1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <errno.h>
40 #include <ext4.h>
41 #include <linux/kdev_t.h>
42 #include <fs_mgr.h>
43 #include <time.h>
44 #include "cryptfs.h"
45 #define LOG_TAG "Cryptfs"
46 #include "cutils/log.h"
47 #include "cutils/properties.h"
48 #include "cutils/android_reboot.h"
49 #include "hardware_legacy/power.h"
50 #include <logwrap/logwrap.h>
51 #include "VolumeManager.h"
52 #include "VoldUtil.h"
53 #include "crypto_scrypt.h"
54 #include "ext4_utils.h"
55 #include "f2fs_sparseblock.h"
56 #include "CheckBattery.h"
57 #include "Process.h"
58
59 #include <hardware/keymaster.h>
60
61 #define UNUSED __attribute__((unused))
62
63 #define UNUSED __attribute__((unused))
64
65 #define DM_CRYPT_BUF_SIZE 4096
66
67 #define HASH_COUNT 2000
68 #define KEY_LEN_BYTES 16
69 #define IV_LEN_BYTES 16
70
71 #define KEY_IN_FOOTER "footer"
72
73 // "default_password" encoded into hex (d=0x64 etc)
74 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
75
76 #define EXT4_FS 1
77 #define F2FS_FS 2
78
79 #define TABLE_LOAD_RETRIES 10
80
81 #define RSA_KEY_SIZE 2048
82 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
83 #define RSA_EXPONENT 0x10001
84
85 #define RETRY_MOUNT_ATTEMPTS 10
86 #define RETRY_MOUNT_DELAY_SECONDS 1
87
88 char *me = "cryptfs";
89
90 static unsigned char saved_master_key[KEY_LEN_BYTES];
91 static char *saved_mount_point;
92 static int master_key_saved = 0;
93 static struct crypt_persist_data *persist_data = NULL;
94
keymaster_init(keymaster_device_t ** keymaster_dev)95 static int keymaster_init(keymaster_device_t **keymaster_dev)
96 {
97 int rc;
98
99 const hw_module_t* mod;
100 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
101 if (rc) {
102 ALOGE("could not find any keystore module");
103 goto out;
104 }
105
106 rc = keymaster_open(mod, keymaster_dev);
107 if (rc) {
108 ALOGE("could not open keymaster device in %s (%s)",
109 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
110 goto out;
111 }
112
113 return 0;
114
115 out:
116 *keymaster_dev = NULL;
117 return rc;
118 }
119
120 /* Should we use keymaster? */
keymaster_check_compatibility()121 static int keymaster_check_compatibility()
122 {
123 keymaster_device_t *keymaster_dev = 0;
124 int rc = 0;
125
126 if (keymaster_init(&keymaster_dev)) {
127 SLOGE("Failed to init keymaster");
128 rc = -1;
129 goto out;
130 }
131
132 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);
133
134 if (keymaster_dev->common.module->module_api_version
135 < KEYMASTER_MODULE_API_VERSION_0_3) {
136 rc = 0;
137 goto out;
138 }
139
140 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
141 rc = 1;
142 }
143
144 out:
145 keymaster_close(keymaster_dev);
146 return rc;
147 }
148
149 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)150 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
151 {
152 uint8_t* key = 0;
153 keymaster_device_t *keymaster_dev = 0;
154
155 if (keymaster_init(&keymaster_dev)) {
156 SLOGE("Failed to init keymaster");
157 return -1;
158 }
159
160 int rc = 0;
161
162 keymaster_rsa_keygen_params_t params;
163 memset(¶ms, '\0', sizeof(params));
164 params.public_exponent = RSA_EXPONENT;
165 params.modulus_size = RSA_KEY_SIZE;
166
167 size_t key_size;
168 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms,
169 &key, &key_size)) {
170 SLOGE("Failed to generate keypair");
171 rc = -1;
172 goto out;
173 }
174
175 if (key_size > KEYMASTER_BLOB_SIZE) {
176 SLOGE("Keymaster key too large for crypto footer");
177 rc = -1;
178 goto out;
179 }
180
181 memcpy(ftr->keymaster_blob, key, key_size);
182 ftr->keymaster_blob_size = key_size;
183
184 out:
185 keymaster_close(keymaster_dev);
186 free(key);
187 return rc;
188 }
189
190 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)191 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
192 const unsigned char *object,
193 const size_t object_size,
194 unsigned char **signature,
195 size_t *signature_size)
196 {
197 int rc = 0;
198 keymaster_device_t *keymaster_dev = 0;
199 if (keymaster_init(&keymaster_dev)) {
200 SLOGE("Failed to init keymaster");
201 return -1;
202 }
203
204 /* We currently set the digest type to DIGEST_NONE because it's the
205 * only supported value for keymaster. A similar issue exists with
206 * PADDING_NONE. Long term both of these should likely change.
207 */
208 keymaster_rsa_sign_params_t params;
209 params.digest_type = DIGEST_NONE;
210 params.padding_type = PADDING_NONE;
211
212 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
213 size_t to_sign_size = sizeof(to_sign);
214 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
215
216 // To sign a message with RSA, the message must satisfy two
217 // constraints:
218 //
219 // 1. The message, when interpreted as a big-endian numeric value, must
220 // be strictly less than the public modulus of the RSA key. Note
221 // that because the most significant bit of the public modulus is
222 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
223 // key), an n-bit message with most significant bit 0 always
224 // satisfies this requirement.
225 //
226 // 2. The message must have the same length in bits as the public
227 // modulus of the RSA key. This requirement isn't mathematically
228 // necessary, but is necessary to ensure consistency in
229 // implementations.
230 switch (ftr->kdf_type) {
231 case KDF_SCRYPT_KEYMASTER_UNPADDED:
232 // This is broken: It produces a message which is shorter than
233 // the public modulus, failing criterion 2.
234 memcpy(to_sign, object, object_size);
235 to_sign_size = object_size;
236 SLOGI("Signing unpadded object");
237 break;
238 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
239 // This is broken: Since the value of object is uniformly
240 // distributed, it produces a message that is larger than the
241 // public modulus with probability 0.25.
242 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
243 SLOGI("Signing end-padded object");
244 break;
245 case KDF_SCRYPT_KEYMASTER:
246 // This ensures the most significant byte of the signed message
247 // is zero. We could have zero-padded to the left instead, but
248 // this approach is slightly more robust against changes in
249 // object size. However, it's still broken (but not unusably
250 // so) because we really should be using a proper RSA padding
251 // function, such as OAEP.
252 //
253 // TODO(paullawrence): When keymaster 0.4 is available, change
254 // this to use the padding options it provides.
255 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
256 SLOGI("Signing safely-padded object");
257 break;
258 default:
259 SLOGE("Unknown KDF type %d", ftr->kdf_type);
260 return -1;
261 }
262
263 rc = keymaster_dev->sign_data(keymaster_dev,
264 ¶ms,
265 ftr->keymaster_blob,
266 ftr->keymaster_blob_size,
267 to_sign,
268 to_sign_size,
269 signature,
270 signature_size);
271
272 keymaster_close(keymaster_dev);
273 return rc;
274 }
275
276 /* Store password when userdata is successfully decrypted and mounted.
277 * Cleared by cryptfs_clear_password
278 *
279 * To avoid a double prompt at boot, we need to store the CryptKeeper
280 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
281 * Since the entire framework is torn down and rebuilt after encryption,
282 * we have to use a daemon or similar to store the password. Since vold
283 * is secured against IPC except from system processes, it seems a reasonable
284 * place to store this.
285 *
286 * password should be cleared once it has been used.
287 *
288 * password is aged out after password_max_age_seconds seconds.
289 */
290 static char* password = 0;
291 static int password_expiry_time = 0;
292 static const int password_max_age_seconds = 60;
293
294 extern struct fstab *fstab;
295
296 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)297 static void cryptfs_reboot(enum RebootType rt)
298 {
299 switch(rt) {
300 case reboot:
301 property_set(ANDROID_RB_PROPERTY, "reboot");
302 break;
303
304 case recovery:
305 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
306 break;
307
308 case shutdown:
309 property_set(ANDROID_RB_PROPERTY, "shutdown");
310 break;
311 }
312
313 sleep(20);
314
315 /* Shouldn't get here, reboot should happen before sleep times out */
316 return;
317 }
318
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)319 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
320 {
321 memset(io, 0, dataSize);
322 io->data_size = dataSize;
323 io->data_start = sizeof(struct dm_ioctl);
324 io->version[0] = 4;
325 io->version[1] = 0;
326 io->version[2] = 0;
327 io->flags = flags;
328 if (name) {
329 strncpy(io->name, name, sizeof(io->name));
330 }
331 }
332
333 /**
334 * Gets the default device scrypt parameters for key derivation time tuning.
335 * The parameters should lead to about one second derivation time for the
336 * given device.
337 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)338 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
339 const int default_params[] = SCRYPT_DEFAULTS;
340 int params[] = SCRYPT_DEFAULTS;
341 char paramstr[PROPERTY_VALUE_MAX];
342 char *token;
343 char *saveptr;
344 int i;
345
346 property_get(SCRYPT_PROP, paramstr, "");
347 if (paramstr[0] != '\0') {
348 /*
349 * The token we're looking for should be three integers separated by
350 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
351 */
352 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
353 token != NULL && i < 3;
354 i++, token = strtok_r(NULL, ":", &saveptr)) {
355 char *endptr;
356 params[i] = strtol(token, &endptr, 10);
357
358 /*
359 * Check that there was a valid number and it's 8-bit. If not,
360 * break out and the end check will take the default values.
361 */
362 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
363 break;
364 }
365 }
366
367 /*
368 * If there were not enough tokens or a token was malformed (not an
369 * integer), it will end up here and the default parameters can be
370 * taken.
371 */
372 if ((i != 3) || (token != NULL)) {
373 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
374 memcpy(params, default_params, sizeof(params));
375 }
376 }
377
378 ftr->N_factor = params[0];
379 ftr->r_factor = params[1];
380 ftr->p_factor = params[2];
381 }
382
get_fs_size(char * dev)383 static unsigned int get_fs_size(char *dev)
384 {
385 int fd, block_size;
386 struct ext4_super_block sb;
387 off64_t len;
388
389 if ((fd = open(dev, O_RDONLY)) < 0) {
390 SLOGE("Cannot open device to get filesystem size ");
391 return 0;
392 }
393
394 if (lseek64(fd, 1024, SEEK_SET) < 0) {
395 SLOGE("Cannot seek to superblock");
396 return 0;
397 }
398
399 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
400 SLOGE("Cannot read superblock");
401 return 0;
402 }
403
404 close(fd);
405
406 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
407 SLOGE("Not a valid ext4 superblock");
408 return 0;
409 }
410 block_size = 1024 << sb.s_log_block_size;
411 /* compute length in bytes */
412 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
413
414 /* return length in sectors */
415 return (unsigned int) (len / 512);
416 }
417
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)418 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
419 {
420 static int cached_data = 0;
421 static off64_t cached_off = 0;
422 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
423 int fd;
424 char key_loc[PROPERTY_VALUE_MAX];
425 char real_blkdev[PROPERTY_VALUE_MAX];
426 unsigned int nr_sec;
427 int rc = -1;
428
429 if (!cached_data) {
430 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
431
432 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
433 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
434 SLOGE("Cannot open real block device %s\n", real_blkdev);
435 return -1;
436 }
437
438 if ((nr_sec = get_blkdev_size(fd))) {
439 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
440 * encryption info footer and key, and plenty of bytes to spare for future
441 * growth.
442 */
443 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
444 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
445 cached_data = 1;
446 } else {
447 SLOGE("Cannot get size of block device %s\n", real_blkdev);
448 }
449 close(fd);
450 } else {
451 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
452 cached_off = 0;
453 cached_data = 1;
454 }
455 }
456
457 if (cached_data) {
458 if (metadata_fname) {
459 *metadata_fname = cached_metadata_fname;
460 }
461 if (off) {
462 *off = cached_off;
463 }
464 rc = 0;
465 }
466
467 return rc;
468 }
469
470 /* key or salt can be NULL, in which case just skip writing that value. Useful to
471 * update the failed mount count but not change the key.
