2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
41 #include <linux/kdev_t.h>
44 #define LOG_TAG "Cryptfs"
45 #include "cutils/log.h"
46 #include "cutils/properties.h"
47 #include "cutils/android_reboot.h"
48 #include "hardware_legacy/power.h"
49 #include <logwrap/logwrap.h>
50 #include "VolumeManager.h"
52 #include "crypto_scrypt.h"
53 #include "ext4_utils.h"
54 #include "f2fs_sparseblock.h"
55 #include "CheckBattery.h"
57 #include <hardware/keymaster.h>
59 #define UNUSED __attribute__((unused))
61 #define UNUSED __attribute__((unused))
63 #define DM_CRYPT_BUF_SIZE 4096
65 #define HASH_COUNT 2000
66 #define KEY_LEN_BYTES 16
67 #define IV_LEN_BYTES 16
69 #define KEY_IN_FOOTER "footer"
71 // "default_password" encoded into hex (d=0x64 etc)
72 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
77 #define TABLE_LOAD_RETRIES 10
79 #define RSA_DEFAULT_KEY_SIZE 2048
80 #define RSA_DEFAULT_EXPONENT 0x10001
84 static unsigned char saved_master_key[KEY_LEN_BYTES];
85 static char *saved_mount_point;
86 static int master_key_saved = 0;
87 static struct crypt_persist_data *persist_data = NULL;
89 static int keymaster_init(keymaster_device_t **keymaster_dev)
93 const hw_module_t* mod;
94 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
96 ALOGE("could not find any keystore module");
100 rc = keymaster_open(mod, keymaster_dev);
102 ALOGE("could not open keymaster device in %s (%s)",
103 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
110 *keymaster_dev = NULL;
114 /* Should we use keymaster? */
115 static int keymaster_check_compatibility()
117 keymaster_device_t *keymaster_dev = 0;
120 if (keymaster_init(&keymaster_dev)) {
121 SLOGE("Failed to init keymaster");
126 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);
128 if (keymaster_dev->common.module->module_api_version
129 < KEYMASTER_MODULE_API_VERSION_0_3) {
134 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
139 keymaster_close(keymaster_dev);
143 /* Create a new keymaster key and store it in this footer */
144 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
147 keymaster_device_t *keymaster_dev = 0;
149 if (keymaster_init(&keymaster_dev)) {
150 SLOGE("Failed to init keymaster");
156 keymaster_rsa_keygen_params_t params;
157 memset(¶ms, '\0', sizeof(params));
158 params.public_exponent = RSA_DEFAULT_EXPONENT;
159 params.modulus_size = RSA_DEFAULT_KEY_SIZE;
162 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms,
164 SLOGE("Failed to generate keypair");
169 if (key_size > KEYMASTER_BLOB_SIZE) {
170 SLOGE("Keymaster key too large for crypto footer");
175 memcpy(ftr->keymaster_blob, key, key_size);
176 ftr->keymaster_blob_size = key_size;
179 keymaster_close(keymaster_dev);
184 /* This signs the given object using the keymaster key */
185 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
186 const unsigned char *object,
187 const size_t object_size,
188 unsigned char **signature,
189 size_t *signature_size)
192 keymaster_device_t *keymaster_dev = 0;
193 if (keymaster_init(&keymaster_dev)) {
194 SLOGE("Failed to init keymaster");
198 /* We currently set the digest type to DIGEST_NONE because it's the
199 * only supported value for keymaster. A similar issue exists with
200 * PADDING_NONE. Long term both of these should likely change.
202 keymaster_rsa_sign_params_t params;
203 params.digest_type = DIGEST_NONE;
204 params.padding_type = PADDING_NONE;
206 rc = keymaster_dev->sign_data(keymaster_dev,
209 ftr->keymaster_blob_size,
215 keymaster_close(keymaster_dev);
219 /* Store password when userdata is successfully decrypted and mounted.
220 * Cleared by cryptfs_clear_password
222 * To avoid a double prompt at boot, we need to store the CryptKeeper
223 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
224 * Since the entire framework is torn down and rebuilt after encryption,
225 * we have to use a daemon or similar to store the password. Since vold
226 * is secured against IPC except from system processes, it seems a reasonable
227 * place to store this.
229 * password should be cleared once it has been used.
231 * password is aged out after password_max_age_seconds seconds.
233 static char* password = 0;
234 static int password_expiry_time = 0;
235 static const int password_max_age_seconds = 60;
237 extern struct fstab *fstab;
239 enum RebootType {reboot, recovery, shutdown};
240 static void cryptfs_reboot(enum RebootType rt)
244 property_set(ANDROID_RB_PROPERTY, "reboot");
248 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
252 property_set(ANDROID_RB_PROPERTY, "shutdown");
258 /* Shouldn't get here, reboot should happen before sleep times out */
262 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
264 memset(io, 0, dataSize);
265 io->data_size = dataSize;
266 io->data_start = sizeof(struct dm_ioctl);
272 strncpy(io->name, name, sizeof(io->name));
277 * Gets the default device scrypt parameters for key derivation time tuning.
278 * The parameters should lead to about one second derivation time for the
281 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
282 const int default_params[] = SCRYPT_DEFAULTS;
283 int params[] = SCRYPT_DEFAULTS;
284 char paramstr[PROPERTY_VALUE_MAX];
289 property_get(SCRYPT_PROP, paramstr, "");
290 if (paramstr[0] != '\0') {
292 * The token we're looking for should be three integers separated by
293 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
295 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
296 token != NULL && i < 3;
297 i++, token = strtok_r(NULL, ":", &saveptr)) {
299 params[i] = strtol(token, &endptr, 10);
302 * Check that there was a valid number and it's 8-bit. If not,
303 * break out and the end check will take the default values.
305 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
311 * If there were not enough tokens or a token was malformed (not an
312 * integer), it will end up here and the default parameters can be
315 if ((i != 3) || (token != NULL)) {
316 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
317 memcpy(params, default_params, sizeof(params));
321 ftr->N_factor = params[0];
322 ftr->r_factor = params[1];
323 ftr->p_factor = params[2];
326 static unsigned int get_fs_size(char *dev)
329 struct ext4_super_block sb;
332 if ((fd = open(dev, O_RDONLY)) < 0) {
333 SLOGE("Cannot open device to get filesystem size ");
337 if (lseek64(fd, 1024, SEEK_SET) < 0) {
338 SLOGE("Cannot seek to superblock");
342 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
343 SLOGE("Cannot read superblock");
349 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
350 SLOGE("Not a valid ext4 superblock");
353 block_size = 1024 << sb.s_log_block_size;
354 /* compute length in bytes */
355 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
357 /* return length in sectors */
358 return (unsigned int) (len / 512);
361 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
363 static int cached_data = 0;
364 static off64_t cached_off = 0;
365 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
367 char key_loc[PROPERTY_VALUE_MAX];
368 char real_blkdev[PROPERTY_VALUE_MAX];
373 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
375 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
376 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
377 SLOGE("Cannot open real block device %s\n", real_blkdev);
381 if ((nr_sec = get_blkdev_size(fd))) {
382 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
383 * encryption info footer and key, and plenty of bytes to spare for future
386 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
387 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
390 SLOGE("Cannot get size of block device %s\n", real_blkdev);
394 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
401 if (metadata_fname) {
402 *metadata_fname = cached_metadata_fname;
413 /* key or salt can be NULL, in which case just skip writing that value. Useful to
414 * update the failed mount count but not change the key.
416 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
419 unsigned int nr_sec, cnt;
420 /* starting_off is set to the SEEK_SET offset
421 * where the crypto structure starts
423 off64_t starting_off;
428 if (get_crypt_ftr_info(&fname, &starting_off)) {
429 SLOGE("Unable to get crypt_ftr_info\n");
432 if (fname[0] != '/') {
433 SLOGE("Unexpected value for crypto key location\n");
436 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
437 SLOGE("Cannot open footer file %s for put\n", fname);
441 /* Seek to the start of the crypt footer */
442 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
443 SLOGE("Cannot seek to real block device footer\n");
447 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
448 SLOGE("Cannot write real block device footer\n");
453 /* If the keys are kept on a raw block device, do not try to truncate it. */
454 if (S_ISREG(statbuf.st_mode)) {
455 if (ftruncate(fd, 0x4000)) {
456 SLOGE("Cannot set footer file size\n");
470 static inline int unix_read(int fd, void* buff, int len)
472 return TEMP_FAILURE_RETRY(read(fd, buff, len));
475 static inline int unix_write(int fd, const void* buff, int len)
477 return TEMP_FAILURE_RETRY(write(fd, buff, len));
480 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
482 memset(pdata, 0, len);
483 pdata->persist_magic = PERSIST_DATA_MAGIC;
484 pdata->persist_valid_entries = 0;
487 /* A routine to update the passed in crypt_ftr to the lastest version.
