1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4_utils/ext4_crypt.h>
42 #include <ext4_utils/ext4_utils.h>
43 #include <linux/kdev_t.h>
44 #include <fs_mgr.h>
45 #include <time.h>
46 #include <math.h>
47 #include <selinux/selinux.h>
48 #include "cryptfs.h"
49 #include "secontext.h"
50 #define LOG_TAG "Cryptfs"
51 #include "cutils/log.h"
52 #include "cutils/properties.h"
53 #include "cutils/android_reboot.h"
54 #include "hardware_legacy/power.h"
55 #include <logwrap/logwrap.h>
56 #include "ScryptParameters.h"
57 #include "VolumeManager.h"
58 #include "VoldUtil.h"
59 #include "Ext4Crypt.h"
60 #include "f2fs_sparseblock.h"
61 #include "EncryptInplace.h"
62 #include "Process.h"
63 #include "Keymaster.h"
64 #include "android-base/properties.h"
65 #include <bootloader_message/bootloader_message.h>
66 extern "C" {
67 #include <crypto_scrypt.h>
68 }
69
70 #define UNUSED __attribute__((unused))
71
72 #define DM_CRYPT_BUF_SIZE 4096
73
74 #define HASH_COUNT 2000
75
76 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
77 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
78 constexpr size_t INTERMEDIATE_BUF_SIZE =
79 (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
80
81 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
82 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
83 "Mismatch of intermediate key sizes");
84
85 #define KEY_IN_FOOTER "footer"
86
87 #define DEFAULT_PASSWORD "default_password"
88
89 #define CRYPTO_BLOCK_DEVICE "userdata"
90
91 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
92
93 #define EXT4_FS 1
94 #define F2FS_FS 2
95
96 #define TABLE_LOAD_RETRIES 10
97
98 #define RSA_KEY_SIZE 2048
99 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
100 #define RSA_EXPONENT 0x10001
101 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
102
103 #define RETRY_MOUNT_ATTEMPTS 10
104 #define RETRY_MOUNT_DELAY_SECONDS 1
105
106 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
107
108 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
109
110 static unsigned char saved_master_key[MAX_KEY_LEN];
111 static char *saved_mount_point;
112 static int master_key_saved = 0;
113 static struct crypt_persist_data *persist_data = NULL;
114
115 /* Should we use keymaster? */
keymaster_check_compatibility()116 static int keymaster_check_compatibility()
117 {
118 return keymaster_compatibility_cryptfs_scrypt();
119 }
120
121 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)122 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
123 {
124 if (ftr->keymaster_blob_size) {
125 SLOGI("Already have key");
126 return 0;
127 }
128
129 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
130 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
131 &ftr->keymaster_blob_size);
132 if (rc) {
133 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
134 SLOGE("Keymaster key blob too large");
135 ftr->keymaster_blob_size = 0;
136 }
137 SLOGE("Failed to generate keypair");
138 return -1;
139 }
140 return 0;
141 }
142
143 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)144 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
145 const unsigned char *object,
146 const size_t object_size,
147 unsigned char **signature,
148 size_t *signature_size)
149 {
150 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
151 size_t to_sign_size = sizeof(to_sign);
152 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
153
154 // To sign a message with RSA, the message must satisfy two
155 // constraints:
156 //
157 // 1. The message, when interpreted as a big-endian numeric value, must
158 // be strictly less than the public modulus of the RSA key. Note
159 // that because the most significant bit of the public modulus is
160 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
161 // key), an n-bit message with most significant bit 0 always
162 // satisfies this requirement.
163 //
164 // 2. The message must have the same length in bits as the public
165 // modulus of the RSA key. This requirement isn't mathematically
166 // necessary, but is necessary to ensure consistency in
167 // implementations.
168 switch (ftr->kdf_type) {
169 case KDF_SCRYPT_KEYMASTER:
170 // This ensures the most significant byte of the signed message
171 // is zero. We could have zero-padded to the left instead, but
172 // this approach is slightly more robust against changes in
173 // object size. However, it's still broken (but not unusably
174 // so) because we really should be using a proper deterministic
175 // RSA padding function, such as PKCS1.
176 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
177 SLOGI("Signing safely-padded object");
178 break;
179 default:
180 SLOGE("Unknown KDF type %d", ftr->kdf_type);
181 return -1;
182 }
183 for (;;) {
184 auto result = keymaster_sign_object_for_cryptfs_scrypt(
185 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
186 to_sign_size, signature, signature_size);
187 switch (result) {
188 case KeymasterSignResult::ok:
189 return 0;
190 case KeymasterSignResult::upgrade:
191 break;
192 default:
193 return -1;
194 }
195 SLOGD("Upgrading key");
196 if (keymaster_upgrade_key_for_cryptfs_scrypt(
197 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
198 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
199 &ftr->keymaster_blob_size) != 0) {
200 SLOGE("Failed to upgrade key");
201 return -1;
202 }
203 if (put_crypt_ftr_and_key(ftr) != 0) {
204 SLOGE("Failed to write upgraded key to disk");
205 }
206 SLOGD("Key upgraded successfully");
207 }
208 }
209
210 /* Store password when userdata is successfully decrypted and mounted.
211 * Cleared by cryptfs_clear_password
212 *
213 * To avoid a double prompt at boot, we need to store the CryptKeeper
214 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
215 * Since the entire framework is torn down and rebuilt after encryption,
216 * we have to use a daemon or similar to store the password. Since vold
217 * is secured against IPC except from system processes, it seems a reasonable
218 * place to store this.
219 *
220 * password should be cleared once it has been used.
221 *
222 * password is aged out after password_max_age_seconds seconds.
223 */
224 static char* password = 0;
225 static int password_expiry_time = 0;
226 static const int password_max_age_seconds = 60;
227
228 enum class RebootType {reboot, recovery, shutdown};
cryptfs_reboot(RebootType rt)229 static void cryptfs_reboot(RebootType rt)
230 {
231 switch (rt) {
232 case RebootType::reboot:
233 property_set(ANDROID_RB_PROPERTY, "reboot");
234 break;
235
236 case RebootType::recovery:
237 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
238 break;
239
240 case RebootType::shutdown:
241 property_set(ANDROID_RB_PROPERTY, "shutdown");
242 break;
243 }
244
245 sleep(20);
246
247 /* Shouldn't get here, reboot should happen before sleep times out */
248 return;
249 }
250
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)251 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
252 {
253 memset(io, 0, dataSize);
254 io->data_size = dataSize;
255 io->data_start = sizeof(struct dm_ioctl);
256 io->version[0] = 4;
257 io->version[1] = 0;
258 io->version[2] = 0;
259 io->flags = flags;
260 if (name) {
261 strlcpy(io->name, name, sizeof(io->name));
262 }
263 }
264
265 namespace {
266
267 struct CryptoType;
268
269 // Use to get the CryptoType in use on this device.
270 const CryptoType &get_crypto_type();
271
272 struct CryptoType {
273 // We should only be constructing CryptoTypes as part of
274 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
275 // which isn't pure or fully protected as a concession to being able to
276 // do it all at compile time. Add new CryptoTypes in
277 // supported_crypto_types[] below.
CryptoType__anonb2c86a500111::CryptoType278 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
set_keysize__anonb2c86a500111::CryptoType279 constexpr CryptoType set_keysize(uint32_t size) const {
280 return CryptoType(this->property_name, this->crypto_name, size);
281 }
set_property_name__anonb2c86a500111::CryptoType282 constexpr CryptoType set_property_name(const char *property) const {
283 return CryptoType(property, this->crypto_name, this->keysize);
284 }
set_crypto_name__anonb2c86a500111::CryptoType285 constexpr CryptoType set_crypto_name(const char *crypto) const {
286 return CryptoType(this->property_name, crypto, this->keysize);
287 }
288
get_property_name__anonb2c86a500111::CryptoType289 constexpr const char *get_property_name() const { return property_name; }
get_crypto_name__anonb2c86a500111::CryptoType290 constexpr const char *get_crypto_name() const { return crypto_name; }
get_keysize__anonb2c86a500111::CryptoType291 constexpr uint32_t get_keysize() const { return keysize; }
292
293 private:
294 const char *property_name;
295 const char *crypto_name;
296 uint32_t keysize;
297
CryptoType__anonb2c86a500111::CryptoType298 constexpr CryptoType(const char *property, const char *crypto,
299 uint32_t ksize)
300 : property_name(property), crypto_name(crypto), keysize(ksize) {}
301 friend const CryptoType &get_crypto_type();
302 static const CryptoType &get_device_crypto_algorithm();
303 };
304
305 // We only want to parse this read-only property once. But we need to wait
306 // until the system is initialized before we can read it. So we use a static
307 // scoped within this function to get it only once.
get_crypto_type()308 const CryptoType &get_crypto_type() {
309 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
310 return crypto_type;
311 }
312
313 constexpr CryptoType default_crypto_type = CryptoType()
314 .set_property_name("AES-128-CBC")
315 .set_crypto_name("aes-cbc-essiv:sha256")
316 .set_keysize(16);
317
318 constexpr CryptoType supported_crypto_types[] = {
319 default_crypto_type,
320 CryptoType()
321 .set_property_name("Speck128/128-XTS")
322 .set_crypto_name("speck128-xts-plain64")
323 .set_keysize(32),
324 // Add new CryptoTypes here. Order is not important.
325 };
326
327
328 // ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
329 // We confirm all supported_crypto_types have a small enough keysize and
330 // had both set_property_name() and set_crypto_name() called.
331
332 template <typename T, size_t N>
array_length(T (&)[N])333 constexpr size_t array_length(T (&)[N]) { return N; }
334
indexOutOfBoundsForCryptoTypes(size_t index)335 constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
336 return (index >= array_length(supported_crypto_types));
337 }
338
isValidCryptoType(const CryptoType & crypto_type)339 constexpr bool isValidCryptoType(const CryptoType &crypto_type) {
340 return ((crypto_type.get_property_name() != nullptr) &&
341 (crypto_type.get_crypto_name() != nullptr) &&
342 (crypto_type.get_keysize() <= MAX_KEY_LEN));
343 }
344
345 // Note in C++11 that constexpr functions can only have a single line.
346 // So our code is a bit convoluted (using recursion instead of a loop),
347 // but it's asserting at compile time that all of our key lengths are valid.
validateSupportedCryptoTypes(size_t index)348 constexpr bool validateSupportedCryptoTypes(size_t index) {
349 return indexOutOfBoundsForCryptoTypes(index) ||
350 (isValidCryptoType(supported_crypto_types[index]) &&
351 validateSupportedCryptoTypes(index + 1));
352 }
353
354 static_assert(validateSupportedCryptoTypes(0),
355 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
356 "incompletely constructed.");
357 // ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
358
359
360 // Don't call this directly, use get_crypto_type(), which caches this result.
get_device_crypto_algorithm()361 const CryptoType &CryptoType::get_device_crypto_algorithm() {
362 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
363 char paramstr[PROPERTY_VALUE_MAX];
364
365 property_get(CRYPT_ALGO_PROP, paramstr,
366 default_crypto_type.get_property_name());
367 for (auto const &ctype : supported_crypto_types) {
368 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
369 return ctype;
370 }
371 }
372 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr,
373 CRYPT_ALGO_PROP, default_crypto_type.get_property_name());
374 return default_crypto_type;
375 }
376
377 } // namespace
378
379
380
381 /**
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
384 * given device.
