cryptfs.c revision e22b21af3a4d7729c23f559add26bc4f78cbaab1
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "ext4_utils.h" 57#include "f2fs_sparseblock.h" 58#include "CheckBattery.h" 59#include "Process.h" 60 61#include <hardware/keymaster.h> 62 63#define UNUSED __attribute__((unused)) 64 65#define UNUSED __attribute__((unused)) 66 67#ifdef CONFIG_HW_DISK_ENCRYPTION 68#include "cryptfs_hw.h" 69#endif 70 71#define DM_CRYPT_BUF_SIZE 4096 72 73#define HASH_COUNT 2000 74#define KEY_LEN_BYTES 16 75#define IV_LEN_BYTES 16 76 77#define KEY_IN_FOOTER "footer" 78 79// "default_password" encoded into hex (d=0x64 etc) 80#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 81 82#define EXT4_FS 1 83#define F2FS_FS 2 84 85#define TABLE_LOAD_RETRIES 10 86 87#define RSA_KEY_SIZE 2048 88#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 89#define RSA_EXPONENT 0x10001 90 91#define RETRY_MOUNT_ATTEMPTS 10 92#define RETRY_MOUNT_DELAY_SECONDS 1 93 94char *me = "cryptfs"; 95 96static unsigned char saved_master_key[KEY_LEN_BYTES]; 97static char *saved_mount_point; 98static int master_key_saved = 0; 99static struct crypt_persist_data *persist_data = NULL; 100 101static int keymaster_init(keymaster_device_t **keymaster_dev) 102{ 103 int rc; 104 105 const hw_module_t* mod; 106 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 107 if (rc) { 108 ALOGE("could not find any keystore module"); 109 goto out; 110 } 111 112 rc = keymaster_open(mod, keymaster_dev); 113 if (rc) { 114 ALOGE("could not open keymaster device in %s (%s)", 115 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 116 goto out; 117 } 118 119 return 0; 120 121out: 122 *keymaster_dev = NULL; 123 return rc; 124} 125 126/* Should we use keymaster? */ 127static int keymaster_check_compatibility() 128{ 129 keymaster_device_t *keymaster_dev = 0; 130 int rc = 0; 131 132 if (keymaster_init(&keymaster_dev)) { 133 SLOGE("Failed to init keymaster"); 134 rc = -1; 135 goto out; 136 } 137 138 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 139 140 if (keymaster_dev->common.module->module_api_version 141 < KEYMASTER_MODULE_API_VERSION_0_3) { 142 rc = 0; 143 goto out; 144 } 145 146 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 147 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 148 rc = 1; 149 } 150 151out: 152 keymaster_close(keymaster_dev); 153 return rc; 154} 155 156/* Create a new keymaster key and store it in this footer */ 157static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 158{ 159 uint8_t* key = 0; 160 keymaster_device_t *keymaster_dev = 0; 161 162 if (keymaster_init(&keymaster_dev)) { 163 SLOGE("Failed to init keymaster"); 164 return -1; 165 } 166 167 int rc = 0; 168 169 keymaster_rsa_keygen_params_t params; 170 memset(¶ms, '\0', sizeof(params)); 171 params.public_exponent = RSA_EXPONENT; 172 params.modulus_size = RSA_KEY_SIZE; 173 174 size_t key_size; 175 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 176 &key, &key_size)) { 177 SLOGE("Failed to generate keypair"); 178 rc = -1; 179 goto out; 180 } 181 182 if (key_size > KEYMASTER_BLOB_SIZE) { 183 SLOGE("Keymaster key too large for crypto footer"); 184 rc = -1; 185 goto out; 186 } 187 188 memcpy(ftr->keymaster_blob, key, key_size); 189 ftr->keymaster_blob_size = key_size; 190 191out: 192 keymaster_close(keymaster_dev); 193 free(key); 194 return rc; 195} 196 197/* This signs the given object using the keymaster key. */ 198static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 199 const unsigned char *object, 200 const size_t object_size, 201 unsigned char **signature, 202 size_t *signature_size) 203{ 204 int rc = 0; 205 keymaster_device_t *keymaster_dev = 0; 206 if (keymaster_init(&keymaster_dev)) { 207 SLOGE("Failed to init keymaster"); 208 return -1; 209 } 210 211 /* We currently set the digest type to DIGEST_NONE because it's the 212 * only supported value for keymaster. A similar issue exists with 213 * PADDING_NONE. Long term both of these should likely change. 214 */ 215 keymaster_rsa_sign_params_t params; 216 params.digest_type = DIGEST_NONE; 217 params.padding_type = PADDING_NONE; 218 219 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 220 size_t to_sign_size = sizeof(to_sign); 221 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 222 223 // To sign a message with RSA, the message must satisfy two 224 // constraints: 225 // 226 // 1. The message, when interpreted as a big-endian numeric value, must 227 // be strictly less than the public modulus of the RSA key. Note 228 // that because the most significant bit of the public modulus is 229 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 230 // key), an n-bit message with most significant bit 0 always 231 // satisfies this requirement. 232 // 233 // 2. The message must have the same length in bits as the public 234 // modulus of the RSA key. This requirement isn't mathematically 235 // necessary, but is necessary to ensure consistency in 236 // implementations. 237 switch (ftr->kdf_type) { 238 case KDF_SCRYPT_KEYMASTER_UNPADDED: 239 // This is broken: It produces a message which is shorter than 240 // the public modulus, failing criterion 2. 241 memcpy(to_sign, object, object_size); 242 to_sign_size = object_size; 243 SLOGI("Signing unpadded object"); 244 break; 245 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 246 // This is broken: Since the value of object is uniformly 247 // distributed, it produces a message that is larger than the 248 // public modulus with probability 0.25. 249 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 250 SLOGI("Signing end-padded object"); 251 break; 252 case KDF_SCRYPT_KEYMASTER: 253 // This ensures the most significant byte of the signed message 254 // is zero. We could have zero-padded to the left instead, but 255 // this approach is slightly more robust against changes in 256 // object size. However, it's still broken (but not unusably 257 // so) because we really should be using a proper RSA padding 258 // function, such as OAEP. 259 // 260 // TODO(paullawrence): When keymaster 0.4 is available, change 261 // this to use the padding options it provides. 262 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 263 SLOGI("Signing safely-padded object"); 264 break; 265 default: 266 SLOGE("Unknown KDF type %d", ftr->kdf_type); 267 return -1; 268 } 269 270 rc = keymaster_dev->sign_data(keymaster_dev, 271 ¶ms, 272 ftr->keymaster_blob, 273 ftr->keymaster_blob_size, 274 to_sign, 275 to_sign_size, 276 signature, 277 signature_size); 278 279 keymaster_close(keymaster_dev); 280 return rc; 281} 282 283/* Store password when userdata is successfully decrypted and mounted. 284 * Cleared by cryptfs_clear_password 285 * 286 * To avoid a double prompt at boot, we need to store the CryptKeeper 287 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 288 * Since the entire framework is torn down and rebuilt after encryption, 289 * we have to use a daemon or similar to store the password. Since vold 290 * is secured against IPC except from system processes, it seems a reasonable 291 * place to store this. 292 * 293 * password should be cleared once it has been used. 294 * 295 * password is aged out after password_max_age_seconds seconds. 296 */ 297static char* password = 0; 298static int password_expiry_time = 0; 299static const int password_max_age_seconds = 60; 300 301extern struct fstab *fstab; 302 303enum RebootType {reboot, recovery, shutdown}; 304static void cryptfs_reboot(enum RebootType rt) 305{ 306 switch(rt) { 307 case reboot: 308 property_set(ANDROID_RB_PROPERTY, "reboot"); 309 break; 310 311 case recovery: 312 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 313 break; 314 315 case shutdown: 316 property_set(ANDROID_RB_PROPERTY, "shutdown"); 317 break; 318 } 319 320 sleep(20); 321 322 /* Shouldn't get here, reboot should happen before sleep times out */ 323 return; 324} 325 326static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 327{ 328 memset(io, 0, dataSize); 329 io->data_size = dataSize; 330 io->data_start = sizeof(struct dm_ioctl); 331 io->version[0] = 4; 332 io->version[1] = 0; 333 io->version[2] = 0; 334 io->flags = flags; 335 if (name) { 336 strncpy(io->name, name, sizeof(io->name)); 337 } 338} 339 340/** 341 * Gets the default device scrypt parameters for key derivation time tuning. 342 * The parameters should lead to about one second derivation time for the 343 * given device. 344 */ 345static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 346 const int default_params[] = SCRYPT_DEFAULTS; 347 int params[] = SCRYPT_DEFAULTS; 348 char paramstr[PROPERTY_VALUE_MAX]; 349 char *token; 350 char *saveptr; 351 int i; 352 353 property_get(SCRYPT_PROP, paramstr, ""); 354 if (paramstr[0] != '\0') { 355 /* 356 * The token we're looking for should be three integers separated by 357 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 358 */ 359 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 360 token != NULL && i < 3; 361 i++, token = strtok_r(NULL, ":", &saveptr)) { 362 char *endptr; 363 params[i] = strtol(token, &endptr, 10); 364 365 /* 366 * Check that there was a valid number and it's 8-bit. If not, 367 * break out and the end check will take the default values. 368 */ 369 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 370 break; 371 } 372 } 373 374 /* 375 * If there were not enough tokens or a token was malformed (not an 376 * integer), it will end up here and the default parameters can be 377 * taken. 378 */ 379 if ((i != 3) || (token != NULL)) { 380 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 381 memcpy(params, default_params, sizeof(params)); 382 } 383 } 384 385 ftr->N_factor = params[0]; 386 ftr->r_factor = params[1]; 387 ftr->p_factor = params[2]; 388} 389 390static unsigned int get_fs_size(char *dev) 391{ 392 int fd, block_size; 393 struct ext4_super_block sb; 394 off64_t len; 395 396 if ((fd = open(dev, O_RDONLY)) < 0) { 397 SLOGE("Cannot open device to get filesystem size "); 398 return 0; 399 } 400 401 if (lseek64(fd, 1024, SEEK_SET) < 0) { 402 SLOGE("Cannot seek to superblock"); 403 return 0; 404 } 405 406 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 407 SLOGE("Cannot read superblock"); 408 return 0; 409 } 410 411 close(fd); 412 413 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 414 SLOGE("Not a valid ext4 superblock"); 415 return 0; 416 } 417 block_size = 1024 << sb.s_log_block_size; 418 /* compute length in bytes */ 419 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 420 421 /* return length in sectors */ 422 return (unsigned int) (len / 512); 423} 424 425static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 426{ 427 static int cached_data = 0; 428 static off64_t cached_off = 0; 429 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 430 int fd; 431 char key_loc[PROPERTY_VALUE_MAX]; 432 char real_blkdev[PROPERTY_VALUE_MAX]; 433 unsigned int nr_sec; 434 int rc = -1; 435 436 if (!cached_data) { 437 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 438 439 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 440 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 441 SLOGE("Cannot open real block device %s\n", real_blkdev); 442 return -1; 443 } 444 445 if ((nr_sec = get_blkdev_size(fd))) { 446 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 447 * encryption info footer and key, and plenty of bytes to spare for future 448 * growth. 449 */ 450 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 451 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 452 cached_data = 1; 453 } else { 454 SLOGE("Cannot get size of block device %s\n", real_blkdev); 455 } 456 close(fd); 457 } else { 458 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 459 cached_off = 0; 460 cached_data = 1; 461 } 462 } 463 464 if (cached_data) { 465 if (metadata_fname) { 466 *metadata_fname = cached_metadata_fname; 467 } 468 if (off) { 469 *off = cached_off; 470 } 471 rc = 0; 472 } 473 474 return rc; 475} 476 477/* key or salt can be NULL, in which case just skip writing that value. Useful to 478 * update the failed mount count but not change the key. 479 */ 480static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 481{ 482 int fd; 483 unsigned int cnt; 484 /* starting_off is set to the SEEK_SET offset 485 * where the crypto structure starts 486 */ 487 off64_t starting_off; 488 int rc = -1; 489 char *fname = NULL; 490 struct stat statbuf; 491 492 if (get_crypt_ftr_info(&fname, &starting_off)) { 493 SLOGE("Unable to get crypt_ftr_info\n"); 494 return -1; 495 } 496 if (fname[0] != '/') { 497 SLOGE("Unexpected value for crypto key location\n"); 498 return -1; 499 } 500 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 501 SLOGE("Cannot open footer file %s for put\n", fname); 502 return -1; 503 } 504 505 /* Seek to the start of the crypt footer */ 506 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 507 SLOGE("Cannot seek to real block device footer\n"); 508 goto errout; 509 } 510 511 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 512 SLOGE("Cannot write real block device footer\n"); 513 goto errout; 514 } 515 516 fstat(fd, &statbuf); 517 /* If the keys are kept on a raw block device, do not try to truncate it. */ 518 if (S_ISREG(statbuf.st_mode)) { 519 if (ftruncate(fd, 0x4000)) { 520 SLOGE("Cannot set footer file size\n"); 521 goto errout; 522 } 523 } 524 525 /* Success! */ 526 rc = 0; 527 528errout: 529 close(fd); 530 return rc; 531 532} 533 534static inline int unix_read(int fd, void* buff, int len) 535{ 536 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 537} 538 539static inline int unix_write(int fd, const void* buff, int len) 540{ 541 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 542} 543 544static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 545{ 546 memset(pdata, 0, len); 547 pdata->persist_magic = PERSIST_DATA_MAGIC; 548 pdata->persist_valid_entries = 0; 549} 550 551/* A routine to update the passed in crypt_ftr to the lastest version. 