1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #define LOG_TAG "Cryptfs"
24
25 #include "cryptfs.h"
26
27 #include "Checkpoint.h"
28 #include "EncryptInplace.h"
29 #include "FsCrypt.h"
30 #include "Keymaster.h"
31 #include "Process.h"
32 #include "ScryptParameters.h"
33 #include "Utils.h"
34 #include "VoldUtil.h"
35 #include "VolumeManager.h"
36
37 #include <android-base/parseint.h>
38 #include <android-base/properties.h>
39 #include <android-base/stringprintf.h>
40 #include <bootloader_message/bootloader_message.h>
41 #include <cutils/android_reboot.h>
42 #include <cutils/properties.h>
43 #include <ext4_utils/ext4_utils.h>
44 #include <f2fs_sparseblock.h>
45 #include <fs_mgr.h>
46 #include <fscrypt/fscrypt.h>
47 #include <hardware_legacy/power.h>
48 #include <log/log.h>
49 #include <logwrap/logwrap.h>
50 #include <openssl/evp.h>
51 #include <openssl/sha.h>
52 #include <selinux/selinux.h>
53
54 #include <ctype.h>
55 #include <errno.h>
56 #include <fcntl.h>
57 #include <inttypes.h>
58 #include <libgen.h>
59 #include <linux/dm-ioctl.h>
60 #include <linux/kdev_t.h>
61 #include <math.h>
62 #include <stdio.h>
63 #include <stdlib.h>
64 #include <string.h>
65 #include <sys/ioctl.h>
66 #include <sys/mount.h>
67 #include <sys/param.h>
68 #include <sys/stat.h>
69 #include <sys/types.h>
70 #include <sys/wait.h>
71 #include <time.h>
72 #include <unistd.h>
73
74 extern "C" {
75 #include <crypto_scrypt.h>
76 }
77
78 using android::base::ParseUint;
79 using android::base::StringPrintf;
80 using android::fs_mgr::GetEntryForMountPoint;
81 using namespace std::chrono_literals;
82
83 #define UNUSED __attribute__((unused))
84
85 #define DM_CRYPT_BUF_SIZE 4096
86
87 #define HASH_COUNT 2000
88
89 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
90 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
91 constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
92
93 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
94 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
95
96 #define KEY_IN_FOOTER "footer"
97
98 #define DEFAULT_PASSWORD "default_password"
99
100 #define CRYPTO_BLOCK_DEVICE "userdata"
101
102 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
103
104 #define EXT4_FS 1
105 #define F2FS_FS 2
106
107 #define TABLE_LOAD_RETRIES 10
108
109 #define RSA_KEY_SIZE 2048
110 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
111 #define RSA_EXPONENT 0x10001
112 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
113
114 #define RETRY_MOUNT_ATTEMPTS 10
115 #define RETRY_MOUNT_DELAY_SECONDS 1
116
117 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
118
119 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
120
121 static unsigned char saved_master_key[MAX_KEY_LEN];
122 static char* saved_mount_point;
123 static int master_key_saved = 0;
124 static struct crypt_persist_data* persist_data = NULL;
125
126 /* Should we use keymaster? */
keymaster_check_compatibility()127 static int keymaster_check_compatibility() {
128 return keymaster_compatibility_cryptfs_scrypt();
129 }
130
131 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)132 static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
133 if (ftr->keymaster_blob_size) {
134 SLOGI("Already have key");
135 return 0;
136 }
137
138 int rc = keymaster_create_key_for_cryptfs_scrypt(
139 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
140 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
141 if (rc) {
142 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
143 SLOGE("Keymaster key blob too large");
144 ftr->keymaster_blob_size = 0;
145 }
146 SLOGE("Failed to generate keypair");
147 return -1;
148 }
149 return 0;
150 }
151
152 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)153 static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
154 const size_t object_size, unsigned char** signature,
155 size_t* signature_size) {
156 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
157 size_t to_sign_size = sizeof(to_sign);
158 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
159
160 // To sign a message with RSA, the message must satisfy two
161 // constraints:
162 //
163 // 1. The message, when interpreted as a big-endian numeric value, must
164 // be strictly less than the public modulus of the RSA key. Note
165 // that because the most significant bit of the public modulus is
166 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
167 // key), an n-bit message with most significant bit 0 always
168 // satisfies this requirement.
169 //
170 // 2. The message must have the same length in bits as the public
171 // modulus of the RSA key. This requirement isn't mathematically
172 // necessary, but is necessary to ensure consistency in
173 // implementations.
174 switch (ftr->kdf_type) {
175 case KDF_SCRYPT_KEYMASTER:
176 // This ensures the most significant byte of the signed message
177 // is zero. We could have zero-padded to the left instead, but
178 // this approach is slightly more robust against changes in
179 // object size. However, it's still broken (but not unusably
180 // so) because we really should be using a proper deterministic
181 // RSA padding function, such as PKCS1.
182 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
183 SLOGI("Signing safely-padded object");
184 break;
185 default:
186 SLOGE("Unknown KDF type %d", ftr->kdf_type);
187 return -1;
188 }
189 for (;;) {
190 auto result = keymaster_sign_object_for_cryptfs_scrypt(
191 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
192 to_sign_size, signature, signature_size);
193 switch (result) {
194 case KeymasterSignResult::ok:
195 return 0;
196 case KeymasterSignResult::upgrade:
197 break;
198 default:
199 return -1;
200 }
201 SLOGD("Upgrading key");
202 if (keymaster_upgrade_key_for_cryptfs_scrypt(
203 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
204 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
205 &ftr->keymaster_blob_size) != 0) {
206 SLOGE("Failed to upgrade key");
207 return -1;
208 }
209 if (put_crypt_ftr_and_key(ftr) != 0) {
210 SLOGE("Failed to write upgraded key to disk");
211 }
212 SLOGD("Key upgraded successfully");
213 }
214 }
215
216 /* Store password when userdata is successfully decrypted and mounted.
217 * Cleared by cryptfs_clear_password
218 *
219 * To avoid a double prompt at boot, we need to store the CryptKeeper
220 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
221 * Since the entire framework is torn down and rebuilt after encryption,
222 * we have to use a daemon or similar to store the password. Since vold
223 * is secured against IPC except from system processes, it seems a reasonable
224 * place to store this.
225 *
226 * password should be cleared once it has been used.
227 *
228 * password is aged out after password_max_age_seconds seconds.
229 */
230 static char* password = 0;
231 static int password_expiry_time = 0;
232 static const int password_max_age_seconds = 60;
233
234 enum class RebootType { reboot, recovery, shutdown };
cryptfs_reboot(RebootType rt)235 static void cryptfs_reboot(RebootType rt) {
236 switch (rt) {
237 case RebootType::reboot:
238 property_set(ANDROID_RB_PROPERTY, "reboot");
239 break;
240
241 case RebootType::recovery:
242 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
243 break;
244
245 case RebootType::shutdown:
246 property_set(ANDROID_RB_PROPERTY, "shutdown");
247 break;
248 }
249
250 sleep(20);
251
252 /* Shouldn't get here, reboot should happen before sleep times out */
253 return;
254 }
255
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)256 static void ioctl_init(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
257 memset(io, 0, dataSize);
258 io->data_size = dataSize;
259 io->data_start = sizeof(struct dm_ioctl);
260 io->version[0] = 4;
261 io->version[1] = 0;
262 io->version[2] = 0;
263 io->flags = flags;
264 if (name) {
265 strlcpy(io->name, name, sizeof(io->name));
266 }
267 }
268
269 namespace {
270
271 struct CryptoType;
272
273 // Use to get the CryptoType in use on this device.
274 const CryptoType& get_crypto_type();
275
276 struct CryptoType {
277 // We should only be constructing CryptoTypes as part of
278 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
279 // which isn't pure or fully protected as a concession to being able to
280 // do it all at compile time. Add new CryptoTypes in
281 // supported_crypto_types[] below.
CryptoType__anonc99cc05c0111::CryptoType282 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
set_keysize__anonc99cc05c0111::CryptoType283 constexpr CryptoType set_keysize(uint32_t size) const {
284 return CryptoType(this->property_name, this->crypto_name, size);
285 }
set_property_name__anonc99cc05c0111::CryptoType286 constexpr CryptoType set_property_name(const char* property) const {
287 return CryptoType(property, this->crypto_name, this->keysize);
288 }
set_crypto_name__anonc99cc05c0111::CryptoType289 constexpr CryptoType set_crypto_name(const char* crypto) const {
290 return CryptoType(this->property_name, crypto, this->keysize);
291 }
292
get_property_name__anonc99cc05c0111::CryptoType293 constexpr const char* get_property_name() const { return property_name; }
get_crypto_name__anonc99cc05c0111::CryptoType294 constexpr const char* get_crypto_name() const { return crypto_name; }
get_keysize__anonc99cc05c0111::CryptoType295 constexpr uint32_t get_keysize() const { return keysize; }
296
297 private:
298 const char* property_name;
299 const char* crypto_name;
300 uint32_t keysize;
301
CryptoType__anonc99cc05c0111::CryptoType302 constexpr CryptoType(const char* property, const char* crypto, uint32_t ksize)
303 : property_name(property), crypto_name(crypto), keysize(ksize) {}
304 friend const CryptoType& get_crypto_type();
305 static const CryptoType& get_device_crypto_algorithm();
306 };
307
308 // We only want to parse this read-only property once. But we need to wait
309 // until the system is initialized before we can read it. So we use a static
310 // scoped within this function to get it only once.
get_crypto_type()311 const CryptoType& get_crypto_type() {
312 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
313 return crypto_type;
314 }
315
316 constexpr CryptoType default_crypto_type = CryptoType()
317 .set_property_name("AES-128-CBC")
318 .set_crypto_name("aes-cbc-essiv:sha256")
319 .set_keysize(16);
320
321 constexpr CryptoType supported_crypto_types[] = {
322 default_crypto_type,
323 CryptoType()
324 .set_property_name("adiantum")
325 .set_crypto_name("xchacha12,aes-adiantum-plain64")
326 .set_keysize(32),
327 // Add new CryptoTypes here. Order is not important.
328 };
329
330 // ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
331 // We confirm all supported_crypto_types have a small enough keysize and
332 // had both set_property_name() and set_crypto_name() called.
333
334 template <typename T, size_t N>
array_length(T (&)[N])335 constexpr size_t array_length(T (&)[N]) {
336 return N;
337 }
338
indexOutOfBoundsForCryptoTypes(size_t index)339 constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
340 return (index >= array_length(supported_crypto_types));
341 }
342
isValidCryptoType(const CryptoType & crypto_type)343 constexpr bool isValidCryptoType(const CryptoType& crypto_type) {
344 return ((crypto_type.get_property_name() != nullptr) &&
345 (crypto_type.get_crypto_name() != nullptr) &&
346 (crypto_type.get_keysize() <= MAX_KEY_LEN));
347 }
348
349 // Note in C++11 that constexpr functions can only have a single line.
