2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
41 #include <linux/kdev_t.h>
44 #define LOG_TAG "Cryptfs"
45 #include "cutils/log.h"
46 #include "cutils/properties.h"
47 #include "cutils/android_reboot.h"
48 #include "hardware_legacy/power.h"
49 #include <logwrap/logwrap.h>
50 #include "VolumeManager.h"
52 #include "crypto_scrypt.h"
53 #include "ext4_utils.h"
54 #include "CheckBattery.h"
56 #include <hardware/keymaster.h>
58 #define UNUSED __attribute__((unused))
60 #define UNUSED __attribute__((unused))
62 #define DM_CRYPT_BUF_SIZE 4096
64 #define HASH_COUNT 2000
65 #define KEY_LEN_BYTES 16
66 #define IV_LEN_BYTES 16
68 #define KEY_IN_FOOTER "footer"
70 // "default_password" encoded into hex (d=0x64 etc)
71 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
76 #define TABLE_LOAD_RETRIES 10
78 #define RSA_DEFAULT_KEY_SIZE 2048
79 #define RSA_DEFAULT_EXPONENT 0x10001
83 static unsigned char saved_master_key[KEY_LEN_BYTES];
84 static char *saved_mount_point;
85 static int master_key_saved = 0;
86 static struct crypt_persist_data *persist_data = NULL;
88 static int keymaster_init(keymaster_device_t **keymaster_dev)
92 const hw_module_t* mod;
93 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
95 ALOGE("could not find any keystore module");
99 rc = keymaster_open(mod, keymaster_dev);
101 ALOGE("could not open keymaster device in %s (%s)",
102 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
109 *keymaster_dev = NULL;
113 /* Should we use keymaster? */
114 static int keymaster_check_compatibility()
116 keymaster_device_t *keymaster_dev = 0;
119 if (keymaster_init(&keymaster_dev)) {
120 SLOGE("Failed to init keymaster");
125 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);
127 if (keymaster_dev->common.module->module_api_version
128 < KEYMASTER_MODULE_API_VERSION_0_3) {
133 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
138 keymaster_close(keymaster_dev);
142 /* Create a new keymaster key and store it in this footer */
143 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
146 keymaster_device_t *keymaster_dev = 0;
148 if (keymaster_init(&keymaster_dev)) {
149 SLOGE("Failed to init keymaster");
155 keymaster_rsa_keygen_params_t params;
156 memset(¶ms, '\0', sizeof(params));
157 params.public_exponent = RSA_DEFAULT_EXPONENT;
158 params.modulus_size = RSA_DEFAULT_KEY_SIZE;
161 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms,
163 SLOGE("Failed to generate keypair");
168 if (key_size > KEYMASTER_BLOB_SIZE) {
169 SLOGE("Keymaster key too large for crypto footer");
174 memcpy(ftr->keymaster_blob, key, key_size);
175 ftr->keymaster_blob_size = key_size;
178 keymaster_close(keymaster_dev);
183 /* This signs the given object using the keymaster key */
184 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
185 const unsigned char *object,
186 const size_t object_size,
187 unsigned char **signature,
188 size_t *signature_size)
191 keymaster_device_t *keymaster_dev = 0;
192 if (keymaster_init(&keymaster_dev)) {
193 SLOGE("Failed to init keymaster");
197 /* We currently set the digest type to DIGEST_NONE because it's the
198 * only supported value for keymaster. A similar issue exists with
199 * PADDING_NONE. Long term both of these should likely change.
201 keymaster_rsa_sign_params_t params;
202 params.digest_type = DIGEST_NONE;
203 params.padding_type = PADDING_NONE;
205 rc = keymaster_dev->sign_data(keymaster_dev,
208 ftr->keymaster_blob_size,
214 keymaster_close(keymaster_dev);
218 /* Store password when userdata is successfully decrypted and mounted.
219 * Cleared by cryptfs_clear_password
221 * To avoid a double prompt at boot, we need to store the CryptKeeper
222 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
223 * Since the entire framework is torn down and rebuilt after encryption,
224 * we have to use a daemon or similar to store the password. Since vold
225 * is secured against IPC except from system processes, it seems a reasonable
226 * place to store this.
228 * password should be cleared once it has been used.
230 * password is aged out after password_max_age_seconds seconds.
232 static char* password = 0;
233 static int password_expiry_time = 0;
234 static const int password_max_age_seconds = 60;
236 extern struct fstab *fstab;
238 enum RebootType {reboot, recovery, shutdown};
239 static void cryptfs_reboot(enum RebootType rt)
243 property_set(ANDROID_RB_PROPERTY, "reboot");
247 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
251 property_set(ANDROID_RB_PROPERTY, "shutdown");
257 /* Shouldn't get here, reboot should happen before sleep times out */
261 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
263 memset(io, 0, dataSize);
264 io->data_size = dataSize;
265 io->data_start = sizeof(struct dm_ioctl);
271 strncpy(io->name, name, sizeof(io->name));
276 * Gets the default device scrypt parameters for key derivation time tuning.
277 * The parameters should lead to about one second derivation time for the
280 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
281 const int default_params[] = SCRYPT_DEFAULTS;
282 int params[] = SCRYPT_DEFAULTS;
283 char paramstr[PROPERTY_VALUE_MAX];
288 property_get(SCRYPT_PROP, paramstr, "");
289 if (paramstr[0] != '\0') {
291 * The token we're looking for should be three integers separated by
292 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
294 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
295 token != NULL && i < 3;
296 i++, token = strtok_r(NULL, ":", &saveptr)) {
298 params[i] = strtol(token, &endptr, 10);
301 * Check that there was a valid number and it's 8-bit. If not,
302 * break out and the end check will take the default values.
304 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
310 * If there were not enough tokens or a token was malformed (not an
311 * integer), it will end up here and the default parameters can be
314 if ((i != 3) || (token != NULL)) {
315 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
316 memcpy(params, default_params, sizeof(params));
320 ftr->N_factor = params[0];
321 ftr->r_factor = params[1];
322 ftr->p_factor = params[2];
325 static unsigned int get_fs_size(char *dev)
328 struct ext4_super_block sb;
331 if ((fd = open(dev, O_RDONLY)) < 0) {
332 SLOGE("Cannot open device to get filesystem size ");
336 if (lseek64(fd, 1024, SEEK_SET) < 0) {
337 SLOGE("Cannot seek to superblock");
341 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
342 SLOGE("Cannot read superblock");
348 block_size = 1024 << sb.s_log_block_size;
349 /* compute length in bytes */
350 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
352 /* return length in sectors */
353 return (unsigned int) (len / 512);
356 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
358 static int cached_data = 0;
359 static off64_t cached_off = 0;
360 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
362 char key_loc[PROPERTY_VALUE_MAX];
363 char real_blkdev[PROPERTY_VALUE_MAX];
368 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
370 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
371 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
372 SLOGE("Cannot open real block device %s\n", real_blkdev);
376 if ((nr_sec = get_blkdev_size(fd))) {
377 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
378 * encryption info footer and key, and plenty of bytes to spare for future
381 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
382 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
385 SLOGE("Cannot get size of block device %s\n", real_blkdev);
389 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
396 if (metadata_fname) {
397 *metadata_fname = cached_metadata_fname;
408 /* key or salt can be NULL, in which case just skip writing that value. Useful to
409 * update the failed mount count but not change the key.