552 * fd is open read/write on the device that holds the crypto footer and persistent 553 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 554 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 555 */ 556static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 557{ 558 int orig_major = crypt_ftr->major_version; 559 int orig_minor = crypt_ftr->minor_version; 560 561 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 562 struct crypt_persist_data *pdata; 563 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 564 565 SLOGW("upgrading crypto footer to 1.1"); 566 567 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 568 if (pdata == NULL) { 569 SLOGE("Cannot allocate persisent data\n"); 570 return; 571 } 572 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 573 574 /* Need to initialize the persistent data area */ 575 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 576 SLOGE("Cannot seek to persisent data offset\n"); 577 free(pdata); 578 return; 579 } 580 /* Write all zeros to the first copy, making it invalid */ 581 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 582 583 /* Write a valid but empty structure to the second copy */ 584 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 585 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 586 587 /* Update the footer */ 588 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 589 crypt_ftr->persist_data_offset[0] = pdata_offset; 590 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 591 crypt_ftr->minor_version = 1; 592 free(pdata); 593 } 594 595 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 596 SLOGW("upgrading crypto footer to 1.2"); 597 /* But keep the old kdf_type. 598 * It will get updated later to KDF_SCRYPT after the password has been verified. 599 */ 600 crypt_ftr->kdf_type = KDF_PBKDF2; 601 get_device_scrypt_params(crypt_ftr); 602 crypt_ftr->minor_version = 2; 603 } 604 605 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 606 SLOGW("upgrading crypto footer to 1.3"); 607 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 608 crypt_ftr->minor_version = 3; 609 } 610 611 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 612 if (lseek64(fd, offset, SEEK_SET) == -1) { 613 SLOGE("Cannot seek to crypt footer\n"); 614 return; 615 } 616 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 617 } 618} 619 620 621static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 622{ 623 int fd; 624 unsigned int cnt; 625 off64_t starting_off; 626 int rc = -1; 627 char *fname = NULL; 628 struct stat statbuf; 629 630 if (get_crypt_ftr_info(&fname, &starting_off)) { 631 SLOGE("Unable to get crypt_ftr_info\n"); 632 return -1; 633 } 634 if (fname[0] != '/') { 635 SLOGE("Unexpected value for crypto key location\n"); 636 return -1; 637 } 638 if ( (fd = open(fname, O_RDWR)) < 0) { 639 SLOGE("Cannot open footer file %s for get\n", fname); 640 return -1; 641 } 642 643 /* Make sure it's 16 Kbytes in length */ 644 fstat(fd, &statbuf); 645 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 646 SLOGE("footer file %s is not the expected size!\n", fname); 647 goto errout; 648 } 649 650 /* Seek to the start of the crypt footer */ 651 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 652 SLOGE("Cannot seek to real block device footer\n"); 653 goto errout; 654 } 655 656 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 657 SLOGE("Cannot read real block device footer\n"); 658 goto errout; 659 } 660 661 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 662 SLOGE("Bad magic for real block device %s\n", fname); 663 goto errout; 664 } 665 666 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 667 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 668 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 669 goto errout; 670 } 671 672 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 673 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 674 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 675 } 676 677 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 678 * copy on disk before returning. 679 */ 680 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 681 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 682 } 683 684 /* Success! */ 685 rc = 0; 686 687errout: 688 close(fd); 689 return rc; 690} 691 692static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 693{ 694 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 695 crypt_ftr->persist_data_offset[1]) { 696 SLOGE("Crypt_ftr persist data regions overlap"); 697 return -1; 698 } 699 700 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 701 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 702 return -1; 703 } 704 705 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 706 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 707 CRYPT_FOOTER_OFFSET) { 708 SLOGE("Persistent data extends past crypto footer"); 709 return -1; 710 } 711 712 return 0; 713} 714 715static int load_persistent_data(void) 716{ 717 struct crypt_mnt_ftr crypt_ftr; 718 struct crypt_persist_data *pdata = NULL; 719 char encrypted_state[PROPERTY_VALUE_MAX]; 720 char *fname; 721 int found = 0; 722 int fd; 723 int ret; 724 int i; 725 726 if (persist_data) { 727 /* Nothing to do, we've already loaded or initialized it */ 728 return 0; 729 } 730 731 732 /* If not encrypted, just allocate an empty table and initialize it */ 733 property_get("ro.crypto.state", encrypted_state, ""); 734 if (strcmp(encrypted_state, "encrypted") ) { 735 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 736 if (pdata) { 737 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 738 persist_data = pdata; 739 return 0; 740 } 741 return -1; 742 } 743 744 if(get_crypt_ftr_and_key(&crypt_ftr)) { 745 return -1; 746 } 747 748 if ((crypt_ftr.major_version < 1) 749 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 750 SLOGE("Crypt_ftr version doesn't support persistent data"); 751 return -1; 752 } 753 754 if (get_crypt_ftr_info(&fname, NULL)) { 755 return -1; 756 } 757 758 ret = validate_persistent_data_storage(&crypt_ftr); 759 if (ret) { 760 return -1; 761 } 762 763 fd = open(fname, O_RDONLY); 764 if (fd < 0) { 765 SLOGE("Cannot open %s metadata file", fname); 766 return -1; 767 } 768 769 if (persist_data == NULL) { 770 pdata = malloc(crypt_ftr.persist_data_size); 771 if (pdata == NULL) { 772 SLOGE("Cannot allocate memory for persistent data"); 773 goto err; 774 } 775 } 776 777 for (i = 0; i < 2; i++) { 778 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 779 SLOGE("Cannot seek to read persistent data on %s", fname); 780 goto err2; 781 } 782 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 783 SLOGE("Error reading persistent data on iteration %d", i); 784 goto err2; 785 } 786 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 787 found = 1; 788 break; 789 } 790 } 791 792 if (!found) { 793 SLOGI("Could not find valid persistent data, creating"); 794 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 795 } 796 797 /* Success */ 798 persist_data = pdata; 799 close(fd); 800 return 0; 801 802err2: 803 free(pdata); 804 805err: 806 close(fd); 807 return -1; 808} 809 810static int save_persistent_data(void) 811{ 812 struct crypt_mnt_ftr crypt_ftr; 813 struct crypt_persist_data *pdata; 814 char *fname; 815 off64_t write_offset; 816 off64_t erase_offset; 817 int fd; 818 int ret; 819 820 if (persist_data == NULL) { 821 SLOGE("No persistent data to save"); 822 return -1; 823 } 824 825 if(get_crypt_ftr_and_key(&crypt_ftr)) { 826 return -1; 827 } 828 829 if ((crypt_ftr.major_version < 1) 830 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 831 SLOGE("Crypt_ftr version doesn't support persistent data"); 832 return -1; 833 } 834 835 ret = validate_persistent_data_storage(&crypt_ftr); 836 if (ret) { 837 return -1; 838 } 839 840 if (get_crypt_ftr_info(&fname, NULL)) { 841 return -1; 842 } 843 844 fd = open(fname, O_RDWR); 845 if (fd < 0) { 846 SLOGE("Cannot open %s metadata file", fname); 847 return -1; 848 } 849 850 pdata = malloc(crypt_ftr.persist_data_size); 851 if (pdata == NULL) { 852 SLOGE("Cannot allocate persistant data"); 853 goto err; 854 } 855 856 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 857 SLOGE("Cannot seek to read persistent data on %s", fname); 858 goto err2; 859 } 860 861 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 862 SLOGE("Error reading persistent data before save"); 863 goto err2; 864 } 865 866 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 867 /* The first copy is the curent valid copy, so write to 868 * the second copy and erase this one */ 869 write_offset = crypt_ftr.persist_data_offset[1]; 870 erase_offset = crypt_ftr.persist_data_offset[0]; 871 } else { 872 /* The second copy must be the valid copy, so write to 873 * the first copy, and erase the second */ 874 write_offset = crypt_ftr.persist_data_offset[0]; 875 erase_offset = crypt_ftr.persist_data_offset[1]; 876 } 877 878 /* Write the new copy first, if successful, then erase the old copy */ 879 if (lseek(fd, write_offset, SEEK_SET) < 0) { 880 SLOGE("Cannot seek to write persistent data"); 881 goto err2; 882 } 883 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 884 (int) crypt_ftr.persist_data_size) { 885 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 886 SLOGE("Cannot seek to erase previous persistent data"); 887 goto err2; 888 } 889 fsync(fd); 890 memset(pdata, 0, crypt_ftr.persist_data_size); 891 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 892 (int) crypt_ftr.persist_data_size) { 893 SLOGE("Cannot write to erase previous persistent data"); 894 goto err2; 895 } 896 fsync(fd); 897 } else { 898 SLOGE("Cannot write to save persistent data"); 899 goto err2; 900 } 901 902 /* Success */ 903 free(pdata); 904 close(fd); 905 return 0; 906 907err2: 908 free(pdata); 909err: 910 close(fd); 911 return -1; 912} 913 914static int hexdigit (char c) 915{ 916 if (c >= '0' && c <= '9') return c - '0'; 917 c = tolower(c); 918 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 919 return -1; 920} 921 922static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 923 unsigned int* out_keysize) 924{ 925 unsigned int i; 926 *out_keysize = 0; 927 928 size_t size = strlen (master_key_ascii); 929 if (size % 2) { 930 SLOGE("Trying to convert ascii string of odd length"); 931 return NULL; 932 } 933 934 unsigned char* master_key = (unsigned char*) malloc(size / 2); 935 if (master_key == 0) { 936 SLOGE("Cannot allocate"); 937 return NULL; 938 } 939 940 for (i = 0; i < size; i += 2) { 941 int high_nibble = hexdigit (master_key_ascii[i]); 942 int low_nibble = hexdigit (master_key_ascii[i + 1]); 943 944 if(high_nibble < 0 || low_nibble < 0) { 945 SLOGE("Invalid hex string"); 946 free (master_key); 947 return NULL; 948 } 949 950 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 951 (*out_keysize)++; 952 } 953 954 return master_key; 955} 956 957/* Convert a binary key of specified length into an ascii hex string equivalent, 958 * without the leading 0x and with null termination 959 */ 960static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 961 char *master_key_ascii) 962{ 963 unsigned int i, a; 964 unsigned char nibble; 965 966 for (i=0, a=0; i<keysize; i++, a+=2) { 967 /* For each byte, write out two ascii hex digits */ 968 nibble = (master_key[i] >> 4) & 0xf; 969 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 970 971 nibble = master_key[i] & 0xf; 972 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 973 } 974 975 /* Add the null termination */ 976 master_key_ascii[a] = '\0'; 977 978} 979 980static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 981 char *real_blk_name, const char *name, int fd, 982 char *extra_params) 983{ 984 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 985 struct dm_ioctl *io; 986 struct dm_target_spec *tgt; 987 char *crypt_params; 988 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 989 int i; 990 991 io = (struct dm_ioctl *) buffer; 992 993 /* Load the mapping table for this device */ 994 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 995 996 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 997 io->target_count = 1; 998 tgt->status = 0; 999 tgt->sector_start = 0; 1000 tgt->length = crypt_ftr->fs_size; 1001#ifdef CONFIG_HW_DISK_ENCRYPTION 1002 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1003 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1004 } 1005 else { 1006 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1007 } 1008#else 1009 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1010#endif 1011 1012 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1013 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1014 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1015 master_key_ascii, real_blk_name, extra_params); 1016 crypt_params += strlen(crypt_params) + 1; 1017 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1018 tgt->next = crypt_params - buffer; 1019 1020 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1021 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1022 break; 1023 } 1024 usleep(500000); 1025 } 1026 1027 if (i == TABLE_LOAD_RETRIES) { 1028 /* We failed to load the table, return an error */ 1029 return -1; 1030 } else { 1031 return i + 1; 1032 } 1033} 1034 1035 1036static int get_dm_crypt_version(int fd, const char *name, int *version) 1037{ 1038 char buffer[DM_CRYPT_BUF_SIZE]; 1039 struct dm_ioctl *io; 1040 struct dm_target_versions *v; 1041 1042 io = (struct dm_ioctl *) buffer; 1043 1044 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1045 1046 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1047 return -1; 1048 } 1049 1050 /* Iterate over the returned versions, looking for name of "crypt". 1051 * When found, get and return the version. 