2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
42 #include <linux/kdev_t.h>
46 #include <selinux/selinux.h>
48 #include "secontext.h"
49 #define LOG_TAG "Cryptfs"
50 #include "cutils/log.h"
51 #include "cutils/properties.h"
52 #include "cutils/android_reboot.h"
53 #include "hardware_legacy/power.h"
54 #include <logwrap/logwrap.h>
55 #include "ScryptParameters.h"
56 #include "VolumeManager.h"
58 #include "crypto_scrypt.h"
59 #include "Ext4Crypt.h"
60 #include "ext4_utils.h"
61 #include "f2fs_sparseblock.h"
62 #include "CheckBattery.h"
65 #include <bootloader_message_writer.h>
66 #include <hardware/keymaster0.h>
67 #include <hardware/keymaster1.h>
69 #define UNUSED __attribute__((unused))
71 #define UNUSED __attribute__((unused))
73 #ifdef CONFIG_HW_DISK_ENCRYPTION
74 #include "cryptfs_hw.h"
77 #define DM_CRYPT_BUF_SIZE 4096
79 #define HASH_COUNT 2000
80 #define KEY_LEN_BYTES 16
81 #define IV_LEN_BYTES 16
83 #define KEY_IN_FOOTER "footer"
85 #define DEFAULT_PASSWORD "default_password"
87 #define CRYPTO_BLOCK_DEVICE "userdata"
89 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
94 #define TABLE_LOAD_RETRIES 10
96 #define RSA_KEY_SIZE 2048
97 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
98 #define RSA_EXPONENT 0x10001
99 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
101 #define RETRY_MOUNT_ATTEMPTS 10
102 #define RETRY_MOUNT_DELAY_SECONDS 1
104 char *me = "cryptfs";
106 static unsigned char saved_master_key[KEY_LEN_BYTES];
107 static char *saved_mount_point;
108 static int master_key_saved = 0;
109 static struct crypt_persist_data *persist_data = NULL;
111 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
112 keymaster1_device_t **keymaster1_dev)
116 const hw_module_t* mod;
117 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
119 ALOGE("could not find any keystore module");
123 SLOGI("keymaster module name is %s", mod->name);
124 SLOGI("keymaster version is %d", mod->module_api_version);
126 *keymaster0_dev = NULL;
127 *keymaster1_dev = NULL;
128 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
129 SLOGI("Found keymaster1 module, using keymaster1 API.");
130 rc = keymaster1_open(mod, keymaster1_dev);
132 SLOGI("Found keymaster0 module, using keymaster0 API.");
133 rc = keymaster0_open(mod, keymaster0_dev);
137 ALOGE("could not open keymaster device in %s (%s)",
138 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
145 *keymaster0_dev = NULL;
146 *keymaster1_dev = NULL;
150 /* Should we use keymaster? */
151 static int keymaster_check_compatibility()
153 keymaster0_device_t *keymaster0_dev = 0;
154 keymaster1_device_t *keymaster1_dev = 0;
157 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
158 SLOGE("Failed to init keymaster");
163 if (keymaster1_dev) {
168 if (!keymaster0_dev || !keymaster0_dev->common.module) {
173 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
175 if (keymaster0_dev->common.module->module_api_version
176 < KEYMASTER_MODULE_API_VERSION_0_3) {
181 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
182 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
187 if (keymaster1_dev) {
188 keymaster1_close(keymaster1_dev);
190 if (keymaster0_dev) {
191 keymaster0_close(keymaster0_dev);
196 /* Create a new keymaster key and store it in this footer */
197 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
200 keymaster0_device_t *keymaster0_dev = 0;
201 keymaster1_device_t *keymaster1_dev = 0;
203 if (ftr->keymaster_blob_size) {
204 SLOGI("Already have key");
208 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
209 SLOGE("Failed to init keymaster");
215 if (keymaster1_dev) {
216 keymaster_key_param_t params[] = {
217 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
218 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
219 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
220 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
222 /* The only allowed purpose for this key is signing. */
223 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
225 /* Padding & digest specifications. */
226 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
227 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
229 /* Require that the key be usable in standalone mode. File system isn't available. */
230 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
232 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
233 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
235 /* Rate-limit key usage attempts, to rate-limit brute force */
236 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
238 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
239 keymaster_key_blob_t key_blob;
240 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set,
242 NULL /* characteristics */);
243 if (error != KM_ERROR_OK) {
244 SLOGE("Failed to generate keymaster1 key, error %d", error);
249 key = (uint8_t*)key_blob.key_material;
250 key_size = key_blob.key_material_size;
252 else if (keymaster0_dev) {
253 keymaster_rsa_keygen_params_t params;
254 memset(¶ms, '\0', sizeof(params));
255 params.public_exponent = RSA_EXPONENT;
256 params.modulus_size = RSA_KEY_SIZE;
258 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms,
260 SLOGE("Failed to generate keypair");
265 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
270 if (key_size > KEYMASTER_BLOB_SIZE) {
271 SLOGE("Keymaster key too large for crypto footer");
276 memcpy(ftr->keymaster_blob, key, key_size);
277 ftr->keymaster_blob_size = key_size;
281 keymaster0_close(keymaster0_dev);
283 keymaster1_close(keymaster1_dev);
288 /* This signs the given object using the keymaster key. */
289 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
290 const unsigned char *object,
291 const size_t object_size,
292 unsigned char **signature,
293 size_t *signature_size)
296 keymaster0_device_t *keymaster0_dev = 0;
297 keymaster1_device_t *keymaster1_dev = 0;
298 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
299 SLOGE("Failed to init keymaster");
304 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
305 size_t to_sign_size = sizeof(to_sign);
306 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
308 // To sign a message with RSA, the message must satisfy two
311 // 1. The message, when interpreted as a big-endian numeric value, must
312 // be strictly less than the public modulus of the RSA key. Note
313 // that because the most significant bit of the public modulus is
314 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
315 // key), an n-bit message with most significant bit 0 always
316 // satisfies this requirement.
