1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <errno.h>
40 #include <ext4.h>
41 #include <linux/kdev_t.h>
42 #include <fs_mgr.h>
43 #include <time.h>
44 #include <math.h>
45 #include "cryptfs.h"
46 #define LOG_TAG "Cryptfs"
47 #include "cutils/log.h"
48 #include "cutils/properties.h"
49 #include "cutils/android_reboot.h"
50 #include "hardware_legacy/power.h"
51 #include <logwrap/logwrap.h>
52 #include "VolumeManager.h"
53 #include "VoldUtil.h"
54 #include "crypto_scrypt.h"
55 #include "ext4_utils.h"
56 #include "f2fs_sparseblock.h"
57 #include "CheckBattery.h"
58 #include "Process.h"
59
60 #include <hardware/keymaster.h>
61
62 #define UNUSED __attribute__((unused))
63
64 #define UNUSED __attribute__((unused))
65
66 #ifdef CONFIG_HW_DISK_ENCRYPTION
67 #include "cryptfs_hw.h"
68 #endif
69
70 #define DM_CRYPT_BUF_SIZE 4096
71
72 #define HASH_COUNT 2000
73 #define KEY_LEN_BYTES 16
74 #define IV_LEN_BYTES 16
75
76 #define KEY_IN_FOOTER "footer"
77
78 // "default_password" encoded into hex (d=0x64 etc)
79 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
80
81 #define EXT4_FS 1
82 #define F2FS_FS 2
83
84 #define TABLE_LOAD_RETRIES 10
85
86 #define RSA_KEY_SIZE 2048
87 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
88 #define RSA_EXPONENT 0x10001
89
90 #define RETRY_MOUNT_ATTEMPTS 10
91 #define RETRY_MOUNT_DELAY_SECONDS 1
92
93 char *me = "cryptfs";
94
95 static unsigned char saved_master_key[KEY_LEN_BYTES];
96 static char *saved_mount_point;
97 static int master_key_saved = 0;
98 static struct crypt_persist_data *persist_data = NULL;
99
keymaster_init(keymaster_device_t ** keymaster_dev)100 static int keymaster_init(keymaster_device_t **keymaster_dev)
101 {
102 int rc;
103
104 const hw_module_t* mod;
105 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
106 if (rc) {
107 ALOGE("could not find any keystore module");
108 goto out;
109 }
110
111 rc = keymaster_open(mod, keymaster_dev);
112 if (rc) {
113 ALOGE("could not open keymaster device in %s (%s)",
114 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
115 goto out;
116 }
117
118 return 0;
119
120 out:
121 *keymaster_dev = NULL;
122 return rc;
123 }
124
125 /* Should we use keymaster? */
keymaster_check_compatibility()126 static int keymaster_check_compatibility()
127 {
128 keymaster_device_t *keymaster_dev = 0;
129 int rc = 0;
130
131 if (keymaster_init(&keymaster_dev)) {
132 SLOGE("Failed to init keymaster");
133 rc = -1;
134 goto out;
135 }
136
137 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);
138
139 if (keymaster_dev->common.module->module_api_version
140 < KEYMASTER_MODULE_API_VERSION_0_3) {
141 rc = 0;
142 goto out;
143 }
144
145 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
146 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
147 rc = 1;
148 }
149
150 out:
151 keymaster_close(keymaster_dev);
152 return rc;
153 }
154
155 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)156 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
157 {
158 uint8_t* key = 0;
159 keymaster_device_t *keymaster_dev = 0;
160
161 if (keymaster_init(&keymaster_dev)) {
162 SLOGE("Failed to init keymaster");
163 return -1;
164 }
165
166 int rc = 0;
167
168 keymaster_rsa_keygen_params_t params;
169 memset(¶ms, '\0', sizeof(params));
170 params.public_exponent = RSA_EXPONENT;
171 params.modulus_size = RSA_KEY_SIZE;
172
173 size_t key_size;
174 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms,
175 &key, &key_size)) {
176 SLOGE("Failed to generate keypair");
177 rc = -1;
178 goto out;
179 }
180
181 if (key_size > KEYMASTER_BLOB_SIZE) {
182 SLOGE("Keymaster key too large for crypto footer");
183 rc = -1;
184 goto out;
185 }
186
187 memcpy(ftr->keymaster_blob, key, key_size);
188 ftr->keymaster_blob_size = key_size;
189
190 out:
191 keymaster_close(keymaster_dev);
192 free(key);
193 return rc;
194 }
195
196 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)197 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
198 const unsigned char *object,
199 const size_t object_size,
200 unsigned char **signature,
201 size_t *signature_size)
202 {
203 int rc = 0;
204 keymaster_device_t *keymaster_dev = 0;
205 if (keymaster_init(&keymaster_dev)) {
206 SLOGE("Failed to init keymaster");
207 return -1;
208 }
209
210 /* We currently set the digest type to DIGEST_NONE because it's the
211 * only supported value for keymaster. A similar issue exists with
212 * PADDING_NONE. Long term both of these should likely change.
213 */
214 keymaster_rsa_sign_params_t params;
215 params.digest_type = DIGEST_NONE;
216 params.padding_type = PADDING_NONE;
217
218 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
219 size_t to_sign_size = sizeof(to_sign);
220 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
221
222 // To sign a message with RSA, the message must satisfy two
223 // constraints:
224 //
225 // 1. The message, when interpreted as a big-endian numeric value, must
226 // be strictly less than the public modulus of the RSA key. Note
227 // that because the most significant bit of the public modulus is
228 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
229 // key), an n-bit message with most significant bit 0 always
230 // satisfies this requirement.
231 //
232 // 2. The message must have the same length in bits as the public
233 // modulus of the RSA key. This requirement isn't mathematically
234 // necessary, but is necessary to ensure consistency in
235 // implementations.
236 switch (ftr->kdf_type) {
237 case KDF_SCRYPT_KEYMASTER_UNPADDED:
238 // This is broken: It produces a message which is shorter than
239 // the public modulus, failing criterion 2.
240 memcpy(to_sign, object, object_size);
241 to_sign_size = object_size;
242 SLOGI("Signing unpadded object");
243 break;
244 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
245 // This is broken: Since the value of object is uniformly
246 // distributed, it produces a message that is larger than the
247 // public modulus with probability 0.25.
248 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
249 SLOGI("Signing end-padded object");
250 break;
251 case KDF_SCRYPT_KEYMASTER:
252 // This ensures the most significant byte of the signed message
253 // is zero. We could have zero-padded to the left instead, but
254 // this approach is slightly more robust against changes in
255 // object size. However, it's still broken (but not unusably
256 // so) because we really should be using a proper RSA padding
257 // function, such as OAEP.
258 //
259 // TODO(paullawrence): When keymaster 0.4 is available, change
260 // this to use the padding options it provides.
261 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
262 SLOGI("Signing safely-padded object");
263 break;
264 default:
265 SLOGE("Unknown KDF type %d", ftr->kdf_type);
266 return -1;
267 }
268
269 rc = keymaster_dev->sign_data(keymaster_dev,
270 ¶ms,
271 ftr->keymaster_blob,
272 ftr->keymaster_blob_size,
273 to_sign,
274 to_sign_size,
275 signature,
276 signature_size);
277
278 keymaster_close(keymaster_dev);
279 return rc;
280 }
281
282 /* Store password when userdata is successfully decrypted and mounted.
283 * Cleared by cryptfs_clear_password
284 *
285 * To avoid a double prompt at boot, we need to store the CryptKeeper
286 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
287 * Since the entire framework is torn down and rebuilt after encryption,
288 * we have to use a daemon or similar to store the password. Since vold
289 * is secured against IPC except from system processes, it seems a reasonable
290 * place to store this.
291 *
292 * password should be cleared once it has been used.
293 *
294 * password is aged out after password_max_age_seconds seconds.
295 */
296 static char* password = 0;
297 static int password_expiry_time = 0;
298 static const int password_max_age_seconds = 60;
299
300 extern struct fstab *fstab;
301
302 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)303 static void cryptfs_reboot(enum RebootType rt)
304 {
305 switch(rt) {
306 case reboot:
307 property_set(ANDROID_RB_PROPERTY, "reboot");
308 break;
309
310 case recovery:
311 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
312 break;
313
314 case shutdown:
315 property_set(ANDROID_RB_PROPERTY, "shutdown");
316 break;
317 }
318
319 sleep(20);
320
321 /* Shouldn't get here, reboot should happen before sleep times out */
322 return;
323 }
324
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)325 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
326 {
327 memset(io, 0, dataSize);
328 io->data_size = dataSize;
329 io->data_start = sizeof(struct dm_ioctl);
330 io->version[0] = 4;
331 io->version[1] = 0;
332 io->version[2] = 0;
333 io->flags = flags;
334 if (name) {
335 strncpy(io->name, name, sizeof(io->name));
336 }
337 }
338
339 /**
340 * Gets the default device scrypt parameters for key derivation time tuning.
341 * The parameters should lead to about one second derivation time for the
342 * given device.
343 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)344 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
345 const int default_params[] = SCRYPT_DEFAULTS;
346 int params[] = SCRYPT_DEFAULTS;
347 char paramstr[PROPERTY_VALUE_MAX];
348 char *token;
349 char *saveptr;
350 int i;
351
352 property_get(SCRYPT_PROP, paramstr, "");
353 if (paramstr[0] != '\0') {
354 /*
355 * The token we're looking for should be three integers separated by
356 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
357 */
358 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
359 token != NULL && i < 3;
360 i++, token = strtok_r(NULL, ":", &saveptr)) {
361 char *endptr;
362 params[i] = strtol(token, &endptr, 10);
363
364 /*
365 * Check that there was a valid number and it's 8-bit. If not,
366 * break out and the end check will take the default values.
367 */
368 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
369 break;
370 }
371 }
372
373 /*
374 * If there were not enough tokens or a token was malformed (not an
375 * integer), it will end up here and the default parameters can be
376 * taken.
377 */
378 if ((i != 3) || (token != NULL)) {
379 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
380 memcpy(params, default_params, sizeof(params));
381 }
382 }
383
384 ftr->N_factor = params[0];
385 ftr->r_factor = params[1];
386 ftr->p_factor = params[2];
387 }
388
get_fs_size(char * dev)389 static unsigned int get_fs_size(char *dev)
390 {
391 int fd, block_size;
392 struct ext4_super_block sb;
393 off64_t len;
394
395 if ((fd = open(dev, O_RDONLY)) < 0) {
396 SLOGE("Cannot open device to get filesystem size ");
397 return 0;
398 }
399
400 if (lseek64(fd, 1024, SEEK_SET) < 0) {
401 SLOGE("Cannot seek to superblock");
402 return 0;
403 }
404
405 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
406 SLOGE("Cannot read superblock");
407 return 0;
408 }
409
410 close(fd);
411
412 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
413 SLOGE("Not a valid ext4 superblock");
414 return 0;
415 }
416 block_size = 1024 << sb.s_log_block_size;
417 /* compute length in bytes */
418 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
419
420 /* return length in sectors */
421 return (unsigned int) (len / 512);
422 }
423
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)424 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
425 {
426 static int cached_data = 0;
427 static off64_t cached_off = 0;
428 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
429 int fd;
430 char key_loc[PROPERTY_VALUE_MAX];
431 char real_blkdev[PROPERTY_VALUE_MAX];
432 unsigned int nr_sec;
433 int rc = -1;
434
435 if (!cached_data) {
436 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
437
438 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
439 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
440 SLOGE("Cannot open real block device %s\n", real_blkdev);
441 return -1;
442 }
443
444 if ((nr_sec = get_blkdev_size(fd))) {
445 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
446 * encryption info footer and key, and plenty of bytes to spare for future
447 * growth.
448 */
449 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
450 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
451 cached_data = 1;
452 } else {
453 SLOGE("Cannot get size of block device %s\n", real_blkdev);
454 }
455 close(fd);
456 } else {
457 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
458 cached_off = 0;
459 cached_data = 1;
460 }
461 }
462
463 if (cached_data) {
464 if (metadata_fname) {
465 *metadata_fname = cached_metadata_fname;
466 }
467 if (off) {
468 *off = cached_off;
469 }
470 rc = 0;
471 }
472
473 return rc;
474 }
475
476 /* key or salt can be NULL, in which case just skip writing that value. Useful to
477 * update the failed mount count but not change the key.
