1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "Cryptfs"
18
19 #include "cryptfs.h"
20
21 #include "Checkpoint.h"
22 #include "CryptoType.h"
23 #include "EncryptInplace.h"
24 #include "FsCrypt.h"
25 #include "Keymaster.h"
26 #include "Process.h"
27 #include "ScryptParameters.h"
28 #include "Utils.h"
29 #include "VoldUtil.h"
30 #include "VolumeManager.h"
31
32 #include <android-base/logging.h>
33 #include <android-base/parseint.h>
34 #include <android-base/properties.h>
35 #include <android-base/stringprintf.h>
36 #include <android-base/strings.h>
37 #include <bootloader_message/bootloader_message.h>
38 #include <cutils/android_reboot.h>
39 #include <cutils/properties.h>
40 #include <ext4_utils/ext4_utils.h>
41 #include <f2fs_sparseblock.h>
42 #include <fs_mgr.h>
43 #include <fscrypt/fscrypt.h>
44 #include <libdm/dm.h>
45 #include <log/log.h>
46 #include <logwrap/logwrap.h>
47 #include <openssl/evp.h>
48 #include <openssl/sha.h>
49 #include <selinux/selinux.h>
50 #include <wakelock/wakelock.h>
51
52 #include <ctype.h>
53 #include <errno.h>
54 #include <fcntl.h>
55 #include <inttypes.h>
56 #include <libgen.h>
57 #include <linux/kdev_t.h>
58 #include <math.h>
59 #include <mntent.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #include <sys/mount.h>
64 #include <sys/param.h>
65 #include <sys/stat.h>
66 #include <sys/types.h>
67 #include <sys/wait.h>
68 #include <time.h>
69 #include <unistd.h>
70
71 #include <chrono>
72 #include <thread>
73
74 extern "C" {
75 #include <crypto_scrypt.h>
76 }
77
78 using android::base::ParseUint;
79 using android::base::StringPrintf;
80 using android::fs_mgr::GetEntryForMountPoint;
81 using android::vold::CryptoType;
82 using android::vold::KeyBuffer;
83 using android::vold::KeyGeneration;
84 using namespace android::vold;
85 using namespace android::dm;
86 using namespace std::chrono_literals;
87
88 /* The current cryptfs version */
89 #define CURRENT_MAJOR_VERSION 1
90 #define CURRENT_MINOR_VERSION 3
91
92 #define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
93 #define CRYPT_PERSIST_DATA_SIZE 0x1000
94
95 #define CRYPT_SECTOR_SIZE 512
96
97 #define MAX_CRYPTO_TYPE_NAME_LEN 64
98
99 #define MAX_KEY_LEN 48
100 #define SALT_LEN 16
101 #define SCRYPT_LEN 32
102
103 /* definitions of flags in the structure below */
104 #define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
105 #define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* no longer used */
106 #define CRYPT_INCONSISTENT_STATE \
107 0x4 /* Set when starting encryption, clear when \
108 exit cleanly, either through success or \
109 correctly marked partial encryption */
110 #define CRYPT_DATA_CORRUPT \
111 0x8 /* Set when encryption is fine, but the \
112 underlying volume is corrupt */
113 #define CRYPT_FORCE_ENCRYPTION \
114 0x10 /* Set when it is time to encrypt this \
115 volume on boot. Everything in this \
116 structure is set up correctly as \
117 though device is encrypted except \
118 that the master key is encrypted with the \
119 default password. */
120 #define CRYPT_FORCE_COMPLETE \
121 0x20 /* Set when the above encryption cycle is \
122 complete. On next cryptkeeper entry, match \
123 the password. If it matches fix the master \
124 key and remove this flag. */
125
126 /* Allowed values for type in the structure below */
127 #define CRYPT_TYPE_PASSWORD \
128 0 /* master_key is encrypted with a password \
129 * Must be zero to be compatible with pre-L \
130 * devices where type is always password.*/
131 #define CRYPT_TYPE_DEFAULT \
132 1 /* master_key is encrypted with default \
133 * password */
134 #define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
135 #define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
136 #define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
137
138 #define CRYPT_MNT_MAGIC 0xD0B5B1C4
139 #define PERSIST_DATA_MAGIC 0xE950CD44
140
141 /* Key Derivation Function algorithms */
142 #define KDF_PBKDF2 1
143 #define KDF_SCRYPT 2
144 /* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
145 #define KDF_SCRYPT_KEYMASTER 5
146
147 /* Maximum allowed keymaster blob size. */
148 #define KEYMASTER_BLOB_SIZE 2048
149
150 /* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
151 #define __le8 unsigned char
152
153 #if !defined(SHA256_DIGEST_LENGTH)
154 #define SHA256_DIGEST_LENGTH 32
155 #endif
156
157 /* This structure starts 16,384 bytes before the end of a hardware
158 * partition that is encrypted, or in a separate partition. It's location
159 * is specified by a property set in init.<device>.rc.
160 * The structure allocates 48 bytes for a key, but the real key size is
161 * specified in the struct. Currently, the code is hardcoded to use 128
162 * bit keys.
163 * The fields after salt are only valid in rev 1.1 and later stuctures.
164 * Obviously, the filesystem does not include the last 16 kbytes
165 * of the partition if the crypt_mnt_ftr lives at the end of the
166 * partition.
167 */
168
169 struct crypt_mnt_ftr {
170 __le32 magic; /* See above */
171 __le16 major_version;
172 __le16 minor_version;
173 __le32 ftr_size; /* in bytes, not including key following */
174 __le32 flags; /* See above */
175 __le32 keysize; /* in bytes */
176 __le32 crypt_type; /* how master_key is encrypted. Must be a
177 * CRYPT_TYPE_XXX value */
178 __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
179 __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
180 mount, set to 0 on successful mount */
181 unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
182 needed to decrypt this
183 partition, null terminated */
184 __le32 spare2; /* ignored */
185 unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
186 unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
187 __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
188 * on device with that info, either the footer of the
189 * real_blkdevice or the metadata partition. */
190
191 __le32 persist_data_size; /* The number of bytes allocated to each copy of the
192 * persistent data table*/
193
194 __le8 kdf_type; /* The key derivation function used. */
195
196 /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
197 __le8 N_factor; /* (1 << N) */
198 __le8 r_factor; /* (1 << r) */
199 __le8 p_factor; /* (1 << p) */
200 __le64 encrypted_upto; /* no longer used */
201 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* no longer used */
202
203 /* key_master key, used to sign the derived key which is then used to generate
204 * the intermediate key
205 * This key should be used for no other purposes! We use this key to sign unpadded
206 * data, which is acceptable but only if the key is not reused elsewhere. */
207 __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
208 __le32 keymaster_blob_size;
209
210 /* Store scrypt of salted intermediate key. When decryption fails, we can
211 check if this matches, and if it does, we know that the problem is with the
212 drive, and there is no point in asking the user for more passwords.
213
214 Note that if any part of this structure is corrupt, this will not match and
215 we will continue to believe the user entered the wrong password. In that
216 case the only solution is for the user to enter a password enough times to
217 force a wipe.
218
219 Note also that there is no need to worry about migration. If this data is
220 wrong, we simply won't recognise a right password, and will continue to
221 prompt. On the first password change, this value will be populated and
222 then we will be OK.
223 */
224 unsigned char scrypted_intermediate_key[SCRYPT_LEN];
225
226 /* sha of this structure with this element set to zero
227 Used when encrypting on reboot to validate structure before doing something
228 fatal
229 */
230 unsigned char sha256[SHA256_DIGEST_LENGTH];
231 };
232
233 /* Persistant data that should be available before decryption.
234 * Things like airplane mode, locale and timezone are kept
235 * here and can be retrieved by the CryptKeeper UI to properly
236 * configure the phone before asking for the password
237 * This is only valid if the major and minor version above
238 * is set to 1.1 or higher.
239 *
240 * This is a 4K structure. There are 2 copies, and the code alternates
241 * writing one and then clearing the previous one. The reading
242 * code reads the first valid copy it finds, based on the magic number.
243 * The absolute offset to the first of the two copies is kept in rev 1.1
244 * and higher crypt_mnt_ftr structures.
245 */
246 struct crypt_persist_entry {
247 char key[PROPERTY_KEY_MAX];
248 char val[PROPERTY_VALUE_MAX];
249 };
250
251 /* Should be exactly 4K in size */
252 struct crypt_persist_data {
253 __le32 persist_magic;
254 __le32 persist_valid_entries;
255 __le32 persist_spare[30];
256 struct crypt_persist_entry persist_entry[0];
257 };
258
259 typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
260 void* params);
261
262 #define UNUSED __attribute__((unused))
263
264 #define HASH_COUNT 2000
265
266 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
267 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
268 constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
269
270 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
271 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
272
273 #define KEY_IN_FOOTER "footer"
274
275 #define DEFAULT_PASSWORD "default_password"
276
277 #define CRYPTO_BLOCK_DEVICE "userdata"
278
279 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
280
281 #define EXT4_FS 1
282 #define F2FS_FS 2
283
284 #define TABLE_LOAD_RETRIES 10
285
286 #define RSA_KEY_SIZE 2048
287 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
288 #define RSA_EXPONENT 0x10001
289 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
290
291 #define RETRY_MOUNT_ATTEMPTS 10
292 #define RETRY_MOUNT_DELAY_SECONDS 1
293
294 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
295
296 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
297
298 static unsigned char saved_master_key[MAX_KEY_LEN];
299 static char* saved_mount_point;
300 static int master_key_saved = 0;
301 static struct crypt_persist_data* persist_data = NULL;
302
303 constexpr CryptoType aes_128_cbc = CryptoType()
304 .set_config_name("AES-128-CBC")
305 .set_kernel_name("aes-cbc-essiv:sha256")
306 .set_keysize(16);
307
308 constexpr CryptoType supported_crypto_types[] = {aes_128_cbc, android::vold::adiantum};
309
310 static_assert(validateSupportedCryptoTypes(MAX_KEY_LEN, supported_crypto_types,
311 array_length(supported_crypto_types)),
312 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
313 "incompletely constructed.");
314
get_crypto_type()315 static const CryptoType& get_crypto_type() {
316 // We only want to parse this read-only property once. But we need to wait
317 // until the system is initialized before we can read it. So we use a static
318 // scoped within this function to get it only once.
