blob: 07617e95856803500478fc08ee626b078e1fb4fa [file] [log] [blame]
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
Logan Chiend557d762018-05-02 11:36:45 +080023#define LOG_TAG "Cryptfs"
24
25#include "cryptfs.h"
26
Daniel Rosenberg65f99c92018-08-28 01:58:49 -070027#include "Checkpoint.h"
Logan Chiend557d762018-05-02 11:36:45 +080028#include "EncryptInplace.h"
Eric Biggersa701c452018-10-23 13:06:55 -070029#include "FsCrypt.h"
Logan Chiend557d762018-05-02 11:36:45 +080030#include "Keymaster.h"
31#include "Process.h"
32#include "ScryptParameters.h"
Paul Crowleycfe39722018-10-30 15:59:24 -070033#include "Utils.h"
Logan Chiend557d762018-05-02 11:36:45 +080034#include "VoldUtil.h"
35#include "VolumeManager.h"
Logan Chiend557d762018-05-02 11:36:45 +080036
Eric Biggersed45ec32019-01-25 10:47:55 -080037#include <android-base/parseint.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080038#include <android-base/properties.h>
Greg Kaiserab1e84a2018-12-11 12:40:51 -080039#include <android-base/stringprintf.h>
Logan Chiend557d762018-05-02 11:36:45 +080040#include <bootloader_message/bootloader_message.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080041#include <cutils/android_reboot.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080042#include <cutils/properties.h>
Tao Bao5a95ddb2016-10-05 18:01:19 -070043#include <ext4_utils/ext4_utils.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080044#include <f2fs_sparseblock.h>
Ken Sumralle5032c42012-04-01 23:58:44 -070045#include <fs_mgr.h>
Eric Biggersa701c452018-10-23 13:06:55 -070046#include <fscrypt/fscrypt.h>
Logan Chien3f2b1222018-05-02 11:39:03 +080047#include <hardware_legacy/power.h>
Logan Chien188b0ab2018-04-23 13:37:39 +080048#include <log/log.h>
Logan Chiend557d762018-05-02 11:36:45 +080049#include <logwrap/logwrap.h>
50#include <openssl/evp.h>
51#include <openssl/sha.h>
Jeff Vander Stoepdf725752016-01-29 15:34:43 -080052#include <selinux/selinux.h>
Logan Chiend557d762018-05-02 11:36:45 +080053
54#include <ctype.h>
55#include <errno.h>
56#include <fcntl.h>
57#include <inttypes.h>
58#include <libgen.h>
59#include <linux/dm-ioctl.h>
60#include <linux/kdev_t.h>
61#include <math.h>
62#include <stdio.h>
63#include <stdlib.h>
64#include <string.h>
65#include <sys/ioctl.h>
66#include <sys/mount.h>
67#include <sys/param.h>
68#include <sys/stat.h>
69#include <sys/types.h>
70#include <sys/wait.h>
71#include <time.h>
72#include <unistd.h>
73
Wei Wang4375f1b2017-02-24 17:43:01 -080074extern "C" {
75#include <crypto_scrypt.h>
76}
Mark Salyzyn3e971272014-01-21 13:27:04 -080077
Eric Biggersed45ec32019-01-25 10:47:55 -080078using android::base::ParseUint;
Greg Kaiserab1e84a2018-12-11 12:40:51 -080079using android::base::StringPrintf;
Tom Cherry4c5bde22019-01-29 14:34:01 -080080using android::fs_mgr::GetEntryForMountPoint;
Paul Crowleycfe39722018-10-30 15:59:24 -070081using namespace std::chrono_literals;
82
Mark Salyzyn5eecc442014-02-12 14:16:14 -080083#define UNUSED __attribute__((unused))
84
Ken Sumrall8f869aa2010-12-03 03:47:09 -080085#define DM_CRYPT_BUF_SIZE 4096
86
Jason parks70a4b3f2011-01-28 10:10:47 -060087#define HASH_COUNT 2000
Greg Kaiserc0de9c72018-02-14 20:05:54 -080088
89constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
90constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
Paul Crowley14c8c072018-09-18 13:30:21 -070091constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
Greg Kaiserc0de9c72018-02-14 20:05:54 -080092
93// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
Paul Crowley14c8c072018-09-18 13:30:21 -070094static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
Jason parks70a4b3f2011-01-28 10:10:47 -060095
Paul Crowley14c8c072018-09-18 13:30:21 -070096#define KEY_IN_FOOTER "footer"
Ken Sumrall29d8da82011-05-18 17:20:07 -070097
Paul Lawrence3bd36d52015-06-09 13:37:44 -070098#define DEFAULT_PASSWORD "default_password"
Paul Lawrencef4faa572014-01-29 13:31:03 -080099
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800100#define CRYPTO_BLOCK_DEVICE "userdata"
101
102#define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
103
Ken Sumrall29d8da82011-05-18 17:20:07 -0700104#define EXT4_FS 1
JP Abgrall62c7af32014-06-16 13:01:23 -0700105#define F2FS_FS 2
Ken Sumrall29d8da82011-05-18 17:20:07 -0700106
Ken Sumralle919efe2012-09-29 17:07:41 -0700107#define TABLE_LOAD_RETRIES 10
108
Shawn Willden47ba10d2014-09-03 17:07:06 -0600109#define RSA_KEY_SIZE 2048
110#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
111#define RSA_EXPONENT 0x10001
Shawn Willdenda6e8992015-06-03 09:40:45 -0600112#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700113
Paul Lawrence8e3f4512014-09-08 10:11:17 -0700114#define RETRY_MOUNT_ATTEMPTS 10
115#define RETRY_MOUNT_DELAY_SECONDS 1
116
Paul Crowley5afbc622017-11-27 09:42:17 -0800117#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
118
Paul Crowley73473332017-11-21 15:43:51 -0800119static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
120
Greg Kaiser59ad0182018-02-16 13:01:36 -0800121static unsigned char saved_master_key[MAX_KEY_LEN];
Paul Crowley14c8c072018-09-18 13:30:21 -0700122static char* saved_mount_point;
123static int master_key_saved = 0;
124static struct crypt_persist_data* persist_data = NULL;
Ken Sumrall56ad03c2013-02-13 13:00:19 -0800125
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700126/* Should we use keymaster? */
Paul Crowley14c8c072018-09-18 13:30:21 -0700127static int keymaster_check_compatibility() {
Janis Danisevskis015ec302017-01-31 11:31:08 +0000128 return keymaster_compatibility_cryptfs_scrypt();
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700129}
130
131/* Create a new keymaster key and store it in this footer */
Paul Crowley14c8c072018-09-18 13:30:21 -0700132static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800133 if (ftr->keymaster_blob_size) {
134 SLOGI("Already have key");
135 return 0;
136 }
137
Paul Crowley14c8c072018-09-18 13:30:21 -0700138 int rc = keymaster_create_key_for_cryptfs_scrypt(
139 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
140 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
Janis Danisevskis015ec302017-01-31 11:31:08 +0000141 if (rc) {
142 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
Paul Crowley73473332017-11-21 15:43:51 -0800143 SLOGE("Keymaster key blob too large");
Janis Danisevskis015ec302017-01-31 11:31:08 +0000144 ftr->keymaster_blob_size = 0;
145 }
146 SLOGE("Failed to generate keypair");
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700147 return -1;
148 }
Janis Danisevskis015ec302017-01-31 11:31:08 +0000149 return 0;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700150}
151
Shawn Willdene17a9c42014-09-08 13:04:08 -0600152/* This signs the given object using the keymaster key. */
Paul Crowley14c8c072018-09-18 13:30:21 -0700153static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
154 const size_t object_size, unsigned char** signature,
155 size_t* signature_size) {
Shawn Willden47ba10d2014-09-03 17:07:06 -0600156 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
Shawn Willdene17a9c42014-09-08 13:04:08 -0600157 size_t to_sign_size = sizeof(to_sign);
Shawn Willden47ba10d2014-09-03 17:07:06 -0600158 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
Shawn Willden47ba10d2014-09-03 17:07:06 -0600159
Shawn Willdene17a9c42014-09-08 13:04:08 -0600160 // To sign a message with RSA, the message must satisfy two
161 // constraints:
162 //
163 // 1. The message, when interpreted as a big-endian numeric value, must
164 // be strictly less than the public modulus of the RSA key. Note
165 // that because the most significant bit of the public modulus is
166 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
167 // key), an n-bit message with most significant bit 0 always
168 // satisfies this requirement.
169 //
170 // 2. The message must have the same length in bits as the public
171 // modulus of the RSA key. This requirement isn't mathematically
172 // necessary, but is necessary to ensure consistency in
173 // implementations.
174 switch (ftr->kdf_type) {
Shawn Willdene17a9c42014-09-08 13:04:08 -0600175 case KDF_SCRYPT_KEYMASTER:
176 // This ensures the most significant byte of the signed message
177 // is zero. We could have zero-padded to the left instead, but
178 // this approach is slightly more robust against changes in
179 // object size. However, it's still broken (but not unusably
Shawn Willdenda6e8992015-06-03 09:40:45 -0600180 // so) because we really should be using a proper deterministic
181 // RSA padding function, such as PKCS1.
Wei Wang4375f1b2017-02-24 17:43:01 -0800182 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
Shawn Willdene17a9c42014-09-08 13:04:08 -0600183 SLOGI("Signing safely-padded object");
184 break;
185 default:
186 SLOGE("Unknown KDF type %d", ftr->kdf_type);
Janis Danisevskis015ec302017-01-31 11:31:08 +0000187 return -1;
Shawn Willdene17a9c42014-09-08 13:04:08 -0600188 }
Paul Crowley73473332017-11-21 15:43:51 -0800189 for (;;) {
190 auto result = keymaster_sign_object_for_cryptfs_scrypt(
191 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
192 to_sign_size, signature, signature_size);
193 switch (result) {
194 case KeymasterSignResult::ok:
195 return 0;
196 case KeymasterSignResult::upgrade:
197 break;
198 default:
199 return -1;
200 }
201 SLOGD("Upgrading key");
202 if (keymaster_upgrade_key_for_cryptfs_scrypt(
203 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
204 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
205 &ftr->keymaster_blob_size) != 0) {
206 SLOGE("Failed to upgrade key");
207 return -1;
208 }
209 if (put_crypt_ftr_and_key(ftr) != 0) {
210 SLOGE("Failed to write upgraded key to disk");
211 }
212 SLOGD("Key upgraded successfully");
213 }
Shawn Willden47ba10d2014-09-03 17:07:06 -0600214}
215
Paul Lawrence399317e2014-03-10 13:20:50 -0700216/* Store password when userdata is successfully decrypted and mounted.
217 * Cleared by cryptfs_clear_password
218 *
219 * To avoid a double prompt at boot, we need to store the CryptKeeper
220 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
221 * Since the entire framework is torn down and rebuilt after encryption,
222 * we have to use a daemon or similar to store the password. Since vold
223 * is secured against IPC except from system processes, it seems a reasonable
224 * place to store this.
225 *
226 * password should be cleared once it has been used.
227 *
228 * password is aged out after password_max_age_seconds seconds.
Paul Lawrence684dbdf2014-02-07 12:07:22 -0800229 */
Paul Lawrence399317e2014-03-10 13:20:50 -0700230static char* password = 0;
231static int password_expiry_time = 0;
232static const int password_max_age_seconds = 60;
Paul Lawrence684dbdf2014-02-07 12:07:22 -0800233
Paul Crowley14c8c072018-09-18 13:30:21 -0700234enum class RebootType { reboot, recovery, shutdown };
235static void cryptfs_reboot(RebootType rt) {
236 switch (rt) {
237 case RebootType::reboot:
238 property_set(ANDROID_RB_PROPERTY, "reboot");
239 break;
Paul Lawrence87999172014-02-20 12:21:31 -0800240
Paul Crowley14c8c072018-09-18 13:30:21 -0700241 case RebootType::recovery:
242 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
243 break;
Paul Lawrence87999172014-02-20 12:21:31 -0800244
Paul Crowley14c8c072018-09-18 13:30:21 -0700245 case RebootType::shutdown:
246 property_set(ANDROID_RB_PROPERTY, "shutdown");
247 break;
Ken Sumralladfba362013-06-04 16:37:52 -0700248 }
Paul Lawrence87999172014-02-20 12:21:31 -0800249
Ken Sumralladfba362013-06-04 16:37:52 -0700250 sleep(20);
251
252 /* Shouldn't get here, reboot should happen before sleep times out */
253 return;
254}
255
Paul Crowley14c8c072018-09-18 13:30:21 -0700256static void ioctl_init(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800257 memset(io, 0, dataSize);
258 io->data_size = dataSize;
259 io->data_start = sizeof(struct dm_ioctl);
260 io->version[0] = 4;
261 io->version[1] = 0;
262 io->version[2] = 0;
263 io->flags = flags;
264 if (name) {
Marek Pola5e6b9142015-02-05 14:22:34 +0100265 strlcpy(io->name, name, sizeof(io->name));
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800266 }
267}
268
Greg Kaiser38723f22018-02-16 13:35:35 -0800269namespace {
270
271struct CryptoType;
272
273// Use to get the CryptoType in use on this device.
Paul Crowley14c8c072018-09-18 13:30:21 -0700274const CryptoType& get_crypto_type();
Greg Kaiser38723f22018-02-16 13:35:35 -0800275
276struct CryptoType {
277 // We should only be constructing CryptoTypes as part of
278 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
279 // which isn't pure or fully protected as a concession to being able to
280 // do it all at compile time. Add new CryptoTypes in
281 // supported_crypto_types[] below.
282 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
283 constexpr CryptoType set_keysize(uint32_t size) const {
284 return CryptoType(this->property_name, this->crypto_name, size);
285 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700286 constexpr CryptoType set_property_name(const char* property) const {
Greg Kaiser38723f22018-02-16 13:35:35 -0800287 return CryptoType(property, this->crypto_name, this->keysize);
288 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700289 constexpr CryptoType set_crypto_name(const char* crypto) const {
Greg Kaiser38723f22018-02-16 13:35:35 -0800290 return CryptoType(this->property_name, crypto, this->keysize);
291 }
292
Paul Crowley14c8c072018-09-18 13:30:21 -0700293 constexpr const char* get_property_name() const { return property_name; }
294 constexpr const char* get_crypto_name() const { return crypto_name; }
Greg Kaiser38723f22018-02-16 13:35:35 -0800295 constexpr uint32_t get_keysize() const { return keysize; }
296
Paul Crowley14c8c072018-09-18 13:30:21 -0700297 private:
298 const char* property_name;
299 const char* crypto_name;
Greg Kaiser38723f22018-02-16 13:35:35 -0800300 uint32_t keysize;
301
Paul Crowley14c8c072018-09-18 13:30:21 -0700302 constexpr CryptoType(const char* property, const char* crypto, uint32_t ksize)
Greg Kaiser38723f22018-02-16 13:35:35 -0800303 : property_name(property), crypto_name(crypto), keysize(ksize) {}
Paul Crowley14c8c072018-09-18 13:30:21 -0700304 friend const CryptoType& get_crypto_type();
305 static const CryptoType& get_device_crypto_algorithm();
Greg Kaiser38723f22018-02-16 13:35:35 -0800306};
307
308// We only want to parse this read-only property once. But we need to wait
309// until the system is initialized before we can read it. So we use a static
310// scoped within this function to get it only once.
