• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 /* TO DO:
18  *   1.  Perhaps keep several copies of the encrypted key, in case something
19  *       goes horribly wrong?
20  *
21  */
22 
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4.h>
42 #include <linux/kdev_t.h>
43 #include <fs_mgr.h>
44 #include <time.h>
45 #include <math.h>
46 #include <selinux/selinux.h>
47 #include "cryptfs.h"
48 #include "secontext.h"
49 #define LOG_TAG "Cryptfs"
50 #include "cutils/log.h"
51 #include "cutils/properties.h"
52 #include "cutils/android_reboot.h"
53 #include "hardware_legacy/power.h"
54 #include <logwrap/logwrap.h>
55 #include "ScryptParameters.h"
56 #include "VolumeManager.h"
57 #include "VoldUtil.h"
58 #include "crypto_scrypt.h"
59 #include "Ext4Crypt.h"
60 #include "ext4_utils.h"
61 #include "f2fs_sparseblock.h"
62 #include "CheckBattery.h"
63 #include "Process.h"
64 
65 #include <bootloader_message/bootloader_message.h>
66 #include <hardware/keymaster0.h>
67 #include <hardware/keymaster1.h>
68 
69 #define UNUSED __attribute__((unused))
70 
71 #define UNUSED __attribute__((unused))
72 
73 #ifdef CONFIG_HW_DISK_ENCRYPTION
74 #include "cryptfs_hw.h"
75 #endif
76 
77 #define DM_CRYPT_BUF_SIZE 4096
78 
79 #define HASH_COUNT 2000
80 #define KEY_LEN_BYTES 16
81 #define IV_LEN_BYTES 16
82 
83 #define KEY_IN_FOOTER  "footer"
84 
85 #define DEFAULT_PASSWORD "default_password"
86 
87 #define CRYPTO_BLOCK_DEVICE "userdata"
88 
89 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
90 
91 #define EXT4_FS 1
92 #define F2FS_FS 2
93 
94 #define TABLE_LOAD_RETRIES 10
95 
96 #define RSA_KEY_SIZE 2048
97 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
98 #define RSA_EXPONENT 0x10001
99 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1  // Maximum one try per second
100 
101 #define RETRY_MOUNT_ATTEMPTS 10
102 #define RETRY_MOUNT_DELAY_SECONDS 1
103 
104 char *me = "cryptfs";
105 
106 static unsigned char saved_master_key[KEY_LEN_BYTES];
107 static char *saved_mount_point;
108 static int  master_key_saved = 0;
109 static struct crypt_persist_data *persist_data = NULL;
110 
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)111 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
112                           keymaster1_device_t **keymaster1_dev)
113 {
114     int rc;
115 
116     const hw_module_t* mod;
117     rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
118     if (rc) {
119         ALOGE("could not find any keystore module");
120         goto err;
121     }
122 
123     SLOGI("keymaster module name is %s", mod->name);
124     SLOGI("keymaster version is %d", mod->module_api_version);
125 
126     *keymaster0_dev = NULL;
127     *keymaster1_dev = NULL;
128     if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
129         SLOGI("Found keymaster1 module, using keymaster1 API.");
130         rc = keymaster1_open(mod, keymaster1_dev);
131     } else {
132         SLOGI("Found keymaster0 module, using keymaster0 API.");
133         rc = keymaster0_open(mod, keymaster0_dev);
134     }
135 
136     if (rc) {
137         ALOGE("could not open keymaster device in %s (%s)",
138               KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
139         goto err;
140     }
141 
142     return 0;
143 
144 err:
145     *keymaster0_dev = NULL;
146     *keymaster1_dev = NULL;
147     return rc;
148 }
149 
150 /* Should we use keymaster? */
keymaster_check_compatibility()151 static int keymaster_check_compatibility()
152 {
153     keymaster0_device_t *keymaster0_dev = 0;
154     keymaster1_device_t *keymaster1_dev = 0;
155     int rc = 0;
156 
157     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
158         SLOGE("Failed to init keymaster");
159         rc = -1;
160         goto out;
161     }
162 
163     if (keymaster1_dev) {
164         rc = 1;
165         goto out;
166     }
167 
168     if (!keymaster0_dev || !keymaster0_dev->common.module) {
169         rc = -1;
170         goto out;
171     }
172 
173     // TODO(swillden): Check to see if there's any reason to require v0.3.  I think v0.1 and v0.2
174     // should work.
175     if (keymaster0_dev->common.module->module_api_version
176             < KEYMASTER_MODULE_API_VERSION_0_3) {
177         rc = 0;
178         goto out;
179     }
180 
181     if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
182         (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
183         rc = 1;
184     }
185 
186 out:
187     if (keymaster1_dev) {
188         keymaster1_close(keymaster1_dev);
189     }
190     if (keymaster0_dev) {
191         keymaster0_close(keymaster0_dev);
192     }
193     return rc;
194 }
195 
196 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)197 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
198 {
199     uint8_t* key = 0;
200     keymaster0_device_t *keymaster0_dev = 0;
201     keymaster1_device_t *keymaster1_dev = 0;
202 
203     if (ftr->keymaster_blob_size) {
204         SLOGI("Already have key");
205         return 0;
206     }
207 
208     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
209         SLOGE("Failed to init keymaster");
210         return -1;
211     }
212 
213     int rc = 0;
214     size_t key_size = 0;
215     if (keymaster1_dev) {
216         keymaster_key_param_t params[] = {
217             /* Algorithm & size specifications.  Stick with RSA for now.  Switch to AES later. */
218             keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
219             keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
220             keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
221 
222 	    /* The only allowed purpose for this key is signing. */
223 	    keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
224 
225             /* Padding & digest specifications. */
226             keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
227             keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
228 
229             /* Require that the key be usable in standalone mode.  File system isn't available. */
230             keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
231 
232             /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
233             keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
234 
235             /* Rate-limit key usage attempts, to rate-limit brute force */
236             keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
237         };
238         keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
239         keymaster_key_blob_t key_blob;
240         keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, &param_set,
241                                                                &key_blob,
242                                                                NULL /* characteristics */);
243         if (error != KM_ERROR_OK) {
244             SLOGE("Failed to generate keymaster1 key, error %d", error);
245             rc = -1;
246             goto out;
247         }
248 
249         key = (uint8_t*)key_blob.key_material;
250         key_size = key_blob.key_material_size;
251     }
252     else if (keymaster0_dev) {
253         keymaster_rsa_keygen_params_t params;
254         memset(&params, '\0', sizeof(params));
255         params.public_exponent = RSA_EXPONENT;
256         params.modulus_size = RSA_KEY_SIZE;
257 
258         if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params,
259                                              &key, &key_size)) {
260             SLOGE("Failed to generate keypair");
261             rc = -1;
262             goto out;
263         }
264     } else {
265         SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
266         rc = -1;
267         goto out;
268     }
269 
270     if (key_size > KEYMASTER_BLOB_SIZE) {
271         SLOGE("Keymaster key too large for crypto footer");
272         rc = -1;
273         goto out;
274     }
275 
276     memcpy(ftr->keymaster_blob, key, key_size);
277     ftr->keymaster_blob_size = key_size;
278 
279 out:
280     if (keymaster0_dev)
281         keymaster0_close(keymaster0_dev);
282     if (keymaster1_dev)
283         keymaster1_close(keymaster1_dev);
284     free(key);
285     return rc;
286 }
287 
288 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)289 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
290                                  const unsigned char *object,
291                                  const size_t object_size,
292                                  unsigned char **signature,
293                                  size_t *signature_size)
294 {
295     int rc = 0;
296     keymaster0_device_t *keymaster0_dev = 0;
297     keymaster1_device_t *keymaster1_dev = 0;
298     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
299         SLOGE("Failed to init keymaster");
300         rc = -1;
301         goto out;
302     }
303 
304     unsigned char to_sign[RSA_KEY_SIZE_BYTES];
305     size_t to_sign_size = sizeof(to_sign);
306     memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
307 
308     // To sign a message with RSA, the message must satisfy two
309     // constraints:
310     //
311     // 1. The message, when interpreted as a big-endian numeric value, must
312     //    be strictly less than the public modulus of the RSA key.  Note
313     //    that because the most significant bit of the public modulus is
314     //    guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
315     //    key), an n-bit message with most significant bit 0 always
316     //    satisfies this requirement.
317     //
318     // 2. The message must have the same length in bits as the public
319     //    modulus of the RSA key.  This requirement isn't mathematically
320     //    necessary, but is necessary to ensure consistency in
321     //    implementations.
322     switch (ftr->kdf_type) {
323         case KDF_SCRYPT_KEYMASTER:
324             // This ensures the most significant byte of the signed message
325             // is zero.  We could have zero-padded to the left instead, but
326             // this approach is slightly more robust against changes in
327             // object size.  However, it's still broken (but not unusably
328             // so) because we really should be using a proper deterministic
329             // RSA padding function, such as PKCS1.
330             memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
331             SLOGI("Signing safely-padded object");
332             break;
333         default:
334             SLOGE("Unknown KDF type %d", ftr->kdf_type);
335             rc = -1;
336             goto out;
337     }
338 
339     if (keymaster0_dev) {
340         keymaster_rsa_sign_params_t params;
341         params.digest_type = DIGEST_NONE;
342         params.padding_type = PADDING_NONE;
343 
344         rc = keymaster0_dev->sign_data(keymaster0_dev,
345                                       &params,
346                                       ftr->keymaster_blob,
347                                       ftr->keymaster_blob_size,
348                                       to_sign,
349                                       to_sign_size,
350                                       signature,
351                                       signature_size);
352         goto out;
353     } else if (keymaster1_dev) {
354         keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
355         keymaster_key_param_t params[] = {
356             keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
357             keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
358         };
359         keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
360         keymaster_operation_handle_t op_handle;
361         keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
362                                                         &param_set, NULL /* out_params */,
363                                                         &op_handle);
364         if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
365             // Key usage has been rate-limited.  Wait a bit and try again.
366             sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
367             error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
368                                           &param_set, NULL /* out_params */,
369                                           &op_handle);
370         }
371         if (error != KM_ERROR_OK) {
372             SLOGE("Error starting keymaster signature transaction: %d", error);
373             rc = -1;
374             goto out;
375         }
376 
377         keymaster_blob_t input = { to_sign, to_sign_size };
378         size_t input_consumed;
379         error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
380                                        &input, &input_consumed, NULL /* out_params */,
381                                        NULL /* output */);
382         if (error != KM_ERROR_OK) {
383             SLOGE("Error sending data to keymaster signature transaction: %d", error);
384             rc = -1;
385             goto out;
386         }
387         if (input_consumed != to_sign_size) {
388             // This should never happen.  If it does, it's a bug in the keymaster implementation.
389             SLOGE("Keymaster update() did not consume all data.");
390             keymaster1_dev->abort(keymaster1_dev, op_handle);
391             rc = -1;
392             goto out;
393         }
394 
395         keymaster_blob_t tmp_sig;
396         error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
397                                        NULL /* verify signature */, NULL /* out_params */,
398                                        &tmp_sig);
399         if (error != KM_ERROR_OK) {
400             SLOGE("Error finishing keymaster signature transaction: %d", error);
401             rc = -1;
402             goto out;
403         }
404 
405         *signature = (uint8_t*)tmp_sig.data;
406         *signature_size = tmp_sig.data_length;
407     } else {
408         SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
409         rc = -1;
410         goto out;
411     }
412 
413     out:
414         if (keymaster1_dev)
415             keymaster1_close(keymaster1_dev);
416         if (keymaster0_dev)
417             keymaster0_close(keymaster0_dev);
418 
419         return rc;
420 }
421 
422 /* Store password when userdata is successfully decrypted and mounted.
423  * Cleared by cryptfs_clear_password
424  *
425  * To avoid a double prompt at boot, we need to store the CryptKeeper
426  * password and pass it to KeyGuard, which uses it to unlock KeyStore.
427  * Since the entire framework is torn down and rebuilt after encryption,
428  * we have to use a daemon or similar to store the password. Since vold
429  * is secured against IPC except from system processes, it seems a reasonable
430  * place to store this.
431  *
432  * password should be cleared once it has been used.
433  *
434  * password is aged out after password_max_age_seconds seconds.
435  */
436 static char* password = 0;
437 static int password_expiry_time = 0;
438 static const int password_max_age_seconds = 60;
439 
440 extern struct fstab *fstab;
441 
442 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)443 static void cryptfs_reboot(enum RebootType rt)
444 {
445   switch(rt) {
446       case reboot:
447           property_set(ANDROID_RB_PROPERTY, "reboot");
448           break;
449 
450       case recovery:
451           property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
452           break;
453 
454       case shutdown:
455           property_set(ANDROID_RB_PROPERTY, "shutdown");
456           break;
457     }
458 
459     sleep(20);
460 
461     /* Shouldn't get here, reboot should happen before sleep times out */
462     return;
463 }
464 
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)465 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
466 {
467     memset(io, 0, dataSize);
468     io->data_size = dataSize;
469     io->data_start = sizeof(struct dm_ioctl);
470     io->version[0] = 4;
471     io->version[1] = 0;
472     io->version[2] = 0;
473     io->flags = flags;
474     if (name) {
475         strlcpy(io->name, name, sizeof(io->name));
476     }
477 }
478 
479 /**
480  * Gets the default device scrypt parameters for key derivation time tuning.
481  * The parameters should lead to about one second derivation time for the
482  * given device.