350 // So our code is a bit convoluted (using recursion instead of a loop),
351 // but it's asserting at compile time that all of our key lengths are valid.
validateSupportedCryptoTypes(size_t index)352 constexpr bool validateSupportedCryptoTypes(size_t index) {
353 return indexOutOfBoundsForCryptoTypes(index) ||
354 (isValidCryptoType(supported_crypto_types[index]) &&
355 validateSupportedCryptoTypes(index + 1));
356 }
357
358 static_assert(validateSupportedCryptoTypes(0),
359 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
360 "incompletely constructed.");
361 // ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
362
363 // Don't call this directly, use get_crypto_type(), which caches this result.
get_device_crypto_algorithm()364 const CryptoType& CryptoType::get_device_crypto_algorithm() {
365 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
366 char paramstr[PROPERTY_VALUE_MAX];
367
368 property_get(CRYPT_ALGO_PROP, paramstr, default_crypto_type.get_property_name());
369 for (auto const& ctype : supported_crypto_types) {
370 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
371 return ctype;
372 }
373 }
374 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr, CRYPT_ALGO_PROP,
375 default_crypto_type.get_property_name());
376 return default_crypto_type;
377 }
378
379 } // namespace
380
381 /**
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
384 * given device.
385 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)386 static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
387 char paramstr[PROPERTY_VALUE_MAX];
388 int Nf, rf, pf;
389
390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
394 }
395 ftr->N_factor = Nf;
396 ftr->r_factor = rf;
397 ftr->p_factor = pf;
398 }
399
cryptfs_get_keysize()400 uint32_t cryptfs_get_keysize() {
401 return get_crypto_type().get_keysize();
402 }
403
cryptfs_get_crypto_name()404 const char* cryptfs_get_crypto_name() {
405 return get_crypto_type().get_crypto_name();
406 }
407
get_fs_size(const char * dev)408 static uint64_t get_fs_size(const char* dev) {
409 int fd, block_size;
410 struct ext4_super_block sb;
411 uint64_t len;
412
413 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
414 SLOGE("Cannot open device to get filesystem size ");
415 return 0;
416 }
417
418 if (lseek64(fd, 1024, SEEK_SET) < 0) {
419 SLOGE("Cannot seek to superblock");
420 return 0;
421 }
422
423 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
424 SLOGE("Cannot read superblock");
425 return 0;
426 }
427
428 close(fd);
429
430 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
431 SLOGE("Not a valid ext4 superblock");
432 return 0;
433 }
434 block_size = 1024 << sb.s_log_block_size;
435 /* compute length in bytes */
436 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
437
438 /* return length in sectors */
439 return len / 512;
440 }
441
get_crypt_info(std::string * key_loc,std::string * real_blk_device)442 static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
443 for (const auto& entry : fstab_default) {
444 if (!entry.fs_mgr_flags.vold_managed &&
445 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
446 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
447 if (key_loc != nullptr) {
448 *key_loc = entry.key_loc;
449 }
450 if (real_blk_device != nullptr) {
451 *real_blk_device = entry.blk_device;
452 }
453 return;
454 }
455 }
456 }
457
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)458 static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
459 static int cached_data = 0;
460 static uint64_t cached_off = 0;
461 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
462 char key_loc[PROPERTY_VALUE_MAX];
463 char real_blkdev[PROPERTY_VALUE_MAX];
464 int rc = -1;
465
466 if (!cached_data) {
467 std::string key_loc;
468 std::string real_blkdev;
469 get_crypt_info(&key_loc, &real_blkdev);
470
471 if (key_loc == KEY_IN_FOOTER) {
472 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
473 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
474 * encryption info footer and key, and plenty of bytes to spare for future
475 * growth.
476 */
477 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
478 cached_off -= CRYPT_FOOTER_OFFSET;
479 cached_data = 1;
480 } else {
481 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
482 }
483 } else {
484 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
485 cached_off = 0;
486 cached_data = 1;
487 }
488 }
489
490 if (cached_data) {
491 if (metadata_fname) {
492 *metadata_fname = cached_metadata_fname;
493 }
494 if (off) {
495 *off = cached_off;
496 }
497 rc = 0;
498 }
499
500 return rc;
501 }
502
503 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)504 static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
505 SHA256_CTX c;
506 SHA256_Init(&c);
507 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
508 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
509 SHA256_Final(crypt_ftr->sha256, &c);
510 }
511
512 /* key or salt can be NULL, in which case just skip writing that value. Useful to
513 * update the failed mount count but not change the key.
514 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)515 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
516 int fd;
517 unsigned int cnt;
518 /* starting_off is set to the SEEK_SET offset
519 * where the crypto structure starts
520 */
521 off64_t starting_off;
522 int rc = -1;
523 char* fname = NULL;
524 struct stat statbuf;
525
526 set_ftr_sha(crypt_ftr);
527
528 if (get_crypt_ftr_info(&fname, &starting_off)) {
529 SLOGE("Unable to get crypt_ftr_info\n");
530 return -1;
531 }
532 if (fname[0] != '/') {
533 SLOGE("Unexpected value for crypto key location\n");
534 return -1;
535 }
536 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
537 SLOGE("Cannot open footer file %s for put\n", fname);
538 return -1;
539 }
540
541 /* Seek to the start of the crypt footer */
542 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
543 SLOGE("Cannot seek to real block device footer\n");
544 goto errout;
545 }
546
547 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
548 SLOGE("Cannot write real block device footer\n");
549 goto errout;
550 }
551
552 fstat(fd, &statbuf);
553 /* If the keys are kept on a raw block device, do not try to truncate it. */
554 if (S_ISREG(statbuf.st_mode)) {
555 if (ftruncate(fd, 0x4000)) {
556 SLOGE("Cannot set footer file size\n");
557 goto errout;
558 }
559 }
560
561 /* Success! */
562 rc = 0;
563
564 errout:
565 close(fd);
566 return rc;
567 }
568
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)569 static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
570 struct crypt_mnt_ftr copy;
571 memcpy(©, crypt_ftr, sizeof(copy));
572 set_ftr_sha(©);
573 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
574 }
575
unix_read(int fd,void * buff,int len)576 static inline int unix_read(int fd, void* buff, int len) {
577 return TEMP_FAILURE_RETRY(read(fd, buff, len));
578 }
579
unix_write(int fd,const void * buff,int len)580 static inline int unix_write(int fd, const void* buff, int len) {
581 return TEMP_FAILURE_RETRY(write(fd, buff, len));
582 }
583
init_empty_persist_data(struct crypt_persist_data * pdata,int len)584 static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
588 }
589
590 /* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
594 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)595 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
596 int orig_major = crypt_ftr->major_version;
597 int orig_minor = crypt_ftr->minor_version;
598
599 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
600 struct crypt_persist_data* pdata;
601 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
602
603 SLOGW("upgrading crypto footer to 1.1");
604
605 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
606 if (pdata == NULL) {
607 SLOGE("Cannot allocate persisent data\n");
608 return;
609 }
610 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
611
612 /* Need to initialize the persistent data area */
613 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
614 SLOGE("Cannot seek to persisent data offset\n");
615 free(pdata);
616 return;
617 }
618 /* Write all zeros to the first copy, making it invalid */
619 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
620
621 /* Write a valid but empty structure to the second copy */
622 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
623 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
624
625 /* Update the footer */
626 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
627 crypt_ftr->persist_data_offset[0] = pdata_offset;
628 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
629 crypt_ftr->minor_version = 1;
630 free(pdata);
631 }
632
633 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
634 SLOGW("upgrading crypto footer to 1.2");
635 /* But keep the old kdf_type.
636 * It will get updated later to KDF_SCRYPT after the password has been verified.
637 */
638 crypt_ftr->kdf_type = KDF_PBKDF2;
639 get_device_scrypt_params(crypt_ftr);
640 crypt_ftr->minor_version = 2;
641 }
642
643 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
644 SLOGW("upgrading crypto footer to 1.3");
645 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
646 crypt_ftr->minor_version = 3;
647 }
648
649 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
650 if (lseek64(fd, offset, SEEK_SET) == -1) {
651 SLOGE("Cannot seek to crypt footer\n");
652 return;
653 }
654 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
655 }
656 }
657
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)658 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
659 int fd;
660 unsigned int cnt;
661 off64_t starting_off;
662 int rc = -1;
663 char* fname = NULL;
664 struct stat statbuf;
665
666 if (get_crypt_ftr_info(&fname, &starting_off)) {
667 SLOGE("Unable to get crypt_ftr_info\n");
668 return -1;
669 }
670 if (fname[0] != '/') {
671 SLOGE("Unexpected value for crypto key location\n");
672 return -1;
673 }
674 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
675 SLOGE("Cannot open footer file %s for get\n", fname);
676 return -1;
677 }
678
679 /* Make sure it's 16 Kbytes in length */
680 fstat(fd, &statbuf);
681 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
682 SLOGE("footer file %s is not the expected size!\n", fname);
683 goto errout;
684 }
685
686 /* Seek to the start of the crypt footer */
687 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
688 SLOGE("Cannot seek to real block device footer\n");
689 goto errout;
690 }
691
692 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
693 SLOGE("Cannot read real block device footer\n");
694 goto errout;
695 }
696
697 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
698 SLOGE("Bad magic for real block device %s\n", fname);
699 goto errout;
700 }
701
702 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
703 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
704 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
705 goto errout;
706 }
707
708 // We risk buffer overflows with oversized keys, so we just reject them.
709 // 0-sized keys are problematic (essentially by-passing encryption), and
710 // AES-CBC key wrapping only works for multiples of 16 bytes.
711 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
712 (crypt_ftr->keysize > MAX_KEY_LEN)) {
713 SLOGE(
714 "Invalid keysize (%u) for block device %s; Must be non-zero, "
715 "divisible by 16, and <= %d\n",
716 crypt_ftr->keysize, fname, MAX_KEY_LEN);
717 goto errout;
718 }
719
720 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
721 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
722 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
723 }
724
725 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
726 * copy on disk before returning.