1052 */ 1053 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1054 while (v->next) { 1055#ifdef CONFIG_HW_DISK_ENCRYPTION 1056 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1057#else 1058 if (! strcmp(v->name, "crypt")) { 1059#endif 1060 /* We found the crypt driver, return the version, and get out */ 1061 version[0] = v->version[0]; 1062 version[1] = v->version[1]; 1063 version[2] = v->version[2]; 1064 return 0; 1065 } 1066 v = (struct dm_target_versions *)(((char *)v) + v->next); 1067 } 1068 1069 return -1; 1070} 1071 1072static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1073 char *real_blk_name, char *crypto_blk_name, const char *name) 1074{ 1075 char buffer[DM_CRYPT_BUF_SIZE]; 1076 struct dm_ioctl *io; 1077 unsigned int minor; 1078 int fd=0; 1079 int retval = -1; 1080 int version[3]; 1081 char *extra_params; 1082 int load_count; 1083 1084 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1085 SLOGE("Cannot open device-mapper\n"); 1086 goto errout; 1087 } 1088 1089 io = (struct dm_ioctl *) buffer; 1090 1091 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1092 if (ioctl(fd, DM_DEV_CREATE, io)) { 1093 SLOGE("Cannot create dm-crypt device\n"); 1094 goto errout; 1095 } 1096 1097 /* Get the device status, in particular, the name of it's device file */ 1098 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1099 if (ioctl(fd, DM_DEV_STATUS, io)) { 1100 SLOGE("Cannot retrieve dm-crypt device status\n"); 1101 goto errout; 1102 } 1103 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1104 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1105 1106 extra_params = ""; 1107 if (! get_dm_crypt_version(fd, name, version)) { 1108 /* Support for allow_discards was added in version 1.11.0 */ 1109 if ((version[0] >= 2) || 1110 ((version[0] == 1) && (version[1] >= 11))) { 1111 extra_params = "1 allow_discards"; 1112 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1113 } 1114 } 1115 1116 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1117 fd, extra_params); 1118 if (load_count < 0) { 1119 SLOGE("Cannot load dm-crypt mapping table.\n"); 1120 goto errout; 1121 } else if (load_count > 1) { 1122 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1123 } 1124 1125 /* Resume this device to activate it */ 1126 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1127 1128 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1129 SLOGE("Cannot resume the dm-crypt device\n"); 1130 goto errout; 1131 } 1132 1133 /* We made it here with no errors. Woot! */ 1134 retval = 0; 1135 1136errout: 1137 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1138 1139 return retval; 1140} 1141 1142static int delete_crypto_blk_dev(char *name) 1143{ 1144 int fd; 1145 char buffer[DM_CRYPT_BUF_SIZE]; 1146 struct dm_ioctl *io; 1147 int retval = -1; 1148 1149 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1150 SLOGE("Cannot open device-mapper\n"); 1151 goto errout; 1152 } 1153 1154 io = (struct dm_ioctl *) buffer; 1155 1156 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1157 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1158 SLOGE("Cannot remove dm-crypt device\n"); 1159 goto errout; 1160 } 1161 1162 /* We made it here with no errors. Woot! */ 1163 retval = 0; 1164 1165errout: 1166 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1167 1168 return retval; 1169 1170} 1171 1172static int pbkdf2(const char *passwd, const unsigned char *salt, 1173 unsigned char *ikey, void *params UNUSED) 1174{ 1175 SLOGI("Using pbkdf2 for cryptfs KDF"); 1176 1177 /* Turn the password into a key and IV that can decrypt the master key */ 1178 unsigned int keysize; 1179 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1180 if (!master_key) return -1; 1181 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1182 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1183 1184 memset(master_key, 0, keysize); 1185 free (master_key); 1186 return 0; 1187} 1188 1189static int scrypt(const char *passwd, const unsigned char *salt, 1190 unsigned char *ikey, void *params) 1191{ 1192 SLOGI("Using scrypt for cryptfs KDF"); 1193 1194 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1195 1196 int N = 1 << ftr->N_factor; 1197 int r = 1 << ftr->r_factor; 1198 int p = 1 << ftr->p_factor; 1199 1200 /* Turn the password into a key and IV that can decrypt the master key */ 1201 unsigned int keysize; 1202 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1203 if (!master_key) return -1; 1204 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1205 KEY_LEN_BYTES + IV_LEN_BYTES); 1206 1207 memset(master_key, 0, keysize); 1208 free (master_key); 1209 return 0; 1210} 1211 1212static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1213 unsigned char *ikey, void *params) 1214{ 1215 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1216 1217 int rc; 1218 unsigned int key_size; 1219 size_t signature_size; 1220 unsigned char* signature; 1221 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1222 1223 int N = 1 << ftr->N_factor; 1224 int r = 1 << ftr->r_factor; 1225 int p = 1 << ftr->p_factor; 1226 1227 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1228 if (!master_key) { 1229 SLOGE("Failed to convert passwd from hex"); 1230 return -1; 1231 } 1232 1233 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1234 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1235 memset(master_key, 0, key_size); 1236 free(master_key); 1237 1238 if (rc) { 1239 SLOGE("scrypt failed"); 1240 return -1; 1241 } 1242 1243 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1244 &signature, &signature_size)) { 1245 SLOGE("Signing failed"); 1246 return -1; 1247 } 1248 1249 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1250 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1251 free(signature); 1252 1253 if (rc) { 1254 SLOGE("scrypt failed"); 1255 return -1; 1256 } 1257 1258 return 0; 1259} 1260 1261static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1262 const unsigned char *decrypted_master_key, 1263 unsigned char *encrypted_master_key, 1264 struct crypt_mnt_ftr *crypt_ftr) 1265{ 1266 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1267 EVP_CIPHER_CTX e_ctx; 1268 int encrypted_len, final_len; 1269 int rc = 0; 1270 1271 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1272 get_device_scrypt_params(crypt_ftr); 1273 1274 switch (crypt_ftr->kdf_type) { 1275 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1276 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1277 case KDF_SCRYPT_KEYMASTER: 1278 if (keymaster_create_key(crypt_ftr)) { 1279 SLOGE("keymaster_create_key failed"); 1280 return -1; 1281 } 1282 1283 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1284 SLOGE("scrypt failed"); 1285 return -1; 1286 } 1287 break; 1288 1289 case KDF_SCRYPT: 1290 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1291 SLOGE("scrypt failed"); 1292 return -1; 1293 } 1294 break; 1295 1296 default: 1297 SLOGE("Invalid kdf_type"); 1298 return -1; 1299 } 1300 1301 /* Initialize the decryption engine */ 1302 EVP_CIPHER_CTX_init(&e_ctx); 1303 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1304 SLOGE("EVP_EncryptInit failed\n"); 1305 return -1; 1306 } 1307 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1308 1309 /* Encrypt the master key */ 1310 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1311 decrypted_master_key, KEY_LEN_BYTES)) { 1312 SLOGE("EVP_EncryptUpdate failed\n"); 1313 return -1; 1314 } 1315 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1316 SLOGE("EVP_EncryptFinal failed\n"); 1317 return -1; 1318 } 1319 1320 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1321 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1322 return -1; 1323 } 1324 1325 /* Store the scrypt of the intermediate key, so we can validate if it's a 1326 password error or mount error when things go wrong. 1327 Note there's no need to check for errors, since if this is incorrect, we 1328 simply won't wipe userdata, which is the correct default behavior 1329 */ 1330 int N = 1 << crypt_ftr->N_factor; 1331 int r = 1 << crypt_ftr->r_factor; 1332 int p = 1 << crypt_ftr->p_factor; 1333 1334 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1335 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1336 crypt_ftr->scrypted_intermediate_key, 1337 sizeof(crypt_ftr->scrypted_intermediate_key)); 1338 1339 if (rc) { 1340 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1341 } 1342 1343 return 0; 1344} 1345 1346static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1347 unsigned char *encrypted_master_key, 1348 unsigned char *decrypted_master_key, 1349 kdf_func kdf, void *kdf_params, 1350 unsigned char** intermediate_key, 1351 size_t* intermediate_key_size) 1352{ 1353 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1354 EVP_CIPHER_CTX d_ctx; 1355 int decrypted_len, final_len; 1356 1357 /* Turn the password into an intermediate key and IV that can decrypt the 1358 master key */ 1359 if (kdf(passwd, salt, ikey, kdf_params)) { 1360 SLOGE("kdf failed"); 1361 return -1; 1362 } 1363 1364 /* Initialize the decryption engine */ 1365 EVP_CIPHER_CTX_init(&d_ctx); 1366 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1367 return -1; 1368 } 1369 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1370 /* Decrypt the master key */ 1371 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1372 encrypted_master_key, KEY_LEN_BYTES)) { 1373 return -1; 1374 } 1375 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1376 return -1; 1377 } 1378 1379 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1380 return -1; 1381 } 1382 1383 /* Copy intermediate key if needed by params */ 1384 if (intermediate_key && intermediate_key_size) { 1385 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1386 if (intermediate_key) { 1387 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1388 *intermediate_key_size = KEY_LEN_BYTES; 1389 } 1390 } 1391 1392 return 0; 1393} 1394 1395static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1396{ 1397 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1398 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1399 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1400 *kdf = scrypt_keymaster; 1401 *kdf_params = ftr; 1402 } else if (ftr->kdf_type == KDF_SCRYPT) { 1403 *kdf = scrypt; 1404 *kdf_params = ftr; 1405 } else { 1406 *kdf = pbkdf2; 1407 *kdf_params = NULL; 1408 } 1409} 1410 1411static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1412 struct crypt_mnt_ftr *crypt_ftr, 1413 unsigned char** intermediate_key, 1414 size_t* intermediate_key_size) 1415{ 1416 kdf_func kdf; 1417 void *kdf_params; 1418 int ret; 1419 1420 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1421 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1422 decrypted_master_key, kdf, kdf_params, 1423 intermediate_key, intermediate_key_size); 1424 if (ret != 0) { 1425 SLOGW("failure decrypting master key"); 1426 } 1427 1428 return ret; 1429} 1430 1431static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1432 struct crypt_mnt_ftr *crypt_ftr) { 1433 int fd; 1434 unsigned char key_buf[KEY_LEN_BYTES]; 1435 1436 /* Get some random bits for a key */ 1437 fd = open("/dev/urandom", O_RDONLY); 1438 read(fd, key_buf, sizeof(key_buf)); 1439 read(fd, salt, SALT_LEN); 1440 close(fd); 1441 1442 /* Now encrypt it with the password */ 1443 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1444} 1445 1446static int wait_and_unmount(char *mountpoint, bool kill) 1447{ 1448 int i, err, rc; 1449#define WAIT_UNMOUNT_COUNT 20 1450 1451 /* Now umount the tmpfs filesystem */ 1452 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1453 if (umount(mountpoint) == 0) { 1454 break; 1455 } 1456 1457 if (errno == EINVAL) { 1458 /* EINVAL is returned if the directory is not a mountpoint, 1459 * i.e. there is no filesystem mounted there. So just get out. 1460 */ 1461 break; 1462 } 1463 1464 err = errno; 1465 1466 /* If allowed, be increasingly aggressive before the last two retries */ 1467 if (kill) { 1468 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1469 SLOGW("sending SIGHUP to processes with open files\n"); 1470 vold_killProcessesWithOpenFiles(mountpoint, 1); 1471 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1472 SLOGW("sending SIGKILL to processes with open files\n"); 1473 vold_killProcessesWithOpenFiles(mountpoint, 2); 1474 } 1475 } 1476 1477 sleep(1); 1478 } 1479 1480 if (i < WAIT_UNMOUNT_COUNT) { 1481 SLOGD("unmounting %s succeeded\n", mountpoint); 1482 rc = 0; 1483 } else { 1484 vold_killProcessesWithOpenFiles(mountpoint, 0); 1485 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1486 rc = -1; 1487 } 1488 1489 return rc; 1490} 1491 1492#define DATA_PREP_TIMEOUT 200 1493static int prep_data_fs(void) 1494{ 1495 int i; 1496 1497 /* Do the prep of the /data filesystem */ 1498 property_set("vold.post_fs_data_done", "0"); 1499 property_set("vold.decrypt", "trigger_post_fs_data"); 1500 SLOGD("Just triggered post_fs_data\n"); 1501 1502 /* Wait a max of 50 seconds, hopefully it takes much less */ 1503 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1504 char p[PROPERTY_VALUE_MAX]; 1505 1506 property_get("vold.post_fs_data_done", p, "0"); 1507 if (*p == '1') { 1508 break; 1509 } else { 1510 usleep(250000); 1511 } 1512 } 1513 if (i == DATA_PREP_TIMEOUT) { 1514 /* Ugh, we failed to prep /data in time. Bail. */ 1515 SLOGE("post_fs_data timed out!