blob: 400a6167e16353c21c5892982b1711c99e7b1d6b [file] [log] [blame]
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
Logan Chiend557d762018-05-02 11:36:45 +080023#define LOG_TAG "Cryptfs"
24
25#include "cryptfs.h"
26
Daniel Rosenberg65f99c92018-08-28 01:58:49 -070027#include "Checkpoint.h"
Logan Chiend557d762018-05-02 11:36:45 +080028#include "EncryptInplace.h"
Eric Biggersa701c452018-10-23 13:06:55 -070029#include "FsCrypt.h"
Logan Chiend557d762018-05-02 11:36:45 +080030#include "Keymaster.h"
31#include "Process.h"
32#include "ScryptParameters.h"
Paul Crowleycfe39722018-10-30 15:59:24 -070033#include "Utils.h"
Logan Chiend557d762018-05-02 11:36:45 +080034#include "VoldUtil.h"
35#include "VolumeManager.h"
Logan Chiend557d762018-05-02 11:36:45 +080036
Eric Biggersed45ec32019-01-25 10:47:55 -080037#include <android-base/parseint.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080038#include <android-base/properties.h>
Greg Kaiserab1e84a2018-12-11 12:40:51 -080039#include <android-base/stringprintf.h>
Logan Chiend557d762018-05-02 11:36:45 +080040#include <bootloader_message/bootloader_message.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080041#include <cutils/android_reboot.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080042#include <cutils/properties.h>
Tao Bao5a95ddb2016-10-05 18:01:19 -070043#include <ext4_utils/ext4_utils.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080044#include <f2fs_sparseblock.h>
Ken Sumralle5032c42012-04-01 23:58:44 -070045#include <fs_mgr.h>
Eric Biggersa701c452018-10-23 13:06:55 -070046#include <fscrypt/fscrypt.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080047#include <hardware_legacy/power.h>
Logan Chien188b0ab2018-04-23 13:37:39 +080048#include <log/log.h>
Logan Chiend557d762018-05-02 11:36:45 +080049#include <logwrap/logwrap.h>
50#include <openssl/evp.h>
51#include <openssl/sha.h>
Jeff Vander Stoepdf725752016-01-29 15:34:43 -080052#include <selinux/selinux.h>
Logan Chiend557d762018-05-02 11:36:45 +080053
54#include <ctype.h>
55#include <errno.h>
56#include <fcntl.h>
57#include <inttypes.h>
58#include <libgen.h>
59#include <linux/dm-ioctl.h>
60#include <linux/kdev_t.h>
61#include <math.h>
62#include <stdio.h>
63#include <stdlib.h>
64#include <string.h>
65#include <sys/ioctl.h>
66#include <sys/mount.h>
67#include <sys/param.h>
68#include <sys/stat.h>
69#include <sys/types.h>
70#include <sys/wait.h>
71#include <time.h>
72#include <unistd.h>
73
Wei Wang4375f1b2017-02-24 17:43:01 -080074extern "C" {
75#include <crypto_scrypt.h>
76}
Mark Salyzyn3e971272014-01-21 13:27:04 -080077
Eric Biggersed45ec32019-01-25 10:47:55 -080078using android::base::ParseUint;
Greg Kaiserab1e84a2018-12-11 12:40:51 -080079using android::base::StringPrintf;
Tom Cherry4c5bde22019-01-29 14:34:01 -080080using android::fs_mgr::GetEntryForMountPoint;
Paul Crowleycfe39722018-10-30 15:59:24 -070081using namespace std::chrono_literals;
82
Mark Salyzyn5eecc442014-02-12 14:16:14 -080083#define UNUSED __attribute__((unused))
84
Ken Sumrall8f869aa2010-12-03 03:47:09 -080085#define DM_CRYPT_BUF_SIZE 4096
86
Jason parks70a4b3f2011-01-28 10:10:47 -060087#define HASH_COUNT 2000
Greg Kaiserc0de9c72018-02-14 20:05:54 -080088
89constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
90constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
Paul Crowley14c8c072018-09-18 13:30:21 -070091constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
Greg Kaiserc0de9c72018-02-14 20:05:54 -080092
93// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
Paul Crowley14c8c072018-09-18 13:30:21 -070094static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
Jason parks70a4b3f2011-01-28 10:10:47 -060095
Paul Crowley14c8c072018-09-18 13:30:21 -070096#define KEY_IN_FOOTER "footer"
Ken Sumrall29d8da82011-05-18 17:20:07 -070097
Paul Lawrence3bd36d52015-06-09 13:37:44 -070098#define DEFAULT_PASSWORD "default_password"
Paul Lawrencef4faa572014-01-29 13:31:03 -080099
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800100#define CRYPTO_BLOCK_DEVICE "userdata"
101
102#define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
103
Ken Sumrall29d8da82011-05-18 17:20:07 -0700104#define EXT4_FS 1
JP Abgrall62c7af32014-06-16 13:01:23 -0700105#define F2FS_FS 2
Ken Sumrall29d8da82011-05-18 17:20:07 -0700106
Ken Sumralle919efe2012-09-29 17:07:41 -0700107#define TABLE_LOAD_RETRIES 10
108
Shawn Willden47ba10d2014-09-03 17:07:06 -0600109#define RSA_KEY_SIZE 2048
110#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
111#define RSA_EXPONENT 0x10001
Shawn Willdenda6e8992015-06-03 09:40:45 -0600112#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700113
Paul Lawrence8e3f4512014-09-08 10:11:17 -0700114#define RETRY_MOUNT_ATTEMPTS 10
115#define RETRY_MOUNT_DELAY_SECONDS 1
116
Paul Crowley5afbc622017-11-27 09:42:17 -0800117#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
118
Paul Crowley73473332017-11-21 15:43:51 -0800119static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
120
Greg Kaiser59ad0182018-02-16 13:01:36 -0800121static unsigned char saved_master_key[MAX_KEY_LEN];
Paul Crowley14c8c072018-09-18 13:30:21 -0700122static char* saved_mount_point;
123static int master_key_saved = 0;
124static struct crypt_persist_data* persist_data = NULL;
Ken Sumrall56ad03c2013-02-13 13:00:19 -0800125
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700126/* Should we use keymaster? */
Paul Crowley14c8c072018-09-18 13:30:21 -0700127static int keymaster_check_compatibility() {
Janis Danisevskis015ec302017-01-31 11:31:08 +0000128 return keymaster_compatibility_cryptfs_scrypt();
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700129}
130
131/* Create a new keymaster key and store it in this footer */
Paul Crowley14c8c072018-09-18 13:30:21 -0700132static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800133 if (ftr->keymaster_blob_size) {
134 SLOGI("Already have key");
135 return 0;
136 }
137
Paul Crowley14c8c072018-09-18 13:30:21 -0700138 int rc = keymaster_create_key_for_cryptfs_scrypt(
139 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
140 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
Janis Danisevskis015ec302017-01-31 11:31:08 +0000141 if (rc) {
142 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
Paul Crowley73473332017-11-21 15:43:51 -0800143 SLOGE("Keymaster key blob too large");
Janis Danisevskis015ec302017-01-31 11:31:08 +0000144 ftr->keymaster_blob_size = 0;
145 }
146 SLOGE("Failed to generate keypair");
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700147 return -1;
148 }
Janis Danisevskis015ec302017-01-31 11:31:08 +0000149 return 0;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700150}
151
Shawn Willdene17a9c42014-09-08 13:04:08 -0600152/* This signs the given object using the keymaster key. */
Paul Crowley14c8c072018-09-18 13:30:21 -0700153static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
154 const size_t object_size, unsigned char** signature,
155 size_t* signature_size) {
Shawn Willden47ba10d2014-09-03 17:07:06 -0600156 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
Shawn Willdene17a9c42014-09-08 13:04:08 -0600157 size_t to_sign_size = sizeof(to_sign);
Shawn Willden47ba10d2014-09-03 17:07:06 -0600158 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
Shawn Willden47ba10d2014-09-03 17:07:06 -0600159
Shawn Willdene17a9c42014-09-08 13:04:08 -0600160 // To sign a message with RSA, the message must satisfy two
161 // constraints:
162 //
163 // 1. The message, when interpreted as a big-endian numeric value, must
164 // be strictly less than the public modulus of the RSA key. Note
165 // that because the most significant bit of the public modulus is
166 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
167 // key), an n-bit message with most significant bit 0 always
168 // satisfies this requirement.
169 //
170 // 2. The message must have the same length in bits as the public
171 // modulus of the RSA key. This requirement isn't mathematically
172 // necessary, but is necessary to ensure consistency in
173 // implementations.
174 switch (ftr->kdf_type) {
Shawn Willdene17a9c42014-09-08 13:04:08 -0600175 case KDF_SCRYPT_KEYMASTER:
176 // This ensures the most significant byte of the signed message
177 // is zero. We could have zero-padded to the left instead, but
178 // this approach is slightly more robust against changes in
179 // object size. However, it's still broken (but not unusably
Shawn Willdenda6e8992015-06-03 09:40:45 -0600180 // so) because we really should be using a proper deterministic
181 // RSA padding function, such as PKCS1.
Wei Wang4375f1b2017-02-24 17:43:01 -0800182 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
Shawn Willdene17a9c42014-09-08 13:04:08 -0600183 SLOGI("Signing safely-padded object");
184 break;
185 default:
186 SLOGE("Unknown KDF type %d", ftr->kdf_type);
Janis Danisevskis015ec302017-01-31 11:31:08 +0000187 return -1;
Shawn Willdene17a9c42014-09-08 13:04:08 -0600188 }
Paul Crowley73473332017-11-21 15:43:51 -0800189 for (;;) {
190 auto result = keymaster_sign_object_for_cryptfs_scrypt(
191 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
192 to_sign_size, signature, signature_size);
193 switch (result) {
194 case KeymasterSignResult::ok:
195 return 0;
196 case KeymasterSignResult::upgrade:
197 break;
198 default:
199 return -1;
200 }
201 SLOGD("Upgrading key");
202 if (keymaster_upgrade_key_for_cryptfs_scrypt(
203 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
204 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
205 &ftr->keymaster_blob_size) != 0) {
206 SLOGE("Failed to upgrade key");
207 return -1;
208 }
209 if (put_crypt_ftr_and_key(ftr) != 0) {
210 SLOGE("Failed to write upgraded key to disk");
211 }
212 SLOGD("Key upgraded successfully");
213 }
Shawn Willden47ba10d2014-09-03 17:07:06 -0600214}
215
Paul Lawrence399317e2014-03-10 13:20:50 -0700216/* Store password when userdata is successfully decrypted and mounted.
217 * Cleared by cryptfs_clear_password
218 *
219 * To avoid a double prompt at boot, we need to store the CryptKeeper
220 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
221 * Since the entire framework is torn down and rebuilt after encryption,
222 * we have to use a daemon or similar to store the password. Since vold
223 * is secured against IPC except from system processes, it seems a reasonable
224 * place to store this.
225 *
226 * password should be cleared once it has been used.
227 *
228 * password is aged out after password_max_age_seconds seconds.
Paul Lawrence684dbdf2014-02-07 12:07:22 -0800229 */
Paul Lawrence399317e2014-03-10 13:20:50 -0700230static char* password = 0;
231static int password_expiry_time = 0;
232static const int password_max_age_seconds = 60;
Paul Lawrence684dbdf2014-02-07 12:07:22 -0800233
Paul Crowley14c8c072018-09-18 13:30:21 -0700234enum class RebootType { reboot, recovery, shutdown };
235static void cryptfs_reboot(RebootType rt) {
236 switch (rt) {
237 case RebootType::reboot:
238 property_set(ANDROID_RB_PROPERTY, "reboot");
239 break;
Paul Lawrence87999172014-02-20 12:21:31 -0800240
Paul Crowley14c8c072018-09-18 13:30:21 -0700241 case RebootType::recovery:
242 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
243 break;
Paul Lawrence87999172014-02-20 12:21:31 -0800244
Paul Crowley14c8c072018-09-18 13:30:21 -0700245 case RebootType::shutdown:
246 property_set(ANDROID_RB_PROPERTY, "shutdown");
247 break;
Ken Sumralladfba362013-06-04 16:37:52 -0700248 }
Paul Lawrence87999172014-02-20 12:21:31 -0800249
Ken Sumralladfba362013-06-04 16:37:52 -0700250 sleep(20);
251
252 /* Shouldn't get here, reboot should happen before sleep times out */
253 return;
254}
255
Paul Crowley14c8c072018-09-18 13:30:21 -0700256static void ioctl_init(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800257 memset(io, 0, dataSize);
258 io->data_size = dataSize;
259 io->data_start = sizeof(struct dm_ioctl);
260 io->version[0] = 4;
261 io->version[1] = 0;
262 io->version[2] = 0;
263 io->flags = flags;
264 if (name) {
Marek Pola5e6b9142015-02-05 14:22:34 +0100265 strlcpy(io->name, name, sizeof(io->name));
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800266 }
267}
268
Greg Kaiser38723f22018-02-16 13:35:35 -0800269namespace {
270
271struct CryptoType;
272
273// Use to get the CryptoType in use on this device.
Paul Crowley14c8c072018-09-18 13:30:21 -0700274const CryptoType& get_crypto_type();
Greg Kaiser38723f22018-02-16 13:35:35 -0800275
276struct CryptoType {
277 // We should only be constructing CryptoTypes as part of
278 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
279 // which isn't pure or fully protected as a concession to being able to
280 // do it all at compile time. Add new CryptoTypes in
281 // supported_crypto_types[] below.
282 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
283 constexpr CryptoType set_keysize(uint32_t size) const {
284 return CryptoType(this->property_name, this->crypto_name, size);
285 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700286 constexpr CryptoType set_property_name(const char* property) const {
Greg Kaiser38723f22018-02-16 13:35:35 -0800287 return CryptoType(property, this->crypto_name, this->keysize);
288 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700289 constexpr CryptoType set_crypto_name(const char* crypto) const {
Greg Kaiser38723f22018-02-16 13:35:35 -0800290 return CryptoType(this->property_name, crypto, this->keysize);
291 }
292
Paul Crowley14c8c072018-09-18 13:30:21 -0700293 constexpr const char* get_property_name() const { return property_name; }
294 constexpr const char* get_crypto_name() const { return crypto_name; }
Greg Kaiser38723f22018-02-16 13:35:35 -0800295 constexpr uint32_t get_keysize() const { return keysize; }
296
Paul Crowley14c8c072018-09-18 13:30:21 -0700297 private:
298 const char* property_name;
299 const char* crypto_name;
Greg Kaiser38723f22018-02-16 13:35:35 -0800300 uint32_t keysize;
301
Paul Crowley14c8c072018-09-18 13:30:21 -0700302 constexpr CryptoType(const char* property, const char* crypto, uint32_t ksize)
Greg Kaiser38723f22018-02-16 13:35:35 -0800303 : property_name(property), crypto_name(crypto), keysize(ksize) {}
Paul Crowley14c8c072018-09-18 13:30:21 -0700304 friend const CryptoType& get_crypto_type();
305 static const CryptoType& get_device_crypto_algorithm();
Greg Kaiser38723f22018-02-16 13:35:35 -0800306};
307
308// We only want to parse this read-only property once. But we need to wait
309// until the system is initialized before we can read it. So we use a static
310// scoped within this function to get it only once.