Paul Crowley14c8c072018-09-18 13:30:21 -0700311const CryptoType& get_crypto_type() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800312 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
313 return crypto_type;
314}
315
316constexpr CryptoType default_crypto_type = CryptoType()
Paul Crowley14c8c072018-09-18 13:30:21 -0700317 .set_property_name("AES-128-CBC")
318 .set_crypto_name("aes-cbc-essiv:sha256")
319 .set_keysize(16);
Greg Kaiser38723f22018-02-16 13:35:35 -0800320
321constexpr CryptoType supported_crypto_types[] = {
322 default_crypto_type,
Greg Kaiser8cb4c9f2018-12-03 11:23:19 -0800323 CryptoType()
324 .set_property_name("adiantum")
325 .set_crypto_name("xchacha12,aes-adiantum-plain64")
326 .set_keysize(32),
Greg Kaiser38723f22018-02-16 13:35:35 -0800327 // Add new CryptoTypes here. Order is not important.
328};
329
Greg Kaiser38723f22018-02-16 13:35:35 -0800330// ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
331// We confirm all supported_crypto_types have a small enough keysize and
332// had both set_property_name() and set_crypto_name() called.
333
334template <typename T, size_t N>
Paul Crowley14c8c072018-09-18 13:30:21 -0700335constexpr size_t array_length(T (&)[N]) {
336 return N;
337}
Greg Kaiser38723f22018-02-16 13:35:35 -0800338
339constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
340 return (index >= array_length(supported_crypto_types));
341}
342
Paul Crowley14c8c072018-09-18 13:30:21 -0700343constexpr bool isValidCryptoType(const CryptoType& crypto_type) {
Greg Kaiser38723f22018-02-16 13:35:35 -0800344 return ((crypto_type.get_property_name() != nullptr) &&
345 (crypto_type.get_crypto_name() != nullptr) &&
346 (crypto_type.get_keysize() <= MAX_KEY_LEN));
347}
348
349// Note in C++11 that constexpr functions can only have a single line.
350// So our code is a bit convoluted (using recursion instead of a loop),
351// but it's asserting at compile time that all of our key lengths are valid.
352constexpr bool validateSupportedCryptoTypes(size_t index) {
353 return indexOutOfBoundsForCryptoTypes(index) ||
Paul Crowley14c8c072018-09-18 13:30:21 -0700354 (isValidCryptoType(supported_crypto_types[index]) &&
355 validateSupportedCryptoTypes(index + 1));
Greg Kaiser38723f22018-02-16 13:35:35 -0800356}
357
358static_assert(validateSupportedCryptoTypes(0),
359 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
360 "incompletely constructed.");
361// ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
362
Greg Kaiser38723f22018-02-16 13:35:35 -0800363// Don't call this directly, use get_crypto_type(), which caches this result.
Paul Crowley14c8c072018-09-18 13:30:21 -0700364const CryptoType& CryptoType::get_device_crypto_algorithm() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800365 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
366 char paramstr[PROPERTY_VALUE_MAX];
367
Paul Crowley14c8c072018-09-18 13:30:21 -0700368 property_get(CRYPT_ALGO_PROP, paramstr, default_crypto_type.get_property_name());
369 for (auto const& ctype : supported_crypto_types) {
Greg Kaiser38723f22018-02-16 13:35:35 -0800370 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
371 return ctype;
372 }
373 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700374 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr, CRYPT_ALGO_PROP,
375 default_crypto_type.get_property_name());
Greg Kaiser38723f22018-02-16 13:35:35 -0800376 return default_crypto_type;
377}
378
379} // namespace
380
Kenny Rootc4c70f12013-06-14 12:11:38 -0700381/**
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
384 * given device.
385 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700386static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
Kenny Rootc4c70f12013-06-14 12:11:38 -0700387 char paramstr[PROPERTY_VALUE_MAX];
Paul Crowley63c18d32016-02-10 14:02:47 +0000388 int Nf, rf, pf;
Kenny Rootc4c70f12013-06-14 12:11:38 -0700389
Paul Crowley63c18d32016-02-10 14:02:47 +0000390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
Kenny Rootc4c70f12013-06-14 12:11:38 -0700394 }
Paul Crowley63c18d32016-02-10 14:02:47 +0000395 ftr->N_factor = Nf;
396 ftr->r_factor = rf;
397 ftr->p_factor = pf;
Kenny Rootc4c70f12013-06-14 12:11:38 -0700398}
399
Greg Kaiser57f9af62018-02-16 13:13:58 -0800400uint32_t cryptfs_get_keysize() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800401 return get_crypto_type().get_keysize();
Greg Kaiser57f9af62018-02-16 13:13:58 -0800402}
403
Paul Crowley14c8c072018-09-18 13:30:21 -0700404const char* cryptfs_get_crypto_name() {
Greg Kaiser38723f22018-02-16 13:35:35 -0800405 return get_crypto_type().get_crypto_name();
Greg Kaiser57f9af62018-02-16 13:13:58 -0800406}
407
Tom Cherry4c5bde22019-01-29 14:34:01 -0800408static uint64_t get_fs_size(const char* dev) {
Ken Sumrall3ed82362011-01-28 23:31:16 -0800409 int fd, block_size;
410 struct ext4_super_block sb;
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200411 uint64_t len;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800412
Paul Crowley14c8c072018-09-18 13:30:21 -0700413 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
Ken Sumrall3ed82362011-01-28 23:31:16 -0800414 SLOGE("Cannot open device to get filesystem size ");
415 return 0;
416 }
417
418 if (lseek64(fd, 1024, SEEK_SET) < 0) {
419 SLOGE("Cannot seek to superblock");
420 return 0;
421 }
422
423 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
424 SLOGE("Cannot read superblock");
425 return 0;
426 }
427
428 close(fd);
429
Daniel Rosenberge82df162014-08-15 22:19:23 +0000430 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
431 SLOGE("Not a valid ext4 superblock");
432 return 0;
433 }
Ken Sumrall3ed82362011-01-28 23:31:16 -0800434 block_size = 1024 << sb.s_log_block_size;
435 /* compute length in bytes */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200436 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800437
438 /* return length in sectors */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200439 return len / 512;
Ken Sumrall3ed82362011-01-28 23:31:16 -0800440}
441
Tom Cherry4c5bde22019-01-29 14:34:01 -0800442static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
443 for (const auto& entry : fstab_default) {
444 if (!entry.fs_mgr_flags.vold_managed &&
445 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
446 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
447 if (key_loc != nullptr) {
448 *key_loc = entry.key_loc;
449 }
450 if (real_blk_device != nullptr) {
451 *real_blk_device = entry.blk_device;
452 }
453 return;
454 }
455 }
456}
457
Paul Crowley14c8c072018-09-18 13:30:21 -0700458static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
459 static int cached_data = 0;
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200460 static uint64_t cached_off = 0;
Paul Crowley14c8c072018-09-18 13:30:21 -0700461 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
Paul Crowley14c8c072018-09-18 13:30:21 -0700462 char key_loc[PROPERTY_VALUE_MAX];
463 char real_blkdev[PROPERTY_VALUE_MAX];
464 int rc = -1;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700465
Paul Crowley14c8c072018-09-18 13:30:21 -0700466 if (!cached_data) {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800467 std::string key_loc;
468 std::string real_blkdev;
469 get_crypt_info(&key_loc, &real_blkdev);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700470
Tom Cherry4c5bde22019-01-29 14:34:01 -0800471 if (key_loc == KEY_IN_FOOTER) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200472 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700473 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
474 * encryption info footer and key, and plenty of bytes to spare for future
475 * growth.
476 */
Tom Cherry4c5bde22019-01-29 14:34:01 -0800477 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +0200478 cached_off -= CRYPT_FOOTER_OFFSET;
Paul Crowley14c8c072018-09-18 13:30:21 -0700479 cached_data = 1;
480 } else {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800481 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
Paul Crowley14c8c072018-09-18 13:30:21 -0700482 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700483 } else {
Tom Cherry4c5bde22019-01-29 14:34:01 -0800484 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
Paul Crowley14c8c072018-09-18 13:30:21 -0700485 cached_off = 0;
486 cached_data = 1;
487 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700488 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700489
Paul Crowley14c8c072018-09-18 13:30:21 -0700490 if (cached_data) {
491 if (metadata_fname) {
492 *metadata_fname = cached_metadata_fname;
493 }
494 if (off) {
495 *off = cached_off;
496 }
497 rc = 0;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700498 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700499
Paul Crowley14c8c072018-09-18 13:30:21 -0700500 return rc;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700501}
502
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800503/* Set sha256 checksum in structure */
Paul Crowley14c8c072018-09-18 13:30:21 -0700504static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800505 SHA256_CTX c;
506 SHA256_Init(&c);
507 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
508 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
509 SHA256_Final(crypt_ftr->sha256, &c);
510}
511
Ken Sumralle8744072011-01-18 22:01:55 -0800512/* key or salt can be NULL, in which case just skip writing that value. Useful to
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800513 * update the failed mount count but not change the key.
514 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700515static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
516 int fd;
517 unsigned int cnt;
518 /* starting_off is set to the SEEK_SET offset
519 * where the crypto structure starts
520 */
521 off64_t starting_off;
522 int rc = -1;
523 char* fname = NULL;
524 struct stat statbuf;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800525
Paul Crowley14c8c072018-09-18 13:30:21 -0700526 set_ftr_sha(crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800527
Paul Crowley14c8c072018-09-18 13:30:21 -0700528 if (get_crypt_ftr_info(&fname, &starting_off)) {
529 SLOGE("Unable to get crypt_ftr_info\n");
530 return -1;
Ken Sumralle8744072011-01-18 22:01:55 -0800531 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700532 if (fname[0] != '/') {
533 SLOGE("Unexpected value for crypto key location\n");
534 return -1;
535 }
536 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
537 SLOGE("Cannot open footer file %s for put\n", fname);
538 return -1;
539 }
Ken Sumralle8744072011-01-18 22:01:55 -0800540
Paul Crowley14c8c072018-09-18 13:30:21 -0700541 /* Seek to the start of the crypt footer */
542 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
543 SLOGE("Cannot seek to real block device footer\n");
544 goto errout;
545 }
546
547 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
548 SLOGE("Cannot write real block device footer\n");
549 goto errout;
550 }
551
552 fstat(fd, &statbuf);
553 /* If the keys are kept on a raw block device, do not try to truncate it. */
554 if (S_ISREG(statbuf.st_mode)) {
555 if (ftruncate(fd, 0x4000)) {
556 SLOGE("Cannot set footer file size\n");
557 goto errout;
558 }
559 }
560
561 /* Success! */
562 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800563
564errout:
Paul Crowley14c8c072018-09-18 13:30:21 -0700565 close(fd);
566 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800567}
568
Paul Crowley14c8c072018-09-18 13:30:21 -0700569static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -0800570 struct crypt_mnt_ftr copy;
571 memcpy(&copy, crypt_ftr, sizeof(copy));
572 set_ftr_sha(&copy);
573 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
574}
575
Paul Crowley14c8c072018-09-18 13:30:21 -0700576static inline int unix_read(int fd, void* buff, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700577 return TEMP_FAILURE_RETRY(read(fd, buff, len));
578}
579
Paul Crowley14c8c072018-09-18 13:30:21 -0700580static inline int unix_write(int fd, const void* buff, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700581 return TEMP_FAILURE_RETRY(write(fd, buff, len));
582}
583
Paul Crowley14c8c072018-09-18 13:30:21 -0700584static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
588}
589
590/* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
594 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700595static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
Kenny Root7434b312013-06-14 11:29:53 -0700596 int orig_major = crypt_ftr->major_version;
597 int orig_minor = crypt_ftr->minor_version;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700598
Kenny Root7434b312013-06-14 11:29:53 -0700599 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700600 struct crypt_persist_data* pdata;
Kenny Root7434b312013-06-14 11:29:53 -0700601 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700602
Kenny Rootc4c70f12013-06-14 12:11:38 -0700603 SLOGW("upgrading crypto footer to 1.1");
604
Paul Crowley14c8c072018-09-18 13:30:21 -0700605 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
Kenny Root7434b312013-06-14 11:29:53 -0700606 if (pdata == NULL) {
607 SLOGE("Cannot allocate persisent data\n");
608 return;
609 }
610 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
611
612 /* Need to initialize the persistent data area */
613 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
614 SLOGE("Cannot seek to persisent data offset\n");
Henrik Baard91064632015-02-05 15:09:17 +0100615 free(pdata);
Kenny Root7434b312013-06-14 11:29:53 -0700616 return;
617 }
618 /* Write all zeros to the first copy, making it invalid */
619 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
620
621 /* Write a valid but empty structure to the second copy */
622 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
623 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
624
625 /* Update the footer */
626 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
627 crypt_ftr->persist_data_offset[0] = pdata_offset;
628 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
629 crypt_ftr->minor_version = 1;
Henrik Baard91064632015-02-05 15:09:17 +0100630 free(pdata);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700631 }
632
Paul Lawrencef4faa572014-01-29 13:31:03 -0800633 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
Kenny Rootc4c70f12013-06-14 12:11:38 -0700634 SLOGW("upgrading crypto footer to 1.2");
JP Abgrall7bdfa522013-11-15 13:42:56 -0800635 /* But keep the old kdf_type.
636 * It will get updated later to KDF_SCRYPT after the password has been verified.
637 */
Kenny Rootc4c70f12013-06-14 12:11:38 -0700638 crypt_ftr->kdf_type = KDF_PBKDF2;
639 get_device_scrypt_params(crypt_ftr);
640 crypt_ftr->minor_version = 2;
641 }
642
Paul Lawrencef4faa572014-01-29 13:31:03 -0800643 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
644 SLOGW("upgrading crypto footer to 1.3");
645 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
646 crypt_ftr->minor_version = 3;
647 }
648
Kenny Root7434b312013-06-14 11:29:53 -0700649 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
650 if (lseek64(fd, offset, SEEK_SET) == -1) {
651 SLOGE("Cannot seek to crypt footer\n");
652 return;
653 }
654 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
Ken Sumrall160b4d62013-04-22 12:15:39 -0700655 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700656}
657
Paul Crowley14c8c072018-09-18 13:30:21 -0700658static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
659 int fd;
660 unsigned int cnt;
661 off64_t starting_off;
662 int rc = -1;
663 char* fname = NULL;
664 struct stat statbuf;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700665
Paul Crowley14c8c072018-09-18 13:30:21 -0700666 if (get_crypt_ftr_info(&fname, &starting_off)) {
667 SLOGE("Unable to get crypt_ftr_info\n");
668 return -1;
669 }
670 if (fname[0] != '/') {
671 SLOGE("Unexpected value for crypto key location\n");
672 return -1;
673 }
674 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
675 SLOGE("Cannot open footer file %s for get\n", fname);
676 return -1;
677 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800678
Paul Crowley14c8c072018-09-18 13:30:21 -0700679 /* Make sure it's 16 Kbytes in length */
680 fstat(fd, &statbuf);
681 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
682 SLOGE("footer file %s is not the expected size!\n", fname);
683 goto errout;
684 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700685
Paul Crowley14c8c072018-09-18 13:30:21 -0700686 /* Seek to the start of the crypt footer */
687 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
688 SLOGE("Cannot seek to real block device footer\n");
689 goto errout;
690 }
Ken Sumrall160b4d62013-04-22 12:15:39 -0700691
Paul Crowley14c8c072018-09-18 13:30:21 -0700692 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
693 SLOGE("Cannot read real block device footer\n");
694 goto errout;
695 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800696
Paul Crowley14c8c072018-09-18 13:30:21 -0700697 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
698 SLOGE("Bad magic for real block device %s\n", fname);
699 goto errout;
700 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800701
Paul Crowley14c8c072018-09-18 13:30:21 -0700702 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
703 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
704 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
705 goto errout;
706 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800707
Paul Crowley14c8c072018-09-18 13:30:21 -0700708 // We risk buffer overflows with oversized keys, so we just reject them.
709 // 0-sized keys are problematic (essentially by-passing encryption), and
710 // AES-CBC key wrapping only works for multiples of 16 bytes.
