1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4.h>
42 #include <linux/kdev_t.h>
43 #include <fs_mgr.h>
44 #include <time.h>
45 #include <math.h>
46 #include <selinux/selinux.h>
47 #include "cryptfs.h"
48 #include "secontext.h"
49 #define LOG_TAG "Cryptfs"
50 #include "cutils/log.h"
51 #include "cutils/properties.h"
52 #include "cutils/android_reboot.h"
53 #include "hardware_legacy/power.h"
54 #include <logwrap/logwrap.h>
55 #include "ScryptParameters.h"
56 #include "VolumeManager.h"
57 #include "VoldUtil.h"
58 #include "crypto_scrypt.h"
59 #include "Ext4Crypt.h"
60 #include "ext4_utils.h"
61 #include "f2fs_sparseblock.h"
62 #include "CheckBattery.h"
63 #include "Process.h"
64
65 #include <bootloader_message_writer.h>
66 #include <hardware/keymaster0.h>
67 #include <hardware/keymaster1.h>
68
69 #define UNUSED __attribute__((unused))
70
71 #define UNUSED __attribute__((unused))
72
73 #ifdef CONFIG_HW_DISK_ENCRYPTION
74 #include "cryptfs_hw.h"
75 #endif
76
77 #define DM_CRYPT_BUF_SIZE 4096
78
79 #define HASH_COUNT 2000
80 #define KEY_LEN_BYTES 16
81 #define IV_LEN_BYTES 16
82
83 #define KEY_IN_FOOTER "footer"
84
85 #define DEFAULT_PASSWORD "default_password"
86
87 #define CRYPTO_BLOCK_DEVICE "userdata"
88
89 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
90
91 #define EXT4_FS 1
92 #define F2FS_FS 2
93
94 #define TABLE_LOAD_RETRIES 10
95
96 #define RSA_KEY_SIZE 2048
97 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
98 #define RSA_EXPONENT 0x10001
99 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
100
101 #define RETRY_MOUNT_ATTEMPTS 10
102 #define RETRY_MOUNT_DELAY_SECONDS 1
103
104 char *me = "cryptfs";
105
106 static unsigned char saved_master_key[KEY_LEN_BYTES];
107 static char *saved_mount_point;
108 static int master_key_saved = 0;
109 static struct crypt_persist_data *persist_data = NULL;
110
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)111 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
112 keymaster1_device_t **keymaster1_dev)
113 {
114 int rc;
115
116 const hw_module_t* mod;
117 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
118 if (rc) {
119 ALOGE("could not find any keystore module");
120 goto err;
121 }
122
123 SLOGI("keymaster module name is %s", mod->name);
124 SLOGI("keymaster version is %d", mod->module_api_version);
125
126 *keymaster0_dev = NULL;
127 *keymaster1_dev = NULL;
128 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
129 SLOGI("Found keymaster1 module, using keymaster1 API.");
130 rc = keymaster1_open(mod, keymaster1_dev);
131 } else {
132 SLOGI("Found keymaster0 module, using keymaster0 API.");
133 rc = keymaster0_open(mod, keymaster0_dev);
134 }
135
136 if (rc) {
137 ALOGE("could not open keymaster device in %s (%s)",
138 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
139 goto err;
140 }
141
142 return 0;
143
144 err:
145 *keymaster0_dev = NULL;
146 *keymaster1_dev = NULL;
147 return rc;
148 }
149
150 /* Should we use keymaster? */
keymaster_check_compatibility()151 static int keymaster_check_compatibility()
152 {
153 keymaster0_device_t *keymaster0_dev = 0;
154 keymaster1_device_t *keymaster1_dev = 0;
155 int rc = 0;
156
157 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
158 SLOGE("Failed to init keymaster");
159 rc = -1;
160 goto out;
161 }
162
163 if (keymaster1_dev) {
164 rc = 1;
165 goto out;
166 }
167
168 if (!keymaster0_dev || !keymaster0_dev->common.module) {
169 rc = -1;
170 goto out;
171 }
172
173 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
174 // should work.
175 if (keymaster0_dev->common.module->module_api_version
176 < KEYMASTER_MODULE_API_VERSION_0_3) {
177 rc = 0;
178 goto out;
179 }
180
181 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
182 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
183 rc = 1;
184 }
185
186 out:
187 if (keymaster1_dev) {
188 keymaster1_close(keymaster1_dev);
189 }
190 if (keymaster0_dev) {
191 keymaster0_close(keymaster0_dev);
192 }
193 return rc;
194 }
195
196 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)197 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
198 {
199 uint8_t* key = 0;
200 keymaster0_device_t *keymaster0_dev = 0;
201 keymaster1_device_t *keymaster1_dev = 0;
202
203 if (ftr->keymaster_blob_size) {
204 SLOGI("Already have key");
205 return 0;
206 }
207
208 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
209 SLOGE("Failed to init keymaster");
210 return -1;
211 }
212
213 int rc = 0;
214 size_t key_size = 0;
215 if (keymaster1_dev) {
216 keymaster_key_param_t params[] = {
217 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
218 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
219 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
220 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
221
222 /* The only allowed purpose for this key is signing. */
223 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
224
225 /* Padding & digest specifications. */
226 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
227 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
228
229 /* Require that the key be usable in standalone mode. File system isn't available. */
230 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
231
232 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
233 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
234
235 /* Rate-limit key usage attempts, to rate-limit brute force */
236 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
237 };
238 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
239 keymaster_key_blob_t key_blob;
240 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set,
241 &key_blob,
242 NULL /* characteristics */);
243 if (error != KM_ERROR_OK) {
244 SLOGE("Failed to generate keymaster1 key, error %d", error);
245 rc = -1;
246 goto out;
247 }
248
249 key = (uint8_t*)key_blob.key_material;
250 key_size = key_blob.key_material_size;
251 }
252 else if (keymaster0_dev) {
253 keymaster_rsa_keygen_params_t params;
254 memset(¶ms, '\0', sizeof(params));
255 params.public_exponent = RSA_EXPONENT;
256 params.modulus_size = RSA_KEY_SIZE;
257
258 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms,
259 &key, &key_size)) {
260 SLOGE("Failed to generate keypair");
261 rc = -1;
262 goto out;
263 }
264 } else {
265 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
266 rc = -1;
267 goto out;
268 }
269
270 if (key_size > KEYMASTER_BLOB_SIZE) {
271 SLOGE("Keymaster key too large for crypto footer");
272 rc = -1;
273 goto out;
274 }
275
276 memcpy(ftr->keymaster_blob, key, key_size);
277 ftr->keymaster_blob_size = key_size;
278
279 out:
280 if (keymaster0_dev)
281 keymaster0_close(keymaster0_dev);
282 if (keymaster1_dev)
283 keymaster1_close(keymaster1_dev);
284 free(key);
285 return rc;
286 }
287
288 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)289 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
290 const unsigned char *object,
291 const size_t object_size,
292 unsigned char **signature,
293 size_t *signature_size)
294 {
295 int rc = 0;
296 keymaster0_device_t *keymaster0_dev = 0;
297 keymaster1_device_t *keymaster1_dev = 0;
298 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
299 SLOGE("Failed to init keymaster");
300 rc = -1;
301 goto out;
302 }
303
304 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
305 size_t to_sign_size = sizeof(to_sign);
306 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
307
308 // To sign a message with RSA, the message must satisfy two
309 // constraints:
310 //
311 // 1. The message, when interpreted as a big-endian numeric value, must
312 // be strictly less than the public modulus of the RSA key. Note
313 // that because the most significant bit of the public modulus is
314 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
315 // key), an n-bit message with most significant bit 0 always
316 // satisfies this requirement.
317 //
318 // 2. The message must have the same length in bits as the public
319 // modulus of the RSA key. This requirement isn't mathematically
320 // necessary, but is necessary to ensure consistency in
321 // implementations.
322 switch (ftr->kdf_type) {
323 case KDF_SCRYPT_KEYMASTER:
324 // This ensures the most significant byte of the signed message
325 // is zero. We could have zero-padded to the left instead, but
326 // this approach is slightly more robust against changes in
327 // object size. However, it's still broken (but not unusably
328 // so) because we really should be using a proper deterministic
329 // RSA padding function, such as PKCS1.
330 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
331 SLOGI("Signing safely-padded object");
332 break;
333 default:
334 SLOGE("Unknown KDF type %d", ftr->kdf_type);
335 rc = -1;
336 goto out;
337 }
338
339 if (keymaster0_dev) {
340 keymaster_rsa_sign_params_t params;
341 params.digest_type = DIGEST_NONE;
342 params.padding_type = PADDING_NONE;
343
344 rc = keymaster0_dev->sign_data(keymaster0_dev,
345 ¶ms,
346 ftr->keymaster_blob,
347 ftr->keymaster_blob_size,
348 to_sign,
349 to_sign_size,
350 signature,
351 signature_size);
352 goto out;
353 } else if (keymaster1_dev) {
354 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
355 keymaster_key_param_t params[] = {
356 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
357 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
358 };
359 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
360 keymaster_operation_handle_t op_handle;
361 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
362 ¶m_set, NULL /* out_params */,
363 &op_handle);
364 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
365 // Key usage has been rate-limited. Wait a bit and try again.
366 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
367 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
368 ¶m_set, NULL /* out_params */,
369 &op_handle);
370 }
371 if (error != KM_ERROR_OK) {
372 SLOGE("Error starting keymaster signature transaction: %d", error);
373 rc = -1;
374 goto out;
375 }
376
377 keymaster_blob_t input = { to_sign, to_sign_size };
378 size_t input_consumed;
379 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
380 &input, &input_consumed, NULL /* out_params */,
381 NULL /* output */);
382 if (error != KM_ERROR_OK) {
383 SLOGE("Error sending data to keymaster signature transaction: %d", error);
384 rc = -1;
385 goto out;
386 }
387 if (input_consumed != to_sign_size) {
388 // This should never happen. If it does, it's a bug in the keymaster implementation.
389 SLOGE("Keymaster update() did not consume all data.");
390 keymaster1_dev->abort(keymaster1_dev, op_handle);
391 rc = -1;
392 goto out;
393 }
394
395 keymaster_blob_t tmp_sig;
396 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
397 NULL /* verify signature */, NULL /* out_params */,
398 &tmp_sig);
399 if (error != KM_ERROR_OK) {
400 SLOGE("Error finishing keymaster signature transaction: %d", error);
401 rc = -1;
402 goto out;
403 }
404
405 *signature = (uint8_t*)tmp_sig.data;
406 *signature_size = tmp_sig.data_length;
407 } else {
408 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
409 rc = -1;
410 goto out;
411 }
412
413 out:
414 if (keymaster1_dev)
415 keymaster1_close(keymaster1_dev);
416 if (keymaster0_dev)
417 keymaster0_close(keymaster0_dev);
418
419 return rc;
420 }
421
422 /* Store password when userdata is successfully decrypted and mounted.
423 * Cleared by cryptfs_clear_password
424 *
425 * To avoid a double prompt at boot, we need to store the CryptKeeper
426 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
427 * Since the entire framework is torn down and rebuilt after encryption,
428 * we have to use a daemon or similar to store the password. Since vold
429 * is secured against IPC except from system processes, it seems a reasonable
430 * place to store this.
431 *
432 * password should be cleared once it has been used.
433 *
434 * password is aged out after password_max_age_seconds seconds.
435 */
436 static char* password = 0;
437 static int password_expiry_time = 0;
438 static const int password_max_age_seconds = 60;
439
440 extern struct fstab *fstab;
441
442 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)443 static void cryptfs_reboot(enum RebootType rt)
444 {
445 switch(rt) {
446 case reboot:
447 property_set(ANDROID_RB_PROPERTY, "reboot");
448 break;
449
450 case recovery:
451 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
452 break;
453
454 case shutdown:
455 property_set(ANDROID_RB_PROPERTY, "shutdown");
456 break;
457 }
458
459 sleep(20);
460
461 /* Shouldn't get here, reboot should happen before sleep times out */
462 return;
463 }
464
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)465 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
466 {
467 memset(io, 0, dataSize);
468 io->data_size = dataSize;
469 io->data_start = sizeof(struct dm_ioctl);
470 io->version[0] = 4;
471 io->version[1] = 0;
472 io->version[2] = 0;
473 io->flags = flags;
474 if (name) {
475 strlcpy(io->name, name, sizeof(io->name));
476 }
477 }
478
479 /**
480 * Gets the default device scrypt parameters for key derivation time tuning.
481 * The parameters should lead to about one second derivation time for the
482 * given device.