488 * fd is open read/write on the device that holds the crypto footer and persistent
489 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
490 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
492 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
494 int orig_major = crypt_ftr->major_version;
495 int orig_minor = crypt_ftr->minor_version;
497 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
498 struct crypt_persist_data *pdata;
499 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
501 SLOGW("upgrading crypto footer to 1.1");
503 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
505 SLOGE("Cannot allocate persisent data\n");
508 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
510 /* Need to initialize the persistent data area */
511 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
512 SLOGE("Cannot seek to persisent data offset\n");
515 /* Write all zeros to the first copy, making it invalid */
516 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
518 /* Write a valid but empty structure to the second copy */
519 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
520 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
522 /* Update the footer */
523 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
524 crypt_ftr->persist_data_offset[0] = pdata_offset;
525 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
526 crypt_ftr->minor_version = 1;
529 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
530 SLOGW("upgrading crypto footer to 1.2");
531 /* But keep the old kdf_type.
532 * It will get updated later to KDF_SCRYPT after the password has been verified.
534 crypt_ftr->kdf_type = KDF_PBKDF2;
535 get_device_scrypt_params(crypt_ftr);
536 crypt_ftr->minor_version = 2;
539 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
540 SLOGW("upgrading crypto footer to 1.3");
541 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
542 crypt_ftr->minor_version = 3;
545 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
546 if (lseek64(fd, offset, SEEK_SET) == -1) {
547 SLOGE("Cannot seek to crypt footer\n");
550 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
555 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
558 unsigned int nr_sec, cnt;
559 off64_t starting_off;
564 if (get_crypt_ftr_info(&fname, &starting_off)) {
565 SLOGE("Unable to get crypt_ftr_info\n");
568 if (fname[0] != '/') {
569 SLOGE("Unexpected value for crypto key location\n");
572 if ( (fd = open(fname, O_RDWR)) < 0) {
573 SLOGE("Cannot open footer file %s for get\n", fname);
577 /* Make sure it's 16 Kbytes in length */
579 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
580 SLOGE("footer file %s is not the expected size!\n", fname);
584 /* Seek to the start of the crypt footer */
585 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
586 SLOGE("Cannot seek to real block device footer\n");
590 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
591 SLOGE("Cannot read real block device footer\n");
595 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
596 SLOGE("Bad magic for real block device %s\n", fname);
600 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
601 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
602 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
606 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
607 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
608 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
611 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
612 * copy on disk before returning.
614 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
615 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
626 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
628 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
629 crypt_ftr->persist_data_offset[1]) {
630 SLOGE("Crypt_ftr persist data regions overlap");
634 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
635 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
639 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
640 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
641 CRYPT_FOOTER_OFFSET) {
642 SLOGE("Persistent data extends past crypto footer");
649 static int load_persistent_data(void)
651 struct crypt_mnt_ftr crypt_ftr;
652 struct crypt_persist_data *pdata = NULL;
653 char encrypted_state[PROPERTY_VALUE_MAX];
661 /* Nothing to do, we've already loaded or initialized it */
666 /* If not encrypted, just allocate an empty table and initialize it */
667 property_get("ro.crypto.state", encrypted_state, "");
668 if (strcmp(encrypted_state, "encrypted") ) {
669 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
671 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
672 persist_data = pdata;
678 if(get_crypt_ftr_and_key(&crypt_ftr)) {
682 if ((crypt_ftr.major_version < 1)
683 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
684 SLOGE("Crypt_ftr version doesn't support persistent data");
688 if (get_crypt_ftr_info(&fname, NULL)) {
692 ret = validate_persistent_data_storage(&crypt_ftr);
697 fd = open(fname, O_RDONLY);
699 SLOGE("Cannot open %s metadata file", fname);
703 if (persist_data == NULL) {
704 pdata = malloc(crypt_ftr.persist_data_size);
706 SLOGE("Cannot allocate memory for persistent data");
711 for (i = 0; i < 2; i++) {
712 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
713 SLOGE("Cannot seek to read persistent data on %s", fname);
716 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
717 SLOGE("Error reading persistent data on iteration %d", i);
720 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
727 SLOGI("Could not find valid persistent data, creating");
728 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
732 persist_data = pdata;
744 static int save_persistent_data(void)
746 struct crypt_mnt_ftr crypt_ftr;
747 struct crypt_persist_data *pdata;
749 off64_t write_offset;
750 off64_t erase_offset;
755 if (persist_data == NULL) {
756 SLOGE("No persistent data to save");
760 if(get_crypt_ftr_and_key(&crypt_ftr)) {
764 if ((crypt_ftr.major_version < 1)
765 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
766 SLOGE("Crypt_ftr version doesn't support persistent data");
770 ret = validate_persistent_data_storage(&crypt_ftr);
775 if (get_crypt_ftr_info(&fname, NULL)) {
779 fd = open(fname, O_RDWR);
781 SLOGE("Cannot open %s metadata file", fname);
785 pdata = malloc(crypt_ftr.persist_data_size);
787 SLOGE("Cannot allocate persistant data");
791 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
792 SLOGE("Cannot seek to read persistent data on %s", fname);
796 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
797 SLOGE("Error reading persistent data before save");
801 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
802 /* The first copy is the curent valid copy, so write to
803 * the second copy and erase this one */
804 write_offset = crypt_ftr.persist_data_offset[1];
805 erase_offset = crypt_ftr.persist_data_offset[0];
807 /* The second copy must be the valid copy, so write to
808 * the first copy, and erase the second */
809 write_offset = crypt_ftr.persist_data_offset[0];
810 erase_offset = crypt_ftr.persist_data_offset[1];
813 /* Write the new copy first, if successful, then erase the old copy */
814 if (lseek(fd, write_offset, SEEK_SET) < 0) {
815 SLOGE("Cannot seek to write persistent data");
818 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
819 (int) crypt_ftr.persist_data_size) {
820 if (lseek(fd, erase_offset, SEEK_SET) < 0) {
821 SLOGE("Cannot seek to erase previous persistent data");
825 memset(pdata, 0, crypt_ftr.persist_data_size);
826 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
827 (int) crypt_ftr.persist_data_size) {
828 SLOGE("Cannot write to erase previous persistent data");
833 SLOGE("Cannot write to save persistent data");
849 static int hexdigit (char c)
851 if (c >= '0' && c <= '9') return c - '0';
853 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
857 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
858 unsigned int* out_keysize)
863 size_t size = strlen (master_key_ascii);
865 SLOGE("Trying to convert ascii string of odd length");
869 unsigned char* master_key = (unsigned char*) malloc(size / 2);
870 if (master_key == 0) {
871 SLOGE("Cannot allocate");
875 for (i = 0; i < size; i += 2) {
876 int high_nibble = hexdigit (master_key_ascii[i]);
877 int low_nibble = hexdigit (master_key_ascii[i + 1]);
879 if(high_nibble < 0 || low_nibble < 0) {
880 SLOGE("Invalid hex string");
885 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
892 /* Convert a binary key of specified length into an ascii hex string equivalent,
893 * without the leading 0x and with null termination
895 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
896 char *master_key_ascii)
899 unsigned char nibble;
901 for (i=0, a=0; i<keysize; i++, a+=2) {
902 /* For each byte, write out two ascii hex digits */
903 nibble = (master_key[i] >> 4) & 0xf;
904 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
906 nibble = master_key[i] & 0xf;
907 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
910 /* Add the null termination */
911 master_key_ascii[a] = '\0';
915 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
916 char *real_blk_name, const char *name, int fd,
919 char buffer[DM_CRYPT_BUF_SIZE];
921 struct dm_target_spec *tgt;
923 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
926 io = (struct dm_ioctl *) buffer;
928 /* Load the mapping table for this device */
929 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
931 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
932 io->target_count = 1;
934 tgt->sector_start = 0;
935 tgt->length = crypt_ftr->fs_size;
936 strcpy(tgt->target_type, "crypt");
938 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
939 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
940 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
941 master_key_ascii, real_blk_name, extra_params);
942 crypt_params += strlen(crypt_params) + 1;
943 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
944 tgt->next = crypt_params - buffer;
946 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
947 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
953 if (i == TABLE_LOAD_RETRIES) {
954 /* We failed to load the table, return an error */
962 static int get_dm_crypt_version(int fd, const char *name, int *version)
964 char buffer[DM_CRYPT_BUF_SIZE];
966 struct dm_target_versions *v;
969 io = (struct dm_ioctl *) buffer;
971 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
973 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
977 /* Iterate over the returned versions, looking for name of "crypt".