385 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)386 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
387 char paramstr[PROPERTY_VALUE_MAX];
388 int Nf, rf, pf;
389
390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
394 }
395 ftr->N_factor = Nf;
396 ftr->r_factor = rf;
397 ftr->p_factor = pf;
398 }
399
cryptfs_get_keysize()400 uint32_t cryptfs_get_keysize() {
401 return get_crypto_type().get_keysize();
402 }
403
cryptfs_get_crypto_name()404 const char *cryptfs_get_crypto_name() {
405 return get_crypto_type().get_crypto_name();
406 }
407
get_fs_size(char * dev)408 static unsigned int get_fs_size(char *dev)
409 {
410 int fd, block_size;
411 struct ext4_super_block sb;
412 off64_t len;
413
414 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
415 SLOGE("Cannot open device to get filesystem size ");
416 return 0;
417 }
418
419 if (lseek64(fd, 1024, SEEK_SET) < 0) {
420 SLOGE("Cannot seek to superblock");
421 return 0;
422 }
423
424 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
425 SLOGE("Cannot read superblock");
426 return 0;
427 }
428
429 close(fd);
430
431 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
432 SLOGE("Not a valid ext4 superblock");
433 return 0;
434 }
435 block_size = 1024 << sb.s_log_block_size;
436 /* compute length in bytes */
437 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
438
439 /* return length in sectors */
440 return (unsigned int) (len / 512);
441 }
442
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)443 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
444 {
445 static int cached_data = 0;
446 static off64_t cached_off = 0;
447 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
448 int fd;
449 char key_loc[PROPERTY_VALUE_MAX];
450 char real_blkdev[PROPERTY_VALUE_MAX];
451 int rc = -1;
452
453 if (!cached_data) {
454 fs_mgr_get_crypt_info(fstab_default, key_loc, real_blkdev, sizeof(key_loc));
455
456 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
457 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
458 SLOGE("Cannot open real block device %s\n", real_blkdev);
459 return -1;
460 }
461
462 unsigned long nr_sec = 0;
463 get_blkdev_size(fd, &nr_sec);
464 if (nr_sec != 0) {
465 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
466 * encryption info footer and key, and plenty of bytes to spare for future
467 * growth.
468 */
469 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
470 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
471 cached_data = 1;
472 } else {
473 SLOGE("Cannot get size of block device %s\n", real_blkdev);
474 }
475 close(fd);
476 } else {
477 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
478 cached_off = 0;
479 cached_data = 1;
480 }
481 }
482
483 if (cached_data) {
484 if (metadata_fname) {
485 *metadata_fname = cached_metadata_fname;
486 }
487 if (off) {
488 *off = cached_off;
489 }
490 rc = 0;
491 }
492
493 return rc;
494 }
495
496 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)497 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
498 {
499 SHA256_CTX c;
500 SHA256_Init(&c);
501 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
502 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
503 SHA256_Final(crypt_ftr->sha256, &c);
504 }
505
506 /* key or salt can be NULL, in which case just skip writing that value. Useful to
507 * update the failed mount count but not change the key.
508 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)509 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
510 {
511 int fd;
512 unsigned int cnt;
513 /* starting_off is set to the SEEK_SET offset
514 * where the crypto structure starts
515 */
516 off64_t starting_off;
517 int rc = -1;
518 char *fname = NULL;
519 struct stat statbuf;
520
521 set_ftr_sha(crypt_ftr);
522
523 if (get_crypt_ftr_info(&fname, &starting_off)) {
524 SLOGE("Unable to get crypt_ftr_info\n");
525 return -1;
526 }
527 if (fname[0] != '/') {
528 SLOGE("Unexpected value for crypto key location\n");
529 return -1;
530 }
531 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
532 SLOGE("Cannot open footer file %s for put\n", fname);
533 return -1;
534 }
535
536 /* Seek to the start of the crypt footer */
537 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
538 SLOGE("Cannot seek to real block device footer\n");
539 goto errout;
540 }
541
542 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
543 SLOGE("Cannot write real block device footer\n");
544 goto errout;
545 }
546
547 fstat(fd, &statbuf);
548 /* If the keys are kept on a raw block device, do not try to truncate it. */
549 if (S_ISREG(statbuf.st_mode)) {
550 if (ftruncate(fd, 0x4000)) {
551 SLOGE("Cannot set footer file size\n");
552 goto errout;
553 }
554 }
555
556 /* Success! */
557 rc = 0;
558
559 errout:
560 close(fd);
561 return rc;
562
563 }
564
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)565 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
566 {
567 struct crypt_mnt_ftr copy;
568 memcpy(©, crypt_ftr, sizeof(copy));
569 set_ftr_sha(©);
570 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
571 }
572
unix_read(int fd,void * buff,int len)573 static inline int unix_read(int fd, void* buff, int len)
574 {
575 return TEMP_FAILURE_RETRY(read(fd, buff, len));
576 }
577
unix_write(int fd,const void * buff,int len)578 static inline int unix_write(int fd, const void* buff, int len)
579 {
580 return TEMP_FAILURE_RETRY(write(fd, buff, len));
581 }
582
init_empty_persist_data(struct crypt_persist_data * pdata,int len)583 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
584 {
585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
588 }
589
590 /* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
594 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)595 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
596 {
597 int orig_major = crypt_ftr->major_version;
598 int orig_minor = crypt_ftr->minor_version;
599
600 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
601 struct crypt_persist_data *pdata;
602 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
603
604 SLOGW("upgrading crypto footer to 1.1");
605
606 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
607 if (pdata == NULL) {
608 SLOGE("Cannot allocate persisent data\n");
609 return;
610 }
611 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
612
613 /* Need to initialize the persistent data area */
614 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
615 SLOGE("Cannot seek to persisent data offset\n");
616 free(pdata);
617 return;
618 }
619 /* Write all zeros to the first copy, making it invalid */
620 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
621
622 /* Write a valid but empty structure to the second copy */
623 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
624 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
625
626 /* Update the footer */
627 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
628 crypt_ftr->persist_data_offset[0] = pdata_offset;
629 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
630 crypt_ftr->minor_version = 1;
631 free(pdata);
632 }
633
634 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
635 SLOGW("upgrading crypto footer to 1.2");
636 /* But keep the old kdf_type.
637 * It will get updated later to KDF_SCRYPT after the password has been verified.
638 */
639 crypt_ftr->kdf_type = KDF_PBKDF2;
640 get_device_scrypt_params(crypt_ftr);
641 crypt_ftr->minor_version = 2;
642 }
643
644 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
645 SLOGW("upgrading crypto footer to 1.3");
646 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
647 crypt_ftr->minor_version = 3;
648 }
649
650 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
651 if (lseek64(fd, offset, SEEK_SET) == -1) {
652 SLOGE("Cannot seek to crypt footer\n");
653 return;
654 }
655 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
656 }
657 }
658
659
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)660 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
661 {
662 int fd;
663 unsigned int cnt;
664 off64_t starting_off;
665 int rc = -1;
666 char *fname = NULL;
667 struct stat statbuf;
668
669 if (get_crypt_ftr_info(&fname, &starting_off)) {
670 SLOGE("Unable to get crypt_ftr_info\n");
671 return -1;
672 }
673 if (fname[0] != '/') {
674 SLOGE("Unexpected value for crypto key location\n");
675 return -1;
676 }
677 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
678 SLOGE("Cannot open footer file %s for get\n", fname);
679 return -1;
680 }
681
682 /* Make sure it's 16 Kbytes in length */
683 fstat(fd, &statbuf);
684 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
685 SLOGE("footer file %s is not the expected size!\n", fname);
686 goto errout;
687 }
688
689 /* Seek to the start of the crypt footer */
690 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
691 SLOGE("Cannot seek to real block device footer\n");
692 goto errout;
693 }
694
695 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
696 SLOGE("Cannot read real block device footer\n");
697 goto errout;
698 }
699
700 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
701 SLOGE("Bad magic for real block device %s\n", fname);
702 goto errout;
703 }
704
705 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
706 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
707 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
708 goto errout;
709 }
710
711 // We risk buffer overflows with oversized keys, so we just reject them.
712 // 0-sized keys are problematic (essentially by-passing encryption), and
713 // AES-CBC key wrapping only works for multiples of 16 bytes.
714 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
715 (crypt_ftr->keysize > MAX_KEY_LEN)) {
716 SLOGE("Invalid keysize (%u) for block device %s; Must be non-zero, "
717 "divisible by 16, and <= %d\n", crypt_ftr->keysize, fname,
718 MAX_KEY_LEN);
719 goto errout;
720 }
721
722 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
723 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
724 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
725 }
726
727 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
728 * copy on disk before returning.