319 static CryptoType crypto_type =
320 lookup_crypto_algorithm(supported_crypto_types, array_length(supported_crypto_types),
321 aes_128_cbc, "ro.crypto.fde_algorithm");
322 return crypto_type;
323 }
324
cryptfs_get_keygen()325 const KeyGeneration cryptfs_get_keygen() {
326 return KeyGeneration{get_crypto_type().get_keysize(), true, false};
327 }
328
write_string_to_buf(const std::string & towrite,uint8_t * buffer,uint32_t buffer_size,uint32_t * out_size)329 static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
330 uint32_t* out_size) {
331 if (!buffer || !out_size) {
332 LOG(ERROR) << "Missing target pointers";
333 return false;
334 }
335 *out_size = towrite.size();
336 if (buffer_size < towrite.size()) {
337 LOG(ERROR) << "Buffer too small " << buffer_size << " < " << towrite.size();
338 return false;
339 }
340 memset(buffer, '\0', buffer_size);
341 std::copy(towrite.begin(), towrite.end(), buffer);
342 return true;
343 }
344
keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size,uint64_t rsa_exponent,uint32_t ratelimit,uint8_t * key_buffer,uint32_t key_buffer_size,uint32_t * key_out_size)345 static int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
346 uint32_t ratelimit, uint8_t* key_buffer,
347 uint32_t key_buffer_size,
348 uint32_t* key_out_size) {
349 if (key_out_size) {
350 *key_out_size = 0;
351 }
352 Keymaster dev;
353 if (!dev) {
354 LOG(ERROR) << "Failed to initiate keymaster session";
355 return -1;
356 }
357 auto keyParams = km::AuthorizationSetBuilder()
358 .RsaSigningKey(rsa_key_size, rsa_exponent)
359 .NoDigestOrPadding()
360 .Authorization(km::TAG_NO_AUTH_REQUIRED)
361 .Authorization(km::TAG_MIN_SECONDS_BETWEEN_OPS, ratelimit);
362 std::string key;
363 if (!dev.generateKey(keyParams, &key)) return -1;
364 if (!write_string_to_buf(key, key_buffer, key_buffer_size, key_out_size)) return -1;
365 return 0;
366 }
367
368 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)369 static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
370 if (ftr->keymaster_blob_size) {
371 SLOGI("Already have key");
372 return 0;
373 }
374
375 int rc = keymaster_create_key_for_cryptfs_scrypt(
376 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
377 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
378 if (rc) {
379 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
380 SLOGE("Keymaster key blob too large");
381 ftr->keymaster_blob_size = 0;
382 }
383 SLOGE("Failed to generate keypair");
384 return -1;
385 }
386 return 0;
387 }
388
keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr * ftr,uint32_t ratelimit,const uint8_t * object,const size_t object_size,uint8_t ** signature_buffer,size_t * signature_buffer_size)389 static int keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr* ftr, uint32_t ratelimit,
390 const uint8_t* object, const size_t object_size,
391 uint8_t** signature_buffer,
392 size_t* signature_buffer_size) {
393 if (!object || !signature_buffer || !signature_buffer_size) {
394 LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument";
395 return -1;
396 }
397
398 Keymaster dev;
399 if (!dev) {
400 LOG(ERROR) << "Failed to initiate keymaster session";
401 return -1;
402 }
403
404 km::AuthorizationSet outParams;
405 std::string key(reinterpret_cast<const char*>(ftr->keymaster_blob), ftr->keymaster_blob_size);
406 std::string input(reinterpret_cast<const char*>(object), object_size);
407 std::string output;
408 KeymasterOperation op;
409
410 auto paramBuilder = km::AuthorizationSetBuilder().NoDigestOrPadding().Authorization(
411 km::TAG_PURPOSE, km::KeyPurpose::SIGN);
412 while (true) {
413 op = dev.begin(key, paramBuilder, &outParams);
414 if (op.getErrorCode() == km::ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
415 sleep(ratelimit);
416 continue;
417 } else
418 break;
419 }
420
421 if (!op) {
422 LOG(ERROR) << "Error starting keymaster signature transaction: "
423 << int32_t(op.getErrorCode());
424 return -1;
425 }
426
427 if (op.getUpgradedBlob()) {
428 write_string_to_buf(*op.getUpgradedBlob(), ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
429 &ftr->keymaster_blob_size);
430
431 SLOGD("Upgrading key");
432 if (put_crypt_ftr_and_key(ftr) != 0) {
433 SLOGE("Failed to write upgraded key to disk");
434 return -1;
435 }
436 SLOGD("Key upgraded successfully");
437 }
438
439 if (!op.updateCompletely(input, &output)) {
440 LOG(ERROR) << "Error sending data to keymaster signature transaction: "
441 << int32_t(op.getErrorCode());
442 return -1;
443 }
444
445 if (!op.finish(&output)) {
446 LOG(ERROR) << "Error finalizing keymaster signature transaction: "
447 << int32_t(op.getErrorCode());
448 return -1;
449 }
450
451 *signature_buffer = reinterpret_cast<uint8_t*>(malloc(output.size()));
452 if (*signature_buffer == nullptr) {
453 LOG(ERROR) << "Error allocation buffer for keymaster signature";
454 return -1;
455 }
456 *signature_buffer_size = output.size();
457 std::copy(output.data(), output.data() + output.size(), *signature_buffer);
458
459 return 0;
460 }
461
462 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)463 static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
464 const size_t object_size, unsigned char** signature,
465 size_t* signature_size) {
466 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
467 size_t to_sign_size = sizeof(to_sign);
468 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
469
470 // To sign a message with RSA, the message must satisfy two
471 // constraints:
472 //
473 // 1. The message, when interpreted as a big-endian numeric value, must
474 // be strictly less than the public modulus of the RSA key. Note
475 // that because the most significant bit of the public modulus is
476 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
477 // key), an n-bit message with most significant bit 0 always
478 // satisfies this requirement.
479 //
480 // 2. The message must have the same length in bits as the public
481 // modulus of the RSA key. This requirement isn't mathematically
482 // necessary, but is necessary to ensure consistency in
483 // implementations.
484 switch (ftr->kdf_type) {
485 case KDF_SCRYPT_KEYMASTER:
486 // This ensures the most significant byte of the signed message
487 // is zero. We could have zero-padded to the left instead, but
488 // this approach is slightly more robust against changes in
489 // object size. However, it's still broken (but not unusably
490 // so) because we really should be using a proper deterministic
491 // RSA padding function, such as PKCS1.
492 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
493 SLOGI("Signing safely-padded object");
494 break;
495 default:
496 SLOGE("Unknown KDF type %d", ftr->kdf_type);
497 return -1;
498 }
499 return keymaster_sign_object_for_cryptfs_scrypt(ftr, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
500 to_sign_size, signature, signature_size);
501 }
502
503 /* Store password when userdata is successfully decrypted and mounted.
504 * Cleared by cryptfs_clear_password
505 *
506 * To avoid a double prompt at boot, we need to store the CryptKeeper
507 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
508 * Since the entire framework is torn down and rebuilt after encryption,
509 * we have to use a daemon or similar to store the password. Since vold
510 * is secured against IPC except from system processes, it seems a reasonable
511 * place to store this.
512 *
513 * password should be cleared once it has been used.
514 *
515 * password is aged out after password_max_age_seconds seconds.
516 */
517 static char* password = 0;
518 static int password_expiry_time = 0;
519 static const int password_max_age_seconds = 60;
520
521 enum class RebootType { reboot, recovery, shutdown };
cryptfs_reboot(RebootType rt)522 static void cryptfs_reboot(RebootType rt) {
523 switch (rt) {
524 case RebootType::reboot:
525 property_set(ANDROID_RB_PROPERTY, "reboot");
526 break;
527
528 case RebootType::recovery:
529 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
530 break;
531
532 case RebootType::shutdown:
533 property_set(ANDROID_RB_PROPERTY, "shutdown");
534 break;
535 }
536
537 sleep(20);
538
539 /* Shouldn't get here, reboot should happen before sleep times out */
540 return;
541 }
542
543 /**
544 * Gets the default device scrypt parameters for key derivation time tuning.
545 * The parameters should lead to about one second derivation time for the
546 * given device.
547 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)548 static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
549 char paramstr[PROPERTY_VALUE_MAX];
550 int Nf, rf, pf;
551
552 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
553 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
554 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
555 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
556 }
557 ftr->N_factor = Nf;
558 ftr->r_factor = rf;
559 ftr->p_factor = pf;
560 }
561
get_fs_size(const char * dev)562 static uint64_t get_fs_size(const char* dev) {
563 int fd, block_size;
564 struct ext4_super_block sb;
565 uint64_t len;
566
567 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
568 SLOGE("Cannot open device to get filesystem size ");
569 return 0;
570 }
571
572 if (lseek64(fd, 1024, SEEK_SET) < 0) {
573 SLOGE("Cannot seek to superblock");
574 return 0;
575 }
576
577 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
578 SLOGE("Cannot read superblock");
579 return 0;
580 }
581
582 close(fd);
583
584 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
585 SLOGE("Not a valid ext4 superblock");
586 return 0;
587 }
588 block_size = 1024 << sb.s_log_block_size;
589 /* compute length in bytes */
590 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
591
592 /* return length in sectors */
593 return len / 512;
594 }
595
get_crypt_info(std::string * key_loc,std::string * real_blk_device)596 static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
597 for (const auto& entry : fstab_default) {
598 if (!entry.fs_mgr_flags.vold_managed &&
599 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
600 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
601 if (key_loc != nullptr) {
602 *key_loc = entry.key_loc;
603 }
604 if (real_blk_device != nullptr) {
605 *real_blk_device = entry.blk_device;
606 }
607 return;
608 }
609 }
610 }
611
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)612 static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
613 static int cached_data = 0;
614 static uint64_t cached_off = 0;
615 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
616 char key_loc[PROPERTY_VALUE_MAX];
617 char real_blkdev[PROPERTY_VALUE_MAX];
618 int rc = -1;
619
620 if (!cached_data) {
621 std::string key_loc;
622 std::string real_blkdev;
623 get_crypt_info(&key_loc, &real_blkdev);
624
625 if (key_loc == KEY_IN_FOOTER) {
626 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
627 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
628 * encryption info footer and key, and plenty of bytes to spare for future
629 * growth.
630 */
631 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
632 cached_off -= CRYPT_FOOTER_OFFSET;
633 cached_data = 1;
634 } else {
635 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
636 }
637 } else {
638 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
639 cached_off = 0;
640 cached_data = 1;
641 }
642 }
643
644 if (cached_data) {
645 if (metadata_fname) {
646 *metadata_fname = cached_metadata_fname;
647 }
648 if (off) {
649 *off = cached_off;
650 }
651 rc = 0;
652 }
653
654 return rc;
655 }
656
657 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)658 static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
659 SHA256_CTX c;
660 SHA256_Init(&c);
661 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
662 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
663 SHA256_Final(crypt_ftr->sha256, &c);
664 }
665
666 /* key or salt can be NULL, in which case just skip writing that value. Useful to
667 * update the failed mount count but not change the key.