978 * When found, get and return the version.
980 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
982 if (! strcmp(v->name, "crypt")) {
983 /* We found the crypt driver, return the version, and get out */
984 version[0] = v->version[0];
985 version[1] = v->version[1];
986 version[2] = v->version[2];
989 v = (struct dm_target_versions *)(((char *)v) + v->next);
995 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
996 char *real_blk_name, char *crypto_blk_name, const char *name)
998 char buffer[DM_CRYPT_BUF_SIZE];
999 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1001 struct dm_ioctl *io;
1002 struct dm_target_spec *tgt;
1011 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1012 SLOGE("Cannot open device-mapper\n");
1016 io = (struct dm_ioctl *) buffer;
1018 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1019 if (ioctl(fd, DM_DEV_CREATE, io)) {
1020 SLOGE("Cannot create dm-crypt device\n");
1024 /* Get the device status, in particular, the name of it's device file */
1025 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1026 if (ioctl(fd, DM_DEV_STATUS, io)) {
1027 SLOGE("Cannot retrieve dm-crypt device status\n");
1030 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1031 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1034 if (! get_dm_crypt_version(fd, name, version)) {
1035 /* Support for allow_discards was added in version 1.11.0 */
1036 if ((version[0] >= 2) ||
1037 ((version[0] == 1) && (version[1] >= 11))) {
1038 extra_params = "1 allow_discards";
1039 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1043 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1045 if (load_count < 0) {
1046 SLOGE("Cannot load dm-crypt mapping table.\n");
1048 } else if (load_count > 1) {
1049 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1052 /* Resume this device to activate it */
1053 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1055 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1056 SLOGE("Cannot resume the dm-crypt device\n");
1060 /* We made it here with no errors. Woot! */
1064 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1069 static int delete_crypto_blk_dev(char *name)
1072 char buffer[DM_CRYPT_BUF_SIZE];
1073 struct dm_ioctl *io;
1076 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1077 SLOGE("Cannot open device-mapper\n");
1081 io = (struct dm_ioctl *) buffer;
1083 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1084 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1085 SLOGE("Cannot remove dm-crypt device\n");
1089 /* We made it here with no errors. Woot! */
1093 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1099 static int pbkdf2(const char *passwd, const unsigned char *salt,
1100 unsigned char *ikey, void *params UNUSED)
1102 SLOGI("Using pbkdf2 for cryptfs KDF");
1104 /* Turn the password into a key and IV that can decrypt the master key */
1105 unsigned int keysize;
1106 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1107 if (!master_key) return -1;
1108 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1109 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1111 memset(master_key, 0, keysize);
1116 static int scrypt(const char *passwd, const unsigned char *salt,
1117 unsigned char *ikey, void *params)
1119 SLOGI("Using scrypt for cryptfs KDF");
1121 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1123 int N = 1 << ftr->N_factor;
1124 int r = 1 << ftr->r_factor;
1125 int p = 1 << ftr->p_factor;
1127 /* Turn the password into a key and IV that can decrypt the master key */
1128 unsigned int keysize;
1129 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1130 if (!master_key) return -1;
1131 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1132 KEY_LEN_BYTES + IV_LEN_BYTES);
1134 memset(master_key, 0, keysize);
1139 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1140 unsigned char *ikey, void *params)
1142 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1145 unsigned int key_size;
1146 size_t signature_size;
1147 unsigned char* signature;
1148 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1150 int N = 1 << ftr->N_factor;
1151 int r = 1 << ftr->r_factor;
1152 int p = 1 << ftr->p_factor;
1154 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1156 SLOGE("Failed to convert passwd from hex");
1160 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1161 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1162 memset(master_key, 0, key_size);
1166 SLOGE("scrypt failed");
1170 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1171 &signature, &signature_size)) {
1172 SLOGE("Signing failed");
1176 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1177 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1181 SLOGE("scrypt failed");
1188 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1189 const unsigned char *decrypted_master_key,
1190 unsigned char *encrypted_master_key,
1191 struct crypt_mnt_ftr *crypt_ftr)
1193 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1194 EVP_CIPHER_CTX e_ctx;
1195 int encrypted_len, final_len;
1198 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1199 get_device_scrypt_params(crypt_ftr);
1201 switch (crypt_ftr->kdf_type) {
1202 case KDF_SCRYPT_KEYMASTER:
1203 if (keymaster_create_key(crypt_ftr)) {
1204 SLOGE("keymaster_create_key failed");
1208 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1209 SLOGE("scrypt failed");
1215 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1216 SLOGE("scrypt failed");
1222 SLOGE("Invalid kdf_type");
1226 /* Initialize the decryption engine */
1227 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1228 SLOGE("EVP_EncryptInit failed\n");
1231 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1233 /* Encrypt the master key */
1234 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1235 decrypted_master_key, KEY_LEN_BYTES)) {
1236 SLOGE("EVP_EncryptUpdate failed\n");
1239 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1240 SLOGE("EVP_EncryptFinal failed\n");
1244 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1245 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1249 /* Store the scrypt of the intermediate key, so we can validate if it's a
1250 password error or mount error when things go wrong.
1251 Note there's no need to check for errors, since if this is incorrect, we
1252 simply won't wipe userdata, which is the correct default behavior
1254 int N = 1 << crypt_ftr->N_factor;
1255 int r = 1 << crypt_ftr->r_factor;
1256 int p = 1 << crypt_ftr->p_factor;
1258 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1259 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1260 crypt_ftr->scrypted_intermediate_key,
1261 sizeof(crypt_ftr->scrypted_intermediate_key));
1264 SLOGE("encrypt_master_key: crypto_scrypt failed");
1270 static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1271 unsigned char *encrypted_master_key,
1272 unsigned char *decrypted_master_key,
1273 kdf_func kdf, void *kdf_params,
1274 unsigned char** intermediate_key,
1275 size_t* intermediate_key_size)
1277 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1278 EVP_CIPHER_CTX d_ctx;
1279 int decrypted_len, final_len;
1281 /* Turn the password into an intermediate key and IV that can decrypt the
1283 if (kdf(passwd, salt, ikey, kdf_params)) {
1284 SLOGE("kdf failed");
1288 /* Initialize the decryption engine */
1289 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1292 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1293 /* Decrypt the master key */
1294 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1295 encrypted_master_key, KEY_LEN_BYTES)) {
1298 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1302 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1306 /* Copy intermediate key if needed by params */
1307 if (intermediate_key && intermediate_key_size) {
1308 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1309 if (intermediate_key) {
1310 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1311 *intermediate_key_size = KEY_LEN_BYTES;
1318 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1320 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1321 *kdf = scrypt_keymaster;
1323 } else if (ftr->kdf_type == KDF_SCRYPT) {
1332 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1333 struct crypt_mnt_ftr *crypt_ftr,
1334 unsigned char** intermediate_key,
1335 size_t* intermediate_key_size)
1341 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1342 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1343 decrypted_master_key, kdf, kdf_params,
1344 intermediate_key, intermediate_key_size);
1346 SLOGW("failure decrypting master key");
1352 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1353 struct crypt_mnt_ftr *crypt_ftr) {
1355 unsigned char key_buf[KEY_LEN_BYTES];
1356 EVP_CIPHER_CTX e_ctx;
1357 int encrypted_len, final_len;
1359 /* Get some random bits for a key */
1360 fd = open("/dev/urandom", O_RDONLY);
1361 read(fd, key_buf, sizeof(key_buf));
1362 read(fd, salt, SALT_LEN);
1365 /* Now encrypt it with the password */
1366 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1369 static int wait_and_unmount(char *mountpoint)
1372 #define WAIT_UNMOUNT_COUNT 20
1374 /* Now umount the tmpfs filesystem */
1375 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1376 if (umount(mountpoint)) {
1377 if (errno == EINVAL) {
1378 /* EINVAL is returned if the directory is not a mountpoint,
1379 * i.e. there is no filesystem mounted there. So just get out.