727 */
728 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
729 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
730 }
731
732 /* Success! */
733 rc = 0;
734
735 errout:
736 close(fd);
737 return rc;
738 }
739
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)740 static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
741 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
742 crypt_ftr->persist_data_offset[1]) {
743 SLOGE("Crypt_ftr persist data regions overlap");
744 return -1;
745 }
746
747 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
748 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
749 return -1;
750 }
751
752 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
753 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
754 CRYPT_FOOTER_OFFSET) {
755 SLOGE("Persistent data extends past crypto footer");
756 return -1;
757 }
758
759 return 0;
760 }
761
load_persistent_data(void)762 static int load_persistent_data(void) {
763 struct crypt_mnt_ftr crypt_ftr;
764 struct crypt_persist_data* pdata = NULL;
765 char encrypted_state[PROPERTY_VALUE_MAX];
766 char* fname;
767 int found = 0;
768 int fd;
769 int ret;
770 int i;
771
772 if (persist_data) {
773 /* Nothing to do, we've already loaded or initialized it */
774 return 0;
775 }
776
777 /* If not encrypted, just allocate an empty table and initialize it */
778 property_get("ro.crypto.state", encrypted_state, "");
779 if (strcmp(encrypted_state, "encrypted")) {
780 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
781 if (pdata) {
782 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
783 persist_data = pdata;
784 return 0;
785 }
786 return -1;
787 }
788
789 if (get_crypt_ftr_and_key(&crypt_ftr)) {
790 return -1;
791 }
792
793 if ((crypt_ftr.major_version < 1) ||
794 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
795 SLOGE("Crypt_ftr version doesn't support persistent data");
796 return -1;
797 }
798
799 if (get_crypt_ftr_info(&fname, NULL)) {
800 return -1;
801 }
802
803 ret = validate_persistent_data_storage(&crypt_ftr);
804 if (ret) {
805 return -1;
806 }
807
808 fd = open(fname, O_RDONLY | O_CLOEXEC);
809 if (fd < 0) {
810 SLOGE("Cannot open %s metadata file", fname);
811 return -1;
812 }
813
814 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
815 if (pdata == NULL) {
816 SLOGE("Cannot allocate memory for persistent data");
817 goto err;
818 }
819
820 for (i = 0; i < 2; i++) {
821 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
822 SLOGE("Cannot seek to read persistent data on %s", fname);
823 goto err2;
824 }
825 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
826 SLOGE("Error reading persistent data on iteration %d", i);
827 goto err2;
828 }
829 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
830 found = 1;
831 break;
832 }
833 }
834
835 if (!found) {
836 SLOGI("Could not find valid persistent data, creating");
837 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
838 }
839
840 /* Success */
841 persist_data = pdata;
842 close(fd);
843 return 0;
844
845 err2:
846 free(pdata);
847
848 err:
849 close(fd);
850 return -1;
851 }
852
save_persistent_data(void)853 static int save_persistent_data(void) {
854 struct crypt_mnt_ftr crypt_ftr;
855 struct crypt_persist_data* pdata;
856 char* fname;
857 off64_t write_offset;
858 off64_t erase_offset;
859 int fd;
860 int ret;
861
862 if (persist_data == NULL) {
863 SLOGE("No persistent data to save");
864 return -1;
865 }
866
867 if (get_crypt_ftr_and_key(&crypt_ftr)) {
868 return -1;
869 }
870
871 if ((crypt_ftr.major_version < 1) ||
872 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
873 SLOGE("Crypt_ftr version doesn't support persistent data");
874 return -1;
875 }
876
877 ret = validate_persistent_data_storage(&crypt_ftr);
878 if (ret) {
879 return -1;
880 }
881
882 if (get_crypt_ftr_info(&fname, NULL)) {
883 return -1;
884 }
885
886 fd = open(fname, O_RDWR | O_CLOEXEC);
887 if (fd < 0) {
888 SLOGE("Cannot open %s metadata file", fname);
889 return -1;
890 }
891
892 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
893 if (pdata == NULL) {
894 SLOGE("Cannot allocate persistant data");
895 goto err;
896 }
897
898 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
899 SLOGE("Cannot seek to read persistent data on %s", fname);
900 goto err2;
901 }
902
903 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
904 SLOGE("Error reading persistent data before save");
905 goto err2;
906 }
907
908 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
909 /* The first copy is the curent valid copy, so write to
910 * the second copy and erase this one */
911 write_offset = crypt_ftr.persist_data_offset[1];
912 erase_offset = crypt_ftr.persist_data_offset[0];
913 } else {
914 /* The second copy must be the valid copy, so write to
915 * the first copy, and erase the second */
916 write_offset = crypt_ftr.persist_data_offset[0];
917 erase_offset = crypt_ftr.persist_data_offset[1];
918 }
919
920 /* Write the new copy first, if successful, then erase the old copy */
921 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
922 SLOGE("Cannot seek to write persistent data");
923 goto err2;
924 }
925 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
926 (int)crypt_ftr.persist_data_size) {
927 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
928 SLOGE("Cannot seek to erase previous persistent data");
929 goto err2;
930 }
931 fsync(fd);
932 memset(pdata, 0, crypt_ftr.persist_data_size);
933 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
934 SLOGE("Cannot write to erase previous persistent data");
935 goto err2;
936 }
937 fsync(fd);
938 } else {
939 SLOGE("Cannot write to save persistent data");
940 goto err2;
941 }
942
943 /* Success */
944 free(pdata);
945 close(fd);
946 return 0;
947
948 err2:
949 free(pdata);
950 err:
951 close(fd);
952 return -1;
953 }
954
955 /* Convert a binary key of specified length into an ascii hex string equivalent,
956 * without the leading 0x and with null termination
957 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)958 static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
959 char* master_key_ascii) {
960 unsigned int i, a;
961 unsigned char nibble;
962
963 for (i = 0, a = 0; i < keysize; i++, a += 2) {
964 /* For each byte, write out two ascii hex digits */
965 nibble = (master_key[i] >> 4) & 0xf;
966 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
967
968 nibble = master_key[i] & 0xf;
969 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
970 }
971
972 /* Add the null termination */
973 master_key_ascii[a] = '\0';
974 }
975
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)976 static int load_crypto_mapping_table(struct crypt_mnt_ftr* crypt_ftr,
977 const unsigned char* master_key, const char* real_blk_name,
978 const char* name, int fd, const char* extra_params) {
979 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
980 struct dm_ioctl* io;
981 struct dm_target_spec* tgt;
982 char* crypt_params;
983 // We need two ASCII characters to represent each byte, and need space for
984 // the '\0' terminator.
985 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
986 size_t buff_offset;
987 int i;
988
989 io = (struct dm_ioctl*)buffer;
990
991 /* Load the mapping table for this device */
992 tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
993
994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
995 io->target_count = 1;
996 tgt->status = 0;
997 tgt->sector_start = 0;
998 tgt->length = crypt_ftr->fs_size;
999 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1000
1001 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1002 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1003
1004 buff_offset = crypt_params - buffer;
1005 SLOGI(
1006 "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
1007 name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
1008 extra_params);
1009 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1010 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, extra_params);
1011 crypt_params += strlen(crypt_params) + 1;
1012 crypt_params =
1013 (char*)(((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1014 tgt->next = crypt_params - buffer;
1015
1016 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1017 if (!ioctl(fd, DM_TABLE_LOAD, io)) {
1018 break;
1019 }
1020 usleep(500000);
1021 }
1022
1023 if (i == TABLE_LOAD_RETRIES) {
1024 /* We failed to load the table, return an error */
1025 return -1;
1026 } else {
1027 return i + 1;
1028 }
1029 }
1030
get_dm_crypt_version(int fd,const char * name,int * version)1031 static int get_dm_crypt_version(int fd, const char* name, int* version) {
1032 char buffer[DM_CRYPT_BUF_SIZE];
1033 struct dm_ioctl* io;
1034 struct dm_target_versions* v;
1035
1036 io = (struct dm_ioctl*)buffer;
1037
1038 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1039
1040 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1041 return -1;
1042 }
1043
1044 /* Iterate over the returned versions, looking for name of "crypt".
1045 * When found, get and return the version.
1046 */
1047 v = (struct dm_target_versions*)&buffer[sizeof(struct dm_ioctl)];
1048 while (v->next) {
1049 if (!strcmp(v->name, "crypt")) {
1050 /* We found the crypt driver, return the version, and get out */
1051 version[0] = v->version[0];
1052 version[1] = v->version[1];
1053 version[2] = v->version[2];
1054 return 0;
1055 }
1056 v = (struct dm_target_versions*)(((char*)v) + v->next);
1057 }
1058
1059 return -1;
1060 }
1061
extra_params_as_string(const std::vector<std::string> & extra_params_vec)1062 static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1063 if (extra_params_vec.empty()) return "";
1064 std::string extra_params = std::to_string(extra_params_vec.size());
1065 for (const auto& p : extra_params_vec) {
1066 extra_params.append(" ");
1067 extra_params.append(p);
1068 }
1069 return extra_params;
1070 }
1071
1072 /*
1073 * If the ro.crypto.fde_sector_size system property is set, append the
1074 * parameters to make dm-crypt use the specified crypto sector size and round
1075 * the crypto device size down to a crypto sector boundary.
1076 */
add_sector_size_param(std::vector<std::string> * extra_params_vec,struct crypt_mnt_ftr * ftr)1077 static int add_sector_size_param(std::vector<std::string>* extra_params_vec,
1078 struct crypt_mnt_ftr* ftr) {
1079 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
1080 char value[PROPERTY_VALUE_MAX];
1081
1082 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1083 unsigned int sector_size;
1084
1085 if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
1086 (sector_size & (sector_size - 1)) != 0) {
1087 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1088 DM_CRYPT_SECTOR_SIZE, value);
1089 return -1;
1090 }
1091
1092 std::string param = StringPrintf("sector_size:%u", sector_size);
1093 extra_params_vec->push_back(std::move(param));
1094
1095 // With this option, IVs will match the sector numbering, instead
1096 // of being hard-coded to being based on 512-byte sectors.
1097 extra_params_vec->emplace_back("iv_large_sectors");
1098
1099 // Round the crypto device size down to a crypto sector boundary.