478 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)479 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
480 {
481 int fd;
482 unsigned int nr_sec, cnt;
483 /* starting_off is set to the SEEK_SET offset
484 * where the crypto structure starts
485 */
486 off64_t starting_off;
487 int rc = -1;
488 char *fname = NULL;
489 struct stat statbuf;
490
491 if (get_crypt_ftr_info(&fname, &starting_off)) {
492 SLOGE("Unable to get crypt_ftr_info\n");
493 return -1;
494 }
495 if (fname[0] != '/') {
496 SLOGE("Unexpected value for crypto key location\n");
497 return -1;
498 }
499 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
500 SLOGE("Cannot open footer file %s for put\n", fname);
501 return -1;
502 }
503
504 /* Seek to the start of the crypt footer */
505 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
506 SLOGE("Cannot seek to real block device footer\n");
507 goto errout;
508 }
509
510 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
511 SLOGE("Cannot write real block device footer\n");
512 goto errout;
513 }
514
515 fstat(fd, &statbuf);
516 /* If the keys are kept on a raw block device, do not try to truncate it. */
517 if (S_ISREG(statbuf.st_mode)) {
518 if (ftruncate(fd, 0x4000)) {
519 SLOGE("Cannot set footer file size\n");
520 goto errout;
521 }
522 }
523
524 /* Success! */
525 rc = 0;
526
527 errout:
528 close(fd);
529 return rc;
530
531 }
532
unix_read(int fd,void * buff,int len)533 static inline int unix_read(int fd, void* buff, int len)
534 {
535 return TEMP_FAILURE_RETRY(read(fd, buff, len));
536 }
537
unix_write(int fd,const void * buff,int len)538 static inline int unix_write(int fd, const void* buff, int len)
539 {
540 return TEMP_FAILURE_RETRY(write(fd, buff, len));
541 }
542
init_empty_persist_data(struct crypt_persist_data * pdata,int len)543 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
544 {
545 memset(pdata, 0, len);
546 pdata->persist_magic = PERSIST_DATA_MAGIC;
547 pdata->persist_valid_entries = 0;
548 }
549
550 /* A routine to update the passed in crypt_ftr to the lastest version.
551 * fd is open read/write on the device that holds the crypto footer and persistent
552 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
553 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
554 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)555 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
556 {
557 int orig_major = crypt_ftr->major_version;
558 int orig_minor = crypt_ftr->minor_version;
559
560 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
561 struct crypt_persist_data *pdata;
562 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
563
564 SLOGW("upgrading crypto footer to 1.1");
565
566 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
567 if (pdata == NULL) {
568 SLOGE("Cannot allocate persisent data\n");
569 return;
570 }
571 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
572
573 /* Need to initialize the persistent data area */
574 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
575 SLOGE("Cannot seek to persisent data offset\n");
576 return;
577 }
578 /* Write all zeros to the first copy, making it invalid */
579 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
580
581 /* Write a valid but empty structure to the second copy */
582 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
583 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
584
585 /* Update the footer */
586 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
587 crypt_ftr->persist_data_offset[0] = pdata_offset;
588 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
589 crypt_ftr->minor_version = 1;
590 }
591
592 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
593 SLOGW("upgrading crypto footer to 1.2");
594 /* But keep the old kdf_type.
595 * It will get updated later to KDF_SCRYPT after the password has been verified.
596 */
597 crypt_ftr->kdf_type = KDF_PBKDF2;
598 get_device_scrypt_params(crypt_ftr);
599 crypt_ftr->minor_version = 2;
600 }
601
602 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
603 SLOGW("upgrading crypto footer to 1.3");
604 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
605 crypt_ftr->minor_version = 3;
606 }
607
608 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
609 if (lseek64(fd, offset, SEEK_SET) == -1) {
610 SLOGE("Cannot seek to crypt footer\n");
611 return;
612 }
613 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
614 }
615 }
616
617
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)618 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
619 {
620 int fd;
621 unsigned int nr_sec, cnt;
622 off64_t starting_off;
623 int rc = -1;
624 char *fname = NULL;
625 struct stat statbuf;
626
627 if (get_crypt_ftr_info(&fname, &starting_off)) {
628 SLOGE("Unable to get crypt_ftr_info\n");
629 return -1;
630 }
631 if (fname[0] != '/') {
632 SLOGE("Unexpected value for crypto key location\n");
633 return -1;
634 }
635 if ( (fd = open(fname, O_RDWR)) < 0) {
636 SLOGE("Cannot open footer file %s for get\n", fname);
637 return -1;
638 }
639
640 /* Make sure it's 16 Kbytes in length */
641 fstat(fd, &statbuf);
642 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
643 SLOGE("footer file %s is not the expected size!\n", fname);
644 goto errout;
645 }
646
647 /* Seek to the start of the crypt footer */
648 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
649 SLOGE("Cannot seek to real block device footer\n");
650 goto errout;
651 }
652
653 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
654 SLOGE("Cannot read real block device footer\n");
655 goto errout;
656 }
657
658 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
659 SLOGE("Bad magic for real block device %s\n", fname);
660 goto errout;
661 }
662
663 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
664 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
665 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
666 goto errout;
667 }
668
669 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
670 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
671 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
672 }
673
674 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
675 * copy on disk before returning.
676 */
677 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
678 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
679 }
680
681 /* Success! */
682 rc = 0;
683
684 errout:
685 close(fd);
686 return rc;
687 }
688
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)689 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
690 {
691 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
692 crypt_ftr->persist_data_offset[1]) {
693 SLOGE("Crypt_ftr persist data regions overlap");
694 return -1;
695 }
696
697 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
698 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
699 return -1;
700 }
701
702 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
703 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
704 CRYPT_FOOTER_OFFSET) {
705 SLOGE("Persistent data extends past crypto footer");
706 return -1;
707 }
708
709 return 0;
710 }
711
load_persistent_data(void)712 static int load_persistent_data(void)
713 {
714 struct crypt_mnt_ftr crypt_ftr;
715 struct crypt_persist_data *pdata = NULL;
716 char encrypted_state[PROPERTY_VALUE_MAX];
717 char *fname;
718 int found = 0;
719 int fd;
720 int ret;
721 int i;
722
723 if (persist_data) {
724 /* Nothing to do, we've already loaded or initialized it */
725 return 0;
726 }
727
728
729 /* If not encrypted, just allocate an empty table and initialize it */
730 property_get("ro.crypto.state", encrypted_state, "");
731 if (strcmp(encrypted_state, "encrypted") ) {
732 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
733 if (pdata) {
734 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
735 persist_data = pdata;
736 return 0;
737 }
738 return -1;
739 }
740
741 if(get_crypt_ftr_and_key(&crypt_ftr)) {
742 return -1;
743 }
744
745 if ((crypt_ftr.major_version < 1)
746 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
747 SLOGE("Crypt_ftr version doesn't support persistent data");
748 return -1;
749 }
750
751 if (get_crypt_ftr_info(&fname, NULL)) {
752 return -1;
753 }
754
755 ret = validate_persistent_data_storage(&crypt_ftr);
756 if (ret) {
757 return -1;
758 }
759
760 fd = open(fname, O_RDONLY);
761 if (fd < 0) {
762 SLOGE("Cannot open %s metadata file", fname);
763 return -1;
764 }
765
766 if (persist_data == NULL) {
767 pdata = malloc(crypt_ftr.persist_data_size);
768 if (pdata == NULL) {
769 SLOGE("Cannot allocate memory for persistent data");
770 goto err;
771 }
772 }
773
774 for (i = 0; i < 2; i++) {
775 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
776 SLOGE("Cannot seek to read persistent data on %s", fname);
777 goto err2;
778 }
779 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
780 SLOGE("Error reading persistent data on iteration %d", i);
781 goto err2;
782 }
783 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
784 found = 1;
785 break;
786 }
787 }
788
789 if (!found) {
790 SLOGI("Could not find valid persistent data, creating");
791 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
792 }
793
794 /* Success */
795 persist_data = pdata;
796 close(fd);
797 return 0;
798
799 err2:
800 free(pdata);
801
802 err:
803 close(fd);
804 return -1;
805 }
806
save_persistent_data(void)807 static int save_persistent_data(void)
808 {
809 struct crypt_mnt_ftr crypt_ftr;
810 struct crypt_persist_data *pdata;
811 char *fname;
812 off64_t write_offset;
813 off64_t erase_offset;
814 int found = 0;
815 int fd;
816 int ret;
817
818 if (persist_data == NULL) {
819 SLOGE("No persistent data to save");
820 return -1;
821 }
822
823 if(get_crypt_ftr_and_key(&crypt_ftr)) {
824 return -1;
825 }
826
827 if ((crypt_ftr.major_version < 1)
828 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
829 SLOGE("Crypt_ftr version doesn't support persistent data");
830 return -1;
831 }
832
833 ret = validate_persistent_data_storage(&crypt_ftr);
834 if (ret) {
835 return -1;
836 }
837
838 if (get_crypt_ftr_info(&fname, NULL)) {
839 return -1;
840 }
841
842 fd = open(fname, O_RDWR);
843 if (fd < 0) {
844 SLOGE("Cannot open %s metadata file", fname);
845 return -1;
846 }
847
848 pdata = malloc(crypt_ftr.persist_data_size);
849 if (pdata == NULL) {
850 SLOGE("Cannot allocate persistant data");
851 goto err;
852 }
853
854 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
855 SLOGE("Cannot seek to read persistent data on %s", fname);
856 goto err2;
857 }
858
859 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
860 SLOGE("Error reading persistent data before save");
861 goto err2;
862 }
863
864 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
865 /* The first copy is the curent valid copy, so write to
866 * the second copy and erase this one */
867 write_offset = crypt_ftr.persist_data_offset[1];
868 erase_offset = crypt_ftr.persist_data_offset[0];
869 } else {
870 /* The second copy must be the valid copy, so write to
871 * the first copy, and erase the second */
872 write_offset = crypt_ftr.persist_data_offset[0];
873 erase_offset = crypt_ftr.persist_data_offset[1];
874 }
875
876 /* Write the new copy first, if successful, then erase the old copy */
877 if (lseek(fd, write_offset, SEEK_SET) < 0) {
878 SLOGE("Cannot seek to write persistent data");
879 goto err2;
880 }
881 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
882 (int) crypt_ftr.persist_data_size) {
883 if (lseek(fd, erase_offset, SEEK_SET) < 0) {
884 SLOGE("Cannot seek to erase previous persistent data");
885 goto err2;
886 }
887 fsync(fd);
888 memset(pdata, 0, crypt_ftr.persist_data_size);
889 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
890 (int) crypt_ftr.persist_data_size) {
891 SLOGE("Cannot write to erase previous persistent data");
892 goto err2;
893 }
894 fsync(fd);
895 } else {
896 SLOGE("Cannot write to save persistent data");
897 goto err2;
898 }
899
900 /* Success */
901 free(pdata);
902 close(fd);
903 return 0;
904
905 err2:
906 free(pdata);
907 err:
908 close(fd);
909 return -1;
910 }
911
hexdigit(char c)912 static int hexdigit (char c)
913 {
914 if (c >= '0' && c <= '9') return c - '0';
915 c = tolower(c);
916 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
917 return -1;
918 }
919
convert_hex_ascii_to_key(const char * master_key_ascii,unsigned int * out_keysize)920 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
921 unsigned int* out_keysize)
922 {
923 unsigned int i;
924 *out_keysize = 0;
925
926 size_t size = strlen (master_key_ascii);
927 if (size % 2) {
928 SLOGE("Trying to convert ascii string of odd length");
929 return NULL;
930 }
931
932 unsigned char* master_key = (unsigned char*) malloc(size / 2);
933 if (master_key == 0) {
934 SLOGE("Cannot allocate");
935 return NULL;
936 }
937
938 for (i = 0; i < size; i += 2) {
939 int high_nibble = hexdigit (master_key_ascii[i]);
940 int low_nibble = hexdigit (master_key_ascii[i + 1]);
941
942 if(high_nibble < 0 || low_nibble < 0) {
943 SLOGE("Invalid hex string");
944 free (master_key);
945 return NULL;
946 }
947
948 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
949 (*out_keysize)++;
950 }
951
952 return master_key;
953 }
954
955 /* Convert a binary key of specified length into an ascii hex string equivalent,
956 * without the leading 0x and with null termination
957 */
convert_key_to_hex_ascii(unsigned char * master_key,unsigned int keysize,char * master_key_ascii)958 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
959 char *master_key_ascii)
960 {
961 unsigned int i, a;
962 unsigned char nibble;
963
964 for (i=0, a=0; i<keysize; i++, a+=2) {
965 /* For each byte, write out two ascii hex digits */
966 nibble = (master_key[i] >> 4) & 0xf;
967 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
968
969 nibble = master_key[i] & 0xf;
970 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
971 }
972
973 /* Add the null termination */
974 master_key_ascii[a] = '\0';
975
976 }
977
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,unsigned char * master_key,char * real_blk_name,const char * name,int fd,char * extra_params)978 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
979 char *real_blk_name, const char *name, int fd,
980 char *extra_params)
981 {
982 char buffer[DM_CRYPT_BUF_SIZE];
983 struct dm_ioctl *io;
984 struct dm_target_spec *tgt;
985 char *crypt_params;
986 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
987 int i;
988
989 io = (struct dm_ioctl *) buffer;
990
991 /* Load the mapping table for this device */
992 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
993
994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
995 io->target_count = 1;
996 tgt->status = 0;
997 tgt->sector_start = 0;
998 tgt->length = crypt_ftr->fs_size;
999 #ifdef CONFIG_HW_DISK_ENCRYPTION
1000 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1001 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1002 }
1003 else {
1004 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1005 }
1006 #else
1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1008 #endif
1009
1010 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1011 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1012 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1013 master_key_ascii, real_blk_name, extra_params);
1014 crypt_params += strlen(crypt_params) + 1;
1015 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1016 tgt->next = crypt_params - buffer;
1017
1018 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1019 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1020 break;
1021 }
1022 usleep(500000);
1023 }
1024
1025 if (i == TABLE_LOAD_RETRIES) {
1026 /* We failed to load the table, return an error */
1027 return -1;
1028 } else {
1029 return i + 1;
1030 }
1031 }
1032
1033
get_dm_crypt_version(int fd,const char * name,int * version)1034 static int get_dm_crypt_version(int fd, const char *name, int *version)
1035 {
1036 char buffer[DM_CRYPT_BUF_SIZE];
1037 struct dm_ioctl *io;
1038 struct dm_target_versions *v;
1039 int i;
1040
1041 io = (struct dm_ioctl *) buffer;
1042
1043 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1044
1045 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1046 return -1;
1047 }
1048
1049 /* Iterate over the returned versions, looking for name of "crypt".