472 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)473 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
474 {
475 int fd;
476 unsigned int nr_sec, cnt;
477 /* starting_off is set to the SEEK_SET offset
478 * where the crypto structure starts
479 */
480 off64_t starting_off;
481 int rc = -1;
482 char *fname = NULL;
483 struct stat statbuf;
484
485 if (get_crypt_ftr_info(&fname, &starting_off)) {
486 SLOGE("Unable to get crypt_ftr_info\n");
487 return -1;
488 }
489 if (fname[0] != '/') {
490 SLOGE("Unexpected value for crypto key location\n");
491 return -1;
492 }
493 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
494 SLOGE("Cannot open footer file %s for put\n", fname);
495 return -1;
496 }
497
498 /* Seek to the start of the crypt footer */
499 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
500 SLOGE("Cannot seek to real block device footer\n");
501 goto errout;
502 }
503
504 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
505 SLOGE("Cannot write real block device footer\n");
506 goto errout;
507 }
508
509 fstat(fd, &statbuf);
510 /* If the keys are kept on a raw block device, do not try to truncate it. */
511 if (S_ISREG(statbuf.st_mode)) {
512 if (ftruncate(fd, 0x4000)) {
513 SLOGE("Cannot set footer file size\n");
514 goto errout;
515 }
516 }
517
518 /* Success! */
519 rc = 0;
520
521 errout:
522 close(fd);
523 return rc;
524
525 }
526
unix_read(int fd,void * buff,int len)527 static inline int unix_read(int fd, void* buff, int len)
528 {
529 return TEMP_FAILURE_RETRY(read(fd, buff, len));
530 }
531
unix_write(int fd,const void * buff,int len)532 static inline int unix_write(int fd, const void* buff, int len)
533 {
534 return TEMP_FAILURE_RETRY(write(fd, buff, len));
535 }
536
init_empty_persist_data(struct crypt_persist_data * pdata,int len)537 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
538 {
539 memset(pdata, 0, len);
540 pdata->persist_magic = PERSIST_DATA_MAGIC;
541 pdata->persist_valid_entries = 0;
542 }
543
544 /* A routine to update the passed in crypt_ftr to the lastest version.
545 * fd is open read/write on the device that holds the crypto footer and persistent
546 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
547 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
548 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)549 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
550 {
551 int orig_major = crypt_ftr->major_version;
552 int orig_minor = crypt_ftr->minor_version;
553
554 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
555 struct crypt_persist_data *pdata;
556 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
557
558 SLOGW("upgrading crypto footer to 1.1");
559
560 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
561 if (pdata == NULL) {
562 SLOGE("Cannot allocate persisent data\n");
563 return;
564 }
565 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
566
567 /* Need to initialize the persistent data area */
568 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
569 SLOGE("Cannot seek to persisent data offset\n");
570 return;
571 }
572 /* Write all zeros to the first copy, making it invalid */
573 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
574
575 /* Write a valid but empty structure to the second copy */
576 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
577 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
578
579 /* Update the footer */
580 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
581 crypt_ftr->persist_data_offset[0] = pdata_offset;
582 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
583 crypt_ftr->minor_version = 1;
584 }
585
586 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
587 SLOGW("upgrading crypto footer to 1.2");
588 /* But keep the old kdf_type.
589 * It will get updated later to KDF_SCRYPT after the password has been verified.
590 */
591 crypt_ftr->kdf_type = KDF_PBKDF2;
592 get_device_scrypt_params(crypt_ftr);
593 crypt_ftr->minor_version = 2;
594 }
595
596 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
597 SLOGW("upgrading crypto footer to 1.3");
598 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
599 crypt_ftr->minor_version = 3;
600 }
601
602 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
603 if (lseek64(fd, offset, SEEK_SET) == -1) {
604 SLOGE("Cannot seek to crypt footer\n");
605 return;
606 }
607 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
608 }
609 }
610
611
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)612 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
613 {
614 int fd;
615 unsigned int nr_sec, cnt;
616 off64_t starting_off;
617 int rc = -1;
618 char *fname = NULL;
619 struct stat statbuf;
620
621 if (get_crypt_ftr_info(&fname, &starting_off)) {
622 SLOGE("Unable to get crypt_ftr_info\n");
623 return -1;
624 }
625 if (fname[0] != '/') {
626 SLOGE("Unexpected value for crypto key location\n");
627 return -1;
628 }
629 if ( (fd = open(fname, O_RDWR)) < 0) {
630 SLOGE("Cannot open footer file %s for get\n", fname);
631 return -1;
632 }
633
634 /* Make sure it's 16 Kbytes in length */
635 fstat(fd, &statbuf);
636 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
637 SLOGE("footer file %s is not the expected size!\n", fname);
638 goto errout;
639 }
640
641 /* Seek to the start of the crypt footer */
642 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
643 SLOGE("Cannot seek to real block device footer\n");
644 goto errout;
645 }
646
647 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
648 SLOGE("Cannot read real block device footer\n");
649 goto errout;
650 }
651
652 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
653 SLOGE("Bad magic for real block device %s\n", fname);
654 goto errout;
655 }
656
657 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
658 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
659 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
660 goto errout;
661 }
662
663 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
664 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
665 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
666 }
667
668 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
669 * copy on disk before returning.
670 */
671 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
672 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
673 }
674
675 /* Success! */
676 rc = 0;
677
678 errout:
679 close(fd);
680 return rc;
681 }
682
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)683 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
684 {
685 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
686 crypt_ftr->persist_data_offset[1]) {
687 SLOGE("Crypt_ftr persist data regions overlap");
688 return -1;
689 }
690
691 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
692 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
693 return -1;
694 }
695
696 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
697 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
698 CRYPT_FOOTER_OFFSET) {
699 SLOGE("Persistent data extends past crypto footer");
700 return -1;
701 }
702
703 return 0;
704 }
705
load_persistent_data(void)706 static int load_persistent_data(void)
707 {
708 struct crypt_mnt_ftr crypt_ftr;
709 struct crypt_persist_data *pdata = NULL;
710 char encrypted_state[PROPERTY_VALUE_MAX];
711 char *fname;
712 int found = 0;
713 int fd;
714 int ret;
715 int i;
716
717 if (persist_data) {
718 /* Nothing to do, we've already loaded or initialized it */
719 return 0;
720 }
721
722
723 /* If not encrypted, just allocate an empty table and initialize it */
724 property_get("ro.crypto.state", encrypted_state, "");
725 if (strcmp(encrypted_state, "encrypted") ) {
726 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
727 if (pdata) {
728 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
729 persist_data = pdata;
730 return 0;
731 }
732 return -1;
733 }
734
735 if(get_crypt_ftr_and_key(&crypt_ftr)) {
736 return -1;
737 }
738
739 if ((crypt_ftr.major_version < 1)
740 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
741 SLOGE("Crypt_ftr version doesn't support persistent data");
742 return -1;
743 }
744
745 if (get_crypt_ftr_info(&fname, NULL)) {
746 return -1;
747 }
748
749 ret = validate_persistent_data_storage(&crypt_ftr);
750 if (ret) {
751 return -1;
752 }
753
754 fd = open(fname, O_RDONLY);
755 if (fd < 0) {
756 SLOGE("Cannot open %s metadata file", fname);
757 return -1;
758 }
759
760 if (persist_data == NULL) {
761 pdata = malloc(crypt_ftr.persist_data_size);
762 if (pdata == NULL) {
763 SLOGE("Cannot allocate memory for persistent data");
764 goto err;
765 }
766 }
767
768 for (i = 0; i < 2; i++) {
769 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
770 SLOGE("Cannot seek to read persistent data on %s", fname);
771 goto err2;
772 }
773 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
774 SLOGE("Error reading persistent data on iteration %d", i);
775 goto err2;
776 }
777 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
778 found = 1;
779 break;
780 }
781 }
782
783 if (!found) {
784 SLOGI("Could not find valid persistent data, creating");
785 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
786 }
787
788 /* Success */
789 persist_data = pdata;
790 close(fd);
791 return 0;
792
793 err2:
794 free(pdata);
795
796 err:
797 close(fd);
798 return -1;
799 }
800
save_persistent_data(void)801 static int save_persistent_data(void)
802 {
803 struct crypt_mnt_ftr crypt_ftr;
804 struct crypt_persist_data *pdata;
805 char *fname;
806 off64_t write_offset;
807 off64_t erase_offset;
808 int found = 0;
809 int fd;
810 int ret;
811
812 if (persist_data == NULL) {
813 SLOGE("No persistent data to save");
814 return -1;
815 }
816
817 if(get_crypt_ftr_and_key(&crypt_ftr)) {
818 return -1;
819 }
820
821 if ((crypt_ftr.major_version < 1)
822 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
823 SLOGE("Crypt_ftr version doesn't support persistent data");
824 return -1;
825 }
826
827 ret = validate_persistent_data_storage(&crypt_ftr);
828 if (ret) {
829 return -1;
830 }
831
832 if (get_crypt_ftr_info(&fname, NULL)) {
833 return -1;
834 }
835
836 fd = open(fname, O_RDWR);
837 if (fd < 0) {
838 SLOGE("Cannot open %s metadata file", fname);
839 return -1;
840 }
841
842 pdata = malloc(crypt_ftr.persist_data_size);
843 if (pdata == NULL) {
844 SLOGE("Cannot allocate persistant data");
845 goto err;
846 }
847
848 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
849 SLOGE("Cannot seek to read persistent data on %s", fname);
850 goto err2;
851 }
852
853 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
854 SLOGE("Error reading persistent data before save");
855 goto err2;
856 }
857
858 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
859 /* The first copy is the curent valid copy, so write to
860 * the second copy and erase this one */
861 write_offset = crypt_ftr.persist_data_offset[1];
862 erase_offset = crypt_ftr.persist_data_offset[0];
863 } else {
864 /* The second copy must be the valid copy, so write to
865 * the first copy, and erase the second */
866 write_offset = crypt_ftr.persist_data_offset[0];
867 erase_offset = crypt_ftr.persist_data_offset[1];
868 }
869
870 /* Write the new copy first, if successful, then erase the old copy */
871 if (lseek(fd, write_offset, SEEK_SET) < 0) {
872 SLOGE("Cannot seek to write persistent data");
873 goto err2;
874 }
875 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
876 (int) crypt_ftr.persist_data_size) {
877 if (lseek(fd, erase_offset, SEEK_SET) < 0) {
878 SLOGE("Cannot seek to erase previous persistent data");
879 goto err2;
880 }
881 fsync(fd);
882 memset(pdata, 0, crypt_ftr.persist_data_size);
883 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
884 (int) crypt_ftr.persist_data_size) {
885 SLOGE("Cannot write to erase previous persistent data");
886 goto err2;
887 }
888 fsync(fd);
889 } else {
890 SLOGE("Cannot write to save persistent data");
891 goto err2;
892 }
893
894 /* Success */
895 free(pdata);
896 close(fd);
897 return 0;
898
899 err2:
900 free(pdata);
901 err:
902 close(fd);
903 return -1;
904 }
905
hexdigit(char c)906 static int hexdigit (char c)
907 {
908 if (c >= '0' && c <= '9') return c - '0';
909 c = tolower(c);
910 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
911 return -1;
912 }
913
convert_hex_ascii_to_key(const char * master_key_ascii,unsigned int * out_keysize)914 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
915 unsigned int* out_keysize)
916 {
917 unsigned int i;
918 *out_keysize = 0;
919
920 size_t size = strlen (master_key_ascii);
921 if (size % 2) {
922 SLOGE("Trying to convert ascii string of odd length");
923 return NULL;
924 }
925
926 unsigned char* master_key = (unsigned char*) malloc(size / 2);
927 if (master_key == 0) {
928 SLOGE("Cannot allocate");
929 return NULL;
930 }
931
932 for (i = 0; i < size; i += 2) {
933 int high_nibble = hexdigit (master_key_ascii[i]);
934 int low_nibble = hexdigit (master_key_ascii[i + 1]);
935
936 if(high_nibble < 0 || low_nibble < 0) {
937 SLOGE("Invalid hex string");
938 free (master_key);
939 return NULL;
940 }
941
942 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
943 (*out_keysize)++;
944 }
945
946 return master_key;
947 }
948
949 /* Convert a binary key of specified length into an ascii hex string equivalent,
950 * without the leading 0x and with null termination
951 */
convert_key_to_hex_ascii(unsigned char * master_key,unsigned int keysize,char * master_key_ascii)952 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
953 char *master_key_ascii)
954 {
955 unsigned int i, a;
956 unsigned char nibble;
957
958 for (i=0, a=0; i<keysize; i++, a+=2) {
959 /* For each byte, write out two ascii hex digits */
960 nibble = (master_key[i] >> 4) & 0xf;
961 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
962
963 nibble = master_key[i] & 0xf;
964 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
965 }
966
967 /* Add the null termination */
968 master_key_ascii[a] = '\0';
969
970 }
971
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,unsigned char * master_key,char * real_blk_name,const char * name,int fd,char * extra_params)972 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
973 char *real_blk_name, const char *name, int fd,
974 char *extra_params)
975 {
976 char buffer[DM_CRYPT_BUF_SIZE];
977 struct dm_ioctl *io;
978 struct dm_target_spec *tgt;
979 char *crypt_params;
980 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
981 int i;
982
983 io = (struct dm_ioctl *) buffer;
984
985 /* Load the mapping table for this device */
986 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
987
988 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
989 io->target_count = 1;
990 tgt->status = 0;
991 tgt->sector_start = 0;
992 tgt->length = crypt_ftr->fs_size;
993 strcpy(tgt->target_type, "crypt");
994
995 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
996 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
997 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
998 master_key_ascii, real_blk_name, extra_params);
999 crypt_params += strlen(crypt_params) + 1;
1000 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1001 tgt->next = crypt_params - buffer;
1002
1003 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1004 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1005 break;
1006 }
1007 usleep(500000);
1008 }
1009
1010 if (i == TABLE_LOAD_RETRIES) {
1011 /* We failed to load the table, return an error */
1012 return -1;
1013 } else {
1014 return i + 1;
1015 }
1016 }
1017
1018
get_dm_crypt_version(int fd,const char * name,int * version)1019 static int get_dm_crypt_version(int fd, const char *name, int *version)
1020 {
1021 char buffer[DM_CRYPT_BUF_SIZE];
1022 struct dm_ioctl *io;
1023 struct dm_target_versions *v;
1024 int i;
1025
1026 io = (struct dm_ioctl *) buffer;
1027
1028 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1029
1030 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1031 return -1;
1032 }
1033
1034 /* Iterate over the returned versions, looking for name of "crypt".
