blob: 692d7ee60ddf18122f7adbc011e324d3fb27f4f4 [file] [log] [blame]
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Paul Crowleyb64933a2017-10-31 08:25:55 -070017#ifndef ANDROID_VOLD_CRYPTFS_H
18#define ANDROID_VOLD_CRYPTFS_H
19
Ken Sumrall8f869aa2010-12-03 03:47:09 -080020/* This structure starts 16,384 bytes before the end of a hardware
Ken Sumrall160b4d62013-04-22 12:15:39 -070021 * partition that is encrypted, or in a separate partition. It's location
22 * is specified by a property set in init.<device>.rc.
23 * The structure allocates 48 bytes for a key, but the real key size is
24 * specified in the struct. Currently, the code is hardcoded to use 128
25 * bit keys.
26 * The fields after salt are only valid in rev 1.1 and later stuctures.
Ken Sumrall8f869aa2010-12-03 03:47:09 -080027 * Obviously, the filesystem does not include the last 16 kbytes
Ken Sumrall160b4d62013-04-22 12:15:39 -070028 * of the partition if the crypt_mnt_ftr lives at the end of the
29 * partition.
Ken Sumrall8f869aa2010-12-03 03:47:09 -080030 */
31
Logan Chien0267ccf2018-05-02 10:57:56 +080032#include <linux/types.h>
Paul Lawrence2f32cda2015-05-05 14:28:25 -070033#include <stdbool.h>
Greg Kaiser57f9af62018-02-16 13:13:58 -080034#include <stdint.h>
Logan Chien0267ccf2018-05-02 10:57:56 +080035
Ken Sumrall160b4d62013-04-22 12:15:39 -070036#include <cutils/properties.h>
37
Kenny Rootc96a5f82013-06-14 12:08:28 -070038/* The current cryptfs version */
39#define CURRENT_MAJOR_VERSION 1
Paul Lawrencef4faa572014-01-29 13:31:03 -080040#define CURRENT_MINOR_VERSION 3
Kenny Rootc96a5f82013-06-14 12:08:28 -070041
Ken Sumrall8f869aa2010-12-03 03:47:09 -080042#define CRYPT_FOOTER_OFFSET 0x4000
Ken Sumrall160b4d62013-04-22 12:15:39 -070043#define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
44#define CRYPT_PERSIST_DATA_SIZE 0x1000
Ken Sumrall8f869aa2010-12-03 03:47:09 -080045
46#define MAX_CRYPTO_TYPE_NAME_LEN 64
47
Ken Sumrall160b4d62013-04-22 12:15:39 -070048#define MAX_KEY_LEN 48
Ken Sumralle8744072011-01-18 22:01:55 -080049#define SALT_LEN 16
Paul Lawrenced0c7b172014-08-08 14:28:10 -070050#define SCRYPT_LEN 32
Ken Sumralle8744072011-01-18 22:01:55 -080051
Ken Sumrall8f869aa2010-12-03 03:47:09 -080052/* definitions of flags in the structure below */
53#define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
Paul Crowley14c8c072018-09-18 13:30:21 -070054#define CRYPT_ENCRYPTION_IN_PROGRESS \
55 0x2 /* Encryption partially completed, \
56 encrypted_upto valid*/
57#define CRYPT_INCONSISTENT_STATE \
58 0x4 /* Set when starting encryption, clear when \
59 exit cleanly, either through success or \
60 correctly marked partial encryption */
61#define CRYPT_DATA_CORRUPT \
62 0x8 /* Set when encryption is fine, but the \
63 underlying volume is corrupt */
64#define CRYPT_FORCE_ENCRYPTION \
65 0x10 /* Set when it is time to encrypt this \
66 volume on boot. Everything in this \
67 structure is set up correctly as \
68 though device is encrypted except \
69 that the master key is encrypted with the \
70 default password. */
71#define CRYPT_FORCE_COMPLETE \
72 0x20 /* Set when the above encryption cycle is \
73 complete. On next cryptkeeper entry, match \
74 the password. If it matches fix the master \
75 key and remove this flag. */
Ken Sumrall8f869aa2010-12-03 03:47:09 -080076
Paul Lawrencef4faa572014-01-29 13:31:03 -080077/* Allowed values for type in the structure below */
Paul Crowley14c8c072018-09-18 13:30:21 -070078#define CRYPT_TYPE_PASSWORD \
79 0 /* master_key is encrypted with a password \
80 * Must be zero to be compatible with pre-L \
81 * devices where type is always password.*/
82#define CRYPT_TYPE_DEFAULT \
83 1 /* master_key is encrypted with default \
84 * password */
85#define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
86#define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