318 // 2. The message must have the same length in bits as the public
319 // modulus of the RSA key. This requirement isn't mathematically
320 // necessary, but is necessary to ensure consistency in
322 switch (ftr->kdf_type) {
323 case KDF_SCRYPT_KEYMASTER:
324 // This ensures the most significant byte of the signed message
325 // is zero. We could have zero-padded to the left instead, but
326 // this approach is slightly more robust against changes in
327 // object size. However, it's still broken (but not unusably
328 // so) because we really should be using a proper deterministic
329 // RSA padding function, such as PKCS1.
330 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
331 SLOGI("Signing safely-padded object");
334 SLOGE("Unknown KDF type %d", ftr->kdf_type);
339 if (keymaster0_dev) {
340 keymaster_rsa_sign_params_t params;
341 params.digest_type = DIGEST_NONE;
342 params.padding_type = PADDING_NONE;
344 rc = keymaster0_dev->sign_data(keymaster0_dev,
347 ftr->keymaster_blob_size,
353 } else if (keymaster1_dev) {
354 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
355 keymaster_key_param_t params[] = {
356 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
357 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
359 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
360 keymaster_operation_handle_t op_handle;
361 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
362 ¶m_set, NULL /* out_params */,
364 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
365 // Key usage has been rate-limited. Wait a bit and try again.
366 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
367 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
368 ¶m_set, NULL /* out_params */,
371 if (error != KM_ERROR_OK) {
372 SLOGE("Error starting keymaster signature transaction: %d", error);
377 keymaster_blob_t input = { to_sign, to_sign_size };
378 size_t input_consumed;
379 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
380 &input, &input_consumed, NULL /* out_params */,
382 if (error != KM_ERROR_OK) {
383 SLOGE("Error sending data to keymaster signature transaction: %d", error);
387 if (input_consumed != to_sign_size) {
388 // This should never happen. If it does, it's a bug in the keymaster implementation.
389 SLOGE("Keymaster update() did not consume all data.");
390 keymaster1_dev->abort(keymaster1_dev, op_handle);
395 keymaster_blob_t tmp_sig;
396 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
397 NULL /* verify signature */, NULL /* out_params */,
399 if (error != KM_ERROR_OK) {
400 SLOGE("Error finishing keymaster signature transaction: %d", error);
405 *signature = (uint8_t*)tmp_sig.data;
406 *signature_size = tmp_sig.data_length;
408 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
415 keymaster1_close(keymaster1_dev);
417 keymaster0_close(keymaster0_dev);
422 /* Store password when userdata is successfully decrypted and mounted.
423 * Cleared by cryptfs_clear_password
425 * To avoid a double prompt at boot, we need to store the CryptKeeper
426 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
427 * Since the entire framework is torn down and rebuilt after encryption,
428 * we have to use a daemon or similar to store the password. Since vold
429 * is secured against IPC except from system processes, it seems a reasonable
430 * place to store this.
432 * password should be cleared once it has been used.
434 * password is aged out after password_max_age_seconds seconds.
436 static char* password = 0;
437 static int password_expiry_time = 0;
438 static const int password_max_age_seconds = 60;
440 extern struct fstab *fstab;
442 enum RebootType {reboot, recovery, shutdown};
443 static void cryptfs_reboot(enum RebootType rt)
447 property_set(ANDROID_RB_PROPERTY, "reboot");
451 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
455 property_set(ANDROID_RB_PROPERTY, "shutdown");
461 /* Shouldn't get here, reboot should happen before sleep times out */
465 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
467 memset(io, 0, dataSize);
468 io->data_size = dataSize;
469 io->data_start = sizeof(struct dm_ioctl);
475 strlcpy(io->name, name, sizeof(io->name));
480 * Gets the default device scrypt parameters for key derivation time tuning.
481 * The parameters should lead to about one second derivation time for the
484 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
485 char paramstr[PROPERTY_VALUE_MAX];
488 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
489 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
490 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
491 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
498 static unsigned int get_fs_size(char *dev)
501 struct ext4_super_block sb;
504 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
505 SLOGE("Cannot open device to get filesystem size ");
509 if (lseek64(fd, 1024, SEEK_SET) < 0) {
510 SLOGE("Cannot seek to superblock");
514 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
515 SLOGE("Cannot read superblock");
521 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
522 SLOGE("Not a valid ext4 superblock");
525 block_size = 1024 << sb.s_log_block_size;
526 /* compute length in bytes */
527 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
529 /* return length in sectors */
530 return (unsigned int) (len / 512);
533 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
535 static int cached_data = 0;
536 static off64_t cached_off = 0;
537 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
539 char key_loc[PROPERTY_VALUE_MAX];
540 char real_blkdev[PROPERTY_VALUE_MAX];
544 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
546 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
547 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
548 SLOGE("Cannot open real block device %s\n", real_blkdev);
552 unsigned long nr_sec = 0;
553 get_blkdev_size(fd, &nr_sec);
555 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
556 * encryption info footer and key, and plenty of bytes to spare for future
559 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
560 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
563 SLOGE("Cannot get size of block device %s\n", real_blkdev);
567 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
574 if (metadata_fname) {
575 *metadata_fname = cached_metadata_fname;
586 /* Set sha256 checksum in structure */
587 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
591 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
592 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
593 SHA256_Final(crypt_ftr->sha256, &c);
596 /* key or salt can be NULL, in which case just skip writing that value. Useful to
597 * update the failed mount count but not change the key.