729 */
730 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
731 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
732 }
733
734 /* Success! */
735 rc = 0;
736
737 errout:
738 close(fd);
739 return rc;
740 }
741
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)742 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
743 {
744 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
745 crypt_ftr->persist_data_offset[1]) {
746 SLOGE("Crypt_ftr persist data regions overlap");
747 return -1;
748 }
749
750 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
751 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
752 return -1;
753 }
754
755 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
756 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
757 CRYPT_FOOTER_OFFSET) {
758 SLOGE("Persistent data extends past crypto footer");
759 return -1;
760 }
761
762 return 0;
763 }
764
load_persistent_data(void)765 static int load_persistent_data(void)
766 {
767 struct crypt_mnt_ftr crypt_ftr;
768 struct crypt_persist_data *pdata = NULL;
769 char encrypted_state[PROPERTY_VALUE_MAX];
770 char *fname;
771 int found = 0;
772 int fd;
773 int ret;
774 int i;
775
776 if (persist_data) {
777 /* Nothing to do, we've already loaded or initialized it */
778 return 0;
779 }
780
781
782 /* If not encrypted, just allocate an empty table and initialize it */
783 property_get("ro.crypto.state", encrypted_state, "");
784 if (strcmp(encrypted_state, "encrypted") ) {
785 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
786 if (pdata) {
787 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
788 persist_data = pdata;
789 return 0;
790 }
791 return -1;
792 }
793
794 if(get_crypt_ftr_and_key(&crypt_ftr)) {
795 return -1;
796 }
797
798 if ((crypt_ftr.major_version < 1)
799 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
800 SLOGE("Crypt_ftr version doesn't support persistent data");
801 return -1;
802 }
803
804 if (get_crypt_ftr_info(&fname, NULL)) {
805 return -1;
806 }
807
808 ret = validate_persistent_data_storage(&crypt_ftr);
809 if (ret) {
810 return -1;
811 }
812
813 fd = open(fname, O_RDONLY|O_CLOEXEC);
814 if (fd < 0) {
815 SLOGE("Cannot open %s metadata file", fname);
816 return -1;
817 }
818
819 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
820 if (pdata == NULL) {
821 SLOGE("Cannot allocate memory for persistent data");
822 goto err;
823 }
824
825 for (i = 0; i < 2; i++) {
826 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
827 SLOGE("Cannot seek to read persistent data on %s", fname);
828 goto err2;
829 }
830 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
831 SLOGE("Error reading persistent data on iteration %d", i);
832 goto err2;
833 }
834 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
835 found = 1;
836 break;
837 }
838 }
839
840 if (!found) {
841 SLOGI("Could not find valid persistent data, creating");
842 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
843 }
844
845 /* Success */
846 persist_data = pdata;
847 close(fd);
848 return 0;
849
850 err2:
851 free(pdata);
852
853 err:
854 close(fd);
855 return -1;
856 }
857
save_persistent_data(void)858 static int save_persistent_data(void)
859 {
860 struct crypt_mnt_ftr crypt_ftr;
861 struct crypt_persist_data *pdata;
862 char *fname;
863 off64_t write_offset;
864 off64_t erase_offset;
865 int fd;
866 int ret;
867
868 if (persist_data == NULL) {
869 SLOGE("No persistent data to save");
870 return -1;
871 }
872
873 if(get_crypt_ftr_and_key(&crypt_ftr)) {
874 return -1;
875 }
876
877 if ((crypt_ftr.major_version < 1)
878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
879 SLOGE("Crypt_ftr version doesn't support persistent data");
880 return -1;
881 }
882
883 ret = validate_persistent_data_storage(&crypt_ftr);
884 if (ret) {
885 return -1;
886 }
887
888 if (get_crypt_ftr_info(&fname, NULL)) {
889 return -1;
890 }
891
892 fd = open(fname, O_RDWR|O_CLOEXEC);
893 if (fd < 0) {
894 SLOGE("Cannot open %s metadata file", fname);
895 return -1;
896 }
897
898 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
899 if (pdata == NULL) {
900 SLOGE("Cannot allocate persistant data");
901 goto err;
902 }
903
904 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
905 SLOGE("Cannot seek to read persistent data on %s", fname);
906 goto err2;
907 }
908
909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
910 SLOGE("Error reading persistent data before save");
911 goto err2;
912 }
913
914 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
915 /* The first copy is the curent valid copy, so write to
916 * the second copy and erase this one */
917 write_offset = crypt_ftr.persist_data_offset[1];
918 erase_offset = crypt_ftr.persist_data_offset[0];
919 } else {
920 /* The second copy must be the valid copy, so write to
921 * the first copy, and erase the second */
922 write_offset = crypt_ftr.persist_data_offset[0];
923 erase_offset = crypt_ftr.persist_data_offset[1];
924 }
925
926 /* Write the new copy first, if successful, then erase the old copy */
927 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
928 SLOGE("Cannot seek to write persistent data");
929 goto err2;
930 }
931 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
932 (int) crypt_ftr.persist_data_size) {
933 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
934 SLOGE("Cannot seek to erase previous persistent data");
935 goto err2;
936 }
937 fsync(fd);
938 memset(pdata, 0, crypt_ftr.persist_data_size);
939 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
940 (int) crypt_ftr.persist_data_size) {
941 SLOGE("Cannot write to erase previous persistent data");
942 goto err2;
943 }
944 fsync(fd);
945 } else {
946 SLOGE("Cannot write to save persistent data");
947 goto err2;
948 }
949
950 /* Success */
951 free(pdata);
952 close(fd);
953 return 0;
954
955 err2:
956 free(pdata);
957 err:
958 close(fd);
959 return -1;
960 }
961
962 /* Convert a binary key of specified length into an ascii hex string equivalent,
963 * without the leading 0x and with null termination
964 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)965 static void convert_key_to_hex_ascii(const unsigned char *master_key,
966 unsigned int keysize, char *master_key_ascii) {
967 unsigned int i, a;
968 unsigned char nibble;
969
970 for (i=0, a=0; i<keysize; i++, a+=2) {
971 /* For each byte, write out two ascii hex digits */
972 nibble = (master_key[i] >> 4) & 0xf;
973 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
974
975 nibble = master_key[i] & 0xf;
976 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
977 }
978
979 /* Add the null termination */
980 master_key_ascii[a] = '\0';
981
982 }
983
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)984 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
985 const unsigned char *master_key, const char *real_blk_name,
986 const char *name, int fd, const char *extra_params) {
987 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
988 struct dm_ioctl *io;
989 struct dm_target_spec *tgt;
990 char *crypt_params;
991 // We need two ASCII characters to represent each byte, and need space for
992 // the '\0' terminator.
993 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
994 size_t buff_offset;
995 int i;
996
997 io = (struct dm_ioctl *) buffer;
998
999 /* Load the mapping table for this device */
1000 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1001
1002 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1003 io->target_count = 1;
1004 tgt->status = 0;
1005 tgt->sector_start = 0;
1006 tgt->length = crypt_ftr->fs_size;
1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1008
1009 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1010 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1011
1012 buff_offset = crypt_params - buffer;
1013 SLOGI("Extra parameters for dm_crypt: %s\n", extra_params);
1014 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1015 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
1016 extra_params);
1017 crypt_params += strlen(crypt_params) + 1;
1018 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1019 tgt->next = crypt_params - buffer;
1020
1021 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1022 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1023 break;
1024 }
1025 usleep(500000);
1026 }
1027
1028 if (i == TABLE_LOAD_RETRIES) {
1029 /* We failed to load the table, return an error */
1030 return -1;
1031 } else {
1032 return i + 1;
1033 }
1034 }
1035
1036
get_dm_crypt_version(int fd,const char * name,int * version)1037 static int get_dm_crypt_version(int fd, const char *name, int *version)
1038 {
1039 char buffer[DM_CRYPT_BUF_SIZE];
1040 struct dm_ioctl *io;
1041 struct dm_target_versions *v;
1042
1043 io = (struct dm_ioctl *) buffer;
1044
1045 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1046
1047 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1048 return -1;
1049 }
1050
1051 /* Iterate over the returned versions, looking for name of "crypt".
1052 * When found, get and return the version.
1053 */
1054 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1055 while (v->next) {
1056 if (! strcmp(v->name, "crypt")) {
1057 /* We found the crypt driver, return the version, and get out */
1058 version[0] = v->version[0];
1059 version[1] = v->version[1];
1060 version[2] = v->version[2];
1061 return 0;
1062 }
1063 v = (struct dm_target_versions *)(((char *)v) + v->next);
1064 }
1065
1066 return -1;
1067 }
1068
extra_params_as_string(const std::vector<std::string> & extra_params_vec)1069 static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1070 if (extra_params_vec.empty()) return "";
1071 std::string extra_params = std::to_string(extra_params_vec.size());
1072 for (const auto& p : extra_params_vec) {
1073 extra_params.append(" ");
1074 extra_params.append(p);
1075 }
1076 return extra_params;
1077 }
1078
create_crypto_blk_dev(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,char * crypto_blk_name,const char * name,uint32_t flags)1079 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1080 const char* real_blk_name, char* crypto_blk_name, const char* name,
1081 uint32_t flags) {
1082 char buffer[DM_CRYPT_BUF_SIZE];
1083 struct dm_ioctl* io;
1084 unsigned int minor;
1085 int fd = 0;
1086 int err;
1087 int retval = -1;
1088 int version[3];
1089 int load_count;
1090 std::vector<std::string> extra_params_vec;
1091
1092 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1093 SLOGE("Cannot open device-mapper\n");
1094 goto errout;
1095 }
1096
1097 io = (struct dm_ioctl*)buffer;
1098
1099 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1100 err = ioctl(fd, DM_DEV_CREATE, io);
1101 if (err) {
1102 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1103 goto errout;
1104 }
1105
1106 /* Get the device status, in particular, the name of it's device file */
1107 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1108 if (ioctl(fd, DM_DEV_STATUS, io)) {
1109 SLOGE("Cannot retrieve dm-crypt device status\n");
1110 goto errout;
1111 }
1112 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1113 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1114
1115 if (!get_dm_crypt_version(fd, name, version)) {
1116 /* Support for allow_discards was added in version 1.11.0 */
1117 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1118 extra_params_vec.emplace_back("allow_discards");
1119 }
1120 }
1121 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1122 extra_params_vec.emplace_back("allow_encrypt_override");
1123 }
1124 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1125 extra_params_as_string(extra_params_vec).c_str());
1126 if (load_count < 0) {
1127 SLOGE("Cannot load dm-crypt mapping table.\n");
1128 goto errout;
1129 } else if (load_count > 1) {
1130 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1131 }
1132
1133 /* Resume this device to activate it */
1134 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1135
1136 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1137 SLOGE("Cannot resume the dm-crypt device\n");
1138 goto errout;
1139 }
1140
1141 /* We made it here with no errors. Woot! */
1142 retval = 0;
1143
1144 errout:
1145 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1146
1147 return retval;
1148 }
1149
delete_crypto_blk_dev(const char * name)1150 static int delete_crypto_blk_dev(const char *name)
1151 {
1152 int fd;
1153 char buffer[DM_CRYPT_BUF_SIZE];
1154 struct dm_ioctl *io;
1155 int retval = -1;
1156
1157 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1158 SLOGE("Cannot open device-mapper\n");
1159 goto errout;
1160 }
1161
1162 io = (struct dm_ioctl *) buffer;
1163
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1165 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1166 SLOGE("Cannot remove dm-crypt device\n");
1167 goto errout;
1168 }
1169
1170 /* We made it here with no errors. Woot! */
1171 retval = 0;
1172
1173 errout:
1174 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1175
1176 return retval;
1177
1178 }
1179
pbkdf2(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params UNUSED)1180 static int pbkdf2(const char *passwd, const unsigned char *salt,
1181 unsigned char *ikey, void *params UNUSED)
1182 {
1183 SLOGI("Using pbkdf2 for cryptfs KDF");
1184
1185 /* Turn the password into a key and IV that can decrypt the master key */
1186 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1187 HASH_COUNT, INTERMEDIATE_BUF_SIZE,
1188 ikey) != 1;
1189 }
1190
scrypt(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1191 static int scrypt(const char *passwd, const unsigned char *salt,
1192 unsigned char *ikey, void *params)
1193 {
1194 SLOGI("Using scrypt for cryptfs KDF");
1195
1196 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1197
1198 int N = 1 << ftr->N_factor;
1199 int r = 1 << ftr->r_factor;
1200 int p = 1 << ftr->p_factor;
1201
1202 /* Turn the password into a key and IV that can decrypt the master key */
1203 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1204 salt, SALT_LEN, N, r, p, ikey,
1205 INTERMEDIATE_BUF_SIZE);
1206
1207 return 0;
1208 }
1209
scrypt_keymaster(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1210 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1211 unsigned char *ikey, void *params)
1212 {
1213 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1214
1215 int rc;
1216 size_t signature_size;
1217 unsigned char* signature;
1218 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1219
1220 int N = 1 << ftr->N_factor;
1221 int r = 1 << ftr->r_factor;
1222 int p = 1 << ftr->p_factor;
1223
1224 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1225 salt, SALT_LEN, N, r, p, ikey,
1226 INTERMEDIATE_BUF_SIZE);
1227
1228 if (rc) {
1229 SLOGE("scrypt failed");
1230 return -1;
1231 }
1232
1233 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE,
1234 &signature, &signature_size)) {
1235 SLOGE("Signing failed");
1236 return -1;
1237 }
1238
1239 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1240 N, r, p, ikey, INTERMEDIATE_BUF_SIZE);
1241 free(signature);
1242
1243 if (rc) {
1244 SLOGE("scrypt failed");
1245 return -1;
1246 }
1247
1248 return 0;
1249 }
1250
encrypt_master_key(const char * passwd,const unsigned char * salt,const unsigned char * decrypted_master_key,unsigned char * encrypted_master_key,struct crypt_mnt_ftr * crypt_ftr)1251 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1252 const unsigned char *decrypted_master_key,
1253 unsigned char *encrypted_master_key,
1254 struct crypt_mnt_ftr *crypt_ftr)
1255 {
1256 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
1257 EVP_CIPHER_CTX e_ctx;
1258 int encrypted_len, final_len;
1259 int rc = 0;
1260
1261 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1262 get_device_scrypt_params(crypt_ftr);
1263
1264 switch (crypt_ftr->kdf_type) {
1265 case KDF_SCRYPT_KEYMASTER:
1266 if (keymaster_create_key(crypt_ftr)) {
1267 SLOGE("keymaster_create_key failed");
1268 return -1;
1269 }
1270
1271 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1272 SLOGE("scrypt failed");
1273 return -1;
1274 }
1275 break;
1276
1277 case KDF_SCRYPT:
1278 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1279 SLOGE("scrypt failed");
1280 return -1;
1281 }
1282 break;
1283
1284 default:
1285 SLOGE("Invalid kdf_type");
1286 return -1;
1287 }
1288
1289 /* Initialize the decryption engine */
1290 EVP_CIPHER_CTX_init(&e_ctx);
1291 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1292 ikey+INTERMEDIATE_KEY_LEN_BYTES)) {
1293 SLOGE("EVP_EncryptInit failed\n");
1294 return -1;
1295 }
1296 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1297
1298 /* Encrypt the master key */
1299 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1300 decrypted_master_key, crypt_ftr->keysize)) {
1301 SLOGE("EVP_EncryptUpdate failed\n");
1302 return -1;
1303 }
1304 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1305 SLOGE("EVP_EncryptFinal failed\n");
1306 return -1;
1307 }
1308
1309 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1310 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1311 return -1;
1312 }
1313
1314 /* Store the scrypt of the intermediate key, so we can validate if it's a
1315 password error or mount error when things go wrong.