1035 * When found, get and return the version.
1036 */
1037 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1038 while (v->next) {
1039 if (! strcmp(v->name, "crypt")) {
1040 /* We found the crypt driver, return the version, and get out */
1041 version[0] = v->version[0];
1042 version[1] = v->version[1];
1043 version[2] = v->version[2];
1044 return 0;
1045 }
1046 v = (struct dm_target_versions *)(((char *)v) + v->next);
1047 }
1048
1049 return -1;
1050 }
1051
create_crypto_blk_dev(struct crypt_mnt_ftr * crypt_ftr,unsigned char * master_key,char * real_blk_name,char * crypto_blk_name,const char * name)1052 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
1053 char *real_blk_name, char *crypto_blk_name, const char *name)
1054 {
1055 char buffer[DM_CRYPT_BUF_SIZE];
1056 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1057 char *crypt_params;
1058 struct dm_ioctl *io;
1059 struct dm_target_spec *tgt;
1060 unsigned int minor;
1061 int fd;
1062 int i;
1063 int retval = -1;
1064 int version[3];
1065 char *extra_params;
1066 int load_count;
1067
1068 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1069 SLOGE("Cannot open device-mapper\n");
1070 goto errout;
1071 }
1072
1073 io = (struct dm_ioctl *) buffer;
1074
1075 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1076 if (ioctl(fd, DM_DEV_CREATE, io)) {
1077 SLOGE("Cannot create dm-crypt device\n");
1078 goto errout;
1079 }
1080
1081 /* Get the device status, in particular, the name of it's device file */
1082 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1083 if (ioctl(fd, DM_DEV_STATUS, io)) {
1084 SLOGE("Cannot retrieve dm-crypt device status\n");
1085 goto errout;
1086 }
1087 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1088 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1089
1090 extra_params = "";
1091 if (! get_dm_crypt_version(fd, name, version)) {
1092 /* Support for allow_discards was added in version 1.11.0 */
1093 if ((version[0] >= 2) ||
1094 ((version[0] == 1) && (version[1] >= 11))) {
1095 extra_params = "1 allow_discards";
1096 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1097 }
1098 }
1099
1100 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1101 fd, extra_params);
1102 if (load_count < 0) {
1103 SLOGE("Cannot load dm-crypt mapping table.\n");
1104 goto errout;
1105 } else if (load_count > 1) {
1106 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1107 }
1108
1109 /* Resume this device to activate it */
1110 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1111
1112 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1113 SLOGE("Cannot resume the dm-crypt device\n");
1114 goto errout;
1115 }
1116
1117 /* We made it here with no errors. Woot! */
1118 retval = 0;
1119
1120 errout:
1121 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1122
1123 return retval;
1124 }
1125
delete_crypto_blk_dev(char * name)1126 static int delete_crypto_blk_dev(char *name)
1127 {
1128 int fd;
1129 char buffer[DM_CRYPT_BUF_SIZE];
1130 struct dm_ioctl *io;
1131 int retval = -1;
1132
1133 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1134 SLOGE("Cannot open device-mapper\n");
1135 goto errout;
1136 }
1137
1138 io = (struct dm_ioctl *) buffer;
1139
1140 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1141 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1142 SLOGE("Cannot remove dm-crypt device\n");
1143 goto errout;
1144 }
1145
1146 /* We made it here with no errors. Woot! */
1147 retval = 0;
1148
1149 errout:
1150 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1151
1152 return retval;
1153
1154 }
1155
pbkdf2(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params UNUSED)1156 static int pbkdf2(const char *passwd, const unsigned char *salt,
1157 unsigned char *ikey, void *params UNUSED)
1158 {
1159 SLOGI("Using pbkdf2 for cryptfs KDF");
1160
1161 /* Turn the password into a key and IV that can decrypt the master key */
1162 unsigned int keysize;
1163 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1164 if (!master_key) return -1;
1165 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1166 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1167
1168 memset(master_key, 0, keysize);
1169 free (master_key);
1170 return 0;
1171 }
1172
scrypt(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1173 static int scrypt(const char *passwd, const unsigned char *salt,
1174 unsigned char *ikey, void *params)
1175 {
1176 SLOGI("Using scrypt for cryptfs KDF");
1177
1178 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1179
1180 int N = 1 << ftr->N_factor;
1181 int r = 1 << ftr->r_factor;
1182 int p = 1 << ftr->p_factor;
1183
1184 /* Turn the password into a key and IV that can decrypt the master key */
1185 unsigned int keysize;
1186 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1187 if (!master_key) return -1;
1188 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1189 KEY_LEN_BYTES + IV_LEN_BYTES);
1190
1191 memset(master_key, 0, keysize);
1192 free (master_key);
1193 return 0;
1194 }
1195
scrypt_keymaster(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1196 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1197 unsigned char *ikey, void *params)
1198 {
1199 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1200
1201 int rc;
1202 unsigned int key_size;
1203 size_t signature_size;
1204 unsigned char* signature;
1205 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1206
1207 int N = 1 << ftr->N_factor;
1208 int r = 1 << ftr->r_factor;
1209 int p = 1 << ftr->p_factor;
1210
1211 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1212 if (!master_key) {
1213 SLOGE("Failed to convert passwd from hex");
1214 return -1;
1215 }
1216
1217 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1218 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1219 memset(master_key, 0, key_size);
1220 free(master_key);
1221
1222 if (rc) {
1223 SLOGE("scrypt failed");
1224 return -1;
1225 }
1226
1227 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1228 &signature, &signature_size)) {
1229 SLOGE("Signing failed");
1230 return -1;
1231 }
1232
1233 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1234 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1235 free(signature);
1236
1237 if (rc) {
1238 SLOGE("scrypt failed");
1239 return -1;
1240 }
1241
1242 return 0;
1243 }
1244
encrypt_master_key(const char * passwd,const unsigned char * salt,const unsigned char * decrypted_master_key,unsigned char * encrypted_master_key,struct crypt_mnt_ftr * crypt_ftr)1245 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1246 const unsigned char *decrypted_master_key,
1247 unsigned char *encrypted_master_key,
1248 struct crypt_mnt_ftr *crypt_ftr)
1249 {
1250 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1251 EVP_CIPHER_CTX e_ctx;
1252 int encrypted_len, final_len;
1253 int rc = 0;
1254
1255 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1256 get_device_scrypt_params(crypt_ftr);
1257
1258 switch (crypt_ftr->kdf_type) {
1259 case KDF_SCRYPT_KEYMASTER_UNPADDED:
1260 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
1261 case KDF_SCRYPT_KEYMASTER:
1262 if (keymaster_create_key(crypt_ftr)) {
1263 SLOGE("keymaster_create_key failed");
1264 return -1;
1265 }
1266
1267 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1268 SLOGE("scrypt failed");
1269 return -1;
1270 }
1271 break;
1272
1273 case KDF_SCRYPT:
1274 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1275 SLOGE("scrypt failed");
1276 return -1;
1277 }
1278 break;
1279
1280 default:
1281 SLOGE("Invalid kdf_type");
1282 return -1;
1283 }
1284
1285 /* Initialize the decryption engine */
1286 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1287 SLOGE("EVP_EncryptInit failed\n");
1288 return -1;
1289 }
1290 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1291
1292 /* Encrypt the master key */
1293 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1294 decrypted_master_key, KEY_LEN_BYTES)) {
1295 SLOGE("EVP_EncryptUpdate failed\n");
1296 return -1;
1297 }
1298 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1299 SLOGE("EVP_EncryptFinal failed\n");
1300 return -1;
1301 }
1302
1303 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1304 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1305 return -1;
1306 }
1307
1308 /* Store the scrypt of the intermediate key, so we can validate if it's a
1309 password error or mount error when things go wrong.
1310 Note there's no need to check for errors, since if this is incorrect, we
1311 simply won't wipe userdata, which is the correct default behavior
1312 */
1313 int N = 1 << crypt_ftr->N_factor;
1314 int r = 1 << crypt_ftr->r_factor;
1315 int p = 1 << crypt_ftr->p_factor;
1316
1317 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1318 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1319 crypt_ftr->scrypted_intermediate_key,
1320 sizeof(crypt_ftr->scrypted_intermediate_key));
1321
1322 if (rc) {
1323 SLOGE("encrypt_master_key: crypto_scrypt failed");
1324 }
1325
1326 return 0;
1327 }
1328
decrypt_master_key_aux(char * passwd,unsigned char * salt,unsigned char * encrypted_master_key,unsigned char * decrypted_master_key,kdf_func kdf,void * kdf_params,unsigned char ** intermediate_key,size_t * intermediate_key_size)1329 static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1330 unsigned char *encrypted_master_key,
1331 unsigned char *decrypted_master_key,
1332 kdf_func kdf, void *kdf_params,
1333 unsigned char** intermediate_key,
1334 size_t* intermediate_key_size)
1335 {
1336 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1337 EVP_CIPHER_CTX d_ctx;
1338 int decrypted_len, final_len;
1339
1340 /* Turn the password into an intermediate key and IV that can decrypt the
1341 master key */
1342 if (kdf(passwd, salt, ikey, kdf_params)) {
1343 SLOGE("kdf failed");
1344 return -1;
1345 }
1346
1347 /* Initialize the decryption engine */
1348 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1349 return -1;
1350 }
1351 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1352 /* Decrypt the master key */
1353 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1354 encrypted_master_key, KEY_LEN_BYTES)) {
1355 return -1;
1356 }
1357 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1358 return -1;
1359 }
1360
1361 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1362 return -1;
1363 }
1364
1365 /* Copy intermediate key if needed by params */
1366 if (intermediate_key && intermediate_key_size) {
1367 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1368 if (intermediate_key) {
1369 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1370 *intermediate_key_size = KEY_LEN_BYTES;
1371 }
1372 }
1373
1374 return 0;
1375 }
1376
get_kdf_func(struct crypt_mnt_ftr * ftr,kdf_func * kdf,void ** kdf_params)1377 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1378 {
1379 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
1380 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
1381 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1382 *kdf = scrypt_keymaster;
1383 *kdf_params = ftr;
1384 } else if (ftr->kdf_type == KDF_SCRYPT) {
1385 *kdf = scrypt;
1386 *kdf_params = ftr;
1387 } else {
1388 *kdf = pbkdf2;
1389 *kdf_params = NULL;
1390 }
1391 }
1392
decrypt_master_key(char * passwd,unsigned char * decrypted_master_key,struct crypt_mnt_ftr * crypt_ftr,unsigned char ** intermediate_key,size_t * intermediate_key_size)1393 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1394 struct crypt_mnt_ftr *crypt_ftr,
1395 unsigned char** intermediate_key,
1396 size_t* intermediate_key_size)
1397 {
1398 kdf_func kdf;
1399 void *kdf_params;
1400 int ret;
1401
1402 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1403 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1404 decrypted_master_key, kdf, kdf_params,
1405 intermediate_key, intermediate_key_size);
1406 if (ret != 0) {
1407 SLOGW("failure decrypting master key");
1408 }
1409
1410 return ret;
1411 }
1412
create_encrypted_random_key(char * passwd,unsigned char * master_key,unsigned char * salt,struct crypt_mnt_ftr * crypt_ftr)1413 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1414 struct crypt_mnt_ftr *crypt_ftr) {
1415 int fd;
1416 unsigned char key_buf[KEY_LEN_BYTES];
1417 EVP_CIPHER_CTX e_ctx;
1418 int encrypted_len, final_len;
1419
1420 /* Get some random bits for a key */
1421 fd = open("/dev/urandom", O_RDONLY);
1422 read(fd, key_buf, sizeof(key_buf));
1423 read(fd, salt, SALT_LEN);
1424 close(fd);
1425
1426 /* Now encrypt it with the password */
1427 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1428 }
1429
wait_and_unmount(char * mountpoint,bool kill)1430 static int wait_and_unmount(char *mountpoint, bool kill)
1431 {
1432 int i, err, rc;
1433 #define WAIT_UNMOUNT_COUNT 20
1434
1435 /* Now umount the tmpfs filesystem */
1436 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1437 if (umount(mountpoint) == 0) {
1438 break;
1439 }
1440
1441 if (errno == EINVAL) {
1442 /* EINVAL is returned if the directory is not a mountpoint,
1443 * i.e. there is no filesystem mounted there. So just get out.
