1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4.h>
42 #include <linux/kdev_t.h>
43 #include <fs_mgr.h>
44 #include <time.h>
45 #include <math.h>
46 #include "cryptfs.h"
47 #define LOG_TAG "Cryptfs"
48 #include "cutils/log.h"
49 #include "cutils/properties.h"
50 #include "cutils/android_reboot.h"
51 #include "hardware_legacy/power.h"
52 #include <logwrap/logwrap.h>
53 #include "VolumeManager.h"
54 #include "VoldUtil.h"
55 #include "crypto_scrypt.h"
56 #include "Ext4Crypt.h"
57 #include "ext4_crypt_init_extensions.h"
58 #include "ext4_utils.h"
59 #include "f2fs_sparseblock.h"
60 #include "CheckBattery.h"
61 #include "Process.h"
62
63 #include <hardware/keymaster0.h>
64 #include <hardware/keymaster1.h>
65
66 #define UNUSED __attribute__((unused))
67
68 #define UNUSED __attribute__((unused))
69
70 #ifdef CONFIG_HW_DISK_ENCRYPTION
71 #include "cryptfs_hw.h"
72 #endif
73
74 #define DM_CRYPT_BUF_SIZE 4096
75
76 #define HASH_COUNT 2000
77 #define KEY_LEN_BYTES 16
78 #define IV_LEN_BYTES 16
79
80 #define KEY_IN_FOOTER "footer"
81
82 #define DEFAULT_PASSWORD "default_password"
83
84 #define EXT4_FS 1
85 #define F2FS_FS 2
86
87 #define TABLE_LOAD_RETRIES 10
88
89 #define RSA_KEY_SIZE 2048
90 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
91 #define RSA_EXPONENT 0x10001
92 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
93
94 #define RETRY_MOUNT_ATTEMPTS 10
95 #define RETRY_MOUNT_DELAY_SECONDS 1
96
97 char *me = "cryptfs";
98
99 static unsigned char saved_master_key[KEY_LEN_BYTES];
100 static char *saved_mount_point;
101 static int master_key_saved = 0;
102 static struct crypt_persist_data *persist_data = NULL;
103
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)104 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
105 keymaster1_device_t **keymaster1_dev)
106 {
107 int rc;
108
109 const hw_module_t* mod;
110 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
111 if (rc) {
112 ALOGE("could not find any keystore module");
113 goto err;
114 }
115
116 SLOGI("keymaster module name is %s", mod->name);
117 SLOGI("keymaster version is %d", mod->module_api_version);
118
119 *keymaster0_dev = NULL;
120 *keymaster1_dev = NULL;
121 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
122 SLOGI("Found keymaster1 module, using keymaster1 API.");
123 rc = keymaster1_open(mod, keymaster1_dev);
124 } else {
125 SLOGI("Found keymaster0 module, using keymaster0 API.");
126 rc = keymaster0_open(mod, keymaster0_dev);
127 }
128
129 if (rc) {
130 ALOGE("could not open keymaster device in %s (%s)",
131 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
132 goto err;
133 }
134
135 return 0;
136
137 err:
138 *keymaster0_dev = NULL;
139 *keymaster1_dev = NULL;
140 return rc;
141 }
142
143 /* Should we use keymaster? */
keymaster_check_compatibility()144 static int keymaster_check_compatibility()
145 {
146 keymaster0_device_t *keymaster0_dev = 0;
147 keymaster1_device_t *keymaster1_dev = 0;
148 int rc = 0;
149
150 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
151 SLOGE("Failed to init keymaster");
152 rc = -1;
153 goto out;
154 }
155
156 if (keymaster1_dev) {
157 rc = 1;
158 goto out;
159 }
160
161 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
162 // should work.
163 if (keymaster0_dev->common.module->module_api_version
164 < KEYMASTER_MODULE_API_VERSION_0_3) {
165 rc = 0;
166 goto out;
167 }
168
169 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
170 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
171 rc = 1;
172 }
173
174 out:
175 if (keymaster1_dev) {
176 keymaster1_close(keymaster1_dev);
177 }
178 if (keymaster0_dev) {
179 keymaster0_close(keymaster0_dev);
180 }
181 return rc;
182 }
183
184 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)185 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
186 {
187 uint8_t* key = 0;
188 keymaster0_device_t *keymaster0_dev = 0;
189 keymaster1_device_t *keymaster1_dev = 0;
190
191 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
192 SLOGE("Failed to init keymaster");
193 return -1;
194 }
195
196 int rc = 0;
197 size_t key_size = 0;
198 if (keymaster1_dev) {
199 keymaster_key_param_t params[] = {
200 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
201 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
202 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
203 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
204
205 /* The only allowed purpose for this key is signing. */
206 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
207
208 /* Padding & digest specifications. */
209 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
210 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
211
212 /* Require that the key be usable in standalone mode. File system isn't available. */
213 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
214
215 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
216 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
217
218 /* Rate-limit key usage attempts, to rate-limit brute force */
219 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
220 };
221 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
222 keymaster_key_blob_t key_blob;
223 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set,
224 &key_blob,
225 NULL /* characteristics */);
226 if (error != KM_ERROR_OK) {
227 SLOGE("Failed to generate keymaster1 key, error %d", error);
228 rc = -1;
229 goto out;
230 }
231
232 key = (uint8_t*)key_blob.key_material;
233 key_size = key_blob.key_material_size;
234 }
235 else if (keymaster0_dev) {
236 keymaster_rsa_keygen_params_t params;
237 memset(¶ms, '\0', sizeof(params));
238 params.public_exponent = RSA_EXPONENT;
239 params.modulus_size = RSA_KEY_SIZE;
240
241 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms,
242 &key, &key_size)) {
243 SLOGE("Failed to generate keypair");
244 rc = -1;
245 goto out;
246 }
247 } else {
248 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
249 rc = -1;
250 goto out;
251 }
252
253 if (key_size > KEYMASTER_BLOB_SIZE) {
254 SLOGE("Keymaster key too large for crypto footer");
255 rc = -1;
256 goto out;
257 }
258
259 memcpy(ftr->keymaster_blob, key, key_size);
260 ftr->keymaster_blob_size = key_size;
261
262 out:
263 if (keymaster0_dev)
264 keymaster0_close(keymaster0_dev);
265 if (keymaster1_dev)
266 keymaster1_close(keymaster1_dev);
267 free(key);
268 return rc;
269 }
270
271 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)272 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
273 const unsigned char *object,
274 const size_t object_size,
275 unsigned char **signature,
276 size_t *signature_size)
277 {
278 int rc = 0;
279 keymaster0_device_t *keymaster0_dev = 0;
280 keymaster1_device_t *keymaster1_dev = 0;
281 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
282 SLOGE("Failed to init keymaster");
283 rc = -1;
284 goto out;
285 }
286
287 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
288 size_t to_sign_size = sizeof(to_sign);
289 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
290
291 // To sign a message with RSA, the message must satisfy two
292 // constraints:
293 //
294 // 1. The message, when interpreted as a big-endian numeric value, must
295 // be strictly less than the public modulus of the RSA key. Note
296 // that because the most significant bit of the public modulus is
297 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
298 // key), an n-bit message with most significant bit 0 always
299 // satisfies this requirement.
300 //
301 // 2. The message must have the same length in bits as the public
302 // modulus of the RSA key. This requirement isn't mathematically
303 // necessary, but is necessary to ensure consistency in
304 // implementations.
305 switch (ftr->kdf_type) {
306 case KDF_SCRYPT_KEYMASTER:
307 // This ensures the most significant byte of the signed message
308 // is zero. We could have zero-padded to the left instead, but
309 // this approach is slightly more robust against changes in
310 // object size. However, it's still broken (but not unusably
311 // so) because we really should be using a proper deterministic
312 // RSA padding function, such as PKCS1.
313 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
314 SLOGI("Signing safely-padded object");
315 break;
316 default:
317 SLOGE("Unknown KDF type %d", ftr->kdf_type);
318 rc = -1;
319 goto out;
320 }
321
322 if (keymaster0_dev) {
323 keymaster_rsa_sign_params_t params;
324 params.digest_type = DIGEST_NONE;
325 params.padding_type = PADDING_NONE;
326
327 rc = keymaster0_dev->sign_data(keymaster0_dev,
328 ¶ms,
329 ftr->keymaster_blob,
330 ftr->keymaster_blob_size,
331 to_sign,
332 to_sign_size,
333 signature,
334 signature_size);
335 goto out;
336 } else if (keymaster1_dev) {
337 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
338 keymaster_key_param_t params[] = {
339 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
340 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
341 };
342 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
343 keymaster_operation_handle_t op_handle;
344 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
345 ¶m_set, NULL /* out_params */,
346 &op_handle);
347 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
348 // Key usage has been rate-limited. Wait a bit and try again.
349 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
350 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
351 ¶m_set, NULL /* out_params */,
352 &op_handle);
353 }
354 if (error != KM_ERROR_OK) {
355 SLOGE("Error starting keymaster signature transaction: %d", error);
356 rc = -1;
357 goto out;
358 }
359
360 keymaster_blob_t input = { to_sign, to_sign_size };
361 size_t input_consumed;
362 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
363 &input, &input_consumed, NULL /* out_params */,
364 NULL /* output */);
365 if (error != KM_ERROR_OK) {
366 SLOGE("Error sending data to keymaster signature transaction: %d", error);
367 rc = -1;
368 goto out;
369 }
370 if (input_consumed != to_sign_size) {
371 // This should never happen. If it does, it's a bug in the keymaster implementation.
372 SLOGE("Keymaster update() did not consume all data.");
373 keymaster1_dev->abort(keymaster1_dev, op_handle);
374 rc = -1;
375 goto out;
376 }
377
378 keymaster_blob_t tmp_sig;
379 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
380 NULL /* verify signature */, NULL /* out_params */,
381 &tmp_sig);
382 if (error != KM_ERROR_OK) {
383 SLOGE("Error finishing keymaster signature transaction: %d", error);
384 rc = -1;
385 goto out;
386 }
387
388 *signature = (uint8_t*)tmp_sig.data;
389 *signature_size = tmp_sig.data_length;
390 } else {
391 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
392 rc = -1;
393 goto out;
394 }
395
396 out:
397 if (keymaster1_dev)
398 keymaster1_close(keymaster1_dev);
399 if (keymaster0_dev)
400 keymaster0_close(keymaster0_dev);
401
402 return rc;
403 }
404
405 /* Store password when userdata is successfully decrypted and mounted.
406 * Cleared by cryptfs_clear_password
407 *
408 * To avoid a double prompt at boot, we need to store the CryptKeeper
409 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
410 * Since the entire framework is torn down and rebuilt after encryption,
411 * we have to use a daemon or similar to store the password. Since vold
412 * is secured against IPC except from system processes, it seems a reasonable
413 * place to store this.
414 *
415 * password should be cleared once it has been used.
416 *
417 * password is aged out after password_max_age_seconds seconds.
418 */
419 static char* password = 0;
420 static int password_expiry_time = 0;
421 static const int password_max_age_seconds = 60;
422
423 extern struct fstab *fstab;
424
425 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)426 static void cryptfs_reboot(enum RebootType rt)
427 {
428 switch(rt) {
429 case reboot:
430 property_set(ANDROID_RB_PROPERTY, "reboot");
431 break;
432
433 case recovery:
434 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
435 break;
436
437 case shutdown:
438 property_set(ANDROID_RB_PROPERTY, "shutdown");
439 break;
440 }
441
442 sleep(20);
443
444 /* Shouldn't get here, reboot should happen before sleep times out */
445 return;
446 }
447
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)448 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
449 {
450 memset(io, 0, dataSize);
451 io->data_size = dataSize;
452 io->data_start = sizeof(struct dm_ioctl);
453 io->version[0] = 4;
454 io->version[1] = 0;
455 io->version[2] = 0;
456 io->flags = flags;
457 if (name) {
458 strlcpy(io->name, name, sizeof(io->name));
459 }
460 }
461
462 /**
463 * Gets the default device scrypt parameters for key derivation time tuning.
464 * The parameters should lead to about one second derivation time for the
465 * given device.
466 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)467 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
468 const int default_params[] = SCRYPT_DEFAULTS;
469 int params[] = SCRYPT_DEFAULTS;
470 char paramstr[PROPERTY_VALUE_MAX];
471 char *token;
472 char *saveptr;
473 int i;
474
475 property_get(SCRYPT_PROP, paramstr, "");
476 if (paramstr[0] != '\0') {
477 /*
478 * The token we're looking for should be three integers separated by
479 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
480 */
481 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
482 token != NULL && i < 3;
483 i++, token = strtok_r(NULL, ":", &saveptr)) {
484 char *endptr;
485 params[i] = strtol(token, &endptr, 10);
486
487 /*
488 * Check that there was a valid number and it's 8-bit. If not,
489 * break out and the end check will take the default values.
490 */
491 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
492 break;
493 }
494 }
495
496 /*
497 * If there were not enough tokens or a token was malformed (not an
498 * integer), it will end up here and the default parameters can be
499 * taken.
