1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4_utils/ext4_crypt.h> 42#include <ext4_utils/ext4_utils.h> 43#include <linux/kdev_t.h> 44#include <fs_mgr.h> 45#include <time.h> 46#include <math.h> 47#include <selinux/selinux.h> 48#include "cryptfs.h" 49#include "secontext.h" 50#define LOG_TAG "Cryptfs" 51#include "cutils/log.h" 52#include "cutils/properties.h" 53#include "cutils/android_reboot.h" 54#include "hardware_legacy/power.h" 55#include <logwrap/logwrap.h> 56#include "ScryptParameters.h" 57#include "VolumeManager.h" 58#include "VoldUtil.h" 59#include "Ext4Crypt.h" 60#include "f2fs_sparseblock.h" 61#include "EncryptInplace.h" 62#include "Process.h" 63#include "Keymaster.h" 64#include "android-base/properties.h" 65#include <bootloader_message/bootloader_message.h> 66extern "C" { 67#include <crypto_scrypt.h> 68} 69 70#define UNUSED __attribute__((unused)) 71 72#define DM_CRYPT_BUF_SIZE 4096 73 74#define HASH_COUNT 2000 75 76constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16; 77constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16; 78constexpr size_t INTERMEDIATE_BUF_SIZE = 79 (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES); 80 81// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key. 82static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, 83 "Mismatch of intermediate key sizes"); 84 85#define KEY_IN_FOOTER "footer" 86 87#define DEFAULT_PASSWORD "default_password" 88 89#define CRYPTO_BLOCK_DEVICE "userdata" 90 91#define BREADCRUMB_FILE "/data/misc/vold/convert_fde" 92 93#define EXT4_FS 1 94#define F2FS_FS 2 95 96#define TABLE_LOAD_RETRIES 10 97 98#define RSA_KEY_SIZE 2048 99#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 100#define RSA_EXPONENT 0x10001 101#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 102 103#define RETRY_MOUNT_ATTEMPTS 10 104#define RETRY_MOUNT_DELAY_SECONDS 1 105 106#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1) 107 108static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr); 109 110static unsigned char saved_master_key[MAX_KEY_LEN]; 111static char *saved_mount_point; 112static int master_key_saved = 0; 113static struct crypt_persist_data *persist_data = NULL; 114 115/* Should we use keymaster? */ 116static int keymaster_check_compatibility() 117{ 118 return keymaster_compatibility_cryptfs_scrypt(); 119} 120 121/* Create a new keymaster key and store it in this footer */ 122static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 123{ 124 if (ftr->keymaster_blob_size) { 125 SLOGI("Already have key"); 126 return 0; 127 } 128 129 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT, 130 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, 131 &ftr->keymaster_blob_size); 132 if (rc) { 133 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) { 134 SLOGE("Keymaster key blob too large"); 135 ftr->keymaster_blob_size = 0; 136 } 137 SLOGE("Failed to generate keypair"); 138 return -1; 139 } 140 return 0; 141} 142 143/* This signs the given object using the keymaster key. */ 144static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 145 const unsigned char *object, 146 const size_t object_size, 147 unsigned char **signature, 148 size_t *signature_size) 149{ 150 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 151 size_t to_sign_size = sizeof(to_sign); 152 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 153 154 // To sign a message with RSA, the message must satisfy two 155 // constraints: 156 // 157 // 1. The message, when interpreted as a big-endian numeric value, must 158 // be strictly less than the public modulus of the RSA key. Note 159 // that because the most significant bit of the public modulus is 160 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 161 // key), an n-bit message with most significant bit 0 always 162 // satisfies this requirement. 163 // 164 // 2. The message must have the same length in bits as the public 165 // modulus of the RSA key. This requirement isn't mathematically 166 // necessary, but is necessary to ensure consistency in 167 // implementations. 168 switch (ftr->kdf_type) { 169 case KDF_SCRYPT_KEYMASTER: 170 // This ensures the most significant byte of the signed message 171 // is zero. We could have zero-padded to the left instead, but 172 // this approach is slightly more robust against changes in 173 // object size. However, it's still broken (but not unusably 174 // so) because we really should be using a proper deterministic 175 // RSA padding function, such as PKCS1. 176 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size)); 177 SLOGI("Signing safely-padded object"); 178 break; 179 default: 180 SLOGE("Unknown KDF type %d", ftr->kdf_type); 181 return -1; 182 } 183 for (;;) { 184 auto result = keymaster_sign_object_for_cryptfs_scrypt( 185 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, 186 to_sign_size, signature, signature_size); 187 switch (result) { 188 case KeymasterSignResult::ok: 189 return 0; 190 case KeymasterSignResult::upgrade: 191 break; 192 default: 193 return -1; 194 } 195 SLOGD("Upgrading key"); 196 if (keymaster_upgrade_key_for_cryptfs_scrypt( 197 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, 198 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, 199 &ftr->keymaster_blob_size) != 0) { 200 SLOGE("Failed to upgrade key"); 201 return -1; 202 } 203 if (put_crypt_ftr_and_key(ftr) != 0) { 204 SLOGE("Failed to write upgraded key to disk"); 205 } 206 SLOGD("Key upgraded successfully"); 207 } 208} 209 210/* Store password when userdata is successfully decrypted and mounted. 211 * Cleared by cryptfs_clear_password 212 * 213 * To avoid a double prompt at boot, we need to store the CryptKeeper 214 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 215 * Since the entire framework is torn down and rebuilt after encryption, 216 * we have to use a daemon or similar to store the password. Since vold 217 * is secured against IPC except from system processes, it seems a reasonable 218 * place to store this. 219 * 220 * password should be cleared once it has been used. 221 * 222 * password is aged out after password_max_age_seconds seconds. 223 */ 224static char* password = 0; 225static int password_expiry_time = 0; 226static const int password_max_age_seconds = 60; 227 228enum class RebootType {reboot, recovery, shutdown}; 229static void cryptfs_reboot(RebootType rt) 230{ 231 switch (rt) { 232 case RebootType::reboot: 233 property_set(ANDROID_RB_PROPERTY, "reboot"); 234 break; 235 236 case RebootType::recovery: 237 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 238 break; 239 240 case RebootType::shutdown: 241 property_set(ANDROID_RB_PROPERTY, "shutdown"); 242 break; 243 } 244 245 sleep(20); 246 247 /* Shouldn't get here, reboot should happen before sleep times out */ 248 return; 249} 250 251static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 252{ 253 memset(io, 0, dataSize); 254 io->data_size = dataSize; 255 io->data_start = sizeof(struct dm_ioctl); 256 io->version[0] = 4; 257 io->version[1] = 0; 258 io->version[2] = 0; 259 io->flags = flags; 260 if (name) { 261 strlcpy(io->name, name, sizeof(io->name)); 262 } 263} 264 265namespace { 266 267struct CryptoType; 268 269// Use to get the CryptoType in use on this device. 270const CryptoType &get_crypto_type(); 271 272struct CryptoType { 273 // We should only be constructing CryptoTypes as part of 274 // supported_crypto_types[]. We do it via this pseudo-builder pattern, 275 // which isn't pure or fully protected as a concession to being able to 276 // do it all at compile time. Add new CryptoTypes in 277 // supported_crypto_types[] below. 278 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {} 279 constexpr CryptoType set_keysize(uint32_t size) const { 280 return CryptoType(this->property_name, this->crypto_name, size); 281 } 282 constexpr CryptoType set_property_name(const char *property) const { 283 return CryptoType(property, this->crypto_name, this->keysize); 284 } 285 constexpr CryptoType set_crypto_name(const char *crypto) const { 286 return CryptoType(this->property_name, crypto, this->keysize); 287 } 288 289 constexpr const char *get_property_name() const { return property_name; } 290 constexpr const char *get_crypto_name() const { return crypto_name; } 291 constexpr uint32_t get_keysize() const { return keysize; } 292 293 private: 294 const char *property_name; 295 const char *crypto_name; 296 uint32_t keysize; 297 298 constexpr CryptoType(const char *property, const char *crypto, 299 uint32_t ksize) 300 : property_name(property), crypto_name(crypto), keysize(ksize) {} 301 friend const CryptoType &get_crypto_type(); 302 static const CryptoType &get_device_crypto_algorithm(); 303}; 304 305// We only want to parse this read-only property once. But we need to wait 306// until the system is initialized before we can read it. So we use a static 307// scoped within this function to get it only once. 308const CryptoType &get_crypto_type() { 309 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm(); 310 return crypto_type; 311} 312 313constexpr CryptoType default_crypto_type = CryptoType() 314 .set_property_name("AES-128-CBC") 315 .set_crypto_name("aes-cbc-essiv:sha256") 316 .set_keysize(16); 317 318constexpr CryptoType supported_crypto_types[] = { 319 default_crypto_type, 320 CryptoType() 321 .set_property_name("Speck128/128-XTS") 322 .set_crypto_name("speck128-xts-plain64") 323 .set_keysize(32), 324 // Add new CryptoTypes here. Order is not important. 325}; 326 327 328// ---------- START COMPILE-TIME SANITY CHECK BLOCK ------------------------- 329// We confirm all supported_crypto_types have a small enough keysize and 330// had both set_property_name() and set_crypto_name() called. 331 332template <typename T, size_t N> 333constexpr size_t array_length(T (&)[N]) { return N; } 334 335constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) { 336 return (index >= array_length(supported_crypto_types)); 337} 338 339constexpr bool isValidCryptoType(const CryptoType &crypto_type) { 340 return ((crypto_type.get_property_name() != nullptr) && 341 (crypto_type.get_crypto_name() != nullptr) && 342 (crypto_type.get_keysize() <= MAX_KEY_LEN)); 343} 344 345// Note in C++11 that constexpr functions can only have a single line. 346// So our code is a bit convoluted (using recursion instead of a loop), 347// but it's asserting at compile time that all of our key lengths are valid. 348constexpr bool validateSupportedCryptoTypes(size_t index) { 349 return indexOutOfBoundsForCryptoTypes(index) || 350 (isValidCryptoType(supported_crypto_types[index]) && 351 validateSupportedCryptoTypes(index + 1)); 352} 353 354static_assert(validateSupportedCryptoTypes(0), 355 "We have a CryptoType with keysize > MAX_KEY_LEN or which was " 356 "incompletely constructed."); 357// ---------- END COMPILE-TIME SANITY CHECK BLOCK ------------------------- 358 359 360// Don't call this directly, use get_crypto_type(), which caches this result. 