483  */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)484 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
485     char paramstr[PROPERTY_VALUE_MAX];
486     int Nf, rf, pf;
487 
488     property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
489     if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
490         SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
491         parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
492     }
493     ftr->N_factor = Nf;
494     ftr->r_factor = rf;
495     ftr->p_factor = pf;
496 }
497 
get_fs_size(char * dev)498 static unsigned int get_fs_size(char *dev)
499 {
500     int fd, block_size;
501     struct ext4_super_block sb;
502     off64_t len;
503 
504     if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
505         SLOGE("Cannot open device to get filesystem size ");
506         return 0;
507     }
508 
509     if (lseek64(fd, 1024, SEEK_SET) < 0) {
510         SLOGE("Cannot seek to superblock");
511         return 0;
512     }
513 
514     if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
515         SLOGE("Cannot read superblock");
516         return 0;
517     }
518 
519     close(fd);
520 
521     if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
522         SLOGE("Not a valid ext4 superblock");
523         return 0;
524     }
525     block_size = 1024 << sb.s_log_block_size;
526     /* compute length in bytes */
527     len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
528 
529     /* return length in sectors */
530     return (unsigned int) (len / 512);
531 }
532 
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)533 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
534 {
535   static int cached_data = 0;
536   static off64_t cached_off = 0;
537   static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
538   int fd;
539   char key_loc[PROPERTY_VALUE_MAX];
540   char real_blkdev[PROPERTY_VALUE_MAX];
541   int rc = -1;
542 
543   if (!cached_data) {
544     fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
545 
546     if (!strcmp(key_loc, KEY_IN_FOOTER)) {
547       if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
548         SLOGE("Cannot open real block device %s\n", real_blkdev);
549         return -1;
550       }
551 
552       unsigned long nr_sec = 0;
553       get_blkdev_size(fd, &nr_sec);
554       if (nr_sec != 0) {
555         /* If it's an encrypted Android partition, the last 16 Kbytes contain the
556          * encryption info footer and key, and plenty of bytes to spare for future
557          * growth.
558          */
559         strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
560         cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
561         cached_data = 1;
562       } else {
563         SLOGE("Cannot get size of block device %s\n", real_blkdev);
564       }
565       close(fd);
566     } else {
567       strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
568       cached_off = 0;
569       cached_data = 1;
570     }
571   }
572 
573   if (cached_data) {
574     if (metadata_fname) {
575         *metadata_fname = cached_metadata_fname;
576     }
577     if (off) {
578         *off = cached_off;
579     }
580     rc = 0;
581   }
582 
583   return rc;
584 }
585 
586 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)587 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
588 {
589     SHA256_CTX c;
590     SHA256_Init(&c);
591     memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
592     SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
593     SHA256_Final(crypt_ftr->sha256, &c);
594 }
595 
596 /* key or salt can be NULL, in which case just skip writing that value.  Useful to
597  * update the failed mount count but not change the key.
598  */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)599 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
600 {
601   int fd;
602   unsigned int cnt;
603   /* starting_off is set to the SEEK_SET offset
604    * where the crypto structure starts
605    */
606   off64_t starting_off;
607   int rc = -1;
608   char *fname = NULL;
609   struct stat statbuf;
610 
611   set_ftr_sha(crypt_ftr);
612 
613   if (get_crypt_ftr_info(&fname, &starting_off)) {
614     SLOGE("Unable to get crypt_ftr_info\n");
615     return -1;
616   }
617   if (fname[0] != '/') {
618     SLOGE("Unexpected value for crypto key location\n");
619     return -1;
620   }
621   if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
622     SLOGE("Cannot open footer file %s for put\n", fname);
623     return -1;
624   }
625 
626   /* Seek to the start of the crypt footer */
627   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
628     SLOGE("Cannot seek to real block device footer\n");
629     goto errout;
630   }
631 
632   if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
633     SLOGE("Cannot write real block device footer\n");
634     goto errout;
635   }
636 
637   fstat(fd, &statbuf);
638   /* If the keys are kept on a raw block device, do not try to truncate it. */
639   if (S_ISREG(statbuf.st_mode)) {
640     if (ftruncate(fd, 0x4000)) {
641       SLOGE("Cannot set footer file size\n");
642       goto errout;
643     }
644   }
645 
646   /* Success! */
647   rc = 0;
648 
649 errout:
650   close(fd);
651   return rc;
652 
653 }
654 
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)655 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
656 {
657     struct crypt_mnt_ftr copy;
658     memcpy(&copy, crypt_ftr, sizeof(copy));
659     set_ftr_sha(&copy);
660     return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
661 }
662 
unix_read(int fd,void * buff,int len)663 static inline int unix_read(int  fd, void*  buff, int  len)
664 {
665     return TEMP_FAILURE_RETRY(read(fd, buff, len));
666 }
667 
unix_write(int fd,const void * buff,int len)668 static inline int unix_write(int  fd, const void*  buff, int  len)
669 {
670     return TEMP_FAILURE_RETRY(write(fd, buff, len));
671 }
672 
init_empty_persist_data(struct crypt_persist_data * pdata,int len)673 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
674 {
675     memset(pdata, 0, len);
676     pdata->persist_magic = PERSIST_DATA_MAGIC;
677     pdata->persist_valid_entries = 0;
678 }
679 
680 /* A routine to update the passed in crypt_ftr to the lastest version.
681  * fd is open read/write on the device that holds the crypto footer and persistent
682  * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
683  * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
684  */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)685 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
686 {
687     int orig_major = crypt_ftr->major_version;
688     int orig_minor = crypt_ftr->minor_version;
689 
690     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
691         struct crypt_persist_data *pdata;
692         off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
693 
694         SLOGW("upgrading crypto footer to 1.1");
695 
696         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
697         if (pdata == NULL) {
698             SLOGE("Cannot allocate persisent data\n");
699             return;
700         }
701         memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
702 
703         /* Need to initialize the persistent data area */
704         if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
705             SLOGE("Cannot seek to persisent data offset\n");
706             free(pdata);
707             return;
708         }
709         /* Write all zeros to the first copy, making it invalid */
710         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
711 
712         /* Write a valid but empty structure to the second copy */
713         init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
714         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
715 
716         /* Update the footer */
717         crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
718         crypt_ftr->persist_data_offset[0] = pdata_offset;
719         crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
720         crypt_ftr->minor_version = 1;
721         free(pdata);
722     }
723 
724     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
725         SLOGW("upgrading crypto footer to 1.2");
726         /* But keep the old kdf_type.
727          * It will get updated later to KDF_SCRYPT after the password has been verified.
728          */
729         crypt_ftr->kdf_type = KDF_PBKDF2;
730         get_device_scrypt_params(crypt_ftr);
731         crypt_ftr->minor_version = 2;
732     }
733 
734     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
735         SLOGW("upgrading crypto footer to 1.3");
736         crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
737         crypt_ftr->minor_version = 3;
738     }
739 
740     if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
741         if (lseek64(fd, offset, SEEK_SET) == -1) {
742             SLOGE("Cannot seek to crypt footer\n");
743             return;
744         }
745         unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
746     }
747 }
748 
749 
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)750 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
751 {
752   int fd;
753   unsigned int cnt;
754   off64_t starting_off;
755   int rc = -1;
756   char *fname = NULL;
757   struct stat statbuf;
758 
759   if (get_crypt_ftr_info(&fname, &starting_off)) {
760     SLOGE("Unable to get crypt_ftr_info\n");
761     return -1;
762   }
763   if (fname[0] != '/') {
764     SLOGE("Unexpected value for crypto key location\n");
765     return -1;
766   }
767   if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
768     SLOGE("Cannot open footer file %s for get\n", fname);
769     return -1;
770   }
771 
772   /* Make sure it's 16 Kbytes in length */
773   fstat(fd, &statbuf);
774   if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
775     SLOGE("footer file %s is not the expected size!\n", fname);
776     goto errout;
777   }
778 
779   /* Seek to the start of the crypt footer */
780   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
781     SLOGE("Cannot seek to real block device footer\n");
782     goto errout;
783   }
784 
785   if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
786     SLOGE("Cannot read real block device footer\n");
787     goto errout;
788   }
789 
790   if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
791     SLOGE("Bad magic for real block device %s\n", fname);
792     goto errout;
793   }
794 
795   if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
796     SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
797           crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
798     goto errout;
799   }
800 
801   if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
802     SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
803           crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
804   }
805 
806   /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
807    * copy on disk before returning.
808    */
809   if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
810     upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
811   }
812 
813   /* Success! */
814   rc = 0;
815 
816 errout:
817   close(fd);
818   return rc;
819 }
820 
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)821 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
822 {
823     if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
824         crypt_ftr->persist_data_offset[1]) {
825         SLOGE("Crypt_ftr persist data regions overlap");
826         return -1;
827     }
828 
829     if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
830         SLOGE("Crypt_ftr persist data region 0 starts after region 1");
831         return -1;
832     }
833 
834     if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
835         (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
836         CRYPT_FOOTER_OFFSET) {
837         SLOGE("Persistent data extends past crypto footer");
838         return -1;
839     }
840 
841     return 0;
842 }
843 
load_persistent_data(void)844 static int load_persistent_data(void)
845 {
846     struct crypt_mnt_ftr crypt_ftr;
847     struct crypt_persist_data *pdata = NULL;
848     char encrypted_state[PROPERTY_VALUE_MAX];
849     char *fname;
850     int found = 0;
851     int fd;
852     int ret;
853     int i;
854 
855     if (persist_data) {
856         /* Nothing to do, we've already loaded or initialized it */
857         return 0;
858     }
859 
860 
861     /* If not encrypted, just allocate an empty table and initialize it */
862     property_get("ro.crypto.state", encrypted_state, "");
863     if (strcmp(encrypted_state, "encrypted") ) {
864         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
865         if (pdata) {
866             init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
867             persist_data = pdata;
868             return 0;
869         }
870         return -1;
871     }
872 
873     if(get_crypt_ftr_and_key(&crypt_ftr)) {
874         return -1;
875     }
876 
877     if ((crypt_ftr.major_version < 1)
878         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
879         SLOGE("Crypt_ftr version doesn't support persistent data");
880         return -1;
881     }
882 
883     if (get_crypt_ftr_info(&fname, NULL)) {
884         return -1;
885     }
886 
887     ret = validate_persistent_data_storage(&crypt_ftr);
888     if (ret) {
889         return -1;
890     }
891 
892     fd = open(fname, O_RDONLY|O_CLOEXEC);
893     if (fd < 0) {
894         SLOGE("Cannot open %s metadata file", fname);
895         return -1;
896     }
897 
898     pdata = malloc(crypt_ftr.persist_data_size);
899     if (pdata == NULL) {
900         SLOGE("Cannot allocate memory for persistent data");
901         goto err;
902     }
903 
904     for (i = 0; i < 2; i++) {
905         if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
906             SLOGE("Cannot seek to read persistent data on %s", fname);
907             goto err2;
908         }
909         if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
910             SLOGE("Error reading persistent data on iteration %d", i);
911             goto err2;
912         }
913         if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
914             found = 1;
915             break;
916         }
917     }
918 
919     if (!found) {
920         SLOGI("Could not find valid persistent data, creating");
921         init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
922     }
923 
924     /* Success */
925     persist_data = pdata;
926     close(fd);
927     return 0;
928 
929 err2:
930     free(pdata);
931 
932 err:
933     close(fd);
934     return -1;
935 }
936 
save_persistent_data(void)937 static int save_persistent_data(void)
938 {
939     struct crypt_mnt_ftr crypt_ftr;
940     struct crypt_persist_data *pdata;
941     char *fname;
942     off64_t write_offset;
943     off64_t erase_offset;
944     int fd;
945     int ret;
946 
947     if (persist_data == NULL) {
948         SLOGE("No persistent data to save");
949         return -1;
950     }
951 
952     if(get_crypt_ftr_and_key(&crypt_ftr)) {
953         return -1;
954     }
955 
956     if ((crypt_ftr.major_version < 1)
957         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
958         SLOGE("Crypt_ftr version doesn't support persistent data");
959         return -1;
960     }
961 
962     ret = validate_persistent_data_storage(&crypt_ftr);
963     if (ret) {
964         return -1;
965     }
966 
967     if (get_crypt_ftr_info(&fname, NULL)) {
968         return -1;
969     }
970 
971     fd = open(fname, O_RDWR|O_CLOEXEC);
972     if (fd < 0) {
973         SLOGE("Cannot open %s metadata file", fname);
974         return -1;
975     }
976 
977     pdata = malloc(crypt_ftr.persist_data_size);
978     if (pdata == NULL) {
979         SLOGE("Cannot allocate persistant data");
980         goto err;
981     }
982 
983     if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
984         SLOGE("Cannot seek to read persistent data on %s", fname);
985         goto err2;
986     }
987 
988     if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
989             SLOGE("Error reading persistent data before save");
990             goto err2;
991     }
992 
993     if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
994         /* The first copy is the curent valid copy, so write to
995          * the second copy and erase this one */
996        write_offset = crypt_ftr.persist_data_offset[1];
997        erase_offset = crypt_ftr.persist_data_offset[0];
998     } else {
999         /* The second copy must be the valid copy, so write to
1000          * the first copy, and erase the second */
1001        write_offset = crypt_ftr.persist_data_offset[0];
1002        erase_offset = crypt_ftr.persist_data_offset[1];
1003     }
1004 
1005     /* Write the new copy first, if successful, then erase the old copy */
1006     if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1007         SLOGE("Cannot seek to write persistent data");
1008         goto err2;
1009     }
1010     if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1011         (int) crypt_ftr.persist_data_size) {
1012         if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1013             SLOGE("Cannot seek to erase previous persistent data");
1014             goto err2;
1015         }
1016         fsync(fd);
1017         memset(pdata, 0, crypt_ftr.persist_data_size);
1018         if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1019             (int) crypt_ftr.persist_data_size) {
1020             SLOGE("Cannot write to erase previous persistent data");
1021             goto err2;
1022         }
1023         fsync(fd);
1024     } else {
1025         SLOGE("Cannot write to save persistent data");
1026         goto err2;
1027     }
1028 
1029     /* Success */
1030     free(pdata);
1031     close(fd);
1032     return 0;
1033 
1034 err2:
1035     free(pdata);
1036 err:
1037     close(fd);
1038     return -1;
1039 }
1040 
1041 /* Convert a binary key of specified length into an ascii hex string equivalent,
1042  * without the leading 0x and with null termination
1043  */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1044 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1045                                      unsigned int keysize, char *master_key_ascii) {
1046     unsigned int i, a;
1047     unsigned char nibble;
1048 
1049     for (i=0, a=0; i<keysize; i++, a+=2) {
1050         /* For each byte, write out two ascii hex digits */
1051         nibble = (master_key[i] >> 4) & 0xf;
1052         master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1053 
1054         nibble = master_key[i] & 0xf;
1055         master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1056     }
1057 
1058     /* Add the null termination */
1059     master_key_ascii[a] = '\0';
1060 
1061 }
1062 
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)1063 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1064         const unsigned char *master_key, const char *real_blk_name,
1065         const char *name, int fd, const char *extra_params) {
1066   _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1067   struct dm_ioctl *io;
1068   struct dm_target_spec *tgt;
1069   char *crypt_params;
1070   char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1071   int i;
1072 
1073   io = (struct dm_ioctl *) buffer;
1074 
1075   /* Load the mapping table for this device */
1076   tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1077 
1078   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1079   io->target_count = 1;
1080   tgt->status = 0;
1081   tgt->sector_start = 0;
1082   tgt->length = crypt_ftr->fs_size;
1083 #ifdef CONFIG_HW_DISK_ENCRYPTION
1084   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1085     strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1086   }
1087   else {
1088     strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1089   }
1090 #else
1091   strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1092 #endif
1093 
1094   crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1095   convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1096   sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1097           master_key_ascii, real_blk_name, extra_params);
1098   crypt_params += strlen(crypt_params) + 1;
1099   crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1100   tgt->next = crypt_params - buffer;
1101 
1102   for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1103     if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1104       break;
1105     }
1106     usleep(500000);
1107   }
1108 
1109   if (i == TABLE_LOAD_RETRIES) {
1110     /* We failed to load the table, return an error */
1111     return -1;
1112   } else {
1113     return i + 1;
1114   }
1115 }
1116 
1117 
get_dm_crypt_version(int fd,const char * name,int * version)1118 static int get_dm_crypt_version(int fd, const char *name,  int *version)
1119 {
1120     char buffer[DM_CRYPT_BUF_SIZE];
1121     struct dm_ioctl *io;
1122     struct dm_target_versions *v;
1123 
1124     io = (struct dm_ioctl *) buffer;
1125 
1126     ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1127 
1128     if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1129         return -1;
1130     }
1131 
1132     /* Iterate over the returned versions, looking for name of "crypt".