500 */
501 if ((i != 3) || (token != NULL)) {
502 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
503 memcpy(params, default_params, sizeof(params));
504 }
505 }
506
507 ftr->N_factor = params[0];
508 ftr->r_factor = params[1];
509 ftr->p_factor = params[2];
510 }
511
get_fs_size(char * dev)512 static unsigned int get_fs_size(char *dev)
513 {
514 int fd, block_size;
515 struct ext4_super_block sb;
516 off64_t len;
517
518 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
519 SLOGE("Cannot open device to get filesystem size ");
520 return 0;
521 }
522
523 if (lseek64(fd, 1024, SEEK_SET) < 0) {
524 SLOGE("Cannot seek to superblock");
525 return 0;
526 }
527
528 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
529 SLOGE("Cannot read superblock");
530 return 0;
531 }
532
533 close(fd);
534
535 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
536 SLOGE("Not a valid ext4 superblock");
537 return 0;
538 }
539 block_size = 1024 << sb.s_log_block_size;
540 /* compute length in bytes */
541 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
542
543 /* return length in sectors */
544 return (unsigned int) (len / 512);
545 }
546
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)547 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
548 {
549 static int cached_data = 0;
550 static off64_t cached_off = 0;
551 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
552 int fd;
553 char key_loc[PROPERTY_VALUE_MAX];
554 char real_blkdev[PROPERTY_VALUE_MAX];
555 int rc = -1;
556
557 if (!cached_data) {
558 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
559
560 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
561 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
562 SLOGE("Cannot open real block device %s\n", real_blkdev);
563 return -1;
564 }
565
566 unsigned long nr_sec = 0;
567 get_blkdev_size(fd, &nr_sec);
568 if (nr_sec != 0) {
569 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
570 * encryption info footer and key, and plenty of bytes to spare for future
571 * growth.
572 */
573 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
574 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
575 cached_data = 1;
576 } else {
577 SLOGE("Cannot get size of block device %s\n", real_blkdev);
578 }
579 close(fd);
580 } else {
581 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
582 cached_off = 0;
583 cached_data = 1;
584 }
585 }
586
587 if (cached_data) {
588 if (metadata_fname) {
589 *metadata_fname = cached_metadata_fname;
590 }
591 if (off) {
592 *off = cached_off;
593 }
594 rc = 0;
595 }
596
597 return rc;
598 }
599
600 /* key or salt can be NULL, in which case just skip writing that value. Useful to
601 * update the failed mount count but not change the key.
602 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)603 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
604 {
605 int fd;
606 unsigned int cnt;
607 /* starting_off is set to the SEEK_SET offset
608 * where the crypto structure starts
609 */
610 off64_t starting_off;
611 int rc = -1;
612 char *fname = NULL;
613 struct stat statbuf;
614
615 if (get_crypt_ftr_info(&fname, &starting_off)) {
616 SLOGE("Unable to get crypt_ftr_info\n");
617 return -1;
618 }
619 if (fname[0] != '/') {
620 SLOGE("Unexpected value for crypto key location\n");
621 return -1;
622 }
623 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
624 SLOGE("Cannot open footer file %s for put\n", fname);
625 return -1;
626 }
627
628 /* Seek to the start of the crypt footer */
629 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
630 SLOGE("Cannot seek to real block device footer\n");
631 goto errout;
632 }
633
634 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
635 SLOGE("Cannot write real block device footer\n");
636 goto errout;
637 }
638
639 fstat(fd, &statbuf);
640 /* If the keys are kept on a raw block device, do not try to truncate it. */
641 if (S_ISREG(statbuf.st_mode)) {
642 if (ftruncate(fd, 0x4000)) {
643 SLOGE("Cannot set footer file size\n");
644 goto errout;
645 }
646 }
647
648 /* Success! */
649 rc = 0;
650
651 errout:
652 close(fd);
653 return rc;
654
655 }
656
unix_read(int fd,void * buff,int len)657 static inline int unix_read(int fd, void* buff, int len)
658 {
659 return TEMP_FAILURE_RETRY(read(fd, buff, len));
660 }
661
unix_write(int fd,const void * buff,int len)662 static inline int unix_write(int fd, const void* buff, int len)
663 {
664 return TEMP_FAILURE_RETRY(write(fd, buff, len));
665 }
666
init_empty_persist_data(struct crypt_persist_data * pdata,int len)667 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
668 {
669 memset(pdata, 0, len);
670 pdata->persist_magic = PERSIST_DATA_MAGIC;
671 pdata->persist_valid_entries = 0;
672 }
673
674 /* A routine to update the passed in crypt_ftr to the lastest version.
675 * fd is open read/write on the device that holds the crypto footer and persistent
676 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
677 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
678 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)679 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
680 {
681 int orig_major = crypt_ftr->major_version;
682 int orig_minor = crypt_ftr->minor_version;
683
684 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
685 struct crypt_persist_data *pdata;
686 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
687
688 SLOGW("upgrading crypto footer to 1.1");
689
690 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
691 if (pdata == NULL) {
692 SLOGE("Cannot allocate persisent data\n");
693 return;
694 }
695 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
696
697 /* Need to initialize the persistent data area */
698 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
699 SLOGE("Cannot seek to persisent data offset\n");
700 free(pdata);
701 return;
702 }
703 /* Write all zeros to the first copy, making it invalid */
704 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
705
706 /* Write a valid but empty structure to the second copy */
707 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
708 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
709
710 /* Update the footer */
711 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
712 crypt_ftr->persist_data_offset[0] = pdata_offset;
713 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
714 crypt_ftr->minor_version = 1;
715 free(pdata);
716 }
717
718 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
719 SLOGW("upgrading crypto footer to 1.2");
720 /* But keep the old kdf_type.
721 * It will get updated later to KDF_SCRYPT after the password has been verified.
722 */
723 crypt_ftr->kdf_type = KDF_PBKDF2;
724 get_device_scrypt_params(crypt_ftr);
725 crypt_ftr->minor_version = 2;
726 }
727
728 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
729 SLOGW("upgrading crypto footer to 1.3");
730 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
731 crypt_ftr->minor_version = 3;
732 }
733
734 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
735 if (lseek64(fd, offset, SEEK_SET) == -1) {
736 SLOGE("Cannot seek to crypt footer\n");
737 return;
738 }
739 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
740 }
741 }
742
743
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)744 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
745 {
746 int fd;
747 unsigned int cnt;
748 off64_t starting_off;
749 int rc = -1;
750 char *fname = NULL;
751 struct stat statbuf;
752
753 if (get_crypt_ftr_info(&fname, &starting_off)) {
754 SLOGE("Unable to get crypt_ftr_info\n");
755 return -1;
756 }
757 if (fname[0] != '/') {
758 SLOGE("Unexpected value for crypto key location\n");
759 return -1;
760 }
761 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
762 SLOGE("Cannot open footer file %s for get\n", fname);
763 return -1;
764 }
765
766 /* Make sure it's 16 Kbytes in length */
767 fstat(fd, &statbuf);
768 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
769 SLOGE("footer file %s is not the expected size!\n", fname);
770 goto errout;
771 }
772
773 /* Seek to the start of the crypt footer */
774 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
775 SLOGE("Cannot seek to real block device footer\n");
776 goto errout;
777 }
778
779 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
780 SLOGE("Cannot read real block device footer\n");
781 goto errout;
782 }
783
784 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
785 SLOGE("Bad magic for real block device %s\n", fname);
786 goto errout;
787 }
788
789 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
790 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
791 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
792 goto errout;
793 }
794
795 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
796 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
797 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
798 }
799
800 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
801 * copy on disk before returning.
802 */
803 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
804 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
805 }
806
807 /* Success! */
808 rc = 0;
809
810 errout:
811 close(fd);
812 return rc;
813 }
814
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)815 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
816 {
817 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
818 crypt_ftr->persist_data_offset[1]) {
819 SLOGE("Crypt_ftr persist data regions overlap");
820 return -1;
821 }
822
823 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
824 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
825 return -1;
826 }
827
828 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
829 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
830 CRYPT_FOOTER_OFFSET) {
831 SLOGE("Persistent data extends past crypto footer");
832 return -1;
833 }
834
835 return 0;
836 }
837
load_persistent_data(void)838 static int load_persistent_data(void)
839 {
840 struct crypt_mnt_ftr crypt_ftr;
841 struct crypt_persist_data *pdata = NULL;
842 char encrypted_state[PROPERTY_VALUE_MAX];
843 char *fname;
844 int found = 0;
845 int fd;
846 int ret;
847 int i;
848
849 if (persist_data) {
850 /* Nothing to do, we've already loaded or initialized it */
851 return 0;
852 }
853
854
855 /* If not encrypted, just allocate an empty table and initialize it */
856 property_get("ro.crypto.state", encrypted_state, "");
857 if (strcmp(encrypted_state, "encrypted") ) {
858 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
859 if (pdata) {
860 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
861 persist_data = pdata;
862 return 0;
863 }
864 return -1;
865 }
866
867 if(get_crypt_ftr_and_key(&crypt_ftr)) {
868 return -1;
869 }
870
871 if ((crypt_ftr.major_version < 1)
872 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
873 SLOGE("Crypt_ftr version doesn't support persistent data");
874 return -1;
875 }
876
877 if (get_crypt_ftr_info(&fname, NULL)) {
878 return -1;
879 }
880
881 ret = validate_persistent_data_storage(&crypt_ftr);
882 if (ret) {
883 return -1;
884 }
885
886 fd = open(fname, O_RDONLY|O_CLOEXEC);
887 if (fd < 0) {
888 SLOGE("Cannot open %s metadata file", fname);
889 return -1;
890 }
891
892 if (persist_data == NULL) {
893 pdata = malloc(crypt_ftr.persist_data_size);
894 if (pdata == NULL) {
895 SLOGE("Cannot allocate memory for persistent data");
896 goto err;
897 }
898 }
899
900 for (i = 0; i < 2; i++) {
901 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
902 SLOGE("Cannot seek to read persistent data on %s", fname);
903 goto err2;
904 }
905 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
906 SLOGE("Error reading persistent data on iteration %d", i);
907 goto err2;
908 }
909 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
910 found = 1;
911 break;
912 }
913 }
914
915 if (!found) {
916 SLOGI("Could not find valid persistent data, creating");
917 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
918 }
919
920 /* Success */
921 persist_data = pdata;
922 close(fd);
923 return 0;
924
925 err2:
926 free(pdata);
927
928 err:
929 close(fd);
930 return -1;
931 }
932
save_persistent_data(void)933 static int save_persistent_data(void)
934 {
935 struct crypt_mnt_ftr crypt_ftr;
936 struct crypt_persist_data *pdata;
937 char *fname;
938 off64_t write_offset;
939 off64_t erase_offset;
940 int fd;
941 int ret;
942
943 if (persist_data == NULL) {
944 SLOGE("No persistent data to save");
945 return -1;
946 }
947
948 if(get_crypt_ftr_and_key(&crypt_ftr)) {
949 return -1;
950 }
951
952 if ((crypt_ftr.major_version < 1)
953 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
954 SLOGE("Crypt_ftr version doesn't support persistent data");
955 return -1;
956 }
957
958 ret = validate_persistent_data_storage(&crypt_ftr);
959 if (ret) {
960 return -1;
961 }
962
963 if (get_crypt_ftr_info(&fname, NULL)) {
964 return -1;
965 }
966
967 fd = open(fname, O_RDWR|O_CLOEXEC);
968 if (fd < 0) {
969 SLOGE("Cannot open %s metadata file", fname);
970 return -1;
971 }
972
973 pdata = malloc(crypt_ftr.persist_data_size);
974 if (pdata == NULL) {
975 SLOGE("Cannot allocate persistant data");
976 goto err;
977 }
978
979 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
980 SLOGE("Cannot seek to read persistent data on %s", fname);
981 goto err2;
982 }
983
984 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
985 SLOGE("Error reading persistent data before save");
986 goto err2;
987 }
988
989 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
990 /* The first copy is the curent valid copy, so write to
991 * the second copy and erase this one */
992 write_offset = crypt_ftr.persist_data_offset[1];
993 erase_offset = crypt_ftr.persist_data_offset[0];
994 } else {
995 /* The second copy must be the valid copy, so write to
996 * the first copy, and erase the second */
997 write_offset = crypt_ftr.persist_data_offset[0];
998 erase_offset = crypt_ftr.persist_data_offset[1];
999 }
1000
1001 /* Write the new copy first, if successful, then erase the old copy */
1002 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1003 SLOGE("Cannot seek to write persistent data");
1004 goto err2;
1005 }
1006 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1007 (int) crypt_ftr.persist_data_size) {
1008 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1009 SLOGE("Cannot seek to erase previous persistent data");
1010 goto err2;
1011 }
1012 fsync(fd);
1013 memset(pdata, 0, crypt_ftr.persist_data_size);
1014 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1015 (int) crypt_ftr.persist_data_size) {
1016 SLOGE("Cannot write to erase previous persistent data");
1017 goto err2;
1018 }
1019 fsync(fd);
1020 } else {
1021 SLOGE("Cannot write to save persistent data");
1022 goto err2;
1023 }
1024
1025 /* Success */
1026 free(pdata);
1027 close(fd);
1028 return 0;
1029
1030 err2:
1031 free(pdata);
1032 err:
1033 close(fd);
1034 return -1;
1035 }
1036
1037 /* Convert a binary key of specified length into an ascii hex string equivalent,
1038 * without the leading 0x and with null termination
1039 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1040 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1041 unsigned int keysize, char *master_key_ascii) {
1042 unsigned int i, a;
1043 unsigned char nibble;
1044
1045 for (i=0, a=0; i<keysize; i++, a+=2) {
1046 /* For each byte, write out two ascii hex digits */
1047 nibble = (master_key[i] >> 4) & 0xf;
1048 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1049
1050 nibble = master_key[i] & 0xf;
1051 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1052 }
1053
1054 /* Add the null termination */
1055 master_key_ascii[a] = '\0';
1056
1057 }
1058
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)1059 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1060 const unsigned char *master_key, const char *real_blk_name,
1061 const char *name, int fd, const char *extra_params) {
1062 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1063 struct dm_ioctl *io;
1064 struct dm_target_spec *tgt;
1065 char *crypt_params;
1066 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1067 int i;
1068
1069 io = (struct dm_ioctl *) buffer;
1070
1071 /* Load the mapping table for this device */
1072 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1073
1074 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1075 io->target_count = 1;
1076 tgt->status = 0;
1077 tgt->sector_start = 0;
1078 tgt->length = crypt_ftr->fs_size;
1079 #ifdef CONFIG_HW_DISK_ENCRYPTION
1080 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1081 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1082 }
1083 else {
1084 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1085 }
1086 #else
1087 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1088 #endif
1089
1090 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1091 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1092 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1093 master_key_ascii, real_blk_name, extra_params);
1094 crypt_params += strlen(crypt_params) + 1;
1095 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1096 tgt->next = crypt_params - buffer;
1097
1098 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1099 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1100 break;
1101 }
1102 usleep(500000);
1103 }
1104
1105 if (i == TABLE_LOAD_RETRIES) {
1106 /* We failed to load the table, return an error */
1107 return -1;
1108 } else {
1109 return i + 1;
1110 }
1111 }
1112
1113
get_dm_crypt_version(int fd,const char * name,int * version)1114 static int get_dm_crypt_version(int fd, const char *name, int *version)
1115 {
1116 char buffer[DM_CRYPT_BUF_SIZE];
1117 struct dm_ioctl *io;
1118 struct dm_target_versions *v;
1119
1120 io = (struct dm_ioctl *) buffer;
1121
1122 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1123
1124 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1125 return -1;
1126 }
1127
1128 /* Iterate over the returned versions, looking for name of "crypt".