361const CryptoType &CryptoType::get_device_crypto_algorithm() { 362 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm"; 363 char paramstr[PROPERTY_VALUE_MAX]; 364 365 property_get(CRYPT_ALGO_PROP, paramstr, 366 default_crypto_type.get_property_name()); 367 for (auto const &ctype : supported_crypto_types) { 368 if (strcmp(paramstr, ctype.get_property_name()) == 0) { 369 return ctype; 370 } 371 } 372 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr, 373 CRYPT_ALGO_PROP, default_crypto_type.get_property_name()); 374 return default_crypto_type; 375} 376 377} // namespace 378 379 380 381/** 382 * Gets the default device scrypt parameters for key derivation time tuning. 383 * The parameters should lead to about one second derivation time for the 384 * given device. 385 */ 386static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 387 char paramstr[PROPERTY_VALUE_MAX]; 388 int Nf, rf, pf; 389 390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS); 391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) { 392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf); 394 } 395 ftr->N_factor = Nf; 396 ftr->r_factor = rf; 397 ftr->p_factor = pf; 398} 399 400uint32_t cryptfs_get_keysize() { 401 return get_crypto_type().get_keysize(); 402} 403 404const char *cryptfs_get_crypto_name() { 405 return get_crypto_type().get_crypto_name(); 406} 407 408static unsigned int get_fs_size(char *dev) 409{ 410 int fd, block_size; 411 struct ext4_super_block sb; 412 off64_t len; 413 414 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 415 SLOGE("Cannot open device to get filesystem size "); 416 return 0; 417 } 418 419 if (lseek64(fd, 1024, SEEK_SET) < 0) { 420 SLOGE("Cannot seek to superblock"); 421 return 0; 422 } 423 424 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 425 SLOGE("Cannot read superblock"); 426 return 0; 427 } 428 429 close(fd); 430 431 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 432 SLOGE("Not a valid ext4 superblock"); 433 return 0; 434 } 435 block_size = 1024 << sb.s_log_block_size; 436 /* compute length in bytes */ 437 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 438 439 /* return length in sectors */ 440 return (unsigned int) (len / 512); 441} 442 443static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 444{ 445 static int cached_data = 0; 446 static off64_t cached_off = 0; 447 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 448 int fd; 449 char key_loc[PROPERTY_VALUE_MAX]; 450 char real_blkdev[PROPERTY_VALUE_MAX]; 451 int rc = -1; 452 453 if (!cached_data) { 454 fs_mgr_get_crypt_info(fstab_default, key_loc, real_blkdev, sizeof(key_loc)); 455 456 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 457 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 458 SLOGE("Cannot open real block device %s\n", real_blkdev); 459 return -1; 460 } 461 462 unsigned long nr_sec = 0; 463 get_blkdev_size(fd, &nr_sec); 464 if (nr_sec != 0) { 465 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 466 * encryption info footer and key, and plenty of bytes to spare for future 467 * growth. 468 */ 469 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 470 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 471 cached_data = 1; 472 } else { 473 SLOGE("Cannot get size of block device %s\n", real_blkdev); 474 } 475 close(fd); 476 } else { 477 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 478 cached_off = 0; 479 cached_data = 1; 480 } 481 } 482 483 if (cached_data) { 484 if (metadata_fname) { 485 *metadata_fname = cached_metadata_fname; 486 } 487 if (off) { 488 *off = cached_off; 489 } 490 rc = 0; 491 } 492 493 return rc; 494} 495 496/* Set sha256 checksum in structure */ 497static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr) 498{ 499 SHA256_CTX c; 500 SHA256_Init(&c); 501 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256)); 502 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr)); 503 SHA256_Final(crypt_ftr->sha256, &c); 504} 505 506/* key or salt can be NULL, in which case just skip writing that value. Useful to 507 * update the failed mount count but not change the key. 508 */ 509static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 510{ 511 int fd; 512 unsigned int cnt; 513 /* starting_off is set to the SEEK_SET offset 514 * where the crypto structure starts 515 */ 516 off64_t starting_off; 517 int rc = -1; 518 char *fname = NULL; 519 struct stat statbuf; 520 521 set_ftr_sha(crypt_ftr); 522 523 if (get_crypt_ftr_info(&fname, &starting_off)) { 524 SLOGE("Unable to get crypt_ftr_info\n"); 525 return -1; 526 } 527 if (fname[0] != '/') { 528 SLOGE("Unexpected value for crypto key location\n"); 529 return -1; 530 } 531 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 532 SLOGE("Cannot open footer file %s for put\n", fname); 533 return -1; 534 } 535 536 /* Seek to the start of the crypt footer */ 537 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 538 SLOGE("Cannot seek to real block device footer\n"); 539 goto errout; 540 } 541 542 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 543 SLOGE("Cannot write real block device footer\n"); 544 goto errout; 545 } 546 547 fstat(fd, &statbuf); 548 /* If the keys are kept on a raw block device, do not try to truncate it. */ 549 if (S_ISREG(statbuf.st_mode)) { 550 if (ftruncate(fd, 0x4000)) { 551 SLOGE("Cannot set footer file size\n"); 552 goto errout; 553 } 554 } 555 556 /* Success! */ 557 rc = 0; 558 559errout: 560 close(fd); 561 return rc; 562 563} 564 565static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr) 566{ 567 struct crypt_mnt_ftr copy; 568 memcpy(©, crypt_ftr, sizeof(copy)); 569 set_ftr_sha(©); 570 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0; 571} 572 573static inline int unix_read(int fd, void* buff, int len) 574{ 575 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 576} 577 578static inline int unix_write(int fd, const void* buff, int len) 579{ 580 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 581} 582 583static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 584{ 585 memset(pdata, 0, len); 586 pdata->persist_magic = PERSIST_DATA_MAGIC; 587 pdata->persist_valid_entries = 0; 588} 589 590/* A routine to update the passed in crypt_ftr to the lastest version. 591 * fd is open read/write on the device that holds the crypto footer and persistent 592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 594 */ 595static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 596{ 597 int orig_major = crypt_ftr->major_version; 598 int orig_minor = crypt_ftr->minor_version; 599 600 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 601 struct crypt_persist_data *pdata; 602 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 603 604 SLOGW("upgrading crypto footer to 1.1"); 605 606 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE); 607 if (pdata == NULL) { 608 SLOGE("Cannot allocate persisent data\n"); 609 return; 610 } 611 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 612 613 /* Need to initialize the persistent data area */ 614 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 615 SLOGE("Cannot seek to persisent data offset\n"); 616 free(pdata); 617 return; 618 } 619 /* Write all zeros to the first copy, making it invalid */ 620 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 621 622 /* Write a valid but empty structure to the second copy */ 623 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 624 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 625 626 /* Update the footer */ 627 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 628 crypt_ftr->persist_data_offset[0] = pdata_offset; 629 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 630 crypt_ftr->minor_version = 1; 631 free(pdata); 632 } 633 634 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 635 SLOGW("upgrading crypto footer to 1.2"); 636 /* But keep the old kdf_type. 637 * It will get updated later to KDF_SCRYPT after the password has been verified. 638 */ 639 crypt_ftr->kdf_type = KDF_PBKDF2; 640 get_device_scrypt_params(crypt_ftr); 641 crypt_ftr->minor_version = 2; 642 } 643 644 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 645 SLOGW("upgrading crypto footer to 1.3"); 646 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 647 crypt_ftr->minor_version = 3; 648 } 649 650 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 651 if (lseek64(fd, offset, SEEK_SET) == -1) { 652 SLOGE("Cannot seek to crypt footer\n"); 653 return; 654 } 655 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 656 } 657} 658 659 660static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 661{ 662 int fd; 663 unsigned int cnt; 664 off64_t starting_off; 665 int rc = -1; 666 char *fname = NULL; 667 struct stat statbuf; 668 669 if (get_crypt_ftr_info(&fname, &starting_off)) { 670 SLOGE("Unable to get crypt_ftr_info\n"); 671 return -1; 672 } 673 if (fname[0] != '/') { 674 SLOGE("Unexpected value for crypto key location\n"); 675 return -1; 676 } 677 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 678 SLOGE("Cannot open footer file %s for get\n", fname); 679 return -1; 680 } 681 682 /* Make sure it's 16 Kbytes in length */ 683 fstat(fd, &statbuf); 684 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 685 SLOGE("footer file %s is not the expected size!\n", fname); 686 goto errout; 687 } 688 689 /* Seek to the start of the crypt footer */ 690 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 691 SLOGE("Cannot seek to real block device footer\n"); 692 goto errout; 693 } 694 695 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 696 SLOGE("Cannot read real block device footer\n"); 697 goto errout; 698 } 699 700 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 701 SLOGE("Bad magic for real block device %s\n", fname); 702 goto errout; 703 } 704 705 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 706 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 707 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 708 goto errout; 709 } 710 711 // We risk buffer overflows with oversized keys, so we just reject them. 712 // 0-sized keys are problematic (essentially by-passing encryption), and 713 // AES-CBC key wrapping only works for multiples of 16 bytes. 714 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) || 715 (crypt_ftr->keysize > MAX_KEY_LEN)) { 716 SLOGE("Invalid keysize (%u) for block device %s; Must be non-zero, " 717 "divisible by 16, and <= %d\n", crypt_ftr->keysize, fname, 718 MAX_KEY_LEN); 719 goto errout; 720 } 721 722 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 723 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 724 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 725 } 726 727 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 728 * copy on disk before returning. 