blob: 67592a59162613317b9e56a8fcaf3b2f3ee9bd1d [file] [log] [blame]
Ken Sumrall8f869aa2010-12-03 03:47:09 -08001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* This structure starts 16,384 bytes before the end of a hardware
Ken Sumrall160b4d62013-04-22 12:15:39 -070018 * partition that is encrypted, or in a separate partition. It's location
19 * is specified by a property set in init.<device>.rc.
20 * The structure allocates 48 bytes for a key, but the real key size is
21 * specified in the struct. Currently, the code is hardcoded to use 128
22 * bit keys.
23 * The fields after salt are only valid in rev 1.1 and later stuctures.
Ken Sumrall8f869aa2010-12-03 03:47:09 -080024 * Obviously, the filesystem does not include the last 16 kbytes
Ken Sumrall160b4d62013-04-22 12:15:39 -070025 * of the partition if the crypt_mnt_ftr lives at the end of the
26 * partition.
Ken Sumrall8f869aa2010-12-03 03:47:09 -080027 */
28
Ken Sumrall160b4d62013-04-22 12:15:39 -070029#include <cutils/properties.h>
30
Kenny Rootc96a5f82013-06-14 12:08:28 -070031/* The current cryptfs version */
32#define CURRENT_MAJOR_VERSION 1
Paul Lawrencef4faa572014-01-29 13:31:03 -080033#define CURRENT_MINOR_VERSION 3
Kenny Rootc96a5f82013-06-14 12:08:28 -070034
Ken Sumrall8f869aa2010-12-03 03:47:09 -080035#define CRYPT_FOOTER_OFFSET 0x4000
Ken Sumrall160b4d62013-04-22 12:15:39 -070036#define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
37#define CRYPT_PERSIST_DATA_SIZE 0x1000
Ken Sumrall8f869aa2010-12-03 03:47:09 -080038
39#define MAX_CRYPTO_TYPE_NAME_LEN 64
40
Ken Sumrall160b4d62013-04-22 12:15:39 -070041#define MAX_KEY_LEN 48
Ken Sumralle8744072011-01-18 22:01:55 -080042#define SALT_LEN 16
Paul Lawrenced0c7b172014-08-08 14:28:10 -070043#define SCRYPT_LEN 32
Ken Sumralle8744072011-01-18 22:01:55 -080044
Ken Sumrall8f869aa2010-12-03 03:47:09 -080045/* definitions of flags in the structure below */
46#define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
Paul Lawrence6bfed202014-07-28 12:47:22 -070047#define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* Encryption partially completed,
48 encrypted_upto valid*/
49#define CRYPT_INCONSISTENT_STATE 0x4 /* Set when starting encryption, clear when
50 exit cleanly, either through success or
51 correctly marked partial encryption */
Paul Lawrence74f29f12014-08-28 15:54:10 -070052#define CRYPT_DATA_CORRUPT 0x8 /* Set when encryption is fine, but the
53 underlying volume is corrupt */
Ken Sumrall8f869aa2010-12-03 03:47:09 -080054
Paul Lawrencef4faa572014-01-29 13:31:03 -080055/* Allowed values for type in the structure below */
56#define CRYPT_TYPE_PASSWORD 0 /* master_key is encrypted with a password
57 * Must be zero to be compatible with pre-L
58 * devices where type is always password.*/
59#define CRYPT_TYPE_DEFAULT 1 /* master_key is encrypted with default
60 * password */
61#define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
62#define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
63#define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
64
Ken Sumrall8f869aa2010-12-03 03:47:09 -080065#define CRYPT_MNT_MAGIC 0xD0B5B1C4
Ken Sumrall160b4d62013-04-22 12:15:39 -070066#define PERSIST_DATA_MAGIC 0xE950CD44
Ken Sumrall8f869aa2010-12-03 03:47:09 -080067
Kenny Rootc4c70f12013-06-14 12:11:38 -070068#define SCRYPT_PROP "ro.crypto.scrypt_params"
69#define SCRYPT_DEFAULTS { 15, 3, 1 }
70
71/* Key Derivation Function algorithms */
72#define KDF_PBKDF2 1
73#define KDF_SCRYPT 2
Shawn Willdene17a9c42014-09-08 13:04:08 -060074/* TODO(paullawrence): Remove KDF_SCRYPT_KEYMASTER_UNPADDED and KDF_SCRYPT_KEYMASTER_BADLY_PADDED
75 * when it is safe to do so. */
76#define KDF_SCRYPT_KEYMASTER_UNPADDED 3
77#define KDF_SCRYPT_KEYMASTER_BADLY_PADDED 4
78#define KDF_SCRYPT_KEYMASTER 5
Paul Lawrence69f4ebd2014-04-14 12:17:14 -070079
80/* Maximum allowed keymaster blob size. */
81#define KEYMASTER_BLOB_SIZE 2048
Kenny Rootc4c70f12013-06-14 12:11:38 -070082
Mark Salyzyn3e971272014-01-21 13:27:04 -080083/* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
Kenny Rootc4c70f12013-06-14 12:11:38 -070084#define __le8 unsigned char
Ken Sumrall8f869aa2010-12-03 03:47:09 -080085