1129 * When found, get and return the version.
1130 */
1131 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1132 while (v->next) {
1133 #ifdef CONFIG_HW_DISK_ENCRYPTION
1134 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1135 #else
1136 if (! strcmp(v->name, "crypt")) {
1137 #endif
1138 /* We found the crypt driver, return the version, and get out */
1139 version[0] = v->version[0];
1140 version[1] = v->version[1];
1141 version[2] = v->version[2];
1142 return 0;
1143 }
1144 v = (struct dm_target_versions *)(((char *)v) + v->next);
1145 }
1146
1147 return -1;
1148 }
1149
1150 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1151 const unsigned char *master_key, const char *real_blk_name,
1152 char *crypto_blk_name, const char *name) {
1153 char buffer[DM_CRYPT_BUF_SIZE];
1154 struct dm_ioctl *io;
1155 unsigned int minor;
1156 int fd=0;
1157 int retval = -1;
1158 int version[3];
1159 char *extra_params;
1160 int load_count;
1161
1162 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1163 SLOGE("Cannot open device-mapper\n");
1164 goto errout;
1165 }
1166
1167 io = (struct dm_ioctl *) buffer;
1168
1169 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1170 if (ioctl(fd, DM_DEV_CREATE, io)) {
1171 SLOGE("Cannot create dm-crypt device\n");
1172 goto errout;
1173 }
1174
1175 /* Get the device status, in particular, the name of it's device file */
1176 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1177 if (ioctl(fd, DM_DEV_STATUS, io)) {
1178 SLOGE("Cannot retrieve dm-crypt device status\n");
1179 goto errout;
1180 }
1181 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1182 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1183
1184 extra_params = "";
1185 if (! get_dm_crypt_version(fd, name, version)) {
1186 /* Support for allow_discards was added in version 1.11.0 */
1187 if ((version[0] >= 2) ||
1188 ((version[0] == 1) && (version[1] >= 11))) {
1189 extra_params = "1 allow_discards";
1190 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1191 }
1192 }
1193
1194 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1195 fd, extra_params);
1196 if (load_count < 0) {
1197 SLOGE("Cannot load dm-crypt mapping table.\n");
1198 goto errout;
1199 } else if (load_count > 1) {
1200 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1201 }
1202
1203 /* Resume this device to activate it */
1204 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1205
1206 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1207 SLOGE("Cannot resume the dm-crypt device\n");
1208 goto errout;
1209 }
1210
1211 /* We made it here with no errors. Woot! */
1212 retval = 0;
1213
1214 errout:
1215 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1216
1217 return retval;
1218 }
1219
1220 static int delete_crypto_blk_dev(char *name)
1221 {
1222 int fd;
1223 char buffer[DM_CRYPT_BUF_SIZE];
1224 struct dm_ioctl *io;
1225 int retval = -1;
1226
1227 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1228 SLOGE("Cannot open device-mapper\n");
1229 goto errout;
1230 }
1231
1232 io = (struct dm_ioctl *) buffer;
1233
1234 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1235 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1236 SLOGE("Cannot remove dm-crypt device\n");
1237 goto errout;
1238 }
1239
1240 /* We made it here with no errors. Woot! */
1241 retval = 0;
1242
1243 errout:
1244 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1245
1246 return retval;
1247
1248 }
1249
1250 static int pbkdf2(const char *passwd, const unsigned char *salt,
1251 unsigned char *ikey, void *params UNUSED)
1252 {
1253 SLOGI("Using pbkdf2 for cryptfs KDF");
1254
1255 /* Turn the password into a key and IV that can decrypt the master key */
1256 PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd),
1257 salt, SALT_LEN,
1258 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1259
1260 return 0;
1261 }
1262
1263 static int scrypt(const char *passwd, const unsigned char *salt,
1264 unsigned char *ikey, void *params)
1265 {
1266 SLOGI("Using scrypt for cryptfs KDF");
1267
1268 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1269
1270 int N = 1 << ftr->N_factor;
1271 int r = 1 << ftr->r_factor;
1272 int p = 1 << ftr->p_factor;
1273
1274 /* Turn the password into a key and IV that can decrypt the master key */
1275 unsigned int keysize;
1276 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1277 salt, SALT_LEN, N, r, p, ikey,
1278 KEY_LEN_BYTES + IV_LEN_BYTES);
1279
1280 return 0;
1281 }
1282
1283 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1284 unsigned char *ikey, void *params)
1285 {
1286 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1287
1288 int rc;
1289 size_t signature_size;
1290 unsigned char* signature;
1291 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1292
1293 int N = 1 << ftr->N_factor;
1294 int r = 1 << ftr->r_factor;
1295 int p = 1 << ftr->p_factor;
1296
1297 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1298 salt, SALT_LEN, N, r, p, ikey,
1299 KEY_LEN_BYTES + IV_LEN_BYTES);
1300
1301 if (rc) {
1302 SLOGE("scrypt failed");
1303 return -1;
1304 }
1305
1306 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1307 &signature, &signature_size)) {
1308 SLOGE("Signing failed");
1309 return -1;
1310 }
1311
1312 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1313 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1314 free(signature);
1315
1316 if (rc) {
1317 SLOGE("scrypt failed");
1318 return -1;
1319 }
1320
1321 return 0;
1322 }
1323
1324 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1325 const unsigned char *decrypted_master_key,
1326 unsigned char *encrypted_master_key,
1327 struct crypt_mnt_ftr *crypt_ftr)
1328 {
1329 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1330 EVP_CIPHER_CTX e_ctx;
1331 int encrypted_len, final_len;
1332 int rc = 0;
1333
1334 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1335 get_device_scrypt_params(crypt_ftr);
1336
1337 switch (crypt_ftr->kdf_type) {
1338 case KDF_SCRYPT_KEYMASTER:
1339 if (keymaster_create_key(crypt_ftr)) {
1340 SLOGE("keymaster_create_key failed");
1341 return -1;
1342 }
1343
1344 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1345 SLOGE("scrypt failed");
1346 return -1;
1347 }
1348 break;
1349
1350 case KDF_SCRYPT:
1351 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1352 SLOGE("scrypt failed");
1353 return -1;
1354 }
1355 break;
1356
1357 default:
1358 SLOGE("Invalid kdf_type");
1359 return -1;
1360 }
1361
1362 /* Initialize the decryption engine */
1363 EVP_CIPHER_CTX_init(&e_ctx);
1364 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1365 SLOGE("EVP_EncryptInit failed\n");
1366 return -1;
1367 }
1368 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1369
1370 /* Encrypt the master key */
1371 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1372 decrypted_master_key, KEY_LEN_BYTES)) {
1373 SLOGE("EVP_EncryptUpdate failed\n");
1374 return -1;
1375 }
1376 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1377 SLOGE("EVP_EncryptFinal failed\n");
1378 return -1;
1379 }
1380
1381 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1382 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1383 return -1;
1384 }
1385
1386 /* Store the scrypt of the intermediate key, so we can validate if it's a
1387 password error or mount error when things go wrong.
1388 Note there's no need to check for errors, since if this is incorrect, we
1389 simply won't wipe userdata, which is the correct default behavior
1390 */
1391 int N = 1 << crypt_ftr->N_factor;
1392 int r = 1 << crypt_ftr->r_factor;
1393 int p = 1 << crypt_ftr->p_factor;
1394
1395 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1396 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1397 crypt_ftr->scrypted_intermediate_key,
1398 sizeof(crypt_ftr->scrypted_intermediate_key));
1399
1400 if (rc) {
1401 SLOGE("encrypt_master_key: crypto_scrypt failed");
1402 }
1403
1404 return 0;
1405 }
1406
1407 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1408 unsigned char *encrypted_master_key,
1409 unsigned char *decrypted_master_key,
1410 kdf_func kdf, void *kdf_params,
1411 unsigned char** intermediate_key,
1412 size_t* intermediate_key_size)
1413 {
1414 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1415 EVP_CIPHER_CTX d_ctx;
1416 int decrypted_len, final_len;
1417
1418 /* Turn the password into an intermediate key and IV that can decrypt the
1419 master key */
1420 if (kdf(passwd, salt, ikey, kdf_params)) {
1421 SLOGE("kdf failed");
1422 return -1;
1423 }
1424
1425 /* Initialize the decryption engine */
1426 EVP_CIPHER_CTX_init(&d_ctx);
1427 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1428 return -1;
1429 }
1430 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1431 /* Decrypt the master key */
1432 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1433 encrypted_master_key, KEY_LEN_BYTES)) {
1434 return -1;
1435 }
1436 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1437 return -1;
1438 }
1439
1440 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1441 return -1;
1442 }
1443
1444 /* Copy intermediate key if needed by params */
1445 if (intermediate_key && intermediate_key_size) {
1446 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1447 if (intermediate_key) {
1448 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1449 *intermediate_key_size = KEY_LEN_BYTES;
1450 }
1451 }
1452
1453 return 0;
1454 }
1455
1456 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1457 {
1458 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1459 *kdf = scrypt_keymaster;
1460 *kdf_params = ftr;
1461 } else if (ftr->kdf_type == KDF_SCRYPT) {
1462 *kdf = scrypt;
1463 *kdf_params = ftr;
1464 } else {
1465 *kdf = pbkdf2;
1466 *kdf_params = NULL;
1467 }
1468 }
1469
1470 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1471 struct crypt_mnt_ftr *crypt_ftr,
1472 unsigned char** intermediate_key,
1473 size_t* intermediate_key_size)
1474 {
1475 kdf_func kdf;
1476 void *kdf_params;
1477 int ret;
1478
1479 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1480 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1481 decrypted_master_key, kdf, kdf_params,
1482 intermediate_key, intermediate_key_size);
1483 if (ret != 0) {
1484 SLOGW("failure decrypting master key");
1485 }
1486
1487 return ret;
1488 }
1489
1490 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1491 struct crypt_mnt_ftr *crypt_ftr) {
1492 int fd;
1493 unsigned char key_buf[KEY_LEN_BYTES];
1494
1495 /* Get some random bits for a key */
1496 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1497 read(fd, key_buf, sizeof(key_buf));
1498 read(fd, salt, SALT_LEN);
1499 close(fd);
1500
1501 /* Now encrypt it with the password */
1502 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1503 }
1504
1505 int wait_and_unmount(const char *mountpoint, bool kill)
1506 {
1507 int i, err, rc;
1508 #define WAIT_UNMOUNT_COUNT 20
1509
1510 /* Now umount the tmpfs filesystem */
1511 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1512 if (umount(mountpoint) == 0) {
1513 break;
1514 }
1515
1516 if (errno == EINVAL) {
1517 /* EINVAL is returned if the directory is not a mountpoint,
1518 * i.e. there is no filesystem mounted there. So just get out.
