2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
41 #include <ext4_utils/ext4.h>
42 #include <ext4_utils/ext4_utils.h>
43 #include <linux/kdev_t.h>
47 #include <selinux/selinux.h>
49 #include "secontext.h"
50 #define LOG_TAG "Cryptfs"
51 #include "cutils/log.h"
52 #include "cutils/properties.h"
53 #include "cutils/android_reboot.h"
54 #include "hardware_legacy/power.h"
55 #include <logwrap/logwrap.h>
56 #include "ScryptParameters.h"
57 #include "VolumeManager.h"
59 #include "crypto_scrypt.h"
60 #include "Ext4Crypt.h"
61 #include "f2fs_sparseblock.h"
62 #include "CheckBattery.h"
65 #include <bootloader_message/bootloader_message.h>
66 #include <hardware/keymaster0.h>
67 #include <hardware/keymaster1.h>
69 #define UNUSED __attribute__((unused))
71 #define UNUSED __attribute__((unused))
73 #define DM_CRYPT_BUF_SIZE 4096
75 #define HASH_COUNT 2000
76 #define KEY_LEN_BYTES 16
77 #define IV_LEN_BYTES 16
79 #define KEY_IN_FOOTER "footer"
81 #define DEFAULT_PASSWORD "default_password"
83 #define CRYPTO_BLOCK_DEVICE "userdata"
85 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
90 #define TABLE_LOAD_RETRIES 10
92 #define RSA_KEY_SIZE 2048
93 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
94 #define RSA_EXPONENT 0x10001
95 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
97 #define RETRY_MOUNT_ATTEMPTS 10
98 #define RETRY_MOUNT_DELAY_SECONDS 1
100 char *me = "cryptfs";
102 static unsigned char saved_master_key[KEY_LEN_BYTES];
103 static char *saved_mount_point;
104 static int master_key_saved = 0;
105 static struct crypt_persist_data *persist_data = NULL;
107 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
108 keymaster1_device_t **keymaster1_dev)
112 const hw_module_t* mod;
113 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
115 ALOGE("could not find any keystore module");
119 SLOGI("keymaster module name is %s", mod->name);
120 SLOGI("keymaster version is %d", mod->module_api_version);
122 *keymaster0_dev = NULL;
123 *keymaster1_dev = NULL;
124 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
125 SLOGI("Found keymaster1 module, using keymaster1 API.");
126 rc = keymaster1_open(mod, keymaster1_dev);
128 SLOGI("Found keymaster0 module, using keymaster0 API.");
129 rc = keymaster0_open(mod, keymaster0_dev);
133 ALOGE("could not open keymaster device in %s (%s)",
134 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
141 *keymaster0_dev = NULL;
142 *keymaster1_dev = NULL;
146 /* Should we use keymaster? */
147 static int keymaster_check_compatibility()
149 keymaster0_device_t *keymaster0_dev = 0;
150 keymaster1_device_t *keymaster1_dev = 0;
153 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
154 SLOGE("Failed to init keymaster");
159 if (keymaster1_dev) {
164 if (!keymaster0_dev || !keymaster0_dev->common.module) {
169 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
171 if (keymaster0_dev->common.module->module_api_version
172 < KEYMASTER_MODULE_API_VERSION_0_3) {
177 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
178 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
183 if (keymaster1_dev) {
184 keymaster1_close(keymaster1_dev);
186 if (keymaster0_dev) {
187 keymaster0_close(keymaster0_dev);
192 /* Create a new keymaster key and store it in this footer */
193 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
196 keymaster0_device_t *keymaster0_dev = 0;
197 keymaster1_device_t *keymaster1_dev = 0;
199 if (ftr->keymaster_blob_size) {
200 SLOGI("Already have key");
204 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
205 SLOGE("Failed to init keymaster");
211 if (keymaster1_dev) {
212 keymaster_key_param_t params[] = {
213 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
214 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
215 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
216 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
218 /* The only allowed purpose for this key is signing. */
219 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
221 /* Padding & digest specifications. */
222 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
223 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
225 /* Require that the key be usable in standalone mode. File system isn't available. */
226 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
228 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
229 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
231 /* Rate-limit key usage attempts, to rate-limit brute force */
232 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
234 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
235 keymaster_key_blob_t key_blob;
236 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set,
238 NULL /* characteristics */);
239 if (error != KM_ERROR_OK) {
240 SLOGE("Failed to generate keymaster1 key, error %d", error);
245 key = (uint8_t*)key_blob.key_material;
246 key_size = key_blob.key_material_size;
248 else if (keymaster0_dev) {
249 keymaster_rsa_keygen_params_t params;
250 memset(¶ms, '\0', sizeof(params));
251 params.public_exponent = RSA_EXPONENT;
252 params.modulus_size = RSA_KEY_SIZE;
254 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms,
256 SLOGE("Failed to generate keypair");
261 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
266 if (key_size > KEYMASTER_BLOB_SIZE) {
267 SLOGE("Keymaster key too large for crypto footer");
272 memcpy(ftr->keymaster_blob, key, key_size);
273 ftr->keymaster_blob_size = key_size;
277 keymaster0_close(keymaster0_dev);
279 keymaster1_close(keymaster1_dev);
284 /* This signs the given object using the keymaster key. */
285 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
286 const unsigned char *object,
287 const size_t object_size,
288 unsigned char **signature,
289 size_t *signature_size)
292 keymaster0_device_t *keymaster0_dev = 0;
293 keymaster1_device_t *keymaster1_dev = 0;
294 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
295 SLOGE("Failed to init keymaster");
300 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
301 size_t to_sign_size = sizeof(to_sign);
302 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
304 // To sign a message with RSA, the message must satisfy two
307 // 1. The message, when interpreted as a big-endian numeric value, must
308 // be strictly less than the public modulus of the RSA key. Note
309 // that because the most significant bit of the public modulus is
310 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
311 // key), an n-bit message with most significant bit 0 always
312 // satisfies this requirement.
314 // 2. The message must have the same length in bits as the public
315 // modulus of the RSA key. This requirement isn't mathematically
316 // necessary, but is necessary to ensure consistency in
318 switch (ftr->kdf_type) {
319 case KDF_SCRYPT_KEYMASTER:
320 // This ensures the most significant byte of the signed message
321 // is zero. We could have zero-padded to the left instead, but
322 // this approach is slightly more robust against changes in
323 // object size. However, it's still broken (but not unusably
324 // so) because we really should be using a proper deterministic
325 // RSA padding function, such as PKCS1.
326 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
327 SLOGI("Signing safely-padded object");
330 SLOGE("Unknown KDF type %d", ftr->kdf_type);
335 if (keymaster0_dev) {
336 keymaster_rsa_sign_params_t params;
337 params.digest_type = DIGEST_NONE;
338 params.padding_type = PADDING_NONE;
340 rc = keymaster0_dev->sign_data(keymaster0_dev,
343 ftr->keymaster_blob_size,
349 } else if (keymaster1_dev) {
350 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
351 keymaster_key_param_t params[] = {
352 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
353 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
355 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
356 keymaster_operation_handle_t op_handle;
357 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
358 ¶m_set, NULL /* out_params */,
360 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
361 // Key usage has been rate-limited. Wait a bit and try again.
362 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
363 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
364 ¶m_set, NULL /* out_params */,
367 if (error != KM_ERROR_OK) {
368 SLOGE("Error starting keymaster signature transaction: %d", error);
373 keymaster_blob_t input = { to_sign, to_sign_size };
374 size_t input_consumed;
375 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
376 &input, &input_consumed, NULL /* out_params */,
378 if (error != KM_ERROR_OK) {
379 SLOGE("Error sending data to keymaster signature transaction: %d", error);
383 if (input_consumed != to_sign_size) {
384 // This should never happen. If it does, it's a bug in the keymaster implementation.
385 SLOGE("Keymaster update() did not consume all data.");
386 keymaster1_dev->abort(keymaster1_dev, op_handle);
391 keymaster_blob_t tmp_sig;
392 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
393 NULL /* verify signature */, NULL /* out_params */,
395 if (error != KM_ERROR_OK) {
396 SLOGE("Error finishing keymaster signature transaction: %d", error);
401 *signature = (uint8_t*)tmp_sig.data;
402 *signature_size = tmp_sig.data_length;
404 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
411 keymaster1_close(keymaster1_dev);
413 keymaster0_close(keymaster0_dev);
418 /* Store password when userdata is successfully decrypted and mounted.
419 * Cleared by cryptfs_clear_password
421 * To avoid a double prompt at boot, we need to store the CryptKeeper
422 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
423 * Since the entire framework is torn down and rebuilt after encryption,
424 * we have to use a daemon or similar to store the password. Since vold
425 * is secured against IPC except from system processes, it seems a reasonable
426 * place to store this.
428 * password should be cleared once it has been used.
430 * password is aged out after password_max_age_seconds seconds.
432 static char* password = 0;
433 static int password_expiry_time = 0;
434 static const int password_max_age_seconds = 60;
436 extern struct fstab *fstab;
438 enum RebootType {reboot, recovery, shutdown};
439 static void cryptfs_reboot(enum RebootType rt)
443 property_set(ANDROID_RB_PROPERTY, "reboot");
447 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
451 property_set(ANDROID_RB_PROPERTY, "shutdown");
457 /* Shouldn't get here, reboot should happen before sleep times out */
461 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
463 memset(io, 0, dataSize);
464 io->data_size = dataSize;
465 io->data_start = sizeof(struct dm_ioctl);
471 strlcpy(io->name, name, sizeof(io->name));
476 * Gets the default device scrypt parameters for key derivation time tuning.