483 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)484 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
485 char paramstr[PROPERTY_VALUE_MAX];
486 int Nf, rf, pf;
487
488 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
489 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
490 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
491 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
492 }
493 ftr->N_factor = Nf;
494 ftr->r_factor = rf;
495 ftr->p_factor = pf;
496 }
497
get_fs_size(char * dev)498 static unsigned int get_fs_size(char *dev)
499 {
500 int fd, block_size;
501 struct ext4_super_block sb;
502 off64_t len;
503
504 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
505 SLOGE("Cannot open device to get filesystem size ");
506 return 0;
507 }
508
509 if (lseek64(fd, 1024, SEEK_SET) < 0) {
510 SLOGE("Cannot seek to superblock");
511 return 0;
512 }
513
514 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
515 SLOGE("Cannot read superblock");
516 return 0;
517 }
518
519 close(fd);
520
521 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
522 SLOGE("Not a valid ext4 superblock");
523 return 0;
524 }
525 block_size = 1024 << sb.s_log_block_size;
526 /* compute length in bytes */
527 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
528
529 /* return length in sectors */
530 return (unsigned int) (len / 512);
531 }
532
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)533 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
534 {
535 static int cached_data = 0;
536 static off64_t cached_off = 0;
537 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
538 int fd;
539 char key_loc[PROPERTY_VALUE_MAX];
540 char real_blkdev[PROPERTY_VALUE_MAX];
541 int rc = -1;
542
543 if (!cached_data) {
544 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
545
546 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
547 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
548 SLOGE("Cannot open real block device %s\n", real_blkdev);
549 return -1;
550 }
551
552 unsigned long nr_sec = 0;
553 get_blkdev_size(fd, &nr_sec);
554 if (nr_sec != 0) {
555 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
556 * encryption info footer and key, and plenty of bytes to spare for future
557 * growth.
558 */
559 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
560 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
561 cached_data = 1;
562 } else {
563 SLOGE("Cannot get size of block device %s\n", real_blkdev);
564 }
565 close(fd);
566 } else {
567 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
568 cached_off = 0;
569 cached_data = 1;
570 }
571 }
572
573 if (cached_data) {
574 if (metadata_fname) {
575 *metadata_fname = cached_metadata_fname;
576 }
577 if (off) {
578 *off = cached_off;
579 }
580 rc = 0;
581 }
582
583 return rc;
584 }
585
586 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)587 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
588 {
589 SHA256_CTX c;
590 SHA256_Init(&c);
591 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
592 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
593 SHA256_Final(crypt_ftr->sha256, &c);
594 }
595
596 /* key or salt can be NULL, in which case just skip writing that value. Useful to
597 * update the failed mount count but not change the key.
598 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)599 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
600 {
601 int fd;
602 unsigned int cnt;
603 /* starting_off is set to the SEEK_SET offset
604 * where the crypto structure starts
605 */
606 off64_t starting_off;
607 int rc = -1;
608 char *fname = NULL;
609 struct stat statbuf;
610
611 set_ftr_sha(crypt_ftr);
612
613 if (get_crypt_ftr_info(&fname, &starting_off)) {
614 SLOGE("Unable to get crypt_ftr_info\n");
615 return -1;
616 }
617 if (fname[0] != '/') {
618 SLOGE("Unexpected value for crypto key location\n");
619 return -1;
620 }
621 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
622 SLOGE("Cannot open footer file %s for put\n", fname);
623 return -1;
624 }
625
626 /* Seek to the start of the crypt footer */
627 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
628 SLOGE("Cannot seek to real block device footer\n");
629 goto errout;
630 }
631
632 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
633 SLOGE("Cannot write real block device footer\n");
634 goto errout;
635 }
636
637 fstat(fd, &statbuf);
638 /* If the keys are kept on a raw block device, do not try to truncate it. */
639 if (S_ISREG(statbuf.st_mode)) {
640 if (ftruncate(fd, 0x4000)) {
641 SLOGE("Cannot set footer file size\n");
642 goto errout;
643 }
644 }
645
646 /* Success! */
647 rc = 0;
648
649 errout:
650 close(fd);
651 return rc;
652
653 }
654
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)655 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
656 {
657 struct crypt_mnt_ftr copy;
658 memcpy(©, crypt_ftr, sizeof(copy));
659 set_ftr_sha(©);
660 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
661 }
662
unix_read(int fd,void * buff,int len)663 static inline int unix_read(int fd, void* buff, int len)
664 {
665 return TEMP_FAILURE_RETRY(read(fd, buff, len));
666 }
667
unix_write(int fd,const void * buff,int len)668 static inline int unix_write(int fd, const void* buff, int len)
669 {
670 return TEMP_FAILURE_RETRY(write(fd, buff, len));
671 }
672
init_empty_persist_data(struct crypt_persist_data * pdata,int len)673 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
674 {
675 memset(pdata, 0, len);
676 pdata->persist_magic = PERSIST_DATA_MAGIC;
677 pdata->persist_valid_entries = 0;
678 }
679
680 /* A routine to update the passed in crypt_ftr to the lastest version.
681 * fd is open read/write on the device that holds the crypto footer and persistent
682 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
683 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
684 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)685 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
686 {
687 int orig_major = crypt_ftr->major_version;
688 int orig_minor = crypt_ftr->minor_version;
689
690 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
691 struct crypt_persist_data *pdata;
692 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
693
694 SLOGW("upgrading crypto footer to 1.1");
695
696 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
697 if (pdata == NULL) {
698 SLOGE("Cannot allocate persisent data\n");
699 return;
700 }
701 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
702
703 /* Need to initialize the persistent data area */
704 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
705 SLOGE("Cannot seek to persisent data offset\n");
706 free(pdata);
707 return;
708 }
709 /* Write all zeros to the first copy, making it invalid */
710 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
711
712 /* Write a valid but empty structure to the second copy */
713 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
714 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
715
716 /* Update the footer */
717 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
718 crypt_ftr->persist_data_offset[0] = pdata_offset;
719 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
720 crypt_ftr->minor_version = 1;
721 free(pdata);
722 }
723
724 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
725 SLOGW("upgrading crypto footer to 1.2");
726 /* But keep the old kdf_type.
727 * It will get updated later to KDF_SCRYPT after the password has been verified.
728 */
729 crypt_ftr->kdf_type = KDF_PBKDF2;
730 get_device_scrypt_params(crypt_ftr);
731 crypt_ftr->minor_version = 2;
732 }
733
734 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
735 SLOGW("upgrading crypto footer to 1.3");
736 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
737 crypt_ftr->minor_version = 3;
738 }
739
740 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
741 if (lseek64(fd, offset, SEEK_SET) == -1) {
742 SLOGE("Cannot seek to crypt footer\n");
743 return;
744 }
745 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
746 }
747 }
748
749
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)750 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
751 {
752 int fd;
753 unsigned int cnt;
754 off64_t starting_off;
755 int rc = -1;
756 char *fname = NULL;
757 struct stat statbuf;
758
759 if (get_crypt_ftr_info(&fname, &starting_off)) {
760 SLOGE("Unable to get crypt_ftr_info\n");
761 return -1;
762 }
763 if (fname[0] != '/') {
764 SLOGE("Unexpected value for crypto key location\n");
765 return -1;
766 }
767 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
768 SLOGE("Cannot open footer file %s for get\n", fname);
769 return -1;
770 }
771
772 /* Make sure it's 16 Kbytes in length */
773 fstat(fd, &statbuf);
774 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
775 SLOGE("footer file %s is not the expected size!\n", fname);
776 goto errout;
777 }
778
779 /* Seek to the start of the crypt footer */
780 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
781 SLOGE("Cannot seek to real block device footer\n");
782 goto errout;
783 }
784
785 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
786 SLOGE("Cannot read real block device footer\n");
787 goto errout;
788 }
789
790 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
791 SLOGE("Bad magic for real block device %s\n", fname);
792 goto errout;
793 }
794
795 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
796 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
797 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
798 goto errout;
799 }
800
801 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
802 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
803 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
804 }
805
806 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
807 * copy on disk before returning.
808 */
809 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
810 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
811 }
812
813 /* Success! */
814 rc = 0;
815
816 errout:
817 close(fd);
818 return rc;
819 }
820
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)821 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
822 {
823 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
824 crypt_ftr->persist_data_offset[1]) {
825 SLOGE("Crypt_ftr persist data regions overlap");
826 return -1;
827 }
828
829 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
830 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
831 return -1;
832 }
833
834 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
835 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
836 CRYPT_FOOTER_OFFSET) {
837 SLOGE("Persistent data extends past crypto footer");
838 return -1;
839 }
840
841 return 0;
842 }
843
load_persistent_data(void)844 static int load_persistent_data(void)
845 {
846 struct crypt_mnt_ftr crypt_ftr;
847 struct crypt_persist_data *pdata = NULL;
848 char encrypted_state[PROPERTY_VALUE_MAX];
849 char *fname;
850 int found = 0;
851 int fd;
852 int ret;
853 int i;
854
855 if (persist_data) {
856 /* Nothing to do, we've already loaded or initialized it */
857 return 0;
858 }
859
860
861 /* If not encrypted, just allocate an empty table and initialize it */
862 property_get("ro.crypto.state", encrypted_state, "");
863 if (strcmp(encrypted_state, "encrypted") ) {
864 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
865 if (pdata) {
866 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
867 persist_data = pdata;
868 return 0;
869 }
870 return -1;
871 }
872
873 if(get_crypt_ftr_and_key(&crypt_ftr)) {
874 return -1;
875 }
876
877 if ((crypt_ftr.major_version < 1)
878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
879 SLOGE("Crypt_ftr version doesn't support persistent data");
880 return -1;
881 }
882
883 if (get_crypt_ftr_info(&fname, NULL)) {
884 return -1;
885 }
886
887 ret = validate_persistent_data_storage(&crypt_ftr);
888 if (ret) {
889 return -1;
890 }
891
892 fd = open(fname, O_RDONLY|O_CLOEXEC);
893 if (fd < 0) {
894 SLOGE("Cannot open %s metadata file", fname);
895 return -1;
896 }
897
898 pdata = malloc(crypt_ftr.persist_data_size);
899 if (pdata == NULL) {
900 SLOGE("Cannot allocate memory for persistent data");
901 goto err;
902 }
903
904 for (i = 0; i < 2; i++) {
905 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
906 SLOGE("Cannot seek to read persistent data on %s", fname);
907 goto err2;
908 }
909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
910 SLOGE("Error reading persistent data on iteration %d", i);
911 goto err2;
912 }
913 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
914 found = 1;
915 break;
916 }
917 }
918
919 if (!found) {
920 SLOGI("Could not find valid persistent data, creating");
921 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
922 }
923
924 /* Success */
925 persist_data = pdata;
926 close(fd);
927 return 0;
928
929 err2:
930 free(pdata);
931
932 err:
933 close(fd);
934 return -1;
935 }
936
save_persistent_data(void)937 static int save_persistent_data(void)
938 {
939 struct crypt_mnt_ftr crypt_ftr;
940 struct crypt_persist_data *pdata;
941 char *fname;
942 off64_t write_offset;
943 off64_t erase_offset;
944 int fd;
945 int ret;
946
947 if (persist_data == NULL) {
948 SLOGE("No persistent data to save");
949 return -1;
950 }
951
952 if(get_crypt_ftr_and_key(&crypt_ftr)) {
953 return -1;
954 }
955
956 if ((crypt_ftr.major_version < 1)
957 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
958 SLOGE("Crypt_ftr version doesn't support persistent data");
959 return -1;
960 }
961
962 ret = validate_persistent_data_storage(&crypt_ftr);
963 if (ret) {
964 return -1;
965 }
966
967 if (get_crypt_ftr_info(&fname, NULL)) {
968 return -1;
969 }
970
971 fd = open(fname, O_RDWR|O_CLOEXEC);
972 if (fd < 0) {
973 SLOGE("Cannot open %s metadata file", fname);
974 return -1;
975 }
976
977 pdata = malloc(crypt_ftr.persist_data_size);
978 if (pdata == NULL) {
979 SLOGE("Cannot allocate persistant data");
980 goto err;
981 }
982
983 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
984 SLOGE("Cannot seek to read persistent data on %s", fname);
985 goto err2;
986 }
987
988 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
989 SLOGE("Error reading persistent data before save");
990 goto err2;
991 }
992
993 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
994 /* The first copy is the curent valid copy, so write to
995 * the second copy and erase this one */
996 write_offset = crypt_ftr.persist_data_offset[1];
997 erase_offset = crypt_ftr.persist_data_offset[0];
998 } else {
999 /* The second copy must be the valid copy, so write to
1000 * the first copy, and erase the second */
1001 write_offset = crypt_ftr.persist_data_offset[0];
1002 erase_offset = crypt_ftr.persist_data_offset[1];
1003 }
1004
1005 /* Write the new copy first, if successful, then erase the old copy */
1006 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1007 SLOGE("Cannot seek to write persistent data");
1008 goto err2;
1009 }
1010 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1011 (int) crypt_ftr.persist_data_size) {
1012 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1013 SLOGE("Cannot seek to erase previous persistent data");
1014 goto err2;
1015 }
1016 fsync(fd);
1017 memset(pdata, 0, crypt_ftr.persist_data_size);
1018 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1019 (int) crypt_ftr.persist_data_size) {
1020 SLOGE("Cannot write to erase previous persistent data");
1021 goto err2;
1022 }
1023 fsync(fd);
1024 } else {
1025 SLOGE("Cannot write to save persistent data");
1026 goto err2;
1027 }
1028
1029 /* Success */
1030 free(pdata);
1031 close(fd);
1032 return 0;
1033
1034 err2:
1035 free(pdata);
1036 err:
1037 close(fd);
1038 return -1;
1039 }
1040
1041 /* Convert a binary key of specified length into an ascii hex string equivalent,
1042 * without the leading 0x and with null termination
1043 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1044 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1045 unsigned int keysize, char *master_key_ascii) {
1046 unsigned int i, a;
1047 unsigned char nibble;
1048
1049 for (i=0, a=0; i<keysize; i++, a+=2) {
1050 /* For each byte, write out two ascii hex digits */
1051 nibble = (master_key[i] >> 4) & 0xf;
1052 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1053
1054 nibble = master_key[i] & 0xf;
1055 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1056 }
1057
1058 /* Add the null termination */
1059 master_key_ascii[a] = '\0';
1060
1061 }
1062
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)1063 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1064 const unsigned char *master_key, const char *real_blk_name,
1065 const char *name, int fd, const char *extra_params) {
1066 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1067 struct dm_ioctl *io;
1068 struct dm_target_spec *tgt;
1069 char *crypt_params;
1070 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1071 int i;
1072
1073 io = (struct dm_ioctl *) buffer;
1074
1075 /* Load the mapping table for this device */
1076 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1077
1078 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1079 io->target_count = 1;
1080 tgt->status = 0;
1081 tgt->sector_start = 0;
1082 tgt->length = crypt_ftr->fs_size;
1083 #ifdef CONFIG_HW_DISK_ENCRYPTION
1084 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1085 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1086 }
1087 else {
1088 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1089 }
1090 #else
1091 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1092 #endif
1093
1094 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1095 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1096 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1097 master_key_ascii, real_blk_name, extra_params);
1098 crypt_params += strlen(crypt_params) + 1;
1099 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1100 tgt->next = crypt_params - buffer;
1101
1102 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1103 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1104 break;
1105 }
1106 usleep(500000);
1107 }
1108
1109 if (i == TABLE_LOAD_RETRIES) {
1110 /* We failed to load the table, return an error */
1111 return -1;
1112 } else {
1113 return i + 1;
1114 }
1115 }
1116
1117
get_dm_crypt_version(int fd,const char * name,int * version)1118 static int get_dm_crypt_version(int fd, const char *name, int *version)
1119 {
1120 char buffer[DM_CRYPT_BUF_SIZE];
1121 struct dm_ioctl *io;
1122 struct dm_target_versions *v;
1123
1124 io = (struct dm_ioctl *) buffer;
1125
1126 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1127
1128 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1129 return -1;
1130 }
1131
1132 /* Iterate over the returned versions, looking for name of "crypt".