1519 */
1520 break;
1521 }
1522
1523 err = errno;
1524
1525 /* If allowed, be increasingly aggressive before the last two retries */
1526 if (kill) {
1527 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1528 SLOGW("sending SIGHUP to processes with open files\n");
1529 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1530 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1531 SLOGW("sending SIGKILL to processes with open files\n");
1532 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1533 }
1534 }
1535
1536 sleep(1);
1537 }
1538
1539 if (i < WAIT_UNMOUNT_COUNT) {
1540 SLOGD("unmounting %s succeeded\n", mountpoint);
1541 rc = 0;
1542 } else {
1543 vold_killProcessesWithOpenFiles(mountpoint, 0);
1544 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1545 rc = -1;
1546 }
1547
1548 return rc;
1549 }
1550
1551 #define DATA_PREP_TIMEOUT 1000
1552 static int prep_data_fs(void)
1553 {
1554 int i;
1555
1556 /* Do the prep of the /data filesystem */
1557 property_set("vold.post_fs_data_done", "0");
1558 property_set("vold.decrypt", "trigger_post_fs_data");
1559 SLOGD("Just triggered post_fs_data\n");
1560
1561 /* Wait a max of 50 seconds, hopefully it takes much less */
1562 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1563 char p[PROPERTY_VALUE_MAX];
1564
1565 property_get("vold.post_fs_data_done", p, "0");
1566 if (*p == '1') {
1567 break;
1568 } else {
1569 usleep(50000);
1570 }
1571 }
1572 if (i == DATA_PREP_TIMEOUT) {
1573 /* Ugh, we failed to prep /data in time. Bail. */
1574 SLOGE("post_fs_data timed out!\n");
1575 return -1;
1576 } else {
1577 SLOGD("post_fs_data done\n");
1578 return 0;
1579 }
1580 }
1581
1582 static void cryptfs_set_corrupt()
1583 {
1584 // Mark the footer as bad
1585 struct crypt_mnt_ftr crypt_ftr;
1586 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1587 SLOGE("Failed to get crypto footer - panic");
1588 return;
1589 }
1590
1591 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1592 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1593 SLOGE("Failed to set crypto footer - panic");
1594 return;
1595 }
1596 }
1597
1598 static void cryptfs_trigger_restart_min_framework()
1599 {
1600 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1601 SLOGE("Failed to mount tmpfs on data - panic");
1602 return;
1603 }
1604
1605 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1606 SLOGE("Failed to trigger post fs data - panic");
1607 return;
1608 }
1609
1610 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1611 SLOGE("Failed to trigger restart min framework - panic");
1612 return;
1613 }
1614 }
1615
1616 /* returns < 0 on failure */
1617 static int cryptfs_restart_internal(int restart_main)
1618 {
1619 char crypto_blkdev[MAXPATHLEN];
1620 int rc = -1;
1621 static int restart_successful = 0;
1622
1623 /* Validate that it's OK to call this routine */
1624 if (! master_key_saved) {
1625 SLOGE("Encrypted filesystem not validated, aborting");
1626 return -1;
1627 }
1628
1629 if (restart_successful) {
1630 SLOGE("System already restarted with encrypted disk, aborting");
1631 return -1;
1632 }
1633
1634 if (restart_main) {
1635 /* Here is where we shut down the framework. The init scripts
1636 * start all services in one of three classes: core, main or late_start.
1637 * On boot, we start core and main. Now, we stop main, but not core,
1638 * as core includes vold and a few other really important things that
1639 * we need to keep running. Once main has stopped, we should be able
1640 * to umount the tmpfs /data, then mount the encrypted /data.
1641 * We then restart the class main, and also the class late_start.
1642 * At the moment, I've only put a few things in late_start that I know
1643 * are not needed to bring up the framework, and that also cause problems
1644 * with unmounting the tmpfs /data, but I hope to add add more services
1645 * to the late_start class as we optimize this to decrease the delay
1646 * till the user is asked for the password to the filesystem.
1647 */
1648
1649 /* The init files are setup to stop the class main when vold.decrypt is
1650 * set to trigger_reset_main.
1651 */
1652 property_set("vold.decrypt", "trigger_reset_main");
1653 SLOGD("Just asked init to shut down class main\n");
1654
1655 /* Ugh, shutting down the framework is not synchronous, so until it
1656 * can be fixed, this horrible hack will wait a moment for it all to
1657 * shut down before proceeding. Without it, some devices cannot
1658 * restart the graphics services.
1659 */
1660 sleep(2);
1661 }
1662
1663 /* Now that the framework is shutdown, we should be able to umount()
1664 * the tmpfs filesystem, and mount the real one.
1665 */
1666
1667 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1668 if (strlen(crypto_blkdev) == 0) {
1669 SLOGE("fs_crypto_blkdev not set\n");
1670 return -1;
1671 }
1672
1673 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1674 /* If ro.crypto.readonly is set to 1, mount the decrypted
1675 * filesystem readonly. This is used when /data is mounted by
1676 * recovery mode.
1677 */
1678 char ro_prop[PROPERTY_VALUE_MAX];
1679 property_get("ro.crypto.readonly", ro_prop, "");
1680 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1681 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1682 rec->flags |= MS_RDONLY;
1683 }
1684
1685 /* If that succeeded, then mount the decrypted filesystem */
1686 int retries = RETRY_MOUNT_ATTEMPTS;
1687 int mount_rc;
1688 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1689 crypto_blkdev, 0))
1690 != 0) {
1691 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1692 /* TODO: invoke something similar to
1693 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1694 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1695 SLOGI("Failed to mount %s because it is busy - waiting",
1696 crypto_blkdev);
1697 if (--retries) {
1698 sleep(RETRY_MOUNT_DELAY_SECONDS);
1699 } else {
1700 /* Let's hope that a reboot clears away whatever is keeping
1701 the mount busy */
1702 cryptfs_reboot(reboot);
1703 }
1704 } else {
1705 SLOGE("Failed to mount decrypted data");
1706 cryptfs_set_corrupt();
1707 cryptfs_trigger_restart_min_framework();
1708 SLOGI("Started framework to offer wipe");
1709 return -1;
1710 }
1711 }
1712
1713 property_set("vold.decrypt", "trigger_load_persist_props");
1714 /* Create necessary paths on /data */
1715 if (prep_data_fs()) {
1716 return -1;
1717 }
1718
1719 /* startup service classes main and late_start */
1720 property_set("vold.decrypt", "trigger_restart_framework");
1721 SLOGD("Just triggered restart_framework\n");
1722
1723 /* Give it a few moments to get started */
1724 sleep(1);
1725 }
1726
1727 if (rc == 0) {
1728 restart_successful = 1;
1729 }
1730
1731 return rc;
1732 }
1733
1734 int cryptfs_restart(void)
1735 {
1736 SLOGI("cryptfs_restart");
1737 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
1738 struct fstab_rec* rec;
1739 int rc;
1740
1741 if (e4crypt_restart(DATA_MNT_POINT)) {
1742 SLOGE("Can't unmount e4crypt temp volume\n");
1743 return -1;
1744 }
1745
1746 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1747 if (!rec) {
1748 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT);
1749 return -1;
1750 }
1751
1752 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0);
1753 if (rc) {
1754 SLOGE("Can't mount %s\n", DATA_MNT_POINT);
1755 return rc;
1756 }
1757
1758 property_set("vold.decrypt", "trigger_restart_framework");
1759 return 0;
1760 }
1761
1762 /* Call internal implementation forcing a restart of main service group */
1763 return cryptfs_restart_internal(1);
1764 }
1765
1766 static int do_crypto_complete(char *mount_point)
1767 {
1768 struct crypt_mnt_ftr crypt_ftr;
1769 char encrypted_state[PROPERTY_VALUE_MAX];
1770 char key_loc[PROPERTY_VALUE_MAX];
1771
1772 property_get("ro.crypto.state", encrypted_state, "");
1773 if (strcmp(encrypted_state, "encrypted") ) {
1774 SLOGE("not running with encryption, aborting");
1775 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1776 }
1777
1778 if (e4crypt_crypto_complete(mount_point) == 0) {
1779 return CRYPTO_COMPLETE_ENCRYPTED;
1780 }
1781
1782 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1783 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1784
1785 /*
1786 * Only report this error if key_loc is a file and it exists.
1787 * If the device was never encrypted, and /data is not mountable for
1788 * some reason, returning 1 should prevent the UI from presenting the
1789 * a "enter password" screen, or worse, a "press button to wipe the
1790 * device" screen.
1791 */
1792 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1793 SLOGE("master key file does not exist, aborting");
1794 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1795 } else {
1796 SLOGE("Error getting crypt footer and key\n");
1797 return CRYPTO_COMPLETE_BAD_METADATA;
1798 }
1799 }
1800
1801 // Test for possible error flags
1802 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1803 SLOGE("Encryption process is partway completed\n");
1804 return CRYPTO_COMPLETE_PARTIAL;
1805 }
1806
1807 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1808 SLOGE("Encryption process was interrupted but cannot continue\n");
1809 return CRYPTO_COMPLETE_INCONSISTENT;
1810 }
1811
1812 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1813 SLOGE("Encryption is successful but data is corrupt\n");
1814 return CRYPTO_COMPLETE_CORRUPT;
1815 }
1816
1817 /* We passed the test! We shall diminish, and return to the west */
1818 return CRYPTO_COMPLETE_ENCRYPTED;
1819 }
1820
1821 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1822 char *passwd, char *mount_point, char *label)
1823 {
1824 /* Allocate enough space for a 256 bit key, but we may use less */
1825 unsigned char decrypted_master_key[32];
1826 char crypto_blkdev[MAXPATHLEN];
1827 char real_blkdev[MAXPATHLEN];
1828 char tmp_mount_point[64];
1829 unsigned int orig_failed_decrypt_count;
1830 int rc;
1831 int use_keymaster = 0;
1832 int upgrade = 0;
1833 unsigned char* intermediate_key = 0;
1834 size_t intermediate_key_size = 0;
1835
1836 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1837 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1838
1839 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1840 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1841 &intermediate_key, &intermediate_key_size)) {
1842 SLOGE("Failed to decrypt master key\n");
1843 rc = -1;
1844 goto errout;
1845 }
1846 }
1847
1848 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1849
1850 #ifdef CONFIG_HW_DISK_ENCRYPTION
1851 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1852 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1853 SLOGE("Hardware encryption key does not match");
1854 }
1855 }
1856 #endif
1857
1858 // Create crypto block device - all (non fatal) code paths
1859 // need it
1860 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1861 real_blkdev, crypto_blkdev, label)) {
1862 SLOGE("Error creating decrypted block device\n");
1863 rc = -1;
1864 goto errout;
1865 }
1866
1867 /* Work out if the problem is the password or the data */
1868 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1869 scrypted_intermediate_key)];
1870 int N = 1 << crypt_ftr->N_factor;
1871 int r = 1 << crypt_ftr->r_factor;
1872 int p = 1 << crypt_ftr->p_factor;
1873
1874 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1875 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1876 N, r, p, scrypted_intermediate_key,
1877 sizeof(scrypted_intermediate_key));
1878
1879 // Does the key match the crypto footer?
1880 if (rc == 0 && memcmp(scrypted_intermediate_key,
1881 crypt_ftr->scrypted_intermediate_key,
1882 sizeof(scrypted_intermediate_key)) == 0) {
1883 SLOGI("Password matches");
1884 rc = 0;
1885 } else {
1886 /* Try mounting the file system anyway, just in case the problem's with
1887 * the footer, not the key. */
1888 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1889 mkdir(tmp_mount_point, 0755);
1890 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1891 SLOGE("Error temp mounting decrypted block device\n");
1892 delete_crypto_blk_dev(label);
1893
1894 rc = ++crypt_ftr->failed_decrypt_count;
1895 put_crypt_ftr_and_key(crypt_ftr);
1896 } else {
1897 /* Success! */
1898 SLOGI("Password did not match but decrypted drive mounted - continue");
1899 umount(tmp_mount_point);
1900 rc = 0;
1901 }
1902 }
1903
1904 if (rc == 0) {
1905 crypt_ftr->failed_decrypt_count = 0;
1906 if (orig_failed_decrypt_count != 0) {
1907 put_crypt_ftr_and_key(crypt_ftr);
1908 }
1909
1910 /* Save the name of the crypto block device
1911 * so we can mount it when restarting the framework. */
1912 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1913
1914 /* Also save a the master key so we can reencrypted the key
1915 * the key when we want to change the password on it. */
1916 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1917 saved_mount_point = strdup(mount_point);
1918 master_key_saved = 1;
1919 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1920 rc = 0;
1921
1922 // Upgrade if we're not using the latest KDF.