Adam Langley41405bb2015-01-22 16:45:28 -080086#if !defined(SHA256_DIGEST_LENGTH)
87#define SHA256_DIGEST_LENGTH 32
88#endif
89
Ken Sumrall8f869aa2010-12-03 03:47:09 -080090struct crypt_mnt_ftr {
Paul Lawrencef4faa572014-01-29 13:31:03 -080091 __le32 magic; /* See above */
Ken Sumrall8f869aa2010-12-03 03:47:09 -080092 __le16 major_version;
93 __le16 minor_version;
Paul Lawrencef4faa572014-01-29 13:31:03 -080094 __le32 ftr_size; /* in bytes, not including key following */
95 __le32 flags; /* See above */
96 __le32 keysize; /* in bytes */
97 __le32 crypt_type; /* how master_key is encrypted. Must be a
98 * CRYPT_TYPE_XXX value */
Ken Sumrall8f869aa2010-12-03 03:47:09 -080099 __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
100 __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
Paul Lawrence87999172014-02-20 12:21:31 -0800101 mount, set to 0 on successful mount */
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800102 unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
Paul Lawrence87999172014-02-20 12:21:31 -0800103 needed to decrypt this
104 partition, null terminated */
Ken Sumrall160b4d62013-04-22 12:15:39 -0700105 __le32 spare2; /* ignored */
106 unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
107 unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
108 __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
109 * on device with that info, either the footer of the
110 * real_blkdevice or the metadata partition. */
111
112 __le32 persist_data_size; /* The number of bytes allocated to each copy of the
113 * persistent data table*/
Kenny Rootc4c70f12013-06-14 12:11:38 -0700114
115 __le8 kdf_type; /* The key derivation function used. */
116
117 /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
118 __le8 N_factor; /* (1 << N) */
119 __le8 r_factor; /* (1 << r) */
120 __le8 p_factor; /* (1 << p) */
Paul Lawrence87999172014-02-20 12:21:31 -0800121 __le64 encrypted_upto; /* If we are in state CRYPT_ENCRYPTION_IN_PROGRESS and
122 we have to stop (e.g. power low) this is the last
123 encrypted 512 byte sector.*/
124 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* When CRYPT_ENCRYPTION_IN_PROGRESS
125 set, hash of first block, used
126 to validate before continuing*/
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700127
Paul Lawrenced0c7b172014-08-08 14:28:10 -0700128 /* key_master key, used to sign the derived key which is then used to generate
129 * the intermediate key
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700130 * This key should be used for no other purposes! We use this key to sign unpadded
131 * data, which is acceptable but only if the key is not reused elsewhere. */
132 __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
133 __le32 keymaster_blob_size;
Paul Lawrenced0c7b172014-08-08 14:28:10 -0700134
135 /* Store scrypt of salted intermediate key. When decryption fails, we can
136 check if this matches, and if it does, we know that the problem is with the
137 drive, and there is no point in asking the user for more passwords.
138
139 Note that if any part of this structure is corrupt, this will not match and
140 we will continue to believe the user entered the wrong password. In that
141 case the only solution is for the user to enter a password enough times to
142 force a wipe.
143
144 Note also that there is no need to worry about migration. If this data is
145 wrong, we simply won't recognise a right password, and will continue to
146 prompt. On the first password change, this value will be populated and
147 then we will be OK.
148 */
149 unsigned char scrypted_intermediate_key[SCRYPT_LEN];
Ken Sumrall160b4d62013-04-22 12:15:39 -0700150};
151
152/* Persistant data that should be available before decryption.
153 * Things like airplane mode, locale and timezone are kept
154 * here and can be retrieved by the CryptKeeper UI to properly
155 * configure the phone before asking for the password
156 * This is only valid if the major and minor version above
157 * is set to 1.1 or higher.
158 *
159 * This is a 4K structure. There are 2 copies, and the code alternates
160 * writing one and then clearing the previous one. The reading
161 * code reads the first valid copy it finds, based on the magic number.