1133 * When found, get and return the version.
1134 */
1135 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1136 while (v->next) {
1137 #ifdef CONFIG_HW_DISK_ENCRYPTION
1138 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1139 #else
1140 if (! strcmp(v->name, "crypt")) {
1141 #endif
1142 /* We found the crypt driver, return the version, and get out */
1143 version[0] = v->version[0];
1144 version[1] = v->version[1];
1145 version[2] = v->version[2];
1146 return 0;
1147 }
1148 v = (struct dm_target_versions *)(((char *)v) + v->next);
1149 }
1150
1151 return -1;
1152 }
1153
1154 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1155 const unsigned char *master_key, const char *real_blk_name,
1156 char *crypto_blk_name, const char *name) {
1157 char buffer[DM_CRYPT_BUF_SIZE];
1158 struct dm_ioctl *io;
1159 unsigned int minor;
1160 int fd=0;
1161 int err;
1162 int retval = -1;
1163 int version[3];
1164 char *extra_params;
1165 int load_count;
1166
1167 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1168 SLOGE("Cannot open device-mapper\n");
1169 goto errout;
1170 }
1171
1172 io = (struct dm_ioctl *) buffer;
1173
1174 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1175 err = ioctl(fd, DM_DEV_CREATE, io);
1176 if (err) {
1177 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1178 goto errout;
1179 }
1180
1181 /* Get the device status, in particular, the name of it's device file */
1182 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1183 if (ioctl(fd, DM_DEV_STATUS, io)) {
1184 SLOGE("Cannot retrieve dm-crypt device status\n");
1185 goto errout;
1186 }
1187 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1188 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1189
1190 extra_params = "";
1191 if (! get_dm_crypt_version(fd, name, version)) {
1192 /* Support for allow_discards was added in version 1.11.0 */
1193 if ((version[0] >= 2) ||
1194 ((version[0] == 1) && (version[1] >= 11))) {
1195 extra_params = "1 allow_discards";
1196 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1197 }
1198 }
1199
1200 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1201 fd, extra_params);
1202 if (load_count < 0) {
1203 SLOGE("Cannot load dm-crypt mapping table.\n");
1204 goto errout;
1205 } else if (load_count > 1) {
1206 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1207 }
1208
1209 /* Resume this device to activate it */
1210 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1211
1212 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1213 SLOGE("Cannot resume the dm-crypt device\n");
1214 goto errout;
1215 }
1216
1217 /* We made it here with no errors. Woot! */
1218 retval = 0;
1219
1220 errout:
1221 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1222
1223 return retval;
1224 }
1225
1226 static int delete_crypto_blk_dev(char *name)
1227 {
1228 int fd;
1229 char buffer[DM_CRYPT_BUF_SIZE];
1230 struct dm_ioctl *io;
1231 int retval = -1;
1232
1233 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1234 SLOGE("Cannot open device-mapper\n");
1235 goto errout;
1236 }
1237
1238 io = (struct dm_ioctl *) buffer;
1239
1240 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1241 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1242 SLOGE("Cannot remove dm-crypt device\n");
1243 goto errout;
1244 }
1245
1246 /* We made it here with no errors. Woot! */
1247 retval = 0;
1248
1249 errout:
1250 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1251
1252 return retval;
1253
1254 }
1255
1256 static int pbkdf2(const char *passwd, const unsigned char *salt,
1257 unsigned char *ikey, void *params UNUSED)
1258 {
1259 SLOGI("Using pbkdf2 for cryptfs KDF");
1260
1261 /* Turn the password into a key and IV that can decrypt the master key */
1262 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1263 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1264 ikey) != 1;
1265 }
1266
1267 static int scrypt(const char *passwd, const unsigned char *salt,
1268 unsigned char *ikey, void *params)
1269 {
1270 SLOGI("Using scrypt for cryptfs KDF");
1271
1272 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1273
1274 int N = 1 << ftr->N_factor;
1275 int r = 1 << ftr->r_factor;
1276 int p = 1 << ftr->p_factor;
1277
1278 /* Turn the password into a key and IV that can decrypt the master key */
1279 unsigned int keysize;
1280 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1281 salt, SALT_LEN, N, r, p, ikey,
1282 KEY_LEN_BYTES + IV_LEN_BYTES);
1283
1284 return 0;
1285 }
1286
1287 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1288 unsigned char *ikey, void *params)
1289 {
1290 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1291
1292 int rc;
1293 size_t signature_size;
1294 unsigned char* signature;
1295 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1296
1297 int N = 1 << ftr->N_factor;
1298 int r = 1 << ftr->r_factor;
1299 int p = 1 << ftr->p_factor;
1300
1301 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1302 salt, SALT_LEN, N, r, p, ikey,
1303 KEY_LEN_BYTES + IV_LEN_BYTES);
1304
1305 if (rc) {
1306 SLOGE("scrypt failed");
1307 return -1;
1308 }
1309
1310 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1311 &signature, &signature_size)) {
1312 SLOGE("Signing failed");
1313 return -1;
1314 }
1315
1316 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1317 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1318 free(signature);
1319
1320 if (rc) {
1321 SLOGE("scrypt failed");
1322 return -1;
1323 }
1324
1325 return 0;
1326 }
1327
1328 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1329 const unsigned char *decrypted_master_key,
1330 unsigned char *encrypted_master_key,
1331 struct crypt_mnt_ftr *crypt_ftr)
1332 {
1333 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1334 EVP_CIPHER_CTX e_ctx;
1335 int encrypted_len, final_len;
1336 int rc = 0;
1337
1338 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1339 get_device_scrypt_params(crypt_ftr);
1340
1341 switch (crypt_ftr->kdf_type) {
1342 case KDF_SCRYPT_KEYMASTER:
1343 if (keymaster_create_key(crypt_ftr)) {
1344 SLOGE("keymaster_create_key failed");
1345 return -1;
1346 }
1347
1348 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1349 SLOGE("scrypt failed");
1350 return -1;
1351 }
1352 break;
1353
1354 case KDF_SCRYPT:
1355 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1356 SLOGE("scrypt failed");
1357 return -1;
1358 }
1359 break;
1360
1361 default:
1362 SLOGE("Invalid kdf_type");
1363 return -1;
1364 }
1365
1366 /* Initialize the decryption engine */
1367 EVP_CIPHER_CTX_init(&e_ctx);
1368 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1369 SLOGE("EVP_EncryptInit failed\n");
1370 return -1;
1371 }
1372 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1373
1374 /* Encrypt the master key */
1375 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1376 decrypted_master_key, KEY_LEN_BYTES)) {
1377 SLOGE("EVP_EncryptUpdate failed\n");
1378 return -1;
1379 }
1380 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1381 SLOGE("EVP_EncryptFinal failed\n");
1382 return -1;
1383 }
1384
1385 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1386 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1387 return -1;
1388 }
1389
1390 /* Store the scrypt of the intermediate key, so we can validate if it's a
1391 password error or mount error when things go wrong.
1392 Note there's no need to check for errors, since if this is incorrect, we
1393 simply won't wipe userdata, which is the correct default behavior
1394 */
1395 int N = 1 << crypt_ftr->N_factor;
1396 int r = 1 << crypt_ftr->r_factor;
1397 int p = 1 << crypt_ftr->p_factor;
1398
1399 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1400 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1401 crypt_ftr->scrypted_intermediate_key,
1402 sizeof(crypt_ftr->scrypted_intermediate_key));
1403
1404 if (rc) {
1405 SLOGE("encrypt_master_key: crypto_scrypt failed");
1406 }
1407
1408 return 0;
1409 }
1410
1411 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1412 unsigned char *encrypted_master_key,
1413 unsigned char *decrypted_master_key,
1414 kdf_func kdf, void *kdf_params,
1415 unsigned char** intermediate_key,
1416 size_t* intermediate_key_size)
1417 {
1418 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1419 EVP_CIPHER_CTX d_ctx;
1420 int decrypted_len, final_len;
1421
1422 /* Turn the password into an intermediate key and IV that can decrypt the
1423 master key */
1424 if (kdf(passwd, salt, ikey, kdf_params)) {
1425 SLOGE("kdf failed");
1426 return -1;
1427 }
1428
1429 /* Initialize the decryption engine */
1430 EVP_CIPHER_CTX_init(&d_ctx);
1431 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1432 return -1;
1433 }
1434 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1435 /* Decrypt the master key */
1436 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1437 encrypted_master_key, KEY_LEN_BYTES)) {
1438 return -1;
1439 }
1440 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1441 return -1;
1442 }
1443
1444 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1445 return -1;
1446 }
1447
1448 /* Copy intermediate key if needed by params */
1449 if (intermediate_key && intermediate_key_size) {
1450 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1451 if (intermediate_key) {
1452 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1453 *intermediate_key_size = KEY_LEN_BYTES;
1454 }
1455 }
1456
1457 return 0;
1458 }
1459
1460 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1461 {
1462 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1463 *kdf = scrypt_keymaster;
1464 *kdf_params = ftr;
1465 } else if (ftr->kdf_type == KDF_SCRYPT) {
1466 *kdf = scrypt;
1467 *kdf_params = ftr;
1468 } else {
1469 *kdf = pbkdf2;
1470 *kdf_params = NULL;
1471 }
1472 }
1473
1474 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1475 struct crypt_mnt_ftr *crypt_ftr,
1476 unsigned char** intermediate_key,
1477 size_t* intermediate_key_size)
1478 {
1479 kdf_func kdf;
1480 void *kdf_params;
1481 int ret;
1482
1483 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1484 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1485 decrypted_master_key, kdf, kdf_params,
1486 intermediate_key, intermediate_key_size);
1487 if (ret != 0) {
1488 SLOGW("failure decrypting master key");
1489 }
1490
1491 return ret;
1492 }
1493
1494 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1495 struct crypt_mnt_ftr *crypt_ftr) {
1496 int fd;
1497 unsigned char key_buf[KEY_LEN_BYTES];
1498
1499 /* Get some random bits for a key */
1500 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1501 read(fd, key_buf, sizeof(key_buf));
1502 read(fd, salt, SALT_LEN);
1503 close(fd);
1504
1505 /* Now encrypt it with the password */
1506 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1507 }
1508
1509 int wait_and_unmount(const char *mountpoint, bool kill)
1510 {
1511 int i, err, rc;
1512 #define WAIT_UNMOUNT_COUNT 20
1513
1514 /* Now umount the tmpfs filesystem */
1515 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1516 if (umount(mountpoint) == 0) {
1517 break;
1518 }
1519
1520 if (errno == EINVAL) {
1521 /* EINVAL is returned if the directory is not a mountpoint,
1522 * i.e. there is no filesystem mounted there. So just get out.