\n"); 1516 return -1; 1517 } else { 1518 SLOGD("post_fs_data done\n"); 1519 return 0; 1520 } 1521} 1522 1523static void cryptfs_set_corrupt() 1524{ 1525 // Mark the footer as bad 1526 struct crypt_mnt_ftr crypt_ftr; 1527 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1528 SLOGE("Failed to get crypto footer - panic"); 1529 return; 1530 } 1531 1532 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1533 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1534 SLOGE("Failed to set crypto footer - panic"); 1535 return; 1536 } 1537} 1538 1539static void cryptfs_trigger_restart_min_framework() 1540{ 1541 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1542 SLOGE("Failed to mount tmpfs on data - panic"); 1543 return; 1544 } 1545 1546 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1547 SLOGE("Failed to trigger post fs data - panic"); 1548 return; 1549 } 1550 1551 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1552 SLOGE("Failed to trigger restart min framework - panic"); 1553 return; 1554 } 1555} 1556 1557/* returns < 0 on failure */ 1558static int cryptfs_restart_internal(int restart_main) 1559{ 1560 char crypto_blkdev[MAXPATHLEN]; 1561 int rc = -1; 1562 static int restart_successful = 0; 1563 1564 /* Validate that it's OK to call this routine */ 1565 if (! master_key_saved) { 1566 SLOGE("Encrypted filesystem not validated, aborting"); 1567 return -1; 1568 } 1569 1570 if (restart_successful) { 1571 SLOGE("System already restarted with encrypted disk, aborting"); 1572 return -1; 1573 } 1574 1575 if (restart_main) { 1576 /* Here is where we shut down the framework. The init scripts 1577 * start all services in one of three classes: core, main or late_start. 1578 * On boot, we start core and main. Now, we stop main, but not core, 1579 * as core includes vold and a few other really important things that 1580 * we need to keep running. Once main has stopped, we should be able 1581 * to umount the tmpfs /data, then mount the encrypted /data. 1582 * We then restart the class main, and also the class late_start. 1583 * At the moment, I've only put a few things in late_start that I know 1584 * are not needed to bring up the framework, and that also cause problems 1585 * with unmounting the tmpfs /data, but I hope to add add more services 1586 * to the late_start class as we optimize this to decrease the delay 1587 * till the user is asked for the password to the filesystem. 1588 */ 1589 1590 /* The init files are setup to stop the class main when vold.decrypt is 1591 * set to trigger_reset_main. 1592 */ 1593 property_set("vold.decrypt", "trigger_reset_main"); 1594 SLOGD("Just asked init to shut down class main\n"); 1595 1596 /* Ugh, shutting down the framework is not synchronous, so until it 1597 * can be fixed, this horrible hack will wait a moment for it all to 1598 * shut down before proceeding. Without it, some devices cannot 1599 * restart the graphics services. 1600 */ 1601 sleep(2); 1602 } 1603 1604 /* Now that the framework is shutdown, we should be able to umount() 1605 * the tmpfs filesystem, and mount the real one. 1606 */ 1607 1608 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1609 if (strlen(crypto_blkdev) == 0) { 1610 SLOGE("fs_crypto_blkdev not set\n"); 1611 return -1; 1612 } 1613 1614 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1615 /* If ro.crypto.readonly is set to 1, mount the decrypted 1616 * filesystem readonly. This is used when /data is mounted by 1617 * recovery mode. 1618 */ 1619 char ro_prop[PROPERTY_VALUE_MAX]; 1620 property_get("ro.crypto.readonly", ro_prop, ""); 1621 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1622 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1623 rec->flags |= MS_RDONLY; 1624 } 1625 1626 /* If that succeeded, then mount the decrypted filesystem */ 1627 int retries = RETRY_MOUNT_ATTEMPTS; 1628 int mount_rc; 1629 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1630 crypto_blkdev, 0)) 1631 != 0) { 1632 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1633 /* TODO: invoke something similar to 1634 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1635 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1636 SLOGI("Failed to mount %s because it is busy - waiting", 1637 crypto_blkdev); 1638 if (--retries) { 1639 sleep(RETRY_MOUNT_DELAY_SECONDS); 1640 } else { 1641 /* Let's hope that a reboot clears away whatever is keeping 1642 the mount busy */ 1643 cryptfs_reboot(reboot); 1644 } 1645 } else { 1646 SLOGE("Failed to mount decrypted data"); 1647 cryptfs_set_corrupt(); 1648 cryptfs_trigger_restart_min_framework(); 1649 SLOGI("Started framework to offer wipe"); 1650 return -1; 1651 } 1652 } 1653 1654 property_set("vold.decrypt", "trigger_load_persist_props"); 1655 /* Create necessary paths on /data */ 1656 if (prep_data_fs()) { 1657 return -1; 1658 } 1659 1660 /* startup service classes main and late_start */ 1661 property_set("vold.decrypt", "trigger_restart_framework"); 1662 SLOGD("Just triggered restart_framework\n"); 1663 1664 /* Give it a few moments to get started */ 1665 sleep(1); 1666 } 1667 1668 if (rc == 0) { 1669 restart_successful = 1; 1670 } 1671 1672 return rc; 1673} 1674 1675int cryptfs_restart(void) 1676{ 1677 /* Call internal implementation forcing a restart of main service group */ 1678 return cryptfs_restart_internal(1); 1679} 1680 1681static int do_crypto_complete(char *mount_point UNUSED) 1682{ 1683 struct crypt_mnt_ftr crypt_ftr; 1684 char encrypted_state[PROPERTY_VALUE_MAX]; 1685 char key_loc[PROPERTY_VALUE_MAX]; 1686 1687 property_get("ro.crypto.state", encrypted_state, ""); 1688 if (strcmp(encrypted_state, "encrypted") ) { 1689 SLOGE("not running with encryption, aborting"); 1690 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1691 } 1692 1693 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1694 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1695 1696 /* 1697 * Only report this error if key_loc is a file and it exists. 1698 * If the device was never encrypted, and /data is not mountable for 1699 * some reason, returning 1 should prevent the UI from presenting the 1700 * a "enter password" screen, or worse, a "press button to wipe the 1701 * device" screen. 1702 */ 1703 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1704 SLOGE("master key file does not exist, aborting"); 1705 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1706 } else { 1707 SLOGE("Error getting crypt footer and key\n"); 1708 return CRYPTO_COMPLETE_BAD_METADATA; 1709 } 1710 } 1711 1712 // Test for possible error flags 1713 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1714 SLOGE("Encryption process is partway completed\n"); 1715 return CRYPTO_COMPLETE_PARTIAL; 1716 } 1717 1718 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1719 SLOGE("Encryption process was interrupted but cannot continue\n"); 1720 return CRYPTO_COMPLETE_INCONSISTENT; 1721 } 1722 1723 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1724 SLOGE("Encryption is successful but data is corrupt\n"); 1725 return CRYPTO_COMPLETE_CORRUPT; 1726 } 1727 1728 /* We passed the test! We shall diminish, and return to the west */ 1729 return CRYPTO_COMPLETE_ENCRYPTED; 1730} 1731 1732static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1733 char *passwd, char *mount_point, char *label) 1734{ 1735 /* Allocate enough space for a 256 bit key, but we may use less */ 1736 unsigned char decrypted_master_key[32]; 1737 char crypto_blkdev[MAXPATHLEN]; 1738 char real_blkdev[MAXPATHLEN]; 1739 char tmp_mount_point[64]; 1740 unsigned int orig_failed_decrypt_count; 1741 int rc; 1742 int use_keymaster = 0; 1743 int upgrade = 0; 1744 unsigned char* intermediate_key = 0; 1745 size_t intermediate_key_size = 0; 1746 1747 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1748 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1749 1750 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1751 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1752 &intermediate_key, &intermediate_key_size)) { 1753 SLOGE("Failed to decrypt master key\n"); 1754 rc = -1; 1755 goto errout; 1756 } 1757 } 1758 1759 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1760 1761#ifdef CONFIG_HW_DISK_ENCRYPTION 1762 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1763 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1764 SLOGE("Hardware encryption key does not match"); 1765 } 1766 } 1767#endif 1768 1769 // Create crypto block device - all (non fatal) code paths 1770 // need it 1771 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1772 real_blkdev, crypto_blkdev, label)) { 1773 SLOGE("Error creating decrypted block device\n"); 1774 rc = -1; 1775 goto errout; 1776 } 1777 1778 /* Work out if the problem is the password or the data */ 1779 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1780 scrypted_intermediate_key)]; 1781 int N = 1 << crypt_ftr->N_factor; 1782 int r = 1 << crypt_ftr->r_factor; 1783 int p = 1 << crypt_ftr->p_factor; 1784 1785 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1786 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1787 N, r, p, scrypted_intermediate_key, 1788 sizeof(scrypted_intermediate_key)); 1789 1790 // Does the key match the crypto footer? 1791 if (rc == 0 && memcmp(scrypted_intermediate_key, 1792 crypt_ftr->scrypted_intermediate_key, 1793 sizeof(scrypted_intermediate_key)) == 0) { 1794 SLOGI("Password matches"); 1795 rc = 0; 1796 } else { 1797 /* Try mounting the file system anyway, just in case the problem's with 1798 * the footer, not the key. */ 1799 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1800 mkdir(tmp_mount_point, 0755); 1801 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1802 SLOGE("Error temp mounting decrypted block device\n"); 1803 delete_crypto_blk_dev(label); 1804 1805 rc = ++crypt_ftr->failed_decrypt_count; 1806 put_crypt_ftr_and_key(crypt_ftr); 1807 } else { 1808 /* Success! */ 1809 SLOGI("Password did not match but decrypted drive mounted - continue"); 1810 umount(tmp_mount_point); 1811 rc = 0; 1812 } 1813 } 1814 1815 if (rc == 0) { 1816 crypt_ftr->failed_decrypt_count = 0; 1817 if (orig_failed_decrypt_count != 0) { 1818 put_crypt_ftr_and_key(crypt_ftr); 1819 } 1820 1821 /* Save the name of the crypto block device 1822 * so we can mount it when restarting the framework. */ 1823 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1824 1825 /* Also save a the master key so we can reencrypted the key 1826 * the key when we want to change the password on it. */ 1827 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1828 saved_mount_point = strdup(mount_point); 1829 master_key_saved = 1; 1830 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1831 rc = 0; 1832 1833 // Upgrade if we're not using the latest KDF. 1834 use_keymaster = keymaster_check_compatibility(); 1835 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1836 // Don't allow downgrade 1837 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1838 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1839 upgrade = 1; 1840 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1841 crypt_ftr->kdf_type = KDF_SCRYPT; 1842 upgrade = 1; 1843 } 1844 1845 if (upgrade) { 1846 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1847 crypt_ftr->master_key, crypt_ftr); 1848 if (!rc) { 1849 rc = put_crypt_ftr_and_key(crypt_ftr); 1850 } 1851 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1852 1853 // Do not fail even if upgrade failed - machine is bootable 1854 // Note that if this code is ever hit, there is a *serious* problem 1855 // since KDFs should never fail. You *must* fix the kdf before 1856 // proceeding! 1857 if (rc) { 1858 SLOGW("Upgrade failed with error %d," 1859 " but continuing with previous state", 1860 rc); 1861 rc = 0; 1862 } 1863 } 1864 } 1865 1866 errout: 1867 if (intermediate_key) { 1868 memset(intermediate_key, 0, intermediate_key_size); 1869 free(intermediate_key); 1870 } 1871 return rc; 1872} 1873 1874/* Called by vold when it wants to undo the crypto mapping of a volume it 1875 * manages. This is usually in response to a factory reset, when we want 1876 * to undo the crypto mapping so the volume is formatted in the clear. 1877 */ 1878int cryptfs_revert_volume(const char *label) 1879{ 1880 return delete_crypto_blk_dev((char *)label); 1881} 1882 1883/* 1884 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1885 * Setup a dm-crypt mapping, use the saved master key from 1886 * setting up the /data mapping, and return the new device path. 1887 */ 1888int cryptfs_setup_volume(const char *label, int major, int minor, 1889 char *crypto_sys_path, unsigned int max_path, 1890 int *new_major, int *new_minor) 1891{ 1892 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1893 struct crypt_mnt_ftr sd_crypt_ftr; 1894 struct stat statbuf; 1895 unsigned int nr_sec; 1896 int fd; 1897 1898 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1899 1900 get_crypt_ftr_and_key(&sd_crypt_ftr); 1901 1902 /* Update the fs_size field to be the size of the volume */ 1903 fd = open(real_blkdev, O_RDONLY); 1904 nr_sec = get_blkdev_size(fd); 1905 close(fd); 1906 if (nr_sec == 0) { 1907 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1908 return -1; 1909 } 1910 1911 sd_crypt_ftr.fs_size = nr_sec; 1912 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1913 crypto_blkdev, label); 1914 1915 if (stat(crypto_blkdev, &statbuf) < 0) { 1916 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1917 crypto_blkdev, errno, strerror(errno)); 1918 } 1919 *new_major = MAJOR(statbuf.st_rdev); 1920 *new_minor = MINOR(statbuf.st_rdev); 1921 1922 /* Create path to sys entry for this block device */ 1923 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1924 1925 return 0; 1926} 1927 1928int cryptfs_crypto_complete(void) 1929{ 1930 return do_crypto_complete("/data"); 1931} 1932 1933int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1934{ 1935 char encrypted_state[PROPERTY_VALUE_MAX]; 1936 property_get("ro.crypto.state", encrypted_state, ""); 1937 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1938 SLOGE("encrypted fs already validated or not running with encryption," 1939 " aborting"); 1940 return -1; 1941 } 1942 1943 if (get_crypt_ftr_and_key(crypt_ftr)) { 1944 SLOGE("Error getting crypt footer and key"); 1945 return -1; 1946 } 1947 1948 return 0; 1949} 1950 1951/* 1952 * TODO - transition patterns to new format in calling code 1953 * and remove this vile hack, and the use of hex in 1954 * the password passing code. 1955 * 1956 * Patterns are passed in zero based (i.e. the top left dot 1957 * is represented by zero, the top middle one etc), but we want 1958 * to store them '1' based. 