477 * The parameters should lead to about one second derivation time for the
480 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
481 char paramstr[PROPERTY_VALUE_MAX];
484 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
485 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
486 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
487 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
494 static unsigned int get_fs_size(char *dev)
497 struct ext4_super_block sb;
500 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
501 SLOGE("Cannot open device to get filesystem size ");
505 if (lseek64(fd, 1024, SEEK_SET) < 0) {
506 SLOGE("Cannot seek to superblock");
510 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
511 SLOGE("Cannot read superblock");
517 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
518 SLOGE("Not a valid ext4 superblock");
521 block_size = 1024 << sb.s_log_block_size;
522 /* compute length in bytes */
523 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
525 /* return length in sectors */
526 return (unsigned int) (len / 512);
529 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
531 static int cached_data = 0;
532 static off64_t cached_off = 0;
533 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
535 char key_loc[PROPERTY_VALUE_MAX];
536 char real_blkdev[PROPERTY_VALUE_MAX];
540 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
542 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
543 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
544 SLOGE("Cannot open real block device %s\n", real_blkdev);
548 unsigned long nr_sec = 0;
549 get_blkdev_size(fd, &nr_sec);
551 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
552 * encryption info footer and key, and plenty of bytes to spare for future
555 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
556 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
559 SLOGE("Cannot get size of block device %s\n", real_blkdev);
563 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
570 if (metadata_fname) {
571 *metadata_fname = cached_metadata_fname;
582 /* Set sha256 checksum in structure */
583 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
587 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
588 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
589 SHA256_Final(crypt_ftr->sha256, &c);
592 /* key or salt can be NULL, in which case just skip writing that value. Useful to
593 * update the failed mount count but not change the key.
595 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
599 /* starting_off is set to the SEEK_SET offset
600 * where the crypto structure starts
602 off64_t starting_off;
607 set_ftr_sha(crypt_ftr);
609 if (get_crypt_ftr_info(&fname, &starting_off)) {
610 SLOGE("Unable to get crypt_ftr_info\n");
613 if (fname[0] != '/') {
614 SLOGE("Unexpected value for crypto key location\n");
617 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
618 SLOGE("Cannot open footer file %s for put\n", fname);
622 /* Seek to the start of the crypt footer */
623 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
624 SLOGE("Cannot seek to real block device footer\n");
628 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
629 SLOGE("Cannot write real block device footer\n");
634 /* If the keys are kept on a raw block device, do not try to truncate it. */
635 if (S_ISREG(statbuf.st_mode)) {
636 if (ftruncate(fd, 0x4000)) {
637 SLOGE("Cannot set footer file size\n");
651 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
653 struct crypt_mnt_ftr copy;
654 memcpy(©, crypt_ftr, sizeof(copy));
656 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
659 static inline int unix_read(int fd, void* buff, int len)
661 return TEMP_FAILURE_RETRY(read(fd, buff, len));
664 static inline int unix_write(int fd, const void* buff, int len)
666 return TEMP_FAILURE_RETRY(write(fd, buff, len));
669 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
671 memset(pdata, 0, len);
672 pdata->persist_magic = PERSIST_DATA_MAGIC;
673 pdata->persist_valid_entries = 0;
676 /* A routine to update the passed in crypt_ftr to the lastest version.
677 * fd is open read/write on the device that holds the crypto footer and persistent
678 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
679 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
681 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
683 int orig_major = crypt_ftr->major_version;
684 int orig_minor = crypt_ftr->minor_version;
686 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
687 struct crypt_persist_data *pdata;
688 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
690 SLOGW("upgrading crypto footer to 1.1");
692 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
694 SLOGE("Cannot allocate persisent data\n");
697 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
699 /* Need to initialize the persistent data area */
700 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
701 SLOGE("Cannot seek to persisent data offset\n");
705 /* Write all zeros to the first copy, making it invalid */
706 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
708 /* Write a valid but empty structure to the second copy */
709 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
710 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
712 /* Update the footer */
713 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
714 crypt_ftr->persist_data_offset[0] = pdata_offset;
715 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
716 crypt_ftr->minor_version = 1;
720 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
721 SLOGW("upgrading crypto footer to 1.2");
722 /* But keep the old kdf_type.
723 * It will get updated later to KDF_SCRYPT after the password has been verified.
725 crypt_ftr->kdf_type = KDF_PBKDF2;
726 get_device_scrypt_params(crypt_ftr);
727 crypt_ftr->minor_version = 2;
730 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
731 SLOGW("upgrading crypto footer to 1.3");
732 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
733 crypt_ftr->minor_version = 3;
736 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
737 if (lseek64(fd, offset, SEEK_SET) == -1) {
738 SLOGE("Cannot seek to crypt footer\n");
741 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
746 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
750 off64_t starting_off;
755 if (get_crypt_ftr_info(&fname, &starting_off)) {
756 SLOGE("Unable to get crypt_ftr_info\n");
759 if (fname[0] != '/') {
760 SLOGE("Unexpected value for crypto key location\n");
763 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
764 SLOGE("Cannot open footer file %s for get\n", fname);
768 /* Make sure it's 16 Kbytes in length */
770 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
771 SLOGE("footer file %s is not the expected size!\n", fname);
775 /* Seek to the start of the crypt footer */
776 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
777 SLOGE("Cannot seek to real block device footer\n");
781 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
782 SLOGE("Cannot read real block device footer\n");
786 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
787 SLOGE("Bad magic for real block device %s\n", fname);
791 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
792 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
793 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
797 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
798 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
799 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
802 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
803 * copy on disk before returning.
805 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
806 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
817 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
819 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
820 crypt_ftr->persist_data_offset[1]) {
821 SLOGE("Crypt_ftr persist data regions overlap");
825 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
826 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
830 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
831 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
832 CRYPT_FOOTER_OFFSET) {
833 SLOGE("Persistent data extends past crypto footer");
840 static int load_persistent_data(void)
842 struct crypt_mnt_ftr crypt_ftr;
843 struct crypt_persist_data *pdata = NULL;
844 char encrypted_state[PROPERTY_VALUE_MAX];
852 /* Nothing to do, we've already loaded or initialized it */
857 /* If not encrypted, just allocate an empty table and initialize it */
858 property_get("ro.crypto.state", encrypted_state, "");
859 if (strcmp(encrypted_state, "encrypted") ) {
860 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
862 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
863 persist_data = pdata;
869 if(get_crypt_ftr_and_key(&crypt_ftr)) {
873 if ((crypt_ftr.major_version < 1)
874 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
875 SLOGE("Crypt_ftr version doesn't support persistent data");
879 if (get_crypt_ftr_info(&fname, NULL)) {
883 ret = validate_persistent_data_storage(&crypt_ftr);
888 fd = open(fname, O_RDONLY|O_CLOEXEC);
890 SLOGE("Cannot open %s metadata file", fname);
894 pdata = malloc(crypt_ftr.persist_data_size);
896 SLOGE("Cannot allocate memory for persistent data");
900 for (i = 0; i < 2; i++) {
901 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
902 SLOGE("Cannot seek to read persistent data on %s", fname);
905 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
906 SLOGE("Error reading persistent data on iteration %d", i);
909 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
916 SLOGI("Could not find valid persistent data, creating");
917 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
921 persist_data = pdata;
933 static int save_persistent_data(void)
935 struct crypt_mnt_ftr crypt_ftr;
936 struct crypt_persist_data *pdata;
938 off64_t write_offset;
939 off64_t erase_offset;
943 if (persist_data == NULL) {
944 SLOGE("No persistent data to save");
948 if(get_crypt_ftr_and_key(&crypt_ftr)) {
952 if ((crypt_ftr.major_version < 1)
953 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
954 SLOGE("Crypt_ftr version doesn't support persistent data");
958 ret = validate_persistent_data_storage(&crypt_ftr);
963 if (get_crypt_ftr_info(&fname, NULL)) {
967 fd = open(fname, O_RDWR|O_CLOEXEC);
969 SLOGE("Cannot open %s metadata file", fname);
973 pdata = malloc(crypt_ftr.persist_data_size);
975 SLOGE("Cannot allocate persistant data");
979 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
980 SLOGE("Cannot seek to read persistent data on %s", fname);
984 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
985 SLOGE("Error reading persistent data before save");
989 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
990 /* The first copy is the curent valid copy, so write to
991 * the second copy and erase this one */
992 write_offset = crypt_ftr.persist_data_offset[1];
993 erase_offset = crypt_ftr.persist_data_offset[0];
995 /* The second copy must be the valid copy, so write to
996 * the first copy, and erase the second */
997 write_offset = crypt_ftr.persist_data_offset[0];
998 erase_offset = crypt_ftr.persist_data_offset[1];
1001 /* Write the new copy first, if successful, then erase the old copy */
1002 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1003 SLOGE("Cannot seek to write persistent data");
1006 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1007 (int) crypt_ftr.persist_data_size) {
1008 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1009 SLOGE("Cannot seek to erase previous persistent data");
1013 memset(pdata, 0, crypt_ftr.persist_data_size);
1014 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1015 (int) crypt_ftr.persist_data_size) {
1016 SLOGE("Cannot write to erase previous persistent data");
1021 SLOGE("Cannot write to save persistent data");
1037 /* Convert a binary key of specified length into an ascii hex string equivalent,
1038 * without the leading 0x and with null termination
1040 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1041 unsigned int keysize, char *master_key_ascii) {
1043 unsigned char nibble;
1045 for (i=0, a=0; i<keysize; i++, a+=2) {
1046 /* For each byte, write out two ascii hex digits */
1047 nibble = (master_key[i] >> 4) & 0xf;
1048 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1050 nibble = master_key[i] & 0xf;
1051 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1054 /* Add the null termination */
1055 master_key_ascii[a] = '\0';
1059 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1060 const unsigned char *master_key, const char *real_blk_name,
1061 const char *name, int fd, const char *extra_params) {
1062 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1063 struct dm_ioctl *io;
1064 struct dm_target_spec *tgt;
1066 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1069 io = (struct dm_ioctl *) buffer;
1071 /* Load the mapping table for this device */
1072 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1074 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1075 io->target_count = 1;
1077 tgt->sector_start = 0;
1078 tgt->length = crypt_ftr->fs_size;
1079 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1081 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1082 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1083 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1084 master_key_ascii, real_blk_name, extra_params);
1085 crypt_params += strlen(crypt_params) + 1;
1086 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1087 tgt->next = crypt_params - buffer;
1089 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1090 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1096 if (i == TABLE_LOAD_RETRIES) {
1097 /* We failed to load the table, return an error */
1105 static int get_dm_crypt_version(int fd, const char *name, int *version)
1107 char buffer[DM_CRYPT_BUF_SIZE];
1108 struct dm_ioctl *io;
1109 struct dm_target_versions *v;
1111 io = (struct dm_ioctl *) buffer;
1113 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1115 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1119 /* Iterate over the returned versions, looking for name of "crypt".