Paul Crowley14c8c072018-09-18 13:30:21 -0700311const CryptoType& get_crypto_type() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800312 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
313 return crypto_type;
314}
315
316constexpr CryptoType default_crypto_type = CryptoType()
Paul Crowley14c8c072018-09-18 13:30:21 -0700317 .set_property_name("AES-128-CBC")
318 .set_crypto_name("aes-cbc-essiv:sha256")
319 .set_keysize(16);
Greg Kaiser38723f22018-02-16 13:35:35 -0800320
321constexpr CryptoType supported_crypto_types[] = {
322 default_crypto_type,
Greg Kaiser8cb4c9f2018-12-03 11:23:19 -0800323 CryptoType()
324 .set_property_name("adiantum")
325 .set_crypto_name("xchacha12,aes-adiantum-plain64")
326 .set_keysize(32),
Greg Kaiser38723f22018-02-16 13:35:35 -0800327 // Add new CryptoTypes here. Order is not important.
328};
329
Greg Kaiser38723f22018-02-16 13:35:35 -0800330// ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
331// We confirm all supported_crypto_types have a small enough keysize and
332// had both set_property_name() and set_crypto_name() called.
333
334template <typename T, size_t N>
Paul Crowley14c8c072018-09-18 13:30:21 -0700335constexpr size_t array_length(T (&)[N]) {
336 return N;
337}
Greg Kaiser38723f22018-02-16 13:35:35 -0800338
339constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
340 return (index >= array_length(supported_crypto_types));
341}
342
Paul Crowley14c8c072018-09-18 13:30:21 -0700343constexpr bool isValidCryptoType(const CryptoType& crypto_type) {
Greg Kaiser38723f22018-02-16 13:35:35 -0800344 return ((crypto_type.get_property_name() != nullptr) &&
345 (crypto_type.get_crypto_name() != nullptr) &&
346 (crypto_type.get_keysize() <= MAX_KEY_LEN));
347}
348
349// Note in C++11 that constexpr functions can only have a single line.
350// So our code is a bit convoluted (using recursion instead of a loop),
351// but it's asserting at compile time that all of our key lengths are valid.
352constexpr bool validateSupportedCryptoTypes(size_t index) {
353 return indexOutOfBoundsForCryptoTypes(index) ||
Paul Crowley14c8c072018-09-18 13:30:21 -0700354 (isValidCryptoType(supported_crypto_types[index]) &&
355 validateSupportedCryptoTypes(index + 1));
Greg Kaiser38723f22018-02-16 13:35:35 -0800356}
357
358static_assert(validateSupportedCryptoTypes(0),
359 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
360 "incompletely constructed.");
361// ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
362
Greg Kaiser38723f22018-02-16 13:35:35 -0800363// Don't call this directly, use get_crypto_type(), which caches this result.
Paul Crowley14c8c072018-09-18 13:30:21 -0700364const CryptoType& CryptoType::get_device_crypto_algorithm() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800365 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
366 char paramstr[PROPERTY_VALUE_MAX];
367
Paul Crowley14c8c072018-09-18 13:30:21 -0700368 property_get(CRYPT_ALGO_PROP, paramstr, default_crypto_type.get_property_name());
369 for (auto const& ctype : supported_crypto_types) {
Greg Kaiser38723f22018-02-16 13:35:35 -0800370 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
371 return ctype;
372 }
373 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700374 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr, CRYPT_ALGO_PROP,
375 default_crypto_type.get_property_name());
Greg Kaiser38723f22018-02-16 13:35:35 -0800376 return default_crypto_type;
377}
378
379} // namespace
380
Kenny Rootc4c70f12013-06-14 12:11:38 -0700381/**
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
384 * given device.
385 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700386static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
Kenny Rootc4c70f12013-06-14 12:11:38 -0700387 char paramstr[PROPERTY_VALUE_MAX];
Paul Crowley63c18d32016-02-10 14:02:47 +0000388 int Nf, rf, pf;
Kenny Rootc4c70f12013-06-14 12:11:38 -0700389
Paul Crowley63c18d32016-02-10 14:02:47 +0000390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
Kenny Rootc4c70f12013-06-14 12:11:38 -0700394 }
Paul Crowley63c18d32016-02-10 14:02:47 +0000395 ftr->N_factor = Nf;
396 ftr->r_factor = rf;
397 ftr->p_factor = pf;
Kenny Rootc4c70f12013-06-14 12:11:38 -0700398}
399
Greg Kaiser57f9af62018-02-16 13:13:58 -0800400uint32_t cryptfs_get_keysize() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800401 return get_crypto_type().get_keysize();
Greg Kaiser57f9af62018-02-16 13:13:58 -0800402}
403
Paul Crowley14c8c072018-09-18 13:30:21 -0700404const char* cryptfs_get_crypto_name() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800405 return get_crypto_type().get_crypto_name();
Greg Kaiser57f9af62018-02-16 13:13:58 -0800406}
407
Tom Cherry4c5bde22019-01-29 14:34:01 -0800408static uint64_t get_fs_size(const char* dev) {
Ken Sumrall3ed82362011-01-28 23:31:16 -0800409 int fd, block_size;
410 struct ext4_super_block sb;
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200411 uint64_t len;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800412
Paul Crowley14c8c072018-09-18 13:30:21 -0700413 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
Ken Sumrall3ed82362011-01-28 23:31:16 -0800414 SLOGE("Cannot open device to get filesystem size ");
415 return 0;
416 }
417
418 if (lseek64(fd, 1024, SEEK_SET) < 0) {
419 SLOGE("Cannot seek to superblock");
420 return 0;
421 }
422
423 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
424 SLOGE("Cannot read superblock");
425 return 0;
426 }
427
428 close(fd);
429
Daniel Rosenberge82df162014-08-15 22:19:23 +0000430 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
431 SLOGE("Not a valid ext4 superblock");
432 return 0;
433 }
Ken Sumrall3ed82362011-01-28 23:31:16 -0800434 block_size = 1024 << sb.s_log_block_size;
435 /* compute length in bytes */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200436 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800437
438 /* return length in sectors */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200439 return len / 512;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800440}
441
Tom Cherry4c5bde22019-01-29 14:34:01 -0800442static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
443 for (const auto& entry : fstab_default) {
444 if (!entry.fs_mgr_flags.vold_managed &&
445 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
446 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
447 if (key_loc != nullptr) {
448 *key_loc = entry.key_loc;
449 }
450 if (real_blk_device != nullptr) {
451 *real_blk_device = entry.blk_device;
452 }
453 return;
454 }
455 }
456}
457
Paul Crowley14c8c072018-09-18 13:30:21 -0700458static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
459 static int cached_data = 0;
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200460 static uint64_t cached_off = 0;
Paul Crowley14c8c072018-09-18 13:30:21 -0700461 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
Paul Crowley14c8c072018-09-18 13:30:21 -0700462 char key_loc[PROPERTY_VALUE_MAX];
463 char real_blkdev[PROPERTY_VALUE_MAX];
464 int rc = -1;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700465
Paul Crowley14c8c072018-09-18 13:30:21 -0700466 if (!cached_data) {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800467 std::string key_loc;
468 std::string real_blkdev;
469 get_crypt_info(&key_loc, &real_blkdev);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700470
Tom Cherry4c5bde22019-01-29 14:34:01 -0800471 if (key_loc == KEY_IN_FOOTER) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200472 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700473 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
474 * encryption info footer and key, and plenty of bytes to spare for future
475 * growth.
476 */
Tom Cherry4c5bde22019-01-29 14:34:01 -0800477 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200478 cached_off -= CRYPT_FOOTER_OFFSET;
Paul Crowley14c8c072018-09-18 13:30:21 -0700479 cached_data = 1;
480 } else {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800481 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
Paul Crowley14c8c072018-09-18 13:30:21 -0700482 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700483 } else {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800484 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
Paul Crowley14c8c072018-09-18 13:30:21 -0700485 cached_off = 0;
486 cached_data = 1;
487 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700488 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700489
Paul Crowley14c8c072018-09-18 13:30:21 -0700490 if (cached_data) {
491 if (metadata_fname) {
492 *metadata_fname = cached_metadata_fname;
493 }
494 if (off) {
495 *off = cached_off;
496 }
497 rc = 0;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700498 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700499
Paul Crowley14c8c072018-09-18 13:30:21 -0700500 return rc;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700501}
502
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800503/* Set sha256 checksum in structure */
Paul Crowley14c8c072018-09-18 13:30:21 -0700504static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800505 SHA256_CTX c;
506 SHA256_Init(&c);
507 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
508 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
509 SHA256_Final(crypt_ftr->sha256, &c);
510}
511
Ken Sumralle8744072011-01-18 22:01:55 -0800512/* key or salt can be NULL, in which case just skip writing that value. Useful to
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800513 * update the failed mount count but not change the key.
514 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700515static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
516 int fd;
517 unsigned int cnt;
518 /* starting_off is set to the SEEK_SET offset
519 * where the crypto structure starts
520 */
521 off64_t starting_off;
522 int rc = -1;
523 char* fname = NULL;
524 struct stat statbuf;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800525
Paul Crowley14c8c072018-09-18 13:30:21 -0700526 set_ftr_sha(crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800527
Paul Crowley14c8c072018-09-18 13:30:21 -0700528 if (get_crypt_ftr_info(&fname, &starting_off)) {
529 SLOGE("Unable to get crypt_ftr_info\n");
530 return -1;
Ken Sumralle8744072011-01-18 22:01:55 -0800531 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700532 if (fname[0] != '/') {
533 SLOGE("Unexpected value for crypto key location\n");
534 return -1;
535 }
536 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
537 SLOGE("Cannot open footer file %s for put\n", fname);
538 return -1;
539 }
Ken Sumralle8744072011-01-18 22:01:55 -0800540
Paul Crowley14c8c072018-09-18 13:30:21 -0700541 /* Seek to the start of the crypt footer */
542 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
543 SLOGE("Cannot seek to real block device footer\n");
544 goto errout;
545 }
546
547 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
548 SLOGE("Cannot write real block device footer\n");
549 goto errout;
550 }
551
552 fstat(fd, &statbuf);
553 /* If the keys are kept on a raw block device, do not try to truncate it. */
554 if (S_ISREG(statbuf.st_mode)) {
555 if (ftruncate(fd, 0x4000)) {
556 SLOGE("Cannot set footer file size\n");
557 goto errout;
558 }
559 }
560
561 /* Success! */
562 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800563
564errout:
Paul Crowley14c8c072018-09-18 13:30:21 -0700565 close(fd);
566 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800567}
568
Paul Crowley14c8c072018-09-18 13:30:21 -0700569static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800570 struct crypt_mnt_ftr copy;
571 memcpy(&copy, crypt_ftr, sizeof(copy));
572 set_ftr_sha(&copy);
573 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
574}
575
Paul Crowley14c8c072018-09-18 13:30:21 -0700576static inline int unix_read(int fd, void* buff, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700577 return TEMP_FAILURE_RETRY(read(fd, buff, len));
578}
579
Paul Crowley14c8c072018-09-18 13:30:21 -0700580static inline int unix_write(int fd, const void* buff, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700581 return TEMP_FAILURE_RETRY(write(fd, buff, len));
582}
583
Paul Crowley14c8c072018-09-18 13:30:21 -0700584static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
588}
589
590/* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
594 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700595static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
Kenny Root7434b312013-06-14 11:29:53 -0700596 int orig_major = crypt_ftr->major_version;
597 int orig_minor = crypt_ftr->minor_version;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700598
Kenny Root7434b312013-06-14 11:29:53 -0700599 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700600 struct crypt_persist_data* pdata;
Kenny Root7434b312013-06-14 11:29:53 -0700601 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700602
Kenny Rootc4c70f12013-06-14 12:11:38 -0700603 SLOGW("upgrading crypto footer to 1.1");
604
Paul Crowley14c8c072018-09-18 13:30:21 -0700605 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
Kenny Root7434b312013-06-14 11:29:53 -0700606 if (pdata == NULL) {
607 SLOGE("Cannot allocate persisent data\n");
608 return;
609 }
610 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
611
612 /* Need to initialize the persistent data area */
613 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
614 SLOGE("Cannot seek to persisent data offset\n");
Henrik Baard91064632015-02-05 15:09:17 +0100615 free(pdata);
Kenny Root7434b312013-06-14 11:29:53 -0700616 return;
617 }
618 /* Write all zeros to the first copy, making it invalid */
619 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
620
621 /* Write a valid but empty structure to the second copy */
622 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
623 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
624
625 /* Update the footer */
626 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
627 crypt_ftr->persist_data_offset[0] = pdata_offset;
628 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
629 crypt_ftr->minor_version = 1;
Henrik Baard91064632015-02-05 15:09:17 +0100630 free(pdata);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700631 }
632
Paul Lawrencef4faa572014-01-29 13:31:03 -0800633 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
Kenny Rootc4c70f12013-06-14 12:11:38 -0700634 SLOGW("upgrading crypto footer to 1.2");
JP Abgrall7bdfa522013-11-15 13:42:56 -0800635 /* But keep the old kdf_type.
636 * It will get updated later to KDF_SCRYPT after the password has been verified.
637 */
Kenny Rootc4c70f12013-06-14 12:11:38 -0700638 crypt_ftr->kdf_type = KDF_PBKDF2;
639 get_device_scrypt_params(crypt_ftr);
640 crypt_ftr->minor_version = 2;
641 }
642
Paul Lawrencef4faa572014-01-29 13:31:03 -0800643 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
644 SLOGW("upgrading crypto footer to 1.3");
645 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
646 crypt_ftr->minor_version = 3;
647 }
648
Kenny Root7434b312013-06-14 11:29:53 -0700649 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
650 if (lseek64(fd, offset, SEEK_SET) == -1) {
651 SLOGE("Cannot seek to crypt footer\n");
652 return;
653 }
654 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
Ken Sumrall160b4d62013-04-22 12:15:39 -0700655 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700656}
657
Paul Crowley14c8c072018-09-18 13:30:21 -0700658static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
659 int fd;
660 unsigned int cnt;
661 off64_t starting_off;
662 int rc = -1;
663 char* fname = NULL;
664 struct stat statbuf;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700665
Paul Crowley14c8c072018-09-18 13:30:21 -0700666 if (get_crypt_ftr_info(&fname, &starting_off)) {
667 SLOGE("Unable to get crypt_ftr_info\n");
668 return -1;
669 }
670 if (fname[0] != '/') {
671 SLOGE("Unexpected value for crypto key location\n");
672 return -1;
673 }
674 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
675 SLOGE("Cannot open footer file %s for get\n", fname);
676 return -1;
677 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800678
Paul Crowley14c8c072018-09-18 13:30:21 -0700679 /* Make sure it's 16 Kbytes in length */
680 fstat(fd, &statbuf);
681 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
682 SLOGE("footer file %s is not the expected size!\n", fname);
683 goto errout;
684 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700685
Paul Crowley14c8c072018-09-18 13:30:21 -0700686 /* Seek to the start of the crypt footer */
687 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
688 SLOGE("Cannot seek to real block device footer\n");
689 goto errout;
690 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700691
Paul Crowley14c8c072018-09-18 13:30:21 -0700692 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
693 SLOGE("Cannot read real block device footer\n");
694 goto errout;
695 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800696
Paul Crowley14c8c072018-09-18 13:30:21 -0700697 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
698 SLOGE("Bad magic for real block device %s\n", fname);
699 goto errout;
700 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800701
Paul Crowley14c8c072018-09-18 13:30:21 -0700702 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
703 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
704 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
705 goto errout;
706 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800707
Paul Crowley14c8c072018-09-18 13:30:21 -0700708 // We risk buffer overflows with oversized keys, so we just reject them.
