1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4_utils/ext4.h>
42 #include <ext4_utils/ext4_utils.h>
43 #include <linux/kdev_t.h>
44 #include <fs_mgr.h>
45 #include <time.h>
46 #include <math.h>
47 #include <selinux/selinux.h>
48 #include "cryptfs.h"
49 #include "secontext.h"
50 #define LOG_TAG "Cryptfs"
51 #include "cutils/log.h"
52 #include "cutils/properties.h"
53 #include "cutils/android_reboot.h"
54 #include "hardware_legacy/power.h"
55 #include <logwrap/logwrap.h>
56 #include "ScryptParameters.h"
57 #include "VolumeManager.h"
58 #include "VoldUtil.h"
59 #include "Ext4Crypt.h"
60 #include "f2fs_sparseblock.h"
61 #include "CheckBattery.h"
62 #include "Process.h"
63 #include "Keymaster.h"
64 #include "android-base/properties.h"
65 #include <bootloader_message/bootloader_message.h>
66 extern "C" {
67 #include <crypto_scrypt.h>
68 }
69
70 #define UNUSED __attribute__((unused))
71
72 #define DM_CRYPT_BUF_SIZE 4096
73
74 #define HASH_COUNT 2000
75 #define KEY_LEN_BYTES 16
76 #define IV_LEN_BYTES 16
77
78 #define KEY_IN_FOOTER "footer"
79
80 #define DEFAULT_PASSWORD "default_password"
81
82 #define CRYPTO_BLOCK_DEVICE "userdata"
83
84 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
85
86 #define EXT4_FS 1
87 #define F2FS_FS 2
88
89 #define TABLE_LOAD_RETRIES 10
90
91 #define RSA_KEY_SIZE 2048
92 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
93 #define RSA_EXPONENT 0x10001
94 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
95
96 #define RETRY_MOUNT_ATTEMPTS 10
97 #define RETRY_MOUNT_DELAY_SECONDS 1
98
99 static unsigned char saved_master_key[KEY_LEN_BYTES];
100 static char *saved_mount_point;
101 static int master_key_saved = 0;
102 static struct crypt_persist_data *persist_data = NULL;
103
104 /* Should we use keymaster? */
keymaster_check_compatibility()105 static int keymaster_check_compatibility()
106 {
107 return keymaster_compatibility_cryptfs_scrypt();
108 }
109
110 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)111 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
112 {
113 if (ftr->keymaster_blob_size) {
114 SLOGI("Already have key");
115 return 0;
116 }
117
118 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
119 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
120 &ftr->keymaster_blob_size);
121 if (rc) {
122 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
123 SLOGE("Keymaster key blob to large)");
124 ftr->keymaster_blob_size = 0;
125 }
126 SLOGE("Failed to generate keypair");
127 return -1;
128 }
129 return 0;
130 }
131
132 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)133 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
134 const unsigned char *object,
135 const size_t object_size,
136 unsigned char **signature,
137 size_t *signature_size)
138 {
139 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
140 size_t to_sign_size = sizeof(to_sign);
141 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
142
143 // To sign a message with RSA, the message must satisfy two
144 // constraints:
145 //
146 // 1. The message, when interpreted as a big-endian numeric value, must
147 // be strictly less than the public modulus of the RSA key. Note
148 // that because the most significant bit of the public modulus is
149 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
150 // key), an n-bit message with most significant bit 0 always
151 // satisfies this requirement.
152 //
153 // 2. The message must have the same length in bits as the public
154 // modulus of the RSA key. This requirement isn't mathematically
155 // necessary, but is necessary to ensure consistency in
156 // implementations.
157 switch (ftr->kdf_type) {
158 case KDF_SCRYPT_KEYMASTER:
159 // This ensures the most significant byte of the signed message
160 // is zero. We could have zero-padded to the left instead, but
161 // this approach is slightly more robust against changes in
162 // object size. However, it's still broken (but not unusably
163 // so) because we really should be using a proper deterministic
164 // RSA padding function, such as PKCS1.
165 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
166 SLOGI("Signing safely-padded object");
167 break;
168 default:
169 SLOGE("Unknown KDF type %d", ftr->kdf_type);
170 return -1;
171 }
172 return keymaster_sign_object_for_cryptfs_scrypt(ftr->keymaster_blob, ftr->keymaster_blob_size,
173 KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size);
174 }
175
176 /* Store password when userdata is successfully decrypted and mounted.
177 * Cleared by cryptfs_clear_password
178 *
179 * To avoid a double prompt at boot, we need to store the CryptKeeper
180 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
181 * Since the entire framework is torn down and rebuilt after encryption,
182 * we have to use a daemon or similar to store the password. Since vold
183 * is secured against IPC except from system processes, it seems a reasonable
184 * place to store this.
185 *
186 * password should be cleared once it has been used.
187 *
188 * password is aged out after password_max_age_seconds seconds.
189 */
190 static char* password = 0;
191 static int password_expiry_time = 0;
192 static const int password_max_age_seconds = 60;
193
194 extern struct fstab *fstab;
195
196 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)197 static void cryptfs_reboot(enum RebootType rt)
198 {
199 switch(rt) {
200 case reboot:
201 property_set(ANDROID_RB_PROPERTY, "reboot");
202 break;
203
204 case recovery:
205 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
206 break;
207
208 case shutdown:
209 property_set(ANDROID_RB_PROPERTY, "shutdown");
210 break;
211 }
212
213 sleep(20);
214
215 /* Shouldn't get here, reboot should happen before sleep times out */
216 return;
217 }
218
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)219 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
220 {
221 memset(io, 0, dataSize);
222 io->data_size = dataSize;
223 io->data_start = sizeof(struct dm_ioctl);
224 io->version[0] = 4;
225 io->version[1] = 0;
226 io->version[2] = 0;
227 io->flags = flags;
228 if (name) {
229 strlcpy(io->name, name, sizeof(io->name));
230 }
231 }
232
233 /**
234 * Gets the default device scrypt parameters for key derivation time tuning.
235 * The parameters should lead to about one second derivation time for the
236 * given device.
237 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)238 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
239 char paramstr[PROPERTY_VALUE_MAX];
240 int Nf, rf, pf;
241
242 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
243 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
244 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
245 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
246 }
247 ftr->N_factor = Nf;
248 ftr->r_factor = rf;
249 ftr->p_factor = pf;
250 }
251
get_fs_size(char * dev)252 static unsigned int get_fs_size(char *dev)
253 {
254 int fd, block_size;
255 struct ext4_super_block sb;
256 off64_t len;
257
258 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
259 SLOGE("Cannot open device to get filesystem size ");
260 return 0;
261 }
262
263 if (lseek64(fd, 1024, SEEK_SET) < 0) {
264 SLOGE("Cannot seek to superblock");
265 return 0;
266 }
267
268 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
269 SLOGE("Cannot read superblock");
270 return 0;
271 }
272
273 close(fd);
274
275 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
276 SLOGE("Not a valid ext4 superblock");
277 return 0;
278 }
279 block_size = 1024 << sb.s_log_block_size;
280 /* compute length in bytes */
281 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
282
283 /* return length in sectors */
284 return (unsigned int) (len / 512);
285 }
286
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)287 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
288 {
289 static int cached_data = 0;
290 static off64_t cached_off = 0;
291 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
292 int fd;
293 char key_loc[PROPERTY_VALUE_MAX];
294 char real_blkdev[PROPERTY_VALUE_MAX];
295 int rc = -1;
296
297 if (!cached_data) {
298 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
299
300 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
301 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
302 SLOGE("Cannot open real block device %s\n", real_blkdev);
303 return -1;
304 }
305
306 unsigned long nr_sec = 0;
307 get_blkdev_size(fd, &nr_sec);
308 if (nr_sec != 0) {
309 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
310 * encryption info footer and key, and plenty of bytes to spare for future
311 * growth.
312 */
313 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
314 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
315 cached_data = 1;
316 } else {
317 SLOGE("Cannot get size of block device %s\n", real_blkdev);
318 }
319 close(fd);
320 } else {
321 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
322 cached_off = 0;
323 cached_data = 1;
324 }
325 }
326
327 if (cached_data) {
328 if (metadata_fname) {
329 *metadata_fname = cached_metadata_fname;
330 }
331 if (off) {
332 *off = cached_off;
333 }
334 rc = 0;
335 }
336
337 return rc;
338 }
339
340 /* Set sha256 checksum in structure */
set_ftr_sha(struct crypt_mnt_ftr * crypt_ftr)341 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
342 {
343 SHA256_CTX c;
344 SHA256_Init(&c);
345 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
346 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
347 SHA256_Final(crypt_ftr->sha256, &c);
348 }
349
350 /* key or salt can be NULL, in which case just skip writing that value. Useful to
351 * update the failed mount count but not change the key.
352 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)353 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
354 {
355 int fd;
356 unsigned int cnt;
357 /* starting_off is set to the SEEK_SET offset
358 * where the crypto structure starts
359 */
360 off64_t starting_off;
361 int rc = -1;
362 char *fname = NULL;
363 struct stat statbuf;
364
365 set_ftr_sha(crypt_ftr);
366
367 if (get_crypt_ftr_info(&fname, &starting_off)) {
368 SLOGE("Unable to get crypt_ftr_info\n");
369 return -1;
370 }
371 if (fname[0] != '/') {
372 SLOGE("Unexpected value for crypto key location\n");
373 return -1;
374 }
375 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
376 SLOGE("Cannot open footer file %s for put\n", fname);
377 return -1;
378 }
379
380 /* Seek to the start of the crypt footer */
381 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
382 SLOGE("Cannot seek to real block device footer\n");
383 goto errout;
384 }
385
386 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
387 SLOGE("Cannot write real block device footer\n");
388 goto errout;
389 }
390
391 fstat(fd, &statbuf);
392 /* If the keys are kept on a raw block device, do not try to truncate it. */
393 if (S_ISREG(statbuf.st_mode)) {
394 if (ftruncate(fd, 0x4000)) {
395 SLOGE("Cannot set footer file size\n");
396 goto errout;
397 }
398 }
399
400 /* Success! */
401 rc = 0;
402
403 errout:
404 close(fd);
405 return rc;
406
407 }
408
check_ftr_sha(const struct crypt_mnt_ftr * crypt_ftr)409 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
410 {
411 struct crypt_mnt_ftr copy;
412 memcpy(©, crypt_ftr, sizeof(copy));
413 set_ftr_sha(©);
414 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
415 }
416
unix_read(int fd,void * buff,int len)417 static inline int unix_read(int fd, void* buff, int len)
418 {
419 return TEMP_FAILURE_RETRY(read(fd, buff, len));
420 }
421
unix_write(int fd,const void * buff,int len)422 static inline int unix_write(int fd, const void* buff, int len)
423 {
424 return TEMP_FAILURE_RETRY(write(fd, buff, len));
425 }
426
init_empty_persist_data(struct crypt_persist_data * pdata,int len)427 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
428 {
429 memset(pdata, 0, len);
430 pdata->persist_magic = PERSIST_DATA_MAGIC;
431 pdata->persist_valid_entries = 0;
432 }
433
434 /* A routine to update the passed in crypt_ftr to the lastest version.
435 * fd is open read/write on the device that holds the crypto footer and persistent
436 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
437 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
438 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)439 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
440 {
441 int orig_major = crypt_ftr->major_version;
442 int orig_minor = crypt_ftr->minor_version;
443
444 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
445 struct crypt_persist_data *pdata;
446 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
447
448 SLOGW("upgrading crypto footer to 1.1");
449
450 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
451 if (pdata == NULL) {
452 SLOGE("Cannot allocate persisent data\n");
453 return;
454 }
455 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
456
457 /* Need to initialize the persistent data area */
458 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
459 SLOGE("Cannot seek to persisent data offset\n");
460 free(pdata);
461 return;
462 }
463 /* Write all zeros to the first copy, making it invalid */
464 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
465
466 /* Write a valid but empty structure to the second copy */
467 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
468 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
469
470 /* Update the footer */
471 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
472 crypt_ftr->persist_data_offset[0] = pdata_offset;
473 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
474 crypt_ftr->minor_version = 1;
475 free(pdata);
476 }
477
478 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
479 SLOGW("upgrading crypto footer to 1.2");
480 /* But keep the old kdf_type.
481 * It will get updated later to KDF_SCRYPT after the password has been verified.