1133      * When found, get and return the version.
1134      */
1135     v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1136     while (v->next) {
1137 #ifdef CONFIG_HW_DISK_ENCRYPTION
1138         if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1139 #else
1140         if (! strcmp(v->name, "crypt")) {
1141 #endif
1142             /* We found the crypt driver, return the version, and get out */
1143             version[0] = v->version[0];
1144             version[1] = v->version[1];
1145             version[2] = v->version[2];
1146             return 0;
1147         }
1148         v = (struct dm_target_versions *)(((char *)v) + v->next);
1149     }
1150 
1151     return -1;
1152 }
1153 
1154 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1155         const unsigned char *master_key, const char *real_blk_name,
1156         char *crypto_blk_name, const char *name) {
1157   char buffer[DM_CRYPT_BUF_SIZE];
1158   struct dm_ioctl *io;
1159   unsigned int minor;
1160   int fd=0;
1161   int err;
1162   int retval = -1;
1163   int version[3];
1164   char *extra_params;
1165   int load_count;
1166 
1167   if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1168     SLOGE("Cannot open device-mapper\n");
1169     goto errout;
1170   }
1171 
1172   io = (struct dm_ioctl *) buffer;
1173 
1174   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1175   err = ioctl(fd, DM_DEV_CREATE, io);
1176   if (err) {
1177     SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1178     goto errout;
1179   }
1180 
1181   /* Get the device status, in particular, the name of it's device file */
1182   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1183   if (ioctl(fd, DM_DEV_STATUS, io)) {
1184     SLOGE("Cannot retrieve dm-crypt device status\n");
1185     goto errout;
1186   }
1187   minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1188   snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1189 
1190   extra_params = "";
1191   if (! get_dm_crypt_version(fd, name, version)) {
1192       /* Support for allow_discards was added in version 1.11.0 */
1193       if ((version[0] >= 2) ||
1194           ((version[0] == 1) && (version[1] >= 11))) {
1195           extra_params = "1 allow_discards";
1196           SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1197       }
1198   }
1199 
1200   load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1201                                          fd, extra_params);
1202   if (load_count < 0) {
1203       SLOGE("Cannot load dm-crypt mapping table.\n");
1204       goto errout;
1205   } else if (load_count > 1) {
1206       SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1207   }
1208 
1209   /* Resume this device to activate it */
1210   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1211 
1212   if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1213     SLOGE("Cannot resume the dm-crypt device\n");
1214     goto errout;
1215   }
1216 
1217   /* We made it here with no errors.  Woot! */
1218   retval = 0;
1219 
1220 errout:
1221   close(fd);   /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1222 
1223   return retval;
1224 }
1225 
1226 static int delete_crypto_blk_dev(char *name)
1227 {
1228   int fd;
1229   char buffer[DM_CRYPT_BUF_SIZE];
1230   struct dm_ioctl *io;
1231   int retval = -1;
1232 
1233   if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1234     SLOGE("Cannot open device-mapper\n");
1235     goto errout;
1236   }
1237 
1238   io = (struct dm_ioctl *) buffer;
1239 
1240   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1241   if (ioctl(fd, DM_DEV_REMOVE, io)) {
1242     SLOGE("Cannot remove dm-crypt device\n");
1243     goto errout;
1244   }
1245 
1246   /* We made it here with no errors.  Woot! */
1247   retval = 0;
1248 
1249 errout:
1250   close(fd);    /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1251 
1252   return retval;
1253 
1254 }
1255 
1256 static int pbkdf2(const char *passwd, const unsigned char *salt,
1257                   unsigned char *ikey, void *params UNUSED)
1258 {
1259     SLOGI("Using pbkdf2 for cryptfs KDF");
1260 
1261     /* Turn the password into a key and IV that can decrypt the master key */
1262     return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1263                                   HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1264                                   ikey) != 1;
1265 }
1266 
1267 static int scrypt(const char *passwd, const unsigned char *salt,
1268                   unsigned char *ikey, void *params)
1269 {
1270     SLOGI("Using scrypt for cryptfs KDF");
1271 
1272     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1273 
1274     int N = 1 << ftr->N_factor;
1275     int r = 1 << ftr->r_factor;
1276     int p = 1 << ftr->p_factor;
1277 
1278     /* Turn the password into a key and IV that can decrypt the master key */
1279     unsigned int keysize;
1280     crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1281                   salt, SALT_LEN, N, r, p, ikey,
1282                   KEY_LEN_BYTES + IV_LEN_BYTES);
1283 
1284    return 0;
1285 }
1286 
1287 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1288                             unsigned char *ikey, void *params)
1289 {
1290     SLOGI("Using scrypt with keymaster for cryptfs KDF");
1291 
1292     int rc;
1293     size_t signature_size;
1294     unsigned char* signature;
1295     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1296 
1297     int N = 1 << ftr->N_factor;
1298     int r = 1 << ftr->r_factor;
1299     int p = 1 << ftr->p_factor;
1300 
1301     rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1302                        salt, SALT_LEN, N, r, p, ikey,
1303                        KEY_LEN_BYTES + IV_LEN_BYTES);
1304 
1305     if (rc) {
1306         SLOGE("scrypt failed");
1307         return -1;
1308     }
1309 
1310     if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1311                               &signature, &signature_size)) {
1312         SLOGE("Signing failed");
1313         return -1;
1314     }
1315 
1316     rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1317                        N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1318     free(signature);
1319 
1320     if (rc) {
1321         SLOGE("scrypt failed");
1322         return -1;
1323     }
1324 
1325     return 0;
1326 }
1327 
1328 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1329                               const unsigned char *decrypted_master_key,
1330                               unsigned char *encrypted_master_key,
1331                               struct crypt_mnt_ftr *crypt_ftr)
1332 {
1333     unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1334     EVP_CIPHER_CTX e_ctx;
1335     int encrypted_len, final_len;
1336     int rc = 0;
1337 
1338     /* Turn the password into an intermediate key and IV that can decrypt the master key */
1339     get_device_scrypt_params(crypt_ftr);
1340 
1341     switch (crypt_ftr->kdf_type) {
1342     case KDF_SCRYPT_KEYMASTER:
1343         if (keymaster_create_key(crypt_ftr)) {
1344             SLOGE("keymaster_create_key failed");
1345             return -1;
1346         }
1347 
1348         if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1349             SLOGE("scrypt failed");
1350             return -1;
1351         }
1352         break;
1353 
1354     case KDF_SCRYPT:
1355         if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1356             SLOGE("scrypt failed");
1357             return -1;
1358         }
1359         break;
1360 
1361     default:
1362         SLOGE("Invalid kdf_type");
1363         return -1;
1364     }
1365 
1366     /* Initialize the decryption engine */
1367     EVP_CIPHER_CTX_init(&e_ctx);
1368     if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1369         SLOGE("EVP_EncryptInit failed\n");
1370         return -1;
1371     }
1372     EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1373 
1374     /* Encrypt the master key */
1375     if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1376                             decrypted_master_key, KEY_LEN_BYTES)) {
1377         SLOGE("EVP_EncryptUpdate failed\n");
1378         return -1;
1379     }
1380     if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1381         SLOGE("EVP_EncryptFinal failed\n");
1382         return -1;
1383     }
1384 
1385     if (encrypted_len + final_len != KEY_LEN_BYTES) {
1386         SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1387         return -1;
1388     }
1389 
1390     /* Store the scrypt of the intermediate key, so we can validate if it's a
1391        password error or mount error when things go wrong.
1392        Note there's no need to check for errors, since if this is incorrect, we
1393        simply won't wipe userdata, which is the correct default behavior
1394     */
1395     int N = 1 << crypt_ftr->N_factor;
1396     int r = 1 << crypt_ftr->r_factor;
1397     int p = 1 << crypt_ftr->p_factor;
1398 
1399     rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1400                        crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1401                        crypt_ftr->scrypted_intermediate_key,
1402                        sizeof(crypt_ftr->scrypted_intermediate_key));
1403 
1404     if (rc) {
1405       SLOGE("encrypt_master_key: crypto_scrypt failed");
1406     }
1407 
1408     return 0;
1409 }
1410 
1411 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1412                                   unsigned char *encrypted_master_key,
1413                                   unsigned char *decrypted_master_key,
1414                                   kdf_func kdf, void *kdf_params,
1415                                   unsigned char** intermediate_key,
1416                                   size_t* intermediate_key_size)
1417 {
1418   unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1419   EVP_CIPHER_CTX d_ctx;
1420   int decrypted_len, final_len;
1421 
1422   /* Turn the password into an intermediate key and IV that can decrypt the
1423      master key */
1424   if (kdf(passwd, salt, ikey, kdf_params)) {
1425     SLOGE("kdf failed");
1426     return -1;
1427   }
1428 
1429   /* Initialize the decryption engine */
1430   EVP_CIPHER_CTX_init(&d_ctx);
1431   if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1432     return -1;
1433   }
1434   EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1435   /* Decrypt the master key */
1436   if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1437                             encrypted_master_key, KEY_LEN_BYTES)) {
1438     return -1;
1439   }
1440   if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1441     return -1;
1442   }
1443 
1444   if (decrypted_len + final_len != KEY_LEN_BYTES) {
1445     return -1;
1446   }
1447 
1448   /* Copy intermediate key if needed by params */
1449   if (intermediate_key && intermediate_key_size) {
1450     *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1451     if (intermediate_key) {
1452       memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1453       *intermediate_key_size = KEY_LEN_BYTES;
1454     }
1455   }
1456 
1457   return 0;
1458 }
1459 
1460 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1461 {
1462     if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1463         *kdf = scrypt_keymaster;
1464         *kdf_params = ftr;
1465     } else if (ftr->kdf_type == KDF_SCRYPT) {
1466         *kdf = scrypt;
1467         *kdf_params = ftr;
1468     } else {
1469         *kdf = pbkdf2;
1470         *kdf_params = NULL;
1471     }
1472 }
1473 
1474 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1475                               struct crypt_mnt_ftr *crypt_ftr,
1476                               unsigned char** intermediate_key,
1477                               size_t* intermediate_key_size)
1478 {
1479     kdf_func kdf;
1480     void *kdf_params;
1481     int ret;
1482 
1483     get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1484     ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1485                                  decrypted_master_key, kdf, kdf_params,
1486                                  intermediate_key, intermediate_key_size);
1487     if (ret != 0) {
1488         SLOGW("failure decrypting master key");
1489     }
1490 
1491     return ret;
1492 }
1493 
1494 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1495         struct crypt_mnt_ftr *crypt_ftr) {
1496     int fd;
1497     unsigned char key_buf[KEY_LEN_BYTES];
1498 
1499     /* Get some random bits for a key */
1500     fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1501     read(fd, key_buf, sizeof(key_buf));
1502     read(fd, salt, SALT_LEN);
1503     close(fd);
1504 
1505     /* Now encrypt it with the password */
1506     return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1507 }
1508 
1509 int wait_and_unmount(const char *mountpoint, bool kill)
1510 {
1511     int i, err, rc;
1512 #define WAIT_UNMOUNT_COUNT 20
1513 
1514     /*  Now umount the tmpfs filesystem */
1515     for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1516         if (umount(mountpoint) == 0) {
1517             break;
1518         }
1519 
1520         if (errno == EINVAL) {
1521             /* EINVAL is returned if the directory is not a mountpoint,
1522              * i.e. there is no filesystem mounted there.  So just get out.