1444 */
1445 break;
1446 }
1447
1448 err = errno;
1449
1450 /* If allowed, be increasingly aggressive before the last two retries */
1451 if (kill) {
1452 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1453 SLOGW("sending SIGHUP to processes with open files\n");
1454 vold_killProcessesWithOpenFiles(mountpoint, 1);
1455 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1456 SLOGW("sending SIGKILL to processes with open files\n");
1457 vold_killProcessesWithOpenFiles(mountpoint, 2);
1458 }
1459 }
1460
1461 sleep(1);
1462 }
1463
1464 if (i < WAIT_UNMOUNT_COUNT) {
1465 SLOGD("unmounting %s succeeded\n", mountpoint);
1466 rc = 0;
1467 } else {
1468 vold_killProcessesWithOpenFiles(mountpoint, 0);
1469 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1470 rc = -1;
1471 }
1472
1473 return rc;
1474 }
1475
1476 #define DATA_PREP_TIMEOUT 200
prep_data_fs(void)1477 static int prep_data_fs(void)
1478 {
1479 int i;
1480
1481 /* Do the prep of the /data filesystem */
1482 property_set("vold.post_fs_data_done", "0");
1483 property_set("vold.decrypt", "trigger_post_fs_data");
1484 SLOGD("Just triggered post_fs_data\n");
1485
1486 /* Wait a max of 50 seconds, hopefully it takes much less */
1487 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1488 char p[PROPERTY_VALUE_MAX];
1489
1490 property_get("vold.post_fs_data_done", p, "0");
1491 if (*p == '1') {
1492 break;
1493 } else {
1494 usleep(250000);
1495 }
1496 }
1497 if (i == DATA_PREP_TIMEOUT) {
1498 /* Ugh, we failed to prep /data in time. Bail. */
1499 SLOGE("post_fs_data timed out!\n");
1500 return -1;
1501 } else {
1502 SLOGD("post_fs_data done\n");
1503 return 0;
1504 }
1505 }
1506
cryptfs_set_corrupt()1507 static void cryptfs_set_corrupt()
1508 {
1509 // Mark the footer as bad
1510 struct crypt_mnt_ftr crypt_ftr;
1511 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1512 SLOGE("Failed to get crypto footer - panic");
1513 return;
1514 }
1515
1516 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1517 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1518 SLOGE("Failed to set crypto footer - panic");
1519 return;
1520 }
1521 }
1522
cryptfs_trigger_restart_min_framework()1523 static void cryptfs_trigger_restart_min_framework()
1524 {
1525 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1526 SLOGE("Failed to mount tmpfs on data - panic");
1527 return;
1528 }
1529
1530 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1531 SLOGE("Failed to trigger post fs data - panic");
1532 return;
1533 }
1534
1535 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1536 SLOGE("Failed to trigger restart min framework - panic");
1537 return;
1538 }
1539 }
1540
1541 /* returns < 0 on failure */
cryptfs_restart_internal(int restart_main)1542 static int cryptfs_restart_internal(int restart_main)
1543 {
1544 char fs_type[32];
1545 char real_blkdev[MAXPATHLEN];
1546 char crypto_blkdev[MAXPATHLEN];
1547 char fs_options[256];
1548 unsigned long mnt_flags;
1549 struct stat statbuf;
1550 int rc = -1, i;
1551 static int restart_successful = 0;
1552
1553 /* Validate that it's OK to call this routine */
1554 if (! master_key_saved) {
1555 SLOGE("Encrypted filesystem not validated, aborting");
1556 return -1;
1557 }
1558
1559 if (restart_successful) {
1560 SLOGE("System already restarted with encrypted disk, aborting");
1561 return -1;
1562 }
1563
1564 if (restart_main) {
1565 /* Here is where we shut down the framework. The init scripts
1566 * start all services in one of three classes: core, main or late_start.
1567 * On boot, we start core and main. Now, we stop main, but not core,
1568 * as core includes vold and a few other really important things that
1569 * we need to keep running. Once main has stopped, we should be able
1570 * to umount the tmpfs /data, then mount the encrypted /data.
1571 * We then restart the class main, and also the class late_start.
1572 * At the moment, I've only put a few things in late_start that I know
1573 * are not needed to bring up the framework, and that also cause problems
1574 * with unmounting the tmpfs /data, but I hope to add add more services
1575 * to the late_start class as we optimize this to decrease the delay
1576 * till the user is asked for the password to the filesystem.
1577 */
1578
1579 /* The init files are setup to stop the class main when vold.decrypt is
1580 * set to trigger_reset_main.
1581 */
1582 property_set("vold.decrypt", "trigger_reset_main");
1583 SLOGD("Just asked init to shut down class main\n");
1584
1585 /* Ugh, shutting down the framework is not synchronous, so until it
1586 * can be fixed, this horrible hack will wait a moment for it all to
1587 * shut down before proceeding. Without it, some devices cannot
1588 * restart the graphics services.
1589 */
1590 sleep(2);
1591 }
1592
1593 /* Now that the framework is shutdown, we should be able to umount()
1594 * the tmpfs filesystem, and mount the real one.
1595 */
1596
1597 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1598 if (strlen(crypto_blkdev) == 0) {
1599 SLOGE("fs_crypto_blkdev not set\n");
1600 return -1;
1601 }
1602
1603 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1604 /* If ro.crypto.readonly is set to 1, mount the decrypted
1605 * filesystem readonly. This is used when /data is mounted by
1606 * recovery mode.
1607 */
1608 char ro_prop[PROPERTY_VALUE_MAX];
1609 property_get("ro.crypto.readonly", ro_prop, "");
1610 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1611 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1612 rec->flags |= MS_RDONLY;
1613 }
1614
1615 /* If that succeeded, then mount the decrypted filesystem */
1616 int retries = RETRY_MOUNT_ATTEMPTS;
1617 int mount_rc;
1618 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1619 crypto_blkdev, 0))
1620 != 0) {
1621 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1622 /* TODO: invoke something similar to
1623 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1624 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1625 SLOGI("Failed to mount %s because it is busy - waiting",
1626 crypto_blkdev);
1627 if (--retries) {
1628 sleep(RETRY_MOUNT_DELAY_SECONDS);
1629 } else {
1630 /* Let's hope that a reboot clears away whatever is keeping
1631 the mount busy */
1632 cryptfs_reboot(reboot);
1633 }
1634 } else {
1635 SLOGE("Failed to mount decrypted data");
1636 cryptfs_set_corrupt();
1637 cryptfs_trigger_restart_min_framework();
1638 SLOGI("Started framework to offer wipe");
1639 return -1;
1640 }
1641 }
1642
1643 property_set("vold.decrypt", "trigger_load_persist_props");
1644 /* Create necessary paths on /data */
1645 if (prep_data_fs()) {
1646 return -1;
1647 }
1648
1649 /* startup service classes main and late_start */
1650 property_set("vold.decrypt", "trigger_restart_framework");
1651 SLOGD("Just triggered restart_framework\n");
1652
1653 /* Give it a few moments to get started */
1654 sleep(1);
1655 }
1656
1657 if (rc == 0) {
1658 restart_successful = 1;
1659 }
1660
1661 return rc;
1662 }
1663
cryptfs_restart(void)1664 int cryptfs_restart(void)
1665 {
1666 /* Call internal implementation forcing a restart of main service group */
1667 return cryptfs_restart_internal(1);
1668 }
1669
do_crypto_complete(char * mount_point UNUSED)1670 static int do_crypto_complete(char *mount_point UNUSED)
1671 {
1672 struct crypt_mnt_ftr crypt_ftr;
1673 char encrypted_state[PROPERTY_VALUE_MAX];
1674 char key_loc[PROPERTY_VALUE_MAX];
1675
1676 property_get("ro.crypto.state", encrypted_state, "");
1677 if (strcmp(encrypted_state, "encrypted") ) {
1678 SLOGE("not running with encryption, aborting");
1679 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1680 }
1681
1682 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1683 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1684
1685 /*
1686 * Only report this error if key_loc is a file and it exists.
1687 * If the device was never encrypted, and /data is not mountable for
1688 * some reason, returning 1 should prevent the UI from presenting the
1689 * a "enter password" screen, or worse, a "press button to wipe the
1690 * device" screen.
1691 */
1692 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1693 SLOGE("master key file does not exist, aborting");
1694 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1695 } else {
1696 SLOGE("Error getting crypt footer and key\n");
1697 return CRYPTO_COMPLETE_BAD_METADATA;
1698 }
1699 }
1700
1701 // Test for possible error flags
1702 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1703 SLOGE("Encryption process is partway completed\n");
1704 return CRYPTO_COMPLETE_PARTIAL;
1705 }
1706
1707 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1708 SLOGE("Encryption process was interrupted but cannot continue\n");
1709 return CRYPTO_COMPLETE_INCONSISTENT;
1710 }
1711
1712 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1713 SLOGE("Encryption is successful but data is corrupt\n");
1714 return CRYPTO_COMPLETE_CORRUPT;
1715 }
1716
1717 /* We passed the test! We shall diminish, and return to the west */
1718 return CRYPTO_COMPLETE_ENCRYPTED;
1719 }
1720
test_mount_encrypted_fs(struct crypt_mnt_ftr * crypt_ftr,char * passwd,char * mount_point,char * label)1721 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1722 char *passwd, char *mount_point, char *label)
1723 {
1724 /* Allocate enough space for a 256 bit key, but we may use less */
1725 unsigned char decrypted_master_key[32];
1726 char crypto_blkdev[MAXPATHLEN];
1727 char real_blkdev[MAXPATHLEN];
1728 char tmp_mount_point[64];
1729 unsigned int orig_failed_decrypt_count;
1730 int rc;
1731 kdf_func kdf;
1732 void *kdf_params;
1733 int use_keymaster = 0;
1734 int upgrade = 0;
1735 unsigned char* intermediate_key = 0;
1736 size_t intermediate_key_size = 0;
1737
1738 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1739 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1740
1741 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1742 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1743 &intermediate_key, &intermediate_key_size)) {
1744 SLOGE("Failed to decrypt master key\n");
1745 rc = -1;
1746 goto errout;
1747 }
1748 }
1749
1750 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1751
1752 // Create crypto block device - all (non fatal) code paths
1753 // need it
1754 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1755 real_blkdev, crypto_blkdev, label)) {
1756 SLOGE("Error creating decrypted block device\n");
1757 rc = -1;
1758 goto errout;
1759 }
1760
1761 /* Work out if the problem is the password or the data */
1762 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1763 scrypted_intermediate_key)];
1764 int N = 1 << crypt_ftr->N_factor;
1765 int r = 1 << crypt_ftr->r_factor;
1766 int p = 1 << crypt_ftr->p_factor;
1767
1768 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1769 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1770 N, r, p, scrypted_intermediate_key,
1771 sizeof(scrypted_intermediate_key));
1772
1773 // Does the key match the crypto footer?
1774 if (rc == 0 && memcmp(scrypted_intermediate_key,
1775 crypt_ftr->scrypted_intermediate_key,
1776 sizeof(scrypted_intermediate_key)) == 0) {
1777 SLOGI("Password matches");
1778 rc = 0;
1779 } else {
1780 /* Try mounting the file system anyway, just in case the problem's with
1781 * the footer, not the key. */
1782 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1783 mkdir(tmp_mount_point, 0755);
1784 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1785 SLOGE("Error temp mounting decrypted block device\n");
1786 delete_crypto_blk_dev(label);
1787
1788 rc = ++crypt_ftr->failed_decrypt_count;
1789 put_crypt_ftr_and_key(crypt_ftr);
1790 } else {
1791 /* Success! */
1792 SLOGI("Password did not match but decrypted drive mounted - continue");
1793 umount(tmp_mount_point);
1794 rc = 0;
1795 }
1796 }
1797
1798 if (rc == 0) {
1799 crypt_ftr->failed_decrypt_count = 0;
1800 if (orig_failed_decrypt_count != 0) {
1801 put_crypt_ftr_and_key(crypt_ftr);
1802 }
1803
1804 /* Save the name of the crypto block device
1805 * so we can mount it when restarting the framework. */
1806 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1807
1808 /* Also save a the master key so we can reencrypted the key
1809 * the key when we want to change the password on it. */
1810 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1811 saved_mount_point = strdup(mount_point);
1812 master_key_saved = 1;
1813 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1814 rc = 0;
1815
1816 // Upgrade if we're not using the latest KDF.