1100 ftr->fs_size &= ~((sector_size / 512) - 1);
1101 }
1102 return 0;
1103 }
1104
create_crypto_blk_dev(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,char * crypto_blk_name,const char * name,uint32_t flags)1105 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1106 const char* real_blk_name, char* crypto_blk_name, const char* name,
1107 uint32_t flags) {
1108 char buffer[DM_CRYPT_BUF_SIZE];
1109 struct dm_ioctl* io;
1110 unsigned int minor;
1111 int fd = 0;
1112 int err;
1113 int retval = -1;
1114 int version[3];
1115 int load_count;
1116 std::vector<std::string> extra_params_vec;
1117
1118 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1119 SLOGE("Cannot open device-mapper\n");
1120 goto errout;
1121 }
1122
1123 io = (struct dm_ioctl*)buffer;
1124
1125 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1126 err = ioctl(fd, DM_DEV_CREATE, io);
1127 if (err) {
1128 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1129 goto errout;
1130 }
1131
1132 /* Get the device status, in particular, the name of it's device file */
1133 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1134 if (ioctl(fd, DM_DEV_STATUS, io)) {
1135 SLOGE("Cannot retrieve dm-crypt device status\n");
1136 goto errout;
1137 }
1138 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1139 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1140
1141 if (!get_dm_crypt_version(fd, name, version)) {
1142 /* Support for allow_discards was added in version 1.11.0 */
1143 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1144 extra_params_vec.emplace_back("allow_discards");
1145 }
1146 }
1147 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1148 extra_params_vec.emplace_back("allow_encrypt_override");
1149 }
1150 if (add_sector_size_param(&extra_params_vec, crypt_ftr)) {
1151 SLOGE("Error processing dm-crypt sector size param\n");
1152 goto errout;
1153 }
1154 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1155 extra_params_as_string(extra_params_vec).c_str());
1156 if (load_count < 0) {
1157 SLOGE("Cannot load dm-crypt mapping table.\n");
1158 goto errout;
1159 } else if (load_count > 1) {
1160 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1161 }
1162
1163 /* Resume this device to activate it */
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1165
1166 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1167 SLOGE("Cannot resume the dm-crypt device\n");
1168 goto errout;
1169 }
1170
1171 /* Ensure the dm device has been created before returning. */
1172 if (android::vold::WaitForFile(crypto_blk_name, 1s) < 0) {
1173 // WaitForFile generates a suitable log message
1174 goto errout;
1175 }
1176
1177 /* We made it here with no errors. Woot! */
1178 retval = 0;
1179
1180 errout:
1181 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1182
1183 return retval;
1184 }
1185
delete_crypto_blk_dev(const char * name)1186 static int delete_crypto_blk_dev(const char* name) {
1187 int fd;
1188 char buffer[DM_CRYPT_BUF_SIZE];
1189 struct dm_ioctl* io;
1190 int retval = -1;
1191 int err;
1192
1193 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1194 SLOGE("Cannot open device-mapper\n");
1195 goto errout;
1196 }
1197
1198 io = (struct dm_ioctl*)buffer;
1199
1200 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1201 err = ioctl(fd, DM_DEV_REMOVE, io);
1202 if (err) {
1203 SLOGE("Cannot remove dm-crypt device %s: %s\n", name, strerror(errno));
1204 goto errout;
1205 }
1206
1207 /* We made it here with no errors. Woot! */
1208 retval = 0;
1209
1210 errout:
1211 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1212
1213 return retval;
1214 }
1215
pbkdf2(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params UNUSED)1216 static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1217 void* params UNUSED) {
1218 SLOGI("Using pbkdf2 for cryptfs KDF");
1219
1220 /* Turn the password into a key and IV that can decrypt the master key */
1221 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1222 INTERMEDIATE_BUF_SIZE, ikey) != 1;
1223 }
1224
scrypt(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1225 static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
1226 SLOGI("Using scrypt for cryptfs KDF");
1227
1228 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1229
1230 int N = 1 << ftr->N_factor;
1231 int r = 1 << ftr->r_factor;
1232 int p = 1 << ftr->p_factor;
1233
1234 /* Turn the password into a key and IV that can decrypt the master key */
1235 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1236 INTERMEDIATE_BUF_SIZE);
1237
1238 return 0;
1239 }
1240
scrypt_keymaster(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1241 static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1242 void* params) {
1243 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1244
1245 int rc;
1246 size_t signature_size;
1247 unsigned char* signature;
1248 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1249
1250 int N = 1 << ftr->N_factor;
1251 int r = 1 << ftr->r_factor;
1252 int p = 1 << ftr->p_factor;
1253
1254 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1255 INTERMEDIATE_BUF_SIZE);
1256
1257 if (rc) {
1258 SLOGE("scrypt failed");
1259 return -1;
1260 }
1261
1262 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
1263 SLOGE("Signing failed");
1264 return -1;
1265 }
1266
1267 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1268 INTERMEDIATE_BUF_SIZE);
1269 free(signature);
1270
1271 if (rc) {
1272 SLOGE("scrypt failed");
1273 return -1;
1274 }
1275
1276 return 0;
1277 }
1278
encrypt_master_key(const char * passwd,const unsigned char * salt,const unsigned char * decrypted_master_key,unsigned char * encrypted_master_key,struct crypt_mnt_ftr * crypt_ftr)1279 static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1280 const unsigned char* decrypted_master_key,
1281 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1282 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1283 EVP_CIPHER_CTX e_ctx;
1284 int encrypted_len, final_len;
1285 int rc = 0;
1286
1287 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1288 get_device_scrypt_params(crypt_ftr);
1289
1290 switch (crypt_ftr->kdf_type) {
1291 case KDF_SCRYPT_KEYMASTER:
1292 if (keymaster_create_key(crypt_ftr)) {
1293 SLOGE("keymaster_create_key failed");
1294 return -1;
1295 }
1296
1297 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1298 SLOGE("scrypt failed");
1299 return -1;
1300 }
1301 break;
1302
1303 case KDF_SCRYPT:
1304 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1305 SLOGE("scrypt failed");
1306 return -1;
1307 }
1308 break;
1309
1310 default:
1311 SLOGE("Invalid kdf_type");
1312 return -1;
1313 }
1314
1315 /* Initialize the decryption engine */
1316 EVP_CIPHER_CTX_init(&e_ctx);
1317 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1318 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1319 SLOGE("EVP_EncryptInit failed\n");
1320 return -1;
1321 }
1322 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1323
1324 /* Encrypt the master key */
1325 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1326 crypt_ftr->keysize)) {
1327 SLOGE("EVP_EncryptUpdate failed\n");
1328 return -1;
1329 }
1330 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1331 SLOGE("EVP_EncryptFinal failed\n");
1332 return -1;
1333 }
1334
1335 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1336 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1337 return -1;
1338 }
1339
1340 /* Store the scrypt of the intermediate key, so we can validate if it's a
1341 password error or mount error when things go wrong.
1342 Note there's no need to check for errors, since if this is incorrect, we
1343 simply won't wipe userdata, which is the correct default behavior
1344 */
1345 int N = 1 << crypt_ftr->N_factor;
1346 int r = 1 << crypt_ftr->r_factor;
1347 int p = 1 << crypt_ftr->p_factor;
1348
1349 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1350 N, r, p, crypt_ftr->scrypted_intermediate_key,
1351 sizeof(crypt_ftr->scrypted_intermediate_key));
1352
1353 if (rc) {
1354 SLOGE("encrypt_master_key: crypto_scrypt failed");
1355 }
1356
1357 EVP_CIPHER_CTX_cleanup(&e_ctx);
1358
1359 return 0;
1360 }
1361
decrypt_master_key_aux(const char * passwd,unsigned char * salt,const unsigned char * encrypted_master_key,size_t keysize,unsigned char * decrypted_master_key,kdf_func kdf,void * kdf_params,unsigned char ** intermediate_key,size_t * intermediate_key_size)1362 static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1363 const unsigned char* encrypted_master_key, size_t keysize,
1364 unsigned char* decrypted_master_key, kdf_func kdf,
1365 void* kdf_params, unsigned char** intermediate_key,
1366 size_t* intermediate_key_size) {
1367 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1368 EVP_CIPHER_CTX d_ctx;
1369 int decrypted_len, final_len;
1370
1371 /* Turn the password into an intermediate key and IV that can decrypt the
1372 master key */
1373 if (kdf(passwd, salt, ikey, kdf_params)) {
1374 SLOGE("kdf failed");
1375 return -1;
1376 }
1377
1378 /* Initialize the decryption engine */
1379 EVP_CIPHER_CTX_init(&d_ctx);
1380 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1381 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1382 return -1;
1383 }
1384 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1385 /* Decrypt the master key */
1386 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1387 keysize)) {
1388 return -1;
1389 }
1390 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1391 return -1;
1392 }
1393
1394 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1395 return -1;
1396 }
1397
1398 /* Copy intermediate key if needed by params */
1399 if (intermediate_key && intermediate_key_size) {
1400 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1401 if (*intermediate_key) {
1402 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1403 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1404 }
1405 }
1406
1407 EVP_CIPHER_CTX_cleanup(&d_ctx);
1408
1409 return 0;
1410 }
1411
get_kdf_func(struct crypt_mnt_ftr * ftr,kdf_func * kdf,void ** kdf_params)1412 static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
1413 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1414 *kdf = scrypt_keymaster;
1415 *kdf_params = ftr;
1416 } else if (ftr->kdf_type == KDF_SCRYPT) {
1417 *kdf = scrypt;
1418 *kdf_params = ftr;
1419 } else {
1420 *kdf = pbkdf2;
1421 *kdf_params = NULL;
1422 }
1423 }
1424
decrypt_master_key(const char * passwd,unsigned char * decrypted_master_key,struct crypt_mnt_ftr * crypt_ftr,unsigned char ** intermediate_key,size_t * intermediate_key_size)1425 static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1426 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1427 size_t* intermediate_key_size) {
1428 kdf_func kdf;
1429 void* kdf_params;
1430 int ret;
1431
1432 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1433 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1434 decrypted_master_key, kdf, kdf_params, intermediate_key,
1435 intermediate_key_size);
1436 if (ret != 0) {
1437 SLOGW("failure decrypting master key");
1438 }
1439
1440 return ret;
1441 }
1442
create_encrypted_random_key(const char * passwd,unsigned char * master_key,unsigned char * salt,struct crypt_mnt_ftr * crypt_ftr)1443 static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1444 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
1445 unsigned char key_buf[MAX_KEY_LEN];
1446
1447 /* Get some random bits for a key and salt */
1448 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1449 return -1;
1450 }
1451 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1452 return -1;
1453 }
1454
1455 /* Now encrypt it with the password */
1456 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1457 }
1458
wait_and_unmount(const char * mountpoint,bool kill)1459 int wait_and_unmount(const char* mountpoint, bool kill) {
1460 int i, err, rc;
1461 #define WAIT_UNMOUNT_COUNT 20
1462
1463 /* Now umount the tmpfs filesystem */
1464 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
1465 if (umount(mountpoint) == 0) {
1466 break;
1467 }
1468
1469 if (errno == EINVAL) {
1470 /* EINVAL is returned if the directory is not a mountpoint,
1471 * i.e. there is no filesystem mounted there. So just get out.