1523              */
1524             break;
1525         }
1526 
1527         err = errno;
1528 
1529         /* If allowed, be increasingly aggressive before the last two retries */
1530         if (kill) {
1531             if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1532                 SLOGW("sending SIGHUP to processes with open files\n");
1533                 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1534             } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1535                 SLOGW("sending SIGKILL to processes with open files\n");
1536                 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1537             }
1538         }
1539 
1540         sleep(1);
1541     }
1542 
1543     if (i < WAIT_UNMOUNT_COUNT) {
1544       SLOGD("unmounting %s succeeded\n", mountpoint);
1545       rc = 0;
1546     } else {
1547       vold_killProcessesWithOpenFiles(mountpoint, 0);
1548       SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1549       rc = -1;
1550     }
1551 
1552     return rc;
1553 }
1554 
1555 #define DATA_PREP_TIMEOUT 1000
1556 static int prep_data_fs(void)
1557 {
1558     int i;
1559 
1560     // NOTE: post_fs_data results in init calling back around to vold, so all
1561     // callers to this method must be async
1562 
1563     /* Do the prep of the /data filesystem */
1564     property_set("vold.post_fs_data_done", "0");
1565     property_set("vold.decrypt", "trigger_post_fs_data");
1566     SLOGD("Just triggered post_fs_data\n");
1567 
1568     /* Wait a max of 50 seconds, hopefully it takes much less */
1569     for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1570         char p[PROPERTY_VALUE_MAX];
1571 
1572         property_get("vold.post_fs_data_done", p, "0");
1573         if (*p == '1') {
1574             break;
1575         } else {
1576             usleep(50000);
1577         }
1578     }
1579     if (i == DATA_PREP_TIMEOUT) {
1580         /* Ugh, we failed to prep /data in time.  Bail. */
1581         SLOGE("post_fs_data timed out!\n");
1582         return -1;
1583     } else {
1584         SLOGD("post_fs_data done\n");
1585         return 0;
1586     }
1587 }
1588 
1589 static void cryptfs_set_corrupt()
1590 {
1591     // Mark the footer as bad
1592     struct crypt_mnt_ftr crypt_ftr;
1593     if (get_crypt_ftr_and_key(&crypt_ftr)) {
1594         SLOGE("Failed to get crypto footer - panic");
1595         return;
1596     }
1597 
1598     crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1599     if (put_crypt_ftr_and_key(&crypt_ftr)) {
1600         SLOGE("Failed to set crypto footer - panic");
1601         return;
1602     }
1603 }
1604 
1605 static void cryptfs_trigger_restart_min_framework()
1606 {
1607     if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1608       SLOGE("Failed to mount tmpfs on data - panic");
1609       return;
1610     }
1611 
1612     if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1613         SLOGE("Failed to trigger post fs data - panic");
1614         return;
1615     }
1616 
1617     if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1618         SLOGE("Failed to trigger restart min framework - panic");
1619         return;
1620     }
1621 }
1622 
1623 /* returns < 0 on failure */
1624 static int cryptfs_restart_internal(int restart_main)
1625 {
1626     char crypto_blkdev[MAXPATHLEN];
1627     int rc = -1;
1628     static int restart_successful = 0;
1629 
1630     /* Validate that it's OK to call this routine */
1631     if (! master_key_saved) {
1632         SLOGE("Encrypted filesystem not validated, aborting");
1633         return -1;
1634     }
1635 
1636     if (restart_successful) {
1637         SLOGE("System already restarted with encrypted disk, aborting");
1638         return -1;
1639     }
1640 
1641     if (restart_main) {
1642         /* Here is where we shut down the framework.  The init scripts
1643          * start all services in one of three classes: core, main or late_start.
1644          * On boot, we start core and main.  Now, we stop main, but not core,
1645          * as core includes vold and a few other really important things that
1646          * we need to keep running.  Once main has stopped, we should be able
1647          * to umount the tmpfs /data, then mount the encrypted /data.
1648          * We then restart the class main, and also the class late_start.
1649          * At the moment, I've only put a few things in late_start that I know
1650          * are not needed to bring up the framework, and that also cause problems
1651          * with unmounting the tmpfs /data, but I hope to add add more services
1652          * to the late_start class as we optimize this to decrease the delay
1653          * till the user is asked for the password to the filesystem.
1654          */
1655 
1656         /* The init files are setup to stop the class main when vold.decrypt is
1657          * set to trigger_reset_main.
1658          */
1659         property_set("vold.decrypt", "trigger_reset_main");
1660         SLOGD("Just asked init to shut down class main\n");
1661 
1662         /* Ugh, shutting down the framework is not synchronous, so until it
1663          * can be fixed, this horrible hack will wait a moment for it all to
1664          * shut down before proceeding.  Without it, some devices cannot
1665          * restart the graphics services.
1666          */
1667         sleep(2);
1668     }
1669 
1670     /* Now that the framework is shutdown, we should be able to umount()
1671      * the tmpfs filesystem, and mount the real one.
1672      */
1673 
1674     property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1675     if (strlen(crypto_blkdev) == 0) {
1676         SLOGE("fs_crypto_blkdev not set\n");
1677         return -1;
1678     }
1679 
1680     if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1681         /* If ro.crypto.readonly is set to 1, mount the decrypted
1682          * filesystem readonly.  This is used when /data is mounted by
1683          * recovery mode.
1684          */
1685         char ro_prop[PROPERTY_VALUE_MAX];
1686         property_get("ro.crypto.readonly", ro_prop, "");
1687         if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1688             struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1689             rec->flags |= MS_RDONLY;
1690         }
1691 
1692         /* If that succeeded, then mount the decrypted filesystem */
1693         int retries = RETRY_MOUNT_ATTEMPTS;
1694         int mount_rc;
1695 
1696         /*
1697          * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1698          * partitions in the fsck domain.
1699          */
1700         if (setexeccon(secontextFsck())){
1701             SLOGE("Failed to setexeccon");
1702             return -1;
1703         }
1704         while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1705                                            crypto_blkdev, 0))
1706                != 0) {
1707             if (mount_rc == FS_MGR_DOMNT_BUSY) {
1708                 /* TODO: invoke something similar to
1709                    Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1710                                    retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1711                 SLOGI("Failed to mount %s because it is busy - waiting",
1712                       crypto_blkdev);
1713                 if (--retries) {
1714                     sleep(RETRY_MOUNT_DELAY_SECONDS);
1715                 } else {
1716                     /* Let's hope that a reboot clears away whatever is keeping
1717                        the mount busy */
1718                     cryptfs_reboot(reboot);
1719                 }
1720             } else {
1721                 SLOGE("Failed to mount decrypted data");
1722                 cryptfs_set_corrupt();
1723                 cryptfs_trigger_restart_min_framework();
1724                 SLOGI("Started framework to offer wipe");
1725                 if (setexeccon(NULL)) {
1726                     SLOGE("Failed to setexeccon");
1727                 }
1728                 return -1;
1729             }
1730         }
1731         if (setexeccon(NULL)) {
1732             SLOGE("Failed to setexeccon");
1733             return -1;
1734         }
1735 
1736         property_set("vold.decrypt", "trigger_load_persist_props");
1737         /* Create necessary paths on /data */
1738         if (prep_data_fs()) {
1739             return -1;
1740         }
1741 
1742         /* startup service classes main and late_start */
1743         property_set("vold.decrypt", "trigger_restart_framework");
1744         SLOGD("Just triggered restart_framework\n");
1745 
1746         /* Give it a few moments to get started */
1747         sleep(1);
1748     }
1749 
1750     if (rc == 0) {
1751         restart_successful = 1;
1752     }
1753 
1754     return rc;
1755 }
1756 
1757 int cryptfs_restart(void)
1758 {
1759     SLOGI("cryptfs_restart");
1760     if (e4crypt_is_native()) {
1761         SLOGE("cryptfs_restart not valid for file encryption:");
1762         return -1;
1763     }
1764 
1765     /* Call internal implementation forcing a restart of main service group */
1766     return cryptfs_restart_internal(1);
1767 }
1768 
1769 static int do_crypto_complete(char *mount_point)
1770 {
1771   struct crypt_mnt_ftr crypt_ftr;
1772   char encrypted_state[PROPERTY_VALUE_MAX];
1773   char key_loc[PROPERTY_VALUE_MAX];
1774 
1775   property_get("ro.crypto.state", encrypted_state, "");
1776   if (strcmp(encrypted_state, "encrypted") ) {
1777     SLOGE("not running with encryption, aborting");
1778     return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1779   }
1780 
1781   // crypto_complete is full disk encrypted status
1782   if (e4crypt_is_native()) {
1783     return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1784   }
1785 
1786   if (get_crypt_ftr_and_key(&crypt_ftr)) {
1787     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1788 
1789     /*
1790      * Only report this error if key_loc is a file and it exists.
1791      * If the device was never encrypted, and /data is not mountable for
1792      * some reason, returning 1 should prevent the UI from presenting the
1793      * a "enter password" screen, or worse, a "press button to wipe the
1794      * device" screen.
1795      */
1796     if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1797       SLOGE("master key file does not exist, aborting");
1798       return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1799     } else {
1800       SLOGE("Error getting crypt footer and key\n");
1801       return CRYPTO_COMPLETE_BAD_METADATA;
1802     }
1803   }
1804 
1805   // Test for possible error flags
1806   if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1807     SLOGE("Encryption process is partway completed\n");
1808     return CRYPTO_COMPLETE_PARTIAL;
1809   }
1810 
1811   if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1812     SLOGE("Encryption process was interrupted but cannot continue\n");
1813     return CRYPTO_COMPLETE_INCONSISTENT;
1814   }
1815 
1816   if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1817     SLOGE("Encryption is successful but data is corrupt\n");
1818     return CRYPTO_COMPLETE_CORRUPT;
1819   }
1820 
1821   /* We passed the test! We shall diminish, and return to the west */
1822   return CRYPTO_COMPLETE_ENCRYPTED;
1823 }
1824 
1825 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1826                                    char *passwd, char *mount_point, char *label)
1827 {
1828   /* Allocate enough space for a 256 bit key, but we may use less */
1829   unsigned char decrypted_master_key[32];
1830   char crypto_blkdev[MAXPATHLEN];
1831   char real_blkdev[MAXPATHLEN];
1832   char tmp_mount_point[64];
1833   unsigned int orig_failed_decrypt_count;
1834   int rc;
1835   int use_keymaster = 0;
1836   int upgrade = 0;
1837   unsigned char* intermediate_key = 0;
1838   size_t intermediate_key_size = 0;
1839 
1840   SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1841   orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1842 
1843   if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1844     if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1845                            &intermediate_key, &intermediate_key_size)) {
1846       SLOGE("Failed to decrypt master key\n");
1847       rc = -1;
1848       goto errout;
1849     }
1850   }
1851 
1852   fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1853 
1854 #ifdef CONFIG_HW_DISK_ENCRYPTION
1855   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1856     if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1857       SLOGE("Hardware encryption key does not match");
1858     }
1859   }
1860 #endif
1861 
1862   // Create crypto block device - all (non fatal) code paths
1863   // need it
1864   if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1865                             real_blkdev, crypto_blkdev, label)) {
1866      SLOGE("Error creating decrypted block device\n");
1867      rc = -1;
1868      goto errout;
1869   }
1870 
1871   /* Work out if the problem is the password or the data */
1872   unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1873                                                  scrypted_intermediate_key)];
1874   int N = 1 << crypt_ftr->N_factor;
1875   int r = 1 << crypt_ftr->r_factor;
1876   int p = 1 << crypt_ftr->p_factor;
1877 
1878   rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1879                      crypt_ftr->salt, sizeof(crypt_ftr->salt),
1880                      N, r, p, scrypted_intermediate_key,
1881                      sizeof(scrypted_intermediate_key));
1882 
1883   // Does the key match the crypto footer?
1884   if (rc == 0 && memcmp(scrypted_intermediate_key,
1885                         crypt_ftr->scrypted_intermediate_key,
1886                         sizeof(scrypted_intermediate_key)) == 0) {
1887     SLOGI("Password matches");
1888     rc = 0;
1889   } else {
1890     /* Try mounting the file system anyway, just in case the problem's with
1891      * the footer, not the key. */
1892     sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1893     mkdir(tmp_mount_point, 0755);
1894     if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1895       SLOGE("Error temp mounting decrypted block device\n");
1896       delete_crypto_blk_dev(label);
1897 
1898       rc = ++crypt_ftr->failed_decrypt_count;
1899       put_crypt_ftr_and_key(crypt_ftr);
1900     } else {
1901       /* Success! */
1902       SLOGI("Password did not match but decrypted drive mounted - continue");
1903       umount(tmp_mount_point);
1904       rc = 0;
1905     }
1906   }
1907 
1908   if (rc == 0) {
1909     crypt_ftr->failed_decrypt_count = 0;
1910     if (orig_failed_decrypt_count != 0) {
1911       put_crypt_ftr_and_key(crypt_ftr);
1912     }
1913 
1914     /* Save the name of the crypto block device
1915      * so we can mount it when restarting the framework. */
1916     property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1917 
1918     /* Also save a the master key so we can reencrypted the key
1919      * the key when we want to change the password on it. */
1920     memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1921     saved_mount_point = strdup(mount_point);
1922     master_key_saved = 1;
1923     SLOGD("%s(): Master key saved\n", __FUNCTION__);
1924     rc = 0;
1925 
1926     // Upgrade if we're not using the latest KDF.
1927     use_keymaster = keymaster_check_compatibility();
1928     if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1929         // Don't allow downgrade
1930     } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1931         crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1932         upgrade = 1;
1933     } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1934         crypt_ftr->kdf_type = KDF_SCRYPT;
1935         upgrade = 1;
1936     }
1937 
1938     if (upgrade) {
1939         rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1940                                 crypt_ftr->master_key, crypt_ftr);
1941         if (!rc) {
1942             rc = put_crypt_ftr_and_key(crypt_ftr);
1943         }
1944         SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1945 
1946         // Do not fail even if upgrade failed - machine is bootable
1947         // Note that if this code is ever hit, there is a *serious* problem
1948         // since KDFs should never fail. You *must* fix the kdf before
1949         // proceeding!
1950         if (rc) {
1951           SLOGW("Upgrade failed with error %d,"
1952                 " but continuing with previous state",
1953                 rc);
1954           rc = 0;
1955         }
1956     }
1957   }
1958 
1959  errout:
1960   if (intermediate_key) {
1961     memset(intermediate_key, 0, intermediate_key_size);
1962     free(intermediate_key);
1963   }
1964   return rc;
1965 }
1966 
1967 /*
1968  * Called by vold when it's asked to mount an encrypted external
1969  * storage volume. The incoming partition has no crypto header/footer,
1970  * as any metadata is been stored in a separate, small partition.