482 */
483 crypt_ftr->kdf_type = KDF_PBKDF2;
484 get_device_scrypt_params(crypt_ftr);
485 crypt_ftr->minor_version = 2;
486 }
487
488 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
489 SLOGW("upgrading crypto footer to 1.3");
490 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
491 crypt_ftr->minor_version = 3;
492 }
493
494 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
495 if (lseek64(fd, offset, SEEK_SET) == -1) {
496 SLOGE("Cannot seek to crypt footer\n");
497 return;
498 }
499 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
500 }
501 }
502
503
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)504 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
505 {
506 int fd;
507 unsigned int cnt;
508 off64_t starting_off;
509 int rc = -1;
510 char *fname = NULL;
511 struct stat statbuf;
512
513 if (get_crypt_ftr_info(&fname, &starting_off)) {
514 SLOGE("Unable to get crypt_ftr_info\n");
515 return -1;
516 }
517 if (fname[0] != '/') {
518 SLOGE("Unexpected value for crypto key location\n");
519 return -1;
520 }
521 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
522 SLOGE("Cannot open footer file %s for get\n", fname);
523 return -1;
524 }
525
526 /* Make sure it's 16 Kbytes in length */
527 fstat(fd, &statbuf);
528 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
529 SLOGE("footer file %s is not the expected size!\n", fname);
530 goto errout;
531 }
532
533 /* Seek to the start of the crypt footer */
534 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
535 SLOGE("Cannot seek to real block device footer\n");
536 goto errout;
537 }
538
539 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
540 SLOGE("Cannot read real block device footer\n");
541 goto errout;
542 }
543
544 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
545 SLOGE("Bad magic for real block device %s\n", fname);
546 goto errout;
547 }
548
549 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
550 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
551 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
552 goto errout;
553 }
554
555 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
556 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
557 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
558 }
559
560 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
561 * copy on disk before returning.
562 */
563 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
564 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
565 }
566
567 /* Success! */
568 rc = 0;
569
570 errout:
571 close(fd);
572 return rc;
573 }
574
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)575 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
576 {
577 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
578 crypt_ftr->persist_data_offset[1]) {
579 SLOGE("Crypt_ftr persist data regions overlap");
580 return -1;
581 }
582
583 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
584 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
585 return -1;
586 }
587
588 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
589 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
590 CRYPT_FOOTER_OFFSET) {
591 SLOGE("Persistent data extends past crypto footer");
592 return -1;
593 }
594
595 return 0;
596 }
597
load_persistent_data(void)598 static int load_persistent_data(void)
599 {
600 struct crypt_mnt_ftr crypt_ftr;
601 struct crypt_persist_data *pdata = NULL;
602 char encrypted_state[PROPERTY_VALUE_MAX];
603 char *fname;
604 int found = 0;
605 int fd;
606 int ret;
607 int i;
608
609 if (persist_data) {
610 /* Nothing to do, we've already loaded or initialized it */
611 return 0;
612 }
613
614
615 /* If not encrypted, just allocate an empty table and initialize it */
616 property_get("ro.crypto.state", encrypted_state, "");
617 if (strcmp(encrypted_state, "encrypted") ) {
618 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
619 if (pdata) {
620 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
621 persist_data = pdata;
622 return 0;
623 }
624 return -1;
625 }
626
627 if(get_crypt_ftr_and_key(&crypt_ftr)) {
628 return -1;
629 }
630
631 if ((crypt_ftr.major_version < 1)
632 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
633 SLOGE("Crypt_ftr version doesn't support persistent data");
634 return -1;
635 }
636
637 if (get_crypt_ftr_info(&fname, NULL)) {
638 return -1;
639 }
640
641 ret = validate_persistent_data_storage(&crypt_ftr);
642 if (ret) {
643 return -1;
644 }
645
646 fd = open(fname, O_RDONLY|O_CLOEXEC);
647 if (fd < 0) {
648 SLOGE("Cannot open %s metadata file", fname);
649 return -1;
650 }
651
652 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
653 if (pdata == NULL) {
654 SLOGE("Cannot allocate memory for persistent data");
655 goto err;
656 }
657
658 for (i = 0; i < 2; i++) {
659 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
660 SLOGE("Cannot seek to read persistent data on %s", fname);
661 goto err2;
662 }
663 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
664 SLOGE("Error reading persistent data on iteration %d", i);
665 goto err2;
666 }
667 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
668 found = 1;
669 break;
670 }
671 }
672
673 if (!found) {
674 SLOGI("Could not find valid persistent data, creating");
675 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
676 }
677
678 /* Success */
679 persist_data = pdata;
680 close(fd);
681 return 0;
682
683 err2:
684 free(pdata);
685
686 err:
687 close(fd);
688 return -1;
689 }
690
save_persistent_data(void)691 static int save_persistent_data(void)
692 {
693 struct crypt_mnt_ftr crypt_ftr;
694 struct crypt_persist_data *pdata;
695 char *fname;
696 off64_t write_offset;
697 off64_t erase_offset;
698 int fd;
699 int ret;
700
701 if (persist_data == NULL) {
702 SLOGE("No persistent data to save");
703 return -1;
704 }
705
706 if(get_crypt_ftr_and_key(&crypt_ftr)) {
707 return -1;
708 }
709
710 if ((crypt_ftr.major_version < 1)
711 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
712 SLOGE("Crypt_ftr version doesn't support persistent data");
713 return -1;
714 }
715
716 ret = validate_persistent_data_storage(&crypt_ftr);
717 if (ret) {
718 return -1;
719 }
720
721 if (get_crypt_ftr_info(&fname, NULL)) {
722 return -1;
723 }
724
725 fd = open(fname, O_RDWR|O_CLOEXEC);
726 if (fd < 0) {
727 SLOGE("Cannot open %s metadata file", fname);
728 return -1;
729 }
730
731 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
732 if (pdata == NULL) {
733 SLOGE("Cannot allocate persistant data");
734 goto err;
735 }
736
737 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
738 SLOGE("Cannot seek to read persistent data on %s", fname);
739 goto err2;
740 }
741
742 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
743 SLOGE("Error reading persistent data before save");
744 goto err2;
745 }
746
747 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
748 /* The first copy is the curent valid copy, so write to
749 * the second copy and erase this one */
750 write_offset = crypt_ftr.persist_data_offset[1];
751 erase_offset = crypt_ftr.persist_data_offset[0];
752 } else {
753 /* The second copy must be the valid copy, so write to
754 * the first copy, and erase the second */
755 write_offset = crypt_ftr.persist_data_offset[0];
756 erase_offset = crypt_ftr.persist_data_offset[1];
757 }
758
759 /* Write the new copy first, if successful, then erase the old copy */
760 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
761 SLOGE("Cannot seek to write persistent data");
762 goto err2;
763 }
764 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
765 (int) crypt_ftr.persist_data_size) {
766 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
767 SLOGE("Cannot seek to erase previous persistent data");
768 goto err2;
769 }
770 fsync(fd);
771 memset(pdata, 0, crypt_ftr.persist_data_size);
772 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
773 (int) crypt_ftr.persist_data_size) {
774 SLOGE("Cannot write to erase previous persistent data");
775 goto err2;
776 }
777 fsync(fd);
778 } else {
779 SLOGE("Cannot write to save persistent data");
780 goto err2;
781 }
782
783 /* Success */
784 free(pdata);
785 close(fd);
786 return 0;
787
788 err2:
789 free(pdata);
790 err:
791 close(fd);
792 return -1;
793 }
794
795 /* Convert a binary key of specified length into an ascii hex string equivalent,
796 * without the leading 0x and with null termination
797 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)798 static void convert_key_to_hex_ascii(const unsigned char *master_key,
799 unsigned int keysize, char *master_key_ascii) {
800 unsigned int i, a;
801 unsigned char nibble;
802
803 for (i=0, a=0; i<keysize; i++, a+=2) {
804 /* For each byte, write out two ascii hex digits */
805 nibble = (master_key[i] >> 4) & 0xf;
806 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
807
808 nibble = master_key[i] & 0xf;
809 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
810 }
811
812 /* Add the null termination */
813 master_key_ascii[a] = '\0';
814
815 }
816
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)817 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
818 const unsigned char *master_key, const char *real_blk_name,
819 const char *name, int fd, const char *extra_params) {
820 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
821 struct dm_ioctl *io;
822 struct dm_target_spec *tgt;
823 char *crypt_params;
824 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
825 size_t buff_offset;
826 int i;
827
828 io = (struct dm_ioctl *) buffer;
829
830 /* Load the mapping table for this device */
831 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
832
833 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
834 io->target_count = 1;
835 tgt->status = 0;
836 tgt->sector_start = 0;
837 tgt->length = crypt_ftr->fs_size;
838 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
839
840 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
841 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
842
843 buff_offset = crypt_params - buffer;
844 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
845 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
846 extra_params);
847 crypt_params += strlen(crypt_params) + 1;
848 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
849 tgt->next = crypt_params - buffer;
850
851 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
852 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
853 break;
854 }
855 usleep(500000);
856 }
857
858 if (i == TABLE_LOAD_RETRIES) {
859 /* We failed to load the table, return an error */
860 return -1;
861 } else {
862 return i + 1;
863 }
864 }
865
866
get_dm_crypt_version(int fd,const char * name,int * version)867 static int get_dm_crypt_version(int fd, const char *name, int *version)
868 {
869 char buffer[DM_CRYPT_BUF_SIZE];
870 struct dm_ioctl *io;
871 struct dm_target_versions *v;
872
873 io = (struct dm_ioctl *) buffer;
874
875 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
876
877 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
878 return -1;
879 }
880
881 /* Iterate over the returned versions, looking for name of "crypt".
882 * When found, get and return the version.
883 */
884 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
885 while (v->next) {
886 if (! strcmp(v->name, "crypt")) {
887 /* We found the crypt driver, return the version, and get out */
888 version[0] = v->version[0];
889 version[1] = v->version[1];
890 version[2] = v->version[2];
891 return 0;
892 }
893 v = (struct dm_target_versions *)(((char *)v) + v->next);
894 }
895
896 return -1;
897 }
898
create_crypto_blk_dev(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,char * crypto_blk_name,const char * name)899 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
900 const unsigned char *master_key, const char *real_blk_name,
901 char *crypto_blk_name, const char *name) {
902 char buffer[DM_CRYPT_BUF_SIZE];
903 struct dm_ioctl *io;
904 unsigned int minor;
905 int fd=0;
906 int err;
907 int retval = -1;
908 int version[3];
909 const char *extra_params;
910 int load_count;
911
912 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
913 SLOGE("Cannot open device-mapper\n");
914 goto errout;
915 }
916
917 io = (struct dm_ioctl *) buffer;
918
919 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
920 err = ioctl(fd, DM_DEV_CREATE, io);
921 if (err) {
922 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
923 goto errout;
924 }
925
926 /* Get the device status, in particular, the name of it's device file */
927 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
928 if (ioctl(fd, DM_DEV_STATUS, io)) {
929 SLOGE("Cannot retrieve dm-crypt device status\n");
930 goto errout;
931 }
932 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
933 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
934
935 extra_params = "";
936 if (! get_dm_crypt_version(fd, name, version)) {
937 /* Support for allow_discards was added in version 1.11.0 */
938 if ((version[0] >= 2) ||
939 ((version[0] == 1) && (version[1] >= 11))) {
940 extra_params = "1 allow_discards";
941 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
942 }
943 }
944
945 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
946 fd, extra_params);
947 if (load_count < 0) {
948 SLOGE("Cannot load dm-crypt mapping table.\n");
949 goto errout;
950 } else if (load_count > 1) {
951 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
952 }
953
954 /* Resume this device to activate it */
955 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
956
957 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
958 SLOGE("Cannot resume the dm-crypt device\n");
959 goto errout;
960 }
961
962 /* We made it here with no errors. Woot! */
963 retval = 0;
964
965 errout:
966 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
967
968 return retval;
969 }
970
delete_crypto_blk_dev(const char * name)971 static int delete_crypto_blk_dev(const char *name)
972 {
973 int fd;
974 char buffer[DM_CRYPT_BUF_SIZE];
975 struct dm_ioctl *io;
976 int retval = -1;
977
978 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
979 SLOGE("Cannot open device-mapper\n");
980 goto errout;
981 }
982
983 io = (struct dm_ioctl *) buffer;
984
985 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
986 if (ioctl(fd, DM_DEV_REMOVE, io)) {
987 SLOGE("Cannot remove dm-crypt device\n");
988 goto errout;
989 }
990
991 /* We made it here with no errors. Woot! */
992 retval = 0;
993
994 errout:
995 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
996
997 return retval;
998
999 }
1000
pbkdf2(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params UNUSED)1001 static int pbkdf2(const char *passwd, const unsigned char *salt,
1002 unsigned char *ikey, void *params UNUSED)
1003 {
1004 SLOGI("Using pbkdf2 for cryptfs KDF");
1005
1006 /* Turn the password into a key and IV that can decrypt the master key */
1007 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1008 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1009 ikey) != 1;
1010 }
1011
scrypt(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1012 static int scrypt(const char *passwd, const unsigned char *salt,
1013 unsigned char *ikey, void *params)
1014 {
1015 SLOGI("Using scrypt for cryptfs KDF");
1016
1017 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1018
1019 int N = 1 << ftr->N_factor;
1020 int r = 1 << ftr->r_factor;
1021 int p = 1 << ftr->p_factor;
1022
1023 /* Turn the password into a key and IV that can decrypt the master key */
1024 unsigned int keysize;
1025 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1026 salt, SALT_LEN, N, r, p, ikey,
1027 KEY_LEN_BYTES + IV_LEN_BYTES);
1028
1029 return 0;
1030 }
1031
scrypt_keymaster(const char * passwd,const unsigned char * salt,unsigned char * ikey,void * params)1032 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1033 unsigned char *ikey, void *params)
1034 {
1035 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1036
1037 int rc;
1038 size_t signature_size;
1039 unsigned char* signature;
1040 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1041
1042 int N = 1 << ftr->N_factor;
1043 int r = 1 << ftr->r_factor;
1044 int p = 1 << ftr->p_factor;
1045
1046 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1047 salt, SALT_LEN, N, r, p, ikey,
1048 KEY_LEN_BYTES + IV_LEN_BYTES);
1049
1050 if (rc) {
1051 SLOGE("scrypt failed");
1052 return -1;
1053 }
1054
1055 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1056 &signature, &signature_size)) {
1057 SLOGE("Signing failed");
1058 return -1;
1059 }
1060
1061 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1062 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1063 free(signature);
1064
1065 if (rc) {
1066 SLOGE("scrypt failed");
1067 return -1;
1068 }
1069
1070 return 0;
1071 }
1072
encrypt_master_key(const char * passwd,const unsigned char * salt,const unsigned char * decrypted_master_key,unsigned char * encrypted_master_key,struct crypt_mnt_ftr * crypt_ftr)1073 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1074 const unsigned char *decrypted_master_key,
1075 unsigned char *encrypted_master_key,
1076 struct crypt_mnt_ftr *crypt_ftr)
1077 {
1078 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1079 EVP_CIPHER_CTX e_ctx;
1080 int encrypted_len, final_len;
1081 int rc = 0;
1082
1083 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1084 get_device_scrypt_params(crypt_ftr);
1085
1086 switch (crypt_ftr->kdf_type) {
1087 case KDF_SCRYPT_KEYMASTER:
1088 if (keymaster_create_key(crypt_ftr)) {
1089 SLOGE("keymaster_create_key failed");
1090 return -1;
1091 }
1092
1093 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1094 SLOGE("scrypt failed");
1095 return -1;
1096 }
1097 break;
1098
1099 case KDF_SCRYPT:
1100 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1101 SLOGE("scrypt failed");
1102 return -1;
1103 }
1104 break;
1105
1106 default:
1107 SLOGE("Invalid kdf_type");
1108 return -1;
1109 }
1110
1111 /* Initialize the decryption engine */
1112 EVP_CIPHER_CTX_init(&e_ctx);
1113 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1114 SLOGE("EVP_EncryptInit failed\n");
1115 return -1;
1116 }
1117 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1118
1119 /* Encrypt the master key */
1120 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1121 decrypted_master_key, KEY_LEN_BYTES)) {
1122 SLOGE("EVP_EncryptUpdate failed\n");
1123 return -1;
1124 }
1125 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1126 SLOGE("EVP_EncryptFinal failed\n");
1127 return -1;
1128 }
1129
1130 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1131 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1132 return -1;
1133 }
1134
1135 /* Store the scrypt of the intermediate key, so we can validate if it's a
1136 password error or mount error when things go wrong.