709 // 0-sized keys are problematic (essentially by-passing encryption), and
710 // AES-CBC key wrapping only works for multiples of 16 bytes.
711 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
712 (crypt_ftr->keysize > MAX_KEY_LEN)) {
713 SLOGE(
714 "Invalid keysize (%u) for block device %s; Must be non-zero, "
715 "divisible by 16, and <= %d\n",
716 crypt_ftr->keysize, fname, MAX_KEY_LEN);
717 goto errout;
718 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800719
Paul Crowley14c8c072018-09-18 13:30:21 -0700720 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
721 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
722 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
723 }
Greg Kaiser59ad0182018-02-16 13:01:36 -0800724
Paul Crowley14c8c072018-09-18 13:30:21 -0700725 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
726 * copy on disk before returning.
727 */
728 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
729 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
730 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800731
Paul Crowley14c8c072018-09-18 13:30:21 -0700732 /* Success! */
733 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800734
735errout:
Paul Crowley14c8c072018-09-18 13:30:21 -0700736 close(fd);
737 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800738}
739
Paul Crowley14c8c072018-09-18 13:30:21 -0700740static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700741 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
742 crypt_ftr->persist_data_offset[1]) {
743 SLOGE("Crypt_ftr persist data regions overlap");
744 return -1;
745 }
746
747 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
748 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
749 return -1;
750 }
751
752 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
Paul Crowley14c8c072018-09-18 13:30:21 -0700753 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
Ken Sumrall160b4d62013-04-22 12:15:39 -0700754 CRYPT_FOOTER_OFFSET) {
755 SLOGE("Persistent data extends past crypto footer");
756 return -1;
757 }
758
759 return 0;
760}
761
Paul Crowley14c8c072018-09-18 13:30:21 -0700762static int load_persistent_data(void) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700763 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -0700764 struct crypt_persist_data* pdata = NULL;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700765 char encrypted_state[PROPERTY_VALUE_MAX];
Paul Crowley14c8c072018-09-18 13:30:21 -0700766 char* fname;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700767 int found = 0;
768 int fd;
769 int ret;
770 int i;
771
772 if (persist_data) {
773 /* Nothing to do, we've already loaded or initialized it */
774 return 0;
775 }
776
Ken Sumrall160b4d62013-04-22 12:15:39 -0700777 /* If not encrypted, just allocate an empty table and initialize it */
778 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -0700779 if (strcmp(encrypted_state, "encrypted")) {
Wei Wang4375f1b2017-02-24 17:43:01 -0800780 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700781 if (pdata) {
782 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
783 persist_data = pdata;
784 return 0;
785 }
786 return -1;
787 }
788
Paul Crowley14c8c072018-09-18 13:30:21 -0700789 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700790 return -1;
791 }
792
Paul Crowley14c8c072018-09-18 13:30:21 -0700793 if ((crypt_ftr.major_version < 1) ||
794 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700795 SLOGE("Crypt_ftr version doesn't support persistent data");
796 return -1;
797 }
798
799 if (get_crypt_ftr_info(&fname, NULL)) {
800 return -1;
801 }
802
803 ret = validate_persistent_data_storage(&crypt_ftr);
804 if (ret) {
805 return -1;
806 }
807
Paul Crowley14c8c072018-09-18 13:30:21 -0700808 fd = open(fname, O_RDONLY | O_CLOEXEC);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700809 if (fd < 0) {
810 SLOGE("Cannot open %s metadata file", fname);
811 return -1;
812 }
813
Wei Wang4375f1b2017-02-24 17:43:01 -0800814 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
Paul Lawrence300dae72016-03-11 11:02:52 -0800815 if (pdata == NULL) {
816 SLOGE("Cannot allocate memory for persistent data");
817 goto err;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700818 }
819
820 for (i = 0; i < 2; i++) {
821 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
822 SLOGE("Cannot seek to read persistent data on %s", fname);
823 goto err2;
824 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700825 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700826 SLOGE("Error reading persistent data on iteration %d", i);
827 goto err2;
828 }
829 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
830 found = 1;
831 break;
832 }
833 }
834
835 if (!found) {
836 SLOGI("Could not find valid persistent data, creating");
837 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
838 }
839
840 /* Success */
841 persist_data = pdata;
842 close(fd);
843 return 0;
844
845err2:
846 free(pdata);
847
848err:
849 close(fd);
850 return -1;
851}
852
Paul Crowley14c8c072018-09-18 13:30:21 -0700853static int save_persistent_data(void) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700854 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -0700855 struct crypt_persist_data* pdata;
856 char* fname;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700857 off64_t write_offset;
858 off64_t erase_offset;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700859 int fd;
860 int ret;
861
862 if (persist_data == NULL) {
863 SLOGE("No persistent data to save");
864 return -1;
865 }
866
Paul Crowley14c8c072018-09-18 13:30:21 -0700867 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700868 return -1;
869 }
870
Paul Crowley14c8c072018-09-18 13:30:21 -0700871 if ((crypt_ftr.major_version < 1) ||
872 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700873 SLOGE("Crypt_ftr version doesn't support persistent data");
874 return -1;
875 }
876
877 ret = validate_persistent_data_storage(&crypt_ftr);
878 if (ret) {
879 return -1;
880 }
881
882 if (get_crypt_ftr_info(&fname, NULL)) {
883 return -1;
884 }
885
Paul Crowley14c8c072018-09-18 13:30:21 -0700886 fd = open(fname, O_RDWR | O_CLOEXEC);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700887 if (fd < 0) {
888 SLOGE("Cannot open %s metadata file", fname);
889 return -1;
890 }
891
Wei Wang4375f1b2017-02-24 17:43:01 -0800892 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700893 if (pdata == NULL) {
894 SLOGE("Cannot allocate persistant data");
895 goto err;
896 }
897
898 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
899 SLOGE("Cannot seek to read persistent data on %s", fname);
900 goto err2;
901 }
902
903 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700904 SLOGE("Error reading persistent data before save");
905 goto err2;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700906 }
907
908 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
909 /* The first copy is the curent valid copy, so write to
910 * the second copy and erase this one */
Paul Crowley14c8c072018-09-18 13:30:21 -0700911 write_offset = crypt_ftr.persist_data_offset[1];
912 erase_offset = crypt_ftr.persist_data_offset[0];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700913 } else {
914 /* The second copy must be the valid copy, so write to
915 * the first copy, and erase the second */
Paul Crowley14c8c072018-09-18 13:30:21 -0700916 write_offset = crypt_ftr.persist_data_offset[0];
917 erase_offset = crypt_ftr.persist_data_offset[1];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700918 }
919
920 /* Write the new copy first, if successful, then erase the old copy */
Björn Landström96dbee72015-01-20 12:43:56 +0100921 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700922 SLOGE("Cannot seek to write persistent data");
923 goto err2;
924 }
925 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
Paul Crowley14c8c072018-09-18 13:30:21 -0700926 (int)crypt_ftr.persist_data_size) {
Björn Landström96dbee72015-01-20 12:43:56 +0100927 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700928 SLOGE("Cannot seek to erase previous persistent data");
929 goto err2;
930 }
931 fsync(fd);
932 memset(pdata, 0, crypt_ftr.persist_data_size);
Paul Crowley14c8c072018-09-18 13:30:21 -0700933 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700934 SLOGE("Cannot write to erase previous persistent data");
935 goto err2;
936 }
937 fsync(fd);
938 } else {
939 SLOGE("Cannot write to save persistent data");
940 goto err2;
941 }
942
943 /* Success */
944 free(pdata);
945 close(fd);
946 return 0;
947
948err2:
949 free(pdata);
950err:
951 close(fd);
952 return -1;
953}
954
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800955/* Convert a binary key of specified length into an ascii hex string equivalent,
956 * without the leading 0x and with null termination
957 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700958static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
959 char* master_key_ascii) {
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700960 unsigned int i, a;
961 unsigned char nibble;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800962
Paul Crowley14c8c072018-09-18 13:30:21 -0700963 for (i = 0, a = 0; i < keysize; i++, a += 2) {
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700964 /* For each byte, write out two ascii hex digits */
965 nibble = (master_key[i] >> 4) & 0xf;
966 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800967
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700968 nibble = master_key[i] & 0xf;
Paul Crowley14c8c072018-09-18 13:30:21 -0700969 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700970 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800971
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700972 /* Add the null termination */
973 master_key_ascii[a] = '\0';
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800974}
975
Paul Crowley14c8c072018-09-18 13:30:21 -0700976static int load_crypto_mapping_table(struct crypt_mnt_ftr* crypt_ftr,
977 const unsigned char* master_key, const char* real_blk_name,
978 const char* name, int fd, const char* extra_params) {
979 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
980 struct dm_ioctl* io;
981 struct dm_target_spec* tgt;
982 char* crypt_params;
983 // We need two ASCII characters to represent each byte, and need space for
984 // the '\0' terminator.
985 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
986 size_t buff_offset;
987 int i;
Ken Sumralldb5e0262013-02-05 17:39:48 -0800988
Paul Crowley14c8c072018-09-18 13:30:21 -0700989 io = (struct dm_ioctl*)buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -0800990
Paul Crowley14c8c072018-09-18 13:30:21 -0700991 /* Load the mapping table for this device */
992 tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
Ken Sumralldb5e0262013-02-05 17:39:48 -0800993
Paul Crowley14c8c072018-09-18 13:30:21 -0700994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
995 io->target_count = 1;
996 tgt->status = 0;
997 tgt->sector_start = 0;
998 tgt->length = crypt_ftr->fs_size;
999 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001000
Paul Crowley14c8c072018-09-18 13:30:21 -07001001 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1002 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
George Burgess IV605d7ae2016-02-29 13:39:17 -08001003
Paul Crowley14c8c072018-09-18 13:30:21 -07001004 buff_offset = crypt_params - buffer;
Eric Biggerse1a7e772019-01-25 12:11:25 -08001005 SLOGI(
1006 "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
1007 name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
1008 extra_params);
Paul Crowley14c8c072018-09-18 13:30:21 -07001009 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1010 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, extra_params);
1011 crypt_params += strlen(crypt_params) + 1;
1012 crypt_params =
1013 (char*)(((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1014 tgt->next = crypt_params - buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001015
Paul Crowley14c8c072018-09-18 13:30:21 -07001016 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1017 if (!ioctl(fd, DM_TABLE_LOAD, io)) {
1018 break;
1019 }
1020 usleep(500000);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001021 }
Ken Sumralldb5e0262013-02-05 17:39:48 -08001022
Paul Crowley14c8c072018-09-18 13:30:21 -07001023 if (i == TABLE_LOAD_RETRIES) {
1024 /* We failed to load the table, return an error */
1025 return -1;
1026 } else {
1027 return i + 1;
1028 }
Ken Sumralldb5e0262013-02-05 17:39:48 -08001029}
1030
Paul Crowley14c8c072018-09-18 13:30:21 -07001031static int get_dm_crypt_version(int fd, const char* name, int* version) {
Ken Sumralldb5e0262013-02-05 17:39:48 -08001032 char buffer[DM_CRYPT_BUF_SIZE];
Paul Crowley14c8c072018-09-18 13:30:21 -07001033 struct dm_ioctl* io;
1034 struct dm_target_versions* v;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001035
Paul Crowley14c8c072018-09-18 13:30:21 -07001036 io = (struct dm_ioctl*)buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001037
1038 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1039
1040 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1041 return -1;
1042 }
1043
1044 /* Iterate over the returned versions, looking for name of "crypt".
1045 * When found, get and return the version.
1046 */
Paul Crowley14c8c072018-09-18 13:30:21 -07001047 v = (struct dm_target_versions*)&buffer[sizeof(struct dm_ioctl)];
Ken Sumralldb5e0262013-02-05 17:39:48 -08001048 while (v->next) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001049 if (!strcmp(v->name, "crypt")) {
Ken Sumralldb5e0262013-02-05 17:39:48 -08001050 /* We found the crypt driver, return the version, and get out */
1051 version[0] = v->version[0];
1052 version[1] = v->version[1];
1053 version[2] = v->version[2];
1054 return 0;
1055 }
Paul Crowley14c8c072018-09-18 13:30:21 -07001056 v = (struct dm_target_versions*)(((char*)v) + v->next);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001057 }
1058
1059 return -1;
1060}
1061
Paul Crowley5afbc622017-11-27 09:42:17 -08001062static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1063 if (extra_params_vec.empty()) return "";
1064 std::string extra_params = std::to_string(extra_params_vec.size());
1065 for (const auto& p : extra_params_vec) {
1066 extra_params.append(" ");
1067 extra_params.append(p);
1068 }
1069 return extra_params;
1070}
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001071
Eric Biggersed45ec32019-01-25 10:47:55 -08001072/*
1073 * If the ro.crypto.fde_sector_size system property is set, append the
1074 * parameters to make dm-crypt use the specified crypto sector size and round
1075 * the crypto device size down to a crypto sector boundary.
1076 */
1077static int add_sector_size_param(std::vector<std::string>* extra_params_vec,
1078 struct crypt_mnt_ftr* ftr) {
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001079 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
Eric Biggersed45ec32019-01-25 10:47:55 -08001080 char value[PROPERTY_VALUE_MAX];
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001081
Eric Biggersed45ec32019-01-25 10:47:55 -08001082 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1083 unsigned int sector_size;
1084
1085 if (!ParseUint(value, &sector_size) || sector_size < 512 || sector_size > 4096 ||
1086 (sector_size & (sector_size - 1)) != 0) {
1087 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1088 DM_CRYPT_SECTOR_SIZE, value);
1089 return -1;
1090 }
1091
1092 std::string param = StringPrintf("sector_size:%u", sector_size);
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001093 extra_params_vec->push_back(std::move(param));
1094
1095 // With this option, IVs will match the sector numbering, instead
1096 // of being hard-coded to being based on 512-byte sectors.
1097 extra_params_vec->emplace_back("iv_large_sectors");
Eric Biggersed45ec32019-01-25 10:47:55 -08001098
1099 // Round the crypto device size down to a crypto sector boundary.