599 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
603 /* starting_off is set to the SEEK_SET offset
604 * where the crypto structure starts
606 off64_t starting_off;
611 set_ftr_sha(crypt_ftr);
613 if (get_crypt_ftr_info(&fname, &starting_off)) {
614 SLOGE("Unable to get crypt_ftr_info\n");
617 if (fname[0] != '/') {
618 SLOGE("Unexpected value for crypto key location\n");
621 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
622 SLOGE("Cannot open footer file %s for put\n", fname);
626 /* Seek to the start of the crypt footer */
627 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
628 SLOGE("Cannot seek to real block device footer\n");
632 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
633 SLOGE("Cannot write real block device footer\n");
638 /* If the keys are kept on a raw block device, do not try to truncate it. */
639 if (S_ISREG(statbuf.st_mode)) {
640 if (ftruncate(fd, 0x4000)) {
641 SLOGE("Cannot set footer file size\n");
655 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
657 struct crypt_mnt_ftr copy;
658 memcpy(©, crypt_ftr, sizeof(copy));
660 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
663 static inline int unix_read(int fd, void* buff, int len)
665 return TEMP_FAILURE_RETRY(read(fd, buff, len));
668 static inline int unix_write(int fd, const void* buff, int len)
670 return TEMP_FAILURE_RETRY(write(fd, buff, len));
673 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
675 memset(pdata, 0, len);
676 pdata->persist_magic = PERSIST_DATA_MAGIC;
677 pdata->persist_valid_entries = 0;
680 /* A routine to update the passed in crypt_ftr to the lastest version.
681 * fd is open read/write on the device that holds the crypto footer and persistent
682 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
683 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
685 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
687 int orig_major = crypt_ftr->major_version;
688 int orig_minor = crypt_ftr->minor_version;
690 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
691 struct crypt_persist_data *pdata;
692 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
694 SLOGW("upgrading crypto footer to 1.1");
696 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
698 SLOGE("Cannot allocate persisent data\n");
701 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
703 /* Need to initialize the persistent data area */
704 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
705 SLOGE("Cannot seek to persisent data offset\n");
709 /* Write all zeros to the first copy, making it invalid */
710 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
712 /* Write a valid but empty structure to the second copy */
713 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
714 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
716 /* Update the footer */
717 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
718 crypt_ftr->persist_data_offset[0] = pdata_offset;
719 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
720 crypt_ftr->minor_version = 1;
724 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
725 SLOGW("upgrading crypto footer to 1.2");
726 /* But keep the old kdf_type.
727 * It will get updated later to KDF_SCRYPT after the password has been verified.
729 crypt_ftr->kdf_type = KDF_PBKDF2;
730 get_device_scrypt_params(crypt_ftr);
731 crypt_ftr->minor_version = 2;
734 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
735 SLOGW("upgrading crypto footer to 1.3");
736 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
737 crypt_ftr->minor_version = 3;
740 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
741 if (lseek64(fd, offset, SEEK_SET) == -1) {
742 SLOGE("Cannot seek to crypt footer\n");
745 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
750 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
754 off64_t starting_off;
759 if (get_crypt_ftr_info(&fname, &starting_off)) {
760 SLOGE("Unable to get crypt_ftr_info\n");
763 if (fname[0] != '/') {
764 SLOGE("Unexpected value for crypto key location\n");
767 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
768 SLOGE("Cannot open footer file %s for get\n", fname);
772 /* Make sure it's 16 Kbytes in length */
774 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
775 SLOGE("footer file %s is not the expected size!\n", fname);
779 /* Seek to the start of the crypt footer */
780 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
781 SLOGE("Cannot seek to real block device footer\n");
785 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
786 SLOGE("Cannot read real block device footer\n");
790 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
791 SLOGE("Bad magic for real block device %s\n", fname);
795 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
796 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
797 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
801 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
802 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
803 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
806 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
807 * copy on disk before returning.
809 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
810 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
821 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
823 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
824 crypt_ftr->persist_data_offset[1]) {
825 SLOGE("Crypt_ftr persist data regions overlap");
829 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
830 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
834 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
835 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
836 CRYPT_FOOTER_OFFSET) {
837 SLOGE("Persistent data extends past crypto footer");
844 static int load_persistent_data(void)
846 struct crypt_mnt_ftr crypt_ftr;
847 struct crypt_persist_data *pdata = NULL;
848 char encrypted_state[PROPERTY_VALUE_MAX];
856 /* Nothing to do, we've already loaded or initialized it */
861 /* If not encrypted, just allocate an empty table and initialize it */
862 property_get("ro.crypto.state", encrypted_state, "");
863 if (strcmp(encrypted_state, "encrypted") ) {
864 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
866 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
867 persist_data = pdata;
873 if(get_crypt_ftr_and_key(&crypt_ftr)) {
877 if ((crypt_ftr.major_version < 1)
878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
879 SLOGE("Crypt_ftr version doesn't support persistent data");
883 if (get_crypt_ftr_info(&fname, NULL)) {
887 ret = validate_persistent_data_storage(&crypt_ftr);
892 fd = open(fname, O_RDONLY|O_CLOEXEC);
894 SLOGE("Cannot open %s metadata file", fname);
898 pdata = malloc(crypt_ftr.persist_data_size);
900 SLOGE("Cannot allocate memory for persistent data");
904 for (i = 0; i < 2; i++) {
905 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
906 SLOGE("Cannot seek to read persistent data on %s", fname);
909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