411 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
414 unsigned int nr_sec, cnt;
415 /* starting_off is set to the SEEK_SET offset
416 * where the crypto structure starts
418 off64_t starting_off;
423 if (get_crypt_ftr_info(&fname, &starting_off)) {
424 SLOGE("Unable to get crypt_ftr_info\n");
427 if (fname[0] != '/') {
428 SLOGE("Unexpected value for crypto key location\n");
431 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
432 SLOGE("Cannot open footer file %s for put\n", fname);
436 /* Seek to the start of the crypt footer */
437 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
438 SLOGE("Cannot seek to real block device footer\n");
442 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
443 SLOGE("Cannot write real block device footer\n");
448 /* If the keys are kept on a raw block device, do not try to truncate it. */
449 if (S_ISREG(statbuf.st_mode)) {
450 if (ftruncate(fd, 0x4000)) {
451 SLOGE("Cannot set footer file size\n");
465 static inline int unix_read(int fd, void* buff, int len)
467 return TEMP_FAILURE_RETRY(read(fd, buff, len));
470 static inline int unix_write(int fd, const void* buff, int len)
472 return TEMP_FAILURE_RETRY(write(fd, buff, len));
475 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
477 memset(pdata, 0, len);
478 pdata->persist_magic = PERSIST_DATA_MAGIC;
479 pdata->persist_valid_entries = 0;
482 /* A routine to update the passed in crypt_ftr to the lastest version.
483 * fd is open read/write on the device that holds the crypto footer and persistent
484 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
485 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
487 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
489 int orig_major = crypt_ftr->major_version;
490 int orig_minor = crypt_ftr->minor_version;
492 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
493 struct crypt_persist_data *pdata;
494 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
496 SLOGW("upgrading crypto footer to 1.1");
498 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
500 SLOGE("Cannot allocate persisent data\n");
503 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
505 /* Need to initialize the persistent data area */
506 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
507 SLOGE("Cannot seek to persisent data offset\n");
510 /* Write all zeros to the first copy, making it invalid */
511 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
513 /* Write a valid but empty structure to the second copy */
514 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
515 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
517 /* Update the footer */
518 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
519 crypt_ftr->persist_data_offset[0] = pdata_offset;
520 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
521 crypt_ftr->minor_version = 1;
524 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
525 SLOGW("upgrading crypto footer to 1.2");
526 /* But keep the old kdf_type.
527 * It will get updated later to KDF_SCRYPT after the password has been verified.
529 crypt_ftr->kdf_type = KDF_PBKDF2;
530 get_device_scrypt_params(crypt_ftr);
531 crypt_ftr->minor_version = 2;
534 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
535 SLOGW("upgrading crypto footer to 1.3");
536 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
537 crypt_ftr->minor_version = 3;
540 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
541 if (lseek64(fd, offset, SEEK_SET) == -1) {
542 SLOGE("Cannot seek to crypt footer\n");
545 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
550 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
553 unsigned int nr_sec, cnt;
554 off64_t starting_off;
559 if (get_crypt_ftr_info(&fname, &starting_off)) {
560 SLOGE("Unable to get crypt_ftr_info\n");
563 if (fname[0] != '/') {
564 SLOGE("Unexpected value for crypto key location\n");
567 if ( (fd = open(fname, O_RDWR)) < 0) {
568 SLOGE("Cannot open footer file %s for get\n", fname);
572 /* Make sure it's 16 Kbytes in length */
574 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
575 SLOGE("footer file %s is not the expected size!\n", fname);
579 /* Seek to the start of the crypt footer */
580 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
581 SLOGE("Cannot seek to real block device footer\n");
585 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
586 SLOGE("Cannot read real block device footer\n");
590 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
591 SLOGE("Bad magic for real block device %s\n", fname);
595 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
596 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
597 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
601 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
602 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
603 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
606 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
607 * copy on disk before returning.
609 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
610 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
621 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
623 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
624 crypt_ftr->persist_data_offset[1]) {
625 SLOGE("Crypt_ftr persist data regions overlap");
629 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
630 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
634 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
635 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
636 CRYPT_FOOTER_OFFSET) {
637 SLOGE("Persistent data extends past crypto footer");
644 static int load_persistent_data(void)
646 struct crypt_mnt_ftr crypt_ftr;
647 struct crypt_persist_data *pdata = NULL;
648 char encrypted_state[PROPERTY_VALUE_MAX];
656 /* Nothing to do, we've already loaded or initialized it */
661 /* If not encrypted, just allocate an empty table and initialize it */
662 property_get("ro.crypto.state", encrypted_state, "");
663 if (strcmp(encrypted_state, "encrypted") ) {
664 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
666 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
667 persist_data = pdata;
673 if(get_crypt_ftr_and_key(&crypt_ftr)) {
677 if ((crypt_ftr.major_version < 1)
678 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
679 SLOGE("Crypt_ftr version doesn't support persistent data");
683 if (get_crypt_ftr_info(&fname, NULL)) {
687 ret = validate_persistent_data_storage(&crypt_ftr);
692 fd = open(fname, O_RDONLY);
694 SLOGE("Cannot open %s metadata file", fname);
698 if (persist_data == NULL) {
699 pdata = malloc(crypt_ftr.persist_data_size);
701 SLOGE("Cannot allocate memory for persistent data");
706 for (i = 0; i < 2; i++) {
707 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
708 SLOGE("Cannot seek to read persistent data on %s", fname);
711 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
712 SLOGE("Error reading persistent data on iteration %d", i);
715 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
722 SLOGI("Could not find valid persistent data, creating");
723 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
727 persist_data = pdata;
739 static int save_persistent_data(void)
741 struct crypt_mnt_ftr crypt_ftr;
742 struct crypt_persist_data *pdata;
744 off64_t write_offset;
745 off64_t erase_offset;
750 if (persist_data == NULL) {
751 SLOGE("No persistent data to save");
755 if(get_crypt_ftr_and_key(&crypt_ftr)) {
759 if ((crypt_ftr.major_version < 1)
760 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
761 SLOGE("Crypt_ftr version doesn't support persistent data");
765 ret = validate_persistent_data_storage(&crypt_ftr);
770 if (get_crypt_ftr_info(&fname, NULL)) {
774 fd = open(fname, O_RDWR);
776 SLOGE("Cannot open %s metadata file", fname);
780 pdata = malloc(crypt_ftr.persist_data_size);
782 SLOGE("Cannot allocate persistant data");
786 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
787 SLOGE("Cannot seek to read persistent data on %s", fname);
791 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
792 SLOGE("Error reading persistent data before save");
796 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
797 /* The first copy is the curent valid copy, so write to
798 * the second copy and erase this one */
799 write_offset = crypt_ftr.persist_data_offset[1];
800 erase_offset = crypt_ftr.persist_data_offset[0];
802 /* The second copy must be the valid copy, so write to
803 * the first copy, and erase the second */
804 write_offset = crypt_ftr.persist_data_offset[0];
805 erase_offset = crypt_ftr.persist_data_offset[1];
808 /* Write the new copy first, if successful, then erase the old copy */
809 if (lseek(fd, write_offset, SEEK_SET) < 0) {
810 SLOGE("Cannot seek to write persistent data");
813 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
814 (int) crypt_ftr.persist_data_size) {
815 if (lseek(fd, erase_offset, SEEK_SET) < 0) {
816 SLOGE("Cannot seek to erase previous persistent data");
820 memset(pdata, 0, crypt_ftr.persist_data_size);
821 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
822 (int) crypt_ftr.persist_data_size) {
823 SLOGE("Cannot write to erase previous persistent data");
828 SLOGE("Cannot write to save persistent data");
844 static int hexdigit (char c)
846 if (c >= '0' && c <= '9') return c - '0';
848 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
852 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
853 unsigned int* out_keysize)
858 size_t size = strlen (master_key_ascii);
860 SLOGE("Trying to convert ascii string of odd length");
864 unsigned char* master_key = (unsigned char*) malloc(size / 2);
865 if (master_key == 0) {
866 SLOGE("Cannot allocate");
870 for (i = 0; i < size; i += 2) {
871 int high_nibble = hexdigit (master_key_ascii[i]);
872 int low_nibble = hexdigit (master_key_ascii[i + 1]);
874 if(high_nibble < 0 || low_nibble < 0) {
875 SLOGE("Invalid hex string");
880 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
887 /* Convert a binary key of specified length into an ascii hex string equivalent,
888 * without the leading 0x and with null termination
890 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
891 char *master_key_ascii)
894 unsigned char nibble;
896 for (i=0, a=0; i<keysize; i++, a+=2) {
897 /* For each byte, write out two ascii hex digits */
898 nibble = (master_key[i] >> 4) & 0xf;
899 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
901 nibble = master_key[i] & 0xf;
902 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
905 /* Add the null termination */
906 master_key_ascii[a] = '\0';
910 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
911 char *real_blk_name, const char *name, int fd,
914 char buffer[DM_CRYPT_BUF_SIZE];
916 struct dm_target_spec *tgt;
918 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
921 io = (struct dm_ioctl *) buffer;
923 /* Load the mapping table for this device */
924 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
926 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
927 io->target_count = 1;
929 tgt->sector_start = 0;
930 tgt->length = crypt_ftr->fs_size;
931 strcpy(tgt->target_type, "crypt");
933 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
934 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
935 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
936 master_key_ascii, real_blk_name, extra_params);
937 crypt_params += strlen(crypt_params) + 1;
938 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
939 tgt->next = crypt_params - buffer;
941 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
942 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
948 if (i == TABLE_LOAD_RETRIES) {
949 /* We failed to load the table, return an error */
957 static int get_dm_crypt_version(int fd, const char *name, int *version)
959 char buffer[DM_CRYPT_BUF_SIZE];
961 struct dm_target_versions *v;
964 io = (struct dm_ioctl *) buffer;
966 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
968 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
972 /* Iterate over the returned versions, looking for name of "crypt".