1137 Note there's no need to check for errors, since if this is incorrect, we
1138 simply won't wipe userdata, which is the correct default behavior
1139 */
1140 int N = 1 << crypt_ftr->N_factor;
1141 int r = 1 << crypt_ftr->r_factor;
1142 int p = 1 << crypt_ftr->p_factor;
1143
1144 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1145 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1146 crypt_ftr->scrypted_intermediate_key,
1147 sizeof(crypt_ftr->scrypted_intermediate_key));
1148
1149 if (rc) {
1150 SLOGE("encrypt_master_key: crypto_scrypt failed");
1151 }
1152
1153 EVP_CIPHER_CTX_cleanup(&e_ctx);
1154
1155 return 0;
1156 }
1157
decrypt_master_key_aux(const char * passwd,unsigned char * salt,unsigned char * encrypted_master_key,unsigned char * decrypted_master_key,kdf_func kdf,void * kdf_params,unsigned char ** intermediate_key,size_t * intermediate_key_size)1158 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1159 unsigned char *encrypted_master_key,
1160 unsigned char *decrypted_master_key,
1161 kdf_func kdf, void *kdf_params,
1162 unsigned char** intermediate_key,
1163 size_t* intermediate_key_size)
1164 {
1165 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1166 EVP_CIPHER_CTX d_ctx;
1167 int decrypted_len, final_len;
1168
1169 /* Turn the password into an intermediate key and IV that can decrypt the
1170 master key */
1171 if (kdf(passwd, salt, ikey, kdf_params)) {
1172 SLOGE("kdf failed");
1173 return -1;
1174 }
1175
1176 /* Initialize the decryption engine */
1177 EVP_CIPHER_CTX_init(&d_ctx);
1178 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1179 return -1;
1180 }
1181 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1182 /* Decrypt the master key */
1183 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1184 encrypted_master_key, KEY_LEN_BYTES)) {
1185 return -1;
1186 }
1187 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1188 return -1;
1189 }
1190
1191 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1192 return -1;
1193 }
1194
1195 /* Copy intermediate key if needed by params */
1196 if (intermediate_key && intermediate_key_size) {
1197 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1198 if (*intermediate_key) {
1199 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1200 *intermediate_key_size = KEY_LEN_BYTES;
1201 }
1202 }
1203
1204 EVP_CIPHER_CTX_cleanup(&d_ctx);
1205
1206 return 0;
1207 }
1208
get_kdf_func(struct crypt_mnt_ftr * ftr,kdf_func * kdf,void ** kdf_params)1209 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1210 {
1211 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1212 *kdf = scrypt_keymaster;
1213 *kdf_params = ftr;
1214 } else if (ftr->kdf_type == KDF_SCRYPT) {
1215 *kdf = scrypt;
1216 *kdf_params = ftr;
1217 } else {
1218 *kdf = pbkdf2;
1219 *kdf_params = NULL;
1220 }
1221 }
1222
decrypt_master_key(const char * passwd,unsigned char * decrypted_master_key,struct crypt_mnt_ftr * crypt_ftr,unsigned char ** intermediate_key,size_t * intermediate_key_size)1223 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1224 struct crypt_mnt_ftr *crypt_ftr,
1225 unsigned char** intermediate_key,
1226 size_t* intermediate_key_size)
1227 {
1228 kdf_func kdf;
1229 void *kdf_params;
1230 int ret;
1231
1232 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1233 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1234 decrypted_master_key, kdf, kdf_params,
1235 intermediate_key, intermediate_key_size);
1236 if (ret != 0) {
1237 SLOGW("failure decrypting master key");
1238 }
1239
1240 return ret;
1241 }
1242
create_encrypted_random_key(const char * passwd,unsigned char * master_key,unsigned char * salt,struct crypt_mnt_ftr * crypt_ftr)1243 static int create_encrypted_random_key(const char *passwd, unsigned char *master_key, unsigned char *salt,
1244 struct crypt_mnt_ftr *crypt_ftr) {
1245 int fd;
1246 unsigned char key_buf[KEY_LEN_BYTES];
1247
1248 /* Get some random bits for a key */
1249 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1250 read(fd, key_buf, sizeof(key_buf));
1251 read(fd, salt, SALT_LEN);
1252 close(fd);
1253
1254 /* Now encrypt it with the password */
1255 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1256 }
1257
wait_and_unmount(const char * mountpoint,bool kill)1258 int wait_and_unmount(const char *mountpoint, bool kill)
1259 {
1260 int i, err, rc;
1261 #define WAIT_UNMOUNT_COUNT 20
1262
1263 /* Now umount the tmpfs filesystem */
1264 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1265 if (umount(mountpoint) == 0) {
1266 break;
1267 }
1268
1269 if (errno == EINVAL) {
1270 /* EINVAL is returned if the directory is not a mountpoint,
1271 * i.e. there is no filesystem mounted there. So just get out.
1272 */
1273 break;
1274 }
1275
1276 err = errno;
1277
1278 /* If allowed, be increasingly aggressive before the last two retries */
1279 if (kill) {
1280 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1281 SLOGW("sending SIGHUP to processes with open files\n");
1282 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1283 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1284 SLOGW("sending SIGKILL to processes with open files\n");
1285 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1286 }
1287 }
1288
1289 sleep(1);
1290 }
1291
1292 if (i < WAIT_UNMOUNT_COUNT) {
1293 SLOGD("unmounting %s succeeded\n", mountpoint);
1294 rc = 0;
1295 } else {
1296 vold_killProcessesWithOpenFiles(mountpoint, 0);
1297 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1298 rc = -1;
1299 }
1300
1301 return rc;
1302 }
1303
prep_data_fs(void)1304 static int prep_data_fs(void)
1305 {
1306 int i;
1307
1308 // NOTE: post_fs_data results in init calling back around to vold, so all
1309 // callers to this method must be async
1310
1311 /* Do the prep of the /data filesystem */
1312 property_set("vold.post_fs_data_done", "0");
1313 property_set("vold.decrypt", "trigger_post_fs_data");
1314 SLOGD("Just triggered post_fs_data\n");
1315
1316 /* Wait a max of 50 seconds, hopefully it takes much less */
1317 if (!android::base::WaitForProperty("vold.post_fs_data_done",
1318 "1",
1319 std::chrono::seconds(50))) {
1320 /* Ugh, we failed to prep /data in time. Bail. */
1321 SLOGE("post_fs_data timed out!\n");
1322 return -1;
1323 } else {
1324 SLOGD("post_fs_data done\n");
1325 return 0;
1326 }
1327 }
1328
cryptfs_set_corrupt()1329 static void cryptfs_set_corrupt()
1330 {
1331 // Mark the footer as bad
1332 struct crypt_mnt_ftr crypt_ftr;
1333 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1334 SLOGE("Failed to get crypto footer - panic");
1335 return;
1336 }
1337
1338 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1339 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1340 SLOGE("Failed to set crypto footer - panic");
1341 return;
1342 }
1343 }
1344
cryptfs_trigger_restart_min_framework()1345 static void cryptfs_trigger_restart_min_framework()
1346 {
1347 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1348 SLOGE("Failed to mount tmpfs on data - panic");
1349 return;
1350 }
1351
1352 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1353 SLOGE("Failed to trigger post fs data - panic");
1354 return;
1355 }
1356
1357 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1358 SLOGE("Failed to trigger restart min framework - panic");
1359 return;
1360 }
1361 }
1362
1363 /* returns < 0 on failure */
cryptfs_restart_internal(int restart_main)1364 static int cryptfs_restart_internal(int restart_main)
1365 {
1366 char crypto_blkdev[MAXPATHLEN];
1367 int rc = -1;
1368 static int restart_successful = 0;
1369
1370 /* Validate that it's OK to call this routine */
1371 if (! master_key_saved) {
1372 SLOGE("Encrypted filesystem not validated, aborting");
1373 return -1;
1374 }
1375
1376 if (restart_successful) {
1377 SLOGE("System already restarted with encrypted disk, aborting");
1378 return -1;
1379 }
1380
1381 if (restart_main) {
1382 /* Here is where we shut down the framework. The init scripts
1383 * start all services in one of three classes: core, main or late_start.
1384 * On boot, we start core and main. Now, we stop main, but not core,
1385 * as core includes vold and a few other really important things that
1386 * we need to keep running. Once main has stopped, we should be able
1387 * to umount the tmpfs /data, then mount the encrypted /data.
1388 * We then restart the class main, and also the class late_start.
1389 * At the moment, I've only put a few things in late_start that I know
1390 * are not needed to bring up the framework, and that also cause problems
1391 * with unmounting the tmpfs /data, but I hope to add add more services
1392 * to the late_start class as we optimize this to decrease the delay
1393 * till the user is asked for the password to the filesystem.
1394 */
1395
1396 /* The init files are setup to stop the class main when vold.decrypt is
1397 * set to trigger_reset_main.
1398 */
1399 property_set("vold.decrypt", "trigger_reset_main");
1400 SLOGD("Just asked init to shut down class main\n");
1401
1402 /* Ugh, shutting down the framework is not synchronous, so until it
1403 * can be fixed, this horrible hack will wait a moment for it all to
1404 * shut down before proceeding. Without it, some devices cannot
1405 * restart the graphics services.
1406 */
1407 sleep(2);
1408 }
1409
1410 /* Now that the framework is shutdown, we should be able to umount()
1411 * the tmpfs filesystem, and mount the real one.
1412 */
1413
1414 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1415 if (strlen(crypto_blkdev) == 0) {
1416 SLOGE("fs_crypto_blkdev not set\n");
1417 return -1;
1418 }
1419
1420 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1421 /* If ro.crypto.readonly is set to 1, mount the decrypted
1422 * filesystem readonly. This is used when /data is mounted by
1423 * recovery mode.