1390 if (i < WAIT_UNMOUNT_COUNT) {
1391 SLOGD("unmounting %s succeeded\n", mountpoint);
1394 SLOGE("unmounting %s failed\n", mountpoint);
1401 #define DATA_PREP_TIMEOUT 200
1402 static int prep_data_fs(void)
1406 /* Do the prep of the /data filesystem */
1407 property_set("vold.post_fs_data_done", "0");
1408 property_set("vold.decrypt", "trigger_post_fs_data");
1409 SLOGD("Just triggered post_fs_data\n");
1411 /* Wait a max of 50 seconds, hopefully it takes much less */
1412 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1413 char p[PROPERTY_VALUE_MAX];
1415 property_get("vold.post_fs_data_done", p, "0");
1422 if (i == DATA_PREP_TIMEOUT) {
1423 /* Ugh, we failed to prep /data in time. Bail. */
1424 SLOGE("post_fs_data timed out!\n");
1427 SLOGD("post_fs_data done\n");
1432 static void cryptfs_set_corrupt()
1434 // Mark the footer as bad
1435 struct crypt_mnt_ftr crypt_ftr;
1436 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1437 SLOGE("Failed to get crypto footer - panic");
1441 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1442 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1443 SLOGE("Failed to set crypto footer - panic");
1448 static void cryptfs_trigger_restart_min_framework()
1450 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1451 SLOGE("Failed to mount tmpfs on data - panic");
1455 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1456 SLOGE("Failed to trigger post fs data - panic");
1460 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1461 SLOGE("Failed to trigger restart min framework - panic");
1466 static int cryptfs_restart_internal(int restart_main)
1469 char real_blkdev[MAXPATHLEN];
1470 char crypto_blkdev[MAXPATHLEN];
1471 char fs_options[256];
1472 unsigned long mnt_flags;
1473 struct stat statbuf;
1475 static int restart_successful = 0;
1477 /* Validate that it's OK to call this routine */
1478 if (! master_key_saved) {
1479 SLOGE("Encrypted filesystem not validated, aborting");
1483 if (restart_successful) {
1484 SLOGE("System already restarted with encrypted disk, aborting");
1489 /* Here is where we shut down the framework. The init scripts
1490 * start all services in one of three classes: core, main or late_start.
1491 * On boot, we start core and main. Now, we stop main, but not core,
1492 * as core includes vold and a few other really important things that
1493 * we need to keep running. Once main has stopped, we should be able
1494 * to umount the tmpfs /data, then mount the encrypted /data.
1495 * We then restart the class main, and also the class late_start.
1496 * At the moment, I've only put a few things in late_start that I know
1497 * are not needed to bring up the framework, and that also cause problems
1498 * with unmounting the tmpfs /data, but I hope to add add more services
1499 * to the late_start class as we optimize this to decrease the delay
1500 * till the user is asked for the password to the filesystem.
1503 /* The init files are setup to stop the class main when vold.decrypt is
1504 * set to trigger_reset_main.
1506 property_set("vold.decrypt", "trigger_reset_main");
1507 SLOGD("Just asked init to shut down class main\n");
1509 /* Ugh, shutting down the framework is not synchronous, so until it
1510 * can be fixed, this horrible hack will wait a moment for it all to
1511 * shut down before proceeding. Without it, some devices cannot
1512 * restart the graphics services.
1517 /* Now that the framework is shutdown, we should be able to umount()
1518 * the tmpfs filesystem, and mount the real one.
1521 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1522 if (strlen(crypto_blkdev) == 0) {
1523 SLOGE("fs_crypto_blkdev not set\n");
1527 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) {
1528 /* If ro.crypto.readonly is set to 1, mount the decrypted
1529 * filesystem readonly. This is used when /data is mounted by
1532 char ro_prop[PROPERTY_VALUE_MAX];
1533 property_get("ro.crypto.readonly", ro_prop, "");
1534 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1535 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1536 rec->flags |= MS_RDONLY;
1539 /* If that succeeded, then mount the decrypted filesystem */
1540 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, 0)) {
1541 SLOGE("Failed to mount decrypted data");
1542 cryptfs_set_corrupt();
1543 cryptfs_trigger_restart_min_framework();
1544 SLOGI("Started framework to offer wipe");
1548 property_set("vold.decrypt", "trigger_load_persist_props");
1549 /* Create necessary paths on /data */
1550 if (prep_data_fs()) {
1554 /* startup service classes main and late_start */
1555 property_set("vold.decrypt", "trigger_restart_framework");
1556 SLOGD("Just triggered restart_framework\n");
1558 /* Give it a few moments to get started */
1563 restart_successful = 1;
1569 int cryptfs_restart(void)
1571 /* Call internal implementation forcing a restart of main service group */
1572 return cryptfs_restart_internal(1);
1575 static int do_crypto_complete(char *mount_point UNUSED)
1577 struct crypt_mnt_ftr crypt_ftr;
1578 char encrypted_state[PROPERTY_VALUE_MAX];
1579 char key_loc[PROPERTY_VALUE_MAX];
1581 property_get("ro.crypto.state", encrypted_state, "");
1582 if (strcmp(encrypted_state, "encrypted") ) {
1583 SLOGE("not running with encryption, aborting");
1584 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1587 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1588 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1591 * Only report this error if key_loc is a file and it exists.
1592 * If the device was never encrypted, and /data is not mountable for
1593 * some reason, returning 1 should prevent the UI from presenting the
1594 * a "enter password" screen, or worse, a "press button to wipe the
1597 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1598 SLOGE("master key file does not exist, aborting");
1599 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1601 SLOGE("Error getting crypt footer and key\n");
1602 return CRYPTO_COMPLETE_BAD_METADATA;
1606 // Test for possible error flags
1607 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1608 SLOGE("Encryption process is partway completed\n");
1609 return CRYPTO_COMPLETE_PARTIAL;
1612 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1613 SLOGE("Encryption process was interrupted but cannot continue\n");
1614 return CRYPTO_COMPLETE_INCONSISTENT;
1617 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1618 SLOGE("Encryption is successful but data is corrupt\n");
1619 return CRYPTO_COMPLETE_CORRUPT;
1622 /* We passed the test! We shall diminish, and return to the west */
1623 return CRYPTO_COMPLETE_ENCRYPTED;
1626 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1627 char *passwd, char *mount_point, char *label)
1629 /* Allocate enough space for a 256 bit key, but we may use less */
1630 unsigned char decrypted_master_key[32];
1631 char crypto_blkdev[MAXPATHLEN];
1632 char real_blkdev[MAXPATHLEN];
1633 char tmp_mount_point[64];
1634 unsigned int orig_failed_decrypt_count;
1638 int use_keymaster = 0;
1640 unsigned char* intermediate_key = 0;
1641 size_t intermediate_key_size = 0;
1643 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1644 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1646 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1647 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1648 &intermediate_key, &intermediate_key_size)) {
1649 SLOGE("Failed to decrypt master key\n");
1655 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1657 // Create crypto block device - all (non fatal) code paths
1659 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1660 real_blkdev, crypto_blkdev, label)) {
1661 SLOGE("Error creating decrypted block device\n");
1666 /* Work out if the problem is the password or the data */
1667 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1668 scrypted_intermediate_key)];
1669 int N = 1 << crypt_ftr->N_factor;
1670 int r = 1 << crypt_ftr->r_factor;
1671 int p = 1 << crypt_ftr->p_factor;
1673 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1674 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1675 N, r, p, scrypted_intermediate_key,
1676 sizeof(scrypted_intermediate_key));
1678 // Does the key match the crypto footer?