711 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
712 (crypt_ftr->keysize > MAX_KEY_LEN)) {
713 SLOGE(
714 "Invalid keysize (%u) for block device %s; Must be non-zero, "
715 "divisible by 16, and <= %d\n",
716 crypt_ftr->keysize, fname, MAX_KEY_LEN);
717 goto errout;
718 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800719
Paul Crowley14c8c072018-09-18 13:30:21 -0700720 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
721 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
722 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
723 }
Greg Kaiser59ad0182018-02-16 13:01:36 -0800724
Paul Crowley14c8c072018-09-18 13:30:21 -0700725 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
726 * copy on disk before returning.
727 */
728 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
729 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
730 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800731
Paul Crowley14c8c072018-09-18 13:30:21 -0700732 /* Success! */
733 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800734
735errout:
Paul Crowley14c8c072018-09-18 13:30:21 -0700736 close(fd);
737 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800738}
739
Paul Crowley14c8c072018-09-18 13:30:21 -0700740static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700741 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
742 crypt_ftr->persist_data_offset[1]) {
743 SLOGE("Crypt_ftr persist data regions overlap");
744 return -1;
745 }
746
747 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
748 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
749 return -1;
750 }
751
752 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
Paul Crowley14c8c072018-09-18 13:30:21 -0700753 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
Ken Sumrall160b4d62013-04-22 12:15:39 -0700754 CRYPT_FOOTER_OFFSET) {
755 SLOGE("Persistent data extends past crypto footer");
756 return -1;
757 }
758
759 return 0;
760}
761
Paul Crowley14c8c072018-09-18 13:30:21 -0700762static int load_persistent_data(void) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700763 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -0700764 struct crypt_persist_data* pdata = NULL;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700765 char encrypted_state[PROPERTY_VALUE_MAX];
Paul Crowley14c8c072018-09-18 13:30:21 -0700766 char* fname;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700767 int found = 0;
768 int fd;
769 int ret;
770 int i;
771
772 if (persist_data) {
773 /* Nothing to do, we've already loaded or initialized it */
774 return 0;
775 }
776
Ken Sumrall160b4d62013-04-22 12:15:39 -0700777 /* If not encrypted, just allocate an empty table and initialize it */
778 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -0700779 if (strcmp(encrypted_state, "encrypted")) {
Wei Wang4375f1b2017-02-24 17:43:01 -0800780 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700781 if (pdata) {
782 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
783 persist_data = pdata;
784 return 0;
785 }
786 return -1;
787 }
788
Paul Crowley14c8c072018-09-18 13:30:21 -0700789 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700790 return -1;
791 }
792
Paul Crowley14c8c072018-09-18 13:30:21 -0700793 if ((crypt_ftr.major_version < 1) ||
794 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700795 SLOGE("Crypt_ftr version doesn't support persistent data");
796 return -1;
797 }
798
799 if (get_crypt_ftr_info(&fname, NULL)) {
800 return -1;
801 }
802
803 ret = validate_persistent_data_storage(&crypt_ftr);
804 if (ret) {
805 return -1;
806 }
807
Paul Crowley14c8c072018-09-18 13:30:21 -0700808 fd = open(fname, O_RDONLY | O_CLOEXEC);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700809 if (fd < 0) {
810 SLOGE("Cannot open %s metadata file", fname);
811 return -1;
812 }
813
Wei Wang4375f1b2017-02-24 17:43:01 -0800814 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
Paul Lawrence300dae72016-03-11 11:02:52 -0800815 if (pdata == NULL) {
816 SLOGE("Cannot allocate memory for persistent data");
817 goto err;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700818 }
819
820 for (i = 0; i < 2; i++) {
821 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
822 SLOGE("Cannot seek to read persistent data on %s", fname);
823 goto err2;
824 }
Paul Crowley14c8c072018-09-18 13:30:21 -0700825 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700826 SLOGE("Error reading persistent data on iteration %d", i);
827 goto err2;
828 }
829 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
830 found = 1;
831 break;
832 }
833 }
834
835 if (!found) {
836 SLOGI("Could not find valid persistent data, creating");
837 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
838 }
839
840 /* Success */
841 persist_data = pdata;
842 close(fd);
843 return 0;
844
845err2:
846 free(pdata);
847
848err:
849 close(fd);
850 return -1;
851}
852
Paul Crowley14c8c072018-09-18 13:30:21 -0700853static int save_persistent_data(void) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700854 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -0700855 struct crypt_persist_data* pdata;
856 char* fname;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700857 off64_t write_offset;
858 off64_t erase_offset;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700859 int fd;
860 int ret;
861
862 if (persist_data == NULL) {
863 SLOGE("No persistent data to save");
864 return -1;
865 }
866
Paul Crowley14c8c072018-09-18 13:30:21 -0700867 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700868 return -1;
869 }
870
Paul Crowley14c8c072018-09-18 13:30:21 -0700871 if ((crypt_ftr.major_version < 1) ||
872 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700873 SLOGE("Crypt_ftr version doesn't support persistent data");
874 return -1;
875 }
876
877 ret = validate_persistent_data_storage(&crypt_ftr);
878 if (ret) {
879 return -1;
880 }
881
882 if (get_crypt_ftr_info(&fname, NULL)) {
883 return -1;
884 }
885
Paul Crowley14c8c072018-09-18 13:30:21 -0700886 fd = open(fname, O_RDWR | O_CLOEXEC);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700887 if (fd < 0) {
888 SLOGE("Cannot open %s metadata file", fname);
889 return -1;
890 }
891
Wei Wang4375f1b2017-02-24 17:43:01 -0800892 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700893 if (pdata == NULL) {
894 SLOGE("Cannot allocate persistant data");
895 goto err;
896 }
897
898 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
899 SLOGE("Cannot seek to read persistent data on %s", fname);
900 goto err2;
901 }
902
903 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700904 SLOGE("Error reading persistent data before save");
905 goto err2;
Ken Sumrall160b4d62013-04-22 12:15:39 -0700906 }
907
908 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
909 /* The first copy is the curent valid copy, so write to
910 * the second copy and erase this one */
Paul Crowley14c8c072018-09-18 13:30:21 -0700911 write_offset = crypt_ftr.persist_data_offset[1];
912 erase_offset = crypt_ftr.persist_data_offset[0];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700913 } else {
914 /* The second copy must be the valid copy, so write to
915 * the first copy, and erase the second */
Paul Crowley14c8c072018-09-18 13:30:21 -0700916 write_offset = crypt_ftr.persist_data_offset[0];
917 erase_offset = crypt_ftr.persist_data_offset[1];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700918 }
919
920 /* Write the new copy first, if successful, then erase the old copy */
Björn Landström96dbee72015-01-20 12:43:56 +0100921 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700922 SLOGE("Cannot seek to write persistent data");
923 goto err2;
924 }
925 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
Paul Crowley14c8c072018-09-18 13:30:21 -0700926 (int)crypt_ftr.persist_data_size) {
Björn Landström96dbee72015-01-20 12:43:56 +0100927 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700928 SLOGE("Cannot seek to erase previous persistent data");
929 goto err2;
930 }
931 fsync(fd);
932 memset(pdata, 0, crypt_ftr.persist_data_size);
Paul Crowley14c8c072018-09-18 13:30:21 -0700933 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
Ken Sumrall160b4d62013-04-22 12:15:39 -0700934 SLOGE("Cannot write to erase previous persistent data");
935 goto err2;
936 }
937 fsync(fd);
938 } else {
939 SLOGE("Cannot write to save persistent data");
940 goto err2;
941 }
942
943 /* Success */
944 free(pdata);
945 close(fd);
946 return 0;
947
948err2:
949 free(pdata);
950err:
951 close(fd);
952 return -1;
953}
954
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800955/* Convert a binary key of specified length into an ascii hex string equivalent,
956 * without the leading 0x and with null termination
957 */
Paul Crowley14c8c072018-09-18 13:30:21 -0700958static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
959 char* master_key_ascii) {
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700960 unsigned int i, a;
961 unsigned char nibble;
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800962
Paul Crowley14c8c072018-09-18 13:30:21 -0700963 for (i = 0, a = 0; i < keysize; i++, a += 2) {
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700964 /* For each byte, write out two ascii hex digits */
965 nibble = (master_key[i] >> 4) & 0xf;
966 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800967
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700968 nibble = master_key[i] & 0xf;
Paul Crowley14c8c072018-09-18 13:30:21 -0700969 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700970 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800971
Paul Lawrence3bd36d52015-06-09 13:37:44 -0700972 /* Add the null termination */
973 master_key_ascii[a] = '\0';
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800974}
975
Paul Crowley14c8c072018-09-18 13:30:21 -0700976static int load_crypto_mapping_table(struct crypt_mnt_ftr* crypt_ftr,
977 const unsigned char* master_key, const char* real_blk_name,
978 const char* name, int fd, const char* extra_params) {
979 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
980 struct dm_ioctl* io;
981 struct dm_target_spec* tgt;
982 char* crypt_params;
983 // We need two ASCII characters to represent each byte, and need space for
984 // the '\0' terminator.
985 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
986 size_t buff_offset;
987 int i;
Ken Sumralldb5e0262013-02-05 17:39:48 -0800988
Paul Crowley14c8c072018-09-18 13:30:21 -0700989 io = (struct dm_ioctl*)buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -0800990
Paul Crowley14c8c072018-09-18 13:30:21 -0700991 /* Load the mapping table for this device */
992 tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
Ken Sumralldb5e0262013-02-05 17:39:48 -0800993
Paul Crowley14c8c072018-09-18 13:30:21 -0700994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
995 io->target_count = 1;
996 tgt->status = 0;
997 tgt->sector_start = 0;
998 tgt->length = crypt_ftr->fs_size;
999 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001000
Paul Crowley14c8c072018-09-18 13:30:21 -07001001 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1002 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
George Burgess IV605d7ae2016-02-29 13:39:17 -08001003
Paul Crowley14c8c072018-09-18 13:30:21 -07001004 buff_offset = crypt_params - buffer;
Eric Biggerse1a7e772019-01-25 12:11:25 -08001005 SLOGI(
1006 "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
1007 name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
1008 extra_params);
Paul Crowley14c8c072018-09-18 13:30:21 -07001009 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1010 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, extra_params);
1011 crypt_params += strlen(crypt_params) + 1;
1012 crypt_params =
1013 (char*)(((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1014 tgt->next = crypt_params - buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001015
Paul Crowley14c8c072018-09-18 13:30:21 -07001016 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1017 if (!ioctl(fd, DM_TABLE_LOAD, io)) {
1018 break;
1019 }
1020 usleep(500000);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001021 }
Ken Sumralldb5e0262013-02-05 17:39:48 -08001022
Paul Crowley14c8c072018-09-18 13:30:21 -07001023 if (i == TABLE_LOAD_RETRIES) {
1024 /* We failed to load the table, return an error */
1025 return -1;
1026 } else {
1027 return i + 1;
1028 }
Ken Sumralldb5e0262013-02-05 17:39:48 -08001029}
1030
Paul Crowley14c8c072018-09-18 13:30:21 -07001031static int get_dm_crypt_version(int fd, const char* name, int* version) {
Ken Sumralldb5e0262013-02-05 17:39:48 -08001032 char buffer[DM_CRYPT_BUF_SIZE];
Paul Crowley14c8c072018-09-18 13:30:21 -07001033 struct dm_ioctl* io;
1034 struct dm_target_versions* v;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001035
Paul Crowley14c8c072018-09-18 13:30:21 -07001036 io = (struct dm_ioctl*)buffer;
Ken Sumralldb5e0262013-02-05 17:39:48 -08001037
1038 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1039
1040 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1041 return -1;
1042 }
1043
1044 /* Iterate over the returned versions, looking for name of "crypt".
1045 * When found, get and return the version.
1046 */
Paul Crowley14c8c072018-09-18 13:30:21 -07001047 v = (struct dm_target_versions*)&buffer[sizeof(struct dm_ioctl)];
Ken Sumralldb5e0262013-02-05 17:39:48 -08001048 while (v->next) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001049 if (!strcmp(v->name, "crypt")) {
Ken Sumralldb5e0262013-02-05 17:39:48 -08001050 /* We found the crypt driver, return the version, and get out */
1051 version[0] = v->version[0];
1052 version[1] = v->version[1];
1053 version[2] = v->version[2];
1054 return 0;
1055 }
Paul Crowley14c8c072018-09-18 13:30:21 -07001056 v = (struct dm_target_versions*)(((char*)v) + v->next);
Ken Sumralldb5e0262013-02-05 17:39:48 -08001057 }
1058
1059 return -1;
1060}
1061
Paul Crowley5afbc622017-11-27 09:42:17 -08001062static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1063 if (extra_params_vec.empty()) return "";
1064 std::string extra_params = std::to_string(extra_params_vec.size());
1065 for (const auto& p : extra_params_vec) {
1066 extra_params.append(" ");
1067 extra_params.append(p);
1068 }
1069 return extra_params;
1070}
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001071
Eric Biggersed45ec32019-01-25 10:47:55 -08001072/*
1073 * If the ro.crypto.fde_sector_size system property is set, append the
1074 * parameters to make dm-crypt use the specified crypto sector size and round
1075 * the crypto device size down to a crypto sector boundary.
1076 */
1077static int add_sector_size_param(std::vector<std::string>* extra_params_vec,
1078 struct crypt_mnt_ftr* ftr) {
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001079 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
Eric Biggersed45ec32019-01-25 10:47:55 -08001080 char value[PROPERTY_VALUE_MAX];
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001081
Eric Biggersed45ec32019-01-25 10:47:55 -08001082 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1083 unsigned int sector_size;
1084
1085 if (!ParseUint(value, &sector_size) || sector_size < 512 || sector_size > 4096 ||
1086 (sector_size & (sector_size - 1)) != 0) {
1087 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1088 DM_CRYPT_SECTOR_SIZE, value);
1089 return -1;
1090 }
1091
1092 std::string param = StringPrintf("sector_size:%u", sector_size);
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001093 extra_params_vec->push_back(std::move(param));
1094
1095 // With this option, IVs will match the sector numbering, instead
1096 // of being hard-coded to being based on 512-byte sectors.
1097 extra_params_vec->emplace_back("iv_large_sectors");
Eric Biggersed45ec32019-01-25 10:47:55 -08001098
1099 // Round the crypto device size down to a crypto sector boundary.