1424 */
1425 char ro_prop[PROPERTY_VALUE_MAX];
1426 property_get("ro.crypto.readonly", ro_prop, "");
1427 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1428 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1429 rec->flags |= MS_RDONLY;
1430 }
1431
1432 /* If that succeeded, then mount the decrypted filesystem */
1433 int retries = RETRY_MOUNT_ATTEMPTS;
1434 int mount_rc;
1435
1436 /*
1437 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1438 * partitions in the fsck domain.
1439 */
1440 if (setexeccon(secontextFsck())){
1441 SLOGE("Failed to setexeccon");
1442 return -1;
1443 }
1444 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1445 crypto_blkdev, 0))
1446 != 0) {
1447 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1448 /* TODO: invoke something similar to
1449 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1450 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1451 SLOGI("Failed to mount %s because it is busy - waiting",
1452 crypto_blkdev);
1453 if (--retries) {
1454 sleep(RETRY_MOUNT_DELAY_SECONDS);
1455 } else {
1456 /* Let's hope that a reboot clears away whatever is keeping
1457 the mount busy */
1458 cryptfs_reboot(reboot);
1459 }
1460 } else {
1461 SLOGE("Failed to mount decrypted data");
1462 cryptfs_set_corrupt();
1463 cryptfs_trigger_restart_min_framework();
1464 SLOGI("Started framework to offer wipe");
1465 if (setexeccon(NULL)) {
1466 SLOGE("Failed to setexeccon");
1467 }
1468 return -1;
1469 }
1470 }
1471 if (setexeccon(NULL)) {
1472 SLOGE("Failed to setexeccon");
1473 return -1;
1474 }
1475
1476 /* Create necessary paths on /data */
1477 if (prep_data_fs()) {
1478 return -1;
1479 }
1480 property_set("vold.decrypt", "trigger_load_persist_props");
1481
1482 /* startup service classes main and late_start */
1483 property_set("vold.decrypt", "trigger_restart_framework");
1484 SLOGD("Just triggered restart_framework\n");
1485
1486 /* Give it a few moments to get started */
1487 sleep(1);
1488 }
1489
1490 if (rc == 0) {
1491 restart_successful = 1;
1492 }
1493
1494 return rc;
1495 }
1496
cryptfs_restart(void)1497 int cryptfs_restart(void)
1498 {
1499 SLOGI("cryptfs_restart");
1500 if (e4crypt_is_native()) {
1501 SLOGE("cryptfs_restart not valid for file encryption:");
1502 return -1;
1503 }
1504
1505 /* Call internal implementation forcing a restart of main service group */
1506 return cryptfs_restart_internal(1);
1507 }
1508
do_crypto_complete(const char * mount_point)1509 static int do_crypto_complete(const char *mount_point)
1510 {
1511 struct crypt_mnt_ftr crypt_ftr;
1512 char encrypted_state[PROPERTY_VALUE_MAX];
1513 char key_loc[PROPERTY_VALUE_MAX];
1514
1515 property_get("ro.crypto.state", encrypted_state, "");
1516 if (strcmp(encrypted_state, "encrypted") ) {
1517 SLOGE("not running with encryption, aborting");
1518 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1519 }
1520
1521 // crypto_complete is full disk encrypted status
1522 if (e4crypt_is_native()) {
1523 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1524 }
1525
1526 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1527 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1528
1529 /*
1530 * Only report this error if key_loc is a file and it exists.
1531 * If the device was never encrypted, and /data is not mountable for
1532 * some reason, returning 1 should prevent the UI from presenting the
1533 * a "enter password" screen, or worse, a "press button to wipe the
1534 * device" screen.
1535 */
1536 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1537 SLOGE("master key file does not exist, aborting");
1538 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1539 } else {
1540 SLOGE("Error getting crypt footer and key\n");
1541 return CRYPTO_COMPLETE_BAD_METADATA;
1542 }
1543 }
1544
1545 // Test for possible error flags
1546 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1547 SLOGE("Encryption process is partway completed\n");
1548 return CRYPTO_COMPLETE_PARTIAL;
1549 }
1550
1551 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1552 SLOGE("Encryption process was interrupted but cannot continue\n");
1553 return CRYPTO_COMPLETE_INCONSISTENT;
1554 }
1555
1556 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1557 SLOGE("Encryption is successful but data is corrupt\n");
1558 return CRYPTO_COMPLETE_CORRUPT;
1559 }
1560
1561 /* We passed the test! We shall diminish, and return to the west */
1562 return CRYPTO_COMPLETE_ENCRYPTED;
1563 }
1564
test_mount_encrypted_fs(struct crypt_mnt_ftr * crypt_ftr,const char * passwd,const char * mount_point,const char * label)1565 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1566 const char *passwd, const char *mount_point, const char *label)
1567 {
1568 /* Allocate enough space for a 256 bit key, but we may use less */
1569 unsigned char decrypted_master_key[32];
1570 char crypto_blkdev[MAXPATHLEN];
1571 char real_blkdev[MAXPATHLEN];
1572 char tmp_mount_point[64];
1573 unsigned int orig_failed_decrypt_count;
1574 int rc;
1575 int use_keymaster = 0;
1576 int upgrade = 0;
1577 unsigned char* intermediate_key = 0;
1578 size_t intermediate_key_size = 0;
1579 int N = 1 << crypt_ftr->N_factor;
1580 int r = 1 << crypt_ftr->r_factor;
1581 int p = 1 << crypt_ftr->p_factor;
1582
1583 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1584 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1585
1586 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1587 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1588 &intermediate_key, &intermediate_key_size)) {
1589 SLOGE("Failed to decrypt master key\n");
1590 rc = -1;
1591 goto errout;
1592 }
1593 }
1594
1595 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1596
1597 // Create crypto block device - all (non fatal) code paths
1598 // need it
1599 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1600 real_blkdev, crypto_blkdev, label)) {
1601 SLOGE("Error creating decrypted block device\n");
1602 rc = -1;
1603 goto errout;
1604 }
1605
1606 /* Work out if the problem is the password or the data */
1607 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1608 scrypted_intermediate_key)];
1609
1610 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1611 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1612 N, r, p, scrypted_intermediate_key,
1613 sizeof(scrypted_intermediate_key));
1614
1615 // Does the key match the crypto footer?
1616 if (rc == 0 && memcmp(scrypted_intermediate_key,
1617 crypt_ftr->scrypted_intermediate_key,
1618 sizeof(scrypted_intermediate_key)) == 0) {
1619 SLOGI("Password matches");
1620 rc = 0;
1621 } else {
1622 /* Try mounting the file system anyway, just in case the problem's with
1623 * the footer, not the key. */
1624 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1625 mount_point);
1626 mkdir(tmp_mount_point, 0755);
1627 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1628 SLOGE("Error temp mounting decrypted block device\n");
1629 delete_crypto_blk_dev(label);
1630
1631 rc = ++crypt_ftr->failed_decrypt_count;
1632 put_crypt_ftr_and_key(crypt_ftr);
1633 } else {
1634 /* Success! */
1635 SLOGI("Password did not match but decrypted drive mounted - continue");
1636 umount(tmp_mount_point);
1637 rc = 0;
1638 }
1639 }
1640
1641 if (rc == 0) {
1642 crypt_ftr->failed_decrypt_count = 0;
1643 if (orig_failed_decrypt_count != 0) {
1644 put_crypt_ftr_and_key(crypt_ftr);
1645 }
1646
1647 /* Save the name of the crypto block device
1648 * so we can mount it when restarting the framework. */
1649 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1650
1651 /* Also save a the master key so we can reencrypted the key
1652 * the key when we want to change the password on it. */
1653 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1654 saved_mount_point = strdup(mount_point);
1655 master_key_saved = 1;
1656 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1657 rc = 0;
1658
1659 // Upgrade if we're not using the latest KDF.
1660 use_keymaster = keymaster_check_compatibility();
1661 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1662 // Don't allow downgrade
1663 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1664 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1665 upgrade = 1;
1666 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1667 crypt_ftr->kdf_type = KDF_SCRYPT;
1668 upgrade = 1;
1669 }
1670
1671 if (upgrade) {
1672 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1673 crypt_ftr->master_key, crypt_ftr);
1674 if (!rc) {
1675 rc = put_crypt_ftr_and_key(crypt_ftr);
1676 }
1677 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1678
1679 // Do not fail even if upgrade failed - machine is bootable
1680 // Note that if this code is ever hit, there is a *serious* problem
1681 // since KDFs should never fail. You *must* fix the kdf before
1682 // proceeding!
1683 if (rc) {
1684 SLOGW("Upgrade failed with error %d,"
1685 " but continuing with previous state",
1686 rc);
1687 rc = 0;
1688 }
1689 }
1690 }
1691
1692 errout:
1693 if (intermediate_key) {
1694 memset(intermediate_key, 0, intermediate_key_size);
1695 free(intermediate_key);
1696 }
1697 return rc;
1698 }
1699
1700 /*
1701 * Called by vold when it's asked to mount an encrypted external
1702 * storage volume. The incoming partition has no crypto header/footer,
1703 * as any metadata is been stored in a separate, small partition.
1704 *
1705 * out_crypto_blkdev must be MAXPATHLEN.
1706 */
cryptfs_setup_ext_volume(const char * label,const char * real_blkdev,const unsigned char * key,int keysize,char * out_crypto_blkdev)1707 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1708 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1709 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1710 if (fd == -1) {
1711 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1712 return -1;
1713 }
1714
1715 unsigned long nr_sec = 0;
1716 get_blkdev_size(fd, &nr_sec);
1717 close(fd);
1718
1719 if (nr_sec == 0) {
1720 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1721 return -1;
1722 }
1723
1724 struct crypt_mnt_ftr ext_crypt_ftr;
1725 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1726 ext_crypt_ftr.fs_size = nr_sec;
1727 ext_crypt_ftr.keysize = keysize;
1728 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1729
1730 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1731 out_crypto_blkdev, label);
1732 }
1733
1734 /*
1735 * Called by vold when it's asked to unmount an encrypted external
1736 * storage volume.
1737 */
cryptfs_revert_ext_volume(const char * label)1738 int cryptfs_revert_ext_volume(const char* label) {
1739 return delete_crypto_blk_dev((char*) label);
1740 }
1741
cryptfs_crypto_complete(void)1742 int cryptfs_crypto_complete(void)
1743 {
1744 return do_crypto_complete("/data");
1745 }
1746
check_unmounted_and_get_ftr(struct crypt_mnt_ftr * crypt_ftr)1747 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1748 {
1749 char encrypted_state[PROPERTY_VALUE_MAX];
1750 property_get("ro.crypto.state", encrypted_state, "");
1751 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1752 SLOGE("encrypted fs already validated or not running with encryption,"
1753 " aborting");
1754 return -1;
1755 }
1756
1757 if (get_crypt_ftr_and_key(crypt_ftr)) {
1758 SLOGE("Error getting crypt footer and key");
1759 return -1;
1760 }
1761
1762 return 0;
1763 }
1764
cryptfs_check_passwd(const char * passwd)1765 int cryptfs_check_passwd(const char *passwd)
1766 {
1767 SLOGI("cryptfs_check_passwd");
1768 if (e4crypt_is_native()) {
1769 SLOGE("cryptfs_check_passwd not valid for file encryption");
1770 return -1;
1771 }
1772
1773 struct crypt_mnt_ftr crypt_ftr;
1774 int rc;
1775
1776 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1777 if (rc) {
1778 SLOGE("Could not get footer");
1779 return rc;
1780 }
1781
1782 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1783 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1784 if (rc) {
1785 SLOGE("Password did not match");
1786 return rc;
1787 }
1788
1789 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1790 // Here we have a default actual password but a real password
1791 // we must test against the scrypted value
1792 // First, we must delete the crypto block device that
1793 // test_mount_encrypted_fs leaves behind as a side effect
1794 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1795 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1796 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1797 if (rc) {
1798 SLOGE("Default password did not match on reboot encryption");
1799 return rc;
1800 }
1801
1802 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1803 put_crypt_ftr_and_key(&crypt_ftr);
1804 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1805 if (rc) {
1806 SLOGE("Could not change password on reboot encryption");
1807 return rc;
1808 }
1809 }
1810
1811 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1812 cryptfs_clear_password();
1813 password = strdup(passwd);
1814 struct timespec now;
1815 clock_gettime(CLOCK_BOOTTIME, &now);
1816 password_expiry_time = now.tv_sec + password_max_age_seconds;
1817 }
1818
1819 return rc;
1820 }
1821
cryptfs_verify_passwd(char * passwd)1822 int cryptfs_verify_passwd(char *passwd)
1823 {
1824 struct crypt_mnt_ftr crypt_ftr;
1825 /* Allocate enough space for a 256 bit key, but we may use less */
1826 unsigned char decrypted_master_key[32];
1827 char encrypted_state[PROPERTY_VALUE_MAX];
1828 int rc;
1829
1830 property_get("ro.crypto.state", encrypted_state, "");
1831 if (strcmp(encrypted_state, "encrypted") ) {
1832 SLOGE("device not encrypted, aborting");
1833 return -2;
1834 }
1835
1836 if (!master_key_saved) {
1837 SLOGE("encrypted fs not yet mounted, aborting");
1838 return -1;
1839 }
1840
1841 if (!saved_mount_point) {
1842 SLOGE("encrypted fs failed to save mount point, aborting");
1843 return -1;
1844 }
1845
1846 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1847 SLOGE("Error getting crypt footer and key\n");
1848 return -1;
1849 }
1850
1851 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1852 /* If the device has no password, then just say the password is valid */
1853 rc = 0;
1854 } else {
1855 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1856 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1857 /* They match, the password is correct */
1858 rc = 0;
1859 } else {
1860 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1861 sleep(1);
1862 rc = 1;
1863 }
1864 }
1865
1866 return rc;
1867 }
1868
1869 /* Initialize a crypt_mnt_ftr structure. The keysize is
1870 * defaulted to 16 bytes, and the filesystem size to 0.
