cryptfs.c revision da6e899f4e1429add2ef023e0cc6b0fcca42c945
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "Ext4Crypt.h" 57#include "ext4_crypt_init_extensions.h" 58#include "ext4_utils.h" 59#include "f2fs_sparseblock.h" 60#include "CheckBattery.h" 61#include "Process.h" 62 63#include <hardware/keymaster0.h> 64#include <hardware/keymaster1.h> 65 66#define UNUSED __attribute__((unused)) 67 68#define UNUSED __attribute__((unused)) 69 70#ifdef CONFIG_HW_DISK_ENCRYPTION 71#include "cryptfs_hw.h" 72#endif 73 74#define DM_CRYPT_BUF_SIZE 4096 75 76#define HASH_COUNT 2000 77#define KEY_LEN_BYTES 16 78#define IV_LEN_BYTES 16 79 80#define KEY_IN_FOOTER "footer" 81 82#define DEFAULT_PASSWORD "default_password" 83 84#define EXT4_FS 1 85#define F2FS_FS 2 86 87#define TABLE_LOAD_RETRIES 10 88 89#define RSA_KEY_SIZE 2048 90#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 91#define RSA_EXPONENT 0x10001 92#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 93#define KEYMASTER_CRYPTFS_APP_ID "vold cryptfs" 94 95#define RETRY_MOUNT_ATTEMPTS 10 96#define RETRY_MOUNT_DELAY_SECONDS 1 97 98char *me = "cryptfs"; 99 100static unsigned char saved_master_key[KEY_LEN_BYTES]; 101static char *saved_mount_point; 102static int master_key_saved = 0; 103static struct crypt_persist_data *persist_data = NULL; 104 105static int keymaster_init(keymaster0_device_t **keymaster0_dev, 106 keymaster1_device_t **keymaster1_dev) 107{ 108 int rc; 109 110 const hw_module_t* mod; 111 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 112 if (rc) { 113 ALOGE("could not find any keystore module"); 114 goto err; 115 } 116 117 SLOGI("keymaster module name is %s", mod->name); 118 SLOGI("keymaster version is %d", mod->module_api_version); 119 120 *keymaster0_dev = NULL; 121 *keymaster1_dev = NULL; 122 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { 123 SLOGI("Found keymaster1 module, using keymaster1 API."); 124 rc = keymaster1_open(mod, keymaster1_dev); 125 } else { 126 SLOGI("Found keymaster0 module, using keymaster0 API."); 127 rc = keymaster0_open(mod, keymaster0_dev); 128 } 129 130 if (rc) { 131 ALOGE("could not open keymaster device in %s (%s)", 132 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 133 goto err; 134 } 135 136 return 0; 137 138err: 139 *keymaster0_dev = NULL; 140 *keymaster1_dev = NULL; 141 return rc; 142} 143 144/* Should we use keymaster? */ 145static int keymaster_check_compatibility() 146{ 147 keymaster0_device_t *keymaster0_dev = 0; 148 keymaster1_device_t *keymaster1_dev = 0; 149 int rc = 0; 150 151 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 152 SLOGE("Failed to init keymaster"); 153 rc = -1; 154 goto out; 155 } 156 157 if (keymaster1_dev) { 158 rc = 1; 159 goto out; 160 } 161 162 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2 163 // should work. 164 if (keymaster0_dev->common.module->module_api_version 165 < KEYMASTER_MODULE_API_VERSION_0_3) { 166 rc = 0; 167 goto out; 168 } 169 170 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 171 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 172 rc = 1; 173 } 174 175out: 176 if (keymaster1_dev) { 177 keymaster1_close(keymaster1_dev); 178 } 179 if (keymaster0_dev) { 180 keymaster0_close(keymaster0_dev); 181 } 182 return rc; 183} 184 185/* Create a new keymaster key and store it in this footer */ 186static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 187{ 188 uint8_t* key = 0; 189 keymaster0_device_t *keymaster0_dev = 0; 190 keymaster1_device_t *keymaster1_dev = 0; 191 192 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 193 SLOGE("Failed to init keymaster"); 194 return -1; 195 } 196 197 int rc = 0; 198 size_t key_size = 0; 199 if (keymaster1_dev) { 200 keymaster_key_param_t params[] = { 201 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */ 202 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), 203 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE), 204 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT), 205 206 /* Padding & digest specifications. We'll use none/none, but add better options 207 * just in case we want to use them later. Actual selection is done at operation 208 * time, but restricted to options specified at keygen. */ 209 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 210 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN), 211 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 212 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_SHA_2_256), 213 214 /* Require that the key be usable in standalone mode. File system isn't available. */ 215 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE), 216 217 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */ 218 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), 219 220 /* Set app ID to a value keystore will never use */ 221 keymaster_param_blob(KM_TAG_APPLICATION_ID, (uint8_t*)KEYMASTER_CRYPTFS_APP_ID, 222 sizeof(KEYMASTER_CRYPTFS_APP_ID)), 223 224 /* Rate-limit key usage attempts, to rate-limit brute force */ 225 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT), 226 }; 227 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 228 keymaster_key_blob_t key_blob; 229 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set, 230 &key_blob, 231 NULL /* characteristics */); 232 if (error != KM_ERROR_OK) { 233 SLOGE("Failed to generate keymaster1 key, error %d", error); 234 rc = -1; 235 goto out; 236 } 237 238 key = (uint8_t*)key_blob.key_material; 239 key_size = key_blob.key_material_size; 240 } 241 else if (keymaster0_dev) { 242 keymaster_rsa_keygen_params_t params; 243 memset(¶ms, '\0', sizeof(params)); 244 params.public_exponent = RSA_EXPONENT; 245 params.modulus_size = RSA_KEY_SIZE; 246 247 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, 248 &key, &key_size)) { 249 SLOGE("Failed to generate keypair"); 250 rc = -1; 251 goto out; 252 } 253 } else { 254 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device"); 255 rc = -1; 256 goto out; 257 } 258 259 if (key_size > KEYMASTER_BLOB_SIZE) { 260 SLOGE("Keymaster key too large for crypto footer"); 261 rc = -1; 262 goto out; 263 } 264 265 memcpy(ftr->keymaster_blob, key, key_size); 266 ftr->keymaster_blob_size = key_size; 267 268out: 269 if (keymaster0_dev) 270 keymaster0_close(keymaster0_dev); 271 if (keymaster1_dev) 272 keymaster1_close(keymaster1_dev); 273 free(key); 274 return rc; 275} 276 277/* This signs the given object using the keymaster key. */ 278static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 279 const unsigned char *object, 280 const size_t object_size, 281 unsigned char **signature, 282 size_t *signature_size) 283{ 284 int rc = 0; 285 keymaster0_device_t *keymaster0_dev = 0; 286 keymaster1_device_t *keymaster1_dev = 0; 287 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 288 SLOGE("Failed to init keymaster"); 289 rc = -1; 290 goto out; 291 } 292 293 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 294 size_t to_sign_size = sizeof(to_sign); 295 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 296 297 // To sign a message with RSA, the message must satisfy two 298 // constraints: 299 // 300 // 1. The message, when interpreted as a big-endian numeric value, must 301 // be strictly less than the public modulus of the RSA key. Note 302 // that because the most significant bit of the public modulus is 303 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 304 // key), an n-bit message with most significant bit 0 always 305 // satisfies this requirement. 306 // 307 // 2. The message must have the same length in bits as the public 308 // modulus of the RSA key. This requirement isn't mathematically 309 // necessary, but is necessary to ensure consistency in 310 // implementations. 311 switch (ftr->kdf_type) { 312 case KDF_SCRYPT_KEYMASTER: 313 // This ensures the most significant byte of the signed message 314 // is zero. We could have zero-padded to the left instead, but 315 // this approach is slightly more robust against changes in 316 // object size. However, it's still broken (but not unusably 317 // so) because we really should be using a proper deterministic 318 // RSA padding function, such as PKCS1. 319 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 320 SLOGI("Signing safely-padded object"); 321 break; 322 default: 323 SLOGE("Unknown KDF type %d", ftr->kdf_type); 324 rc = -1; 325 goto out; 326 } 327 328 if (keymaster0_dev) { 329 keymaster_rsa_sign_params_t params; 330 params.digest_type = DIGEST_NONE; 331 params.padding_type = PADDING_NONE; 332 333 rc = keymaster0_dev->sign_data(keymaster0_dev, 334 ¶ms, 335 ftr->keymaster_blob, 336 ftr->keymaster_blob_size, 337 to_sign, 338 to_sign_size, 339 signature, 340 signature_size); 341 goto out; 342 } else if (keymaster1_dev) { 343 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size }; 344 keymaster_key_param_t params[] = { 345 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 346 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 347 }; 348 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 349 keymaster_operation_handle_t op_handle; 350 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 351 ¶m_set, NULL /* out_params */, 352 &op_handle); 353 if (error == KM_ERROR_VERIFICATION_FAILED) { 354 // Key usage has been rate-limited. Wait a bit and try again. 355 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT); 356 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 357 ¶m_set, NULL /* out_params */, 358 &op_handle); 359 } 360 if (error != KM_ERROR_OK) { 361 SLOGE("Error starting keymaster signature transaction: %d", error); 362 rc = -1; 363 goto out; 364 } 365 366 keymaster_blob_t input = { to_sign, to_sign_size }; 367 size_t input_consumed; 368 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, 369 &input, &input_consumed, NULL /* out_params */, 370 NULL /* output */); 371 if (error != KM_ERROR_OK) { 372 SLOGE("Error sending data to keymaster signature transaction: %d", error); 373 rc = -1; 374 goto out; 375 } 376 if (input_consumed != to_sign_size) { 377 // This should never happen. If it does, it's a bug in the keymaster implementation. 378 SLOGE("Keymaster update() did not consume all data."); 379 keymaster1_dev->abort(keymaster1_dev, op_handle); 380 rc = -1; 381 goto out; 382 } 383 384 keymaster_blob_t tmp_sig; 385 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */, 386 NULL /* verify signature */, NULL /* out_params */, 387 &tmp_sig); 388 if (error != KM_ERROR_OK) { 389 SLOGE("Error finishing keymaster signature transaction: %d", error); 390 rc = -1; 391 goto out; 392 } 393 394 *signature = (uint8_t*)tmp_sig.data; 395 *signature_size = tmp_sig.data_length; 396 } else { 397 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device."); 398 rc = -1; 399 goto out; 400 } 401 402 out: 403 if (keymaster1_dev) 404 keymaster1_close(keymaster1_dev); 405 if (keymaster0_dev) 406 keymaster0_close(keymaster0_dev); 407 408 return rc; 409} 410 411/* Store password when userdata is successfully decrypted and mounted. 412 * Cleared by cryptfs_clear_password 413 * 414 * To avoid a double prompt at boot, we need to store the CryptKeeper 415 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 416 * Since the entire framework is torn down and rebuilt after encryption, 417 * we have to use a daemon or similar to store the password. Since vold 418 * is secured against IPC except from system processes, it seems a reasonable 419 * place to store this. 420 * 421 * password should be cleared once it has been used. 422 * 423 * password is aged out after password_max_age_seconds seconds. 424 */ 425static char* password = 0; 426static int password_expiry_time = 0; 427static const int password_max_age_seconds = 60; 428 429extern struct fstab *fstab; 430 431enum RebootType {reboot, recovery, shutdown}; 432static void cryptfs_reboot(enum RebootType rt) 433{ 434 switch(rt) { 435 case reboot: 436 property_set(ANDROID_RB_PROPERTY, "reboot"); 437 break; 438 439 case recovery: 440 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 441 break; 442 443 case shutdown: 444 property_set(ANDROID_RB_PROPERTY, "shutdown"); 445 break; 446 } 447 448 sleep(20); 449 450 /* Shouldn't get here, reboot should happen before sleep times out */ 451 return; 452} 453 454static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 455{ 456 memset(io, 0, dataSize); 457 io->data_size = dataSize; 458 io->data_start = sizeof(struct dm_ioctl); 459 io->version[0] = 4; 460 io->version[1] = 0; 461 io->version[2] = 0; 462 io->flags = flags; 463 if (name) { 464 strlcpy(io->name, name, sizeof(io->name)); 465 } 466} 467 468/** 469 * Gets the default device scrypt parameters for key derivation time tuning. 470 * The parameters should lead to about one second derivation time for the 471 * given device. 472 */ 473static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 474 const int default_params[] = SCRYPT_DEFAULTS; 475 int params[] = SCRYPT_DEFAULTS; 476 char paramstr[PROPERTY_VALUE_MAX]; 477 char *token; 478 char *saveptr; 479 int i; 480 481 property_get(SCRYPT_PROP, paramstr, ""); 482 if (paramstr[0] != '\0') { 483 /* 484 * The token we're looking for should be three integers separated by 485 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 486 */ 487 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 488 token != NULL && i < 3; 489 i++, token = strtok_r(NULL, ":", &saveptr)) { 490 char *endptr; 491 params[i] = strtol(token, &endptr, 10); 492 493 /* 494 * Check that there was a valid number and it's 8-bit. If not, 495 * break out and the end check will take the default values. 496 */ 497 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 498 break; 499 } 500 } 501 502 /* 503 * If there were not enough tokens or a token was malformed (not an 504 * integer), it will end up here and the default parameters can be 505 * taken. 