1817 use_keymaster = keymaster_check_compatibility();
1818 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1819 // Don't allow downgrade
1820 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1821 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1822 upgrade = 1;
1823 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1824 crypt_ftr->kdf_type = KDF_SCRYPT;
1825 upgrade = 1;
1826 }
1827
1828 if (upgrade) {
1829 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1830 crypt_ftr->master_key, crypt_ftr);
1831 if (!rc) {
1832 rc = put_crypt_ftr_and_key(crypt_ftr);
1833 }
1834 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1835
1836 // Do not fail even if upgrade failed - machine is bootable
1837 // Note that if this code is ever hit, there is a *serious* problem
1838 // since KDFs should never fail. You *must* fix the kdf before
1839 // proceeding!
1840 if (rc) {
1841 SLOGW("Upgrade failed with error %d,"
1842 " but continuing with previous state",
1843 rc);
1844 rc = 0;
1845 }
1846 }
1847 }
1848
1849 errout:
1850 if (intermediate_key) {
1851 memset(intermediate_key, 0, intermediate_key_size);
1852 free(intermediate_key);
1853 }
1854 return rc;
1855 }
1856
1857 /* Called by vold when it wants to undo the crypto mapping of a volume it
1858 * manages. This is usually in response to a factory reset, when we want
1859 * to undo the crypto mapping so the volume is formatted in the clear.
1860 */
cryptfs_revert_volume(const char * label)1861 int cryptfs_revert_volume(const char *label)
1862 {
1863 return delete_crypto_blk_dev((char *)label);
1864 }
1865
1866 /*
1867 * Called by vold when it's asked to mount an encrypted, nonremovable volume.
1868 * Setup a dm-crypt mapping, use the saved master key from
1869 * setting up the /data mapping, and return the new device path.
1870 */
cryptfs_setup_volume(const char * label,int major,int minor,char * crypto_sys_path,unsigned int max_path,int * new_major,int * new_minor)1871 int cryptfs_setup_volume(const char *label, int major, int minor,
1872 char *crypto_sys_path, unsigned int max_path,
1873 int *new_major, int *new_minor)
1874 {
1875 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
1876 struct crypt_mnt_ftr sd_crypt_ftr;
1877 struct stat statbuf;
1878 int nr_sec, fd;
1879
1880 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
1881
1882 get_crypt_ftr_and_key(&sd_crypt_ftr);
1883
1884 /* Update the fs_size field to be the size of the volume */
1885 fd = open(real_blkdev, O_RDONLY);
1886 nr_sec = get_blkdev_size(fd);
1887 close(fd);
1888 if (nr_sec == 0) {
1889 SLOGE("Cannot get size of volume %s\n", real_blkdev);
1890 return -1;
1891 }
1892
1893 sd_crypt_ftr.fs_size = nr_sec;
1894 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
1895 crypto_blkdev, label);
1896
1897 stat(crypto_blkdev, &statbuf);
1898 *new_major = MAJOR(statbuf.st_rdev);
1899 *new_minor = MINOR(statbuf.st_rdev);
1900
1901 /* Create path to sys entry for this block device */
1902 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
1903
1904 return 0;
1905 }
1906
cryptfs_crypto_complete(void)1907 int cryptfs_crypto_complete(void)
1908 {
1909 return do_crypto_complete("/data");
1910 }
1911
check_unmounted_and_get_ftr(struct crypt_mnt_ftr * crypt_ftr)1912 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1913 {
1914 char encrypted_state[PROPERTY_VALUE_MAX];
1915 property_get("ro.crypto.state", encrypted_state, "");
1916 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1917 SLOGE("encrypted fs already validated or not running with encryption,"
1918 " aborting");
1919 return -1;
1920 }
1921
1922 if (get_crypt_ftr_and_key(crypt_ftr)) {
1923 SLOGE("Error getting crypt footer and key");
1924 return -1;
1925 }
1926
1927 return 0;
1928 }
1929
1930 /*
1931 * TODO - transition patterns to new format in calling code
1932 * and remove this vile hack, and the use of hex in
1933 * the password passing code.
1934 *
1935 * Patterns are passed in zero based (i.e. the top left dot
1936 * is represented by zero, the top middle one etc), but we want
1937 * to store them '1' based.
1938 * This is to allow us to migrate the calling code to use this
1939 * convention. It also solves a nasty problem whereby scrypt ignores
1940 * trailing zeros, so patterns ending at the top left could be
1941 * truncated, and similarly, you could add the top left to any
1942 * pattern and still match.
1943 * adjust_passwd is a hack function that returns the alternate representation
1944 * if the password appears to be a pattern (hex numbers all less than 09)
1945 * If it succeeds we need to try both, and in particular try the alternate
1946 * first. If the original matches, then we need to update the footer
1947 * with the alternate.
1948 * All code that accepts passwords must adjust them first. Since
1949 * cryptfs_check_passwd is always the first function called after a migration
1950 * (and indeed on any boot) we only need to do the double try in this
1951 * function.
1952 */
adjust_passwd(const char * passwd)1953 char* adjust_passwd(const char* passwd)
1954 {
1955 size_t index, length;
1956
1957 if (!passwd) {
1958 return 0;
1959 }
1960
1961 // Check even length. Hex encoded passwords are always
1962 // an even length, since each character encodes to two characters.
1963 length = strlen(passwd);
1964 if (length % 2) {
1965 SLOGW("Password not correctly hex encoded.");
1966 return 0;
1967 }
1968
1969 // Check password is old-style pattern - a collection of hex
1970 // encoded bytes less than 9 (00 through 08)
1971 for (index = 0; index < length; index +=2) {
1972 if (passwd[index] != '0'
1973 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
1974 return 0;
1975 }
1976 }
1977
1978 // Allocate room for adjusted passwd and null terminate
1979 char* adjusted = malloc(length + 1);
1980 adjusted[length] = 0;
1981
1982 // Add 0x31 ('1') to each character
1983 for (index = 0; index < length; index += 2) {
1984 // output is 31 through 39 so set first byte to three, second to src + 1
1985 adjusted[index] = '3';
1986 adjusted[index + 1] = passwd[index + 1] + 1;
1987 }
1988
1989 return adjusted;
1990 }
1991
cryptfs_check_passwd(char * passwd)1992 int cryptfs_check_passwd(char *passwd)
1993 {
1994 struct crypt_mnt_ftr crypt_ftr;
1995 int rc;
1996
1997 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1998 if (rc)
1999 return rc;
2000
2001 char* adjusted_passwd = adjust_passwd(passwd);
2002 if (adjusted_passwd) {
2003 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
2004 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
2005 DATA_MNT_POINT, "userdata");
2006
2007 // Maybe the original one still works?
2008 if (rc) {
2009 // Don't double count this failure
2010 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
2011 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2012 DATA_MNT_POINT, "userdata");
2013 if (!rc) {
2014 // cryptfs_changepw also adjusts so pass original
2015 // Note that adjust_passwd only recognises patterns
2016 // so we can safely use CRYPT_TYPE_PATTERN
2017 SLOGI("Updating pattern to new format");
2018 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
2019 }
2020 }
2021 free(adjusted_passwd);
2022 } else {
2023 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2024 DATA_MNT_POINT, "userdata");
2025 }
2026
2027 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2028 cryptfs_clear_password();
2029 password = strdup(passwd);
2030 struct timespec now;
2031 clock_gettime(CLOCK_BOOTTIME, &now);
2032 password_expiry_time = now.tv_sec + password_max_age_seconds;
2033 }
2034
2035 return rc;
2036 }
2037
cryptfs_verify_passwd(char * passwd)2038 int cryptfs_verify_passwd(char *passwd)
2039 {
2040 struct crypt_mnt_ftr crypt_ftr;
2041 /* Allocate enough space for a 256 bit key, but we may use less */
2042 unsigned char decrypted_master_key[32];
2043 char encrypted_state[PROPERTY_VALUE_MAX];
2044 int rc;
2045
2046 property_get("ro.crypto.state", encrypted_state, "");
2047 if (strcmp(encrypted_state, "encrypted") ) {
2048 SLOGE("device not encrypted, aborting");
2049 return -2;
2050 }
2051
2052 if (!master_key_saved) {
2053 SLOGE("encrypted fs not yet mounted, aborting");
2054 return -1;
2055 }
2056
2057 if (!saved_mount_point) {
2058 SLOGE("encrypted fs failed to save mount point, aborting");
2059 return -1;
2060 }
2061
2062 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2063 SLOGE("Error getting crypt footer and key\n");
2064 return -1;
2065 }
2066
2067 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2068 /* If the device has no password, then just say the password is valid */
2069 rc = 0;
2070 } else {
2071 char* adjusted_passwd = adjust_passwd(passwd);
2072 if (adjusted_passwd) {
2073 passwd = adjusted_passwd;
2074 }
2075
2076 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2077 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2078 /* They match, the password is correct */
2079 rc = 0;
2080 } else {
2081 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2082 sleep(1);
2083 rc = 1;
2084 }
2085
2086 free(adjusted_passwd);
2087 }
2088
2089 return rc;
2090 }
2091
2092 /* Initialize a crypt_mnt_ftr structure. The keysize is
2093 * defaulted to 16 bytes, and the filesystem size to 0.
2094 * Presumably, at a minimum, the caller will update the
2095 * filesystem size and crypto_type_name after calling this function.
2096 */
cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr * ftr)2097 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2098 {
2099 off64_t off;
2100
2101 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2102 ftr->magic = CRYPT_MNT_MAGIC;
2103 ftr->major_version = CURRENT_MAJOR_VERSION;
2104 ftr->minor_version = CURRENT_MINOR_VERSION;
2105 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2106 ftr->keysize = KEY_LEN_BYTES;
2107
2108 switch (keymaster_check_compatibility()) {
2109 case 1:
2110 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2111 break;
2112
2113 case 0:
2114 ftr->kdf_type = KDF_SCRYPT;
2115 break;
2116
2117 default:
2118 SLOGE("keymaster_check_compatibility failed");
2119 return -1;
2120 }
2121
2122 get_device_scrypt_params(ftr);
2123
2124 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2125 if (get_crypt_ftr_info(NULL, &off) == 0) {
2126 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2127 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2128 ftr->persist_data_size;
2129 }
2130
2131 return 0;
2132 }
2133
cryptfs_enable_wipe(char * crypto_blkdev,off64_t size,int type)2134 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2135 {
2136 const char *args[10];
2137 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2138 int num_args;
2139 int status;
2140 int tmp;
2141 int rc = -1;
2142
2143 if (type == EXT4_FS) {
2144 args[0] = "/system/bin/make_ext4fs";
2145 args[1] = "-a";
2146 args[2] = "/data";
2147 args[3] = "-l";
2148 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2149 args[4] = size_str;
2150 args[5] = crypto_blkdev;
2151 num_args = 6;
2152 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2153 args[0], args[1], args[2], args[3], args[4], args[5]);
2154 } else if (type == F2FS_FS) {
2155 args[0] = "/system/bin/mkfs.f2fs";
2156 args[1] = "-t";
2157 args[2] = "-d1";
2158 args[3] = crypto_blkdev;
2159 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2160 args[4] = size_str;
2161 num_args = 5;
2162 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2163 args[0], args[1], args[2], args[3], args[4]);
2164 } else {
2165 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2166 return -1;
2167 }
2168
2169 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2170
2171 if (tmp != 0) {
2172 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2173 } else {
2174 if (WIFEXITED(status)) {
2175 if (WEXITSTATUS(status)) {
2176 SLOGE("Error creating filesystem on %s, exit status %d ",
2177 crypto_blkdev, WEXITSTATUS(status));
2178 } else {
2179 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2180 rc = 0;
2181 }
2182 } else {
2183 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2184 }
2185 }
2186
2187 return rc;
2188 }
2189
2190 #define CRYPT_INPLACE_BUFSIZE 4096
2191 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2192 #define CRYPT_SECTOR_SIZE 512
2193
2194 /* aligned 32K writes tends to make flash happy.
2195 * SD card association recommends it.