1120 * When found, get and return the version.
1122 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1124 if (! strcmp(v->name, "crypt")) {
1125 /* We found the crypt driver, return the version, and get out */
1126 version[0] = v->version[0];
1127 version[1] = v->version[1];
1128 version[2] = v->version[2];
1131 v = (struct dm_target_versions *)(((char *)v) + v->next);
1137 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1138 const unsigned char *master_key, const char *real_blk_name,
1139 char *crypto_blk_name, const char *name) {
1140 char buffer[DM_CRYPT_BUF_SIZE];
1141 struct dm_ioctl *io;
1150 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1151 SLOGE("Cannot open device-mapper\n");
1155 io = (struct dm_ioctl *) buffer;
1157 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1158 err = ioctl(fd, DM_DEV_CREATE, io);
1160 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1164 /* Get the device status, in particular, the name of it's device file */
1165 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1166 if (ioctl(fd, DM_DEV_STATUS, io)) {
1167 SLOGE("Cannot retrieve dm-crypt device status\n");
1170 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1171 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1174 if (! get_dm_crypt_version(fd, name, version)) {
1175 /* Support for allow_discards was added in version 1.11.0 */
1176 if ((version[0] >= 2) ||
1177 ((version[0] == 1) && (version[1] >= 11))) {
1178 extra_params = "1 allow_discards";
1179 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1183 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1185 if (load_count < 0) {
1186 SLOGE("Cannot load dm-crypt mapping table.\n");
1188 } else if (load_count > 1) {
1189 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1192 /* Resume this device to activate it */
1193 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1195 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1196 SLOGE("Cannot resume the dm-crypt device\n");
1200 /* We made it here with no errors. Woot! */
1204 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1209 static int delete_crypto_blk_dev(char *name)
1212 char buffer[DM_CRYPT_BUF_SIZE];
1213 struct dm_ioctl *io;
1216 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1217 SLOGE("Cannot open device-mapper\n");
1221 io = (struct dm_ioctl *) buffer;
1223 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1224 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1225 SLOGE("Cannot remove dm-crypt device\n");
1229 /* We made it here with no errors. Woot! */
1233 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1239 static int pbkdf2(const char *passwd, const unsigned char *salt,
1240 unsigned char *ikey, void *params UNUSED)
1242 SLOGI("Using pbkdf2 for cryptfs KDF");
1244 /* Turn the password into a key and IV that can decrypt the master key */
1245 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1246 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1250 static int scrypt(const char *passwd, const unsigned char *salt,
1251 unsigned char *ikey, void *params)
1253 SLOGI("Using scrypt for cryptfs KDF");
1255 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1257 int N = 1 << ftr->N_factor;
1258 int r = 1 << ftr->r_factor;
1259 int p = 1 << ftr->p_factor;
1261 /* Turn the password into a key and IV that can decrypt the master key */
1262 unsigned int keysize;
1263 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1264 salt, SALT_LEN, N, r, p, ikey,
1265 KEY_LEN_BYTES + IV_LEN_BYTES);
1270 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1271 unsigned char *ikey, void *params)
1273 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1276 size_t signature_size;
1277 unsigned char* signature;
1278 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1280 int N = 1 << ftr->N_factor;
1281 int r = 1 << ftr->r_factor;
1282 int p = 1 << ftr->p_factor;
1284 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1285 salt, SALT_LEN, N, r, p, ikey,
1286 KEY_LEN_BYTES + IV_LEN_BYTES);
1289 SLOGE("scrypt failed");
1293 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1294 &signature, &signature_size)) {
1295 SLOGE("Signing failed");
1299 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1300 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1304 SLOGE("scrypt failed");
1311 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1312 const unsigned char *decrypted_master_key,
1313 unsigned char *encrypted_master_key,
1314 struct crypt_mnt_ftr *crypt_ftr)
1316 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1317 EVP_CIPHER_CTX e_ctx;
1318 int encrypted_len, final_len;
1321 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1322 get_device_scrypt_params(crypt_ftr);
1324 switch (crypt_ftr->kdf_type) {
1325 case KDF_SCRYPT_KEYMASTER:
1326 if (keymaster_create_key(crypt_ftr)) {
1327 SLOGE("keymaster_create_key failed");
1331 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1332 SLOGE("scrypt failed");
1338 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1339 SLOGE("scrypt failed");
1345 SLOGE("Invalid kdf_type");
1349 /* Initialize the decryption engine */
1350 EVP_CIPHER_CTX_init(&e_ctx);
1351 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1352 SLOGE("EVP_EncryptInit failed\n");
1355 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1357 /* Encrypt the master key */
1358 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1359 decrypted_master_key, KEY_LEN_BYTES)) {
1360 SLOGE("EVP_EncryptUpdate failed\n");
1363 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1364 SLOGE("EVP_EncryptFinal failed\n");
1368 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1369 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1373 /* Store the scrypt of the intermediate key, so we can validate if it's a
1374 password error or mount error when things go wrong.
1375 Note there's no need to check for errors, since if this is incorrect, we
1376 simply won't wipe userdata, which is the correct default behavior
1378 int N = 1 << crypt_ftr->N_factor;
1379 int r = 1 << crypt_ftr->r_factor;
1380 int p = 1 << crypt_ftr->p_factor;
1382 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1383 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1384 crypt_ftr->scrypted_intermediate_key,
1385 sizeof(crypt_ftr->scrypted_intermediate_key));
1388 SLOGE("encrypt_master_key: crypto_scrypt failed");
1394 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1395 unsigned char *encrypted_master_key,
1396 unsigned char *decrypted_master_key,
1397 kdf_func kdf, void *kdf_params,
1398 unsigned char** intermediate_key,
1399 size_t* intermediate_key_size)
1401 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1402 EVP_CIPHER_CTX d_ctx;
1403 int decrypted_len, final_len;
1405 /* Turn the password into an intermediate key and IV that can decrypt the
1407 if (kdf(passwd, salt, ikey, kdf_params)) {
1408 SLOGE("kdf failed");
1412 /* Initialize the decryption engine */
1413 EVP_CIPHER_CTX_init(&d_ctx);
1414 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1417 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1418 /* Decrypt the master key */
1419 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1420 encrypted_master_key, KEY_LEN_BYTES)) {
1423 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1427 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1431 /* Copy intermediate key if needed by params */
1432 if (intermediate_key && intermediate_key_size) {
1433 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1434 if (intermediate_key) {
1435 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1436 *intermediate_key_size = KEY_LEN_BYTES;
1443 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1445 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1446 *kdf = scrypt_keymaster;
1448 } else if (ftr->kdf_type == KDF_SCRYPT) {
1457 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1458 struct crypt_mnt_ftr *crypt_ftr,
1459 unsigned char** intermediate_key,
1460 size_t* intermediate_key_size)
1466 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1467 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1468 decrypted_master_key, kdf, kdf_params,
1469 intermediate_key, intermediate_key_size);
1471 SLOGW("failure decrypting master key");
1477 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1478 struct crypt_mnt_ftr *crypt_ftr) {
1480 unsigned char key_buf[KEY_LEN_BYTES];
1482 /* Get some random bits for a key */
1483 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1484 read(fd, key_buf, sizeof(key_buf));
1485 read(fd, salt, SALT_LEN);
1488 /* Now encrypt it with the password */
1489 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1492 int wait_and_unmount(const char *mountpoint, bool kill)
1495 #define WAIT_UNMOUNT_COUNT 20
1497 /* Now umount the tmpfs filesystem */
1498 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1499 if (umount(mountpoint) == 0) {
1503 if (errno == EINVAL) {
1504 /* EINVAL is returned if the directory is not a mountpoint,
1505 * i.e. there is no filesystem mounted there. So just get out.