668 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)669 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
670 int fd;
671 unsigned int cnt;
672 /* starting_off is set to the SEEK_SET offset
673 * where the crypto structure starts
674 */
675 off64_t starting_off;
676 int rc = -1;
677 char* fname = NULL;
678 struct stat statbuf;
679
680 set_ftr_sha(crypt_ftr);
681
682 if (get_crypt_ftr_info(&fname, &starting_off)) {
683 SLOGE("Unable to get crypt_ftr_info\n");
684 return -1;
685 }
686 if (fname[0] != '/') {
687 SLOGE("Unexpected value for crypto key location\n");
688 return -1;
689 }
690 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
691 SLOGE("Cannot open footer file %s for put\n", fname);
692 return -1;
693 }
694
695 /* Seek to the start of the crypt footer */
696 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
697 SLOGE("Cannot seek to real block device footer\n");
698 goto errout;
699 }
700
701 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
702 SLOGE("Cannot write real block device footer\n");
703 goto errout;
704 }
705
706 fstat(fd, &statbuf);
707 /* If the keys are kept on a raw block device, do not try to truncate it. */
708 if (S_ISREG(statbuf.st_mode)) {
709 if (ftruncate(fd, 0x4000)) {
710 SLOGE("Cannot set footer file size\n");
711 goto errout;
712 }
713 }
714
715 /* Success! */
716 rc = 0;
717
718 errout:
719 close(fd);
720 return rc;
721 }
722
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)723 static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
724 struct crypt_mnt_ftr copy;
725 memcpy(©, crypt_ftr, sizeof(copy));
726 set_ftr_sha(©);
727 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
728 }
729
unix_read(int fd,void * buff,int len)730 static inline int unix_read(int fd, void* buff, int len) {
731 return TEMP_FAILURE_RETRY(read(fd, buff, len));
732 }
733
unix_write(int fd,const void * buff,int len)734 static inline int unix_write(int fd, const void* buff, int len) {
735 return TEMP_FAILURE_RETRY(write(fd, buff, len));
736 }
737
init_empty_persist_data(struct crypt_persist_data * pdata,int len)738 static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
739 memset(pdata, 0, len);
740 pdata->persist_magic = PERSIST_DATA_MAGIC;
741 pdata->persist_valid_entries = 0;
742 }
743
744 /* A routine to update the passed in crypt_ftr to the lastest version.
745 * fd is open read/write on the device that holds the crypto footer and persistent
746 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
747 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
748 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)749 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
750 int orig_major = crypt_ftr->major_version;
751 int orig_minor = crypt_ftr->minor_version;
752
753 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
754 struct crypt_persist_data* pdata;
755 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
756
757 SLOGW("upgrading crypto footer to 1.1");
758
759 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
760 if (pdata == NULL) {
761 SLOGE("Cannot allocate persisent data\n");
762 return;
763 }
764 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
765
766 /* Need to initialize the persistent data area */
767 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
768 SLOGE("Cannot seek to persisent data offset\n");
769 free(pdata);
770 return;
771 }
772 /* Write all zeros to the first copy, making it invalid */
773 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
774
775 /* Write a valid but empty structure to the second copy */
776 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
777 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
778
779 /* Update the footer */
780 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
781 crypt_ftr->persist_data_offset[0] = pdata_offset;
782 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
783 crypt_ftr->minor_version = 1;
784 free(pdata);
785 }
786
787 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
788 SLOGW("upgrading crypto footer to 1.2");
789 /* But keep the old kdf_type.
790 * It will get updated later to KDF_SCRYPT after the password has been verified.
791 */
792 crypt_ftr->kdf_type = KDF_PBKDF2;
793 get_device_scrypt_params(crypt_ftr);
794 crypt_ftr->minor_version = 2;
795 }
796
797 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
798 SLOGW("upgrading crypto footer to 1.3");
799 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
800 crypt_ftr->minor_version = 3;
801 }
802
803 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
804 if (lseek64(fd, offset, SEEK_SET) == -1) {
805 SLOGE("Cannot seek to crypt footer\n");
806 return;
807 }
808 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
809 }
810 }
811
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)812 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
813 int fd;
814 unsigned int cnt;
815 off64_t starting_off;
816 int rc = -1;
817 char* fname = NULL;
818 struct stat statbuf;
819
820 if (get_crypt_ftr_info(&fname, &starting_off)) {
821 SLOGE("Unable to get crypt_ftr_info\n");
822 return -1;
823 }
824 if (fname[0] != '/') {
825 SLOGE("Unexpected value for crypto key location\n");
826 return -1;
827 }
828 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
829 SLOGE("Cannot open footer file %s for get\n", fname);
830 return -1;
831 }
832
833 /* Make sure it's 16 Kbytes in length */
834 fstat(fd, &statbuf);
835 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
836 SLOGE("footer file %s is not the expected size!\n", fname);
837 goto errout;
838 }
839
840 /* Seek to the start of the crypt footer */
841 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
842 SLOGE("Cannot seek to real block device footer\n");
843 goto errout;
844 }
845
846 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
847 SLOGE("Cannot read real block device footer\n");
848 goto errout;
849 }
850
851 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
852 SLOGE("Bad magic for real block device %s\n", fname);
853 goto errout;
854 }
855
856 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
857 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
858 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
859 goto errout;
860 }
861
862 // We risk buffer overflows with oversized keys, so we just reject them.
863 // 0-sized keys are problematic (essentially by-passing encryption), and
864 // AES-CBC key wrapping only works for multiples of 16 bytes.
865 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
866 (crypt_ftr->keysize > MAX_KEY_LEN)) {
867 SLOGE(
868 "Invalid keysize (%u) for block device %s; Must be non-zero, "
869 "divisible by 16, and <= %d\n",
870 crypt_ftr->keysize, fname, MAX_KEY_LEN);
871 goto errout;
872 }
873
874 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
875 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
876 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
877 }
878
879 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
880 * copy on disk before returning.
881 */
882 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
883 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
884 }
885
886 /* Success! */
887 rc = 0;
888
889 errout:
890 close(fd);
891 return rc;
892 }
893
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)894 static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
895 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
896 crypt_ftr->persist_data_offset[1]) {
897 SLOGE("Crypt_ftr persist data regions overlap");
898 return -1;
899 }
900
901 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
902 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
903 return -1;
904 }
905
906 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
907 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
908 CRYPT_FOOTER_OFFSET) {
909 SLOGE("Persistent data extends past crypto footer");
910 return -1;
911 }
912
913 return 0;
914 }
915
load_persistent_data(void)916 static int load_persistent_data(void) {
917 struct crypt_mnt_ftr crypt_ftr;
918 struct crypt_persist_data* pdata = NULL;
919 char encrypted_state[PROPERTY_VALUE_MAX];
920 char* fname;
921 int found = 0;
922 int fd;
923 int ret;
924 int i;
925
926 if (persist_data) {
927 /* Nothing to do, we've already loaded or initialized it */
928 return 0;
929 }
930
931 /* If not encrypted, just allocate an empty table and initialize it */
932 property_get("ro.crypto.state", encrypted_state, "");
933 if (strcmp(encrypted_state, "encrypted")) {
934 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
935 if (pdata) {
936 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
937 persist_data = pdata;
938 return 0;
939 }
940 return -1;
941 }
942
943 if (get_crypt_ftr_and_key(&crypt_ftr)) {
944 return -1;
945 }
946
947 if ((crypt_ftr.major_version < 1) ||
948 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
949 SLOGE("Crypt_ftr version doesn't support persistent data");
950 return -1;
951 }
952
953 if (get_crypt_ftr_info(&fname, NULL)) {
954 return -1;
955 }
956
957 ret = validate_persistent_data_storage(&crypt_ftr);
958 if (ret) {
959 return -1;
960 }
961
962 fd = open(fname, O_RDONLY | O_CLOEXEC);
963 if (fd < 0) {
964 SLOGE("Cannot open %s metadata file", fname);
965 return -1;
966 }
967
968 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
969 if (pdata == NULL) {
970 SLOGE("Cannot allocate memory for persistent data");
971 goto err;
972 }
973
974 for (i = 0; i < 2; i++) {
975 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
976 SLOGE("Cannot seek to read persistent data on %s", fname);
977 goto err2;
978 }
979 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
980 SLOGE("Error reading persistent data on iteration %d", i);
981 goto err2;
982 }
983 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
984 found = 1;
985 break;
986 }
987 }
988
989 if (!found) {
990 SLOGI("Could not find valid persistent data, creating");
991 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
992 }
993
994 /* Success */
995 persist_data = pdata;
996 close(fd);
997 return 0;
998
999 err2:
1000 free(pdata);
1001
1002 err:
1003 close(fd);
1004 return -1;
1005 }
1006
save_persistent_data(void)1007 static int save_persistent_data(void) {
1008 struct crypt_mnt_ftr crypt_ftr;
1009 struct crypt_persist_data* pdata;
1010 char* fname;
1011 off64_t write_offset;
1012 off64_t erase_offset;
1013 int fd;
1014 int ret;
1015
1016 if (persist_data == NULL) {
1017 SLOGE("No persistent data to save");
1018 return -1;
1019 }
1020
1021 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1022 return -1;
1023 }
1024
1025 if ((crypt_ftr.major_version < 1) ||
1026 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
1027 SLOGE("Crypt_ftr version doesn't support persistent data");
1028 return -1;
1029 }
1030
1031 ret = validate_persistent_data_storage(&crypt_ftr);
1032 if (ret) {
1033 return -1;
1034 }
1035
1036 if (get_crypt_ftr_info(&fname, NULL)) {
1037 return -1;
1038 }
1039
1040 fd = open(fname, O_RDWR | O_CLOEXEC);
1041 if (fd < 0) {
1042 SLOGE("Cannot open %s metadata file", fname);
1043 return -1;
1044 }
1045
1046 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
1047 if (pdata == NULL) {
1048 SLOGE("Cannot allocate persistant data");
1049 goto err;
1050 }
1051
1052 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
1053 SLOGE("Cannot seek to read persistent data on %s", fname);
1054 goto err2;
1055 }
1056
1057 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
1058 SLOGE("Error reading persistent data before save");
1059 goto err2;
1060 }
1061
1062 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
1063 /* The first copy is the curent valid copy, so write to
1064 * the second copy and erase this one */
1065 write_offset = crypt_ftr.persist_data_offset[1];
1066 erase_offset = crypt_ftr.persist_data_offset[0];
1067 } else {
1068 /* The second copy must be the valid copy, so write to
1069 * the first copy, and erase the second */
1070 write_offset = crypt_ftr.persist_data_offset[0];
1071 erase_offset = crypt_ftr.persist_data_offset[1];
1072 }
1073
1074 /* Write the new copy first, if successful, then erase the old copy */
1075 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1076 SLOGE("Cannot seek to write persistent data");
1077 goto err2;
1078 }
1079 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1080 (int)crypt_ftr.persist_data_size) {
1081 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1082 SLOGE("Cannot seek to erase previous persistent data");
1083 goto err2;
1084 }
1085 fsync(fd);
1086 memset(pdata, 0, crypt_ftr.persist_data_size);
1087 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
1088 SLOGE("Cannot write to erase previous persistent data");
1089 goto err2;
1090 }
1091 fsync(fd);
1092 } else {
1093 SLOGE("Cannot write to save persistent data");
1094 goto err2;
1095 }
1096
1097 /* Success */
1098 free(pdata);
1099 close(fd);
1100 return 0;
1101
1102 err2:
1103 free(pdata);
1104 err:
1105 close(fd);
1106 return -1;
1107 }
1108
1109 /* Convert a binary key of specified length into an ascii hex string equivalent,
1110 * without the leading 0x and with null termination
1111 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1112 static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
1113 char* master_key_ascii) {
1114 unsigned int i, a;
1115 unsigned char nibble;
1116
1117 for (i = 0, a = 0; i < keysize; i++, a += 2) {
1118 /* For each byte, write out two ascii hex digits */
1119 nibble = (master_key[i] >> 4) & 0xf;
1120 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1121
1122 nibble = master_key[i] & 0xf;
1123 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1124 }
1125
1126 /* Add the null termination */
1127 master_key_ascii[a] = '\0';
1128 }
1129
1130 /*
1131 * If the ro.crypto.fde_sector_size system property is set, append the
1132 * parameters to make dm-crypt use the specified crypto sector size and round
1133 * the crypto device size down to a crypto sector boundary.