973 * When found, get and return the version.
975 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
977 if (! strcmp(v->name, "crypt")) {
978 /* We found the crypt driver, return the version, and get out */
979 version[0] = v->version[0];
980 version[1] = v->version[1];
981 version[2] = v->version[2];
984 v = (struct dm_target_versions *)(((char *)v) + v->next);
990 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
991 char *real_blk_name, char *crypto_blk_name, const char *name)
993 char buffer[DM_CRYPT_BUF_SIZE];
994 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
997 struct dm_target_spec *tgt;
1006 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1007 SLOGE("Cannot open device-mapper\n");
1011 io = (struct dm_ioctl *) buffer;
1013 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1014 if (ioctl(fd, DM_DEV_CREATE, io)) {
1015 SLOGE("Cannot create dm-crypt device\n");
1019 /* Get the device status, in particular, the name of it's device file */
1020 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1021 if (ioctl(fd, DM_DEV_STATUS, io)) {
1022 SLOGE("Cannot retrieve dm-crypt device status\n");
1025 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1026 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1029 if (! get_dm_crypt_version(fd, name, version)) {
1030 /* Support for allow_discards was added in version 1.11.0 */
1031 if ((version[0] >= 2) ||
1032 ((version[0] == 1) && (version[1] >= 11))) {
1033 extra_params = "1 allow_discards";
1034 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1038 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1040 if (load_count < 0) {
1041 SLOGE("Cannot load dm-crypt mapping table.\n");
1043 } else if (load_count > 1) {
1044 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1047 /* Resume this device to activate it */
1048 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1050 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1051 SLOGE("Cannot resume the dm-crypt device\n");
1055 /* We made it here with no errors. Woot! */
1059 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1064 static int delete_crypto_blk_dev(char *name)
1067 char buffer[DM_CRYPT_BUF_SIZE];
1068 struct dm_ioctl *io;
1071 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1072 SLOGE("Cannot open device-mapper\n");
1076 io = (struct dm_ioctl *) buffer;
1078 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1079 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1080 SLOGE("Cannot remove dm-crypt device\n");
1084 /* We made it here with no errors. Woot! */
1088 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1094 static int pbkdf2(const char *passwd, const unsigned char *salt,
1095 unsigned char *ikey, void *params UNUSED)
1097 SLOGI("Using pbkdf2 for cryptfs KDF");
1099 /* Turn the password into a key and IV that can decrypt the master key */
1100 unsigned int keysize;
1101 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1102 if (!master_key) return -1;
1103 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1104 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1106 memset(master_key, 0, keysize);
1111 static int scrypt(const char *passwd, const unsigned char *salt,
1112 unsigned char *ikey, void *params)
1114 SLOGI("Using scrypt for cryptfs KDF");
1116 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1118 int N = 1 << ftr->N_factor;
1119 int r = 1 << ftr->r_factor;
1120 int p = 1 << ftr->p_factor;
1122 /* Turn the password into a key and IV that can decrypt the master key */
1123 unsigned int keysize;
1124 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1125 if (!master_key) return -1;
1126 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1127 KEY_LEN_BYTES + IV_LEN_BYTES);
1129 memset(master_key, 0, keysize);
1134 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1135 unsigned char *ikey, void *params)
1137 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1140 unsigned int key_size;
1141 size_t signature_size;
1142 unsigned char* signature;
1143 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1145 int N = 1 << ftr->N_factor;
1146 int r = 1 << ftr->r_factor;
1147 int p = 1 << ftr->p_factor;
1149 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1151 SLOGE("Failed to convert passwd from hex");
1155 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1156 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1157 memset(master_key, 0, key_size);
1161 SLOGE("scrypt failed");
1165 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1166 &signature, &signature_size)) {
1167 SLOGE("Signing failed");
1171 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1172 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1176 SLOGE("scrypt failed");
1183 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1184 const unsigned char *decrypted_master_key,
1185 unsigned char *encrypted_master_key,
1186 struct crypt_mnt_ftr *crypt_ftr)
1188 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1189 EVP_CIPHER_CTX e_ctx;
1190 int encrypted_len, final_len;
1193 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1194 get_device_scrypt_params(crypt_ftr);
1196 switch (crypt_ftr->kdf_type) {
1197 case KDF_SCRYPT_KEYMASTER:
1198 if (keymaster_create_key(crypt_ftr)) {
1199 SLOGE("keymaster_create_key failed");
1203 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1204 SLOGE("scrypt failed");
1210 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1211 SLOGE("scrypt failed");
1217 SLOGE("Invalid kdf_type");
1221 /* Initialize the decryption engine */
1222 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1223 SLOGE("EVP_EncryptInit failed\n");
1226 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1228 /* Encrypt the master key */
1229 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1230 decrypted_master_key, KEY_LEN_BYTES)) {
1231 SLOGE("EVP_EncryptUpdate failed\n");
1234 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1235 SLOGE("EVP_EncryptFinal failed\n");
1239 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1240 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1244 /* Store the scrypt of the intermediate key, so we can validate if it's a
1245 password error or mount error when things go wrong.