Paul Lawrencef4faa572014-01-29 13:31:03 -080087#define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
88
Ken Sumrall8f869aa2010-12-03 03:47:09 -080089#define CRYPT_MNT_MAGIC 0xD0B5B1C4
Ken Sumrall160b4d62013-04-22 12:15:39 -070090#define PERSIST_DATA_MAGIC 0xE950CD44
Ken Sumrall8f869aa2010-12-03 03:47:09 -080091
Kenny Rootc4c70f12013-06-14 12:11:38 -070092/* Key Derivation Function algorithms */
93#define KDF_PBKDF2 1
94#define KDF_SCRYPT 2
Paul Lawrencedb3730c2015-02-03 13:08:10 -080095/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
Shawn Willdene17a9c42014-09-08 13:04:08 -060096#define KDF_SCRYPT_KEYMASTER 5
Paul Lawrence69f4ebd2014-04-14 12:17:14 -070097
98/* Maximum allowed keymaster blob size. */
99#define KEYMASTER_BLOB_SIZE 2048
Kenny Rootc4c70f12013-06-14 12:11:38 -0700100
Mark Salyzyn3e971272014-01-21 13:27:04 -0800101/* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
Paul Crowley14c8c072018-09-18 13:30:21 -0700102#define __le8 unsigned char
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800103
Adam Langley41405bb2015-01-22 16:45:28 -0800104#if !defined(SHA256_DIGEST_LENGTH)
105#define SHA256_DIGEST_LENGTH 32
106#endif
107
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800108struct crypt_mnt_ftr {
Paul Crowley14c8c072018-09-18 13:30:21 -0700109 __le32 magic; /* See above */
110 __le16 major_version;
111 __le16 minor_version;
112 __le32 ftr_size; /* in bytes, not including key following */
113 __le32 flags; /* See above */
114 __le32 keysize; /* in bytes */
115 __le32 crypt_type; /* how master_key is encrypted. Must be a
116 * CRYPT_TYPE_XXX value */
117 __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
118 __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
119 mount, set to 0 on successful mount */
120 unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
121 needed to decrypt this
122 partition, null terminated */
123 __le32 spare2; /* ignored */
124 unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
125 unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
126 __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
127 * on device with that info, either the footer of the
128 * real_blkdevice or the metadata partition. */
Ken Sumrall160b4d62013-04-22 12:15:39 -0700129
Paul Crowley14c8c072018-09-18 13:30:21 -0700130 __le32 persist_data_size; /* The number of bytes allocated to each copy of the
131 * persistent data table*/
Kenny Rootc4c70f12013-06-14 12:11:38 -0700132
Paul Crowley14c8c072018-09-18 13:30:21 -0700133 __le8 kdf_type; /* The key derivation function used. */
Kenny Rootc4c70f12013-06-14 12:11:38 -0700134
Paul Crowley14c8c072018-09-18 13:30:21 -0700135 /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
136 __le8 N_factor; /* (1 << N) */
137 __le8 r_factor; /* (1 << r) */
138 __le8 p_factor; /* (1 << p) */
139 __le64 encrypted_upto; /* If we are in state CRYPT_ENCRYPTION_IN_PROGRESS and
140 we have to stop (e.g. power low) this is the last
141 encrypted 512 byte sector.*/
142 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* When CRYPT_ENCRYPTION_IN_PROGRESS
143 set, hash of first block, used
144 to validate before continuing*/
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700145
Paul Crowley14c8c072018-09-18 13:30:21 -0700146 /* key_master key, used to sign the derived key which is then used to generate
147 * the intermediate key
148 * This key should be used for no other purposes! We use this key to sign unpadded
149 * data, which is acceptable but only if the key is not reused elsewhere. */
150 __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
151 __le32 keymaster_blob_size;
Paul Lawrenced0c7b172014-08-08 14:28:10 -0700152
Paul Crowley14c8c072018-09-18 13:30:21 -0700153 /* Store scrypt of salted intermediate key. When decryption fails, we can
154 check if this matches, and if it does, we know that the problem is with the
155 drive, and there is no point in asking the user for more passwords.