1100 ftr->fs_size &= ~((sector_size / 512) - 1);
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001101 }
Eric Biggersed45ec32019-01-25 10:47:55 -08001102 return 0;
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001103}
1104
Paul Crowley5afbc622017-11-27 09:42:17 -08001105static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1106 const char* real_blk_name, char* crypto_blk_name, const char* name,
1107 uint32_t flags) {
1108 char buffer[DM_CRYPT_BUF_SIZE];
1109 struct dm_ioctl* io;
1110 unsigned int minor;
1111 int fd = 0;
1112 int err;
1113 int retval = -1;
1114 int version[3];
1115 int load_count;
1116 std::vector<std::string> extra_params_vec;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001117
Paul Crowley5afbc622017-11-27 09:42:17 -08001118 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1119 SLOGE("Cannot open device-mapper\n");
1120 goto errout;
1121 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001122
Paul Crowley5afbc622017-11-27 09:42:17 -08001123 io = (struct dm_ioctl*)buffer;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001124
Paul Crowley5afbc622017-11-27 09:42:17 -08001125 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1126 err = ioctl(fd, DM_DEV_CREATE, io);
1127 if (err) {
1128 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1129 goto errout;
1130 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001131
Paul Crowley5afbc622017-11-27 09:42:17 -08001132 /* Get the device status, in particular, the name of it's device file */
1133 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1134 if (ioctl(fd, DM_DEV_STATUS, io)) {
1135 SLOGE("Cannot retrieve dm-crypt device status\n");
1136 goto errout;
1137 }
1138 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1139 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
Ken Sumralle919efe2012-09-29 17:07:41 -07001140
Paul Crowley5afbc622017-11-27 09:42:17 -08001141 if (!get_dm_crypt_version(fd, name, version)) {
1142 /* Support for allow_discards was added in version 1.11.0 */
1143 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1144 extra_params_vec.emplace_back("allow_discards");
1145 }
1146 }
1147 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1148 extra_params_vec.emplace_back("allow_encrypt_override");
1149 }
Eric Biggersed45ec32019-01-25 10:47:55 -08001150 if (add_sector_size_param(&extra_params_vec, crypt_ftr)) {
1151 SLOGE("Error processing dm-crypt sector size param\n");
1152 goto errout;
1153 }
Paul Crowley5afbc622017-11-27 09:42:17 -08001154 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1155 extra_params_as_string(extra_params_vec).c_str());
1156 if (load_count < 0) {
1157 SLOGE("Cannot load dm-crypt mapping table.\n");
1158 goto errout;
1159 } else if (load_count > 1) {
1160 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1161 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001162
Paul Crowley5afbc622017-11-27 09:42:17 -08001163 /* Resume this device to activate it */
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001165
Paul Crowley5afbc622017-11-27 09:42:17 -08001166 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1167 SLOGE("Cannot resume the dm-crypt device\n");
1168 goto errout;
1169 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001170
Paul Crowleycfe39722018-10-30 15:59:24 -07001171 /* Ensure the dm device has been created before returning. */
1172 if (android::vold::WaitForFile(crypto_blk_name, 1s) < 0) {
1173 // WaitForFile generates a suitable log message
1174 goto errout;
1175 }
1176
Paul Crowley5afbc622017-11-27 09:42:17 -08001177 /* We made it here with no errors. Woot! */
1178 retval = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001179
1180errout:
Paul Crowley14c8c072018-09-18 13:30:21 -07001181 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001182
Paul Crowley14c8c072018-09-18 13:30:21 -07001183 return retval;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001184}
1185
Paul Crowley14c8c072018-09-18 13:30:21 -07001186static int delete_crypto_blk_dev(const char* name) {
1187 int fd;
1188 char buffer[DM_CRYPT_BUF_SIZE];
1189 struct dm_ioctl* io;
1190 int retval = -1;
Yue Hu9d6cc182018-12-17 17:09:55 +08001191 int err;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001192
Paul Crowley14c8c072018-09-18 13:30:21 -07001193 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1194 SLOGE("Cannot open device-mapper\n");
1195 goto errout;
1196 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001197
Paul Crowley14c8c072018-09-18 13:30:21 -07001198 io = (struct dm_ioctl*)buffer;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001199
Paul Crowley14c8c072018-09-18 13:30:21 -07001200 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
Yue Hu9d6cc182018-12-17 17:09:55 +08001201 err = ioctl(fd, DM_DEV_REMOVE, io);
1202 if (err) {
1203 SLOGE("Cannot remove dm-crypt device %s: %s\n", name, strerror(errno));
Paul Crowley14c8c072018-09-18 13:30:21 -07001204 goto errout;
1205 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001206
Paul Crowley14c8c072018-09-18 13:30:21 -07001207 /* We made it here with no errors. Woot! */
1208 retval = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001209
1210errout:
Paul Crowley14c8c072018-09-18 13:30:21 -07001211 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001212
Paul Crowley14c8c072018-09-18 13:30:21 -07001213 return retval;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001214}
1215
Paul Crowley14c8c072018-09-18 13:30:21 -07001216static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1217 void* params UNUSED) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001218 SLOGI("Using pbkdf2 for cryptfs KDF");
1219
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001220 /* Turn the password into a key and IV that can decrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001221 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1222 INTERMEDIATE_BUF_SIZE, ikey) != 1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001223}
1224
Paul Crowley14c8c072018-09-18 13:30:21 -07001225static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001226 SLOGI("Using scrypt for cryptfs KDF");
1227
Paul Crowley14c8c072018-09-18 13:30:21 -07001228 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001229
1230 int N = 1 << ftr->N_factor;
1231 int r = 1 << ftr->r_factor;
1232 int p = 1 << ftr->p_factor;
1233
1234 /* Turn the password into a key and IV that can decrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001235 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
Greg Kaiserc0de9c72018-02-14 20:05:54 -08001236 INTERMEDIATE_BUF_SIZE);
Paul Lawrencef4faa572014-01-29 13:31:03 -08001237
Paul Crowley14c8c072018-09-18 13:30:21 -07001238 return 0;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001239}
1240
Paul Crowley14c8c072018-09-18 13:30:21 -07001241static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1242 void* params) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001243 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1244
1245 int rc;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001246 size_t signature_size;
1247 unsigned char* signature;
Paul Crowley14c8c072018-09-18 13:30:21 -07001248 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001249
1250 int N = 1 << ftr->N_factor;
1251 int r = 1 << ftr->r_factor;
1252 int p = 1 << ftr->p_factor;
1253
Paul Crowley14c8c072018-09-18 13:30:21 -07001254 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
Greg Kaiserc0de9c72018-02-14 20:05:54 -08001255 INTERMEDIATE_BUF_SIZE);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001256
1257 if (rc) {
1258 SLOGE("scrypt failed");
1259 return -1;
1260 }
1261
Paul Crowley14c8c072018-09-18 13:30:21 -07001262 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
Shawn Willdene17a9c42014-09-08 13:04:08 -06001263 SLOGE("Signing failed");
1264 return -1;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001265 }
1266
Paul Crowley14c8c072018-09-18 13:30:21 -07001267 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1268 INTERMEDIATE_BUF_SIZE);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001269 free(signature);
1270
1271 if (rc) {
1272 SLOGE("scrypt failed");
1273 return -1;
1274 }
1275
1276 return 0;
1277}
1278
Paul Crowley14c8c072018-09-18 13:30:21 -07001279static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1280 const unsigned char* decrypted_master_key,
1281 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1282 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001283 EVP_CIPHER_CTX e_ctx;
1284 int encrypted_len, final_len;
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001285 int rc = 0;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001286
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001287 /* Turn the password into an intermediate key and IV that can decrypt the master key */
Kenny Rootc4c70f12013-06-14 12:11:38 -07001288 get_device_scrypt_params(crypt_ftr);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001289
1290 switch (crypt_ftr->kdf_type) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001291 case KDF_SCRYPT_KEYMASTER:
1292 if (keymaster_create_key(crypt_ftr)) {
1293 SLOGE("keymaster_create_key failed");
1294 return -1;
1295 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001296
Paul Crowley14c8c072018-09-18 13:30:21 -07001297 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1298 SLOGE("scrypt failed");
1299 return -1;
1300 }
1301 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001302
Paul Crowley14c8c072018-09-18 13:30:21 -07001303 case KDF_SCRYPT:
1304 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1305 SLOGE("scrypt failed");
1306 return -1;
1307 }
1308 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001309
Paul Crowley14c8c072018-09-18 13:30:21 -07001310 default:
1311 SLOGE("Invalid kdf_type");
1312 return -1;
Paul Lawrencef4faa572014-01-29 13:31:03 -08001313 }
Kenny Rootc4c70f12013-06-14 12:11:38 -07001314
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001315 /* Initialize the decryption engine */
Adam Langley889c4f12014-09-03 14:23:13 -07001316 EVP_CIPHER_CTX_init(&e_ctx);
Paul Crowley14c8c072018-09-18 13:30:21 -07001317 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1318 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001319 SLOGE("EVP_EncryptInit failed\n");
1320 return -1;
1321 }
1322 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001323
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001324 /* Encrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001325 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1326 crypt_ftr->keysize)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001327 SLOGE("EVP_EncryptUpdate failed\n");
1328 return -1;
1329 }
Paul Crowley14c8c072018-09-18 13:30:21 -07001330 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001331 SLOGE("EVP_EncryptFinal failed\n");
1332 return -1;
1333 }
1334
Greg Kaiser59ad0182018-02-16 13:01:36 -08001335 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001336 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1337 return -1;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001338 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001339
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001340 /* Store the scrypt of the intermediate key, so we can validate if it's a
1341 password error or mount error when things go wrong.
1342 Note there's no need to check for errors, since if this is incorrect, we
1343 simply won't wipe userdata, which is the correct default behavior
1344 */
1345 int N = 1 << crypt_ftr->N_factor;
1346 int r = 1 << crypt_ftr->r_factor;
1347 int p = 1 << crypt_ftr->p_factor;
1348
Paul Crowley14c8c072018-09-18 13:30:21 -07001349 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1350 N, r, p, crypt_ftr->scrypted_intermediate_key,
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001351 sizeof(crypt_ftr->scrypted_intermediate_key));
1352
1353 if (rc) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001354 SLOGE("encrypt_master_key: crypto_scrypt failed");
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001355 }
1356
Thurston Hou Yeen Dang06dc3112016-07-18 14:16:37 -07001357 EVP_CIPHER_CTX_cleanup(&e_ctx);
1358
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001359 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001360}
1361
Paul Crowley14c8c072018-09-18 13:30:21 -07001362static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1363 const unsigned char* encrypted_master_key, size_t keysize,
1364 unsigned char* decrypted_master_key, kdf_func kdf,
1365 void* kdf_params, unsigned char** intermediate_key,
1366 size_t* intermediate_key_size) {
1367 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1368 EVP_CIPHER_CTX d_ctx;
1369 int decrypted_len, final_len;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001370
Paul Crowley14c8c072018-09-18 13:30:21 -07001371 /* Turn the password into an intermediate key and IV that can decrypt the
1372 master key */
1373 if (kdf(passwd, salt, ikey, kdf_params)) {
1374 SLOGE("kdf failed");
1375 return -1;
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001376 }
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001377
Paul Crowley14c8c072018-09-18 13:30:21 -07001378 /* Initialize the decryption engine */
1379 EVP_CIPHER_CTX_init(&d_ctx);
1380 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1381 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1382 return -1;
1383 }
1384 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1385 /* Decrypt the master key */
1386 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1387 keysize)) {
1388 return -1;
1389 }
1390 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1391 return -1;
1392 }
Thurston Hou Yeen Dang06dc3112016-07-18 14:16:37 -07001393
Paul Crowley14c8c072018-09-18 13:30:21 -07001394 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1395 return -1;
1396 }
1397
1398 /* Copy intermediate key if needed by params */
1399 if (intermediate_key && intermediate_key_size) {
1400 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1401 if (*intermediate_key) {
1402 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1403 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1404 }
1405 }
1406
1407 EVP_CIPHER_CTX_cleanup(&d_ctx);
1408
1409 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001410}
1411
Paul Crowley14c8c072018-09-18 13:30:21 -07001412static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
Paul Lawrencedb3730c2015-02-03 13:08:10 -08001413 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001414 *kdf = scrypt_keymaster;
1415 *kdf_params = ftr;
1416 } else if (ftr->kdf_type == KDF_SCRYPT) {
Kenny Rootc4c70f12013-06-14 12:11:38 -07001417 *kdf = scrypt;
1418 *kdf_params = ftr;
1419 } else {
1420 *kdf = pbkdf2;
1421 *kdf_params = NULL;
1422 }
1423}
1424
Paul Crowley14c8c072018-09-18 13:30:21 -07001425static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1426 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1427 size_t* intermediate_key_size) {
Kenny Rootc4c70f12013-06-14 12:11:38 -07001428 kdf_func kdf;
Paul Crowley14c8c072018-09-18 13:30:21 -07001429 void* kdf_params;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001430 int ret;
1431
1432 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
Paul Crowley14c8c072018-09-18 13:30:21 -07001433 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1434 decrypted_master_key, kdf, kdf_params, intermediate_key,
1435 intermediate_key_size);
Kenny Rootc4c70f12013-06-14 12:11:38 -07001436 if (ret != 0) {
1437 SLOGW("failure decrypting master key");
Kenny Rootc4c70f12013-06-14 12:11:38 -07001438 }
1439
1440 return ret;
1441}
1442
Paul Crowley14c8c072018-09-18 13:30:21 -07001443static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1444 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
Greg Kaiser59ad0182018-02-16 13:01:36 -08001445 unsigned char key_buf[MAX_KEY_LEN];
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001446
Eric Biggers3a2f7db2019-01-16 13:05:34 -08001447 /* Get some random bits for a key and salt */
1448 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1449 return -1;
1450 }
1451 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1452 return -1;
1453 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001454
1455 /* Now encrypt it with the password */
Kenny Rootc4c70f12013-06-14 12:11:38 -07001456 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001457}
1458
Paul Crowley14c8c072018-09-18 13:30:21 -07001459int wait_and_unmount(const char* mountpoint, bool kill) {
Greg Hackmann955653e2014-09-24 14:55:20 -07001460 int i, err, rc;
Ken Sumrall2eaf7132011-01-14 12:45:48 -08001461#define WAIT_UNMOUNT_COUNT 20
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001462
1463 /* Now umount the tmpfs filesystem */
Paul Crowley14c8c072018-09-18 13:30:21 -07001464 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001465 if (umount(mountpoint) == 0) {
1466 break;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001467 }
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001468
1469 if (errno == EINVAL) {
1470 /* EINVAL is returned if the directory is not a mountpoint,
1471 * i.e. there is no filesystem mounted there. So just get out.