506 */ 507 if ((i != 3) || (token != NULL)) { 508 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 509 memcpy(params, default_params, sizeof(params)); 510 } 511 } 512 513 ftr->N_factor = params[0]; 514 ftr->r_factor = params[1]; 515 ftr->p_factor = params[2]; 516} 517 518static unsigned int get_fs_size(char *dev) 519{ 520 int fd, block_size; 521 struct ext4_super_block sb; 522 off64_t len; 523 524 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 525 SLOGE("Cannot open device to get filesystem size "); 526 return 0; 527 } 528 529 if (lseek64(fd, 1024, SEEK_SET) < 0) { 530 SLOGE("Cannot seek to superblock"); 531 return 0; 532 } 533 534 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 535 SLOGE("Cannot read superblock"); 536 return 0; 537 } 538 539 close(fd); 540 541 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 542 SLOGE("Not a valid ext4 superblock"); 543 return 0; 544 } 545 block_size = 1024 << sb.s_log_block_size; 546 /* compute length in bytes */ 547 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 548 549 /* return length in sectors */ 550 return (unsigned int) (len / 512); 551} 552 553static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 554{ 555 static int cached_data = 0; 556 static off64_t cached_off = 0; 557 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 558 int fd; 559 char key_loc[PROPERTY_VALUE_MAX]; 560 char real_blkdev[PROPERTY_VALUE_MAX]; 561 int rc = -1; 562 563 if (!cached_data) { 564 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 565 566 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 567 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 568 SLOGE("Cannot open real block device %s\n", real_blkdev); 569 return -1; 570 } 571 572 unsigned long nr_sec = 0; 573 get_blkdev_size(fd, &nr_sec); 574 if (nr_sec != 0) { 575 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 576 * encryption info footer and key, and plenty of bytes to spare for future 577 * growth. 578 */ 579 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 580 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 581 cached_data = 1; 582 } else { 583 SLOGE("Cannot get size of block device %s\n", real_blkdev); 584 } 585 close(fd); 586 } else { 587 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 588 cached_off = 0; 589 cached_data = 1; 590 } 591 } 592 593 if (cached_data) { 594 if (metadata_fname) { 595 *metadata_fname = cached_metadata_fname; 596 } 597 if (off) { 598 *off = cached_off; 599 } 600 rc = 0; 601 } 602 603 return rc; 604} 605 606/* key or salt can be NULL, in which case just skip writing that value. Useful to 607 * update the failed mount count but not change the key. 608 */ 609static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 610{ 611 int fd; 612 unsigned int cnt; 613 /* starting_off is set to the SEEK_SET offset 614 * where the crypto structure starts 615 */ 616 off64_t starting_off; 617 int rc = -1; 618 char *fname = NULL; 619 struct stat statbuf; 620 621 if (get_crypt_ftr_info(&fname, &starting_off)) { 622 SLOGE("Unable to get crypt_ftr_info\n"); 623 return -1; 624 } 625 if (fname[0] != '/') { 626 SLOGE("Unexpected value for crypto key location\n"); 627 return -1; 628 } 629 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 630 SLOGE("Cannot open footer file %s for put\n", fname); 631 return -1; 632 } 633 634 /* Seek to the start of the crypt footer */ 635 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 636 SLOGE("Cannot seek to real block device footer\n"); 637 goto errout; 638 } 639 640 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 641 SLOGE("Cannot write real block device footer\n"); 642 goto errout; 643 } 644 645 fstat(fd, &statbuf); 646 /* If the keys are kept on a raw block device, do not try to truncate it. */ 647 if (S_ISREG(statbuf.st_mode)) { 648 if (ftruncate(fd, 0x4000)) { 649 SLOGE("Cannot set footer file size\n"); 650 goto errout; 651 } 652 } 653 654 /* Success! */ 655 rc = 0; 656 657errout: 658 close(fd); 659 return rc; 660 661} 662 663static inline int unix_read(int fd, void* buff, int len) 664{ 665 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 666} 667 668static inline int unix_write(int fd, const void* buff, int len) 669{ 670 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 671} 672 673static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 674{ 675 memset(pdata, 0, len); 676 pdata->persist_magic = PERSIST_DATA_MAGIC; 677 pdata->persist_valid_entries = 0; 678} 679 680/* A routine to update the passed in crypt_ftr to the lastest version. 681 * fd is open read/write on the device that holds the crypto footer and persistent 682 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 683 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 684 */ 685static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 686{ 687 int orig_major = crypt_ftr->major_version; 688 int orig_minor = crypt_ftr->minor_version; 689 690 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 691 struct crypt_persist_data *pdata; 692 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 693 694 SLOGW("upgrading crypto footer to 1.1"); 695 696 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 697 if (pdata == NULL) { 698 SLOGE("Cannot allocate persisent data\n"); 699 return; 700 } 701 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 702 703 /* Need to initialize the persistent data area */ 704 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 705 SLOGE("Cannot seek to persisent data offset\n"); 706 free(pdata); 707 return; 708 } 709 /* Write all zeros to the first copy, making it invalid */ 710 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 711 712 /* Write a valid but empty structure to the second copy */ 713 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 714 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 715 716 /* Update the footer */ 717 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 718 crypt_ftr->persist_data_offset[0] = pdata_offset; 719 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 720 crypt_ftr->minor_version = 1; 721 free(pdata); 722 } 723 724 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 725 SLOGW("upgrading crypto footer to 1.2"); 726 /* But keep the old kdf_type. 727 * It will get updated later to KDF_SCRYPT after the password has been verified. 728 */ 729 crypt_ftr->kdf_type = KDF_PBKDF2; 730 get_device_scrypt_params(crypt_ftr); 731 crypt_ftr->minor_version = 2; 732 } 733 734 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 735 SLOGW("upgrading crypto footer to 1.3"); 736 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 737 crypt_ftr->minor_version = 3; 738 } 739 740 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 741 if (lseek64(fd, offset, SEEK_SET) == -1) { 742 SLOGE("Cannot seek to crypt footer\n"); 743 return; 744 } 745 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 746 } 747} 748 749 750static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 751{ 752 int fd; 753 unsigned int cnt; 754 off64_t starting_off; 755 int rc = -1; 756 char *fname = NULL; 757 struct stat statbuf; 758 759 if (get_crypt_ftr_info(&fname, &starting_off)) { 760 SLOGE("Unable to get crypt_ftr_info\n"); 761 return -1; 762 } 763 if (fname[0] != '/') { 764 SLOGE("Unexpected value for crypto key location\n"); 765 return -1; 766 } 767 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 768 SLOGE("Cannot open footer file %s for get\n", fname); 769 return -1; 770 } 771 772 /* Make sure it's 16 Kbytes in length */ 773 fstat(fd, &statbuf); 774 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 775 SLOGE("footer file %s is not the expected size!\n", fname); 776 goto errout; 777 } 778 779 /* Seek to the start of the crypt footer */ 780 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 781 SLOGE("Cannot seek to real block device footer\n"); 782 goto errout; 783 } 784 785 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 786 SLOGE("Cannot read real block device footer\n"); 787 goto errout; 788 } 789 790 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 791 SLOGE("Bad magic for real block device %s\n", fname); 792 goto errout; 793 } 794 795 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 796 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 797 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 798 goto errout; 799 } 800 801 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 802 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 803 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 804 } 805 806 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 807 * copy on disk before returning. 808 */ 809 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 810 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 811 } 812 813 /* Success! */ 814 rc = 0; 815 816errout: 817 close(fd); 818 return rc; 819} 820 821static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 822{ 823 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 824 crypt_ftr->persist_data_offset[1]) { 825 SLOGE("Crypt_ftr persist data regions overlap"); 826 return -1; 827 } 828 829 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 830 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 831 return -1; 832 } 833 834 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 835 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 836 CRYPT_FOOTER_OFFSET) { 837 SLOGE("Persistent data extends past crypto footer"); 838 return -1; 839 } 840 841 return 0; 842} 843 844static int load_persistent_data(void) 845{ 846 struct crypt_mnt_ftr crypt_ftr; 847 struct crypt_persist_data *pdata = NULL; 848 char encrypted_state[PROPERTY_VALUE_MAX]; 849 char *fname; 850 int found = 0; 851 int fd; 852 int ret; 853 int i; 854 855 if (persist_data) { 856 /* Nothing to do, we've already loaded or initialized it */ 857 return 0; 858 } 859 860 861 /* If not encrypted, just allocate an empty table and initialize it */ 862 property_get("ro.crypto.state", encrypted_state, ""); 863 if (strcmp(encrypted_state, "encrypted") ) { 864 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 865 if (pdata) { 866 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 867 persist_data = pdata; 868 return 0; 869 } 870 return -1; 871 } 872 873 if(get_crypt_ftr_and_key(&crypt_ftr)) { 874 return -1; 875 } 876 877 if ((crypt_ftr.major_version < 1) 878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 879 SLOGE("Crypt_ftr version doesn't support persistent data"); 880 return -1; 881 } 882 883 if (get_crypt_ftr_info(&fname, NULL)) { 884 return -1; 885 } 886 887 ret = validate_persistent_data_storage(&crypt_ftr); 888 if (ret) { 889 return -1; 890 } 891 892 fd = open(fname, O_RDONLY|O_CLOEXEC); 893 if (fd < 0) { 894 SLOGE("Cannot open %s metadata file", fname); 895 return -1; 896 } 897 898 if (persist_data == NULL) { 899 pdata = malloc(crypt_ftr.persist_data_size); 900 if (pdata == NULL) { 901 SLOGE("Cannot allocate memory for persistent data"); 902 goto err; 903 } 904 } 905 906 for (i = 0; i < 2; i++) { 907 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 908 SLOGE("Cannot seek to read persistent data on %s", fname); 909 goto err2; 910 } 911 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 912 SLOGE("Error reading persistent data on iteration %d", i); 913 goto err2; 914 } 915 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 916 found = 1; 917 break; 918 } 919 } 920 921 if (!found) { 922 SLOGI("Could not find valid persistent data, creating"); 923 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 924 } 925 926 /* Success */ 927 persist_data = pdata; 928 close(fd); 929 return 0; 930 931err2: 932 free(pdata); 933 934err: 935 close(fd); 936 return -1; 937} 938 939static int save_persistent_data(void) 940{ 941 struct crypt_mnt_ftr crypt_ftr; 942 struct crypt_persist_data *pdata; 943 char *fname; 944 off64_t write_offset; 945 off64_t erase_offset; 946 int fd; 947 int ret; 948 949 if (persist_data == NULL) { 950 SLOGE("No persistent data to save"); 951 return -1; 952 } 953 954 if(get_crypt_ftr_and_key(&crypt_ftr)) { 955 return -1; 956 } 957 958 if ((crypt_ftr.major_version < 1) 959 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 960 SLOGE("Crypt_ftr version doesn't support persistent data"); 961 return -1; 962 } 963 964 ret = validate_persistent_data_storage(&crypt_ftr); 965 if (ret) { 966 return -1; 967 } 968 969 if (get_crypt_ftr_info(&fname, NULL)) { 970 return -1; 971 } 972 973 fd = open(fname, O_RDWR|O_CLOEXEC); 974 if (fd < 0) { 975 SLOGE("Cannot open %s metadata file", fname); 976 return -1; 977 } 978 979 pdata = malloc(crypt_ftr.persist_data_size); 980 if (pdata == NULL) { 981 SLOGE("Cannot allocate persistant data"); 982 goto err; 983 } 984 985 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 986 SLOGE("Cannot seek to read persistent data on %s", fname); 987 goto err2; 988 } 989 990 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 991 SLOGE("Error reading persistent data before save"); 992 goto err2; 993 } 994 995 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 996 /* The first copy is the curent valid copy, so write to 997 * the second copy and erase this one */ 998 write_offset = crypt_ftr.persist_data_offset[1]; 999 erase_offset = crypt_ftr.persist_data_offset[0]; 1000 } else { 1001 /* The second copy must be the valid copy, so write to 1002 * the first copy, and erase the second */ 1003 write_offset = crypt_ftr.persist_data_offset[0]; 1004 erase_offset = crypt_ftr.persist_data_offset[1]; 1005 } 1006 1007 /* Write the new copy first, if successful, then erase the old copy */ 1008 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 1009 SLOGE("Cannot seek to write persistent data"); 1010 goto err2; 1011 } 1012 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 1013 (int) crypt_ftr.persist_data_size) { 1014 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 