1923 use_keymaster = keymaster_check_compatibility();
1924 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1925 // Don't allow downgrade
1926 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1927 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1928 upgrade = 1;
1929 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1930 crypt_ftr->kdf_type = KDF_SCRYPT;
1931 upgrade = 1;
1932 }
1933
1934 if (upgrade) {
1935 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1936 crypt_ftr->master_key, crypt_ftr);
1937 if (!rc) {
1938 rc = put_crypt_ftr_and_key(crypt_ftr);
1939 }
1940 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1941
1942 // Do not fail even if upgrade failed - machine is bootable
1943 // Note that if this code is ever hit, there is a *serious* problem
1944 // since KDFs should never fail. You *must* fix the kdf before
1945 // proceeding!
1946 if (rc) {
1947 SLOGW("Upgrade failed with error %d,"
1948 " but continuing with previous state",
1949 rc);
1950 rc = 0;
1951 }
1952 }
1953 }
1954
1955 errout:
1956 if (intermediate_key) {
1957 memset(intermediate_key, 0, intermediate_key_size);
1958 free(intermediate_key);
1959 }
1960 return rc;
1961 }
1962
1963 /*
1964 * Called by vold when it's asked to mount an encrypted external
1965 * storage volume. The incoming partition has no crypto header/footer,
1966 * as any metadata is been stored in a separate, small partition.
1967 *
1968 * out_crypto_blkdev must be MAXPATHLEN.
1969 */
1970 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1971 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1972 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1973 if (fd == -1) {
1974 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1975 return -1;
1976 }
1977
1978 unsigned long nr_sec = 0;
1979 get_blkdev_size(fd, &nr_sec);
1980 close(fd);
1981
1982 if (nr_sec == 0) {
1983 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1984 return -1;
1985 }
1986
1987 struct crypt_mnt_ftr ext_crypt_ftr;
1988 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1989 ext_crypt_ftr.fs_size = nr_sec;
1990 ext_crypt_ftr.keysize = keysize;
1991 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1992
1993 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1994 out_crypto_blkdev, label);
1995 }
1996
1997 /*
1998 * Called by vold when it's asked to unmount an encrypted external
1999 * storage volume.
2000 */
2001 int cryptfs_revert_ext_volume(const char* label) {
2002 return delete_crypto_blk_dev((char*) label);
2003 }
2004
2005 int cryptfs_crypto_complete(void)
2006 {
2007 return do_crypto_complete("/data");
2008 }
2009
2010 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2011 {
2012 char encrypted_state[PROPERTY_VALUE_MAX];
2013 property_get("ro.crypto.state", encrypted_state, "");
2014 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2015 SLOGE("encrypted fs already validated or not running with encryption,"
2016 " aborting");
2017 return -1;
2018 }
2019
2020 if (get_crypt_ftr_and_key(crypt_ftr)) {
2021 SLOGE("Error getting crypt footer and key");
2022 return -1;
2023 }
2024
2025 return 0;
2026 }
2027
2028 int cryptfs_check_passwd(char *passwd)
2029 {
2030 SLOGI("cryptfs_check_passwd");
2031 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
2032 return e4crypt_check_passwd(DATA_MNT_POINT, passwd);
2033 }
2034
2035 struct crypt_mnt_ftr crypt_ftr;
2036 int rc;
2037
2038 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2039 if (rc)
2040 return rc;
2041
2042 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2043 DATA_MNT_POINT, "userdata");
2044
2045 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2046 cryptfs_clear_password();
2047 password = strdup(passwd);
2048 struct timespec now;
2049 clock_gettime(CLOCK_BOOTTIME, &now);
2050 password_expiry_time = now.tv_sec + password_max_age_seconds;
2051 }
2052
2053 return rc;
2054 }
2055
2056 int cryptfs_verify_passwd(char *passwd)
2057 {
2058 struct crypt_mnt_ftr crypt_ftr;
2059 /* Allocate enough space for a 256 bit key, but we may use less */
2060 unsigned char decrypted_master_key[32];
2061 char encrypted_state[PROPERTY_VALUE_MAX];
2062 int rc;
2063
2064 property_get("ro.crypto.state", encrypted_state, "");
2065 if (strcmp(encrypted_state, "encrypted") ) {
2066 SLOGE("device not encrypted, aborting");
2067 return -2;
2068 }
2069
2070 if (!master_key_saved) {
2071 SLOGE("encrypted fs not yet mounted, aborting");
2072 return -1;
2073 }
2074
2075 if (!saved_mount_point) {
2076 SLOGE("encrypted fs failed to save mount point, aborting");
2077 return -1;
2078 }
2079
2080 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2081 SLOGE("Error getting crypt footer and key\n");
2082 return -1;
2083 }
2084
2085 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2086 /* If the device has no password, then just say the password is valid */
2087 rc = 0;
2088 } else {
2089 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2090 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2091 /* They match, the password is correct */
2092 rc = 0;
2093 } else {
2094 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2095 sleep(1);
2096 rc = 1;
2097 }
2098 }
2099
2100 return rc;
2101 }
2102
2103 /* Initialize a crypt_mnt_ftr structure. The keysize is
2104 * defaulted to 16 bytes, and the filesystem size to 0.
2105 * Presumably, at a minimum, the caller will update the
2106 * filesystem size and crypto_type_name after calling this function.
2107 */
2108 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2109 {
2110 off64_t off;
2111
2112 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2113 ftr->magic = CRYPT_MNT_MAGIC;
2114 ftr->major_version = CURRENT_MAJOR_VERSION;
2115 ftr->minor_version = CURRENT_MINOR_VERSION;
2116 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2117 ftr->keysize = KEY_LEN_BYTES;
2118
2119 switch (keymaster_check_compatibility()) {
2120 case 1:
2121 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2122 break;
2123
2124 case 0:
2125 ftr->kdf_type = KDF_SCRYPT;
2126 break;
2127
2128 default:
2129 SLOGE("keymaster_check_compatibility failed");
2130 return -1;
2131 }
2132
2133 get_device_scrypt_params(ftr);
2134
2135 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2136 if (get_crypt_ftr_info(NULL, &off) == 0) {
2137 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2138 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2139 ftr->persist_data_size;
2140 }
2141
2142 return 0;
2143 }
2144
2145 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2146 {
2147 const char *args[10];
2148 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2149 int num_args;
2150 int status;
2151 int tmp;
2152 int rc = -1;
2153
2154 if (type == EXT4_FS) {
2155 args[0] = "/system/bin/make_ext4fs";
2156 args[1] = "-a";
2157 args[2] = "/data";
2158 args[3] = "-l";
2159 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2160 args[4] = size_str;
2161 args[5] = crypto_blkdev;
2162 num_args = 6;
2163 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2164 args[0], args[1], args[2], args[3], args[4], args[5]);
2165 } else if (type == F2FS_FS) {
2166 args[0] = "/system/bin/mkfs.f2fs";
2167 args[1] = "-t";
2168 args[2] = "-d1";
2169 args[3] = crypto_blkdev;
2170 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2171 args[4] = size_str;
2172 num_args = 5;
2173 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2174 args[0], args[1], args[2], args[3], args[4]);
2175 } else {
2176 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2177 return -1;
2178 }
2179
2180 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2181
2182 if (tmp != 0) {
2183 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2184 } else {
2185 if (WIFEXITED(status)) {
2186 if (WEXITSTATUS(status)) {
2187 SLOGE("Error creating filesystem on %s, exit status %d ",
2188 crypto_blkdev, WEXITSTATUS(status));
2189 } else {
2190 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2191 rc = 0;
2192 }
2193 } else {
2194 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2195 }
2196 }
2197
2198 return rc;
2199 }
2200
2201 #define CRYPT_INPLACE_BUFSIZE 4096
2202 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2203 #define CRYPT_SECTOR_SIZE 512
2204
2205 /* aligned 32K writes tends to make flash happy.
2206 * SD card association recommends it.
2207 */
2208 #ifndef CONFIG_HW_DISK_ENCRYPTION
2209 #define BLOCKS_AT_A_TIME 8
2210 #else
2211 #define BLOCKS_AT_A_TIME 1024
2212 #endif
2213
2214 struct encryptGroupsData
2215 {
2216 int realfd;
2217 int cryptofd;
2218 off64_t numblocks;
2219 off64_t one_pct, cur_pct, new_pct;
2220 off64_t blocks_already_done, tot_numblocks;
2221 off64_t used_blocks_already_done, tot_used_blocks;
2222 char* real_blkdev, * crypto_blkdev;
2223 int count;
2224 off64_t offset;
2225 char* buffer;
2226 off64_t last_written_sector;
2227 int completed;
2228 time_t time_started;
2229 int remaining_time;
2230 };
2231
2232 static void update_progress(struct encryptGroupsData* data, int is_used)
2233 {
2234 data->blocks_already_done++;
2235
2236 if (is_used) {
2237 data->used_blocks_already_done++;
2238 }
2239 if (data->tot_used_blocks) {
2240 data->new_pct = data->used_blocks_already_done / data->one_pct;
2241 } else {
2242 data->new_pct = data->blocks_already_done / data->one_pct;
2243 }
2244
2245 if (data->new_pct > data->cur_pct) {
2246 char buf[8];
2247 data->cur_pct = data->new_pct;
2248 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2249 property_set("vold.encrypt_progress", buf);
2250 }
2251
2252 if (data->cur_pct >= 5) {
2253 struct timespec time_now;
2254 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2255 SLOGW("Error getting time");
2256 } else {
2257 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2258 off64_t remaining_blocks = data->tot_used_blocks
2259 - data->used_blocks_already_done;
2260 int remaining_time = (int)(elapsed_time * remaining_blocks
2261 / data->used_blocks_already_done);
2262
2263 // Change time only if not yet set, lower, or a lot higher for
2264 // best user experience
2265 if (data->remaining_time == -1
2266 || remaining_time < data->remaining_time
2267 || remaining_time > data->remaining_time + 60) {
2268 char buf[8];
2269 snprintf(buf, sizeof(buf), "%d", remaining_time);
2270 property_set("vold.encrypt_time_remaining", buf);
2271 data->remaining_time = remaining_time;
2272 }
2273 }
2274 }
2275 }
2276
2277 static void log_progress(struct encryptGroupsData const* data, bool completed)
2278 {
2279 // Precondition - if completed data = 0 else data != 0
2280
2281 // Track progress so we can skip logging blocks
2282 static off64_t offset = -1;
2283
2284 // Need to close existing 'Encrypting from' log?
2285 if (completed || (offset != -1 && data->offset != offset)) {
2286 SLOGI("Encrypted to sector %" PRId64,
2287 offset / info.block_size * CRYPT_SECTOR_SIZE);
2288 offset = -1;
2289 }
2290
2291 // Need to start new 'Encrypting from' log?