2196 */
2197 #define BLOCKS_AT_A_TIME 8
2198
2199 struct encryptGroupsData
2200 {
2201 int realfd;
2202 int cryptofd;
2203 off64_t numblocks;
2204 off64_t one_pct, cur_pct, new_pct;
2205 off64_t blocks_already_done, tot_numblocks;
2206 off64_t used_blocks_already_done, tot_used_blocks;
2207 char* real_blkdev, * crypto_blkdev;
2208 int count;
2209 off64_t offset;
2210 char* buffer;
2211 off64_t last_written_sector;
2212 int completed;
2213 time_t time_started;
2214 int remaining_time;
2215 };
2216
update_progress(struct encryptGroupsData * data,int is_used)2217 static void update_progress(struct encryptGroupsData* data, int is_used)
2218 {
2219 data->blocks_already_done++;
2220
2221 if (is_used) {
2222 data->used_blocks_already_done++;
2223 }
2224 if (data->tot_used_blocks) {
2225 data->new_pct = data->used_blocks_already_done / data->one_pct;
2226 } else {
2227 data->new_pct = data->blocks_already_done / data->one_pct;
2228 }
2229
2230 if (data->new_pct > data->cur_pct) {
2231 char buf[8];
2232 data->cur_pct = data->new_pct;
2233 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2234 property_set("vold.encrypt_progress", buf);
2235 }
2236
2237 if (data->cur_pct >= 5) {
2238 struct timespec time_now;
2239 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2240 SLOGW("Error getting time");
2241 } else {
2242 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2243 off64_t remaining_blocks = data->tot_used_blocks
2244 - data->used_blocks_already_done;
2245 int remaining_time = (int)(elapsed_time * remaining_blocks
2246 / data->used_blocks_already_done);
2247
2248 // Change time only if not yet set, lower, or a lot higher for
2249 // best user experience
2250 if (data->remaining_time == -1
2251 || remaining_time < data->remaining_time
2252 || remaining_time > data->remaining_time + 60) {
2253 char buf[8];
2254 snprintf(buf, sizeof(buf), "%d", remaining_time);
2255 property_set("vold.encrypt_time_remaining", buf);
2256 data->remaining_time = remaining_time;
2257 }
2258 }
2259 }
2260 }
2261
log_progress(struct encryptGroupsData const * data,bool completed)2262 static void log_progress(struct encryptGroupsData const* data, bool completed)
2263 {
2264 // Precondition - if completed data = 0 else data != 0
2265
2266 // Track progress so we can skip logging blocks
2267 static off64_t offset = -1;
2268
2269 // Need to close existing 'Encrypting from' log?
2270 if (completed || (offset != -1 && data->offset != offset)) {
2271 SLOGI("Encrypted to sector %" PRId64,
2272 offset / info.block_size * CRYPT_SECTOR_SIZE);
2273 offset = -1;
2274 }
2275
2276 // Need to start new 'Encrypting from' log?
2277 if (!completed && offset != data->offset) {
2278 SLOGI("Encrypting from sector %" PRId64,
2279 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2280 }
2281
2282 // Update offset
2283 if (!completed) {
2284 offset = data->offset + (off64_t)data->count * info.block_size;
2285 }
2286 }
2287
flush_outstanding_data(struct encryptGroupsData * data)2288 static int flush_outstanding_data(struct encryptGroupsData* data)
2289 {
2290 if (data->count == 0) {
2291 return 0;
2292 }
2293
2294 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2295
2296 if (pread64(data->realfd, data->buffer,
2297 info.block_size * data->count, data->offset)
2298 <= 0) {
2299 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2300 data->real_blkdev);
2301 return -1;
2302 }
2303
2304 if (pwrite64(data->cryptofd, data->buffer,
2305 info.block_size * data->count, data->offset)
2306 <= 0) {
2307 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2308 data->crypto_blkdev);
2309 return -1;
2310 } else {
2311 log_progress(data, false);
2312 }
2313
2314 data->count = 0;
2315 data->last_written_sector = (data->offset + data->count)
2316 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2317 return 0;
2318 }
2319
encrypt_groups(struct encryptGroupsData * data)2320 static int encrypt_groups(struct encryptGroupsData* data)
2321 {
2322 unsigned int i;
2323 u8 *block_bitmap = 0;
2324 unsigned int block;
2325 off64_t ret;
2326 int rc = -1;
2327
2328 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2329 if (!data->buffer) {
2330 SLOGE("Failed to allocate crypto buffer");
2331 goto errout;
2332 }
2333
2334 block_bitmap = malloc(info.block_size);
2335 if (!block_bitmap) {
2336 SLOGE("failed to allocate block bitmap");
2337 goto errout;
2338 }
2339
2340 for (i = 0; i < aux_info.groups; ++i) {
2341 SLOGI("Encrypting group %d", i);
2342
2343 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2344 u32 block_count = min(info.blocks_per_group,
2345 aux_info.len_blocks - first_block);
2346
2347 off64_t offset = (u64)info.block_size
2348 * aux_info.bg_desc[i].bg_block_bitmap;
2349
2350 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2351 if (ret != (int)info.block_size) {
2352 SLOGE("failed to read all of block group bitmap %d", i);
2353 goto errout;
2354 }
2355
2356 offset = (u64)info.block_size * first_block;
2357
2358 data->count = 0;
2359
2360 for (block = 0; block < block_count; block++) {
2361 int used = bitmap_get_bit(block_bitmap, block);
2362 update_progress(data, used);
2363 if (used) {
2364 if (data->count == 0) {
2365 data->offset = offset;
2366 }
2367 data->count++;
2368 } else {
2369 if (flush_outstanding_data(data)) {
2370 goto errout;
2371 }
2372 }
2373
2374 offset += info.block_size;
2375
2376 /* Write data if we are aligned or buffer size reached */
2377 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2378 || data->count == BLOCKS_AT_A_TIME) {
2379 if (flush_outstanding_data(data)) {
2380 goto errout;
2381 }
2382 }
2383
2384 if (!is_battery_ok_to_continue()) {
2385 SLOGE("Stopping encryption due to low battery");
2386 rc = 0;
2387 goto errout;
2388 }
2389
2390 }
2391 if (flush_outstanding_data(data)) {
2392 goto errout;
2393 }
2394 }
2395
2396 data->completed = 1;
2397 rc = 0;
2398
2399 errout:
2400 log_progress(0, true);
2401 free(data->buffer);
2402 free(block_bitmap);
2403 return rc;
2404 }
2405
cryptfs_enable_inplace_ext4(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2406 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2407 char *real_blkdev,
2408 off64_t size,
2409 off64_t *size_already_done,
2410 off64_t tot_size,
2411 off64_t previously_encrypted_upto)
2412 {
2413 u32 i;
2414 struct encryptGroupsData data;
2415 int rc; // Can't initialize without causing warning -Wclobbered
2416
2417 if (previously_encrypted_upto > *size_already_done) {
2418 SLOGD("Not fast encrypting since resuming part way through");
2419 return -1;
2420 }
2421
2422 memset(&data, 0, sizeof(data));
2423 data.real_blkdev = real_blkdev;
2424 data.crypto_blkdev = crypto_blkdev;
2425
2426 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2427 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2428 real_blkdev, errno, strerror(errno));
2429 rc = -1;
2430 goto errout;
2431 }
2432
2433 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2434 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2435 crypto_blkdev, errno, strerror(errno));
2436 rc = ENABLE_INPLACE_ERR_DEV;
2437 goto errout;
2438 }
2439
2440 if (setjmp(setjmp_env)) {
2441 SLOGE("Reading ext4 extent caused an exception\n");
2442 rc = -1;
2443 goto errout;
2444 }
2445
2446 if (read_ext(data.realfd, 0) != 0) {
2447 SLOGE("Failed to read ext4 extent\n");
2448 rc = -1;
2449 goto errout;
2450 }
2451
2452 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2453 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2454 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2455
2456 SLOGI("Encrypting ext4 filesystem in place...");
2457
2458 data.tot_used_blocks = data.numblocks;
2459 for (i = 0; i < aux_info.groups; ++i) {
2460 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2461 }
2462
2463 data.one_pct = data.tot_used_blocks / 100;
2464 data.cur_pct = 0;
2465
2466 struct timespec time_started = {0};
2467 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2468 SLOGW("Error getting time at start");
2469 // Note - continue anyway - we'll run with 0
2470 }
2471 data.time_started = time_started.tv_sec;
2472 data.remaining_time = -1;
2473
2474 rc = encrypt_groups(&data);
2475 if (rc) {
2476 SLOGE("Error encrypting groups");
2477 goto errout;
2478 }
2479
2480 *size_already_done += data.completed ? size : data.last_written_sector;
2481 rc = 0;
2482
2483 errout:
2484 close(data.realfd);
2485 close(data.cryptofd);
2486
2487 return rc;
2488 }
2489
log_progress_f2fs(u64 block,bool completed)2490 static void log_progress_f2fs(u64 block, bool completed)
2491 {
2492 // Precondition - if completed data = 0 else data != 0
2493
2494 // Track progress so we can skip logging blocks
2495 static u64 last_block = (u64)-1;
2496
2497 // Need to close existing 'Encrypting from' log?
2498 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2499 SLOGI("Encrypted to block %" PRId64, last_block);
2500 last_block = -1;
2501 }
2502
2503 // Need to start new 'Encrypting from' log?
2504 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2505 SLOGI("Encrypting from block %" PRId64, block);
2506 }
2507
2508 // Update offset
2509 if (!completed) {
2510 last_block = block;
2511 }
2512 }
2513
encrypt_one_block_f2fs(u64 pos,void * data)2514 static int encrypt_one_block_f2fs(u64 pos, void *data)
2515 {
2516 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2517
2518 priv_dat->blocks_already_done = pos - 1;
2519 update_progress(priv_dat, 1);
2520
2521 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2522
2523 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2524 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2525 return -1;
2526 }
2527
2528 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2529 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2530 return -1;
2531 } else {
2532 log_progress_f2fs(pos, false);
2533 }
2534
2535 return 0;
2536 }
2537
cryptfs_enable_inplace_f2fs(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2538 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2539 char *real_blkdev,
2540 off64_t size,
2541 off64_t *size_already_done,
2542 off64_t tot_size,
2543 off64_t previously_encrypted_upto)
2544 {
2545 u32 i;
2546 struct encryptGroupsData data;
2547 struct f2fs_info *f2fs_info = NULL;
2548 int rc = ENABLE_INPLACE_ERR_OTHER;
2549 if (previously_encrypted_upto > *size_already_done) {
2550 SLOGD("Not fast encrypting since resuming part way through");
2551 return ENABLE_INPLACE_ERR_OTHER;
2552 }
2553 memset(&data, 0, sizeof(data));
2554 data.real_blkdev = real_blkdev;
2555 data.crypto_blkdev = crypto_blkdev;
2556 data.realfd = -1;
2557 data.cryptofd = -1;
2558 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
2559 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2560 real_blkdev);
2561 goto errout;
2562 }
2563 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
2564 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2565 crypto_blkdev, errno, strerror(errno));
2566 rc = ENABLE_INPLACE_ERR_DEV;
2567 goto errout;
2568 }
2569
2570 f2fs_info = generate_f2fs_info(data.realfd);
2571 if (!f2fs_info)
2572 goto errout;
2573
2574 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2575 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2576 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2577
2578 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2579
2580 data.one_pct = data.tot_used_blocks / 100;
2581 data.cur_pct = 0;
2582 data.time_started = time(NULL);
2583 data.remaining_time = -1;
2584
2585 data.buffer = malloc(f2fs_info->block_size);
2586 if (!data.buffer) {
2587 SLOGE("Failed to allocate crypto buffer");
2588 goto errout;
2589 }
2590
2591 data.count = 0;
2592
2593 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2594 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2595
2596 if (rc) {
2597 SLOGE("Error in running over f2fs blocks");
2598 rc = ENABLE_INPLACE_ERR_OTHER;
2599 goto errout;
2600 }
2601
2602 *size_already_done += size;
2603 rc = 0;
2604
2605 errout:
2606 if (rc)
2607 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2608
2609 log_progress_f2fs(0, true);
2610 free(f2fs_info);
2611 free(data.buffer);
2612 close(data.realfd);
2613 close(data.cryptofd);
2614
2615 return rc;
2616 }
2617
cryptfs_enable_inplace_full(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2618 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2619 off64_t size, off64_t *size_already_done,
2620 off64_t tot_size,
2621 off64_t previously_encrypted_upto)
2622 {
2623 int realfd, cryptofd;
2624 char *buf[CRYPT_INPLACE_BUFSIZE];
2625 int rc = ENABLE_INPLACE_ERR_OTHER;
2626 off64_t numblocks, i, remainder;
2627 off64_t one_pct, cur_pct, new_pct;
2628 off64_t blocks_already_done, tot_numblocks;
2629
2630 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
2631 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2632 return ENABLE_INPLACE_ERR_OTHER;
2633 }
2634
2635 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2636 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2637 crypto_blkdev, errno, strerror(errno));
2638 close(realfd);
2639 return ENABLE_INPLACE_ERR_DEV;
2640 }
2641
2642 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2643 * The size passed in is the number of 512 byte sectors in the filesystem.
2644 * So compute the number of whole 4K blocks we should read/write,
2645 * and the remainder.