1050 * When found, get and return the version.
1051 */
1052 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1053 while (v->next) {
1054 #ifdef CONFIG_HW_DISK_ENCRYPTION
1055 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1056 #else
1057 if (! strcmp(v->name, "crypt")) {
1058 #endif
1059 /* We found the crypt driver, return the version, and get out */
1060 version[0] = v->version[0];
1061 version[1] = v->version[1];
1062 version[2] = v->version[2];
1063 return 0;
1064 }
1065 v = (struct dm_target_versions *)(((char *)v) + v->next);
1066 }
1067
1068 return -1;
1069 }
1070
1071 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
1072 char *real_blk_name, char *crypto_blk_name, const char *name)
1073 {
1074 char buffer[DM_CRYPT_BUF_SIZE];
1075 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1076 char *crypt_params;
1077 struct dm_ioctl *io;
1078 struct dm_target_spec *tgt;
1079 unsigned int minor;
1080 int fd=0;
1081 int i;
1082 int retval = -1;
1083 int version[3];
1084 char *extra_params;
1085 int load_count;
1086
1087 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1088 SLOGE("Cannot open device-mapper\n");
1089 goto errout;
1090 }
1091
1092 io = (struct dm_ioctl *) buffer;
1093
1094 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1095 if (ioctl(fd, DM_DEV_CREATE, io)) {
1096 SLOGE("Cannot create dm-crypt device\n");
1097 goto errout;
1098 }
1099
1100 /* Get the device status, in particular, the name of it's device file */
1101 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1102 if (ioctl(fd, DM_DEV_STATUS, io)) {
1103 SLOGE("Cannot retrieve dm-crypt device status\n");
1104 goto errout;
1105 }
1106 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1107 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1108
1109 extra_params = "";
1110 if (! get_dm_crypt_version(fd, name, version)) {
1111 /* Support for allow_discards was added in version 1.11.0 */
1112 if ((version[0] >= 2) ||
1113 ((version[0] == 1) && (version[1] >= 11))) {
1114 extra_params = "1 allow_discards";
1115 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1116 }
1117 }
1118
1119 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1120 fd, extra_params);
1121 if (load_count < 0) {
1122 SLOGE("Cannot load dm-crypt mapping table.\n");
1123 goto errout;
1124 } else if (load_count > 1) {
1125 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1126 }
1127
1128 /* Resume this device to activate it */
1129 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1130
1131 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1132 SLOGE("Cannot resume the dm-crypt device\n");
1133 goto errout;
1134 }
1135
1136 /* We made it here with no errors. Woot! */
1137 retval = 0;
1138
1139 errout:
1140 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1141
1142 return retval;
1143 }
1144
1145 static int delete_crypto_blk_dev(char *name)
1146 {
1147 int fd;
1148 char buffer[DM_CRYPT_BUF_SIZE];
1149 struct dm_ioctl *io;
1150 int retval = -1;
1151
1152 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1153 SLOGE("Cannot open device-mapper\n");
1154 goto errout;
1155 }
1156
1157 io = (struct dm_ioctl *) buffer;
1158
1159 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1160 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1161 SLOGE("Cannot remove dm-crypt device\n");
1162 goto errout;
1163 }
1164
1165 /* We made it here with no errors. Woot! */
1166 retval = 0;
1167
1168 errout:
1169 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1170
1171 return retval;
1172
1173 }
1174
1175 static int pbkdf2(const char *passwd, const unsigned char *salt,
1176 unsigned char *ikey, void *params UNUSED)
1177 {
1178 SLOGI("Using pbkdf2 for cryptfs KDF");
1179
1180 /* Turn the password into a key and IV that can decrypt the master key */
1181 unsigned int keysize;
1182 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1183 if (!master_key) return -1;
1184 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1185 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1186
1187 memset(master_key, 0, keysize);
1188 free (master_key);
1189 return 0;
1190 }
1191
1192 static int scrypt(const char *passwd, const unsigned char *salt,
1193 unsigned char *ikey, void *params)
1194 {
1195 SLOGI("Using scrypt for cryptfs KDF");
1196
1197 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1198
1199 int N = 1 << ftr->N_factor;
1200 int r = 1 << ftr->r_factor;
1201 int p = 1 << ftr->p_factor;
1202
1203 /* Turn the password into a key and IV that can decrypt the master key */
1204 unsigned int keysize;
1205 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1206 if (!master_key) return -1;
1207 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1208 KEY_LEN_BYTES + IV_LEN_BYTES);
1209
1210 memset(master_key, 0, keysize);
1211 free (master_key);
1212 return 0;
1213 }
1214
1215 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1216 unsigned char *ikey, void *params)
1217 {
1218 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1219
1220 int rc;
1221 unsigned int key_size;
1222 size_t signature_size;
1223 unsigned char* signature;
1224 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1225
1226 int N = 1 << ftr->N_factor;
1227 int r = 1 << ftr->r_factor;
1228 int p = 1 << ftr->p_factor;
1229
1230 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1231 if (!master_key) {
1232 SLOGE("Failed to convert passwd from hex");
1233 return -1;
1234 }
1235
1236 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1237 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1238 memset(master_key, 0, key_size);
1239 free(master_key);
1240
1241 if (rc) {
1242 SLOGE("scrypt failed");
1243 return -1;
1244 }
1245
1246 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1247 &signature, &signature_size)) {
1248 SLOGE("Signing failed");
1249 return -1;
1250 }
1251
1252 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1253 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1254 free(signature);
1255
1256 if (rc) {
1257 SLOGE("scrypt failed");
1258 return -1;
1259 }
1260
1261 return 0;
1262 }
1263
1264 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1265 const unsigned char *decrypted_master_key,
1266 unsigned char *encrypted_master_key,
1267 struct crypt_mnt_ftr *crypt_ftr)
1268 {
1269 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1270 EVP_CIPHER_CTX e_ctx;
1271 int encrypted_len, final_len;
1272 int rc = 0;
1273
1274 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1275 get_device_scrypt_params(crypt_ftr);
1276
1277 switch (crypt_ftr->kdf_type) {
1278 case KDF_SCRYPT_KEYMASTER_UNPADDED:
1279 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
1280 case KDF_SCRYPT_KEYMASTER:
1281 if (keymaster_create_key(crypt_ftr)) {
1282 SLOGE("keymaster_create_key failed");
1283 return -1;
1284 }
1285
1286 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1287 SLOGE("scrypt failed");
1288 return -1;
1289 }
1290 break;
1291
1292 case KDF_SCRYPT:
1293 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1294 SLOGE("scrypt failed");
1295 return -1;
1296 }
1297 break;
1298
1299 default:
1300 SLOGE("Invalid kdf_type");
1301 return -1;
1302 }
1303
1304 /* Initialize the decryption engine */
1305 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1306 SLOGE("EVP_EncryptInit failed\n");
1307 return -1;
1308 }
1309 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1310
1311 /* Encrypt the master key */
1312 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1313 decrypted_master_key, KEY_LEN_BYTES)) {
1314 SLOGE("EVP_EncryptUpdate failed\n");
1315 return -1;
1316 }
1317 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1318 SLOGE("EVP_EncryptFinal failed\n");
1319 return -1;
1320 }
1321
1322 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1323 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1324 return -1;
1325 }
1326
1327 /* Store the scrypt of the intermediate key, so we can validate if it's a
1328 password error or mount error when things go wrong.
1329 Note there's no need to check for errors, since if this is incorrect, we
1330 simply won't wipe userdata, which is the correct default behavior
1331 */
1332 int N = 1 << crypt_ftr->N_factor;
1333 int r = 1 << crypt_ftr->r_factor;
1334 int p = 1 << crypt_ftr->p_factor;
1335
1336 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1337 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1338 crypt_ftr->scrypted_intermediate_key,
1339 sizeof(crypt_ftr->scrypted_intermediate_key));
1340
1341 if (rc) {
1342 SLOGE("encrypt_master_key: crypto_scrypt failed");
1343 }
1344
1345 return 0;
1346 }
1347
1348 static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1349 unsigned char *encrypted_master_key,
1350 unsigned char *decrypted_master_key,
1351 kdf_func kdf, void *kdf_params,
1352 unsigned char** intermediate_key,
1353 size_t* intermediate_key_size)
1354 {
1355 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1356 EVP_CIPHER_CTX d_ctx;
1357 int decrypted_len, final_len;
1358
1359 /* Turn the password into an intermediate key and IV that can decrypt the
1360 master key */
1361 if (kdf(passwd, salt, ikey, kdf_params)) {
1362 SLOGE("kdf failed");
1363 return -1;
1364 }
1365
1366 /* Initialize the decryption engine */
1367 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1368 return -1;
1369 }
1370 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1371 /* Decrypt the master key */
1372 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1373 encrypted_master_key, KEY_LEN_BYTES)) {
1374 return -1;
1375 }
1376 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1377 return -1;
1378 }
1379
1380 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1381 return -1;
1382 }
1383
1384 /* Copy intermediate key if needed by params */
1385 if (intermediate_key && intermediate_key_size) {
1386 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1387 if (intermediate_key) {
1388 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1389 *intermediate_key_size = KEY_LEN_BYTES;
1390 }
1391 }
1392
1393 return 0;
1394 }
1395
1396 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1397 {
1398 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
1399 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
1400 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1401 *kdf = scrypt_keymaster;
1402 *kdf_params = ftr;
1403 } else if (ftr->kdf_type == KDF_SCRYPT) {
1404 *kdf = scrypt;
1405 *kdf_params = ftr;
1406 } else {
1407 *kdf = pbkdf2;
1408 *kdf_params = NULL;
1409 }
1410 }
1411
1412 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1413 struct crypt_mnt_ftr *crypt_ftr,
1414 unsigned char** intermediate_key,
1415 size_t* intermediate_key_size)
1416 {
1417 kdf_func kdf;
1418 void *kdf_params;
1419 int ret;
1420
1421 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1422 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1423 decrypted_master_key, kdf, kdf_params,
1424 intermediate_key, intermediate_key_size);
1425 if (ret != 0) {
1426 SLOGW("failure decrypting master key");
1427 }
1428
1429 return ret;
1430 }
1431
1432 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1433 struct crypt_mnt_ftr *crypt_ftr) {
1434 int fd;
1435 unsigned char key_buf[KEY_LEN_BYTES];
1436 EVP_CIPHER_CTX e_ctx;
1437 int encrypted_len, final_len;
1438
1439 /* Get some random bits for a key */
1440 fd = open("/dev/urandom", O_RDONLY);
1441 read(fd, key_buf, sizeof(key_buf));
1442 read(fd, salt, SALT_LEN);
1443 close(fd);
1444
1445 /* Now encrypt it with the password */
1446 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1447 }
1448
1449 static int wait_and_unmount(char *mountpoint, bool kill)
1450 {
1451 int i, err, rc;
1452 #define WAIT_UNMOUNT_COUNT 20
1453
1454 /* Now umount the tmpfs filesystem */
1455 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1456 if (umount(mountpoint) == 0) {
1457 break;
1458 }
1459
1460 if (errno == EINVAL) {
1461 /* EINVAL is returned if the directory is not a mountpoint,
1462 * i.e. there is no filesystem mounted there. So just get out.