1246 Note there's no need to check for errors, since if this is incorrect, we
1247 simply won't wipe userdata, which is the correct default behavior
1249 int N = 1 << crypt_ftr->N_factor;
1250 int r = 1 << crypt_ftr->r_factor;
1251 int p = 1 << crypt_ftr->p_factor;
1253 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1254 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1255 crypt_ftr->scrypted_intermediate_key,
1256 sizeof(crypt_ftr->scrypted_intermediate_key));
1259 SLOGE("encrypt_master_key: crypto_scrypt failed");
1265 static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1266 unsigned char *encrypted_master_key,
1267 unsigned char *decrypted_master_key,
1268 kdf_func kdf, void *kdf_params,
1269 unsigned char** intermediate_key,
1270 size_t* intermediate_key_size)
1272 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1273 EVP_CIPHER_CTX d_ctx;
1274 int decrypted_len, final_len;
1276 /* Turn the password into an intermediate key and IV that can decrypt the
1278 if (kdf(passwd, salt, ikey, kdf_params)) {
1279 SLOGE("kdf failed");
1283 /* Initialize the decryption engine */
1284 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1287 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1288 /* Decrypt the master key */
1289 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1290 encrypted_master_key, KEY_LEN_BYTES)) {
1293 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1297 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1301 /* Copy intermediate key if needed by params */
1302 if (intermediate_key && intermediate_key_size) {
1303 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1304 if (intermediate_key) {
1305 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1306 *intermediate_key_size = KEY_LEN_BYTES;
1313 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1315 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1316 *kdf = scrypt_keymaster;
1318 } else if (ftr->kdf_type == KDF_SCRYPT) {
1327 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1328 struct crypt_mnt_ftr *crypt_ftr,
1329 unsigned char** intermediate_key,
1330 size_t* intermediate_key_size)
1336 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1337 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1338 decrypted_master_key, kdf, kdf_params,
1339 intermediate_key, intermediate_key_size);
1341 SLOGW("failure decrypting master key");
1347 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1348 struct crypt_mnt_ftr *crypt_ftr) {
1350 unsigned char key_buf[KEY_LEN_BYTES];
1351 EVP_CIPHER_CTX e_ctx;
1352 int encrypted_len, final_len;
1354 /* Get some random bits for a key */
1355 fd = open("/dev/urandom", O_RDONLY);
1356 read(fd, key_buf, sizeof(key_buf));
1357 read(fd, salt, SALT_LEN);
1360 /* Now encrypt it with the password */
1361 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1364 static int wait_and_unmount(char *mountpoint)
1367 #define WAIT_UNMOUNT_COUNT 20
1369 /* Now umount the tmpfs filesystem */
1370 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1371 if (umount(mountpoint)) {
1372 if (errno == EINVAL) {
1373 /* EINVAL is returned if the directory is not a mountpoint,
1374 * i.e. there is no filesystem mounted there. So just get out.
1385 if (i < WAIT_UNMOUNT_COUNT) {
1386 SLOGD("unmounting %s succeeded\n", mountpoint);
1389 SLOGE("unmounting %s failed\n", mountpoint);
1396 #define DATA_PREP_TIMEOUT 200
1397 static int prep_data_fs(void)
1401 /* Do the prep of the /data filesystem */
1402 property_set("vold.post_fs_data_done", "0");
1403 property_set("vold.decrypt", "trigger_post_fs_data");
1404 SLOGD("Just triggered post_fs_data\n");
1406 /* Wait a max of 50 seconds, hopefully it takes much less */
1407 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1408 char p[PROPERTY_VALUE_MAX];
1410 property_get("vold.post_fs_data_done", p, "0");
1417 if (i == DATA_PREP_TIMEOUT) {
1418 /* Ugh, we failed to prep /data in time. Bail. */
1419 SLOGE("post_fs_data timed out!\n");
1422 SLOGD("post_fs_data done\n");
1427 static int cryptfs_restart_internal(int restart_main)
1430 char real_blkdev[MAXPATHLEN];
1431 char crypto_blkdev[MAXPATHLEN];
1432 char fs_options[256];
1433 unsigned long mnt_flags;
1434 struct stat statbuf;
1436 static int restart_successful = 0;
1438 /* Validate that it's OK to call this routine */
1439 if (! master_key_saved) {
1440 SLOGE("Encrypted filesystem not validated, aborting");
1444 if (restart_successful) {
1445 SLOGE("System already restarted with encrypted disk, aborting");
1450 /* Here is where we shut down the framework. The init scripts
1451 * start all services in one of three classes: core, main or late_start.
1452 * On boot, we start core and main. Now, we stop main, but not core,
1453 * as core includes vold and a few other really important things that
1454 * we need to keep running. Once main has stopped, we should be able
1455 * to umount the tmpfs /data, then mount the encrypted /data.
1456 * We then restart the class main, and also the class late_start.
1457 * At the moment, I've only put a few things in late_start that I know
1458 * are not needed to bring up the framework, and that also cause problems
1459 * with unmounting the tmpfs /data, but I hope to add add more services
1460 * to the late_start class as we optimize this to decrease the delay
1461 * till the user is asked for the password to the filesystem.
1464 /* The init files are setup to stop the class main when vold.decrypt is
1465 * set to trigger_reset_main.
1467 property_set("vold.decrypt", "trigger_reset_main");
1468 SLOGD("Just asked init to shut down class main\n");
1470 /* Ugh, shutting down the framework is not synchronous, so until it
1471 * can be fixed, this horrible hack will wait a moment for it all to
1472 * shut down before proceeding. Without it, some devices cannot
1473 * restart the graphics services.
1478 /* Now that the framework is shutdown, we should be able to umount()
1479 * the tmpfs filesystem, and mount the real one.
1482 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1483 if (strlen(crypto_blkdev) == 0) {
1484 SLOGE("fs_crypto_blkdev not set\n");
1488 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) {
1489 /* If ro.crypto.readonly is set to 1, mount the decrypted
1490 * filesystem readonly. This is used when /data is mounted by
1493 char ro_prop[PROPERTY_VALUE_MAX];
1494 property_get("ro.crypto.readonly", ro_prop, "");
1495 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1496 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1497 rec->flags |= MS_RDONLY;
1500 /* If that succeeded, then mount the decrypted filesystem */
1501 fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, 0);
1503 property_set("vold.decrypt", "trigger_load_persist_props");
1504 /* Create necessary paths on /data */
1505 if (prep_data_fs()) {
1509 /* startup service classes main and late_start */
1510 property_set("vold.decrypt", "trigger_restart_framework");
1511 SLOGD("Just triggered restart_framework\n");
1513 /* Give it a few moments to get started */
1518 restart_successful = 1;
1524 int cryptfs_restart(void)
1526 /* Call internal implementation forcing a restart of main service group */
1527 return cryptfs_restart_internal(1);
1530 static int do_crypto_complete(char *mount_point UNUSED)
1532 struct crypt_mnt_ftr crypt_ftr;
1533 char encrypted_state[PROPERTY_VALUE_MAX];
1534 char key_loc[PROPERTY_VALUE_MAX];
1536 property_get("ro.crypto.state", encrypted_state, "");
1537 if (strcmp(encrypted_state, "encrypted") ) {
1538 SLOGE("not running with encryption, aborting");
1542 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1543 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1546 * Only report this error if key_loc is a file and it exists.
1547 * If the device was never encrypted, and /data is not mountable for
1548 * some reason, returning 1 should prevent the UI from presenting the
1549 * a "enter password" screen, or worse, a "press button to wipe the
1552 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1553 SLOGE("master key file does not exist, aborting");
1556 SLOGE("Error getting crypt footer and key\n");
1562 & (CRYPT_ENCRYPTION_IN_PROGRESS | CRYPT_INCONSISTENT_STATE)) {
1563 SLOGE("Encryption process didn't finish successfully\n");
1564 return -2; /* -2 is the clue to the UI that there is no usable data on the disk,
1565 * and give the user an option to wipe the disk */
1568 /* We passed the test! We shall diminish, and return to the west */
1572 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1573 char *passwd, char *mount_point, char *label)
1575 /* Allocate enough space for a 256 bit key, but we may use less */
1576 unsigned char decrypted_master_key[32];
1577 char crypto_blkdev[MAXPATHLEN];
1578 char real_blkdev[MAXPATHLEN];
1579 char tmp_mount_point[64];
1580 unsigned int orig_failed_decrypt_count;
1584 int use_keymaster = 0;
1586 unsigned char* intermediate_key = 0;
1587 size_t intermediate_key_size = 0;
1589 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1590 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1592 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1593 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1594 &intermediate_key, &intermediate_key_size)) {
1595 SLOGE("Failed to decrypt master key\n");
1601 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1603 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1604 real_blkdev, crypto_blkdev, label)) {
1605 SLOGE("Error creating decrypted block device\n");
1610 /* If init detects an encrypted filesystem, it writes a file for each such
1611 * encrypted fs into the tmpfs /data filesystem, and then the framework finds those
1612 * files and passes that data to me */
1613 /* Create a tmp mount point to try mounting the decryptd fs
1614 * Since we're here, the mount_point should be a tmpfs filesystem, so make
1615 * a directory in it to test mount the decrypted filesystem.