1472 */
1473 break;
1474 }
1475
1476 err = errno;
1477
1478 /* If allowed, be increasingly aggressive before the last two retries */
1479 if (kill) {
1480 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1481 SLOGW("sending SIGHUP to processes with open files\n");
Jeff Sharkey3472e522017-10-06 18:02:53 -06001482 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001483 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1484 SLOGW("sending SIGKILL to processes with open files\n");
Jeff Sharkey3472e522017-10-06 18:02:53 -06001485 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001486 }
1487 }
1488
1489 sleep(1);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001490 }
1491
1492 if (i < WAIT_UNMOUNT_COUNT) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001493 SLOGD("unmounting %s succeeded\n", mountpoint);
1494 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001495 } else {
Paul Crowley14c8c072018-09-18 13:30:21 -07001496 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1497 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1498 rc = -1;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001499 }
1500
1501 return rc;
1502}
1503
Paul Crowley14c8c072018-09-18 13:30:21 -07001504static void prep_data_fs(void) {
Jeff Sharkey47695b22016-02-01 17:02:29 -07001505 // NOTE: post_fs_data results in init calling back around to vold, so all
1506 // callers to this method must be async
1507
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001508 /* Do the prep of the /data filesystem */
1509 property_set("vold.post_fs_data_done", "0");
1510 property_set("vold.decrypt", "trigger_post_fs_data");
Wei Wang42e38102017-06-07 10:46:12 -07001511 SLOGD("Just triggered post_fs_data");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001512
Ken Sumrallc5872692013-05-14 15:26:31 -07001513 /* Wait a max of 50 seconds, hopefully it takes much less */
Paul Crowley14c8c072018-09-18 13:30:21 -07001514 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
Wei Wang42e38102017-06-07 10:46:12 -07001515 /* We timed out to prep /data in time. Continue wait. */
1516 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001517 }
Wei Wang42e38102017-06-07 10:46:12 -07001518 SLOGD("post_fs_data done");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001519}
1520
Paul Crowley14c8c072018-09-18 13:30:21 -07001521static void cryptfs_set_corrupt() {
Paul Lawrence74f29f12014-08-28 15:54:10 -07001522 // Mark the footer as bad
1523 struct crypt_mnt_ftr crypt_ftr;
1524 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1525 SLOGE("Failed to get crypto footer - panic");
1526 return;
1527 }
1528
1529 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1530 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1531 SLOGE("Failed to set crypto footer - panic");
1532 return;
1533 }
1534}
1535
Paul Crowley14c8c072018-09-18 13:30:21 -07001536static void cryptfs_trigger_restart_min_framework() {
Paul Lawrence74f29f12014-08-28 15:54:10 -07001537 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001538 SLOGE("Failed to mount tmpfs on data - panic");
1539 return;
Paul Lawrence74f29f12014-08-28 15:54:10 -07001540 }
1541
1542 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1543 SLOGE("Failed to trigger post fs data - panic");
1544 return;
1545 }
1546
1547 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1548 SLOGE("Failed to trigger restart min framework - panic");
1549 return;
1550 }
1551}
1552
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001553/* returns < 0 on failure */
Paul Crowley14c8c072018-09-18 13:30:21 -07001554static int cryptfs_restart_internal(int restart_main) {
Ken Sumrall6864b7e2011-01-14 15:20:02 -08001555 char crypto_blkdev[MAXPATHLEN];
Tim Murray8439dc92014-12-15 11:56:11 -08001556 int rc = -1;
Ken Sumrall0cc16632011-01-18 20:32:26 -08001557 static int restart_successful = 0;
1558
1559 /* Validate that it's OK to call this routine */
Paul Crowley14c8c072018-09-18 13:30:21 -07001560 if (!master_key_saved) {
Ken Sumrall0cc16632011-01-18 20:32:26 -08001561 SLOGE("Encrypted filesystem not validated, aborting");
1562 return -1;
1563 }
1564
1565 if (restart_successful) {
1566 SLOGE("System already restarted with encrypted disk, aborting");
1567 return -1;
1568 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001569
Paul Lawrencef4faa572014-01-29 13:31:03 -08001570 if (restart_main) {
1571 /* Here is where we shut down the framework. The init scripts
1572 * start all services in one of three classes: core, main or late_start.
1573 * On boot, we start core and main. Now, we stop main, but not core,
1574 * as core includes vold and a few other really important things that
1575 * we need to keep running. Once main has stopped, we should be able
1576 * to umount the tmpfs /data, then mount the encrypted /data.
1577 * We then restart the class main, and also the class late_start.
1578 * At the moment, I've only put a few things in late_start that I know
1579 * are not needed to bring up the framework, and that also cause problems
1580 * with unmounting the tmpfs /data, but I hope to add add more services
1581 * to the late_start class as we optimize this to decrease the delay
1582 * till the user is asked for the password to the filesystem.
1583 */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001584
Paul Lawrencef4faa572014-01-29 13:31:03 -08001585 /* The init files are setup to stop the class main when vold.decrypt is
1586 * set to trigger_reset_main.
1587 */
1588 property_set("vold.decrypt", "trigger_reset_main");
1589 SLOGD("Just asked init to shut down class main\n");
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001590
Paul Lawrencef4faa572014-01-29 13:31:03 -08001591 /* Ugh, shutting down the framework is not synchronous, so until it
1592 * can be fixed, this horrible hack will wait a moment for it all to
1593 * shut down before proceeding. Without it, some devices cannot
1594 * restart the graphics services.
1595 */
1596 sleep(2);
1597 }
Ken Sumrall9dedfd42012-10-09 14:16:59 -07001598
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001599 /* Now that the framework is shutdown, we should be able to umount()
1600 * the tmpfs filesystem, and mount the real one.
1601 */
1602
Ken Sumrall6864b7e2011-01-14 15:20:02 -08001603 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1604 if (strlen(crypto_blkdev) == 0) {
1605 SLOGE("fs_crypto_blkdev not set\n");
1606 return -1;
1607 }
1608
Paul Crowley14c8c072018-09-18 13:30:21 -07001609 if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
Doug Zongker6fd57712013-12-17 09:43:23 -08001610 /* If ro.crypto.readonly is set to 1, mount the decrypted
1611 * filesystem readonly. This is used when /data is mounted by
1612 * recovery mode.
1613 */
1614 char ro_prop[PROPERTY_VALUE_MAX];
1615 property_get("ro.crypto.readonly", ro_prop, "");
Jeff Sharkey95440eb2017-09-18 18:19:28 -06001616 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08001617 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1618 if (entry != nullptr) {
1619 entry->flags |= MS_RDONLY;
Luis Hector Chavezbbb512d2018-05-30 15:47:50 -07001620 }
Doug Zongker6fd57712013-12-17 09:43:23 -08001621 }
JP Abgrall62c7af32014-06-16 13:01:23 -07001622
Ken Sumralle5032c42012-04-01 23:58:44 -07001623 /* If that succeeded, then mount the decrypted filesystem */
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001624 int retries = RETRY_MOUNT_ATTEMPTS;
1625 int mount_rc;
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001626
1627 /*
1628 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1629 * partitions in the fsck domain.
1630 */
LongPing Wei7f3ab952019-01-30 16:03:14 +08001631 if (setexeccon(android::vold::sFsckContext)) {
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001632 SLOGE("Failed to setexeccon");
1633 return -1;
1634 }
Daniel Rosenberg65f99c92018-08-28 01:58:49 -07001635 bool needs_cp = android::vold::cp_needsCheckpoint();
Tom Cherry4c5bde22019-01-29 14:34:01 -08001636 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
Daniel Rosenberg65f99c92018-08-28 01:58:49 -07001637 needs_cp)) != 0) {
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001638 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1639 /* TODO: invoke something similar to
1640 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1641 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
Paul Crowley14c8c072018-09-18 13:30:21 -07001642 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001643 if (--retries) {
1644 sleep(RETRY_MOUNT_DELAY_SECONDS);
1645 } else {
1646 /* Let's hope that a reboot clears away whatever is keeping
1647 the mount busy */
Josh Gaofec44372017-08-28 13:22:55 -07001648 cryptfs_reboot(RebootType::reboot);
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001649 }
1650 } else {
1651 SLOGE("Failed to mount decrypted data");
1652 cryptfs_set_corrupt();
1653 cryptfs_trigger_restart_min_framework();
1654 SLOGI("Started framework to offer wipe");
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001655 if (setexeccon(NULL)) {
1656 SLOGE("Failed to setexeccon");
1657 }
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001658 return -1;
1659 }
Paul Lawrence74f29f12014-08-28 15:54:10 -07001660 }
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001661 if (setexeccon(NULL)) {
1662 SLOGE("Failed to setexeccon");
1663 return -1;
1664 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001665
Ken Sumralle5032c42012-04-01 23:58:44 -07001666 /* Create necessary paths on /data */
Wei Wang42e38102017-06-07 10:46:12 -07001667 prep_data_fs();
Seigo Nonakae2ef0c02016-06-20 17:05:40 +09001668 property_set("vold.decrypt", "trigger_load_persist_props");
Ken Sumralle5032c42012-04-01 23:58:44 -07001669
1670 /* startup service classes main and late_start */
1671 property_set("vold.decrypt", "trigger_restart_framework");
1672 SLOGD("Just triggered restart_framework\n");
1673
1674 /* Give it a few moments to get started */
1675 sleep(1);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001676 }
1677
Ken Sumrall0cc16632011-01-18 20:32:26 -08001678 if (rc == 0) {
1679 restart_successful = 1;
1680 }
1681
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001682 return rc;
1683}
1684
Paul Crowley14c8c072018-09-18 13:30:21 -07001685int cryptfs_restart(void) {
Paul Lawrence05335c32015-03-05 09:46:23 -08001686 SLOGI("cryptfs_restart");
Eric Biggersa701c452018-10-23 13:06:55 -07001687 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08001688 SLOGE("cryptfs_restart not valid for file encryption:");
1689 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08001690 }
1691
Paul Lawrencef4faa572014-01-29 13:31:03 -08001692 /* Call internal implementation forcing a restart of main service group */
1693 return cryptfs_restart_internal(1);
1694}
1695
Paul Crowley14c8c072018-09-18 13:30:21 -07001696static int do_crypto_complete(const char* mount_point) {
1697 struct crypt_mnt_ftr crypt_ftr;
1698 char encrypted_state[PROPERTY_VALUE_MAX];
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001699
Paul Crowley14c8c072018-09-18 13:30:21 -07001700 property_get("ro.crypto.state", encrypted_state, "");
1701 if (strcmp(encrypted_state, "encrypted")) {
1702 SLOGE("not running with encryption, aborting");
1703 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
Ken Sumralle1a45852011-12-14 21:24:27 -08001704 }
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001705
Paul Crowley14c8c072018-09-18 13:30:21 -07001706 // crypto_complete is full disk encrypted status
Eric Biggersa701c452018-10-23 13:06:55 -07001707 if (fscrypt_is_native()) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001708 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1709 }
Paul Lawrence74f29f12014-08-28 15:54:10 -07001710
Paul Crowley14c8c072018-09-18 13:30:21 -07001711 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08001712 std::string key_loc;
1713 get_crypt_info(&key_loc, nullptr);
Paul Lawrence74f29f12014-08-28 15:54:10 -07001714
Paul Crowley14c8c072018-09-18 13:30:21 -07001715 /*
1716 * Only report this error if key_loc is a file and it exists.
1717 * If the device was never encrypted, and /data is not mountable for
1718 * some reason, returning 1 should prevent the UI from presenting the
1719 * a "enter password" screen, or worse, a "press button to wipe the
1720 * device" screen.
1721 */
Tom Cherry4c5bde22019-01-29 14:34:01 -08001722 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001723 SLOGE("master key file does not exist, aborting");
1724 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1725 } else {
1726 SLOGE("Error getting crypt footer and key\n");
1727 return CRYPTO_COMPLETE_BAD_METADATA;
1728 }
1729 }
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001730
Paul Crowley14c8c072018-09-18 13:30:21 -07001731 // Test for possible error flags
1732 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1733 SLOGE("Encryption process is partway completed\n");
1734 return CRYPTO_COMPLETE_PARTIAL;
1735 }
1736
1737 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1738 SLOGE("Encryption process was interrupted but cannot continue\n");
1739 return CRYPTO_COMPLETE_INCONSISTENT;
1740 }
1741
1742 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1743 SLOGE("Encryption is successful but data is corrupt\n");
1744 return CRYPTO_COMPLETE_CORRUPT;
1745 }
1746
1747 /* We passed the test! We shall diminish, and return to the west */
1748 return CRYPTO_COMPLETE_ENCRYPTED;
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001749}
1750
Paul Crowley14c8c072018-09-18 13:30:21 -07001751static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1752 const char* mount_point, const char* label) {
1753 unsigned char decrypted_master_key[MAX_KEY_LEN];
1754 char crypto_blkdev[MAXPATHLEN];
Tom Cherry4c5bde22019-01-29 14:34:01 -08001755 std::string real_blkdev;
Paul Crowley14c8c072018-09-18 13:30:21 -07001756 char tmp_mount_point[64];
1757 unsigned int orig_failed_decrypt_count;
1758 int rc;
1759 int use_keymaster = 0;
1760 int upgrade = 0;
1761 unsigned char* intermediate_key = 0;
1762 size_t intermediate_key_size = 0;
1763 int N = 1 << crypt_ftr->N_factor;
1764 int r = 1 << crypt_ftr->r_factor;
1765 int p = 1 << crypt_ftr->p_factor;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001766
Paul Crowley14c8c072018-09-18 13:30:21 -07001767 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1768 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
Ken Sumrall0cc16632011-01-18 20:32:26 -08001769
Paul Crowley14c8c072018-09-18 13:30:21 -07001770 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1771 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1772 &intermediate_key_size)) {
1773 SLOGE("Failed to decrypt master key\n");
1774 rc = -1;
1775 goto errout;
1776 }
JP Abgrall7bdfa522013-11-15 13:42:56 -08001777 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001778
Tom Cherry4c5bde22019-01-29 14:34:01 -08001779 get_crypt_info(nullptr, &real_blkdev);
Paul Lawrencef4faa572014-01-29 13:31:03 -08001780
Paul Crowley14c8c072018-09-18 13:30:21 -07001781 // Create crypto block device - all (non fatal) code paths
1782 // need it
Tom Cherry4c5bde22019-01-29 14:34:01 -08001783 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
1784 label, 0)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001785 SLOGE("Error creating decrypted block device\n");
1786 rc = -1;
1787 goto errout;
1788 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001789
Paul Crowley14c8c072018-09-18 13:30:21 -07001790 /* Work out if the problem is the password or the data */
1791 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001792
Paul Crowley14c8c072018-09-18 13:30:21 -07001793 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1794 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1795 sizeof(scrypted_intermediate_key));
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001796
Paul Crowley14c8c072018-09-18 13:30:21 -07001797 // Does the key match the crypto footer?
1798 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1799 sizeof(scrypted_intermediate_key)) == 0) {
1800 SLOGI("Password matches");
1801 rc = 0;
Paul Lawrence74f29f12014-08-28 15:54:10 -07001802 } else {
Paul Crowley14c8c072018-09-18 13:30:21 -07001803 /* Try mounting the file system anyway, just in case the problem's with
1804 * the footer, not the key. */
1805 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1806 mkdir(tmp_mount_point, 0755);
Tom Cherry4c5bde22019-01-29 14:34:01 -08001807 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001808 SLOGE("Error temp mounting decrypted block device\n");
1809 delete_crypto_blk_dev(label);
Paul Lawrence74f29f12014-08-28 15:54:10 -07001810
Paul Crowley14c8c072018-09-18 13:30:21 -07001811 rc = ++crypt_ftr->failed_decrypt_count;
1812 put_crypt_ftr_and_key(crypt_ftr);
1813 } else {
1814 /* Success! */
1815 SLOGI("Password did not match but decrypted drive mounted - continue");
1816 umount(tmp_mount_point);
1817 rc = 0;
Paul Lawrenceb2f682b2014-09-08 11:28:19 -07001818 }
JP Abgrall7bdfa522013-11-15 13:42:56 -08001819 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001820
Paul Crowley14c8c072018-09-18 13:30:21 -07001821 if (rc == 0) {
1822 crypt_ftr->failed_decrypt_count = 0;
1823 if (orig_failed_decrypt_count != 0) {
1824 put_crypt_ftr_and_key(crypt_ftr);
1825 }
1826
1827 /* Save the name of the crypto block device
1828 * so we can mount it when restarting the framework. */
1829 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1830
1831 /* Also save a the master key so we can reencrypted the key
1832 * the key when we want to change the password on it. */
1833 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1834 saved_mount_point = strdup(mount_point);
1835 master_key_saved = 1;
1836 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1837 rc = 0;
1838
1839 // Upgrade if we're not using the latest KDF.