1971  *
1972  * out_crypto_blkdev must be MAXPATHLEN.
1973  */
1974 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1975         const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1976     int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1977     if (fd == -1) {
1978         SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1979         return -1;
1980     }
1981 
1982     unsigned long nr_sec = 0;
1983     get_blkdev_size(fd, &nr_sec);
1984     close(fd);
1985 
1986     if (nr_sec == 0) {
1987         SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1988         return -1;
1989     }
1990 
1991     struct crypt_mnt_ftr ext_crypt_ftr;
1992     memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1993     ext_crypt_ftr.fs_size = nr_sec;
1994     ext_crypt_ftr.keysize = keysize;
1995     strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1996 
1997     return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1998             out_crypto_blkdev, label);
1999 }
2000 
2001 /*
2002  * Called by vold when it's asked to unmount an encrypted external
2003  * storage volume.
2004  */
2005 int cryptfs_revert_ext_volume(const char* label) {
2006     return delete_crypto_blk_dev((char*) label);
2007 }
2008 
2009 int cryptfs_crypto_complete(void)
2010 {
2011   return do_crypto_complete("/data");
2012 }
2013 
2014 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2015 {
2016     char encrypted_state[PROPERTY_VALUE_MAX];
2017     property_get("ro.crypto.state", encrypted_state, "");
2018     if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2019         SLOGE("encrypted fs already validated or not running with encryption,"
2020               " aborting");
2021         return -1;
2022     }
2023 
2024     if (get_crypt_ftr_and_key(crypt_ftr)) {
2025         SLOGE("Error getting crypt footer and key");
2026         return -1;
2027     }
2028 
2029     return 0;
2030 }
2031 
2032 int cryptfs_check_passwd(char *passwd)
2033 {
2034     SLOGI("cryptfs_check_passwd");
2035     if (e4crypt_is_native()) {
2036         SLOGE("cryptfs_check_passwd not valid for file encryption");
2037         return -1;
2038     }
2039 
2040     struct crypt_mnt_ftr crypt_ftr;
2041     int rc;
2042 
2043     rc = check_unmounted_and_get_ftr(&crypt_ftr);
2044     if (rc) {
2045         SLOGE("Could not get footer");
2046         return rc;
2047     }
2048 
2049     rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2050                                  DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2051     if (rc) {
2052         SLOGE("Password did not match");
2053         return rc;
2054     }
2055 
2056     if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2057         // Here we have a default actual password but a real password
2058         // we must test against the scrypted value
2059         // First, we must delete the crypto block device that
2060         // test_mount_encrypted_fs leaves behind as a side effect
2061         delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2062         rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
2063                                      DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2064         if (rc) {
2065             SLOGE("Default password did not match on reboot encryption");
2066             return rc;
2067         }
2068 
2069         crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2070         put_crypt_ftr_and_key(&crypt_ftr);
2071         rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2072         if (rc) {
2073             SLOGE("Could not change password on reboot encryption");
2074             return rc;
2075         }
2076     }
2077 
2078     if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2079         cryptfs_clear_password();
2080         password = strdup(passwd);
2081         struct timespec now;
2082         clock_gettime(CLOCK_BOOTTIME, &now);
2083         password_expiry_time = now.tv_sec + password_max_age_seconds;
2084     }
2085 
2086     return rc;
2087 }
2088 
2089 int cryptfs_verify_passwd(char *passwd)
2090 {
2091     struct crypt_mnt_ftr crypt_ftr;
2092     /* Allocate enough space for a 256 bit key, but we may use less */
2093     unsigned char decrypted_master_key[32];
2094     char encrypted_state[PROPERTY_VALUE_MAX];
2095     int rc;
2096 
2097     property_get("ro.crypto.state", encrypted_state, "");
2098     if (strcmp(encrypted_state, "encrypted") ) {
2099         SLOGE("device not encrypted, aborting");
2100         return -2;
2101     }
2102 
2103     if (!master_key_saved) {
2104         SLOGE("encrypted fs not yet mounted, aborting");
2105         return -1;
2106     }
2107 
2108     if (!saved_mount_point) {
2109         SLOGE("encrypted fs failed to save mount point, aborting");
2110         return -1;
2111     }
2112 
2113     if (get_crypt_ftr_and_key(&crypt_ftr)) {
2114         SLOGE("Error getting crypt footer and key\n");
2115         return -1;
2116     }
2117 
2118     if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2119         /* If the device has no password, then just say the password is valid */
2120         rc = 0;
2121     } else {
2122         decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2123         if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2124             /* They match, the password is correct */
2125             rc = 0;
2126         } else {
2127             /* If incorrect, sleep for a bit to prevent dictionary attacks */
2128             sleep(1);
2129             rc = 1;
2130         }
2131     }
2132 
2133     return rc;
2134 }
2135 
2136 /* Initialize a crypt_mnt_ftr structure.  The keysize is
2137  * defaulted to 16 bytes, and the filesystem size to 0.
2138  * Presumably, at a minimum, the caller will update the
2139  * filesystem size and crypto_type_name after calling this function.
2140  */
2141 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2142 {
2143     off64_t off;
2144 
2145     memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2146     ftr->magic = CRYPT_MNT_MAGIC;
2147     ftr->major_version = CURRENT_MAJOR_VERSION;
2148     ftr->minor_version = CURRENT_MINOR_VERSION;
2149     ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2150     ftr->keysize = KEY_LEN_BYTES;
2151 
2152     switch (keymaster_check_compatibility()) {
2153     case 1:
2154         ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2155         break;
2156 
2157     case 0:
2158         ftr->kdf_type = KDF_SCRYPT;
2159         break;
2160 
2161     default:
2162         SLOGE("keymaster_check_compatibility failed");
2163         return -1;
2164     }
2165 
2166     get_device_scrypt_params(ftr);
2167 
2168     ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2169     if (get_crypt_ftr_info(NULL, &off) == 0) {
2170         ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2171         ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2172                                     ftr->persist_data_size;
2173     }
2174 
2175     return 0;
2176 }
2177 
2178 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2179 {
2180     const char *args[10];
2181     char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2182     int num_args;
2183     int status;
2184     int tmp;
2185     int rc = -1;
2186 
2187     if (type == EXT4_FS) {
2188         args[0] = "/system/bin/make_ext4fs";
2189         args[1] = "-a";
2190         args[2] = "/data";
2191         args[3] = "-l";
2192         snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2193         args[4] = size_str;
2194         args[5] = crypto_blkdev;
2195         num_args = 6;
2196         SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2197               args[0], args[1], args[2], args[3], args[4], args[5]);
2198     } else if (type == F2FS_FS) {
2199         args[0] = "/system/bin/mkfs.f2fs";
2200         args[1] = "-t";
2201         args[2] = "-d1";
2202         args[3] = crypto_blkdev;
2203         snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2204         args[4] = size_str;
2205         num_args = 5;
2206         SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2207               args[0], args[1], args[2], args[3], args[4]);
2208     } else {
2209         SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2210         return -1;
2211     }
2212 
2213     tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2214 
2215     if (tmp != 0) {
2216       SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2217     } else {
2218         if (WIFEXITED(status)) {
2219             if (WEXITSTATUS(status)) {
2220                 SLOGE("Error creating filesystem on %s, exit status %d ",
2221                       crypto_blkdev, WEXITSTATUS(status));
2222             } else {
2223                 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2224                 rc = 0;
2225             }
2226         } else {
2227             SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2228        }
2229     }
2230 
2231     return rc;
2232 }
2233 
2234 #define CRYPT_INPLACE_BUFSIZE 4096
2235 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2236 #define CRYPT_SECTOR_SIZE 512
2237 
2238 /* aligned 32K writes tends to make flash happy.
2239  * SD card association recommends it.
2240  */
2241 #ifndef CONFIG_HW_DISK_ENCRYPTION
2242 #define BLOCKS_AT_A_TIME 8
2243 #else
2244 #define BLOCKS_AT_A_TIME 1024
2245 #endif
2246 
2247 struct encryptGroupsData
2248 {
2249     int realfd;
2250     int cryptofd;
2251     off64_t numblocks;
2252     off64_t one_pct, cur_pct, new_pct;
2253     off64_t blocks_already_done, tot_numblocks;
2254     off64_t used_blocks_already_done, tot_used_blocks;
2255     char* real_blkdev, * crypto_blkdev;
2256     int count;
2257     off64_t offset;
2258     char* buffer;
2259     off64_t last_written_sector;
2260     int completed;
2261     time_t time_started;
2262     int remaining_time;
2263 };
2264 
2265 static void update_progress(struct encryptGroupsData* data, int is_used)
2266 {
2267     data->blocks_already_done++;
2268 
2269     if (is_used) {
2270         data->used_blocks_already_done++;
2271     }
2272     if (data->tot_used_blocks) {
2273         data->new_pct = data->used_blocks_already_done / data->one_pct;
2274     } else {
2275         data->new_pct = data->blocks_already_done / data->one_pct;
2276     }
2277 
2278     if (data->new_pct > data->cur_pct) {
2279         char buf[8];
2280         data->cur_pct = data->new_pct;
2281         snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2282         property_set("vold.encrypt_progress", buf);
2283     }
2284 
2285     if (data->cur_pct >= 5) {
2286         struct timespec time_now;
2287         if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2288             SLOGW("Error getting time");
2289         } else {
2290             double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2291             off64_t remaining_blocks = data->tot_used_blocks
2292                                        - data->used_blocks_already_done;
2293             int remaining_time = (int)(elapsed_time * remaining_blocks
2294                                        / data->used_blocks_already_done);
2295 
2296             // Change time only if not yet set, lower, or a lot higher for
2297             // best user experience
2298             if (data->remaining_time == -1
2299                 || remaining_time < data->remaining_time
2300                 || remaining_time > data->remaining_time + 60) {
2301                 char buf[8];
2302                 snprintf(buf, sizeof(buf), "%d", remaining_time);
2303                 property_set("vold.encrypt_time_remaining", buf);
2304                 data->remaining_time = remaining_time;
2305             }
2306         }
2307     }
2308 }
2309 
2310 static void log_progress(struct encryptGroupsData const* data, bool completed)
2311 {
2312     // Precondition - if completed data = 0 else data != 0
2313 
2314     // Track progress so we can skip logging blocks
2315     static off64_t offset = -1;
2316 
2317     // Need to close existing 'Encrypting from' log?
2318     if (completed || (offset != -1 && data->offset != offset)) {
2319         SLOGI("Encrypted to sector %" PRId64,
2320               offset / info.block_size * CRYPT_SECTOR_SIZE);
2321         offset = -1;
2322     }
2323 
2324     // Need to start new 'Encrypting from' log?
2325     if (!completed && offset != data->offset) {
2326         SLOGI("Encrypting from sector %" PRId64,
2327               data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2328     }
2329 
2330     // Update offset
2331     if (!completed) {
2332         offset = data->offset + (off64_t)data->count * info.block_size;
2333     }
2334 }
2335 
2336 static int flush_outstanding_data(struct encryptGroupsData* data)
2337 {
2338     if (data->count == 0) {
2339         return 0;
2340     }
2341 
2342     SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2343 
2344     if (pread64(data->realfd, data->buffer,
2345                 info.block_size * data->count, data->offset)
2346         <= 0) {
2347         SLOGE("Error reading real_blkdev %s for inplace encrypt",
2348               data->real_blkdev);
2349         return -1;
2350     }
2351 
2352     if (pwrite64(data->cryptofd, data->buffer,
2353                  info.block_size * data->count, data->offset)
2354         <= 0) {
2355         SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2356               data->crypto_blkdev);
2357         return -1;
2358     } else {
2359       log_progress(data, false);
2360     }
2361 
2362     data->count = 0;
2363     data->last_written_sector = (data->offset + data->count)
2364                                 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2365     return 0;
2366 }
2367 
2368 static int encrypt_groups(struct encryptGroupsData* data)
2369 {
2370     unsigned int i;
2371     u8 *block_bitmap = 0;
2372     unsigned int block;
2373     off64_t ret;
2374     int rc = -1;
2375 
2376     data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2377     if (!data->buffer) {
2378         SLOGE("Failed to allocate crypto buffer");
2379         goto errout;
2380     }
2381 
2382     block_bitmap = malloc(info.block_size);
2383     if (!block_bitmap) {
2384         SLOGE("failed to allocate block bitmap");
2385         goto errout;
2386     }
2387 
2388     for (i = 0; i < aux_info.groups; ++i) {
2389         SLOGI("Encrypting group %d", i);
2390 
2391         u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2392         u32 block_count = min(info.blocks_per_group,
2393                              aux_info.len_blocks - first_block);
2394 
2395         off64_t offset = (u64)info.block_size
2396                          * aux_info.bg_desc[i].bg_block_bitmap;
2397 
2398         ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2399         if (ret != (int)info.block_size) {
2400             SLOGE("failed to read all of block group bitmap %d", i);
2401             goto errout;
2402         }
2403 
2404         offset = (u64)info.block_size * first_block;
2405 
2406         data->count = 0;
2407 
2408         for (block = 0; block < block_count; block++) {
2409             int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2410                     0 : bitmap_get_bit(block_bitmap, block);
2411             update_progress(data, used);
2412             if (used) {
2413                 if (data->count == 0) {
2414                     data->offset = offset;
2415                 }
2416                 data->count++;
2417             } else {
2418                 if (flush_outstanding_data(data)) {
2419                     goto errout;
2420                 }
2421             }
2422 
2423             offset += info.block_size;
2424 
2425             /* Write data if we are aligned or buffer size reached */
2426             if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2427                 || data->count == BLOCKS_AT_A_TIME) {
2428                 if (flush_outstanding_data(data)) {
2429                     goto errout;
2430                 }
2431             }
2432 
2433             if (!is_battery_ok_to_continue()) {
2434                 SLOGE("Stopping encryption due to low battery");
2435                 rc = 0;
2436                 goto errout;
2437             }
2438 
2439         }
2440         if (flush_outstanding_data(data)) {
2441             goto errout;
2442         }
2443     }
2444 
2445     data->completed = 1;
2446     rc = 0;
2447 
2448 errout:
2449     log_progress(0, true);
2450     free(data->buffer);
2451     free(block_bitmap);
2452     return rc;
2453 }
2454 
2455 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2456                                        char *real_blkdev,
2457                                        off64_t size,
2458                                        off64_t *size_already_done,
2459                                        off64_t tot_size,
2460                                        off64_t previously_encrypted_upto)
2461 {
2462     u32 i;
2463     struct encryptGroupsData data;
2464     int rc; // Can't initialize without causing warning -Wclobbered
2465 
2466     if (previously_encrypted_upto > *size_already_done) {
2467         SLOGD("Not fast encrypting since resuming part way through");
2468         return -1;
2469     }
2470 
2471     memset(&data, 0, sizeof(data));
2472     data.real_blkdev = real_blkdev;
2473     data.crypto_blkdev = crypto_blkdev;
2474 
2475     if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2476         SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2477               real_blkdev, errno, strerror(errno));
2478         rc = -1;
2479         goto errout;
2480     }
2481 
2482     // Wait until the block device appears.  Re-use the mount retry values since it is reasonable.