1512 /* If allowed, be increasingly aggressive before the last two retries */
1514 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1515 SLOGW("sending SIGHUP to processes with open files\n");
1516 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1517 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1518 SLOGW("sending SIGKILL to processes with open files\n");
1519 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1526 if (i < WAIT_UNMOUNT_COUNT) {
1527 SLOGD("unmounting %s succeeded\n", mountpoint);
1530 vold_killProcessesWithOpenFiles(mountpoint, 0);
1531 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1538 #define DATA_PREP_TIMEOUT 1000
1539 static int prep_data_fs(void)
1543 // NOTE: post_fs_data results in init calling back around to vold, so all
1544 // callers to this method must be async
1546 /* Do the prep of the /data filesystem */
1547 property_set("vold.post_fs_data_done", "0");
1548 property_set("vold.decrypt", "trigger_post_fs_data");
1549 SLOGD("Just triggered post_fs_data\n");
1551 /* Wait a max of 50 seconds, hopefully it takes much less */
1552 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1553 char p[PROPERTY_VALUE_MAX];
1555 property_get("vold.post_fs_data_done", p, "0");
1562 if (i == DATA_PREP_TIMEOUT) {
1563 /* Ugh, we failed to prep /data in time. Bail. */
1564 SLOGE("post_fs_data timed out!\n");
1567 SLOGD("post_fs_data done\n");
1572 static void cryptfs_set_corrupt()
1574 // Mark the footer as bad
1575 struct crypt_mnt_ftr crypt_ftr;
1576 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1577 SLOGE("Failed to get crypto footer - panic");
1581 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1582 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1583 SLOGE("Failed to set crypto footer - panic");
1588 static void cryptfs_trigger_restart_min_framework()
1590 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1591 SLOGE("Failed to mount tmpfs on data - panic");
1595 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1596 SLOGE("Failed to trigger post fs data - panic");
1600 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1601 SLOGE("Failed to trigger restart min framework - panic");
1606 /* returns < 0 on failure */
1607 static int cryptfs_restart_internal(int restart_main)
1609 char crypto_blkdev[MAXPATHLEN];
1611 static int restart_successful = 0;
1613 /* Validate that it's OK to call this routine */
1614 if (! master_key_saved) {
1615 SLOGE("Encrypted filesystem not validated, aborting");
1619 if (restart_successful) {
1620 SLOGE("System already restarted with encrypted disk, aborting");
1625 /* Here is where we shut down the framework. The init scripts
1626 * start all services in one of three classes: core, main or late_start.
1627 * On boot, we start core and main. Now, we stop main, but not core,
1628 * as core includes vold and a few other really important things that
1629 * we need to keep running. Once main has stopped, we should be able
1630 * to umount the tmpfs /data, then mount the encrypted /data.
1631 * We then restart the class main, and also the class late_start.
1632 * At the moment, I've only put a few things in late_start that I know
1633 * are not needed to bring up the framework, and that also cause problems
1634 * with unmounting the tmpfs /data, but I hope to add add more services
1635 * to the late_start class as we optimize this to decrease the delay
1636 * till the user is asked for the password to the filesystem.
1639 /* The init files are setup to stop the class main when vold.decrypt is
1640 * set to trigger_reset_main.
1642 property_set("vold.decrypt", "trigger_reset_main");
1643 SLOGD("Just asked init to shut down class main\n");
1645 /* Ugh, shutting down the framework is not synchronous, so until it
1646 * can be fixed, this horrible hack will wait a moment for it all to
1647 * shut down before proceeding. Without it, some devices cannot
1648 * restart the graphics services.
1653 /* Now that the framework is shutdown, we should be able to umount()
1654 * the tmpfs filesystem, and mount the real one.
1657 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1658 if (strlen(crypto_blkdev) == 0) {
1659 SLOGE("fs_crypto_blkdev not set\n");
1663 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1664 /* If ro.crypto.readonly is set to 1, mount the decrypted
1665 * filesystem readonly. This is used when /data is mounted by
1668 char ro_prop[PROPERTY_VALUE_MAX];
1669 property_get("ro.crypto.readonly", ro_prop, "");
1670 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1671 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1672 rec->flags |= MS_RDONLY;
1675 /* If that succeeded, then mount the decrypted filesystem */
1676 int retries = RETRY_MOUNT_ATTEMPTS;
1680 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1681 * partitions in the fsck domain.
1683 if (setexeccon(secontextFsck())){
1684 SLOGE("Failed to setexeccon");
1687 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1690 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1691 /* TODO: invoke something similar to
1692 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1693 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1694 SLOGI("Failed to mount %s because it is busy - waiting",
1697 sleep(RETRY_MOUNT_DELAY_SECONDS);
1699 /* Let's hope that a reboot clears away whatever is keeping
1701 cryptfs_reboot(reboot);
1704 SLOGE("Failed to mount decrypted data");
1705 cryptfs_set_corrupt();
1706 cryptfs_trigger_restart_min_framework();
1707 SLOGI("Started framework to offer wipe");
1708 if (setexeccon(NULL)) {
1709 SLOGE("Failed to setexeccon");
1714 if (setexeccon(NULL)) {
1715 SLOGE("Failed to setexeccon");
1719 property_set("vold.decrypt", "trigger_load_persist_props");
1720 /* Create necessary paths on /data */
1721 if (prep_data_fs()) {
1725 /* startup service classes main and late_start */
1726 property_set("vold.decrypt", "trigger_restart_framework");
1727 SLOGD("Just triggered restart_framework\n");
1729 /* Give it a few moments to get started */
1734 restart_successful = 1;
1740 int cryptfs_restart(void)
1742 SLOGI("cryptfs_restart");
1743 if (e4crypt_is_native()) {
1744 SLOGE("cryptfs_restart not valid for file encryption:");
1748 /* Call internal implementation forcing a restart of main service group */
1749 return cryptfs_restart_internal(1);
1752 static int do_crypto_complete(char *mount_point)
1754 struct crypt_mnt_ftr crypt_ftr;
1755 char encrypted_state[PROPERTY_VALUE_MAX];
1756 char key_loc[PROPERTY_VALUE_MAX];
1758 property_get("ro.crypto.state", encrypted_state, "");
1759 if (strcmp(encrypted_state, "encrypted") ) {
1760 SLOGE("not running with encryption, aborting");
1761 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1764 // crypto_complete is full disk encrypted status
1765 if (e4crypt_is_native()) {
1766 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1769 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1770 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1773 * Only report this error if key_loc is a file and it exists.
1774 * If the device was never encrypted, and /data is not mountable for
1775 * some reason, returning 1 should prevent the UI from presenting the
1776 * a "enter password" screen, or worse, a "press button to wipe the
1779 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1780 SLOGE("master key file does not exist, aborting");
1781 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1783 SLOGE("Error getting crypt footer and key\n");
1784 return CRYPTO_COMPLETE_BAD_METADATA;
1788 // Test for possible error flags
1789 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1790 SLOGE("Encryption process is partway completed\n");
1791 return CRYPTO_COMPLETE_PARTIAL;
1794 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1795 SLOGE("Encryption process was interrupted but cannot continue\n");
1796 return CRYPTO_COMPLETE_INCONSISTENT;
1799 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1800 SLOGE("Encryption is successful but data is corrupt\n");
1801 return CRYPTO_COMPLETE_CORRUPT;
1804 /* We passed the test! We shall diminish, and return to the west */
1805 return CRYPTO_COMPLETE_ENCRYPTED;
1808 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1809 char *passwd, char *mount_point, char *label)
1811 /* Allocate enough space for a 256 bit key, but we may use less */
1812 unsigned char decrypted_master_key[32];
1813 char crypto_blkdev[MAXPATHLEN];
1814 char real_blkdev[MAXPATHLEN];
1815 char tmp_mount_point[64];
1816 unsigned int orig_failed_decrypt_count;
1818 int use_keymaster = 0;
1820 unsigned char* intermediate_key = 0;
1821 size_t intermediate_key_size = 0;
1823 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1824 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1826 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1827 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1828 &intermediate_key, &intermediate_key_size)) {
1829 SLOGE("Failed to decrypt master key\n");
1835 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1837 // Create crypto block device - all (non fatal) code paths
1839 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1840 real_blkdev, crypto_blkdev, label)) {
1841 SLOGE("Error creating decrypted block device\n");
1846 /* Work out if the problem is the password or the data */
1847 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1848 scrypted_intermediate_key)];
1849 int N = 1 << crypt_ftr->N_factor;
1850 int r = 1 << crypt_ftr->r_factor;
1851 int p = 1 << crypt_ftr->p_factor;
1853 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1854 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1855 N, r, p, scrypted_intermediate_key,
1856 sizeof(scrypted_intermediate_key));
1858 // Does the key match the crypto footer?
1859 if (rc == 0 && memcmp(scrypted_intermediate_key,
1860 crypt_ftr->scrypted_intermediate_key,
1861 sizeof(scrypted_intermediate_key)) == 0) {
1862 SLOGI("Password matches");
1865 /* Try mounting the file system anyway, just in case the problem's with
1866 * the footer, not the key. */
1867 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1868 mkdir(tmp_mount_point, 0755);
1869 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1870 SLOGE("Error temp mounting decrypted block device\n");
1871 delete_crypto_blk_dev(label);
1873 rc = ++crypt_ftr->failed_decrypt_count;
1874 put_crypt_ftr_and_key(crypt_ftr);
1877 SLOGI("Password did not match but decrypted drive mounted - continue");
1878 umount(tmp_mount_point);
1884 crypt_ftr->failed_decrypt_count = 0;
1885 if (orig_failed_decrypt_count != 0) {
1886 put_crypt_ftr_and_key(crypt_ftr);
1889 /* Save the name of the crypto block device
1890 * so we can mount it when restarting the framework. */
1891 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1893 /* Also save a the master key so we can reencrypted the key
1894 * the key when we want to change the password on it. */
1895 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1896 saved_mount_point = strdup(mount_point);
1897 master_key_saved = 1;
1898 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1901 // Upgrade if we're not using the latest KDF.
1902 use_keymaster = keymaster_check_compatibility();
1903 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1904 // Don't allow downgrade
1905 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1906 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1908 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1909 crypt_ftr->kdf_type = KDF_SCRYPT;
1914 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1915 crypt_ftr->master_key, crypt_ftr);
1917 rc = put_crypt_ftr_and_key(crypt_ftr);
1919 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1921 // Do not fail even if upgrade failed - machine is bootable
1922 // Note that if this code is ever hit, there is a *serious* problem
1923 // since KDFs should never fail. You *must* fix the kdf before
1926 SLOGW("Upgrade failed with error %d,"
1927 " but continuing with previous state",
1935 if (intermediate_key) {
1936 memset(intermediate_key, 0, intermediate_key_size);
1937 free(intermediate_key);
1943 * Called by vold when it's asked to mount an encrypted external
1944 * storage volume. The incoming partition has no crypto header/footer,
1945 * as any metadata is been stored in a separate, small partition.