1840 use_keymaster = keymaster_check_compatibility();
1841 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1842 // Don't allow downgrade
1843 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1844 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1845 upgrade = 1;
1846 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1847 crypt_ftr->kdf_type = KDF_SCRYPT;
1848 upgrade = 1;
1849 }
1850
1851 if (upgrade) {
1852 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1853 crypt_ftr->master_key, crypt_ftr);
1854 if (!rc) {
1855 rc = put_crypt_ftr_and_key(crypt_ftr);
1856 }
1857 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1858
1859 // Do not fail even if upgrade failed - machine is bootable
1860 // Note that if this code is ever hit, there is a *serious* problem
1861 // since KDFs should never fail. You *must* fix the kdf before
1862 // proceeding!
1863 if (rc) {
1864 SLOGW(
1865 "Upgrade failed with error %d,"
1866 " but continuing with previous state",
1867 rc);
1868 rc = 0;
1869 }
1870 }
1871 }
1872
1873errout:
1874 if (intermediate_key) {
1875 memset(intermediate_key, 0, intermediate_key_size);
1876 free(intermediate_key);
1877 }
1878 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001879}
1880
Ken Sumrall29d8da82011-05-18 17:20:07 -07001881/*
Jeff Sharkey9c484982015-03-31 10:35:33 -07001882 * Called by vold when it's asked to mount an encrypted external
1883 * storage volume. The incoming partition has no crypto header/footer,
Greg Kaiser57f9af62018-02-16 13:13:58 -08001884 * as any metadata is been stored in a separate, small partition. We
1885 * assume it must be using our same crypt type and keysize.
Jeff Sharkey9c484982015-03-31 10:35:33 -07001886 *
1887 * out_crypto_blkdev must be MAXPATHLEN.
Ken Sumrall29d8da82011-05-18 17:20:07 -07001888 */
Paul Crowley14c8c072018-09-18 13:30:21 -07001889int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
1890 char* out_crypto_blkdev) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02001891 uint64_t nr_sec = 0;
1892 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
Jeff Sharkey9c484982015-03-31 10:35:33 -07001893 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
Ken Sumrall29d8da82011-05-18 17:20:07 -07001894 return -1;
1895 }
1896
Jeff Sharkey9c484982015-03-31 10:35:33 -07001897 struct crypt_mnt_ftr ext_crypt_ftr;
1898 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1899 ext_crypt_ftr.fs_size = nr_sec;
Greg Kaiser57f9af62018-02-16 13:13:58 -08001900 ext_crypt_ftr.keysize = cryptfs_get_keysize();
Paul Crowley14c8c072018-09-18 13:30:21 -07001901 strlcpy((char*)ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
Jeff Sharkey32ebb732017-03-27 16:18:50 -06001902 MAX_CRYPTO_TYPE_NAME_LEN);
Paul Crowley385cb8c2018-03-29 13:27:23 -07001903 uint32_t flags = 0;
Eric Biggersa701c452018-10-23 13:06:55 -07001904 if (fscrypt_is_native() &&
Paul Crowley385cb8c2018-03-29 13:27:23 -07001905 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1906 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
Ken Sumrall29d8da82011-05-18 17:20:07 -07001907
Paul Crowley385cb8c2018-03-29 13:27:23 -07001908 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
Jeff Sharkey9c484982015-03-31 10:35:33 -07001909}
Ken Sumrall29d8da82011-05-18 17:20:07 -07001910
Jeff Sharkey9c484982015-03-31 10:35:33 -07001911/*
1912 * Called by vold when it's asked to unmount an encrypted external
1913 * storage volume.
1914 */
1915int cryptfs_revert_ext_volume(const char* label) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001916 return delete_crypto_blk_dev((char*)label);
Ken Sumrall29d8da82011-05-18 17:20:07 -07001917}
1918
Paul Crowley14c8c072018-09-18 13:30:21 -07001919int cryptfs_crypto_complete(void) {
1920 return do_crypto_complete("/data");
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001921}
1922
Paul Crowley14c8c072018-09-18 13:30:21 -07001923int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrencef4faa572014-01-29 13:31:03 -08001924 char encrypted_state[PROPERTY_VALUE_MAX];
1925 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07001926 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1927 SLOGE(
1928 "encrypted fs already validated or not running with encryption,"
1929 " aborting");
Paul Lawrencef4faa572014-01-29 13:31:03 -08001930 return -1;
1931 }
1932
1933 if (get_crypt_ftr_and_key(crypt_ftr)) {
1934 SLOGE("Error getting crypt footer and key");
1935 return -1;
1936 }
1937
1938 return 0;
1939}
1940
Paul Crowley14c8c072018-09-18 13:30:21 -07001941int cryptfs_check_passwd(const char* passwd) {
Paul Lawrence05335c32015-03-05 09:46:23 -08001942 SLOGI("cryptfs_check_passwd");
Eric Biggersa701c452018-10-23 13:06:55 -07001943 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08001944 SLOGE("cryptfs_check_passwd not valid for file encryption");
1945 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08001946 }
1947
Paul Lawrencef4faa572014-01-29 13:31:03 -08001948 struct crypt_mnt_ftr crypt_ftr;
1949 int rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001950
Paul Lawrencef4faa572014-01-29 13:31:03 -08001951 rc = check_unmounted_and_get_ftr(&crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001952 if (rc) {
1953 SLOGE("Could not get footer");
Paul Lawrencef4faa572014-01-29 13:31:03 -08001954 return rc;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001955 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001956
Paul Crowley14c8c072018-09-18 13:30:21 -07001957 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001958 if (rc) {
1959 SLOGE("Password did not match");
1960 return rc;
1961 }
Paul Lawrence684dbdf2014-02-07 12:07:22 -08001962
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001963 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1964 // Here we have a default actual password but a real password
1965 // we must test against the scrypted value
1966 // First, we must delete the crypto block device that
1967 // test_mount_encrypted_fs leaves behind as a side effect
1968 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
Paul Crowley14c8c072018-09-18 13:30:21 -07001969 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
1970 CRYPTO_BLOCK_DEVICE);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001971 if (rc) {
1972 SLOGE("Default password did not match on reboot encryption");
1973 return rc;
1974 }
1975
1976 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1977 put_crypt_ftr_and_key(&crypt_ftr);
1978 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1979 if (rc) {
1980 SLOGE("Could not change password on reboot encryption");
1981 return rc;
1982 }
1983 }
1984
1985 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
Paul Lawrence399317e2014-03-10 13:20:50 -07001986 cryptfs_clear_password();
1987 password = strdup(passwd);
1988 struct timespec now;
1989 clock_gettime(CLOCK_BOOTTIME, &now);
1990 password_expiry_time = now.tv_sec + password_max_age_seconds;
Paul Lawrence684dbdf2014-02-07 12:07:22 -08001991 }
1992
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001993 return rc;
1994}
1995
Paul Crowley14c8c072018-09-18 13:30:21 -07001996int cryptfs_verify_passwd(const char* passwd) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07001997 struct crypt_mnt_ftr crypt_ftr;
Greg Kaiser59ad0182018-02-16 13:01:36 -08001998 unsigned char decrypted_master_key[MAX_KEY_LEN];
Ken Sumrall3ad90722011-10-04 20:38:29 -07001999 char encrypted_state[PROPERTY_VALUE_MAX];
2000 int rc;
2001
2002 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07002003 if (strcmp(encrypted_state, "encrypted")) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07002004 SLOGE("device not encrypted, aborting");
2005 return -2;
2006 }
2007
2008 if (!master_key_saved) {
2009 SLOGE("encrypted fs not yet mounted, aborting");
2010 return -1;
2011 }
2012
2013 if (!saved_mount_point) {
2014 SLOGE("encrypted fs failed to save mount point, aborting");
2015 return -1;
2016 }
2017
Ken Sumrall160b4d62013-04-22 12:15:39 -07002018 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07002019 SLOGE("Error getting crypt footer and key\n");
2020 return -1;
2021 }
2022
2023 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2024 /* If the device has no password, then just say the password is valid */
2025 rc = 0;
2026 } else {
Paul Lawrenced0c7b172014-08-08 14:28:10 -07002027 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
Ken Sumrall3ad90722011-10-04 20:38:29 -07002028 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2029 /* They match, the password is correct */
2030 rc = 0;
2031 } else {
2032 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2033 sleep(1);
2034 rc = 1;
2035 }
2036 }
2037
2038 return rc;
2039}
2040
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002041/* Initialize a crypt_mnt_ftr structure. The keysize is
Greg Kaiser57f9af62018-02-16 13:13:58 -08002042 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002043 * Presumably, at a minimum, the caller will update the
2044 * filesystem size and crypto_type_name after calling this function.
2045 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002046static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002047 off64_t off;
2048
2049 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002050 ftr->magic = CRYPT_MNT_MAGIC;
Kenny Rootc96a5f82013-06-14 12:08:28 -07002051 ftr->major_version = CURRENT_MAJOR_VERSION;
2052 ftr->minor_version = CURRENT_MINOR_VERSION;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002053 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
Greg Kaiser57f9af62018-02-16 13:13:58 -08002054 ftr->keysize = cryptfs_get_keysize();
Ken Sumrall160b4d62013-04-22 12:15:39 -07002055
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002056 switch (keymaster_check_compatibility()) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002057 case 1:
2058 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2059 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002060
Paul Crowley14c8c072018-09-18 13:30:21 -07002061 case 0:
2062 ftr->kdf_type = KDF_SCRYPT;
2063 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002064
Paul Crowley14c8c072018-09-18 13:30:21 -07002065 default:
2066 SLOGE("keymaster_check_compatibility failed");
2067 return -1;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002068 }
2069
Kenny Rootc4c70f12013-06-14 12:11:38 -07002070 get_device_scrypt_params(ftr);
2071
Ken Sumrall160b4d62013-04-22 12:15:39 -07002072 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2073 if (get_crypt_ftr_info(NULL, &off) == 0) {
2074 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
Paul Crowley14c8c072018-09-18 13:30:21 -07002075 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002076 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002077
2078 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002079}
2080
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002081#define FRAMEWORK_BOOT_WAIT 60
2082
Paul Crowley14c8c072018-09-18 13:30:21 -07002083static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) {
2084 int fd = open(filename, O_RDONLY | O_CLOEXEC);
Paul Lawrence87999172014-02-20 12:21:31 -08002085 if (fd == -1) {
2086 SLOGE("Error opening file %s", filename);
2087 return -1;
2088 }
2089
2090 char block[CRYPT_INPLACE_BUFSIZE];
2091 memset(block, 0, sizeof(block));
2092 if (unix_read(fd, block, sizeof(block)) < 0) {
2093 SLOGE("Error reading file %s", filename);
2094 close(fd);
2095 return -1;
2096 }
2097
2098 close(fd);
2099
2100 SHA256_CTX c;
2101 SHA256_Init(&c);
2102 SHA256_Update(&c, block, sizeof(block));
2103 SHA256_Final(buf, &c);
2104
2105 return 0;
2106}
2107
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002108static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2109 char* real_blkdev, int previously_encrypted_upto) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002110 off64_t cur_encryption_done = 0, tot_encryption_size = 0;
Tim Murray8439dc92014-12-15 11:56:11 -08002111 int rc = -1;
Paul Lawrence87999172014-02-20 12:21:31 -08002112
Paul Lawrence87999172014-02-20 12:21:31 -08002113 /* The size of the userdata partition, and add in the vold volumes below */
2114 tot_encryption_size = crypt_ftr->fs_size;
2115
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002116 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
Paul Crowley0fd26262018-01-30 09:48:19 -08002117 tot_encryption_size, previously_encrypted_upto, true);
Paul Lawrence87999172014-02-20 12:21:31 -08002118
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002119 if (rc == ENABLE_INPLACE_ERR_DEV) {
2120 /* Hack for b/17898962 */
2121 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2122 cryptfs_reboot(RebootType::reboot);
2123 }
JP Abgrall7fc1de82014-10-10 18:43:41 -07002124
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002125 if (!rc) {
2126 crypt_ftr->encrypted_upto = cur_encryption_done;
2127 }
Paul Lawrence87999172014-02-20 12:21:31 -08002128
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002129 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2130 /* The inplace routine never actually sets the progress to 100% due
2131 * to the round down nature of integer division, so set it here */
2132 property_set("vold.encrypt_progress", "100");
Paul Lawrence87999172014-02-20 12:21:31 -08002133 }
2134
2135 return rc;
2136}
2137
Paul Crowleyb64933a2017-10-31 08:25:55 -07002138static int vold_unmountAll(void) {
2139 VolumeManager* vm = VolumeManager::Instance();
2140 return vm->unmountAll();
2141}
2142
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002143int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002144 char crypto_blkdev[MAXPATHLEN];
2145 std::string real_blkdev;
Greg Kaiser59ad0182018-02-16 13:01:36 -08002146 unsigned char decrypted_master_key[MAX_KEY_LEN];
Paul Crowley14c8c072018-09-18 13:30:21 -07002147 int rc = -1, i;
Paul Lawrence87999172014-02-20 12:21:31 -08002148 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -07002149 struct crypt_persist_data* pdata;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002150 char encrypted_state[PROPERTY_VALUE_MAX];
Paul Crowley14c8c072018-09-18 13:30:21 -07002151 char lockid[32] = {0};
Tom Cherry4c5bde22019-01-29 14:34:01 -08002152 std::string key_loc;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002153 int num_vols;
Paul Lawrence87999172014-02-20 12:21:31 -08002154 off64_t previously_encrypted_upto = 0;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002155 bool rebootEncryption = false;
Wei Wang4375f1b2017-02-24 17:43:01 -08002156 bool onlyCreateHeader = false;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002157
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002158 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002159 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2160 /* An encryption was underway and was interrupted */
2161 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2162 crypt_ftr.encrypted_upto = 0;
2163 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
Paul Lawrence6bfed202014-07-28 12:47:22 -07002164
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002165 /* At this point, we are in an inconsistent state. Until we successfully
2166 complete encryption, a reboot will leave us broken. So mark the
2167 encryption failed in case that happens.
2168 On successfully completing encryption, remove this flag */
2169 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
Paul Lawrence6bfed202014-07-28 12:47:22 -07002170
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002171 put_crypt_ftr_and_key(&crypt_ftr);
2172 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2173 if (!check_ftr_sha(&crypt_ftr)) {
2174 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2175 put_crypt_ftr_and_key(&crypt_ftr);
2176 goto error_unencrypted;
2177 }
2178
2179 /* Doing a reboot-encryption*/
2180 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2181 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2182 rebootEncryption = true;
2183 }
Greg Kaiser59ad0182018-02-16 13:01:36 -08002184 } else {
2185 // We don't want to accidentally reference invalid data.