1472 */
1473 break;
1474 }
1475
1476 err = errno;
1477
1478 /* If allowed, be increasingly aggressive before the last two retries */
1479 if (kill) {
1480 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1481 SLOGW("sending SIGHUP to processes with open files\n");
1482 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1483 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1484 SLOGW("sending SIGKILL to processes with open files\n");
1485 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1486 }
1487 }
1488
1489 sleep(1);
1490 }
1491
1492 if (i < WAIT_UNMOUNT_COUNT) {
1493 SLOGD("unmounting %s succeeded\n", mountpoint);
1494 rc = 0;
1495 } else {
1496 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1497 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1498 rc = -1;
1499 }
1500
1501 return rc;
1502 }
1503
prep_data_fs(void)1504 static void prep_data_fs(void) {
1505 // NOTE: post_fs_data results in init calling back around to vold, so all
1506 // callers to this method must be async
1507
1508 /* Do the prep of the /data filesystem */
1509 property_set("vold.post_fs_data_done", "0");
1510 property_set("vold.decrypt", "trigger_post_fs_data");
1511 SLOGD("Just triggered post_fs_data");
1512
1513 /* Wait a max of 50 seconds, hopefully it takes much less */
1514 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
1515 /* We timed out to prep /data in time. Continue wait. */
1516 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1517 }
1518 SLOGD("post_fs_data done");
1519 }
1520
cryptfs_set_corrupt()1521 static void cryptfs_set_corrupt() {
1522 // Mark the footer as bad
1523 struct crypt_mnt_ftr crypt_ftr;
1524 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1525 SLOGE("Failed to get crypto footer - panic");
1526 return;
1527 }
1528
1529 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1530 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1531 SLOGE("Failed to set crypto footer - panic");
1532 return;
1533 }
1534 }
1535
cryptfs_trigger_restart_min_framework()1536 static void cryptfs_trigger_restart_min_framework() {
1537 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1538 SLOGE("Failed to mount tmpfs on data - panic");
1539 return;
1540 }
1541
1542 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1543 SLOGE("Failed to trigger post fs data - panic");
1544 return;
1545 }
1546
1547 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1548 SLOGE("Failed to trigger restart min framework - panic");
1549 return;
1550 }
1551 }
1552
1553 /* returns < 0 on failure */
cryptfs_restart_internal(int restart_main)1554 static int cryptfs_restart_internal(int restart_main) {
1555 char crypto_blkdev[MAXPATHLEN];
1556 int rc = -1;
1557 static int restart_successful = 0;
1558
1559 /* Validate that it's OK to call this routine */
1560 if (!master_key_saved) {
1561 SLOGE("Encrypted filesystem not validated, aborting");
1562 return -1;
1563 }
1564
1565 if (restart_successful) {
1566 SLOGE("System already restarted with encrypted disk, aborting");
1567 return -1;
1568 }
1569
1570 if (restart_main) {
1571 /* Here is where we shut down the framework. The init scripts
1572 * start all services in one of these classes: core, early_hal, hal,
1573 * main and late_start. To get to the minimal UI for PIN entry, we
1574 * need to start core, early_hal, hal and main. When we want to
1575 * shutdown the framework again, we need to stop most of the services in
1576 * these classes, but only those services that were started after
1577 * /data was mounted. This excludes critical services like vold and
1578 * ueventd, which need to keep running. We could possible stop
1579 * even fewer services, but because we want services to pick up APEX
1580 * libraries from the real /data, restarting is better, as it makes
1581 * these devices consistent with FBE devices and lets them use the
1582 * most recent code.
1583 *
1584 * Once these services have stopped, we should be able
1585 * to umount the tmpfs /data, then mount the encrypted /data.
1586 * We then restart the class core, hal, main, and also the class
1587 * late_start.
1588 *
1589 * At the moment, I've only put a few things in late_start that I know
1590 * are not needed to bring up the framework, and that also cause problems
1591 * with unmounting the tmpfs /data, but I hope to add add more services
1592 * to the late_start class as we optimize this to decrease the delay
1593 * till the user is asked for the password to the filesystem.
1594 */
1595
1596 /* The init files are setup to stop the right set of services when
1597 * vold.decrypt is set to trigger_shutdown_framework.
1598 */
1599 property_set("vold.decrypt", "trigger_shutdown_framework");
1600 SLOGD("Just asked init to shut down class main\n");
1601
1602 /* Ugh, shutting down the framework is not synchronous, so until it
1603 * can be fixed, this horrible hack will wait a moment for it all to
1604 * shut down before proceeding. Without it, some devices cannot
1605 * restart the graphics services.
1606 */
1607 sleep(2);
1608 }
1609
1610 /* Now that the framework is shutdown, we should be able to umount()
1611 * the tmpfs filesystem, and mount the real one.
1612 */
1613
1614 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1615 if (strlen(crypto_blkdev) == 0) {
1616 SLOGE("fs_crypto_blkdev not set\n");
1617 return -1;
1618 }
1619
1620 if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
1621 /* If ro.crypto.readonly is set to 1, mount the decrypted
1622 * filesystem readonly. This is used when /data is mounted by
1623 * recovery mode.
1624 */
1625 char ro_prop[PROPERTY_VALUE_MAX];
1626 property_get("ro.crypto.readonly", ro_prop, "");
1627 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1628 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1629 if (entry != nullptr) {
1630 entry->flags |= MS_RDONLY;
1631 }
1632 }
1633
1634 /* If that succeeded, then mount the decrypted filesystem */
1635 int retries = RETRY_MOUNT_ATTEMPTS;
1636 int mount_rc;
1637
1638 /*
1639 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1640 * partitions in the fsck domain.
1641 */
1642 if (setexeccon(android::vold::sFsckContext)) {
1643 SLOGE("Failed to setexeccon");
1644 return -1;
1645 }
1646 bool needs_cp = android::vold::cp_needsCheckpoint();
1647 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
1648 needs_cp)) != 0) {
1649 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1650 /* TODO: invoke something similar to
1651 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1652 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1653 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
1654 if (--retries) {
1655 sleep(RETRY_MOUNT_DELAY_SECONDS);
1656 } else {
1657 /* Let's hope that a reboot clears away whatever is keeping
1658 the mount busy */
1659 cryptfs_reboot(RebootType::reboot);
1660 }
1661 } else {
1662 SLOGE("Failed to mount decrypted data");
1663 cryptfs_set_corrupt();
1664 cryptfs_trigger_restart_min_framework();
1665 SLOGI("Started framework to offer wipe");
1666 if (setexeccon(NULL)) {
1667 SLOGE("Failed to setexeccon");
1668 }
1669 return -1;
1670 }
1671 }
1672 if (setexeccon(NULL)) {
1673 SLOGE("Failed to setexeccon");
1674 return -1;
1675 }
1676
1677 /* Create necessary paths on /data */
1678 prep_data_fs();
1679 property_set("vold.decrypt", "trigger_load_persist_props");
1680
1681 /* startup service classes main and late_start */
1682 property_set("vold.decrypt", "trigger_restart_framework");
1683 SLOGD("Just triggered restart_framework\n");
1684
1685 /* Give it a few moments to get started */
1686 sleep(1);
1687 }
1688
1689 if (rc == 0) {
1690 restart_successful = 1;
1691 }
1692
1693 return rc;
1694 }
1695
cryptfs_restart(void)1696 int cryptfs_restart(void) {
1697 SLOGI("cryptfs_restart");
1698 if (fscrypt_is_native()) {
1699 SLOGE("cryptfs_restart not valid for file encryption:");
1700 return -1;
1701 }
1702
1703 /* Call internal implementation forcing a restart of main service group */
1704 return cryptfs_restart_internal(1);
1705 }
1706
do_crypto_complete(const char * mount_point)1707 static int do_crypto_complete(const char* mount_point) {
1708 struct crypt_mnt_ftr crypt_ftr;
1709 char encrypted_state[PROPERTY_VALUE_MAX];
1710
1711 property_get("ro.crypto.state", encrypted_state, "");
1712 if (strcmp(encrypted_state, "encrypted")) {
1713 SLOGE("not running with encryption, aborting");
1714 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1715 }
1716
1717 // crypto_complete is full disk encrypted status
1718 if (fscrypt_is_native()) {
1719 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1720 }
1721
1722 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1723 std::string key_loc;
1724 get_crypt_info(&key_loc, nullptr);
1725
1726 /*
1727 * Only report this error if key_loc is a file and it exists.
1728 * If the device was never encrypted, and /data is not mountable for
1729 * some reason, returning 1 should prevent the UI from presenting the
1730 * a "enter password" screen, or worse, a "press button to wipe the
1731 * device" screen.
1732 */
1733 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
1734 SLOGE("master key file does not exist, aborting");
1735 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1736 } else {
1737 SLOGE("Error getting crypt footer and key\n");
1738 return CRYPTO_COMPLETE_BAD_METADATA;
1739 }
1740 }
1741
1742 // Test for possible error flags
1743 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1744 SLOGE("Encryption process is partway completed\n");
1745 return CRYPTO_COMPLETE_PARTIAL;
1746 }
1747
1748 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1749 SLOGE("Encryption process was interrupted but cannot continue\n");
1750 return CRYPTO_COMPLETE_INCONSISTENT;
1751 }
1752
1753 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1754 SLOGE("Encryption is successful but data is corrupt\n");
1755 return CRYPTO_COMPLETE_CORRUPT;
1756 }
1757
1758 /* We passed the test! We shall diminish, and return to the west */
1759 return CRYPTO_COMPLETE_ENCRYPTED;
1760 }
1761
test_mount_encrypted_fs(struct crypt_mnt_ftr * crypt_ftr,const char * passwd,const char * mount_point,const char * label)1762 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1763 const char* mount_point, const char* label) {
1764 unsigned char decrypted_master_key[MAX_KEY_LEN];
1765 char crypto_blkdev[MAXPATHLEN];
1766 std::string real_blkdev;
1767 char tmp_mount_point[64];
1768 unsigned int orig_failed_decrypt_count;
1769 int rc;
1770 int use_keymaster = 0;
1771 int upgrade = 0;
1772 unsigned char* intermediate_key = 0;
1773 size_t intermediate_key_size = 0;
1774 int N = 1 << crypt_ftr->N_factor;
1775 int r = 1 << crypt_ftr->r_factor;
1776 int p = 1 << crypt_ftr->p_factor;
1777
1778 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1779 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1780
1781 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1782 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1783 &intermediate_key_size)) {
1784 SLOGE("Failed to decrypt master key\n");
1785 rc = -1;
1786 goto errout;
1787 }
1788 }
1789
1790 get_crypt_info(nullptr, &real_blkdev);
1791
1792 // Create crypto block device - all (non fatal) code paths
1793 // need it
1794 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
1795 label, 0)) {
1796 SLOGE("Error creating decrypted block device\n");
1797 rc = -1;
1798 goto errout;
1799 }
1800
1801 /* Work out if the problem is the password or the data */
1802 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
1803
1804 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1805 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1806 sizeof(scrypted_intermediate_key));
1807
1808 // Does the key match the crypto footer?
1809 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1810 sizeof(scrypted_intermediate_key)) == 0) {
1811 SLOGI("Password matches");
1812 rc = 0;
1813 } else {
1814 /* Try mounting the file system anyway, just in case the problem's with
1815 * the footer, not the key. */
1816 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1817 mkdir(tmp_mount_point, 0755);
1818 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1819 SLOGE("Error temp mounting decrypted block device\n");
1820 delete_crypto_blk_dev(label);
1821
1822 rc = ++crypt_ftr->failed_decrypt_count;
1823 put_crypt_ftr_and_key(crypt_ftr);
1824 } else {
1825 /* Success! */
1826 SLOGI("Password did not match but decrypted drive mounted - continue");
1827 umount(tmp_mount_point);
1828 rc = 0;
1829 }
1830 }
1831
1832 if (rc == 0) {
1833 crypt_ftr->failed_decrypt_count = 0;
1834 if (orig_failed_decrypt_count != 0) {
1835 put_crypt_ftr_and_key(crypt_ftr);
1836 }
1837
1838 /* Save the name of the crypto block device
1839 * so we can mount it when restarting the framework. */
1840 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1841
1842 /* Also save a the master key so we can reencrypted the key
1843 * the key when we want to change the password on it. */
1844 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1845 saved_mount_point = strdup(mount_point);
1846 master_key_saved = 1;
1847 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1848 rc = 0;
1849
1850 // Upgrade if we're not using the latest KDF.