1523 */
1524 break;
1525 }
1526
1527 err = errno;
1528
1529 /* If allowed, be increasingly aggressive before the last two retries */
1530 if (kill) {
1531 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1532 SLOGW("sending SIGHUP to processes with open files\n");
1533 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1534 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1535 SLOGW("sending SIGKILL to processes with open files\n");
1536 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1537 }
1538 }
1539
1540 sleep(1);
1541 }
1542
1543 if (i < WAIT_UNMOUNT_COUNT) {
1544 SLOGD("unmounting %s succeeded\n", mountpoint);
1545 rc = 0;
1546 } else {
1547 vold_killProcessesWithOpenFiles(mountpoint, 0);
1548 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1549 rc = -1;
1550 }
1551
1552 return rc;
1553 }
1554
1555 #define DATA_PREP_TIMEOUT 1000
1556 static int prep_data_fs(void)
1557 {
1558 int i;
1559
1560 // NOTE: post_fs_data results in init calling back around to vold, so all
1561 // callers to this method must be async
1562
1563 /* Do the prep of the /data filesystem */
1564 property_set("vold.post_fs_data_done", "0");
1565 property_set("vold.decrypt", "trigger_post_fs_data");
1566 SLOGD("Just triggered post_fs_data\n");
1567
1568 /* Wait a max of 50 seconds, hopefully it takes much less */
1569 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1570 char p[PROPERTY_VALUE_MAX];
1571
1572 property_get("vold.post_fs_data_done", p, "0");
1573 if (*p == '1') {
1574 break;
1575 } else {
1576 usleep(50000);
1577 }
1578 }
1579 if (i == DATA_PREP_TIMEOUT) {
1580 /* Ugh, we failed to prep /data in time. Bail. */
1581 SLOGE("post_fs_data timed out!\n");
1582 return -1;
1583 } else {
1584 SLOGD("post_fs_data done\n");
1585 return 0;
1586 }
1587 }
1588
1589 static void cryptfs_set_corrupt()
1590 {
1591 // Mark the footer as bad
1592 struct crypt_mnt_ftr crypt_ftr;
1593 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1594 SLOGE("Failed to get crypto footer - panic");
1595 return;
1596 }
1597
1598 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1599 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1600 SLOGE("Failed to set crypto footer - panic");
1601 return;
1602 }
1603 }
1604
1605 static void cryptfs_trigger_restart_min_framework()
1606 {
1607 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1608 SLOGE("Failed to mount tmpfs on data - panic");
1609 return;
1610 }
1611
1612 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1613 SLOGE("Failed to trigger post fs data - panic");
1614 return;
1615 }
1616
1617 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1618 SLOGE("Failed to trigger restart min framework - panic");
1619 return;
1620 }
1621 }
1622
1623 /* returns < 0 on failure */
1624 static int cryptfs_restart_internal(int restart_main)
1625 {
1626 char crypto_blkdev[MAXPATHLEN];
1627 int rc = -1;
1628 static int restart_successful = 0;
1629
1630 /* Validate that it's OK to call this routine */
1631 if (! master_key_saved) {
1632 SLOGE("Encrypted filesystem not validated, aborting");
1633 return -1;
1634 }
1635
1636 if (restart_successful) {
1637 SLOGE("System already restarted with encrypted disk, aborting");
1638 return -1;
1639 }
1640
1641 if (restart_main) {
1642 /* Here is where we shut down the framework. The init scripts
1643 * start all services in one of three classes: core, main or late_start.
1644 * On boot, we start core and main. Now, we stop main, but not core,
1645 * as core includes vold and a few other really important things that
1646 * we need to keep running. Once main has stopped, we should be able
1647 * to umount the tmpfs /data, then mount the encrypted /data.
1648 * We then restart the class main, and also the class late_start.
1649 * At the moment, I've only put a few things in late_start that I know
1650 * are not needed to bring up the framework, and that also cause problems
1651 * with unmounting the tmpfs /data, but I hope to add add more services
1652 * to the late_start class as we optimize this to decrease the delay
1653 * till the user is asked for the password to the filesystem.
1654 */
1655
1656 /* The init files are setup to stop the class main when vold.decrypt is
1657 * set to trigger_reset_main.
1658 */
1659 property_set("vold.decrypt", "trigger_reset_main");
1660 SLOGD("Just asked init to shut down class main\n");
1661
1662 /* Ugh, shutting down the framework is not synchronous, so until it
1663 * can be fixed, this horrible hack will wait a moment for it all to
1664 * shut down before proceeding. Without it, some devices cannot
1665 * restart the graphics services.
1666 */
1667 sleep(2);
1668 }
1669
1670 /* Now that the framework is shutdown, we should be able to umount()
1671 * the tmpfs filesystem, and mount the real one.
1672 */
1673
1674 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1675 if (strlen(crypto_blkdev) == 0) {
1676 SLOGE("fs_crypto_blkdev not set\n");
1677 return -1;
1678 }
1679
1680 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1681 /* If ro.crypto.readonly is set to 1, mount the decrypted
1682 * filesystem readonly. This is used when /data is mounted by
1683 * recovery mode.
1684 */
1685 char ro_prop[PROPERTY_VALUE_MAX];
1686 property_get("ro.crypto.readonly", ro_prop, "");
1687 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1688 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1689 rec->flags |= MS_RDONLY;
1690 }
1691
1692 /* If that succeeded, then mount the decrypted filesystem */
1693 int retries = RETRY_MOUNT_ATTEMPTS;
1694 int mount_rc;
1695
1696 /*
1697 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1698 * partitions in the fsck domain.
1699 */
1700 if (setexeccon(secontextFsck())){
1701 SLOGE("Failed to setexeccon");
1702 return -1;
1703 }
1704 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1705 crypto_blkdev, 0))
1706 != 0) {
1707 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1708 /* TODO: invoke something similar to
1709 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1710 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1711 SLOGI("Failed to mount %s because it is busy - waiting",
1712 crypto_blkdev);
1713 if (--retries) {
1714 sleep(RETRY_MOUNT_DELAY_SECONDS);
1715 } else {
1716 /* Let's hope that a reboot clears away whatever is keeping
1717 the mount busy */
1718 cryptfs_reboot(reboot);
1719 }
1720 } else {
1721 SLOGE("Failed to mount decrypted data");
1722 cryptfs_set_corrupt();
1723 cryptfs_trigger_restart_min_framework();
1724 SLOGI("Started framework to offer wipe");
1725 if (setexeccon(NULL)) {
1726 SLOGE("Failed to setexeccon");
1727 }
1728 return -1;
1729 }
1730 }
1731 if (setexeccon(NULL)) {
1732 SLOGE("Failed to setexeccon");
1733 return -1;
1734 }
1735
1736 property_set("vold.decrypt", "trigger_load_persist_props");
1737 /* Create necessary paths on /data */
1738 if (prep_data_fs()) {
1739 return -1;
1740 }
1741
1742 /* startup service classes main and late_start */
1743 property_set("vold.decrypt", "trigger_restart_framework");
1744 SLOGD("Just triggered restart_framework\n");
1745
1746 /* Give it a few moments to get started */
1747 sleep(1);
1748 }
1749
1750 if (rc == 0) {
1751 restart_successful = 1;
1752 }
1753
1754 return rc;
1755 }
1756
1757 int cryptfs_restart(void)
1758 {
1759 SLOGI("cryptfs_restart");
1760 if (e4crypt_is_native()) {
1761 SLOGE("cryptfs_restart not valid for file encryption:");
1762 return -1;
1763 }
1764
1765 /* Call internal implementation forcing a restart of main service group */
1766 return cryptfs_restart_internal(1);
1767 }
1768
1769 static int do_crypto_complete(char *mount_point)
1770 {
1771 struct crypt_mnt_ftr crypt_ftr;
1772 char encrypted_state[PROPERTY_VALUE_MAX];
1773 char key_loc[PROPERTY_VALUE_MAX];
1774
1775 property_get("ro.crypto.state", encrypted_state, "");
1776 if (strcmp(encrypted_state, "encrypted") ) {
1777 SLOGE("not running with encryption, aborting");
1778 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1779 }
1780
1781 // crypto_complete is full disk encrypted status
1782 if (e4crypt_is_native()) {
1783 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1784 }
1785
1786 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1787 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1788
1789 /*
1790 * Only report this error if key_loc is a file and it exists.
1791 * If the device was never encrypted, and /data is not mountable for
1792 * some reason, returning 1 should prevent the UI from presenting the
1793 * a "enter password" screen, or worse, a "press button to wipe the
1794 * device" screen.
1795 */
1796 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1797 SLOGE("master key file does not exist, aborting");
1798 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1799 } else {
1800 SLOGE("Error getting crypt footer and key\n");
1801 return CRYPTO_COMPLETE_BAD_METADATA;
1802 }
1803 }
1804
1805 // Test for possible error flags
1806 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1807 SLOGE("Encryption process is partway completed\n");
1808 return CRYPTO_COMPLETE_PARTIAL;
1809 }
1810
1811 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1812 SLOGE("Encryption process was interrupted but cannot continue\n");
1813 return CRYPTO_COMPLETE_INCONSISTENT;
1814 }
1815
1816 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1817 SLOGE("Encryption is successful but data is corrupt\n");
1818 return CRYPTO_COMPLETE_CORRUPT;
1819 }
1820
1821 /* We passed the test! We shall diminish, and return to the west */
1822 return CRYPTO_COMPLETE_ENCRYPTED;
1823 }
1824
1825 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1826 char *passwd, char *mount_point, char *label)
1827 {
1828 /* Allocate enough space for a 256 bit key, but we may use less */
1829 unsigned char decrypted_master_key[32];
1830 char crypto_blkdev[MAXPATHLEN];
1831 char real_blkdev[MAXPATHLEN];
1832 char tmp_mount_point[64];
1833 unsigned int orig_failed_decrypt_count;
1834 int rc;
1835 int use_keymaster = 0;
1836 int upgrade = 0;
1837 unsigned char* intermediate_key = 0;
1838 size_t intermediate_key_size = 0;
1839
1840 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1841 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1842
1843 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1844 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1845 &intermediate_key, &intermediate_key_size)) {
1846 SLOGE("Failed to decrypt master key\n");
1847 rc = -1;
1848 goto errout;
1849 }
1850 }
1851
1852 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1853
1854 #ifdef CONFIG_HW_DISK_ENCRYPTION
1855 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1856 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1857 SLOGE("Hardware encryption key does not match");
1858 }
1859 }
1860 #endif
1861
1862 // Create crypto block device - all (non fatal) code paths
1863 // need it
1864 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1865 real_blkdev, crypto_blkdev, label)) {
1866 SLOGE("Error creating decrypted block device\n");
1867 rc = -1;
1868 goto errout;
1869 }
1870
1871 /* Work out if the problem is the password or the data */
1872 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1873 scrypted_intermediate_key)];
1874 int N = 1 << crypt_ftr->N_factor;
1875 int r = 1 << crypt_ftr->r_factor;
1876 int p = 1 << crypt_ftr->p_factor;
1877
1878 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1879 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1880 N, r, p, scrypted_intermediate_key,
1881 sizeof(scrypted_intermediate_key));
1882
1883 // Does the key match the crypto footer?
1884 if (rc == 0 && memcmp(scrypted_intermediate_key,
1885 crypt_ftr->scrypted_intermediate_key,
1886 sizeof(scrypted_intermediate_key)) == 0) {
1887 SLOGI("Password matches");
1888 rc = 0;
1889 } else {
1890 /* Try mounting the file system anyway, just in case the problem's with
1891 * the footer, not the key. */
1892 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1893 mkdir(tmp_mount_point, 0755);
1894 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1895 SLOGE("Error temp mounting decrypted block device\n");
1896 delete_crypto_blk_dev(label);
1897
1898 rc = ++crypt_ftr->failed_decrypt_count;
1899 put_crypt_ftr_and_key(crypt_ftr);
1900 } else {
1901 /* Success! */
1902 SLOGI("Password did not match but decrypted drive mounted - continue");
1903 umount(tmp_mount_point);
1904 rc = 0;
1905 }
1906 }
1907
1908 if (rc == 0) {
1909 crypt_ftr->failed_decrypt_count = 0;
1910 if (orig_failed_decrypt_count != 0) {
1911 put_crypt_ftr_and_key(crypt_ftr);
1912 }
1913
1914 /* Save the name of the crypto block device
1915 * so we can mount it when restarting the framework. */
1916 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1917
1918 /* Also save a the master key so we can reencrypted the key
1919 * the key when we want to change the password on it. */
1920 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1921 saved_mount_point = strdup(mount_point);
1922 master_key_saved = 1;
1923 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1924 rc = 0;
1925
1926 // Upgrade if we're not using the latest KDF.
1927 use_keymaster = keymaster_check_compatibility();
1928 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1929 // Don't allow downgrade
1930 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1931 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1932 upgrade = 1;
1933 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1934 crypt_ftr->kdf_type = KDF_SCRYPT;
1935 upgrade = 1;
1936 }
1937
1938 if (upgrade) {
1939 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1940 crypt_ftr->master_key, crypt_ftr);
1941 if (!rc) {
1942 rc = put_crypt_ftr_and_key(crypt_ftr);
1943 }
1944 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1945
1946 // Do not fail even if upgrade failed - machine is bootable
1947 // Note that if this code is ever hit, there is a *serious* problem
1948 // since KDFs should never fail. You *must* fix the kdf before
1949 // proceeding!