162 * The absolute offset to the first of the two copies is kept in rev 1.1
163 * and higher crypt_mnt_ftr structures.
164 */
165struct crypt_persist_entry {
166 char key[PROPERTY_KEY_MAX];
167 char val[PROPERTY_VALUE_MAX];
168};
169
170/* Should be exactly 4K in size */
171struct crypt_persist_data {
172 __le32 persist_magic;
173 __le32 persist_valid_entries;
174 __le32 persist_spare[30];
175 struct crypt_persist_entry persist_entry[0];
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800176};
177
Ken Sumrall29d8da82011-05-18 17:20:07 -0700178struct volume_info {
179 unsigned int size;
180 unsigned int flags;
181 struct crypt_mnt_ftr crypt_ftr;
182 char mnt_point[256];
183 char blk_dev[256];
184 char crypto_blkdev[256];
185 char label[256];
186};
Jeff Sharkeyba6ae8d2013-07-15 18:14:25 -0700187#define VOL_NONREMOVABLE 0x1
188#define VOL_ENCRYPTABLE 0x2
189#define VOL_PRIMARY 0x4
190#define VOL_PROVIDES_ASEC 0x8
Ken Sumrall29d8da82011-05-18 17:20:07 -0700191
JP Abgrall502dc742013-11-01 13:06:20 -0700192#define DATA_MNT_POINT "/data"
193
Paul Lawrence74f29f12014-08-28 15:54:10 -0700194/* Return values for cryptfs_crypto_complete */
195#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
196#define CRYPTO_COMPLETE_ENCRYPTED 0
197#define CRYPTO_COMPLETE_BAD_METADATA -1
198#define CRYPTO_COMPLETE_PARTIAL -2
199#define CRYPTO_COMPLETE_INCONSISTENT -3
200#define CRYPTO_COMPLETE_CORRUPT -4
201
JP Abgrall512f0d52014-10-10 18:43:41 -0700202/* Return values for cryptfs_enable_inplace*() */
203#define ENABLE_INPLACE_OK 0
204#define ENABLE_INPLACE_ERR_OTHER -1
205#define ENABLE_INPLACE_ERR_DEV -2 /* crypto_blkdev issue */
206
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800207#ifdef __cplusplus
208extern "C" {
209#endif
Kenny Rootc4c70f12013-06-14 12:11:38 -0700210
Paul Lawrence69f4ebd2014-04-14 12:17:14 -0700211 typedef int (*kdf_func)(const char *passwd, const unsigned char *salt,
Paul Lawrence13486032014-02-03 13:28:11 -0800212 unsigned char *ikey, void *params);
Kenny Rootc4c70f12013-06-14 12:11:38 -0700213
Ken Sumrall7f7dbaa2011-02-01 15:46:41 -0800214 int cryptfs_crypto_complete(void);
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800215 int cryptfs_check_passwd(char *pw);
Ken Sumrall3ad90722011-10-04 20:38:29 -0700216 int cryptfs_verify_passwd(char *newpw);
Ken Sumrall6864b7e2011-01-14 15:20:02 -0800217 int cryptfs_restart(void);
Paul Lawrence45f10532014-04-04 18:11:56 +0000218 int cryptfs_enable(char *flag, int type, char *passwd, int allow_reboot);
Paul Lawrence13486032014-02-03 13:28:11 -0800219 int cryptfs_changepw(int type, const char *newpw);
220 int cryptfs_enable_default(char *flag, int allow_reboot);
Paul Lawrencec19cb9c2015-01-21 09:58:26 -0800221 int cryptfs_maybe_enable_default_crypto();
Ken Sumrall29d8da82011-05-18 17:20:07 -0700222 int cryptfs_setup_volume(const char *label, int major, int minor,
223 char *crypto_dev_path, unsigned int max_pathlen,
224 int *new_major, int *new_minor);
Ken Sumrall0b8b5972011-08-31 16:14:23 -0700225 int cryptfs_revert_volume(const char *label);
Ken Sumrall160b4d62013-04-22 12:15:39 -0700226 int cryptfs_getfield(char *fieldname, char *value, int len);
227 int cryptfs_setfield(char *fieldname, char *value);
Paul Lawrencef4faa572014-01-29 13:31:03 -0800228 int cryptfs_mount_default_encrypted(void);
229 int cryptfs_get_password_type(void);
Paul Lawrence399317e2014-03-10 13:20:50 -0700230 char* cryptfs_get_password(void);
231 void cryptfs_clear_password(void);
Ken Sumrall8f869aa2010-12-03 03:47:09 -0800232#ifdef __cplusplus
233}
234#endif