1871 * Presumably, at a minimum, the caller will update the
1872 * filesystem size and crypto_type_name after calling this function.
1873 */
cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr * ftr)1874 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1875 {
1876 off64_t off;
1877
1878 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1879 ftr->magic = CRYPT_MNT_MAGIC;
1880 ftr->major_version = CURRENT_MAJOR_VERSION;
1881 ftr->minor_version = CURRENT_MINOR_VERSION;
1882 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1883 ftr->keysize = KEY_LEN_BYTES;
1884
1885 switch (keymaster_check_compatibility()) {
1886 case 1:
1887 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1888 break;
1889
1890 case 0:
1891 ftr->kdf_type = KDF_SCRYPT;
1892 break;
1893
1894 default:
1895 SLOGE("keymaster_check_compatibility failed");
1896 return -1;
1897 }
1898
1899 get_device_scrypt_params(ftr);
1900
1901 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1902 if (get_crypt_ftr_info(NULL, &off) == 0) {
1903 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1904 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1905 ftr->persist_data_size;
1906 }
1907
1908 return 0;
1909 }
1910
cryptfs_enable_wipe(char * crypto_blkdev,off64_t size,int type)1911 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
1912 {
1913 const char *args[10];
1914 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
1915 int num_args;
1916 int status;
1917 int tmp;
1918 int rc = -1;
1919
1920 if (type == EXT4_FS) {
1921 #ifdef TARGET_USES_MKE2FS
1922 args[0] = "/system/bin/mke2fs";
1923 args[1] = "-M";
1924 args[2] = "/data";
1925 args[3] = "-b";
1926 args[4] = "4096";
1927 args[5] = "-t";
1928 args[6] = "ext4";
1929 args[7] = crypto_blkdev;
1930 snprintf(size_str, sizeof(size_str), "%" PRId64, size / (4096 / 512));
1931 args[8] = size_str;
1932 num_args = 9;
1933 #else
1934 args[0] = "/system/bin/make_ext4fs";
1935 args[1] = "-a";
1936 args[2] = "/data";
1937 args[3] = "-l";
1938 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
1939 args[4] = size_str;
1940 args[5] = crypto_blkdev;
1941 num_args = 6;
1942 #endif
1943 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
1944 args[0], args[1], args[2], args[3], args[4], args[5]);
1945 } else if (type == F2FS_FS) {
1946 args[0] = "/system/bin/mkfs.f2fs";
1947 args[1] = "-t";
1948 args[2] = "-d1";
1949 args[3] = crypto_blkdev;
1950 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
1951 args[4] = size_str;
1952 num_args = 5;
1953 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
1954 args[0], args[1], args[2], args[3], args[4]);
1955 } else {
1956 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
1957 return -1;
1958 }
1959
1960 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
1961
1962 if (tmp != 0) {
1963 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
1964 } else {
1965 if (WIFEXITED(status)) {
1966 if (WEXITSTATUS(status)) {
1967 SLOGE("Error creating filesystem on %s, exit status %d ",
1968 crypto_blkdev, WEXITSTATUS(status));
1969 } else {
1970 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
1971 rc = 0;
1972 }
1973 } else {
1974 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
1975 }
1976 }
1977
1978 return rc;
1979 }
1980
1981 #define CRYPT_INPLACE_BUFSIZE 4096
1982 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
1983 #define CRYPT_SECTOR_SIZE 512
1984
1985 /* aligned 32K writes tends to make flash happy.
1986 * SD card association recommends it.
1987 */
1988 #define BLOCKS_AT_A_TIME 8
1989
1990 struct encryptGroupsData
1991 {
1992 int realfd;
1993 int cryptofd;
1994 off64_t numblocks;
1995 off64_t one_pct, cur_pct, new_pct;
1996 off64_t blocks_already_done, tot_numblocks;
1997 off64_t used_blocks_already_done, tot_used_blocks;
1998 char* real_blkdev, * crypto_blkdev;
1999 int count;
2000 off64_t offset;
2001 char* buffer;
2002 off64_t last_written_sector;
2003 int completed;
2004 time_t time_started;
2005 int remaining_time;
2006 };
2007
update_progress(struct encryptGroupsData * data,int is_used)2008 static void update_progress(struct encryptGroupsData* data, int is_used)
2009 {
2010 data->blocks_already_done++;
2011
2012 if (is_used) {
2013 data->used_blocks_already_done++;
2014 }
2015 if (data->tot_used_blocks) {
2016 data->new_pct = data->used_blocks_already_done / data->one_pct;
2017 } else {
2018 data->new_pct = data->blocks_already_done / data->one_pct;
2019 }
2020
2021 if (data->new_pct > data->cur_pct) {
2022 char buf[8];
2023 data->cur_pct = data->new_pct;
2024 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2025 property_set("vold.encrypt_progress", buf);
2026 }
2027
2028 if (data->cur_pct >= 5) {
2029 struct timespec time_now;
2030 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2031 SLOGW("Error getting time");
2032 } else {
2033 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2034 off64_t remaining_blocks = data->tot_used_blocks
2035 - data->used_blocks_already_done;
2036 int remaining_time = (int)(elapsed_time * remaining_blocks
2037 / data->used_blocks_already_done);
2038
2039 // Change time only if not yet set, lower, or a lot higher for
2040 // best user experience
2041 if (data->remaining_time == -1
2042 || remaining_time < data->remaining_time
2043 || remaining_time > data->remaining_time + 60) {
2044 char buf[8];
2045 snprintf(buf, sizeof(buf), "%d", remaining_time);
2046 property_set("vold.encrypt_time_remaining", buf);
2047 data->remaining_time = remaining_time;
2048 }
2049 }
2050 }
2051 }
2052
log_progress(struct encryptGroupsData const * data,bool completed)2053 static void log_progress(struct encryptGroupsData const* data, bool completed)
2054 {
2055 // Precondition - if completed data = 0 else data != 0
2056
2057 // Track progress so we can skip logging blocks
2058 static off64_t offset = -1;
2059
2060 // Need to close existing 'Encrypting from' log?
2061 if (completed || (offset != -1 && data->offset != offset)) {
2062 SLOGI("Encrypted to sector %" PRId64,
2063 offset / info.block_size * CRYPT_SECTOR_SIZE);
2064 offset = -1;
2065 }
2066
2067 // Need to start new 'Encrypting from' log?
2068 if (!completed && offset != data->offset) {
2069 SLOGI("Encrypting from sector %" PRId64,
2070 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2071 }
2072
2073 // Update offset
2074 if (!completed) {
2075 offset = data->offset + (off64_t)data->count * info.block_size;
2076 }
2077 }
2078
flush_outstanding_data(struct encryptGroupsData * data)2079 static int flush_outstanding_data(struct encryptGroupsData* data)
2080 {
2081 if (data->count == 0) {
2082 return 0;
2083 }
2084
2085 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2086
2087 if (pread64(data->realfd, data->buffer,
2088 info.block_size * data->count, data->offset)
2089 <= 0) {
2090 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2091 data->real_blkdev);
2092 return -1;
2093 }
2094
2095 if (pwrite64(data->cryptofd, data->buffer,
2096 info.block_size * data->count, data->offset)
2097 <= 0) {
2098 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2099 data->crypto_blkdev);
2100 return -1;
2101 } else {
2102 log_progress(data, false);
2103 }
2104
2105 data->count = 0;
2106 data->last_written_sector = (data->offset + data->count)
2107 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2108 return 0;
2109 }
2110
encrypt_groups(struct encryptGroupsData * data)2111 static int encrypt_groups(struct encryptGroupsData* data)
2112 {
2113 unsigned int i;
2114 u8 *block_bitmap = 0;
2115 unsigned int block;
2116 off64_t ret;
2117 int rc = -1;
2118
2119 data->buffer = (char *)malloc(info.block_size * BLOCKS_AT_A_TIME);
2120 if (!data->buffer) {
2121 SLOGE("Failed to allocate crypto buffer");
2122 goto errout;
2123 }
2124
2125 block_bitmap = (u8 *)malloc(info.block_size);
2126 if (!block_bitmap) {
2127 SLOGE("failed to allocate block bitmap");
2128 goto errout;
2129 }
2130
2131 for (i = 0; i < aux_info.groups; ++i) {
2132 SLOGI("Encrypting group %d", i);
2133
2134 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2135 u32 block_count = std::min(info.blocks_per_group,
2136 (u32)(aux_info.len_blocks - first_block));
2137
2138 off64_t offset = (u64)info.block_size
2139 * aux_info.bg_desc[i].bg_block_bitmap;
2140
2141 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2142 if (ret != (int)info.block_size) {
2143 SLOGE("failed to read all of block group bitmap %d", i);
2144 goto errout;
2145 }
2146
2147 offset = (u64)info.block_size * first_block;
2148
2149 data->count = 0;
2150
2151 for (block = 0; block < block_count; block++) {
2152 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2153 0 : bitmap_get_bit(block_bitmap, block);
2154 update_progress(data, used);
2155 if (used) {
2156 if (data->count == 0) {
2157 data->offset = offset;
2158 }
2159 data->count++;
2160 } else {
2161 if (flush_outstanding_data(data)) {
2162 goto errout;
2163 }
2164 }
2165
2166 offset += info.block_size;
2167
2168 /* Write data if we are aligned or buffer size reached */
2169 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2170 || data->count == BLOCKS_AT_A_TIME) {
2171 if (flush_outstanding_data(data)) {
2172 goto errout;
2173 }
2174 }
2175
2176 if (!is_battery_ok_to_continue()) {
2177 SLOGE("Stopping encryption due to low battery");
2178 rc = 0;
2179 goto errout;
2180 }
2181
2182 }
2183 if (flush_outstanding_data(data)) {
2184 goto errout;
2185 }
2186 }
2187
2188 data->completed = 1;
2189 rc = 0;
2190
2191 errout:
2192 log_progress(0, true);
2193 free(data->buffer);
2194 free(block_bitmap);
2195 return rc;
2196 }
2197
cryptfs_enable_inplace_ext4(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2198 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2199 char *real_blkdev,
2200 off64_t size,
2201 off64_t *size_already_done,
2202 off64_t tot_size,
2203 off64_t previously_encrypted_upto)
2204 {
2205 u32 i;
2206 struct encryptGroupsData data;
2207 int rc; // Can't initialize without causing warning -Wclobbered
2208 struct timespec time_started = {0};
2209 int retries = RETRY_MOUNT_ATTEMPTS;
2210
2211 if (previously_encrypted_upto > *size_already_done) {
2212 SLOGD("Not fast encrypting since resuming part way through");
2213 return -1;
2214 }
2215
2216 memset(&data, 0, sizeof(data));
2217 data.real_blkdev = real_blkdev;
2218 data.crypto_blkdev = crypto_blkdev;
2219
2220 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2221 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2222 real_blkdev, errno, strerror(errno));
2223 rc = -1;
2224 goto errout;
2225 }
2226
2227 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2228 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2229 if (--retries) {
2230 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2231 crypto_blkdev, errno, strerror(errno));
2232 sleep(RETRY_MOUNT_DELAY_SECONDS);
2233 } else {
2234 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2235 crypto_blkdev, errno, strerror(errno));
2236 rc = ENABLE_INPLACE_ERR_DEV;
2237 goto errout;
2238 }
2239 }
2240
2241 if (setjmp(setjmp_env)) {
2242 SLOGE("Reading ext4 extent caused an exception\n");
2243 rc = -1;
2244 goto errout;
2245 }
2246
2247 if (read_ext(data.realfd, 0) != 0) {
2248 SLOGE("Failed to read ext4 extent\n");
2249 rc = -1;
2250 goto errout;
2251 }
2252
2253 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2254 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2255 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2256
2257 SLOGI("Encrypting ext4 filesystem in place...");
2258
2259 data.tot_used_blocks = data.numblocks;
2260 for (i = 0; i < aux_info.groups; ++i) {
2261 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2262 }
2263
2264 data.one_pct = data.tot_used_blocks / 100;
2265 data.cur_pct = 0;
2266
2267 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2268 SLOGW("Error getting time at start");
2269 // Note - continue anyway - we'll run with 0
2270 }
2271 data.time_started = time_started.tv_sec;
2272 data.remaining_time = -1;
2273
2274 rc = encrypt_groups(&data);
2275 if (rc) {
2276 SLOGE("Error encrypting groups");
2277 goto errout;
2278 }
2279
2280 *size_already_done += data.completed ? size : data.last_written_sector;
2281 rc = 0;
2282
2283 errout:
2284 close(data.realfd);
2285 close(data.cryptofd);
2286
2287 return rc;
2288 }
2289
log_progress_f2fs(u64 block,bool completed)2290 static void log_progress_f2fs(u64 block, bool completed)
2291 {
2292 // Precondition - if completed data = 0 else data != 0
2293
2294 // Track progress so we can skip logging blocks
2295 static u64 last_block = (u64)-1;
2296
2297 // Need to close existing 'Encrypting from' log?