1316 Note there's no need to check for errors, since if this is incorrect, we
1317 simply won't wipe userdata, which is the correct default behavior
1318 */
1319 int N = 1 << crypt_ftr->N_factor;
1320 int r = 1 << crypt_ftr->r_factor;
1321 int p = 1 << crypt_ftr->p_factor;
1322
1323 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES,
1324 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1325 crypt_ftr->scrypted_intermediate_key,
1326 sizeof(crypt_ftr->scrypted_intermediate_key));
1327
1328 if (rc) {
1329 SLOGE("encrypt_master_key: crypto_scrypt failed");
1330 }
1331
1332 EVP_CIPHER_CTX_cleanup(&e_ctx);
1333
1334 return 0;
1335 }
1336
decrypt_master_key_aux(const char * passwd,unsigned char * salt,const unsigned char * encrypted_master_key,size_t keysize,unsigned char * decrypted_master_key,kdf_func kdf,void * kdf_params,unsigned char ** intermediate_key,size_t * intermediate_key_size)1337 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1338 const unsigned char *encrypted_master_key,
1339 size_t keysize,
1340 unsigned char *decrypted_master_key,
1341 kdf_func kdf, void *kdf_params,
1342 unsigned char** intermediate_key,
1343 size_t* intermediate_key_size)
1344 {
1345 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
1346 EVP_CIPHER_CTX d_ctx;
1347 int decrypted_len, final_len;
1348
1349 /* Turn the password into an intermediate key and IV that can decrypt the
1350 master key */
1351 if (kdf(passwd, salt, ikey, kdf_params)) {
1352 SLOGE("kdf failed");
1353 return -1;
1354 }
1355
1356 /* Initialize the decryption engine */
1357 EVP_CIPHER_CTX_init(&d_ctx);
1358 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+INTERMEDIATE_KEY_LEN_BYTES)) {
1359 return -1;
1360 }
1361 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1362 /* Decrypt the master key */
1363 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1364 encrypted_master_key, keysize)) {
1365 return -1;
1366 }
1367 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1368 return -1;
1369 }
1370
1371 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1372 return -1;
1373 }
1374
1375 /* Copy intermediate key if needed by params */
1376 if (intermediate_key && intermediate_key_size) {
1377 *intermediate_key = (unsigned char*) malloc(INTERMEDIATE_KEY_LEN_BYTES);
1378 if (*intermediate_key) {
1379 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1380 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1381 }
1382 }
1383
1384 EVP_CIPHER_CTX_cleanup(&d_ctx);
1385
1386 return 0;
1387 }
1388
get_kdf_func(struct crypt_mnt_ftr * ftr,kdf_func * kdf,void ** kdf_params)1389 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1390 {
1391 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1392 *kdf = scrypt_keymaster;
1393 *kdf_params = ftr;
1394 } else if (ftr->kdf_type == KDF_SCRYPT) {
1395 *kdf = scrypt;
1396 *kdf_params = ftr;
1397 } else {
1398 *kdf = pbkdf2;
1399 *kdf_params = NULL;
1400 }
1401 }
1402
decrypt_master_key(const char * passwd,unsigned char * decrypted_master_key,struct crypt_mnt_ftr * crypt_ftr,unsigned char ** intermediate_key,size_t * intermediate_key_size)1403 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1404 struct crypt_mnt_ftr *crypt_ftr,
1405 unsigned char** intermediate_key,
1406 size_t* intermediate_key_size)
1407 {
1408 kdf_func kdf;
1409 void *kdf_params;
1410 int ret;
1411
1412 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1413 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1414 crypt_ftr->keysize,
1415 decrypted_master_key, kdf, kdf_params,
1416 intermediate_key, intermediate_key_size);
1417 if (ret != 0) {
1418 SLOGW("failure decrypting master key");
1419 }
1420
1421 return ret;
1422 }
1423
create_encrypted_random_key(const char * passwd,unsigned char * master_key,unsigned char * salt,struct crypt_mnt_ftr * crypt_ftr)1424 static int create_encrypted_random_key(const char *passwd, unsigned char *master_key, unsigned char *salt,
1425 struct crypt_mnt_ftr *crypt_ftr) {
1426 int fd;
1427 unsigned char key_buf[MAX_KEY_LEN];
1428
1429 /* Get some random bits for a key */
1430 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1431 read(fd, key_buf, sizeof(key_buf));
1432 read(fd, salt, SALT_LEN);
1433 close(fd);
1434
1435 /* Now encrypt it with the password */
1436 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1437 }
1438
wait_and_unmount(const char * mountpoint,bool kill)1439 int wait_and_unmount(const char *mountpoint, bool kill)
1440 {
1441 int i, err, rc;
1442 #define WAIT_UNMOUNT_COUNT 20
1443
1444 /* Now umount the tmpfs filesystem */
1445 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1446 if (umount(mountpoint) == 0) {
1447 break;
1448 }
1449
1450 if (errno == EINVAL) {
1451 /* EINVAL is returned if the directory is not a mountpoint,
1452 * i.e. there is no filesystem mounted there. So just get out.
1453 */
1454 break;
1455 }
1456
1457 err = errno;
1458
1459 /* If allowed, be increasingly aggressive before the last two retries */
1460 if (kill) {
1461 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1462 SLOGW("sending SIGHUP to processes with open files\n");
1463 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1464 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1465 SLOGW("sending SIGKILL to processes with open files\n");
1466 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1467 }
1468 }
1469
1470 sleep(1);
1471 }
1472
1473 if (i < WAIT_UNMOUNT_COUNT) {
1474 SLOGD("unmounting %s succeeded\n", mountpoint);
1475 rc = 0;
1476 } else {
1477 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1478 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1479 rc = -1;
1480 }
1481
1482 return rc;
1483 }
1484
prep_data_fs(void)1485 static void prep_data_fs(void)
1486 {
1487 // NOTE: post_fs_data results in init calling back around to vold, so all
1488 // callers to this method must be async
1489
1490 /* Do the prep of the /data filesystem */
1491 property_set("vold.post_fs_data_done", "0");
1492 property_set("vold.decrypt", "trigger_post_fs_data");
1493 SLOGD("Just triggered post_fs_data");
1494
1495 /* Wait a max of 50 seconds, hopefully it takes much less */
1496 while (!android::base::WaitForProperty("vold.post_fs_data_done",
1497 "1",
1498 std::chrono::seconds(15))) {
1499 /* We timed out to prep /data in time. Continue wait. */
1500 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1501 }
1502 SLOGD("post_fs_data done");
1503 }
1504
cryptfs_set_corrupt()1505 static void cryptfs_set_corrupt()
1506 {
1507 // Mark the footer as bad
1508 struct crypt_mnt_ftr crypt_ftr;
1509 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1510 SLOGE("Failed to get crypto footer - panic");
1511 return;
1512 }
1513
1514 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1515 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1516 SLOGE("Failed to set crypto footer - panic");
1517 return;
1518 }
1519 }
1520
cryptfs_trigger_restart_min_framework()1521 static void cryptfs_trigger_restart_min_framework()
1522 {
1523 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1524 SLOGE("Failed to mount tmpfs on data - panic");
1525 return;
1526 }
1527
1528 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1529 SLOGE("Failed to trigger post fs data - panic");
1530 return;
1531 }
1532
1533 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1534 SLOGE("Failed to trigger restart min framework - panic");
1535 return;
1536 }
1537 }
1538
1539 /* returns < 0 on failure */
cryptfs_restart_internal(int restart_main)1540 static int cryptfs_restart_internal(int restart_main)
1541 {
1542 char crypto_blkdev[MAXPATHLEN];
1543 int rc = -1;
1544 static int restart_successful = 0;
1545
1546 /* Validate that it's OK to call this routine */
1547 if (! master_key_saved) {
1548 SLOGE("Encrypted filesystem not validated, aborting");
1549 return -1;
1550 }
1551
1552 if (restart_successful) {
1553 SLOGE("System already restarted with encrypted disk, aborting");
1554 return -1;
1555 }
1556
1557 if (restart_main) {
1558 /* Here is where we shut down the framework. The init scripts
1559 * start all services in one of three classes: core, main or late_start.