729 */ 730 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 731 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 732 } 733 734 /* Success! */ 735 rc = 0; 736 737errout: 738 close(fd); 739 return rc; 740} 741 742static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 743{ 744 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 745 crypt_ftr->persist_data_offset[1]) { 746 SLOGE("Crypt_ftr persist data regions overlap"); 747 return -1; 748 } 749 750 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 751 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 752 return -1; 753 } 754 755 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 756 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 757 CRYPT_FOOTER_OFFSET) { 758 SLOGE("Persistent data extends past crypto footer"); 759 return -1; 760 } 761 762 return 0; 763} 764 765static int load_persistent_data(void) 766{ 767 struct crypt_mnt_ftr crypt_ftr; 768 struct crypt_persist_data *pdata = NULL; 769 char encrypted_state[PROPERTY_VALUE_MAX]; 770 char *fname; 771 int found = 0; 772 int fd; 773 int ret; 774 int i; 775 776 if (persist_data) { 777 /* Nothing to do, we've already loaded or initialized it */ 778 return 0; 779 } 780 781 782 /* If not encrypted, just allocate an empty table and initialize it */ 783 property_get("ro.crypto.state", encrypted_state, ""); 784 if (strcmp(encrypted_state, "encrypted") ) { 785 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE); 786 if (pdata) { 787 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 788 persist_data = pdata; 789 return 0; 790 } 791 return -1; 792 } 793 794 if(get_crypt_ftr_and_key(&crypt_ftr)) { 795 return -1; 796 } 797 798 if ((crypt_ftr.major_version < 1) 799 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 800 SLOGE("Crypt_ftr version doesn't support persistent data"); 801 return -1; 802 } 803 804 if (get_crypt_ftr_info(&fname, NULL)) { 805 return -1; 806 } 807 808 ret = validate_persistent_data_storage(&crypt_ftr); 809 if (ret) { 810 return -1; 811 } 812 813 fd = open(fname, O_RDONLY|O_CLOEXEC); 814 if (fd < 0) { 815 SLOGE("Cannot open %s metadata file", fname); 816 return -1; 817 } 818 819 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size); 820 if (pdata == NULL) { 821 SLOGE("Cannot allocate memory for persistent data"); 822 goto err; 823 } 824 825 for (i = 0; i < 2; i++) { 826 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 827 SLOGE("Cannot seek to read persistent data on %s", fname); 828 goto err2; 829 } 830 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 831 SLOGE("Error reading persistent data on iteration %d", i); 832 goto err2; 833 } 834 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 835 found = 1; 836 break; 837 } 838 } 839 840 if (!found) { 841 SLOGI("Could not find valid persistent data, creating"); 842 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 843 } 844 845 /* Success */ 846 persist_data = pdata; 847 close(fd); 848 return 0; 849 850err2: 851 free(pdata); 852 853err: 854 close(fd); 855 return -1; 856} 857 858static int save_persistent_data(void) 859{ 860 struct crypt_mnt_ftr crypt_ftr; 861 struct crypt_persist_data *pdata; 862 char *fname; 863 off64_t write_offset; 864 off64_t erase_offset; 865 int fd; 866 int ret; 867 868 if (persist_data == NULL) { 869 SLOGE("No persistent data to save"); 870 return -1; 871 } 872 873 if(get_crypt_ftr_and_key(&crypt_ftr)) { 874 return -1; 875 } 876 877 if ((crypt_ftr.major_version < 1) 878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 879 SLOGE("Crypt_ftr version doesn't support persistent data"); 880 return -1; 881 } 882 883 ret = validate_persistent_data_storage(&crypt_ftr); 884 if (ret) { 885 return -1; 886 } 887 888 if (get_crypt_ftr_info(&fname, NULL)) { 889 return -1; 890 } 891 892 fd = open(fname, O_RDWR|O_CLOEXEC); 893 if (fd < 0) { 894 SLOGE("Cannot open %s metadata file", fname); 895 return -1; 896 } 897 898 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size); 899 if (pdata == NULL) { 900 SLOGE("Cannot allocate persistant data"); 901 goto err; 902 } 903 904 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 905 SLOGE("Cannot seek to read persistent data on %s", fname); 906 goto err2; 907 } 908 909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 910 SLOGE("Error reading persistent data before save"); 911 goto err2; 912 } 913 914 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 915 /* The first copy is the curent valid copy, so write to 916 * the second copy and erase this one */ 917 write_offset = crypt_ftr.persist_data_offset[1]; 918 erase_offset = crypt_ftr.persist_data_offset[0]; 919 } else { 920 /* The second copy must be the valid copy, so write to 921 * the first copy, and erase the second */ 922 write_offset = crypt_ftr.persist_data_offset[0]; 923 erase_offset = crypt_ftr.persist_data_offset[1]; 924 } 925 926 /* Write the new copy first, if successful, then erase the old copy */ 927 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 928 SLOGE("Cannot seek to write persistent data"); 929 goto err2; 930 } 931 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 932 (int) crypt_ftr.persist_data_size) { 933 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 934 SLOGE("Cannot seek to erase previous persistent data"); 935 goto err2; 936 } 937 fsync(fd); 938 memset(pdata, 0, crypt_ftr.persist_data_size); 939 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 940 (int) crypt_ftr.persist_data_size) { 941 SLOGE("Cannot write to erase previous persistent data"); 942 goto err2; 943 } 944 fsync(fd); 945 } else { 946 SLOGE("Cannot write to save persistent data"); 947 goto err2; 948 } 949 950 /* Success */ 951 free(pdata); 952 close(fd); 953 return 0; 954 955err2: 956 free(pdata); 957err: 958 close(fd); 959 return -1; 960} 961 962/* Convert a binary key of specified length into an ascii hex string equivalent, 963 * without the leading 0x and with null termination 964 */ 965static void convert_key_to_hex_ascii(const unsigned char *master_key, 966 unsigned int keysize, char *master_key_ascii) { 967 unsigned int i, a; 968 unsigned char nibble; 969 970 for (i=0, a=0; i<keysize; i++, a+=2) { 971 /* For each byte, write out two ascii hex digits */ 972 nibble = (master_key[i] >> 4) & 0xf; 973 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 974 975 nibble = master_key[i] & 0xf; 976 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 977 } 978 979 /* Add the null termination */ 980 master_key_ascii[a] = '\0'; 981 982} 983 984static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 985 const unsigned char *master_key, const char *real_blk_name, 986 const char *name, int fd, const char *extra_params) { 987 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 988 struct dm_ioctl *io; 989 struct dm_target_spec *tgt; 990 char *crypt_params; 991 // We need two ASCII characters to represent each byte, and need space for 992 // the '\0' terminator. 993 char master_key_ascii[MAX_KEY_LEN * 2 + 1]; 994 size_t buff_offset; 995 int i; 996 997 io = (struct dm_ioctl *) buffer; 998 999 /* Load the mapping table for this device */ 1000 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 1001 1002 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1003 io->target_count = 1; 1004 tgt->status = 0; 1005 tgt->sector_start = 0; 1006 tgt->length = crypt_ftr->fs_size; 1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1008 1009 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1010 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1011 1012 buff_offset = crypt_params - buffer; 1013 SLOGI("Extra parameters for dm_crypt: %s\n", extra_params); 1014 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s", 1015 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, 1016 extra_params); 1017 crypt_params += strlen(crypt_params) + 1; 1018 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1019 tgt->next = crypt_params - buffer; 1020 1021 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1022 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1023 break; 1024 } 1025 usleep(500000); 1026 } 1027 1028 if (i == TABLE_LOAD_RETRIES) { 1029 /* We failed to load the table, return an error */ 1030 return -1; 1031 } else { 1032 return i + 1; 1033 } 1034} 1035 1036 1037static int get_dm_crypt_version(int fd, const char *name, int *version) 1038{ 1039 char buffer[DM_CRYPT_BUF_SIZE]; 1040 struct dm_ioctl *io; 1041 struct dm_target_versions *v; 1042 1043 io = (struct dm_ioctl *) buffer; 1044 1045 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1046 1047 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1048 return -1; 1049 } 1050 1051 /* Iterate over the returned versions, looking for name of "crypt". 1052 * When found, get and return the version. 1053 */ 1054 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1055 while (v->next) { 1056 if (! strcmp(v->name, "crypt")) { 1057 /* We found the crypt driver, return the version, and get out */ 1058 version[0] = v->version[0]; 1059 version[1] = v->version[1]; 1060 version[2] = v->version[2]; 1061 return 0; 1062 } 1063 v = (struct dm_target_versions *)(((char *)v) + v->next); 1064 } 1065 1066 return -1; 1067} 1068 1069static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) { 1070 if (extra_params_vec.empty()) return ""; 1071 std::string extra_params = std::to_string(extra_params_vec.size()); 1072 for (const auto& p : extra_params_vec) { 1073 extra_params.append(" "); 1074 extra_params.append(p); 1075 } 1076 return extra_params; 1077} 1078 1079static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key, 1080 const char* real_blk_name, char* crypto_blk_name, const char* name, 1081 uint32_t flags) { 1082 char buffer[DM_CRYPT_BUF_SIZE]; 1083 struct dm_ioctl* io; 1084 unsigned int minor; 1085 int fd = 0; 1086 int err; 1087 int retval = -1; 1088 int version[3]; 1089 int load_count; 1090 std::vector<std::string> extra_params_vec; 1091 1092 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) { 1093 SLOGE("Cannot open device-mapper\n"); 1094 goto errout; 1095 } 1096 1097 io = (struct dm_ioctl*)buffer; 1098 1099 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1100 err = ioctl(fd, DM_DEV_CREATE, io); 1101 if (err) { 1102 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno)); 1103 goto errout; 1104 } 1105 1106 /* Get the device status, in particular, the name of it's device file */ 1107 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1108 if (ioctl(fd, DM_DEV_STATUS, io)) { 1109 SLOGE("Cannot retrieve dm-crypt device status\n"); 1110 goto errout; 1111 } 1112 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1113 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1114 1115 if (!get_dm_crypt_version(fd, name, version)) { 1116 /* Support for allow_discards was added in version 1.11.0 */ 1117 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) { 1118 extra_params_vec.emplace_back("allow_discards"); 1119 } 1120 } 1121 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) { 1122 extra_params_vec.emplace_back("allow_encrypt_override"); 1123 } 1124 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd, 1125 extra_params_as_string(extra_params_vec).c_str()); 1126 if (load_count < 0) { 1127 SLOGE("Cannot load dm-crypt mapping table.