1959 * This is to allow us to migrate the calling code to use this 1960 * convention. It also solves a nasty problem whereby scrypt ignores 1961 * trailing zeros, so patterns ending at the top left could be 1962 * truncated, and similarly, you could add the top left to any 1963 * pattern and still match. 1964 * adjust_passwd is a hack function that returns the alternate representation 1965 * if the password appears to be a pattern (hex numbers all less than 09) 1966 * If it succeeds we need to try both, and in particular try the alternate 1967 * first. If the original matches, then we need to update the footer 1968 * with the alternate. 1969 * All code that accepts passwords must adjust them first. Since 1970 * cryptfs_check_passwd is always the first function called after a migration 1971 * (and indeed on any boot) we only need to do the double try in this 1972 * function. 1973 */ 1974char* adjust_passwd(const char* passwd) 1975{ 1976 size_t index, length; 1977 1978 if (!passwd) { 1979 return 0; 1980 } 1981 1982 // Check even length. Hex encoded passwords are always 1983 // an even length, since each character encodes to two characters. 1984 length = strlen(passwd); 1985 if (length % 2) { 1986 SLOGW("Password not correctly hex encoded."); 1987 return 0; 1988 } 1989 1990 // Check password is old-style pattern - a collection of hex 1991 // encoded bytes less than 9 (00 through 08) 1992 for (index = 0; index < length; index +=2) { 1993 if (passwd[index] != '0' 1994 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1995 return 0; 1996 } 1997 } 1998 1999 // Allocate room for adjusted passwd and null terminate 2000 char* adjusted = malloc(length + 1); 2001 adjusted[length] = 0; 2002 2003 // Add 0x31 ('1') to each character 2004 for (index = 0; index < length; index += 2) { 2005 // output is 31 through 39 so set first byte to three, second to src + 1 2006 adjusted[index] = '3'; 2007 adjusted[index + 1] = passwd[index + 1] + 1; 2008 } 2009 2010 return adjusted; 2011} 2012 2013int cryptfs_check_passwd(char *passwd) 2014{ 2015 struct crypt_mnt_ftr crypt_ftr; 2016 int rc; 2017 2018 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2019 if (rc) 2020 return rc; 2021 2022 char* adjusted_passwd = adjust_passwd(passwd); 2023 if (adjusted_passwd) { 2024 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2025 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2026 DATA_MNT_POINT, "userdata"); 2027 2028 // Maybe the original one still works? 2029 if (rc) { 2030 // Don't double count this failure 2031 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2032 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2033 DATA_MNT_POINT, "userdata"); 2034 if (!rc) { 2035 // cryptfs_changepw also adjusts so pass original 2036 // Note that adjust_passwd only recognises patterns 2037 // so we can safely use CRYPT_TYPE_PATTERN 2038 SLOGI("Updating pattern to new format"); 2039 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2040 } 2041 } 2042 free(adjusted_passwd); 2043 } else { 2044 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2045 DATA_MNT_POINT, "userdata"); 2046 } 2047 2048 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2049 cryptfs_clear_password(); 2050 password = strdup(passwd); 2051 struct timespec now; 2052 clock_gettime(CLOCK_BOOTTIME, &now); 2053 password_expiry_time = now.tv_sec + password_max_age_seconds; 2054 } 2055 2056 return rc; 2057} 2058 2059int cryptfs_verify_passwd(char *passwd) 2060{ 2061 struct crypt_mnt_ftr crypt_ftr; 2062 /* Allocate enough space for a 256 bit key, but we may use less */ 2063 unsigned char decrypted_master_key[32]; 2064 char encrypted_state[PROPERTY_VALUE_MAX]; 2065 int rc; 2066 2067 property_get("ro.crypto.state", encrypted_state, ""); 2068 if (strcmp(encrypted_state, "encrypted") ) { 2069 SLOGE("device not encrypted, aborting"); 2070 return -2; 2071 } 2072 2073 if (!master_key_saved) { 2074 SLOGE("encrypted fs not yet mounted, aborting"); 2075 return -1; 2076 } 2077 2078 if (!saved_mount_point) { 2079 SLOGE("encrypted fs failed to save mount point, aborting"); 2080 return -1; 2081 } 2082 2083 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2084 SLOGE("Error getting crypt footer and key\n"); 2085 return -1; 2086 } 2087 2088 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2089 /* If the device has no password, then just say the password is valid */ 2090 rc = 0; 2091 } else { 2092 char* adjusted_passwd = adjust_passwd(passwd); 2093 if (adjusted_passwd) { 2094 passwd = adjusted_passwd; 2095 } 2096 2097 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2098 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2099 /* They match, the password is correct */ 2100 rc = 0; 2101 } else { 2102 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2103 sleep(1); 2104 rc = 1; 2105 } 2106 2107 free(adjusted_passwd); 2108 } 2109 2110 return rc; 2111} 2112 2113/* Initialize a crypt_mnt_ftr structure. The keysize is 2114 * defaulted to 16 bytes, and the filesystem size to 0. 2115 * Presumably, at a minimum, the caller will update the 2116 * filesystem size and crypto_type_name after calling this function. 2117 */ 2118static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2119{ 2120 off64_t off; 2121 2122 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2123 ftr->magic = CRYPT_MNT_MAGIC; 2124 ftr->major_version = CURRENT_MAJOR_VERSION; 2125 ftr->minor_version = CURRENT_MINOR_VERSION; 2126 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2127 ftr->keysize = KEY_LEN_BYTES; 2128 2129 switch (keymaster_check_compatibility()) { 2130 case 1: 2131 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2132 break; 2133 2134 case 0: 2135 ftr->kdf_type = KDF_SCRYPT; 2136 break; 2137 2138 default: 2139 SLOGE("keymaster_check_compatibility failed"); 2140 return -1; 2141 } 2142 2143 get_device_scrypt_params(ftr); 2144 2145 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2146 if (get_crypt_ftr_info(NULL, &off) == 0) { 2147 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2148 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2149 ftr->persist_data_size; 2150 } 2151 2152 return 0; 2153} 2154 2155static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2156{ 2157 const char *args[10]; 2158 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2159 int num_args; 2160 int status; 2161 int tmp; 2162 int rc = -1; 2163 2164 if (type == EXT4_FS) { 2165 args[0] = "/system/bin/make_ext4fs"; 2166 args[1] = "-a"; 2167 args[2] = "/data"; 2168 args[3] = "-l"; 2169 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2170 args[4] = size_str; 2171 args[5] = crypto_blkdev; 2172 num_args = 6; 2173 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2174 args[0], args[1], args[2], args[3], args[4], args[5]); 2175 } else if (type == F2FS_FS) { 2176 args[0] = "/system/bin/mkfs.f2fs"; 2177 args[1] = "-t"; 2178 args[2] = "-d1"; 2179 args[3] = crypto_blkdev; 2180 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2181 args[4] = size_str; 2182 num_args = 5; 2183 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2184 args[0], args[1], args[2], args[3], args[4]); 2185 } else { 2186 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2187 return -1; 2188 } 2189 2190 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2191 2192 if (tmp != 0) { 2193 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2194 } else { 2195 if (WIFEXITED(status)) { 2196 if (WEXITSTATUS(status)) { 2197 SLOGE("Error creating filesystem on %s, exit status %d ", 2198 crypto_blkdev, WEXITSTATUS(status)); 2199 } else { 2200 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2201 rc = 0; 2202 } 2203 } else { 2204 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2205 } 2206 } 2207 2208 return rc; 2209} 2210 2211#define CRYPT_INPLACE_BUFSIZE 4096 2212#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2213#define CRYPT_SECTOR_SIZE 512 2214 2215/* aligned 32K writes tends to make flash happy. 2216 * SD card association recommends it. 2217 */ 2218#ifndef CONFIG_HW_DISK_ENCRYPTION 2219#define BLOCKS_AT_A_TIME 8 2220#else 2221#define BLOCKS_AT_A_TIME 1024 2222#endif 2223 2224struct encryptGroupsData 2225{ 2226 int realfd; 2227 int cryptofd; 2228 off64_t numblocks; 2229 off64_t one_pct, cur_pct, new_pct; 2230 off64_t blocks_already_done, tot_numblocks; 2231 off64_t used_blocks_already_done, tot_used_blocks; 2232 char* real_blkdev, * crypto_blkdev; 2233 int count; 2234 off64_t offset; 2235 char* buffer; 2236 off64_t last_written_sector; 2237 int completed; 2238 time_t time_started; 2239 int remaining_time; 2240}; 2241 2242static void update_progress(struct encryptGroupsData* data, int is_used) 2243{ 2244 data->blocks_already_done++; 2245 2246 if (is_used) { 2247 data->used_blocks_already_done++; 2248 } 2249 if (data->tot_used_blocks) { 2250 data->new_pct = data->used_blocks_already_done / data->one_pct; 2251 } else { 2252 data->new_pct = data->blocks_already_done / data->one_pct; 2253 } 2254 2255 if (data->new_pct > data->cur_pct) { 2256 char buf[8]; 2257 data->cur_pct = data->new_pct; 2258 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2259 property_set("vold.encrypt_progress", buf); 2260 } 2261 2262 if (data->cur_pct >= 5) { 2263 struct timespec time_now; 2264 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2265 SLOGW("Error getting time"); 2266 } else { 2267 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2268 off64_t remaining_blocks = data->tot_used_blocks 2269 - data->used_blocks_already_done; 2270 int remaining_time = (int)(elapsed_time * remaining_blocks 2271 / data->used_blocks_already_done); 2272 2273 // Change time only if not yet set, lower, or a lot higher for 2274 // best user experience 2275 if (data->remaining_time == -1 2276 || remaining_time < data->remaining_time 2277 || remaining_time > data->remaining_time + 60) { 2278 char buf[8]; 2279 snprintf(buf, sizeof(buf), "%d", remaining_time); 2280 property_set("vold.encrypt_time_remaining", buf); 2281 data->remaining_time = remaining_time; 2282 } 2283 } 2284 } 2285} 2286 2287static void log_progress(struct encryptGroupsData const* data, bool completed) 2288{ 2289 // Precondition - if completed data = 0 else data != 0 2290 2291 // Track progress so we can skip logging blocks 2292 static off64_t offset = -1; 2293 2294 // Need to close existing 'Encrypting from' log? 2295 if (completed || (offset != -1 && data->offset != offset)) { 2296 SLOGI("Encrypted to sector %" PRId64, 2297 offset / info.block_size * CRYPT_SECTOR_SIZE); 2298 offset = -1; 2299 } 2300 2301 // Need to start new 'Encrypting from' log? 2302 if (!completed && offset != data->offset) { 2303 SLOGI("Encrypting from sector %" PRId64, 2304 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2305 } 2306 2307 // Update offset 2308 if (!completed) { 2309 offset = data->offset + (off64_t)data->count * info.block_size; 2310 } 2311} 2312 2313static int flush_outstanding_data(struct encryptGroupsData* data) 2314{ 2315 if (data->count == 0) { 2316 return 0; 2317 } 2318 2319 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2320 2321 if (pread64(data->realfd, data->buffer, 2322 info.block_size * data->count, data->offset) 2323 <= 0) { 2324 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2325 data->real_blkdev); 2326 return -1; 2327 } 2328 2329 if (pwrite64(data->cryptofd, data->buffer, 2330 info.block_size * data->count, data->offset) 2331 <= 0) { 2332 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2333 data->crypto_blkdev); 2334 return -1; 2335 } else { 2336 log_progress(data, false); 2337 } 2338 2339 data->count = 0; 2340 data->last_written_sector = (data->offset + data->count) 2341 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2342 return 0; 2343} 2344 2345static int encrypt_groups(struct encryptGroupsData* data) 2346{ 2347 unsigned int i; 2348 u8 *block_bitmap = 0; 2349 unsigned int block; 2350 off64_t ret; 2351 int rc = -1; 2352 2353 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2354 if (!data->buffer) { 2355 SLOGE("Failed to allocate crypto buffer"); 2356 goto errout; 2357 } 2358 2359 block_bitmap = malloc(info.block_size); 2360 if (!block_bitmap) { 2361 SLOGE("failed to allocate block bitmap"); 2362 goto errout; 2363 } 2364 2365 for (i = 0; i < aux_info.groups; ++i) { 2366 SLOGI("Encrypting group %d", i); 2367 2368 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2369 u32 block_count = min(info.blocks_per_group, 2370 aux_info.len_blocks - first_block); 2371 2372 off64_t offset = (u64)info.block_size 2373 * aux_info.bg_desc[i].bg_block_bitmap; 2374 2375 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2376 if (ret != (int)info.block_size) { 2377 SLOGE("failed to read all of block group bitmap %d", i); 2378 goto errout; 2379 } 2380 2381 offset = (u64)info.block_size * first_block; 2382 2383 data->count = 0; 2384 2385 for (block = 0; block < block_count; block++) { 2386 int used = bitmap_get_bit(block_bitmap, block); 2387 update_progress(data, used); 2388 if (used) { 2389 if (data->count == 0) { 2390 data->offset = offset; 2391 } 2392 data->count++; 2393 } else { 2394 if (flush_outstanding_data(data)) { 2395 goto errout; 2396 } 2397 } 2398 2399 offset += info.block_size; 2400 2401 /* Write data if we are aligned or buffer size reached */ 2402 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2403 || data->count == BLOCKS_AT_A_TIME) { 2404 if (flush_outstanding_data(data)) { 2405 goto errout; 2406 } 2407 } 2408 2409 if (!is_battery_ok_to_continue()) { 2410 SLOGE("Stopping encryption due to low battery"); 2411 rc = 0; 2412 goto errout; 2413 } 2414 2415 } 2416 if (flush_outstanding_data(data)) { 2417 goto errout; 2418 } 2419 } 2420 2421 data->completed = 1; 2422 rc = 0; 2423 2424errout: 2425 log_progress(0, true); 2426 free(data->buffer); 2427 free(block_bitmap); 2428 return rc; 2429} 2430 