1100 ftr->fs_size &= ~((sector_size / 512) - 1);
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001101 }
Eric Biggersed45ec32019-01-25 10:47:55 -08001102 return 0;
Greg Kaiserab1e84a2018-12-11 12:40:51 -08001103}
1104
Paul Crowley5afbc622017-11-27 09:42:17 -08001105static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1106 const char* real_blk_name, char* crypto_blk_name, const char* name,
1107 uint32_t flags) {
1108 char buffer[DM_CRYPT_BUF_SIZE];
1109 struct dm_ioctl* io;
1110 unsigned int minor;
1111 int fd = 0;
1112 int err;
1113 int retval = -1;
1114 int version[3];
1115 int load_count;
1116 std::vector<std::string> extra_params_vec;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001117
Paul Crowley5afbc622017-11-27 09:42:17 -08001118 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1119 SLOGE("Cannot open device-mapper\n");
1120 goto errout;
1121 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001122
Paul Crowley5afbc622017-11-27 09:42:17 -08001123 io = (struct dm_ioctl*)buffer;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001124
Paul Crowley5afbc622017-11-27 09:42:17 -08001125 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1126 err = ioctl(fd, DM_DEV_CREATE, io);
1127 if (err) {
1128 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1129 goto errout;
1130 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001131
Paul Crowley5afbc622017-11-27 09:42:17 -08001132 /* Get the device status, in particular, the name of it's device file */
1133 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1134 if (ioctl(fd, DM_DEV_STATUS, io)) {
1135 SLOGE("Cannot retrieve dm-crypt device status\n");
1136 goto errout;
1137 }
1138 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1139 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
Ken Sumralle919efe2012-09-29 17:07:41 -07001140
Paul Crowley5afbc622017-11-27 09:42:17 -08001141 if (!get_dm_crypt_version(fd, name, version)) {
1142 /* Support for allow_discards was added in version 1.11.0 */
1143 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1144 extra_params_vec.emplace_back("allow_discards");
1145 }
1146 }
1147 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1148 extra_params_vec.emplace_back("allow_encrypt_override");
1149 }
Eric Biggersed45ec32019-01-25 10:47:55 -08001150 if (add_sector_size_param(&extra_params_vec, crypt_ftr)) {
1151 SLOGE("Error processing dm-crypt sector size param\n");
1152 goto errout;
1153 }
Paul Crowley5afbc622017-11-27 09:42:17 -08001154 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1155 extra_params_as_string(extra_params_vec).c_str());
1156 if (load_count < 0) {
1157 SLOGE("Cannot load dm-crypt mapping table.\n");
1158 goto errout;
1159 } else if (load_count > 1) {
1160 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1161 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001162
Paul Crowley5afbc622017-11-27 09:42:17 -08001163 /* Resume this device to activate it */
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001165
Paul Crowley5afbc622017-11-27 09:42:17 -08001166 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1167 SLOGE("Cannot resume the dm-crypt device\n");
1168 goto errout;
1169 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001170
Paul Crowleycfe39722018-10-30 15:59:24 -07001171 /* Ensure the dm device has been created before returning. */
1172 if (android::vold::WaitForFile(crypto_blk_name, 1s) < 0) {
1173 // WaitForFile generates a suitable log message
1174 goto errout;
1175 }
1176
Paul Crowley5afbc622017-11-27 09:42:17 -08001177 /* We made it here with no errors. Woot! */
1178 retval = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001179
1180errout:
Paul Crowley14c8c072018-09-18 13:30:21 -07001181 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001182
Paul Crowley14c8c072018-09-18 13:30:21 -07001183 return retval;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001184}
1185
Paul Crowley14c8c072018-09-18 13:30:21 -07001186static int delete_crypto_blk_dev(const char* name) {
1187 int fd;
1188 char buffer[DM_CRYPT_BUF_SIZE];
1189 struct dm_ioctl* io;
1190 int retval = -1;
Yue Hu9d6cc182018-12-17 17:09:55 +08001191 int err;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001192
Paul Crowley14c8c072018-09-18 13:30:21 -07001193 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1194 SLOGE("Cannot open device-mapper\n");
1195 goto errout;
1196 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001197
Paul Crowley14c8c072018-09-18 13:30:21 -07001198 io = (struct dm_ioctl*)buffer;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001199
Paul Crowley14c8c072018-09-18 13:30:21 -07001200 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
Yue Hu9d6cc182018-12-17 17:09:55 +08001201 err = ioctl(fd, DM_DEV_REMOVE, io);
1202 if (err) {
1203 SLOGE("Cannot remove dm-crypt device %s: %s\n", name, strerror(errno));
Paul Crowley14c8c072018-09-18 13:30:21 -07001204 goto errout;
1205 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001206
Paul Crowley14c8c072018-09-18 13:30:21 -07001207 /* We made it here with no errors. Woot! */
1208 retval = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001209
1210errout:
Paul Crowley14c8c072018-09-18 13:30:21 -07001211 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001212
Paul Crowley14c8c072018-09-18 13:30:21 -07001213 return retval;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001214}
1215
Paul Crowley14c8c072018-09-18 13:30:21 -07001216static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1217 void* params UNUSED) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001218 SLOGI("Using pbkdf2 for cryptfs KDF");
1219
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001220 /* Turn the password into a key and IV that can decrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001221 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1222 INTERMEDIATE_BUF_SIZE, ikey) != 1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001223}
1224
Paul Crowley14c8c072018-09-18 13:30:21 -07001225static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001226 SLOGI("Using scrypt for cryptfs KDF");
1227
Paul Crowley14c8c072018-09-18 13:30:21 -07001228 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001229
1230 int N = 1 << ftr->N_factor;
1231 int r = 1 << ftr->r_factor;
1232 int p = 1 << ftr->p_factor;
1233
1234 /* Turn the password into a key and IV that can decrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001235 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
Greg Kaiserc0de9c72018-02-14 20:05:54 -08001236 INTERMEDIATE_BUF_SIZE);
Paul Lawrencef4faa572014-01-29 13:31:03 -08001237
Paul Crowley14c8c072018-09-18 13:30:21 -07001238 return 0;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001239}
1240
Paul Crowley14c8c072018-09-18 13:30:21 -07001241static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1242 void* params) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001243 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1244
1245 int rc;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001246 size_t signature_size;
1247 unsigned char* signature;
Paul Crowley14c8c072018-09-18 13:30:21 -07001248 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001249
1250 int N = 1 << ftr->N_factor;
1251 int r = 1 << ftr->r_factor;
1252 int p = 1 << ftr->p_factor;
1253
Paul Crowley14c8c072018-09-18 13:30:21 -07001254 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
Greg Kaiserc0de9c72018-02-14 20:05:54 -08001255 INTERMEDIATE_BUF_SIZE);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001256
1257 if (rc) {
1258 SLOGE("scrypt failed");
1259 return -1;
1260 }
1261
Paul Crowley14c8c072018-09-18 13:30:21 -07001262 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
Shawn Willdene17a9c42014-09-08 13:04:08 -06001263 SLOGE("Signing failed");
1264 return -1;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001265 }
1266
Paul Crowley14c8c072018-09-18 13:30:21 -07001267 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1268 INTERMEDIATE_BUF_SIZE);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001269 free(signature);
1270
1271 if (rc) {
1272 SLOGE("scrypt failed");
1273 return -1;
1274 }
1275
1276 return 0;
1277}
1278
Paul Crowley14c8c072018-09-18 13:30:21 -07001279static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1280 const unsigned char* decrypted_master_key,
1281 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1282 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001283 EVP_CIPHER_CTX e_ctx;
1284 int encrypted_len, final_len;
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001285 int rc = 0;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001286
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001287 /* Turn the password into an intermediate key and IV that can decrypt the master key */
Kenny Rootc4c70f12013-06-14 12:11:38 -07001288 get_device_scrypt_params(crypt_ftr);
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001289
1290 switch (crypt_ftr->kdf_type) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001291 case KDF_SCRYPT_KEYMASTER:
1292 if (keymaster_create_key(crypt_ftr)) {
1293 SLOGE("keymaster_create_key failed");
1294 return -1;
1295 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001296
Paul Crowley14c8c072018-09-18 13:30:21 -07001297 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1298 SLOGE("scrypt failed");
1299 return -1;
1300 }
1301 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001302
Paul Crowley14c8c072018-09-18 13:30:21 -07001303 case KDF_SCRYPT:
1304 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1305 SLOGE("scrypt failed");
1306 return -1;
1307 }
1308 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001309
Paul Crowley14c8c072018-09-18 13:30:21 -07001310 default:
1311 SLOGE("Invalid kdf_type");
1312 return -1;
Paul Lawrencef4faa572014-01-29 13:31:03 -08001313 }
Kenny Rootc4c70f12013-06-14 12:11:38 -07001314
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001315 /* Initialize the decryption engine */
Adam Langley889c4f12014-09-03 14:23:13 -07001316 EVP_CIPHER_CTX_init(&e_ctx);
Paul Crowley14c8c072018-09-18 13:30:21 -07001317 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1318 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001319 SLOGE("EVP_EncryptInit failed\n");
1320 return -1;
1321 }
1322 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001323
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001324 /* Encrypt the master key */
Paul Crowley14c8c072018-09-18 13:30:21 -07001325 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1326 crypt_ftr->keysize)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001327 SLOGE("EVP_EncryptUpdate failed\n");
1328 return -1;
1329 }
Paul Crowley14c8c072018-09-18 13:30:21 -07001330 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001331 SLOGE("EVP_EncryptFinal failed\n");
1332 return -1;
1333 }
1334
Greg Kaiser59ad0182018-02-16 13:01:36 -08001335 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001336 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1337 return -1;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001338 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001339
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001340 /* Store the scrypt of the intermediate key, so we can validate if it's a
1341 password error or mount error when things go wrong.
1342 Note there's no need to check for errors, since if this is incorrect, we
1343 simply won't wipe userdata, which is the correct default behavior
1344 */
1345 int N = 1 << crypt_ftr->N_factor;
1346 int r = 1 << crypt_ftr->r_factor;
1347 int p = 1 << crypt_ftr->p_factor;
1348
Paul Crowley14c8c072018-09-18 13:30:21 -07001349 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1350 N, r, p, crypt_ftr->scrypted_intermediate_key,
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001351 sizeof(crypt_ftr->scrypted_intermediate_key));
1352
1353 if (rc) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001354 SLOGE("encrypt_master_key: crypto_scrypt failed");
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001355 }
1356
Thurston Hou Yeen Dang06dc3112016-07-18 14:16:37 -07001357 EVP_CIPHER_CTX_cleanup(&e_ctx);
1358
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001359 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001360}
1361
Paul Crowley14c8c072018-09-18 13:30:21 -07001362static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1363 const unsigned char* encrypted_master_key, size_t keysize,
1364 unsigned char* decrypted_master_key, kdf_func kdf,
1365 void* kdf_params, unsigned char** intermediate_key,
1366 size_t* intermediate_key_size) {
1367 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1368 EVP_CIPHER_CTX d_ctx;
1369 int decrypted_len, final_len;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001370
Paul Crowley14c8c072018-09-18 13:30:21 -07001371 /* Turn the password into an intermediate key and IV that can decrypt the
1372 master key */
1373 if (kdf(passwd, salt, ikey, kdf_params)) {
1374 SLOGE("kdf failed");
1375 return -1;
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001376 }
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001377
Paul Crowley14c8c072018-09-18 13:30:21 -07001378 /* Initialize the decryption engine */
1379 EVP_CIPHER_CTX_init(&d_ctx);
1380 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1381 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1382 return -1;
1383 }
1384 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1385 /* Decrypt the master key */
1386 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1387 keysize)) {
1388 return -1;
1389 }
1390 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1391 return -1;
1392 }
Thurston Hou Yeen Dang06dc3112016-07-18 14:16:37 -07001393
Paul Crowley14c8c072018-09-18 13:30:21 -07001394 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1395 return -1;
1396 }
1397
1398 /* Copy intermediate key if needed by params */
1399 if (intermediate_key && intermediate_key_size) {
1400 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1401 if (*intermediate_key) {
1402 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1403 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1404 }
1405 }
1406
1407 EVP_CIPHER_CTX_cleanup(&d_ctx);
1408
1409 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001410}
1411
Paul Crowley14c8c072018-09-18 13:30:21 -07001412static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
Paul Lawrencedb3730c2015-02-03 13:08:10 -08001413 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07001414 *kdf = scrypt_keymaster;
1415 *kdf_params = ftr;
1416 } else if (ftr->kdf_type == KDF_SCRYPT) {
Kenny Rootc4c70f12013-06-14 12:11:38 -07001417 *kdf = scrypt;
1418 *kdf_params = ftr;
1419 } else {
1420 *kdf = pbkdf2;
1421 *kdf_params = NULL;
1422 }
1423}
1424
Paul Crowley14c8c072018-09-18 13:30:21 -07001425static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1426 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1427 size_t* intermediate_key_size) {
Kenny Rootc4c70f12013-06-14 12:11:38 -07001428 kdf_func kdf;
Paul Crowley14c8c072018-09-18 13:30:21 -07001429 void* kdf_params;
Kenny Rootc4c70f12013-06-14 12:11:38 -07001430 int ret;
1431
1432 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
Paul Crowley14c8c072018-09-18 13:30:21 -07001433 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1434 decrypted_master_key, kdf, kdf_params, intermediate_key,
1435 intermediate_key_size);
Kenny Rootc4c70f12013-06-14 12:11:38 -07001436 if (ret != 0) {
1437 SLOGW("failure decrypting master key");
Kenny Rootc4c70f12013-06-14 12:11:38 -07001438 }
1439
1440 return ret;
1441}
1442
Paul Crowley14c8c072018-09-18 13:30:21 -07001443static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1444 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
Greg Kaiser59ad0182018-02-16 13:01:36 -08001445 unsigned char key_buf[MAX_KEY_LEN];
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001446
Eric Biggers3a2f7db2019-01-16 13:05:34 -08001447 /* Get some random bits for a key and salt */
1448 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1449 return -1;
1450 }
1451 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1452 return -1;
1453 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001454
1455 /* Now encrypt it with the password */
Kenny Rootc4c70f12013-06-14 12:11:38 -07001456 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001457}
1458
Paul Crowley14c8c072018-09-18 13:30:21 -07001459int wait_and_unmount(const char* mountpoint, bool kill) {
Greg Hackmann955653e2014-09-24 14:55:20 -07001460 int i, err, rc;
Ken Sumrall2eaf7132011-01-14 12:45:48 -08001461#define WAIT_UNMOUNT_COUNT 20
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001462
1463 /* Now umount the tmpfs filesystem */
Paul Crowley14c8c072018-09-18 13:30:21 -07001464 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001465 if (umount(mountpoint) == 0) {
1466 break;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001467 }
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001468
1469 if (errno == EINVAL) {
1470 /* EINVAL is returned if the directory is not a mountpoint,
1471 * i.e. there is no filesystem mounted there. So just get out.