1560 * On boot, we start core and main. Now, we stop main, but not core,
1561 * as core includes vold and a few other really important things that
1562 * we need to keep running. Once main has stopped, we should be able
1563 * to umount the tmpfs /data, then mount the encrypted /data.
1564 * We then restart the class main, and also the class late_start.
1565 * At the moment, I've only put a few things in late_start that I know
1566 * are not needed to bring up the framework, and that also cause problems
1567 * with unmounting the tmpfs /data, but I hope to add add more services
1568 * to the late_start class as we optimize this to decrease the delay
1569 * till the user is asked for the password to the filesystem.
1570 */
1571
1572 /* The init files are setup to stop the class main when vold.decrypt is
1573 * set to trigger_reset_main.
1574 */
1575 property_set("vold.decrypt", "trigger_reset_main");
1576 SLOGD("Just asked init to shut down class main\n");
1577
1578 /* Ugh, shutting down the framework is not synchronous, so until it
1579 * can be fixed, this horrible hack will wait a moment for it all to
1580 * shut down before proceeding. Without it, some devices cannot
1581 * restart the graphics services.
1582 */
1583 sleep(2);
1584 }
1585
1586 /* Now that the framework is shutdown, we should be able to umount()
1587 * the tmpfs filesystem, and mount the real one.
1588 */
1589
1590 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1591 if (strlen(crypto_blkdev) == 0) {
1592 SLOGE("fs_crypto_blkdev not set\n");
1593 return -1;
1594 }
1595
1596 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1597 /* If ro.crypto.readonly is set to 1, mount the decrypted
1598 * filesystem readonly. This is used when /data is mounted by
1599 * recovery mode.
1600 */
1601 char ro_prop[PROPERTY_VALUE_MAX];
1602 property_get("ro.crypto.readonly", ro_prop, "");
1603 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1604 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
1605 rec->flags |= MS_RDONLY;
1606 }
1607
1608 /* If that succeeded, then mount the decrypted filesystem */
1609 int retries = RETRY_MOUNT_ATTEMPTS;
1610 int mount_rc;
1611
1612 /*
1613 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1614 * partitions in the fsck domain.
1615 */
1616 if (setexeccon(secontextFsck())){
1617 SLOGE("Failed to setexeccon");
1618 return -1;
1619 }
1620 while ((mount_rc = fs_mgr_do_mount(fstab_default, DATA_MNT_POINT,
1621 crypto_blkdev, 0))
1622 != 0) {
1623 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1624 /* TODO: invoke something similar to
1625 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1626 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1627 SLOGI("Failed to mount %s because it is busy - waiting",
1628 crypto_blkdev);
1629 if (--retries) {
1630 sleep(RETRY_MOUNT_DELAY_SECONDS);
1631 } else {
1632 /* Let's hope that a reboot clears away whatever is keeping
1633 the mount busy */
1634 cryptfs_reboot(RebootType::reboot);
1635 }
1636 } else {
1637 SLOGE("Failed to mount decrypted data");
1638 cryptfs_set_corrupt();
1639 cryptfs_trigger_restart_min_framework();
1640 SLOGI("Started framework to offer wipe");
1641 if (setexeccon(NULL)) {
1642 SLOGE("Failed to setexeccon");
1643 }
1644 return -1;
1645 }
1646 }
1647 if (setexeccon(NULL)) {
1648 SLOGE("Failed to setexeccon");
1649 return -1;
1650 }
1651
1652 /* Create necessary paths on /data */
1653 prep_data_fs();
1654 property_set("vold.decrypt", "trigger_load_persist_props");
1655
1656 /* startup service classes main and late_start */
1657 property_set("vold.decrypt", "trigger_restart_framework");
1658 SLOGD("Just triggered restart_framework\n");
1659
1660 /* Give it a few moments to get started */
1661 sleep(1);
1662 }
1663
1664 if (rc == 0) {
1665 restart_successful = 1;
1666 }
1667
1668 return rc;
1669 }
1670
cryptfs_restart(void)1671 int cryptfs_restart(void)
1672 {
1673 SLOGI("cryptfs_restart");
1674 if (e4crypt_is_native()) {
1675 SLOGE("cryptfs_restart not valid for file encryption:");
1676 return -1;
1677 }
1678
1679 /* Call internal implementation forcing a restart of main service group */
1680 return cryptfs_restart_internal(1);
1681 }
1682
do_crypto_complete(const char * mount_point)1683 static int do_crypto_complete(const char *mount_point)
1684 {
1685 struct crypt_mnt_ftr crypt_ftr;
1686 char encrypted_state[PROPERTY_VALUE_MAX];
1687 char key_loc[PROPERTY_VALUE_MAX];
1688
1689 property_get("ro.crypto.state", encrypted_state, "");
1690 if (strcmp(encrypted_state, "encrypted") ) {
1691 SLOGE("not running with encryption, aborting");
1692 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1693 }
1694
1695 // crypto_complete is full disk encrypted status
1696 if (e4crypt_is_native()) {
1697 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1698 }
1699
1700 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1701 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc));
1702
1703 /*
1704 * Only report this error if key_loc is a file and it exists.
1705 * If the device was never encrypted, and /data is not mountable for
1706 * some reason, returning 1 should prevent the UI from presenting the
1707 * a "enter password" screen, or worse, a "press button to wipe the
1708 * device" screen.
1709 */
1710 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1711 SLOGE("master key file does not exist, aborting");
1712 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1713 } else {
1714 SLOGE("Error getting crypt footer and key\n");
1715 return CRYPTO_COMPLETE_BAD_METADATA;
1716 }
1717 }
1718
1719 // Test for possible error flags
1720 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1721 SLOGE("Encryption process is partway completed\n");
1722 return CRYPTO_COMPLETE_PARTIAL;
1723 }
1724
1725 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1726 SLOGE("Encryption process was interrupted but cannot continue\n");
1727 return CRYPTO_COMPLETE_INCONSISTENT;
1728 }
1729
1730 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1731 SLOGE("Encryption is successful but data is corrupt\n");
1732 return CRYPTO_COMPLETE_CORRUPT;
1733 }
1734
1735 /* We passed the test! We shall diminish, and return to the west */
1736 return CRYPTO_COMPLETE_ENCRYPTED;
1737 }
1738
test_mount_encrypted_fs(struct crypt_mnt_ftr * crypt_ftr,const char * passwd,const char * mount_point,const char * label)1739 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1740 const char *passwd, const char *mount_point, const char *label)
1741 {
1742 unsigned char decrypted_master_key[MAX_KEY_LEN];
1743 char crypto_blkdev[MAXPATHLEN];
1744 char real_blkdev[MAXPATHLEN];
1745 char tmp_mount_point[64];
1746 unsigned int orig_failed_decrypt_count;
1747 int rc;
1748 int use_keymaster = 0;
1749 int upgrade = 0;
1750 unsigned char* intermediate_key = 0;
1751 size_t intermediate_key_size = 0;
1752 int N = 1 << crypt_ftr->N_factor;
1753 int r = 1 << crypt_ftr->r_factor;
1754 int p = 1 << crypt_ftr->p_factor;
1755
1756 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1757 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1758
1759 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1760 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1761 &intermediate_key, &intermediate_key_size)) {
1762 SLOGE("Failed to decrypt master key\n");
1763 rc = -1;
1764 goto errout;
1765 }
1766 }
1767
1768 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
1769
1770 // Create crypto block device - all (non fatal) code paths
1771 // need it
1772 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, label, 0)) {
1773 SLOGE("Error creating decrypted block device\n");
1774 rc = -1;
1775 goto errout;
1776 }
1777
1778 /* Work out if the problem is the password or the data */
1779 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1780 scrypted_intermediate_key)];
1781
1782 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1783 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1784 N, r, p, scrypted_intermediate_key,
1785 sizeof(scrypted_intermediate_key));
1786
1787 // Does the key match the crypto footer?
1788 if (rc == 0 && memcmp(scrypted_intermediate_key,
1789 crypt_ftr->scrypted_intermediate_key,
1790 sizeof(scrypted_intermediate_key)) == 0) {
1791 SLOGI("Password matches");
1792 rc = 0;
1793 } else {
1794 /* Try mounting the file system anyway, just in case the problem's with
1795 * the footer, not the key. */
1796 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1797 mount_point);
1798 mkdir(tmp_mount_point, 0755);
1799 if (fs_mgr_do_mount(fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1800 SLOGE("Error temp mounting decrypted block device\n");
1801 delete_crypto_blk_dev(label);
1802
1803 rc = ++crypt_ftr->failed_decrypt_count;
1804 put_crypt_ftr_and_key(crypt_ftr);
1805 } else {
1806 /* Success! */
1807 SLOGI("Password did not match but decrypted drive mounted - continue");
1808 umount(tmp_mount_point);
1809 rc = 0;
1810 }
1811 }
1812
1813 if (rc == 0) {
1814 crypt_ftr->failed_decrypt_count = 0;
1815 if (orig_failed_decrypt_count != 0) {
1816 put_crypt_ftr_and_key(crypt_ftr);
1817 }
1818
1819 /* Save the name of the crypto block device
1820 * so we can mount it when restarting the framework. */
1821 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1822
1823 /* Also save a the master key so we can reencrypted the key
1824 * the key when we want to change the password on it. */
1825 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1826 saved_mount_point = strdup(mount_point);
1827 master_key_saved = 1;
1828 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1829 rc = 0;
1830
1831 // Upgrade if we're not using the latest KDF.
1832 use_keymaster = keymaster_check_compatibility();
1833 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1834 // Don't allow downgrade
1835 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1836 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1837 upgrade = 1;
1838 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1839 crypt_ftr->kdf_type = KDF_SCRYPT;
1840 upgrade = 1;
1841 }
1842
1843 if (upgrade) {
1844 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1845 crypt_ftr->master_key, crypt_ftr);
1846 if (!rc) {
1847 rc = put_crypt_ftr_and_key(crypt_ftr);
1848 }
1849 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1850
1851 // Do not fail even if upgrade failed - machine is bootable
1852 // Note that if this code is ever hit, there is a *serious* problem
1853 // since KDFs should never fail. You *must* fix the kdf before
1854 // proceeding!