2431static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2432 char *real_blkdev, 2433 off64_t size, 2434 off64_t *size_already_done, 2435 off64_t tot_size, 2436 off64_t previously_encrypted_upto) 2437{ 2438 u32 i; 2439 struct encryptGroupsData data; 2440 int rc; // Can't initialize without causing warning -Wclobbered 2441 2442 if (previously_encrypted_upto > *size_already_done) { 2443 SLOGD("Not fast encrypting since resuming part way through"); 2444 return -1; 2445 } 2446 2447 memset(&data, 0, sizeof(data)); 2448 data.real_blkdev = real_blkdev; 2449 data.crypto_blkdev = crypto_blkdev; 2450 2451 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2452 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2453 real_blkdev, errno, strerror(errno)); 2454 rc = -1; 2455 goto errout; 2456 } 2457 2458 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2459 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2460 crypto_blkdev, errno, strerror(errno)); 2461 rc = ENABLE_INPLACE_ERR_DEV; 2462 goto errout; 2463 } 2464 2465 if (setjmp(setjmp_env)) { 2466 SLOGE("Reading ext4 extent caused an exception\n"); 2467 rc = -1; 2468 goto errout; 2469 } 2470 2471 if (read_ext(data.realfd, 0) != 0) { 2472 SLOGE("Failed to read ext4 extent\n"); 2473 rc = -1; 2474 goto errout; 2475 } 2476 2477 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2478 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2479 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2480 2481 SLOGI("Encrypting ext4 filesystem in place..."); 2482 2483 data.tot_used_blocks = data.numblocks; 2484 for (i = 0; i < aux_info.groups; ++i) { 2485 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2486 } 2487 2488 data.one_pct = data.tot_used_blocks / 100; 2489 data.cur_pct = 0; 2490 2491 struct timespec time_started = {0}; 2492 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2493 SLOGW("Error getting time at start"); 2494 // Note - continue anyway - we'll run with 0 2495 } 2496 data.time_started = time_started.tv_sec; 2497 data.remaining_time = -1; 2498 2499 rc = encrypt_groups(&data); 2500 if (rc) { 2501 SLOGE("Error encrypting groups"); 2502 goto errout; 2503 } 2504 2505 *size_already_done += data.completed ? size : data.last_written_sector; 2506 rc = 0; 2507 2508errout: 2509 close(data.realfd); 2510 close(data.cryptofd); 2511 2512 return rc; 2513} 2514 2515static void log_progress_f2fs(u64 block, bool completed) 2516{ 2517 // Precondition - if completed data = 0 else data != 0 2518 2519 // Track progress so we can skip logging blocks 2520 static u64 last_block = (u64)-1; 2521 2522 // Need to close existing 'Encrypting from' log? 2523 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2524 SLOGI("Encrypted to block %" PRId64, last_block); 2525 last_block = -1; 2526 } 2527 2528 // Need to start new 'Encrypting from' log? 2529 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2530 SLOGI("Encrypting from block %" PRId64, block); 2531 } 2532 2533 // Update offset 2534 if (!completed) { 2535 last_block = block; 2536 } 2537} 2538 2539static int encrypt_one_block_f2fs(u64 pos, void *data) 2540{ 2541 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2542 2543 priv_dat->blocks_already_done = pos - 1; 2544 update_progress(priv_dat, 1); 2545 2546 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2547 2548 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2549 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2550 return -1; 2551 } 2552 2553 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2554 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2555 return -1; 2556 } else { 2557 log_progress_f2fs(pos, false); 2558 } 2559 2560 return 0; 2561} 2562 2563static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2564 char *real_blkdev, 2565 off64_t size, 2566 off64_t *size_already_done, 2567 off64_t tot_size, 2568 off64_t previously_encrypted_upto) 2569{ 2570 struct encryptGroupsData data; 2571 struct f2fs_info *f2fs_info = NULL; 2572 int rc = ENABLE_INPLACE_ERR_OTHER; 2573 if (previously_encrypted_upto > *size_already_done) { 2574 SLOGD("Not fast encrypting since resuming part way through"); 2575 return ENABLE_INPLACE_ERR_OTHER; 2576 } 2577 memset(&data, 0, sizeof(data)); 2578 data.real_blkdev = real_blkdev; 2579 data.crypto_blkdev = crypto_blkdev; 2580 data.realfd = -1; 2581 data.cryptofd = -1; 2582 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2583 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2584 real_blkdev); 2585 goto errout; 2586 } 2587 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2588 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2589 crypto_blkdev, errno, strerror(errno)); 2590 rc = ENABLE_INPLACE_ERR_DEV; 2591 goto errout; 2592 } 2593 2594 f2fs_info = generate_f2fs_info(data.realfd); 2595 if (!f2fs_info) 2596 goto errout; 2597 2598 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2599 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2600 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2601 2602 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2603 2604 data.one_pct = data.tot_used_blocks / 100; 2605 data.cur_pct = 0; 2606 data.time_started = time(NULL); 2607 data.remaining_time = -1; 2608 2609 data.buffer = malloc(f2fs_info->block_size); 2610 if (!data.buffer) { 2611 SLOGE("Failed to allocate crypto buffer"); 2612 goto errout; 2613 } 2614 2615 data.count = 0; 2616 2617 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2618 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2619 2620 if (rc) { 2621 SLOGE("Error in running over f2fs blocks"); 2622 rc = ENABLE_INPLACE_ERR_OTHER; 2623 goto errout; 2624 } 2625 2626 *size_already_done += size; 2627 rc = 0; 2628 2629errout: 2630 if (rc) 2631 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2632 2633 log_progress_f2fs(0, true); 2634 free(f2fs_info); 2635 free(data.buffer); 2636 close(data.realfd); 2637 close(data.cryptofd); 2638 2639 return rc; 2640} 2641 2642static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2643 off64_t size, off64_t *size_already_done, 2644 off64_t tot_size, 2645 off64_t previously_encrypted_upto) 2646{ 2647 int realfd, cryptofd; 2648 char *buf[CRYPT_INPLACE_BUFSIZE]; 2649 int rc = ENABLE_INPLACE_ERR_OTHER; 2650 off64_t numblocks, i, remainder; 2651 off64_t one_pct, cur_pct, new_pct; 2652 off64_t blocks_already_done, tot_numblocks; 2653 2654 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2655 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2656 return ENABLE_INPLACE_ERR_OTHER; 2657 } 2658 2659 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2660 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2661 crypto_blkdev, errno, strerror(errno)); 2662 close(realfd); 2663 return ENABLE_INPLACE_ERR_DEV; 2664 } 2665 2666 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2667 * The size passed in is the number of 512 byte sectors in the filesystem. 2668 * So compute the number of whole 4K blocks we should read/write, 2669 * and the remainder. 2670 */ 2671 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2672 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2673 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2674 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2675 2676 SLOGE("Encrypting filesystem in place..."); 2677 2678 i = previously_encrypted_upto + 1 - *size_already_done; 2679 2680 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2681 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2682 goto errout; 2683 } 2684 2685 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2686 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2687 goto errout; 2688 } 2689 2690 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2691 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2692 SLOGE("Error reading initial sectors from real_blkdev %s for " 2693 "inplace encrypt\n", crypto_blkdev); 2694 goto errout; 2695 } 2696 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2697 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2698 "inplace encrypt\n", crypto_blkdev); 2699 goto errout; 2700 } else { 2701 SLOGI("Encrypted 1 block at %" PRId64, i); 2702 } 2703 } 2704 2705 one_pct = tot_numblocks / 100; 2706 cur_pct = 0; 2707 /* process the majority of the filesystem in blocks */ 2708 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2709 new_pct = (i + blocks_already_done) / one_pct; 2710 if (new_pct > cur_pct) { 2711 char buf[8]; 2712 2713 cur_pct = new_pct; 2714 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2715 property_set("vold.encrypt_progress", buf); 2716 } 2717 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2718 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2719 goto errout; 2720 } 2721 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2722 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2723 goto errout; 2724 } else { 2725 SLOGD("Encrypted %d block at %" PRId64, 2726 CRYPT_SECTORS_PER_BUFSIZE, 2727 i * CRYPT_SECTORS_PER_BUFSIZE); 2728 } 2729 2730 if (!is_battery_ok_to_continue()) { 2731 SLOGE("Stopping encryption due to low battery"); 2732 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2733 rc = 0; 2734 goto errout; 2735 } 2736 } 2737 2738 /* Do any remaining sectors */ 2739 for (i=0; i<remainder; i++) { 2740 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2741 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2742 goto errout; 2743 } 2744 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2745 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2746 goto errout; 2747 } else { 2748 SLOGI("Encrypted 1 block at next location"); 2749 } 2750 } 2751 2752 *size_already_done += size; 2753 rc = 0; 2754 2755errout: 2756 close(realfd); 2757 close(cryptofd); 2758 2759 return rc; 2760} 2761 2762/* returns on of the ENABLE_INPLACE_* return codes */ 2763static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2764 off64_t size, off64_t *size_already_done, 2765 off64_t tot_size, 2766 off64_t previously_encrypted_upto) 2767{ 2768 int rc_ext4, rc_f2fs, rc_full; 2769 if (previously_encrypted_upto) { 2770 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2771 } 2772 2773 if (*size_already_done + size < previously_encrypted_upto) { 2774 *size_already_done += size; 2775 return 0; 2776 } 2777 2778 /* TODO: identify filesystem type. 2779 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2780 * then we will drop down to cryptfs_enable_inplace_f2fs. 2781 * */ 2782 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2783 size, size_already_done, 2784 tot_size, previously_encrypted_upto)) == 0) { 2785 return 0; 2786 } 2787 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2788 2789 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2790 size, size_already_done, 2791 tot_size, previously_encrypted_upto)) == 0) { 2792 return 0; 2793 } 2794 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2795 2796 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2797 size, size_already_done, tot_size, 2798 previously_encrypted_upto); 2799 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2800 2801 /* Hack for b/17898962, the following is the symptom... */ 2802 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2803 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2804 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2805 return ENABLE_INPLACE_ERR_DEV; 2806 } 2807 return rc_full; 2808} 2809 2810#define CRYPTO_ENABLE_WIPE 1 2811#define CRYPTO_ENABLE_INPLACE 2 2812 2813#define FRAMEWORK_BOOT_WAIT 60 2814 2815static inline int should_encrypt(struct volume_info *volume) 2816{ 2817 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2818 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2819} 2820 2821static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2822{ 2823 int fd = open(filename, O_RDONLY); 2824 if (fd == -1) { 2825 SLOGE("Error opening file %s", filename); 2826 return -1; 2827 } 2828 2829 char block[CRYPT_INPLACE_BUFSIZE]; 2830 memset(block, 0, sizeof(block)); 2831 if (unix_read(fd, block, sizeof(block)) < 0) { 2832 SLOGE("Error reading file %s", filename); 2833 close(fd); 2834 return -1; 2835 } 2836 2837 close(fd); 2838 2839 SHA256_CTX c; 2840 SHA256_Init(&c); 2841 SHA256_Update(&c, block, sizeof(block)); 2842 SHA256_Final(buf, &c); 2843 2844 return 0; 2845} 2846 2847static int get_fs_type(struct fstab_rec *rec) 2848{ 2849 if (!strcmp(rec->fs_type, "ext4")) { 2850 return EXT4_FS; 2851 } else if (!strcmp(rec->fs_type, "f2fs")) { 2852 return F2FS_FS; 2853 } else { 2854 return -1; 2855 } 2856} 2857 2858static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2859 char *crypto_blkdev, char *real_blkdev, 2860 int previously_encrypted_upto) 2861{ 2862 off64_t cur_encryption_done=0, tot_encryption_size=0; 2863 int rc = -1; 2864 2865 if (!is_battery_ok_to_start()) { 2866 SLOGW("Not starting encryption due to low battery"); 2867 return 0; 2868 } 2869 2870 /* The size of the userdata partition, and add in the vold volumes below */ 2871 tot_encryption_size = crypt_ftr->fs_size; 2872 2873 if (how == CRYPTO_ENABLE_WIPE) { 2874 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2875 int fs_type = get_fs_type(rec); 2876 if (fs_type < 0) { 2877 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2878 return -1; 2879 } 2880 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2881 } else if (how == CRYPTO_ENABLE_INPLACE) { 2882 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2883 crypt_ftr->fs_size, &cur_encryption_done, 2884 tot_encryption_size, 2885 previously_encrypted_upto); 2886 2887 if (rc == ENABLE_INPLACE_ERR_DEV) { 2888 /* Hack for b/17898962 */ 2889 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2890 cryptfs_reboot(reboot); 2891 } 2892 2893 if (!rc) { 2894 crypt_ftr->encrypted_upto = cur_encryption_done; 2895 } 2896 2897 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2898 /* The inplace routine never actually sets the progress to 100% due 2899 * to the round down nature of integer division, so set it here */ 2900 property_set("vold.encrypt_progress", "100"); 2901 } 2902 } else { 2903 /* Shouldn't happen */ 2904 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2905 rc = -1; 2906 } 2907 2908 return rc; 2909} 2910 2911int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2912 int allow_reboot) 2913{ 2914 int how = 0; 2915 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2916 unsigned long nr_sec; 2917 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2918 int rc=-1, fd, i; 2919 struct crypt_mnt_ftr crypt_ftr; 2920 struct crypt_persist_data *pdata; 2921 char encrypted_state[PROPERTY_VALUE_MAX]; 2922 char lockid[32] = { 0 }; 2923 char key_loc[PROPERTY_VALUE_MAX]; 2924 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2925 char *sd_mnt_point; 2926 int num_vols; 2927 struct volume_info *vol_list = 0; 2928 off64_t previously_encrypted_upto = 0; 2929 2930 if (!strcmp(howarg, "wipe")) { 2931 how = CRYPTO_ENABLE_WIPE; 2932 } else if (! strcmp(howarg, "inplace")) { 2933 how = CRYPTO_ENABLE_INPLACE; 2934 } else { 2935 /* Shouldn't happen, as CommandListener vets the args */ 2936 goto error_unencrypted; 2937 } 2938 2939 /* See if an encryption was underway and interrupted */ 2940 if (how == CRYPTO_ENABLE_INPLACE 2941 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2942 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2943 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2944 crypt_ftr.encrypted_upto = 0; 2945 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2946 2947 /* At this point, we are in an inconsistent state. Until we successfully 2948 complete encryption, a reboot will leave us broken. So mark the 2949 encryption failed in case that happens. 