2646 */
2647 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2648 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2649 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2650 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2651
2652 SLOGE("Encrypting filesystem in place...");
2653
2654 i = previously_encrypted_upto + 1 - *size_already_done;
2655
2656 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2657 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2658 goto errout;
2659 }
2660
2661 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2662 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2663 goto errout;
2664 }
2665
2666 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2667 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2668 SLOGE("Error reading initial sectors from real_blkdev %s for "
2669 "inplace encrypt\n", crypto_blkdev);
2670 goto errout;
2671 }
2672 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2673 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2674 "inplace encrypt\n", crypto_blkdev);
2675 goto errout;
2676 } else {
2677 SLOGI("Encrypted 1 block at %" PRId64, i);
2678 }
2679 }
2680
2681 one_pct = tot_numblocks / 100;
2682 cur_pct = 0;
2683 /* process the majority of the filesystem in blocks */
2684 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2685 new_pct = (i + blocks_already_done) / one_pct;
2686 if (new_pct > cur_pct) {
2687 char buf[8];
2688
2689 cur_pct = new_pct;
2690 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2691 property_set("vold.encrypt_progress", buf);
2692 }
2693 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2694 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2695 goto errout;
2696 }
2697 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2698 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2699 goto errout;
2700 } else {
2701 SLOGD("Encrypted %d block at %" PRId64,
2702 CRYPT_SECTORS_PER_BUFSIZE,
2703 i * CRYPT_SECTORS_PER_BUFSIZE);
2704 }
2705
2706 if (!is_battery_ok_to_continue()) {
2707 SLOGE("Stopping encryption due to low battery");
2708 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2709 rc = 0;
2710 goto errout;
2711 }
2712 }
2713
2714 /* Do any remaining sectors */
2715 for (i=0; i<remainder; i++) {
2716 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2717 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2718 goto errout;
2719 }
2720 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2721 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2722 goto errout;
2723 } else {
2724 SLOGI("Encrypted 1 block at next location");
2725 }
2726 }
2727
2728 *size_already_done += size;
2729 rc = 0;
2730
2731 errout:
2732 close(realfd);
2733 close(cryptofd);
2734
2735 return rc;
2736 }
2737
2738 /* returns on of the ENABLE_INPLACE_* return codes */
cryptfs_enable_inplace(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2739 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2740 off64_t size, off64_t *size_already_done,
2741 off64_t tot_size,
2742 off64_t previously_encrypted_upto)
2743 {
2744 int rc_ext4, rc_f2fs, rc_full;
2745 if (previously_encrypted_upto) {
2746 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2747 }
2748
2749 if (*size_already_done + size < previously_encrypted_upto) {
2750 *size_already_done += size;
2751 return 0;
2752 }
2753
2754 /* TODO: identify filesystem type.
2755 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2756 * then we will drop down to cryptfs_enable_inplace_f2fs.
2757 * */
2758 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2759 size, size_already_done,
2760 tot_size, previously_encrypted_upto)) == 0) {
2761 return 0;
2762 }
2763 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2764
2765 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2766 size, size_already_done,
2767 tot_size, previously_encrypted_upto)) == 0) {
2768 return 0;
2769 }
2770 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2771
2772 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2773 size, size_already_done, tot_size,
2774 previously_encrypted_upto);
2775 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2776
2777 /* Hack for b/17898962, the following is the symptom... */
2778 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2779 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2780 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2781 return ENABLE_INPLACE_ERR_DEV;
2782 }
2783 return rc_full;
2784 }
2785
2786 #define CRYPTO_ENABLE_WIPE 1
2787 #define CRYPTO_ENABLE_INPLACE 2
2788
2789 #define FRAMEWORK_BOOT_WAIT 60
2790
should_encrypt(struct volume_info * volume)2791 static inline int should_encrypt(struct volume_info *volume)
2792 {
2793 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
2794 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
2795 }
2796
cryptfs_SHA256_fileblock(const char * filename,__le8 * buf)2797 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2798 {
2799 int fd = open(filename, O_RDONLY);
2800 if (fd == -1) {
2801 SLOGE("Error opening file %s", filename);
2802 return -1;
2803 }
2804
2805 char block[CRYPT_INPLACE_BUFSIZE];
2806 memset(block, 0, sizeof(block));
2807 if (unix_read(fd, block, sizeof(block)) < 0) {
2808 SLOGE("Error reading file %s", filename);
2809 close(fd);
2810 return -1;
2811 }
2812
2813 close(fd);
2814
2815 SHA256_CTX c;
2816 SHA256_Init(&c);
2817 SHA256_Update(&c, block, sizeof(block));
2818 SHA256_Final(buf, &c);
2819
2820 return 0;
2821 }
2822
get_fs_type(struct fstab_rec * rec)2823 static int get_fs_type(struct fstab_rec *rec)
2824 {
2825 if (!strcmp(rec->fs_type, "ext4")) {
2826 return EXT4_FS;
2827 } else if (!strcmp(rec->fs_type, "f2fs")) {
2828 return F2FS_FS;
2829 } else {
2830 return -1;
2831 }
2832 }
2833
cryptfs_enable_all_volumes(struct crypt_mnt_ftr * crypt_ftr,int how,char * crypto_blkdev,char * real_blkdev,int previously_encrypted_upto)2834 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2835 char *crypto_blkdev, char *real_blkdev,
2836 int previously_encrypted_upto)
2837 {
2838 off64_t cur_encryption_done=0, tot_encryption_size=0;
2839 int i, rc = -1;
2840
2841 if (!is_battery_ok_to_start()) {
2842 SLOGW("Not starting encryption due to low battery");
2843 return 0;
2844 }
2845
2846 /* The size of the userdata partition, and add in the vold volumes below */
2847 tot_encryption_size = crypt_ftr->fs_size;
2848
2849 if (how == CRYPTO_ENABLE_WIPE) {
2850 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2851 int fs_type = get_fs_type(rec);
2852 if (fs_type < 0) {
2853 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2854 return -1;
2855 }
2856 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2857 } else if (how == CRYPTO_ENABLE_INPLACE) {
2858 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2859 crypt_ftr->fs_size, &cur_encryption_done,
2860 tot_encryption_size,
2861 previously_encrypted_upto);
2862
2863 if (rc == ENABLE_INPLACE_ERR_DEV) {
2864 /* Hack for b/17898962 */
2865 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2866 cryptfs_reboot(reboot);
2867 }
2868
2869 if (!rc) {
2870 crypt_ftr->encrypted_upto = cur_encryption_done;
2871 }
2872
2873 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2874 /* The inplace routine never actually sets the progress to 100% due
2875 * to the round down nature of integer division, so set it here */
2876 property_set("vold.encrypt_progress", "100");
2877 }
2878 } else {
2879 /* Shouldn't happen */
2880 SLOGE("cryptfs_enable: internal error, unknown option\n");
2881 rc = -1;
2882 }
2883
2884 return rc;
2885 }
2886
cryptfs_enable_internal(char * howarg,int crypt_type,char * passwd,int allow_reboot)2887 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2888 int allow_reboot)
2889 {
2890 int how = 0;
2891 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2892 unsigned long nr_sec;
2893 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2894 int rc=-1, fd, i, ret;
2895 struct crypt_mnt_ftr crypt_ftr;
2896 struct crypt_persist_data *pdata;
2897 char encrypted_state[PROPERTY_VALUE_MAX];
2898 char lockid[32] = { 0 };
2899 char key_loc[PROPERTY_VALUE_MAX];
2900 char fuse_sdcard[PROPERTY_VALUE_MAX];
2901 char *sd_mnt_point;
2902 int num_vols;
2903 struct volume_info *vol_list = 0;
2904 off64_t previously_encrypted_upto = 0;
2905
2906 if (!strcmp(howarg, "wipe")) {
2907 how = CRYPTO_ENABLE_WIPE;
2908 } else if (! strcmp(howarg, "inplace")) {
2909 how = CRYPTO_ENABLE_INPLACE;
2910 } else {
2911 /* Shouldn't happen, as CommandListener vets the args */
2912 goto error_unencrypted;
2913 }
2914
2915 /* See if an encryption was underway and interrupted */
2916 if (how == CRYPTO_ENABLE_INPLACE
2917 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2918 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2919 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2920 crypt_ftr.encrypted_upto = 0;
2921 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2922
2923 /* At this point, we are in an inconsistent state. Until we successfully
2924 complete encryption, a reboot will leave us broken. So mark the
2925 encryption failed in case that happens.
2926 On successfully completing encryption, remove this flag */
2927 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2928
2929 put_crypt_ftr_and_key(&crypt_ftr);
2930 }
2931
2932 property_get("ro.crypto.state", encrypted_state, "");
2933 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2934 SLOGE("Device is already running encrypted, aborting");
2935 goto error_unencrypted;
2936 }
2937
2938 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2939 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2940 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2941
2942 /* Get the size of the real block device */
2943 fd = open(real_blkdev, O_RDONLY);
2944 if ( (nr_sec = get_blkdev_size(fd)) == 0) {
2945 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2946 goto error_unencrypted;
2947 }
2948 close(fd);
2949
2950 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2951 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2952 unsigned int fs_size_sec, max_fs_size_sec;
2953 fs_size_sec = get_fs_size(real_blkdev);
2954 if (fs_size_sec == 0)
2955 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2956
2957 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2958
2959 if (fs_size_sec > max_fs_size_sec) {
2960 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2961 goto error_unencrypted;
2962 }
2963 }
2964
2965 /* Get a wakelock as this may take a while, and we don't want the
2966 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2967 * wants to keep the screen on, it can grab a full wakelock.
2968 */
2969 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2970 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2971
2972 /* Get the sdcard mount point */
2973 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
2974 if (!sd_mnt_point) {
2975 sd_mnt_point = getenv("EXTERNAL_STORAGE");
2976 }
2977 if (!sd_mnt_point) {
2978 sd_mnt_point = "/mnt/sdcard";
2979 }
2980
2981 /* TODO
2982 * Currently do not have test devices with multiple encryptable volumes.
2983 * When we acquire some, re-add support.
2984 */
2985 num_vols=vold_getNumDirectVolumes();
2986 vol_list = malloc(sizeof(struct volume_info) * num_vols);
2987 vold_getDirectVolumeList(vol_list);
2988
2989 for (i=0; i<num_vols; i++) {
2990 if (should_encrypt(&vol_list[i])) {
2991 SLOGE("Cannot encrypt if there are multiple encryptable volumes"
2992 "%s\n", vol_list[i].label);
2993 goto error_unencrypted;
2994 }
2995 }
2996
2997 /* The init files are setup to stop the class main and late start when
2998 * vold sets trigger_shutdown_framework.
2999 */
3000 property_set("vold.decrypt", "trigger_shutdown_framework");
3001 SLOGD("Just asked init to shut down class main\n");
3002
3003 if (vold_unmountAllAsecs()) {
3004 /* Just report the error. If any are left mounted,
3005 * umounting /data below will fail and handle the error.
3006 */
3007 SLOGE("Error unmounting internal asecs");
3008 }
3009
3010 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
3011 if (!strcmp(fuse_sdcard, "true")) {
3012 /* This is a device using the fuse layer to emulate the sdcard semantics
3013 * on top of the userdata partition. vold does not manage it, it is managed
3014 * by the sdcard service. The sdcard service was killed by the property trigger
3015 * above, so just unmount it now. We must do this _AFTER_ killing the framework,
3016 * unlike the case for vold managed devices above.
3017 */
3018 if (wait_and_unmount(sd_mnt_point, false)) {
3019 goto error_shutting_down;
3020 }
3021 }
3022
3023 /* Now unmount the /data partition. */
3024 if (wait_and_unmount(DATA_MNT_POINT, false)) {
3025 if (allow_reboot) {
3026 goto error_shutting_down;
3027 } else {
3028 goto error_unencrypted;
3029 }
3030 }
3031
3032 /* Do extra work for a better UX when doing the long inplace encryption */
3033 if (how == CRYPTO_ENABLE_INPLACE) {
3034 /* Now that /data is unmounted, we need to mount a tmpfs
3035 * /data, set a property saying we're doing inplace encryption,
3036 * and restart the framework.
3037 */
3038 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3039 goto error_shutting_down;
3040 }
3041 /* Tells the framework that inplace encryption is starting */
3042 property_set("vold.encrypt_progress", "0");
3043
3044 /* restart the framework. */
3045 /* Create necessary paths on /data */
3046 if (prep_data_fs()) {
3047 goto error_shutting_down;
3048 }
3049
3050 /* Ugh, shutting down the framework is not synchronous, so until it
3051 * can be fixed, this horrible hack will wait a moment for it all to
3052 * shut down before proceeding. Without it, some devices cannot
3053 * restart the graphics services.
3054 */
3055 sleep(2);
3056
3057 /* startup service classes main and late_start */
3058 property_set("vold.decrypt", "trigger_restart_min_framework");
3059 SLOGD("Just triggered restart_min_framework\n");
3060
3061 /* OK, the framework is restarted and will soon be showing a
3062 * progress bar. Time to setup an encrypted mapping, and
3063 * either write a new filesystem, or encrypt in place updating
3064 * the progress bar as we work.
3065 */
3066 }
3067
3068 /* Start the actual work of making an encrypted filesystem */
3069 /* Initialize a crypt_mnt_ftr for the partition */
3070 if (previously_encrypted_upto == 0) {
3071 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3072 goto error_shutting_down;
3073 }
3074
3075 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3076 crypt_ftr.fs_size = nr_sec
3077 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3078 } else {
3079 crypt_ftr.fs_size = nr_sec;
3080 }
3081 /* At this point, we are in an inconsistent state. Until we successfully
3082 complete encryption, a reboot will leave us broken. So mark the
3083 encryption failed in case that happens.