1855 if (rc) {
1856 SLOGW("Upgrade failed with error %d,"
1857 " but continuing with previous state",
1858 rc);
1859 rc = 0;
1860 }
1861 }
1862 }
1863
1864 errout:
1865 if (intermediate_key) {
1866 memset(intermediate_key, 0, intermediate_key_size);
1867 free(intermediate_key);
1868 }
1869 return rc;
1870 }
1871
1872 /*
1873 * Called by vold when it's asked to mount an encrypted external
1874 * storage volume. The incoming partition has no crypto header/footer,
1875 * as any metadata is been stored in a separate, small partition. We
1876 * assume it must be using our same crypt type and keysize.
1877 *
1878 * out_crypto_blkdev must be MAXPATHLEN.
1879 */
cryptfs_setup_ext_volume(const char * label,const char * real_blkdev,const unsigned char * key,char * out_crypto_blkdev)1880 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1881 const unsigned char* key, char* out_crypto_blkdev) {
1882 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1883 if (fd == -1) {
1884 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1885 return -1;
1886 }
1887
1888 unsigned long nr_sec = 0;
1889 get_blkdev_size(fd, &nr_sec);
1890 close(fd);
1891
1892 if (nr_sec == 0) {
1893 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1894 return -1;
1895 }
1896
1897 struct crypt_mnt_ftr ext_crypt_ftr;
1898 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1899 ext_crypt_ftr.fs_size = nr_sec;
1900 ext_crypt_ftr.keysize = cryptfs_get_keysize();
1901 strlcpy((char*) ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
1902 MAX_CRYPTO_TYPE_NAME_LEN);
1903 uint32_t flags = 0;
1904 if (e4crypt_is_native() &&
1905 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1906 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
1907
1908 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
1909 }
1910
1911 /*
1912 * Called by vold when it's asked to unmount an encrypted external
1913 * storage volume.
1914 */
cryptfs_revert_ext_volume(const char * label)1915 int cryptfs_revert_ext_volume(const char* label) {
1916 return delete_crypto_blk_dev((char*) label);
1917 }
1918
cryptfs_crypto_complete(void)1919 int cryptfs_crypto_complete(void)
1920 {
1921 return do_crypto_complete("/data");
1922 }
1923
check_unmounted_and_get_ftr(struct crypt_mnt_ftr * crypt_ftr)1924 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1925 {
1926 char encrypted_state[PROPERTY_VALUE_MAX];
1927 property_get("ro.crypto.state", encrypted_state, "");
1928 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1929 SLOGE("encrypted fs already validated or not running with encryption,"
1930 " aborting");
1931 return -1;
1932 }
1933
1934 if (get_crypt_ftr_and_key(crypt_ftr)) {
1935 SLOGE("Error getting crypt footer and key");
1936 return -1;
1937 }
1938
1939 return 0;
1940 }
1941
cryptfs_check_passwd(const char * passwd)1942 int cryptfs_check_passwd(const char *passwd)
1943 {
1944 SLOGI("cryptfs_check_passwd");
1945 if (e4crypt_is_native()) {
1946 SLOGE("cryptfs_check_passwd not valid for file encryption");
1947 return -1;
1948 }
1949
1950 struct crypt_mnt_ftr crypt_ftr;
1951 int rc;
1952
1953 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1954 if (rc) {
1955 SLOGE("Could not get footer");
1956 return rc;
1957 }
1958
1959 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1960 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1961 if (rc) {
1962 SLOGE("Password did not match");
1963 return rc;
1964 }
1965
1966 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1967 // Here we have a default actual password but a real password
1968 // we must test against the scrypted value
1969 // First, we must delete the crypto block device that
1970 // test_mount_encrypted_fs leaves behind as a side effect
1971 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1972 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1973 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1974 if (rc) {
1975 SLOGE("Default password did not match on reboot encryption");
1976 return rc;
1977 }
1978
1979 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1980 put_crypt_ftr_and_key(&crypt_ftr);
1981 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1982 if (rc) {
1983 SLOGE("Could not change password on reboot encryption");
1984 return rc;
1985 }
1986 }
1987
1988 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1989 cryptfs_clear_password();
1990 password = strdup(passwd);
1991 struct timespec now;
1992 clock_gettime(CLOCK_BOOTTIME, &now);
1993 password_expiry_time = now.tv_sec + password_max_age_seconds;
1994 }
1995
1996 return rc;
1997 }
1998
cryptfs_verify_passwd(const char * passwd)1999 int cryptfs_verify_passwd(const char *passwd)
2000 {
2001 struct crypt_mnt_ftr crypt_ftr;
2002 unsigned char decrypted_master_key[MAX_KEY_LEN];
2003 char encrypted_state[PROPERTY_VALUE_MAX];
2004 int rc;
2005
2006 property_get("ro.crypto.state", encrypted_state, "");
2007 if (strcmp(encrypted_state, "encrypted") ) {
2008 SLOGE("device not encrypted, aborting");
2009 return -2;
2010 }
2011
2012 if (!master_key_saved) {
2013 SLOGE("encrypted fs not yet mounted, aborting");
2014 return -1;
2015 }
2016
2017 if (!saved_mount_point) {
2018 SLOGE("encrypted fs failed to save mount point, aborting");
2019 return -1;
2020 }
2021
2022 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2023 SLOGE("Error getting crypt footer and key\n");
2024 return -1;
2025 }
2026
2027 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2028 /* If the device has no password, then just say the password is valid */
2029 rc = 0;
2030 } else {
2031 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2032 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2033 /* They match, the password is correct */
2034 rc = 0;
2035 } else {
2036 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2037 sleep(1);
2038 rc = 1;
2039 }
2040 }
2041
2042 return rc;
2043 }
2044
2045 /* Initialize a crypt_mnt_ftr structure. The keysize is
2046 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
2047 * Presumably, at a minimum, the caller will update the
2048 * filesystem size and crypto_type_name after calling this function.
2049 */
cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr * ftr)2050 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2051 {
2052 off64_t off;
2053
2054 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2055 ftr->magic = CRYPT_MNT_MAGIC;
2056 ftr->major_version = CURRENT_MAJOR_VERSION;
2057 ftr->minor_version = CURRENT_MINOR_VERSION;
2058 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2059 ftr->keysize = cryptfs_get_keysize();
2060
2061 switch (keymaster_check_compatibility()) {
2062 case 1:
2063 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2064 break;
2065
2066 case 0:
2067 ftr->kdf_type = KDF_SCRYPT;
2068 break;
2069
2070 default:
2071 SLOGE("keymaster_check_compatibility failed");
2072 return -1;
2073 }
2074
2075 get_device_scrypt_params(ftr);
2076
2077 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2078 if (get_crypt_ftr_info(NULL, &off) == 0) {
2079 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2080 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2081 ftr->persist_data_size;
2082 }
2083
2084 return 0;
2085 }
2086
2087 #define FRAMEWORK_BOOT_WAIT 60
2088
cryptfs_SHA256_fileblock(const char * filename,__le8 * buf)2089 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2090 {
2091 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2092 if (fd == -1) {
2093 SLOGE("Error opening file %s", filename);
2094 return -1;
2095 }
2096
2097 char block[CRYPT_INPLACE_BUFSIZE];
2098 memset(block, 0, sizeof(block));
2099 if (unix_read(fd, block, sizeof(block)) < 0) {
2100 SLOGE("Error reading file %s", filename);
2101 close(fd);
2102 return -1;
2103 }
2104
2105 close(fd);
2106
2107 SHA256_CTX c;
2108 SHA256_Init(&c);
2109 SHA256_Update(&c, block, sizeof(block));
2110 SHA256_Final(buf, &c);
2111
2112 return 0;
2113 }
2114
cryptfs_enable_all_volumes(struct crypt_mnt_ftr * crypt_ftr,char * crypto_blkdev,char * real_blkdev,int previously_encrypted_upto)2115 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2116 char* real_blkdev, int previously_encrypted_upto) {
2117 off64_t cur_encryption_done=0, tot_encryption_size=0;
2118 int rc = -1;
2119
2120 /* The size of the userdata partition, and add in the vold volumes below */
2121 tot_encryption_size = crypt_ftr->fs_size;
2122
2123 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
2124 tot_encryption_size, previously_encrypted_upto, true);
2125
2126 if (rc == ENABLE_INPLACE_ERR_DEV) {
2127 /* Hack for b/17898962 */
2128 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2129 cryptfs_reboot(RebootType::reboot);
2130 }
2131
2132 if (!rc) {
2133 crypt_ftr->encrypted_upto = cur_encryption_done;
2134 }
2135
2136 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2137 /* The inplace routine never actually sets the progress to 100% due
2138 * to the round down nature of integer division, so set it here */
2139 property_set("vold.encrypt_progress", "100");
2140 }
2141
2142 return rc;
2143 }
2144
vold_unmountAll(void)2145 static int vold_unmountAll(void) {
2146 VolumeManager* vm = VolumeManager::Instance();
2147 return vm->unmountAll();
2148 }
2149
cryptfs_enable_internal(int crypt_type,const char * passwd,int no_ui)2150 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2151 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2152 unsigned char decrypted_master_key[MAX_KEY_LEN];
2153 int rc=-1, i;
2154 struct crypt_mnt_ftr crypt_ftr;
2155 struct crypt_persist_data *pdata;
2156 char encrypted_state[PROPERTY_VALUE_MAX];
2157 char lockid[32] = { 0 };
2158 char key_loc[PROPERTY_VALUE_MAX];
2159 int num_vols;
2160 off64_t previously_encrypted_upto = 0;
2161 bool rebootEncryption = false;
2162 bool onlyCreateHeader = false;
2163 int fd = -1;
2164
2165 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2166 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2167 /* An encryption was underway and was interrupted */
2168 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2169 crypt_ftr.encrypted_upto = 0;
2170 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2171
2172 /* At this point, we are in an inconsistent state. Until we successfully
2173 complete encryption, a reboot will leave us broken. So mark the
2174 encryption failed in case that happens.
2175 On successfully completing encryption, remove this flag */
2176 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2177
2178 put_crypt_ftr_and_key(&crypt_ftr);
2179 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2180 if (!check_ftr_sha(&crypt_ftr)) {
2181 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2182 put_crypt_ftr_and_key(&crypt_ftr);
2183 goto error_unencrypted;
2184 }
2185
2186 /* Doing a reboot-encryption*/
2187 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2188 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2189 rebootEncryption = true;
2190 }
2191 } else {
2192 // We don't want to accidentally reference invalid data.