1950 if (rc) {
1951 SLOGW("Upgrade failed with error %d,"
1952 " but continuing with previous state",
1953 rc);
1954 rc = 0;
1955 }
1956 }
1957 }
1958
1959 errout:
1960 if (intermediate_key) {
1961 memset(intermediate_key, 0, intermediate_key_size);
1962 free(intermediate_key);
1963 }
1964 return rc;
1965 }
1966
1967 /*
1968 * Called by vold when it's asked to mount an encrypted external
1969 * storage volume. The incoming partition has no crypto header/footer,
1970 * as any metadata is been stored in a separate, small partition.
1971 *
1972 * out_crypto_blkdev must be MAXPATHLEN.
1973 */
1974 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1975 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1976 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1977 if (fd == -1) {
1978 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1979 return -1;
1980 }
1981
1982 unsigned long nr_sec = 0;
1983 get_blkdev_size(fd, &nr_sec);
1984 close(fd);
1985
1986 if (nr_sec == 0) {
1987 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1988 return -1;
1989 }
1990
1991 struct crypt_mnt_ftr ext_crypt_ftr;
1992 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1993 ext_crypt_ftr.fs_size = nr_sec;
1994 ext_crypt_ftr.keysize = keysize;
1995 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1996
1997 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1998 out_crypto_blkdev, label);
1999 }
2000
2001 /*
2002 * Called by vold when it's asked to unmount an encrypted external
2003 * storage volume.
2004 */
2005 int cryptfs_revert_ext_volume(const char* label) {
2006 return delete_crypto_blk_dev((char*) label);
2007 }
2008
2009 int cryptfs_crypto_complete(void)
2010 {
2011 return do_crypto_complete("/data");
2012 }
2013
2014 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2015 {
2016 char encrypted_state[PROPERTY_VALUE_MAX];
2017 property_get("ro.crypto.state", encrypted_state, "");
2018 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2019 SLOGE("encrypted fs already validated or not running with encryption,"
2020 " aborting");
2021 return -1;
2022 }
2023
2024 if (get_crypt_ftr_and_key(crypt_ftr)) {
2025 SLOGE("Error getting crypt footer and key");
2026 return -1;
2027 }
2028
2029 return 0;
2030 }
2031
2032 int cryptfs_check_passwd(char *passwd)
2033 {
2034 SLOGI("cryptfs_check_passwd");
2035 if (e4crypt_is_native()) {
2036 SLOGE("cryptfs_check_passwd not valid for file encryption");
2037 return -1;
2038 }
2039
2040 struct crypt_mnt_ftr crypt_ftr;
2041 int rc;
2042
2043 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2044 if (rc) {
2045 SLOGE("Could not get footer");
2046 return rc;
2047 }
2048
2049 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2050 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2051 if (rc) {
2052 SLOGE("Password did not match");
2053 return rc;
2054 }
2055
2056 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2057 // Here we have a default actual password but a real password
2058 // we must test against the scrypted value
2059 // First, we must delete the crypto block device that
2060 // test_mount_encrypted_fs leaves behind as a side effect
2061 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2062 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
2063 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2064 if (rc) {
2065 SLOGE("Default password did not match on reboot encryption");
2066 return rc;
2067 }
2068
2069 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2070 put_crypt_ftr_and_key(&crypt_ftr);
2071 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2072 if (rc) {
2073 SLOGE("Could not change password on reboot encryption");
2074 return rc;
2075 }
2076 }
2077
2078 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2079 cryptfs_clear_password();
2080 password = strdup(passwd);
2081 struct timespec now;
2082 clock_gettime(CLOCK_BOOTTIME, &now);
2083 password_expiry_time = now.tv_sec + password_max_age_seconds;
2084 }
2085
2086 return rc;
2087 }
2088
2089 int cryptfs_verify_passwd(char *passwd)
2090 {
2091 struct crypt_mnt_ftr crypt_ftr;
2092 /* Allocate enough space for a 256 bit key, but we may use less */
2093 unsigned char decrypted_master_key[32];
2094 char encrypted_state[PROPERTY_VALUE_MAX];
2095 int rc;
2096
2097 property_get("ro.crypto.state", encrypted_state, "");
2098 if (strcmp(encrypted_state, "encrypted") ) {
2099 SLOGE("device not encrypted, aborting");
2100 return -2;
2101 }
2102
2103 if (!master_key_saved) {
2104 SLOGE("encrypted fs not yet mounted, aborting");
2105 return -1;
2106 }
2107
2108 if (!saved_mount_point) {
2109 SLOGE("encrypted fs failed to save mount point, aborting");
2110 return -1;
2111 }
2112
2113 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2114 SLOGE("Error getting crypt footer and key\n");
2115 return -1;
2116 }
2117
2118 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2119 /* If the device has no password, then just say the password is valid */
2120 rc = 0;
2121 } else {
2122 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2123 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2124 /* They match, the password is correct */
2125 rc = 0;
2126 } else {
2127 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2128 sleep(1);
2129 rc = 1;
2130 }
2131 }
2132
2133 return rc;
2134 }
2135
2136 /* Initialize a crypt_mnt_ftr structure. The keysize is
2137 * defaulted to 16 bytes, and the filesystem size to 0.
2138 * Presumably, at a minimum, the caller will update the
2139 * filesystem size and crypto_type_name after calling this function.
2140 */
2141 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2142 {
2143 off64_t off;
2144
2145 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2146 ftr->magic = CRYPT_MNT_MAGIC;
2147 ftr->major_version = CURRENT_MAJOR_VERSION;
2148 ftr->minor_version = CURRENT_MINOR_VERSION;
2149 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2150 ftr->keysize = KEY_LEN_BYTES;
2151
2152 switch (keymaster_check_compatibility()) {
2153 case 1:
2154 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2155 break;
2156
2157 case 0:
2158 ftr->kdf_type = KDF_SCRYPT;
2159 break;
2160
2161 default:
2162 SLOGE("keymaster_check_compatibility failed");
2163 return -1;
2164 }
2165
2166 get_device_scrypt_params(ftr);
2167
2168 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2169 if (get_crypt_ftr_info(NULL, &off) == 0) {
2170 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2171 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2172 ftr->persist_data_size;
2173 }
2174
2175 return 0;
2176 }
2177
2178 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2179 {
2180 const char *args[10];
2181 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2182 int num_args;
2183 int status;
2184 int tmp;
2185 int rc = -1;
2186
2187 if (type == EXT4_FS) {
2188 args[0] = "/system/bin/make_ext4fs";
2189 args[1] = "-a";
2190 args[2] = "/data";
2191 args[3] = "-l";
2192 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2193 args[4] = size_str;
2194 args[5] = crypto_blkdev;
2195 num_args = 6;
2196 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2197 args[0], args[1], args[2], args[3], args[4], args[5]);
2198 } else if (type == F2FS_FS) {
2199 args[0] = "/system/bin/mkfs.f2fs";
2200 args[1] = "-t";
2201 args[2] = "-d1";
2202 args[3] = crypto_blkdev;
2203 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2204 args[4] = size_str;
2205 num_args = 5;
2206 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2207 args[0], args[1], args[2], args[3], args[4]);
2208 } else {
2209 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2210 return -1;
2211 }
2212
2213 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2214
2215 if (tmp != 0) {
2216 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2217 } else {
2218 if (WIFEXITED(status)) {
2219 if (WEXITSTATUS(status)) {
2220 SLOGE("Error creating filesystem on %s, exit status %d ",
2221 crypto_blkdev, WEXITSTATUS(status));
2222 } else {
2223 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2224 rc = 0;
2225 }
2226 } else {
2227 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2228 }
2229 }
2230
2231 return rc;
2232 }
2233
2234 #define CRYPT_INPLACE_BUFSIZE 4096
2235 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2236 #define CRYPT_SECTOR_SIZE 512
2237
2238 /* aligned 32K writes tends to make flash happy.
2239 * SD card association recommends it.
2240 */
2241 #ifndef CONFIG_HW_DISK_ENCRYPTION
2242 #define BLOCKS_AT_A_TIME 8
2243 #else
2244 #define BLOCKS_AT_A_TIME 1024
2245 #endif
2246
2247 struct encryptGroupsData
2248 {
2249 int realfd;
2250 int cryptofd;
2251 off64_t numblocks;
2252 off64_t one_pct, cur_pct, new_pct;
2253 off64_t blocks_already_done, tot_numblocks;
2254 off64_t used_blocks_already_done, tot_used_blocks;
2255 char* real_blkdev, * crypto_blkdev;
2256 int count;
2257 off64_t offset;
2258 char* buffer;
2259 off64_t last_written_sector;
2260 int completed;
2261 time_t time_started;
2262 int remaining_time;
2263 };
2264
2265 static void update_progress(struct encryptGroupsData* data, int is_used)
2266 {
2267 data->blocks_already_done++;
2268
2269 if (is_used) {
2270 data->used_blocks_already_done++;
2271 }
2272 if (data->tot_used_blocks) {
2273 data->new_pct = data->used_blocks_already_done / data->one_pct;
2274 } else {
2275 data->new_pct = data->blocks_already_done / data->one_pct;
2276 }
2277
2278 if (data->new_pct > data->cur_pct) {
2279 char buf[8];
2280 data->cur_pct = data->new_pct;
2281 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2282 property_set("vold.encrypt_progress", buf);
2283 }
2284
2285 if (data->cur_pct >= 5) {
2286 struct timespec time_now;
2287 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2288 SLOGW("Error getting time");
2289 } else {
2290 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2291 off64_t remaining_blocks = data->tot_used_blocks
2292 - data->used_blocks_already_done;
2293 int remaining_time = (int)(elapsed_time * remaining_blocks
2294 / data->used_blocks_already_done);
2295
2296 // Change time only if not yet set, lower, or a lot higher for
2297 // best user experience
2298 if (data->remaining_time == -1
2299 || remaining_time < data->remaining_time
2300 || remaining_time > data->remaining_time + 60) {
2301 char buf[8];
2302 snprintf(buf, sizeof(buf), "%d", remaining_time);
2303 property_set("vold.encrypt_time_remaining", buf);
2304 data->remaining_time = remaining_time;
2305 }
2306 }
2307 }
2308 }
2309
2310 static void log_progress(struct encryptGroupsData const* data, bool completed)
2311 {
2312 // Precondition - if completed data = 0 else data != 0
2313
2314 // Track progress so we can skip logging blocks
2315 static off64_t offset = -1;
2316
2317 // Need to close existing 'Encrypting from' log?
2318 if (completed || (offset != -1 && data->offset != offset)) {
2319 SLOGI("Encrypted to sector %" PRId64,
2320 offset / info.block_size * CRYPT_SECTOR_SIZE);
2321 offset = -1;
2322 }
2323
2324 // Need to start new 'Encrypting from' log?