2298 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2299 SLOGI("Encrypted to block %" PRId64, last_block);
2300 last_block = -1;
2301 }
2302
2303 // Need to start new 'Encrypting from' log?
2304 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2305 SLOGI("Encrypting from block %" PRId64, block);
2306 }
2307
2308 // Update offset
2309 if (!completed) {
2310 last_block = block;
2311 }
2312 }
2313
encrypt_one_block_f2fs(u64 pos,void * data)2314 static int encrypt_one_block_f2fs(u64 pos, void *data)
2315 {
2316 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2317
2318 priv_dat->blocks_already_done = pos - 1;
2319 update_progress(priv_dat, 1);
2320
2321 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2322
2323 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2324 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2325 return -1;
2326 }
2327
2328 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2329 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2330 return -1;
2331 } else {
2332 log_progress_f2fs(pos, false);
2333 }
2334
2335 return 0;
2336 }
2337
cryptfs_enable_inplace_f2fs(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2338 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2339 char *real_blkdev,
2340 off64_t size,
2341 off64_t *size_already_done,
2342 off64_t tot_size,
2343 off64_t previously_encrypted_upto)
2344 {
2345 struct encryptGroupsData data;
2346 struct f2fs_info *f2fs_info = NULL;
2347 int rc = ENABLE_INPLACE_ERR_OTHER;
2348 if (previously_encrypted_upto > *size_already_done) {
2349 SLOGD("Not fast encrypting since resuming part way through");
2350 return ENABLE_INPLACE_ERR_OTHER;
2351 }
2352 memset(&data, 0, sizeof(data));
2353 data.real_blkdev = real_blkdev;
2354 data.crypto_blkdev = crypto_blkdev;
2355 data.realfd = -1;
2356 data.cryptofd = -1;
2357 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2358 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2359 real_blkdev);
2360 goto errout;
2361 }
2362 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2363 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2364 crypto_blkdev, errno, strerror(errno));
2365 rc = ENABLE_INPLACE_ERR_DEV;
2366 goto errout;
2367 }
2368
2369 f2fs_info = generate_f2fs_info(data.realfd);
2370 if (!f2fs_info)
2371 goto errout;
2372
2373 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2374 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2375 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2376
2377 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2378
2379 data.one_pct = data.tot_used_blocks / 100;
2380 data.cur_pct = 0;
2381 data.time_started = time(NULL);
2382 data.remaining_time = -1;
2383
2384 data.buffer = (char *)malloc(f2fs_info->block_size);
2385 if (!data.buffer) {
2386 SLOGE("Failed to allocate crypto buffer");
2387 goto errout;
2388 }
2389
2390 data.count = 0;
2391
2392 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2393 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2394
2395 if (rc) {
2396 SLOGE("Error in running over f2fs blocks");
2397 rc = ENABLE_INPLACE_ERR_OTHER;
2398 goto errout;
2399 }
2400
2401 *size_already_done += size;
2402 rc = 0;
2403
2404 errout:
2405 if (rc)
2406 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2407
2408 log_progress_f2fs(0, true);
2409 free(f2fs_info);
2410 free(data.buffer);
2411 close(data.realfd);
2412 close(data.cryptofd);
2413
2414 return rc;
2415 }
2416
cryptfs_enable_inplace_full(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2417 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2418 off64_t size, off64_t *size_already_done,
2419 off64_t tot_size,
2420 off64_t previously_encrypted_upto)
2421 {
2422 int realfd, cryptofd;
2423 char *buf[CRYPT_INPLACE_BUFSIZE];
2424 int rc = ENABLE_INPLACE_ERR_OTHER;
2425 off64_t numblocks, i, remainder;
2426 off64_t one_pct, cur_pct, new_pct;
2427 off64_t blocks_already_done, tot_numblocks;
2428
2429 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2430 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2431 return ENABLE_INPLACE_ERR_OTHER;
2432 }
2433
2434 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2435 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2436 crypto_blkdev, errno, strerror(errno));
2437 close(realfd);
2438 return ENABLE_INPLACE_ERR_DEV;
2439 }
2440
2441 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2442 * The size passed in is the number of 512 byte sectors in the filesystem.
2443 * So compute the number of whole 4K blocks we should read/write,
2444 * and the remainder.
2445 */
2446 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2447 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2448 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2449 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2450
2451 SLOGE("Encrypting filesystem in place...");
2452
2453 i = previously_encrypted_upto + 1 - *size_already_done;
2454
2455 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2456 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2457 goto errout;
2458 }
2459
2460 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2461 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2462 goto errout;
2463 }
2464
2465 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2466 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2467 SLOGE("Error reading initial sectors from real_blkdev %s for "
2468 "inplace encrypt\n", crypto_blkdev);
2469 goto errout;
2470 }
2471 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2472 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2473 "inplace encrypt\n", crypto_blkdev);
2474 goto errout;
2475 } else {
2476 SLOGI("Encrypted 1 block at %" PRId64, i);
2477 }
2478 }
2479
2480 one_pct = tot_numblocks / 100;
2481 cur_pct = 0;
2482 /* process the majority of the filesystem in blocks */
2483 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2484 new_pct = (i + blocks_already_done) / one_pct;
2485 if (new_pct > cur_pct) {
2486 char buf[8];
2487
2488 cur_pct = new_pct;
2489 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2490 property_set("vold.encrypt_progress", buf);
2491 }
2492 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2493 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2494 goto errout;
2495 }
2496 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2497 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2498 goto errout;
2499 } else {
2500 SLOGD("Encrypted %d block at %" PRId64,
2501 CRYPT_SECTORS_PER_BUFSIZE,
2502 i * CRYPT_SECTORS_PER_BUFSIZE);
2503 }
2504
2505 if (!is_battery_ok_to_continue()) {
2506 SLOGE("Stopping encryption due to low battery");
2507 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2508 rc = 0;
2509 goto errout;
2510 }
2511 }
2512
2513 /* Do any remaining sectors */
2514 for (i=0; i<remainder; i++) {
2515 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2516 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2517 goto errout;
2518 }
2519 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2520 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2521 goto errout;
2522 } else {
2523 SLOGI("Encrypted 1 block at next location");
2524 }
2525 }
2526
2527 *size_already_done += size;
2528 rc = 0;
2529
2530 errout:
2531 close(realfd);
2532 close(cryptofd);
2533
2534 return rc;
2535 }
2536
2537 /* returns on of the ENABLE_INPLACE_* return codes */
cryptfs_enable_inplace(char * crypto_blkdev,char * real_blkdev,off64_t size,off64_t * size_already_done,off64_t tot_size,off64_t previously_encrypted_upto)2538 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2539 off64_t size, off64_t *size_already_done,
2540 off64_t tot_size,
2541 off64_t previously_encrypted_upto)
2542 {
2543 int rc_ext4, rc_f2fs, rc_full;
2544 if (previously_encrypted_upto) {
2545 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2546 }
2547
2548 if (*size_already_done + size < previously_encrypted_upto) {
2549 *size_already_done += size;
2550 return 0;
2551 }
2552
2553 /* TODO: identify filesystem type.
2554 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2555 * then we will drop down to cryptfs_enable_inplace_f2fs.
2556 * */
2557 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2558 size, size_already_done,
2559 tot_size, previously_encrypted_upto)) == 0) {
2560 return 0;
2561 }
2562 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2563
2564 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2565 size, size_already_done,
2566 tot_size, previously_encrypted_upto)) == 0) {
2567 return 0;
2568 }
2569 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2570
2571 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2572 size, size_already_done, tot_size,
2573 previously_encrypted_upto);
2574 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2575
2576 /* Hack for b/17898962, the following is the symptom... */
2577 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2578 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2579 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2580 return ENABLE_INPLACE_ERR_DEV;
2581 }
2582 return rc_full;
2583 }
2584
2585 #define CRYPTO_ENABLE_WIPE 1
2586 #define CRYPTO_ENABLE_INPLACE 2
2587
2588 #define FRAMEWORK_BOOT_WAIT 60
2589
cryptfs_SHA256_fileblock(const char * filename,__le8 * buf)2590 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2591 {
2592 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2593 if (fd == -1) {
2594 SLOGE("Error opening file %s", filename);
2595 return -1;
2596 }
2597
2598 char block[CRYPT_INPLACE_BUFSIZE];
2599 memset(block, 0, sizeof(block));
2600 if (unix_read(fd, block, sizeof(block)) < 0) {
2601 SLOGE("Error reading file %s", filename);
2602 close(fd);
2603 return -1;
2604 }
2605
2606 close(fd);
2607
2608 SHA256_CTX c;
2609 SHA256_Init(&c);
2610 SHA256_Update(&c, block, sizeof(block));
2611 SHA256_Final(buf, &c);
2612
2613 return 0;
2614 }
2615
get_fs_type(struct fstab_rec * rec)2616 static int get_fs_type(struct fstab_rec *rec)
2617 {
2618 if (!strcmp(rec->fs_type, "ext4")) {
2619 return EXT4_FS;
2620 } else if (!strcmp(rec->fs_type, "f2fs")) {
2621 return F2FS_FS;
2622 } else {
2623 return -1;
2624 }
2625 }
2626
cryptfs_enable_all_volumes(struct crypt_mnt_ftr * crypt_ftr,int how,char * crypto_blkdev,char * real_blkdev,int previously_encrypted_upto)2627 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2628 char *crypto_blkdev, char *real_blkdev,
2629 int previously_encrypted_upto)
2630 {
2631 off64_t cur_encryption_done=0, tot_encryption_size=0;
2632 int rc = -1;
2633
2634 if (!is_battery_ok_to_start()) {
2635 SLOGW("Not starting encryption due to low battery");
2636 return 0;
2637 }
2638
2639 /* The size of the userdata partition, and add in the vold volumes below */
2640 tot_encryption_size = crypt_ftr->fs_size;
2641
2642 if (how == CRYPTO_ENABLE_WIPE) {
2643 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2644 int fs_type = get_fs_type(rec);
2645 if (fs_type < 0) {
2646 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2647 return -1;
2648 }
2649 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2650 } else if (how == CRYPTO_ENABLE_INPLACE) {
2651 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2652 crypt_ftr->fs_size, &cur_encryption_done,
2653 tot_encryption_size,
2654 previously_encrypted_upto);
2655
2656 if (rc == ENABLE_INPLACE_ERR_DEV) {
2657 /* Hack for b/17898962 */
2658 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2659 cryptfs_reboot(reboot);
2660 }
2661
2662 if (!rc) {
2663 crypt_ftr->encrypted_upto = cur_encryption_done;
2664 }
2665
2666 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2667 /* The inplace routine never actually sets the progress to 100% due
2668 * to the round down nature of integer division, so set it here */
2669 property_set("vold.encrypt_progress", "100");
2670 }
2671 } else {
2672 /* Shouldn't happen */
2673 SLOGE("cryptfs_enable: internal error, unknown option\n");
2674 rc = -1;
2675 }
2676
2677 return rc;
2678 }
2679
cryptfs_enable_internal(char * howarg,int crypt_type,const char * passwd,int no_ui)2680 int cryptfs_enable_internal(char *howarg, int crypt_type, const char *passwd,
2681 int no_ui)
2682 {
2683 int how = 0;
2684 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2685 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2686 int rc=-1, i;
2687 struct crypt_mnt_ftr crypt_ftr;
2688 struct crypt_persist_data *pdata;
2689 char encrypted_state[PROPERTY_VALUE_MAX];
2690 char lockid[32] = { 0 };
2691 char key_loc[PROPERTY_VALUE_MAX];
2692 int num_vols;
2693 off64_t previously_encrypted_upto = 0;
2694 bool rebootEncryption = false;
2695 bool onlyCreateHeader = false;
2696 int fd = -1;
2697
2698 if (!strcmp(howarg, "wipe")) {
2699 how = CRYPTO_ENABLE_WIPE;
2700 } else if (! strcmp(howarg, "inplace")) {
2701 how = CRYPTO_ENABLE_INPLACE;
2702 } else {
2703 /* Shouldn't happen, as CommandListener vets the args */
2704 goto error_unencrypted;
2705 }
2706
2707 if (how == CRYPTO_ENABLE_INPLACE
2708 && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2709 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2710 /* An encryption was underway and was interrupted */
2711 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2712 crypt_ftr.encrypted_upto = 0;
2713 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2714
2715 /* At this point, we are in an inconsistent state. Until we successfully
2716 complete encryption, a reboot will leave us broken. So mark the
2717 encryption failed in case that happens.