1472 */
1473 break;
1474 }
1475
1476 err = errno;
1477
1478 /* If allowed, be increasingly aggressive before the last two retries */
1479 if (kill) {
1480 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1481 SLOGW("sending SIGHUP to processes with open files\n");
Jeff Sharkey3472e522017-10-06 18:02:53 -06001482 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001483 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1484 SLOGW("sending SIGKILL to processes with open files\n");
Jeff Sharkey3472e522017-10-06 18:02:53 -06001485 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
Greg Hackmann6e8440f2014-10-02 17:18:20 -07001486 }
1487 }
1488
1489 sleep(1);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001490 }
1491
1492 if (i < WAIT_UNMOUNT_COUNT) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001493 SLOGD("unmounting %s succeeded\n", mountpoint);
1494 rc = 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001495 } else {
Paul Crowley14c8c072018-09-18 13:30:21 -07001496 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1497 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1498 rc = -1;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001499 }
1500
1501 return rc;
1502}
1503
Paul Crowley14c8c072018-09-18 13:30:21 -07001504static void prep_data_fs(void) {
Jeff Sharkey47695b22016-02-01 17:02:29 -07001505 // NOTE: post_fs_data results in init calling back around to vold, so all
1506 // callers to this method must be async
1507
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001508 /* Do the prep of the /data filesystem */
1509 property_set("vold.post_fs_data_done", "0");
1510 property_set("vold.decrypt", "trigger_post_fs_data");
Wei Wang42e38102017-06-07 10:46:12 -07001511 SLOGD("Just triggered post_fs_data");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001512
Ken Sumrallc5872692013-05-14 15:26:31 -07001513 /* Wait a max of 50 seconds, hopefully it takes much less */
Paul Crowley14c8c072018-09-18 13:30:21 -07001514 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
Wei Wang42e38102017-06-07 10:46:12 -07001515 /* We timed out to prep /data in time. Continue wait. */
1516 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001517 }
Wei Wang42e38102017-06-07 10:46:12 -07001518 SLOGD("post_fs_data done");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08001519}
1520
Paul Crowley14c8c072018-09-18 13:30:21 -07001521static void cryptfs_set_corrupt() {
Paul Lawrence74f29f12014-08-28 15:54:10 -07001522 // Mark the footer as bad
1523 struct crypt_mnt_ftr crypt_ftr;
1524 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1525 SLOGE("Failed to get crypto footer - panic");
1526 return;
1527 }
1528
1529 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1530 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1531 SLOGE("Failed to set crypto footer - panic");
1532 return;
1533 }
1534}
1535
Paul Crowley14c8c072018-09-18 13:30:21 -07001536static void cryptfs_trigger_restart_min_framework() {
Paul Lawrence74f29f12014-08-28 15:54:10 -07001537 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001538 SLOGE("Failed to mount tmpfs on data - panic");
1539 return;
Paul Lawrence74f29f12014-08-28 15:54:10 -07001540 }
1541
1542 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1543 SLOGE("Failed to trigger post fs data - panic");
1544 return;
1545 }
1546
1547 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1548 SLOGE("Failed to trigger restart min framework - panic");
1549 return;
1550 }
1551}
1552
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001553/* returns < 0 on failure */
Paul Crowley14c8c072018-09-18 13:30:21 -07001554static int cryptfs_restart_internal(int restart_main) {
Ken Sumrall6864b7e2011-01-14 15:20:02 -08001555 char crypto_blkdev[MAXPATHLEN];
Tim Murray8439dc92014-12-15 11:56:11 -08001556 int rc = -1;
Ken Sumrall0cc16632011-01-18 20:32:26 -08001557 static int restart_successful = 0;
1558
1559 /* Validate that it's OK to call this routine */
Paul Crowley14c8c072018-09-18 13:30:21 -07001560 if (!master_key_saved) {
Ken Sumrall0cc16632011-01-18 20:32:26 -08001561 SLOGE("Encrypted filesystem not validated, aborting");
1562 return -1;
1563 }
1564
1565 if (restart_successful) {
1566 SLOGE("System already restarted with encrypted disk, aborting");
1567 return -1;
1568 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001569
Paul Lawrencef4faa572014-01-29 13:31:03 -08001570 if (restart_main) {
1571 /* Here is where we shut down the framework. The init scripts
Martijn Coenenf629b002019-04-24 10:41:11 +02001572 * start all services in one of these classes: core, early_hal, hal,
1573 * main and late_start. To get to the minimal UI for PIN entry, we
1574 * need to start core, early_hal, hal and main. When we want to
1575 * shutdown the framework again, we need to stop most of the services in
1576 * these classes, but only those services that were started after
1577 * /data was mounted. This excludes critical services like vold and
1578 * ueventd, which need to keep running. We could possible stop
1579 * even fewer services, but because we want services to pick up APEX
1580 * libraries from the real /data, restarting is better, as it makes
1581 * these devices consistent with FBE devices and lets them use the
1582 * most recent code.
1583 *
1584 * Once these services have stopped, we should be able
Paul Lawrencef4faa572014-01-29 13:31:03 -08001585 * to umount the tmpfs /data, then mount the encrypted /data.
Martijn Coenenf629b002019-04-24 10:41:11 +02001586 * We then restart the class core, hal, main, and also the class
1587 * late_start.
1588 *
Paul Lawrencef4faa572014-01-29 13:31:03 -08001589 * At the moment, I've only put a few things in late_start that I know
1590 * are not needed to bring up the framework, and that also cause problems
1591 * with unmounting the tmpfs /data, but I hope to add add more services
1592 * to the late_start class as we optimize this to decrease the delay
1593 * till the user is asked for the password to the filesystem.
1594 */
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001595
Martijn Coenenf629b002019-04-24 10:41:11 +02001596 /* The init files are setup to stop the right set of services when
1597 * vold.decrypt is set to trigger_shutdown_framework.
Paul Lawrencef4faa572014-01-29 13:31:03 -08001598 */
Martijn Coenenf629b002019-04-24 10:41:11 +02001599 property_set("vold.decrypt", "trigger_shutdown_framework");
Paul Lawrencef4faa572014-01-29 13:31:03 -08001600 SLOGD("Just asked init to shut down class main\n");
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001601
Paul Lawrencef4faa572014-01-29 13:31:03 -08001602 /* Ugh, shutting down the framework is not synchronous, so until it
1603 * can be fixed, this horrible hack will wait a moment for it all to
1604 * shut down before proceeding. Without it, some devices cannot
1605 * restart the graphics services.
1606 */
1607 sleep(2);
1608 }
Ken Sumrall9dedfd42012-10-09 14:16:59 -07001609
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001610 /* Now that the framework is shutdown, we should be able to umount()
1611 * the tmpfs filesystem, and mount the real one.
1612 */
1613
Ken Sumrall6864b7e2011-01-14 15:20:02 -08001614 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1615 if (strlen(crypto_blkdev) == 0) {
1616 SLOGE("fs_crypto_blkdev not set\n");
1617 return -1;
1618 }
1619
Paul Crowley14c8c072018-09-18 13:30:21 -07001620 if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
Doug Zongker6fd57712013-12-17 09:43:23 -08001621 /* If ro.crypto.readonly is set to 1, mount the decrypted
1622 * filesystem readonly. This is used when /data is mounted by
1623 * recovery mode.
1624 */
1625 char ro_prop[PROPERTY_VALUE_MAX];
1626 property_get("ro.crypto.readonly", ro_prop, "");
Jeff Sharkey95440eb2017-09-18 18:19:28 -06001627 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08001628 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1629 if (entry != nullptr) {
1630 entry->flags |= MS_RDONLY;
Luis Hector Chavezbbb512d2018-05-30 15:47:50 -07001631 }
Doug Zongker6fd57712013-12-17 09:43:23 -08001632 }
JP Abgrall62c7af32014-06-16 13:01:23 -07001633
Ken Sumralle5032c42012-04-01 23:58:44 -07001634 /* If that succeeded, then mount the decrypted filesystem */
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001635 int retries = RETRY_MOUNT_ATTEMPTS;
1636 int mount_rc;
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001637
1638 /*
1639 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1640 * partitions in the fsck domain.
1641 */
LongPing Wei7f3ab952019-01-30 16:03:14 +08001642 if (setexeccon(android::vold::sFsckContext)) {
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001643 SLOGE("Failed to setexeccon");
1644 return -1;
1645 }
Daniel Rosenberg65f99c92018-08-28 01:58:49 -07001646 bool needs_cp = android::vold::cp_needsCheckpoint();
Tom Cherry4c5bde22019-01-29 14:34:01 -08001647 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
Daniel Rosenberg65f99c92018-08-28 01:58:49 -07001648 needs_cp)) != 0) {
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001649 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1650 /* TODO: invoke something similar to
1651 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1652 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
Paul Crowley14c8c072018-09-18 13:30:21 -07001653 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001654 if (--retries) {
1655 sleep(RETRY_MOUNT_DELAY_SECONDS);
1656 } else {
1657 /* Let's hope that a reboot clears away whatever is keeping
1658 the mount busy */
Josh Gaofec44372017-08-28 13:22:55 -07001659 cryptfs_reboot(RebootType::reboot);
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001660 }
1661 } else {
1662 SLOGE("Failed to mount decrypted data");
1663 cryptfs_set_corrupt();
1664 cryptfs_trigger_restart_min_framework();
1665 SLOGI("Started framework to offer wipe");
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001666 if (setexeccon(NULL)) {
1667 SLOGE("Failed to setexeccon");
1668 }
Paul Lawrence8e3f4512014-09-08 10:11:17 -07001669 return -1;
1670 }
Paul Lawrence74f29f12014-08-28 15:54:10 -07001671 }
Jeff Vander Stoepdf725752016-01-29 15:34:43 -08001672 if (setexeccon(NULL)) {
1673 SLOGE("Failed to setexeccon");
1674 return -1;
1675 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001676
Ken Sumralle5032c42012-04-01 23:58:44 -07001677 /* Create necessary paths on /data */
Wei Wang42e38102017-06-07 10:46:12 -07001678 prep_data_fs();
Seigo Nonakae2ef0c02016-06-20 17:05:40 +09001679 property_set("vold.decrypt", "trigger_load_persist_props");
Ken Sumralle5032c42012-04-01 23:58:44 -07001680
1681 /* startup service classes main and late_start */
1682 property_set("vold.decrypt", "trigger_restart_framework");
1683 SLOGD("Just triggered restart_framework\n");
1684
1685 /* Give it a few moments to get started */
1686 sleep(1);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001687 }
1688
Ken Sumrall0cc16632011-01-18 20:32:26 -08001689 if (rc == 0) {
1690 restart_successful = 1;
1691 }
1692
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001693 return rc;
1694}
1695
Paul Crowley14c8c072018-09-18 13:30:21 -07001696int cryptfs_restart(void) {
Paul Lawrence05335c32015-03-05 09:46:23 -08001697 SLOGI("cryptfs_restart");
Eric Biggersa701c452018-10-23 13:06:55 -07001698 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08001699 SLOGE("cryptfs_restart not valid for file encryption:");
1700 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08001701 }
1702
Paul Lawrencef4faa572014-01-29 13:31:03 -08001703 /* Call internal implementation forcing a restart of main service group */
1704 return cryptfs_restart_internal(1);
1705}
1706
Paul Crowley14c8c072018-09-18 13:30:21 -07001707static int do_crypto_complete(const char* mount_point) {
1708 struct crypt_mnt_ftr crypt_ftr;
1709 char encrypted_state[PROPERTY_VALUE_MAX];
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001710
Paul Crowley14c8c072018-09-18 13:30:21 -07001711 property_get("ro.crypto.state", encrypted_state, "");
1712 if (strcmp(encrypted_state, "encrypted")) {
1713 SLOGE("not running with encryption, aborting");
1714 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
Ken Sumralle1a45852011-12-14 21:24:27 -08001715 }
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001716
Paul Crowley14c8c072018-09-18 13:30:21 -07001717 // crypto_complete is full disk encrypted status
Eric Biggersa701c452018-10-23 13:06:55 -07001718 if (fscrypt_is_native()) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001719 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1720 }
Paul Lawrence74f29f12014-08-28 15:54:10 -07001721
Paul Crowley14c8c072018-09-18 13:30:21 -07001722 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08001723 std::string key_loc;
1724 get_crypt_info(&key_loc, nullptr);
Paul Lawrence74f29f12014-08-28 15:54:10 -07001725
Paul Crowley14c8c072018-09-18 13:30:21 -07001726 /*
1727 * Only report this error if key_loc is a file and it exists.
1728 * If the device was never encrypted, and /data is not mountable for
1729 * some reason, returning 1 should prevent the UI from presenting the
1730 * a "enter password" screen, or worse, a "press button to wipe the
1731 * device" screen.
1732 */
Tom Cherry4c5bde22019-01-29 14:34:01 -08001733 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001734 SLOGE("master key file does not exist, aborting");
1735 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1736 } else {
1737 SLOGE("Error getting crypt footer and key\n");
1738 return CRYPTO_COMPLETE_BAD_METADATA;
1739 }
1740 }
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001741
Paul Crowley14c8c072018-09-18 13:30:21 -07001742 // Test for possible error flags
1743 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1744 SLOGE("Encryption process is partway completed\n");
1745 return CRYPTO_COMPLETE_PARTIAL;
1746 }
1747
1748 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1749 SLOGE("Encryption process was interrupted but cannot continue\n");
1750 return CRYPTO_COMPLETE_INCONSISTENT;
1751 }
1752
1753 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1754 SLOGE("Encryption is successful but data is corrupt\n");
1755 return CRYPTO_COMPLETE_CORRUPT;
1756 }
1757
1758 /* We passed the test! We shall diminish, and return to the west */
1759 return CRYPTO_COMPLETE_ENCRYPTED;
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001760}
1761
Paul Crowley14c8c072018-09-18 13:30:21 -07001762static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1763 const char* mount_point, const char* label) {
1764 unsigned char decrypted_master_key[MAX_KEY_LEN];
1765 char crypto_blkdev[MAXPATHLEN];
Tom Cherry4c5bde22019-01-29 14:34:01 -08001766 std::string real_blkdev;
Paul Crowley14c8c072018-09-18 13:30:21 -07001767 char tmp_mount_point[64];
1768 unsigned int orig_failed_decrypt_count;
1769 int rc;
1770 int use_keymaster = 0;
1771 int upgrade = 0;
1772 unsigned char* intermediate_key = 0;
1773 size_t intermediate_key_size = 0;
1774 int N = 1 << crypt_ftr->N_factor;
1775 int r = 1 << crypt_ftr->r_factor;
1776 int p = 1 << crypt_ftr->p_factor;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001777
Paul Crowley14c8c072018-09-18 13:30:21 -07001778 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1779 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
Ken Sumrall0cc16632011-01-18 20:32:26 -08001780
Paul Crowley14c8c072018-09-18 13:30:21 -07001781 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1782 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1783 &intermediate_key_size)) {
1784 SLOGE("Failed to decrypt master key\n");
1785 rc = -1;
1786 goto errout;
1787 }
JP Abgrall7bdfa522013-11-15 13:42:56 -08001788 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001789
Tom Cherry4c5bde22019-01-29 14:34:01 -08001790 get_crypt_info(nullptr, &real_blkdev);
Paul Lawrencef4faa572014-01-29 13:31:03 -08001791
Paul Crowley14c8c072018-09-18 13:30:21 -07001792 // Create crypto block device - all (non fatal) code paths
1793 // need it
Tom Cherry4c5bde22019-01-29 14:34:01 -08001794 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
1795 label, 0)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001796 SLOGE("Error creating decrypted block device\n");
1797 rc = -1;
1798 goto errout;
1799 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001800
Paul Crowley14c8c072018-09-18 13:30:21 -07001801 /* Work out if the problem is the password or the data */
1802 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001803
Paul Crowley14c8c072018-09-18 13:30:21 -07001804 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1805 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1806 sizeof(scrypted_intermediate_key));
Paul Lawrenced0c7b172014-08-08 14:28:10 -07001807
Paul Crowley14c8c072018-09-18 13:30:21 -07001808 // Does the key match the crypto footer?
1809 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1810 sizeof(scrypted_intermediate_key)) == 0) {
1811 SLOGI("Password matches");
1812 rc = 0;
Paul Lawrence74f29f12014-08-28 15:54:10 -07001813 } else {
Paul Crowley14c8c072018-09-18 13:30:21 -07001814 /* Try mounting the file system anyway, just in case the problem's with
1815 * the footer, not the key. */
1816 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1817 mkdir(tmp_mount_point, 0755);
Tom Cherry4c5bde22019-01-29 14:34:01 -08001818 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001819 SLOGE("Error temp mounting decrypted block device\n");
1820 delete_crypto_blk_dev(label);
Paul Lawrence74f29f12014-08-28 15:54:10 -07001821
Paul Crowley14c8c072018-09-18 13:30:21 -07001822 rc = ++crypt_ftr->failed_decrypt_count;
1823 put_crypt_ftr_and_key(crypt_ftr);
1824 } else {
1825 /* Success! */
1826 SLOGI("Password did not match but decrypted drive mounted - continue");
1827 umount(tmp_mount_point);
1828 rc = 0;
Paul Lawrenceb2f682b2014-09-08 11:28:19 -07001829 }
JP Abgrall7bdfa522013-11-15 13:42:56 -08001830 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001831
Paul Crowley14c8c072018-09-18 13:30:21 -07001832 if (rc == 0) {
1833 crypt_ftr->failed_decrypt_count = 0;
1834 if (orig_failed_decrypt_count != 0) {
1835 put_crypt_ftr_and_key(crypt_ftr);
1836 }
1837
1838 /* Save the name of the crypto block device
1839 * so we can mount it when restarting the framework. */
1840 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1841
1842 /* Also save a the master key so we can reencrypted the key
1843 * the key when we want to change the password on it. */
1844 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1845 saved_mount_point = strdup(mount_point);
1846 master_key_saved = 1;
1847 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1848 rc = 0;
1849
1850 // Upgrade if we're not using the latest KDF.