2325 if (!completed && offset != data->offset) {
2326 SLOGI("Encrypting from sector %" PRId64,
2327 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2328 }
2329
2330 // Update offset
2331 if (!completed) {
2332 offset = data->offset + (off64_t)data->count * info.block_size;
2333 }
2334 }
2335
2336 static int flush_outstanding_data(struct encryptGroupsData* data)
2337 {
2338 if (data->count == 0) {
2339 return 0;
2340 }
2341
2342 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2343
2344 if (pread64(data->realfd, data->buffer,
2345 info.block_size * data->count, data->offset)
2346 <= 0) {
2347 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2348 data->real_blkdev);
2349 return -1;
2350 }
2351
2352 if (pwrite64(data->cryptofd, data->buffer,
2353 info.block_size * data->count, data->offset)
2354 <= 0) {
2355 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2356 data->crypto_blkdev);
2357 return -1;
2358 } else {
2359 log_progress(data, false);
2360 }
2361
2362 data->count = 0;
2363 data->last_written_sector = (data->offset + data->count)
2364 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2365 return 0;
2366 }
2367
2368 static int encrypt_groups(struct encryptGroupsData* data)
2369 {
2370 unsigned int i;
2371 u8 *block_bitmap = 0;
2372 unsigned int block;
2373 off64_t ret;
2374 int rc = -1;
2375
2376 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2377 if (!data->buffer) {
2378 SLOGE("Failed to allocate crypto buffer");
2379 goto errout;
2380 }
2381
2382 block_bitmap = malloc(info.block_size);
2383 if (!block_bitmap) {
2384 SLOGE("failed to allocate block bitmap");
2385 goto errout;
2386 }
2387
2388 for (i = 0; i < aux_info.groups; ++i) {
2389 SLOGI("Encrypting group %d", i);
2390
2391 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2392 u32 block_count = min(info.blocks_per_group,
2393 aux_info.len_blocks - first_block);
2394
2395 off64_t offset = (u64)info.block_size
2396 * aux_info.bg_desc[i].bg_block_bitmap;
2397
2398 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2399 if (ret != (int)info.block_size) {
2400 SLOGE("failed to read all of block group bitmap %d", i);
2401 goto errout;
2402 }
2403
2404 offset = (u64)info.block_size * first_block;
2405
2406 data->count = 0;
2407
2408 for (block = 0; block < block_count; block++) {
2409 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2410 0 : bitmap_get_bit(block_bitmap, block);
2411 update_progress(data, used);
2412 if (used) {
2413 if (data->count == 0) {
2414 data->offset = offset;
2415 }
2416 data->count++;
2417 } else {
2418 if (flush_outstanding_data(data)) {
2419 goto errout;
2420 }
2421 }
2422
2423 offset += info.block_size;
2424
2425 /* Write data if we are aligned or buffer size reached */
2426 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2427 || data->count == BLOCKS_AT_A_TIME) {
2428 if (flush_outstanding_data(data)) {
2429 goto errout;
2430 }
2431 }
2432
2433 if (!is_battery_ok_to_continue()) {
2434 SLOGE("Stopping encryption due to low battery");
2435 rc = 0;
2436 goto errout;
2437 }
2438
2439 }
2440 if (flush_outstanding_data(data)) {
2441 goto errout;
2442 }
2443 }
2444
2445 data->completed = 1;
2446 rc = 0;
2447
2448 errout:
2449 log_progress(0, true);
2450 free(data->buffer);
2451 free(block_bitmap);
2452 return rc;
2453 }
2454
2455 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2456 char *real_blkdev,
2457 off64_t size,
2458 off64_t *size_already_done,
2459 off64_t tot_size,
2460 off64_t previously_encrypted_upto)
2461 {
2462 u32 i;
2463 struct encryptGroupsData data;
2464 int rc; // Can't initialize without causing warning -Wclobbered
2465
2466 if (previously_encrypted_upto > *size_already_done) {
2467 SLOGD("Not fast encrypting since resuming part way through");
2468 return -1;
2469 }
2470
2471 memset(&data, 0, sizeof(data));
2472 data.real_blkdev = real_blkdev;
2473 data.crypto_blkdev = crypto_blkdev;
2474
2475 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2476 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2477 real_blkdev, errno, strerror(errno));
2478 rc = -1;
2479 goto errout;
2480 }
2481
2482 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2483 int retries = RETRY_MOUNT_ATTEMPTS;
2484 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2485 if (--retries) {
2486 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2487 crypto_blkdev, errno, strerror(errno));
2488 sleep(RETRY_MOUNT_DELAY_SECONDS);
2489 } else {
2490 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2491 crypto_blkdev, errno, strerror(errno));
2492 rc = ENABLE_INPLACE_ERR_DEV;
2493 goto errout;
2494 }
2495 }
2496
2497 if (setjmp(setjmp_env)) {
2498 SLOGE("Reading ext4 extent caused an exception\n");
2499 rc = -1;
2500 goto errout;
2501 }
2502
2503 if (read_ext(data.realfd, 0) != 0) {
2504 SLOGE("Failed to read ext4 extent\n");
2505 rc = -1;
2506 goto errout;
2507 }
2508
2509 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2510 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2511 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2512
2513 SLOGI("Encrypting ext4 filesystem in place...");
2514
2515 data.tot_used_blocks = data.numblocks;
2516 for (i = 0; i < aux_info.groups; ++i) {
2517 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2518 }
2519
2520 data.one_pct = data.tot_used_blocks / 100;
2521 data.cur_pct = 0;
2522
2523 struct timespec time_started = {0};
2524 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2525 SLOGW("Error getting time at start");
2526 // Note - continue anyway - we'll run with 0
2527 }
2528 data.time_started = time_started.tv_sec;
2529 data.remaining_time = -1;
2530
2531 rc = encrypt_groups(&data);
2532 if (rc) {
2533 SLOGE("Error encrypting groups");
2534 goto errout;
2535 }
2536
2537 *size_already_done += data.completed ? size : data.last_written_sector;
2538 rc = 0;
2539
2540 errout:
2541 close(data.realfd);
2542 close(data.cryptofd);
2543
2544 return rc;
2545 }
2546
2547 static void log_progress_f2fs(u64 block, bool completed)
2548 {
2549 // Precondition - if completed data = 0 else data != 0
2550
2551 // Track progress so we can skip logging blocks
2552 static u64 last_block = (u64)-1;
2553
2554 // Need to close existing 'Encrypting from' log?
2555 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2556 SLOGI("Encrypted to block %" PRId64, last_block);
2557 last_block = -1;
2558 }
2559
2560 // Need to start new 'Encrypting from' log?
2561 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2562 SLOGI("Encrypting from block %" PRId64, block);
2563 }
2564
2565 // Update offset
2566 if (!completed) {
2567 last_block = block;
2568 }
2569 }
2570
2571 static int encrypt_one_block_f2fs(u64 pos, void *data)
2572 {
2573 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2574
2575 priv_dat->blocks_already_done = pos - 1;
2576 update_progress(priv_dat, 1);
2577
2578 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2579
2580 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2581 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2582 return -1;
2583 }
2584
2585 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2586 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2587 return -1;
2588 } else {
2589 log_progress_f2fs(pos, false);
2590 }
2591
2592 return 0;
2593 }
2594
2595 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2596 char *real_blkdev,
2597 off64_t size,
2598 off64_t *size_already_done,
2599 off64_t tot_size,
2600 off64_t previously_encrypted_upto)
2601 {
2602 struct encryptGroupsData data;
2603 struct f2fs_info *f2fs_info = NULL;
2604 int rc = ENABLE_INPLACE_ERR_OTHER;
2605 if (previously_encrypted_upto > *size_already_done) {
2606 SLOGD("Not fast encrypting since resuming part way through");
2607 return ENABLE_INPLACE_ERR_OTHER;
2608 }
2609 memset(&data, 0, sizeof(data));
2610 data.real_blkdev = real_blkdev;
2611 data.crypto_blkdev = crypto_blkdev;
2612 data.realfd = -1;
2613 data.cryptofd = -1;
2614 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2615 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2616 real_blkdev);
2617 goto errout;
2618 }
2619 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2620 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2621 crypto_blkdev, errno, strerror(errno));
2622 rc = ENABLE_INPLACE_ERR_DEV;
2623 goto errout;
2624 }
2625
2626 f2fs_info = generate_f2fs_info(data.realfd);
2627 if (!f2fs_info)
2628 goto errout;
2629
2630 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2631 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2632 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2633
2634 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2635
2636 data.one_pct = data.tot_used_blocks / 100;
2637 data.cur_pct = 0;
2638 data.time_started = time(NULL);
2639 data.remaining_time = -1;
2640
2641 data.buffer = malloc(f2fs_info->block_size);
2642 if (!data.buffer) {
2643 SLOGE("Failed to allocate crypto buffer");
2644 goto errout;
2645 }
2646
2647 data.count = 0;
2648
2649 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2650 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2651
2652 if (rc) {
2653 SLOGE("Error in running over f2fs blocks");
2654 rc = ENABLE_INPLACE_ERR_OTHER;
2655 goto errout;
2656 }
2657
2658 *size_already_done += size;
2659 rc = 0;
2660
2661 errout:
2662 if (rc)
2663 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2664
2665 log_progress_f2fs(0, true);
2666 free(f2fs_info);
2667 free(data.buffer);
2668 close(data.realfd);
2669 close(data.cryptofd);
2670
2671 return rc;
2672 }
2673
2674 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2675 off64_t size, off64_t *size_already_done,
2676 off64_t tot_size,
2677 off64_t previously_encrypted_upto)
2678 {
2679 int realfd, cryptofd;
2680 char *buf[CRYPT_INPLACE_BUFSIZE];
2681 int rc = ENABLE_INPLACE_ERR_OTHER;
2682 off64_t numblocks, i, remainder;
2683 off64_t one_pct, cur_pct, new_pct;
2684 off64_t blocks_already_done, tot_numblocks;
2685
2686 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2687 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2688 return ENABLE_INPLACE_ERR_OTHER;
2689 }
2690
2691 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2692 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2693 crypto_blkdev, errno, strerror(errno));
2694 close(realfd);
2695 return ENABLE_INPLACE_ERR_DEV;
2696 }
2697
2698 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2699 * The size passed in is the number of 512 byte sectors in the filesystem.
2700 * So compute the number of whole 4K blocks we should read/write,
2701 * and the remainder.
2702 */
2703 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2704 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2705 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2706 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2707
2708 SLOGE("Encrypting filesystem in place...");
2709
2710 i = previously_encrypted_upto + 1 - *size_already_done;
2711
2712 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2713 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2714 goto errout;
2715 }
2716
2717 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2718 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2719 goto errout;
2720 }
2721
2722 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2723 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2724 SLOGE("Error reading initial sectors from real_blkdev %s for "
2725 "inplace encrypt\n", crypto_blkdev);
2726 goto errout;
2727 }
2728 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2729 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2730 "inplace encrypt\n", crypto_blkdev);
2731 goto errout;
2732 } else {
2733 SLOGI("Encrypted 1 block at %" PRId64, i);
2734 }
2735 }
2736
2737 one_pct = tot_numblocks / 100;
2738 cur_pct = 0;
2739 /* process the majority of the filesystem in blocks */
2740 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2741 new_pct = (i + blocks_already_done) / one_pct;
2742 if (new_pct > cur_pct) {
2743 char buf[8];
2744
2745 cur_pct = new_pct;
2746 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2747 property_set("vold.encrypt_progress", buf);
2748 }
2749 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2750 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2751 goto errout;
2752 }
2753 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2754 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2755 goto errout;
2756 } else {
2757 SLOGD("Encrypted %d block at %" PRId64,
2758 CRYPT_SECTORS_PER_BUFSIZE,
2759 i * CRYPT_SECTORS_PER_BUFSIZE);
2760 }
2761
2762 if (!is_battery_ok_to_continue()) {
2763 SLOGE("Stopping encryption due to low battery");
2764 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2765 rc = 0;
2766 goto errout;
2767 }
2768 }
2769
2770 /* Do any remaining sectors */
2771 for (i=0; i<remainder; i++) {
2772 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2773 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2774 goto errout;
2775 }
2776 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2777 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2778 goto errout;
2779 } else {
2780 SLOGI("Encrypted 1 block at next location");
2781 }
2782 }
2783
2784 *size_already_done += size;
2785 rc = 0;
2786
2787 errout:
2788 close(realfd);
2789 close(cryptofd);
2790
2791 return rc;
2792 }
2793
2794 /* returns on of the ENABLE_INPLACE_* return codes */
2795 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2796 off64_t size, off64_t *size_already_done,
2797 off64_t tot_size,
2798 off64_t previously_encrypted_upto)
2799 {
2800 int rc_ext4, rc_f2fs, rc_full;
2801 if (previously_encrypted_upto) {
2802 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2803 }
2804
2805 if (*size_already_done + size < previously_encrypted_upto) {
2806 *size_already_done += size;
2807 return 0;
2808 }
2809
2810 /* TODO: identify filesystem type.
2811 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2812 * then we will drop down to cryptfs_enable_inplace_f2fs.
2813 * */
2814 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2815 size, size_already_done,
2816 tot_size, previously_encrypted_upto)) == 0) {
2817 return 0;
2818 }
2819 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2820
2821 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2822 size, size_already_done,
2823 tot_size, previously_encrypted_upto)) == 0) {
2824 return 0;
2825 }
2826 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2827
2828 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2829 size, size_already_done, tot_size,
2830 previously_encrypted_upto);
2831 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2832
2833 /* Hack for b/17898962, the following is the symptom... */
2834 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2835 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2836 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2837 return ENABLE_INPLACE_ERR_DEV;
2838 }
2839 return rc_full;
2840 }
2841
2842 #define CRYPTO_ENABLE_WIPE 1
2843 #define CRYPTO_ENABLE_INPLACE 2
2844
2845 #define FRAMEWORK_BOOT_WAIT 60
2846
2847 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2848 {
2849 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2850 if (fd == -1) {
2851 SLOGE("Error opening file %s", filename);
2852 return -1;
2853 }
2854
2855 char block[CRYPT_INPLACE_BUFSIZE];
2856 memset(block, 0, sizeof(block));
2857 if (unix_read(fd, block, sizeof(block)) < 0) {
2858 SLOGE("Error reading file %s", filename);
2859 close(fd);
2860 return -1;
2861 }
2862
2863 close(fd);
2864
2865 SHA256_CTX c;
2866 SHA256_Init(&c);
2867 SHA256_Update(&c, block, sizeof(block));
2868 SHA256_Final(buf, &c);
2869
2870 return 0;
2871 }
2872
2873 static int get_fs_type(struct fstab_rec *rec)
2874 {
2875 if (!strcmp(rec->fs_type, "ext4")) {
2876 return EXT4_FS;
2877 } else if (!strcmp(rec->fs_type, "f2fs")) {
2878 return F2FS_FS;
2879 } else {
2880 return -1;
2881 }
2882 }
2883
2884 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2885 char *crypto_blkdev, char *real_blkdev,
2886 int previously_encrypted_upto)
2887 {
2888 off64_t cur_encryption_done=0, tot_encryption_size=0;
2889 int rc = -1;
2890
2891 if (!is_battery_ok_to_start()) {
2892 SLOGW("Not starting encryption due to low battery");
2893 return 0;
2894 }
2895
2896 /* The size of the userdata partition, and add in the vold volumes below */
2897 tot_encryption_size = crypt_ftr->fs_size;
2898
2899 if (how == CRYPTO_ENABLE_WIPE) {
2900 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2901 int fs_type = get_fs_type(rec);
2902 if (fs_type < 0) {
2903 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2904 return -1;
2905 }
2906 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2907 } else if (how == CRYPTO_ENABLE_INPLACE) {
2908 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2909 crypt_ftr->fs_size, &cur_encryption_done,
2910 tot_encryption_size,
2911 previously_encrypted_upto);
2912
2913 if (rc == ENABLE_INPLACE_ERR_DEV) {
2914 /* Hack for b/17898962 */
2915 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2916 cryptfs_reboot(reboot);
2917 }
2918
2919 if (!rc) {
2920 crypt_ftr->encrypted_upto = cur_encryption_done;
2921 }
2922
2923 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2924 /* The inplace routine never actually sets the progress to 100% due
2925 * to the round down nature of integer division, so set it here */
2926 property_set("vold.encrypt_progress", "100");
2927 }
2928 } else {
2929 /* Shouldn't happen */
2930 SLOGE("cryptfs_enable: internal error, unknown option\n");
2931 rc = -1;
2932 }
2933
2934 return rc;
2935 }
2936
2937 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2938 int no_ui)
2939 {
2940 int how = 0;
2941 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2942 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2943 int rc=-1, i;
2944 struct crypt_mnt_ftr crypt_ftr;
2945 struct crypt_persist_data *pdata;
2946 char encrypted_state[PROPERTY_VALUE_MAX];
2947 char lockid[32] = { 0 };
2948 char key_loc[PROPERTY_VALUE_MAX];
2949 int num_vols;
2950 off64_t previously_encrypted_upto = 0;
2951 bool rebootEncryption = false;
2952
2953 if (!strcmp(howarg, "wipe")) {
2954 how = CRYPTO_ENABLE_WIPE;
2955 } else if (! strcmp(howarg, "inplace")) {
2956 how = CRYPTO_ENABLE_INPLACE;
2957 } else {
2958 /* Shouldn't happen, as CommandListener vets the args */
2959 goto error_unencrypted;
2960 }
2961
2962 if (how == CRYPTO_ENABLE_INPLACE
2963 && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2964 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2965 /* An encryption was underway and was interrupted */
2966 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2967 crypt_ftr.encrypted_upto = 0;
2968 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2969
2970 /* At this point, we are in an inconsistent state. Until we successfully
2971 complete encryption, a reboot will leave us broken. So mark the
2972 encryption failed in case that happens.