1134 */
add_sector_size_param(DmTargetCrypt * target,struct crypt_mnt_ftr * ftr)1135 static int add_sector_size_param(DmTargetCrypt* target, struct crypt_mnt_ftr* ftr) {
1136 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
1137 char value[PROPERTY_VALUE_MAX];
1138
1139 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1140 unsigned int sector_size;
1141
1142 if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
1143 (sector_size & (sector_size - 1)) != 0) {
1144 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1145 DM_CRYPT_SECTOR_SIZE, value);
1146 return -1;
1147 }
1148
1149 target->SetSectorSize(sector_size);
1150
1151 // With this option, IVs will match the sector numbering, instead
1152 // of being hard-coded to being based on 512-byte sectors.
1153 target->SetIvLargeSectors();
1154
1155 // Round the crypto device size down to a crypto sector boundary.
1156 ftr->fs_size &= ~((sector_size / 512) - 1);
1157 }
1158 return 0;
1159 }
1160
create_crypto_blk_dev(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,std::string * crypto_blk_name,const char * name,uint32_t flags)1161 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1162 const char* real_blk_name, std::string* crypto_blk_name,
1163 const char* name, uint32_t flags) {
1164 auto& dm = DeviceMapper::Instance();
1165
1166 // We need two ASCII characters to represent each byte, and need space for
1167 // the '\0' terminator.
1168 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
1169 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1170
1171 auto target = std::make_unique<DmTargetCrypt>(0, crypt_ftr->fs_size,
1172 (const char*)crypt_ftr->crypto_type_name,
1173 master_key_ascii, 0, real_blk_name, 0);
1174 target->AllowDiscards();
1175
1176 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1177 target->AllowEncryptOverride();
1178 }
1179 if (add_sector_size_param(target.get(), crypt_ftr)) {
1180 SLOGE("Error processing dm-crypt sector size param\n");
1181 return -1;
1182 }
1183
1184 DmTable table;
1185 table.AddTarget(std::move(target));
1186
1187 int load_count = 1;
1188 while (load_count < TABLE_LOAD_RETRIES) {
1189 if (dm.CreateDevice(name, table)) {
1190 break;
1191 }
1192 load_count++;
1193 }
1194
1195 if (load_count >= TABLE_LOAD_RETRIES) {
1196 SLOGE("Cannot load dm-crypt mapping table.\n");
1197 return -1;
1198 }
1199 if (load_count > 1) {
1200 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1201 }
1202
1203 if (!dm.GetDmDevicePathByName(name, crypto_blk_name)) {
1204 SLOGE("Cannot determine dm-crypt path for %s.\n", name);
1205 return -1;
1206 }
1207
1208 /* Ensure the dm device has been created before returning. */
1209 if (android::vold::WaitForFile(crypto_blk_name->c_str(), 1s) < 0) {
1210 // WaitForFile generates a suitable log message
1211 return -1;
1212 }
1213 return 0;
1214 }
1215
delete_crypto_blk_dev(const std::string & name)1216 static int delete_crypto_blk_dev(const std::string& name) {
1217 bool ret;
1218 auto& dm = DeviceMapper::Instance();
1219 // TODO(b/149396179) there appears to be a race somewhere in the system where trying
1220 // to delete the device fails with EBUSY; for now, work around this by retrying.
1221 int tries = 5;
1222 while (tries-- > 0) {
1223 ret = dm.DeleteDevice(name);
1224 if (ret || errno != EBUSY) {
1225 break;
1226 }
1227 SLOGW("DM_DEV Cannot remove dm-crypt device %s: %s, retrying...\n", name.c_str(),
1228 strerror(errno));
1229 std::this_thread::sleep_for(std::chrono::milliseconds(100));
1230 }
1231 if (!ret) {
1232 SLOGE("DM_DEV Cannot remove dm-crypt device %s: %s\n", name.c_str(), strerror(errno));
1233 return -1;
1234 }
1235 return 0;
1236 }
1237
pbkdf2(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params UNUSED)1238 static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1239 void* params UNUSED) {
1240 SLOGI("Using pbkdf2 for cryptfs KDF");
1241
1242 /* Turn the password into a key and IV that can decrypt the master key */
1243 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1244 INTERMEDIATE_BUF_SIZE, ikey) != 1;
1245 }
1246
scrypt(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1247 static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
1248 SLOGI("Using scrypt for cryptfs KDF");
1249
1250 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1251
1252 int N = 1 << ftr->N_factor;
1253 int r = 1 << ftr->r_factor;
1254 int p = 1 << ftr->p_factor;
1255
1256 /* Turn the password into a key and IV that can decrypt the master key */
1257 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1258 INTERMEDIATE_BUF_SIZE);
1259
1260 return 0;
1261 }
1262
scrypt_keymaster(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1263 static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1264 void* params) {
1265 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1266
1267 int rc;
1268 size_t signature_size;
1269 unsigned char* signature;
1270 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1271
1272 int N = 1 << ftr->N_factor;
1273 int r = 1 << ftr->r_factor;
1274 int p = 1 << ftr->p_factor;
1275
1276 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1277 INTERMEDIATE_BUF_SIZE);
1278
1279 if (rc) {
1280 SLOGE("scrypt failed");
1281 return -1;
1282 }
1283
1284 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
1285 SLOGE("Signing failed");
1286 return -1;
1287 }
1288
1289 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1290 INTERMEDIATE_BUF_SIZE);
1291 free(signature);
1292
1293 if (rc) {
1294 SLOGE("scrypt failed");
1295 return -1;
1296 }
1297
1298 return 0;
1299 }
1300
encrypt_master_key(const char * passwd,const unsigned char * salt,const unsigned char * decrypted_master_key,unsigned char * encrypted_master_key,struct crypt_mnt_ftr * crypt_ftr)1301 static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1302 const unsigned char* decrypted_master_key,
1303 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1304 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1305 EVP_CIPHER_CTX e_ctx;
1306 int encrypted_len, final_len;
1307 int rc = 0;
1308
1309 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1310 get_device_scrypt_params(crypt_ftr);
1311
1312 switch (crypt_ftr->kdf_type) {
1313 case KDF_SCRYPT_KEYMASTER:
1314 if (keymaster_create_key(crypt_ftr)) {
1315 SLOGE("keymaster_create_key failed");
1316 return -1;
1317 }
1318
1319 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1320 SLOGE("scrypt failed");
1321 return -1;
1322 }
1323 break;
1324
1325 case KDF_SCRYPT:
1326 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1327 SLOGE("scrypt failed");
1328 return -1;
1329 }
1330 break;
1331
1332 default:
1333 SLOGE("Invalid kdf_type");
1334 return -1;
1335 }
1336
1337 /* Initialize the decryption engine */
1338 EVP_CIPHER_CTX_init(&e_ctx);
1339 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1340 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1341 SLOGE("EVP_EncryptInit failed\n");
1342 return -1;
1343 }
1344 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1345
1346 /* Encrypt the master key */
1347 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1348 crypt_ftr->keysize)) {
1349 SLOGE("EVP_EncryptUpdate failed\n");
1350 return -1;
1351 }
1352 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1353 SLOGE("EVP_EncryptFinal failed\n");
1354 return -1;
1355 }
1356
1357 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1358 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1359 return -1;
1360 }
1361
1362 /* Store the scrypt of the intermediate key, so we can validate if it's a
1363 password error or mount error when things go wrong.
1364 Note there's no need to check for errors, since if this is incorrect, we
1365 simply won't wipe userdata, which is the correct default behavior
1366 */
1367 int N = 1 << crypt_ftr->N_factor;
1368 int r = 1 << crypt_ftr->r_factor;
1369 int p = 1 << crypt_ftr->p_factor;
1370
1371 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1372 N, r, p, crypt_ftr->scrypted_intermediate_key,
1373 sizeof(crypt_ftr->scrypted_intermediate_key));
1374
1375 if (rc) {
1376 SLOGE("encrypt_master_key: crypto_scrypt failed");
1377 }
1378
1379 EVP_CIPHER_CTX_cleanup(&e_ctx);
1380
1381 return 0;
1382 }
1383
decrypt_master_key_aux(const char * passwd,unsigned char * salt,const unsigned char * encrypted_master_key,size_t keysize,unsigned char * decrypted_master_key,kdf_func kdf,void * kdf_params,unsigned char ** intermediate_key,size_t * intermediate_key_size)1384 static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1385 const unsigned char* encrypted_master_key, size_t keysize,
1386 unsigned char* decrypted_master_key, kdf_func kdf,
1387 void* kdf_params, unsigned char** intermediate_key,
1388 size_t* intermediate_key_size) {
1389 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1390 EVP_CIPHER_CTX d_ctx;
1391 int decrypted_len, final_len;
1392
1393 /* Turn the password into an intermediate key and IV that can decrypt the
1394 master key */
1395 if (kdf(passwd, salt, ikey, kdf_params)) {
1396 SLOGE("kdf failed");
1397 return -1;
1398 }
1399
1400 /* Initialize the decryption engine */
1401 EVP_CIPHER_CTX_init(&d_ctx);
1402 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1403 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1404 return -1;
1405 }
1406 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1407 /* Decrypt the master key */
1408 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1409 keysize)) {
1410 return -1;
1411 }
1412 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1413 return -1;
1414 }
1415
1416 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1417 return -1;
1418 }
1419
1420 /* Copy intermediate key if needed by params */
1421 if (intermediate_key && intermediate_key_size) {
1422 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1423 if (*intermediate_key) {
1424 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1425 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1426 }
1427 }
1428
1429 EVP_CIPHER_CTX_cleanup(&d_ctx);
1430
1431 return 0;
1432 }
1433
get_kdf_func(struct crypt_mnt_ftr * ftr,kdf_func * kdf,void ** kdf_params)1434 static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
1435 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1436 *kdf = scrypt_keymaster;
1437 *kdf_params = ftr;
1438 } else if (ftr->kdf_type == KDF_SCRYPT) {
1439 *kdf = scrypt;
1440 *kdf_params = ftr;
1441 } else {
1442 *kdf = pbkdf2;
1443 *kdf_params = NULL;
1444 }
1445 }
1446
decrypt_master_key(const char * passwd,unsigned char * decrypted_master_key,struct crypt_mnt_ftr * crypt_ftr,unsigned char ** intermediate_key,size_t * intermediate_key_size)1447 static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1448 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1449 size_t* intermediate_key_size) {
1450 kdf_func kdf;
1451 void* kdf_params;
1452 int ret;
1453
1454 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1455 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1456 decrypted_master_key, kdf, kdf_params, intermediate_key,
1457 intermediate_key_size);
1458 if (ret != 0) {
1459 SLOGW("failure decrypting master key");
1460 }
1461
1462 return ret;
1463 }
1464
create_encrypted_random_key(const char * passwd,unsigned char * master_key,unsigned char * salt,struct crypt_mnt_ftr * crypt_ftr)1465 static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1466 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
1467 unsigned char key_buf[MAX_KEY_LEN];
1468
1469 /* Get some random bits for a key and salt */
1470 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1471 return -1;
1472 }
1473 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1474 return -1;
1475 }
1476
1477 /* Now encrypt it with the password */
1478 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1479 }
1480
ensure_subdirectory_unmounted(const char * prefix)1481 static void ensure_subdirectory_unmounted(const char *prefix) {
1482 std::vector<std::string> umount_points;
1483 std::unique_ptr<FILE, int (*)(FILE*)> mnts(setmntent("/proc/mounts", "r"), endmntent);
1484 if (!mnts) {
1485 SLOGW("could not read mount files");
1486 return;
1487 }
1488
1489 //Find sudirectory mount point
1490 mntent* mentry;
1491 std::string top_directory(prefix);
1492 if (!android::base::EndsWith(prefix, "/")) {
1493 top_directory = top_directory + "/";
1494 }
1495 while ((mentry = getmntent(mnts.get())) != nullptr) {
1496 if (strcmp(mentry->mnt_dir, top_directory.c_str()) == 0) {
1497 continue;
1498 }
1499
1500 if (android::base::StartsWith(mentry->mnt_dir, top_directory)) {
1501 SLOGW("found sub-directory mount %s - %s\n", prefix, mentry->mnt_dir);
1502 umount_points.push_back(mentry->mnt_dir);
1503 }
1504 }
1505
1506 //Sort by path length to umount longest path first
1507 std::sort(std::begin(umount_points), std::end(umount_points),
1508 [](const std::string& s1, const std::string& s2) {return s1.length() > s2.length(); });
1509
1510 for (std::string& mount_point : umount_points) {
1511 umount(mount_point.c_str());
1512 SLOGW("umount sub-directory mount %s\n", mount_point.c_str());
1513 }
1514 }
1515
wait_and_unmount(const char * mountpoint)1516 static int wait_and_unmount(const char* mountpoint) {
1517 int i, err, rc;
1518
1519 // Subdirectory mount will cause a failure of umount.