Paul Lawrenced0c7b172014-08-08 14:28:10 -0700156
Paul Crowley14c8c072018-09-18 13:30:21 -0700157 Note that if any part of this structure is corrupt, this will not match and
158 we will continue to believe the user entered the wrong password. In that
159 case the only solution is for the user to enter a password enough times to
160 force a wipe.
Paul Lawrenced0c7b172014-08-08 14:28:10 -0700161
Paul Crowley14c8c072018-09-18 13:30:21 -0700162 Note also that there is no need to worry about migration. If this data is
163 wrong, we simply won't recognise a right password, and will continue to
164 prompt. On the first password change, this value will be populated and
165 then we will be OK.
166 */
167 unsigned char scrypted_intermediate_key[SCRYPT_LEN];
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800168
Paul Crowley14c8c072018-09-18 13:30:21 -0700169 /* sha of this structure with this element set to zero
170 Used when encrypting on reboot to validate structure before doing something
171 fatal
172 */
173 unsigned char sha256[SHA256_DIGEST_LENGTH];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700174};
175
176/* Persistant data that should be available before decryption.
177 * Things like airplane mode, locale and timezone are kept
178 * here and can be retrieved by the CryptKeeper UI to properly
179 * configure the phone before asking for the password
180 * This is only valid if the major and minor version above
181 * is set to 1.1 or higher.
182 *
183 * This is a 4K structure. There are 2 copies, and the code alternates
184 * writing one and then clearing the previous one. The reading
185 * code reads the first valid copy it finds, based on the magic number.
186 * The absolute offset to the first of the two copies is kept in rev 1.1
187 * and higher crypt_mnt_ftr structures.
188 */
189struct crypt_persist_entry {
Paul Crowley14c8c072018-09-18 13:30:21 -0700190 char key[PROPERTY_KEY_MAX];
191 char val[PROPERTY_VALUE_MAX];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700192};
193
194/* Should be exactly 4K in size */
195struct crypt_persist_data {
Paul Crowley14c8c072018-09-18 13:30:21 -0700196 __le32 persist_magic;
197 __le32 persist_valid_entries;
198 __le32 persist_spare[30];
199 struct crypt_persist_entry persist_entry[0];
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800200};
201
JP Abgrall502dc742013-11-01 13:06:20 -0700202#define DATA_MNT_POINT "/data"
203
Paul Lawrence74f29f12014-08-28 15:54:10 -0700204/* Return values for cryptfs_crypto_complete */
Paul Crowley14c8c072018-09-18 13:30:21 -0700205#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
206#define CRYPTO_COMPLETE_ENCRYPTED 0
207#define CRYPTO_COMPLETE_BAD_METADATA (-1)
208#define CRYPTO_COMPLETE_PARTIAL (-2)
209#define CRYPTO_COMPLETE_INCONSISTENT (-3)
210#define CRYPTO_COMPLETE_CORRUPT (-4)
Paul Lawrence74f29f12014-08-28 15:54:10 -0700211
JP Abgrall7fc1de82014-10-10 18:43:41 -0700212/* Return values for cryptfs_enable_inplace*() */
213#define ENABLE_INPLACE_OK 0