910 SLOGE("Error reading persistent data on iteration %d", i);
913 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
920 SLOGI("Could not find valid persistent data, creating");
921 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
925 persist_data = pdata;
937 static int save_persistent_data(void)
939 struct crypt_mnt_ftr crypt_ftr;
940 struct crypt_persist_data *pdata;
942 off64_t write_offset;
943 off64_t erase_offset;
947 if (persist_data == NULL) {
948 SLOGE("No persistent data to save");
952 if(get_crypt_ftr_and_key(&crypt_ftr)) {
956 if ((crypt_ftr.major_version < 1)
957 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
958 SLOGE("Crypt_ftr version doesn't support persistent data");
962 ret = validate_persistent_data_storage(&crypt_ftr);
967 if (get_crypt_ftr_info(&fname, NULL)) {
971 fd = open(fname, O_RDWR|O_CLOEXEC);
973 SLOGE("Cannot open %s metadata file", fname);
977 pdata = malloc(crypt_ftr.persist_data_size);
979 SLOGE("Cannot allocate persistant data");
983 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
984 SLOGE("Cannot seek to read persistent data on %s", fname);
988 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
989 SLOGE("Error reading persistent data before save");
993 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
994 /* The first copy is the curent valid copy, so write to
995 * the second copy and erase this one */
996 write_offset = crypt_ftr.persist_data_offset[1];
997 erase_offset = crypt_ftr.persist_data_offset[0];
999 /* The second copy must be the valid copy, so write to
1000 * the first copy, and erase the second */
1001 write_offset = crypt_ftr.persist_data_offset[0];
1002 erase_offset = crypt_ftr.persist_data_offset[1];
1005 /* Write the new copy first, if successful, then erase the old copy */
1006 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1007 SLOGE("Cannot seek to write persistent data");
1010 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1011 (int) crypt_ftr.persist_data_size) {
1012 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1013 SLOGE("Cannot seek to erase previous persistent data");
1017 memset(pdata, 0, crypt_ftr.persist_data_size);
1018 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1019 (int) crypt_ftr.persist_data_size) {
1020 SLOGE("Cannot write to erase previous persistent data");
1025 SLOGE("Cannot write to save persistent data");
1041 /* Convert a binary key of specified length into an ascii hex string equivalent,
1042 * without the leading 0x and with null termination
1044 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1045 unsigned int keysize, char *master_key_ascii) {
1047 unsigned char nibble;
1049 for (i=0, a=0; i<keysize; i++, a+=2) {
1050 /* For each byte, write out two ascii hex digits */
1051 nibble = (master_key[i] >> 4) & 0xf;
1052 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1054 nibble = master_key[i] & 0xf;
1055 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1058 /* Add the null termination */
1059 master_key_ascii[a] = '\0';
1063 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1064 const unsigned char *master_key, const char *real_blk_name,
1065 const char *name, int fd, const char *extra_params) {
1066 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1067 struct dm_ioctl *io;
1068 struct dm_target_spec *tgt;
1070 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1074 io = (struct dm_ioctl *) buffer;
1076 /* Load the mapping table for this device */
1077 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1079 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1080 io->target_count = 1;
1082 tgt->sector_start = 0;
1083 tgt->length = crypt_ftr->fs_size;
1084 #ifdef CONFIG_HW_DISK_ENCRYPTION
1085 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1086 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1089 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1092 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1095 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1096 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1098 buff_offset = crypt_params - buffer;
1099 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1100 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
1102 crypt_params += strlen(crypt_params) + 1;
1103 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1104 tgt->next = crypt_params - buffer;
1106 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1107 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1113 if (i == TABLE_LOAD_RETRIES) {
1114 /* We failed to load the table, return an error */
1122 static int get_dm_crypt_version(int fd, const char *name, int *version)
1124 char buffer[DM_CRYPT_BUF_SIZE];
1125 struct dm_ioctl *io;
1126 struct dm_target_versions *v;
1128 io = (struct dm_ioctl *) buffer;
1130 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1132 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1136 /* Iterate over the returned versions, looking for name of "crypt".
1137 * When found, get and return the version.
1139 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1141 #ifdef CONFIG_HW_DISK_ENCRYPTION
1142 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1144 if (! strcmp(v->name, "crypt")) {
1146 /* We found the crypt driver, return the version, and get out */
1147 version[0] = v->version[0];
1148 version[1] = v->version[1];
1149 version[2] = v->version[2];
1152 v = (struct dm_target_versions *)(((char *)v) + v->next);
1158 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1159 const unsigned char *master_key, const char *real_blk_name,
1160 char *crypto_blk_name, const char *name) {
1161 char buffer[DM_CRYPT_BUF_SIZE];
1162 struct dm_ioctl *io;
1171 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1172 SLOGE("Cannot open device-mapper\n");
1176 io = (struct dm_ioctl *) buffer;
1178 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1179 err = ioctl(fd, DM_DEV_CREATE, io);
1181 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1185 /* Get the device status, in particular, the name of it's device file */
1186 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1187 if (ioctl(fd, DM_DEV_STATUS, io)) {
1188 SLOGE("Cannot retrieve dm-crypt device status\n");
1191 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1192 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1195 if (! get_dm_crypt_version(fd, name, version)) {
1196 /* Support for allow_discards was added in version 1.11.0 */
1197 if ((version[0] >= 2) ||
1198 ((version[0] == 1) && (version[1] >= 11))) {
1199 extra_params = "1 allow_discards";
1200 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1204 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1206 if (load_count < 0) {
1207 SLOGE("Cannot load dm-crypt mapping table.\n");
1209 } else if (load_count > 1) {
1210 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1213 /* Resume this device to activate it */
1214 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1216 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1217 SLOGE("Cannot resume the dm-crypt device\n");