1015 SLOGE("Cannot seek to erase previous persistent data"); 1016 goto err2; 1017 } 1018 fsync(fd); 1019 memset(pdata, 0, crypt_ftr.persist_data_size); 1020 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 1021 (int) crypt_ftr.persist_data_size) { 1022 SLOGE("Cannot write to erase previous persistent data"); 1023 goto err2; 1024 } 1025 fsync(fd); 1026 } else { 1027 SLOGE("Cannot write to save persistent data"); 1028 goto err2; 1029 } 1030 1031 /* Success */ 1032 free(pdata); 1033 close(fd); 1034 return 0; 1035 1036err2: 1037 free(pdata); 1038err: 1039 close(fd); 1040 return -1; 1041} 1042 1043/* Convert a binary key of specified length into an ascii hex string equivalent, 1044 * without the leading 0x and with null termination 1045 */ 1046static void convert_key_to_hex_ascii(const unsigned char *master_key, 1047 unsigned int keysize, char *master_key_ascii) { 1048 unsigned int i, a; 1049 unsigned char nibble; 1050 1051 for (i=0, a=0; i<keysize; i++, a+=2) { 1052 /* For each byte, write out two ascii hex digits */ 1053 nibble = (master_key[i] >> 4) & 0xf; 1054 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 1055 1056 nibble = master_key[i] & 0xf; 1057 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 1058 } 1059 1060 /* Add the null termination */ 1061 master_key_ascii[a] = '\0'; 1062 1063} 1064 1065static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 1066 const unsigned char *master_key, const char *real_blk_name, 1067 const char *name, int fd, const char *extra_params) { 1068 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 1069 struct dm_ioctl *io; 1070 struct dm_target_spec *tgt; 1071 char *crypt_params; 1072 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1073 int i; 1074 1075 io = (struct dm_ioctl *) buffer; 1076 1077 /* Load the mapping table for this device */ 1078 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 1079 1080 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1081 io->target_count = 1; 1082 tgt->status = 0; 1083 tgt->sector_start = 0; 1084 tgt->length = crypt_ftr->fs_size; 1085#ifdef CONFIG_HW_DISK_ENCRYPTION 1086 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1087 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1088 } 1089 else { 1090 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1091 } 1092#else 1093 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1094#endif 1095 1096 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1097 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1098 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1099 master_key_ascii, real_blk_name, extra_params); 1100 crypt_params += strlen(crypt_params) + 1; 1101 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1102 tgt->next = crypt_params - buffer; 1103 1104 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1105 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1106 break; 1107 } 1108 usleep(500000); 1109 } 1110 1111 if (i == TABLE_LOAD_RETRIES) { 1112 /* We failed to load the table, return an error */ 1113 return -1; 1114 } else { 1115 return i + 1; 1116 } 1117} 1118 1119 1120static int get_dm_crypt_version(int fd, const char *name, int *version) 1121{ 1122 char buffer[DM_CRYPT_BUF_SIZE]; 1123 struct dm_ioctl *io; 1124 struct dm_target_versions *v; 1125 1126 io = (struct dm_ioctl *) buffer; 1127 1128 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1129 1130 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1131 return -1; 1132 } 1133 1134 /* Iterate over the returned versions, looking for name of "crypt". 1135 * When found, get and return the version. 1136 */ 1137 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1138 while (v->next) { 1139#ifdef CONFIG_HW_DISK_ENCRYPTION 1140 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1141#else 1142 if (! strcmp(v->name, "crypt")) { 1143#endif 1144 /* We found the crypt driver, return the version, and get out */ 1145 version[0] = v->version[0]; 1146 version[1] = v->version[1]; 1147 version[2] = v->version[2]; 1148 return 0; 1149 } 1150 v = (struct dm_target_versions *)(((char *)v) + v->next); 1151 } 1152 1153 return -1; 1154} 1155 1156static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, 1157 const unsigned char *master_key, const char *real_blk_name, 1158 char *crypto_blk_name, const char *name) { 1159 char buffer[DM_CRYPT_BUF_SIZE]; 1160 struct dm_ioctl *io; 1161 unsigned int minor; 1162 int fd=0; 1163 int retval = -1; 1164 int version[3]; 1165 char *extra_params; 1166 int load_count; 1167 1168 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1169 SLOGE("Cannot open device-mapper\n"); 1170 goto errout; 1171 } 1172 1173 io = (struct dm_ioctl *) buffer; 1174 1175 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1176 if (ioctl(fd, DM_DEV_CREATE, io)) { 1177 SLOGE("Cannot create dm-crypt device\n"); 1178 goto errout; 1179 } 1180 1181 /* Get the device status, in particular, the name of it's device file */ 1182 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1183 if (ioctl(fd, DM_DEV_STATUS, io)) { 1184 SLOGE("Cannot retrieve dm-crypt device status\n"); 1185 goto errout; 1186 } 1187 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1188 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1189 1190 extra_params = ""; 1191 if (! get_dm_crypt_version(fd, name, version)) { 1192 /* Support for allow_discards was added in version 1.11.0 */ 1193 if ((version[0] >= 2) || 1194 ((version[0] == 1) && (version[1] >= 11))) { 1195 extra_params = "1 allow_discards"; 1196 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1197 } 1198 } 1199 1200 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1201 fd, extra_params); 1202 if (load_count < 0) { 1203 SLOGE("Cannot load dm-crypt mapping table.\n"); 1204 goto errout; 1205 } else if (load_count > 1) { 1206 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1207 } 1208 1209 /* Resume this device to activate it */ 1210 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1211 1212 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1213 SLOGE("Cannot resume the dm-crypt device\n"); 1214 goto errout; 1215 } 1216 1217 /* We made it here with no errors. Woot! */ 1218 retval = 0; 1219 1220errout: 1221 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1222 1223 return retval; 1224} 1225 1226static int delete_crypto_blk_dev(char *name) 1227{ 1228 int fd; 1229 char buffer[DM_CRYPT_BUF_SIZE]; 1230 struct dm_ioctl *io; 1231 int retval = -1; 1232 1233 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1234 SLOGE("Cannot open device-mapper\n"); 1235 goto errout; 1236 } 1237 1238 io = (struct dm_ioctl *) buffer; 1239 1240 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1241 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1242 SLOGE("Cannot remove dm-crypt device\n"); 1243 goto errout; 1244 } 1245 1246 /* We made it here with no errors. Woot! */ 1247 retval = 0; 1248 1249errout: 1250 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1251 1252 return retval; 1253 1254} 1255 1256static int pbkdf2(const char *passwd, const unsigned char *salt, 1257 unsigned char *ikey, void *params UNUSED) 1258{ 1259 SLOGI("Using pbkdf2 for cryptfs KDF"); 1260 1261 /* Turn the password into a key and IV that can decrypt the master key */ 1262 PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), 1263 salt, SALT_LEN, 1264 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1265 1266 return 0; 1267} 1268 1269static int scrypt(const char *passwd, const unsigned char *salt, 1270 unsigned char *ikey, void *params) 1271{ 1272 SLOGI("Using scrypt for cryptfs KDF"); 1273 1274 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1275 1276 int N = 1 << ftr->N_factor; 1277 int r = 1 << ftr->r_factor; 1278 int p = 1 << ftr->p_factor; 1279 1280 /* Turn the password into a key and IV that can decrypt the master key */ 1281 unsigned int keysize; 1282 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1283 salt, SALT_LEN, N, r, p, ikey, 1284 KEY_LEN_BYTES + IV_LEN_BYTES); 1285 1286 return 0; 1287} 1288 1289static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1290 unsigned char *ikey, void *params) 1291{ 1292 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1293 1294 int rc; 1295 size_t signature_size; 1296 unsigned char* signature; 1297 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1298 1299 int N = 1 << ftr->N_factor; 1300 int r = 1 << ftr->r_factor; 1301 int p = 1 << ftr->p_factor; 1302 1303 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1304 salt, SALT_LEN, N, r, p, ikey, 1305 KEY_LEN_BYTES + IV_LEN_BYTES); 1306 1307 if (rc) { 1308 SLOGE("scrypt failed"); 1309 return -1; 1310 } 1311 1312 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1313 &signature, &signature_size)) { 1314 SLOGE("Signing failed"); 1315 return -1; 1316 } 1317 1318 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1319 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1320 free(signature); 1321 1322 if (rc) { 1323 SLOGE("scrypt failed"); 1324 return -1; 1325 } 1326 1327 return 0; 1328} 1329 1330static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1331 const unsigned char *decrypted_master_key, 1332 unsigned char *encrypted_master_key, 1333 struct crypt_mnt_ftr *crypt_ftr) 1334{ 1335 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1336 EVP_CIPHER_CTX e_ctx; 1337 int encrypted_len, final_len; 1338 int rc = 0; 1339 1340 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1341 get_device_scrypt_params(crypt_ftr); 1342 1343 switch (crypt_ftr->kdf_type) { 1344 case KDF_SCRYPT_KEYMASTER: 1345 if (keymaster_create_key(crypt_ftr)) { 1346 SLOGE("keymaster_create_key failed"); 1347 return -1; 1348 } 1349 1350 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1351 SLOGE("scrypt failed"); 1352 return -1; 1353 } 1354 break; 1355 1356 case KDF_SCRYPT: 1357 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1358 SLOGE("scrypt failed"); 1359 return -1; 1360 } 1361 break; 1362 1363 default: 1364 SLOGE("Invalid kdf_type"); 1365 return -1; 1366 } 1367 1368 /* Initialize the decryption engine */ 1369 EVP_CIPHER_CTX_init(&e_ctx); 1370 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1371 SLOGE("EVP_EncryptInit failed\n"); 1372 return -1; 1373 } 1374 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1375 1376 /* Encrypt the master key */ 1377 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1378 decrypted_master_key, KEY_LEN_BYTES)) { 1379 SLOGE("EVP_EncryptUpdate failed\n"); 1380 return -1; 1381 } 1382 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1383 SLOGE("EVP_EncryptFinal failed\n"); 1384 return -1; 1385 } 1386 1387 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1388 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1389 return -1; 1390 } 1391 1392 /* Store the scrypt of the intermediate key, so we can validate if it's a 1393 password error or mount error when things go wrong. 1394 Note there's no need to check for errors, since if this is incorrect, we 1395 simply won't wipe userdata, which is the correct default behavior 1396 */ 1397 int N = 1 << crypt_ftr->N_factor; 1398 int r = 1 << crypt_ftr->r_factor; 1399 int p = 1 << crypt_ftr->p_factor; 1400 1401 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1402 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1403 crypt_ftr->scrypted_intermediate_key, 1404 sizeof(crypt_ftr->scrypted_intermediate_key)); 1405 1406 if (rc) { 1407 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1408 } 1409 1410 return 0; 1411} 1412 1413static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1414 unsigned char *encrypted_master_key, 1415 unsigned char *decrypted_master_key, 1416 kdf_func kdf, void *kdf_params, 1417 unsigned char** intermediate_key, 1418 size_t* intermediate_key_size) 1419{ 1420 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1421 EVP_CIPHER_CTX d_ctx; 1422 int decrypted_len, final_len; 1423 1424 /* Turn the password into an intermediate key and IV that can decrypt the 1425 master key */ 1426 if (kdf(passwd, salt, ikey, kdf_params)) { 1427 SLOGE("kdf failed"); 1428 return -1; 1429 } 1430 1431 /* Initialize the decryption engine */ 1432 EVP_CIPHER_CTX_init(&d_ctx); 1433 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1434 return -1; 1435 } 1436 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1437 /* Decrypt the master key */ 1438 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1439 encrypted_master_key, KEY_LEN_BYTES)) { 1440 return -1; 1441 } 1442 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1443 return -1; 1444 } 1445 1446 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1447 return -1; 1448 } 1449 1450 /* Copy intermediate key if needed by params */ 1451 if (intermediate_key && intermediate_key_size) { 1452 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1453 if (intermediate_key) { 1454 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1455 *intermediate_key_size = KEY_LEN_BYTES; 1456 } 1457 } 1458 1459 return 0; 1460} 1461 1462static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1463{ 1464 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1465 *kdf = scrypt_keymaster; 1466 *kdf_params = ftr; 1467 } else if (ftr->kdf_type == KDF_SCRYPT) { 1468 *kdf = scrypt; 1469 *kdf_params = ftr; 1470 } else { 1471 *kdf = pbkdf2; 1472 *kdf_params = NULL; 1473 } 1474} 1475 1476static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1477 struct crypt_mnt_ftr *crypt_ftr, 1478 unsigned char** intermediate_key, 1479 size_t* intermediate_key_size) 1480{ 1481 kdf_func kdf; 1482 void *kdf_params; 1483 int ret; 1484 1485 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1486 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1487 decrypted_master_key, kdf, kdf_params, 1488 intermediate_key, intermediate_key_size); 1489 if (ret != 0) { 1490 SLOGW("failure decrypting master key"); 1491 } 1492 1493 