1851 use_keymaster = keymaster_check_compatibility();
1852 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1853 // Don't allow downgrade
1854 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1855 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1856 upgrade = 1;
1857 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1858 crypt_ftr->kdf_type = KDF_SCRYPT;
1859 upgrade = 1;
1860 }
1861
1862 if (upgrade) {
1863 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1864 crypt_ftr->master_key, crypt_ftr);
1865 if (!rc) {
1866 rc = put_crypt_ftr_and_key(crypt_ftr);
1867 }
1868 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1869
1870 // Do not fail even if upgrade failed - machine is bootable
1871 // Note that if this code is ever hit, there is a *serious* problem
1872 // since KDFs should never fail. You *must* fix the kdf before
1873 // proceeding!
1874 if (rc) {
1875 SLOGW(
1876 "Upgrade failed with error %d,"
1877 " but continuing with previous state",
1878 rc);
1879 rc = 0;
1880 }
1881 }
1882 }
1883
1884errout:
1885 if (intermediate_key) {
1886 memset(intermediate_key, 0, intermediate_key_size);
1887 free(intermediate_key);
1888 }
1889 return rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001890}
1891
Ken Sumrall29d8da82011-05-18 17:20:07 -07001892/*
Jeff Sharkey9c484982015-03-31 10:35:33 -07001893 * Called by vold when it's asked to mount an encrypted external
1894 * storage volume. The incoming partition has no crypto header/footer,
Greg Kaiser57f9af62018-02-16 13:13:58 -08001895 * as any metadata is been stored in a separate, small partition. We
1896 * assume it must be using our same crypt type and keysize.
Jeff Sharkey9c484982015-03-31 10:35:33 -07001897 *
1898 * out_crypto_blkdev must be MAXPATHLEN.
Ken Sumrall29d8da82011-05-18 17:20:07 -07001899 */
Paul Crowley14c8c072018-09-18 13:30:21 -07001900int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
1901 char* out_crypto_blkdev) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02001902 uint64_t nr_sec = 0;
1903 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
Jeff Sharkey9c484982015-03-31 10:35:33 -07001904 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
Ken Sumrall29d8da82011-05-18 17:20:07 -07001905 return -1;
1906 }
1907
Jeff Sharkey9c484982015-03-31 10:35:33 -07001908 struct crypt_mnt_ftr ext_crypt_ftr;
1909 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1910 ext_crypt_ftr.fs_size = nr_sec;
Greg Kaiser57f9af62018-02-16 13:13:58 -08001911 ext_crypt_ftr.keysize = cryptfs_get_keysize();
Paul Crowley14c8c072018-09-18 13:30:21 -07001912 strlcpy((char*)ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
Jeff Sharkey32ebb732017-03-27 16:18:50 -06001913 MAX_CRYPTO_TYPE_NAME_LEN);
Paul Crowley385cb8c2018-03-29 13:27:23 -07001914 uint32_t flags = 0;
Eric Biggersa701c452018-10-23 13:06:55 -07001915 if (fscrypt_is_native() &&
Paul Crowley385cb8c2018-03-29 13:27:23 -07001916 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1917 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
Ken Sumrall29d8da82011-05-18 17:20:07 -07001918
Paul Crowley385cb8c2018-03-29 13:27:23 -07001919 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
Jeff Sharkey9c484982015-03-31 10:35:33 -07001920}
Ken Sumrall29d8da82011-05-18 17:20:07 -07001921
Jeff Sharkey9c484982015-03-31 10:35:33 -07001922/*
1923 * Called by vold when it's asked to unmount an encrypted external
1924 * storage volume.
1925 */
1926int cryptfs_revert_ext_volume(const char* label) {
Paul Crowley14c8c072018-09-18 13:30:21 -07001927 return delete_crypto_blk_dev((char*)label);
Ken Sumrall29d8da82011-05-18 17:20:07 -07001928}
1929
Paul Crowley14c8c072018-09-18 13:30:21 -07001930int cryptfs_crypto_complete(void) {
1931 return do_crypto_complete("/data");
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08001932}
1933
Paul Crowley14c8c072018-09-18 13:30:21 -07001934int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
Paul Lawrencef4faa572014-01-29 13:31:03 -08001935 char encrypted_state[PROPERTY_VALUE_MAX];
1936 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07001937 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1938 SLOGE(
1939 "encrypted fs already validated or not running with encryption,"
1940 " aborting");
Paul Lawrencef4faa572014-01-29 13:31:03 -08001941 return -1;
1942 }
1943
1944 if (get_crypt_ftr_and_key(crypt_ftr)) {
1945 SLOGE("Error getting crypt footer and key");
1946 return -1;
1947 }
1948
1949 return 0;
1950}
1951
Paul Crowley14c8c072018-09-18 13:30:21 -07001952int cryptfs_check_passwd(const char* passwd) {
Paul Lawrence05335c32015-03-05 09:46:23 -08001953 SLOGI("cryptfs_check_passwd");
Eric Biggersa701c452018-10-23 13:06:55 -07001954 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08001955 SLOGE("cryptfs_check_passwd not valid for file encryption");
1956 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08001957 }
1958
Paul Lawrencef4faa572014-01-29 13:31:03 -08001959 struct crypt_mnt_ftr crypt_ftr;
1960 int rc;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001961
Paul Lawrencef4faa572014-01-29 13:31:03 -08001962 rc = check_unmounted_and_get_ftr(&crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001963 if (rc) {
1964 SLOGE("Could not get footer");
Paul Lawrencef4faa572014-01-29 13:31:03 -08001965 return rc;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001966 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001967
Paul Crowley14c8c072018-09-18 13:30:21 -07001968 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001969 if (rc) {
1970 SLOGE("Password did not match");
1971 return rc;
1972 }
Paul Lawrence684dbdf2014-02-07 12:07:22 -08001973
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001974 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1975 // Here we have a default actual password but a real password
1976 // we must test against the scrypted value
1977 // First, we must delete the crypto block device that
1978 // test_mount_encrypted_fs leaves behind as a side effect
1979 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
Paul Crowley14c8c072018-09-18 13:30:21 -07001980 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
1981 CRYPTO_BLOCK_DEVICE);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08001982 if (rc) {
1983 SLOGE("Default password did not match on reboot encryption");
1984 return rc;
1985 }
1986
1987 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1988 put_crypt_ftr_and_key(&crypt_ftr);
1989 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1990 if (rc) {
1991 SLOGE("Could not change password on reboot encryption");
1992 return rc;
1993 }
1994 }
1995
1996 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
Paul Lawrence399317e2014-03-10 13:20:50 -07001997 cryptfs_clear_password();
1998 password = strdup(passwd);
1999 struct timespec now;
2000 clock_gettime(CLOCK_BOOTTIME, &now);
2001 password_expiry_time = now.tv_sec + password_max_age_seconds;
Paul Lawrence684dbdf2014-02-07 12:07:22 -08002002 }
2003
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002004 return rc;
2005}
2006
Paul Crowley14c8c072018-09-18 13:30:21 -07002007int cryptfs_verify_passwd(const char* passwd) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07002008 struct crypt_mnt_ftr crypt_ftr;
Greg Kaiser59ad0182018-02-16 13:01:36 -08002009 unsigned char decrypted_master_key[MAX_KEY_LEN];
Ken Sumrall3ad90722011-10-04 20:38:29 -07002010 char encrypted_state[PROPERTY_VALUE_MAX];
2011 int rc;
2012
2013 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07002014 if (strcmp(encrypted_state, "encrypted")) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07002015 SLOGE("device not encrypted, aborting");
2016 return -2;
2017 }
2018
2019 if (!master_key_saved) {
2020 SLOGE("encrypted fs not yet mounted, aborting");
2021 return -1;
2022 }
2023
2024 if (!saved_mount_point) {
2025 SLOGE("encrypted fs failed to save mount point, aborting");
2026 return -1;
2027 }
2028
Ken Sumrall160b4d62013-04-22 12:15:39 -07002029 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall3ad90722011-10-04 20:38:29 -07002030 SLOGE("Error getting crypt footer and key\n");
2031 return -1;
2032 }
2033
2034 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2035 /* If the device has no password, then just say the password is valid */
2036 rc = 0;
2037 } else {
Paul Lawrenced0c7b172014-08-08 14:28:10 -07002038 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
Ken Sumrall3ad90722011-10-04 20:38:29 -07002039 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2040 /* They match, the password is correct */
2041 rc = 0;
2042 } else {
2043 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2044 sleep(1);
2045 rc = 1;
2046 }
2047 }
2048
2049 return rc;
2050}
2051
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002052/* Initialize a crypt_mnt_ftr structure. The keysize is
Greg Kaiser57f9af62018-02-16 13:13:58 -08002053 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002054 * Presumably, at a minimum, the caller will update the
2055 * filesystem size and crypto_type_name after calling this function.
2056 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002057static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002058 off64_t off;
2059
2060 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002061 ftr->magic = CRYPT_MNT_MAGIC;
Kenny Rootc96a5f82013-06-14 12:08:28 -07002062 ftr->major_version = CURRENT_MAJOR_VERSION;
2063 ftr->minor_version = CURRENT_MINOR_VERSION;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002064 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
Greg Kaiser57f9af62018-02-16 13:13:58 -08002065 ftr->keysize = cryptfs_get_keysize();
Ken Sumrall160b4d62013-04-22 12:15:39 -07002066
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002067 switch (keymaster_check_compatibility()) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002068 case 1:
2069 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2070 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002071
Paul Crowley14c8c072018-09-18 13:30:21 -07002072 case 0:
2073 ftr->kdf_type = KDF_SCRYPT;
2074 break;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002075
Paul Crowley14c8c072018-09-18 13:30:21 -07002076 default:
2077 SLOGE("keymaster_check_compatibility failed");
2078 return -1;
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002079 }
2080
Kenny Rootc4c70f12013-06-14 12:11:38 -07002081 get_device_scrypt_params(ftr);
2082
Ken Sumrall160b4d62013-04-22 12:15:39 -07002083 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2084 if (get_crypt_ftr_info(NULL, &off) == 0) {
2085 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
Paul Crowley14c8c072018-09-18 13:30:21 -07002086 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002087 }
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002088
2089 return 0;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002090}
2091
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002092#define FRAMEWORK_BOOT_WAIT 60
2093
Paul Crowley14c8c072018-09-18 13:30:21 -07002094static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) {
2095 int fd = open(filename, O_RDONLY | O_CLOEXEC);
Paul Lawrence87999172014-02-20 12:21:31 -08002096 if (fd == -1) {
2097 SLOGE("Error opening file %s", filename);
2098 return -1;
2099 }
2100
2101 char block[CRYPT_INPLACE_BUFSIZE];
2102 memset(block, 0, sizeof(block));
2103 if (unix_read(fd, block, sizeof(block)) < 0) {
2104 SLOGE("Error reading file %s", filename);
2105 close(fd);
2106 return -1;
2107 }
2108
2109 close(fd);
2110
2111 SHA256_CTX c;
2112 SHA256_Init(&c);
2113 SHA256_Update(&c, block, sizeof(block));
2114 SHA256_Final(buf, &c);
2115
2116 return 0;
2117}
2118
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002119static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2120 char* real_blkdev, int previously_encrypted_upto) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002121 off64_t cur_encryption_done = 0, tot_encryption_size = 0;
Tim Murray8439dc92014-12-15 11:56:11 -08002122 int rc = -1;
Paul Lawrence87999172014-02-20 12:21:31 -08002123
Paul Lawrence87999172014-02-20 12:21:31 -08002124 /* The size of the userdata partition, and add in the vold volumes below */
2125 tot_encryption_size = crypt_ftr->fs_size;
2126
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002127 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
Paul Crowley0fd26262018-01-30 09:48:19 -08002128 tot_encryption_size, previously_encrypted_upto, true);
Paul Lawrence87999172014-02-20 12:21:31 -08002129
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002130 if (rc == ENABLE_INPLACE_ERR_DEV) {
2131 /* Hack for b/17898962 */
2132 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2133 cryptfs_reboot(RebootType::reboot);
2134 }
JP Abgrall7fc1de82014-10-10 18:43:41 -07002135
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002136 if (!rc) {
2137 crypt_ftr->encrypted_upto = cur_encryption_done;
2138 }
Paul Lawrence87999172014-02-20 12:21:31 -08002139
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002140 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2141 /* The inplace routine never actually sets the progress to 100% due
2142 * to the round down nature of integer division, so set it here */
2143 property_set("vold.encrypt_progress", "100");
Paul Lawrence87999172014-02-20 12:21:31 -08002144 }
2145
2146 return rc;
2147}
2148
Paul Crowleyb64933a2017-10-31 08:25:55 -07002149static int vold_unmountAll(void) {
2150 VolumeManager* vm = VolumeManager::Instance();
2151 return vm->unmountAll();
2152}
2153
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002154int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002155 char crypto_blkdev[MAXPATHLEN];
2156 std::string real_blkdev;
Greg Kaiser59ad0182018-02-16 13:01:36 -08002157 unsigned char decrypted_master_key[MAX_KEY_LEN];
Paul Crowley14c8c072018-09-18 13:30:21 -07002158 int rc = -1, i;
Paul Lawrence87999172014-02-20 12:21:31 -08002159 struct crypt_mnt_ftr crypt_ftr;
Paul Crowley14c8c072018-09-18 13:30:21 -07002160 struct crypt_persist_data* pdata;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002161 char encrypted_state[PROPERTY_VALUE_MAX];
Paul Crowley14c8c072018-09-18 13:30:21 -07002162 char lockid[32] = {0};
Tom Cherry4c5bde22019-01-29 14:34:01 -08002163 std::string key_loc;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002164 int num_vols;
Paul Lawrence87999172014-02-20 12:21:31 -08002165 off64_t previously_encrypted_upto = 0;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002166 bool rebootEncryption = false;
Wei Wang4375f1b2017-02-24 17:43:01 -08002167 bool onlyCreateHeader = false;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002168
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002169 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002170 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2171 /* An encryption was underway and was interrupted */
2172 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2173 crypt_ftr.encrypted_upto = 0;
2174 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
Paul Lawrence6bfed202014-07-28 12:47:22 -07002175
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002176 /* At this point, we are in an inconsistent state. Until we successfully
2177 complete encryption, a reboot will leave us broken. So mark the
2178 encryption failed in case that happens.
2179 On successfully completing encryption, remove this flag */
2180 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
Paul Lawrence6bfed202014-07-28 12:47:22 -07002181
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002182 put_crypt_ftr_and_key(&crypt_ftr);
2183 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2184 if (!check_ftr_sha(&crypt_ftr)) {
2185 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2186 put_crypt_ftr_and_key(&crypt_ftr);
2187 goto error_unencrypted;
2188 }
2189
2190 /* Doing a reboot-encryption*/
2191 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2192 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2193 rebootEncryption = true;
2194 }
Greg Kaiser59ad0182018-02-16 13:01:36 -08002195 } else {
2196 // We don't want to accidentally reference invalid data.