\n"); 1128 goto errout; 1129 } else if (load_count > 1) { 1130 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1131 } 1132 1133 /* Resume this device to activate it */ 1134 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1135 1136 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1137 SLOGE("Cannot resume the dm-crypt device\n"); 1138 goto errout; 1139 } 1140 1141 /* We made it here with no errors. Woot! */ 1142 retval = 0; 1143 1144errout: 1145 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1146 1147 return retval; 1148} 1149 1150static int delete_crypto_blk_dev(const char *name) 1151{ 1152 int fd; 1153 char buffer[DM_CRYPT_BUF_SIZE]; 1154 struct dm_ioctl *io; 1155 int retval = -1; 1156 1157 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1158 SLOGE("Cannot open device-mapper\n"); 1159 goto errout; 1160 } 1161 1162 io = (struct dm_ioctl *) buffer; 1163 1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1165 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1166 SLOGE("Cannot remove dm-crypt device\n"); 1167 goto errout; 1168 } 1169 1170 /* We made it here with no errors. Woot! */ 1171 retval = 0; 1172 1173errout: 1174 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1175 1176 return retval; 1177 1178} 1179 1180static int pbkdf2(const char *passwd, const unsigned char *salt, 1181 unsigned char *ikey, void *params UNUSED) 1182{ 1183 SLOGI("Using pbkdf2 for cryptfs KDF"); 1184 1185 /* Turn the password into a key and IV that can decrypt the master key */ 1186 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, 1187 HASH_COUNT, INTERMEDIATE_BUF_SIZE, 1188 ikey) != 1; 1189} 1190 1191static int scrypt(const char *passwd, const unsigned char *salt, 1192 unsigned char *ikey, void *params) 1193{ 1194 SLOGI("Using scrypt for cryptfs KDF"); 1195 1196 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1197 1198 int N = 1 << ftr->N_factor; 1199 int r = 1 << ftr->r_factor; 1200 int p = 1 << ftr->p_factor; 1201 1202 /* Turn the password into a key and IV that can decrypt the master key */ 1203 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1204 salt, SALT_LEN, N, r, p, ikey, 1205 INTERMEDIATE_BUF_SIZE); 1206 1207 return 0; 1208} 1209 1210static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1211 unsigned char *ikey, void *params) 1212{ 1213 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1214 1215 int rc; 1216 size_t signature_size; 1217 unsigned char* signature; 1218 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1219 1220 int N = 1 << ftr->N_factor; 1221 int r = 1 << ftr->r_factor; 1222 int p = 1 << ftr->p_factor; 1223 1224 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1225 salt, SALT_LEN, N, r, p, ikey, 1226 INTERMEDIATE_BUF_SIZE); 1227 1228 if (rc) { 1229 SLOGE("scrypt failed"); 1230 return -1; 1231 } 1232 1233 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, 1234 &signature, &signature_size)) { 1235 SLOGE("Signing failed"); 1236 return -1; 1237 } 1238 1239 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1240 N, r, p, ikey, INTERMEDIATE_BUF_SIZE); 1241 free(signature); 1242 1243 if (rc) { 1244 SLOGE("scrypt failed"); 1245 return -1; 1246 } 1247 1248 return 0; 1249} 1250 1251static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1252 const unsigned char *decrypted_master_key, 1253 unsigned char *encrypted_master_key, 1254 struct crypt_mnt_ftr *crypt_ftr) 1255{ 1256 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 }; 1257 EVP_CIPHER_CTX e_ctx; 1258 int encrypted_len, final_len; 1259 int rc = 0; 1260 1261 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1262 get_device_scrypt_params(crypt_ftr); 1263 1264 switch (crypt_ftr->kdf_type) { 1265 case KDF_SCRYPT_KEYMASTER: 1266 if (keymaster_create_key(crypt_ftr)) { 1267 SLOGE("keymaster_create_key failed"); 1268 return -1; 1269 } 1270 1271 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1272 SLOGE("scrypt failed"); 1273 return -1; 1274 } 1275 break; 1276 1277 case KDF_SCRYPT: 1278 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1279 SLOGE("scrypt failed"); 1280 return -1; 1281 } 1282 break; 1283 1284 default: 1285 SLOGE("Invalid kdf_type"); 1286 return -1; 1287 } 1288 1289 /* Initialize the decryption engine */ 1290 EVP_CIPHER_CTX_init(&e_ctx); 1291 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, 1292 ikey+INTERMEDIATE_KEY_LEN_BYTES)) { 1293 SLOGE("EVP_EncryptInit failed\n"); 1294 return -1; 1295 } 1296 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1297 1298 /* Encrypt the master key */ 1299 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1300 decrypted_master_key, crypt_ftr->keysize)) { 1301 SLOGE("EVP_EncryptUpdate failed\n"); 1302 return -1; 1303 } 1304 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1305 SLOGE("EVP_EncryptFinal failed\n"); 1306 return -1; 1307 } 1308 1309 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) { 1310 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1311 return -1; 1312 } 1313 1314 /* Store the scrypt of the intermediate key, so we can validate if it's a 1315 password error or mount error when things go wrong. 1316 Note there's no need to check for errors, since if this is incorrect, we 1317 simply won't wipe userdata, which is the correct default behavior 1318 */ 1319 int N = 1 << crypt_ftr->N_factor; 1320 int r = 1 << crypt_ftr->r_factor; 1321 int p = 1 << crypt_ftr->p_factor; 1322 1323 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, 1324 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1325 crypt_ftr->scrypted_intermediate_key, 1326 sizeof(crypt_ftr->scrypted_intermediate_key)); 1327 1328 if (rc) { 1329 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1330 } 1331 1332 EVP_CIPHER_CTX_cleanup(&e_ctx); 1333 1334 return 0; 1335} 1336 1337static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1338 const unsigned char *encrypted_master_key, 1339 size_t keysize, 1340 unsigned char *decrypted_master_key, 1341 kdf_func kdf, void *kdf_params, 1342 unsigned char** intermediate_key, 1343 size_t* intermediate_key_size) 1344{ 1345 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 }; 1346 EVP_CIPHER_CTX d_ctx; 1347 int decrypted_len, final_len; 1348 1349 /* Turn the password into an intermediate key and IV that can decrypt the 1350 master key */ 1351 if (kdf(passwd, salt, ikey, kdf_params)) { 1352 SLOGE("kdf failed"); 1353 return -1; 1354 } 1355 1356 /* Initialize the decryption engine */ 1357 EVP_CIPHER_CTX_init(&d_ctx); 1358 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+INTERMEDIATE_KEY_LEN_BYTES)) { 1359 return -1; 1360 } 1361 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1362 /* Decrypt the master key */ 1363 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1364 encrypted_master_key, keysize)) { 1365 return -1; 1366 } 1367 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1368 return -1; 1369 } 1370 1371 if (decrypted_len + final_len != static_cast<int>(keysize)) { 1372 return -1; 1373 } 1374 1375 /* Copy intermediate key if needed by params */ 1376 if (intermediate_key && intermediate_key_size) { 1377 *intermediate_key = (unsigned char*) malloc(INTERMEDIATE_KEY_LEN_BYTES); 1378 if (*intermediate_key) { 1379 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES); 1380 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES; 1381 } 1382 } 1383 1384 EVP_CIPHER_CTX_cleanup(&d_ctx); 1385 1386 return 0; 1387} 1388 1389static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1390{ 1391 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1392 *kdf = scrypt_keymaster; 1393 *kdf_params = ftr; 1394 } else if (ftr->kdf_type == KDF_SCRYPT) { 1395 *kdf = scrypt; 1396 *kdf_params = ftr; 1397 } else { 1398 *kdf = pbkdf2; 1399 *kdf_params = NULL; 1400 } 1401} 1402 1403static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1404 struct crypt_mnt_ftr *crypt_ftr, 1405 unsigned char** intermediate_key, 1406 size_t* intermediate_key_size) 1407{ 1408 kdf_func kdf; 1409 void *kdf_params; 1410 int ret; 1411 1412 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1413 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1414 crypt_ftr->keysize, 1415 decrypted_master_key, kdf, kdf_params, 1416 intermediate_key, intermediate_key_size); 1417 if (ret != 0) { 1418 SLOGW("failure decrypting master key"); 1419 } 1420 1421 return ret; 1422} 1423 1424static int create_encrypted_random_key(const char *passwd, unsigned char *master_key, unsigned char *salt, 1425 struct crypt_mnt_ftr *crypt_ftr) { 1426 int fd; 1427 unsigned char key_buf[MAX_KEY_LEN]; 1428 1429 /* Get some random bits for a key */ 1430 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1431 read(fd, key_buf, sizeof(key_buf)); 1432 read(fd, salt, SALT_LEN); 1433 close(fd); 1434 1435 /* Now encrypt it with the password */ 1436 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1437} 1438 1439int wait_and_unmount(const char *mountpoint, bool kill) 1440{ 1441 int i, err, rc; 1442#define WAIT_UNMOUNT_COUNT 20 1443 1444 /* Now umount the tmpfs filesystem */ 1445 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1446 if (umount(mountpoint) == 0) { 1447 break; 1448 } 1449 1450 if (errno == EINVAL) { 1451 /* EINVAL is returned if the directory is not a mountpoint, 1452 * i.e. there is no filesystem mounted there. So just get out. 1453 */ 1454 break; 1455 } 1456 1457 err = errno; 1458 1459 /* If allowed, be increasingly aggressive before the last two retries */ 1460 if (kill) { 1461 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1462 SLOGW("sending SIGHUP to processes with open files\n"); 1463 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM); 1464 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1465 SLOGW("sending SIGKILL to processes with open files\n"); 1466 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL); 1467 } 1468 } 1469 1470 sleep(1); 1471 } 1472 1473 if (i < WAIT_UNMOUNT_COUNT) { 1474 SLOGD("unmounting %s succeeded\n", mountpoint); 1475 rc = 0; 1476 } else { 1477 android::vold::KillProcessesWithOpenFiles(mountpoint, 0); 1478 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1479 rc = -1; 1480 } 1481 1482 return rc; 1483} 1484 1485static void prep_data_fs(void) 1486{ 1487 // NOTE: post_fs_data results in init calling back around to vold, so all 1488 // callers to this method must be async 1489 1490 /* Do the prep of the /data filesystem */ 1491 property_set("vold.post_fs_data_done", "0"); 1492 property_set("vold.decrypt", "trigger_post_fs_data"); 1493 SLOGD("Just triggered post_fs_data"); 1494 1495 /* Wait a max of 50 seconds, hopefully it takes much less */ 1496 while (!android::base::WaitForProperty("vold.post_fs_data_done", 1497 "1", 1498 std::chrono::seconds(15))) { 1499 /* We timed out to prep /data in time. Continue wait. */ 1500 SLOGE("waited 15s for vold.post_fs_data_done, still waiting..."); 1501 } 1502 SLOGD("post_fs_data done"); 1503} 1504 1505static void cryptfs_set_corrupt() 1506{ 1507 // Mark the footer as bad 1508 struct crypt_mnt_ftr crypt_ftr; 1509 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1510 SLOGE("Failed to get crypto footer - panic"); 1511 return; 1512 } 1513 1514 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1515 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1516 SLOGE("Failed to set crypto footer - panic"); 1517 return; 1518 } 1519} 1520 1521static void cryptfs_trigger_restart_min_framework() 1522{ 1523 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1524 SLOGE("Failed to mount tmpfs on data - panic"); 1525 return; 1526 } 1527 1528 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1529 SLOGE("Failed to trigger post fs data - panic"); 1530 return; 1531 } 1532 1533 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1534 SLOGE("Failed to trigger restart min framework - panic"); 1535 return; 1536 } 1537} 1538 1539/* returns < 0 on failure */ 1540static int cryptfs_restart_internal(int restart_main) 1541{ 1542 char crypto_blkdev[MAXPATHLEN]; 1543 int rc = -1; 1544 static int restart_successful = 0; 1545 1546 /* Validate that it's OK to call this routine */ 1547 if (! master_key_saved) { 1548 SLOGE("Encrypted filesystem not validated, aborting"); 1549 return -1; 1550 } 1551 1552 if (restart_successful) { 1553 SLOGE("System already restarted with encrypted disk, aborting"); 1554 return -1; 1555 } 1556 1557 if (restart_main) { 1558 /* Here is where we shut down the framework. The init scripts 1559 * start all services in one of three classes: core, main or late_start. 