1617 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1618 mkdir(tmp_mount_point, 0755);
1619 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1620 SLOGE("Error temp mounting decrypted block device\n");
1621 delete_crypto_blk_dev(label);
1623 /* Work out if the problem is the password or the data */
1624 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1625 scrypted_intermediate_key)];
1626 int N = 1 << crypt_ftr->N_factor;
1627 int r = 1 << crypt_ftr->r_factor;
1628 int p = 1 << crypt_ftr->p_factor;
1630 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1631 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1632 N, r, p, scrypted_intermediate_key,
1633 sizeof(scrypted_intermediate_key));
1634 if (rc == 0 && memcmp(scrypted_intermediate_key,
1635 crypt_ftr->scrypted_intermediate_key,
1636 sizeof(scrypted_intermediate_key)) == 0) {
1637 SLOGE("Right password, so wipe");
1640 SLOGE(rc ? "scrypt failure, so allow retry" :
1641 "Wrong password, so allow retry");
1642 rc = ++crypt_ftr->failed_decrypt_count;
1643 put_crypt_ftr_and_key(crypt_ftr);
1647 * umount and we'll mount it properly when we restart the framework.
1649 umount(tmp_mount_point);
1650 crypt_ftr->failed_decrypt_count = 0;
1652 /* Save the name of the crypto block device
1653 * so we can mount it when restarting the framework.
1655 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1657 /* Also save a the master key so we can reencrypted the key
1658 * the key when we want to change the password on it.
1660 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1661 saved_mount_point = strdup(mount_point);
1662 master_key_saved = 1;
1663 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1667 * Upgrade if we're not using the latest KDF.
1669 use_keymaster = keymaster_check_compatibility();
1670 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1671 // Don't allow downgrade to KDF_SCRYPT
1672 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1673 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1675 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1676 crypt_ftr->kdf_type = KDF_SCRYPT;
1681 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1682 crypt_ftr->master_key, crypt_ftr);
1684 rc = put_crypt_ftr_and_key(crypt_ftr);
1686 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1691 if (intermediate_key) {
1692 memset(intermediate_key, 0, intermediate_key_size);
1693 free(intermediate_key);
1698 /* Called by vold when it wants to undo the crypto mapping of a volume it
1699 * manages. This is usually in response to a factory reset, when we want
1700 * to undo the crypto mapping so the volume is formatted in the clear.
1702 int cryptfs_revert_volume(const char *label)
1704 return delete_crypto_blk_dev((char *)label);
1708 * Called by vold when it's asked to mount an encrypted, nonremovable volume.
1709 * Setup a dm-crypt mapping, use the saved master key from
1710 * setting up the /data mapping, and return the new device path.
1712 int cryptfs_setup_volume(const char *label, int major, int minor,
1713 char *crypto_sys_path, unsigned int max_path,
1714 int *new_major, int *new_minor)
1716 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
1717 struct crypt_mnt_ftr sd_crypt_ftr;
1718 struct stat statbuf;
1721 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
1723 get_crypt_ftr_and_key(&sd_crypt_ftr);
1725 /* Update the fs_size field to be the size of the volume */
1726 fd = open(real_blkdev, O_RDONLY);
1727 nr_sec = get_blkdev_size(fd);
1730 SLOGE("Cannot get size of volume %s\n", real_blkdev);
1734 sd_crypt_ftr.fs_size = nr_sec;
1735 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
1736 crypto_blkdev, label);
1738 stat(crypto_blkdev, &statbuf);
1739 *new_major = MAJOR(statbuf.st_rdev);
1740 *new_minor = MINOR(statbuf.st_rdev);
1742 /* Create path to sys entry for this block device */
1743 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
1748 int cryptfs_crypto_complete(void)
1750 return do_crypto_complete("/data");
1753 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1755 char encrypted_state[PROPERTY_VALUE_MAX];
1756 property_get("ro.crypto.state", encrypted_state, "");
1757 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1758 SLOGE("encrypted fs already validated or not running with encryption,"
1763 if (get_crypt_ftr_and_key(crypt_ftr)) {
1764 SLOGE("Error getting crypt footer and key");
1771 int cryptfs_check_passwd(char *passwd)
1773 struct crypt_mnt_ftr crypt_ftr;
1776 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1780 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1781 DATA_MNT_POINT, "userdata");
1783 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1784 cryptfs_clear_password();
1785 password = strdup(passwd);
1786 struct timespec now;
1787 clock_gettime(CLOCK_BOOTTIME, &now);
1788 password_expiry_time = now.tv_sec + password_max_age_seconds;
1794 int cryptfs_verify_passwd(char *passwd)
1796 struct crypt_mnt_ftr crypt_ftr;
1797 /* Allocate enough space for a 256 bit key, but we may use less */
1798 unsigned char decrypted_master_key[32];
1799 char encrypted_state[PROPERTY_VALUE_MAX];
1802 property_get("ro.crypto.state", encrypted_state, "");
1803 if (strcmp(encrypted_state, "encrypted") ) {
1804 SLOGE("device not encrypted, aborting");
1808 if (!master_key_saved) {
1809 SLOGE("encrypted fs not yet mounted, aborting");
1813 if (!saved_mount_point) {
1814 SLOGE("encrypted fs failed to save mount point, aborting");
1818 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1819 SLOGE("Error getting crypt footer and key\n");
1823 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1824 /* If the device has no password, then just say the password is valid */
1827 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1828 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1829 /* They match, the password is correct */
1832 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1841 /* Initialize a crypt_mnt_ftr structure. The keysize is
1842 * defaulted to 16 bytes, and the filesystem size to 0.
1843 * Presumably, at a minimum, the caller will update the
1844 * filesystem size and crypto_type_name after calling this function.
1846 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1850 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1851 ftr->magic = CRYPT_MNT_MAGIC;
1852 ftr->major_version = CURRENT_MAJOR_VERSION;
1853 ftr->minor_version = CURRENT_MINOR_VERSION;
1854 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1855 ftr->keysize = KEY_LEN_BYTES;
1857 switch (keymaster_check_compatibility()) {
1859 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1863 ftr->kdf_type = KDF_SCRYPT;
1867 SLOGE("keymaster_check_compatibility failed");
1871 get_device_scrypt_params(ftr);
1873 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1874 if (get_crypt_ftr_info(NULL, &off) == 0) {
1875 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1876 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1877 ftr->persist_data_size;
1883 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
1885 const char *args[10];
1886 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
1892 if (type == EXT4_FS) {
1893 args[0] = "/system/bin/make_ext4fs";
1897 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
1899 args[5] = crypto_blkdev;
1901 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
1902 args[0], args[1], args[2], args[3], args[4], args[5]);
1903 } else if (type == F2FS_FS) {
1904 args[0] = "/system/bin/mkfs.f2fs";
1907 args[3] = crypto_blkdev;
1908 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
1911 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
1912 args[0], args[1], args[2], args[3], args[4]);
1914 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
1918 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
1921 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
1923 if (WIFEXITED(status)) {
1924 if (WEXITSTATUS(status)) {
1925 SLOGE("Error creating filesystem on %s, exit status %d ",
1926 crypto_blkdev, WEXITSTATUS(status));
1928 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
1932 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
1939 #define CRYPT_INPLACE_BUFSIZE 4096
1940 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
1941 #define CRYPT_SECTOR_SIZE 512
1943 /* aligned 32K writes tends to make flash happy.
1944 * SD card association recommends it.