1221 /* We made it here with no errors. Woot! */
1225 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1230 static int delete_crypto_blk_dev(char *name)
1233 char buffer[DM_CRYPT_BUF_SIZE];
1234 struct dm_ioctl *io;
1237 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1238 SLOGE("Cannot open device-mapper\n");
1242 io = (struct dm_ioctl *) buffer;
1244 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1245 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1246 SLOGE("Cannot remove dm-crypt device\n");
1250 /* We made it here with no errors. Woot! */
1254 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1260 static int pbkdf2(const char *passwd, const unsigned char *salt,
1261 unsigned char *ikey, void *params UNUSED)
1263 SLOGI("Using pbkdf2 for cryptfs KDF");
1265 /* Turn the password into a key and IV that can decrypt the master key */
1266 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1267 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1271 static int scrypt(const char *passwd, const unsigned char *salt,
1272 unsigned char *ikey, void *params)
1274 SLOGI("Using scrypt for cryptfs KDF");
1276 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1278 int N = 1 << ftr->N_factor;
1279 int r = 1 << ftr->r_factor;
1280 int p = 1 << ftr->p_factor;
1282 /* Turn the password into a key and IV that can decrypt the master key */
1283 unsigned int keysize;
1284 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1285 salt, SALT_LEN, N, r, p, ikey,
1286 KEY_LEN_BYTES + IV_LEN_BYTES);
1291 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1292 unsigned char *ikey, void *params)
1294 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1297 size_t signature_size;
1298 unsigned char* signature;
1299 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1301 int N = 1 << ftr->N_factor;
1302 int r = 1 << ftr->r_factor;
1303 int p = 1 << ftr->p_factor;
1305 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1306 salt, SALT_LEN, N, r, p, ikey,
1307 KEY_LEN_BYTES + IV_LEN_BYTES);
1310 SLOGE("scrypt failed");
1314 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1315 &signature, &signature_size)) {
1316 SLOGE("Signing failed");
1320 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1321 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1325 SLOGE("scrypt failed");
1332 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1333 const unsigned char *decrypted_master_key,
1334 unsigned char *encrypted_master_key,
1335 struct crypt_mnt_ftr *crypt_ftr)
1337 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1338 EVP_CIPHER_CTX e_ctx;
1339 int encrypted_len, final_len;
1342 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1343 get_device_scrypt_params(crypt_ftr);
1345 switch (crypt_ftr->kdf_type) {
1346 case KDF_SCRYPT_KEYMASTER:
1347 if (keymaster_create_key(crypt_ftr)) {
1348 SLOGE("keymaster_create_key failed");
1352 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1353 SLOGE("scrypt failed");
1359 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1360 SLOGE("scrypt failed");
1366 SLOGE("Invalid kdf_type");
1370 /* Initialize the decryption engine */
1371 EVP_CIPHER_CTX_init(&e_ctx);
1372 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1373 SLOGE("EVP_EncryptInit failed\n");
1376 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1378 /* Encrypt the master key */
1379 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1380 decrypted_master_key, KEY_LEN_BYTES)) {
1381 SLOGE("EVP_EncryptUpdate failed\n");
1384 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1385 SLOGE("EVP_EncryptFinal failed\n");
1389 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1390 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1394 /* Store the scrypt of the intermediate key, so we can validate if it's a
1395 password error or mount error when things go wrong.
1396 Note there's no need to check for errors, since if this is incorrect, we
1397 simply won't wipe userdata, which is the correct default behavior
1399 int N = 1 << crypt_ftr->N_factor;
1400 int r = 1 << crypt_ftr->r_factor;
1401 int p = 1 << crypt_ftr->p_factor;
1403 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1404 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1405 crypt_ftr->scrypted_intermediate_key,
1406 sizeof(crypt_ftr->scrypted_intermediate_key));
1409 SLOGE("encrypt_master_key: crypto_scrypt failed");
1415 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1416 unsigned char *encrypted_master_key,
1417 unsigned char *decrypted_master_key,
1418 kdf_func kdf, void *kdf_params,
1419 unsigned char** intermediate_key,
1420 size_t* intermediate_key_size)
1422 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1423 EVP_CIPHER_CTX d_ctx;
1424 int decrypted_len, final_len;
1426 /* Turn the password into an intermediate key and IV that can decrypt the
1428 if (kdf(passwd, salt, ikey, kdf_params)) {
1429 SLOGE("kdf failed");
1433 /* Initialize the decryption engine */
1434 EVP_CIPHER_CTX_init(&d_ctx);
1435 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1438 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1439 /* Decrypt the master key */
1440 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1441 encrypted_master_key, KEY_LEN_BYTES)) {
1444 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1448 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1452 /* Copy intermediate key if needed by params */
1453 if (intermediate_key && intermediate_key_size) {
1454 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1455 if (*intermediate_key) {
1456 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1457 *intermediate_key_size = KEY_LEN_BYTES;
1464 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1466 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1467 *kdf = scrypt_keymaster;
1469 } else if (ftr->kdf_type == KDF_SCRYPT) {
1478 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1479 struct crypt_mnt_ftr *crypt_ftr,
1480 unsigned char** intermediate_key,
1481 size_t* intermediate_key_size)
1487 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1488 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1489 decrypted_master_key, kdf, kdf_params,
1490 intermediate_key, intermediate_key_size);
1492 SLOGW("failure decrypting master key");
1498 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1499 struct crypt_mnt_ftr *crypt_ftr) {
1501 unsigned char key_buf[KEY_LEN_BYTES];
1503 /* Get some random bits for a key */
1504 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1505 read(fd, key_buf, sizeof(key_buf));
1506 read(fd, salt, SALT_LEN);
1509 /* Now encrypt it with the password */
1510 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1513 int wait_and_unmount(const char *mountpoint, bool kill)
1516 #define WAIT_UNMOUNT_COUNT 20
1518 /* Now umount the tmpfs filesystem */
1519 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1520 if (umount(mountpoint) == 0) {
1524 if (errno == EINVAL) {
1525 /* EINVAL is returned if the directory is not a mountpoint,
1526 * i.e. there is no filesystem mounted there. So just get out.