1463 */
1464 break;
1465 }
1466
1467 err = errno;
1468
1469 /* If allowed, be increasingly aggressive before the last two retries */
1470 if (kill) {
1471 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1472 SLOGW("sending SIGHUP to processes with open files\n");
1473 vold_killProcessesWithOpenFiles(mountpoint, 1);
1474 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1475 SLOGW("sending SIGKILL to processes with open files\n");
1476 vold_killProcessesWithOpenFiles(mountpoint, 2);
1477 }
1478 }
1479
1480 sleep(1);
1481 }
1482
1483 if (i < WAIT_UNMOUNT_COUNT) {
1484 SLOGD("unmounting %s succeeded\n", mountpoint);
1485 rc = 0;
1486 } else {
1487 vold_killProcessesWithOpenFiles(mountpoint, 0);
1488 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1489 rc = -1;
1490 }
1491
1492 return rc;
1493 }
1494
1495 #define DATA_PREP_TIMEOUT 200
1496 static int prep_data_fs(void)
1497 {
1498 int i;
1499
1500 /* Do the prep of the /data filesystem */
1501 property_set("vold.post_fs_data_done", "0");
1502 property_set("vold.decrypt", "trigger_post_fs_data");
1503 SLOGD("Just triggered post_fs_data\n");
1504
1505 /* Wait a max of 50 seconds, hopefully it takes much less */
1506 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1507 char p[PROPERTY_VALUE_MAX];
1508
1509 property_get("vold.post_fs_data_done", p, "0");
1510 if (*p == '1') {
1511 break;
1512 } else {
1513 usleep(250000);
1514 }
1515 }
1516 if (i == DATA_PREP_TIMEOUT) {
1517 /* Ugh, we failed to prep /data in time. Bail. */
1518 SLOGE("post_fs_data timed out!\n");
1519 return -1;
1520 } else {
1521 SLOGD("post_fs_data done\n");
1522 return 0;
1523 }
1524 }
1525
1526 static void cryptfs_set_corrupt()
1527 {
1528 // Mark the footer as bad
1529 struct crypt_mnt_ftr crypt_ftr;
1530 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1531 SLOGE("Failed to get crypto footer - panic");
1532 return;
1533 }
1534
1535 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1536 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1537 SLOGE("Failed to set crypto footer - panic");
1538 return;
1539 }
1540 }
1541
1542 static void cryptfs_trigger_restart_min_framework()
1543 {
1544 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1545 SLOGE("Failed to mount tmpfs on data - panic");
1546 return;
1547 }
1548
1549 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1550 SLOGE("Failed to trigger post fs data - panic");
1551 return;
1552 }
1553
1554 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1555 SLOGE("Failed to trigger restart min framework - panic");
1556 return;
1557 }
1558 }
1559
1560 /* returns < 0 on failure */
1561 static int cryptfs_restart_internal(int restart_main)
1562 {
1563 char fs_type[32];
1564 char real_blkdev[MAXPATHLEN];
1565 char crypto_blkdev[MAXPATHLEN];
1566 char fs_options[256];
1567 unsigned long mnt_flags;
1568 struct stat statbuf;
1569 int rc = -1, i;
1570 static int restart_successful = 0;
1571
1572 /* Validate that it's OK to call this routine */
1573 if (! master_key_saved) {
1574 SLOGE("Encrypted filesystem not validated, aborting");
1575 return -1;
1576 }
1577
1578 if (restart_successful) {
1579 SLOGE("System already restarted with encrypted disk, aborting");
1580 return -1;
1581 }
1582
1583 if (restart_main) {
1584 /* Here is where we shut down the framework. The init scripts
1585 * start all services in one of three classes: core, main or late_start.
1586 * On boot, we start core and main. Now, we stop main, but not core,
1587 * as core includes vold and a few other really important things that
1588 * we need to keep running. Once main has stopped, we should be able
1589 * to umount the tmpfs /data, then mount the encrypted /data.
1590 * We then restart the class main, and also the class late_start.
1591 * At the moment, I've only put a few things in late_start that I know
1592 * are not needed to bring up the framework, and that also cause problems
1593 * with unmounting the tmpfs /data, but I hope to add add more services
1594 * to the late_start class as we optimize this to decrease the delay
1595 * till the user is asked for the password to the filesystem.
1596 */
1597
1598 /* The init files are setup to stop the class main when vold.decrypt is
1599 * set to trigger_reset_main.
1600 */
1601 property_set("vold.decrypt", "trigger_reset_main");
1602 SLOGD("Just asked init to shut down class main\n");
1603
1604 /* Ugh, shutting down the framework is not synchronous, so until it
1605 * can be fixed, this horrible hack will wait a moment for it all to
1606 * shut down before proceeding. Without it, some devices cannot
1607 * restart the graphics services.
1608 */
1609 sleep(2);
1610 }
1611
1612 /* Now that the framework is shutdown, we should be able to umount()
1613 * the tmpfs filesystem, and mount the real one.
1614 */
1615
1616 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1617 if (strlen(crypto_blkdev) == 0) {
1618 SLOGE("fs_crypto_blkdev not set\n");
1619 return -1;
1620 }
1621
1622 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1623 /* If ro.crypto.readonly is set to 1, mount the decrypted
1624 * filesystem readonly. This is used when /data is mounted by
1625 * recovery mode.
1626 */
1627 char ro_prop[PROPERTY_VALUE_MAX];
1628 property_get("ro.crypto.readonly", ro_prop, "");
1629 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1630 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1631 rec->flags |= MS_RDONLY;
1632 }
1633
1634 /* If that succeeded, then mount the decrypted filesystem */
1635 int retries = RETRY_MOUNT_ATTEMPTS;
1636 int mount_rc;
1637 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1638 crypto_blkdev, 0))
1639 != 0) {
1640 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1641 /* TODO: invoke something similar to
1642 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1643 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1644 SLOGI("Failed to mount %s because it is busy - waiting",
1645 crypto_blkdev);
1646 if (--retries) {
1647 sleep(RETRY_MOUNT_DELAY_SECONDS);
1648 } else {
1649 /* Let's hope that a reboot clears away whatever is keeping
1650 the mount busy */
1651 cryptfs_reboot(reboot);
1652 }
1653 } else {
1654 SLOGE("Failed to mount decrypted data");
1655 cryptfs_set_corrupt();
1656 cryptfs_trigger_restart_min_framework();
1657 SLOGI("Started framework to offer wipe");
1658 return -1;
1659 }
1660 }
1661
1662 property_set("vold.decrypt", "trigger_load_persist_props");
1663 /* Create necessary paths on /data */
1664 if (prep_data_fs()) {
1665 return -1;
1666 }
1667
1668 /* startup service classes main and late_start */
1669 property_set("vold.decrypt", "trigger_restart_framework");
1670 SLOGD("Just triggered restart_framework\n");
1671
1672 /* Give it a few moments to get started */
1673 sleep(1);
1674 }
1675
1676 if (rc == 0) {
1677 restart_successful = 1;
1678 }
1679
1680 return rc;
1681 }
1682
1683 int cryptfs_restart(void)
1684 {
1685 /* Call internal implementation forcing a restart of main service group */
1686 return cryptfs_restart_internal(1);
1687 }
1688
1689 static int do_crypto_complete(char *mount_point UNUSED)
1690 {
1691 struct crypt_mnt_ftr crypt_ftr;
1692 char encrypted_state[PROPERTY_VALUE_MAX];
1693 char key_loc[PROPERTY_VALUE_MAX];
1694
1695 property_get("ro.crypto.state", encrypted_state, "");
1696 if (strcmp(encrypted_state, "encrypted") ) {
1697 SLOGE("not running with encryption, aborting");
1698 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1699 }
1700
1701 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1702 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1703
1704 /*
1705 * Only report this error if key_loc is a file and it exists.
1706 * If the device was never encrypted, and /data is not mountable for
1707 * some reason, returning 1 should prevent the UI from presenting the
1708 * a "enter password" screen, or worse, a "press button to wipe the
1709 * device" screen.
1710 */
1711 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1712 SLOGE("master key file does not exist, aborting");
1713 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1714 } else {
1715 SLOGE("Error getting crypt footer and key\n");
1716 return CRYPTO_COMPLETE_BAD_METADATA;
1717 }
1718 }
1719
1720 // Test for possible error flags
1721 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1722 SLOGE("Encryption process is partway completed\n");
1723 return CRYPTO_COMPLETE_PARTIAL;
1724 }
1725
1726 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1727 SLOGE("Encryption process was interrupted but cannot continue\n");
1728 return CRYPTO_COMPLETE_INCONSISTENT;
1729 }
1730
1731 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1732 SLOGE("Encryption is successful but data is corrupt\n");
1733 return CRYPTO_COMPLETE_CORRUPT;
1734 }
1735
1736 /* We passed the test! We shall diminish, and return to the west */
1737 return CRYPTO_COMPLETE_ENCRYPTED;
1738 }
1739
1740 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1741 char *passwd, char *mount_point, char *label)
1742 {
1743 /* Allocate enough space for a 256 bit key, but we may use less */
1744 unsigned char decrypted_master_key[32];
1745 char crypto_blkdev[MAXPATHLEN];
1746 char real_blkdev[MAXPATHLEN];
1747 char tmp_mount_point[64];
1748 unsigned int orig_failed_decrypt_count;
1749 int rc;
1750 kdf_func kdf;
1751 void *kdf_params;
1752 int use_keymaster = 0;
1753 int upgrade = 0;
1754 unsigned char* intermediate_key = 0;
1755 size_t intermediate_key_size = 0;
1756
1757 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1758 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1759
1760 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1761 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1762 &intermediate_key, &intermediate_key_size)) {
1763 SLOGE("Failed to decrypt master key\n");
1764 rc = -1;
1765 goto errout;
1766 }
1767 }
1768
1769 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1770
1771 #ifdef CONFIG_HW_DISK_ENCRYPTION
1772 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1773 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1774 SLOGE("Hardware encryption key does not match");
1775 }
1776 }
1777 #endif
1778
1779 // Create crypto block device - all (non fatal) code paths
1780 // need it
1781 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1782 real_blkdev, crypto_blkdev, label)) {
1783 SLOGE("Error creating decrypted block device\n");
1784 rc = -1;
1785 goto errout;
1786 }
1787
1788 /* Work out if the problem is the password or the data */
1789 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1790 scrypted_intermediate_key)];
1791 int N = 1 << crypt_ftr->N_factor;
1792 int r = 1 << crypt_ftr->r_factor;
1793 int p = 1 << crypt_ftr->p_factor;
1794
1795 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1796 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1797 N, r, p, scrypted_intermediate_key,
1798 sizeof(scrypted_intermediate_key));
1799
1800 // Does the key match the crypto footer?
1801 if (rc == 0 && memcmp(scrypted_intermediate_key,
1802 crypt_ftr->scrypted_intermediate_key,
1803 sizeof(scrypted_intermediate_key)) == 0) {
1804 SLOGI("Password matches");
1805 rc = 0;
1806 } else {
1807 /* Try mounting the file system anyway, just in case the problem's with
1808 * the footer, not the key. */
1809 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1810 mkdir(tmp_mount_point, 0755);
1811 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1812 SLOGE("Error temp mounting decrypted block device\n");
1813 delete_crypto_blk_dev(label);
1814
1815 rc = ++crypt_ftr->failed_decrypt_count;
1816 put_crypt_ftr_and_key(crypt_ftr);
1817 } else {
1818 /* Success! */
1819 SLOGI("Password did not match but decrypted drive mounted - continue");
1820 umount(tmp_mount_point);
1821 rc = 0;
1822 }
1823 }
1824
1825 if (rc == 0) {
1826 crypt_ftr->failed_decrypt_count = 0;
1827 if (orig_failed_decrypt_count != 0) {
1828 put_crypt_ftr_and_key(crypt_ftr);
1829 }
1830
1831 /* Save the name of the crypto block device
1832 * so we can mount it when restarting the framework. */
1833 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1834
1835 /* Also save a the master key so we can reencrypted the key
1836 * the key when we want to change the password on it. */
1837 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1838 saved_mount_point = strdup(mount_point);
1839 master_key_saved = 1;
1840 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1841 rc = 0;
1842
1843 // Upgrade if we're not using the latest KDF.
1844 use_keymaster = keymaster_check_compatibility();
1845 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1846 // Don't allow downgrade
1847 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1848 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1849 upgrade = 1;
1850 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1851 crypt_ftr->kdf_type = KDF_SCRYPT;
1852 upgrade = 1;
1853 }
1854
1855 if (upgrade) {
1856 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1857 crypt_ftr->master_key, crypt_ftr);
1858 if (!rc) {
1859 rc = put_crypt_ftr_and_key(crypt_ftr);
1860 }
1861 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1862
1863 // Do not fail even if upgrade failed - machine is bootable
1864 // Note that if this code is ever hit, there is a *serious* problem
1865 // since KDFs should never fail. You *must* fix the kdf before
1866 // proceeding!
1867 if (rc) {
1868 SLOGW("Upgrade failed with error %d,"
1869 " but continuing with previous state",
1870 rc);
1871 rc = 0;
1872 }
1873 }
1874 }
1875
1876 errout:
1877 if (intermediate_key) {
1878 memset(intermediate_key, 0, intermediate_key_size);
1879 free(intermediate_key);
1880 }
1881 return rc;
1882 }
1883
1884 /* Called by vold when it wants to undo the crypto mapping of a volume it
1885 * manages. This is usually in response to a factory reset, when we want
1886 * to undo the crypto mapping so the volume is formatted in the clear.
1887 */
1888 int cryptfs_revert_volume(const char *label)
1889 {
1890 return delete_crypto_blk_dev((char *)label);
1891 }
1892
1893 /*
1894 * Called by vold when it's asked to mount an encrypted, nonremovable volume.
1895 * Setup a dm-crypt mapping, use the saved master key from
1896 * setting up the /data mapping, and return the new device path.