2483     int retries = RETRY_MOUNT_ATTEMPTS;
2484     while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2485         if (--retries) {
2486             SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2487                   crypto_blkdev, errno, strerror(errno));
2488             sleep(RETRY_MOUNT_DELAY_SECONDS);
2489         } else {
2490             SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2491                   crypto_blkdev, errno, strerror(errno));
2492             rc = ENABLE_INPLACE_ERR_DEV;
2493             goto errout;
2494         }
2495     }
2496 
2497     if (setjmp(setjmp_env)) {
2498         SLOGE("Reading ext4 extent caused an exception\n");
2499         rc = -1;
2500         goto errout;
2501     }
2502 
2503     if (read_ext(data.realfd, 0) != 0) {
2504         SLOGE("Failed to read ext4 extent\n");
2505         rc = -1;
2506         goto errout;
2507     }
2508 
2509     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2510     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2511     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2512 
2513     SLOGI("Encrypting ext4 filesystem in place...");
2514 
2515     data.tot_used_blocks = data.numblocks;
2516     for (i = 0; i < aux_info.groups; ++i) {
2517       data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2518     }
2519 
2520     data.one_pct = data.tot_used_blocks / 100;
2521     data.cur_pct = 0;
2522 
2523     struct timespec time_started = {0};
2524     if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2525         SLOGW("Error getting time at start");
2526         // Note - continue anyway - we'll run with 0
2527     }
2528     data.time_started = time_started.tv_sec;
2529     data.remaining_time = -1;
2530 
2531     rc = encrypt_groups(&data);
2532     if (rc) {
2533         SLOGE("Error encrypting groups");
2534         goto errout;
2535     }
2536 
2537     *size_already_done += data.completed ? size : data.last_written_sector;
2538     rc = 0;
2539 
2540 errout:
2541     close(data.realfd);
2542     close(data.cryptofd);
2543 
2544     return rc;
2545 }
2546 
2547 static void log_progress_f2fs(u64 block, bool completed)
2548 {
2549     // Precondition - if completed data = 0 else data != 0
2550 
2551     // Track progress so we can skip logging blocks
2552     static u64 last_block = (u64)-1;
2553 
2554     // Need to close existing 'Encrypting from' log?
2555     if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2556         SLOGI("Encrypted to block %" PRId64, last_block);
2557         last_block = -1;
2558     }
2559 
2560     // Need to start new 'Encrypting from' log?
2561     if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2562         SLOGI("Encrypting from block %" PRId64, block);
2563     }
2564 
2565     // Update offset
2566     if (!completed) {
2567         last_block = block;
2568     }
2569 }
2570 
2571 static int encrypt_one_block_f2fs(u64 pos, void *data)
2572 {
2573     struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2574 
2575     priv_dat->blocks_already_done = pos - 1;
2576     update_progress(priv_dat, 1);
2577 
2578     off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2579 
2580     if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2581         SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2582         return -1;
2583     }
2584 
2585     if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2586         SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2587         return -1;
2588     } else {
2589         log_progress_f2fs(pos, false);
2590     }
2591 
2592     return 0;
2593 }
2594 
2595 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2596                                        char *real_blkdev,
2597                                        off64_t size,
2598                                        off64_t *size_already_done,
2599                                        off64_t tot_size,
2600                                        off64_t previously_encrypted_upto)
2601 {
2602     struct encryptGroupsData data;
2603     struct f2fs_info *f2fs_info = NULL;
2604     int rc = ENABLE_INPLACE_ERR_OTHER;
2605     if (previously_encrypted_upto > *size_already_done) {
2606         SLOGD("Not fast encrypting since resuming part way through");
2607         return ENABLE_INPLACE_ERR_OTHER;
2608     }
2609     memset(&data, 0, sizeof(data));
2610     data.real_blkdev = real_blkdev;
2611     data.crypto_blkdev = crypto_blkdev;
2612     data.realfd = -1;
2613     data.cryptofd = -1;
2614     if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2615         SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2616               real_blkdev);
2617         goto errout;
2618     }
2619     if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2620         SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2621               crypto_blkdev, errno, strerror(errno));
2622         rc = ENABLE_INPLACE_ERR_DEV;
2623         goto errout;
2624     }
2625 
2626     f2fs_info = generate_f2fs_info(data.realfd);
2627     if (!f2fs_info)
2628       goto errout;
2629 
2630     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2631     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2632     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2633 
2634     data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2635 
2636     data.one_pct = data.tot_used_blocks / 100;
2637     data.cur_pct = 0;
2638     data.time_started = time(NULL);
2639     data.remaining_time = -1;
2640 
2641     data.buffer = malloc(f2fs_info->block_size);
2642     if (!data.buffer) {
2643         SLOGE("Failed to allocate crypto buffer");
2644         goto errout;
2645     }
2646 
2647     data.count = 0;
2648 
2649     /* Currently, this either runs to completion, or hits a nonrecoverable error */
2650     rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2651 
2652     if (rc) {
2653         SLOGE("Error in running over f2fs blocks");
2654         rc = ENABLE_INPLACE_ERR_OTHER;
2655         goto errout;
2656     }
2657 
2658     *size_already_done += size;
2659     rc = 0;
2660 
2661 errout:
2662     if (rc)
2663         SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2664 
2665     log_progress_f2fs(0, true);
2666     free(f2fs_info);
2667     free(data.buffer);
2668     close(data.realfd);
2669     close(data.cryptofd);
2670 
2671     return rc;
2672 }
2673 
2674 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2675                                        off64_t size, off64_t *size_already_done,
2676                                        off64_t tot_size,
2677                                        off64_t previously_encrypted_upto)
2678 {
2679     int realfd, cryptofd;
2680     char *buf[CRYPT_INPLACE_BUFSIZE];
2681     int rc = ENABLE_INPLACE_ERR_OTHER;
2682     off64_t numblocks, i, remainder;
2683     off64_t one_pct, cur_pct, new_pct;
2684     off64_t blocks_already_done, tot_numblocks;
2685 
2686     if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2687         SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2688         return ENABLE_INPLACE_ERR_OTHER;
2689     }
2690 
2691     if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2692         SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2693               crypto_blkdev, errno, strerror(errno));
2694         close(realfd);
2695         return ENABLE_INPLACE_ERR_DEV;
2696     }
2697 
2698     /* This is pretty much a simple loop of reading 4K, and writing 4K.
2699      * The size passed in is the number of 512 byte sectors in the filesystem.
2700      * So compute the number of whole 4K blocks we should read/write,
2701      * and the remainder.
2702      */
2703     numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2704     remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2705     tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2706     blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2707 
2708     SLOGE("Encrypting filesystem in place...");
2709 
2710     i = previously_encrypted_upto + 1 - *size_already_done;
2711 
2712     if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2713         SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2714         goto errout;
2715     }
2716 
2717     if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2718         SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2719         goto errout;
2720     }
2721 
2722     for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2723         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2724             SLOGE("Error reading initial sectors from real_blkdev %s for "
2725                   "inplace encrypt\n", crypto_blkdev);
2726             goto errout;
2727         }
2728         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2729             SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2730                   "inplace encrypt\n", crypto_blkdev);
2731             goto errout;
2732         } else {
2733             SLOGI("Encrypted 1 block at %" PRId64, i);
2734         }
2735     }
2736 
2737     one_pct = tot_numblocks / 100;
2738     cur_pct = 0;
2739     /* process the majority of the filesystem in blocks */
2740     for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2741         new_pct = (i + blocks_already_done) / one_pct;
2742         if (new_pct > cur_pct) {
2743             char buf[8];
2744 
2745             cur_pct = new_pct;
2746             snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2747             property_set("vold.encrypt_progress", buf);
2748         }
2749         if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2750             SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2751             goto errout;
2752         }
2753         if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2754             SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2755             goto errout;
2756         } else {
2757             SLOGD("Encrypted %d block at %" PRId64,
2758                   CRYPT_SECTORS_PER_BUFSIZE,
2759                   i * CRYPT_SECTORS_PER_BUFSIZE);
2760         }
2761 
2762        if (!is_battery_ok_to_continue()) {
2763             SLOGE("Stopping encryption due to low battery");
2764             *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2765             rc = 0;
2766             goto errout;
2767         }
2768     }
2769 
2770     /* Do any remaining sectors */
2771     for (i=0; i<remainder; i++) {
2772         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2773             SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2774             goto errout;
2775         }
2776         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2777             SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2778             goto errout;
2779         } else {
2780             SLOGI("Encrypted 1 block at next location");
2781         }
2782     }
2783 
2784     *size_already_done += size;
2785     rc = 0;
2786 
2787 errout:
2788     close(realfd);
2789     close(cryptofd);
2790 
2791     return rc;
2792 }
2793 
2794 /* returns on of the ENABLE_INPLACE_* return codes */
2795 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2796                                   off64_t size, off64_t *size_already_done,
2797                                   off64_t tot_size,
2798                                   off64_t previously_encrypted_upto)
2799 {
2800     int rc_ext4, rc_f2fs, rc_full;
2801     if (previously_encrypted_upto) {
2802         SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2803     }
2804 
2805     if (*size_already_done + size < previously_encrypted_upto) {
2806         *size_already_done += size;
2807         return 0;
2808     }
2809 
2810     /* TODO: identify filesystem type.
2811      * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2812      * then we will drop down to cryptfs_enable_inplace_f2fs.
2813      * */
2814     if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2815                                 size, size_already_done,
2816                                 tot_size, previously_encrypted_upto)) == 0) {
2817       return 0;
2818     }
2819     SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2820 
2821     if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2822                                 size, size_already_done,
2823                                 tot_size, previously_encrypted_upto)) == 0) {
2824       return 0;
2825     }
2826     SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2827 
2828     rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2829                                        size, size_already_done, tot_size,
2830                                        previously_encrypted_upto);
2831     SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2832 
2833     /* Hack for b/17898962, the following is the symptom... */
2834     if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2835         && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2836         && rc_full == ENABLE_INPLACE_ERR_DEV) {
2837             return ENABLE_INPLACE_ERR_DEV;
2838     }
2839     return rc_full;
2840 }
2841 
2842 #define CRYPTO_ENABLE_WIPE 1
2843 #define CRYPTO_ENABLE_INPLACE 2
2844 
2845 #define FRAMEWORK_BOOT_WAIT 60
2846 
2847 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2848 {
2849     int fd = open(filename, O_RDONLY|O_CLOEXEC);
2850     if (fd == -1) {
2851         SLOGE("Error opening file %s", filename);
2852         return -1;
2853     }
2854 
2855     char block[CRYPT_INPLACE_BUFSIZE];
2856     memset(block, 0, sizeof(block));
2857     if (unix_read(fd, block, sizeof(block)) < 0) {
2858         SLOGE("Error reading file %s", filename);
2859         close(fd);
2860         return -1;
2861     }
2862 
2863     close(fd);
2864 
2865     SHA256_CTX c;
2866     SHA256_Init(&c);
2867     SHA256_Update(&c, block, sizeof(block));
2868     SHA256_Final(buf, &c);
2869 
2870     return 0;
2871 }
2872 
2873 static int get_fs_type(struct fstab_rec *rec)
2874 {
2875     if (!strcmp(rec->fs_type, "ext4")) {
2876         return EXT4_FS;
2877     } else if (!strcmp(rec->fs_type, "f2fs")) {
2878         return F2FS_FS;
2879     } else {
2880         return -1;
2881     }
2882 }
2883 
2884 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2885                                       char *crypto_blkdev, char *real_blkdev,
2886                                       int previously_encrypted_upto)
2887 {
2888     off64_t cur_encryption_done=0, tot_encryption_size=0;
2889     int rc = -1;
2890 
2891     if (!is_battery_ok_to_start()) {
2892         SLOGW("Not starting encryption due to low battery");
2893         return 0;
2894     }
2895 
2896     /* The size of the userdata partition, and add in the vold volumes below */
2897     tot_encryption_size = crypt_ftr->fs_size;
2898 
2899     if (how == CRYPTO_ENABLE_WIPE) {
2900         struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2901         int fs_type = get_fs_type(rec);
2902         if (fs_type < 0) {
2903             SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2904             return -1;
2905         }
2906         rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2907     } else if (how == CRYPTO_ENABLE_INPLACE) {
2908         rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2909                                     crypt_ftr->fs_size, &cur_encryption_done,
2910                                     tot_encryption_size,
2911                                     previously_encrypted_upto);
2912 
2913         if (rc == ENABLE_INPLACE_ERR_DEV) {
2914             /* Hack for b/17898962 */
2915             SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2916             cryptfs_reboot(reboot);
2917         }
2918 
2919         if (!rc) {
2920             crypt_ftr->encrypted_upto = cur_encryption_done;
2921         }
2922 
2923         if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2924             /* The inplace routine never actually sets the progress to 100% due
2925              * to the round down nature of integer division, so set it here */
2926             property_set("vold.encrypt_progress", "100");
2927         }
2928     } else {
2929         /* Shouldn't happen */
2930         SLOGE("cryptfs_enable: internal error, unknown option\n");
2931         rc = -1;
2932     }
2933 
2934     return rc;
2935 }
2936 
2937 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2938                             int no_ui)
2939 {
2940     int how = 0;
2941     char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2942     unsigned char decrypted_master_key[KEY_LEN_BYTES];
2943     int rc=-1, i;
2944     struct crypt_mnt_ftr crypt_ftr;
2945     struct crypt_persist_data *pdata;
2946     char encrypted_state[PROPERTY_VALUE_MAX];
2947     char lockid[32] = { 0 };
2948     char key_loc[PROPERTY_VALUE_MAX];
2949     int num_vols;
2950     off64_t previously_encrypted_upto = 0;
2951     bool rebootEncryption = false;
2952 
2953     if (!strcmp(howarg, "wipe")) {
2954       how = CRYPTO_ENABLE_WIPE;
2955     } else if (! strcmp(howarg, "inplace")) {
2956       how = CRYPTO_ENABLE_INPLACE;
2957     } else {
2958       /* Shouldn't happen, as CommandListener vets the args */
2959       goto error_unencrypted;
2960     }
2961 
2962     if (how == CRYPTO_ENABLE_INPLACE
2963           && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2964         if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2965             /* An encryption was underway and was interrupted */
2966             previously_encrypted_upto = crypt_ftr.encrypted_upto;
2967             crypt_ftr.encrypted_upto = 0;
2968             crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2969 
2970             /* At this point, we are in an inconsistent state. Until we successfully
2971                complete encryption, a reboot will leave us broken. So mark the
2972                encryption failed in case that happens.