2718 On successfully completing encryption, remove this flag */
2719 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2720
2721 put_crypt_ftr_and_key(&crypt_ftr);
2722 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2723 if (!check_ftr_sha(&crypt_ftr)) {
2724 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2725 put_crypt_ftr_and_key(&crypt_ftr);
2726 goto error_unencrypted;
2727 }
2728
2729 /* Doing a reboot-encryption*/
2730 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2731 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2732 rebootEncryption = true;
2733 }
2734 }
2735
2736 property_get("ro.crypto.state", encrypted_state, "");
2737 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2738 SLOGE("Device is already running encrypted, aborting");
2739 goto error_unencrypted;
2740 }
2741
2742 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2743 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2744 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2745
2746 /* Get the size of the real block device */
2747 fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2748 if (fd == -1) {
2749 SLOGE("Cannot open block device %s\n", real_blkdev);
2750 goto error_unencrypted;
2751 }
2752 unsigned long nr_sec;
2753 get_blkdev_size(fd, &nr_sec);
2754 if (nr_sec == 0) {
2755 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2756 goto error_unencrypted;
2757 }
2758 close(fd);
2759
2760 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2761 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2762 unsigned int fs_size_sec, max_fs_size_sec;
2763 fs_size_sec = get_fs_size(real_blkdev);
2764 if (fs_size_sec == 0)
2765 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2766
2767 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2768
2769 if (fs_size_sec > max_fs_size_sec) {
2770 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2771 goto error_unencrypted;
2772 }
2773 }
2774
2775 /* Get a wakelock as this may take a while, and we don't want the
2776 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2777 * wants to keep the screen on, it can grab a full wakelock.
2778 */
2779 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2780 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2781
2782 /* The init files are setup to stop the class main and late start when
2783 * vold sets trigger_shutdown_framework.
2784 */
2785 property_set("vold.decrypt", "trigger_shutdown_framework");
2786 SLOGD("Just asked init to shut down class main\n");
2787
2788 /* Ask vold to unmount all devices that it manages */
2789 if (vold_unmountAll()) {
2790 SLOGE("Failed to unmount all vold managed devices");
2791 }
2792
2793 /* no_ui means we are being called from init, not settings.
2794 Now we always reboot from settings, so !no_ui means reboot
2795 */
2796 if (!no_ui) {
2797 /* Try fallback, which is to reboot and try there */
2798 onlyCreateHeader = true;
2799 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2800 if (breadcrumb == 0) {
2801 SLOGE("Failed to create breadcrumb file");
2802 goto error_shutting_down;
2803 }
2804 fclose(breadcrumb);
2805 }
2806
2807 /* Do extra work for a better UX when doing the long inplace encryption */
2808 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
2809 /* Now that /data is unmounted, we need to mount a tmpfs
2810 * /data, set a property saying we're doing inplace encryption,
2811 * and restart the framework.
2812 */
2813 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2814 goto error_shutting_down;
2815 }
2816 /* Tells the framework that inplace encryption is starting */
2817 property_set("vold.encrypt_progress", "0");
2818
2819 /* restart the framework. */
2820 /* Create necessary paths on /data */
2821 if (prep_data_fs()) {
2822 goto error_shutting_down;
2823 }
2824
2825 /* Ugh, shutting down the framework is not synchronous, so until it
2826 * can be fixed, this horrible hack will wait a moment for it all to
2827 * shut down before proceeding. Without it, some devices cannot
2828 * restart the graphics services.
2829 */
2830 sleep(2);
2831 }
2832
2833 /* Start the actual work of making an encrypted filesystem */
2834 /* Initialize a crypt_mnt_ftr for the partition */
2835 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2836 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2837 goto error_shutting_down;
2838 }
2839
2840 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2841 crypt_ftr.fs_size = nr_sec
2842 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2843 } else {
2844 crypt_ftr.fs_size = nr_sec;
2845 }
2846 /* At this point, we are in an inconsistent state. Until we successfully
2847 complete encryption, a reboot will leave us broken. So mark the
2848 encryption failed in case that happens.
2849 On successfully completing encryption, remove this flag */
2850 if (onlyCreateHeader) {
2851 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2852 } else {
2853 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2854 }
2855 crypt_ftr.crypt_type = crypt_type;
2856 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
2857
2858 /* Make an encrypted master key */
2859 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2860 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2861 SLOGE("Cannot create encrypted master key\n");
2862 goto error_shutting_down;
2863 }
2864
2865 /* Replace scrypted intermediate key if we are preparing for a reboot */
2866 if (onlyCreateHeader) {
2867 unsigned char fake_master_key[KEY_LEN_BYTES];
2868 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
2869 memset(fake_master_key, 0, sizeof(fake_master_key));
2870 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
2871 encrypted_fake_master_key, &crypt_ftr);
2872 }
2873
2874 /* Write the key to the end of the partition */
2875 put_crypt_ftr_and_key(&crypt_ftr);
2876
2877 /* If any persistent data has been remembered, save it.
2878 * If none, create a valid empty table and save that.
2879 */
2880 if (!persist_data) {
2881 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
2882 if (pdata) {
2883 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2884 persist_data = pdata;
2885 }
2886 }
2887 if (persist_data) {
2888 save_persistent_data();
2889 }
2890 }
2891
2892 if (onlyCreateHeader) {
2893 sleep(2);
2894 cryptfs_reboot(reboot);
2895 }
2896
2897 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
2898 /* startup service classes main and late_start */
2899 property_set("vold.decrypt", "trigger_restart_min_framework");
2900 SLOGD("Just triggered restart_min_framework\n");
2901
2902 /* OK, the framework is restarted and will soon be showing a
2903 * progress bar. Time to setup an encrypted mapping, and
2904 * either write a new filesystem, or encrypt in place updating
2905 * the progress bar as we work.
2906 */
2907 }
2908
2909 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2910 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2911 CRYPTO_BLOCK_DEVICE);
2912
2913 /* If we are continuing, check checksums match */
2914 rc = 0;
2915 if (previously_encrypted_upto) {
2916 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2917 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2918
2919 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2920 sizeof(hash_first_block)) != 0) {
2921 SLOGE("Checksums do not match - trigger wipe");
2922 rc = -1;
2923 }
2924 }
2925
2926 if (!rc) {
2927 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
2928 crypto_blkdev, real_blkdev,
2929 previously_encrypted_upto);
2930 }
2931
2932 /* Calculate checksum if we are not finished */
2933 if (!rc && how == CRYPTO_ENABLE_INPLACE
2934 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2935 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2936 crypt_ftr.hash_first_block);
2937 if (rc) {
2938 SLOGE("Error calculating checksum for continuing encryption");
2939 rc = -1;
2940 }
2941 }
2942
2943 /* Undo the dm-crypt mapping whether we succeed or not */
2944 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2945
2946 if (! rc) {
2947 /* Success */
2948 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2949
2950 if (how == CRYPTO_ENABLE_INPLACE
2951 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2952 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2953 crypt_ftr.encrypted_upto);
2954 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2955 }
2956
2957 put_crypt_ftr_and_key(&crypt_ftr);
2958
2959 if (how == CRYPTO_ENABLE_WIPE
2960 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2961 char value[PROPERTY_VALUE_MAX];
2962 property_get("ro.crypto.state", value, "");
2963 if (!strcmp(value, "")) {
2964 /* default encryption - continue first boot sequence */
2965 property_set("ro.crypto.state", "encrypted");
2966 property_set("ro.crypto.type", "block");
2967 release_wake_lock(lockid);
2968 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2969 // Bring up cryptkeeper that will check the password and set it
2970 property_set("vold.decrypt", "trigger_shutdown_framework");
2971 sleep(2);
2972 property_set("vold.encrypt_progress", "");
2973 cryptfs_trigger_restart_min_framework();
2974 } else {
2975 cryptfs_check_passwd(DEFAULT_PASSWORD);
2976 cryptfs_restart_internal(1);
2977 }
2978 return 0;
2979 } else {
2980 sleep(2); /* Give the UI a chance to show 100% progress */
2981 cryptfs_reboot(reboot);
2982 }
2983 } else {
2984 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2985 cryptfs_reboot(shutdown);
2986 }
2987 } else {
2988 char value[PROPERTY_VALUE_MAX];
2989
2990 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2991 if (!strcmp(value, "1")) {
2992 /* wipe data if encryption failed */
2993 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2994 std::string err;
2995 const std::vector<std::string> options = {
2996 "--wipe_data\n--reason=cryptfs_enable_internal\n"
2997 };
2998 if (!write_bootloader_message(options, &err)) {
2999 SLOGE("could not write bootloader message: %s", err.c_str());
3000 }
3001 cryptfs_reboot(recovery);
3002 } else {
3003 /* set property to trigger dialog */
3004 property_set("vold.encrypt_progress", "error_partially_encrypted");
3005 release_wake_lock(lockid);
3006 }
3007 return -1;
3008 }
3009
3010 /* hrm, the encrypt step claims success, but the reboot failed.
3011 * This should not happen.
3012 * Set the property and return. Hope the framework can deal with it.
3013 */
3014 property_set("vold.encrypt_progress", "error_reboot_failed");
3015 release_wake_lock(lockid);
3016 return rc;
3017
3018 error_unencrypted:
3019 property_set("vold.encrypt_progress", "error_not_encrypted");
3020 if (lockid[0]) {
3021 release_wake_lock(lockid);
3022 }
3023 return -1;
3024
3025 error_shutting_down:
3026 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3027 * but the framework is stopped and not restarted to show the error, so it's up to
3028 * vold to restart the system.
3029 */
3030 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3031 cryptfs_reboot(reboot);
3032
3033 /* shouldn't get here */
3034 property_set("vold.encrypt_progress", "error_shutting_down");
3035 if (lockid[0]) {
3036 release_wake_lock(lockid);
3037 }
3038 return -1;
3039 }
3040
cryptfs_enable(char * howarg,int type,char * passwd,int no_ui)3041 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3042 {
3043 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3044 }
3045
cryptfs_enable_default(char * howarg,int no_ui)3046 int cryptfs_enable_default(char *howarg, int no_ui)
3047 {
3048 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3049 DEFAULT_PASSWORD, no_ui);
3050 }
3051
cryptfs_changepw(int crypt_type,const char * newpw)3052 int cryptfs_changepw(int crypt_type, const char *newpw)
3053 {
3054 if (e4crypt_is_native()) {
3055 SLOGE("cryptfs_changepw not valid for file encryption");
3056 return -1;
3057 }
3058
3059 struct crypt_mnt_ftr crypt_ftr;
3060 int rc;
3061
3062 /* This is only allowed after we've successfully decrypted the master key */
3063 if (!master_key_saved) {
3064 SLOGE("Key not saved, aborting");
3065 return -1;
3066 }
3067
3068 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3069 SLOGE("Invalid crypt_type %d", crypt_type);
3070 return -1;
3071 }
3072
3073 /* get key */
3074 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3075 SLOGE("Error getting crypt footer and key");
3076 return -1;
3077 }
3078
3079 crypt_ftr.crypt_type = crypt_type;
3080
3081 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3082 : newpw,
3083 crypt_ftr.salt,
3084 saved_master_key,
3085 crypt_ftr.master_key,
3086 &crypt_ftr);
3087 if (rc) {
3088 SLOGE("Encrypt master key failed: %d", rc);
3089 return -1;
3090 }
3091 /* save the key */
3092 put_crypt_ftr_and_key(&crypt_ftr);
3093
3094 return 0;
3095 }
3096
persist_get_max_entries(int encrypted)3097 static unsigned int persist_get_max_entries(int encrypted) {
3098 struct crypt_mnt_ftr crypt_ftr;
3099 unsigned int dsize;
3100 unsigned int max_persistent_entries;
3101
3102 /* If encrypted, use the values from the crypt_ftr, otherwise
3103 * use the values for the current spec.