1897 */
1898 int cryptfs_setup_volume(const char *label, int major, int minor,
1899 char *crypto_sys_path, unsigned int max_path,
1900 int *new_major, int *new_minor)
1901 {
1902 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
1903 struct crypt_mnt_ftr sd_crypt_ftr;
1904 struct stat statbuf;
1905 int nr_sec, fd;
1906
1907 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
1908
1909 get_crypt_ftr_and_key(&sd_crypt_ftr);
1910
1911 /* Update the fs_size field to be the size of the volume */
1912 fd = open(real_blkdev, O_RDONLY);
1913 nr_sec = get_blkdev_size(fd);
1914 close(fd);
1915 if (nr_sec == 0) {
1916 SLOGE("Cannot get size of volume %s\n", real_blkdev);
1917 return -1;
1918 }
1919
1920 sd_crypt_ftr.fs_size = nr_sec;
1921 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
1922 crypto_blkdev, label);
1923
1924 if (stat(crypto_blkdev, &statbuf) < 0) {
1925 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n",
1926 crypto_blkdev, errno, strerror(errno));
1927 }
1928 *new_major = MAJOR(statbuf.st_rdev);
1929 *new_minor = MINOR(statbuf.st_rdev);
1930
1931 /* Create path to sys entry for this block device */
1932 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
1933
1934 return 0;
1935 }
1936
1937 int cryptfs_crypto_complete(void)
1938 {
1939 return do_crypto_complete("/data");
1940 }
1941
1942 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1943 {
1944 char encrypted_state[PROPERTY_VALUE_MAX];
1945 property_get("ro.crypto.state", encrypted_state, "");
1946 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1947 SLOGE("encrypted fs already validated or not running with encryption,"
1948 " aborting");
1949 return -1;
1950 }
1951
1952 if (get_crypt_ftr_and_key(crypt_ftr)) {
1953 SLOGE("Error getting crypt footer and key");
1954 return -1;
1955 }
1956
1957 return 0;
1958 }
1959
1960 /*
1961 * TODO - transition patterns to new format in calling code
1962 * and remove this vile hack, and the use of hex in
1963 * the password passing code.
1964 *
1965 * Patterns are passed in zero based (i.e. the top left dot
1966 * is represented by zero, the top middle one etc), but we want
1967 * to store them '1' based.
1968 * This is to allow us to migrate the calling code to use this
1969 * convention. It also solves a nasty problem whereby scrypt ignores
1970 * trailing zeros, so patterns ending at the top left could be
1971 * truncated, and similarly, you could add the top left to any
1972 * pattern and still match.
1973 * adjust_passwd is a hack function that returns the alternate representation
1974 * if the password appears to be a pattern (hex numbers all less than 09)
1975 * If it succeeds we need to try both, and in particular try the alternate
1976 * first. If the original matches, then we need to update the footer
1977 * with the alternate.
1978 * All code that accepts passwords must adjust them first. Since
1979 * cryptfs_check_passwd is always the first function called after a migration
1980 * (and indeed on any boot) we only need to do the double try in this
1981 * function.
1982 */
1983 char* adjust_passwd(const char* passwd)
1984 {
1985 size_t index, length;
1986
1987 if (!passwd) {
1988 return 0;
1989 }
1990
1991 // Check even length. Hex encoded passwords are always
1992 // an even length, since each character encodes to two characters.
1993 length = strlen(passwd);
1994 if (length % 2) {
1995 SLOGW("Password not correctly hex encoded.");
1996 return 0;
1997 }
1998
1999 // Check password is old-style pattern - a collection of hex
2000 // encoded bytes less than 9 (00 through 08)
2001 for (index = 0; index < length; index +=2) {
2002 if (passwd[index] != '0'
2003 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
2004 return 0;
2005 }
2006 }
2007
2008 // Allocate room for adjusted passwd and null terminate
2009 char* adjusted = malloc(length + 1);
2010 adjusted[length] = 0;
2011
2012 // Add 0x31 ('1') to each character
2013 for (index = 0; index < length; index += 2) {
2014 // output is 31 through 39 so set first byte to three, second to src + 1
2015 adjusted[index] = '3';
2016 adjusted[index + 1] = passwd[index + 1] + 1;
2017 }
2018
2019 return adjusted;
2020 }
2021
2022 int cryptfs_check_passwd(char *passwd)
2023 {
2024 struct crypt_mnt_ftr crypt_ftr;
2025 int rc;
2026
2027 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2028 if (rc)
2029 return rc;
2030
2031 char* adjusted_passwd = adjust_passwd(passwd);
2032 if (adjusted_passwd) {
2033 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
2034 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
2035 DATA_MNT_POINT, "userdata");
2036
2037 // Maybe the original one still works?
2038 if (rc) {
2039 // Don't double count this failure
2040 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
2041 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2042 DATA_MNT_POINT, "userdata");
2043 if (!rc) {
2044 // cryptfs_changepw also adjusts so pass original
2045 // Note that adjust_passwd only recognises patterns
2046 // so we can safely use CRYPT_TYPE_PATTERN
2047 SLOGI("Updating pattern to new format");
2048 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
2049 }
2050 }
2051 free(adjusted_passwd);
2052 } else {
2053 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2054 DATA_MNT_POINT, "userdata");
2055 }
2056
2057 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2058 cryptfs_clear_password();
2059 password = strdup(passwd);
2060 struct timespec now;
2061 clock_gettime(CLOCK_BOOTTIME, &now);
2062 password_expiry_time = now.tv_sec + password_max_age_seconds;
2063 }
2064
2065 return rc;
2066 }
2067
2068 int cryptfs_verify_passwd(char *passwd)
2069 {
2070 struct crypt_mnt_ftr crypt_ftr;
2071 /* Allocate enough space for a 256 bit key, but we may use less */
2072 unsigned char decrypted_master_key[32];
2073 char encrypted_state[PROPERTY_VALUE_MAX];
2074 int rc;
2075
2076 property_get("ro.crypto.state", encrypted_state, "");
2077 if (strcmp(encrypted_state, "encrypted") ) {
2078 SLOGE("device not encrypted, aborting");
2079 return -2;
2080 }
2081
2082 if (!master_key_saved) {
2083 SLOGE("encrypted fs not yet mounted, aborting");
2084 return -1;
2085 }
2086
2087 if (!saved_mount_point) {
2088 SLOGE("encrypted fs failed to save mount point, aborting");
2089 return -1;
2090 }
2091
2092 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2093 SLOGE("Error getting crypt footer and key\n");
2094 return -1;
2095 }
2096
2097 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2098 /* If the device has no password, then just say the password is valid */
2099 rc = 0;
2100 } else {
2101 char* adjusted_passwd = adjust_passwd(passwd);
2102 if (adjusted_passwd) {
2103 passwd = adjusted_passwd;
2104 }
2105
2106 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2107 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2108 /* They match, the password is correct */
2109 rc = 0;
2110 } else {
2111 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2112 sleep(1);
2113 rc = 1;
2114 }
2115
2116 free(adjusted_passwd);
2117 }
2118
2119 return rc;
2120 }
2121
2122 /* Initialize a crypt_mnt_ftr structure. The keysize is
2123 * defaulted to 16 bytes, and the filesystem size to 0.
2124 * Presumably, at a minimum, the caller will update the
2125 * filesystem size and crypto_type_name after calling this function.
2126 */
2127 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2128 {
2129 off64_t off;
2130
2131 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2132 ftr->magic = CRYPT_MNT_MAGIC;
2133 ftr->major_version = CURRENT_MAJOR_VERSION;
2134 ftr->minor_version = CURRENT_MINOR_VERSION;
2135 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2136 ftr->keysize = KEY_LEN_BYTES;
2137
2138 switch (keymaster_check_compatibility()) {
2139 case 1:
2140 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2141 break;
2142
2143 case 0:
2144 ftr->kdf_type = KDF_SCRYPT;
2145 break;
2146
2147 default:
2148 SLOGE("keymaster_check_compatibility failed");
2149 return -1;
2150 }
2151
2152 get_device_scrypt_params(ftr);
2153
2154 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2155 if (get_crypt_ftr_info(NULL, &off) == 0) {
2156 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2157 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2158 ftr->persist_data_size;
2159 }
2160
2161 return 0;
2162 }
2163
2164 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2165 {
2166 const char *args[10];
2167 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2168 int num_args;
2169 int status;
2170 int tmp;
2171 int rc = -1;
2172
2173 if (type == EXT4_FS) {
2174 args[0] = "/system/bin/make_ext4fs";
2175 args[1] = "-a";
2176 args[2] = "/data";
2177 args[3] = "-l";
2178 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2179 args[4] = size_str;
2180 args[5] = crypto_blkdev;
2181 num_args = 6;
2182 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2183 args[0], args[1], args[2], args[3], args[4], args[5]);
2184 } else if (type == F2FS_FS) {
2185 args[0] = "/system/bin/mkfs.f2fs";
2186 args[1] = "-t";
2187 args[2] = "-d1";
2188 args[3] = crypto_blkdev;
2189 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2190 args[4] = size_str;
2191 num_args = 5;
2192 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2193 args[0], args[1], args[2], args[3], args[4]);
2194 } else {
2195 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2196 return -1;
2197 }
2198
2199 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2200
2201 if (tmp != 0) {
2202 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2203 } else {
2204 if (WIFEXITED(status)) {
2205 if (WEXITSTATUS(status)) {
2206 SLOGE("Error creating filesystem on %s, exit status %d ",
2207 crypto_blkdev, WEXITSTATUS(status));
2208 } else {
2209 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2210 rc = 0;
2211 }
2212 } else {
2213 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2214 }
2215 }
2216
2217 return rc;
2218 }
2219
2220 #define CRYPT_INPLACE_BUFSIZE 4096
2221 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2222 #define CRYPT_SECTOR_SIZE 512
2223
2224 /* aligned 32K writes tends to make flash happy.
2225 * SD card association recommends it.
2226 */
2227 #ifndef CONFIG_HW_DISK_ENCRYPTION
2228 #define BLOCKS_AT_A_TIME 8
2229 #else
2230 #define BLOCKS_AT_A_TIME 1024
2231 #endif
2232
2233 struct encryptGroupsData
2234 {
2235 int realfd;
2236 int cryptofd;
2237 off64_t numblocks;
2238 off64_t one_pct, cur_pct, new_pct;
2239 off64_t blocks_already_done, tot_numblocks;
2240 off64_t used_blocks_already_done, tot_used_blocks;
2241 char* real_blkdev, * crypto_blkdev;
2242 int count;
2243 off64_t offset;
2244 char* buffer;
2245 off64_t last_written_sector;
2246 int completed;
2247 time_t time_started;
2248 int remaining_time;
2249 };
2250
2251 static void update_progress(struct encryptGroupsData* data, int is_used)
2252 {
2253 data->blocks_already_done++;
2254
2255 if (is_used) {
2256 data->used_blocks_already_done++;
2257 }
2258 if (data->tot_used_blocks) {
2259 data->new_pct = data->used_blocks_already_done / data->one_pct;
2260 } else {
2261 data->new_pct = data->blocks_already_done / data->one_pct;
2262 }
2263
2264 if (data->new_pct > data->cur_pct) {
2265 char buf[8];
2266 data->cur_pct = data->new_pct;
2267 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2268 property_set("vold.encrypt_progress", buf);
2269 }
2270
2271 if (data->cur_pct >= 5) {
2272 struct timespec time_now;
2273 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2274 SLOGW("Error getting time");
2275 } else {
2276 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2277 off64_t remaining_blocks = data->tot_used_blocks
2278 - data->used_blocks_already_done;
2279 int remaining_time = (int)(elapsed_time * remaining_blocks
2280 / data->used_blocks_already_done);
2281
2282 // Change time only if not yet set, lower, or a lot higher for
2283 // best user experience
2284 if (data->remaining_time == -1
2285 || remaining_time < data->remaining_time
2286 || remaining_time > data->remaining_time + 60) {
2287 char buf[8];
2288 snprintf(buf, sizeof(buf), "%d", remaining_time);
2289 property_set("vold.encrypt_time_remaining", buf);
2290 data->remaining_time = remaining_time;
2291 }
2292 }
2293 }
2294 }
2295
2296 static void log_progress(struct encryptGroupsData const* data, bool completed)
2297 {
2298 // Precondition - if completed data = 0 else data != 0
2299
2300 // Track progress so we can skip logging blocks
2301 static off64_t offset = -1;
2302
2303 // Need to close existing 'Encrypting from' log?
2304 if (completed || (offset != -1 && data->offset != offset)) {
2305 SLOGI("Encrypted to sector %" PRId64,
2306 offset / info.block_size * CRYPT_SECTOR_SIZE);
2307 offset = -1;
2308 }
2309
2310 // Need to start new 'Encrypting from' log?