1520 ensure_subdirectory_unmounted(mountpoint);
1521 #define WAIT_UNMOUNT_COUNT 20
1522
1523 /* Now umount the tmpfs filesystem */
1524 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
1525 if (umount(mountpoint) == 0) {
1526 break;
1527 }
1528
1529 if (errno == EINVAL) {
1530 /* EINVAL is returned if the directory is not a mountpoint,
1531 * i.e. there is no filesystem mounted there. So just get out.
1532 */
1533 break;
1534 }
1535
1536 err = errno;
1537
1538 // If it's taking too long, kill the processes with open files.
1539 //
1540 // Originally this logic was only a fail-safe, but now it's relied on to
1541 // kill certain processes that aren't stopped by init because they
1542 // aren't in the main or late_start classes. So to avoid waiting for
1543 // too long, we now are fairly aggressive in starting to kill processes.
1544 static_assert(WAIT_UNMOUNT_COUNT >= 4);
1545 if (i == 2) {
1546 SLOGW("sending SIGTERM to processes with open files\n");
1547 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1548 } else if (i >= 3) {
1549 SLOGW("sending SIGKILL to processes with open files\n");
1550 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1551 }
1552
1553 sleep(1);
1554 }
1555
1556 if (i < WAIT_UNMOUNT_COUNT) {
1557 SLOGD("unmounting %s succeeded\n", mountpoint);
1558 rc = 0;
1559 } else {
1560 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1561 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1562 rc = -1;
1563 }
1564
1565 return rc;
1566 }
1567
prep_data_fs(void)1568 static void prep_data_fs(void) {
1569 // NOTE: post_fs_data results in init calling back around to vold, so all
1570 // callers to this method must be async
1571
1572 /* Do the prep of the /data filesystem */
1573 property_set("vold.post_fs_data_done", "0");
1574 property_set("vold.decrypt", "trigger_post_fs_data");
1575 SLOGD("Just triggered post_fs_data");
1576
1577 /* Wait a max of 50 seconds, hopefully it takes much less */
1578 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
1579 /* We timed out to prep /data in time. Continue wait. */
1580 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1581 }
1582 SLOGD("post_fs_data done");
1583 }
1584
cryptfs_set_corrupt()1585 static void cryptfs_set_corrupt() {
1586 // Mark the footer as bad
1587 struct crypt_mnt_ftr crypt_ftr;
1588 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1589 SLOGE("Failed to get crypto footer - panic");
1590 return;
1591 }
1592
1593 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1594 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1595 SLOGE("Failed to set crypto footer - panic");
1596 return;
1597 }
1598 }
1599
cryptfs_trigger_restart_min_framework()1600 static void cryptfs_trigger_restart_min_framework() {
1601 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1602 SLOGE("Failed to mount tmpfs on data - panic");
1603 return;
1604 }
1605
1606 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1607 SLOGE("Failed to trigger post fs data - panic");
1608 return;
1609 }
1610
1611 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1612 SLOGE("Failed to trigger restart min framework - panic");
1613 return;
1614 }
1615 }
1616
1617 /* returns < 0 on failure */
cryptfs_restart_internal(int restart_main)1618 static int cryptfs_restart_internal(int restart_main) {
1619 char crypto_blkdev[MAXPATHLEN];
1620 int rc = -1;
1621 static int restart_successful = 0;
1622
1623 /* Validate that it's OK to call this routine */
1624 if (!master_key_saved) {
1625 SLOGE("Encrypted filesystem not validated, aborting");
1626 return -1;
1627 }
1628
1629 if (restart_successful) {
1630 SLOGE("System already restarted with encrypted disk, aborting");
1631 return -1;
1632 }
1633
1634 if (restart_main) {
1635 /* Here is where we shut down the framework. The init scripts
1636 * start all services in one of these classes: core, early_hal, hal,
1637 * main and late_start. To get to the minimal UI for PIN entry, we
1638 * need to start core, early_hal, hal and main. When we want to
1639 * shutdown the framework again, we need to stop most of the services in
1640 * these classes, but only those services that were started after
1641 * /data was mounted. This excludes critical services like vold and
1642 * ueventd, which need to keep running. We could possible stop
1643 * even fewer services, but because we want services to pick up APEX
1644 * libraries from the real /data, restarting is better, as it makes
1645 * these devices consistent with FBE devices and lets them use the
1646 * most recent code.
1647 *
1648 * Once these services have stopped, we should be able
1649 * to umount the tmpfs /data, then mount the encrypted /data.
1650 * We then restart the class core, hal, main, and also the class
1651 * late_start.
1652 *
1653 * At the moment, I've only put a few things in late_start that I know
1654 * are not needed to bring up the framework, and that also cause problems
1655 * with unmounting the tmpfs /data, but I hope to add add more services
1656 * to the late_start class as we optimize this to decrease the delay
1657 * till the user is asked for the password to the filesystem.
1658 */
1659
1660 /* The init files are setup to stop the right set of services when
1661 * vold.decrypt is set to trigger_shutdown_framework.
1662 */
1663 property_set("vold.decrypt", "trigger_shutdown_framework");
1664 SLOGD("Just asked init to shut down class main\n");
1665
1666 /* Ugh, shutting down the framework is not synchronous, so until it
1667 * can be fixed, this horrible hack will wait a moment for it all to
1668 * shut down before proceeding. Without it, some devices cannot
1669 * restart the graphics services.
1670 */
1671 sleep(2);
1672 }
1673
1674 /* Now that the framework is shutdown, we should be able to umount()
1675 * the tmpfs filesystem, and mount the real one.
1676 */
1677
1678 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1679 if (strlen(crypto_blkdev) == 0) {
1680 SLOGE("fs_crypto_blkdev not set\n");
1681 return -1;
1682 }
1683
1684 if (!(rc = wait_and_unmount(DATA_MNT_POINT))) {
1685 /* If ro.crypto.readonly is set to 1, mount the decrypted
1686 * filesystem readonly. This is used when /data is mounted by
1687 * recovery mode.
1688 */
1689 char ro_prop[PROPERTY_VALUE_MAX];
1690 property_get("ro.crypto.readonly", ro_prop, "");
1691 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1692 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1693 if (entry != nullptr) {
1694 entry->flags |= MS_RDONLY;
1695 }
1696 }
1697
1698 /* If that succeeded, then mount the decrypted filesystem */
1699 int retries = RETRY_MOUNT_ATTEMPTS;
1700 int mount_rc;
1701
1702 /*
1703 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1704 * partitions in the fsck domain.
1705 */
1706 if (setexeccon(android::vold::sFsckContext)) {
1707 SLOGE("Failed to setexeccon");
1708 return -1;
1709 }
1710 bool needs_cp = android::vold::cp_needsCheckpoint();
1711 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
1712 needs_cp, false)) != 0) {
1713 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1714 /* TODO: invoke something similar to
1715 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1716 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1717 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
1718 if (--retries) {
1719 sleep(RETRY_MOUNT_DELAY_SECONDS);
1720 } else {
1721 /* Let's hope that a reboot clears away whatever is keeping
1722 the mount busy */
1723 cryptfs_reboot(RebootType::reboot);
1724 }
1725 } else {
1726 SLOGE("Failed to mount decrypted data");
1727 cryptfs_set_corrupt();
1728 cryptfs_trigger_restart_min_framework();
1729 SLOGI("Started framework to offer wipe");
1730 if (setexeccon(NULL)) {
1731 SLOGE("Failed to setexeccon");
1732 }
1733 return -1;
1734 }
1735 }
1736 if (setexeccon(NULL)) {
1737 SLOGE("Failed to setexeccon");
1738 return -1;
1739 }
1740
1741 /* Create necessary paths on /data */
1742 prep_data_fs();
1743 property_set("vold.decrypt", "trigger_load_persist_props");
1744
1745 /* startup service classes main and late_start */
1746 property_set("vold.decrypt", "trigger_restart_framework");
1747 SLOGD("Just triggered restart_framework\n");
1748
1749 /* Give it a few moments to get started */
1750 sleep(1);
1751 }
1752
1753 if (rc == 0) {
1754 restart_successful = 1;
1755 }
1756
1757 return rc;
1758 }
1759
cryptfs_restart(void)1760 int cryptfs_restart(void) {
1761 SLOGI("cryptfs_restart");
1762 if (fscrypt_is_native()) {
1763 SLOGE("cryptfs_restart not valid for file encryption:");
1764 return -1;
1765 }
1766
1767 /* Call internal implementation forcing a restart of main service group */
1768 return cryptfs_restart_internal(1);
1769 }
1770
do_crypto_complete(const char * mount_point)1771 static int do_crypto_complete(const char* mount_point) {
1772 struct crypt_mnt_ftr crypt_ftr;
1773 char encrypted_state[PROPERTY_VALUE_MAX];
1774
1775 property_get("ro.crypto.state", encrypted_state, "");
1776 if (strcmp(encrypted_state, "encrypted")) {
1777 SLOGE("not running with encryption, aborting");
1778 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1779 }
1780
1781 // crypto_complete is full disk encrypted status
1782 if (fscrypt_is_native()) {
1783 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1784 }
1785
1786 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1787 std::string key_loc;
1788 get_crypt_info(&key_loc, nullptr);
1789
1790 /*
1791 * Only report this error if key_loc is a file and it exists.
1792 * If the device was never encrypted, and /data is not mountable for
1793 * some reason, returning 1 should prevent the UI from presenting the
1794 * a "enter password" screen, or worse, a "press button to wipe the
1795 * device" screen.