2186 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
Paul Lawrence87999172014-02-20 12:21:31 -08002187 }
2188
2189 property_get("ro.crypto.state", encrypted_state, "");
2190 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2191 SLOGE("Device is already running encrypted, aborting");
2192 goto error_unencrypted;
2193 }
2194
Tom Cherry4c5bde22019-01-29 14:34:01 -08002195 get_crypt_info(&key_loc, &real_blkdev);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002196
Ken Sumrall3ed82362011-01-28 23:31:16 -08002197 /* Get the size of the real block device */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02002198 uint64_t nr_sec;
2199 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002200 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
Ken Sumrall3ed82362011-01-28 23:31:16 -08002201 goto error_unencrypted;
2202 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002203
2204 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
Tom Cherry4c5bde22019-01-29 14:34:01 -08002205 if (key_loc == KEY_IN_FOOTER) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02002206 uint64_t fs_size_sec, max_fs_size_sec;
Tom Cherry4c5bde22019-01-29 14:34:01 -08002207 fs_size_sec = get_fs_size(real_blkdev.c_str());
2208 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
Daniel Rosenberge82df162014-08-15 22:19:23 +00002209
Paul Lawrence87999172014-02-20 12:21:31 -08002210 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
Ken Sumrall3ed82362011-01-28 23:31:16 -08002211
2212 if (fs_size_sec > max_fs_size_sec) {
2213 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2214 goto error_unencrypted;
2215 }
2216 }
2217
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002218 /* Get a wakelock as this may take a while, and we don't want the
2219 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2220 * wants to keep the screen on, it can grab a full wakelock.
2221 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002222 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002223 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2224
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002225 /* The init files are setup to stop the class main and late start when
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002226 * vold sets trigger_shutdown_framework.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002227 */
2228 property_set("vold.decrypt", "trigger_shutdown_framework");
2229 SLOGD("Just asked init to shut down class main\n");
2230
Jeff Sharkey9c484982015-03-31 10:35:33 -07002231 /* Ask vold to unmount all devices that it manages */
2232 if (vold_unmountAll()) {
2233 SLOGE("Failed to unmount all vold managed devices");
Ken Sumrall2eaf7132011-01-14 12:45:48 -08002234 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002235
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002236 /* no_ui means we are being called from init, not settings.
2237 Now we always reboot from settings, so !no_ui means reboot
2238 */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002239 if (!no_ui) {
2240 /* Try fallback, which is to reboot and try there */
2241 onlyCreateHeader = true;
2242 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2243 if (breadcrumb == 0) {
2244 SLOGE("Failed to create breadcrumb file");
2245 goto error_shutting_down;
2246 }
2247 fclose(breadcrumb);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002248 }
2249
2250 /* Do extra work for a better UX when doing the long inplace encryption */
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002251 if (!onlyCreateHeader) {
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002252 /* Now that /data is unmounted, we need to mount a tmpfs
2253 * /data, set a property saying we're doing inplace encryption,
2254 * and restart the framework.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002255 */
Ken Sumralle5032c42012-04-01 23:58:44 -07002256 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
Ken Sumrall3ed82362011-01-28 23:31:16 -08002257 goto error_shutting_down;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002258 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002259 /* Tells the framework that inplace encryption is starting */
Ken Sumrall7df84122011-01-18 14:04:08 -08002260 property_set("vold.encrypt_progress", "0");
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002261
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002262 /* restart the framework. */
2263 /* Create necessary paths on /data */
Wei Wang42e38102017-06-07 10:46:12 -07002264 prep_data_fs();
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002265
Ken Sumrall92736ef2012-10-17 20:57:14 -07002266 /* Ugh, shutting down the framework is not synchronous, so until it
2267 * can be fixed, this horrible hack will wait a moment for it all to
2268 * shut down before proceeding. Without it, some devices cannot
2269 * restart the graphics services.
2270 */
2271 sleep(2);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002272 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002273
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002274 /* Start the actual work of making an encrypted filesystem */
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002275 /* Initialize a crypt_mnt_ftr for the partition */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002276 if (previously_encrypted_upto == 0 && !rebootEncryption) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002277 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2278 goto error_shutting_down;
2279 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002280
Tom Cherry4c5bde22019-01-29 14:34:01 -08002281 if (key_loc == KEY_IN_FOOTER) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002282 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
Paul Lawrence87999172014-02-20 12:21:31 -08002283 } else {
2284 crypt_ftr.fs_size = nr_sec;
2285 }
Paul Lawrence6bfed202014-07-28 12:47:22 -07002286 /* At this point, we are in an inconsistent state. Until we successfully
2287 complete encryption, a reboot will leave us broken. So mark the
2288 encryption failed in case that happens.
2289 On successfully completing encryption, remove this flag */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002290 if (onlyCreateHeader) {
2291 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2292 } else {
2293 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2294 }
Paul Lawrence87999172014-02-20 12:21:31 -08002295 crypt_ftr.crypt_type = crypt_type;
Paul Crowley14c8c072018-09-18 13:30:21 -07002296 strlcpy((char*)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
2297 MAX_CRYPTO_TYPE_NAME_LEN);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002298
Paul Lawrence87999172014-02-20 12:21:31 -08002299 /* Make an encrypted master key */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002300 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2301 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
Paul Lawrence87999172014-02-20 12:21:31 -08002302 SLOGE("Cannot create encrypted master key\n");
2303 goto error_shutting_down;
2304 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002305
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002306 /* Replace scrypted intermediate key if we are preparing for a reboot */
2307 if (onlyCreateHeader) {
Greg Kaiser59ad0182018-02-16 13:01:36 -08002308 unsigned char fake_master_key[MAX_KEY_LEN];
2309 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002310 memset(fake_master_key, 0, sizeof(fake_master_key));
Paul Crowley14c8c072018-09-18 13:30:21 -07002311 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2312 &crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002313 }
2314
Paul Lawrence87999172014-02-20 12:21:31 -08002315 /* Write the key to the end of the partition */
2316 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002317
Paul Lawrence87999172014-02-20 12:21:31 -08002318 /* If any persistent data has been remembered, save it.
2319 * If none, create a valid empty table and save that.
2320 */
2321 if (!persist_data) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002322 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2323 if (pdata) {
2324 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2325 persist_data = pdata;
2326 }
Paul Lawrence87999172014-02-20 12:21:31 -08002327 }
2328 if (persist_data) {
2329 save_persistent_data();
2330 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002331 }
2332
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002333 if (onlyCreateHeader) {
2334 sleep(2);
Josh Gaofec44372017-08-28 13:22:55 -07002335 cryptfs_reboot(RebootType::reboot);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002336 }
2337
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002338 if (!no_ui || rebootEncryption) {
Ajay Dudani87701e22014-09-17 21:02:52 -07002339 /* startup service classes main and late_start */
2340 property_set("vold.decrypt", "trigger_restart_min_framework");
2341 SLOGD("Just triggered restart_min_framework\n");
2342
2343 /* OK, the framework is restarted and will soon be showing a
2344 * progress bar. Time to setup an encrypted mapping, and
2345 * either write a new filesystem, or encrypt in place updating
2346 * the progress bar as we work.
2347 */
2348 }
2349
Paul Lawrenced0c7b172014-08-08 14:28:10 -07002350 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
Tom Cherry4c5bde22019-01-29 14:34:01 -08002351 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
Paul Crowley5afbc622017-11-27 09:42:17 -08002352 CRYPTO_BLOCK_DEVICE, 0);
Ken Sumrall29d8da82011-05-18 17:20:07 -07002353
Paul Lawrence87999172014-02-20 12:21:31 -08002354 /* If we are continuing, check checksums match */
2355 rc = 0;
2356 if (previously_encrypted_upto) {
2357 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2358 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
Ken Sumrall128626f2011-06-28 18:45:14 -07002359
Paul Crowley14c8c072018-09-18 13:30:21 -07002360 if (!rc &&
2361 memcmp(hash_first_block, crypt_ftr.hash_first_block, sizeof(hash_first_block)) != 0) {
Paul Lawrence87999172014-02-20 12:21:31 -08002362 SLOGE("Checksums do not match - trigger wipe");
2363 rc = -1;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002364 }
2365 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002366
Paul Lawrence87999172014-02-20 12:21:31 -08002367 if (!rc) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002368 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev.data(),
Paul Lawrence87999172014-02-20 12:21:31 -08002369 previously_encrypted_upto);
2370 }
2371
2372 /* Calculate checksum if we are not finished */
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002373 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002374 rc = cryptfs_SHA256_fileblock(crypto_blkdev, crypt_ftr.hash_first_block);
Paul Lawrence73d7a022014-06-09 14:10:09 -07002375 if (rc) {
Paul Lawrence87999172014-02-20 12:21:31 -08002376 SLOGE("Error calculating checksum for continuing encryption");
2377 rc = -1;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002378 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002379 }
2380
2381 /* Undo the dm-crypt mapping whether we succeed or not */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002382 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
Ken Sumrall29d8da82011-05-18 17:20:07 -07002383
Paul Crowley14c8c072018-09-18 13:30:21 -07002384 if (!rc) {
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002385 /* Success */
Paul Lawrence6bfed202014-07-28 12:47:22 -07002386 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08002387
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002388 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
Paul Lawrence87999172014-02-20 12:21:31 -08002389 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2390 crypt_ftr.encrypted_upto);
Paul Lawrence6bfed202014-07-28 12:47:22 -07002391 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
Paul Lawrence87999172014-02-20 12:21:31 -08002392 }
Paul Lawrence73d7a022014-06-09 14:10:09 -07002393
Paul Lawrence6bfed202014-07-28 12:47:22 -07002394 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumralld33d4172011-02-01 00:49:13 -08002395
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002396 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2397 char value[PROPERTY_VALUE_MAX];
2398 property_get("ro.crypto.state", value, "");
2399 if (!strcmp(value, "")) {
2400 /* default encryption - continue first boot sequence */
2401 property_set("ro.crypto.state", "encrypted");
2402 property_set("ro.crypto.type", "block");
2403 release_wake_lock(lockid);
2404 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2405 // Bring up cryptkeeper that will check the password and set it
2406 property_set("vold.decrypt", "trigger_shutdown_framework");
2407 sleep(2);
2408 property_set("vold.encrypt_progress", "");
2409 cryptfs_trigger_restart_min_framework();
2410 } else {
2411 cryptfs_check_passwd(DEFAULT_PASSWORD);
2412 cryptfs_restart_internal(1);
2413 }
2414 return 0;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002415 } else {
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002416 sleep(2); /* Give the UI a chance to show 100% progress */
2417 cryptfs_reboot(RebootType::reboot);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002418 }
Paul Lawrence87999172014-02-20 12:21:31 -08002419 } else {
Paul Lawrenceb6672e12014-08-15 07:37:28 -07002420 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
Josh Gaofec44372017-08-28 13:22:55 -07002421 cryptfs_reboot(RebootType::shutdown);
Paul Lawrence87999172014-02-20 12:21:31 -08002422 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002423 } else {
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002424 char value[PROPERTY_VALUE_MAX];
2425
Ken Sumrall319369a2012-06-27 16:30:18 -07002426 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002427 if (!strcmp(value, "1")) {
2428 /* wipe data if encryption failed */
2429 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
Wei Wang4375f1b2017-02-24 17:43:01 -08002430 std::string err;
2431 const std::vector<std::string> options = {
Paul Crowley14c8c072018-09-18 13:30:21 -07002432 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
Wei Wang4375f1b2017-02-24 17:43:01 -08002433 if (!write_bootloader_message(options, &err)) {
2434 SLOGE("could not write bootloader message: %s", err.c_str());
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002435 }
Josh Gaofec44372017-08-28 13:22:55 -07002436 cryptfs_reboot(RebootType::recovery);
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002437 } else {
2438 /* set property to trigger dialog */
2439 property_set("vold.encrypt_progress", "error_partially_encrypted");
2440 release_wake_lock(lockid);
2441 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002442 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002443 }
2444
Ken Sumrall3ed82362011-01-28 23:31:16 -08002445 /* hrm, the encrypt step claims success, but the reboot failed.
2446 * This should not happen.
2447 * Set the property and return. Hope the framework can deal with it.
2448 */
2449 property_set("vold.encrypt_progress", "error_reboot_failed");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002450 release_wake_lock(lockid);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002451 return rc;
Ken Sumrall3ed82362011-01-28 23:31:16 -08002452
2453error_unencrypted:
2454 property_set("vold.encrypt_progress", "error_not_encrypted");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002455 if (lockid[0]) {
2456 release_wake_lock(lockid);
2457 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002458 return -1;
2459
2460error_shutting_down:
2461 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2462 * but the framework is stopped and not restarted to show the error, so it's up to
2463 * vold to restart the system.
2464 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002465 SLOGE(
2466 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2467 "system");
Josh Gaofec44372017-08-28 13:22:55 -07002468 cryptfs_reboot(RebootType::reboot);
Ken Sumrall3ed82362011-01-28 23:31:16 -08002469
2470 /* shouldn't get here */
2471 property_set("vold.encrypt_progress", "error_shutting_down");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002472 if (lockid[0]) {
2473 release_wake_lock(lockid);
2474 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002475 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002476}
2477
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002478int cryptfs_enable(int type, const char* passwd, int no_ui) {
2479 return cryptfs_enable_internal(type, passwd, no_ui);
Paul Lawrence13486032014-02-03 13:28:11 -08002480}
2481
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002482int cryptfs_enable_default(int no_ui) {
2483 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
Paul Lawrence13486032014-02-03 13:28:11 -08002484}
2485
Paul Crowley14c8c072018-09-18 13:30:21 -07002486int cryptfs_changepw(int crypt_type, const char* newpw) {
Eric Biggersa701c452018-10-23 13:06:55 -07002487 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002488 SLOGE("cryptfs_changepw not valid for file encryption");
2489 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08002490 }
2491
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002492 struct crypt_mnt_ftr crypt_ftr;
JP Abgrall933216c2015-02-11 13:44:32 -08002493 int rc;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002494
2495 /* This is only allowed after we've successfully decrypted the master key */
Paul Lawrencef4faa572014-01-29 13:31:03 -08002496 if (!master_key_saved) {
Ken Sumrall0cc16632011-01-18 20:32:26 -08002497 SLOGE("Key not saved, aborting");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002498 return -1;
2499 }
2500
Paul Lawrencef4faa572014-01-29 13:31:03 -08002501 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2502 SLOGE("Invalid crypt_type %d", crypt_type);
2503 return -1;
2504 }
2505
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002506 /* get key */
Ken Sumrall160b4d62013-04-22 12:15:39 -07002507 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Paul Lawrencef4faa572014-01-29 13:31:03 -08002508 SLOGE("Error getting crypt footer and key");
2509 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002510 }
2511
Paul Lawrencef4faa572014-01-29 13:31:03 -08002512 crypt_ftr.crypt_type = crypt_type;
2513
Paul Crowley14c8c072018-09-18 13:30:21 -07002514 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2515 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
JP Abgrall933216c2015-02-11 13:44:32 -08002516 if (rc) {
2517 SLOGE("Encrypt master key failed: %d", rc);
2518 return -1;
2519 }
Jason parks70a4b3f2011-01-28 10:10:47 -06002520 /* save the key */
Ken Sumrall160b4d62013-04-22 12:15:39 -07002521 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002522
2523 return 0;
2524}
Ken Sumrall160b4d62013-04-22 12:15:39 -07002525
Rubin Xu85c01f92014-10-13 12:49:54 +01002526static unsigned int persist_get_max_entries(int encrypted) {
2527 struct crypt_mnt_ftr crypt_ftr;
2528 unsigned int dsize;
Rubin Xu85c01f92014-10-13 12:49:54 +01002529
2530 /* If encrypted, use the values from the crypt_ftr, otherwise
2531 * use the values for the current spec.