1533 /* If allowed, be increasingly aggressive before the last two retries */
1535 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1536 SLOGW("sending SIGHUP to processes with open files\n");
1537 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1538 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1539 SLOGW("sending SIGKILL to processes with open files\n");
1540 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1547 if (i < WAIT_UNMOUNT_COUNT) {
1548 SLOGD("unmounting %s succeeded\n", mountpoint);
1551 vold_killProcessesWithOpenFiles(mountpoint, 0);
1552 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1559 #define DATA_PREP_TIMEOUT 1000
1560 static int prep_data_fs(void)
1564 // NOTE: post_fs_data results in init calling back around to vold, so all
1565 // callers to this method must be async
1567 /* Do the prep of the /data filesystem */
1568 property_set("vold.post_fs_data_done", "0");
1569 property_set("vold.decrypt", "trigger_post_fs_data");
1570 SLOGD("Just triggered post_fs_data\n");
1572 /* Wait a max of 50 seconds, hopefully it takes much less */
1573 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1574 char p[PROPERTY_VALUE_MAX];
1576 property_get("vold.post_fs_data_done", p, "0");
1583 if (i == DATA_PREP_TIMEOUT) {
1584 /* Ugh, we failed to prep /data in time. Bail. */
1585 SLOGE("post_fs_data timed out!\n");
1588 SLOGD("post_fs_data done\n");
1593 static void cryptfs_set_corrupt()
1595 // Mark the footer as bad
1596 struct crypt_mnt_ftr crypt_ftr;
1597 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1598 SLOGE("Failed to get crypto footer - panic");
1602 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1603 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1604 SLOGE("Failed to set crypto footer - panic");
1609 static void cryptfs_trigger_restart_min_framework()
1611 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1612 SLOGE("Failed to mount tmpfs on data - panic");
1616 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1617 SLOGE("Failed to trigger post fs data - panic");
1621 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1622 SLOGE("Failed to trigger restart min framework - panic");
1627 /* returns < 0 on failure */
1628 static int cryptfs_restart_internal(int restart_main)
1630 char crypto_blkdev[MAXPATHLEN];
1632 static int restart_successful = 0;
1634 /* Validate that it's OK to call this routine */
1635 if (! master_key_saved) {
1636 SLOGE("Encrypted filesystem not validated, aborting");
1640 if (restart_successful) {
1641 SLOGE("System already restarted with encrypted disk, aborting");
1646 /* Here is where we shut down the framework. The init scripts
1647 * start all services in one of three classes: core, main or late_start.
1648 * On boot, we start core and main. Now, we stop main, but not core,
1649 * as core includes vold and a few other really important things that
1650 * we need to keep running. Once main has stopped, we should be able
1651 * to umount the tmpfs /data, then mount the encrypted /data.
1652 * We then restart the class main, and also the class late_start.
1653 * At the moment, I've only put a few things in late_start that I know
1654 * are not needed to bring up the framework, and that also cause problems
1655 * with unmounting the tmpfs /data, but I hope to add add more services
1656 * to the late_start class as we optimize this to decrease the delay
1657 * till the user is asked for the password to the filesystem.
1660 /* The init files are setup to stop the class main when vold.decrypt is
1661 * set to trigger_reset_main.
1663 property_set("vold.decrypt", "trigger_reset_main");
1664 SLOGD("Just asked init to shut down class main\n");
1666 /* Ugh, shutting down the framework is not synchronous, so until it
1667 * can be fixed, this horrible hack will wait a moment for it all to
1668 * shut down before proceeding. Without it, some devices cannot
1669 * restart the graphics services.
1674 /* Now that the framework is shutdown, we should be able to umount()
1675 * the tmpfs filesystem, and mount the real one.
1678 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1679 if (strlen(crypto_blkdev) == 0) {
1680 SLOGE("fs_crypto_blkdev not set\n");
1684 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1685 /* If ro.crypto.readonly is set to 1, mount the decrypted
1686 * filesystem readonly. This is used when /data is mounted by
1689 char ro_prop[PROPERTY_VALUE_MAX];
1690 property_get("ro.crypto.readonly", ro_prop, "");
1691 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1692 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1693 rec->flags |= MS_RDONLY;
1696 /* If that succeeded, then mount the decrypted filesystem */
1697 int retries = RETRY_MOUNT_ATTEMPTS;
1701 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1702 * partitions in the fsck domain.