3104 */
3105 if (encrypted) {
3106 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3107 return -1;
3108 }
3109 dsize = crypt_ftr.persist_data_size;
3110 } else {
3111 dsize = CRYPT_PERSIST_DATA_SIZE;
3112 }
3113
3114 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3115 sizeof(struct crypt_persist_entry);
3116
3117 return max_persistent_entries;
3118 }
3119
persist_get_key(const char * fieldname,char * value)3120 static int persist_get_key(const char *fieldname, char *value)
3121 {
3122 unsigned int i;
3123
3124 if (persist_data == NULL) {
3125 return -1;
3126 }
3127 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3128 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3129 /* We found it! */
3130 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3131 return 0;
3132 }
3133 }
3134
3135 return -1;
3136 }
3137
persist_set_key(const char * fieldname,const char * value,int encrypted)3138 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3139 {
3140 unsigned int i;
3141 unsigned int num;
3142 unsigned int max_persistent_entries;
3143
3144 if (persist_data == NULL) {
3145 return -1;
3146 }
3147
3148 max_persistent_entries = persist_get_max_entries(encrypted);
3149
3150 num = persist_data->persist_valid_entries;
3151
3152 for (i = 0; i < num; i++) {
3153 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3154 /* We found an existing entry, update it! */
3155 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3156 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3157 return 0;
3158 }
3159 }
3160
3161 /* We didn't find it, add it to the end, if there is room */
3162 if (persist_data->persist_valid_entries < max_persistent_entries) {
3163 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3164 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3165 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3166 persist_data->persist_valid_entries++;
3167 return 0;
3168 }
3169
3170 return -1;
3171 }
3172
3173 /**
3174 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3175 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3176 */
match_multi_entry(const char * key,const char * field,unsigned index)3177 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3178 unsigned int field_len;
3179 unsigned int key_index;
3180 field_len = strlen(field);
3181
3182 if (index == 0) {
3183 // The first key in a multi-entry field is just the filedname itself.
3184 if (!strcmp(key, field)) {
3185 return 1;
3186 }
3187 }
3188 // Match key against "%s_%d" % (field, index)
3189 if (strlen(key) < field_len + 1 + 1) {
3190 // Need at least a '_' and a digit.
3191 return 0;
3192 }
3193 if (strncmp(key, field, field_len)) {
3194 // If the key does not begin with field, it's not a match.
3195 return 0;
3196 }
3197 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3198 return 0;
3199 }
3200 return key_index >= index;
3201 }
3202
3203 /*
3204 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3205 * remaining entries starting from index will be deleted.
3206 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3207 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3208 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3209 *
3210 */
persist_del_keys(const char * fieldname,unsigned index)3211 static int persist_del_keys(const char *fieldname, unsigned index)
3212 {
3213 unsigned int i;
3214 unsigned int j;
3215 unsigned int num;
3216
3217 if (persist_data == NULL) {
3218 return PERSIST_DEL_KEY_ERROR_OTHER;
3219 }
3220
3221 num = persist_data->persist_valid_entries;
3222
3223 j = 0; // points to the end of non-deleted entries.
3224 // Filter out to-be-deleted entries in place.
3225 for (i = 0; i < num; i++) {
3226 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3227 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3228 j++;
3229 }
3230 }
3231
3232 if (j < num) {
3233 persist_data->persist_valid_entries = j;
3234 // Zeroise the remaining entries
3235 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3236 return PERSIST_DEL_KEY_OK;
3237 } else {
3238 // Did not find an entry matching the given fieldname
3239 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3240 }
3241 }
3242
persist_count_keys(const char * fieldname)3243 static int persist_count_keys(const char *fieldname)
3244 {
3245 unsigned int i;
3246 unsigned int count;
3247
3248 if (persist_data == NULL) {
3249 return -1;
3250 }
3251
3252 count = 0;
3253 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3254 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3255 count++;
3256 }
3257 }
3258
3259 return count;
3260 }
3261
3262 /* Return the value of the specified field. */
cryptfs_getfield(const char * fieldname,char * value,int len)3263 int cryptfs_getfield(const char *fieldname, char *value, int len)
3264 {
3265 if (e4crypt_is_native()) {
3266 SLOGE("Cannot get field when file encrypted");
3267 return -1;
3268 }
3269
3270 char temp_value[PROPERTY_VALUE_MAX];
3271 /* CRYPTO_GETFIELD_OK is success,
3272 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3273 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3274 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3275 */
3276 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3277 int i;
3278 char temp_field[PROPERTY_KEY_MAX];
3279
3280 if (persist_data == NULL) {
3281 load_persistent_data();
3282 if (persist_data == NULL) {
3283 SLOGE("Getfield error, cannot load persistent data");
3284 goto out;
3285 }
3286 }
3287
3288 // Read value from persistent entries. If the original value is split into multiple entries,
3289 // stitch them back together.
3290 if (!persist_get_key(fieldname, temp_value)) {
3291 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3292 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3293 // value too small
3294 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3295 goto out;
3296 }
3297 rc = CRYPTO_GETFIELD_OK;
3298
3299 for (i = 1; /* break explicitly */; i++) {
3300 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3301 (int) sizeof(temp_field)) {
3302 // If the fieldname is very long, we stop as soon as it begins to overflow the
3303 // maximum field length. At this point we have in fact fully read out the original
3304 // value because cryptfs_setfield would not allow fields with longer names to be
3305 // written in the first place.
3306 break;
3307 }
3308 if (!persist_get_key(temp_field, temp_value)) {
3309 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3310 // value too small.
3311 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3312 goto out;
3313 }
3314 } else {
3315 // Exhaust all entries.
3316 break;
3317 }
3318 }
3319 } else {
3320 /* Sadness, it's not there. Return the error */
3321 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3322 }
3323
3324 out:
3325 return rc;
3326 }
3327
3328 /* Set the value of the specified field. */
cryptfs_setfield(const char * fieldname,const char * value)3329 int cryptfs_setfield(const char *fieldname, const char *value)
3330 {
3331 if (e4crypt_is_native()) {
3332 SLOGE("Cannot set field when file encrypted");
3333 return -1;
3334 }
3335
3336 char encrypted_state[PROPERTY_VALUE_MAX];
3337 /* 0 is success, negative values are error */
3338 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3339 int encrypted = 0;
3340 unsigned int field_id;
3341 char temp_field[PROPERTY_KEY_MAX];
3342 unsigned int num_entries;
3343 unsigned int max_keylen;
3344
3345 if (persist_data == NULL) {
3346 load_persistent_data();
3347 if (persist_data == NULL) {
3348 SLOGE("Setfield error, cannot load persistent data");
3349 goto out;
3350 }
3351 }
3352
3353 property_get("ro.crypto.state", encrypted_state, "");
3354 if (!strcmp(encrypted_state, "encrypted") ) {
3355 encrypted = 1;
3356 }
3357
3358 // Compute the number of entries required to store value, each entry can store up to
3359 // (PROPERTY_VALUE_MAX - 1) chars
3360 if (strlen(value) == 0) {
3361 // Empty value also needs one entry to store.
3362 num_entries = 1;
3363 } else {
3364 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3365 }
3366
3367 max_keylen = strlen(fieldname);
3368 if (num_entries > 1) {
3369 // Need an extra "_%d" suffix.
3370 max_keylen += 1 + log10(num_entries);
3371 }
3372 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3373 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3374 goto out;
3375 }
3376
3377 // Make sure we have enough space to write the new value
3378 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3379 persist_get_max_entries(encrypted)) {
3380 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3381 goto out;
3382 }
3383
3384 // Now that we know persist_data has enough space for value, let's delete the old field first
3385 // to make up space.
3386 persist_del_keys(fieldname, 0);
3387
3388 if (persist_set_key(fieldname, value, encrypted)) {
3389 // fail to set key, should not happen as we have already checked the available space
3390 SLOGE("persist_set_key() error during setfield()");
3391 goto out;
3392 }
3393
3394 for (field_id = 1; field_id < num_entries; field_id++) {
3395 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3396
3397 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3398 // fail to set key, should not happen as we have already checked the available space.
3399 SLOGE("persist_set_key() error during setfield()");
3400 goto out;
3401 }
3402 }
3403
3404 /* If we are running encrypted, save the persistent data now */
3405 if (encrypted) {
3406 if (save_persistent_data()) {
3407 SLOGE("Setfield error, cannot save persistent data");
3408 goto out;
3409 }
3410 }
3411
3412 rc = CRYPTO_SETFIELD_OK;
3413
3414 out:
3415 return rc;
3416 }
3417
3418 /* Checks userdata. Attempt to mount the volume if default-
3419 * encrypted.
3420 * On success trigger next init phase and return 0.
3421 * Currently do not handle failure - see TODO below.
3422 */
cryptfs_mount_default_encrypted(void)3423 int cryptfs_mount_default_encrypted(void)
3424 {
3425 int crypt_type = cryptfs_get_password_type();
3426 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3427 SLOGE("Bad crypt type - error");
3428 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3429 SLOGD("Password is not default - "
3430 "starting min framework to prompt");
3431 property_set("vold.decrypt", "trigger_restart_min_framework");
3432 return 0;
3433 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3434 SLOGD("Password is default - restarting filesystem");
3435 cryptfs_restart_internal(0);
3436 return 0;
3437 } else {
3438 SLOGE("Encrypted, default crypt type but can't decrypt");
3439 }
3440
3441 /** Corrupt. Allow us to boot into framework, which will detect bad
3442 crypto when it calls do_crypto_complete, then do a factory reset
3443 */
3444 property_set("vold.decrypt", "trigger_restart_min_framework");
3445 return 0;
3446 }
3447
3448 /* Returns type of the password, default, pattern, pin or password.
3449 */
cryptfs_get_password_type(void)3450 int cryptfs_get_password_type(void)
3451 {
3452 if (e4crypt_is_native()) {
3453 SLOGE("cryptfs_get_password_type not valid for file encryption");
3454 return -1;
3455 }
3456
3457 struct crypt_mnt_ftr crypt_ftr;
3458
3459 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3460 SLOGE("Error getting crypt footer and key\n");
3461 return -1;
3462 }
3463
3464 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3465 return -1;
3466 }
3467
3468 return crypt_ftr.crypt_type;
3469 }
3470
cryptfs_get_password()3471 const char* cryptfs_get_password()
3472 {
3473 if (e4crypt_is_native()) {
3474 SLOGE("cryptfs_get_password not valid for file encryption");
3475 return 0;
3476 }
3477
3478 struct timespec now;
3479 clock_gettime(CLOCK_BOOTTIME, &now);
3480 if (now.tv_sec < password_expiry_time) {
3481 return password;
3482 } else {
3483 cryptfs_clear_password();
3484 return 0;
3485 }
3486 }
3487
cryptfs_clear_password()3488 void cryptfs_clear_password()
3489 {
3490 if (password) {
3491 size_t len = strlen(password);
3492 memset(password, 0, len);
3493 free(password);
3494 password = 0;
3495 password_expiry_time = 0;
3496 }
3497 }
3498
cryptfs_enable_file()3499 int cryptfs_enable_file()
3500 {
3501 return e4crypt_initialize_global_de();
3502 }
3503
cryptfs_isConvertibleToFBE()3504 int cryptfs_isConvertibleToFBE()
3505 {
3506 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3507 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3508 }
3509
cryptfs_create_default_ftr(struct crypt_mnt_ftr * crypt_ftr,int key_length)3510 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3511 {
3512 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3513 SLOGE("Failed to initialize crypt_ftr");
3514 return -1;
3515 }
3516
3517 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3518 crypt_ftr->salt, crypt_ftr)) {
3519 SLOGE("Cannot create encrypted master key\n");
3520 return -1;
3521 }
3522
3523 //crypt_ftr->keysize = key_length / 8;
3524 return 0;
3525 }
3526
cryptfs_get_master_key(struct crypt_mnt_ftr * ftr,const char * password,unsigned char * master_key)3527 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3528 unsigned char* master_key)
3529 {
3530 int rc;
3531
3532 unsigned char* intermediate_key = 0;
3533 size_t intermediate_key_size = 0;
3534
3535 if (password == 0 || *password == 0) {
3536 password = DEFAULT_PASSWORD;
3537 }
3538
3539 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3540 &intermediate_key_size);
3541
3542 if (rc) {
3543 SLOGE("Can't calculate intermediate key");
3544 return rc;
3545 }
3546
3547 int N = 1 << ftr->N_factor;
3548 int r = 1 << ftr->r_factor;
3549 int p = 1 << ftr->p_factor;
3550
3551 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3552
3553 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3554 ftr->salt, sizeof(ftr->salt), N, r, p,
3555 scrypted_intermediate_key,
3556 sizeof(scrypted_intermediate_key));
3557
3558 free(intermediate_key);
3559
3560 if (rc) {
3561 SLOGE("Can't scrypt intermediate key");
3562 return rc;
3563 }
3564
3565 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3566 intermediate_key_size);
3567 }
3568
cryptfs_set_password(struct crypt_mnt_ftr * ftr,const char * password,const unsigned char * master_key)3569 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3570 const unsigned char* master_key)
3571 {
3572 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3573 ftr);
3574 }
3575
cryptfs_get_file_encryption_modes(const char ** contents_mode_ret,const char ** filenames_mode_ret)3576 void cryptfs_get_file_encryption_modes(const char **contents_mode_ret,
3577 const char **filenames_mode_ret)
3578 {
3579 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3580 fs_mgr_get_file_encryption_modes(rec, contents_mode_ret, filenames_mode_ret);
3581 }
3582