2950 On successfully completing encryption, remove this flag */ 2951 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2952 2953 put_crypt_ftr_and_key(&crypt_ftr); 2954 } 2955 2956 property_get("ro.crypto.state", encrypted_state, ""); 2957 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2958 SLOGE("Device is already running encrypted, aborting"); 2959 goto error_unencrypted; 2960 } 2961 2962 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2963 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2964 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2965 2966 /* Get the size of the real block device */ 2967 fd = open(real_blkdev, O_RDONLY); 2968 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2969 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2970 goto error_unencrypted; 2971 } 2972 close(fd); 2973 2974 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2975 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2976 unsigned int fs_size_sec, max_fs_size_sec; 2977 fs_size_sec = get_fs_size(real_blkdev); 2978 if (fs_size_sec == 0) 2979 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2980 2981 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2982 2983 if (fs_size_sec > max_fs_size_sec) { 2984 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2985 goto error_unencrypted; 2986 } 2987 } 2988 2989 /* Get a wakelock as this may take a while, and we don't want the 2990 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2991 * wants to keep the screen on, it can grab a full wakelock. 2992 */ 2993 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2994 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2995 2996 /* Get the sdcard mount point */ 2997 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2998 if (!sd_mnt_point) { 2999 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 3000 } 3001 if (!sd_mnt_point) { 3002 sd_mnt_point = "/mnt/sdcard"; 3003 } 3004 3005 /* TODO 3006 * Currently do not have test devices with multiple encryptable volumes. 3007 * When we acquire some, re-add support. 3008 */ 3009 num_vols=vold_getNumDirectVolumes(); 3010 vol_list = malloc(sizeof(struct volume_info) * num_vols); 3011 vold_getDirectVolumeList(vol_list); 3012 3013 for (i=0; i<num_vols; i++) { 3014 if (should_encrypt(&vol_list[i])) { 3015 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 3016 "%s\n", vol_list[i].label); 3017 goto error_unencrypted; 3018 } 3019 } 3020 3021 /* The init files are setup to stop the class main and late start when 3022 * vold sets trigger_shutdown_framework. 3023 */ 3024 property_set("vold.decrypt", "trigger_shutdown_framework"); 3025 SLOGD("Just asked init to shut down class main\n"); 3026 3027 if (vold_unmountAllAsecs()) { 3028 /* Just report the error. If any are left mounted, 3029 * umounting /data below will fail and handle the error. 3030 */ 3031 SLOGE("Error unmounting internal asecs"); 3032 } 3033 3034 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3035 if (!strcmp(fuse_sdcard, "true")) { 3036 /* This is a device using the fuse layer to emulate the sdcard semantics 3037 * on top of the userdata partition. vold does not manage it, it is managed 3038 * by the sdcard service. The sdcard service was killed by the property trigger 3039 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3040 * unlike the case for vold managed devices above. 3041 */ 3042 if (wait_and_unmount(sd_mnt_point, false)) { 3043 goto error_shutting_down; 3044 } 3045 } 3046 3047 /* Now unmount the /data partition. */ 3048 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3049 if (allow_reboot) { 3050 goto error_shutting_down; 3051 } else { 3052 goto error_unencrypted; 3053 } 3054 } 3055 3056 /* Do extra work for a better UX when doing the long inplace encryption */ 3057 if (how == CRYPTO_ENABLE_INPLACE) { 3058 /* Now that /data is unmounted, we need to mount a tmpfs 3059 * /data, set a property saying we're doing inplace encryption, 3060 * and restart the framework. 3061 */ 3062 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3063 goto error_shutting_down; 3064 } 3065 /* Tells the framework that inplace encryption is starting */ 3066 property_set("vold.encrypt_progress", "0"); 3067 3068 /* restart the framework. */ 3069 /* Create necessary paths on /data */ 3070 if (prep_data_fs()) { 3071 goto error_shutting_down; 3072 } 3073 3074 /* Ugh, shutting down the framework is not synchronous, so until it 3075 * can be fixed, this horrible hack will wait a moment for it all to 3076 * shut down before proceeding. Without it, some devices cannot 3077 * restart the graphics services. 3078 */ 3079 sleep(2); 3080 } 3081 3082 /* Start the actual work of making an encrypted filesystem */ 3083 /* Initialize a crypt_mnt_ftr for the partition */ 3084 if (previously_encrypted_upto == 0) { 3085 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3086 goto error_shutting_down; 3087 } 3088 3089 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3090 crypt_ftr.fs_size = nr_sec 3091 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3092 } else { 3093 crypt_ftr.fs_size = nr_sec; 3094 } 3095 /* At this point, we are in an inconsistent state. Until we successfully 3096 complete encryption, a reboot will leave us broken. So mark the 3097 encryption failed in case that happens. 3098 On successfully completing encryption, remove this flag */ 3099 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3100 crypt_ftr.crypt_type = crypt_type; 3101#ifndef CONFIG_HW_DISK_ENCRYPTION 3102 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3103#else 3104 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3105 3106 rc = clear_hw_device_encryption_key(); 3107 if (!rc) { 3108 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3109 } 3110 3111 rc = set_hw_device_encryption_key(passwd, 3112 (char*) crypt_ftr.crypto_type_name); 3113 if (!rc) { 3114 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3115 goto error_shutting_down; 3116 } 3117#endif 3118 3119 /* Make an encrypted master key */ 3120 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3121 SLOGE("Cannot create encrypted master key\n"); 3122 goto error_shutting_down; 3123 } 3124 3125 /* Write the key to the end of the partition */ 3126 put_crypt_ftr_and_key(&crypt_ftr); 3127 3128 /* If any persistent data has been remembered, save it. 3129 * If none, create a valid empty table and save that. 3130 */ 3131 if (!persist_data) { 3132 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3133 if (pdata) { 3134 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3135 persist_data = pdata; 3136 } 3137 } 3138 if (persist_data) { 3139 save_persistent_data(); 3140 } 3141 } 3142 3143 if (how == CRYPTO_ENABLE_INPLACE) { 3144 /* startup service classes main and late_start */ 3145 property_set("vold.decrypt", "trigger_restart_min_framework"); 3146 SLOGD("Just triggered restart_min_framework\n"); 3147 3148 /* OK, the framework is restarted and will soon be showing a 3149 * progress bar. Time to setup an encrypted mapping, and 3150 * either write a new filesystem, or encrypt in place updating 3151 * the progress bar as we work. 3152 */ 3153 } 3154 3155 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3156 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3157 "userdata"); 3158 3159 /* If we are continuing, check checksums match */ 3160 rc = 0; 3161 if (previously_encrypted_upto) { 3162 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3163 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3164 3165 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3166 sizeof(hash_first_block)) != 0) { 3167 SLOGE("Checksums do not match - trigger wipe"); 3168 rc = -1; 3169 } 3170 } 3171 3172 if (!rc) { 3173 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3174 crypto_blkdev, real_blkdev, 3175 previously_encrypted_upto); 3176 } 3177 3178 /* Calculate checksum if we are not finished */ 3179 if (!rc && how == CRYPTO_ENABLE_INPLACE 3180 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3181 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3182 crypt_ftr.hash_first_block); 3183 if (rc) { 3184 SLOGE("Error calculating checksum for continuing encryption"); 3185 rc = -1; 3186 } 3187 } 3188 3189 /* Undo the dm-crypt mapping whether we succeed or not */ 3190 delete_crypto_blk_dev("userdata"); 3191 3192 free(vol_list); 3193 3194 if (! rc) { 3195 /* Success */ 3196 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3197 3198 if (how == CRYPTO_ENABLE_INPLACE 3199 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3200 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3201 crypt_ftr.encrypted_upto); 3202 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3203 } 3204 3205 put_crypt_ftr_and_key(&crypt_ftr); 3206 3207 if (how == CRYPTO_ENABLE_WIPE 3208 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3209 char value[PROPERTY_VALUE_MAX]; 3210 property_get("ro.crypto.state", value, ""); 3211 if (!strcmp(value, "")) { 3212 /* default encryption - continue first boot sequence */ 3213 property_set("ro.crypto.state", "encrypted"); 3214 release_wake_lock(lockid); 3215 cryptfs_check_passwd(DEFAULT_PASSWORD); 3216 cryptfs_restart_internal(1); 3217 return 0; 3218 } else { 3219 sleep(2); /* Give the UI a chance to show 100% progress */ 3220 cryptfs_reboot(reboot); 3221 } 3222 } else { 3223 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3224 cryptfs_reboot(shutdown); 3225 } 3226 } else { 3227 char value[PROPERTY_VALUE_MAX]; 3228 3229 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3230 if (!strcmp(value, "1")) { 3231 /* wipe data if encryption failed */ 3232 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3233 mkdir("/cache/recovery", 0700); 3234 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3235 if (fd >= 0) { 3236 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3237 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3238 close(fd); 3239 } else { 3240 SLOGE("could not open /cache/recovery/command\n"); 3241 } 3242 cryptfs_reboot(recovery); 3243 } else { 3244 /* set property to trigger dialog */ 3245 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3246 release_wake_lock(lockid); 3247 } 3248 return -1; 3249 } 3250 3251 /* hrm, the encrypt step claims success, but the reboot failed. 3252 * This should not happen. 3253 * Set the property and return. Hope the framework can deal with it. 3254 */ 3255 property_set("vold.encrypt_progress", "error_reboot_failed"); 3256 release_wake_lock(lockid); 3257 return rc; 3258 3259error_unencrypted: 3260 free(vol_list); 3261 property_set("vold.encrypt_progress", "error_not_encrypted"); 3262 if (lockid[0]) { 3263 release_wake_lock(lockid); 3264 } 3265 return -1; 3266 3267error_shutting_down: 3268 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3269 * but the framework is stopped and not restarted to show the error, so it's up to 3270 * vold to restart the system. 3271 */ 3272 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3273 cryptfs_reboot(reboot); 3274 3275 /* shouldn't get here */ 3276 property_set("vold.encrypt_progress", "error_shutting_down"); 3277 free(vol_list); 3278 if (lockid[0]) { 3279 release_wake_lock(lockid); 3280 } 3281 return -1; 3282} 3283 3284int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3285{ 3286 char* adjusted_passwd = adjust_passwd(passwd); 3287 if (adjusted_passwd) { 3288 passwd = adjusted_passwd; 3289 } 3290 3291 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3292 3293 free(adjusted_passwd); 3294 return rc; 3295} 3296 3297int cryptfs_enable_default(char *howarg, int allow_reboot) 3298{ 3299 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3300 DEFAULT_PASSWORD, allow_reboot); 3301} 3302 3303static int device_is_force_encrypted() { 3304 int ret = -1; 3305 char value[PROP_VALUE_MAX]; 3306 ret = __system_property_get("ro.vold.forceencryption", value); 3307 if (ret < 0) 3308 return 0; 3309 return strcmp(value, "1") ? 0 : 1; 3310} 3311 3312int cryptfs_maybe_enable_default_crypto() 3313{ 3314 // Enable default crypt if /forceencrypt or /encryptable and 3315 // ro.vold.forceencrypt=1, else mount data and continue unencrypted 3316 struct fstab_rec *fstab_rec = 0; 3317 fstab_rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 3318 if (!fstab_rec) { 3319 SLOGE("Error getting fstab record"); 3320 return -1; 3321 } 3322 3323 // See if we should encrypt? 