2973 On successfully completing encryption, remove this flag */
2974 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2975
2976 put_crypt_ftr_and_key(&crypt_ftr);
2977 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2978 if (!check_ftr_sha(&crypt_ftr)) {
2979 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2980 put_crypt_ftr_and_key(&crypt_ftr);
2981 goto error_unencrypted;
2982 }
2983
2984 /* Doing a reboot-encryption*/
2985 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2986 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2987 rebootEncryption = true;
2988 }
2989 }
2990
2991 property_get("ro.crypto.state", encrypted_state, "");
2992 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2993 SLOGE("Device is already running encrypted, aborting");
2994 goto error_unencrypted;
2995 }
2996
2997 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2998 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2999 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
3000
3001 /* Get the size of the real block device */
3002 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
3003 if (fd == -1) {
3004 SLOGE("Cannot open block device %s\n", real_blkdev);
3005 goto error_unencrypted;
3006 }
3007 unsigned long nr_sec;
3008 get_blkdev_size(fd, &nr_sec);
3009 if (nr_sec == 0) {
3010 SLOGE("Cannot get size of block device %s\n", real_blkdev);
3011 goto error_unencrypted;
3012 }
3013 close(fd);
3014
3015 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
3016 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
3017 unsigned int fs_size_sec, max_fs_size_sec;
3018 fs_size_sec = get_fs_size(real_blkdev);
3019 if (fs_size_sec == 0)
3020 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
3021
3022 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3023
3024 if (fs_size_sec > max_fs_size_sec) {
3025 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
3026 goto error_unencrypted;
3027 }
3028 }
3029
3030 /* Get a wakelock as this may take a while, and we don't want the
3031 * device to sleep on us. We'll grab a partial wakelock, and if the UI
3032 * wants to keep the screen on, it can grab a full wakelock.
3033 */
3034 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3035 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3036
3037 /* The init files are setup to stop the class main and late start when
3038 * vold sets trigger_shutdown_framework.
3039 */
3040 property_set("vold.decrypt", "trigger_shutdown_framework");
3041 SLOGD("Just asked init to shut down class main\n");
3042
3043 /* Ask vold to unmount all devices that it manages */
3044 if (vold_unmountAll()) {
3045 SLOGE("Failed to unmount all vold managed devices");
3046 }
3047
3048 /* no_ui means we are being called from init, not settings.
3049 Now we always reboot from settings, so !no_ui means reboot
3050 */
3051 bool onlyCreateHeader = false;
3052 if (!no_ui) {
3053 /* Try fallback, which is to reboot and try there */
3054 onlyCreateHeader = true;
3055 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
3056 if (breadcrumb == 0) {
3057 SLOGE("Failed to create breadcrumb file");
3058 goto error_shutting_down;
3059 }
3060 fclose(breadcrumb);
3061 }
3062
3063 /* Do extra work for a better UX when doing the long inplace encryption */
3064 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
3065 /* Now that /data is unmounted, we need to mount a tmpfs
3066 * /data, set a property saying we're doing inplace encryption,
3067 * and restart the framework.
3068 */
3069 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3070 goto error_shutting_down;
3071 }
3072 /* Tells the framework that inplace encryption is starting */
3073 property_set("vold.encrypt_progress", "0");
3074
3075 /* restart the framework. */
3076 /* Create necessary paths on /data */
3077 if (prep_data_fs()) {
3078 goto error_shutting_down;
3079 }
3080
3081 /* Ugh, shutting down the framework is not synchronous, so until it
3082 * can be fixed, this horrible hack will wait a moment for it all to
3083 * shut down before proceeding. Without it, some devices cannot
3084 * restart the graphics services.
3085 */
3086 sleep(2);
3087 }
3088
3089 /* Start the actual work of making an encrypted filesystem */
3090 /* Initialize a crypt_mnt_ftr for the partition */
3091 if (previously_encrypted_upto == 0 && !rebootEncryption) {
3092 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3093 goto error_shutting_down;
3094 }
3095
3096 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3097 crypt_ftr.fs_size = nr_sec
3098 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3099 } else {
3100 crypt_ftr.fs_size = nr_sec;
3101 }
3102 /* At this point, we are in an inconsistent state. Until we successfully
3103 complete encryption, a reboot will leave us broken. So mark the
3104 encryption failed in case that happens.
3105 On successfully completing encryption, remove this flag */
3106 if (onlyCreateHeader) {
3107 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
3108 } else {
3109 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3110 }
3111 crypt_ftr.crypt_type = crypt_type;
3112 #ifndef CONFIG_HW_DISK_ENCRYPTION
3113 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3114 #else
3115 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3116
3117 rc = clear_hw_device_encryption_key();
3118 if (!rc) {
3119 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3120 }
3121
3122 rc = set_hw_device_encryption_key(passwd,
3123 (char*) crypt_ftr.crypto_type_name);
3124 if (!rc) {
3125 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3126 goto error_shutting_down;
3127 }
3128 #endif
3129
3130 /* Make an encrypted master key */
3131 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
3132 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3133 SLOGE("Cannot create encrypted master key\n");
3134 goto error_shutting_down;
3135 }
3136
3137 /* Replace scrypted intermediate key if we are preparing for a reboot */
3138 if (onlyCreateHeader) {
3139 unsigned char fake_master_key[KEY_LEN_BYTES];
3140 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
3141 memset(fake_master_key, 0, sizeof(fake_master_key));
3142 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
3143 encrypted_fake_master_key, &crypt_ftr);
3144 }
3145
3146 /* Write the key to the end of the partition */
3147 put_crypt_ftr_and_key(&crypt_ftr);
3148
3149 /* If any persistent data has been remembered, save it.
3150 * If none, create a valid empty table and save that.
3151 */
3152 if (!persist_data) {
3153 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3154 if (pdata) {
3155 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3156 persist_data = pdata;
3157 }
3158 }
3159 if (persist_data) {
3160 save_persistent_data();
3161 }
3162 }
3163
3164 if (onlyCreateHeader) {
3165 sleep(2);
3166 cryptfs_reboot(reboot);
3167 }
3168
3169 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
3170 /* startup service classes main and late_start */
3171 property_set("vold.decrypt", "trigger_restart_min_framework");
3172 SLOGD("Just triggered restart_min_framework\n");
3173
3174 /* OK, the framework is restarted and will soon be showing a
3175 * progress bar. Time to setup an encrypted mapping, and
3176 * either write a new filesystem, or encrypt in place updating
3177 * the progress bar as we work.
3178 */
3179 }
3180
3181 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3182 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3183 CRYPTO_BLOCK_DEVICE);
3184
3185 /* If we are continuing, check checksums match */
3186 rc = 0;
3187 if (previously_encrypted_upto) {
3188 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3189 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3190
3191 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3192 sizeof(hash_first_block)) != 0) {
3193 SLOGE("Checksums do not match - trigger wipe");
3194 rc = -1;
3195 }
3196 }
3197
3198 if (!rc) {
3199 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3200 crypto_blkdev, real_blkdev,
3201 previously_encrypted_upto);
3202 }
3203
3204 /* Calculate checksum if we are not finished */
3205 if (!rc && how == CRYPTO_ENABLE_INPLACE
3206 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3207 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3208 crypt_ftr.hash_first_block);
3209 if (rc) {
3210 SLOGE("Error calculating checksum for continuing encryption");
3211 rc = -1;
3212 }
3213 }
3214
3215 /* Undo the dm-crypt mapping whether we succeed or not */
3216 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
3217
3218 if (! rc) {
3219 /* Success */
3220 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3221
3222 if (how == CRYPTO_ENABLE_INPLACE
3223 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3224 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3225 crypt_ftr.encrypted_upto);
3226 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3227 }
3228
3229 put_crypt_ftr_and_key(&crypt_ftr);
3230
3231 if (how == CRYPTO_ENABLE_WIPE
3232 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3233 char value[PROPERTY_VALUE_MAX];
3234 property_get("ro.crypto.state", value, "");
3235 if (!strcmp(value, "")) {
3236 /* default encryption - continue first boot sequence */
3237 property_set("ro.crypto.state", "encrypted");
3238 property_set("ro.crypto.type", "block");
3239 release_wake_lock(lockid);
3240 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
3241 // Bring up cryptkeeper that will check the password and set it
3242 property_set("vold.decrypt", "trigger_shutdown_framework");
3243 sleep(2);
3244 property_set("vold.encrypt_progress", "");
3245 cryptfs_trigger_restart_min_framework();
3246 } else {
3247 cryptfs_check_passwd(DEFAULT_PASSWORD);
3248 cryptfs_restart_internal(1);
3249 }
3250 return 0;
3251 } else {
3252 sleep(2); /* Give the UI a chance to show 100% progress */
3253 cryptfs_reboot(reboot);
3254 }
3255 } else {
3256 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3257 cryptfs_reboot(shutdown);
3258 }
3259 } else {
3260 char value[PROPERTY_VALUE_MAX];
3261
3262 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3263 if (!strcmp(value, "1")) {
3264 /* wipe data if encryption failed */
3265 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3266 if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) {
3267 SLOGE("could not write bootloader message\n");
3268 }
3269 cryptfs_reboot(recovery);
3270 } else {
3271 /* set property to trigger dialog */
3272 property_set("vold.encrypt_progress", "error_partially_encrypted");
3273 release_wake_lock(lockid);
3274 }
3275 return -1;
3276 }
3277
3278 /* hrm, the encrypt step claims success, but the reboot failed.
3279 * This should not happen.
3280 * Set the property and return. Hope the framework can deal with it.
3281 */
3282 property_set("vold.encrypt_progress", "error_reboot_failed");
3283 release_wake_lock(lockid);
3284 return rc;
3285
3286 error_unencrypted:
3287 property_set("vold.encrypt_progress", "error_not_encrypted");
3288 if (lockid[0]) {
3289 release_wake_lock(lockid);
3290 }
3291 return -1;
3292
3293 error_shutting_down:
3294 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3295 * but the framework is stopped and not restarted to show the error, so it's up to
3296 * vold to restart the system.
3297 */
3298 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3299 cryptfs_reboot(reboot);
3300
3301 /* shouldn't get here */
3302 property_set("vold.encrypt_progress", "error_shutting_down");
3303 if (lockid[0]) {
3304 release_wake_lock(lockid);
3305 }
3306 return -1;
3307 }
3308
3309 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3310 {
3311 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3312 }
3313
3314 int cryptfs_enable_default(char *howarg, int no_ui)
3315 {
3316 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3317 DEFAULT_PASSWORD, no_ui);
3318 }
3319
3320 int cryptfs_changepw(int crypt_type, const char *newpw)
3321 {
3322 if (e4crypt_is_native()) {
3323 SLOGE("cryptfs_changepw not valid for file encryption");
3324 return -1;
3325 }
3326
3327 struct crypt_mnt_ftr crypt_ftr;
3328 int rc;
3329
3330 /* This is only allowed after we've successfully decrypted the master key */
3331 if (!master_key_saved) {
3332 SLOGE("Key not saved, aborting");
3333 return -1;
3334 }
3335
3336 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3337 SLOGE("Invalid crypt_type %d", crypt_type);
3338 return -1;
3339 }
3340
3341 /* get key */
3342 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3343 SLOGE("Error getting crypt footer and key");
3344 return -1;
3345 }
3346
3347 crypt_ftr.crypt_type = crypt_type;
3348
3349 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3350 : newpw,
3351 crypt_ftr.salt,
3352 saved_master_key,
3353 crypt_ftr.master_key,
3354 &crypt_ftr);
3355 if (rc) {
3356 SLOGE("Encrypt master key failed: %d", rc);
3357 return -1;
3358 }
3359 /* save the key */
3360 put_crypt_ftr_and_key(&crypt_ftr);
3361
3362 #ifdef CONFIG_HW_DISK_ENCRYPTION
3363 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3364 if (crypt_type == CRYPT_TYPE_DEFAULT) {
3365 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3366 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3367 if (!rc)
3368 return -1;
3369 } else {
3370 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3371 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3372 if (!rc)
3373 return -1;
3374 }
3375 }
3376 #endif
3377 return 0;
3378 }
3379
3380 static unsigned int persist_get_max_entries(int encrypted) {
3381 struct crypt_mnt_ftr crypt_ftr;
3382 unsigned int dsize;
3383 unsigned int max_persistent_entries;
3384
3385 /* If encrypted, use the values from the crypt_ftr, otherwise
3386 * use the values for the current spec.