1679 if (rc == 0 && memcmp(scrypted_intermediate_key,
1680 crypt_ftr->scrypted_intermediate_key,
1681 sizeof(scrypted_intermediate_key)) == 0) {
1682 SLOGI("Password matches");
1685 /* Try mounting the file system anyway, just in case the problem's with
1686 * the footer, not the key. */
1687 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1688 mkdir(tmp_mount_point, 0755);
1689 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1690 SLOGE("Error temp mounting decrypted block device\n");
1691 delete_crypto_blk_dev(label);
1693 rc = ++crypt_ftr->failed_decrypt_count;
1694 put_crypt_ftr_and_key(crypt_ftr);
1697 SLOGI("Password did not match but decrypted drive mounted - continue");
1698 umount(tmp_mount_point);
1704 crypt_ftr->failed_decrypt_count = 0;
1706 /* Save the name of the crypto block device
1707 * so we can mount it when restarting the framework. */
1708 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1710 /* Also save a the master key so we can reencrypted the key
1711 * the key when we want to change the password on it. */
1712 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1713 saved_mount_point = strdup(mount_point);
1714 master_key_saved = 1;
1715 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1718 // Upgrade if we're not using the latest KDF.
1719 use_keymaster = keymaster_check_compatibility();
1720 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1721 // Don't allow downgrade to KDF_SCRYPT
1722 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1723 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1725 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1726 crypt_ftr->kdf_type = KDF_SCRYPT;
1731 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1732 crypt_ftr->master_key, crypt_ftr);
1734 rc = put_crypt_ftr_and_key(crypt_ftr);
1736 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1741 if (intermediate_key) {
1742 memset(intermediate_key, 0, intermediate_key_size);
1743 free(intermediate_key);
1748 /* Called by vold when it wants to undo the crypto mapping of a volume it
1749 * manages. This is usually in response to a factory reset, when we want
1750 * to undo the crypto mapping so the volume is formatted in the clear.
1752 int cryptfs_revert_volume(const char *label)
1754 return delete_crypto_blk_dev((char *)label);
1758 * Called by vold when it's asked to mount an encrypted, nonremovable volume.
1759 * Setup a dm-crypt mapping, use the saved master key from
1760 * setting up the /data mapping, and return the new device path.
1762 int cryptfs_setup_volume(const char *label, int major, int minor,
1763 char *crypto_sys_path, unsigned int max_path,
1764 int *new_major, int *new_minor)
1766 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
1767 struct crypt_mnt_ftr sd_crypt_ftr;
1768 struct stat statbuf;
1771 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
1773 get_crypt_ftr_and_key(&sd_crypt_ftr);
1775 /* Update the fs_size field to be the size of the volume */
1776 fd = open(real_blkdev, O_RDONLY);
1777 nr_sec = get_blkdev_size(fd);
1780 SLOGE("Cannot get size of volume %s\n", real_blkdev);
1784 sd_crypt_ftr.fs_size = nr_sec;
1785 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
1786 crypto_blkdev, label);
1788 stat(crypto_blkdev, &statbuf);
1789 *new_major = MAJOR(statbuf.st_rdev);
1790 *new_minor = MINOR(statbuf.st_rdev);
1792 /* Create path to sys entry for this block device */
1793 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
1798 int cryptfs_crypto_complete(void)
1800 return do_crypto_complete("/data");
1803 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1805 char encrypted_state[PROPERTY_VALUE_MAX];
1806 property_get("ro.crypto.state", encrypted_state, "");
1807 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1808 SLOGE("encrypted fs already validated or not running with encryption,"
1813 if (get_crypt_ftr_and_key(crypt_ftr)) {
1814 SLOGE("Error getting crypt footer and key");
1821 int cryptfs_check_passwd(char *passwd)
1823 struct crypt_mnt_ftr crypt_ftr;
1826 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1830 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1831 DATA_MNT_POINT, "userdata");
1833 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1834 cryptfs_clear_password();
1835 password = strdup(passwd);
1836 struct timespec now;
1837 clock_gettime(CLOCK_BOOTTIME, &now);
1838 password_expiry_time = now.tv_sec + password_max_age_seconds;
1844 int cryptfs_verify_passwd(char *passwd)
1846 struct crypt_mnt_ftr crypt_ftr;
1847 /* Allocate enough space for a 256 bit key, but we may use less */
1848 unsigned char decrypted_master_key[32];
1849 char encrypted_state[PROPERTY_VALUE_MAX];
1852 property_get("ro.crypto.state", encrypted_state, "");
1853 if (strcmp(encrypted_state, "encrypted") ) {
1854 SLOGE("device not encrypted, aborting");
1858 if (!master_key_saved) {
1859 SLOGE("encrypted fs not yet mounted, aborting");
1863 if (!saved_mount_point) {
1864 SLOGE("encrypted fs failed to save mount point, aborting");
1868 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1869 SLOGE("Error getting crypt footer and key\n");
1873 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1874 /* If the device has no password, then just say the password is valid */
1877 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1878 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1879 /* They match, the password is correct */
1882 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1891 /* Initialize a crypt_mnt_ftr structure. The keysize is
1892 * defaulted to 16 bytes, and the filesystem size to 0.
1893 * Presumably, at a minimum, the caller will update the
1894 * filesystem size and crypto_type_name after calling this function.
1896 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1900 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1901 ftr->magic = CRYPT_MNT_MAGIC;
1902 ftr->major_version = CURRENT_MAJOR_VERSION;
1903 ftr->minor_version = CURRENT_MINOR_VERSION;
1904 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1905 ftr->keysize = KEY_LEN_BYTES;
1907 switch (keymaster_check_compatibility()) {
1909 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1913 ftr->kdf_type = KDF_SCRYPT;
1917 SLOGE("keymaster_check_compatibility failed");
1921 get_device_scrypt_params(ftr);
1923 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1924 if (get_crypt_ftr_info(NULL, &off) == 0) {
1925 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1926 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1927 ftr->persist_data_size;
1933 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
1935 const char *args[10];
1936 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
1942 if (type == EXT4_FS) {
1943 args[0] = "/system/bin/make_ext4fs";
1947 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
1949 args[5] = crypto_blkdev;
1951 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
1952 args[0], args[1], args[2], args[3], args[4], args[5]);
1953 } else if (type == F2FS_FS) {
1954 args[0] = "/system/bin/mkfs.f2fs";
1957 args[3] = crypto_blkdev;
1958 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
1961 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
1962 args[0], args[1], args[2], args[3], args[4]);
1964 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
1968 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
1971 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
1973 if (WIFEXITED(status)) {
1974 if (WEXITSTATUS(status)) {
1975 SLOGE("Error creating filesystem on %s, exit status %d ",
1976 crypto_blkdev, WEXITSTATUS(status));
1978 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
1982 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
1989 #define CRYPT_INPLACE_BUFSIZE 4096
1990 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
1991 #define CRYPT_SECTOR_SIZE 512
1993 /* aligned 32K writes tends to make flash happy.
1994 * SD card association recommends it.