1946 #define BLOCKS_AT_A_TIME 8
1948 struct encryptGroupsData
1953 off64_t one_pct, cur_pct, new_pct;
1954 off64_t blocks_already_done, tot_numblocks;
1955 off64_t used_blocks_already_done, tot_used_blocks;
1956 char* real_blkdev, * crypto_blkdev;
1960 off64_t last_written_sector;
1962 time_t time_started;
1966 static void update_progress(struct encryptGroupsData* data, int is_used)
1968 data->blocks_already_done++;
1971 data->used_blocks_already_done++;
1974 if (data->tot_used_blocks) {
1975 data->new_pct = data->used_blocks_already_done / data->one_pct;
1977 data->new_pct = data->blocks_already_done / data->one_pct;
1980 if (data->new_pct > data->cur_pct) {
1982 data->cur_pct = data->new_pct;
1983 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
1984 property_set("vold.encrypt_progress", buf);
1985 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct);
1988 if (data->cur_pct >= 5) {
1989 double elapsed_time = difftime(time(NULL), data->time_started);
1990 off64_t remaining_blocks = data->tot_used_blocks
1991 - data->used_blocks_already_done;
1992 int remaining_time = (int)(elapsed_time * remaining_blocks
1993 / data->used_blocks_already_done);
1994 if (data->remaining_time == -1
1995 || remaining_time < data->remaining_time) {
1997 snprintf(buf, sizeof(buf), "%d", remaining_time);
1998 property_set("vold.encrypt_time_remaining", buf);
2000 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go",
2001 data->cur_pct, remaining_time);
2002 data->remaining_time = remaining_time;
2007 static int flush_outstanding_data(struct encryptGroupsData* data)
2009 if (data->count == 0) {
2013 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2015 if (pread64(data->realfd, data->buffer,
2016 info.block_size * data->count, data->offset)
2018 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2023 if (pwrite64(data->cryptofd, data->buffer,
2024 info.block_size * data->count, data->offset)
2026 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2027 data->crypto_blkdev);
2030 SLOGI("Encrypted %d blocks at sector %" PRId64,
2031 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2035 data->last_written_sector = (data->offset + data->count)
2036 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2040 static int encrypt_groups(struct encryptGroupsData* data)
2043 u8 *block_bitmap = 0;
2048 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2049 if (!data->buffer) {
2050 SLOGE("Failed to allocate crypto buffer");
2054 block_bitmap = malloc(info.block_size);
2055 if (!block_bitmap) {
2056 SLOGE("failed to allocate block bitmap");
2060 for (i = 0; i < aux_info.groups; ++i) {
2061 SLOGI("Encrypting group %d", i);
2063 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2064 u32 block_count = min(info.blocks_per_group,
2065 aux_info.len_blocks - first_block);
2067 off64_t offset = (u64)info.block_size
2068 * aux_info.bg_desc[i].bg_block_bitmap;
2070 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2071 if (ret != (int)info.block_size) {
2072 SLOGE("failed to read all of block group bitmap %d", i);
2076 offset = (u64)info.block_size * first_block;
2080 for (block = 0; block < block_count; block++) {
2081 int used = bitmap_get_bit(block_bitmap, block);
2082 update_progress(data, used);
2084 if (data->count == 0) {
2085 data->offset = offset;
2089 if (flush_outstanding_data(data)) {
2094 offset += info.block_size;
2096 /* Write data if we are aligned or buffer size reached */
2097 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2098 || data->count == BLOCKS_AT_A_TIME) {
2099 if (flush_outstanding_data(data)) {
2104 if (!is_battery_ok_to_continue()) {
2105 SLOGE("Stopping encryption due to low battery");
2111 if (flush_outstanding_data(data)) {
2116 data->completed = 1;
2125 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2128 off64_t *size_already_done,
2130 off64_t previously_encrypted_upto)
2133 struct encryptGroupsData data;
2136 if (previously_encrypted_upto > *size_already_done) {
2137 SLOGD("Not fast encrypting since resuming part way through");
2141 memset(&data, 0, sizeof(data));
2142 data.real_blkdev = real_blkdev;
2143 data.crypto_blkdev = crypto_blkdev;
2145 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2146 SLOGE("Error opening real_blkdev %s for inplace encrypt\n",
2151 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2152 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n",
2157 if (setjmp(setjmp_env)) {
2158 SLOGE("Reading extent caused an exception");
2162 if (read_ext(data.realfd, 0) != 0) {
2163 SLOGE("Failed to read extent");
2167 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2168 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2169 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2171 SLOGI("Encrypting filesystem in place...");
2173 data.tot_used_blocks = data.numblocks;
2174 for (i = 0; i < aux_info.groups; ++i) {
2175 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2178 data.one_pct = data.tot_used_blocks / 100;
2180 data.time_started = time(NULL);
2181 data.remaining_time = -1;
2183 rc = encrypt_groups(&data);
2185 SLOGE("Error encrypting groups");
2189 *size_already_done += data.completed ? size : data.last_written_sector;
2194 close(data.cryptofd);
2199 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2200 off64_t size, off64_t *size_already_done,
2202 off64_t previously_encrypted_upto)
2204 int realfd, cryptofd;
2205 char *buf[CRYPT_INPLACE_BUFSIZE];
2207 off64_t numblocks, i, remainder;
2208 off64_t one_pct, cur_pct, new_pct;
2209 off64_t blocks_already_done, tot_numblocks;
2211 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
2212 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2216 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2217 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev);
2222 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2223 * The size passed in is the number of 512 byte sectors in the filesystem.
2224 * So compute the number of whole 4K blocks we should read/write,
2225 * and the remainder.
2227 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2228 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2229 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2230 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2232 SLOGE("Encrypting filesystem in place...");
2234 i = previously_encrypted_upto + 1 - *size_already_done;
2236 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2237 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2241 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2242 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2246 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2247 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2248 SLOGE("Error reading initial sectors from real_blkdev %s for "
2249 "inplace encrypt\n", crypto_blkdev);
2252 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2253 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2254 "inplace encrypt\n", crypto_blkdev);
2257 SLOGI("Encrypted 1 block at %" PRId64, i);
2261 one_pct = tot_numblocks / 100;
2263 /* process the majority of the filesystem in blocks */
2264 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2265 new_pct = (i + blocks_already_done) / one_pct;
2266 if (new_pct > cur_pct) {
2270 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2271 property_set("vold.encrypt_progress", buf);
2273 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2274 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2277 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2278 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2281 SLOGD("Encrypted %d block at %" PRId64,
2282 CRYPT_SECTORS_PER_BUFSIZE,
2283 i * CRYPT_SECTORS_PER_BUFSIZE);
2286 if (!is_battery_ok_to_continue()) {
2287 SLOGE("Stopping encryption due to low battery");
2288 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2294 /* Do any remaining sectors */
2295 for (i=0; i<remainder; i++) {
2296 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2297 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2300 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2301 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2304 SLOGI("Encrypted 1 block at next location");
2308 *size_already_done += size;
2318 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2319 off64_t size, off64_t *size_already_done,
2321 off64_t previously_encrypted_upto)
2323 if (previously_encrypted_upto) {
2324 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2327 if (*size_already_done + size < previously_encrypted_upto) {
2328 *size_already_done += size;
2332 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2333 size, size_already_done,
2334 tot_size, previously_encrypted_upto) == 0) {
2338 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2339 size, size_already_done, tot_size,
2340 previously_encrypted_upto);
2343 #define CRYPTO_ENABLE_WIPE 1
2344 #define CRYPTO_ENABLE_INPLACE 2
2346 #define FRAMEWORK_BOOT_WAIT 60
2348 static inline int should_encrypt(struct volume_info *volume)
2350 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