3324 if ( !fs_mgr_is_encryptable(fstab_rec) 3325 || (!fs_mgr_is_force_encrypted(fstab_rec) 3326 && !device_is_force_encrypted())) { 3327 int rc = 0; 3328 3329 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, fstab_rec->blk_device, 0); 3330 property_set("vold.decrypt", "trigger_load_persist_props"); 3331 3332 /* Create necessary paths on /data */ 3333 if (prep_data_fs()) { 3334 return -1; 3335 } 3336 3337 property_set("ro.crypto.state", "unencrypted"); 3338 property_set("vold.decrypt", "trigger_restart_framework"); 3339 SLOGD("Unencrypted - restart_framework\n"); 3340 return rc; 3341 } 3342 3343 return cryptfs_enable_default("inplace", 0); 3344} 3345 3346int cryptfs_changepw(int crypt_type, const char *newpw) 3347{ 3348 struct crypt_mnt_ftr crypt_ftr; 3349 3350 /* This is only allowed after we've successfully decrypted the master key */ 3351 if (!master_key_saved) { 3352 SLOGE("Key not saved, aborting"); 3353 return -1; 3354 } 3355 3356 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3357 SLOGE("Invalid crypt_type %d", crypt_type); 3358 return -1; 3359 } 3360 3361 /* get key */ 3362 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3363 SLOGE("Error getting crypt footer and key"); 3364 return -1; 3365 } 3366 3367 crypt_ftr.crypt_type = crypt_type; 3368 3369 char* adjusted_passwd = adjust_passwd(newpw); 3370 if (adjusted_passwd) { 3371 newpw = adjusted_passwd; 3372 } 3373 3374 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3375 : newpw, 3376 crypt_ftr.salt, 3377 saved_master_key, 3378 crypt_ftr.master_key, 3379 &crypt_ftr); 3380 3381 /* save the key */ 3382 put_crypt_ftr_and_key(&crypt_ftr); 3383 3384 free(adjusted_passwd); 3385 3386#ifdef CONFIG_HW_DISK_ENCRYPTION 3387 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3388 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3389 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3390 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3391 if (!rc) 3392 return -1; 3393 } else { 3394 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3395 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3396 if (!rc) 3397 return -1; 3398 } 3399 } 3400#endif 3401 return 0; 3402} 3403 3404static unsigned int persist_get_max_entries(int encrypted) { 3405 struct crypt_mnt_ftr crypt_ftr; 3406 unsigned int dsize; 3407 unsigned int max_persistent_entries; 3408 3409 /* If encrypted, use the values from the crypt_ftr, otherwise 3410 * use the values for the current spec. 3411 */ 3412 if (encrypted) { 3413 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3414 return -1; 3415 } 3416 dsize = crypt_ftr.persist_data_size; 3417 } else { 3418 dsize = CRYPT_PERSIST_DATA_SIZE; 3419 } 3420 3421 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3422 sizeof(struct crypt_persist_entry); 3423 3424 return max_persistent_entries; 3425} 3426 3427static int persist_get_key(const char *fieldname, char *value) 3428{ 3429 unsigned int i; 3430 3431 if (persist_data == NULL) { 3432 return -1; 3433 } 3434 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3435 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3436 /* We found it! */ 3437 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3438 return 0; 3439 } 3440 } 3441 3442 return -1; 3443} 3444 3445static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3446{ 3447 unsigned int i; 3448 unsigned int num; 3449 unsigned int max_persistent_entries; 3450 3451 if (persist_data == NULL) { 3452 return -1; 3453 } 3454 3455 max_persistent_entries = persist_get_max_entries(encrypted); 3456 3457 num = persist_data->persist_valid_entries; 3458 3459 for (i = 0; i < num; i++) { 3460 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3461 /* We found an existing entry, update it! */ 3462 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3463 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3464 return 0; 3465 } 3466 } 3467 3468 /* We didn't find it, add it to the end, if there is room */ 3469 if (persist_data->persist_valid_entries < max_persistent_entries) { 3470 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3471 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3472 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3473 persist_data->persist_valid_entries++; 3474 return 0; 3475 } 3476 3477 return -1; 3478} 3479 3480/** 3481 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3482 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3483 */ 3484static int match_multi_entry(const char *key, const char *field, unsigned index) { 3485 unsigned int field_len; 3486 unsigned int key_index; 3487 field_len = strlen(field); 3488 3489 if (index == 0) { 3490 // The first key in a multi-entry field is just the filedname itself. 3491 if (!strcmp(key, field)) { 3492 return 1; 3493 } 3494 } 3495 // Match key against "%s_%d" % (field, index) 3496 if (strlen(key) < field_len + 1 + 1) { 3497 // Need at least a '_' and a digit. 3498 return 0; 3499 } 3500 if (strncmp(key, field, field_len)) { 3501 // If the key does not begin with field, it's not a match. 3502 return 0; 3503 } 3504 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3505 return 0; 3506 } 3507 return key_index >= index; 3508} 3509 3510/* 3511 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3512 * remaining entries starting from index will be deleted. 3513 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3514 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3515 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3516 * 3517 */ 3518static int persist_del_keys(const char *fieldname, unsigned index) 3519{ 3520 unsigned int i; 3521 unsigned int j; 3522 unsigned int num; 3523 3524 if (persist_data == NULL) { 3525 return PERSIST_DEL_KEY_ERROR_OTHER; 3526 } 3527 3528 num = persist_data->persist_valid_entries; 3529 3530 j = 0; // points to the end of non-deleted entries. 3531 // Filter out to-be-deleted entries in place. 3532 for (i = 0; i < num; i++) { 3533 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3534 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3535 j++; 3536 } 3537 } 3538 3539 if (j < num) { 3540 persist_data->persist_valid_entries = j; 3541 // Zeroise the remaining entries 3542 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3543 return PERSIST_DEL_KEY_OK; 3544 } else { 3545 // Did not find an entry matching the given fieldname 3546 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3547 } 3548} 3549 3550static int persist_count_keys(const char *fieldname) 3551{ 3552 unsigned int i; 3553 unsigned int count; 3554 3555 if (persist_data == NULL) { 3556 return -1; 3557 } 3558 3559 count = 0; 3560 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3561 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3562 count++; 3563 } 3564 } 3565 3566 return count; 3567} 3568 3569/* Return the value of the specified field. */ 3570int cryptfs_getfield(const char *fieldname, char *value, int len) 3571{ 3572 char temp_value[PROPERTY_VALUE_MAX]; 3573 /* CRYPTO_GETFIELD_OK is success, 3574 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3575 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3576 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3577 */ 3578 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3579 int i; 3580 char temp_field[PROPERTY_KEY_MAX]; 3581 3582 if (persist_data == NULL) { 3583 load_persistent_data(); 3584 if (persist_data == NULL) { 3585 SLOGE("Getfield error, cannot load persistent data"); 3586 goto out; 3587 } 3588 } 3589 3590 // Read value from persistent entries. If the original value is split into multiple entries, 3591 // stitch them back together. 3592 if (!persist_get_key(fieldname, temp_value)) { 3593 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3594 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3595 // value too small 3596 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3597 goto out; 3598 } 3599 rc = CRYPTO_GETFIELD_OK; 3600 3601 for (i = 1; /* break explicitly */; i++) { 3602 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3603 (int) sizeof(temp_field)) { 3604 // If the fieldname is very long, we stop as soon as it begins to overflow the 3605 // maximum field length. At this point we have in fact fully read out the original 3606 // value because cryptfs_setfield would not allow fields with longer names to be 3607 // written in the first place. 3608 break; 3609 } 3610 if (!persist_get_key(temp_field, temp_value)) { 3611 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3612 // value too small. 3613 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3614 goto out; 3615 } 3616 } else { 3617 // Exhaust all entries. 3618 break; 3619 } 3620 } 3621 } else { 3622 /* Sadness, it's not there. Return the error */ 3623 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3624 } 3625 3626out: 3627 return rc; 3628} 3629 3630/* Set the value of the specified field. */ 3631int cryptfs_setfield(const char *fieldname, const char *value) 3632{ 3633 char encrypted_state[PROPERTY_VALUE_MAX]; 3634 /* 0 is success, negative values are error */ 3635 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3636 int encrypted = 0; 3637 unsigned int field_id; 3638 char temp_field[PROPERTY_KEY_MAX]; 3639 unsigned int num_entries; 3640 unsigned int max_keylen; 3641 3642 if (persist_data == NULL) { 3643 load_persistent_data(); 3644 if (persist_data == NULL) { 3645 SLOGE("Setfield error, cannot load persistent data"); 3646 goto out; 3647 } 3648 } 3649 3650 property_get("ro.crypto.state", encrypted_state, ""); 3651 if (!strcmp(encrypted_state, "encrypted") ) { 3652 encrypted = 1; 3653 } 3654 3655 // Compute the number of entries required to store value, each entry can store up to 3656 // (PROPERTY_VALUE_MAX - 1) chars 3657 if (strlen(value) == 0) { 3658 // Empty value also needs one entry to store. 3659 num_entries = 1; 3660 } else { 3661 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3662 } 3663 3664 max_keylen = strlen(fieldname); 3665 if (num_entries > 1) { 3666 // Need an extra "_%d" suffix. 3667 max_keylen += 1 + log10(num_entries); 3668 } 3669 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3670 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3671 goto out; 3672 } 3673 3674 // Make sure we have enough space to write the new value 3675 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3676 persist_get_max_entries(encrypted)) { 3677 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3678 goto out; 3679 } 3680 3681 // Now that we know persist_data has enough space for value, let's delete the old field first 3682 // to make up space. 3683 persist_del_keys(fieldname, 0); 3684 3685 if (persist_set_key(fieldname, value, encrypted)) { 3686 // fail to set key, should not happen as we have already checked the available space 3687 SLOGE("persist_set_key() error during setfield()"); 3688 goto out; 3689 } 3690 3691 for (field_id = 1; field_id < num_entries; field_id++) { 3692 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3693 3694 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3695 // fail to set key, should not happen as we have already checked the available space. 3696 SLOGE("persist_set_key() error during setfield()"); 3697 goto out; 3698 } 3699 } 3700 3701 /* If we are running encrypted, save the persistent data now */ 3702 if (encrypted) { 3703 if (save_persistent_data()) { 3704 SLOGE("Setfield error, cannot save persistent data"); 3705 goto out; 3706 } 3707 } 3708 3709 rc = CRYPTO_SETFIELD_OK; 3710 3711out: 3712 return rc; 3713} 3714 3715/* Checks userdata. Attempt to mount the volume if default- 3716 * encrypted. 3717 * On success trigger next init phase and return 0. 3718 * Currently do not handle failure - see TODO below. 3719 */ 3720int cryptfs_mount_default_encrypted(void) 3721{ 3722 char decrypt_state[PROPERTY_VALUE_MAX]; 3723 property_get("vold.decrypt", decrypt_state, "0"); 3724 if (!strcmp(decrypt_state, "0")) { 3725 SLOGE("Not encrypted - should not call here"); 3726 } else { 3727 int crypt_type = cryptfs_get_password_type(); 3728 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3729 SLOGE("Bad crypt type - error"); 3730 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3731 SLOGD("Password is not default - " 3732 "starting min framework to prompt"); 3733 property_set("vold.decrypt", "trigger_restart_min_framework"); 3734 return 0; 3735 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3736 SLOGD("Password is default - restarting filesystem"); 3737 cryptfs_restart_internal(0); 3738 return 0; 3739 } else { 3740 SLOGE("Encrypted, default crypt type but can't decrypt"); 3741 } 3742 } 3743 3744 /** Corrupt. Allow us to boot into framework, which will detect bad 3745 crypto when it calls do_crypto_complete, then do a factory reset 3746 */ 3747 property_set("vold.decrypt", "trigger_restart_min_framework"); 3748 return 0; 3749} 3750 3751/* Returns type of the password, default, pattern, pin or password. 3752 */ 3753int cryptfs_get_password_type(void) 3754{ 3755 struct crypt_mnt_ftr crypt_ftr; 3756 3757 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3758 SLOGE("Error getting crypt footer and key\n"); 3759 return -1; 3760 } 3761 3762 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3763 return -1; 3764 } 3765 3766 return crypt_ftr.crypt_type; 3767} 3768 3769char* cryptfs_get_password() 3770{ 3771 struct timespec now; 3772 clock_gettime(CLOCK_BOOTTIME, &now); 3773 if (now.tv_sec < password_expiry_time) { 3774 return password; 3775 } else { 3776 cryptfs_clear_password(); 3777 return 0; 3778 } 3779} 3780 3781void cryptfs_clear_password() 3782{ 3783 if (password) { 3784 size_t len = strlen(password); 3785 memset(password, 0, len); 3786 free(password); 3787 password = 0; 3788 password_expiry_time = 0; 3789 } 3790} 3791