return ret; 1494} 1495 1496static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1497 struct crypt_mnt_ftr *crypt_ftr) { 1498 int fd; 1499 unsigned char key_buf[KEY_LEN_BYTES]; 1500 1501 /* Get some random bits for a key */ 1502 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1503 read(fd, key_buf, sizeof(key_buf)); 1504 read(fd, salt, SALT_LEN); 1505 close(fd); 1506 1507 /* Now encrypt it with the password */ 1508 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1509} 1510 1511int wait_and_unmount(const char *mountpoint, bool kill) 1512{ 1513 int i, err, rc; 1514#define WAIT_UNMOUNT_COUNT 20 1515 1516 /* Now umount the tmpfs filesystem */ 1517 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1518 if (umount(mountpoint) == 0) { 1519 break; 1520 } 1521 1522 if (errno == EINVAL) { 1523 /* EINVAL is returned if the directory is not a mountpoint, 1524 * i.e. there is no filesystem mounted there. So just get out. 1525 */ 1526 break; 1527 } 1528 1529 err = errno; 1530 1531 /* If allowed, be increasingly aggressive before the last two retries */ 1532 if (kill) { 1533 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1534 SLOGW("sending SIGHUP to processes with open files\n"); 1535 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1536 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1537 SLOGW("sending SIGKILL to processes with open files\n"); 1538 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1539 } 1540 } 1541 1542 sleep(1); 1543 } 1544 1545 if (i < WAIT_UNMOUNT_COUNT) { 1546 SLOGD("unmounting %s succeeded\n", mountpoint); 1547 rc = 0; 1548 } else { 1549 vold_killProcessesWithOpenFiles(mountpoint, 0); 1550 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1551 rc = -1; 1552 } 1553 1554 return rc; 1555} 1556 1557#define DATA_PREP_TIMEOUT 1000 1558static int prep_data_fs(void) 1559{ 1560 int i; 1561 1562 /* Do the prep of the /data filesystem */ 1563 property_set("vold.post_fs_data_done", "0"); 1564 property_set("vold.decrypt", "trigger_post_fs_data"); 1565 SLOGD("Just triggered post_fs_data\n"); 1566 1567 /* Wait a max of 50 seconds, hopefully it takes much less */ 1568 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1569 char p[PROPERTY_VALUE_MAX]; 1570 1571 property_get("vold.post_fs_data_done", p, "0"); 1572 if (*p == '1') { 1573 break; 1574 } else { 1575 usleep(50000); 1576 } 1577 } 1578 if (i == DATA_PREP_TIMEOUT) { 1579 /* Ugh, we failed to prep /data in time. Bail. */ 1580 SLOGE("post_fs_data timed out!\n"); 1581 return -1; 1582 } else { 1583 SLOGD("post_fs_data done\n"); 1584 return 0; 1585 } 1586} 1587 1588static void cryptfs_set_corrupt() 1589{ 1590 // Mark the footer as bad 1591 struct crypt_mnt_ftr crypt_ftr; 1592 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1593 SLOGE("Failed to get crypto footer - panic"); 1594 return; 1595 } 1596 1597 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1598 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1599 SLOGE("Failed to set crypto footer - panic"); 1600 return; 1601 } 1602} 1603 1604static void cryptfs_trigger_restart_min_framework() 1605{ 1606 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1607 SLOGE("Failed to mount tmpfs on data - panic"); 1608 return; 1609 } 1610 1611 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1612 SLOGE("Failed to trigger post fs data - panic"); 1613 return; 1614 } 1615 1616 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1617 SLOGE("Failed to trigger restart min framework - panic"); 1618 return; 1619 } 1620} 1621 1622/* returns < 0 on failure */ 1623static int cryptfs_restart_internal(int restart_main) 1624{ 1625 char crypto_blkdev[MAXPATHLEN]; 1626 int rc = -1; 1627 static int restart_successful = 0; 1628 1629 /* Validate that it's OK to call this routine */ 1630 if (! master_key_saved) { 1631 SLOGE("Encrypted filesystem not validated, aborting"); 1632 return -1; 1633 } 1634 1635 if (restart_successful) { 1636 SLOGE("System already restarted with encrypted disk, aborting"); 1637 return -1; 1638 } 1639 1640 if (restart_main) { 1641 /* Here is where we shut down the framework. The init scripts 1642 * start all services in one of three classes: core, main or late_start. 1643 * On boot, we start core and main. Now, we stop main, but not core, 1644 * as core includes vold and a few other really important things that 1645 * we need to keep running. Once main has stopped, we should be able 1646 * to umount the tmpfs /data, then mount the encrypted /data. 1647 * We then restart the class main, and also the class late_start. 1648 * At the moment, I've only put a few things in late_start that I know 1649 * are not needed to bring up the framework, and that also cause problems 1650 * with unmounting the tmpfs /data, but I hope to add add more services 1651 * to the late_start class as we optimize this to decrease the delay 1652 * till the user is asked for the password to the filesystem. 1653 */ 1654 1655 /* The init files are setup to stop the class main when vold.decrypt is 1656 * set to trigger_reset_main. 1657 */ 1658 property_set("vold.decrypt", "trigger_reset_main"); 1659 SLOGD("Just asked init to shut down class main\n"); 1660 1661 /* Ugh, shutting down the framework is not synchronous, so until it 1662 * can be fixed, this horrible hack will wait a moment for it all to 1663 * shut down before proceeding. Without it, some devices cannot 1664 * restart the graphics services. 1665 */ 1666 sleep(2); 1667 } 1668 1669 /* Now that the framework is shutdown, we should be able to umount() 1670 * the tmpfs filesystem, and mount the real one. 1671 */ 1672 1673 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1674 if (strlen(crypto_blkdev) == 0) { 1675 SLOGE("fs_crypto_blkdev not set\n"); 1676 return -1; 1677 } 1678 1679 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1680 /* If ro.crypto.readonly is set to 1, mount the decrypted 1681 * filesystem readonly. This is used when /data is mounted by 1682 * recovery mode. 1683 */ 1684 char ro_prop[PROPERTY_VALUE_MAX]; 1685 property_get("ro.crypto.readonly", ro_prop, ""); 1686 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1687 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1688 rec->flags |= MS_RDONLY; 1689 } 1690 1691 /* If that succeeded, then mount the decrypted filesystem */ 1692 int retries = RETRY_MOUNT_ATTEMPTS; 1693 int mount_rc; 1694 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1695 crypto_blkdev, 0)) 1696 != 0) { 1697 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1698 /* TODO: invoke something similar to 1699 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1700 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1701 SLOGI("Failed to mount %s because it is busy - waiting", 1702 crypto_blkdev); 1703 if (--retries) { 1704 sleep(RETRY_MOUNT_DELAY_SECONDS); 1705 } else { 1706 /* Let's hope that a reboot clears away whatever is keeping 1707 the mount busy */ 1708 cryptfs_reboot(reboot); 1709 } 1710 } else { 1711 SLOGE("Failed to mount decrypted data"); 1712 cryptfs_set_corrupt(); 1713 cryptfs_trigger_restart_min_framework(); 1714 SLOGI("Started framework to offer wipe"); 1715 return -1; 1716 } 1717 } 1718 1719 property_set("vold.decrypt", "trigger_load_persist_props"); 1720 /* Create necessary paths on /data */ 1721 if (prep_data_fs()) { 1722 return -1; 1723 } 1724 1725 /* startup service classes main and late_start */ 1726 property_set("vold.decrypt", "trigger_restart_framework"); 1727 SLOGD("Just triggered restart_framework\n"); 1728 1729 /* Give it a few moments to get started */ 1730 sleep(1); 1731 } 1732 1733 if (rc == 0) { 1734 restart_successful = 1; 1735 } 1736 1737 return rc; 1738} 1739 1740int cryptfs_restart(void) 1741{ 1742 SLOGI("cryptfs_restart"); 1743 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 1744 struct fstab_rec* rec; 1745 int rc; 1746 1747 if (e4crypt_restart(DATA_MNT_POINT)) { 1748 SLOGE("Can't unmount e4crypt temp volume\n"); 1749 return -1; 1750 } 1751 1752 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1753 if (!rec) { 1754 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT); 1755 return -1; 1756 } 1757 1758 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0); 1759 if (rc) { 1760 SLOGE("Can't mount %s\n", DATA_MNT_POINT); 1761 return rc; 1762 } 1763 1764 property_set("vold.decrypt", "trigger_restart_framework"); 1765 return 0; 1766 } 1767 1768 /* Call internal implementation forcing a restart of main service group */ 1769 return cryptfs_restart_internal(1); 1770} 1771 1772static int do_crypto_complete(char *mount_point) 1773{ 1774 struct crypt_mnt_ftr crypt_ftr; 1775 char encrypted_state[PROPERTY_VALUE_MAX]; 1776 char key_loc[PROPERTY_VALUE_MAX]; 1777 1778 property_get("ro.crypto.state", encrypted_state, ""); 1779 if (strcmp(encrypted_state, "encrypted") ) { 1780 SLOGE("not running with encryption, aborting"); 1781 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1782 } 1783 1784 if (e4crypt_crypto_complete(mount_point) == 0) { 1785 return CRYPTO_COMPLETE_ENCRYPTED; 1786 } 1787 1788 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1789 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1790 1791 /* 1792 * Only report this error if key_loc is a file and it exists. 1793 * If the device was never encrypted, and /data is not mountable for 1794 * some reason, returning 1 should prevent the UI from presenting the 1795 * a "enter password" screen, or worse, a "press button to wipe the 1796 * device" screen. 1797 */ 1798 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1799 SLOGE("master key file does not exist, aborting"); 1800 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1801 } else { 1802 SLOGE("Error getting crypt footer and key\n"); 1803 return CRYPTO_COMPLETE_BAD_METADATA; 1804 } 1805 } 1806 1807 // Test for possible error flags 1808 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1809 SLOGE("Encryption process is partway completed\n"); 1810 return CRYPTO_COMPLETE_PARTIAL; 1811 } 1812 1813 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1814 SLOGE("Encryption process was interrupted but cannot continue\n"); 1815 return CRYPTO_COMPLETE_INCONSISTENT; 1816 } 1817 1818 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1819 SLOGE("Encryption is successful but data is corrupt\n"); 1820 return CRYPTO_COMPLETE_CORRUPT; 1821 } 1822 1823 /* We passed the test! We shall diminish, and return to the west */ 1824 return CRYPTO_COMPLETE_ENCRYPTED; 1825} 1826 1827static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1828 char *passwd, char *mount_point, char *label) 1829{ 1830 /* Allocate enough space for a 256 bit key, but we may use less */ 1831 unsigned char decrypted_master_key[32]; 1832 char crypto_blkdev[MAXPATHLEN]; 1833 char real_blkdev[MAXPATHLEN]; 1834 char tmp_mount_point[64]; 1835 unsigned int orig_failed_decrypt_count; 1836 int rc; 1837 int use_keymaster = 0; 1838 int upgrade = 0; 1839 unsigned char* intermediate_key = 0; 1840 size_t intermediate_key_size = 0; 1841 1842 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1843 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1844 1845 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1846 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1847 &intermediate_key, &intermediate_key_size)) { 1848 SLOGE("Failed to decrypt master key\n"); 1849 rc = -1; 1850 goto errout; 1851 } 1852 } 1853 1854 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1855 1856#ifdef CONFIG_HW_DISK_ENCRYPTION 1857 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1858 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1859 SLOGE("Hardware encryption key does not match"); 1860 } 1861 } 1862#endif 1863 1864 // Create crypto block device - all (non fatal) code paths 1865 // need it 1866 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1867 real_blkdev, crypto_blkdev, label)) { 1868 SLOGE("Error creating decrypted block device\n"); 1869 rc = -1; 1870 goto errout; 1871 } 1872 1873 /* Work out if the problem is the password or the data */ 1874 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1875 scrypted_intermediate_key)]; 1876 int N = 1 << crypt_ftr->N_factor; 1877 int r = 1 << crypt_ftr->r_factor; 1878 int p = 1 << crypt_ftr->p_factor; 1879 1880 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1881 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1882 N, r, p, scrypted_intermediate_key, 1883 sizeof(scrypted_intermediate_key)); 1884 1885 // Does the key match the crypto footer? 1886 if (rc == 0 && memcmp(scrypted_intermediate_key, 1887 crypt_ftr->scrypted_intermediate_key, 1888 sizeof(scrypted_intermediate_key)) == 0) { 1889 SLOGI("Password matches"); 1890 rc = 0; 1891 } else { 1892 /* Try mounting the file system anyway, just in case the problem's with 1893 * the footer, not the key. */ 1894 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1895 mkdir(tmp_mount_point, 0755); 1896 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1897 SLOGE("Error temp mounting decrypted block device\n"); 1898 delete_crypto_blk_dev(label); 1899 1900 rc = ++crypt_ftr->failed_decrypt_count; 1901 put_crypt_ftr_and_key(crypt_ftr); 1902 } else { 1903 /* Success! */ 1904 SLOGI("Password did not match but decrypted drive mounted - continue"); 1905 umount(tmp_mount_point); 1906 rc = 0; 1907 } 1908 } 1909 1910 if (rc == 0) { 1911 crypt_ftr->failed_decrypt_count = 0; 1912 if (orig_failed_decrypt_count != 0) { 1913 put_crypt_ftr_and_key(crypt_ftr); 1914 } 1915 1916 /* Save the name of the crypto block device 1917 * so we can mount it when restarting the framework. */ 1918 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1919 1920 /* Also save a the master key so we can reencrypted the key 1921 * the key when we want to change the password on it. */ 1922 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1923 saved_mount_point = strdup(mount_point); 1924 master_key_saved = 1; 1925 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1926 rc = 0; 1927 1928 // Upgrade if we're not using the latest KDF. 1929 use_keymaster = keymaster_check_compatibility(); 1930 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1931 // Don't allow downgrade 1932 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1933 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1934 upgrade = 1; 1935 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1936 crypt_ftr->kdf_type = KDF_SCRYPT; 1937 upgrade = 1; 1938 } 1939 1940 if (upgrade) { 1941 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1942 crypt_ftr->master_key, crypt_ftr); 1943 if (!rc) { 1944 rc = put_crypt_ftr_and_key(crypt_ftr); 1945 } 1946 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1947 1948 // Do not fail even if upgrade failed - machine is bootable 1949 // Note that if this code is ever hit, there is a *serious* problem 1950 // since KDFs should never fail. You *must* fix the kdf before 1951 // proceeding! 