2193 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2194 }
2195
2196 property_get("ro.crypto.state", encrypted_state, "");
2197 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2198 SLOGE("Device is already running encrypted, aborting");
2199 goto error_unencrypted;
2200 }
2201
2202 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2203 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc));
2204 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
2205
2206 /* Get the size of the real block device */
2207 fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2208 if (fd == -1) {
2209 SLOGE("Cannot open block device %s\n", real_blkdev);
2210 goto error_unencrypted;
2211 }
2212 unsigned long nr_sec;
2213 get_blkdev_size(fd, &nr_sec);
2214 if (nr_sec == 0) {
2215 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2216 goto error_unencrypted;
2217 }
2218 close(fd);
2219
2220 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2221 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2222 unsigned int fs_size_sec, max_fs_size_sec;
2223 fs_size_sec = get_fs_size(real_blkdev);
2224 if (fs_size_sec == 0)
2225 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2226
2227 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2228
2229 if (fs_size_sec > max_fs_size_sec) {
2230 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2231 goto error_unencrypted;
2232 }
2233 }
2234
2235 /* Get a wakelock as this may take a while, and we don't want the
2236 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2237 * wants to keep the screen on, it can grab a full wakelock.
2238 */
2239 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2240 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2241
2242 /* The init files are setup to stop the class main and late start when
2243 * vold sets trigger_shutdown_framework.
2244 */
2245 property_set("vold.decrypt", "trigger_shutdown_framework");
2246 SLOGD("Just asked init to shut down class main\n");
2247
2248 /* Ask vold to unmount all devices that it manages */
2249 if (vold_unmountAll()) {
2250 SLOGE("Failed to unmount all vold managed devices");
2251 }
2252
2253 /* no_ui means we are being called from init, not settings.
2254 Now we always reboot from settings, so !no_ui means reboot
2255 */
2256 if (!no_ui) {
2257 /* Try fallback, which is to reboot and try there */
2258 onlyCreateHeader = true;
2259 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2260 if (breadcrumb == 0) {
2261 SLOGE("Failed to create breadcrumb file");
2262 goto error_shutting_down;
2263 }
2264 fclose(breadcrumb);
2265 }
2266
2267 /* Do extra work for a better UX when doing the long inplace encryption */
2268 if (!onlyCreateHeader) {
2269 /* Now that /data is unmounted, we need to mount a tmpfs
2270 * /data, set a property saying we're doing inplace encryption,
2271 * and restart the framework.
2272 */
2273 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2274 goto error_shutting_down;
2275 }
2276 /* Tells the framework that inplace encryption is starting */
2277 property_set("vold.encrypt_progress", "0");
2278
2279 /* restart the framework. */
2280 /* Create necessary paths on /data */
2281 prep_data_fs();
2282
2283 /* Ugh, shutting down the framework is not synchronous, so until it
2284 * can be fixed, this horrible hack will wait a moment for it all to
2285 * shut down before proceeding. Without it, some devices cannot
2286 * restart the graphics services.
2287 */
2288 sleep(2);
2289 }
2290
2291 /* Start the actual work of making an encrypted filesystem */
2292 /* Initialize a crypt_mnt_ftr for the partition */
2293 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2294 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2295 goto error_shutting_down;
2296 }
2297
2298 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2299 crypt_ftr.fs_size = nr_sec
2300 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2301 } else {
2302 crypt_ftr.fs_size = nr_sec;
2303 }
2304 /* At this point, we are in an inconsistent state. Until we successfully
2305 complete encryption, a reboot will leave us broken. So mark the
2306 encryption failed in case that happens.
2307 On successfully completing encryption, remove this flag */
2308 if (onlyCreateHeader) {
2309 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2310 } else {
2311 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2312 }
2313 crypt_ftr.crypt_type = crypt_type;
2314 strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN);
2315
2316 /* Make an encrypted master key */
2317 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2318 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2319 SLOGE("Cannot create encrypted master key\n");
2320 goto error_shutting_down;
2321 }
2322
2323 /* Replace scrypted intermediate key if we are preparing for a reboot */
2324 if (onlyCreateHeader) {
2325 unsigned char fake_master_key[MAX_KEY_LEN];
2326 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2327 memset(fake_master_key, 0, sizeof(fake_master_key));
2328 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
2329 encrypted_fake_master_key, &crypt_ftr);
2330 }
2331
2332 /* Write the key to the end of the partition */
2333 put_crypt_ftr_and_key(&crypt_ftr);
2334
2335 /* If any persistent data has been remembered, save it.
2336 * If none, create a valid empty table and save that.
2337 */
2338 if (!persist_data) {
2339 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
2340 if (pdata) {
2341 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2342 persist_data = pdata;
2343 }
2344 }
2345 if (persist_data) {
2346 save_persistent_data();
2347 }
2348 }
2349
2350 if (onlyCreateHeader) {
2351 sleep(2);
2352 cryptfs_reboot(RebootType::reboot);
2353 }
2354
2355 if (!no_ui || rebootEncryption) {
2356 /* startup service classes main and late_start */
2357 property_set("vold.decrypt", "trigger_restart_min_framework");
2358 SLOGD("Just triggered restart_min_framework\n");
2359
2360 /* OK, the framework is restarted and will soon be showing a
2361 * progress bar. Time to setup an encrypted mapping, and
2362 * either write a new filesystem, or encrypt in place updating
2363 * the progress bar as we work.
2364 */
2365 }
2366
2367 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2368 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2369 CRYPTO_BLOCK_DEVICE, 0);
2370
2371 /* If we are continuing, check checksums match */
2372 rc = 0;
2373 if (previously_encrypted_upto) {
2374 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2375 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2376
2377 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2378 sizeof(hash_first_block)) != 0) {
2379 SLOGE("Checksums do not match - trigger wipe");
2380 rc = -1;
2381 }
2382 }
2383
2384 if (!rc) {
2385 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev,
2386 previously_encrypted_upto);
2387 }
2388
2389 /* Calculate checksum if we are not finished */
2390 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2391 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2392 crypt_ftr.hash_first_block);
2393 if (rc) {
2394 SLOGE("Error calculating checksum for continuing encryption");
2395 rc = -1;
2396 }
2397 }
2398
2399 /* Undo the dm-crypt mapping whether we succeed or not */
2400 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2401
2402 if (! rc) {
2403 /* Success */
2404 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2405
2406 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2407 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2408 crypt_ftr.encrypted_upto);
2409 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2410 }
2411
2412 put_crypt_ftr_and_key(&crypt_ftr);
2413
2414 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2415 char value[PROPERTY_VALUE_MAX];
2416 property_get("ro.crypto.state", value, "");
2417 if (!strcmp(value, "")) {
2418 /* default encryption - continue first boot sequence */
2419 property_set("ro.crypto.state", "encrypted");
2420 property_set("ro.crypto.type", "block");
2421 release_wake_lock(lockid);
2422 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2423 // Bring up cryptkeeper that will check the password and set it
2424 property_set("vold.decrypt", "trigger_shutdown_framework");
2425 sleep(2);
2426 property_set("vold.encrypt_progress", "");
2427 cryptfs_trigger_restart_min_framework();
2428 } else {
2429 cryptfs_check_passwd(DEFAULT_PASSWORD);
2430 cryptfs_restart_internal(1);
2431 }
2432 return 0;
2433 } else {
2434 sleep(2); /* Give the UI a chance to show 100% progress */
2435 cryptfs_reboot(RebootType::reboot);
2436 }
2437 } else {
2438 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2439 cryptfs_reboot(RebootType::shutdown);
2440 }
2441 } else {
2442 char value[PROPERTY_VALUE_MAX];
2443
2444 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2445 if (!strcmp(value, "1")) {
2446 /* wipe data if encryption failed */
2447 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2448 std::string err;
2449 const std::vector<std::string> options = {
2450 "--wipe_data\n--reason=cryptfs_enable_internal\n"
2451 };
2452 if (!write_bootloader_message(options, &err)) {
2453 SLOGE("could not write bootloader message: %s", err.c_str());
2454 }
2455 cryptfs_reboot(RebootType::recovery);
2456 } else {
2457 /* set property to trigger dialog */
2458 property_set("vold.encrypt_progress", "error_partially_encrypted");
2459 release_wake_lock(lockid);
2460 }
2461 return -1;
2462 }
2463
2464 /* hrm, the encrypt step claims success, but the reboot failed.
2465 * This should not happen.
2466 * Set the property and return. Hope the framework can deal with it.
2467 */
2468 property_set("vold.encrypt_progress", "error_reboot_failed");
2469 release_wake_lock(lockid);
2470 return rc;
2471
2472 error_unencrypted:
2473 property_set("vold.encrypt_progress", "error_not_encrypted");
2474 if (lockid[0]) {
2475 release_wake_lock(lockid);
2476 }
2477 return -1;
2478
2479 error_shutting_down:
2480 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2481 * but the framework is stopped and not restarted to show the error, so it's up to
2482 * vold to restart the system.
2483 */
2484 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
2485 cryptfs_reboot(RebootType::reboot);
2486
2487 /* shouldn't get here */
2488 property_set("vold.encrypt_progress", "error_shutting_down");
2489 if (lockid[0]) {
2490 release_wake_lock(lockid);
2491 }
2492 return -1;
2493 }
2494
cryptfs_enable(int type,const char * passwd,int no_ui)2495 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2496 return cryptfs_enable_internal(type, passwd, no_ui);
2497 }
2498
cryptfs_enable_default(int no_ui)2499 int cryptfs_enable_default(int no_ui) {
2500 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2501 }
2502
cryptfs_changepw(int crypt_type,const char * newpw)2503 int cryptfs_changepw(int crypt_type, const char *newpw)
2504 {
2505 if (e4crypt_is_native()) {
2506 SLOGE("cryptfs_changepw not valid for file encryption");
2507 return -1;
2508 }
2509
2510 struct crypt_mnt_ftr crypt_ftr;
2511 int rc;
2512
2513 /* This is only allowed after we've successfully decrypted the master key */
2514 if (!master_key_saved) {
2515 SLOGE("Key not saved, aborting");
2516 return -1;
2517 }
2518
2519 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2520 SLOGE("Invalid crypt_type %d", crypt_type);
2521 return -1;
2522 }
2523
2524 /* get key */
2525 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2526 SLOGE("Error getting crypt footer and key");
2527 return -1;
2528 }
2529
2530 crypt_ftr.crypt_type = crypt_type;
2531
2532 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
2533 : newpw,
2534 crypt_ftr.salt,
2535 saved_master_key,
2536 crypt_ftr.master_key,
2537 &crypt_ftr);
2538 if (rc) {
2539 SLOGE("Encrypt master key failed: %d", rc);
2540 return -1;
2541 }
2542 /* save the key */
2543 put_crypt_ftr_and_key(&crypt_ftr);
2544
2545 return 0;
2546 }
2547
persist_get_max_entries(int encrypted)2548 static unsigned int persist_get_max_entries(int encrypted) {
2549 struct crypt_mnt_ftr crypt_ftr;
2550 unsigned int dsize;
2551
2552 /* If encrypted, use the values from the crypt_ftr, otherwise
2553 * use the values for the current spec.