2311 if (!completed && offset != data->offset) {
2312 SLOGI("Encrypting from sector %" PRId64,
2313 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2314 }
2315
2316 // Update offset
2317 if (!completed) {
2318 offset = data->offset + (off64_t)data->count * info.block_size;
2319 }
2320 }
2321
2322 static int flush_outstanding_data(struct encryptGroupsData* data)
2323 {
2324 if (data->count == 0) {
2325 return 0;
2326 }
2327
2328 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2329
2330 if (pread64(data->realfd, data->buffer,
2331 info.block_size * data->count, data->offset)
2332 <= 0) {
2333 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2334 data->real_blkdev);
2335 return -1;
2336 }
2337
2338 if (pwrite64(data->cryptofd, data->buffer,
2339 info.block_size * data->count, data->offset)
2340 <= 0) {
2341 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2342 data->crypto_blkdev);
2343 return -1;
2344 } else {
2345 log_progress(data, false);
2346 }
2347
2348 data->count = 0;
2349 data->last_written_sector = (data->offset + data->count)
2350 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2351 return 0;
2352 }
2353
2354 static int encrypt_groups(struct encryptGroupsData* data)
2355 {
2356 unsigned int i;
2357 u8 *block_bitmap = 0;
2358 unsigned int block;
2359 off64_t ret;
2360 int rc = -1;
2361
2362 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2363 if (!data->buffer) {
2364 SLOGE("Failed to allocate crypto buffer");
2365 goto errout;
2366 }
2367
2368 block_bitmap = malloc(info.block_size);
2369 if (!block_bitmap) {
2370 SLOGE("failed to allocate block bitmap");
2371 goto errout;
2372 }
2373
2374 for (i = 0; i < aux_info.groups; ++i) {
2375 SLOGI("Encrypting group %d", i);
2376
2377 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2378 u32 block_count = min(info.blocks_per_group,
2379 aux_info.len_blocks - first_block);
2380
2381 off64_t offset = (u64)info.block_size
2382 * aux_info.bg_desc[i].bg_block_bitmap;
2383
2384 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2385 if (ret != (int)info.block_size) {
2386 SLOGE("failed to read all of block group bitmap %d", i);
2387 goto errout;
2388 }
2389
2390 offset = (u64)info.block_size * first_block;
2391
2392 data->count = 0;
2393
2394 for (block = 0; block < block_count; block++) {
2395 int used = bitmap_get_bit(block_bitmap, block);
2396 update_progress(data, used);
2397 if (used) {
2398 if (data->count == 0) {
2399 data->offset = offset;
2400 }
2401 data->count++;
2402 } else {
2403 if (flush_outstanding_data(data)) {
2404 goto errout;
2405 }
2406 }
2407
2408 offset += info.block_size;
2409
2410 /* Write data if we are aligned or buffer size reached */
2411 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2412 || data->count == BLOCKS_AT_A_TIME) {
2413 if (flush_outstanding_data(data)) {
2414 goto errout;
2415 }
2416 }
2417
2418 if (!is_battery_ok_to_continue()) {
2419 SLOGE("Stopping encryption due to low battery");
2420 rc = 0;
2421 goto errout;
2422 }
2423
2424 }
2425 if (flush_outstanding_data(data)) {
2426 goto errout;
2427 }
2428 }
2429
2430 data->completed = 1;
2431 rc = 0;
2432
2433 errout:
2434 log_progress(0, true);
2435 free(data->buffer);
2436 free(block_bitmap);
2437 return rc;
2438 }
2439
2440 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2441 char *real_blkdev,
2442 off64_t size,
2443 off64_t *size_already_done,
2444 off64_t tot_size,
2445 off64_t previously_encrypted_upto)
2446 {
2447 u32 i;
2448 struct encryptGroupsData data;
2449 int rc; // Can't initialize without causing warning -Wclobbered
2450
2451 if (previously_encrypted_upto > *size_already_done) {
2452 SLOGD("Not fast encrypting since resuming part way through");
2453 return -1;
2454 }
2455
2456 memset(&data, 0, sizeof(data));
2457 data.real_blkdev = real_blkdev;
2458 data.crypto_blkdev = crypto_blkdev;
2459
2460 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2461 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2462 real_blkdev, errno, strerror(errno));
2463 rc = -1;
2464 goto errout;
2465 }
2466
2467 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2468 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2469 crypto_blkdev, errno, strerror(errno));
2470 rc = ENABLE_INPLACE_ERR_DEV;
2471 goto errout;
2472 }
2473
2474 if (setjmp(setjmp_env)) {
2475 SLOGE("Reading ext4 extent caused an exception\n");
2476 rc = -1;
2477 goto errout;
2478 }
2479
2480 if (read_ext(data.realfd, 0) != 0) {
2481 SLOGE("Failed to read ext4 extent\n");
2482 rc = -1;
2483 goto errout;
2484 }
2485
2486 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2487 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2488 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2489
2490 SLOGI("Encrypting ext4 filesystem in place...");
2491
2492 data.tot_used_blocks = data.numblocks;
2493 for (i = 0; i < aux_info.groups; ++i) {
2494 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2495 }
2496
2497 data.one_pct = data.tot_used_blocks / 100;
2498 data.cur_pct = 0;
2499
2500 struct timespec time_started = {0};
2501 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2502 SLOGW("Error getting time at start");
2503 // Note - continue anyway - we'll run with 0
2504 }
2505 data.time_started = time_started.tv_sec;
2506 data.remaining_time = -1;
2507
2508 rc = encrypt_groups(&data);
2509 if (rc) {
2510 SLOGE("Error encrypting groups");
2511 goto errout;
2512 }
2513
2514 *size_already_done += data.completed ? size : data.last_written_sector;
2515 rc = 0;
2516
2517 errout:
2518 close(data.realfd);
2519 close(data.cryptofd);
2520
2521 return rc;
2522 }
2523
2524 static void log_progress_f2fs(u64 block, bool completed)
2525 {
2526 // Precondition - if completed data = 0 else data != 0
2527
2528 // Track progress so we can skip logging blocks
2529 static u64 last_block = (u64)-1;
2530
2531 // Need to close existing 'Encrypting from' log?
2532 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2533 SLOGI("Encrypted to block %" PRId64, last_block);
2534 last_block = -1;
2535 }
2536
2537 // Need to start new 'Encrypting from' log?
2538 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2539 SLOGI("Encrypting from block %" PRId64, block);
2540 }
2541
2542 // Update offset
2543 if (!completed) {
2544 last_block = block;
2545 }
2546 }
2547
2548 static int encrypt_one_block_f2fs(u64 pos, void *data)
2549 {
2550 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2551
2552 priv_dat->blocks_already_done = pos - 1;
2553 update_progress(priv_dat, 1);
2554
2555 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2556
2557 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2558 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2559 return -1;
2560 }
2561
2562 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2563 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2564 return -1;
2565 } else {
2566 log_progress_f2fs(pos, false);
2567 }
2568
2569 return 0;
2570 }
2571
2572 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2573 char *real_blkdev,
2574 off64_t size,
2575 off64_t *size_already_done,
2576 off64_t tot_size,
2577 off64_t previously_encrypted_upto)
2578 {
2579 u32 i;
2580 struct encryptGroupsData data;
2581 struct f2fs_info *f2fs_info = NULL;
2582 int rc = ENABLE_INPLACE_ERR_OTHER;
2583 if (previously_encrypted_upto > *size_already_done) {
2584 SLOGD("Not fast encrypting since resuming part way through");
2585 return ENABLE_INPLACE_ERR_OTHER;
2586 }
2587 memset(&data, 0, sizeof(data));
2588 data.real_blkdev = real_blkdev;
2589 data.crypto_blkdev = crypto_blkdev;
2590 data.realfd = -1;
2591 data.cryptofd = -1;
2592 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
2593 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2594 real_blkdev);
2595 goto errout;
2596 }
2597 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
2598 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2599 crypto_blkdev, errno, strerror(errno));
2600 rc = ENABLE_INPLACE_ERR_DEV;
2601 goto errout;
2602 }
2603
2604 f2fs_info = generate_f2fs_info(data.realfd);
2605 if (!f2fs_info)
2606 goto errout;
2607
2608 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2609 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2610 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2611
2612 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2613
2614 data.one_pct = data.tot_used_blocks / 100;
2615 data.cur_pct = 0;
2616 data.time_started = time(NULL);
2617 data.remaining_time = -1;
2618
2619 data.buffer = malloc(f2fs_info->block_size);
2620 if (!data.buffer) {
2621 SLOGE("Failed to allocate crypto buffer");
2622 goto errout;
2623 }
2624
2625 data.count = 0;
2626
2627 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2628 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2629
2630 if (rc) {
2631 SLOGE("Error in running over f2fs blocks");
2632 rc = ENABLE_INPLACE_ERR_OTHER;
2633 goto errout;
2634 }
2635
2636 *size_already_done += size;
2637 rc = 0;
2638
2639 errout:
2640 if (rc)
2641 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2642
2643 log_progress_f2fs(0, true);
2644 free(f2fs_info);
2645 free(data.buffer);
2646 close(data.realfd);
2647 close(data.cryptofd);
2648
2649 return rc;
2650 }
2651
2652 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2653 off64_t size, off64_t *size_already_done,
2654 off64_t tot_size,
2655 off64_t previously_encrypted_upto)
2656 {
2657 int realfd, cryptofd;
2658 char *buf[CRYPT_INPLACE_BUFSIZE];
2659 int rc = ENABLE_INPLACE_ERR_OTHER;
2660 off64_t numblocks, i, remainder;
2661 off64_t one_pct, cur_pct, new_pct;
2662 off64_t blocks_already_done, tot_numblocks;
2663
2664 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
2665 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2666 return ENABLE_INPLACE_ERR_OTHER;
2667 }
2668
2669 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2670 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2671 crypto_blkdev, errno, strerror(errno));
2672 close(realfd);
2673 return ENABLE_INPLACE_ERR_DEV;
2674 }
2675
2676 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2677 * The size passed in is the number of 512 byte sectors in the filesystem.
2678 * So compute the number of whole 4K blocks we should read/write,
2679 * and the remainder.
2680 */
2681 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2682 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2683 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2684 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2685
2686 SLOGE("Encrypting filesystem in place...");
2687
2688 i = previously_encrypted_upto + 1 - *size_already_done;
2689
2690 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2691 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2692 goto errout;
2693 }
2694
2695 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2696 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2697 goto errout;
2698 }
2699
2700 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2701 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2702 SLOGE("Error reading initial sectors from real_blkdev %s for "
2703 "inplace encrypt\n", crypto_blkdev);
2704 goto errout;
2705 }
2706 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2707 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2708 "inplace encrypt\n", crypto_blkdev);
2709 goto errout;
2710 } else {
2711 SLOGI("Encrypted 1 block at %" PRId64, i);
2712 }
2713 }
2714
2715 one_pct = tot_numblocks / 100;
2716 cur_pct = 0;
2717 /* process the majority of the filesystem in blocks */
2718 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2719 new_pct = (i + blocks_already_done) / one_pct;
2720 if (new_pct > cur_pct) {
2721 char buf[8];
2722
2723 cur_pct = new_pct;
2724 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2725 property_set("vold.encrypt_progress", buf);
2726 }
2727 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2728 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2729 goto errout;
2730 }
2731 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2732 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2733 goto errout;
2734 } else {
2735 SLOGD("Encrypted %d block at %" PRId64,
2736 CRYPT_SECTORS_PER_BUFSIZE,
2737 i * CRYPT_SECTORS_PER_BUFSIZE);
2738 }
2739
2740 if (!is_battery_ok_to_continue()) {
2741 SLOGE("Stopping encryption due to low battery");
2742 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2743 rc = 0;
2744 goto errout;
2745 }
2746 }
2747
2748 /* Do any remaining sectors */
2749 for (i=0; i<remainder; i++) {
2750 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2751 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2752 goto errout;
2753 }
2754 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2755 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2756 goto errout;
2757 } else {
2758 SLOGI("Encrypted 1 block at next location");
2759 }
2760 }
2761
2762 *size_already_done += size;
2763 rc = 0;
2764
2765 errout:
2766 close(realfd);
2767 close(cryptofd);
2768
2769 return rc;
2770 }
2771
2772 /* returns on of the ENABLE_INPLACE_* return codes */
2773 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2774 off64_t size, off64_t *size_already_done,
2775 off64_t tot_size,
2776 off64_t previously_encrypted_upto)
2777 {
2778 int rc_ext4, rc_f2fs, rc_full;
2779 if (previously_encrypted_upto) {
2780 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2781 }
2782
2783 if (*size_already_done + size < previously_encrypted_upto) {
2784 *size_already_done += size;
2785 return 0;
2786 }
2787
2788 /* TODO: identify filesystem type.
2789 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2790 * then we will drop down to cryptfs_enable_inplace_f2fs.