1952 if (rc) { 1953 SLOGW("Upgrade failed with error %d," 1954 " but continuing with previous state", 1955 rc); 1956 rc = 0; 1957 } 1958 } 1959 } 1960 1961 errout: 1962 if (intermediate_key) { 1963 memset(intermediate_key, 0, intermediate_key_size); 1964 free(intermediate_key); 1965 } 1966 return rc; 1967} 1968 1969/* 1970 * Called by vold when it's asked to mount an encrypted external 1971 * storage volume. The incoming partition has no crypto header/footer, 1972 * as any metadata is been stored in a separate, small partition. 1973 * 1974 * out_crypto_blkdev must be MAXPATHLEN. 1975 */ 1976int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1977 const unsigned char* key, int keysize, char* out_crypto_blkdev) { 1978 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1979 if (fd == -1) { 1980 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1981 return -1; 1982 } 1983 1984 unsigned long nr_sec = 0; 1985 get_blkdev_size(fd, &nr_sec); 1986 close(fd); 1987 1988 if (nr_sec == 0) { 1989 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1990 return -1; 1991 } 1992 1993 struct crypt_mnt_ftr ext_crypt_ftr; 1994 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1995 ext_crypt_ftr.fs_size = nr_sec; 1996 ext_crypt_ftr.keysize = keysize; 1997 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 1998 1999 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, 2000 out_crypto_blkdev, label); 2001} 2002 2003/* 2004 * Called by vold when it's asked to unmount an encrypted external 2005 * storage volume. 2006 */ 2007int cryptfs_revert_ext_volume(const char* label) { 2008 return delete_crypto_blk_dev((char*) label); 2009} 2010 2011int cryptfs_crypto_complete(void) 2012{ 2013 return do_crypto_complete("/data"); 2014} 2015 2016int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 2017{ 2018 char encrypted_state[PROPERTY_VALUE_MAX]; 2019 property_get("ro.crypto.state", encrypted_state, ""); 2020 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 2021 SLOGE("encrypted fs already validated or not running with encryption," 2022 " aborting"); 2023 return -1; 2024 } 2025 2026 if (get_crypt_ftr_and_key(crypt_ftr)) { 2027 SLOGE("Error getting crypt footer and key"); 2028 return -1; 2029 } 2030 2031 return 0; 2032} 2033 2034int cryptfs_check_passwd(char *passwd) 2035{ 2036 SLOGI("cryptfs_check_passwd"); 2037 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 2038 return e4crypt_check_passwd(DATA_MNT_POINT, passwd); 2039 } 2040 2041 struct crypt_mnt_ftr crypt_ftr; 2042 int rc; 2043 2044 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2045 if (rc) 2046 return rc; 2047 2048 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2049 DATA_MNT_POINT, "userdata"); 2050 2051 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2052 cryptfs_clear_password(); 2053 password = strdup(passwd); 2054 struct timespec now; 2055 clock_gettime(CLOCK_BOOTTIME, &now); 2056 password_expiry_time = now.tv_sec + password_max_age_seconds; 2057 } 2058 2059 return rc; 2060} 2061 2062int cryptfs_verify_passwd(char *passwd) 2063{ 2064 struct crypt_mnt_ftr crypt_ftr; 2065 /* Allocate enough space for a 256 bit key, but we may use less */ 2066 unsigned char decrypted_master_key[32]; 2067 char encrypted_state[PROPERTY_VALUE_MAX]; 2068 int rc; 2069 2070 property_get("ro.crypto.state", encrypted_state, ""); 2071 if (strcmp(encrypted_state, "encrypted") ) { 2072 SLOGE("device not encrypted, aborting"); 2073 return -2; 2074 } 2075 2076 if (!master_key_saved) { 2077 SLOGE("encrypted fs not yet mounted, aborting"); 2078 return -1; 2079 } 2080 2081 if (!saved_mount_point) { 2082 SLOGE("encrypted fs failed to save mount point, aborting"); 2083 return -1; 2084 } 2085 2086 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2087 SLOGE("Error getting crypt footer and key\n"); 2088 return -1; 2089 } 2090 2091 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2092 /* If the device has no password, then just say the password is valid */ 2093 rc = 0; 2094 } else { 2095 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2096 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2097 /* They match, the password is correct */ 2098 rc = 0; 2099 } else { 2100 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2101 sleep(1); 2102 rc = 1; 2103 } 2104 } 2105 2106 return rc; 2107} 2108 2109/* Initialize a crypt_mnt_ftr structure. The keysize is 2110 * defaulted to 16 bytes, and the filesystem size to 0. 2111 * Presumably, at a minimum, the caller will update the 2112 * filesystem size and crypto_type_name after calling this function. 2113 */ 2114static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2115{ 2116 off64_t off; 2117 2118 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2119 ftr->magic = CRYPT_MNT_MAGIC; 2120 ftr->major_version = CURRENT_MAJOR_VERSION; 2121 ftr->minor_version = CURRENT_MINOR_VERSION; 2122 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2123 ftr->keysize = KEY_LEN_BYTES; 2124 2125 switch (keymaster_check_compatibility()) { 2126 case 1: 2127 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2128 break; 2129 2130 case 0: 2131 ftr->kdf_type = KDF_SCRYPT; 2132 break; 2133 2134 default: 2135 SLOGE("keymaster_check_compatibility failed"); 2136 return -1; 2137 } 2138 2139 get_device_scrypt_params(ftr); 2140 2141 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2142 if (get_crypt_ftr_info(NULL, &off) == 0) { 2143 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2144 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2145 ftr->persist_data_size; 2146 } 2147 2148 return 0; 2149} 2150 2151static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2152{ 2153 const char *args[10]; 2154 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2155 int num_args; 2156 int status; 2157 int tmp; 2158 int rc = -1; 2159 2160 if (type == EXT4_FS) { 2161 args[0] = "/system/bin/make_ext4fs"; 2162 args[1] = "-a"; 2163 args[2] = "/data"; 2164 args[3] = "-l"; 2165 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2166 args[4] = size_str; 2167 args[5] = crypto_blkdev; 2168 num_args = 6; 2169 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2170 args[0], args[1], args[2], args[3], args[4], args[5]); 2171 } else if (type == F2FS_FS) { 2172 args[0] = "/system/bin/mkfs.f2fs"; 2173 args[1] = "-t"; 2174 args[2] = "-d1"; 2175 args[3] = crypto_blkdev; 2176 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2177 args[4] = size_str; 2178 num_args = 5; 2179 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2180 args[0], args[1], args[2], args[3], args[4]); 2181 } else { 2182 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2183 return -1; 2184 } 2185 2186 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2187 2188 if (tmp != 0) { 2189 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2190 } else { 2191 if (WIFEXITED(status)) { 2192 if (WEXITSTATUS(status)) { 2193 SLOGE("Error creating filesystem on %s, exit status %d ", 2194 crypto_blkdev, WEXITSTATUS(status)); 2195 } else { 2196 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2197 rc = 0; 2198 } 2199 } else { 2200 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2201 } 2202 } 2203 2204 return rc; 2205} 2206 2207#define CRYPT_INPLACE_BUFSIZE 4096 2208#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2209#define CRYPT_SECTOR_SIZE 512 2210 2211/* aligned 32K writes tends to make flash happy. 2212 * SD card association recommends it. 2213 */ 2214#ifndef CONFIG_HW_DISK_ENCRYPTION 2215#define BLOCKS_AT_A_TIME 8 2216#else 2217#define BLOCKS_AT_A_TIME 1024 2218#endif 2219 2220struct encryptGroupsData 2221{ 2222 int realfd; 2223 int cryptofd; 2224 off64_t numblocks; 2225 off64_t one_pct, cur_pct, new_pct; 2226 off64_t blocks_already_done, tot_numblocks; 2227 off64_t used_blocks_already_done, tot_used_blocks; 2228 char* real_blkdev, * crypto_blkdev; 2229 int count; 2230 off64_t offset; 2231 char* buffer; 2232 off64_t last_written_sector; 2233 int completed; 2234 time_t time_started; 2235 int remaining_time; 2236}; 2237 2238static void update_progress(struct encryptGroupsData* data, int is_used) 2239{ 2240 data->blocks_already_done++; 2241 2242 if (is_used) { 2243 data->used_blocks_already_done++; 2244 } 2245 if (data->tot_used_blocks) { 2246 data->new_pct = data->used_blocks_already_done / data->one_pct; 2247 } else { 2248 data->new_pct = data->blocks_already_done / data->one_pct; 2249 } 2250 2251 if (data->new_pct > data->cur_pct) { 2252 char buf[8]; 2253 data->cur_pct = data->new_pct; 2254 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2255 property_set("vold.encrypt_progress", buf); 2256 } 2257 2258 if (data->cur_pct >= 5) { 2259 struct timespec time_now; 2260 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2261 SLOGW("Error getting time"); 2262 } else { 2263 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2264 off64_t remaining_blocks = data->tot_used_blocks 2265 - data->used_blocks_already_done; 2266 int remaining_time = (int)(elapsed_time * remaining_blocks 2267 / data->used_blocks_already_done); 2268 2269 // Change time only if not yet set, lower, or a lot higher for 2270 // best user experience 2271 if (data->remaining_time == -1 2272 || remaining_time < data->remaining_time 2273 || remaining_time > data->remaining_time + 60) { 2274 char buf[8]; 2275 snprintf(buf, sizeof(buf), "%d", remaining_time); 2276 property_set("vold.encrypt_time_remaining", buf); 2277 data->remaining_time = remaining_time; 2278 } 2279 } 2280 } 2281} 2282 2283static void log_progress(struct encryptGroupsData const* data, bool completed) 2284{ 2285 // Precondition - if completed data = 0 else data != 0 2286 2287 // Track progress so we can skip logging blocks 2288 static off64_t offset = -1; 2289 2290 // Need to close existing 'Encrypting from' log? 2291 if (completed || (offset != -1 && data->offset != offset)) { 2292 SLOGI("Encrypted to sector %" PRId64, 2293 offset / info.block_size * CRYPT_SECTOR_SIZE); 2294 offset = -1; 2295 } 2296 2297 // Need to start new 'Encrypting from' log? 2298 if (!completed && offset != data->offset) { 2299 SLOGI("Encrypting from sector %" PRId64, 2300 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2301 } 2302 2303 // Update offset 2304 if (!completed) { 2305 offset = data->offset + (off64_t)data->count * info.block_size; 2306 } 2307} 2308 2309static int flush_outstanding_data(struct encryptGroupsData* data) 2310{ 2311 if (data->count == 0) { 2312 return 0; 2313 } 2314 2315 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2316 2317 if (pread64(data->realfd, data->buffer, 2318 info.block_size * data->count, data->offset) 2319 <= 0) { 2320 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2321 data->real_blkdev); 2322 return -1; 2323 } 2324 2325 if (pwrite64(data->cryptofd, data->buffer, 2326 info.block_size * data->count, data->offset) 2327 <= 0) { 2328 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2329 data->crypto_blkdev); 2330 return -1; 2331 } else { 2332 log_progress(data, false); 2333 } 2334 2335 data->count = 0; 2336 data->last_written_sector = (data->offset + data->count) 2337 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2338 return 0; 2339} 2340 2341static int encrypt_groups(struct encryptGroupsData* data) 2342{ 2343 unsigned int i; 2344 u8 *block_bitmap = 0; 2345 unsigned int block; 2346 off64_t ret; 2347 int rc = -1; 2348 2349 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2350 if (!data->buffer) { 2351 SLOGE("Failed to allocate crypto buffer"); 2352 goto errout; 2353 } 2354 2355 block_bitmap = malloc(info.block_size); 2356 if (!block_bitmap) { 2357 SLOGE("failed to allocate block bitmap"); 2358 goto errout; 2359 } 2360 2361 for (i = 0; i < aux_info.groups; ++i) { 2362 SLOGI("Encrypting group %d", i); 2363 2364 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2365 u32 block_count = min(info.blocks_per_group, 2366 aux_info.len_blocks - first_block); 2367 2368 off64_t offset = (u64)info.block_size 2369 * aux_info.bg_desc[i].bg_block_bitmap; 2370 2371 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2372 if (ret != (int)info.block_size) { 2373 SLOGE("failed to read all of block group bitmap %d", i); 2374 goto errout; 2375 } 2376 2377 offset = (u64)info.block_size * first_block; 2378 2379 data->count = 0; 2380 2381 for (block = 0; block < block_count; block++) { 2382 int used = bitmap_get_bit(block_bitmap, block); 2383 update_progress(data, used); 2384 if (used) { 2385 if (data->count == 0) { 2386 data->offset = offset; 2387 } 2388 data->count++; 2389 } else { 2390 if (flush_outstanding_data(data)) { 2391 goto errout; 2392 } 2393 } 2394 2395 offset += info.block_size; 2396 2397 /* Write data if we are aligned or buffer size reached */ 2398 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2399 || data->count == BLOCKS_AT_A_TIME) { 2400 if (flush_outstanding_data(data)) { 2401 goto errout; 2402 } 2403 } 2404 2405 if (!is_battery_ok_to_continue()) { 2406 SLOGE("Stopping encryption due to low battery"); 2407 rc = 0; 2408 goto errout; 2409 } 2410 2411 } 2412 if (flush_outstanding_data(data)) { 2413 goto errout; 2414 } 2415 } 2416 2417 data->completed = 1; 2418 rc = 0; 2419 2420errout: 2421 log_progress(0, true); 2422 free(data->buffer); 2423 free(block_bitmap); 2424 return rc; 2425} 2426 2427static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2428 char *real_blkdev, 2429 off64_t size, 2430 off64_t *size_already_done, 2431 off64_t tot_size, 2432 off64_t previously_encrypted_upto) 2433{ 2434 u32 i; 2435 struct encryptGroupsData data; 2436 int rc; // Can't initialize without causing warning -Wclobbered 2437 2438 if (previously_encrypted_upto > *size_already_done) { 2439 SLOGD("Not fast encrypting since resuming part way through"); 2440 return -1; 2441 } 2442 2443 memset(&data, 0, sizeof(data)); 2444 data.real_blkdev = real_blkdev; 2445 data.crypto_blkdev = crypto_blkdev; 2446 2447 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2448 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2449 real_blkdev, errno, strerror(errno)); 2450 rc = -1; 2451 goto errout; 2452 } 2453 2454 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2455 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2456 crypto_blkdev, errno, strerror(errno)); 2457 rc = ENABLE_INPLACE_ERR_DEV; 2458 goto errout; 2459 } 2460 2461 if (setjmp(setjmp_env)) { 2462 SLOGE("Reading ext4 extent caused an exception\n"); 2463 rc = -1; 2464 goto errout; 2465 } 2466 2467 if (read_ext(data.realfd, 0) != 0) { 2468 SLOGE("Failed to read ext4 extent\n"); 2469 rc = -1; 2470 goto errout; 2471 } 2472 2473 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2474 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2475 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2476 2477 SLOGI("Encrypting ext4 filesystem in place..."); 2478 2479 data.tot_used_blocks = data.numblocks; 2480 for (i = 0; i < aux_info.groups; ++i) { 2481 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2482 } 2483 2484 data.one_pct = data.tot_used_blocks / 100; 2485 data.cur_pct = 0; 2486 2487 struct timespec time_started = {0}; 2488 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2489 SLOGW("Error getting time at start"); 2490 // Note - continue anyway - we'll run with 0 2491 } 2492 data.time_started = time_started.tv_sec; 2493 data.remaining_time = -1; 2494 2495 rc = encrypt_groups(&data); 2496 if (rc) { 2497 SLOGE("Error encrypting groups"); 2498 goto errout; 2499 } 2500 2501 *size_already_done += data.completed ? size : data.last_written_sector; 2502 rc = 0; 2503 2504errout: 2505 close(data.realfd); 2506 close(data.cryptofd); 2507 2508 return rc; 2509} 2510 2511static void log_progress_f2fs(u64 block, bool completed) 2512{ 2513 // Precondition - if completed data = 0 else data != 0 2514 2515 // Track progress so we can skip logging blocks 2516 static u64 last_block = (u64)-1; 2517 2518 // Need to close existing 'Encrypting from' log? 2519 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2520 SLOGI("Encrypted to block %" PRId64, last_block); 2521 last_block = -1; 2522 } 2523 2524 // Need to start new 'Encrypting from' log? 2525 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2526 SLOGI("Encrypting from block %" PRId64, block); 2527 } 2528 2529 // Update offset 2530 if (!completed) { 2531 last_block = block; 2532 } 2533} 2534 2535static int encrypt_one_block_f2fs(u64 pos, void *data) 2536{ 2537 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2538 2539 priv_dat->blocks_already_done = pos - 1; 2540 update_progress(priv_dat, 1); 2541 2542 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2543 2544 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2545 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2546 return -1; 2547 } 2548 2549 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2550 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2551 return -1; 2552 } else { 2553 log_progress_f2fs(pos, false); 2554 } 2555 2556 return 0; 2557} 2558 2559static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2560 char *real_blkdev, 2561 off64_t size, 2562 off64_t *size_already_done, 2563 off64_t tot_size, 2564 off64_t previously_encrypted_upto) 2565{ 2566 struct encryptGroupsData data; 2567 struct f2fs_info *f2fs_info = NULL; 2568 int rc = ENABLE_INPLACE_ERR_OTHER; 2569 if (previously_encrypted_upto > *size_already_done) { 2570 SLOGD("Not fast encrypting since resuming part way through"); 2571 return ENABLE_INPLACE_ERR_OTHER; 2572 } 2573 memset(&data, 0, sizeof(data)); 2574 data.real_blkdev = real_blkdev; 2575 data.crypto_blkdev = crypto_blkdev; 2576 data.realfd = -1; 2577 data.cryptofd = -1; 2578 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2579 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2580 real_blkdev); 2581 goto errout; 2582 } 2583 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2584 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2585 crypto_blkdev, errno, strerror(errno)); 2586 rc = ENABLE_INPLACE_ERR_DEV; 2587 goto errout; 2588 } 2589 2590 f2fs_info = generate_f2fs_info(data.realfd); 2591 if (!f2fs_info) 2592 goto errout; 2593 2594 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2595 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2596 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2597 2598 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2599 2600 data.one_pct = data.tot_used_blocks / 100; 2601 data.cur_pct = 0; 2602 data.time_started = time(NULL); 2603 data.remaining_time = -1; 2604 2605 data.buffer = malloc(f2fs_info->block_size); 2606 if (!data.buffer) { 2607 SLOGE("Failed to allocate crypto buffer"); 2608 goto errout; 2609 } 2610 2611 data.count = 0; 2612 2613 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2614 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2615 2616 if (rc) { 2617 SLOGE("Error in running over f2fs blocks"); 2618 rc = ENABLE_INPLACE_ERR_OTHER; 2619 goto errout; 2620 } 2621 2622 *size_already_done += size; 2623 rc = 0; 2624 2625errout: 2626 if (rc) 2627 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2628 2629 log_progress_f2fs(0, true); 2630 free(f2fs_info); 2631 free(data.buffer); 2632 close(data.realfd); 2633 close(data.cryptofd); 2634 2635 return rc; 2636} 2637 2638static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2639 off64_t size, off64_t *size_already_done, 2640 off64_t tot_size, 2641 off64_t previously_encrypted_upto) 2642{ 2643 int realfd, cryptofd; 2644 char *buf[CRYPT_INPLACE_BUFSIZE]; 2645 int rc = ENABLE_INPLACE_ERR_OTHER; 2646 off64_t numblocks, i, remainder; 2647 off64_t one_pct, cur_pct, new_pct; 2648 off64_t blocks_already_done, tot_numblocks; 2649 2650 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) { 2651 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2652 return ENABLE_INPLACE_ERR_OTHER; 2653 } 2654 2655 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2656 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2657 crypto_blkdev, errno, strerror(errno)); 2658 close(realfd); 2659 return ENABLE_INPLACE_ERR_DEV; 2660 } 2661 2662 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2663 * The size passed in is the number of 512 byte sectors in the filesystem. 2664 * So compute the number of whole 4K blocks we should read/write, 2665 * and the remainder. 2666 */ 2667 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2668 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2669 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2670 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2671 2672 SLOGE("Encrypting filesystem in place..."); 2673 2674 i = previously_encrypted_upto + 1 - *size_already_done; 2675 2676 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2677 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2678 goto errout; 2679 } 2680 2681 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2682 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2683 goto errout; 2684 } 2685 2686 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2687 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2688 SLOGE("Error reading initial sectors from real_blkdev %s for " 2689 "inplace encrypt\n", crypto_blkdev); 2690 goto errout; 2691 } 2692 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2693 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2694 "inplace encrypt\n", crypto_blkdev); 2695 goto errout; 2696 } else { 2697 SLOGI("Encrypted 1 block at %" PRId64, i); 2698 } 2699 } 2700 2701 one_pct = tot_numblocks / 100; 2702 cur_pct = 0; 2703 /* process the majority of the filesystem in blocks */ 2704 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2705 new_pct = (i + blocks_already_done) / one_pct; 2706 if (new_pct > cur_pct) { 2707 char buf[8]; 2708 2709 cur_pct = new_pct; 2710 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2711 property_set("vold.encrypt_progress", buf); 2712 } 2713 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2714 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2715 goto errout; 2716 } 2717 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2718 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2719 goto errout; 2720 } else { 2721 SLOGD("Encrypted %d block at %" PRId64, 2722 CRYPT_SECTORS_PER_BUFSIZE, 2723 i * CRYPT_SECTORS_PER_BUFSIZE); 2724 } 2725 2726 if (!is_battery_ok_to_continue()) { 2727 SLOGE("Stopping encryption due to low battery"); 2728 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2729 rc = 0; 2730 goto errout; 2731 } 2732 } 2733 2734 /* Do any remaining sectors */ 2735 for (i=0; i<remainder; i++) { 2736 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2737 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2738 goto errout; 2739 } 2740 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2741 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2742 goto errout; 2743 } else { 2744 SLOGI("Encrypted 1 block at next location"); 2745 } 2746 } 2747 2748 *size_already_done += size; 2749 rc = 0; 2750 2751errout: 2752 close(realfd); 2753 close(cryptofd); 2754 2755 return rc; 2756} 2757 2758/* returns on of the ENABLE_INPLACE_* return codes */ 2759static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2760 off64_t size, off64_t *size_already_done, 2761 off64_t tot_size, 2762 off64_t previously_encrypted_upto) 2763{ 2764 int rc_ext4, rc_f2fs, rc_full; 2765 if (previously_encrypted_upto) { 2766 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2767 } 2768 2769 if (*size_already_done + size < previously_encrypted_upto) { 2770 *size_already_done += size; 2771 return 0; 2772 } 2773 2774 /* TODO: identify filesystem type. 2775 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2776 * then we will drop down to cryptfs_enable_inplace_f2fs. 2777 * */ 2778 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2779 size, size_already_done, 2780 tot_size, previously_encrypted_upto)) == 0) { 2781 return 0; 2782 } 2783 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2784 2785 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2786 size, size_already_done, 2787 tot_size, previously_encrypted_upto)) == 0) { 2788 return 0; 2789 } 2790 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2791 2792 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2793 size, size_already_done, tot_size, 2794 previously_encrypted_upto); 2795 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2796 2797 /* Hack for b/17898962, the following is the symptom... */ 2798 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2799 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2800 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2801 return ENABLE_INPLACE_ERR_DEV; 2802 } 2803 return rc_full; 2804} 2805 2806#define CRYPTO_ENABLE_WIPE 1 2807#define CRYPTO_ENABLE_INPLACE 2 2808 2809#define FRAMEWORK_BOOT_WAIT 60 2810 2811static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2812{ 2813 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2814 if (fd == -1) { 2815 SLOGE("Error opening file %s", filename); 2816 return -1; 2817 } 2818 2819 char block[CRYPT_INPLACE_BUFSIZE]; 2820 memset(block, 0, sizeof(block)); 2821 if (unix_read(fd, block, sizeof(block)) < 0) { 2822 SLOGE("Error reading file %s", filename); 2823 close(fd); 2824 return -1; 2825 } 2826 2827 close(fd); 2828 2829 SHA256_CTX c; 2830 SHA256_Init(&c); 2831 SHA256_Update(&c, block, sizeof(block)); 2832 SHA256_Final(buf, &c); 2833 2834 return 0; 2835} 2836 2837static int get_fs_type(struct fstab_rec *rec) 2838{ 2839 if (!strcmp(rec->fs_type, "ext4")) { 2840 return EXT4_FS; 2841 } else if (!strcmp(rec->fs_type, "f2fs")) { 2842 return F2FS_FS; 2843 } else { 2844 return -1; 2845 } 2846} 2847 2848static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2849 char *crypto_blkdev, char *real_blkdev, 2850 int previously_encrypted_upto) 2851{ 2852 off64_t cur_encryption_done=0, tot_encryption_size=0; 2853 int rc = -1; 2854 2855 if (!is_battery_ok_to_start()) { 2856 SLOGW("Not starting encryption due to low battery"); 2857 return 0; 2858 } 2859 2860 /* The size of the userdata partition, and add in the vold volumes below */ 2861 tot_encryption_size = crypt_ftr->fs_size; 2862 2863 if (how == CRYPTO_ENABLE_WIPE) { 2864 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2865 int fs_type = get_fs_type(rec); 2866 if (fs_type < 0) { 2867 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2868 return -1; 2869 } 2870 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2871 } else if (how == CRYPTO_ENABLE_INPLACE) { 2872 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2873 crypt_ftr->fs_size, &cur_encryption_done, 2874 tot_encryption_size, 2875 previously_encrypted_upto); 2876 2877 if (rc == ENABLE_INPLACE_ERR_DEV) { 2878 /* Hack for b/17898962 */ 2879 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2880 cryptfs_reboot(reboot); 2881 } 2882 2883 if (!rc) { 2884 crypt_ftr->encrypted_upto = cur_encryption_done; 2885 } 2886 2887 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2888 /* The inplace routine never actually sets the progress to 100% due 2889 * to the round down nature of integer division, so set it here */ 2890 property_set("vold.encrypt_progress", "100"); 2891 } 2892 } else { 2893 /* Shouldn't happen */ 2894 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2895 rc = -1; 2896 } 2897 2898 return rc; 2899} 2900 2901int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2902 int allow_reboot) 2903{ 2904 int how = 0; 2905 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2906 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2907 int rc=-1, i; 2908 struct crypt_mnt_ftr crypt_ftr; 2909 struct crypt_persist_data *pdata; 2910 char encrypted_state[PROPERTY_VALUE_MAX]; 2911 char lockid[32] = { 0 }; 2912 char key_loc[PROPERTY_VALUE_MAX]; 2913 int num_vols; 2914 off64_t previously_encrypted_upto = 0; 2915 2916 if (!strcmp(howarg, "wipe")) { 2917 how = CRYPTO_ENABLE_WIPE; 2918 } else if (! strcmp(howarg, "inplace")) { 2919 how = CRYPTO_ENABLE_INPLACE; 2920 } else { 2921 /* Shouldn't happen, as CommandListener vets the args */ 2922 goto error_unencrypted; 2923 } 2924 2925 /* See if an encryption was underway and interrupted */ 2926 if (how == CRYPTO_ENABLE_INPLACE 2927 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2928 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2929 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2930 crypt_ftr.encrypted_upto = 0; 2931 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2932 2933 /* At this point, we are in an inconsistent state. Until we successfully 2934 complete encryption, a reboot will leave us broken. So mark the 2935 encryption failed in case that happens. 