1996 #define BLOCKS_AT_A_TIME 8
1998 struct encryptGroupsData
2003 off64_t one_pct, cur_pct, new_pct;
2004 off64_t blocks_already_done, tot_numblocks;
2005 off64_t used_blocks_already_done, tot_used_blocks;
2006 char* real_blkdev, * crypto_blkdev;
2010 off64_t last_written_sector;
2012 time_t time_started;
2016 static void update_progress(struct encryptGroupsData* data, int is_used)
2018 data->blocks_already_done++;
2021 data->used_blocks_already_done++;
2023 if (data->tot_used_blocks) {
2024 data->new_pct = data->used_blocks_already_done / data->one_pct;
2026 data->new_pct = data->blocks_already_done / data->one_pct;
2029 if (data->new_pct > data->cur_pct) {
2031 data->cur_pct = data->new_pct;
2032 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2033 property_set("vold.encrypt_progress", buf);
2034 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct);
2037 if (data->cur_pct >= 5) {
2038 double elapsed_time = difftime(time(NULL), data->time_started);
2039 off64_t remaining_blocks = data->tot_used_blocks
2040 - data->used_blocks_already_done;
2041 int remaining_time = (int)(elapsed_time * remaining_blocks
2042 / data->used_blocks_already_done);
2044 // Change time only if not yet set, lower, or a lot higher for
2045 // best user experience
2046 if (data->remaining_time == -1
2047 || remaining_time < data->remaining_time
2048 || remaining_time > data->remaining_time + 60) {
2050 snprintf(buf, sizeof(buf), "%d", remaining_time);
2051 property_set("vold.encrypt_time_remaining", buf);
2053 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go",
2054 data->cur_pct, remaining_time);
2055 data->remaining_time = remaining_time;
2060 static int flush_outstanding_data(struct encryptGroupsData* data)
2062 if (data->count == 0) {
2066 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2068 if (pread64(data->realfd, data->buffer,
2069 info.block_size * data->count, data->offset)
2071 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2076 if (pwrite64(data->cryptofd, data->buffer,
2077 info.block_size * data->count, data->offset)
2079 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2080 data->crypto_blkdev);
2083 SLOGI("Encrypted %d blocks at sector %" PRId64,
2084 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2088 data->last_written_sector = (data->offset + data->count)
2089 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2093 static int encrypt_groups(struct encryptGroupsData* data)
2096 u8 *block_bitmap = 0;
2101 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2102 if (!data->buffer) {
2103 SLOGE("Failed to allocate crypto buffer");
2107 block_bitmap = malloc(info.block_size);
2108 if (!block_bitmap) {
2109 SLOGE("failed to allocate block bitmap");
2113 for (i = 0; i < aux_info.groups; ++i) {
2114 SLOGI("Encrypting group %d", i);
2116 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2117 u32 block_count = min(info.blocks_per_group,
2118 aux_info.len_blocks - first_block);
2120 off64_t offset = (u64)info.block_size
2121 * aux_info.bg_desc[i].bg_block_bitmap;
2123 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2124 if (ret != (int)info.block_size) {
2125 SLOGE("failed to read all of block group bitmap %d", i);
2129 offset = (u64)info.block_size * first_block;
2133 for (block = 0; block < block_count; block++) {
2134 int used = bitmap_get_bit(block_bitmap, block);
2135 update_progress(data, used);
2137 if (data->count == 0) {
2138 data->offset = offset;
2142 if (flush_outstanding_data(data)) {
2147 offset += info.block_size;
2149 /* Write data if we are aligned or buffer size reached */
2150 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2151 || data->count == BLOCKS_AT_A_TIME) {
2152 if (flush_outstanding_data(data)) {
2157 if (!is_battery_ok_to_continue()) {
2158 SLOGE("Stopping encryption due to low battery");
2164 if (flush_outstanding_data(data)) {
2169 data->completed = 1;
2178 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2181 off64_t *size_already_done,
2183 off64_t previously_encrypted_upto)
2186 struct encryptGroupsData data;
2187 int rc; // Can't initialize without causing warning -Wclobbered
2189 if (previously_encrypted_upto > *size_already_done) {
2190 SLOGD("Not fast encrypting since resuming part way through");
2194 memset(&data, 0, sizeof(data));
2195 data.real_blkdev = real_blkdev;
2196 data.crypto_blkdev = crypto_blkdev;
2198 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2199 SLOGE("Error opening real_blkdev %s for inplace encrypt\n",
2205 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2206 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n",
2212 if (setjmp(setjmp_env)) {
2213 SLOGE("Reading extent caused an exception");
2218 if (read_ext(data.realfd, 0) != 0) {
2219 SLOGE("Failed to read extent");
2224 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2225 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2226 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2228 SLOGI("Encrypting filesystem in place...");
2230 data.tot_used_blocks = data.numblocks;
2231 for (i = 0; i < aux_info.groups; ++i) {
2232 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2235 data.one_pct = data.tot_used_blocks / 100;
2237 data.time_started = time(NULL);
2238 data.remaining_time = -1;
2240 rc = encrypt_groups(&data);
2242 SLOGE("Error encrypting groups");
2246 *size_already_done += data.completed ? size : data.last_written_sector;
2251 close(data.cryptofd);
2256 static int encrypt_one_block_f2fs(u64 pos, void *data)
2258 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2260 priv_dat->blocks_already_done = pos - 1;
2261 update_progress(priv_dat, 1);
2263 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2265 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2266 SLOGE("Error reading real_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev);
2270 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2271 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev);
2274 SLOGD("Encrypted block %"PRIu64, pos);
2280 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2283 off64_t *size_already_done,
2285 off64_t previously_encrypted_upto)
2288 struct encryptGroupsData data;
2289 struct f2fs_info *f2fs_info = NULL;
2291 if (previously_encrypted_upto > *size_already_done) {
2292 SLOGD("Not fast encrypting since resuming part way through");
2295 memset(&data, 0, sizeof(data));
2296 data.real_blkdev = real_blkdev;
2297 data.crypto_blkdev = crypto_blkdev;
2300 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
2301 SLOGE("Error opening real_blkdev %s for inplace encrypt\n",
2305 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
2306 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n",
2311 f2fs_info = generate_f2fs_info(data.realfd);
2315 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2316 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2317 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2319 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2321 data.one_pct = data.tot_used_blocks / 100;
2323 data.time_started = time(NULL);
2324 data.remaining_time = -1;
2326 data.buffer = malloc(f2fs_info->block_size);
2328 SLOGE("Failed to allocate crypto buffer");
2334 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2335 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2338 SLOGE("Error in running over blocks");
2342 *size_already_done += size;
2347 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2352 close(data.cryptofd);
2357 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2358 off64_t size, off64_t *size_already_done,
2360 off64_t previously_encrypted_upto)
2362 int realfd, cryptofd;
2363 char *buf[CRYPT_INPLACE_BUFSIZE];
2365 off64_t numblocks, i, remainder;
2366 off64_t one_pct, cur_pct, new_pct;
2367 off64_t blocks_already_done, tot_numblocks;
2369 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
2370 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2374 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2375 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev);
2380 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2381 * The size passed in is the number of 512 byte sectors in the filesystem.
2382 * So compute the number of whole 4K blocks we should read/write,
2383 * and the remainder.
2385 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2386 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2387 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2388 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2390 SLOGE("Encrypting filesystem in place...");
2392 i = previously_encrypted_upto + 1 - *size_already_done;
2394 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2395 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2399 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2400 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2404 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2405 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2406 SLOGE("Error reading initial sectors from real_blkdev %s for "
2407 "inplace encrypt\n", crypto_blkdev);
2410 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2411 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2412 "inplace encrypt\n", crypto_blkdev);
2415 SLOGI("Encrypted 1 block at %" PRId64, i);
2419 one_pct = tot_numblocks / 100;
2421 /* process the majority of the filesystem in blocks */
2422 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2423 new_pct = (i + blocks_already_done) / one_pct;
2424 if (new_pct > cur_pct) {
2428 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2429 property_set("vold.encrypt_progress", buf);
2431 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2432 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2435 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2436 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2439 SLOGD("Encrypted %d block at %" PRId64,
2440 CRYPT_SECTORS_PER_BUFSIZE,
2441 i * CRYPT_SECTORS_PER_BUFSIZE);
2444 if (!is_battery_ok_to_continue()) {
2445 SLOGE("Stopping encryption due to low battery");
2446 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2452 /* Do any remaining sectors */
2453 for (i=0; i<remainder; i++) {
2454 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2455 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2458 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2459 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2462 SLOGI("Encrypted 1 block at next location");
2466 *size_already_done += size;
2476 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2477 off64_t size, off64_t *size_already_done,
2479 off64_t previously_encrypted_upto)
2481 if (previously_encrypted_upto) {
2482 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2485 if (*size_already_done + size < previously_encrypted_upto) {
2486 *size_already_done += size;
2490 /* TODO: identify filesystem type.
2491 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2492 * then we will drop down to cryptfs_enable_inplace_f2fs.