1851 use_keymaster = keymaster_check_compatibility();
1852 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1853 // Don't allow downgrade
1854 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1855 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1856 upgrade = 1;
1857 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1858 crypt_ftr->kdf_type = KDF_SCRYPT;
1859 upgrade = 1;
1860 }
1861
1862 if (upgrade) {
1863 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1864 crypt_ftr->master_key, crypt_ftr);
1865 if (!rc) {
1866 rc = put_crypt_ftr_and_key(crypt_ftr);
1867 }
1868 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1869
1870 // Do not fail even if upgrade failed - machine is bootable
1871 // Note that if this code is ever hit, there is a *serious* problem
1872 // since KDFs should never fail. You *must* fix the kdf before
1873 // proceeding!
1874 if (rc) {
1875 SLOGW(
1876 "Upgrade failed with error %d,"
1877 " but continuing with previous state",
1878 rc);
1879 rc = 0;
1880 }
1881 }
1882 }
1883
1884 errout:
1885 if (intermediate_key) {
1886 memset(intermediate_key, 0, intermediate_key_size);
1887 free(intermediate_key);
1888 }
1889 return rc;
1890 }
1891
1892 /*
1893 * Called by vold when it's asked to mount an encrypted external
1894 * storage volume. The incoming partition has no crypto header/footer,
1895 * as any metadata is been stored in a separate, small partition. We
1896 * assume it must be using our same crypt type and keysize.
1897 *
1898 * out_crypto_blkdev must be MAXPATHLEN.
1899 */
cryptfs_setup_ext_volume(const char * label,const char * real_blkdev,const unsigned char * key,char * out_crypto_blkdev)1900 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
1901 char* out_crypto_blkdev) {
1902 uint64_t nr_sec = 0;
1903 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
1904 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1905 return -1;
1906 }
1907
1908 struct crypt_mnt_ftr ext_crypt_ftr;
1909 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1910 ext_crypt_ftr.fs_size = nr_sec;
1911 ext_crypt_ftr.keysize = cryptfs_get_keysize();
1912 strlcpy((char*)ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
1913 MAX_CRYPTO_TYPE_NAME_LEN);
1914 uint32_t flags = 0;
1915 if (fscrypt_is_native() &&
1916 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1917 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
1918
1919 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
1920 }
1921
1922 /*
1923 * Called by vold when it's asked to unmount an encrypted external
1924 * storage volume.
1925 */
cryptfs_revert_ext_volume(const char * label)1926 int cryptfs_revert_ext_volume(const char* label) {
1927 return delete_crypto_blk_dev((char*)label);
1928 }
1929
cryptfs_crypto_complete(void)1930 int cryptfs_crypto_complete(void) {
1931 return do_crypto_complete("/data");
1932 }
1933
check_unmounted_and_get_ftr(struct crypt_mnt_ftr * crypt_ftr)1934 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
1935 char encrypted_state[PROPERTY_VALUE_MAX];
1936 property_get("ro.crypto.state", encrypted_state, "");
1937 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1938 SLOGE(
1939 "encrypted fs already validated or not running with encryption,"
1940 " aborting");
1941 return -1;
1942 }
1943
1944 if (get_crypt_ftr_and_key(crypt_ftr)) {
1945 SLOGE("Error getting crypt footer and key");
1946 return -1;
1947 }
1948
1949 return 0;
1950 }
1951
cryptfs_check_passwd(const char * passwd)1952 int cryptfs_check_passwd(const char* passwd) {
1953 SLOGI("cryptfs_check_passwd");
1954 if (fscrypt_is_native()) {
1955 SLOGE("cryptfs_check_passwd not valid for file encryption");
1956 return -1;
1957 }
1958
1959 struct crypt_mnt_ftr crypt_ftr;
1960 int rc;
1961
1962 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1963 if (rc) {
1964 SLOGE("Could not get footer");
1965 return rc;
1966 }
1967
1968 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1969 if (rc) {
1970 SLOGE("Password did not match");
1971 return rc;
1972 }
1973
1974 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1975 // Here we have a default actual password but a real password
1976 // we must test against the scrypted value
1977 // First, we must delete the crypto block device that
1978 // test_mount_encrypted_fs leaves behind as a side effect
1979 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1980 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
1981 CRYPTO_BLOCK_DEVICE);
1982 if (rc) {
1983 SLOGE("Default password did not match on reboot encryption");
1984 return rc;
1985 }
1986
1987 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1988 put_crypt_ftr_and_key(&crypt_ftr);
1989 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1990 if (rc) {
1991 SLOGE("Could not change password on reboot encryption");
1992 return rc;
1993 }
1994 }
1995
1996 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1997 cryptfs_clear_password();
1998 password = strdup(passwd);
1999 struct timespec now;
2000 clock_gettime(CLOCK_BOOTTIME, &now);
2001 password_expiry_time = now.tv_sec + password_max_age_seconds;
2002 }
2003
2004 return rc;
2005 }
2006
cryptfs_verify_passwd(const char * passwd)2007 int cryptfs_verify_passwd(const char* passwd) {
2008 struct crypt_mnt_ftr crypt_ftr;
2009 unsigned char decrypted_master_key[MAX_KEY_LEN];
2010 char encrypted_state[PROPERTY_VALUE_MAX];
2011 int rc;
2012
2013 property_get("ro.crypto.state", encrypted_state, "");
2014 if (strcmp(encrypted_state, "encrypted")) {
2015 SLOGE("device not encrypted, aborting");
2016 return -2;
2017 }
2018
2019 if (!master_key_saved) {
2020 SLOGE("encrypted fs not yet mounted, aborting");
2021 return -1;
2022 }
2023
2024 if (!saved_mount_point) {
2025 SLOGE("encrypted fs failed to save mount point, aborting");
2026 return -1;
2027 }
2028
2029 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2030 SLOGE("Error getting crypt footer and key\n");
2031 return -1;
2032 }
2033
2034 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2035 /* If the device has no password, then just say the password is valid */
2036 rc = 0;
2037 } else {
2038 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2039 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2040 /* They match, the password is correct */
2041 rc = 0;
2042 } else {
2043 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2044 sleep(1);
2045 rc = 1;
2046 }
2047 }
2048
2049 return rc;
2050 }
2051
2052 /* Initialize a crypt_mnt_ftr structure. The keysize is
2053 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
2054 * Presumably, at a minimum, the caller will update the
2055 * filesystem size and crypto_type_name after calling this function.
2056 */
cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr * ftr)2057 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
2058 off64_t off;
2059
2060 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2061 ftr->magic = CRYPT_MNT_MAGIC;
2062 ftr->major_version = CURRENT_MAJOR_VERSION;
2063 ftr->minor_version = CURRENT_MINOR_VERSION;
2064 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2065 ftr->keysize = cryptfs_get_keysize();
2066
2067 switch (keymaster_check_compatibility()) {
2068 case 1:
2069 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2070 break;
2071
2072 case 0:
2073 ftr->kdf_type = KDF_SCRYPT;
2074 break;
2075
2076 default:
2077 SLOGE("keymaster_check_compatibility failed");
2078 return -1;
2079 }
2080
2081 get_device_scrypt_params(ftr);
2082
2083 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2084 if (get_crypt_ftr_info(NULL, &off) == 0) {
2085 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2086 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
2087 }
2088
2089 return 0;
2090 }
2091
2092 #define FRAMEWORK_BOOT_WAIT 60
2093
cryptfs_SHA256_fileblock(const char * filename,__le8 * buf)2094 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) {
2095 int fd = open(filename, O_RDONLY | O_CLOEXEC);
2096 if (fd == -1) {
2097 SLOGE("Error opening file %s", filename);
2098 return -1;
2099 }
2100
2101 char block[CRYPT_INPLACE_BUFSIZE];
2102 memset(block, 0, sizeof(block));
2103 if (unix_read(fd, block, sizeof(block)) < 0) {
2104 SLOGE("Error reading file %s", filename);
2105 close(fd);
2106 return -1;
2107 }
2108
2109 close(fd);
2110
2111 SHA256_CTX c;
2112 SHA256_Init(&c);
2113 SHA256_Update(&c, block, sizeof(block));
2114 SHA256_Final(buf, &c);
2115
2116 return 0;
2117 }
2118
cryptfs_enable_all_volumes(struct crypt_mnt_ftr * crypt_ftr,char * crypto_blkdev,char * real_blkdev,int previously_encrypted_upto)2119 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2120 char* real_blkdev, int previously_encrypted_upto) {
2121 off64_t cur_encryption_done = 0, tot_encryption_size = 0;
2122 int rc = -1;
2123
2124 /* The size of the userdata partition, and add in the vold volumes below */
2125 tot_encryption_size = crypt_ftr->fs_size;
2126
2127 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
2128 tot_encryption_size, previously_encrypted_upto, true);
2129
2130 if (rc == ENABLE_INPLACE_ERR_DEV) {
2131 /* Hack for b/17898962 */
2132 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2133 cryptfs_reboot(RebootType::reboot);
2134 }
2135
2136 if (!rc) {
2137 crypt_ftr->encrypted_upto = cur_encryption_done;
2138 }
2139
2140 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2141 /* The inplace routine never actually sets the progress to 100% due
2142 * to the round down nature of integer division, so set it here */
2143 property_set("vold.encrypt_progress", "100");
2144 }
2145
2146 return rc;
2147 }
2148
vold_unmountAll(void)2149 static int vold_unmountAll(void) {
2150 VolumeManager* vm = VolumeManager::Instance();
2151 return vm->unmountAll();
2152 }
2153
cryptfs_enable_internal(int crypt_type,const char * passwd,int no_ui)2154 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2155 char crypto_blkdev[MAXPATHLEN];
2156 std::string real_blkdev;
2157 unsigned char decrypted_master_key[MAX_KEY_LEN];
2158 int rc = -1, i;
2159 struct crypt_mnt_ftr crypt_ftr;
2160 struct crypt_persist_data* pdata;
2161 char encrypted_state[PROPERTY_VALUE_MAX];
2162 char lockid[32] = {0};
2163 std::string key_loc;
2164 int num_vols;
2165 off64_t previously_encrypted_upto = 0;
2166 bool rebootEncryption = false;
2167 bool onlyCreateHeader = false;
2168
2169 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2170 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2171 /* An encryption was underway and was interrupted */
2172 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2173 crypt_ftr.encrypted_upto = 0;
2174 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2175
2176 /* At this point, we are in an inconsistent state. Until we successfully
2177 complete encryption, a reboot will leave us broken. So mark the
2178 encryption failed in case that happens.
2179 On successfully completing encryption, remove this flag */
2180 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2181
2182 put_crypt_ftr_and_key(&crypt_ftr);
2183 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2184 if (!check_ftr_sha(&crypt_ftr)) {
2185 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2186 put_crypt_ftr_and_key(&crypt_ftr);
2187 goto error_unencrypted;
2188 }
2189
2190 /* Doing a reboot-encryption*/
2191 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2192 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2193 rebootEncryption = true;
2194 }
2195 } else {
2196 // We don't want to accidentally reference invalid data.