1796 */
1797 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
1798 SLOGE("master key file does not exist, aborting");
1799 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1800 } else {
1801 SLOGE("Error getting crypt footer and key\n");
1802 return CRYPTO_COMPLETE_BAD_METADATA;
1803 }
1804 }
1805
1806 // Test for possible error flags
1807 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1808 SLOGE("Encryption process is partway completed\n");
1809 return CRYPTO_COMPLETE_PARTIAL;
1810 }
1811
1812 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1813 SLOGE("Encryption process was interrupted but cannot continue\n");
1814 return CRYPTO_COMPLETE_INCONSISTENT;
1815 }
1816
1817 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1818 SLOGE("Encryption is successful but data is corrupt\n");
1819 return CRYPTO_COMPLETE_CORRUPT;
1820 }
1821
1822 /* We passed the test! We shall diminish, and return to the west */
1823 return CRYPTO_COMPLETE_ENCRYPTED;
1824 }
1825
test_mount_encrypted_fs(struct crypt_mnt_ftr * crypt_ftr,const char * passwd,const char * mount_point,const char * label)1826 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1827 const char* mount_point, const char* label) {
1828 unsigned char decrypted_master_key[MAX_KEY_LEN];
1829 std::string crypto_blkdev;
1830 std::string real_blkdev;
1831 char tmp_mount_point[64];
1832 unsigned int orig_failed_decrypt_count;
1833 int rc;
1834 int upgrade = 0;
1835 unsigned char* intermediate_key = 0;
1836 size_t intermediate_key_size = 0;
1837 int N = 1 << crypt_ftr->N_factor;
1838 int r = 1 << crypt_ftr->r_factor;
1839 int p = 1 << crypt_ftr->p_factor;
1840
1841 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1842 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1843
1844 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1845 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1846 &intermediate_key_size)) {
1847 SLOGE("Failed to decrypt master key\n");
1848 rc = -1;
1849 goto errout;
1850 }
1851 }
1852
1853 get_crypt_info(nullptr, &real_blkdev);
1854
1855 // Create crypto block device - all (non fatal) code paths
1856 // need it
1857 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), &crypto_blkdev,
1858 label, 0)) {
1859 SLOGE("Error creating decrypted block device\n");
1860 rc = -1;
1861 goto errout;
1862 }
1863
1864 /* Work out if the problem is the password or the data */
1865 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
1866
1867 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1868 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1869 sizeof(scrypted_intermediate_key));
1870
1871 // Does the key match the crypto footer?
1872 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1873 sizeof(scrypted_intermediate_key)) == 0) {
1874 SLOGI("Password matches");
1875 rc = 0;
1876 } else {
1877 /* Try mounting the file system anyway, just in case the problem's with
1878 * the footer, not the key. */
1879 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1880 mkdir(tmp_mount_point, 0755);
1881 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT,
1882 const_cast<char*>(crypto_blkdev.c_str()), tmp_mount_point)) {
1883 SLOGE("Error temp mounting decrypted block device\n");
1884 delete_crypto_blk_dev(label);
1885
1886 rc = ++crypt_ftr->failed_decrypt_count;
1887 put_crypt_ftr_and_key(crypt_ftr);
1888 } else {
1889 /* Success! */
1890 SLOGI("Password did not match but decrypted drive mounted - continue");
1891 umount(tmp_mount_point);
1892 rc = 0;
1893 }
1894 }
1895
1896 if (rc == 0) {
1897 crypt_ftr->failed_decrypt_count = 0;
1898 if (orig_failed_decrypt_count != 0) {
1899 put_crypt_ftr_and_key(crypt_ftr);
1900 }
1901
1902 /* Save the name of the crypto block device
1903 * so we can mount it when restarting the framework. */
1904 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev.c_str());
1905
1906 /* Also save a the master key so we can reencrypted the key
1907 * the key when we want to change the password on it. */
1908 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1909 saved_mount_point = strdup(mount_point);
1910 master_key_saved = 1;
1911 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1912 rc = 0;
1913
1914 // Upgrade if we're not using the latest KDF.
1915 if (crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1916 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1917 upgrade = 1;
1918 }
1919
1920 if (upgrade) {
1921 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1922 crypt_ftr->master_key, crypt_ftr);
1923 if (!rc) {
1924 rc = put_crypt_ftr_and_key(crypt_ftr);
1925 }
1926 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1927
1928 // Do not fail even if upgrade failed - machine is bootable
1929 // Note that if this code is ever hit, there is a *serious* problem
1930 // since KDFs should never fail. You *must* fix the kdf before
1931 // proceeding!
1932 if (rc) {
1933 SLOGW(
1934 "Upgrade failed with error %d,"
1935 " but continuing with previous state",
1936 rc);
1937 rc = 0;
1938 }
1939 }
1940 }
1941
1942 errout:
1943 if (intermediate_key) {
1944 memset(intermediate_key, 0, intermediate_key_size);
1945 free(intermediate_key);
1946 }
1947 return rc;
1948 }
1949
1950 /*
1951 * Called by vold when it's asked to mount an encrypted external
1952 * storage volume. The incoming partition has no crypto header/footer,
1953 * as any metadata is been stored in a separate, small partition. We
1954 * assume it must be using our same crypt type and keysize.
1955 */
cryptfs_setup_ext_volume(const char * label,const char * real_blkdev,const KeyBuffer & key,std::string * out_crypto_blkdev)1956 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const KeyBuffer& key,
1957 std::string* out_crypto_blkdev) {
1958 auto crypto_type = get_crypto_type();
1959 if (key.size() != crypto_type.get_keysize()) {
1960 SLOGE("Raw keysize %zu does not match crypt keysize %zu", key.size(),
1961 crypto_type.get_keysize());
1962 return -1;
1963 }
1964 uint64_t nr_sec = 0;
1965 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
1966 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1967 return -1;
1968 }
1969
1970 struct crypt_mnt_ftr ext_crypt_ftr;
1971 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1972 ext_crypt_ftr.fs_size = nr_sec;
1973 ext_crypt_ftr.keysize = crypto_type.get_keysize();
1974 strlcpy((char*)ext_crypt_ftr.crypto_type_name, crypto_type.get_kernel_name(),
1975 MAX_CRYPTO_TYPE_NAME_LEN);
1976 uint32_t flags = 0;
1977 if (fscrypt_is_native() &&
1978 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1979 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
1980
1981 return create_crypto_blk_dev(&ext_crypt_ftr, reinterpret_cast<const unsigned char*>(key.data()),
1982 real_blkdev, out_crypto_blkdev, label, flags);
1983 }
1984
cryptfs_crypto_complete(void)1985 int cryptfs_crypto_complete(void) {
1986 return do_crypto_complete("/data");
1987 }
1988
check_unmounted_and_get_ftr(struct crypt_mnt_ftr * crypt_ftr)1989 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
1990 char encrypted_state[PROPERTY_VALUE_MAX];
1991 property_get("ro.crypto.state", encrypted_state, "");
1992 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1993 SLOGE(
1994 "encrypted fs already validated or not running with encryption,"
1995 " aborting");
1996 return -1;
1997 }
1998
1999 if (get_crypt_ftr_and_key(crypt_ftr)) {
2000 SLOGE("Error getting crypt footer and key");
2001 return -1;
2002 }
2003
2004 return 0;
2005 }
2006
cryptfs_check_passwd(const char * passwd)2007 int cryptfs_check_passwd(const char* passwd) {
2008 SLOGI("cryptfs_check_passwd");
2009 if (fscrypt_is_native()) {
2010 SLOGE("cryptfs_check_passwd not valid for file encryption");
2011 return -1;
2012 }
2013
2014 struct crypt_mnt_ftr crypt_ftr;
2015 int rc;
2016
2017 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2018 if (rc) {
2019 SLOGE("Could not get footer");
2020 return rc;
2021 }
2022
2023 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2024 if (rc) {
2025 SLOGE("Password did not match");
2026 return rc;
2027 }
2028
2029 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2030 // Here we have a default actual password but a real password
2031 // we must test against the scrypted value
2032 // First, we must delete the crypto block device that
2033 // test_mount_encrypted_fs leaves behind as a side effect
2034 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2035 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
2036 CRYPTO_BLOCK_DEVICE);
2037 if (rc) {
2038 SLOGE("Default password did not match on reboot encryption");
2039 return rc;
2040 }
2041
2042 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2043 put_crypt_ftr_and_key(&crypt_ftr);
2044 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2045 if (rc) {
2046 SLOGE("Could not change password on reboot encryption");
2047 return rc;
2048 }
2049 }
2050
2051 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2052 cryptfs_clear_password();
2053 password = strdup(passwd);
2054 struct timespec now;
2055 clock_gettime(CLOCK_BOOTTIME, &now);
2056 password_expiry_time = now.tv_sec + password_max_age_seconds;
2057 }
2058
2059 return rc;
2060 }
2061
cryptfs_verify_passwd(const char * passwd)2062 int cryptfs_verify_passwd(const char* passwd) {
2063 struct crypt_mnt_ftr crypt_ftr;
2064 unsigned char decrypted_master_key[MAX_KEY_LEN];
2065 char encrypted_state[PROPERTY_VALUE_MAX];
2066 int rc;
2067
2068 property_get("ro.crypto.state", encrypted_state, "");
2069 if (strcmp(encrypted_state, "encrypted")) {
2070 SLOGE("device not encrypted, aborting");
2071 return -2;
2072 }
2073
2074 if (!master_key_saved) {
2075 SLOGE("encrypted fs not yet mounted, aborting");
2076 return -1;
2077 }
2078
2079 if (!saved_mount_point) {
2080 SLOGE("encrypted fs failed to save mount point, aborting");
2081 return -1;
2082 }
2083
2084 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2085 SLOGE("Error getting crypt footer and key\n");
2086 return -1;
2087 }
2088
2089 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2090 /* If the device has no password, then just say the password is valid */
2091 rc = 0;
2092 } else {
2093 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2094 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2095 /* They match, the password is correct */
2096 rc = 0;
2097 } else {
2098 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2099 sleep(1);
2100 rc = 1;
2101 }
2102 }
2103
2104 return rc;
2105 }
2106
2107 /* Initialize a crypt_mnt_ftr structure. The keysize is
2108 * defaulted to get_crypto_type().get_keysize() bytes, and the filesystem size to 0.
2109 * Presumably, at a minimum, the caller will update the
2110 * filesystem size and crypto_type_name after calling this function.
2111 */
cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr * ftr)2112 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
2113 off64_t off;
2114
2115 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2116 ftr->magic = CRYPT_MNT_MAGIC;
2117 ftr->major_version = CURRENT_MAJOR_VERSION;
2118 ftr->minor_version = CURRENT_MINOR_VERSION;
2119 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2120 ftr->keysize = get_crypto_type().get_keysize();
2121 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2122
2123 get_device_scrypt_params(ftr);
2124
2125 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2126 if (get_crypt_ftr_info(NULL, &off) == 0) {
2127 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2128 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
2129 }
2130
2131 return 0;
2132 }
2133
2134 #define FRAMEWORK_BOOT_WAIT 60
2135
vold_unmountAll(void)2136 static int vold_unmountAll(void) {
2137 VolumeManager* vm = VolumeManager::Instance();
2138 return vm->unmountAll();
2139 }
2140
cryptfs_enable_internal(int crypt_type,const char * passwd,int no_ui)2141 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2142 std::string crypto_blkdev;
2143 std::string real_blkdev;
2144 unsigned char decrypted_master_key[MAX_KEY_LEN];
2145 int rc = -1, i;
2146 struct crypt_mnt_ftr crypt_ftr;
2147 struct crypt_persist_data* pdata;
2148 char encrypted_state[PROPERTY_VALUE_MAX];
2149 char lockid[32] = {0};
2150 std::string key_loc;
2151 int num_vols;
2152 bool rebootEncryption = false;
2153 bool onlyCreateHeader = false;
2154
2155 /* Get a wakelock as this may take a while, and we don't want the
2156 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2157 * wants to keep the screen on, it can grab a full wakelock.