3387 */
3388 if (encrypted) {
3389 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3390 return -1;
3391 }
3392 dsize = crypt_ftr.persist_data_size;
3393 } else {
3394 dsize = CRYPT_PERSIST_DATA_SIZE;
3395 }
3396
3397 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3398 sizeof(struct crypt_persist_entry);
3399
3400 return max_persistent_entries;
3401 }
3402
3403 static int persist_get_key(const char *fieldname, char *value)
3404 {
3405 unsigned int i;
3406
3407 if (persist_data == NULL) {
3408 return -1;
3409 }
3410 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3411 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3412 /* We found it! */
3413 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3414 return 0;
3415 }
3416 }
3417
3418 return -1;
3419 }
3420
3421 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3422 {
3423 unsigned int i;
3424 unsigned int num;
3425 unsigned int max_persistent_entries;
3426
3427 if (persist_data == NULL) {
3428 return -1;
3429 }
3430
3431 max_persistent_entries = persist_get_max_entries(encrypted);
3432
3433 num = persist_data->persist_valid_entries;
3434
3435 for (i = 0; i < num; i++) {
3436 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3437 /* We found an existing entry, update it! */
3438 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3439 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3440 return 0;
3441 }
3442 }
3443
3444 /* We didn't find it, add it to the end, if there is room */
3445 if (persist_data->persist_valid_entries < max_persistent_entries) {
3446 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3447 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3448 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3449 persist_data->persist_valid_entries++;
3450 return 0;
3451 }
3452
3453 return -1;
3454 }
3455
3456 /**
3457 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3458 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3459 */
3460 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3461 unsigned int field_len;
3462 unsigned int key_index;
3463 field_len = strlen(field);
3464
3465 if (index == 0) {
3466 // The first key in a multi-entry field is just the filedname itself.
3467 if (!strcmp(key, field)) {
3468 return 1;
3469 }
3470 }
3471 // Match key against "%s_%d" % (field, index)
3472 if (strlen(key) < field_len + 1 + 1) {
3473 // Need at least a '_' and a digit.
3474 return 0;
3475 }
3476 if (strncmp(key, field, field_len)) {
3477 // If the key does not begin with field, it's not a match.
3478 return 0;
3479 }
3480 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3481 return 0;
3482 }
3483 return key_index >= index;
3484 }
3485
3486 /*
3487 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3488 * remaining entries starting from index will be deleted.
3489 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3490 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3491 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3492 *
3493 */
3494 static int persist_del_keys(const char *fieldname, unsigned index)
3495 {
3496 unsigned int i;
3497 unsigned int j;
3498 unsigned int num;
3499
3500 if (persist_data == NULL) {
3501 return PERSIST_DEL_KEY_ERROR_OTHER;
3502 }
3503
3504 num = persist_data->persist_valid_entries;
3505
3506 j = 0; // points to the end of non-deleted entries.
3507 // Filter out to-be-deleted entries in place.
3508 for (i = 0; i < num; i++) {
3509 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3510 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3511 j++;
3512 }
3513 }
3514
3515 if (j < num) {
3516 persist_data->persist_valid_entries = j;
3517 // Zeroise the remaining entries
3518 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3519 return PERSIST_DEL_KEY_OK;
3520 } else {
3521 // Did not find an entry matching the given fieldname
3522 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3523 }
3524 }
3525
3526 static int persist_count_keys(const char *fieldname)
3527 {
3528 unsigned int i;
3529 unsigned int count;
3530
3531 if (persist_data == NULL) {
3532 return -1;
3533 }
3534
3535 count = 0;
3536 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3537 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3538 count++;
3539 }
3540 }
3541
3542 return count;
3543 }
3544
3545 /* Return the value of the specified field. */
3546 int cryptfs_getfield(const char *fieldname, char *value, int len)
3547 {
3548 if (e4crypt_is_native()) {
3549 SLOGE("Cannot get field when file encrypted");
3550 return -1;
3551 }
3552
3553 char temp_value[PROPERTY_VALUE_MAX];
3554 /* CRYPTO_GETFIELD_OK is success,
3555 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3556 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3557 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3558 */
3559 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3560 int i;
3561 char temp_field[PROPERTY_KEY_MAX];
3562
3563 if (persist_data == NULL) {
3564 load_persistent_data();
3565 if (persist_data == NULL) {
3566 SLOGE("Getfield error, cannot load persistent data");
3567 goto out;
3568 }
3569 }
3570
3571 // Read value from persistent entries. If the original value is split into multiple entries,
3572 // stitch them back together.
3573 if (!persist_get_key(fieldname, temp_value)) {
3574 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3575 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3576 // value too small
3577 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3578 goto out;
3579 }
3580 rc = CRYPTO_GETFIELD_OK;
3581
3582 for (i = 1; /* break explicitly */; i++) {
3583 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3584 (int) sizeof(temp_field)) {
3585 // If the fieldname is very long, we stop as soon as it begins to overflow the
3586 // maximum field length. At this point we have in fact fully read out the original
3587 // value because cryptfs_setfield would not allow fields with longer names to be
3588 // written in the first place.
3589 break;
3590 }
3591 if (!persist_get_key(temp_field, temp_value)) {
3592 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3593 // value too small.
3594 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3595 goto out;
3596 }
3597 } else {
3598 // Exhaust all entries.
3599 break;
3600 }
3601 }
3602 } else {
3603 /* Sadness, it's not there. Return the error */
3604 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3605 }
3606
3607 out:
3608 return rc;
3609 }
3610
3611 /* Set the value of the specified field. */
3612 int cryptfs_setfield(const char *fieldname, const char *value)
3613 {
3614 if (e4crypt_is_native()) {
3615 SLOGE("Cannot set field when file encrypted");
3616 return -1;
3617 }
3618
3619 char encrypted_state[PROPERTY_VALUE_MAX];
3620 /* 0 is success, negative values are error */
3621 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3622 int encrypted = 0;
3623 unsigned int field_id;
3624 char temp_field[PROPERTY_KEY_MAX];
3625 unsigned int num_entries;
3626 unsigned int max_keylen;
3627
3628 if (persist_data == NULL) {
3629 load_persistent_data();
3630 if (persist_data == NULL) {
3631 SLOGE("Setfield error, cannot load persistent data");
3632 goto out;
3633 }
3634 }
3635
3636 property_get("ro.crypto.state", encrypted_state, "");
3637 if (!strcmp(encrypted_state, "encrypted") ) {
3638 encrypted = 1;
3639 }
3640
3641 // Compute the number of entries required to store value, each entry can store up to
3642 // (PROPERTY_VALUE_MAX - 1) chars
3643 if (strlen(value) == 0) {
3644 // Empty value also needs one entry to store.
3645 num_entries = 1;
3646 } else {
3647 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3648 }
3649
3650 max_keylen = strlen(fieldname);
3651 if (num_entries > 1) {
3652 // Need an extra "_%d" suffix.
3653 max_keylen += 1 + log10(num_entries);
3654 }
3655 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3656 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3657 goto out;
3658 }
3659
3660 // Make sure we have enough space to write the new value
3661 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3662 persist_get_max_entries(encrypted)) {
3663 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3664 goto out;
3665 }
3666
3667 // Now that we know persist_data has enough space for value, let's delete the old field first
3668 // to make up space.
3669 persist_del_keys(fieldname, 0);
3670
3671 if (persist_set_key(fieldname, value, encrypted)) {
3672 // fail to set key, should not happen as we have already checked the available space
3673 SLOGE("persist_set_key() error during setfield()");
3674 goto out;
3675 }
3676
3677 for (field_id = 1; field_id < num_entries; field_id++) {
3678 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3679
3680 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3681 // fail to set key, should not happen as we have already checked the available space.
3682 SLOGE("persist_set_key() error during setfield()");
3683 goto out;
3684 }
3685 }
3686
3687 /* If we are running encrypted, save the persistent data now */
3688 if (encrypted) {
3689 if (save_persistent_data()) {
3690 SLOGE("Setfield error, cannot save persistent data");
3691 goto out;
3692 }
3693 }
3694
3695 rc = CRYPTO_SETFIELD_OK;
3696
3697 out:
3698 return rc;
3699 }
3700
3701 /* Checks userdata. Attempt to mount the volume if default-
3702 * encrypted.
3703 * On success trigger next init phase and return 0.
3704 * Currently do not handle failure - see TODO below.
3705 */
3706 int cryptfs_mount_default_encrypted(void)
3707 {
3708 int crypt_type = cryptfs_get_password_type();
3709 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3710 SLOGE("Bad crypt type - error");
3711 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3712 SLOGD("Password is not default - "
3713 "starting min framework to prompt");
3714 property_set("vold.decrypt", "trigger_restart_min_framework");
3715 return 0;
3716 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3717 SLOGD("Password is default - restarting filesystem");
3718 cryptfs_restart_internal(0);
3719 return 0;
3720 } else {
3721 SLOGE("Encrypted, default crypt type but can't decrypt");
3722 }
3723
3724 /** Corrupt. Allow us to boot into framework, which will detect bad
3725 crypto when it calls do_crypto_complete, then do a factory reset
3726 */
3727 property_set("vold.decrypt", "trigger_restart_min_framework");
3728 return 0;
3729 }
3730
3731 /* Returns type of the password, default, pattern, pin or password.
3732 */
3733 int cryptfs_get_password_type(void)
3734 {
3735 if (e4crypt_is_native()) {
3736 SLOGE("cryptfs_get_password_type not valid for file encryption");
3737 return -1;
3738 }
3739
3740 struct crypt_mnt_ftr crypt_ftr;
3741
3742 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3743 SLOGE("Error getting crypt footer and key\n");
3744 return -1;
3745 }
3746
3747 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3748 return -1;
3749 }
3750
3751 return crypt_ftr.crypt_type;
3752 }
3753
3754 const char* cryptfs_get_password()
3755 {
3756 if (e4crypt_is_native()) {
3757 SLOGE("cryptfs_get_password not valid for file encryption");
3758 return 0;
3759 }
3760
3761 struct timespec now;
3762 clock_gettime(CLOCK_BOOTTIME, &now);
3763 if (now.tv_sec < password_expiry_time) {
3764 return password;
3765 } else {
3766 cryptfs_clear_password();
3767 return 0;
3768 }
3769 }
3770
3771 void cryptfs_clear_password()
3772 {
3773 if (password) {
3774 size_t len = strlen(password);
3775 memset(password, 0, len);
3776 free(password);
3777 password = 0;
3778 password_expiry_time = 0;
3779 }
3780 }
3781
3782 int cryptfs_enable_file()
3783 {
3784 return e4crypt_initialize_global_de();
3785 }
3786
3787 int cryptfs_isConvertibleToFBE()
3788 {
3789 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3790 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3791 }
3792
3793 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3794 {
3795 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3796 SLOGE("Failed to initialize crypt_ftr");
3797 return -1;
3798 }
3799
3800 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3801 crypt_ftr->salt, crypt_ftr)) {
3802 SLOGE("Cannot create encrypted master key\n");
3803 return -1;
3804 }
3805
3806 //crypt_ftr->keysize = key_length / 8;
3807 return 0;
3808 }
3809
3810 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3811 unsigned char* master_key)
3812 {
3813 int rc;
3814
3815 unsigned char* intermediate_key = 0;
3816 size_t intermediate_key_size = 0;
3817
3818 if (password == 0 || *password == 0) {
3819 password = DEFAULT_PASSWORD;
3820 }
3821
3822 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3823 &intermediate_key_size);
3824
3825 if (rc) {
3826 SLOGE("Can't calculate intermediate key");
3827 return rc;
3828 }
3829
3830 int N = 1 << ftr->N_factor;
3831 int r = 1 << ftr->r_factor;
3832 int p = 1 << ftr->p_factor;
3833
3834 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3835
3836 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3837 ftr->salt, sizeof(ftr->salt), N, r, p,
3838 scrypted_intermediate_key,
3839 sizeof(scrypted_intermediate_key));
3840
3841 free(intermediate_key);
3842
3843 if (rc) {
3844 SLOGE("Can't scrypt intermediate key");
3845 return rc;
3846 }
3847
3848 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3849 intermediate_key_size);
3850 }
3851
3852 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3853 const unsigned char* master_key)
3854 {
3855 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3856 ftr);
3857 }
3858