1947 * out_crypto_blkdev must be MAXPATHLEN.
1949 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1950 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1951 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1953 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1957 unsigned long nr_sec = 0;
1958 get_blkdev_size(fd, &nr_sec);
1962 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1966 struct crypt_mnt_ftr ext_crypt_ftr;
1967 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1968 ext_crypt_ftr.fs_size = nr_sec;
1969 ext_crypt_ftr.keysize = keysize;
1970 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1972 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1973 out_crypto_blkdev, label);
1977 * Called by vold when it's asked to unmount an encrypted external
1980 int cryptfs_revert_ext_volume(const char* label) {
1981 return delete_crypto_blk_dev((char*) label);
1984 int cryptfs_crypto_complete(void)
1986 return do_crypto_complete("/data");
1989 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1991 char encrypted_state[PROPERTY_VALUE_MAX];
1992 property_get("ro.crypto.state", encrypted_state, "");
1993 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1994 SLOGE("encrypted fs already validated or not running with encryption,"
1999 if (get_crypt_ftr_and_key(crypt_ftr)) {
2000 SLOGE("Error getting crypt footer and key");
2007 int cryptfs_check_passwd(char *passwd)
2009 SLOGI("cryptfs_check_passwd");
2010 if (e4crypt_is_native()) {
2011 SLOGE("cryptfs_check_passwd not valid for file encryption");
2015 struct crypt_mnt_ftr crypt_ftr;
2018 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2020 SLOGE("Could not get footer");
2024 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2025 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2027 SLOGE("Password did not match");
2031 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2032 // Here we have a default actual password but a real password
2033 // we must test against the scrypted value
2034 // First, we must delete the crypto block device that
2035 // test_mount_encrypted_fs leaves behind as a side effect
2036 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2037 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
2038 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2040 SLOGE("Default password did not match on reboot encryption");
2044 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2045 put_crypt_ftr_and_key(&crypt_ftr);
2046 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2048 SLOGE("Could not change password on reboot encryption");
2053 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2054 cryptfs_clear_password();
2055 password = strdup(passwd);
2056 struct timespec now;
2057 clock_gettime(CLOCK_BOOTTIME, &now);
2058 password_expiry_time = now.tv_sec + password_max_age_seconds;
2064 int cryptfs_verify_passwd(char *passwd)
2066 struct crypt_mnt_ftr crypt_ftr;
2067 /* Allocate enough space for a 256 bit key, but we may use less */
2068 unsigned char decrypted_master_key[32];
2069 char encrypted_state[PROPERTY_VALUE_MAX];
2072 property_get("ro.crypto.state", encrypted_state, "");
2073 if (strcmp(encrypted_state, "encrypted") ) {
2074 SLOGE("device not encrypted, aborting");
2078 if (!master_key_saved) {
2079 SLOGE("encrypted fs not yet mounted, aborting");
2083 if (!saved_mount_point) {
2084 SLOGE("encrypted fs failed to save mount point, aborting");
2088 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2089 SLOGE("Error getting crypt footer and key\n");
2093 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2094 /* If the device has no password, then just say the password is valid */
2097 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2098 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2099 /* They match, the password is correct */
2102 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2111 /* Initialize a crypt_mnt_ftr structure. The keysize is
2112 * defaulted to 16 bytes, and the filesystem size to 0.
2113 * Presumably, at a minimum, the caller will update the
2114 * filesystem size and crypto_type_name after calling this function.
2116 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2120 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2121 ftr->magic = CRYPT_MNT_MAGIC;
2122 ftr->major_version = CURRENT_MAJOR_VERSION;
2123 ftr->minor_version = CURRENT_MINOR_VERSION;
2124 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2125 ftr->keysize = KEY_LEN_BYTES;
2127 switch (keymaster_check_compatibility()) {
2129 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2133 ftr->kdf_type = KDF_SCRYPT;
2137 SLOGE("keymaster_check_compatibility failed");
2141 get_device_scrypt_params(ftr);
2143 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2144 if (get_crypt_ftr_info(NULL, &off) == 0) {
2145 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2146 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2147 ftr->persist_data_size;
2153 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2155 const char *args[10];
2156 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2162 if (type == EXT4_FS) {
2163 #ifdef TARGET_USES_MKE2FS
2164 args[0] = "/system/bin/mke2fs";
2171 args[7] = crypto_blkdev;
2172 snprintf(size_str, sizeof(size_str), "%" PRId64, size / (4096 / 512));
2176 args[0] = "/system/bin/make_ext4fs";
2180 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2182 args[5] = crypto_blkdev;
2185 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2186 args[0], args[1], args[2], args[3], args[4], args[5]);
2187 } else if (type == F2FS_FS) {
2188 args[0] = "/system/bin/mkfs.f2fs";
2191 args[3] = crypto_blkdev;
2192 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2195 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2196 args[0], args[1], args[2], args[3], args[4]);
2198 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2202 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2205 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2207 if (WIFEXITED(status)) {
2208 if (WEXITSTATUS(status)) {
2209 SLOGE("Error creating filesystem on %s, exit status %d ",
2210 crypto_blkdev, WEXITSTATUS(status));
2212 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2216 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2223 #define CRYPT_INPLACE_BUFSIZE 4096
2224 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2225 #define CRYPT_SECTOR_SIZE 512
2227 /* aligned 32K writes tends to make flash happy.
2228 * SD card association recommends it.
2230 #define BLOCKS_AT_A_TIME 8
2232 struct encryptGroupsData
2237 off64_t one_pct, cur_pct, new_pct;
2238 off64_t blocks_already_done, tot_numblocks;
2239 off64_t used_blocks_already_done, tot_used_blocks;
2240 char* real_blkdev, * crypto_blkdev;
2244 off64_t last_written_sector;
2246 time_t time_started;
2250 static void update_progress(struct encryptGroupsData* data, int is_used)
2252 data->blocks_already_done++;
2255 data->used_blocks_already_done++;
2257 if (data->tot_used_blocks) {
2258 data->new_pct = data->used_blocks_already_done / data->one_pct;
2260 data->new_pct = data->blocks_already_done / data->one_pct;
2263 if (data->new_pct > data->cur_pct) {
2265 data->cur_pct = data->new_pct;
2266 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2267 property_set("vold.encrypt_progress", buf);
2270 if (data->cur_pct >= 5) {
2271 struct timespec time_now;
2272 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2273 SLOGW("Error getting time");
2275 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2276 off64_t remaining_blocks = data->tot_used_blocks
2277 - data->used_blocks_already_done;
2278 int remaining_time = (int)(elapsed_time * remaining_blocks
2279 / data->used_blocks_already_done);
2281 // Change time only if not yet set, lower, or a lot higher for
2282 // best user experience
2283 if (data->remaining_time == -1
2284 || remaining_time < data->remaining_time
2285 || remaining_time > data->remaining_time + 60) {
2287 snprintf(buf, sizeof(buf), "%d", remaining_time);
2288 property_set("vold.encrypt_time_remaining", buf);
2289 data->remaining_time = remaining_time;
2295 static void log_progress(struct encryptGroupsData const* data, bool completed)
2297 // Precondition - if completed data = 0 else data != 0
2299 // Track progress so we can skip logging blocks
2300 static off64_t offset = -1;
2302 // Need to close existing 'Encrypting from' log?
2303 if (completed || (offset != -1 && data->offset != offset)) {
2304 SLOGI("Encrypted to sector %" PRId64,
2305 offset / info.block_size * CRYPT_SECTOR_SIZE);
2309 // Need to start new 'Encrypting from' log?