1704 if (setexeccon(secontextFsck())){
1705 SLOGE("Failed to setexeccon");
1708 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1711 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1712 /* TODO: invoke something similar to
1713 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1714 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1715 SLOGI("Failed to mount %s because it is busy - waiting",
1718 sleep(RETRY_MOUNT_DELAY_SECONDS);
1720 /* Let's hope that a reboot clears away whatever is keeping
1722 cryptfs_reboot(reboot);
1725 SLOGE("Failed to mount decrypted data");
1726 cryptfs_set_corrupt();
1727 cryptfs_trigger_restart_min_framework();
1728 SLOGI("Started framework to offer wipe");
1729 if (setexeccon(NULL)) {
1730 SLOGE("Failed to setexeccon");
1735 if (setexeccon(NULL)) {
1736 SLOGE("Failed to setexeccon");
1740 property_set("vold.decrypt", "trigger_load_persist_props");
1741 /* Create necessary paths on /data */
1742 if (prep_data_fs()) {
1746 /* startup service classes main and late_start */
1747 property_set("vold.decrypt", "trigger_restart_framework");
1748 SLOGD("Just triggered restart_framework\n");
1750 /* Give it a few moments to get started */
1755 restart_successful = 1;
1761 int cryptfs_restart(void)
1763 SLOGI("cryptfs_restart");
1764 if (e4crypt_is_native()) {
1765 SLOGE("cryptfs_restart not valid for file encryption:");
1769 /* Call internal implementation forcing a restart of main service group */
1770 return cryptfs_restart_internal(1);
1773 static int do_crypto_complete(char *mount_point)
1775 struct crypt_mnt_ftr crypt_ftr;
1776 char encrypted_state[PROPERTY_VALUE_MAX];
1777 char key_loc[PROPERTY_VALUE_MAX];
1779 property_get("ro.crypto.state", encrypted_state, "");
1780 if (strcmp(encrypted_state, "encrypted") ) {
1781 SLOGE("not running with encryption, aborting");
1782 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1785 // crypto_complete is full disk encrypted status
1786 if (e4crypt_is_native()) {
1787 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1790 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1791 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1794 * Only report this error if key_loc is a file and it exists.
1795 * If the device was never encrypted, and /data is not mountable for
1796 * some reason, returning 1 should prevent the UI from presenting the
1797 * a "enter password" screen, or worse, a "press button to wipe the
1800 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1801 SLOGE("master key file does not exist, aborting");
1802 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1804 SLOGE("Error getting crypt footer and key\n");
1805 return CRYPTO_COMPLETE_BAD_METADATA;
1809 // Test for possible error flags
1810 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1811 SLOGE("Encryption process is partway completed\n");
1812 return CRYPTO_COMPLETE_PARTIAL;
1815 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1816 SLOGE("Encryption process was interrupted but cannot continue\n");
1817 return CRYPTO_COMPLETE_INCONSISTENT;
1820 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1821 SLOGE("Encryption is successful but data is corrupt\n");
1822 return CRYPTO_COMPLETE_CORRUPT;
1825 /* We passed the test! We shall diminish, and return to the west */
1826 return CRYPTO_COMPLETE_ENCRYPTED;
1829 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1830 char *passwd, char *mount_point, char *label)
1832 /* Allocate enough space for a 256 bit key, but we may use less */
1833 unsigned char decrypted_master_key[32];
1834 char crypto_blkdev[MAXPATHLEN];
1835 char real_blkdev[MAXPATHLEN];
1836 char tmp_mount_point[64];
1837 unsigned int orig_failed_decrypt_count;
1839 int use_keymaster = 0;
1841 unsigned char* intermediate_key = 0;
1842 size_t intermediate_key_size = 0;
1844 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1845 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1847 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1848 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1849 &intermediate_key, &intermediate_key_size)) {
1850 SLOGE("Failed to decrypt master key\n");
1856 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1858 #ifdef CONFIG_HW_DISK_ENCRYPTION
1859 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1860 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1861 SLOGE("Hardware encryption key does not match");
1866 // Create crypto block device - all (non fatal) code paths
1868 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1869 real_blkdev, crypto_blkdev, label)) {
1870 SLOGE("Error creating decrypted block device\n");
1875 /* Work out if the problem is the password or the data */
1876 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1877 scrypted_intermediate_key)];
1878 int N = 1 << crypt_ftr->N_factor;
1879 int r = 1 << crypt_ftr->r_factor;
1880 int p = 1 << crypt_ftr->p_factor;
1882 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1883 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1884 N, r, p, scrypted_intermediate_key,
1885 sizeof(scrypted_intermediate_key));
1887 // Does the key match the crypto footer?
1888 if (rc == 0 && memcmp(scrypted_intermediate_key,
1889 crypt_ftr->scrypted_intermediate_key,
1890 sizeof(scrypted_intermediate_key)) == 0) {
1891 SLOGI("Password matches");
1894 /* Try mounting the file system anyway, just in case the problem's with
1895 * the footer, not the key. */
1896 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1898 mkdir(tmp_mount_point, 0755);
1899 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1900 SLOGE("Error temp mounting decrypted block device\n");
1901 delete_crypto_blk_dev(label);
1903 rc = ++crypt_ftr->failed_decrypt_count;
1904 put_crypt_ftr_and_key(crypt_ftr);
1907 SLOGI("Password did not match but decrypted drive mounted - continue");
1908 umount(tmp_mount_point);
1914 crypt_ftr->failed_decrypt_count = 0;
1915 if (orig_failed_decrypt_count != 0) {
1916 put_crypt_ftr_and_key(crypt_ftr);
1919 /* Save the name of the crypto block device
1920 * so we can mount it when restarting the framework. */
1921 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1923 /* Also save a the master key so we can reencrypted the key
1924 * the key when we want to change the password on it. */
1925 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1926 saved_mount_point = strdup(mount_point);
1927 master_key_saved = 1;
1928 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1931 // Upgrade if we're not using the latest KDF.
1932 use_keymaster = keymaster_check_compatibility();
1933 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1934 // Don't allow downgrade
1935 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1936 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1938 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1939 crypt_ftr->kdf_type = KDF_SCRYPT;
1944 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1945 crypt_ftr->master_key, crypt_ftr);
1947 rc = put_crypt_ftr_and_key(crypt_ftr);
1949 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1951 // Do not fail even if upgrade failed - machine is bootable
1952 // Note that if this code is ever hit, there is a *serious* problem
1953 // since KDFs should never fail. You *must* fix the kdf before
1956 SLOGW("Upgrade failed with error %d,"
1957 " but continuing with previous state",
1965 if (intermediate_key) {
1966 memset(intermediate_key, 0, intermediate_key_size);
1967 free(intermediate_key);
1973 * Called by vold when it's asked to mount an encrypted external
1974 * storage volume. The incoming partition has no crypto header/footer,
1975 * as any metadata is been stored in a separate, small partition.