2197 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2198 }
2199
2200 property_get("ro.crypto.state", encrypted_state, "");
2201 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2202 SLOGE("Device is already running encrypted, aborting");
2203 goto error_unencrypted;
2204 }
2205
2206 get_crypt_info(&key_loc, &real_blkdev);
2207
2208 /* Get the size of the real block device */
2209 uint64_t nr_sec;
2210 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
2211 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
2212 goto error_unencrypted;
2213 }
2214
2215 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2216 if (key_loc == KEY_IN_FOOTER) {
2217 uint64_t fs_size_sec, max_fs_size_sec;
2218 fs_size_sec = get_fs_size(real_blkdev.c_str());
2219 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
2220
2221 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2222
2223 if (fs_size_sec > max_fs_size_sec) {
2224 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2225 goto error_unencrypted;
2226 }
2227 }
2228
2229 /* Get a wakelock as this may take a while, and we don't want the
2230 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2231 * wants to keep the screen on, it can grab a full wakelock.
2232 */
2233 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
2234 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2235
2236 /* The init files are setup to stop the class main and late start when
2237 * vold sets trigger_shutdown_framework.
2238 */
2239 property_set("vold.decrypt", "trigger_shutdown_framework");
2240 SLOGD("Just asked init to shut down class main\n");
2241
2242 /* Ask vold to unmount all devices that it manages */
2243 if (vold_unmountAll()) {
2244 SLOGE("Failed to unmount all vold managed devices");
2245 }
2246
2247 /* no_ui means we are being called from init, not settings.
2248 Now we always reboot from settings, so !no_ui means reboot
2249 */
2250 if (!no_ui) {
2251 /* Try fallback, which is to reboot and try there */
2252 onlyCreateHeader = true;
2253 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2254 if (breadcrumb == 0) {
2255 SLOGE("Failed to create breadcrumb file");
2256 goto error_shutting_down;
2257 }
2258 fclose(breadcrumb);
2259 }
2260
2261 /* Do extra work for a better UX when doing the long inplace encryption */
2262 if (!onlyCreateHeader) {
2263 /* Now that /data is unmounted, we need to mount a tmpfs
2264 * /data, set a property saying we're doing inplace encryption,
2265 * and restart the framework.
2266 */
2267 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2268 goto error_shutting_down;
2269 }
2270 /* Tells the framework that inplace encryption is starting */
2271 property_set("vold.encrypt_progress", "0");
2272
2273 /* restart the framework. */
2274 /* Create necessary paths on /data */
2275 prep_data_fs();
2276
2277 /* Ugh, shutting down the framework is not synchronous, so until it
2278 * can be fixed, this horrible hack will wait a moment for it all to
2279 * shut down before proceeding. Without it, some devices cannot
2280 * restart the graphics services.
2281 */
2282 sleep(2);
2283 }
2284
2285 /* Start the actual work of making an encrypted filesystem */
2286 /* Initialize a crypt_mnt_ftr for the partition */
2287 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2288 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2289 goto error_shutting_down;
2290 }
2291
2292 if (key_loc == KEY_IN_FOOTER) {
2293 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2294 } else {
2295 crypt_ftr.fs_size = nr_sec;
2296 }
2297 /* At this point, we are in an inconsistent state. Until we successfully
2298 complete encryption, a reboot will leave us broken. So mark the
2299 encryption failed in case that happens.
2300 On successfully completing encryption, remove this flag */
2301 if (onlyCreateHeader) {
2302 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2303 } else {
2304 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2305 }
2306 crypt_ftr.crypt_type = crypt_type;
2307 strlcpy((char*)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
2308 MAX_CRYPTO_TYPE_NAME_LEN);
2309
2310 /* Make an encrypted master key */
2311 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2312 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2313 SLOGE("Cannot create encrypted master key\n");
2314 goto error_shutting_down;
2315 }
2316
2317 /* Replace scrypted intermediate key if we are preparing for a reboot */
2318 if (onlyCreateHeader) {
2319 unsigned char fake_master_key[MAX_KEY_LEN];
2320 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2321 memset(fake_master_key, 0, sizeof(fake_master_key));
2322 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2323 &crypt_ftr);
2324 }
2325
2326 /* Write the key to the end of the partition */
2327 put_crypt_ftr_and_key(&crypt_ftr);
2328
2329 /* If any persistent data has been remembered, save it.
2330 * If none, create a valid empty table and save that.
2331 */
2332 if (!persist_data) {
2333 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2334 if (pdata) {
2335 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2336 persist_data = pdata;
2337 }
2338 }
2339 if (persist_data) {
2340 save_persistent_data();
2341 }
2342 }
2343
2344 if (onlyCreateHeader) {
2345 sleep(2);
2346 cryptfs_reboot(RebootType::reboot);
2347 }
2348
2349 if (!no_ui || rebootEncryption) {
2350 /* startup service classes main and late_start */
2351 property_set("vold.decrypt", "trigger_restart_min_framework");
2352 SLOGD("Just triggered restart_min_framework\n");
2353
2354 /* OK, the framework is restarted and will soon be showing a
2355 * progress bar. Time to setup an encrypted mapping, and
2356 * either write a new filesystem, or encrypt in place updating
2357 * the progress bar as we work.
2358 */
2359 }
2360
2361 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2362 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
2363 CRYPTO_BLOCK_DEVICE, 0);
2364
2365 /* If we are continuing, check checksums match */
2366 rc = 0;
2367 if (previously_encrypted_upto) {
2368 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2369 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2370
2371 if (!rc &&
2372 memcmp(hash_first_block, crypt_ftr.hash_first_block, sizeof(hash_first_block)) != 0) {
2373 SLOGE("Checksums do not match - trigger wipe");
2374 rc = -1;
2375 }
2376 }
2377
2378 if (!rc) {
2379 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev.data(),
2380 previously_encrypted_upto);
2381 }
2382
2383 /* Calculate checksum if we are not finished */
2384 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2385 rc = cryptfs_SHA256_fileblock(crypto_blkdev, crypt_ftr.hash_first_block);
2386 if (rc) {
2387 SLOGE("Error calculating checksum for continuing encryption");
2388 rc = -1;
2389 }
2390 }
2391
2392 /* Undo the dm-crypt mapping whether we succeed or not */
2393 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2394
2395 if (!rc) {
2396 /* Success */
2397 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2398
2399 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2400 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2401 crypt_ftr.encrypted_upto);
2402 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2403 }
2404
2405 put_crypt_ftr_and_key(&crypt_ftr);
2406
2407 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2408 char value[PROPERTY_VALUE_MAX];
2409 property_get("ro.crypto.state", value, "");
2410 if (!strcmp(value, "")) {
2411 /* default encryption - continue first boot sequence */
2412 property_set("ro.crypto.state", "encrypted");
2413 property_set("ro.crypto.type", "block");
2414 release_wake_lock(lockid);
2415 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2416 // Bring up cryptkeeper that will check the password and set it
2417 property_set("vold.decrypt", "trigger_shutdown_framework");
2418 sleep(2);
2419 property_set("vold.encrypt_progress", "");
2420 cryptfs_trigger_restart_min_framework();
2421 } else {
2422 cryptfs_check_passwd(DEFAULT_PASSWORD);
2423 cryptfs_restart_internal(1);
2424 }
2425 return 0;
2426 } else {
2427 sleep(2); /* Give the UI a chance to show 100% progress */
2428 cryptfs_reboot(RebootType::reboot);
2429 }
2430 } else {
2431 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2432 cryptfs_reboot(RebootType::shutdown);
2433 }
2434 } else {
2435 char value[PROPERTY_VALUE_MAX];
2436
2437 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2438 if (!strcmp(value, "1")) {
2439 /* wipe data if encryption failed */
2440 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2441 std::string err;
2442 const std::vector<std::string> options = {
2443 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
2444 if (!write_bootloader_message(options, &err)) {
2445 SLOGE("could not write bootloader message: %s", err.c_str());
2446 }
2447 cryptfs_reboot(RebootType::recovery);
2448 } else {
2449 /* set property to trigger dialog */
2450 property_set("vold.encrypt_progress", "error_partially_encrypted");
2451 release_wake_lock(lockid);
2452 }
2453 return -1;
2454 }
2455
2456 /* hrm, the encrypt step claims success, but the reboot failed.
2457 * This should not happen.
2458 * Set the property and return. Hope the framework can deal with it.
2459 */
2460 property_set("vold.encrypt_progress", "error_reboot_failed");
2461 release_wake_lock(lockid);
2462 return rc;
2463
2464 error_unencrypted:
2465 property_set("vold.encrypt_progress", "error_not_encrypted");
2466 if (lockid[0]) {
2467 release_wake_lock(lockid);
2468 }
2469 return -1;
2470
2471 error_shutting_down:
2472 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2473 * but the framework is stopped and not restarted to show the error, so it's up to
2474 * vold to restart the system.
2475 */
2476 SLOGE(
2477 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2478 "system");
2479 cryptfs_reboot(RebootType::reboot);
2480
2481 /* shouldn't get here */
2482 property_set("vold.encrypt_progress", "error_shutting_down");
2483 if (lockid[0]) {
2484 release_wake_lock(lockid);
2485 }
2486 return -1;
2487 }
2488
cryptfs_enable(int type,const char * passwd,int no_ui)2489 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2490 return cryptfs_enable_internal(type, passwd, no_ui);
2491 }
2492
cryptfs_enable_default(int no_ui)2493 int cryptfs_enable_default(int no_ui) {
2494 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2495 }
2496
cryptfs_changepw(int crypt_type,const char * newpw)2497 int cryptfs_changepw(int crypt_type, const char* newpw) {
2498 if (fscrypt_is_native()) {
2499 SLOGE("cryptfs_changepw not valid for file encryption");
2500 return -1;
2501 }
2502
2503 struct crypt_mnt_ftr crypt_ftr;
2504 int rc;
2505
2506 /* This is only allowed after we've successfully decrypted the master key */
2507 if (!master_key_saved) {
2508 SLOGE("Key not saved, aborting");
2509 return -1;
2510 }
2511
2512 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2513 SLOGE("Invalid crypt_type %d", crypt_type);
2514 return -1;
2515 }
2516
2517 /* get key */
2518 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2519 SLOGE("Error getting crypt footer and key");
2520 return -1;
2521 }
2522
2523 crypt_ftr.crypt_type = crypt_type;
2524
2525 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2526 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
2527 if (rc) {
2528 SLOGE("Encrypt master key failed: %d", rc);
2529 return -1;
2530 }
2531 /* save the key */
2532 put_crypt_ftr_and_key(&crypt_ftr);
2533
2534 return 0;
2535 }
2536
persist_get_max_entries(int encrypted)2537 static unsigned int persist_get_max_entries(int encrypted) {
2538 struct crypt_mnt_ftr crypt_ftr;
2539 unsigned int dsize;
2540
2541 /* If encrypted, use the values from the crypt_ftr, otherwise
2542 * use the values for the current spec.