2310 if (!completed && offset != data->offset) {
2311 SLOGI("Encrypting from sector %" PRId64,
2312 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2317 offset = data->offset + (off64_t)data->count * info.block_size;
2321 static int flush_outstanding_data(struct encryptGroupsData* data)
2323 if (data->count == 0) {
2327 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2329 if (pread64(data->realfd, data->buffer,
2330 info.block_size * data->count, data->offset)
2332 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2337 if (pwrite64(data->cryptofd, data->buffer,
2338 info.block_size * data->count, data->offset)
2340 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2341 data->crypto_blkdev);
2344 log_progress(data, false);
2348 data->last_written_sector = (data->offset + data->count)
2349 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2353 static int encrypt_groups(struct encryptGroupsData* data)
2356 u8 *block_bitmap = 0;
2361 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2362 if (!data->buffer) {
2363 SLOGE("Failed to allocate crypto buffer");
2367 block_bitmap = malloc(info.block_size);
2368 if (!block_bitmap) {
2369 SLOGE("failed to allocate block bitmap");
2373 for (i = 0; i < aux_info.groups; ++i) {
2374 SLOGI("Encrypting group %d", i);
2376 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2377 u32 block_count = min(info.blocks_per_group,
2378 aux_info.len_blocks - first_block);
2380 off64_t offset = (u64)info.block_size
2381 * aux_info.bg_desc[i].bg_block_bitmap;
2383 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2384 if (ret != (int)info.block_size) {
2385 SLOGE("failed to read all of block group bitmap %d", i);
2389 offset = (u64)info.block_size * first_block;
2393 for (block = 0; block < block_count; block++) {
2394 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2395 0 : bitmap_get_bit(block_bitmap, block);
2396 update_progress(data, used);
2398 if (data->count == 0) {
2399 data->offset = offset;
2403 if (flush_outstanding_data(data)) {
2408 offset += info.block_size;
2410 /* Write data if we are aligned or buffer size reached */
2411 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2412 || data->count == BLOCKS_AT_A_TIME) {
2413 if (flush_outstanding_data(data)) {
2418 if (!is_battery_ok_to_continue()) {
2419 SLOGE("Stopping encryption due to low battery");
2425 if (flush_outstanding_data(data)) {
2430 data->completed = 1;
2434 log_progress(0, true);
2440 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2443 off64_t *size_already_done,
2445 off64_t previously_encrypted_upto)
2448 struct encryptGroupsData data;
2449 int rc; // Can't initialize without causing warning -Wclobbered
2451 if (previously_encrypted_upto > *size_already_done) {
2452 SLOGD("Not fast encrypting since resuming part way through");
2456 memset(&data, 0, sizeof(data));
2457 data.real_blkdev = real_blkdev;
2458 data.crypto_blkdev = crypto_blkdev;
2460 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2461 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2462 real_blkdev, errno, strerror(errno));
2467 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2468 int retries = RETRY_MOUNT_ATTEMPTS;
2469 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2471 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2472 crypto_blkdev, errno, strerror(errno));
2473 sleep(RETRY_MOUNT_DELAY_SECONDS);
2475 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2476 crypto_blkdev, errno, strerror(errno));
2477 rc = ENABLE_INPLACE_ERR_DEV;
2482 if (setjmp(setjmp_env)) {
2483 SLOGE("Reading ext4 extent caused an exception\n");
2488 if (read_ext(data.realfd, 0) != 0) {
2489 SLOGE("Failed to read ext4 extent\n");
2494 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2495 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2496 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2498 SLOGI("Encrypting ext4 filesystem in place...");
2500 data.tot_used_blocks = data.numblocks;
2501 for (i = 0; i < aux_info.groups; ++i) {
2502 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2505 data.one_pct = data.tot_used_blocks / 100;
2508 struct timespec time_started = {0};
2509 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2510 SLOGW("Error getting time at start");
2511 // Note - continue anyway - we'll run with 0
2513 data.time_started = time_started.tv_sec;
2514 data.remaining_time = -1;
2516 rc = encrypt_groups(&data);
2518 SLOGE("Error encrypting groups");
2522 *size_already_done += data.completed ? size : data.last_written_sector;
2527 close(data.cryptofd);
2532 static void log_progress_f2fs(u64 block, bool completed)
2534 // Precondition - if completed data = 0 else data != 0
2536 // Track progress so we can skip logging blocks
2537 static u64 last_block = (u64)-1;
2539 // Need to close existing 'Encrypting from' log?
2540 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2541 SLOGI("Encrypted to block %" PRId64, last_block);
2545 // Need to start new 'Encrypting from' log?
2546 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2547 SLOGI("Encrypting from block %" PRId64, block);
2556 static int encrypt_one_block_f2fs(u64 pos, void *data)
2558 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2560 priv_dat->blocks_already_done = pos - 1;
2561 update_progress(priv_dat, 1);
2563 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2565 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2566 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2570 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2571 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2574 log_progress_f2fs(pos, false);
2580 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2583 off64_t *size_already_done,
2585 off64_t previously_encrypted_upto)
2587 struct encryptGroupsData data;
2588 struct f2fs_info *f2fs_info = NULL;
2589 int rc = ENABLE_INPLACE_ERR_OTHER;
2590 if (previously_encrypted_upto > *size_already_done) {
2591 SLOGD("Not fast encrypting since resuming part way through");
2592 return ENABLE_INPLACE_ERR_OTHER;
2594 memset(&data, 0, sizeof(data));
2595 data.real_blkdev = real_blkdev;
2596 data.crypto_blkdev = crypto_blkdev;
2599 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2600 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2604 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2605 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2606 crypto_blkdev, errno, strerror(errno));
2607 rc = ENABLE_INPLACE_ERR_DEV;
2611 f2fs_info = generate_f2fs_info(data.realfd);
2615 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2616 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2617 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2619 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2621 data.one_pct = data.tot_used_blocks / 100;
2623 data.time_started = time(NULL);
2624 data.remaining_time = -1;
2626 data.buffer = malloc(f2fs_info->block_size);
2628 SLOGE("Failed to allocate crypto buffer");
2634 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2635 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2638 SLOGE("Error in running over f2fs blocks");
2639 rc = ENABLE_INPLACE_ERR_OTHER;
2643 *size_already_done += size;
2648 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2650 log_progress_f2fs(0, true);
2654 close(data.cryptofd);
2659 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2660 off64_t size, off64_t *size_already_done,
2662 off64_t previously_encrypted_upto)
2664 int realfd, cryptofd;
2665 char *buf[CRYPT_INPLACE_BUFSIZE];
2666 int rc = ENABLE_INPLACE_ERR_OTHER;
2667 off64_t numblocks, i, remainder;
2668 off64_t one_pct, cur_pct, new_pct;
2669 off64_t blocks_already_done, tot_numblocks;
2671 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2672 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2673 return ENABLE_INPLACE_ERR_OTHER;
2676 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2677 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2678 crypto_blkdev, errno, strerror(errno));
2680 return ENABLE_INPLACE_ERR_DEV;
2683 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2684 * The size passed in is the number of 512 byte sectors in the filesystem.
2685 * So compute the number of whole 4K blocks we should read/write,
2686 * and the remainder.
2688 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2689 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2690 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2691 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2693 SLOGE("Encrypting filesystem in place...");
2695 i = previously_encrypted_upto + 1 - *size_already_done;
2697 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2698 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2702 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2703 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2707 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2708 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2709 SLOGE("Error reading initial sectors from real_blkdev %s for "
2710 "inplace encrypt\n", crypto_blkdev);
2713 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2714 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2715 "inplace encrypt\n", crypto_blkdev);
2718 SLOGI("Encrypted 1 block at %" PRId64, i);
2722 one_pct = tot_numblocks / 100;
2724 /* process the majority of the filesystem in blocks */
2725 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2726 new_pct = (i + blocks_already_done) / one_pct;
2727 if (new_pct > cur_pct) {
2731 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2732 property_set("vold.encrypt_progress", buf);
2734 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2735 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2738 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2739 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2742 SLOGD("Encrypted %d block at %" PRId64,
2743 CRYPT_SECTORS_PER_BUFSIZE,
2744 i * CRYPT_SECTORS_PER_BUFSIZE);
2747 if (!is_battery_ok_to_continue()) {
2748 SLOGE("Stopping encryption due to low battery");
2749 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2755 /* Do any remaining sectors */
2756 for (i=0; i<remainder; i++) {
2757 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2758 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2761 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2762 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2765 SLOGI("Encrypted 1 block at next location");
2769 *size_already_done += size;
2779 /* returns on of the ENABLE_INPLACE_* return codes */
2780 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2781 off64_t size, off64_t *size_already_done,
2783 off64_t previously_encrypted_upto)
2785 int rc_ext4, rc_f2fs, rc_full;
2786 if (previously_encrypted_upto) {
2787 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2790 if (*size_already_done + size < previously_encrypted_upto) {
2791 *size_already_done += size;
2795 /* TODO: identify filesystem type.
2796 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2797 * then we will drop down to cryptfs_enable_inplace_f2fs.
2799 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2800 size, size_already_done,
2801 tot_size, previously_encrypted_upto)) == 0) {
2804 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2806 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2807 size, size_already_done,
2808 tot_size, previously_encrypted_upto)) == 0) {
2811 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2813 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2814 size, size_already_done, tot_size,
2815 previously_encrypted_upto);
2816 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2818 /* Hack for b/17898962, the following is the symptom... */
2819 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2820 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2821 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2822 return ENABLE_INPLACE_ERR_DEV;
2827 #define CRYPTO_ENABLE_WIPE 1
2828 #define CRYPTO_ENABLE_INPLACE 2
2830 #define FRAMEWORK_BOOT_WAIT 60
2832 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2834 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2836 SLOGE("Error opening file %s", filename);
2840 char block[CRYPT_INPLACE_BUFSIZE];
2841 memset(block, 0, sizeof(block));
2842 if (unix_read(fd, block, sizeof(block)) < 0) {
2843 SLOGE("Error reading file %s", filename);
2852 SHA256_Update(&c, block, sizeof(block));
2853 SHA256_Final(buf, &c);
2858 static int get_fs_type(struct fstab_rec *rec)
2860 if (!strcmp(rec->fs_type, "ext4")) {
2862 } else if (!strcmp(rec->fs_type, "f2fs")) {
2869 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2870 char *crypto_blkdev, char *real_blkdev,
2871 int previously_encrypted_upto)
2873 off64_t cur_encryption_done=0, tot_encryption_size=0;
2876 if (!is_battery_ok_to_start()) {
2877 SLOGW("Not starting encryption due to low battery");
2881 /* The size of the userdata partition, and add in the vold volumes below */
2882 tot_encryption_size = crypt_ftr->fs_size;
2884 if (how == CRYPTO_ENABLE_WIPE) {
2885 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2886 int fs_type = get_fs_type(rec);
2888 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2891 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2892 } else if (how == CRYPTO_ENABLE_INPLACE) {
2893 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2894 crypt_ftr->fs_size, &cur_encryption_done,
2895 tot_encryption_size,
2896 previously_encrypted_upto);
2898 if (rc == ENABLE_INPLACE_ERR_DEV) {
2899 /* Hack for b/17898962 */
2900 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2901 cryptfs_reboot(reboot);
2905 crypt_ftr->encrypted_upto = cur_encryption_done;
2908 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2909 /* The inplace routine never actually sets the progress to 100% due
2910 * to the round down nature of integer division, so set it here */
2911 property_set("vold.encrypt_progress", "100");
2914 /* Shouldn't happen */
2915 SLOGE("cryptfs_enable: internal error, unknown option\n");
2922 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2926 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2927 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2929 struct crypt_mnt_ftr crypt_ftr;
2930 struct crypt_persist_data *pdata;
2931 char encrypted_state[PROPERTY_VALUE_MAX];
2932 char lockid[32] = { 0 };
2933 char key_loc[PROPERTY_VALUE_MAX];
2935 off64_t previously_encrypted_upto = 0;
2936 bool rebootEncryption = false;
2938 if (!strcmp(howarg, "wipe")) {
2939 how = CRYPTO_ENABLE_WIPE;
2940 } else if (! strcmp(howarg, "inplace")) {
2941 how = CRYPTO_ENABLE_INPLACE;
2943 /* Shouldn't happen, as CommandListener vets the args */
2944 goto error_unencrypted;
2947 if (how == CRYPTO_ENABLE_INPLACE
2948 && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2949 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2950 /* An encryption was underway and was interrupted */
2951 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2952 crypt_ftr.encrypted_upto = 0;
2953 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2955 /* At this point, we are in an inconsistent state. Until we successfully
2956 complete encryption, a reboot will leave us broken. So mark the
2957 encryption failed in case that happens.