2973                On successfully completing encryption, remove this flag */
2974             crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2975 
2976             put_crypt_ftr_and_key(&crypt_ftr);
2977         } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2978             if (!check_ftr_sha(&crypt_ftr)) {
2979                 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2980                 put_crypt_ftr_and_key(&crypt_ftr);
2981                 goto error_unencrypted;
2982             }
2983 
2984             /* Doing a reboot-encryption*/
2985             crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2986             crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2987             rebootEncryption = true;
2988         }
2989     }
2990 
2991     property_get("ro.crypto.state", encrypted_state, "");
2992     if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2993         SLOGE("Device is already running encrypted, aborting");
2994         goto error_unencrypted;
2995     }
2996 
2997     // TODO refactor fs_mgr_get_crypt_info to get both in one call
2998     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2999     fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
3000 
3001     /* Get the size of the real block device */
3002     int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
3003     if (fd == -1) {
3004         SLOGE("Cannot open block device %s\n", real_blkdev);
3005         goto error_unencrypted;
3006     }
3007     unsigned long nr_sec;
3008     get_blkdev_size(fd, &nr_sec);
3009     if (nr_sec == 0) {
3010         SLOGE("Cannot get size of block device %s\n", real_blkdev);
3011         goto error_unencrypted;
3012     }
3013     close(fd);
3014 
3015     /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
3016     if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
3017         unsigned int fs_size_sec, max_fs_size_sec;
3018         fs_size_sec = get_fs_size(real_blkdev);
3019         if (fs_size_sec == 0)
3020             fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
3021 
3022         max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3023 
3024         if (fs_size_sec > max_fs_size_sec) {
3025             SLOGE("Orig filesystem overlaps crypto footer region.  Cannot encrypt in place.");
3026             goto error_unencrypted;
3027         }
3028     }
3029 
3030     /* Get a wakelock as this may take a while, and we don't want the
3031      * device to sleep on us.  We'll grab a partial wakelock, and if the UI
3032      * wants to keep the screen on, it can grab a full wakelock.
3033      */
3034     snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3035     acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3036 
3037     /* The init files are setup to stop the class main and late start when
3038      * vold sets trigger_shutdown_framework.
3039      */
3040     property_set("vold.decrypt", "trigger_shutdown_framework");
3041     SLOGD("Just asked init to shut down class main\n");
3042 
3043     /* Ask vold to unmount all devices that it manages */
3044     if (vold_unmountAll()) {
3045         SLOGE("Failed to unmount all vold managed devices");
3046     }
3047 
3048     /* no_ui means we are being called from init, not settings.
3049        Now we always reboot from settings, so !no_ui means reboot
3050      */
3051     bool onlyCreateHeader = false;
3052     if (!no_ui) {
3053         /* Try fallback, which is to reboot and try there */
3054         onlyCreateHeader = true;
3055         FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
3056         if (breadcrumb == 0) {
3057             SLOGE("Failed to create breadcrumb file");
3058             goto error_shutting_down;
3059         }
3060         fclose(breadcrumb);
3061     }
3062 
3063     /* Do extra work for a better UX when doing the long inplace encryption */
3064     if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
3065         /* Now that /data is unmounted, we need to mount a tmpfs
3066          * /data, set a property saying we're doing inplace encryption,
3067          * and restart the framework.
3068          */
3069         if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3070             goto error_shutting_down;
3071         }
3072         /* Tells the framework that inplace encryption is starting */
3073         property_set("vold.encrypt_progress", "0");
3074 
3075         /* restart the framework. */
3076         /* Create necessary paths on /data */
3077         if (prep_data_fs()) {
3078             goto error_shutting_down;
3079         }
3080 
3081         /* Ugh, shutting down the framework is not synchronous, so until it
3082          * can be fixed, this horrible hack will wait a moment for it all to
3083          * shut down before proceeding.  Without it, some devices cannot
3084          * restart the graphics services.
3085          */
3086         sleep(2);
3087     }
3088 
3089     /* Start the actual work of making an encrypted filesystem */
3090     /* Initialize a crypt_mnt_ftr for the partition */
3091     if (previously_encrypted_upto == 0 && !rebootEncryption) {
3092         if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3093             goto error_shutting_down;
3094         }
3095 
3096         if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3097             crypt_ftr.fs_size = nr_sec
3098               - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3099         } else {
3100             crypt_ftr.fs_size = nr_sec;
3101         }
3102         /* At this point, we are in an inconsistent state. Until we successfully
3103            complete encryption, a reboot will leave us broken. So mark the
3104            encryption failed in case that happens.
3105            On successfully completing encryption, remove this flag */
3106         if (onlyCreateHeader) {
3107             crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
3108         } else {
3109             crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3110         }
3111         crypt_ftr.crypt_type = crypt_type;
3112 #ifndef CONFIG_HW_DISK_ENCRYPTION
3113         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3114 #else
3115         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3116 
3117         rc = clear_hw_device_encryption_key();
3118         if (!rc) {
3119           SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3120         }
3121 
3122         rc = set_hw_device_encryption_key(passwd,
3123                                           (char*) crypt_ftr.crypto_type_name);
3124         if (!rc) {
3125           SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3126           goto error_shutting_down;
3127         }
3128 #endif
3129 
3130         /* Make an encrypted master key */
3131         if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
3132                                         crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3133             SLOGE("Cannot create encrypted master key\n");
3134             goto error_shutting_down;
3135         }
3136 
3137         /* Replace scrypted intermediate key if we are preparing for a reboot */
3138         if (onlyCreateHeader) {
3139             unsigned char fake_master_key[KEY_LEN_BYTES];
3140             unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
3141             memset(fake_master_key, 0, sizeof(fake_master_key));
3142             encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
3143                                encrypted_fake_master_key, &crypt_ftr);
3144         }
3145 
3146         /* Write the key to the end of the partition */
3147         put_crypt_ftr_and_key(&crypt_ftr);
3148 
3149         /* If any persistent data has been remembered, save it.
3150          * If none, create a valid empty table and save that.
3151          */
3152         if (!persist_data) {
3153            pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3154            if (pdata) {
3155                init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3156                persist_data = pdata;
3157            }
3158         }
3159         if (persist_data) {
3160             save_persistent_data();
3161         }
3162     }
3163 
3164     if (onlyCreateHeader) {
3165         sleep(2);
3166         cryptfs_reboot(reboot);
3167     }
3168 
3169     if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
3170         /* startup service classes main and late_start */
3171         property_set("vold.decrypt", "trigger_restart_min_framework");
3172         SLOGD("Just triggered restart_min_framework\n");
3173 
3174         /* OK, the framework is restarted and will soon be showing a
3175          * progress bar.  Time to setup an encrypted mapping, and
3176          * either write a new filesystem, or encrypt in place updating
3177          * the progress bar as we work.
3178          */
3179     }
3180 
3181     decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3182     create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3183                           CRYPTO_BLOCK_DEVICE);
3184 
3185     /* If we are continuing, check checksums match */
3186     rc = 0;
3187     if (previously_encrypted_upto) {
3188         __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3189         rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3190 
3191         if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3192                           sizeof(hash_first_block)) != 0) {
3193             SLOGE("Checksums do not match - trigger wipe");
3194             rc = -1;
3195         }
3196     }
3197 
3198     if (!rc) {
3199         rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3200                                         crypto_blkdev, real_blkdev,
3201                                         previously_encrypted_upto);
3202     }
3203 
3204     /* Calculate checksum if we are not finished */
3205     if (!rc && how == CRYPTO_ENABLE_INPLACE
3206             && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3207         rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3208                                       crypt_ftr.hash_first_block);
3209         if (rc) {
3210             SLOGE("Error calculating checksum for continuing encryption");
3211             rc = -1;
3212         }
3213     }
3214 
3215     /* Undo the dm-crypt mapping whether we succeed or not */
3216     delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
3217 
3218     if (! rc) {
3219         /* Success */
3220         crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3221 
3222         if (how == CRYPTO_ENABLE_INPLACE
3223               && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3224             SLOGD("Encrypted up to sector %lld - will continue after reboot",
3225                   crypt_ftr.encrypted_upto);
3226             crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3227         }
3228 
3229         put_crypt_ftr_and_key(&crypt_ftr);
3230 
3231         if (how == CRYPTO_ENABLE_WIPE
3232               || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3233           char value[PROPERTY_VALUE_MAX];
3234           property_get("ro.crypto.state", value, "");
3235           if (!strcmp(value, "")) {
3236             /* default encryption - continue first boot sequence */
3237             property_set("ro.crypto.state", "encrypted");
3238             property_set("ro.crypto.type", "block");
3239             release_wake_lock(lockid);
3240             if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
3241                 // Bring up cryptkeeper that will check the password and set it
3242                 property_set("vold.decrypt", "trigger_shutdown_framework");
3243                 sleep(2);
3244                 property_set("vold.encrypt_progress", "");
3245                 cryptfs_trigger_restart_min_framework();
3246             } else {
3247                 cryptfs_check_passwd(DEFAULT_PASSWORD);
3248                 cryptfs_restart_internal(1);
3249             }
3250             return 0;
3251           } else {
3252             sleep(2); /* Give the UI a chance to show 100% progress */
3253             cryptfs_reboot(reboot);
3254           }
3255         } else {
3256             sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3257             cryptfs_reboot(shutdown);
3258         }
3259     } else {
3260         char value[PROPERTY_VALUE_MAX];
3261 
3262         property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3263         if (!strcmp(value, "1")) {
3264             /* wipe data if encryption failed */
3265             SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3266             if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) {
3267                 SLOGE("could not write bootloader message\n");
3268             }
3269             cryptfs_reboot(recovery);
3270         } else {
3271             /* set property to trigger dialog */
3272             property_set("vold.encrypt_progress", "error_partially_encrypted");
3273             release_wake_lock(lockid);
3274         }
3275         return -1;
3276     }
3277 
3278     /* hrm, the encrypt step claims success, but the reboot failed.
3279      * This should not happen.
3280      * Set the property and return.  Hope the framework can deal with it.
3281      */
3282     property_set("vold.encrypt_progress", "error_reboot_failed");
3283     release_wake_lock(lockid);
3284     return rc;
3285 
3286 error_unencrypted:
3287     property_set("vold.encrypt_progress", "error_not_encrypted");
3288     if (lockid[0]) {
3289         release_wake_lock(lockid);
3290     }
3291     return -1;
3292 
3293 error_shutting_down:
3294     /* we failed, and have not encrypted anthing, so the users's data is still intact,
3295      * but the framework is stopped and not restarted to show the error, so it's up to
3296      * vold to restart the system.
3297      */
3298     SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3299     cryptfs_reboot(reboot);
3300 
3301     /* shouldn't get here */
3302     property_set("vold.encrypt_progress", "error_shutting_down");
3303     if (lockid[0]) {
3304         release_wake_lock(lockid);
3305     }
3306     return -1;
3307 }
3308 
3309 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3310 {
3311     return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3312 }
3313 
3314 int cryptfs_enable_default(char *howarg, int no_ui)
3315 {
3316     return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3317                           DEFAULT_PASSWORD, no_ui);
3318 }
3319 
3320 int cryptfs_changepw(int crypt_type, const char *newpw)
3321 {
3322     if (e4crypt_is_native()) {
3323         SLOGE("cryptfs_changepw not valid for file encryption");
3324         return -1;
3325     }
3326 
3327     struct crypt_mnt_ftr crypt_ftr;
3328     int rc;
3329 
3330     /* This is only allowed after we've successfully decrypted the master key */
3331     if (!master_key_saved) {
3332         SLOGE("Key not saved, aborting");
3333         return -1;
3334     }
3335 
3336     if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3337         SLOGE("Invalid crypt_type %d", crypt_type);
3338         return -1;
3339     }
3340 
3341     /* get key */
3342     if (get_crypt_ftr_and_key(&crypt_ftr)) {
3343         SLOGE("Error getting crypt footer and key");
3344         return -1;
3345     }
3346 
3347     crypt_ftr.crypt_type = crypt_type;
3348 
3349     rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3350                                                         : newpw,
3351                        crypt_ftr.salt,
3352                        saved_master_key,
3353                        crypt_ftr.master_key,
3354                        &crypt_ftr);
3355     if (rc) {
3356         SLOGE("Encrypt master key failed: %d", rc);
3357         return -1;
3358     }
3359     /* save the key */
3360     put_crypt_ftr_and_key(&crypt_ftr);
3361 
3362 #ifdef CONFIG_HW_DISK_ENCRYPTION
3363     if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3364         if (crypt_type == CRYPT_TYPE_DEFAULT) {
3365             int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3366             SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3367             if (!rc)
3368                 return -1;
3369         } else {
3370             int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3371             SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3372             if (!rc)
3373                 return -1;
3374         }
3375     }
3376 #endif
3377     return 0;
3378 }
3379 
3380 static unsigned int persist_get_max_entries(int encrypted) {
3381     struct crypt_mnt_ftr crypt_ftr;
3382     unsigned int dsize;
3383     unsigned int max_persistent_entries;
3384 
3385     /* If encrypted, use the values from the crypt_ftr, otherwise
3386      * use the values for the current spec.