2543 */
2544 if (encrypted) {
2545 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2546 /* Something is wrong, assume no space for entries */
2547 return 0;
2548 }
2549 dsize = crypt_ftr.persist_data_size;
2550 } else {
2551 dsize = CRYPT_PERSIST_DATA_SIZE;
2552 }
2553
2554 if (dsize > sizeof(struct crypt_persist_data)) {
2555 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2556 } else {
2557 return 0;
2558 }
2559 }
2560
persist_get_key(const char * fieldname,char * value)2561 static int persist_get_key(const char* fieldname, char* value) {
2562 unsigned int i;
2563
2564 if (persist_data == NULL) {
2565 return -1;
2566 }
2567 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2568 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2569 /* We found it! */
2570 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2571 return 0;
2572 }
2573 }
2574
2575 return -1;
2576 }
2577
persist_set_key(const char * fieldname,const char * value,int encrypted)2578 static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
2579 unsigned int i;
2580 unsigned int num;
2581 unsigned int max_persistent_entries;
2582
2583 if (persist_data == NULL) {
2584 return -1;
2585 }
2586
2587 max_persistent_entries = persist_get_max_entries(encrypted);
2588
2589 num = persist_data->persist_valid_entries;
2590
2591 for (i = 0; i < num; i++) {
2592 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2593 /* We found an existing entry, update it! */
2594 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2595 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2596 return 0;
2597 }
2598 }
2599
2600 /* We didn't find it, add it to the end, if there is room */
2601 if (persist_data->persist_valid_entries < max_persistent_entries) {
2602 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2603 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2604 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2605 persist_data->persist_valid_entries++;
2606 return 0;
2607 }
2608
2609 return -1;
2610 }
2611
2612 /**
2613 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2614 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2615 */
match_multi_entry(const char * key,const char * field,unsigned index)2616 int match_multi_entry(const char* key, const char* field, unsigned index) {
2617 std::string key_ = key;
2618 std::string field_ = field;
2619
2620 std::string parsed_field;
2621 unsigned parsed_index;
2622
2623 std::string::size_type split = key_.find_last_of('_');
2624 if (split == std::string::npos) {
2625 parsed_field = key_;
2626 parsed_index = 0;
2627 } else {
2628 parsed_field = key_.substr(0, split);
2629 parsed_index = std::stoi(key_.substr(split + 1));
2630 }
2631
2632 return parsed_field == field_ && parsed_index >= index;
2633 }
2634
2635 /*
2636 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2637 * remaining entries starting from index will be deleted.
2638 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2639 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2640 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2641 *
2642 */
persist_del_keys(const char * fieldname,unsigned index)2643 static int persist_del_keys(const char* fieldname, unsigned index) {
2644 unsigned int i;
2645 unsigned int j;
2646 unsigned int num;
2647
2648 if (persist_data == NULL) {
2649 return PERSIST_DEL_KEY_ERROR_OTHER;
2650 }
2651
2652 num = persist_data->persist_valid_entries;
2653
2654 j = 0; // points to the end of non-deleted entries.
2655 // Filter out to-be-deleted entries in place.
2656 for (i = 0; i < num; i++) {
2657 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2658 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2659 j++;
2660 }
2661 }
2662
2663 if (j < num) {
2664 persist_data->persist_valid_entries = j;
2665 // Zeroise the remaining entries
2666 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2667 return PERSIST_DEL_KEY_OK;
2668 } else {
2669 // Did not find an entry matching the given fieldname
2670 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2671 }
2672 }
2673
persist_count_keys(const char * fieldname)2674 static int persist_count_keys(const char* fieldname) {
2675 unsigned int i;
2676 unsigned int count;
2677
2678 if (persist_data == NULL) {
2679 return -1;
2680 }
2681
2682 count = 0;
2683 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2684 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2685 count++;
2686 }
2687 }
2688
2689 return count;
2690 }
2691
2692 /* Return the value of the specified field. */
cryptfs_getfield(const char * fieldname,char * value,int len)2693 int cryptfs_getfield(const char* fieldname, char* value, int len) {
2694 if (fscrypt_is_native()) {
2695 SLOGE("Cannot get field when file encrypted");
2696 return -1;
2697 }
2698
2699 char temp_value[PROPERTY_VALUE_MAX];
2700 /* CRYPTO_GETFIELD_OK is success,
2701 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2702 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2703 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2704 */
2705 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2706 int i;
2707 char temp_field[PROPERTY_KEY_MAX];
2708
2709 if (persist_data == NULL) {
2710 load_persistent_data();
2711 if (persist_data == NULL) {
2712 SLOGE("Getfield error, cannot load persistent data");
2713 goto out;
2714 }
2715 }
2716
2717 // Read value from persistent entries. If the original value is split into multiple entries,
2718 // stitch them back together.
2719 if (!persist_get_key(fieldname, temp_value)) {
2720 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2721 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
2722 // value too small
2723 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2724 goto out;
2725 }
2726 rc = CRYPTO_GETFIELD_OK;
2727
2728 for (i = 1; /* break explicitly */; i++) {
2729 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2730 (int)sizeof(temp_field)) {
2731 // If the fieldname is very long, we stop as soon as it begins to overflow the
2732 // maximum field length. At this point we have in fact fully read out the original
2733 // value because cryptfs_setfield would not allow fields with longer names to be
2734 // written in the first place.
2735 break;
2736 }
2737 if (!persist_get_key(temp_field, temp_value)) {
2738 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2739 // value too small.
2740 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2741 goto out;
2742 }
2743 } else {
2744 // Exhaust all entries.
2745 break;
2746 }
2747 }
2748 } else {
2749 /* Sadness, it's not there. Return the error */
2750 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2751 }
2752
2753 out:
2754 return rc;
2755 }
2756
2757 /* Set the value of the specified field. */
cryptfs_setfield(const char * fieldname,const char * value)2758 int cryptfs_setfield(const char* fieldname, const char* value) {
2759 if (fscrypt_is_native()) {
2760 SLOGE("Cannot set field when file encrypted");
2761 return -1;
2762 }
2763
2764 char encrypted_state[PROPERTY_VALUE_MAX];
2765 /* 0 is success, negative values are error */
2766 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2767 int encrypted = 0;
2768 unsigned int field_id;
2769 char temp_field[PROPERTY_KEY_MAX];
2770 unsigned int num_entries;
2771 unsigned int max_keylen;
2772
2773 if (persist_data == NULL) {
2774 load_persistent_data();
2775 if (persist_data == NULL) {
2776 SLOGE("Setfield error, cannot load persistent data");
2777 goto out;
2778 }
2779 }
2780
2781 property_get("ro.crypto.state", encrypted_state, "");
2782 if (!strcmp(encrypted_state, "encrypted")) {
2783 encrypted = 1;
2784 }
2785
2786 // Compute the number of entries required to store value, each entry can store up to
2787 // (PROPERTY_VALUE_MAX - 1) chars
2788 if (strlen(value) == 0) {
2789 // Empty value also needs one entry to store.
2790 num_entries = 1;
2791 } else {
2792 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2793 }
2794
2795 max_keylen = strlen(fieldname);
2796 if (num_entries > 1) {
2797 // Need an extra "_%d" suffix.
2798 max_keylen += 1 + log10(num_entries);
2799 }
2800 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2801 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2802 goto out;
2803 }
2804
2805 // Make sure we have enough space to write the new value
2806 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2807 persist_get_max_entries(encrypted)) {
2808 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2809 goto out;
2810 }
2811
2812 // Now that we know persist_data has enough space for value, let's delete the old field first
2813 // to make up space.
2814 persist_del_keys(fieldname, 0);
2815
2816 if (persist_set_key(fieldname, value, encrypted)) {
2817 // fail to set key, should not happen as we have already checked the available space
2818 SLOGE("persist_set_key() error during setfield()");
2819 goto out;
2820 }
2821
2822 for (field_id = 1; field_id < num_entries; field_id++) {
2823 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2824
2825 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2826 // fail to set key, should not happen as we have already checked the available space.
2827 SLOGE("persist_set_key() error during setfield()");
2828 goto out;
2829 }
2830 }
2831
2832 /* If we are running encrypted, save the persistent data now */
2833 if (encrypted) {
2834 if (save_persistent_data()) {
2835 SLOGE("Setfield error, cannot save persistent data");
2836 goto out;
2837 }
2838 }
2839
2840 rc = CRYPTO_SETFIELD_OK;
2841
2842 out:
2843 return rc;
2844 }
2845
2846 /* Checks userdata. Attempt to mount the volume if default-
2847 * encrypted.
2848 * On success trigger next init phase and return 0.
2849 * Currently do not handle failure - see TODO below.
2850 */
cryptfs_mount_default_encrypted(void)2851 int cryptfs_mount_default_encrypted(void) {
2852 int crypt_type = cryptfs_get_password_type();
2853 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2854 SLOGE("Bad crypt type - error");
2855 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2856 SLOGD(
2857 "Password is not default - "
2858 "starting min framework to prompt");
2859 property_set("vold.decrypt", "trigger_restart_min_framework");
2860 return 0;
2861 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2862 SLOGD("Password is default - restarting filesystem");
2863 cryptfs_restart_internal(0);
2864 return 0;
2865 } else {
2866 SLOGE("Encrypted, default crypt type but can't decrypt");
2867 }
2868
2869 /** Corrupt. Allow us to boot into framework, which will detect bad
2870 crypto when it calls do_crypto_complete, then do a factory reset
2871 */
2872 property_set("vold.decrypt", "trigger_restart_min_framework");
2873 return 0;
2874 }
2875
2876 /* Returns type of the password, default, pattern, pin or password.
2877 */
cryptfs_get_password_type(void)2878 int cryptfs_get_password_type(void) {
2879 if (fscrypt_is_native()) {
2880 SLOGE("cryptfs_get_password_type not valid for file encryption");
2881 return -1;
2882 }
2883
2884 struct crypt_mnt_ftr crypt_ftr;
2885
2886 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2887 SLOGE("Error getting crypt footer and key\n");
2888 return -1;
2889 }
2890
2891 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2892 return -1;
2893 }
2894
2895 return crypt_ftr.crypt_type;
2896 }
2897
cryptfs_get_password()2898 const char* cryptfs_get_password() {
2899 if (fscrypt_is_native()) {
2900 SLOGE("cryptfs_get_password not valid for file encryption");
2901 return 0;
2902 }
2903
2904 struct timespec now;
2905 clock_gettime(CLOCK_BOOTTIME, &now);
2906 if (now.tv_sec < password_expiry_time) {
2907 return password;
2908 } else {
2909 cryptfs_clear_password();
2910 return 0;
2911 }
2912 }
2913
cryptfs_clear_password()2914 void cryptfs_clear_password() {
2915 if (password) {
2916 size_t len = strlen(password);
2917 memset(password, 0, len);
2918 free(password);
2919 password = 0;
2920 password_expiry_time = 0;
2921 }
2922 }
2923
cryptfs_isConvertibleToFBE()2924 int cryptfs_isConvertibleToFBE() {
2925 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2926 return entry && entry->fs_mgr_flags.force_fde_or_fbe;
2927 }
2928