2936 On successfully completing encryption, remove this flag */ 2937 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2938 2939 put_crypt_ftr_and_key(&crypt_ftr); 2940 } 2941 2942 property_get("ro.crypto.state", encrypted_state, ""); 2943 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2944 SLOGE("Device is already running encrypted, aborting"); 2945 goto error_unencrypted; 2946 } 2947 2948 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2949 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2950 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2951 2952 /* Get the size of the real block device */ 2953 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 2954 if (fd == -1) { 2955 SLOGE("Cannot open block device %s\n", real_blkdev); 2956 goto error_unencrypted; 2957 } 2958 unsigned long nr_sec; 2959 get_blkdev_size(fd, &nr_sec); 2960 if (nr_sec == 0) { 2961 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2962 goto error_unencrypted; 2963 } 2964 close(fd); 2965 2966 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2967 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2968 unsigned int fs_size_sec, max_fs_size_sec; 2969 fs_size_sec = get_fs_size(real_blkdev); 2970 if (fs_size_sec == 0) 2971 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2972 2973 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2974 2975 if (fs_size_sec > max_fs_size_sec) { 2976 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2977 goto error_unencrypted; 2978 } 2979 } 2980 2981 /* Get a wakelock as this may take a while, and we don't want the 2982 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2983 * wants to keep the screen on, it can grab a full wakelock. 2984 */ 2985 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2986 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2987 2988 /* The init files are setup to stop the class main and late start when 2989 * vold sets trigger_shutdown_framework. 2990 */ 2991 property_set("vold.decrypt", "trigger_shutdown_framework"); 2992 SLOGD("Just asked init to shut down class main\n"); 2993 2994 /* Ask vold to unmount all devices that it manages */ 2995 if (vold_unmountAll()) { 2996 SLOGE("Failed to unmount all vold managed devices"); 2997 } 2998 2999 /* Now unmount the /data partition. */ 3000 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3001 if (allow_reboot) { 3002 goto error_shutting_down; 3003 } else { 3004 goto error_unencrypted; 3005 } 3006 } 3007 3008 /* Do extra work for a better UX when doing the long inplace encryption */ 3009 if (how == CRYPTO_ENABLE_INPLACE) { 3010 /* Now that /data is unmounted, we need to mount a tmpfs 3011 * /data, set a property saying we're doing inplace encryption, 3012 * and restart the framework. 3013 */ 3014 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3015 goto error_shutting_down; 3016 } 3017 /* Tells the framework that inplace encryption is starting */ 3018 property_set("vold.encrypt_progress", "0"); 3019 3020 /* restart the framework. */ 3021 /* Create necessary paths on /data */ 3022 if (prep_data_fs()) { 3023 goto error_shutting_down; 3024 } 3025 3026 /* Ugh, shutting down the framework is not synchronous, so until it 3027 * can be fixed, this horrible hack will wait a moment for it all to 3028 * shut down before proceeding. Without it, some devices cannot 3029 * restart the graphics services. 3030 */ 3031 sleep(2); 3032 } 3033 3034 /* Start the actual work of making an encrypted filesystem */ 3035 /* Initialize a crypt_mnt_ftr for the partition */ 3036 if (previously_encrypted_upto == 0) { 3037 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3038 goto error_shutting_down; 3039 } 3040 3041 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3042 crypt_ftr.fs_size = nr_sec 3043 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3044 } else { 3045 crypt_ftr.fs_size = nr_sec; 3046 } 3047 /* At this point, we are in an inconsistent state. Until we successfully 3048 complete encryption, a reboot will leave us broken. So mark the 3049 encryption failed in case that happens. 3050 On successfully completing encryption, remove this flag */ 3051 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3052 crypt_ftr.crypt_type = crypt_type; 3053#ifndef CONFIG_HW_DISK_ENCRYPTION 3054 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3055#else 3056 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3057 3058 rc = clear_hw_device_encryption_key(); 3059 if (!rc) { 3060 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3061 } 3062 3063 rc = set_hw_device_encryption_key(passwd, 3064 (char*) crypt_ftr.crypto_type_name); 3065 if (!rc) { 3066 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3067 goto error_shutting_down; 3068 } 3069#endif 3070 3071 /* Make an encrypted master key */ 3072 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3073 SLOGE("Cannot create encrypted master key\n"); 3074 goto error_shutting_down; 3075 } 3076 3077 /* Write the key to the end of the partition */ 3078 put_crypt_ftr_and_key(&crypt_ftr); 3079 3080 /* If any persistent data has been remembered, save it. 3081 * If none, create a valid empty table and save that. 3082 */ 3083 if (!persist_data) { 3084 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3085 if (pdata) { 3086 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3087 persist_data = pdata; 3088 } 3089 } 3090 if (persist_data) { 3091 save_persistent_data(); 3092 } 3093 } 3094 3095 if (how == CRYPTO_ENABLE_INPLACE) { 3096 /* startup service classes main and late_start */ 3097 property_set("vold.decrypt", "trigger_restart_min_framework"); 3098 SLOGD("Just triggered restart_min_framework\n"); 3099 3100 /* OK, the framework is restarted and will soon be showing a 3101 * progress bar. Time to setup an encrypted mapping, and 3102 * either write a new filesystem, or encrypt in place updating 3103 * the progress bar as we work. 3104 */ 3105 } 3106 3107 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3108 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3109 "userdata"); 3110 3111 /* If we are continuing, check checksums match */ 3112 rc = 0; 3113 if (previously_encrypted_upto) { 3114 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3115 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3116 3117 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3118 sizeof(hash_first_block)) != 0) { 3119 SLOGE("Checksums do not match - trigger wipe"); 3120 rc = -1; 3121 } 3122 } 3123 3124 if (!rc) { 3125 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3126 crypto_blkdev, real_blkdev, 3127 previously_encrypted_upto); 3128 } 3129 3130 /* Calculate checksum if we are not finished */ 3131 if (!rc && how == CRYPTO_ENABLE_INPLACE 3132 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3133 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3134 crypt_ftr.hash_first_block); 3135 if (rc) { 3136 SLOGE("Error calculating checksum for continuing encryption"); 3137 rc = -1; 3138 } 3139 } 3140 3141 /* Undo the dm-crypt mapping whether we succeed or not */ 3142 delete_crypto_blk_dev("userdata"); 3143 3144 if (! rc) { 3145 /* Success */ 3146 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3147 3148 if (how == CRYPTO_ENABLE_INPLACE 3149 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3150 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3151 crypt_ftr.encrypted_upto); 3152 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3153 } 3154 3155 put_crypt_ftr_and_key(&crypt_ftr); 3156 3157 if (how == CRYPTO_ENABLE_WIPE 3158 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3159 char value[PROPERTY_VALUE_MAX]; 3160 property_get("ro.crypto.state", value, ""); 3161 if (!strcmp(value, "")) { 3162 /* default encryption - continue first boot sequence */ 3163 property_set("ro.crypto.state", "encrypted"); 3164 release_wake_lock(lockid); 3165 cryptfs_check_passwd(DEFAULT_PASSWORD); 3166 cryptfs_restart_internal(1); 3167 return 0; 3168 } else { 3169 sleep(2); /* Give the UI a chance to show 100% progress */ 3170 cryptfs_reboot(reboot); 3171 } 3172 } else { 3173 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3174 cryptfs_reboot(shutdown); 3175 } 3176 } else { 3177 char value[PROPERTY_VALUE_MAX]; 3178 3179 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3180 if (!strcmp(value, "1")) { 3181 /* wipe data if encryption failed */ 3182 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3183 mkdir("/cache/recovery", 0700); 3184 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600); 3185 if (fd >= 0) { 3186 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3187 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3188 close(fd); 3189 } else { 3190 SLOGE("could not open /cache/recovery/command\n"); 3191 } 3192 cryptfs_reboot(recovery); 3193 } else { 3194 /* set property to trigger dialog */ 3195 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3196 release_wake_lock(lockid); 3197 } 3198 return -1; 3199 } 3200 3201 /* hrm, the encrypt step claims success, but the reboot failed. 3202 * This should not happen. 3203 * Set the property and return. Hope the framework can deal with it. 3204 */ 3205 property_set("vold.encrypt_progress", "error_reboot_failed"); 3206 release_wake_lock(lockid); 3207 return rc; 3208 3209error_unencrypted: 3210 property_set("vold.encrypt_progress", "error_not_encrypted"); 3211 if (lockid[0]) { 3212 release_wake_lock(lockid); 3213 } 3214 return -1; 3215 3216error_shutting_down: 3217 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3218 * but the framework is stopped and not restarted to show the error, so it's up to 3219 * vold to restart the system. 3220 */ 3221 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3222 cryptfs_reboot(reboot); 3223 3224 /* shouldn't get here */ 3225 property_set("vold.encrypt_progress", "error_shutting_down"); 3226 if (lockid[0]) { 3227 release_wake_lock(lockid); 3228 } 3229 return -1; 3230} 3231 3232int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3233{ 3234 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3235} 3236 3237int cryptfs_enable_default(char *howarg, int allow_reboot) 3238{ 3239 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3240 DEFAULT_PASSWORD, allow_reboot); 3241} 3242 3243int cryptfs_changepw(int crypt_type, const char *newpw) 3244{ 3245 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3246 return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw); 3247 } 3248 3249 struct crypt_mnt_ftr crypt_ftr; 3250 int rc; 3251 3252 /* This is only allowed after we've successfully decrypted the master key */ 3253 if (!master_key_saved) { 3254 SLOGE("Key not saved, aborting"); 3255 return -1; 3256 } 3257 3258 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3259 SLOGE("Invalid crypt_type %d", crypt_type); 3260 return -1; 3261 } 3262 3263 /* get key */ 3264 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3265 SLOGE("Error getting crypt footer and key"); 3266 return -1; 3267 } 3268 3269 crypt_ftr.crypt_type = crypt_type; 3270 3271 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3272 : newpw, 3273 crypt_ftr.salt, 3274 saved_master_key, 3275 crypt_ftr.master_key, 3276 &crypt_ftr); 3277 if (rc) { 3278 SLOGE("Encrypt master key failed: %d", rc); 3279 return -1; 3280 } 3281 /* save the key */ 3282 put_crypt_ftr_and_key(&crypt_ftr); 3283 3284#ifdef CONFIG_HW_DISK_ENCRYPTION 3285 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3286 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3287 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3288 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3289 if (!rc) 3290 return -1; 3291 } else { 3292 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3293 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3294 if (!rc) 3295 return -1; 3296 } 3297 } 3298#endif 3299 return 0; 3300} 3301 3302static unsigned int persist_get_max_entries(int encrypted) { 