2351 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
2354 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2356 int fd = open(filename, O_RDONLY);
2358 SLOGE("Error opening file %s", filename);
2362 char block[CRYPT_INPLACE_BUFSIZE];
2363 memset(block, 0, sizeof(block));
2364 if (unix_read(fd, block, sizeof(block)) < 0) {
2365 SLOGE("Error reading file %s", filename);
2374 SHA256_Update(&c, block, sizeof(block));
2375 SHA256_Final(buf, &c);
2380 static int get_fs_type(struct fstab_rec *rec)
2382 if (!strcmp(rec->fs_type, "ext4")) {
2384 } else if (!strcmp(rec->fs_type, "f2fs")) {
2391 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2392 char *crypto_blkdev, char *real_blkdev,
2393 int previously_encrypted_upto)
2395 off64_t cur_encryption_done=0, tot_encryption_size=0;
2398 if (!is_battery_ok_to_start()) {
2399 SLOGW("Not starting encryption due to low battery");
2403 /* The size of the userdata partition, and add in the vold volumes below */
2404 tot_encryption_size = crypt_ftr->fs_size;
2406 if (how == CRYPTO_ENABLE_WIPE) {
2407 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2408 int fs_type = get_fs_type(rec);
2410 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2413 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2414 } else if (how == CRYPTO_ENABLE_INPLACE) {
2415 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2416 crypt_ftr->fs_size, &cur_encryption_done,
2417 tot_encryption_size,
2418 previously_encrypted_upto);
2421 crypt_ftr->encrypted_upto = cur_encryption_done;
2424 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2425 /* The inplace routine never actually sets the progress to 100% due
2426 * to the round down nature of integer division, so set it here */
2427 property_set("vold.encrypt_progress", "100");
2430 /* Shouldn't happen */
2431 SLOGE("cryptfs_enable: internal error, unknown option\n");
2438 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2442 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2443 unsigned long nr_sec;
2444 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2445 int rc=-1, fd, i, ret;
2446 struct crypt_mnt_ftr crypt_ftr;
2447 struct crypt_persist_data *pdata;
2448 char encrypted_state[PROPERTY_VALUE_MAX];
2449 char lockid[32] = { 0 };
2450 char key_loc[PROPERTY_VALUE_MAX];
2451 char fuse_sdcard[PROPERTY_VALUE_MAX];
2454 struct volume_info *vol_list = 0;
2455 off64_t previously_encrypted_upto = 0;
2457 if (!strcmp(howarg, "wipe")) {
2458 how = CRYPTO_ENABLE_WIPE;
2459 } else if (! strcmp(howarg, "inplace")) {
2460 how = CRYPTO_ENABLE_INPLACE;
2462 /* Shouldn't happen, as CommandListener vets the args */
2463 goto error_unencrypted;
2466 /* See if an encryption was underway and interrupted */
2467 if (how == CRYPTO_ENABLE_INPLACE
2468 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2469 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2470 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2471 crypt_ftr.encrypted_upto = 0;
2472 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2474 /* At this point, we are in an inconsistent state. Until we successfully
2475 complete encryption, a reboot will leave us broken. So mark the
2476 encryption failed in case that happens.
2477 On successfully completing encryption, remove this flag */
2478 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2480 put_crypt_ftr_and_key(&crypt_ftr);
2483 property_get("ro.crypto.state", encrypted_state, "");
2484 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2485 SLOGE("Device is already running encrypted, aborting");
2486 goto error_unencrypted;
2489 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2490 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2491 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2493 /* Get the size of the real block device */
2494 fd = open(real_blkdev, O_RDONLY);
2495 if ( (nr_sec = get_blkdev_size(fd)) == 0) {
2496 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2497 goto error_unencrypted;
2501 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2502 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2503 unsigned int fs_size_sec, max_fs_size_sec;
2505 fs_size_sec = get_fs_size(real_blkdev);
2506 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2508 if (fs_size_sec > max_fs_size_sec) {
2509 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2510 goto error_unencrypted;
2514 /* Get a wakelock as this may take a while, and we don't want the
2515 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2516 * wants to keep the screen on, it can grab a full wakelock.
2518 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2519 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2521 /* Get the sdcard mount point */
2522 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
2523 if (!sd_mnt_point) {
2524 sd_mnt_point = getenv("EXTERNAL_STORAGE");
2526 if (!sd_mnt_point) {
2527 sd_mnt_point = "/mnt/sdcard";
2531 * Currently do not have test devices with multiple encryptable volumes.
2532 * When we acquire some, re-add support.
2534 num_vols=vold_getNumDirectVolumes();
2535 vol_list = malloc(sizeof(struct volume_info) * num_vols);
2536 vold_getDirectVolumeList(vol_list);
2538 for (i=0; i<num_vols; i++) {
2539 if (should_encrypt(&vol_list[i])) {
2540 SLOGE("Cannot encrypt if there are multiple encryptable volumes"
2541 "%s\n", vol_list[i].label);
2542 goto error_unencrypted;
2546 /* The init files are setup to stop the class main and late start when
2547 * vold sets trigger_shutdown_framework.
2549 property_set("vold.decrypt", "trigger_shutdown_framework");
2550 SLOGD("Just asked init to shut down class main\n");
2552 if (vold_unmountAllAsecs()) {
2553 /* Just report the error. If any are left mounted,
2554 * umounting /data below will fail and handle the error.
2556 SLOGE("Error unmounting internal asecs");
2559 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
2560 if (!strcmp(fuse_sdcard, "true")) {
2561 /* This is a device using the fuse layer to emulate the sdcard semantics
2562 * on top of the userdata partition. vold does not manage it, it is managed
2563 * by the sdcard service. The sdcard service was killed by the property trigger
2564 * above, so just unmount it now. We must do this _AFTER_ killing the framework,
2565 * unlike the case for vold managed devices above.
2567 if (wait_and_unmount(sd_mnt_point)) {
2568 goto error_shutting_down;
2572 /* Now unmount the /data partition. */
2573 if (wait_and_unmount(DATA_MNT_POINT)) {
2575 goto error_shutting_down;
2577 goto error_unencrypted;
2581 /* Do extra work for a better UX when doing the long inplace encryption */
2582 if (how == CRYPTO_ENABLE_INPLACE) {
2583 /* Now that /data is unmounted, we need to mount a tmpfs
2584 * /data, set a property saying we're doing inplace encryption,
2585 * and restart the framework.
2587 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2588 goto error_shutting_down;
2590 /* Tells the framework that inplace encryption is starting */
2591 property_set("vold.encrypt_progress", "0");
2593 /* restart the framework. */
2594 /* Create necessary paths on /data */
2595 if (prep_data_fs()) {
2596 goto error_shutting_down;
2599 /* Ugh, shutting down the framework is not synchronous, so until it
2600 * can be fixed, this horrible hack will wait a moment for it all to
2601 * shut down before proceeding. Without it, some devices cannot
2602 * restart the graphics services.
2606 /* startup service classes main and late_start */
2607 property_set("vold.decrypt", "trigger_restart_min_framework");
2608 SLOGD("Just triggered restart_min_framework\n");
2610 /* OK, the framework is restarted and will soon be showing a
2611 * progress bar. Time to setup an encrypted mapping, and
2612 * either write a new filesystem, or encrypt in place updating
2613 * the progress bar as we work.
2617 /* Start the actual work of making an encrypted filesystem */
2618 /* Initialize a crypt_mnt_ftr for the partition */
2619 if (previously_encrypted_upto == 0) {
2620 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2621 goto error_shutting_down;
2624 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2625 crypt_ftr.fs_size = nr_sec
2626 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2628 crypt_ftr.fs_size = nr_sec;
2630 /* At this point, we are in an inconsistent state. Until we successfully
2631 complete encryption, a reboot will leave us broken. So mark the
2632 encryption failed in case that happens.
2633 On successfully completing encryption, remove this flag */
2634 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2635 crypt_ftr.crypt_type = crypt_type;
2636 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
2638 /* Make an encrypted master key */
2639 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2640 SLOGE("Cannot create encrypted master key\n");
2641 goto error_shutting_down;
2644 /* Write the key to the end of the partition */
2645 put_crypt_ftr_and_key(&crypt_ftr);
2647 /* If any persistent data has been remembered, save it.
2648 * If none, create a valid empty table and save that.