2292 if (!completed && offset != data->offset) {
2293 SLOGI("Encrypting from sector %" PRId64,
2294 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2295 }
2296
2297 // Update offset
2298 if (!completed) {
2299 offset = data->offset + (off64_t)data->count * info.block_size;
2300 }
2301 }
2302
2303 static int flush_outstanding_data(struct encryptGroupsData* data)
2304 {
2305 if (data->count == 0) {
2306 return 0;
2307 }
2308
2309 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2310
2311 if (pread64(data->realfd, data->buffer,
2312 info.block_size * data->count, data->offset)
2313 <= 0) {
2314 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2315 data->real_blkdev);
2316 return -1;
2317 }
2318
2319 if (pwrite64(data->cryptofd, data->buffer,
2320 info.block_size * data->count, data->offset)
2321 <= 0) {
2322 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2323 data->crypto_blkdev);
2324 return -1;
2325 } else {
2326 log_progress(data, false);
2327 }
2328
2329 data->count = 0;
2330 data->last_written_sector = (data->offset + data->count)
2331 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2332 return 0;
2333 }
2334
2335 static int encrypt_groups(struct encryptGroupsData* data)
2336 {
2337 unsigned int i;
2338 u8 *block_bitmap = 0;
2339 unsigned int block;
2340 off64_t ret;
2341 int rc = -1;
2342
2343 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2344 if (!data->buffer) {
2345 SLOGE("Failed to allocate crypto buffer");
2346 goto errout;
2347 }
2348
2349 block_bitmap = malloc(info.block_size);
2350 if (!block_bitmap) {
2351 SLOGE("failed to allocate block bitmap");
2352 goto errout;
2353 }
2354
2355 for (i = 0; i < aux_info.groups; ++i) {
2356 SLOGI("Encrypting group %d", i);
2357
2358 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2359 u32 block_count = min(info.blocks_per_group,
2360 aux_info.len_blocks - first_block);
2361
2362 off64_t offset = (u64)info.block_size
2363 * aux_info.bg_desc[i].bg_block_bitmap;
2364
2365 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2366 if (ret != (int)info.block_size) {
2367 SLOGE("failed to read all of block group bitmap %d", i);
2368 goto errout;
2369 }
2370
2371 offset = (u64)info.block_size * first_block;
2372
2373 data->count = 0;
2374
2375 for (block = 0; block < block_count; block++) {
2376 int used = bitmap_get_bit(block_bitmap, block);
2377 update_progress(data, used);
2378 if (used) {
2379 if (data->count == 0) {
2380 data->offset = offset;
2381 }
2382 data->count++;
2383 } else {
2384 if (flush_outstanding_data(data)) {
2385 goto errout;
2386 }
2387 }
2388
2389 offset += info.block_size;
2390
2391 /* Write data if we are aligned or buffer size reached */
2392 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2393 || data->count == BLOCKS_AT_A_TIME) {
2394 if (flush_outstanding_data(data)) {
2395 goto errout;
2396 }
2397 }
2398
2399 if (!is_battery_ok_to_continue()) {
2400 SLOGE("Stopping encryption due to low battery");
2401 rc = 0;
2402 goto errout;
2403 }
2404
2405 }
2406 if (flush_outstanding_data(data)) {
2407 goto errout;
2408 }
2409 }
2410
2411 data->completed = 1;
2412 rc = 0;
2413
2414 errout:
2415 log_progress(0, true);
2416 free(data->buffer);
2417 free(block_bitmap);
2418 return rc;
2419 }
2420
2421 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2422 char *real_blkdev,
2423 off64_t size,
2424 off64_t *size_already_done,
2425 off64_t tot_size,
2426 off64_t previously_encrypted_upto)
2427 {
2428 u32 i;
2429 struct encryptGroupsData data;
2430 int rc; // Can't initialize without causing warning -Wclobbered
2431
2432 if (previously_encrypted_upto > *size_already_done) {
2433 SLOGD("Not fast encrypting since resuming part way through");
2434 return -1;
2435 }
2436
2437 memset(&data, 0, sizeof(data));
2438 data.real_blkdev = real_blkdev;
2439 data.crypto_blkdev = crypto_blkdev;
2440
2441 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2442 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2443 real_blkdev, errno, strerror(errno));
2444 rc = -1;
2445 goto errout;
2446 }
2447
2448 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2449 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2450 crypto_blkdev, errno, strerror(errno));
2451 rc = ENABLE_INPLACE_ERR_DEV;
2452 goto errout;
2453 }
2454
2455 if (setjmp(setjmp_env)) {
2456 SLOGE("Reading ext4 extent caused an exception\n");
2457 rc = -1;
2458 goto errout;
2459 }
2460
2461 if (read_ext(data.realfd, 0) != 0) {
2462 SLOGE("Failed to read ext4 extent\n");
2463 rc = -1;
2464 goto errout;
2465 }
2466
2467 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2468 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2469 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2470
2471 SLOGI("Encrypting ext4 filesystem in place...");
2472
2473 data.tot_used_blocks = data.numblocks;
2474 for (i = 0; i < aux_info.groups; ++i) {
2475 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2476 }
2477
2478 data.one_pct = data.tot_used_blocks / 100;
2479 data.cur_pct = 0;
2480
2481 struct timespec time_started = {0};
2482 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2483 SLOGW("Error getting time at start");
2484 // Note - continue anyway - we'll run with 0
2485 }
2486 data.time_started = time_started.tv_sec;
2487 data.remaining_time = -1;
2488
2489 rc = encrypt_groups(&data);
2490 if (rc) {
2491 SLOGE("Error encrypting groups");
2492 goto errout;
2493 }
2494
2495 *size_already_done += data.completed ? size : data.last_written_sector;
2496 rc = 0;
2497
2498 errout:
2499 close(data.realfd);
2500 close(data.cryptofd);
2501
2502 return rc;
2503 }
2504
2505 static void log_progress_f2fs(u64 block, bool completed)
2506 {
2507 // Precondition - if completed data = 0 else data != 0
2508
2509 // Track progress so we can skip logging blocks
2510 static u64 last_block = (u64)-1;
2511
2512 // Need to close existing 'Encrypting from' log?
2513 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2514 SLOGI("Encrypted to block %" PRId64, last_block);
2515 last_block = -1;
2516 }
2517
2518 // Need to start new 'Encrypting from' log?
2519 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2520 SLOGI("Encrypting from block %" PRId64, block);
2521 }
2522
2523 // Update offset
2524 if (!completed) {
2525 last_block = block;
2526 }
2527 }
2528
2529 static int encrypt_one_block_f2fs(u64 pos, void *data)
2530 {
2531 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2532
2533 priv_dat->blocks_already_done = pos - 1;
2534 update_progress(priv_dat, 1);
2535
2536 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2537
2538 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2539 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2540 return -1;
2541 }
2542
2543 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2544 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2545 return -1;
2546 } else {
2547 log_progress_f2fs(pos, false);
2548 }
2549
2550 return 0;
2551 }
2552
2553 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2554 char *real_blkdev,
2555 off64_t size,
2556 off64_t *size_already_done,
2557 off64_t tot_size,
2558 off64_t previously_encrypted_upto)
2559 {
2560 struct encryptGroupsData data;
2561 struct f2fs_info *f2fs_info = NULL;
2562 int rc = ENABLE_INPLACE_ERR_OTHER;
2563 if (previously_encrypted_upto > *size_already_done) {
2564 SLOGD("Not fast encrypting since resuming part way through");
2565 return ENABLE_INPLACE_ERR_OTHER;
2566 }
2567 memset(&data, 0, sizeof(data));
2568 data.real_blkdev = real_blkdev;
2569 data.crypto_blkdev = crypto_blkdev;
2570 data.realfd = -1;
2571 data.cryptofd = -1;
2572 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2573 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2574 real_blkdev);
2575 goto errout;
2576 }
2577 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2578 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2579 crypto_blkdev, errno, strerror(errno));
2580 rc = ENABLE_INPLACE_ERR_DEV;
2581 goto errout;
2582 }
2583
2584 f2fs_info = generate_f2fs_info(data.realfd);
2585 if (!f2fs_info)
2586 goto errout;
2587
2588 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2589 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2590 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2591
2592 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2593
2594 data.one_pct = data.tot_used_blocks / 100;
2595 data.cur_pct = 0;
2596 data.time_started = time(NULL);
2597 data.remaining_time = -1;
2598
2599 data.buffer = malloc(f2fs_info->block_size);
2600 if (!data.buffer) {
2601 SLOGE("Failed to allocate crypto buffer");
2602 goto errout;
2603 }
2604
2605 data.count = 0;
2606
2607 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2608 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2609
2610 if (rc) {
2611 SLOGE("Error in running over f2fs blocks");
2612 rc = ENABLE_INPLACE_ERR_OTHER;
2613 goto errout;
2614 }
2615
2616 *size_already_done += size;
2617 rc = 0;
2618
2619 errout:
2620 if (rc)
2621 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2622
2623 log_progress_f2fs(0, true);
2624 free(f2fs_info);
2625 free(data.buffer);
2626 close(data.realfd);
2627 close(data.cryptofd);
2628
2629 return rc;
2630 }
2631
2632 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2633 off64_t size, off64_t *size_already_done,
2634 off64_t tot_size,
2635 off64_t previously_encrypted_upto)
2636 {
2637 int realfd, cryptofd;
2638 char *buf[CRYPT_INPLACE_BUFSIZE];
2639 int rc = ENABLE_INPLACE_ERR_OTHER;
2640 off64_t numblocks, i, remainder;
2641 off64_t one_pct, cur_pct, new_pct;
2642 off64_t blocks_already_done, tot_numblocks;
2643
2644 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2645 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2646 return ENABLE_INPLACE_ERR_OTHER;
2647 }
2648
2649 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2650 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2651 crypto_blkdev, errno, strerror(errno));
2652 close(realfd);
2653 return ENABLE_INPLACE_ERR_DEV;
2654 }
2655
2656 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2657 * The size passed in is the number of 512 byte sectors in the filesystem.
2658 * So compute the number of whole 4K blocks we should read/write,
2659 * and the remainder.
2660 */
2661 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2662 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2663 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2664 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2665
2666 SLOGE("Encrypting filesystem in place...");
2667
2668 i = previously_encrypted_upto + 1 - *size_already_done;
2669
2670 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2671 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2672 goto errout;
2673 }
2674
2675 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2676 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2677 goto errout;
2678 }
2679
2680 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2681 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2682 SLOGE("Error reading initial sectors from real_blkdev %s for "
2683 "inplace encrypt\n", crypto_blkdev);
2684 goto errout;
2685 }
2686 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2687 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2688 "inplace encrypt\n", crypto_blkdev);
2689 goto errout;
2690 } else {
2691 SLOGI("Encrypted 1 block at %" PRId64, i);
2692 }
2693 }
2694
2695 one_pct = tot_numblocks / 100;
2696 cur_pct = 0;
2697 /* process the majority of the filesystem in blocks */
2698 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2699 new_pct = (i + blocks_already_done) / one_pct;
2700 if (new_pct > cur_pct) {
2701 char buf[8];
2702
2703 cur_pct = new_pct;
2704 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2705 property_set("vold.encrypt_progress", buf);
2706 }
2707 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2708 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2709 goto errout;
2710 }
2711 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2712 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2713 goto errout;
2714 } else {
2715 SLOGD("Encrypted %d block at %" PRId64,
2716 CRYPT_SECTORS_PER_BUFSIZE,
2717 i * CRYPT_SECTORS_PER_BUFSIZE);
2718 }
2719
2720 if (!is_battery_ok_to_continue()) {
2721 SLOGE("Stopping encryption due to low battery");
2722 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2723 rc = 0;
2724 goto errout;
2725 }
2726 }
2727
2728 /* Do any remaining sectors */
2729 for (i=0; i<remainder; i++) {
2730 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2731 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2732 goto errout;
2733 }
2734 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2735 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2736 goto errout;
2737 } else {
2738 SLOGI("Encrypted 1 block at next location");
2739 }
2740 }
2741
2742 *size_already_done += size;
2743 rc = 0;
2744
2745 errout:
2746 close(realfd);
2747 close(cryptofd);
2748
2749 return rc;
2750 }
2751
2752 /* returns on of the ENABLE_INPLACE_* return codes */
2753 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2754 off64_t size, off64_t *size_already_done,
2755 off64_t tot_size,
2756 off64_t previously_encrypted_upto)
2757 {
2758 int rc_ext4, rc_f2fs, rc_full;
2759 if (previously_encrypted_upto) {
2760 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2761 }
2762
2763 if (*size_already_done + size < previously_encrypted_upto) {
2764 *size_already_done += size;
2765 return 0;
2766 }
2767
2768 /* TODO: identify filesystem type.
2769 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2770 * then we will drop down to cryptfs_enable_inplace_f2fs.