2958 On successfully completing encryption, remove this flag */
2959 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2961 put_crypt_ftr_and_key(&crypt_ftr);
2962 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2963 if (!check_ftr_sha(&crypt_ftr)) {
2964 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2965 put_crypt_ftr_and_key(&crypt_ftr);
2966 goto error_unencrypted;
2969 /* Doing a reboot-encryption*/
2970 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2971 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2972 rebootEncryption = true;
2976 property_get("ro.crypto.state", encrypted_state, "");
2977 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2978 SLOGE("Device is already running encrypted, aborting");
2979 goto error_unencrypted;
2982 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2983 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2984 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2986 /* Get the size of the real block device */
2987 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2989 SLOGE("Cannot open block device %s\n", real_blkdev);
2990 goto error_unencrypted;
2992 unsigned long nr_sec;
2993 get_blkdev_size(fd, &nr_sec);
2995 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2996 goto error_unencrypted;
3000 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
3001 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
3002 unsigned int fs_size_sec, max_fs_size_sec;
3003 fs_size_sec = get_fs_size(real_blkdev);
3004 if (fs_size_sec == 0)
3005 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
3007 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3009 if (fs_size_sec > max_fs_size_sec) {
3010 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
3011 goto error_unencrypted;
3015 /* Get a wakelock as this may take a while, and we don't want the
3016 * device to sleep on us. We'll grab a partial wakelock, and if the UI
3017 * wants to keep the screen on, it can grab a full wakelock.
3019 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3020 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3022 /* The init files are setup to stop the class main and late start when
3023 * vold sets trigger_shutdown_framework.
3025 property_set("vold.decrypt", "trigger_shutdown_framework");
3026 SLOGD("Just asked init to shut down class main\n");
3028 /* Ask vold to unmount all devices that it manages */
3029 if (vold_unmountAll()) {
3030 SLOGE("Failed to unmount all vold managed devices");
3033 /* no_ui means we are being called from init, not settings.
3034 Now we always reboot from settings, so !no_ui means reboot
3036 bool onlyCreateHeader = false;
3038 /* Try fallback, which is to reboot and try there */
3039 onlyCreateHeader = true;
3040 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
3041 if (breadcrumb == 0) {
3042 SLOGE("Failed to create breadcrumb file");
3043 goto error_shutting_down;
3048 /* Do extra work for a better UX when doing the long inplace encryption */
3049 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
3050 /* Now that /data is unmounted, we need to mount a tmpfs
3051 * /data, set a property saying we're doing inplace encryption,
3052 * and restart the framework.
3054 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3055 goto error_shutting_down;
3057 /* Tells the framework that inplace encryption is starting */
3058 property_set("vold.encrypt_progress", "0");
3060 /* restart the framework. */
3061 /* Create necessary paths on /data */
3062 if (prep_data_fs()) {
3063 goto error_shutting_down;
3066 /* Ugh, shutting down the framework is not synchronous, so until it
3067 * can be fixed, this horrible hack will wait a moment for it all to
3068 * shut down before proceeding. Without it, some devices cannot
3069 * restart the graphics services.
3074 /* Start the actual work of making an encrypted filesystem */
3075 /* Initialize a crypt_mnt_ftr for the partition */
3076 if (previously_encrypted_upto == 0 && !rebootEncryption) {
3077 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3078 goto error_shutting_down;
3081 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3082 crypt_ftr.fs_size = nr_sec
3083 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3085 crypt_ftr.fs_size = nr_sec;
3087 /* At this point, we are in an inconsistent state. Until we successfully
3088 complete encryption, a reboot will leave us broken. So mark the
3089 encryption failed in case that happens.
3090 On successfully completing encryption, remove this flag */
3091 if (onlyCreateHeader) {
3092 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
3094 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3096 crypt_ftr.crypt_type = crypt_type;
3097 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3099 /* Make an encrypted master key */
3100 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
3101 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3102 SLOGE("Cannot create encrypted master key\n");
3103 goto error_shutting_down;
3106 /* Replace scrypted intermediate key if we are preparing for a reboot */
3107 if (onlyCreateHeader) {
3108 unsigned char fake_master_key[KEY_LEN_BYTES];
3109 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
3110 memset(fake_master_key, 0, sizeof(fake_master_key));
3111 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
3112 encrypted_fake_master_key, &crypt_ftr);
3115 /* Write the key to the end of the partition */
3116 put_crypt_ftr_and_key(&crypt_ftr);
3118 /* If any persistent data has been remembered, save it.
3119 * If none, create a valid empty table and save that.
3121 if (!persist_data) {
3122 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3124 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3125 persist_data = pdata;
3129 save_persistent_data();
3133 if (onlyCreateHeader) {
3135 cryptfs_reboot(reboot);
3138 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
3139 /* startup service classes main and late_start */
3140 property_set("vold.decrypt", "trigger_restart_min_framework");
3141 SLOGD("Just triggered restart_min_framework\n");
3143 /* OK, the framework is restarted and will soon be showing a
3144 * progress bar. Time to setup an encrypted mapping, and
3145 * either write a new filesystem, or encrypt in place updating
3146 * the progress bar as we work.
3150 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3151 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3152 CRYPTO_BLOCK_DEVICE);
3154 /* If we are continuing, check checksums match */
3156 if (previously_encrypted_upto) {
3157 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3158 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3160 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3161 sizeof(hash_first_block)) != 0) {
3162 SLOGE("Checksums do not match - trigger wipe");
3168 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3169 crypto_blkdev, real_blkdev,
3170 previously_encrypted_upto);
3173 /* Calculate checksum if we are not finished */
3174 if (!rc && how == CRYPTO_ENABLE_INPLACE
3175 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3176 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3177 crypt_ftr.hash_first_block);
3179 SLOGE("Error calculating checksum for continuing encryption");
3184 /* Undo the dm-crypt mapping whether we succeed or not */
3185 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
3189 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3191 if (how == CRYPTO_ENABLE_INPLACE
3192 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3193 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3194 crypt_ftr.encrypted_upto);
3195 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3198 put_crypt_ftr_and_key(&crypt_ftr);
3200 if (how == CRYPTO_ENABLE_WIPE
3201 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3202 char value[PROPERTY_VALUE_MAX];
3203 property_get("ro.crypto.state", value, "");
3204 if (!strcmp(value, "")) {
3205 /* default encryption - continue first boot sequence */
3206 property_set("ro.crypto.state", "encrypted");
3207 property_set("ro.crypto.type", "block");
3208 release_wake_lock(lockid);
3209 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
3210 // Bring up cryptkeeper that will check the password and set it
3211 property_set("vold.decrypt", "trigger_shutdown_framework");
3213 property_set("vold.encrypt_progress", "");
3214 cryptfs_trigger_restart_min_framework();
3216 cryptfs_check_passwd(DEFAULT_PASSWORD);
3217 cryptfs_restart_internal(1);
3221 sleep(2); /* Give the UI a chance to show 100% progress */
3222 cryptfs_reboot(reboot);
3225 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3226 cryptfs_reboot(shutdown);
3229 char value[PROPERTY_VALUE_MAX];
3231 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3232 if (!strcmp(value, "1")) {
3233 /* wipe data if encryption failed */
3234 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3235 if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) {
3236 SLOGE("could not write bootloader message\n");
3238 cryptfs_reboot(recovery);
3240 /* set property to trigger dialog */
3241 property_set("vold.encrypt_progress", "error_partially_encrypted");
3242 release_wake_lock(lockid);
3247 /* hrm, the encrypt step claims success, but the reboot failed.
3248 * This should not happen.
3249 * Set the property and return. Hope the framework can deal with it.
3251 property_set("vold.encrypt_progress", "error_reboot_failed");
3252 release_wake_lock(lockid);
3256 property_set("vold.encrypt_progress", "error_not_encrypted");
3258 release_wake_lock(lockid);
3262 error_shutting_down:
3263 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3264 * but the framework is stopped and not restarted to show the error, so it's up to
3265 * vold to restart the system.