2158 */
2159 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
2160 auto wl = android::wakelock::WakeLock::tryGet(lockid);
2161 if (!wl.has_value()) {
2162 return android::UNEXPECTED_NULL;
2163 }
2164
2165 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2166 if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2167 if (!check_ftr_sha(&crypt_ftr)) {
2168 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2169 put_crypt_ftr_and_key(&crypt_ftr);
2170 goto error_unencrypted;
2171 }
2172
2173 /* Doing a reboot-encryption*/
2174 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2175 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2176 rebootEncryption = true;
2177 }
2178 } else {
2179 // We don't want to accidentally reference invalid data.
2180 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2181 }
2182
2183 property_get("ro.crypto.state", encrypted_state, "");
2184 if (!strcmp(encrypted_state, "encrypted")) {
2185 SLOGE("Device is already running encrypted, aborting");
2186 goto error_unencrypted;
2187 }
2188
2189 get_crypt_info(&key_loc, &real_blkdev);
2190
2191 /* Get the size of the real block device */
2192 uint64_t nr_sec;
2193 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
2194 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
2195 goto error_unencrypted;
2196 }
2197
2198 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2199 if (key_loc == KEY_IN_FOOTER) {
2200 uint64_t fs_size_sec, max_fs_size_sec;
2201 fs_size_sec = get_fs_size(real_blkdev.c_str());
2202 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
2203
2204 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2205
2206 if (fs_size_sec > max_fs_size_sec) {
2207 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2208 goto error_unencrypted;
2209 }
2210 }
2211
2212 /* The init files are setup to stop the class main and late start when
2213 * vold sets trigger_shutdown_framework.
2214 */
2215 property_set("vold.decrypt", "trigger_shutdown_framework");
2216 SLOGD("Just asked init to shut down class main\n");
2217
2218 /* Ask vold to unmount all devices that it manages */
2219 if (vold_unmountAll()) {
2220 SLOGE("Failed to unmount all vold managed devices");
2221 }
2222
2223 /* no_ui means we are being called from init, not settings.
2224 Now we always reboot from settings, so !no_ui means reboot
2225 */
2226 if (!no_ui) {
2227 /* Try fallback, which is to reboot and try there */
2228 onlyCreateHeader = true;
2229 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2230 if (breadcrumb == 0) {
2231 SLOGE("Failed to create breadcrumb file");
2232 goto error_shutting_down;
2233 }
2234 fclose(breadcrumb);
2235 }
2236
2237 /* Do extra work for a better UX when doing the long inplace encryption */
2238 if (!onlyCreateHeader) {
2239 /* Now that /data is unmounted, we need to mount a tmpfs
2240 * /data, set a property saying we're doing inplace encryption,
2241 * and restart the framework.
2242 */
2243 wait_and_unmount(DATA_MNT_POINT);
2244 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2245 goto error_shutting_down;
2246 }
2247 /* Tells the framework that inplace encryption is starting */
2248 property_set("vold.encrypt_progress", "0");
2249
2250 /* restart the framework. */
2251 /* Create necessary paths on /data */
2252 prep_data_fs();
2253
2254 /* Ugh, shutting down the framework is not synchronous, so until it
2255 * can be fixed, this horrible hack will wait a moment for it all to
2256 * shut down before proceeding. Without it, some devices cannot
2257 * restart the graphics services.
2258 */
2259 sleep(2);
2260 }
2261
2262 /* Start the actual work of making an encrypted filesystem */
2263 /* Initialize a crypt_mnt_ftr for the partition */
2264 if (!rebootEncryption) {
2265 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2266 goto error_shutting_down;
2267 }
2268
2269 if (key_loc == KEY_IN_FOOTER) {
2270 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2271 } else {
2272 crypt_ftr.fs_size = nr_sec;
2273 }
2274 /* At this point, we are in an inconsistent state. Until we successfully
2275 complete encryption, a reboot will leave us broken. So mark the
2276 encryption failed in case that happens.
2277 On successfully completing encryption, remove this flag */
2278 if (onlyCreateHeader) {
2279 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2280 } else {
2281 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2282 }
2283 crypt_ftr.crypt_type = crypt_type;
2284 strlcpy((char*)crypt_ftr.crypto_type_name, get_crypto_type().get_kernel_name(),
2285 MAX_CRYPTO_TYPE_NAME_LEN);
2286
2287 /* Make an encrypted master key */
2288 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2289 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2290 SLOGE("Cannot create encrypted master key\n");
2291 goto error_shutting_down;
2292 }
2293
2294 /* Replace scrypted intermediate key if we are preparing for a reboot */
2295 if (onlyCreateHeader) {
2296 unsigned char fake_master_key[MAX_KEY_LEN];
2297 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2298 memset(fake_master_key, 0, sizeof(fake_master_key));
2299 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2300 &crypt_ftr);
2301 }
2302
2303 /* Write the key to the end of the partition */
2304 put_crypt_ftr_and_key(&crypt_ftr);
2305
2306 /* If any persistent data has been remembered, save it.
2307 * If none, create a valid empty table and save that.
2308 */
2309 if (!persist_data) {
2310 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2311 if (pdata) {
2312 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2313 persist_data = pdata;
2314 }
2315 }
2316 if (persist_data) {
2317 save_persistent_data();
2318 }
2319 }
2320
2321 if (onlyCreateHeader) {
2322 sleep(2);
2323 cryptfs_reboot(RebootType::reboot);
2324 }
2325
2326 if (!no_ui || rebootEncryption) {
2327 /* startup service classes main and late_start */
2328 property_set("vold.decrypt", "trigger_restart_min_framework");
2329 SLOGD("Just triggered restart_min_framework\n");
2330
2331 /* OK, the framework is restarted and will soon be showing a
2332 * progress bar. Time to setup an encrypted mapping, and
2333 * either write a new filesystem, or encrypt in place updating
2334 * the progress bar as we work.
2335 */
2336 }
2337
2338 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2339 rc = create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(),
2340 &crypto_blkdev, CRYPTO_BLOCK_DEVICE, 0);
2341 if (!rc) {
2342 if (encrypt_inplace(crypto_blkdev, real_blkdev, crypt_ftr.fs_size, true)) {
2343 crypt_ftr.encrypted_upto = crypt_ftr.fs_size;
2344 rc = 0;
2345 } else {
2346 rc = -1;
2347 }
2348 /* Undo the dm-crypt mapping whether we succeed or not */
2349 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2350 }
2351
2352 if (!rc) {
2353 /* Success */
2354 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2355
2356 put_crypt_ftr_and_key(&crypt_ftr);
2357
2358 char value[PROPERTY_VALUE_MAX];
2359 property_get("ro.crypto.state", value, "");
2360 if (!strcmp(value, "")) {
2361 /* default encryption - continue first boot sequence */
2362 property_set("ro.crypto.state", "encrypted");
2363 property_set("ro.crypto.type", "block");
2364 wl.reset();
2365 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2366 // Bring up cryptkeeper that will check the password and set it
2367 property_set("vold.decrypt", "trigger_shutdown_framework");
2368 sleep(2);
2369 property_set("vold.encrypt_progress", "");
2370 cryptfs_trigger_restart_min_framework();
2371 } else {
2372 cryptfs_check_passwd(DEFAULT_PASSWORD);
2373 cryptfs_restart_internal(1);
2374 }
2375 return 0;
2376 } else {
2377 sleep(2); /* Give the UI a chance to show 100% progress */
2378 cryptfs_reboot(RebootType::reboot);
2379 }
2380 } else {
2381 char value[PROPERTY_VALUE_MAX];
2382
2383 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2384 if (!strcmp(value, "1")) {
2385 /* wipe data if encryption failed */
2386 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2387 std::string err;
2388 const std::vector<std::string> options = {
2389 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
2390 if (!write_bootloader_message(options, &err)) {
2391 SLOGE("could not write bootloader message: %s", err.c_str());
2392 }
2393 cryptfs_reboot(RebootType::recovery);
2394 } else {
2395 /* set property to trigger dialog */
2396 property_set("vold.encrypt_progress", "error_partially_encrypted");
2397 }
2398 return -1;
2399 }
2400
2401 /* hrm, the encrypt step claims success, but the reboot failed.
2402 * This should not happen.
2403 * Set the property and return. Hope the framework can deal with it.
2404 */
2405 property_set("vold.encrypt_progress", "error_reboot_failed");
2406 return rc;
2407
2408 error_unencrypted:
2409 property_set("vold.encrypt_progress", "error_not_encrypted");
2410 return -1;
2411
2412 error_shutting_down:
2413 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2414 * but the framework is stopped and not restarted to show the error, so it's up to
2415 * vold to restart the system.
2416 */
2417 SLOGE(
2418 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2419 "system");
2420 cryptfs_reboot(RebootType::reboot);
2421
2422 /* shouldn't get here */
2423 property_set("vold.encrypt_progress", "error_shutting_down");
2424 return -1;
2425 }
2426
cryptfs_enable(int type,const char * passwd,int no_ui)2427 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2428 return cryptfs_enable_internal(type, passwd, no_ui);
2429 }
2430
cryptfs_enable_default(int no_ui)2431 int cryptfs_enable_default(int no_ui) {
2432 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2433 }
2434
cryptfs_changepw(int crypt_type,const char * newpw)2435 int cryptfs_changepw(int crypt_type, const char* newpw) {
2436 if (fscrypt_is_native()) {
2437 SLOGE("cryptfs_changepw not valid for file encryption");
2438 return -1;
2439 }
2440
2441 struct crypt_mnt_ftr crypt_ftr;
2442 int rc;
2443
2444 /* This is only allowed after we've successfully decrypted the master key */
2445 if (!master_key_saved) {
2446 SLOGE("Key not saved, aborting");
2447 return -1;
2448 }
2449
2450 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2451 SLOGE("Invalid crypt_type %d", crypt_type);
2452 return -1;
2453 }
2454
2455 /* get key */
2456 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2457 SLOGE("Error getting crypt footer and key");
2458 return -1;
2459 }
2460
2461 crypt_ftr.crypt_type = crypt_type;
2462
2463 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2464 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
2465 if (rc) {
2466 SLOGE("Encrypt master key failed: %d", rc);
2467 return -1;
2468 }
2469 /* save the key */
2470 put_crypt_ftr_and_key(&crypt_ftr);
2471
2472 return 0;
2473 }
2474
persist_get_max_entries(int encrypted)2475 static unsigned int persist_get_max_entries(int encrypted) {
2476 struct crypt_mnt_ftr crypt_ftr;
2477 unsigned int dsize;
2478
2479 /* If encrypted, use the values from the crypt_ftr, otherwise
2480 * use the values for the current spec.