2771 * */
2772 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2773 size, size_already_done,
2774 tot_size, previously_encrypted_upto)) == 0) {
2775 return 0;
2776 }
2777 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2778
2779 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2780 size, size_already_done,
2781 tot_size, previously_encrypted_upto)) == 0) {
2782 return 0;
2783 }
2784 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2785
2786 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2787 size, size_already_done, tot_size,
2788 previously_encrypted_upto);
2789 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2790
2791 /* Hack for b/17898962, the following is the symptom... */
2792 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2793 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2794 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2795 return ENABLE_INPLACE_ERR_DEV;
2796 }
2797 return rc_full;
2798 }
2799
2800 #define CRYPTO_ENABLE_WIPE 1
2801 #define CRYPTO_ENABLE_INPLACE 2
2802
2803 #define FRAMEWORK_BOOT_WAIT 60
2804
2805 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2806 {
2807 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2808 if (fd == -1) {
2809 SLOGE("Error opening file %s", filename);
2810 return -1;
2811 }
2812
2813 char block[CRYPT_INPLACE_BUFSIZE];
2814 memset(block, 0, sizeof(block));
2815 if (unix_read(fd, block, sizeof(block)) < 0) {
2816 SLOGE("Error reading file %s", filename);
2817 close(fd);
2818 return -1;
2819 }
2820
2821 close(fd);
2822
2823 SHA256_CTX c;
2824 SHA256_Init(&c);
2825 SHA256_Update(&c, block, sizeof(block));
2826 SHA256_Final(buf, &c);
2827
2828 return 0;
2829 }
2830
2831 static int get_fs_type(struct fstab_rec *rec)
2832 {
2833 if (!strcmp(rec->fs_type, "ext4")) {
2834 return EXT4_FS;
2835 } else if (!strcmp(rec->fs_type, "f2fs")) {
2836 return F2FS_FS;
2837 } else {
2838 return -1;
2839 }
2840 }
2841
2842 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2843 char *crypto_blkdev, char *real_blkdev,
2844 int previously_encrypted_upto)
2845 {
2846 off64_t cur_encryption_done=0, tot_encryption_size=0;
2847 int rc = -1;
2848
2849 if (!is_battery_ok_to_start()) {
2850 SLOGW("Not starting encryption due to low battery");
2851 return 0;
2852 }
2853
2854 /* The size of the userdata partition, and add in the vold volumes below */
2855 tot_encryption_size = crypt_ftr->fs_size;
2856
2857 if (how == CRYPTO_ENABLE_WIPE) {
2858 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2859 int fs_type = get_fs_type(rec);
2860 if (fs_type < 0) {
2861 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2862 return -1;
2863 }
2864 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2865 } else if (how == CRYPTO_ENABLE_INPLACE) {
2866 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2867 crypt_ftr->fs_size, &cur_encryption_done,
2868 tot_encryption_size,
2869 previously_encrypted_upto);
2870
2871 if (rc == ENABLE_INPLACE_ERR_DEV) {
2872 /* Hack for b/17898962 */
2873 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2874 cryptfs_reboot(reboot);
2875 }
2876
2877 if (!rc) {
2878 crypt_ftr->encrypted_upto = cur_encryption_done;
2879 }
2880
2881 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2882 /* The inplace routine never actually sets the progress to 100% due
2883 * to the round down nature of integer division, so set it here */
2884 property_set("vold.encrypt_progress", "100");
2885 }
2886 } else {
2887 /* Shouldn't happen */
2888 SLOGE("cryptfs_enable: internal error, unknown option\n");
2889 rc = -1;
2890 }
2891
2892 return rc;
2893 }
2894
2895 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2896 int allow_reboot)
2897 {
2898 int how = 0;
2899 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2900 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2901 int rc=-1, i;
2902 struct crypt_mnt_ftr crypt_ftr;
2903 struct crypt_persist_data *pdata;
2904 char encrypted_state[PROPERTY_VALUE_MAX];
2905 char lockid[32] = { 0 };
2906 char key_loc[PROPERTY_VALUE_MAX];
2907 int num_vols;
2908 off64_t previously_encrypted_upto = 0;
2909
2910 if (!strcmp(howarg, "wipe")) {
2911 how = CRYPTO_ENABLE_WIPE;
2912 } else if (! strcmp(howarg, "inplace")) {
2913 how = CRYPTO_ENABLE_INPLACE;
2914 } else {
2915 /* Shouldn't happen, as CommandListener vets the args */
2916 goto error_unencrypted;
2917 }
2918
2919 /* See if an encryption was underway and interrupted */
2920 if (how == CRYPTO_ENABLE_INPLACE
2921 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2922 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2923 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2924 crypt_ftr.encrypted_upto = 0;
2925 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2926
2927 /* At this point, we are in an inconsistent state. Until we successfully
2928 complete encryption, a reboot will leave us broken. So mark the
2929 encryption failed in case that happens.
2930 On successfully completing encryption, remove this flag */
2931 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2932
2933 put_crypt_ftr_and_key(&crypt_ftr);
2934 }
2935
2936 property_get("ro.crypto.state", encrypted_state, "");
2937 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2938 SLOGE("Device is already running encrypted, aborting");
2939 goto error_unencrypted;
2940 }
2941
2942 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2943 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2944 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2945
2946 /* Get the size of the real block device */
2947 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2948 if (fd == -1) {
2949 SLOGE("Cannot open block device %s\n", real_blkdev);
2950 goto error_unencrypted;
2951 }
2952 unsigned long nr_sec;
2953 get_blkdev_size(fd, &nr_sec);
2954 if (nr_sec == 0) {
2955 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2956 goto error_unencrypted;
2957 }
2958 close(fd);
2959
2960 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2961 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2962 unsigned int fs_size_sec, max_fs_size_sec;
2963 fs_size_sec = get_fs_size(real_blkdev);
2964 if (fs_size_sec == 0)
2965 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2966
2967 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2968
2969 if (fs_size_sec > max_fs_size_sec) {
2970 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2971 goto error_unencrypted;
2972 }
2973 }
2974
2975 /* Get a wakelock as this may take a while, and we don't want the
2976 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2977 * wants to keep the screen on, it can grab a full wakelock.
2978 */
2979 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2980 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2981
2982 /* The init files are setup to stop the class main and late start when
2983 * vold sets trigger_shutdown_framework.
2984 */
2985 property_set("vold.decrypt", "trigger_shutdown_framework");
2986 SLOGD("Just asked init to shut down class main\n");
2987
2988 /* Ask vold to unmount all devices that it manages */
2989 if (vold_unmountAll()) {
2990 SLOGE("Failed to unmount all vold managed devices");
2991 }
2992
2993 /* Now unmount the /data partition. */
2994 if (wait_and_unmount(DATA_MNT_POINT, false)) {
2995 if (allow_reboot) {
2996 goto error_shutting_down;
2997 } else {
2998 goto error_unencrypted;
2999 }
3000 }
3001
3002 /* Do extra work for a better UX when doing the long inplace encryption */
3003 if (how == CRYPTO_ENABLE_INPLACE) {
3004 /* Now that /data is unmounted, we need to mount a tmpfs
3005 * /data, set a property saying we're doing inplace encryption,
3006 * and restart the framework.
3007 */
3008 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3009 goto error_shutting_down;
3010 }
3011 /* Tells the framework that inplace encryption is starting */
3012 property_set("vold.encrypt_progress", "0");
3013
3014 /* restart the framework. */
3015 /* Create necessary paths on /data */
3016 if (prep_data_fs()) {
3017 goto error_shutting_down;
3018 }
3019
3020 /* Ugh, shutting down the framework is not synchronous, so until it
3021 * can be fixed, this horrible hack will wait a moment for it all to
3022 * shut down before proceeding. Without it, some devices cannot
3023 * restart the graphics services.
3024 */
3025 sleep(2);
3026 }
3027
3028 /* Start the actual work of making an encrypted filesystem */
3029 /* Initialize a crypt_mnt_ftr for the partition */
3030 if (previously_encrypted_upto == 0) {
3031 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3032 goto error_shutting_down;
3033 }
3034
3035 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3036 crypt_ftr.fs_size = nr_sec
3037 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3038 } else {
3039 crypt_ftr.fs_size = nr_sec;
3040 }
3041 /* At this point, we are in an inconsistent state. Until we successfully
3042 complete encryption, a reboot will leave us broken. So mark the
3043 encryption failed in case that happens.
3044 On successfully completing encryption, remove this flag */
3045 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3046 crypt_ftr.crypt_type = crypt_type;
3047 #ifndef CONFIG_HW_DISK_ENCRYPTION
3048 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3049 #else
3050 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3051
3052 rc = clear_hw_device_encryption_key();
3053 if (!rc) {
3054 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3055 }
3056
3057 rc = set_hw_device_encryption_key(passwd,
3058 (char*) crypt_ftr.crypto_type_name);
3059 if (!rc) {
3060 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3061 goto error_shutting_down;
3062 }
3063 #endif
3064
3065 /* Make an encrypted master key */
3066 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3067 SLOGE("Cannot create encrypted master key\n");
3068 goto error_shutting_down;
3069 }
3070
3071 /* Write the key to the end of the partition */
3072 put_crypt_ftr_and_key(&crypt_ftr);
3073
3074 /* If any persistent data has been remembered, save it.
3075 * If none, create a valid empty table and save that.
3076 */
3077 if (!persist_data) {
3078 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3079 if (pdata) {
3080 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3081 persist_data = pdata;
3082 }
3083 }
3084 if (persist_data) {
3085 save_persistent_data();
3086 }
3087 }
3088
3089 if (how == CRYPTO_ENABLE_INPLACE) {
3090 /* startup service classes main and late_start */
3091 property_set("vold.decrypt", "trigger_restart_min_framework");
3092 SLOGD("Just triggered restart_min_framework\n");
3093
3094 /* OK, the framework is restarted and will soon be showing a
3095 * progress bar. Time to setup an encrypted mapping, and
3096 * either write a new filesystem, or encrypt in place updating
3097 * the progress bar as we work.
3098 */
3099 }
3100
3101 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3102 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3103 "userdata");
3104
3105 /* If we are continuing, check checksums match */
3106 rc = 0;
3107 if (previously_encrypted_upto) {
3108 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3109 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3110
3111 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3112 sizeof(hash_first_block)) != 0) {
3113 SLOGE("Checksums do not match - trigger wipe");
3114 rc = -1;
3115 }
3116 }
3117
3118 if (!rc) {
3119 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3120 crypto_blkdev, real_blkdev,
3121 previously_encrypted_upto);
3122 }
3123
3124 /* Calculate checksum if we are not finished */
3125 if (!rc && how == CRYPTO_ENABLE_INPLACE
3126 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3127 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3128 crypt_ftr.hash_first_block);
3129 if (rc) {
3130 SLOGE("Error calculating checksum for continuing encryption");
3131 rc = -1;
3132 }
3133 }
3134
3135 /* Undo the dm-crypt mapping whether we succeed or not */
3136 delete_crypto_blk_dev("userdata");
3137
3138 if (! rc) {
3139 /* Success */
3140 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3141
3142 if (how == CRYPTO_ENABLE_INPLACE
3143 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3144 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3145 crypt_ftr.encrypted_upto);
3146 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3147 }
3148
3149 put_crypt_ftr_and_key(&crypt_ftr);
3150
3151 if (how == CRYPTO_ENABLE_WIPE
3152 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3153 char value[PROPERTY_VALUE_MAX];
3154 property_get("ro.crypto.state", value, "");
3155 if (!strcmp(value, "")) {
3156 /* default encryption - continue first boot sequence */
3157 property_set("ro.crypto.state", "encrypted");
3158 release_wake_lock(lockid);
3159 cryptfs_check_passwd(DEFAULT_PASSWORD);
3160 cryptfs_restart_internal(1);
3161 return 0;
3162 } else {
3163 sleep(2); /* Give the UI a chance to show 100% progress */
3164 cryptfs_reboot(reboot);
3165 }
3166 } else {
3167 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3168 cryptfs_reboot(shutdown);
3169 }
3170 } else {
3171 char value[PROPERTY_VALUE_MAX];
3172
3173 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3174 if (!strcmp(value, "1")) {
3175 /* wipe data if encryption failed */
3176 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3177 mkdir("/cache/recovery", 0700);
3178 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
3179 if (fd >= 0) {
3180 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3181 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3182 close(fd);
3183 } else {
3184 SLOGE("could not open /cache/recovery/command\n");
3185 }
3186 cryptfs_reboot(recovery);
3187 } else {
3188 /* set property to trigger dialog */
3189 property_set("vold.encrypt_progress", "error_partially_encrypted");
3190 release_wake_lock(lockid);
3191 }
3192 return -1;
3193 }
3194
3195 /* hrm, the encrypt step claims success, but the reboot failed.
3196 * This should not happen.
3197 * Set the property and return. Hope the framework can deal with it.
3198 */
3199 property_set("vold.encrypt_progress", "error_reboot_failed");
3200 release_wake_lock(lockid);
3201 return rc;
3202
3203 error_unencrypted:
3204 property_set("vold.encrypt_progress", "error_not_encrypted");
3205 if (lockid[0]) {
3206 release_wake_lock(lockid);
3207 }
3208 return -1;
3209
3210 error_shutting_down:
3211 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3212 * but the framework is stopped and not restarted to show the error, so it's up to
3213 * vold to restart the system.
3214 */
3215 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3216 cryptfs_reboot(reboot);
3217
3218 /* shouldn't get here */
3219 property_set("vold.encrypt_progress", "error_shutting_down");
3220 if (lockid[0]) {
3221 release_wake_lock(lockid);
3222 }
3223 return -1;
3224 }
3225
3226 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3227 {
3228 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
3229 }
3230
3231 int cryptfs_enable_default(char *howarg, int allow_reboot)
3232 {
3233 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3234 DEFAULT_PASSWORD, allow_reboot);
3235 }
3236
3237 int cryptfs_changepw(int crypt_type, const char *newpw)
3238 {
3239 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3240 return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw);
3241 }
3242
3243 struct crypt_mnt_ftr crypt_ftr;
3244 int rc;
3245
3246 /* This is only allowed after we've successfully decrypted the master key */
3247 if (!master_key_saved) {
3248 SLOGE("Key not saved, aborting");
3249 return -1;
3250 }
3251
3252 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3253 SLOGE("Invalid crypt_type %d", crypt_type);
3254 return -1;
3255 }
3256
3257 /* get key */
3258 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3259 SLOGE("Error getting crypt footer and key");
3260 return -1;
3261 }
3262
3263 crypt_ftr.crypt_type = crypt_type;
3264
3265 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3266 : newpw,
3267 crypt_ftr.salt,
3268 saved_master_key,
3269 crypt_ftr.master_key,
3270 &crypt_ftr);
3271 if (rc) {
3272 SLOGE("Encrypt master key failed: %d", rc);
3273 return -1;
3274 }
3275 /* save the key */
3276 put_crypt_ftr_and_key(&crypt_ftr);
3277
3278 #ifdef CONFIG_HW_DISK_ENCRYPTION
3279 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3280 if (crypt_type == CRYPT_TYPE_DEFAULT) {
3281 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3282 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3283 if (!rc)
3284 return -1;
3285 } else {
3286 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3287 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3288 if (!rc)
3289 return -1;
3290 }
3291 }
3292 #endif
3293 return 0;
3294 }
3295
3296 static unsigned int persist_get_max_entries(int encrypted) {
3297 struct crypt_mnt_ftr crypt_ftr;
3298 unsigned int dsize;
3299 unsigned int max_persistent_entries;
3300
3301 /* If encrypted, use the values from the crypt_ftr, otherwise
3302 * use the values for the current spec.