2197 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
Paul Lawrence87999172014-02-20 12:21:31 -08002198 }
2199
2200 property_get("ro.crypto.state", encrypted_state, "");
2201 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2202 SLOGE("Device is already running encrypted, aborting");
2203 goto error_unencrypted;
2204 }
2205
Tom Cherry4c5bde22019-01-29 14:34:01 -08002206 get_crypt_info(&key_loc, &real_blkdev);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002207
Ken Sumrall3ed82362011-01-28 23:31:16 -08002208 /* Get the size of the real block device */
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02002209 uint64_t nr_sec;
2210 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002211 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
Ken Sumrall3ed82362011-01-28 23:31:16 -08002212 goto error_unencrypted;
2213 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002214
2215 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
Tom Cherry4c5bde22019-01-29 14:34:01 -08002216 if (key_loc == KEY_IN_FOOTER) {
Oleksiy Avramchenko625dc782018-05-23 10:50:46 +02002217 uint64_t fs_size_sec, max_fs_size_sec;
Tom Cherry4c5bde22019-01-29 14:34:01 -08002218 fs_size_sec = get_fs_size(real_blkdev.c_str());
2219 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
Daniel Rosenberge82df162014-08-15 22:19:23 +00002220
Paul Lawrence87999172014-02-20 12:21:31 -08002221 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
Ken Sumrall3ed82362011-01-28 23:31:16 -08002222
2223 if (fs_size_sec > max_fs_size_sec) {
2224 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2225 goto error_unencrypted;
2226 }
2227 }
2228
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002229 /* Get a wakelock as this may take a while, and we don't want the
2230 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2231 * wants to keep the screen on, it can grab a full wakelock.
2232 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002233 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002234 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2235
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002236 /* The init files are setup to stop the class main and late start when
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002237 * vold sets trigger_shutdown_framework.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002238 */
2239 property_set("vold.decrypt", "trigger_shutdown_framework");
2240 SLOGD("Just asked init to shut down class main\n");
2241
Jeff Sharkey9c484982015-03-31 10:35:33 -07002242 /* Ask vold to unmount all devices that it manages */
2243 if (vold_unmountAll()) {
2244 SLOGE("Failed to unmount all vold managed devices");
Ken Sumrall2eaf7132011-01-14 12:45:48 -08002245 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002246
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002247 /* no_ui means we are being called from init, not settings.
2248 Now we always reboot from settings, so !no_ui means reboot
2249 */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002250 if (!no_ui) {
2251 /* Try fallback, which is to reboot and try there */
2252 onlyCreateHeader = true;
2253 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2254 if (breadcrumb == 0) {
2255 SLOGE("Failed to create breadcrumb file");
2256 goto error_shutting_down;
2257 }
2258 fclose(breadcrumb);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002259 }
2260
2261 /* Do extra work for a better UX when doing the long inplace encryption */
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002262 if (!onlyCreateHeader) {
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002263 /* Now that /data is unmounted, we need to mount a tmpfs
2264 * /data, set a property saying we're doing inplace encryption,
2265 * and restart the framework.
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002266 */
Ken Sumralle5032c42012-04-01 23:58:44 -07002267 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
Ken Sumrall3ed82362011-01-28 23:31:16 -08002268 goto error_shutting_down;
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002269 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002270 /* Tells the framework that inplace encryption is starting */
Ken Sumrall7df84122011-01-18 14:04:08 -08002271 property_set("vold.encrypt_progress", "0");
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002272
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002273 /* restart the framework. */
2274 /* Create necessary paths on /data */
Wei Wang42e38102017-06-07 10:46:12 -07002275 prep_data_fs();
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002276
Ken Sumrall92736ef2012-10-17 20:57:14 -07002277 /* Ugh, shutting down the framework is not synchronous, so until it
2278 * can be fixed, this horrible hack will wait a moment for it all to
2279 * shut down before proceeding. Without it, some devices cannot
2280 * restart the graphics services.
2281 */
2282 sleep(2);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002283 }
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002284
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002285 /* Start the actual work of making an encrypted filesystem */
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002286 /* Initialize a crypt_mnt_ftr for the partition */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002287 if (previously_encrypted_upto == 0 && !rebootEncryption) {
Paul Lawrence69f4ebd2014-04-14 12:17:14 -07002288 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2289 goto error_shutting_down;
2290 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002291
Tom Cherry4c5bde22019-01-29 14:34:01 -08002292 if (key_loc == KEY_IN_FOOTER) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002293 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
Paul Lawrence87999172014-02-20 12:21:31 -08002294 } else {
2295 crypt_ftr.fs_size = nr_sec;
2296 }
Paul Lawrence6bfed202014-07-28 12:47:22 -07002297 /* At this point, we are in an inconsistent state. Until we successfully
2298 complete encryption, a reboot will leave us broken. So mark the
2299 encryption failed in case that happens.
2300 On successfully completing encryption, remove this flag */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002301 if (onlyCreateHeader) {
2302 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2303 } else {
2304 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2305 }
Paul Lawrence87999172014-02-20 12:21:31 -08002306 crypt_ftr.crypt_type = crypt_type;
Paul Crowley14c8c072018-09-18 13:30:21 -07002307 strlcpy((char*)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
2308 MAX_CRYPTO_TYPE_NAME_LEN);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002309
Paul Lawrence87999172014-02-20 12:21:31 -08002310 /* Make an encrypted master key */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002311 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2312 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
Paul Lawrence87999172014-02-20 12:21:31 -08002313 SLOGE("Cannot create encrypted master key\n");
2314 goto error_shutting_down;
2315 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002316
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002317 /* Replace scrypted intermediate key if we are preparing for a reboot */
2318 if (onlyCreateHeader) {
Greg Kaiser59ad0182018-02-16 13:01:36 -08002319 unsigned char fake_master_key[MAX_KEY_LEN];
2320 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002321 memset(fake_master_key, 0, sizeof(fake_master_key));
Paul Crowley14c8c072018-09-18 13:30:21 -07002322 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2323 &crypt_ftr);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002324 }
2325
Paul Lawrence87999172014-02-20 12:21:31 -08002326 /* Write the key to the end of the partition */
2327 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002328
Paul Lawrence87999172014-02-20 12:21:31 -08002329 /* If any persistent data has been remembered, save it.
2330 * If none, create a valid empty table and save that.
2331 */
2332 if (!persist_data) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002333 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2334 if (pdata) {
2335 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2336 persist_data = pdata;
2337 }
Paul Lawrence87999172014-02-20 12:21:31 -08002338 }
2339 if (persist_data) {
2340 save_persistent_data();
2341 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002342 }
2343
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002344 if (onlyCreateHeader) {
2345 sleep(2);
Josh Gaofec44372017-08-28 13:22:55 -07002346 cryptfs_reboot(RebootType::reboot);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002347 }
2348
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002349 if (!no_ui || rebootEncryption) {
Ajay Dudani87701e22014-09-17 21:02:52 -07002350 /* startup service classes main and late_start */
2351 property_set("vold.decrypt", "trigger_restart_min_framework");
2352 SLOGD("Just triggered restart_min_framework\n");
2353
2354 /* OK, the framework is restarted and will soon be showing a
2355 * progress bar. Time to setup an encrypted mapping, and
2356 * either write a new filesystem, or encrypt in place updating
2357 * the progress bar as we work.
2358 */
2359 }
2360
Paul Lawrenced0c7b172014-08-08 14:28:10 -07002361 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
Tom Cherry4c5bde22019-01-29 14:34:01 -08002362 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
Paul Crowley5afbc622017-11-27 09:42:17 -08002363 CRYPTO_BLOCK_DEVICE, 0);
Ken Sumrall29d8da82011-05-18 17:20:07 -07002364
Paul Lawrence87999172014-02-20 12:21:31 -08002365 /* If we are continuing, check checksums match */
2366 rc = 0;
2367 if (previously_encrypted_upto) {
2368 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2369 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
Ken Sumrall128626f2011-06-28 18:45:14 -07002370
Paul Crowley14c8c072018-09-18 13:30:21 -07002371 if (!rc &&
2372 memcmp(hash_first_block, crypt_ftr.hash_first_block, sizeof(hash_first_block)) != 0) {
Paul Lawrence87999172014-02-20 12:21:31 -08002373 SLOGE("Checksums do not match - trigger wipe");
2374 rc = -1;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002375 }
2376 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002377
Paul Lawrence87999172014-02-20 12:21:31 -08002378 if (!rc) {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002379 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev.data(),
Paul Lawrence87999172014-02-20 12:21:31 -08002380 previously_encrypted_upto);
2381 }
2382
2383 /* Calculate checksum if we are not finished */
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002384 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002385 rc = cryptfs_SHA256_fileblock(crypto_blkdev, crypt_ftr.hash_first_block);
Paul Lawrence73d7a022014-06-09 14:10:09 -07002386 if (rc) {
Paul Lawrence87999172014-02-20 12:21:31 -08002387 SLOGE("Error calculating checksum for continuing encryption");
2388 rc = -1;
Ken Sumrall29d8da82011-05-18 17:20:07 -07002389 }
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002390 }
2391
2392 /* Undo the dm-crypt mapping whether we succeed or not */
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002393 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
Ken Sumrall29d8da82011-05-18 17:20:07 -07002394
Paul Crowley14c8c072018-09-18 13:30:21 -07002395 if (!rc) {
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002396 /* Success */
Paul Lawrence6bfed202014-07-28 12:47:22 -07002397 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -08002398
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002399 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
Paul Lawrence87999172014-02-20 12:21:31 -08002400 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2401 crypt_ftr.encrypted_upto);
Paul Lawrence6bfed202014-07-28 12:47:22 -07002402 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
Paul Lawrence87999172014-02-20 12:21:31 -08002403 }
Paul Lawrence73d7a022014-06-09 14:10:09 -07002404
Paul Lawrence6bfed202014-07-28 12:47:22 -07002405 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumralld33d4172011-02-01 00:49:13 -08002406
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002407 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2408 char value[PROPERTY_VALUE_MAX];
2409 property_get("ro.crypto.state", value, "");
2410 if (!strcmp(value, "")) {
2411 /* default encryption - continue first boot sequence */
2412 property_set("ro.crypto.state", "encrypted");
2413 property_set("ro.crypto.type", "block");
2414 release_wake_lock(lockid);
2415 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2416 // Bring up cryptkeeper that will check the password and set it
2417 property_set("vold.decrypt", "trigger_shutdown_framework");
2418 sleep(2);
2419 property_set("vold.encrypt_progress", "");
2420 cryptfs_trigger_restart_min_framework();
2421 } else {
2422 cryptfs_check_passwd(DEFAULT_PASSWORD);
2423 cryptfs_restart_internal(1);
2424 }
2425 return 0;
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002426 } else {
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002427 sleep(2); /* Give the UI a chance to show 100% progress */
2428 cryptfs_reboot(RebootType::reboot);
Paul Lawrence3d99eba2015-11-20 07:07:19 -08002429 }
Paul Lawrence87999172014-02-20 12:21:31 -08002430 } else {
Paul Lawrenceb6672e12014-08-15 07:37:28 -07002431 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
Josh Gaofec44372017-08-28 13:22:55 -07002432 cryptfs_reboot(RebootType::shutdown);
Paul Lawrence87999172014-02-20 12:21:31 -08002433 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002434 } else {
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002435 char value[PROPERTY_VALUE_MAX];
2436
Ken Sumrall319369a2012-06-27 16:30:18 -07002437 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002438 if (!strcmp(value, "1")) {
2439 /* wipe data if encryption failed */
2440 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
Wei Wang4375f1b2017-02-24 17:43:01 -08002441 std::string err;
2442 const std::vector<std::string> options = {
Paul Crowley14c8c072018-09-18 13:30:21 -07002443 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
Wei Wang4375f1b2017-02-24 17:43:01 -08002444 if (!write_bootloader_message(options, &err)) {
2445 SLOGE("could not write bootloader message: %s", err.c_str());
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002446 }
Josh Gaofec44372017-08-28 13:22:55 -07002447 cryptfs_reboot(RebootType::recovery);
Mike Lockwoodee6d8c42012-02-15 13:43:28 -08002448 } else {
2449 /* set property to trigger dialog */
2450 property_set("vold.encrypt_progress", "error_partially_encrypted");
2451 release_wake_lock(lockid);
2452 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002453 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002454 }
2455
Ken Sumrall3ed82362011-01-28 23:31:16 -08002456 /* hrm, the encrypt step claims success, but the reboot failed.
2457 * This should not happen.
2458 * Set the property and return. Hope the framework can deal with it.
2459 */
2460 property_set("vold.encrypt_progress", "error_reboot_failed");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002461 release_wake_lock(lockid);
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002462 return rc;
Ken Sumrall3ed82362011-01-28 23:31:16 -08002463
2464error_unencrypted:
2465 property_set("vold.encrypt_progress", "error_not_encrypted");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002466 if (lockid[0]) {
2467 release_wake_lock(lockid);
2468 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002469 return -1;
2470
2471error_shutting_down:
2472 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2473 * but the framework is stopped and not restarted to show the error, so it's up to
2474 * vold to restart the system.
2475 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002476 SLOGE(
2477 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2478 "system");
Josh Gaofec44372017-08-28 13:22:55 -07002479 cryptfs_reboot(RebootType::reboot);
Ken Sumrall3ed82362011-01-28 23:31:16 -08002480
2481 /* shouldn't get here */
2482 property_set("vold.encrypt_progress", "error_shutting_down");
Ken Sumrall5d4c68e2011-01-30 19:06:03 -08002483 if (lockid[0]) {
2484 release_wake_lock(lockid);
2485 }
Ken Sumrall3ed82362011-01-28 23:31:16 -08002486 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002487}
2488
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002489int cryptfs_enable(int type, const char* passwd, int no_ui) {
2490 return cryptfs_enable_internal(type, passwd, no_ui);
Paul Lawrence13486032014-02-03 13:28:11 -08002491}
2492
Paul Lawrence7ee87cf2017-12-22 10:12:06 -08002493int cryptfs_enable_default(int no_ui) {
2494 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
Paul Lawrence13486032014-02-03 13:28:11 -08002495}
2496
Paul Crowley14c8c072018-09-18 13:30:21 -07002497int cryptfs_changepw(int crypt_type, const char* newpw) {
Eric Biggersa701c452018-10-23 13:06:55 -07002498 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002499 SLOGE("cryptfs_changepw not valid for file encryption");
2500 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08002501 }
2502
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002503 struct crypt_mnt_ftr crypt_ftr;
JP Abgrall933216c2015-02-11 13:44:32 -08002504 int rc;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002505
2506 /* This is only allowed after we've successfully decrypted the master key */
Paul Lawrencef4faa572014-01-29 13:31:03 -08002507 if (!master_key_saved) {
Ken Sumrall0cc16632011-01-18 20:32:26 -08002508 SLOGE("Key not saved, aborting");
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002509 return -1;
2510 }
2511
Paul Lawrencef4faa572014-01-29 13:31:03 -08002512 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2513 SLOGE("Invalid crypt_type %d", crypt_type);
2514 return -1;
2515 }
2516
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002517 /* get key */
Ken Sumrall160b4d62013-04-22 12:15:39 -07002518 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Paul Lawrencef4faa572014-01-29 13:31:03 -08002519 SLOGE("Error getting crypt footer and key");
2520 return -1;
Ken Sumrall8ddbe402011-01-17 15:26:29 -08002521 }
2522
Paul Lawrencef4faa572014-01-29 13:31:03 -08002523 crypt_ftr.crypt_type = crypt_type;
2524
Paul Crowley14c8c072018-09-18 13:30:21 -07002525 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2526 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
JP Abgrall933216c2015-02-11 13:44:32 -08002527 if (rc) {
2528 SLOGE("Encrypt master key failed: %d", rc);
2529 return -1;
2530 }
Jason parks70a4b3f2011-01-28 10:10:47 -06002531 /* save the key */
Ken Sumrall160b4d62013-04-22 12:15:39 -07002532 put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumrall8f869aa2010-12-03 03:47:09 -08002533
2534 return 0;
2535}
Ken Sumrall160b4d62013-04-22 12:15:39 -07002536
Rubin Xu85c01f92014-10-13 12:49:54 +01002537static unsigned int persist_get_max_entries(int encrypted) {
2538 struct crypt_mnt_ftr crypt_ftr;
2539 unsigned int dsize;
Rubin Xu85c01f92014-10-13 12:49:54 +01002540
2541 /* If encrypted, use the values from the crypt_ftr, otherwise
2542 * use the values for the current spec.