2494 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2495 size, size_already_done,
2496 tot_size, previously_encrypted_upto) == 0) {
2500 if (cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2501 size, size_already_done,
2502 tot_size, previously_encrypted_upto) == 0) {
2506 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2507 size, size_already_done, tot_size,
2508 previously_encrypted_upto);
2511 #define CRYPTO_ENABLE_WIPE 1
2512 #define CRYPTO_ENABLE_INPLACE 2
2514 #define FRAMEWORK_BOOT_WAIT 60
2516 static inline int should_encrypt(struct volume_info *volume)
2518 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
2519 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
2522 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2524 int fd = open(filename, O_RDONLY);
2526 SLOGE("Error opening file %s", filename);
2530 char block[CRYPT_INPLACE_BUFSIZE];
2531 memset(block, 0, sizeof(block));
2532 if (unix_read(fd, block, sizeof(block)) < 0) {
2533 SLOGE("Error reading file %s", filename);
2542 SHA256_Update(&c, block, sizeof(block));
2543 SHA256_Final(buf, &c);
2548 static int get_fs_type(struct fstab_rec *rec)
2550 if (!strcmp(rec->fs_type, "ext4")) {
2552 } else if (!strcmp(rec->fs_type, "f2fs")) {
2559 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2560 char *crypto_blkdev, char *real_blkdev,
2561 int previously_encrypted_upto)
2563 off64_t cur_encryption_done=0, tot_encryption_size=0;
2566 if (!is_battery_ok_to_start()) {
2567 SLOGW("Not starting encryption due to low battery");
2571 /* The size of the userdata partition, and add in the vold volumes below */
2572 tot_encryption_size = crypt_ftr->fs_size;
2574 if (how == CRYPTO_ENABLE_WIPE) {
2575 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2576 int fs_type = get_fs_type(rec);
2578 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2581 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2582 } else if (how == CRYPTO_ENABLE_INPLACE) {
2583 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2584 crypt_ftr->fs_size, &cur_encryption_done,
2585 tot_encryption_size,
2586 previously_encrypted_upto);
2589 crypt_ftr->encrypted_upto = cur_encryption_done;
2592 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2593 /* The inplace routine never actually sets the progress to 100% due
2594 * to the round down nature of integer division, so set it here */
2595 property_set("vold.encrypt_progress", "100");
2598 /* Shouldn't happen */
2599 SLOGE("cryptfs_enable: internal error, unknown option\n");
2606 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2610 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2611 unsigned long nr_sec;
2612 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2613 int rc=-1, fd, i, ret;
2614 struct crypt_mnt_ftr crypt_ftr;
2615 struct crypt_persist_data *pdata;
2616 char encrypted_state[PROPERTY_VALUE_MAX];
2617 char lockid[32] = { 0 };
2618 char key_loc[PROPERTY_VALUE_MAX];
2619 char fuse_sdcard[PROPERTY_VALUE_MAX];
2622 struct volume_info *vol_list = 0;
2623 off64_t previously_encrypted_upto = 0;
2625 if (!strcmp(howarg, "wipe")) {
2626 how = CRYPTO_ENABLE_WIPE;
2627 } else if (! strcmp(howarg, "inplace")) {
2628 how = CRYPTO_ENABLE_INPLACE;
2630 /* Shouldn't happen, as CommandListener vets the args */
2631 goto error_unencrypted;
2634 /* See if an encryption was underway and interrupted */
2635 if (how == CRYPTO_ENABLE_INPLACE
2636 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2637 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2638 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2639 crypt_ftr.encrypted_upto = 0;
2640 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2642 /* At this point, we are in an inconsistent state. Until we successfully
2643 complete encryption, a reboot will leave us broken. So mark the
2644 encryption failed in case that happens.
2645 On successfully completing encryption, remove this flag */
2646 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2648 put_crypt_ftr_and_key(&crypt_ftr);
2651 property_get("ro.crypto.state", encrypted_state, "");
2652 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2653 SLOGE("Device is already running encrypted, aborting");
2654 goto error_unencrypted;
2657 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2658 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2659 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2661 /* Get the size of the real block device */
2662 fd = open(real_blkdev, O_RDONLY);
2663 if ( (nr_sec = get_blkdev_size(fd)) == 0) {
2664 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2665 goto error_unencrypted;
2669 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2670 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2671 unsigned int fs_size_sec, max_fs_size_sec;
2672 fs_size_sec = get_fs_size(real_blkdev);
2673 if (fs_size_sec == 0)
2674 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2676 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2678 if (fs_size_sec > max_fs_size_sec) {
2679 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2680 goto error_unencrypted;
2684 /* Get a wakelock as this may take a while, and we don't want the
2685 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2686 * wants to keep the screen on, it can grab a full wakelock.
2688 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2689 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2691 /* Get the sdcard mount point */
2692 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
2693 if (!sd_mnt_point) {
2694 sd_mnt_point = getenv("EXTERNAL_STORAGE");
2696 if (!sd_mnt_point) {
2697 sd_mnt_point = "/mnt/sdcard";
2701 * Currently do not have test devices with multiple encryptable volumes.
2702 * When we acquire some, re-add support.
2704 num_vols=vold_getNumDirectVolumes();
2705 vol_list = malloc(sizeof(struct volume_info) * num_vols);
2706 vold_getDirectVolumeList(vol_list);
2708 for (i=0; i<num_vols; i++) {
2709 if (should_encrypt(&vol_list[i])) {
2710 SLOGE("Cannot encrypt if there are multiple encryptable volumes"
2711 "%s\n", vol_list[i].label);
2712 goto error_unencrypted;
2716 /* The init files are setup to stop the class main and late start when
2717 * vold sets trigger_shutdown_framework.
2719 property_set("vold.decrypt", "trigger_shutdown_framework");
2720 SLOGD("Just asked init to shut down class main\n");
2722 if (vold_unmountAllAsecs()) {
2723 /* Just report the error. If any are left mounted,
2724 * umounting /data below will fail and handle the error.
2726 SLOGE("Error unmounting internal asecs");
2729 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
2730 if (!strcmp(fuse_sdcard, "true")) {
2731 /* This is a device using the fuse layer to emulate the sdcard semantics
2732 * on top of the userdata partition. vold does not manage it, it is managed
2733 * by the sdcard service. The sdcard service was killed by the property trigger
2734 * above, so just unmount it now. We must do this _AFTER_ killing the framework,
2735 * unlike the case for vold managed devices above.
2737 if (wait_and_unmount(sd_mnt_point)) {
2738 goto error_shutting_down;
2742 /* Now unmount the /data partition. */
2743 if (wait_and_unmount(DATA_MNT_POINT)) {
2745 goto error_shutting_down;
2747 goto error_unencrypted;
2751 /* Do extra work for a better UX when doing the long inplace encryption */
2752 if (how == CRYPTO_ENABLE_INPLACE) {
2753 /* Now that /data is unmounted, we need to mount a tmpfs
2754 * /data, set a property saying we're doing inplace encryption,
2755 * and restart the framework.
2757 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2758 goto error_shutting_down;
2760 /* Tells the framework that inplace encryption is starting */
2761 property_set("vold.encrypt_progress", "0");
2763 /* restart the framework. */
2764 /* Create necessary paths on /data */
2765 if (prep_data_fs()) {
2766 goto error_shutting_down;
2769 /* Ugh, shutting down the framework is not synchronous, so until it
2770 * can be fixed, this horrible hack will wait a moment for it all to
2771 * shut down before proceeding. Without it, some devices cannot
2772 * restart the graphics services.
2776 /* startup service classes main and late_start */
2777 property_set("vold.decrypt", "trigger_restart_min_framework");
2778 SLOGD("Just triggered restart_min_framework\n");
2780 /* OK, the framework is restarted and will soon be showing a
2781 * progress bar. Time to setup an encrypted mapping, and
2782 * either write a new filesystem, or encrypt in place updating
2783 * the progress bar as we work.
2787 /* Start the actual work of making an encrypted filesystem */
2788 /* Initialize a crypt_mnt_ftr for the partition */
2789 if (previously_encrypted_upto == 0) {
2790 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2791 goto error_shutting_down;
2794 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2795 crypt_ftr.fs_size = nr_sec
2796 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2798 crypt_ftr.fs_size = nr_sec;
2800 /* At this point, we are in an inconsistent state. Until we successfully
2801 complete encryption, a reboot will leave us broken. So mark the
2802 encryption failed in case that happens.
2803 On successfully completing encryption, remove this flag */
2804 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2805 crypt_ftr.crypt_type = crypt_type;
2806 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
2808 /* Make an encrypted master key */
2809 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2810 SLOGE("Cannot create encrypted master key\n");
2811 goto error_shutting_down;
2814 /* Write the key to the end of the partition */
2815 put_crypt_ftr_and_key(&crypt_ftr);
2817 /* If any persistent data has been remembered, save it.