3303 */
3304 if (encrypted) {
3305 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3306 return -1;
3307 }
3308 dsize = crypt_ftr.persist_data_size;
3309 } else {
3310 dsize = CRYPT_PERSIST_DATA_SIZE;
3311 }
3312
3313 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3314 sizeof(struct crypt_persist_entry);
3315
3316 return max_persistent_entries;
3317 }
3318
3319 static int persist_get_key(const char *fieldname, char *value)
3320 {
3321 unsigned int i;
3322
3323 if (persist_data == NULL) {
3324 return -1;
3325 }
3326 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3327 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3328 /* We found it! */
3329 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3330 return 0;
3331 }
3332 }
3333
3334 return -1;
3335 }
3336
3337 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3338 {
3339 unsigned int i;
3340 unsigned int num;
3341 unsigned int max_persistent_entries;
3342
3343 if (persist_data == NULL) {
3344 return -1;
3345 }
3346
3347 max_persistent_entries = persist_get_max_entries(encrypted);
3348
3349 num = persist_data->persist_valid_entries;
3350
3351 for (i = 0; i < num; i++) {
3352 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3353 /* We found an existing entry, update it! */
3354 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3355 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3356 return 0;
3357 }
3358 }
3359
3360 /* We didn't find it, add it to the end, if there is room */
3361 if (persist_data->persist_valid_entries < max_persistent_entries) {
3362 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3363 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3364 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3365 persist_data->persist_valid_entries++;
3366 return 0;
3367 }
3368
3369 return -1;
3370 }
3371
3372 /**
3373 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3374 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3375 */
3376 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3377 unsigned int field_len;
3378 unsigned int key_index;
3379 field_len = strlen(field);
3380
3381 if (index == 0) {
3382 // The first key in a multi-entry field is just the filedname itself.
3383 if (!strcmp(key, field)) {
3384 return 1;
3385 }
3386 }
3387 // Match key against "%s_%d" % (field, index)
3388 if (strlen(key) < field_len + 1 + 1) {
3389 // Need at least a '_' and a digit.
3390 return 0;
3391 }
3392 if (strncmp(key, field, field_len)) {
3393 // If the key does not begin with field, it's not a match.
3394 return 0;
3395 }
3396 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3397 return 0;
3398 }
3399 return key_index >= index;
3400 }
3401
3402 /*
3403 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3404 * remaining entries starting from index will be deleted.
3405 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3406 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3407 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3408 *
3409 */
3410 static int persist_del_keys(const char *fieldname, unsigned index)
3411 {
3412 unsigned int i;
3413 unsigned int j;
3414 unsigned int num;
3415
3416 if (persist_data == NULL) {
3417 return PERSIST_DEL_KEY_ERROR_OTHER;
3418 }
3419
3420 num = persist_data->persist_valid_entries;
3421
3422 j = 0; // points to the end of non-deleted entries.
3423 // Filter out to-be-deleted entries in place.
3424 for (i = 0; i < num; i++) {
3425 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3426 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3427 j++;
3428 }
3429 }
3430
3431 if (j < num) {
3432 persist_data->persist_valid_entries = j;
3433 // Zeroise the remaining entries
3434 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3435 return PERSIST_DEL_KEY_OK;
3436 } else {
3437 // Did not find an entry matching the given fieldname
3438 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3439 }
3440 }
3441
3442 static int persist_count_keys(const char *fieldname)
3443 {
3444 unsigned int i;
3445 unsigned int count;
3446
3447 if (persist_data == NULL) {
3448 return -1;
3449 }
3450
3451 count = 0;
3452 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3453 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3454 count++;
3455 }
3456 }
3457
3458 return count;
3459 }
3460
3461 /* Return the value of the specified field. */
3462 int cryptfs_getfield(const char *fieldname, char *value, int len)
3463 {
3464 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3465 return e4crypt_get_field(DATA_MNT_POINT, fieldname, value, len);
3466 }
3467
3468 char temp_value[PROPERTY_VALUE_MAX];
3469 /* CRYPTO_GETFIELD_OK is success,
3470 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3471 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3472 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3473 */
3474 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3475 int i;
3476 char temp_field[PROPERTY_KEY_MAX];
3477
3478 if (persist_data == NULL) {
3479 load_persistent_data();
3480 if (persist_data == NULL) {
3481 SLOGE("Getfield error, cannot load persistent data");
3482 goto out;
3483 }
3484 }
3485
3486 // Read value from persistent entries. If the original value is split into multiple entries,
3487 // stitch them back together.
3488 if (!persist_get_key(fieldname, temp_value)) {
3489 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3490 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3491 // value too small
3492 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3493 goto out;
3494 }
3495 rc = CRYPTO_GETFIELD_OK;
3496
3497 for (i = 1; /* break explicitly */; i++) {
3498 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3499 (int) sizeof(temp_field)) {
3500 // If the fieldname is very long, we stop as soon as it begins to overflow the
3501 // maximum field length. At this point we have in fact fully read out the original
3502 // value because cryptfs_setfield would not allow fields with longer names to be
3503 // written in the first place.
3504 break;
3505 }
3506 if (!persist_get_key(temp_field, temp_value)) {
3507 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3508 // value too small.
3509 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3510 goto out;
3511 }
3512 } else {
3513 // Exhaust all entries.
3514 break;
3515 }
3516 }
3517 } else {
3518 /* Sadness, it's not there. Return the error */
3519 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3520 }
3521
3522 out:
3523 return rc;
3524 }
3525
3526 /* Set the value of the specified field. */
3527 int cryptfs_setfield(const char *fieldname, const char *value)
3528 {
3529 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3530 return e4crypt_set_field(DATA_MNT_POINT, fieldname, value);
3531 }
3532
3533 char encrypted_state[PROPERTY_VALUE_MAX];
3534 /* 0 is success, negative values are error */
3535 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3536 int encrypted = 0;
3537 unsigned int field_id;
3538 char temp_field[PROPERTY_KEY_MAX];
3539 unsigned int num_entries;
3540 unsigned int max_keylen;
3541
3542 if (persist_data == NULL) {
3543 load_persistent_data();
3544 if (persist_data == NULL) {
3545 SLOGE("Setfield error, cannot load persistent data");
3546 goto out;
3547 }
3548 }
3549
3550 property_get("ro.crypto.state", encrypted_state, "");
3551 if (!strcmp(encrypted_state, "encrypted") ) {
3552 encrypted = 1;
3553 }
3554
3555 // Compute the number of entries required to store value, each entry can store up to
3556 // (PROPERTY_VALUE_MAX - 1) chars
3557 if (strlen(value) == 0) {
3558 // Empty value also needs one entry to store.
3559 num_entries = 1;
3560 } else {
3561 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3562 }
3563
3564 max_keylen = strlen(fieldname);
3565 if (num_entries > 1) {
3566 // Need an extra "_%d" suffix.
3567 max_keylen += 1 + log10(num_entries);
3568 }
3569 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3570 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3571 goto out;
3572 }
3573
3574 // Make sure we have enough space to write the new value
3575 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3576 persist_get_max_entries(encrypted)) {
3577 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3578 goto out;
3579 }
3580
3581 // Now that we know persist_data has enough space for value, let's delete the old field first
3582 // to make up space.
3583 persist_del_keys(fieldname, 0);
3584
3585 if (persist_set_key(fieldname, value, encrypted)) {
3586 // fail to set key, should not happen as we have already checked the available space
3587 SLOGE("persist_set_key() error during setfield()");
3588 goto out;
3589 }
3590
3591 for (field_id = 1; field_id < num_entries; field_id++) {
3592 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3593
3594 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3595 // fail to set key, should not happen as we have already checked the available space.
3596 SLOGE("persist_set_key() error during setfield()");
3597 goto out;
3598 }
3599 }
3600
3601 /* If we are running encrypted, save the persistent data now */
3602 if (encrypted) {
3603 if (save_persistent_data()) {
3604 SLOGE("Setfield error, cannot save persistent data");
3605 goto out;
3606 }
3607 }
3608
3609 rc = CRYPTO_SETFIELD_OK;
3610
3611 out:
3612 return rc;
3613 }
3614
3615 /* Checks userdata. Attempt to mount the volume if default-
3616 * encrypted.
3617 * On success trigger next init phase and return 0.
3618 * Currently do not handle failure - see TODO below.
3619 */
3620 int cryptfs_mount_default_encrypted(void)
3621 {
3622 char decrypt_state[PROPERTY_VALUE_MAX];
3623 property_get("vold.decrypt", decrypt_state, "0");
3624 if (!strcmp(decrypt_state, "0")) {
3625 SLOGE("Not encrypted - should not call here");
3626 } else {
3627 int crypt_type = cryptfs_get_password_type();
3628 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3629 SLOGE("Bad crypt type - error");
3630 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3631 SLOGD("Password is not default - "
3632 "starting min framework to prompt");
3633 property_set("vold.decrypt", "trigger_restart_min_framework");
3634 return 0;
3635 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3636 SLOGD("Password is default - restarting filesystem");
3637 cryptfs_restart_internal(0);
3638 return 0;
3639 } else {
3640 SLOGE("Encrypted, default crypt type but can't decrypt");
3641 }
3642 }
3643
3644 /** Corrupt. Allow us to boot into framework, which will detect bad
3645 crypto when it calls do_crypto_complete, then do a factory reset
3646 */
3647 property_set("vold.decrypt", "trigger_restart_min_framework");
3648 return 0;
3649 }
3650
3651 /* Returns type of the password, default, pattern, pin or password.
3652 */
3653 int cryptfs_get_password_type(void)
3654 {
3655 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3656 return e4crypt_get_password_type(DATA_MNT_POINT);
3657 }
3658
3659 struct crypt_mnt_ftr crypt_ftr;
3660
3661 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3662 SLOGE("Error getting crypt footer and key\n");
3663 return -1;
3664 }
3665
3666 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3667 return -1;
3668 }
3669
3670 return crypt_ftr.crypt_type;
3671 }
3672
3673 const char* cryptfs_get_password()
3674 {
3675 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3676 return e4crypt_get_password(DATA_MNT_POINT);
3677 }
3678
3679 struct timespec now;
3680 clock_gettime(CLOCK_BOOTTIME, &now);
3681 if (now.tv_sec < password_expiry_time) {
3682 return password;
3683 } else {
3684 cryptfs_clear_password();
3685 return 0;
3686 }
3687 }
3688
3689 void cryptfs_clear_password()
3690 {
3691 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3692 e4crypt_clear_password(DATA_MNT_POINT);
3693 }
3694
3695 if (password) {
3696 size_t len = strlen(password);
3697 memset(password, 0, len);
3698 free(password);
3699 password = 0;
3700 password_expiry_time = 0;
3701 }
3702 }
3703
3704 int cryptfs_enable_file()
3705 {
3706 return e4crypt_enable(DATA_MNT_POINT);
3707 }
3708
3709 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3710 {
3711 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3712 SLOGE("Failed to initialize crypt_ftr");
3713 return -1;
3714 }
3715
3716 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3717 crypt_ftr->salt, crypt_ftr)) {
3718 SLOGE("Cannot create encrypted master key\n");
3719 return -1;
3720 }
3721
3722 //crypt_ftr->keysize = key_length / 8;
3723 return 0;
3724 }
3725
3726 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3727 unsigned char* master_key)
3728 {
3729 int rc;
3730
3731 unsigned char* intermediate_key = 0;
3732 size_t intermediate_key_size = 0;
3733
3734 if (password == 0 || *password == 0) {
3735 password = DEFAULT_PASSWORD;
3736 }
3737
3738 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3739 &intermediate_key_size);
3740
3741 int N = 1 << ftr->N_factor;
3742 int r = 1 << ftr->r_factor;
3743 int p = 1 << ftr->p_factor;
3744
3745 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3746
3747 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3748 ftr->salt, sizeof(ftr->salt), N, r, p,
3749 scrypted_intermediate_key,
3750 sizeof(scrypted_intermediate_key));
3751
3752 free(intermediate_key);
3753
3754 if (rc) {
3755 SLOGE("Can't calculate intermediate key");
3756 return rc;
3757 }
3758
3759 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3760 intermediate_key_size);
3761 }
3762
3763 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3764 const unsigned char* master_key)
3765 {
3766 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3767 ftr);
3768 }
3769