2543 */
2544 if (encrypted) {
2545 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Rubin Xuf83cc612018-10-09 16:13:38 +01002546 /* Something is wrong, assume no space for entries */
2547 return 0;
Rubin Xu85c01f92014-10-13 12:49:54 +01002548 }
2549 dsize = crypt_ftr.persist_data_size;
2550 } else {
2551 dsize = CRYPT_PERSIST_DATA_SIZE;
2552 }
2553
Rubin Xuf83cc612018-10-09 16:13:38 +01002554 if (dsize > sizeof(struct crypt_persist_data)) {
2555 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2556 } else {
2557 return 0;
2558 }
Rubin Xu85c01f92014-10-13 12:49:54 +01002559}
2560
Paul Crowley14c8c072018-09-18 13:30:21 -07002561static int persist_get_key(const char* fieldname, char* value) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002562 unsigned int i;
2563
2564 if (persist_data == NULL) {
2565 return -1;
2566 }
2567 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2568 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2569 /* We found it! */
2570 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2571 return 0;
2572 }
2573 }
2574
2575 return -1;
2576}
2577
Paul Crowley14c8c072018-09-18 13:30:21 -07002578static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002579 unsigned int i;
2580 unsigned int num;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002581 unsigned int max_persistent_entries;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002582
2583 if (persist_data == NULL) {
2584 return -1;
2585 }
2586
Rubin Xu85c01f92014-10-13 12:49:54 +01002587 max_persistent_entries = persist_get_max_entries(encrypted);
Ken Sumrall160b4d62013-04-22 12:15:39 -07002588
2589 num = persist_data->persist_valid_entries;
2590
2591 for (i = 0; i < num; i++) {
2592 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2593 /* We found an existing entry, update it! */
2594 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2595 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2596 return 0;
2597 }
2598 }
2599
2600 /* We didn't find it, add it to the end, if there is room */
2601 if (persist_data->persist_valid_entries < max_persistent_entries) {
2602 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2603 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2604 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2605 persist_data->persist_valid_entries++;
2606 return 0;
2607 }
2608
2609 return -1;
2610}
2611
Rubin Xu85c01f92014-10-13 12:49:54 +01002612/**
2613 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2614 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2615 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002616int match_multi_entry(const char* key, const char* field, unsigned index) {
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002617 std::string key_ = key;
2618 std::string field_ = field;
Rubin Xu85c01f92014-10-13 12:49:54 +01002619
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002620 std::string parsed_field;
2621 unsigned parsed_index;
2622
2623 std::string::size_type split = key_.find_last_of('_');
2624 if (split == std::string::npos) {
2625 parsed_field = key_;
2626 parsed_index = 0;
2627 } else {
2628 parsed_field = key_.substr(0, split);
2629 parsed_index = std::stoi(key_.substr(split + 1));
Rubin Xu85c01f92014-10-13 12:49:54 +01002630 }
Jeff Sharkey95440eb2017-09-18 18:19:28 -06002631
2632 return parsed_field == field_ && parsed_index >= index;
Rubin Xu85c01f92014-10-13 12:49:54 +01002633}
2634
2635/*
2636 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2637 * remaining entries starting from index will be deleted.
2638 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2639 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2640 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2641 *
2642 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002643static int persist_del_keys(const char* fieldname, unsigned index) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002644 unsigned int i;
2645 unsigned int j;
2646 unsigned int num;
2647
2648 if (persist_data == NULL) {
2649 return PERSIST_DEL_KEY_ERROR_OTHER;
2650 }
2651
2652 num = persist_data->persist_valid_entries;
2653
Paul Crowley14c8c072018-09-18 13:30:21 -07002654 j = 0; // points to the end of non-deleted entries.
Rubin Xu85c01f92014-10-13 12:49:54 +01002655 // Filter out to-be-deleted entries in place.
2656 for (i = 0; i < num; i++) {
2657 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2658 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2659 j++;
2660 }
2661 }
2662
2663 if (j < num) {
2664 persist_data->persist_valid_entries = j;
2665 // Zeroise the remaining entries
2666 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2667 return PERSIST_DEL_KEY_OK;
2668 } else {
2669 // Did not find an entry matching the given fieldname
2670 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2671 }
2672}
2673
Paul Crowley14c8c072018-09-18 13:30:21 -07002674static int persist_count_keys(const char* fieldname) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002675 unsigned int i;
2676 unsigned int count;
2677
2678 if (persist_data == NULL) {
2679 return -1;
2680 }
2681
2682 count = 0;
2683 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2684 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2685 count++;
2686 }
2687 }
2688
2689 return count;
2690}
2691
Ken Sumrall160b4d62013-04-22 12:15:39 -07002692/* Return the value of the specified field. */
Paul Crowley14c8c072018-09-18 13:30:21 -07002693int cryptfs_getfield(const char* fieldname, char* value, int len) {
Eric Biggersa701c452018-10-23 13:06:55 -07002694 if (fscrypt_is_native()) {
Paul Lawrence5a06a642016-02-03 13:39:13 -08002695 SLOGE("Cannot get field when file encrypted");
2696 return -1;
Paul Lawrence368d7942015-04-15 14:12:00 -07002697 }
2698
Ken Sumrall160b4d62013-04-22 12:15:39 -07002699 char temp_value[PROPERTY_VALUE_MAX];
Rubin Xu85c01f92014-10-13 12:49:54 +01002700 /* CRYPTO_GETFIELD_OK is success,
2701 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2702 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2703 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
Ken Sumrall160b4d62013-04-22 12:15:39 -07002704 */
Rubin Xu85c01f92014-10-13 12:49:54 +01002705 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2706 int i;
2707 char temp_field[PROPERTY_KEY_MAX];
Ken Sumrall160b4d62013-04-22 12:15:39 -07002708
2709 if (persist_data == NULL) {
2710 load_persistent_data();
2711 if (persist_data == NULL) {
2712 SLOGE("Getfield error, cannot load persistent data");
2713 goto out;
2714 }
2715 }
2716
Rubin Xu85c01f92014-10-13 12:49:54 +01002717 // Read value from persistent entries. If the original value is split into multiple entries,
2718 // stitch them back together.
Ken Sumrall160b4d62013-04-22 12:15:39 -07002719 if (!persist_get_key(fieldname, temp_value)) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002720 // We found it, copy it to the caller's buffer and keep going until all entries are read.
Paul Crowley14c8c072018-09-18 13:30:21 -07002721 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002722 // value too small
2723 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2724 goto out;
2725 }
2726 rc = CRYPTO_GETFIELD_OK;
2727
2728 for (i = 1; /* break explicitly */; i++) {
2729 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
Paul Crowley14c8c072018-09-18 13:30:21 -07002730 (int)sizeof(temp_field)) {
Rubin Xu85c01f92014-10-13 12:49:54 +01002731 // If the fieldname is very long, we stop as soon as it begins to overflow the
2732 // maximum field length. At this point we have in fact fully read out the original
2733 // value because cryptfs_setfield would not allow fields with longer names to be
2734 // written in the first place.
2735 break;
2736 }
2737 if (!persist_get_key(temp_field, temp_value)) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002738 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2739 // value too small.
2740 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2741 goto out;
2742 }
Rubin Xu85c01f92014-10-13 12:49:54 +01002743 } else {
2744 // Exhaust all entries.
2745 break;
2746 }
2747 }
Ken Sumrall160b4d62013-04-22 12:15:39 -07002748 } else {
2749 /* Sadness, it's not there. Return the error */
Rubin Xu85c01f92014-10-13 12:49:54 +01002750 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002751 }
2752
2753out:
2754 return rc;
2755}
2756
2757/* Set the value of the specified field. */
Paul Crowley14c8c072018-09-18 13:30:21 -07002758int cryptfs_setfield(const char* fieldname, const char* value) {
Eric Biggersa701c452018-10-23 13:06:55 -07002759 if (fscrypt_is_native()) {
Paul Lawrence5a06a642016-02-03 13:39:13 -08002760 SLOGE("Cannot set field when file encrypted");
2761 return -1;
Paul Lawrence368d7942015-04-15 14:12:00 -07002762 }
2763
Ken Sumrall160b4d62013-04-22 12:15:39 -07002764 char encrypted_state[PROPERTY_VALUE_MAX];
Rubin Xu85c01f92014-10-13 12:49:54 +01002765 /* 0 is success, negative values are error */
2766 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002767 int encrypted = 0;
Rubin Xu85c01f92014-10-13 12:49:54 +01002768 unsigned int field_id;
2769 char temp_field[PROPERTY_KEY_MAX];
2770 unsigned int num_entries;
2771 unsigned int max_keylen;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002772
2773 if (persist_data == NULL) {
2774 load_persistent_data();
2775 if (persist_data == NULL) {
2776 SLOGE("Setfield error, cannot load persistent data");
2777 goto out;
2778 }
2779 }
2780
2781 property_get("ro.crypto.state", encrypted_state, "");
Paul Crowley14c8c072018-09-18 13:30:21 -07002782 if (!strcmp(encrypted_state, "encrypted")) {
Ken Sumrall160b4d62013-04-22 12:15:39 -07002783 encrypted = 1;
2784 }
2785
Rubin Xu85c01f92014-10-13 12:49:54 +01002786 // Compute the number of entries required to store value, each entry can store up to
2787 // (PROPERTY_VALUE_MAX - 1) chars
2788 if (strlen(value) == 0) {
2789 // Empty value also needs one entry to store.
2790 num_entries = 1;
2791 } else {
2792 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2793 }
2794
2795 max_keylen = strlen(fieldname);
2796 if (num_entries > 1) {
2797 // Need an extra "_%d" suffix.
2798 max_keylen += 1 + log10(num_entries);
2799 }
2800 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2801 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002802 goto out;
2803 }
2804
Rubin Xu85c01f92014-10-13 12:49:54 +01002805 // Make sure we have enough space to write the new value
2806 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2807 persist_get_max_entries(encrypted)) {
2808 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2809 goto out;
2810 }
2811
2812 // Now that we know persist_data has enough space for value, let's delete the old field first
2813 // to make up space.
2814 persist_del_keys(fieldname, 0);
2815
2816 if (persist_set_key(fieldname, value, encrypted)) {
2817 // fail to set key, should not happen as we have already checked the available space
2818 SLOGE("persist_set_key() error during setfield()");
2819 goto out;
2820 }
2821
2822 for (field_id = 1; field_id < num_entries; field_id++) {
Greg Kaiserb610e772018-02-09 09:19:54 -08002823 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
Rubin Xu85c01f92014-10-13 12:49:54 +01002824
2825 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2826 // fail to set key, should not happen as we have already checked the available space.
2827 SLOGE("persist_set_key() error during setfield()");
2828 goto out;
2829 }
2830 }
2831
Ken Sumrall160b4d62013-04-22 12:15:39 -07002832 /* If we are running encrypted, save the persistent data now */
2833 if (encrypted) {
2834 if (save_persistent_data()) {
2835 SLOGE("Setfield error, cannot save persistent data");
2836 goto out;
2837 }
2838 }
2839
Rubin Xu85c01f92014-10-13 12:49:54 +01002840 rc = CRYPTO_SETFIELD_OK;
Ken Sumrall160b4d62013-04-22 12:15:39 -07002841
2842out:
2843 return rc;
2844}
Paul Lawrencef4faa572014-01-29 13:31:03 -08002845
2846/* Checks userdata. Attempt to mount the volume if default-
2847 * encrypted.
2848 * On success trigger next init phase and return 0.
2849 * Currently do not handle failure - see TODO below.
2850 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002851int cryptfs_mount_default_encrypted(void) {
Paul Lawrence84274cc2016-04-15 15:41:33 -07002852 int crypt_type = cryptfs_get_password_type();
2853 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2854 SLOGE("Bad crypt type - error");
2855 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
Paul Crowley14c8c072018-09-18 13:30:21 -07002856 SLOGD(
2857 "Password is not default - "
2858 "starting min framework to prompt");
Paul Lawrence84274cc2016-04-15 15:41:33 -07002859 property_set("vold.decrypt", "trigger_restart_min_framework");
2860 return 0;
2861 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2862 SLOGD("Password is default - restarting filesystem");
2863 cryptfs_restart_internal(0);
2864 return 0;
Paul Lawrencef4faa572014-01-29 13:31:03 -08002865 } else {
Paul Lawrence84274cc2016-04-15 15:41:33 -07002866 SLOGE("Encrypted, default crypt type but can't decrypt");
Paul Lawrencef4faa572014-01-29 13:31:03 -08002867 }
2868
Paul Lawrence6bfed202014-07-28 12:47:22 -07002869 /** Corrupt. Allow us to boot into framework, which will detect bad
2870 crypto when it calls do_crypto_complete, then do a factory reset
Paul Lawrencef4faa572014-01-29 13:31:03 -08002871 */
Paul Lawrence6bfed202014-07-28 12:47:22 -07002872 property_set("vold.decrypt", "trigger_restart_min_framework");
Paul Lawrencef4faa572014-01-29 13:31:03 -08002873 return 0;
2874}
2875
2876/* Returns type of the password, default, pattern, pin or password.
2877 */
Paul Crowley14c8c072018-09-18 13:30:21 -07002878int cryptfs_get_password_type(void) {
Eric Biggersa701c452018-10-23 13:06:55 -07002879 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002880 SLOGE("cryptfs_get_password_type not valid for file encryption");
2881 return -1;
Paul Lawrence05335c32015-03-05 09:46:23 -08002882 }
2883
Paul Lawrencef4faa572014-01-29 13:31:03 -08002884 struct crypt_mnt_ftr crypt_ftr;
2885
2886 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2887 SLOGE("Error getting crypt footer and key\n");
2888 return -1;
2889 }
2890
Paul Lawrence6bfed202014-07-28 12:47:22 -07002891 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2892 return -1;
2893 }
2894
Paul Lawrencef4faa572014-01-29 13:31:03 -08002895 return crypt_ftr.crypt_type;
2896}
Paul Lawrence684dbdf2014-02-07 12:07:22 -08002897
Paul Crowley14c8c072018-09-18 13:30:21 -07002898const char* cryptfs_get_password() {
Eric Biggersa701c452018-10-23 13:06:55 -07002899 if (fscrypt_is_native()) {
Paul Lawrence7b6b5652016-02-02 11:14:59 -08002900 SLOGE("cryptfs_get_password not valid for file encryption");
2901 return 0;
Paul Lawrence05335c32015-03-05 09:46:23 -08002902 }
2903
Paul Lawrence399317e2014-03-10 13:20:50 -07002904 struct timespec now;
Paul Lawrenceef2b5be2014-11-11 12:47:03 -08002905 clock_gettime(CLOCK_BOOTTIME, &now);
Paul Lawrence399317e2014-03-10 13:20:50 -07002906 if (now.tv_sec < password_expiry_time) {
2907 return password;
2908 } else {
2909 cryptfs_clear_password();
2910 return 0;
2911 }
2912}
2913
Paul Crowley14c8c072018-09-18 13:30:21 -07002914void cryptfs_clear_password() {
Paul Lawrence399317e2014-03-10 13:20:50 -07002915 if (password) {
2916 size_t len = strlen(password);
2917 memset(password, 0, len);
2918 free(password);
2919 password = 0;
2920 password_expiry_time = 0;
2921 }
Paul Lawrence684dbdf2014-02-07 12:07:22 -08002922}
Paul Lawrence731a7a22015-04-28 22:14:15 +00002923
Paul Crowley14c8c072018-09-18 13:30:21 -07002924int cryptfs_isConvertibleToFBE() {
Tom Cherry4c5bde22019-01-29 14:34:01 -08002925 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2926 return entry && entry->fs_mgr_flags.force_fde_or_fbe;
Paul Lawrence0c247462015-10-29 10:30:57 -07002927}