2532 */
2533 if (encrypted) {
2534 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Rubin Xuf83cc612018-10-09 16:13:38 +01002535 /* Something is wrong, assume no space for entries */
2536 return 0;
Rubin Xu85c01f92014-10-13 12:49:54 +01002537 }
2538 dsize = crypt_ftr.persist_data_size;
2539 } else {
2540 dsize = CRYPT_PERSIST_DATA_SIZE;
2541 }
2542
Rubin Xuf83cc612018-10-09 16:13:38 +01002543 if (dsize > sizeof(struct crypt_persist_data)) {
2544 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2545 } else {
2546 return 0;
2547 }
Rubin Xu85c01f92014-10-13 12:49:54 +01002548}
2549
Paul Crowley14c8c072018-09-18 13:30:21 -07002550static int persist_get_key(const char* fieldname, char* value) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002551 unsigned int i;
2552
2553 if (persist_data == NULL) {
2554 return -1;
2555 }
2556 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2557 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2558 /* We found it! */
2559 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2560 return 0;
2561 }
2562 }
2563
2564 return -1;
2565}
2566
Paul Crowley14c8c072018-09-18 13:30:21 -07002567static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002568 unsigned int i;
2569 unsigned int num;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002570 unsigned int max_persistent_entries;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002571
2572 if (persist_data == NULL) {
2573 return -1;
2574 }
2575
Rubin Xu85c01f92014-10-13 12:49:54 +01002576 max_persistent_entries = persist_get_max_entries(encrypted);
Ken Sumrall160b4d62013-04-22 12:15:39 -07002577
2578 num = persist_data->persist_valid_entries;
2579
2580 for (i = 0; i < num; i++) {
2581 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2582 /* We found an existing entry, update it! */
2583 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2584 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2585 return 0;
2586 }
2587 }
2588
2589 /* We didn't find it, add it to the end, if there is room */
2590 if (persist_data->persist_valid_entries < max_persistent_entries) {
2591 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2592 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2593 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2594 persist_data->persist_valid_entries++;
2595 return 0;
2596 }
2597
2598 return -1;
2599}
2600
Rubin Xu85c01f92014-10-13 12:49:54 +01002601/**
2602 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2603 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2604 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002605int match_multi_entry(const char* key, const char* field, unsigned index) {
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002606 std::string key_ = key;
2607 std::string field_ = field;
Rubin Xu85c01f92014-10-13 12:49:54 +01002608
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002609 std::string parsed_field;
2610 unsigned parsed_index;
2611
2612 std::string::size_type split = key_.find_last_of('_');
2613 if (split == std::string::npos) {
2614 parsed_field = key_;
2615 parsed_index = 0;
2616 } else {
2617 parsed_field = key_.substr(0, split);
2618 parsed_index = std::stoi(key_.substr(split + 1));
Rubin Xu85c01f92014-10-13 12:49:54 +01002619 }
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002620
2621 return parsed_field == field_ && parsed_index >= index;
Rubin Xu85c01f92014-10-13 12:49:54 +01002622}
2623
2624/*
2625 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2626 * remaining entries starting from index will be deleted.
2627 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2628 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2629 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2630 *
2631 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002632static int persist_del_keys(const char* fieldname, unsigned index) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002633 unsigned int i;
2634 unsigned int j;
2635 unsigned int num;
2636
2637 if (persist_data == NULL) {
2638 return PERSIST_DEL_KEY_ERROR_OTHER;
2639 }
2640
2641 num = persist_data->persist_valid_entries;
2642
Paul Crowley14c8c072018-09-18 13:30:21 -07002643 j = 0; // points to the end of non-deleted entries.
Rubin Xu85c01f92014-10-13 12:49:54 +01002644 // Filter out to-be-deleted entries in place.
2645 for (i = 0; i < num; i++) {
2646 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2647 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2648 j++;
2649 }
2650 }
2651
2652 if (j < num) {
2653 persist_data->persist_valid_entries = j;
2654 // Zeroise the remaining entries
2655 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2656 return PERSIST_DEL_KEY_OK;
2657 } else {
2658 // Did not find an entry matching the given fieldname
2659 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2660 }
2661}
2662
Paul Crowley14c8c072018-09-18 13:30:21 -07002663static int persist_count_keys(const char* fieldname) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002664 unsigned int i;
2665 unsigned int count;
2666
2667 if (persist_data == NULL) {
2668 return -1;
2669 }
2670
2671 count = 0;
2672 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2673 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2674 count++;
2675 }
2676 }
2677
2678 return count;
2679}
2680
Ken Sumrall160b4d62013-04-22 12:15:39 -07002681/* Return the value of the specified field. */
Paul Crowley14c8c072018-09-18 13:30:21 -07002682int cryptfs_getfield(const char* fieldname, char* value, int len) {
Eric Biggersa701c452018-10-23 13:06:55 -07002683 if (fscrypt_is_native()) {
Paul Lawrence5a06a642016-02-03 13:39:13 -08002684 SLOGE("Cannot get field when file encrypted");
2685 return -1;
Paul Lawrence368d7942015-04-15 14:12:00 -07002686 }
2687
Ken Sumrall160b4d62013-04-22 12:15:39 -07002688 char temp_value[PROPERTY_VALUE_MAX];
Rubin Xu85c01f92014-10-13 12:49:54 +01002689 /* CRYPTO_GETFIELD_OK is success,
2690 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2691 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2692 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
Ken Sumrall160b4d62013-04-22 12:15:39 -07002693 */
Rubin Xu85c01f92014-10-13 12:49:54 +01002694 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2695 int i;
2696 char temp_field[PROPERTY_KEY_MAX];
Ken Sumrall160b4d62013-04-22 12:15:39 -07002697
2698 if (persist_data == NULL) {
2699 load_persistent_data();
2700 if (persist_data == NULL) {
2701 SLOGE("Getfield error, cannot load persistent data");
2702 goto out;
2703 }
2704 }
2705
Rubin Xu85c01f92014-10-13 12:49:54 +01002706 // Read value from persistent entries. If the original value is split into multiple entries,
2707 // stitch them back together.
Ken Sumrall160b4d62013-04-22 12:15:39 -07002708 if (!persist_get_key(fieldname, temp_value)) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002709 // We found it, copy it to the caller's buffer and keep going until all entries are read.
Paul Crowley14c8c072018-09-18 13:30:21 -07002710 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002711 // value too small
2712 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2713 goto out;
2714 }
2715 rc = CRYPTO_GETFIELD_OK;
2716
2717 for (i = 1; /* break explicitly */; i++) {
2718 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
Paul Crowley14c8c072018-09-18 13:30:21 -07002719 (int)sizeof(temp_field)) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002720 // If the fieldname is very long, we stop as soon as it begins to overflow the
2721 // maximum field length. At this point we have in fact fully read out the original
2722 // value because cryptfs_setfield would not allow fields with longer names to be
2723 // written in the first place.
2724 break;
2725 }
2726 if (!persist_get_key(temp_field, temp_value)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002727 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2728 // value too small.
2729 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2730 goto out;
2731 }
Rubin Xu85c01f92014-10-13 12:49:54 +01002732 } else {
2733 // Exhaust all entries.
2734 break;
2735 }
2736 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002737 } else {
2738 /* Sadness, it's not there. Return the error */
Rubin Xu85c01f92014-10-13 12:49:54 +01002739 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002740 }
2741
2742out:
2743 return rc;
2744}
2745
2746/* Set the value of the specified field. */
Paul Crowley14c8c072018-09-18 13:30:21 -07002747int cryptfs_setfield(const char* fieldname, const char* value) {
Eric Biggersa701c452018-10-23 13:06:55 -07002748 if (fscrypt_is_native()) {
Paul Lawrence5a06a642016-02-03 13:39:13 -08002749 SLOGE("Cannot set field when file encrypted");
2750 return -1;
Paul Lawrence368d7942015-04-15 14:12:00 -07002751 }
2752
Ken Sumrall160b4d62013-04-22 12:15:39 -07002753 char encrypted_state[PROPERTY_VALUE_MAX];
Rubin Xu85c01f92014-10-13 12:49:54 +01002754 /* 0 is success, negative values are error */
2755 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002756 int encrypted = 0;
Rubin Xu85c01f92014-10-13 12:49:54 +01002757 unsigned int field_id;
2758 char temp_field[PROPERTY_KEY_MAX];
2759 unsigned int num_entries;
2760 unsigned int max_keylen;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002761
2762 if (persist_data == NULL) {
2763 load_persistent_data();
2764 if (persist_data == NULL) {
2765 SLOGE("Setfield error, cannot load persistent data");
2766 goto out;
2767 }
2768 }
2769
2770 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07002771 if (!strcmp(encrypted_state, "encrypted")) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002772 encrypted = 1;
2773 }
2774
Rubin Xu85c01f92014-10-13 12:49:54 +01002775 // Compute the number of entries required to store value, each entry can store up to
2776 // (PROPERTY_VALUE_MAX - 1) chars
2777 if (strlen(value) == 0) {
2778 // Empty value also needs one entry to store.
2779 num_entries = 1;
2780 } else {
2781 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2782 }
2783
2784 max_keylen = strlen(fieldname);
2785 if (num_entries > 1) {
2786 // Need an extra "_%d" suffix.
2787 max_keylen += 1 + log10(num_entries);
2788 }
2789 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2790 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002791 goto out;
2792 }
2793
Rubin Xu85c01f92014-10-13 12:49:54 +01002794 // Make sure we have enough space to write the new value
2795 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2796 persist_get_max_entries(encrypted)) {
2797 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2798 goto out;
2799 }
2800
2801 // Now that we know persist_data has enough space for value, let's delete the old field first
2802 // to make up space.
2803 persist_del_keys(fieldname, 0);
2804
2805 if (persist_set_key(fieldname, value, encrypted)) {
2806 // fail to set key, should not happen as we have already checked the available space
2807 SLOGE("persist_set_key() error during setfield()");
2808 goto out;
2809 }
2810
2811 for (field_id = 1; field_id < num_entries; field_id++) {
Greg Kaiserb610e772018-02-09 09:19:54 -08002812 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
Rubin Xu85c01f92014-10-13 12:49:54 +01002813
2814 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2815 // fail to set key, should not happen as we have already checked the available space.
2816 SLOGE("persist_set_key() error during setfield()");
2817 goto out;
2818 }
2819 }
2820
Ken Sumrall160b4d62013-04-22 12:15:39 -07002821 /* If we are running encrypted, save the persistent data now */
2822 if (encrypted) {
2823 if (save_persistent_data()) {
2824 SLOGE("Setfield error, cannot save persistent data");
2825 goto out;
2826 }
2827 }
2828
Rubin Xu85c01f92014-10-13 12:49:54 +01002829 rc = CRYPTO_SETFIELD_OK;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002830
2831out:
2832 return rc;
2833}
Paul Lawrencef4faa572014-01-29 13:31:03 -08002834
2835/* Checks userdata. Attempt to mount the volume if default-
2836 * encrypted.
2837 * On success trigger next init phase and return 0.
2838 * Currently do not handle failure - see TODO below.
2839 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002840int cryptfs_mount_default_encrypted(void) {
Paul Lawrence84274cc2016-04-15 15:41:33 -07002841 int crypt_type = cryptfs_get_password_type();
2842 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2843 SLOGE("Bad crypt type - error");
2844 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002845 SLOGD(
2846 "Password is not default - "
2847 "starting min framework to prompt");
Paul Lawrence84274cc2016-04-15 15:41:33 -07002848 property_set("vold.decrypt", "trigger_restart_min_framework");
2849 return 0;
2850 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2851 SLOGD("Password is default - restarting filesystem");
2852 cryptfs_restart_internal(0);
2853 return 0;
Paul Lawrencef4faa572014-01-29 13:31:03 -08002854 } else {
Paul Lawrence84274cc2016-04-15 15:41:33 -07002855 SLOGE("Encrypted, default crypt type but can't decrypt");
Paul Lawrencef4faa572014-01-29 13:31:03 -08002856 }
2857
Paul Lawrence6bfed202014-07-28 12:47:22 -07002858 /** Corrupt. Allow us to boot into framework, which will detect bad
2859 crypto when it calls do_crypto_complete, then do a factory reset
Paul Lawrencef4faa572014-01-29 13:31:03 -08002860 */
Paul Lawrence6bfed202014-07-28 12:47:22 -07002861 property_set("vold.decrypt", "trigger_restart_min_framework");
Paul Lawrencef4faa572014-01-29 13:31:03 -08002862 return 0;
2863}
2864
2865/* Returns type of the password, default, pattern, pin or password.
2866 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002867int cryptfs_get_password_type(void) {
Eric Biggersa701c452018-10-23 13:06:55 -07002868 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002869 SLOGE("cryptfs_get_password_type not valid for file encryption");
2870 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08002871 }
2872
Paul Lawrencef4faa572014-01-29 13:31:03 -08002873 struct crypt_mnt_ftr crypt_ftr;
2874
2875 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2876 SLOGE("Error getting crypt footer and key\n");
2877 return -1;
2878 }
2879
Paul Lawrence6bfed202014-07-28 12:47:22 -07002880 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2881 return -1;
2882 }
2883
Paul Lawrencef4faa572014-01-29 13:31:03 -08002884 return crypt_ftr.crypt_type;
2885}
Paul Lawrence684dbdf2014-02-07 12:07:22 -08002886
Paul Crowley14c8c072018-09-18 13:30:21 -07002887const char* cryptfs_get_password() {
Eric Biggersa701c452018-10-23 13:06:55 -07002888 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002889 SLOGE("cryptfs_get_password not valid for file encryption");
2890 return 0;
Paul Lawrence05335c32015-03-05 09:46:23 -08002891 }
2892
Paul Lawrence399317e2014-03-10 13:20:50 -07002893 struct timespec now;
Paul Lawrenceef2b5be2014-11-11 12:47:03 -08002894 clock_gettime(CLOCK_BOOTTIME, &now);
Paul Lawrence399317e2014-03-10 13:20:50 -07002895 if (now.tv_sec < password_expiry_time) {
2896 return password;
2897 } else {
2898 cryptfs_clear_password();
2899 return 0;
2900 }
2901}
2902
Paul Crowley14c8c072018-09-18 13:30:21 -07002903void cryptfs_clear_password() {
Paul Lawrence399317e2014-03-10 13:20:50 -07002904 if (password) {
2905 size_t len = strlen(password);
2906 memset(password, 0, len);
2907 free(password);
2908 password = 0;
2909 password_expiry_time = 0;
2910 }
Paul Lawrence684dbdf2014-02-07 12:07:22 -08002911}
Paul Lawrence731a7a22015-04-28 22:14:15 +00002912
Paul Crowley14c8c072018-09-18 13:30:21 -07002913int cryptfs_isConvertibleToFBE() {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002914 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2915 return entry && entry->fs_mgr_flags.force_fde_or_fbe;
Paul Lawrence0c247462015-10-29 10:30:57 -07002916}