2481 */
2482 if (encrypted) {
2483 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2484 /* Something is wrong, assume no space for entries */
2485 return 0;
2486 }
2487 dsize = crypt_ftr.persist_data_size;
2488 } else {
2489 dsize = CRYPT_PERSIST_DATA_SIZE;
2490 }
2491
2492 if (dsize > sizeof(struct crypt_persist_data)) {
2493 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2494 } else {
2495 return 0;
2496 }
2497 }
2498
persist_get_key(const char * fieldname,char * value)2499 static int persist_get_key(const char* fieldname, char* value) {
2500 unsigned int i;
2501
2502 if (persist_data == NULL) {
2503 return -1;
2504 }
2505 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2506 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2507 /* We found it! */
2508 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2509 return 0;
2510 }
2511 }
2512
2513 return -1;
2514 }
2515
persist_set_key(const char * fieldname,const char * value,int encrypted)2516 static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
2517 unsigned int i;
2518 unsigned int num;
2519 unsigned int max_persistent_entries;
2520
2521 if (persist_data == NULL) {
2522 return -1;
2523 }
2524
2525 max_persistent_entries = persist_get_max_entries(encrypted);
2526
2527 num = persist_data->persist_valid_entries;
2528
2529 for (i = 0; i < num; i++) {
2530 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2531 /* We found an existing entry, update it! */
2532 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2533 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2534 return 0;
2535 }
2536 }
2537
2538 /* We didn't find it, add it to the end, if there is room */
2539 if (persist_data->persist_valid_entries < max_persistent_entries) {
2540 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2541 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2542 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2543 persist_data->persist_valid_entries++;
2544 return 0;
2545 }
2546
2547 return -1;
2548 }
2549
2550 /**
2551 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2552 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2553 */
match_multi_entry(const char * key,const char * field,unsigned index)2554 int match_multi_entry(const char* key, const char* field, unsigned index) {
2555 std::string key_ = key;
2556 std::string field_ = field;
2557
2558 std::string parsed_field;
2559 unsigned parsed_index;
2560
2561 std::string::size_type split = key_.find_last_of('_');
2562 if (split == std::string::npos) {
2563 parsed_field = key_;
2564 parsed_index = 0;
2565 } else {
2566 parsed_field = key_.substr(0, split);
2567 parsed_index = std::stoi(key_.substr(split + 1));
2568 }
2569
2570 return parsed_field == field_ && parsed_index >= index;
2571 }
2572
2573 /*
2574 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2575 * remaining entries starting from index will be deleted.
2576 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2577 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2578 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2579 *
2580 */
persist_del_keys(const char * fieldname,unsigned index)2581 static int persist_del_keys(const char* fieldname, unsigned index) {
2582 unsigned int i;
2583 unsigned int j;
2584 unsigned int num;
2585
2586 if (persist_data == NULL) {
2587 return PERSIST_DEL_KEY_ERROR_OTHER;
2588 }
2589
2590 num = persist_data->persist_valid_entries;
2591
2592 j = 0; // points to the end of non-deleted entries.
2593 // Filter out to-be-deleted entries in place.
2594 for (i = 0; i < num; i++) {
2595 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2596 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2597 j++;
2598 }
2599 }
2600
2601 if (j < num) {
2602 persist_data->persist_valid_entries = j;
2603 // Zeroise the remaining entries
2604 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2605 return PERSIST_DEL_KEY_OK;
2606 } else {
2607 // Did not find an entry matching the given fieldname
2608 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2609 }
2610 }
2611
persist_count_keys(const char * fieldname)2612 static int persist_count_keys(const char* fieldname) {
2613 unsigned int i;
2614 unsigned int count;
2615
2616 if (persist_data == NULL) {
2617 return -1;
2618 }
2619
2620 count = 0;
2621 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2622 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2623 count++;
2624 }
2625 }
2626
2627 return count;
2628 }
2629
2630 /* Return the value of the specified field. */
cryptfs_getfield(const char * fieldname,char * value,int len)2631 int cryptfs_getfield(const char* fieldname, char* value, int len) {
2632 if (fscrypt_is_native()) {
2633 SLOGE("Cannot get field when file encrypted");
2634 return -1;
2635 }
2636
2637 char temp_value[PROPERTY_VALUE_MAX];
2638 /* CRYPTO_GETFIELD_OK is success,
2639 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2640 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2641 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2642 */
2643 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2644 int i;
2645 char temp_field[PROPERTY_KEY_MAX];
2646
2647 if (persist_data == NULL) {
2648 load_persistent_data();
2649 if (persist_data == NULL) {
2650 SLOGE("Getfield error, cannot load persistent data");
2651 goto out;
2652 }
2653 }
2654
2655 // Read value from persistent entries. If the original value is split into multiple entries,
2656 // stitch them back together.
2657 if (!persist_get_key(fieldname, temp_value)) {
2658 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2659 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
2660 // value too small
2661 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2662 goto out;
2663 }
2664 rc = CRYPTO_GETFIELD_OK;
2665
2666 for (i = 1; /* break explicitly */; i++) {
2667 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2668 (int)sizeof(temp_field)) {
2669 // If the fieldname is very long, we stop as soon as it begins to overflow the
2670 // maximum field length. At this point we have in fact fully read out the original
2671 // value because cryptfs_setfield would not allow fields with longer names to be
2672 // written in the first place.
2673 break;
2674 }
2675 if (!persist_get_key(temp_field, temp_value)) {
2676 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2677 // value too small.
2678 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2679 goto out;
2680 }
2681 } else {
2682 // Exhaust all entries.
2683 break;
2684 }
2685 }
2686 } else {
2687 /* Sadness, it's not there. Return the error */
2688 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2689 }
2690
2691 out:
2692 return rc;
2693 }
2694
2695 /* Set the value of the specified field. */
cryptfs_setfield(const char * fieldname,const char * value)2696 int cryptfs_setfield(const char* fieldname, const char* value) {
2697 if (fscrypt_is_native()) {
2698 SLOGE("Cannot set field when file encrypted");
2699 return -1;
2700 }
2701
2702 char encrypted_state[PROPERTY_VALUE_MAX];
2703 /* 0 is success, negative values are error */
2704 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2705 int encrypted = 0;
2706 unsigned int field_id;
2707 char temp_field[PROPERTY_KEY_MAX];
2708 unsigned int num_entries;
2709 unsigned int max_keylen;
2710
2711 if (persist_data == NULL) {
2712 load_persistent_data();
2713 if (persist_data == NULL) {
2714 SLOGE("Setfield error, cannot load persistent data");
2715 goto out;
2716 }
2717 }
2718
2719 property_get("ro.crypto.state", encrypted_state, "");
2720 if (!strcmp(encrypted_state, "encrypted")) {
2721 encrypted = 1;
2722 }
2723
2724 // Compute the number of entries required to store value, each entry can store up to
2725 // (PROPERTY_VALUE_MAX - 1) chars
2726 if (strlen(value) == 0) {
2727 // Empty value also needs one entry to store.
2728 num_entries = 1;
2729 } else {
2730 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2731 }
2732
2733 max_keylen = strlen(fieldname);
2734 if (num_entries > 1) {
2735 // Need an extra "_%d" suffix.
2736 max_keylen += 1 + log10(num_entries);
2737 }
2738 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2739 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2740 goto out;
2741 }
2742
2743 // Make sure we have enough space to write the new value
2744 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2745 persist_get_max_entries(encrypted)) {
2746 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2747 goto out;
2748 }
2749
2750 // Now that we know persist_data has enough space for value, let's delete the old field first
2751 // to make up space.
2752 persist_del_keys(fieldname, 0);
2753
2754 if (persist_set_key(fieldname, value, encrypted)) {
2755 // fail to set key, should not happen as we have already checked the available space
2756 SLOGE("persist_set_key() error during setfield()");
2757 goto out;
2758 }
2759
2760 for (field_id = 1; field_id < num_entries; field_id++) {
2761 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2762
2763 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2764 // fail to set key, should not happen as we have already checked the available space.
2765 SLOGE("persist_set_key() error during setfield()");
2766 goto out;
2767 }
2768 }
2769
2770 /* If we are running encrypted, save the persistent data now */
2771 if (encrypted) {
2772 if (save_persistent_data()) {
2773 SLOGE("Setfield error, cannot save persistent data");
2774 goto out;
2775 }
2776 }
2777
2778 rc = CRYPTO_SETFIELD_OK;
2779
2780 out:
2781 return rc;
2782 }
2783
2784 /* Checks userdata. Attempt to mount the volume if default-
2785 * encrypted.
2786 * On success trigger next init phase and return 0.
2787 * Currently do not handle failure - see TODO below.
2788 */
cryptfs_mount_default_encrypted(void)2789 int cryptfs_mount_default_encrypted(void) {
2790 int crypt_type = cryptfs_get_password_type();
2791 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2792 SLOGE("Bad crypt type - error");
2793 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2794 SLOGD(
2795 "Password is not default - "
2796 "starting min framework to prompt");
2797 property_set("vold.decrypt", "trigger_restart_min_framework");
2798 return 0;
2799 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2800 SLOGD("Password is default - restarting filesystem");
2801 cryptfs_restart_internal(0);
2802 return 0;
2803 } else {
2804 SLOGE("Encrypted, default crypt type but can't decrypt");
2805 }
2806
2807 /** Corrupt. Allow us to boot into framework, which will detect bad
2808 crypto when it calls do_crypto_complete, then do a factory reset
2809 */
2810 property_set("vold.decrypt", "trigger_restart_min_framework");
2811 return 0;
2812 }
2813
2814 /* Returns type of the password, default, pattern, pin or password.
2815 */
cryptfs_get_password_type(void)2816 int cryptfs_get_password_type(void) {
2817 if (fscrypt_is_native()) {
2818 SLOGE("cryptfs_get_password_type not valid for file encryption");
2819 return -1;
2820 }
2821
2822 struct crypt_mnt_ftr crypt_ftr;
2823
2824 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2825 SLOGE("Error getting crypt footer and key\n");
2826 return -1;
2827 }
2828
2829 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2830 return -1;
2831 }
2832
2833 return crypt_ftr.crypt_type;
2834 }
2835
cryptfs_get_password()2836 const char* cryptfs_get_password() {
2837 if (fscrypt_is_native()) {
2838 SLOGE("cryptfs_get_password not valid for file encryption");
2839 return 0;
2840 }
2841
2842 struct timespec now;
2843 clock_gettime(CLOCK_BOOTTIME, &now);
2844 if (now.tv_sec < password_expiry_time) {
2845 return password;
2846 } else {
2847 cryptfs_clear_password();
2848 return 0;
2849 }
2850 }
2851
cryptfs_clear_password()2852 void cryptfs_clear_password() {
2853 if (password) {
2854 size_t len = strlen(password);
2855 memset(password, 0, len);
2856 free(password);
2857 password = 0;
2858 password_expiry_time = 0;
2859 }
2860 }
2861
cryptfs_isConvertibleToFBE()2862 int cryptfs_isConvertibleToFBE() {
2863 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2864 return entry && entry->fs_mgr_flags.force_fde_or_fbe;
2865 }
2866