2791 * */
2792 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2793 size, size_already_done,
2794 tot_size, previously_encrypted_upto)) == 0) {
2795 return 0;
2796 }
2797 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2798
2799 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2800 size, size_already_done,
2801 tot_size, previously_encrypted_upto)) == 0) {
2802 return 0;
2803 }
2804 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2805
2806 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2807 size, size_already_done, tot_size,
2808 previously_encrypted_upto);
2809 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2810
2811 /* Hack for b/17898962, the following is the symptom... */
2812 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2813 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2814 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2815 return ENABLE_INPLACE_ERR_DEV;
2816 }
2817 return rc_full;
2818 }
2819
2820 #define CRYPTO_ENABLE_WIPE 1
2821 #define CRYPTO_ENABLE_INPLACE 2
2822
2823 #define FRAMEWORK_BOOT_WAIT 60
2824
2825 static inline int should_encrypt(struct volume_info *volume)
2826 {
2827 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
2828 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
2829 }
2830
2831 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2832 {
2833 int fd = open(filename, O_RDONLY);
2834 if (fd == -1) {
2835 SLOGE("Error opening file %s", filename);
2836 return -1;
2837 }
2838
2839 char block[CRYPT_INPLACE_BUFSIZE];
2840 memset(block, 0, sizeof(block));
2841 if (unix_read(fd, block, sizeof(block)) < 0) {
2842 SLOGE("Error reading file %s", filename);
2843 close(fd);
2844 return -1;
2845 }
2846
2847 close(fd);
2848
2849 SHA256_CTX c;
2850 SHA256_Init(&c);
2851 SHA256_Update(&c, block, sizeof(block));
2852 SHA256_Final(buf, &c);
2853
2854 return 0;
2855 }
2856
2857 static int get_fs_type(struct fstab_rec *rec)
2858 {
2859 if (!strcmp(rec->fs_type, "ext4")) {
2860 return EXT4_FS;
2861 } else if (!strcmp(rec->fs_type, "f2fs")) {
2862 return F2FS_FS;
2863 } else {
2864 return -1;
2865 }
2866 }
2867
2868 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2869 char *crypto_blkdev, char *real_blkdev,
2870 int previously_encrypted_upto)
2871 {
2872 off64_t cur_encryption_done=0, tot_encryption_size=0;
2873 int i, rc = -1;
2874
2875 if (!is_battery_ok_to_start()) {
2876 SLOGW("Not starting encryption due to low battery");
2877 return 0;
2878 }
2879
2880 /* The size of the userdata partition, and add in the vold volumes below */
2881 tot_encryption_size = crypt_ftr->fs_size;
2882
2883 if (how == CRYPTO_ENABLE_WIPE) {
2884 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2885 int fs_type = get_fs_type(rec);
2886 if (fs_type < 0) {
2887 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2888 return -1;
2889 }
2890 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2891 } else if (how == CRYPTO_ENABLE_INPLACE) {
2892 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2893 crypt_ftr->fs_size, &cur_encryption_done,
2894 tot_encryption_size,
2895 previously_encrypted_upto);
2896
2897 if (rc == ENABLE_INPLACE_ERR_DEV) {
2898 /* Hack for b/17898962 */
2899 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2900 cryptfs_reboot(reboot);
2901 }
2902
2903 if (!rc) {
2904 crypt_ftr->encrypted_upto = cur_encryption_done;
2905 }
2906
2907 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2908 /* The inplace routine never actually sets the progress to 100% due
2909 * to the round down nature of integer division, so set it here */
2910 property_set("vold.encrypt_progress", "100");
2911 }
2912 } else {
2913 /* Shouldn't happen */
2914 SLOGE("cryptfs_enable: internal error, unknown option\n");
2915 rc = -1;
2916 }
2917
2918 return rc;
2919 }
2920
2921 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2922 int allow_reboot)
2923 {
2924 int how = 0;
2925 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2926 unsigned long nr_sec;
2927 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2928 int rc=-1, fd, i, ret;
2929 struct crypt_mnt_ftr crypt_ftr;
2930 struct crypt_persist_data *pdata;
2931 char encrypted_state[PROPERTY_VALUE_MAX];
2932 char lockid[32] = { 0 };
2933 char key_loc[PROPERTY_VALUE_MAX];
2934 char fuse_sdcard[PROPERTY_VALUE_MAX];
2935 char *sd_mnt_point;
2936 int num_vols;
2937 struct volume_info *vol_list = 0;
2938 off64_t previously_encrypted_upto = 0;
2939
2940 if (!strcmp(howarg, "wipe")) {
2941 how = CRYPTO_ENABLE_WIPE;
2942 } else if (! strcmp(howarg, "inplace")) {
2943 how = CRYPTO_ENABLE_INPLACE;
2944 } else {
2945 /* Shouldn't happen, as CommandListener vets the args */
2946 goto error_unencrypted;
2947 }
2948
2949 /* See if an encryption was underway and interrupted */
2950 if (how == CRYPTO_ENABLE_INPLACE
2951 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2952 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2953 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2954 crypt_ftr.encrypted_upto = 0;
2955 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2956
2957 /* At this point, we are in an inconsistent state. Until we successfully
2958 complete encryption, a reboot will leave us broken. So mark the
2959 encryption failed in case that happens.
2960 On successfully completing encryption, remove this flag */
2961 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2962
2963 put_crypt_ftr_and_key(&crypt_ftr);
2964 }
2965
2966 property_get("ro.crypto.state", encrypted_state, "");
2967 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2968 SLOGE("Device is already running encrypted, aborting");
2969 goto error_unencrypted;
2970 }
2971
2972 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2973 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2974 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2975
2976 /* Get the size of the real block device */
2977 fd = open(real_blkdev, O_RDONLY);
2978 if ( (nr_sec = get_blkdev_size(fd)) == 0) {
2979 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2980 goto error_unencrypted;
2981 }
2982 close(fd);
2983
2984 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2985 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2986 unsigned int fs_size_sec, max_fs_size_sec;
2987 fs_size_sec = get_fs_size(real_blkdev);
2988 if (fs_size_sec == 0)
2989 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2990
2991 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2992
2993 if (fs_size_sec > max_fs_size_sec) {
2994 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2995 goto error_unencrypted;
2996 }
2997 }
2998
2999 /* Get a wakelock as this may take a while, and we don't want the
3000 * device to sleep on us. We'll grab a partial wakelock, and if the UI
3001 * wants to keep the screen on, it can grab a full wakelock.
3002 */
3003 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3004 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3005
3006 /* Get the sdcard mount point */
3007 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
3008 if (!sd_mnt_point) {
3009 sd_mnt_point = getenv("EXTERNAL_STORAGE");
3010 }
3011 if (!sd_mnt_point) {
3012 sd_mnt_point = "/mnt/sdcard";
3013 }
3014
3015 /* TODO
3016 * Currently do not have test devices with multiple encryptable volumes.
3017 * When we acquire some, re-add support.
3018 */
3019 num_vols=vold_getNumDirectVolumes();
3020 vol_list = malloc(sizeof(struct volume_info) * num_vols);
3021 vold_getDirectVolumeList(vol_list);
3022
3023 for (i=0; i<num_vols; i++) {
3024 if (should_encrypt(&vol_list[i])) {
3025 SLOGE("Cannot encrypt if there are multiple encryptable volumes"
3026 "%s\n", vol_list[i].label);
3027 goto error_unencrypted;
3028 }
3029 }
3030
3031 /* The init files are setup to stop the class main and late start when
3032 * vold sets trigger_shutdown_framework.
3033 */
3034 property_set("vold.decrypt", "trigger_shutdown_framework");
3035 SLOGD("Just asked init to shut down class main\n");
3036
3037 if (vold_unmountAllAsecs()) {
3038 /* Just report the error. If any are left mounted,
3039 * umounting /data below will fail and handle the error.
3040 */
3041 SLOGE("Error unmounting internal asecs");
3042 }
3043
3044 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
3045 if (!strcmp(fuse_sdcard, "true")) {
3046 /* This is a device using the fuse layer to emulate the sdcard semantics
3047 * on top of the userdata partition. vold does not manage it, it is managed
3048 * by the sdcard service. The sdcard service was killed by the property trigger
3049 * above, so just unmount it now. We must do this _AFTER_ killing the framework,
3050 * unlike the case for vold managed devices above.
3051 */
3052 if (wait_and_unmount(sd_mnt_point, false)) {
3053 goto error_shutting_down;
3054 }
3055 }
3056
3057 /* Now unmount the /data partition. */
3058 if (wait_and_unmount(DATA_MNT_POINT, false)) {
3059 if (allow_reboot) {
3060 goto error_shutting_down;
3061 } else {
3062 goto error_unencrypted;
3063 }
3064 }
3065
3066 /* Do extra work for a better UX when doing the long inplace encryption */
3067 if (how == CRYPTO_ENABLE_INPLACE) {
3068 /* Now that /data is unmounted, we need to mount a tmpfs
3069 * /data, set a property saying we're doing inplace encryption,
3070 * and restart the framework.
3071 */
3072 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3073 goto error_shutting_down;
3074 }
3075 /* Tells the framework that inplace encryption is starting */
3076 property_set("vold.encrypt_progress", "0");
3077
3078 /* restart the framework. */
3079 /* Create necessary paths on /data */
3080 if (prep_data_fs()) {
3081 goto error_shutting_down;
3082 }
3083
3084 /* Ugh, shutting down the framework is not synchronous, so until it
3085 * can be fixed, this horrible hack will wait a moment for it all to
3086 * shut down before proceeding. Without it, some devices cannot
3087 * restart the graphics services.
3088 */
3089 sleep(2);
3090 }
3091
3092 /* Start the actual work of making an encrypted filesystem */
3093 /* Initialize a crypt_mnt_ftr for the partition */
3094 if (previously_encrypted_upto == 0) {
3095 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3096 goto error_shutting_down;
3097 }
3098
3099 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3100 crypt_ftr.fs_size = nr_sec
3101 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3102 } else {
3103 crypt_ftr.fs_size = nr_sec;
3104 }
3105 /* At this point, we are in an inconsistent state. Until we successfully
3106 complete encryption, a reboot will leave us broken. So mark the
3107 encryption failed in case that happens.
3108 On successfully completing encryption, remove this flag */
3109 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3110 crypt_ftr.crypt_type = crypt_type;
3111 #ifndef CONFIG_HW_DISK_ENCRYPTION
3112 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3113 #else
3114 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3115
3116 rc = clear_hw_device_encryption_key();
3117 if (!rc) {
3118 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3119 }
3120
3121 rc = set_hw_device_encryption_key(passwd,
3122 (char*) crypt_ftr.crypto_type_name);
3123 if (!rc) {
3124 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3125 goto error_shutting_down;
3126 }
3127 #endif
3128
3129 /* Make an encrypted master key */
3130 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3131 SLOGE("Cannot create encrypted master key\n");
3132 goto error_shutting_down;
3133 }
3134
3135 /* Write the key to the end of the partition */
3136 put_crypt_ftr_and_key(&crypt_ftr);
3137
3138 /* If any persistent data has been remembered, save it.
3139 * If none, create a valid empty table and save that.
3140 */
3141 if (!persist_data) {
3142 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3143 if (pdata) {
3144 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3145 persist_data = pdata;
3146 }
3147 }
3148 if (persist_data) {
3149 save_persistent_data();
3150 }
3151 }
3152
3153 if (how == CRYPTO_ENABLE_INPLACE) {
3154 /* startup service classes main and late_start */
3155 property_set("vold.decrypt", "trigger_restart_min_framework");
3156 SLOGD("Just triggered restart_min_framework\n");
3157
3158 /* OK, the framework is restarted and will soon be showing a
3159 * progress bar. Time to setup an encrypted mapping, and
3160 * either write a new filesystem, or encrypt in place updating
3161 * the progress bar as we work.
3162 */
3163 }
3164
3165 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3166 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3167 "userdata");
3168
3169 /* If we are continuing, check checksums match */
3170 rc = 0;
3171 if (previously_encrypted_upto) {
3172 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3173 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3174
3175 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3176 sizeof(hash_first_block)) != 0) {
3177 SLOGE("Checksums do not match - trigger wipe");
3178 rc = -1;
3179 }
3180 }
3181
3182 if (!rc) {
3183 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3184 crypto_blkdev, real_blkdev,
3185 previously_encrypted_upto);
3186 }
3187
3188 /* Calculate checksum if we are not finished */
3189 if (!rc && how == CRYPTO_ENABLE_INPLACE
3190 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3191 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3192 crypt_ftr.hash_first_block);
3193 if (rc) {
3194 SLOGE("Error calculating checksum for continuing encryption");
3195 rc = -1;
3196 }
3197 }
3198
3199 /* Undo the dm-crypt mapping whether we succeed or not */
3200 delete_crypto_blk_dev("userdata");
3201
3202 free(vol_list);
3203
3204 if (! rc) {
3205 /* Success */
3206 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3207
3208 if (how == CRYPTO_ENABLE_INPLACE
3209 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3210 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3211 crypt_ftr.encrypted_upto);
3212 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3213 }
3214
3215 put_crypt_ftr_and_key(&crypt_ftr);
3216
3217 if (how == CRYPTO_ENABLE_WIPE
3218 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3219 char value[PROPERTY_VALUE_MAX];
3220 property_get("ro.crypto.state", value, "");
3221 if (!strcmp(value, "")) {
3222 /* default encryption - continue first boot sequence */
3223 property_set("ro.crypto.state", "encrypted");
3224 release_wake_lock(lockid);
3225 cryptfs_check_passwd(DEFAULT_PASSWORD);
3226 cryptfs_restart_internal(1);
3227 return 0;
3228 } else {
3229 sleep(2); /* Give the UI a chance to show 100% progress */
3230 cryptfs_reboot(reboot);
3231 }
3232 } else {
3233 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3234 cryptfs_reboot(shutdown);
3235 }
3236 } else {
3237 char value[PROPERTY_VALUE_MAX];
3238
3239 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3240 if (!strcmp(value, "1")) {
3241 /* wipe data if encryption failed */
3242 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3243 mkdir("/cache/recovery", 0700);
3244 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
3245 if (fd >= 0) {
3246 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3247 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3248 close(fd);
3249 } else {
3250 SLOGE("could not open /cache/recovery/command\n");
3251 }
3252 cryptfs_reboot(recovery);
3253 } else {
3254 /* set property to trigger dialog */
3255 property_set("vold.encrypt_progress", "error_partially_encrypted");
3256 release_wake_lock(lockid);
3257 }
3258 return -1;
3259 }
3260
3261 /* hrm, the encrypt step claims success, but the reboot failed.
3262 * This should not happen.
3263 * Set the property and return. Hope the framework can deal with it.
3264 */
3265 property_set("vold.encrypt_progress", "error_reboot_failed");
3266 release_wake_lock(lockid);
3267 return rc;
3268
3269 error_unencrypted:
3270 free(vol_list);
3271 property_set("vold.encrypt_progress", "error_not_encrypted");
3272 if (lockid[0]) {
3273 release_wake_lock(lockid);
3274 }
3275 return -1;
3276
3277 error_shutting_down:
3278 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3279 * but the framework is stopped and not restarted to show the error, so it's up to
3280 * vold to restart the system.