1560 * On boot, we start core and main. Now, we stop main, but not core, 1561 * as core includes vold and a few other really important things that 1562 * we need to keep running. Once main has stopped, we should be able 1563 * to umount the tmpfs /data, then mount the encrypted /data. 1564 * We then restart the class main, and also the class late_start. 1565 * At the moment, I've only put a few things in late_start that I know 1566 * are not needed to bring up the framework, and that also cause problems 1567 * with unmounting the tmpfs /data, but I hope to add add more services 1568 * to the late_start class as we optimize this to decrease the delay 1569 * till the user is asked for the password to the filesystem. 1570 */ 1571 1572 /* The init files are setup to stop the class main when vold.decrypt is 1573 * set to trigger_reset_main. 1574 */ 1575 property_set("vold.decrypt", "trigger_reset_main"); 1576 SLOGD("Just asked init to shut down class main\n"); 1577 1578 /* Ugh, shutting down the framework is not synchronous, so until it 1579 * can be fixed, this horrible hack will wait a moment for it all to 1580 * shut down before proceeding. Without it, some devices cannot 1581 * restart the graphics services. 1582 */ 1583 sleep(2); 1584 } 1585 1586 /* Now that the framework is shutdown, we should be able to umount() 1587 * the tmpfs filesystem, and mount the real one. 1588 */ 1589 1590 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1591 if (strlen(crypto_blkdev) == 0) { 1592 SLOGE("fs_crypto_blkdev not set\n"); 1593 return -1; 1594 } 1595 1596 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1597 /* If ro.crypto.readonly is set to 1, mount the decrypted 1598 * filesystem readonly. This is used when /data is mounted by 1599 * recovery mode. 1600 */ 1601 char ro_prop[PROPERTY_VALUE_MAX]; 1602 property_get("ro.crypto.readonly", ro_prop, ""); 1603 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) { 1604 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT); 1605 rec->flags |= MS_RDONLY; 1606 } 1607 1608 /* If that succeeded, then mount the decrypted filesystem */ 1609 int retries = RETRY_MOUNT_ATTEMPTS; 1610 int mount_rc; 1611 1612 /* 1613 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted 1614 * partitions in the fsck domain. 1615 */ 1616 if (setexeccon(secontextFsck())){ 1617 SLOGE("Failed to setexeccon"); 1618 return -1; 1619 } 1620 while ((mount_rc = fs_mgr_do_mount(fstab_default, DATA_MNT_POINT, 1621 crypto_blkdev, 0)) 1622 != 0) { 1623 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1624 /* TODO: invoke something similar to 1625 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1626 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1627 SLOGI("Failed to mount %s because it is busy - waiting", 1628 crypto_blkdev); 1629 if (--retries) { 1630 sleep(RETRY_MOUNT_DELAY_SECONDS); 1631 } else { 1632 /* Let's hope that a reboot clears away whatever is keeping 1633 the mount busy */ 1634 cryptfs_reboot(RebootType::reboot); 1635 } 1636 } else { 1637 SLOGE("Failed to mount decrypted data"); 1638 cryptfs_set_corrupt(); 1639 cryptfs_trigger_restart_min_framework(); 1640 SLOGI("Started framework to offer wipe"); 1641 if (setexeccon(NULL)) { 1642 SLOGE("Failed to setexeccon"); 1643 } 1644 return -1; 1645 } 1646 } 1647 if (setexeccon(NULL)) { 1648 SLOGE("Failed to setexeccon"); 1649 return -1; 1650 } 1651 1652 /* Create necessary paths on /data */ 1653 prep_data_fs(); 1654 property_set("vold.decrypt", "trigger_load_persist_props"); 1655 1656 /* startup service classes main and late_start */ 1657 property_set("vold.decrypt", "trigger_restart_framework"); 1658 SLOGD("Just triggered restart_framework\n"); 1659 1660 /* Give it a few moments to get started */ 1661 sleep(1); 1662 } 1663 1664 if (rc == 0) { 1665 restart_successful = 1; 1666 } 1667 1668 return rc; 1669} 1670 1671int cryptfs_restart(void) 1672{ 1673 SLOGI("cryptfs_restart"); 1674 if (e4crypt_is_native()) { 1675 SLOGE("cryptfs_restart not valid for file encryption:"); 1676 return -1; 1677 } 1678 1679 /* Call internal implementation forcing a restart of main service group */ 1680 return cryptfs_restart_internal(1); 1681} 1682 1683static int do_crypto_complete(const char *mount_point) 1684{ 1685 struct crypt_mnt_ftr crypt_ftr; 1686 char encrypted_state[PROPERTY_VALUE_MAX]; 1687 char key_loc[PROPERTY_VALUE_MAX]; 1688 1689 property_get("ro.crypto.state", encrypted_state, ""); 1690 if (strcmp(encrypted_state, "encrypted") ) { 1691 SLOGE("not running with encryption, aborting"); 1692 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1693 } 1694 1695 // crypto_complete is full disk encrypted status 1696 if (e4crypt_is_native()) { 1697 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1698 } 1699 1700 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1701 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc)); 1702 1703 /* 1704 * Only report this error if key_loc is a file and it exists. 1705 * If the device was never encrypted, and /data is not mountable for 1706 * some reason, returning 1 should prevent the UI from presenting the 1707 * a "enter password" screen, or worse, a "press button to wipe the 1708 * device" screen. 1709 */ 1710 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1711 SLOGE("master key file does not exist, aborting"); 1712 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1713 } else { 1714 SLOGE("Error getting crypt footer and key\n"); 1715 return CRYPTO_COMPLETE_BAD_METADATA; 1716 } 1717 } 1718 1719 // Test for possible error flags 1720 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1721 SLOGE("Encryption process is partway completed\n"); 1722 return CRYPTO_COMPLETE_PARTIAL; 1723 } 1724 1725 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1726 SLOGE("Encryption process was interrupted but cannot continue\n"); 1727 return CRYPTO_COMPLETE_INCONSISTENT; 1728 } 1729 1730 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1731 SLOGE("Encryption is successful but data is corrupt\n"); 1732 return CRYPTO_COMPLETE_CORRUPT; 1733 } 1734 1735 /* We passed the test! We shall diminish, and return to the west */ 1736 return CRYPTO_COMPLETE_ENCRYPTED; 1737} 1738 1739static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1740 const char *passwd, const char *mount_point, const char *label) 1741{ 1742 unsigned char decrypted_master_key[MAX_KEY_LEN]; 1743 char crypto_blkdev[MAXPATHLEN]; 1744 char real_blkdev[MAXPATHLEN]; 1745 char tmp_mount_point[64]; 1746 unsigned int orig_failed_decrypt_count; 1747 int rc; 1748 int use_keymaster = 0; 1749 int upgrade = 0; 1750 unsigned char* intermediate_key = 0; 1751 size_t intermediate_key_size = 0; 1752 int N = 1 << crypt_ftr->N_factor; 1753 int r = 1 << crypt_ftr->r_factor; 1754 int p = 1 << crypt_ftr->p_factor; 1755 1756 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1757 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1758 1759 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1760 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1761 &intermediate_key, &intermediate_key_size)) { 1762 SLOGE("Failed to decrypt master key\n"); 1763 rc = -1; 1764 goto errout; 1765 } 1766 } 1767 1768 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev)); 1769 1770 // Create crypto block device - all (non fatal) code paths 1771 // need it 1772 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, label, 0)) { 1773 SLOGE("Error creating decrypted block device\n"); 1774 rc = -1; 1775 goto errout; 1776 } 1777 1778 /* Work out if the problem is the password or the data */ 1779 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1780 scrypted_intermediate_key)]; 1781 1782 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1783 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1784 N, r, p, scrypted_intermediate_key, 1785 sizeof(scrypted_intermediate_key)); 1786 1787 // Does the key match the crypto footer? 1788 if (rc == 0 && memcmp(scrypted_intermediate_key, 1789 crypt_ftr->scrypted_intermediate_key, 1790 sizeof(scrypted_intermediate_key)) == 0) { 1791 SLOGI("Password matches"); 1792 rc = 0; 1793 } else { 1794 /* Try mounting the file system anyway, just in case the problem's with 1795 * the footer, not the key. */ 1796 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", 1797 mount_point); 1798 mkdir(tmp_mount_point, 0755); 1799 if (fs_mgr_do_mount(fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1800 SLOGE("Error temp mounting decrypted block device\n"); 1801 delete_crypto_blk_dev(label); 1802 1803 rc = ++crypt_ftr->failed_decrypt_count; 1804 put_crypt_ftr_and_key(crypt_ftr); 1805 } else { 1806 /* Success! */ 1807 SLOGI("Password did not match but decrypted drive mounted - continue"); 1808 umount(tmp_mount_point); 1809 rc = 0; 1810 } 1811 } 1812 1813 if (rc == 0) { 1814 crypt_ftr->failed_decrypt_count = 0; 1815 if (orig_failed_decrypt_count != 0) { 1816 put_crypt_ftr_and_key(crypt_ftr); 1817 } 1818 1819 /* Save the name of the crypto block device 1820 * so we can mount it when restarting the framework. */ 1821 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1822 1823 /* Also save a the master key so we can reencrypted the key 1824 * the key when we want to change the password on it. */ 1825 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize); 1826 saved_mount_point = strdup(mount_point); 1827 master_key_saved = 1; 1828 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1829 rc = 0; 1830 1831 // Upgrade if we're not using the latest KDF. 1832 use_keymaster = keymaster_check_compatibility(); 1833 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1834 // Don't allow downgrade 1835 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1836 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1837 upgrade = 1; 1838 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1839 crypt_ftr->kdf_type = KDF_SCRYPT; 1840 upgrade = 1; 1841 } 1842 1843 if (upgrade) { 1844 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1845 crypt_ftr->master_key, crypt_ftr); 1846 if (!rc) { 1847 rc = put_crypt_ftr_and_key(crypt_ftr); 1848 } 1849 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1850 1851 // Do not fail even if upgrade failed - machine is bootable 1852 // Note that if this code is ever hit, there is a *serious* problem 1853 // since KDFs should never fail. You *must* fix the kdf before 1854 // proceeding! 1855 if (rc) { 1856 SLOGW("Upgrade failed with error %d," 1857 " but continuing with previous state", 1858 rc); 1859 rc = 0; 1860 } 1861 } 1862 } 1863 1864 errout: 1865 if (intermediate_key) { 1866 memset(intermediate_key, 0, intermediate_key_size); 1867 free(intermediate_key); 1868 } 1869 return rc; 1870} 1871 1872/* 1873 * Called by vold when it's asked to mount an encrypted external 1874 * storage volume. The incoming partition has no crypto header/footer, 1875 * as any metadata is been stored in a separate, small partition. We 1876 * assume it must be using our same crypt type and keysize. 