3267 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3268 cryptfs_reboot(reboot);
3270 /* shouldn't get here */
3271 property_set("vold.encrypt_progress", "error_shutting_down");
3273 release_wake_lock(lockid);
3278 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3280 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3283 int cryptfs_enable_default(char *howarg, int no_ui)
3285 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3286 DEFAULT_PASSWORD, no_ui);
3289 int cryptfs_changepw(int crypt_type, const char *newpw)
3291 if (e4crypt_is_native()) {
3292 SLOGE("cryptfs_changepw not valid for file encryption");
3296 struct crypt_mnt_ftr crypt_ftr;
3299 /* This is only allowed after we've successfully decrypted the master key */
3300 if (!master_key_saved) {
3301 SLOGE("Key not saved, aborting");
3305 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3306 SLOGE("Invalid crypt_type %d", crypt_type);
3311 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3312 SLOGE("Error getting crypt footer and key");
3316 crypt_ftr.crypt_type = crypt_type;
3318 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3322 crypt_ftr.master_key,
3325 SLOGE("Encrypt master key failed: %d", rc);
3329 put_crypt_ftr_and_key(&crypt_ftr);
3334 static unsigned int persist_get_max_entries(int encrypted) {
3335 struct crypt_mnt_ftr crypt_ftr;
3337 unsigned int max_persistent_entries;
3339 /* If encrypted, use the values from the crypt_ftr, otherwise
3340 * use the values for the current spec.
3343 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3346 dsize = crypt_ftr.persist_data_size;
3348 dsize = CRYPT_PERSIST_DATA_SIZE;
3351 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3352 sizeof(struct crypt_persist_entry);
3354 return max_persistent_entries;
3357 static int persist_get_key(const char *fieldname, char *value)
3361 if (persist_data == NULL) {
3364 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3365 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3367 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3375 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3379 unsigned int max_persistent_entries;
3381 if (persist_data == NULL) {
3385 max_persistent_entries = persist_get_max_entries(encrypted);
3387 num = persist_data->persist_valid_entries;
3389 for (i = 0; i < num; i++) {
3390 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3391 /* We found an existing entry, update it! */
3392 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3393 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3398 /* We didn't find it, add it to the end, if there is room */
3399 if (persist_data->persist_valid_entries < max_persistent_entries) {
3400 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3401 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3402 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3403 persist_data->persist_valid_entries++;
3411 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3412 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3414 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3415 unsigned int field_len;
3416 unsigned int key_index;
3417 field_len = strlen(field);
3420 // The first key in a multi-entry field is just the filedname itself.
3421 if (!strcmp(key, field)) {
3425 // Match key against "%s_%d" % (field, index)
3426 if (strlen(key) < field_len + 1 + 1) {
3427 // Need at least a '_' and a digit.
3430 if (strncmp(key, field, field_len)) {
3431 // If the key does not begin with field, it's not a match.
3434 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3437 return key_index >= index;
3441 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3442 * remaining entries starting from index will be deleted.
3443 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3444 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3445 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3448 static int persist_del_keys(const char *fieldname, unsigned index)
3454 if (persist_data == NULL) {
3455 return PERSIST_DEL_KEY_ERROR_OTHER;
3458 num = persist_data->persist_valid_entries;
3460 j = 0; // points to the end of non-deleted entries.
3461 // Filter out to-be-deleted entries in place.
3462 for (i = 0; i < num; i++) {
3463 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3464 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3470 persist_data->persist_valid_entries = j;
3471 // Zeroise the remaining entries
3472 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3473 return PERSIST_DEL_KEY_OK;
3475 // Did not find an entry matching the given fieldname
3476 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3480 static int persist_count_keys(const char *fieldname)
3485 if (persist_data == NULL) {
3490 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3491 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3499 /* Return the value of the specified field. */
3500 int cryptfs_getfield(const char *fieldname, char *value, int len)
3502 if (e4crypt_is_native()) {
3503 SLOGE("Cannot get field when file encrypted");
3507 char temp_value[PROPERTY_VALUE_MAX];
3508 /* CRYPTO_GETFIELD_OK is success,
3509 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3510 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3511 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3513 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3515 char temp_field[PROPERTY_KEY_MAX];
3517 if (persist_data == NULL) {
3518 load_persistent_data();
3519 if (persist_data == NULL) {
3520 SLOGE("Getfield error, cannot load persistent data");
3525 // Read value from persistent entries. If the original value is split into multiple entries,
3526 // stitch them back together.
3527 if (!persist_get_key(fieldname, temp_value)) {
3528 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3529 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3531 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3534 rc = CRYPTO_GETFIELD_OK;
3536 for (i = 1; /* break explicitly */; i++) {
3537 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3538 (int) sizeof(temp_field)) {
3539 // If the fieldname is very long, we stop as soon as it begins to overflow the
3540 // maximum field length. At this point we have in fact fully read out the original
3541 // value because cryptfs_setfield would not allow fields with longer names to be
3542 // written in the first place.
3545 if (!persist_get_key(temp_field, temp_value)) {
3546 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3548 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3552 // Exhaust all entries.
3557 /* Sadness, it's not there. Return the error */
3558 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3565 /* Set the value of the specified field. */
3566 int cryptfs_setfield(const char *fieldname, const char *value)
3568 if (e4crypt_is_native()) {
3569 SLOGE("Cannot set field when file encrypted");
3573 char encrypted_state[PROPERTY_VALUE_MAX];
3574 /* 0 is success, negative values are error */
3575 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3577 unsigned int field_id;
3578 char temp_field[PROPERTY_KEY_MAX];
3579 unsigned int num_entries;
3580 unsigned int max_keylen;
3582 if (persist_data == NULL) {
3583 load_persistent_data();
3584 if (persist_data == NULL) {
3585 SLOGE("Setfield error, cannot load persistent data");
3590 property_get("ro.crypto.state", encrypted_state, "");
3591 if (!strcmp(encrypted_state, "encrypted") ) {
3595 // Compute the number of entries required to store value, each entry can store up to
3596 // (PROPERTY_VALUE_MAX - 1) chars
3597 if (strlen(value) == 0) {
3598 // Empty value also needs one entry to store.
3601 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3604 max_keylen = strlen(fieldname);
3605 if (num_entries > 1) {
3606 // Need an extra "_%d" suffix.
3607 max_keylen += 1 + log10(num_entries);
3609 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3610 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3614 // Make sure we have enough space to write the new value
3615 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3616 persist_get_max_entries(encrypted)) {
3617 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3621 // Now that we know persist_data has enough space for value, let's delete the old field first
3622 // to make up space.
3623 persist_del_keys(fieldname, 0);
3625 if (persist_set_key(fieldname, value, encrypted)) {
3626 // fail to set key, should not happen as we have already checked the available space
3627 SLOGE("persist_set_key() error during setfield()");
3631 for (field_id = 1; field_id < num_entries; field_id++) {
3632 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3634 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3635 // fail to set key, should not happen as we have already checked the available space.
3636 SLOGE("persist_set_key() error during setfield()");
3641 /* If we are running encrypted, save the persistent data now */
3643 if (save_persistent_data()) {
3644 SLOGE("Setfield error, cannot save persistent data");
3649 rc = CRYPTO_SETFIELD_OK;
3655 /* Checks userdata. Attempt to mount the volume if default-
3657 * On success trigger next init phase and return 0.
3658 * Currently do not handle failure - see TODO below.
3660 int cryptfs_mount_default_encrypted(void)
3662 int crypt_type = cryptfs_get_password_type();
3663 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3664 SLOGE("Bad crypt type - error");
3665 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3666 SLOGD("Password is not default - "
3667 "starting min framework to prompt");
3668 property_set("vold.decrypt", "trigger_restart_min_framework");
3670 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3671 SLOGD("Password is default - restarting filesystem");
3672 cryptfs_restart_internal(0);
3675 SLOGE("Encrypted, default crypt type but can't decrypt");
3678 /** Corrupt. Allow us to boot into framework, which will detect bad
3679 crypto when it calls do_crypto_complete, then do a factory reset
3681 property_set("vold.decrypt", "trigger_restart_min_framework");
3685 /* Returns type of the password, default, pattern, pin or password.
3687 int cryptfs_get_password_type(void)
3689 if (e4crypt_is_native()) {
3690 SLOGE("cryptfs_get_password_type not valid for file encryption");
3694 struct crypt_mnt_ftr crypt_ftr;
3696 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3697 SLOGE("Error getting crypt footer and key\n");
3701 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3705 return crypt_ftr.crypt_type;
3708 const char* cryptfs_get_password()
3710 if (e4crypt_is_native()) {
3711 SLOGE("cryptfs_get_password not valid for file encryption");
3715 struct timespec now;
3716 clock_gettime(CLOCK_BOOTTIME, &now);
3717 if (now.tv_sec < password_expiry_time) {
3720 cryptfs_clear_password();
3725 void cryptfs_clear_password()
3728 size_t len = strlen(password);
3729 memset(password, 0, len);
3732 password_expiry_time = 0;
3736 int cryptfs_enable_file()
3738 return e4crypt_initialize_global_de();
3741 int cryptfs_isConvertibleToFBE()
3743 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3744 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3747 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3749 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3750 SLOGE("Failed to initialize crypt_ftr");
3754 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3755 crypt_ftr->salt, crypt_ftr)) {
3756 SLOGE("Cannot create encrypted master key\n");
3760 //crypt_ftr->keysize = key_length / 8;
3764 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3765 unsigned char* master_key)
3769 unsigned char* intermediate_key = 0;
3770 size_t intermediate_key_size = 0;
3772 if (password == 0 || *password == 0) {
3773 password = DEFAULT_PASSWORD;
3776 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3777 &intermediate_key_size);
3780 SLOGE("Can't calculate intermediate key");
3784 int N = 1 << ftr->N_factor;
3785 int r = 1 << ftr->r_factor;
3786 int p = 1 << ftr->p_factor;
3788 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3790 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3791 ftr->salt, sizeof(ftr->salt), N, r, p,
3792 scrypted_intermediate_key,
3793 sizeof(scrypted_intermediate_key));
3795 free(intermediate_key);
3798 SLOGE("Can't scrypt intermediate key");
3802 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3803 intermediate_key_size);
3806 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3807 const unsigned char* master_key)
3809 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3813 const char* cryptfs_get_file_encryption_mode()
3815 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3816 return fs_mgr_get_file_encryption_mode(rec);