Chih-Hung Hsiehaae79382016-06-10 14:13:59 -0700214#define ENABLE_INPLACE_ERR_OTHER (-1)
Paul Crowley14c8c072018-09-18 13:30:21 -0700215#define ENABLE_INPLACE_ERR_DEV (-2) /* crypto_blkdev issue */
JP Abgrall7fc1de82014-10-10 18:43:41 -0700216
Rubin Xu85c01f92014-10-13 12:49:54 +0100217/* Return values for cryptfs_getfield */
Paul Crowley14c8c072018-09-18 13:30:21 -0700218#define CRYPTO_GETFIELD_OK 0
219#define CRYPTO_GETFIELD_ERROR_NO_FIELD (-1)
220#define CRYPTO_GETFIELD_ERROR_OTHER (-2)
Chih-Hung Hsiehaae79382016-06-10 14:13:59 -0700221#define CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL (-3)
Rubin Xu85c01f92014-10-13 12:49:54 +0100222
223/* Return values for cryptfs_setfield */
Paul Crowley14c8c072018-09-18 13:30:21 -0700224#define CRYPTO_SETFIELD_OK 0
225#define CRYPTO_SETFIELD_ERROR_OTHER (-1)
Chih-Hung Hsiehaae79382016-06-10 14:13:59 -0700226#define CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG (-2)
227#define CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG (-3)
Rubin Xu85c01f92014-10-13 12:49:54 +0100228
229/* Return values for persist_del_key */
Paul Crowley14c8c072018-09-18 13:30:21 -0700230#define PERSIST_DEL_KEY_OK 0
231#define PERSIST_DEL_KEY_ERROR_OTHER (-1)
232#define PERSIST_DEL_KEY_ERROR_NO_FIELD (-2)
Rubin Xu85c01f92014-10-13 12:49:54 +0100233
Paul Crowleyb64933a2017-10-31 08:25:55 -0700234int match_multi_entry(const char* key, const char* field, unsigned index);
235int wait_and_unmount(const char* mountpoint, bool kill);
Kenny Rootc4c70f12013-06-14 12:11:38 -0700236
Paul Crowleyb64933a2017-10-31 08:25:55 -0700237typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
238 void* params);
Paul Lawrence2f32cda2015-05-05 14:28:25 -0700239
Paul Crowleyb64933a2017-10-31 08:25:55 -0700240int cryptfs_crypto_complete(void);
241int cryptfs_check_passwd(const char* pw);
242int cryptfs_verify_passwd(const char* pw);
243int cryptfs_restart(void);
Paul Lawrence7ee87cf2017-12-22 10:12:06 -0800244int cryptfs_enable(int type, const char* passwd, int no_ui);
Paul Crowleyb64933a2017-10-31 08:25:55 -0700245int cryptfs_changepw(int type, const char* newpw);
Paul Lawrence7ee87cf2017-12-22 10:12:06 -0800246int cryptfs_enable_default(int no_ui);
Paul Crowleyb64933a2017-10-31 08:25:55 -0700247int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
Greg Kaiser57f9af62018-02-16 13:13:58 -0800248 char* out_crypto_blkdev);
Paul Crowleyb64933a2017-10-31 08:25:55 -0700249int cryptfs_revert_ext_volume(const char* label);
250int cryptfs_getfield(const char* fieldname, char* value, int len);
251int cryptfs_setfield(const char* fieldname, const char* value);
252int cryptfs_mount_default_encrypted(void);
253int cryptfs_get_password_type(void);
254const char* cryptfs_get_password(void);
255void cryptfs_clear_password(void);
256int cryptfs_isConvertibleToFBE(void);
Kenny Rootc4c70f12013-06-14 12:11:38 -0700257
Greg Kaiser57f9af62018-02-16 13:13:58 -0800258uint32_t cryptfs_get_keysize();
259const char* cryptfs_get_crypto_name();
260
Paul Crowleyb64933a2017-10-31 08:25:55 -0700261#endif /* ANDROID_VOLD_CRYPTFS_H */