3281 */
3282 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3283 cryptfs_reboot(reboot);
3284
3285 /* shouldn't get here */
3286 property_set("vold.encrypt_progress", "error_shutting_down");
3287 free(vol_list);
3288 if (lockid[0]) {
3289 release_wake_lock(lockid);
3290 }
3291 return -1;
3292 }
3293
3294 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3295 {
3296 char* adjusted_passwd = adjust_passwd(passwd);
3297 if (adjusted_passwd) {
3298 passwd = adjusted_passwd;
3299 }
3300
3301 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
3302
3303 free(adjusted_passwd);
3304 return rc;
3305 }
3306
3307 int cryptfs_enable_default(char *howarg, int allow_reboot)
3308 {
3309 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3310 DEFAULT_PASSWORD, allow_reboot);
3311 }
3312
3313 int cryptfs_changepw(int crypt_type, const char *newpw)
3314 {
3315 struct crypt_mnt_ftr crypt_ftr;
3316 unsigned char decrypted_master_key[KEY_LEN_BYTES];
3317
3318 /* This is only allowed after we've successfully decrypted the master key */
3319 if (!master_key_saved) {
3320 SLOGE("Key not saved, aborting");
3321 return -1;
3322 }
3323
3324 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3325 SLOGE("Invalid crypt_type %d", crypt_type);
3326 return -1;
3327 }
3328
3329 /* get key */
3330 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3331 SLOGE("Error getting crypt footer and key");
3332 return -1;
3333 }
3334
3335 crypt_ftr.crypt_type = crypt_type;
3336
3337 char* adjusted_passwd = adjust_passwd(newpw);
3338 if (adjusted_passwd) {
3339 newpw = adjusted_passwd;
3340 }
3341
3342 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3343 : newpw,
3344 crypt_ftr.salt,
3345 saved_master_key,
3346 crypt_ftr.master_key,
3347 &crypt_ftr);
3348
3349 /* save the key */
3350 put_crypt_ftr_and_key(&crypt_ftr);
3351
3352 free(adjusted_passwd);
3353
3354 #ifdef CONFIG_HW_DISK_ENCRYPTION
3355 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3356 if (crypt_type == CRYPT_TYPE_DEFAULT) {
3357 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3358 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3359 if (!rc)
3360 return -1;
3361 } else {
3362 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3363 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3364 if (!rc)
3365 return -1;
3366 }
3367 }
3368 #endif
3369 return 0;
3370 }
3371
3372 static unsigned int persist_get_max_entries(int encrypted) {
3373 struct crypt_mnt_ftr crypt_ftr;
3374 unsigned int dsize;
3375 unsigned int max_persistent_entries;
3376
3377 /* If encrypted, use the values from the crypt_ftr, otherwise
3378 * use the values for the current spec.
3379 */
3380 if (encrypted) {
3381 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3382 return -1;
3383 }
3384 dsize = crypt_ftr.persist_data_size;
3385 } else {
3386 dsize = CRYPT_PERSIST_DATA_SIZE;
3387 }
3388
3389 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3390 sizeof(struct crypt_persist_entry);
3391
3392 return max_persistent_entries;
3393 }
3394
3395 static int persist_get_key(const char *fieldname, char *value)
3396 {
3397 unsigned int i;
3398
3399 if (persist_data == NULL) {
3400 return -1;
3401 }
3402 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3403 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3404 /* We found it! */
3405 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3406 return 0;
3407 }
3408 }
3409
3410 return -1;
3411 }
3412
3413 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3414 {
3415 unsigned int i;
3416 unsigned int num;
3417 unsigned int max_persistent_entries;
3418
3419 if (persist_data == NULL) {
3420 return -1;
3421 }
3422
3423 max_persistent_entries = persist_get_max_entries(encrypted);
3424
3425 num = persist_data->persist_valid_entries;
3426
3427 for (i = 0; i < num; i++) {
3428 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3429 /* We found an existing entry, update it! */
3430 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3431 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3432 return 0;
3433 }
3434 }
3435
3436 /* We didn't find it, add it to the end, if there is room */
3437 if (persist_data->persist_valid_entries < max_persistent_entries) {
3438 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3439 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3440 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3441 persist_data->persist_valid_entries++;
3442 return 0;
3443 }
3444
3445 return -1;
3446 }
3447
3448 /**
3449 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3450 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3451 */
3452 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3453 unsigned int i;
3454 unsigned int field_len;
3455 unsigned int key_index;
3456 field_len = strlen(field);
3457
3458 if (index == 0) {
3459 // The first key in a multi-entry field is just the filedname itself.
3460 if (!strcmp(key, field)) {
3461 return 1;
3462 }
3463 }
3464 // Match key against "%s_%d" % (field, index)
3465 if (strlen(key) < field_len + 1 + 1) {
3466 // Need at least a '_' and a digit.
3467 return 0;
3468 }
3469 if (strncmp(key, field, field_len)) {
3470 // If the key does not begin with field, it's not a match.
3471 return 0;
3472 }
3473 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3474 return 0;
3475 }
3476 return key_index >= index;
3477 }
3478
3479 /*
3480 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3481 * remaining entries starting from index will be deleted.
3482 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3483 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3484 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3485 *
3486 */
3487 static int persist_del_keys(const char *fieldname, unsigned index)
3488 {
3489 unsigned int i;
3490 unsigned int j;
3491 unsigned int num;
3492
3493 if (persist_data == NULL) {
3494 return PERSIST_DEL_KEY_ERROR_OTHER;
3495 }
3496
3497 num = persist_data->persist_valid_entries;
3498
3499 j = 0; // points to the end of non-deleted entries.
3500 // Filter out to-be-deleted entries in place.
3501 for (i = 0; i < num; i++) {
3502 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3503 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3504 j++;
3505 }
3506 }
3507
3508 if (j < num) {
3509 persist_data->persist_valid_entries = j;
3510 // Zeroise the remaining entries
3511 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3512 return PERSIST_DEL_KEY_OK;
3513 } else {
3514 // Did not find an entry matching the given fieldname
3515 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3516 }
3517 }
3518
3519 static int persist_count_keys(const char *fieldname)
3520 {
3521 unsigned int i;
3522 unsigned int count;
3523
3524 if (persist_data == NULL) {
3525 return -1;
3526 }
3527
3528 count = 0;
3529 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3530 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3531 count++;
3532 }
3533 }
3534
3535 return count;
3536 }
3537
3538 /* Return the value of the specified field. */
3539 int cryptfs_getfield(const char *fieldname, char *value, int len)
3540 {
3541 char temp_value[PROPERTY_VALUE_MAX];
3542 char real_blkdev[MAXPATHLEN];
3543 /* CRYPTO_GETFIELD_OK is success,
3544 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3545 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3546 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3547 */
3548 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3549 int i;
3550 char temp_field[PROPERTY_KEY_MAX];
3551
3552 if (persist_data == NULL) {
3553 load_persistent_data();
3554 if (persist_data == NULL) {
3555 SLOGE("Getfield error, cannot load persistent data");
3556 goto out;
3557 }
3558 }
3559
3560 // Read value from persistent entries. If the original value is split into multiple entries,
3561 // stitch them back together.
3562 if (!persist_get_key(fieldname, temp_value)) {
3563 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3564 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3565 // value too small
3566 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3567 goto out;
3568 }
3569 rc = CRYPTO_GETFIELD_OK;
3570
3571 for (i = 1; /* break explicitly */; i++) {
3572 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3573 (int) sizeof(temp_field)) {
3574 // If the fieldname is very long, we stop as soon as it begins to overflow the
3575 // maximum field length. At this point we have in fact fully read out the original
3576 // value because cryptfs_setfield would not allow fields with longer names to be
3577 // written in the first place.
3578 break;
3579 }
3580 if (!persist_get_key(temp_field, temp_value)) {
3581 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3582 // value too small.
3583 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3584 goto out;
3585 }
3586 } else {
3587 // Exhaust all entries.
3588 break;
3589 }
3590 }
3591 } else {
3592 /* Sadness, it's not there. Return the error */
3593 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3594 }
3595
3596 out:
3597 return rc;
3598 }
3599
3600 /* Set the value of the specified field. */
3601 int cryptfs_setfield(const char *fieldname, const char *value)
3602 {
3603 struct crypt_persist_data stored_pdata;
3604 struct crypt_persist_data *pdata_p;
3605 struct crypt_mnt_ftr crypt_ftr;
3606 char encrypted_state[PROPERTY_VALUE_MAX];
3607 /* 0 is success, negative values are error */
3608 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3609 int encrypted = 0;
3610 unsigned int field_id;
3611 char temp_field[PROPERTY_KEY_MAX];
3612 unsigned int num_entries;
3613 unsigned int max_keylen;
3614
3615 if (persist_data == NULL) {
3616 load_persistent_data();
3617 if (persist_data == NULL) {
3618 SLOGE("Setfield error, cannot load persistent data");
3619 goto out;
3620 }
3621 }
3622
3623 property_get("ro.crypto.state", encrypted_state, "");
3624 if (!strcmp(encrypted_state, "encrypted") ) {
3625 encrypted = 1;
3626 }
3627
3628 // Compute the number of entries required to store value, each entry can store up to
3629 // (PROPERTY_VALUE_MAX - 1) chars
3630 if (strlen(value) == 0) {
3631 // Empty value also needs one entry to store.
3632 num_entries = 1;
3633 } else {
3634 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3635 }
3636
3637 max_keylen = strlen(fieldname);
3638 if (num_entries > 1) {
3639 // Need an extra "_%d" suffix.
3640 max_keylen += 1 + log10(num_entries);
3641 }
3642 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3643 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3644 goto out;
3645 }
3646
3647 // Make sure we have enough space to write the new value
3648 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3649 persist_get_max_entries(encrypted)) {
3650 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3651 goto out;
3652 }
3653
3654 // Now that we know persist_data has enough space for value, let's delete the old field first
3655 // to make up space.
3656 persist_del_keys(fieldname, 0);
3657
3658 if (persist_set_key(fieldname, value, encrypted)) {
3659 // fail to set key, should not happen as we have already checked the available space
3660 SLOGE("persist_set_key() error during setfield()");
3661 goto out;
3662 }
3663
3664 for (field_id = 1; field_id < num_entries; field_id++) {
3665 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3666
3667 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3668 // fail to set key, should not happen as we have already checked the available space.
3669 SLOGE("persist_set_key() error during setfield()");
3670 goto out;
3671 }
3672 }
3673
3674 /* If we are running encrypted, save the persistent data now */
3675 if (encrypted) {
3676 if (save_persistent_data()) {
3677 SLOGE("Setfield error, cannot save persistent data");
3678 goto out;
3679 }
3680 }
3681
3682 rc = CRYPTO_SETFIELD_OK;
3683
3684 out:
3685 return rc;
3686 }
3687
3688 /* Checks userdata. Attempt to mount the volume if default-
3689 * encrypted.
3690 * On success trigger next init phase and return 0.
3691 * Currently do not handle failure - see TODO below.
3692 */
3693 int cryptfs_mount_default_encrypted(void)
3694 {
3695 char decrypt_state[PROPERTY_VALUE_MAX];
3696 property_get("vold.decrypt", decrypt_state, "0");
3697 if (!strcmp(decrypt_state, "0")) {
3698 SLOGE("Not encrypted - should not call here");
3699 } else {
3700 int crypt_type = cryptfs_get_password_type();
3701 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3702 SLOGE("Bad crypt type - error");
3703 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3704 SLOGD("Password is not default - "
3705 "starting min framework to prompt");
3706 property_set("vold.decrypt", "trigger_restart_min_framework");
3707 return 0;
3708 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3709 SLOGD("Password is default - restarting filesystem");
3710 cryptfs_restart_internal(0);
3711 return 0;
3712 } else {
3713 SLOGE("Encrypted, default crypt type but can't decrypt");
3714 }
3715 }
3716
3717 /** Corrupt. Allow us to boot into framework, which will detect bad
3718 crypto when it calls do_crypto_complete, then do a factory reset
3719 */
3720 property_set("vold.decrypt", "trigger_restart_min_framework");
3721 return 0;
3722 }
3723
3724 /* Returns type of the password, default, pattern, pin or password.
3725 */
3726 int cryptfs_get_password_type(void)
3727 {
3728 struct crypt_mnt_ftr crypt_ftr;
3729
3730 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3731 SLOGE("Error getting crypt footer and key\n");
3732 return -1;
3733 }
3734
3735 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3736 return -1;
3737 }
3738
3739 return crypt_ftr.crypt_type;
3740 }
3741
3742 char* cryptfs_get_password()
3743 {
3744 struct timespec now;
3745 clock_gettime(CLOCK_BOOTTIME, &now);
3746 if (now.tv_sec < password_expiry_time) {
3747 return password;
3748 } else {
3749 cryptfs_clear_password();
3750 return 0;
3751 }
3752 }
3753
3754 void cryptfs_clear_password()
3755 {
3756 if (password) {
3757 size_t len = strlen(password);
3758 memset(password, 0, len);
3759 free(password);
3760 password = 0;
3761 password_expiry_time = 0;
3762 }
3763 }
3764