1877 * 1878 * out_crypto_blkdev must be MAXPATHLEN. 1879 */ 1880int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1881 const unsigned char* key, char* out_crypto_blkdev) { 1882 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1883 if (fd == -1) { 1884 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1885 return -1; 1886 } 1887 1888 unsigned long nr_sec = 0; 1889 get_blkdev_size(fd, &nr_sec); 1890 close(fd); 1891 1892 if (nr_sec == 0) { 1893 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1894 return -1; 1895 } 1896 1897 struct crypt_mnt_ftr ext_crypt_ftr; 1898 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1899 ext_crypt_ftr.fs_size = nr_sec; 1900 ext_crypt_ftr.keysize = cryptfs_get_keysize(); 1901 strlcpy((char*) ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), 1902 MAX_CRYPTO_TYPE_NAME_LEN); 1903 uint32_t flags = 0; 1904 if (e4crypt_is_native() && 1905 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false)) 1906 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE; 1907 1908 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags); 1909} 1910 1911/* 1912 * Called by vold when it's asked to unmount an encrypted external 1913 * storage volume. 1914 */ 1915int cryptfs_revert_ext_volume(const char* label) { 1916 return delete_crypto_blk_dev((char*) label); 1917} 1918 1919int cryptfs_crypto_complete(void) 1920{ 1921 return do_crypto_complete("/data"); 1922} 1923 1924int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1925{ 1926 char encrypted_state[PROPERTY_VALUE_MAX]; 1927 property_get("ro.crypto.state", encrypted_state, ""); 1928 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1929 SLOGE("encrypted fs already validated or not running with encryption," 1930 " aborting"); 1931 return -1; 1932 } 1933 1934 if (get_crypt_ftr_and_key(crypt_ftr)) { 1935 SLOGE("Error getting crypt footer and key"); 1936 return -1; 1937 } 1938 1939 return 0; 1940} 1941 1942int cryptfs_check_passwd(const char *passwd) 1943{ 1944 SLOGI("cryptfs_check_passwd"); 1945 if (e4crypt_is_native()) { 1946 SLOGE("cryptfs_check_passwd not valid for file encryption"); 1947 return -1; 1948 } 1949 1950 struct crypt_mnt_ftr crypt_ftr; 1951 int rc; 1952 1953 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1954 if (rc) { 1955 SLOGE("Could not get footer"); 1956 return rc; 1957 } 1958 1959 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1960 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 1961 if (rc) { 1962 SLOGE("Password did not match"); 1963 return rc; 1964 } 1965 1966 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) { 1967 // Here we have a default actual password but a real password 1968 // we must test against the scrypted value 1969 // First, we must delete the crypto block device that 1970 // test_mount_encrypted_fs leaves behind as a side effect 1971 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 1972 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, 1973 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 1974 if (rc) { 1975 SLOGE("Default password did not match on reboot encryption"); 1976 return rc; 1977 } 1978 1979 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE; 1980 put_crypt_ftr_and_key(&crypt_ftr); 1981 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd); 1982 if (rc) { 1983 SLOGE("Could not change password on reboot encryption"); 1984 return rc; 1985 } 1986 } 1987 1988 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1989 cryptfs_clear_password(); 1990 password = strdup(passwd); 1991 struct timespec now; 1992 clock_gettime(CLOCK_BOOTTIME, &now); 1993 password_expiry_time = now.tv_sec + password_max_age_seconds; 1994 } 1995 1996 return rc; 1997} 1998 1999int cryptfs_verify_passwd(const char *passwd) 2000{ 2001 struct crypt_mnt_ftr crypt_ftr; 2002 unsigned char decrypted_master_key[MAX_KEY_LEN]; 2003 char encrypted_state[PROPERTY_VALUE_MAX]; 2004 int rc; 2005 2006 property_get("ro.crypto.state", encrypted_state, ""); 2007 if (strcmp(encrypted_state, "encrypted") ) { 2008 SLOGE("device not encrypted, aborting"); 2009 return -2; 2010 } 2011 2012 if (!master_key_saved) { 2013 SLOGE("encrypted fs not yet mounted, aborting"); 2014 return -1; 2015 } 2016 2017 if (!saved_mount_point) { 2018 SLOGE("encrypted fs failed to save mount point, aborting"); 2019 return -1; 2020 } 2021 2022 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2023 SLOGE("Error getting crypt footer and key\n"); 2024 return -1; 2025 } 2026 2027 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2028 /* If the device has no password, then just say the password is valid */ 2029 rc = 0; 2030 } else { 2031 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2032 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2033 /* They match, the password is correct */ 2034 rc = 0; 2035 } else { 2036 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2037 sleep(1); 2038 rc = 1; 2039 } 2040 } 2041 2042 return rc; 2043} 2044 2045/* Initialize a crypt_mnt_ftr structure. The keysize is 2046 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0. 2047 * Presumably, at a minimum, the caller will update the 2048 * filesystem size and crypto_type_name after calling this function. 2049 */ 2050static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2051{ 2052 off64_t off; 2053 2054 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2055 ftr->magic = CRYPT_MNT_MAGIC; 2056 ftr->major_version = CURRENT_MAJOR_VERSION; 2057 ftr->minor_version = CURRENT_MINOR_VERSION; 2058 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2059 ftr->keysize = cryptfs_get_keysize(); 2060 2061 switch (keymaster_check_compatibility()) { 2062 case 1: 2063 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2064 break; 2065 2066 case 0: 2067 ftr->kdf_type = KDF_SCRYPT; 2068 break; 2069 2070 default: 2071 SLOGE("keymaster_check_compatibility failed"); 2072 return -1; 2073 } 2074 2075 get_device_scrypt_params(ftr); 2076 2077 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2078 if (get_crypt_ftr_info(NULL, &off) == 0) { 2079 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2080 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2081 ftr->persist_data_size; 2082 } 2083 2084 return 0; 2085} 2086 2087#define FRAMEWORK_BOOT_WAIT 60 2088 2089static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2090{ 2091 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2092 if (fd == -1) { 2093 SLOGE("Error opening file %s", filename); 2094 return -1; 2095 } 2096 2097 char block[CRYPT_INPLACE_BUFSIZE]; 2098 memset(block, 0, sizeof(block)); 2099 if (unix_read(fd, block, sizeof(block)) < 0) { 2100 SLOGE("Error reading file %s", filename); 2101 close(fd); 2102 return -1; 2103 } 2104 2105 close(fd); 2106 2107 SHA256_CTX c; 2108 SHA256_Init(&c); 2109 SHA256_Update(&c, block, sizeof(block)); 2110 SHA256_Final(buf, &c); 2111 2112 return 0; 2113} 2114 2115static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev, 2116 char* real_blkdev, int previously_encrypted_upto) { 2117 off64_t cur_encryption_done=0, tot_encryption_size=0; 2118 int rc = -1; 2119 2120 /* The size of the userdata partition, and add in the vold volumes below */ 2121 tot_encryption_size = crypt_ftr->fs_size; 2122 2123 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done, 2124 tot_encryption_size, previously_encrypted_upto, true); 2125 2126 if (rc == ENABLE_INPLACE_ERR_DEV) { 2127 /* Hack for b/17898962 */ 2128 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2129 cryptfs_reboot(RebootType::reboot); 2130 } 2131 2132 if (!rc) { 2133 crypt_ftr->encrypted_upto = cur_encryption_done; 2134 } 2135 2136 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2137 /* The inplace routine never actually sets the progress to 100% due 2138 * to the round down nature of integer division, so set it here */ 2139 property_set("vold.encrypt_progress", "100"); 2140 } 2141 2142 return rc; 2143} 2144 2145static int vold_unmountAll(void) { 2146 VolumeManager* vm = VolumeManager::Instance(); 2147 return vm->unmountAll(); 2148} 2149 2150int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { 2151 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2152 unsigned char decrypted_master_key[MAX_KEY_LEN]; 2153 int rc=-1, i; 2154 struct crypt_mnt_ftr crypt_ftr; 2155 struct crypt_persist_data *pdata; 2156 char encrypted_state[PROPERTY_VALUE_MAX]; 2157 char lockid[32] = { 0 }; 2158 char key_loc[PROPERTY_VALUE_MAX]; 2159 int num_vols; 2160 off64_t previously_encrypted_upto = 0; 2161 bool rebootEncryption = false; 2162 bool onlyCreateHeader = false; 2163 int fd = -1; 2164 2165 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) { 2166 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) { 2167 /* An encryption was underway and was interrupted */ 2168 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2169 crypt_ftr.encrypted_upto = 0; 2170 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2171 2172 /* At this point, we are in an inconsistent state. Until we successfully 2173 complete encryption, a reboot will leave us broken. So mark the 2174 encryption failed in case that happens. 2175 On successfully completing encryption, remove this flag */ 2176 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2177 2178 put_crypt_ftr_and_key(&crypt_ftr); 2179 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) { 2180 if (!check_ftr_sha(&crypt_ftr)) { 2181 memset(&crypt_ftr, 0, sizeof(crypt_ftr)); 2182 put_crypt_ftr_and_key(&crypt_ftr); 2183 goto error_unencrypted; 2184 } 2185 2186 /* Doing a reboot-encryption*/ 2187 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION; 2188 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE; 2189 rebootEncryption = true; 2190 } 2191 } else { 2192 // We don't want to accidentally reference invalid data. 2193 memset(&crypt_ftr, 0, sizeof(crypt_ftr)); 2194 } 2195 2196 property_get("ro.crypto.state", encrypted_state, ""); 2197 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2198 SLOGE("Device is already running encrypted, aborting"); 2199 goto error_unencrypted; 2200 } 2201 2202 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2203 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc)); 2204 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev)); 2205 2206 /* Get the size of the real block device */ 2207 fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 2208 if (fd == -1) { 2209 SLOGE("Cannot open block device %s\n", real_blkdev); 2210 goto error_unencrypted; 2211 } 2212 unsigned long nr_sec; 2213 get_blkdev_size(fd, &nr_sec); 2214 if (nr_sec == 0) { 2215 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2216 goto error_unencrypted; 2217 } 2218 close(fd); 2219 2220 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2221 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2222 unsigned int fs_size_sec, max_fs_size_sec; 2223 fs_size_sec = get_fs_size(real_blkdev); 2224 if (fs_size_sec == 0) 2225 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2226 2227 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2228 2229 if (fs_size_sec > max_fs_size_sec) { 2230 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2231 goto error_unencrypted; 2232 } 2233 } 2234 2235 /* Get a wakelock as this may take a while, and we don't want the 2236 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2237 * wants to keep the screen on, it can grab a full wakelock. 