2554 */
2555 if (encrypted) {
2556 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2557 /* Something is wrong, assume no space for entries */
2558 return 0;
2559 }
2560 dsize = crypt_ftr.persist_data_size;
2561 } else {
2562 dsize = CRYPT_PERSIST_DATA_SIZE;
2563 }
2564
2565 if (dsize > sizeof(struct crypt_persist_data)) {
2566 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2567 } else {
2568 return 0;
2569 }
2570 }
2571
persist_get_key(const char * fieldname,char * value)2572 static int persist_get_key(const char *fieldname, char *value)
2573 {
2574 unsigned int i;
2575
2576 if (persist_data == NULL) {
2577 return -1;
2578 }
2579 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2580 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2581 /* We found it! */
2582 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2583 return 0;
2584 }
2585 }
2586
2587 return -1;
2588 }
2589
persist_set_key(const char * fieldname,const char * value,int encrypted)2590 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
2591 {
2592 unsigned int i;
2593 unsigned int num;
2594 unsigned int max_persistent_entries;
2595
2596 if (persist_data == NULL) {
2597 return -1;
2598 }
2599
2600 max_persistent_entries = persist_get_max_entries(encrypted);
2601
2602 num = persist_data->persist_valid_entries;
2603
2604 for (i = 0; i < num; i++) {
2605 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2606 /* We found an existing entry, update it! */
2607 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2608 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2609 return 0;
2610 }
2611 }
2612
2613 /* We didn't find it, add it to the end, if there is room */
2614 if (persist_data->persist_valid_entries < max_persistent_entries) {
2615 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2616 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2617 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2618 persist_data->persist_valid_entries++;
2619 return 0;
2620 }
2621
2622 return -1;
2623 }
2624
2625 /**
2626 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2627 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2628 */
match_multi_entry(const char * key,const char * field,unsigned index)2629 int match_multi_entry(const char *key, const char *field, unsigned index) {
2630 std::string key_ = key;
2631 std::string field_ = field;
2632
2633 std::string parsed_field;
2634 unsigned parsed_index;
2635
2636 std::string::size_type split = key_.find_last_of('_');
2637 if (split == std::string::npos) {
2638 parsed_field = key_;
2639 parsed_index = 0;
2640 } else {
2641 parsed_field = key_.substr(0, split);
2642 parsed_index = std::stoi(key_.substr(split + 1));
2643 }
2644
2645 return parsed_field == field_ && parsed_index >= index;
2646 }
2647
2648 /*
2649 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2650 * remaining entries starting from index will be deleted.
2651 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2652 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2653 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2654 *
2655 */
persist_del_keys(const char * fieldname,unsigned index)2656 static int persist_del_keys(const char *fieldname, unsigned index)
2657 {
2658 unsigned int i;
2659 unsigned int j;
2660 unsigned int num;
2661
2662 if (persist_data == NULL) {
2663 return PERSIST_DEL_KEY_ERROR_OTHER;
2664 }
2665
2666 num = persist_data->persist_valid_entries;
2667
2668 j = 0; // points to the end of non-deleted entries.
2669 // Filter out to-be-deleted entries in place.
2670 for (i = 0; i < num; i++) {
2671 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2672 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2673 j++;
2674 }
2675 }
2676
2677 if (j < num) {
2678 persist_data->persist_valid_entries = j;
2679 // Zeroise the remaining entries
2680 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2681 return PERSIST_DEL_KEY_OK;
2682 } else {
2683 // Did not find an entry matching the given fieldname
2684 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2685 }
2686 }
2687
persist_count_keys(const char * fieldname)2688 static int persist_count_keys(const char *fieldname)
2689 {
2690 unsigned int i;
2691 unsigned int count;
2692
2693 if (persist_data == NULL) {
2694 return -1;
2695 }
2696
2697 count = 0;
2698 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2699 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2700 count++;
2701 }
2702 }
2703
2704 return count;
2705 }
2706
2707 /* Return the value of the specified field. */
cryptfs_getfield(const char * fieldname,char * value,int len)2708 int cryptfs_getfield(const char *fieldname, char *value, int len)
2709 {
2710 if (e4crypt_is_native()) {
2711 SLOGE("Cannot get field when file encrypted");
2712 return -1;
2713 }
2714
2715 char temp_value[PROPERTY_VALUE_MAX];
2716 /* CRYPTO_GETFIELD_OK is success,
2717 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2718 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2719 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2720 */
2721 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2722 int i;
2723 char temp_field[PROPERTY_KEY_MAX];
2724
2725 if (persist_data == NULL) {
2726 load_persistent_data();
2727 if (persist_data == NULL) {
2728 SLOGE("Getfield error, cannot load persistent data");
2729 goto out;
2730 }
2731 }
2732
2733 // Read value from persistent entries. If the original value is split into multiple entries,
2734 // stitch them back together.
2735 if (!persist_get_key(fieldname, temp_value)) {
2736 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2737 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
2738 // value too small
2739 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2740 goto out;
2741 }
2742 rc = CRYPTO_GETFIELD_OK;
2743
2744 for (i = 1; /* break explicitly */; i++) {
2745 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2746 (int) sizeof(temp_field)) {
2747 // If the fieldname is very long, we stop as soon as it begins to overflow the
2748 // maximum field length. At this point we have in fact fully read out the original
2749 // value because cryptfs_setfield would not allow fields with longer names to be
2750 // written in the first place.
2751 break;
2752 }
2753 if (!persist_get_key(temp_field, temp_value)) {
2754 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2755 // value too small.
2756 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2757 goto out;
2758 }
2759 } else {
2760 // Exhaust all entries.
2761 break;
2762 }
2763 }
2764 } else {
2765 /* Sadness, it's not there. Return the error */
2766 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2767 }
2768
2769 out:
2770 return rc;
2771 }
2772
2773 /* Set the value of the specified field. */
cryptfs_setfield(const char * fieldname,const char * value)2774 int cryptfs_setfield(const char *fieldname, const char *value)
2775 {
2776 if (e4crypt_is_native()) {
2777 SLOGE("Cannot set field when file encrypted");
2778 return -1;
2779 }
2780
2781 char encrypted_state[PROPERTY_VALUE_MAX];
2782 /* 0 is success, negative values are error */
2783 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2784 int encrypted = 0;
2785 unsigned int field_id;
2786 char temp_field[PROPERTY_KEY_MAX];
2787 unsigned int num_entries;
2788 unsigned int max_keylen;
2789
2790 if (persist_data == NULL) {
2791 load_persistent_data();
2792 if (persist_data == NULL) {
2793 SLOGE("Setfield error, cannot load persistent data");
2794 goto out;
2795 }
2796 }
2797
2798 property_get("ro.crypto.state", encrypted_state, "");
2799 if (!strcmp(encrypted_state, "encrypted") ) {
2800 encrypted = 1;
2801 }
2802
2803 // Compute the number of entries required to store value, each entry can store up to
2804 // (PROPERTY_VALUE_MAX - 1) chars
2805 if (strlen(value) == 0) {
2806 // Empty value also needs one entry to store.
2807 num_entries = 1;
2808 } else {
2809 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2810 }
2811
2812 max_keylen = strlen(fieldname);
2813 if (num_entries > 1) {
2814 // Need an extra "_%d" suffix.
2815 max_keylen += 1 + log10(num_entries);
2816 }
2817 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2818 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2819 goto out;
2820 }
2821
2822 // Make sure we have enough space to write the new value
2823 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2824 persist_get_max_entries(encrypted)) {
2825 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2826 goto out;
2827 }
2828
2829 // Now that we know persist_data has enough space for value, let's delete the old field first
2830 // to make up space.
2831 persist_del_keys(fieldname, 0);
2832
2833 if (persist_set_key(fieldname, value, encrypted)) {
2834 // fail to set key, should not happen as we have already checked the available space
2835 SLOGE("persist_set_key() error during setfield()");
2836 goto out;
2837 }
2838
2839 for (field_id = 1; field_id < num_entries; field_id++) {
2840 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2841
2842 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2843 // fail to set key, should not happen as we have already checked the available space.
2844 SLOGE("persist_set_key() error during setfield()");
2845 goto out;
2846 }
2847 }
2848
2849 /* If we are running encrypted, save the persistent data now */
2850 if (encrypted) {
2851 if (save_persistent_data()) {
2852 SLOGE("Setfield error, cannot save persistent data");
2853 goto out;
2854 }
2855 }
2856
2857 rc = CRYPTO_SETFIELD_OK;
2858
2859 out:
2860 return rc;
2861 }
2862
2863 /* Checks userdata. Attempt to mount the volume if default-
2864 * encrypted.
2865 * On success trigger next init phase and return 0.
2866 * Currently do not handle failure - see TODO below.
2867 */
cryptfs_mount_default_encrypted(void)2868 int cryptfs_mount_default_encrypted(void)
2869 {
2870 int crypt_type = cryptfs_get_password_type();
2871 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2872 SLOGE("Bad crypt type - error");
2873 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2874 SLOGD("Password is not default - "
2875 "starting min framework to prompt");
2876 property_set("vold.decrypt", "trigger_restart_min_framework");
2877 return 0;
2878 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2879 SLOGD("Password is default - restarting filesystem");
2880 cryptfs_restart_internal(0);
2881 return 0;
2882 } else {
2883 SLOGE("Encrypted, default crypt type but can't decrypt");
2884 }
2885
2886 /** Corrupt. Allow us to boot into framework, which will detect bad
2887 crypto when it calls do_crypto_complete, then do a factory reset
2888 */
2889 property_set("vold.decrypt", "trigger_restart_min_framework");
2890 return 0;
2891 }
2892
2893 /* Returns type of the password, default, pattern, pin or password.
2894 */
cryptfs_get_password_type(void)2895 int cryptfs_get_password_type(void)
2896 {
2897 if (e4crypt_is_native()) {
2898 SLOGE("cryptfs_get_password_type not valid for file encryption");
2899 return -1;
2900 }
2901
2902 struct crypt_mnt_ftr crypt_ftr;
2903
2904 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2905 SLOGE("Error getting crypt footer and key\n");
2906 return -1;
2907 }
2908
2909 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2910 return -1;
2911 }
2912
2913 return crypt_ftr.crypt_type;
2914 }
2915
cryptfs_get_password()2916 const char* cryptfs_get_password()
2917 {
2918 if (e4crypt_is_native()) {
2919 SLOGE("cryptfs_get_password not valid for file encryption");
2920 return 0;
2921 }
2922
2923 struct timespec now;
2924 clock_gettime(CLOCK_BOOTTIME, &now);
2925 if (now.tv_sec < password_expiry_time) {
2926 return password;
2927 } else {
2928 cryptfs_clear_password();
2929 return 0;
2930 }
2931 }
2932
cryptfs_clear_password()2933 void cryptfs_clear_password()
2934 {
2935 if (password) {
2936 size_t len = strlen(password);
2937 memset(password, 0, len);
2938 free(password);
2939 password = 0;
2940 password_expiry_time = 0;
2941 }
2942 }
2943
cryptfs_isConvertibleToFBE()2944 int cryptfs_isConvertibleToFBE()
2945 {
2946 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
2947 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
2948 }
2949