2650 if (!persist_data) {
2651 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
2653 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2654 persist_data = pdata;
2658 save_persistent_data();
2662 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2663 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2666 /* If we are continuing, check checksums match */
2668 if (previously_encrypted_upto) {
2669 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2670 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2672 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2673 sizeof(hash_first_block)) != 0) {
2674 SLOGE("Checksums do not match - trigger wipe");
2680 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
2681 crypto_blkdev, real_blkdev,
2682 previously_encrypted_upto);
2685 /* Calculate checksum if we are not finished */
2686 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2687 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2688 crypt_ftr.hash_first_block);
2690 SLOGE("Error calculating checksum for continuing encryption");
2695 /* Undo the dm-crypt mapping whether we succeed or not */
2696 delete_crypto_blk_dev("userdata");
2702 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2704 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2705 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2706 crypt_ftr.encrypted_upto);
2707 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2710 put_crypt_ftr_and_key(&crypt_ftr);
2712 sleep(2); /* Give the UI a chance to show 100% progress */
2713 /* Partially encrypted - ensure writes are flushed to ssd */
2715 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2716 cryptfs_reboot(reboot);
2718 cryptfs_reboot(shutdown);
2721 char value[PROPERTY_VALUE_MAX];
2723 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2724 if (!strcmp(value, "1")) {
2725 /* wipe data if encryption failed */
2726 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2727 mkdir("/cache/recovery", 0700);
2728 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
2730 write(fd, "--wipe_data", strlen("--wipe_data") + 1);
2733 SLOGE("could not open /cache/recovery/command\n");
2735 cryptfs_reboot(recovery);
2737 /* set property to trigger dialog */
2738 property_set("vold.encrypt_progress", "error_partially_encrypted");
2739 release_wake_lock(lockid);
2744 /* hrm, the encrypt step claims success, but the reboot failed.
2745 * This should not happen.
2746 * Set the property and return. Hope the framework can deal with it.
2748 property_set("vold.encrypt_progress", "error_reboot_failed");
2749 release_wake_lock(lockid);
2754 property_set("vold.encrypt_progress", "error_not_encrypted");
2756 release_wake_lock(lockid);
2760 error_shutting_down:
2761 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2762 * but the framework is stopped and not restarted to show the error, so it's up to
2763 * vold to restart the system.
2765 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
2766 cryptfs_reboot(reboot);
2768 /* shouldn't get here */
2769 property_set("vold.encrypt_progress", "error_shutting_down");
2772 release_wake_lock(lockid);
2777 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
2779 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
2782 int cryptfs_enable_default(char *howarg, int allow_reboot)
2784 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
2785 DEFAULT_PASSWORD, allow_reboot);
2788 int cryptfs_changepw(int crypt_type, const char *newpw)
2790 struct crypt_mnt_ftr crypt_ftr;
2791 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2793 /* This is only allowed after we've successfully decrypted the master key */
2794 if (!master_key_saved) {
2795 SLOGE("Key not saved, aborting");
2799 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2800 SLOGE("Invalid crypt_type %d", crypt_type);
2805 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2806 SLOGE("Error getting crypt footer and key");
2810 crypt_ftr.crypt_type = crypt_type;
2812 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
2816 crypt_ftr.master_key,
2820 put_crypt_ftr_and_key(&crypt_ftr);
2825 static int persist_get_key(char *fieldname, char *value)
2829 if (persist_data == NULL) {
2832 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2833 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2835 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2843 static int persist_set_key(char *fieldname, char *value, int encrypted)
2847 struct crypt_mnt_ftr crypt_ftr;
2848 unsigned int max_persistent_entries;
2851 if (persist_data == NULL) {
2855 /* If encrypted, use the values from the crypt_ftr, otherwise
2856 * use the values for the current spec.
2859 if(get_crypt_ftr_and_key(&crypt_ftr)) {
2862 dsize = crypt_ftr.persist_data_size;
2864 dsize = CRYPT_PERSIST_DATA_SIZE;
2866 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
2867 sizeof(struct crypt_persist_entry);
2869 num = persist_data->persist_valid_entries;
2871 for (i = 0; i < num; i++) {
2872 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2873 /* We found an existing entry, update it! */
2874 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2875 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2880 /* We didn't find it, add it to the end, if there is room */
2881 if (persist_data->persist_valid_entries < max_persistent_entries) {
2882 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2883 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2884 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2885 persist_data->persist_valid_entries++;
2892 /* Return the value of the specified field. */
2893 int cryptfs_getfield(char *fieldname, char *value, int len)
2895 char temp_value[PROPERTY_VALUE_MAX];
2896 char real_blkdev[MAXPATHLEN];
2897 /* 0 is success, 1 is not encrypted,
2898 * -1 is value not set, -2 is any other error
2902 if (persist_data == NULL) {
2903 load_persistent_data();
2904 if (persist_data == NULL) {
2905 SLOGE("Getfield error, cannot load persistent data");
2910 if (!persist_get_key(fieldname, temp_value)) {
2911 /* We found it, copy it to the caller's buffer and return */
2912 strlcpy(value, temp_value, len);
2915 /* Sadness, it's not there. Return the error */
2923 /* Set the value of the specified field. */
2924 int cryptfs_setfield(char *fieldname, char *value)
2926 struct crypt_persist_data stored_pdata;
2927 struct crypt_persist_data *pdata_p;
2928 struct crypt_mnt_ftr crypt_ftr;
2929 char encrypted_state[PROPERTY_VALUE_MAX];
2930 /* 0 is success, -1 is an error */
2934 if (persist_data == NULL) {
2935 load_persistent_data();
2936 if (persist_data == NULL) {
2937 SLOGE("Setfield error, cannot load persistent data");
2942 property_get("ro.crypto.state", encrypted_state, "");
2943 if (!strcmp(encrypted_state, "encrypted") ) {
2947 if (persist_set_key(fieldname, value, encrypted)) {
2951 /* If we are running encrypted, save the persistent data now */
2953 if (save_persistent_data()) {
2954 SLOGE("Setfield error, cannot save persistent data");
2965 /* Checks userdata. Attempt to mount the volume if default-
2967 * On success trigger next init phase and return 0.
2968 * Currently do not handle failure - see TODO below.
2970 int cryptfs_mount_default_encrypted(void)
2972 char decrypt_state[PROPERTY_VALUE_MAX];
2973 property_get("vold.decrypt", decrypt_state, "0");
2974 if (!strcmp(decrypt_state, "0")) {
2975 SLOGE("Not encrypted - should not call here");
2977 int crypt_type = cryptfs_get_password_type();
2978 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2979 SLOGE("Bad crypt type - error");
2980 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2981 SLOGD("Password is not default - "
2982 "starting min framework to prompt");
2983 property_set("vold.decrypt", "trigger_restart_min_framework");
2985 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2986 SLOGD("Password is default - restarting filesystem");
2987 cryptfs_restart_internal(0);
2990 SLOGE("Encrypted, default crypt type but can't decrypt");
2994 /** Corrupt. Allow us to boot into framework, which will detect bad
2995 crypto when it calls do_crypto_complete, then do a factory reset
2997 property_set("vold.decrypt", "trigger_restart_min_framework");
3001 /* Returns type of the password, default, pattern, pin or password.
3003 int cryptfs_get_password_type(void)
3005 struct crypt_mnt_ftr crypt_ftr;
3007 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3008 SLOGE("Error getting crypt footer and key\n");
3012 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3016 return crypt_ftr.crypt_type;
3019 char* cryptfs_get_password()
3021 struct timespec now;
3022 clock_gettime(CLOCK_MONOTONIC, &now);
3023 if (now.tv_sec < password_expiry_time) {
3026 cryptfs_clear_password();
3031 void cryptfs_clear_password()
3034 size_t len = strlen(password);
3035 memset(password, 0, len);
3038 password_expiry_time = 0;