2238 */ 2239 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2240 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2241 2242 /* The init files are setup to stop the class main and late start when 2243 * vold sets trigger_shutdown_framework. 2244 */ 2245 property_set("vold.decrypt", "trigger_shutdown_framework"); 2246 SLOGD("Just asked init to shut down class main\n"); 2247 2248 /* Ask vold to unmount all devices that it manages */ 2249 if (vold_unmountAll()) { 2250 SLOGE("Failed to unmount all vold managed devices"); 2251 } 2252 2253 /* no_ui means we are being called from init, not settings. 2254 Now we always reboot from settings, so !no_ui means reboot 2255 */ 2256 if (!no_ui) { 2257 /* Try fallback, which is to reboot and try there */ 2258 onlyCreateHeader = true; 2259 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we"); 2260 if (breadcrumb == 0) { 2261 SLOGE("Failed to create breadcrumb file"); 2262 goto error_shutting_down; 2263 } 2264 fclose(breadcrumb); 2265 } 2266 2267 /* Do extra work for a better UX when doing the long inplace encryption */ 2268 if (!onlyCreateHeader) { 2269 /* Now that /data is unmounted, we need to mount a tmpfs 2270 * /data, set a property saying we're doing inplace encryption, 2271 * and restart the framework. 2272 */ 2273 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2274 goto error_shutting_down; 2275 } 2276 /* Tells the framework that inplace encryption is starting */ 2277 property_set("vold.encrypt_progress", "0"); 2278 2279 /* restart the framework. */ 2280 /* Create necessary paths on /data */ 2281 prep_data_fs(); 2282 2283 /* Ugh, shutting down the framework is not synchronous, so until it 2284 * can be fixed, this horrible hack will wait a moment for it all to 2285 * shut down before proceeding. Without it, some devices cannot 2286 * restart the graphics services. 2287 */ 2288 sleep(2); 2289 } 2290 2291 /* Start the actual work of making an encrypted filesystem */ 2292 /* Initialize a crypt_mnt_ftr for the partition */ 2293 if (previously_encrypted_upto == 0 && !rebootEncryption) { 2294 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2295 goto error_shutting_down; 2296 } 2297 2298 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2299 crypt_ftr.fs_size = nr_sec 2300 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2301 } else { 2302 crypt_ftr.fs_size = nr_sec; 2303 } 2304 /* At this point, we are in an inconsistent state. Until we successfully 2305 complete encryption, a reboot will leave us broken. So mark the 2306 encryption failed in case that happens. 2307 On successfully completing encryption, remove this flag */ 2308 if (onlyCreateHeader) { 2309 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION; 2310 } else { 2311 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2312 } 2313 crypt_ftr.crypt_type = crypt_type; 2314 strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN); 2315 2316 /* Make an encrypted master key */ 2317 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd, 2318 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2319 SLOGE("Cannot create encrypted master key\n"); 2320 goto error_shutting_down; 2321 } 2322 2323 /* Replace scrypted intermediate key if we are preparing for a reboot */ 2324 if (onlyCreateHeader) { 2325 unsigned char fake_master_key[MAX_KEY_LEN]; 2326 unsigned char encrypted_fake_master_key[MAX_KEY_LEN]; 2327 memset(fake_master_key, 0, sizeof(fake_master_key)); 2328 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, 2329 encrypted_fake_master_key, &crypt_ftr); 2330 } 2331 2332 /* Write the key to the end of the partition */ 2333 put_crypt_ftr_and_key(&crypt_ftr); 2334 2335 /* If any persistent data has been remembered, save it. 2336 * If none, create a valid empty table and save that. 2337 */ 2338 if (!persist_data) { 2339 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE); 2340 if (pdata) { 2341 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2342 persist_data = pdata; 2343 } 2344 } 2345 if (persist_data) { 2346 save_persistent_data(); 2347 } 2348 } 2349 2350 if (onlyCreateHeader) { 2351 sleep(2); 2352 cryptfs_reboot(RebootType::reboot); 2353 } 2354 2355 if (!no_ui || rebootEncryption) { 2356 /* startup service classes main and late_start */ 2357 property_set("vold.decrypt", "trigger_restart_min_framework"); 2358 SLOGD("Just triggered restart_min_framework\n"); 2359 2360 /* OK, the framework is restarted and will soon be showing a 2361 * progress bar. Time to setup an encrypted mapping, and 2362 * either write a new filesystem, or encrypt in place updating 2363 * the progress bar as we work. 2364 */ 2365 } 2366 2367 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2368 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2369 CRYPTO_BLOCK_DEVICE, 0); 2370 2371 /* If we are continuing, check checksums match */ 2372 rc = 0; 2373 if (previously_encrypted_upto) { 2374 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2375 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2376 2377 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2378 sizeof(hash_first_block)) != 0) { 2379 SLOGE("Checksums do not match - trigger wipe"); 2380 rc = -1; 2381 } 2382 } 2383 2384 if (!rc) { 2385 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev, 2386 previously_encrypted_upto); 2387 } 2388 2389 /* Calculate checksum if we are not finished */ 2390 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2391 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2392 crypt_ftr.hash_first_block); 2393 if (rc) { 2394 SLOGE("Error calculating checksum for continuing encryption"); 2395 rc = -1; 2396 } 2397 } 2398 2399 /* Undo the dm-crypt mapping whether we succeed or not */ 2400 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 2401 2402 if (! rc) { 2403 /* Success */ 2404 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2405 2406 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2407 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2408 crypt_ftr.encrypted_upto); 2409 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2410 } 2411 2412 put_crypt_ftr_and_key(&crypt_ftr); 2413 2414 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2415 char value[PROPERTY_VALUE_MAX]; 2416 property_get("ro.crypto.state", value, ""); 2417 if (!strcmp(value, "")) { 2418 /* default encryption - continue first boot sequence */ 2419 property_set("ro.crypto.state", "encrypted"); 2420 property_set("ro.crypto.type", "block"); 2421 release_wake_lock(lockid); 2422 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2423 // Bring up cryptkeeper that will check the password and set it 2424 property_set("vold.decrypt", "trigger_shutdown_framework"); 2425 sleep(2); 2426 property_set("vold.encrypt_progress", ""); 2427 cryptfs_trigger_restart_min_framework(); 2428 } else { 2429 cryptfs_check_passwd(DEFAULT_PASSWORD); 2430 cryptfs_restart_internal(1); 2431 } 2432 return 0; 2433 } else { 2434 sleep(2); /* Give the UI a chance to show 100% progress */ 2435 cryptfs_reboot(RebootType::reboot); 2436 } 2437 } else { 2438 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2439 cryptfs_reboot(RebootType::shutdown); 2440 } 2441 } else { 2442 char value[PROPERTY_VALUE_MAX]; 2443 2444 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2445 if (!strcmp(value, "1")) { 2446 /* wipe data if encryption failed */ 2447 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2448 std::string err; 2449 const std::vector<std::string> options = { 2450 "--wipe_data\n--reason=cryptfs_enable_internal\n" 2451 }; 2452 if (!write_bootloader_message(options, &err)) { 2453 SLOGE("could not write bootloader message: %s", err.c_str()); 2454 } 2455 cryptfs_reboot(RebootType::recovery); 2456 } else { 2457 /* set property to trigger dialog */ 2458 property_set("vold.encrypt_progress", "error_partially_encrypted"); 2459 release_wake_lock(lockid); 2460 } 2461 return -1; 2462 } 2463 2464 /* hrm, the encrypt step claims success, but the reboot failed. 2465 * This should not happen. 2466 * Set the property and return. Hope the framework can deal with it. 2467 */ 2468 property_set("vold.encrypt_progress", "error_reboot_failed"); 2469 release_wake_lock(lockid); 2470 return rc; 2471 2472error_unencrypted: 2473 property_set("vold.encrypt_progress", "error_not_encrypted"); 2474 if (lockid[0]) { 2475 release_wake_lock(lockid); 2476 } 2477 return -1; 2478 2479error_shutting_down: 2480 /* we failed, and have not encrypted anthing, so the users's data is still intact, 2481 * but the framework is stopped and not restarted to show the error, so it's up to 2482 * vold to restart the system. 2483 */ 2484 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 2485 cryptfs_reboot(RebootType::reboot); 2486 2487 /* shouldn't get here */ 2488 property_set("vold.encrypt_progress", "error_shutting_down"); 2489 if (lockid[0]) { 2490 release_wake_lock(lockid); 2491 } 2492 return -1; 2493} 2494 2495int cryptfs_enable(int type, const char* passwd, int no_ui) { 2496 return cryptfs_enable_internal(type, passwd, no_ui); 2497} 2498 2499int cryptfs_enable_default(int no_ui) { 2500 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui); 2501} 2502 2503int cryptfs_changepw(int crypt_type, const char *newpw) 2504{ 2505 if (e4crypt_is_native()) { 2506 SLOGE("cryptfs_changepw not valid for file encryption"); 2507 return -1; 2508 } 2509 2510 struct crypt_mnt_ftr crypt_ftr; 2511 int rc; 2512 2513 /* This is only allowed after we've successfully decrypted the master key */ 2514 if (!master_key_saved) { 2515 SLOGE("Key not saved, aborting"); 2516 return -1; 2517 } 2518 2519 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 2520 SLOGE("Invalid crypt_type %d", crypt_type); 2521 return -1; 2522 } 2523 2524 /* get key */ 2525 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2526 SLOGE("Error getting crypt footer and key"); 2527 return -1; 2528 } 2529 2530 crypt_ftr.crypt_type = crypt_type; 2531 2532 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 2533 : newpw, 2534 crypt_ftr.salt, 2535 saved_master_key, 2536 crypt_ftr.master_key, 2537 &crypt_ftr); 2538 if (rc) { 2539 SLOGE("Encrypt master key failed: %d", rc); 2540 return -1; 2541 } 2542 /* save the key */ 2543 put_crypt_ftr_and_key(&crypt_ftr); 2544 2545 return 0; 2546} 2547 2548static unsigned int persist_get_max_entries(int encrypted) { 2549 struct crypt_mnt_ftr crypt_ftr; 2550 unsigned int dsize; 2551 unsigned int max_persistent_entries; 2552 2553 /* If encrypted, use the values from the crypt_ftr, otherwise 2554 * use the values for the current spec. 2555 */ 2556 if (encrypted) { 2557 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2558 return -1; 2559 } 2560 dsize = crypt_ftr.persist_data_size; 2561 } else { 2562 dsize = CRYPT_PERSIST_DATA_SIZE; 2563 } 2564 2565 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 2566 sizeof(struct crypt_persist_entry); 2567 2568 return max_persistent_entries; 2569} 2570 2571static int persist_get_key(const char *fieldname, char *value) 2572{ 2573 unsigned int i; 2574 2575 if (persist_data == NULL) { 2576 return -1; 2577 } 2578 for (i = 0; i < persist_data->persist_valid_entries; i++) { 2579 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 2580 /* We found it! */ 2581 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 2582 return 0; 2583 } 2584 } 2585 2586 return -1; 2587} 2588 2589static int persist_set_key(const char *fieldname, const char *value, int encrypted) 2590{ 2591 unsigned int i; 2592 unsigned int num; 2593 unsigned int max_persistent_entries; 2594 2595 if (persist_data == NULL) { 2596 return -1; 2597 } 2598 2599 max_persistent_entries = persist_get_max_entries(encrypted); 2600 2601 num = persist_data->persist_valid_entries; 2602 2603 for (i = 0; i < num; i++) { 2604 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 2605 /* We found an existing entry, update it! */ 2606 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 2607 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 2608 return 0; 2609 } 2610 } 2611 2612 /* We didn't find it, add it to the end, if there is room */ 2613 if (persist_data->persist_valid_entries < max_persistent_entries) { 2614 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 2615 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 2616 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 2617 persist_data->persist_valid_entries++; 2618 return 0; 2619 } 2620 2621 return -1; 2622} 2623 2624/** 2625 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 2626 * sequence and its index is greater than or equal to index. Return 0 otherwise. 