3303 struct crypt_mnt_ftr crypt_ftr; 3304 unsigned int dsize; 3305 unsigned int max_persistent_entries; 3306 3307 /* If encrypted, use the values from the crypt_ftr, otherwise 3308 * use the values for the current spec. 3309 */ 3310 if (encrypted) { 3311 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3312 return -1; 3313 } 3314 dsize = crypt_ftr.persist_data_size; 3315 } else { 3316 dsize = CRYPT_PERSIST_DATA_SIZE; 3317 } 3318 3319 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3320 sizeof(struct crypt_persist_entry); 3321 3322 return max_persistent_entries; 3323} 3324 3325static int persist_get_key(const char *fieldname, char *value) 3326{ 3327 unsigned int i; 3328 3329 if (persist_data == NULL) { 3330 return -1; 3331 } 3332 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3333 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3334 /* We found it! */ 3335 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3336 return 0; 3337 } 3338 } 3339 3340 return -1; 3341} 3342 3343static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3344{ 3345 unsigned int i; 3346 unsigned int num; 3347 unsigned int max_persistent_entries; 3348 3349 if (persist_data == NULL) { 3350 return -1; 3351 } 3352 3353 max_persistent_entries = persist_get_max_entries(encrypted); 3354 3355 num = persist_data->persist_valid_entries; 3356 3357 for (i = 0; i < num; i++) { 3358 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3359 /* We found an existing entry, update it! */ 3360 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3361 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3362 return 0; 3363 } 3364 } 3365 3366 /* We didn't find it, add it to the end, if there is room */ 3367 if (persist_data->persist_valid_entries < max_persistent_entries) { 3368 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3369 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3370 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3371 persist_data->persist_valid_entries++; 3372 return 0; 3373 } 3374 3375 return -1; 3376} 3377 3378/** 3379 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3380 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3381 */ 3382static int match_multi_entry(const char *key, const char *field, unsigned index) { 3383 unsigned int field_len; 3384 unsigned int key_index; 3385 field_len = strlen(field); 3386 3387 if (index == 0) { 3388 // The first key in a multi-entry field is just the filedname itself. 3389 if (!strcmp(key, field)) { 3390 return 1; 3391 } 3392 } 3393 // Match key against "%s_%d" % (field, index) 3394 if (strlen(key) < field_len + 1 + 1) { 3395 // Need at least a '_' and a digit. 3396 return 0; 3397 } 3398 if (strncmp(key, field, field_len)) { 3399 // If the key does not begin with field, it's not a match. 3400 return 0; 3401 } 3402 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3403 return 0; 3404 } 3405 return key_index >= index; 3406} 3407 3408/* 3409 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3410 * remaining entries starting from index will be deleted. 3411 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3412 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3413 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3414 * 3415 */ 3416static int persist_del_keys(const char *fieldname, unsigned index) 3417{ 3418 unsigned int i; 3419 unsigned int j; 3420 unsigned int num; 3421 3422 if (persist_data == NULL) { 3423 return PERSIST_DEL_KEY_ERROR_OTHER; 3424 } 3425 3426 num = persist_data->persist_valid_entries; 3427 3428 j = 0; // points to the end of non-deleted entries. 3429 // Filter out to-be-deleted entries in place. 3430 for (i = 0; i < num; i++) { 3431 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3432 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3433 j++; 3434 } 3435 } 3436 3437 if (j < num) { 3438 persist_data->persist_valid_entries = j; 3439 // Zeroise the remaining entries 3440 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3441 return PERSIST_DEL_KEY_OK; 3442 } else { 3443 // Did not find an entry matching the given fieldname 3444 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3445 } 3446} 3447 3448static int persist_count_keys(const char *fieldname) 3449{ 3450 unsigned int i; 3451 unsigned int count; 3452 3453 if (persist_data == NULL) { 3454 return -1; 3455 } 3456 3457 count = 0; 3458 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3459 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3460 count++; 3461 } 3462 } 3463 3464 return count; 3465} 3466 3467/* Return the value of the specified field. */ 3468int cryptfs_getfield(const char *fieldname, char *value, int len) 3469{ 3470 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3471 return e4crypt_get_field(DATA_MNT_POINT, fieldname, value, len); 3472 } 3473 3474 char temp_value[PROPERTY_VALUE_MAX]; 3475 /* CRYPTO_GETFIELD_OK is success, 3476 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3477 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3478 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3479 */ 3480 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3481 int i; 3482 char temp_field[PROPERTY_KEY_MAX]; 3483 3484 if (persist_data == NULL) { 3485 load_persistent_data(); 3486 if (persist_data == NULL) { 3487 SLOGE("Getfield error, cannot load persistent data"); 3488 goto out; 3489 } 3490 } 3491 3492 // Read value from persistent entries. If the original value is split into multiple entries, 3493 // stitch them back together. 3494 if (!persist_get_key(fieldname, temp_value)) { 3495 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3496 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3497 // value too small 3498 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3499 goto out; 3500 } 3501 rc = CRYPTO_GETFIELD_OK; 3502 3503 for (i = 1; /* break explicitly */; i++) { 3504 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3505 (int) sizeof(temp_field)) { 3506 // If the fieldname is very long, we stop as soon as it begins to overflow the 3507 // maximum field length. At this point we have in fact fully read out the original 3508 // value because cryptfs_setfield would not allow fields with longer names to be 3509 // written in the first place. 3510 break; 3511 } 3512 if (!persist_get_key(temp_field, temp_value)) { 3513 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3514 // value too small. 3515 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3516 goto out; 3517 } 3518 } else { 3519 // Exhaust all entries. 3520 break; 3521 } 3522 } 3523 } else { 3524 /* Sadness, it's not there. Return the error */ 3525 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3526 } 3527 3528out: 3529 return rc; 3530} 3531 3532/* Set the value of the specified field. */ 3533int cryptfs_setfield(const char *fieldname, const char *value) 3534{ 3535 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3536 return e4crypt_set_field(DATA_MNT_POINT, fieldname, value); 3537 } 3538 3539 char encrypted_state[PROPERTY_VALUE_MAX]; 3540 /* 0 is success, negative values are error */ 3541 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3542 int encrypted = 0; 3543 unsigned int field_id; 3544 char temp_field[PROPERTY_KEY_MAX]; 3545 unsigned int num_entries; 3546 unsigned int max_keylen; 3547 3548 if (persist_data == NULL) { 3549 load_persistent_data(); 3550 if (persist_data == NULL) { 3551 SLOGE("Setfield error, cannot load persistent data"); 3552 goto out; 3553 } 3554 } 3555 3556 property_get("ro.crypto.state", encrypted_state, ""); 3557 if (!strcmp(encrypted_state, "encrypted") ) { 3558 encrypted = 1; 3559 } 3560 3561 // Compute the number of entries required to store value, each entry can store up to 3562 // (PROPERTY_VALUE_MAX - 1) chars 3563 if (strlen(value) == 0) { 3564 // Empty value also needs one entry to store. 3565 num_entries = 1; 3566 } else { 3567 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3568 } 3569 3570 max_keylen = strlen(fieldname); 3571 if (num_entries > 1) { 3572 // Need an extra "_%d" suffix. 3573 max_keylen += 1 + log10(num_entries); 3574 } 3575 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3576 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3577 goto out; 3578 } 3579 3580 // Make sure we have enough space to write the new value 3581 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3582 persist_get_max_entries(encrypted)) { 3583 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3584 goto out; 3585 } 3586 3587 // Now that we know persist_data has enough space for value, let's delete the old field first 3588 // to make up space. 3589 persist_del_keys(fieldname, 0); 3590 3591 if (persist_set_key(fieldname, value, encrypted)) { 3592 // fail to set key, should not happen as we have already checked the available space 3593 SLOGE("persist_set_key() error during setfield()"); 3594 goto out; 3595 } 3596 3597 for (field_id = 1; field_id < num_entries; field_id++) { 3598 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3599 3600 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3601 // fail to set key, should not happen as we have already checked the available space. 3602 SLOGE("persist_set_key() error during setfield()"); 3603 goto out; 3604 } 3605 } 3606 3607 /* If we are running encrypted, save the persistent data now */ 3608 if (encrypted) { 3609 if (save_persistent_data()) { 3610 SLOGE("Setfield error, cannot save persistent data"); 3611 goto out; 3612 } 3613 } 3614 3615 rc = CRYPTO_SETFIELD_OK; 3616 3617out: 3618 return rc; 3619} 3620 3621/* Checks userdata. Attempt to mount the volume if default- 3622 * encrypted. 3623 * On success trigger next init phase and return 0. 3624 * Currently do not handle failure - see TODO below. 3625 */ 3626int cryptfs_mount_default_encrypted(void) 3627{ 3628 char decrypt_state[PROPERTY_VALUE_MAX]; 3629 property_get("vold.decrypt", decrypt_state, "0"); 3630 if (!strcmp(decrypt_state, "0")) { 3631 SLOGE("Not encrypted - should not call here"); 3632 } else { 3633 int crypt_type = cryptfs_get_password_type(); 3634 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3635 SLOGE("Bad crypt type - error"); 3636 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3637 SLOGD("Password is not default - " 3638 "starting min framework to prompt"); 3639 property_set("vold.decrypt", "trigger_restart_min_framework"); 3640 return 0; 3641 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3642 SLOGD("Password is default - restarting filesystem"); 3643 cryptfs_restart_internal(0); 3644 return 0; 3645 } else { 3646 SLOGE("Encrypted, default crypt type but can't decrypt"); 3647 } 3648 } 3649 3650 /** Corrupt. Allow us to boot into framework, which will detect bad 3651 crypto when it calls do_crypto_complete, then do a factory reset 3652 */ 3653 property_set("vold.decrypt", "trigger_restart_min_framework"); 3654 return 0; 3655} 3656 3657/* Returns type of the password, default, pattern, pin or password. 3658 */ 3659int cryptfs_get_password_type(void) 3660{ 3661 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3662 return e4crypt_get_password_type(DATA_MNT_POINT); 3663 } 3664 3665 struct crypt_mnt_ftr crypt_ftr; 3666 3667 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3668 SLOGE("Error getting crypt footer and key\n"); 3669 return -1; 3670 } 3671 3672 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3673 return -1; 3674 } 3675 3676 return crypt_ftr.crypt_type; 3677} 3678 3679const char* cryptfs_get_password() 3680{ 3681 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3682 return e4crypt_get_password(DATA_MNT_POINT); 3683 } 3684 3685 struct timespec now; 3686 clock_gettime(CLOCK_BOOTTIME, &now); 3687 if (now.tv_sec < password_expiry_time) { 3688 return password; 3689 } else { 3690 cryptfs_clear_password(); 3691 return 0; 3692 } 3693} 3694 3695void cryptfs_clear_password() 3696{ 3697 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3698 e4crypt_clear_password(DATA_MNT_POINT); 3699 } 3700 3701 if (password) { 3702 size_t len = strlen(password); 3703 memset(password, 0, len); 3704 free(password); 3705 password = 0; 3706 password_expiry_time = 0; 3707 } 3708} 3709 3710int cryptfs_enable_file() 3711{ 3712 return e4crypt_enable(DATA_MNT_POINT); 3713} 3714 3715int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) 3716{ 3717 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { 3718 SLOGE("Failed to initialize crypt_ftr"); 3719 return -1; 3720 } 3721 3722 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, 3723 crypt_ftr->salt, crypt_ftr)) { 3724 SLOGE("Cannot create encrypted master key\n"); 3725 return -1; 3726 } 3727 3728 //crypt_ftr->keysize = key_length / 8; 3729 return 0; 3730} 3731 3732int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, 3733 unsigned char* master_key) 3734{ 3735 int rc; 3736 3737 unsigned char* intermediate_key = 0; 3738 size_t intermediate_key_size = 0; 3739 3740 if (password == 0 || *password == 0) { 3741 password = DEFAULT_PASSWORD; 3742 } 3743 3744 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, 3745 &intermediate_key_size); 3746 3747 int N = 1 << ftr->N_factor; 3748 int r = 1 << ftr->r_factor; 3749 int p = 1 << ftr->p_factor; 3750 3751 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)]; 3752 3753 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 3754 ftr->salt, sizeof(ftr->salt), N, r, p, 3755 scrypted_intermediate_key, 3756 sizeof(scrypted_intermediate_key)); 3757 3758 free(intermediate_key); 3759 3760 if (rc) { 3761 SLOGE("Can't calculate intermediate key"); 3762 return rc; 3763 } 3764 3765 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key, 3766 intermediate_key_size); 3767} 3768 3769int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password, 3770 const unsigned char* master_key) 3771{ 3772 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key, 3773 ftr); 3774} 3775