3387      */
3388     if (encrypted) {
3389         if (get_crypt_ftr_and_key(&crypt_ftr)) {
3390             return -1;
3391         }
3392         dsize = crypt_ftr.persist_data_size;
3393     } else {
3394         dsize = CRYPT_PERSIST_DATA_SIZE;
3395     }
3396 
3397     max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3398         sizeof(struct crypt_persist_entry);
3399 
3400     return max_persistent_entries;
3401 }
3402 
3403 static int persist_get_key(const char *fieldname, char *value)
3404 {
3405     unsigned int i;
3406 
3407     if (persist_data == NULL) {
3408         return -1;
3409     }
3410     for (i = 0; i < persist_data->persist_valid_entries; i++) {
3411         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3412             /* We found it! */
3413             strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3414             return 0;
3415         }
3416     }
3417 
3418     return -1;
3419 }
3420 
3421 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3422 {
3423     unsigned int i;
3424     unsigned int num;
3425     unsigned int max_persistent_entries;
3426 
3427     if (persist_data == NULL) {
3428         return -1;
3429     }
3430 
3431     max_persistent_entries = persist_get_max_entries(encrypted);
3432 
3433     num = persist_data->persist_valid_entries;
3434 
3435     for (i = 0; i < num; i++) {
3436         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3437             /* We found an existing entry, update it! */
3438             memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3439             strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3440             return 0;
3441         }
3442     }
3443 
3444     /* We didn't find it, add it to the end, if there is room */
3445     if (persist_data->persist_valid_entries < max_persistent_entries) {
3446         memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3447         strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3448         strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3449         persist_data->persist_valid_entries++;
3450         return 0;
3451     }
3452 
3453     return -1;
3454 }
3455 
3456 /**
3457  * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3458  * sequence and its index is greater than or equal to index. Return 0 otherwise.
3459  */
3460 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3461     unsigned int field_len;
3462     unsigned int key_index;
3463     field_len = strlen(field);
3464 
3465     if (index == 0) {
3466         // The first key in a multi-entry field is just the filedname itself.
3467         if (!strcmp(key, field)) {
3468             return 1;
3469         }
3470     }
3471     // Match key against "%s_%d" % (field, index)
3472     if (strlen(key) < field_len + 1 + 1) {
3473         // Need at least a '_' and a digit.
3474         return 0;
3475     }
3476     if (strncmp(key, field, field_len)) {
3477         // If the key does not begin with field, it's not a match.
3478         return 0;
3479     }
3480     if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3481         return 0;
3482     }
3483     return key_index >= index;
3484 }
3485 
3486 /*
3487  * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3488  * remaining entries starting from index will be deleted.
3489  * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3490  * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3491  * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3492  *
3493  */
3494 static int persist_del_keys(const char *fieldname, unsigned index)
3495 {
3496     unsigned int i;
3497     unsigned int j;
3498     unsigned int num;
3499 
3500     if (persist_data == NULL) {
3501         return PERSIST_DEL_KEY_ERROR_OTHER;
3502     }
3503 
3504     num = persist_data->persist_valid_entries;
3505 
3506     j = 0; // points to the end of non-deleted entries.
3507     // Filter out to-be-deleted entries in place.
3508     for (i = 0; i < num; i++) {
3509         if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3510             persist_data->persist_entry[j] = persist_data->persist_entry[i];
3511             j++;
3512         }
3513     }
3514 
3515     if (j < num) {
3516         persist_data->persist_valid_entries = j;
3517         // Zeroise the remaining entries
3518         memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3519         return PERSIST_DEL_KEY_OK;
3520     } else {
3521         // Did not find an entry matching the given fieldname
3522         return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3523     }
3524 }
3525 
3526 static int persist_count_keys(const char *fieldname)
3527 {
3528     unsigned int i;
3529     unsigned int count;
3530 
3531     if (persist_data == NULL) {
3532         return -1;
3533     }
3534 
3535     count = 0;
3536     for (i = 0; i < persist_data->persist_valid_entries; i++) {
3537         if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3538             count++;
3539         }
3540     }
3541 
3542     return count;
3543 }
3544 
3545 /* Return the value of the specified field. */
3546 int cryptfs_getfield(const char *fieldname, char *value, int len)
3547 {
3548     if (e4crypt_is_native()) {
3549         SLOGE("Cannot get field when file encrypted");
3550         return -1;
3551     }
3552 
3553     char temp_value[PROPERTY_VALUE_MAX];
3554     /* CRYPTO_GETFIELD_OK is success,
3555      * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3556      * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3557      * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3558      */
3559     int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3560     int i;
3561     char temp_field[PROPERTY_KEY_MAX];
3562 
3563     if (persist_data == NULL) {
3564         load_persistent_data();
3565         if (persist_data == NULL) {
3566             SLOGE("Getfield error, cannot load persistent data");
3567             goto out;
3568         }
3569     }
3570 
3571     // Read value from persistent entries. If the original value is split into multiple entries,
3572     // stitch them back together.
3573     if (!persist_get_key(fieldname, temp_value)) {
3574         // We found it, copy it to the caller's buffer and keep going until all entries are read.
3575         if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3576             // value too small
3577             rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3578             goto out;
3579         }
3580         rc = CRYPTO_GETFIELD_OK;
3581 
3582         for (i = 1; /* break explicitly */; i++) {
3583             if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3584                     (int) sizeof(temp_field)) {
3585                 // If the fieldname is very long, we stop as soon as it begins to overflow the
3586                 // maximum field length. At this point we have in fact fully read out the original
3587                 // value because cryptfs_setfield would not allow fields with longer names to be
3588                 // written in the first place.
3589                 break;
3590             }
3591             if (!persist_get_key(temp_field, temp_value)) {
3592                   if (strlcat(value, temp_value, len) >= (unsigned)len) {
3593                       // value too small.
3594                       rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3595                       goto out;
3596                   }
3597             } else {
3598                 // Exhaust all entries.
3599                 break;
3600             }
3601         }
3602     } else {
3603         /* Sadness, it's not there.  Return the error */
3604         rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3605     }
3606 
3607 out:
3608     return rc;
3609 }
3610 
3611 /* Set the value of the specified field. */
3612 int cryptfs_setfield(const char *fieldname, const char *value)
3613 {
3614     if (e4crypt_is_native()) {
3615         SLOGE("Cannot set field when file encrypted");
3616         return -1;
3617     }
3618 
3619     char encrypted_state[PROPERTY_VALUE_MAX];
3620     /* 0 is success, negative values are error */
3621     int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3622     int encrypted = 0;
3623     unsigned int field_id;
3624     char temp_field[PROPERTY_KEY_MAX];
3625     unsigned int num_entries;
3626     unsigned int max_keylen;
3627 
3628     if (persist_data == NULL) {
3629         load_persistent_data();
3630         if (persist_data == NULL) {
3631             SLOGE("Setfield error, cannot load persistent data");
3632             goto out;
3633         }
3634     }
3635 
3636     property_get("ro.crypto.state", encrypted_state, "");
3637     if (!strcmp(encrypted_state, "encrypted") ) {
3638         encrypted = 1;
3639     }
3640 
3641     // Compute the number of entries required to store value, each entry can store up to
3642     // (PROPERTY_VALUE_MAX - 1) chars
3643     if (strlen(value) == 0) {
3644         // Empty value also needs one entry to store.
3645         num_entries = 1;
3646     } else {
3647         num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3648     }
3649 
3650     max_keylen = strlen(fieldname);
3651     if (num_entries > 1) {
3652         // Need an extra "_%d" suffix.
3653         max_keylen += 1 + log10(num_entries);
3654     }
3655     if (max_keylen > PROPERTY_KEY_MAX - 1) {
3656         rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3657         goto out;
3658     }
3659 
3660     // Make sure we have enough space to write the new value
3661     if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3662         persist_get_max_entries(encrypted)) {
3663         rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3664         goto out;
3665     }
3666 
3667     // Now that we know persist_data has enough space for value, let's delete the old field first
3668     // to make up space.
3669     persist_del_keys(fieldname, 0);
3670 
3671     if (persist_set_key(fieldname, value, encrypted)) {
3672         // fail to set key, should not happen as we have already checked the available space
3673         SLOGE("persist_set_key() error during setfield()");
3674         goto out;
3675     }
3676 
3677     for (field_id = 1; field_id < num_entries; field_id++) {
3678         snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3679 
3680         if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3681             // fail to set key, should not happen as we have already checked the available space.
3682             SLOGE("persist_set_key() error during setfield()");
3683             goto out;
3684         }
3685     }
3686 
3687     /* If we are running encrypted, save the persistent data now */
3688     if (encrypted) {
3689         if (save_persistent_data()) {
3690             SLOGE("Setfield error, cannot save persistent data");
3691             goto out;
3692         }
3693     }
3694 
3695     rc = CRYPTO_SETFIELD_OK;
3696 
3697 out:
3698     return rc;
3699 }
3700 
3701 /* Checks userdata. Attempt to mount the volume if default-
3702  * encrypted.
3703  * On success trigger next init phase and return 0.
3704  * Currently do not handle failure - see TODO below.
3705  */
3706 int cryptfs_mount_default_encrypted(void)
3707 {
3708     int crypt_type = cryptfs_get_password_type();
3709     if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3710         SLOGE("Bad crypt type - error");
3711     } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3712         SLOGD("Password is not default - "
3713               "starting min framework to prompt");
3714         property_set("vold.decrypt", "trigger_restart_min_framework");
3715         return 0;
3716     } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3717         SLOGD("Password is default - restarting filesystem");
3718         cryptfs_restart_internal(0);
3719         return 0;
3720     } else {
3721         SLOGE("Encrypted, default crypt type but can't decrypt");
3722     }
3723 
3724     /** Corrupt. Allow us to boot into framework, which will detect bad
3725         crypto when it calls do_crypto_complete, then do a factory reset
3726      */
3727     property_set("vold.decrypt", "trigger_restart_min_framework");
3728     return 0;
3729 }
3730 
3731 /* Returns type of the password, default, pattern, pin or password.
3732  */
3733 int cryptfs_get_password_type(void)
3734 {
3735     if (e4crypt_is_native()) {
3736         SLOGE("cryptfs_get_password_type not valid for file encryption");
3737         return -1;
3738     }
3739 
3740     struct crypt_mnt_ftr crypt_ftr;
3741 
3742     if (get_crypt_ftr_and_key(&crypt_ftr)) {
3743         SLOGE("Error getting crypt footer and key\n");
3744         return -1;
3745     }
3746 
3747     if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3748         return -1;
3749     }
3750 
3751     return crypt_ftr.crypt_type;
3752 }
3753 
3754 const char* cryptfs_get_password()
3755 {
3756     if (e4crypt_is_native()) {
3757         SLOGE("cryptfs_get_password not valid for file encryption");
3758         return 0;
3759     }
3760 
3761     struct timespec now;
3762     clock_gettime(CLOCK_BOOTTIME, &now);
3763     if (now.tv_sec < password_expiry_time) {
3764         return password;
3765     } else {
3766         cryptfs_clear_password();
3767         return 0;
3768     }
3769 }
3770 
3771 void cryptfs_clear_password()
3772 {
3773     if (password) {
3774         size_t len = strlen(password);
3775         memset(password, 0, len);
3776         free(password);
3777         password = 0;
3778         password_expiry_time = 0;
3779     }
3780 }
3781 
3782 int cryptfs_enable_file()
3783 {
3784     return e4crypt_initialize_global_de();
3785 }
3786 
3787 int cryptfs_isConvertibleToFBE()
3788 {
3789     struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3790     return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3791 }
3792 
3793 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3794 {
3795     if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3796         SLOGE("Failed to initialize crypt_ftr");
3797         return -1;
3798     }
3799 
3800     if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3801                                     crypt_ftr->salt, crypt_ftr)) {
3802         SLOGE("Cannot create encrypted master key\n");
3803         return -1;
3804     }
3805 
3806     //crypt_ftr->keysize = key_length / 8;
3807     return 0;
3808 }
3809 
3810 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3811                            unsigned char* master_key)
3812 {
3813     int rc;
3814 
3815     unsigned char* intermediate_key = 0;
3816     size_t intermediate_key_size = 0;
3817 
3818     if (password == 0 || *password == 0) {
3819         password = DEFAULT_PASSWORD;
3820     }
3821 
3822     rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3823                             &intermediate_key_size);
3824 
3825     if (rc) {
3826         SLOGE("Can't calculate intermediate key");
3827         return rc;
3828     }
3829 
3830     int N = 1 << ftr->N_factor;
3831     int r = 1 << ftr->r_factor;
3832     int p = 1 << ftr->p_factor;
3833 
3834     unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3835 
3836     rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3837                        ftr->salt, sizeof(ftr->salt), N, r, p,
3838                        scrypted_intermediate_key,
3839                        sizeof(scrypted_intermediate_key));
3840 
3841     free(intermediate_key);
3842 
3843     if (rc) {
3844         SLOGE("Can't scrypt intermediate key");
3845         return rc;
3846     }
3847 
3848     return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3849                   intermediate_key_size);
3850 }
3851 
3852 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3853                          const unsigned char* master_key)
3854 {
3855     return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3856                               ftr);
3857 }
3858 
3859 const char* cryptfs_get_file_encryption_mode()
3860 {
3861     struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3862     return fs_mgr_get_file_encryption_mode(rec);
3863 }
3864