2627 */ 2628int match_multi_entry(const char *key, const char *field, unsigned index) { 2629 std::string key_ = key; 2630 std::string field_ = field; 2631 2632 std::string parsed_field; 2633 unsigned parsed_index; 2634 2635 std::string::size_type split = key_.find_last_of('_'); 2636 if (split == std::string::npos) { 2637 parsed_field = key_; 2638 parsed_index = 0; 2639 } else { 2640 parsed_field = key_.substr(0, split); 2641 parsed_index = std::stoi(key_.substr(split + 1)); 2642 } 2643 2644 return parsed_field == field_ && parsed_index >= index; 2645} 2646 2647/* 2648 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 2649 * remaining entries starting from index will be deleted. 2650 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 2651 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 2652 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 2653 * 2654 */ 2655static int persist_del_keys(const char *fieldname, unsigned index) 2656{ 2657 unsigned int i; 2658 unsigned int j; 2659 unsigned int num; 2660 2661 if (persist_data == NULL) { 2662 return PERSIST_DEL_KEY_ERROR_OTHER; 2663 } 2664 2665 num = persist_data->persist_valid_entries; 2666 2667 j = 0; // points to the end of non-deleted entries. 2668 // Filter out to-be-deleted entries in place. 2669 for (i = 0; i < num; i++) { 2670 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 2671 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 2672 j++; 2673 } 2674 } 2675 2676 if (j < num) { 2677 persist_data->persist_valid_entries = j; 2678 // Zeroise the remaining entries 2679 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 2680 return PERSIST_DEL_KEY_OK; 2681 } else { 2682 // Did not find an entry matching the given fieldname 2683 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 2684 } 2685} 2686 2687static int persist_count_keys(const char *fieldname) 2688{ 2689 unsigned int i; 2690 unsigned int count; 2691 2692 if (persist_data == NULL) { 2693 return -1; 2694 } 2695 2696 count = 0; 2697 for (i = 0; i < persist_data->persist_valid_entries; i++) { 2698 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 2699 count++; 2700 } 2701 } 2702 2703 return count; 2704} 2705 2706/* Return the value of the specified field. */ 2707int cryptfs_getfield(const char *fieldname, char *value, int len) 2708{ 2709 if (e4crypt_is_native()) { 2710 SLOGE("Cannot get field when file encrypted"); 2711 return -1; 2712 } 2713 2714 char temp_value[PROPERTY_VALUE_MAX]; 2715 /* CRYPTO_GETFIELD_OK is success, 2716 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 2717 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 2718 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 2719 */ 2720 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 2721 int i; 2722 char temp_field[PROPERTY_KEY_MAX]; 2723 2724 if (persist_data == NULL) { 2725 load_persistent_data(); 2726 if (persist_data == NULL) { 2727 SLOGE("Getfield error, cannot load persistent data"); 2728 goto out; 2729 } 2730 } 2731 2732 // Read value from persistent entries. If the original value is split into multiple entries, 2733 // stitch them back together. 2734 if (!persist_get_key(fieldname, temp_value)) { 2735 // We found it, copy it to the caller's buffer and keep going until all entries are read. 2736 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 2737 // value too small 2738 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 2739 goto out; 2740 } 2741 rc = CRYPTO_GETFIELD_OK; 2742 2743 for (i = 1; /* break explicitly */; i++) { 2744 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 2745 (int) sizeof(temp_field)) { 2746 // If the fieldname is very long, we stop as soon as it begins to overflow the 2747 // maximum field length. At this point we have in fact fully read out the original 2748 // value because cryptfs_setfield would not allow fields with longer names to be 2749 // written in the first place. 2750 break; 2751 } 2752 if (!persist_get_key(temp_field, temp_value)) { 2753 if (strlcat(value, temp_value, len) >= (unsigned)len) { 2754 // value too small. 2755 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 2756 goto out; 2757 } 2758 } else { 2759 // Exhaust all entries. 2760 break; 2761 } 2762 } 2763 } else { 2764 /* Sadness, it's not there. Return the error */ 2765 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 2766 } 2767 2768out: 2769 return rc; 2770} 2771 2772/* Set the value of the specified field. */ 2773int cryptfs_setfield(const char *fieldname, const char *value) 2774{ 2775 if (e4crypt_is_native()) { 2776 SLOGE("Cannot set field when file encrypted"); 2777 return -1; 2778 } 2779 2780 char encrypted_state[PROPERTY_VALUE_MAX]; 2781 /* 0 is success, negative values are error */ 2782 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 2783 int encrypted = 0; 2784 unsigned int field_id; 2785 char temp_field[PROPERTY_KEY_MAX]; 2786 unsigned int num_entries; 2787 unsigned int max_keylen; 2788 2789 if (persist_data == NULL) { 2790 load_persistent_data(); 2791 if (persist_data == NULL) { 2792 SLOGE("Setfield error, cannot load persistent data"); 2793 goto out; 2794 } 2795 } 2796 2797 property_get("ro.crypto.state", encrypted_state, ""); 2798 if (!strcmp(encrypted_state, "encrypted") ) { 2799 encrypted = 1; 2800 } 2801 2802 // Compute the number of entries required to store value, each entry can store up to 2803 // (PROPERTY_VALUE_MAX - 1) chars 2804 if (strlen(value) == 0) { 2805 // Empty value also needs one entry to store. 2806 num_entries = 1; 2807 } else { 2808 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 2809 } 2810 2811 max_keylen = strlen(fieldname); 2812 if (num_entries > 1) { 2813 // Need an extra "_%d" suffix. 2814 max_keylen += 1 + log10(num_entries); 2815 } 2816 if (max_keylen > PROPERTY_KEY_MAX - 1) { 2817 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 2818 goto out; 2819 } 2820 2821 // Make sure we have enough space to write the new value 2822 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 2823 persist_get_max_entries(encrypted)) { 2824 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 2825 goto out; 2826 } 2827 2828 // Now that we know persist_data has enough space for value, let's delete the old field first 2829 // to make up space. 2830 persist_del_keys(fieldname, 0); 2831 2832 if (persist_set_key(fieldname, value, encrypted)) { 2833 // fail to set key, should not happen as we have already checked the available space 2834 SLOGE("persist_set_key() error during setfield()"); 2835 goto out; 2836 } 2837 2838 for (field_id = 1; field_id < num_entries; field_id++) { 2839 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id); 2840 2841 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 2842 // fail to set key, should not happen as we have already checked the available space. 2843 SLOGE("persist_set_key() error during setfield()"); 2844 goto out; 2845 } 2846 } 2847 2848 /* If we are running encrypted, save the persistent data now */ 2849 if (encrypted) { 2850 if (save_persistent_data()) { 2851 SLOGE("Setfield error, cannot save persistent data"); 2852 goto out; 2853 } 2854 } 2855 2856 rc = CRYPTO_SETFIELD_OK; 2857 2858out: 2859 return rc; 2860} 2861 2862/* Checks userdata. Attempt to mount the volume if default- 2863 * encrypted. 2864 * On success trigger next init phase and return 0. 2865 * Currently do not handle failure - see TODO below. 2866 */ 2867int cryptfs_mount_default_encrypted(void) 2868{ 2869 int crypt_type = cryptfs_get_password_type(); 2870 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 2871 SLOGE("Bad crypt type - error"); 2872 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 2873 SLOGD("Password is not default - " 2874 "starting min framework to prompt"); 2875 property_set("vold.decrypt", "trigger_restart_min_framework"); 2876 return 0; 2877 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 2878 SLOGD("Password is default - restarting filesystem"); 2879 cryptfs_restart_internal(0); 2880 return 0; 2881 } else { 2882 SLOGE("Encrypted, default crypt type but can't decrypt"); 2883 } 2884 2885 /** Corrupt. Allow us to boot into framework, which will detect bad 2886 crypto when it calls do_crypto_complete, then do a factory reset 2887 */ 2888 property_set("vold.decrypt", "trigger_restart_min_framework"); 2889 return 0; 2890} 2891 2892/* Returns type of the password, default, pattern, pin or password. 2893 */ 2894int cryptfs_get_password_type(void) 2895{ 2896 if (e4crypt_is_native()) { 2897 SLOGE("cryptfs_get_password_type not valid for file encryption"); 2898 return -1; 2899 } 2900 2901 struct crypt_mnt_ftr crypt_ftr; 2902 2903 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2904 SLOGE("Error getting crypt footer and key\n"); 2905 return -1; 2906 } 2907 2908 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 2909 return -1; 2910 } 2911 2912 return crypt_ftr.crypt_type; 2913} 2914 2915const char* cryptfs_get_password() 2916{ 2917 if (e4crypt_is_native()) { 2918 SLOGE("cryptfs_get_password not valid for file encryption"); 2919 return 0; 2920 } 2921 2922 struct timespec now; 2923 clock_gettime(CLOCK_BOOTTIME, &now); 2924 if (now.tv_sec < password_expiry_time) { 2925 return password; 2926 } else { 2927 cryptfs_clear_password(); 2928 return 0; 2929 } 2930} 2931 2932void cryptfs_clear_password() 2933{ 2934 if (password) { 2935 size_t len = strlen(password); 2936 memset(password, 0, len); 2937 free(password); 2938 password = 0; 2939 password_expiry_time = 0; 2940 } 2941} 2942 2943int cryptfs_isConvertibleToFBE() 2944{ 2945 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT); 2946 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0; 2947} 2948