3084 On successfully completing encryption, remove this flag */
3085 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3086 crypt_ftr.crypt_type = crypt_type;
3087 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
3088
3089 /* Make an encrypted master key */
3090 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3091 SLOGE("Cannot create encrypted master key\n");
3092 goto error_shutting_down;
3093 }
3094
3095 /* Write the key to the end of the partition */
3096 put_crypt_ftr_and_key(&crypt_ftr);
3097
3098 /* If any persistent data has been remembered, save it.
3099 * If none, create a valid empty table and save that.
3100 */
3101 if (!persist_data) {
3102 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3103 if (pdata) {
3104 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3105 persist_data = pdata;
3106 }
3107 }
3108 if (persist_data) {
3109 save_persistent_data();
3110 }
3111 }
3112
3113 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3114 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3115 "userdata");
3116
3117 /* If we are continuing, check checksums match */
3118 rc = 0;
3119 if (previously_encrypted_upto) {
3120 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3121 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3122
3123 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3124 sizeof(hash_first_block)) != 0) {
3125 SLOGE("Checksums do not match - trigger wipe");
3126 rc = -1;
3127 }
3128 }
3129
3130 if (!rc) {
3131 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3132 crypto_blkdev, real_blkdev,
3133 previously_encrypted_upto);
3134 }
3135
3136 /* Calculate checksum if we are not finished */
3137 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3138 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3139 crypt_ftr.hash_first_block);
3140 if (rc) {
3141 SLOGE("Error calculating checksum for continuing encryption");
3142 rc = -1;
3143 }
3144 }
3145
3146 /* Undo the dm-crypt mapping whether we succeed or not */
3147 delete_crypto_blk_dev("userdata");
3148
3149 free(vol_list);
3150
3151 if (! rc) {
3152 /* Success */
3153 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3154
3155 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3156 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3157 crypt_ftr.encrypted_upto);
3158 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3159 }
3160
3161 put_crypt_ftr_and_key(&crypt_ftr);
3162
3163 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3164 char value[PROPERTY_VALUE_MAX];
3165 property_get("ro.crypto.state", value, "");
3166 if (!strcmp(value, "")) {
3167 /* default encryption - continue first boot sequence */
3168 property_set("ro.crypto.state", "encrypted");
3169 release_wake_lock(lockid);
3170 cryptfs_check_passwd(DEFAULT_PASSWORD);
3171 cryptfs_restart_internal(1);
3172 return 0;
3173 } else {
3174 sleep(2); /* Give the UI a chance to show 100% progress */
3175 cryptfs_reboot(reboot);
3176 }
3177 } else {
3178 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3179 cryptfs_reboot(shutdown);
3180 }
3181 } else {
3182 char value[PROPERTY_VALUE_MAX];
3183
3184 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3185 if (!strcmp(value, "1")) {
3186 /* wipe data if encryption failed */
3187 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3188 mkdir("/cache/recovery", 0700);
3189 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
3190 if (fd >= 0) {
3191 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3192 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3193 close(fd);
3194 } else {
3195 SLOGE("could not open /cache/recovery/command\n");
3196 }
3197 cryptfs_reboot(recovery);
3198 } else {
3199 /* set property to trigger dialog */
3200 property_set("vold.encrypt_progress", "error_partially_encrypted");
3201 release_wake_lock(lockid);
3202 }
3203 return -1;
3204 }
3205
3206 /* hrm, the encrypt step claims success, but the reboot failed.
3207 * This should not happen.
3208 * Set the property and return. Hope the framework can deal with it.
3209 */
3210 property_set("vold.encrypt_progress", "error_reboot_failed");
3211 release_wake_lock(lockid);
3212 return rc;
3213
3214 error_unencrypted:
3215 free(vol_list);
3216 property_set("vold.encrypt_progress", "error_not_encrypted");
3217 if (lockid[0]) {
3218 release_wake_lock(lockid);
3219 }
3220 return -1;
3221
3222 error_shutting_down:
3223 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3224 * but the framework is stopped and not restarted to show the error, so it's up to
3225 * vold to restart the system.
3226 */
3227 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3228 cryptfs_reboot(reboot);
3229
3230 /* shouldn't get here */
3231 property_set("vold.encrypt_progress", "error_shutting_down");
3232 free(vol_list);
3233 if (lockid[0]) {
3234 release_wake_lock(lockid);
3235 }
3236 return -1;
3237 }
3238
cryptfs_enable(char * howarg,int type,char * passwd,int allow_reboot)3239 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3240 {
3241 char* adjusted_passwd = adjust_passwd(passwd);
3242 if (adjusted_passwd) {
3243 passwd = adjusted_passwd;
3244 }
3245
3246 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
3247
3248 free(adjusted_passwd);
3249 return rc;
3250 }
3251
cryptfs_enable_default(char * howarg,int allow_reboot)3252 int cryptfs_enable_default(char *howarg, int allow_reboot)
3253 {
3254 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3255 DEFAULT_PASSWORD, allow_reboot);
3256 }
3257
cryptfs_changepw(int crypt_type,const char * newpw)3258 int cryptfs_changepw(int crypt_type, const char *newpw)
3259 {
3260 struct crypt_mnt_ftr crypt_ftr;
3261 unsigned char decrypted_master_key[KEY_LEN_BYTES];
3262
3263 /* This is only allowed after we've successfully decrypted the master key */
3264 if (!master_key_saved) {
3265 SLOGE("Key not saved, aborting");
3266 return -1;
3267 }
3268
3269 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3270 SLOGE("Invalid crypt_type %d", crypt_type);
3271 return -1;
3272 }
3273
3274 /* get key */
3275 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3276 SLOGE("Error getting crypt footer and key");
3277 return -1;
3278 }
3279
3280 crypt_ftr.crypt_type = crypt_type;
3281
3282 char* adjusted_passwd = adjust_passwd(newpw);
3283 if (adjusted_passwd) {
3284 newpw = adjusted_passwd;
3285 }
3286
3287 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3288 : newpw,
3289 crypt_ftr.salt,
3290 saved_master_key,
3291 crypt_ftr.master_key,
3292 &crypt_ftr);
3293
3294 /* save the key */
3295 put_crypt_ftr_and_key(&crypt_ftr);
3296
3297 free(adjusted_passwd);
3298 return 0;
3299 }
3300
persist_get_key(char * fieldname,char * value)3301 static int persist_get_key(char *fieldname, char *value)
3302 {
3303 unsigned int i;
3304
3305 if (persist_data == NULL) {
3306 return -1;
3307 }
3308 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3309 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3310 /* We found it! */
3311 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3312 return 0;
3313 }
3314 }
3315
3316 return -1;
3317 }
3318
persist_set_key(char * fieldname,char * value,int encrypted)3319 static int persist_set_key(char *fieldname, char *value, int encrypted)
3320 {
3321 unsigned int i;
3322 unsigned int num;
3323 struct crypt_mnt_ftr crypt_ftr;
3324 unsigned int max_persistent_entries;
3325 unsigned int dsize;
3326
3327 if (persist_data == NULL) {
3328 return -1;
3329 }
3330
3331 /* If encrypted, use the values from the crypt_ftr, otherwise
3332 * use the values for the current spec.
3333 */
3334 if (encrypted) {
3335 if(get_crypt_ftr_and_key(&crypt_ftr)) {
3336 return -1;
3337 }
3338 dsize = crypt_ftr.persist_data_size;
3339 } else {
3340 dsize = CRYPT_PERSIST_DATA_SIZE;
3341 }
3342 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3343 sizeof(struct crypt_persist_entry);
3344
3345 num = persist_data->persist_valid_entries;
3346
3347 for (i = 0; i < num; i++) {
3348 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3349 /* We found an existing entry, update it! */
3350 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3351 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3352 return 0;
3353 }
3354 }
3355
3356 /* We didn't find it, add it to the end, if there is room */
3357 if (persist_data->persist_valid_entries < max_persistent_entries) {
3358 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3359 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3360 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3361 persist_data->persist_valid_entries++;
3362 return 0;
3363 }
3364
3365 return -1;
3366 }
3367
3368 /* Return the value of the specified field. */
cryptfs_getfield(char * fieldname,char * value,int len)3369 int cryptfs_getfield(char *fieldname, char *value, int len)
3370 {
3371 char temp_value[PROPERTY_VALUE_MAX];
3372 char real_blkdev[MAXPATHLEN];
3373 /* 0 is success, 1 is not encrypted,
3374 * -1 is value not set, -2 is any other error
3375 */
3376 int rc = -2;
3377
3378 if (persist_data == NULL) {
3379 load_persistent_data();
3380 if (persist_data == NULL) {
3381 SLOGE("Getfield error, cannot load persistent data");
3382 goto out;
3383 }
3384 }
3385
3386 if (!persist_get_key(fieldname, temp_value)) {
3387 /* We found it, copy it to the caller's buffer and return */
3388 strlcpy(value, temp_value, len);
3389 rc = 0;
3390 } else {
3391 /* Sadness, it's not there. Return the error */
3392 rc = -1;
3393 }
3394
3395 out:
3396 return rc;
3397 }
3398
3399 /* Set the value of the specified field. */
cryptfs_setfield(char * fieldname,char * value)3400 int cryptfs_setfield(char *fieldname, char *value)
3401 {
3402 struct crypt_persist_data stored_pdata;
3403 struct crypt_persist_data *pdata_p;
3404 struct crypt_mnt_ftr crypt_ftr;
3405 char encrypted_state[PROPERTY_VALUE_MAX];
3406 /* 0 is success, -1 is an error */
3407 int rc = -1;
3408 int encrypted = 0;
3409
3410 if (persist_data == NULL) {
3411 load_persistent_data();
3412 if (persist_data == NULL) {
3413 SLOGE("Setfield error, cannot load persistent data");
3414 goto out;
3415 }
3416 }
3417
3418 property_get("ro.crypto.state", encrypted_state, "");
3419 if (!strcmp(encrypted_state, "encrypted") ) {
3420 encrypted = 1;
3421 }
3422
3423 if (persist_set_key(fieldname, value, encrypted)) {
3424 goto out;
3425 }
3426
3427 /* If we are running encrypted, save the persistent data now */
3428 if (encrypted) {
3429 if (save_persistent_data()) {
3430 SLOGE("Setfield error, cannot save persistent data");
3431 goto out;
3432 }
3433 }
3434
3435 rc = 0;
3436
3437 out:
3438 return rc;
3439 }
3440
3441 /* Checks userdata. Attempt to mount the volume if default-
3442 * encrypted.
3443 * On success trigger next init phase and return 0.
3444 * Currently do not handle failure - see TODO below.
3445 */
cryptfs_mount_default_encrypted(void)3446 int cryptfs_mount_default_encrypted(void)
3447 {
3448 char decrypt_state[PROPERTY_VALUE_MAX];
3449 property_get("vold.decrypt", decrypt_state, "0");
3450 if (!strcmp(decrypt_state, "0")) {
3451 SLOGE("Not encrypted - should not call here");
3452 } else {
3453 int crypt_type = cryptfs_get_password_type();
3454 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3455 SLOGE("Bad crypt type - error");
3456 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3457 SLOGD("Password is not default - "
3458 "starting min framework to prompt");
3459 property_set("vold.decrypt", "trigger_restart_min_framework");
3460 return 0;
3461 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3462 SLOGD("Password is default - restarting filesystem");
3463 cryptfs_restart_internal(0);
3464 return 0;
3465 } else {
3466 SLOGE("Encrypted, default crypt type but can't decrypt");
3467 }
3468 }
3469
3470 /** Corrupt. Allow us to boot into framework, which will detect bad
3471 crypto when it calls do_crypto_complete, then do a factory reset
3472 */
3473 property_set("vold.decrypt", "trigger_restart_min_framework");
3474 return 0;
3475 }
3476
3477 /* Returns type of the password, default, pattern, pin or password.
3478 */
cryptfs_get_password_type(void)3479 int cryptfs_get_password_type(void)
3480 {
3481 struct crypt_mnt_ftr crypt_ftr;
3482
3483 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3484 SLOGE("Error getting crypt footer and key\n");
3485 return -1;
3486 }
3487
3488 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3489 return -1;
3490 }
3491
3492 return crypt_ftr.crypt_type;
3493 }
3494
cryptfs_get_password()3495 char* cryptfs_get_password()
3496 {
3497 struct timespec now;
3498 clock_gettime(CLOCK_MONOTONIC, &now);
3499 if (now.tv_sec < password_expiry_time) {
3500 return password;
3501 } else {
3502 cryptfs_clear_password();
3503 return 0;
3504 }
3505 }
3506
cryptfs_clear_password()3507 void cryptfs_clear_password()
3508 {
3509 if (password) {
3510 size_t len = strlen(password);
3511 memset(password, 0, len);
3512 free(password);
3513 password = 0;
3514 password_expiry_time = 0;
3515 }
3516 }
3517