2818 * If none, create a valid empty table and save that.
2820 if (!persist_data) {
2821 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
2823 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2824 persist_data = pdata;
2828 save_persistent_data();
2832 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2833 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2836 /* If we are continuing, check checksums match */
2838 if (previously_encrypted_upto) {
2839 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2840 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2842 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2843 sizeof(hash_first_block)) != 0) {
2844 SLOGE("Checksums do not match - trigger wipe");
2850 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
2851 crypto_blkdev, real_blkdev,
2852 previously_encrypted_upto);
2855 /* Calculate checksum if we are not finished */
2856 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2857 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2858 crypt_ftr.hash_first_block);
2860 SLOGE("Error calculating checksum for continuing encryption");
2865 /* Undo the dm-crypt mapping whether we succeed or not */
2866 delete_crypto_blk_dev("userdata");
2872 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2874 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2875 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2876 crypt_ftr.encrypted_upto);
2877 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2880 put_crypt_ftr_and_key(&crypt_ftr);
2882 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2883 char value[PROPERTY_VALUE_MAX];
2884 property_get("ro.crypto.state", value, "");
2885 if (!strcmp(value, "")) {
2886 /* default encryption - continue first boot sequence */
2887 property_set("ro.crypto.state", "encrypted");
2888 release_wake_lock(lockid);
2889 cryptfs_check_passwd(DEFAULT_PASSWORD);
2890 cryptfs_restart_internal(1);
2893 sleep(2); /* Give the UI a chance to show 100% progress */
2894 cryptfs_reboot(reboot);
2897 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2898 cryptfs_reboot(shutdown);
2901 char value[PROPERTY_VALUE_MAX];
2903 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2904 if (!strcmp(value, "1")) {
2905 /* wipe data if encryption failed */
2906 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2907 mkdir("/cache/recovery", 0700);
2908 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
2910 write(fd, "--wipe_data", strlen("--wipe_data") + 1);
2913 SLOGE("could not open /cache/recovery/command\n");
2915 cryptfs_reboot(recovery);
2917 /* set property to trigger dialog */
2918 property_set("vold.encrypt_progress", "error_partially_encrypted");
2919 release_wake_lock(lockid);
2924 /* hrm, the encrypt step claims success, but the reboot failed.
2925 * This should not happen.
2926 * Set the property and return. Hope the framework can deal with it.
2928 property_set("vold.encrypt_progress", "error_reboot_failed");
2929 release_wake_lock(lockid);
2934 property_set("vold.encrypt_progress", "error_not_encrypted");
2936 release_wake_lock(lockid);
2940 error_shutting_down:
2941 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2942 * but the framework is stopped and not restarted to show the error, so it's up to
2943 * vold to restart the system.
2945 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
2946 cryptfs_reboot(reboot);
2948 /* shouldn't get here */
2949 property_set("vold.encrypt_progress", "error_shutting_down");
2952 release_wake_lock(lockid);
2957 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
2959 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
2962 int cryptfs_enable_default(char *howarg, int allow_reboot)
2964 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
2965 DEFAULT_PASSWORD, allow_reboot);
2968 int cryptfs_changepw(int crypt_type, const char *newpw)
2970 struct crypt_mnt_ftr crypt_ftr;
2971 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2973 /* This is only allowed after we've successfully decrypted the master key */
2974 if (!master_key_saved) {
2975 SLOGE("Key not saved, aborting");
2979 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2980 SLOGE("Invalid crypt_type %d", crypt_type);
2985 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2986 SLOGE("Error getting crypt footer and key");
2990 crypt_ftr.crypt_type = crypt_type;
2992 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
2996 crypt_ftr.master_key,
3000 put_crypt_ftr_and_key(&crypt_ftr);
3005 static int persist_get_key(char *fieldname, char *value)
3009 if (persist_data == NULL) {
3012 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3013 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3015 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3023 static int persist_set_key(char *fieldname, char *value, int encrypted)
3027 struct crypt_mnt_ftr crypt_ftr;
3028 unsigned int max_persistent_entries;
3031 if (persist_data == NULL) {
3035 /* If encrypted, use the values from the crypt_ftr, otherwise
3036 * use the values for the current spec.
3039 if(get_crypt_ftr_and_key(&crypt_ftr)) {
3042 dsize = crypt_ftr.persist_data_size;
3044 dsize = CRYPT_PERSIST_DATA_SIZE;
3046 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3047 sizeof(struct crypt_persist_entry);
3049 num = persist_data->persist_valid_entries;
3051 for (i = 0; i < num; i++) {
3052 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3053 /* We found an existing entry, update it! */
3054 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3055 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3060 /* We didn't find it, add it to the end, if there is room */
3061 if (persist_data->persist_valid_entries < max_persistent_entries) {
3062 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3063 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3064 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3065 persist_data->persist_valid_entries++;
3072 /* Return the value of the specified field. */
3073 int cryptfs_getfield(char *fieldname, char *value, int len)
3075 char temp_value[PROPERTY_VALUE_MAX];
3076 char real_blkdev[MAXPATHLEN];
3077 /* 0 is success, 1 is not encrypted,
3078 * -1 is value not set, -2 is any other error
3082 if (persist_data == NULL) {
3083 load_persistent_data();
3084 if (persist_data == NULL) {
3085 SLOGE("Getfield error, cannot load persistent data");
3090 if (!persist_get_key(fieldname, temp_value)) {
3091 /* We found it, copy it to the caller's buffer and return */
3092 strlcpy(value, temp_value, len);
3095 /* Sadness, it's not there. Return the error */
3103 /* Set the value of the specified field. */
3104 int cryptfs_setfield(char *fieldname, char *value)
3106 struct crypt_persist_data stored_pdata;
3107 struct crypt_persist_data *pdata_p;
3108 struct crypt_mnt_ftr crypt_ftr;
3109 char encrypted_state[PROPERTY_VALUE_MAX];
3110 /* 0 is success, -1 is an error */
3114 if (persist_data == NULL) {
3115 load_persistent_data();
3116 if (persist_data == NULL) {
3117 SLOGE("Setfield error, cannot load persistent data");
3122 property_get("ro.crypto.state", encrypted_state, "");
3123 if (!strcmp(encrypted_state, "encrypted") ) {
3127 if (persist_set_key(fieldname, value, encrypted)) {
3131 /* If we are running encrypted, save the persistent data now */
3133 if (save_persistent_data()) {
3134 SLOGE("Setfield error, cannot save persistent data");
3145 /* Checks userdata. Attempt to mount the volume if default-
3147 * On success trigger next init phase and return 0.
3148 * Currently do not handle failure - see TODO below.
3150 int cryptfs_mount_default_encrypted(void)
3152 char decrypt_state[PROPERTY_VALUE_MAX];
3153 property_get("vold.decrypt", decrypt_state, "0");
3154 if (!strcmp(decrypt_state, "0")) {
3155 SLOGE("Not encrypted - should not call here");
3157 int crypt_type = cryptfs_get_password_type();
3158 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3159 SLOGE("Bad crypt type - error");
3160 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3161 SLOGD("Password is not default - "
3162 "starting min framework to prompt");
3163 property_set("vold.decrypt", "trigger_restart_min_framework");
3165 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3166 SLOGD("Password is default - restarting filesystem");
3167 cryptfs_restart_internal(0);
3170 SLOGE("Encrypted, default crypt type but can't decrypt");
3174 /** Corrupt. Allow us to boot into framework, which will detect bad
3175 crypto when it calls do_crypto_complete, then do a factory reset
3177 property_set("vold.decrypt", "trigger_restart_min_framework");
3181 /* Returns type of the password, default, pattern, pin or password.
3183 int cryptfs_get_password_type(void)
3185 struct crypt_mnt_ftr crypt_ftr;
3187 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3188 SLOGE("Error getting crypt footer and key\n");
3192 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3196 return crypt_ftr.crypt_type;
3199 char* cryptfs_get_password()
3201 struct timespec now;
3202 clock_gettime(CLOCK_MONOTONIC, &now);
3203 if (now.tv_sec < password_expiry_time) {
3206 cryptfs_clear_password();
3211 void cryptfs_clear_password()
3214 size_t len = strlen(password);
3215 memset(password, 0, len);
3218 password_expiry_time = 0;