1977 * out_crypto_blkdev must be MAXPATHLEN.
1979 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1980 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1981 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1983 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1987 unsigned long nr_sec = 0;
1988 get_blkdev_size(fd, &nr_sec);
1992 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1996 struct crypt_mnt_ftr ext_crypt_ftr;
1997 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1998 ext_crypt_ftr.fs_size = nr_sec;
1999 ext_crypt_ftr.keysize = keysize;
2000 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
2002 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
2003 out_crypto_blkdev, label);
2007 * Called by vold when it's asked to unmount an encrypted external
2010 int cryptfs_revert_ext_volume(const char* label) {
2011 return delete_crypto_blk_dev((char*) label);
2014 int cryptfs_crypto_complete(void)
2016 return do_crypto_complete("/data");
2019 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2021 char encrypted_state[PROPERTY_VALUE_MAX];
2022 property_get("ro.crypto.state", encrypted_state, "");
2023 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2024 SLOGE("encrypted fs already validated or not running with encryption,"
2029 if (get_crypt_ftr_and_key(crypt_ftr)) {
2030 SLOGE("Error getting crypt footer and key");
2037 int cryptfs_check_passwd(char *passwd)
2039 SLOGI("cryptfs_check_passwd");
2040 if (e4crypt_is_native()) {
2041 SLOGE("cryptfs_check_passwd not valid for file encryption");
2045 struct crypt_mnt_ftr crypt_ftr;
2048 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2050 SLOGE("Could not get footer");
2054 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2055 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2057 SLOGE("Password did not match");
2061 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2062 // Here we have a default actual password but a real password
2063 // we must test against the scrypted value
2064 // First, we must delete the crypto block device that
2065 // test_mount_encrypted_fs leaves behind as a side effect
2066 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2067 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
2068 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2070 SLOGE("Default password did not match on reboot encryption");
2074 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2075 put_crypt_ftr_and_key(&crypt_ftr);
2076 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2078 SLOGE("Could not change password on reboot encryption");
2083 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2084 cryptfs_clear_password();
2085 password = strdup(passwd);
2086 struct timespec now;
2087 clock_gettime(CLOCK_BOOTTIME, &now);
2088 password_expiry_time = now.tv_sec + password_max_age_seconds;
2094 int cryptfs_verify_passwd(char *passwd)
2096 struct crypt_mnt_ftr crypt_ftr;
2097 /* Allocate enough space for a 256 bit key, but we may use less */
2098 unsigned char decrypted_master_key[32];
2099 char encrypted_state[PROPERTY_VALUE_MAX];
2102 property_get("ro.crypto.state", encrypted_state, "");
2103 if (strcmp(encrypted_state, "encrypted") ) {
2104 SLOGE("device not encrypted, aborting");
2108 if (!master_key_saved) {
2109 SLOGE("encrypted fs not yet mounted, aborting");
2113 if (!saved_mount_point) {
2114 SLOGE("encrypted fs failed to save mount point, aborting");
2118 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2119 SLOGE("Error getting crypt footer and key\n");
2123 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2124 /* If the device has no password, then just say the password is valid */
2127 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2128 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2129 /* They match, the password is correct */
2132 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2141 /* Initialize a crypt_mnt_ftr structure. The keysize is
2142 * defaulted to 16 bytes, and the filesystem size to 0.
2143 * Presumably, at a minimum, the caller will update the
2144 * filesystem size and crypto_type_name after calling this function.
2146 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2150 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2151 ftr->magic = CRYPT_MNT_MAGIC;
2152 ftr->major_version = CURRENT_MAJOR_VERSION;
2153 ftr->minor_version = CURRENT_MINOR_VERSION;
2154 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2155 ftr->keysize = KEY_LEN_BYTES;
2157 switch (keymaster_check_compatibility()) {
2159 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2163 ftr->kdf_type = KDF_SCRYPT;
2167 SLOGE("keymaster_check_compatibility failed");
2171 get_device_scrypt_params(ftr);
2173 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2174 if (get_crypt_ftr_info(NULL, &off) == 0) {
2175 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2176 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2177 ftr->persist_data_size;
2183 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2185 const char *args[10];
2186 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2192 if (type == EXT4_FS) {
2193 args[0] = "/system/bin/make_ext4fs";
2197 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2199 args[5] = crypto_blkdev;
2201 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2202 args[0], args[1], args[2], args[3], args[4], args[5]);
2203 } else if (type == F2FS_FS) {
2204 args[0] = "/system/bin/mkfs.f2fs";
2207 args[3] = crypto_blkdev;
2208 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2211 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2212 args[0], args[1], args[2], args[3], args[4]);
2214 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2218 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2221 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2223 if (WIFEXITED(status)) {
2224 if (WEXITSTATUS(status)) {
2225 SLOGE("Error creating filesystem on %s, exit status %d ",
2226 crypto_blkdev, WEXITSTATUS(status));
2228 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2232 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2239 #define CRYPT_INPLACE_BUFSIZE 4096
2240 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2241 #define CRYPT_SECTOR_SIZE 512
2243 /* aligned 32K writes tends to make flash happy.
2244 * SD card association recommends it.
2246 #ifndef CONFIG_HW_DISK_ENCRYPTION
2247 #define BLOCKS_AT_A_TIME 8
2249 #define BLOCKS_AT_A_TIME 1024
2252 struct encryptGroupsData
2257 off64_t one_pct, cur_pct, new_pct;
2258 off64_t blocks_already_done, tot_numblocks;
2259 off64_t used_blocks_already_done, tot_used_blocks;
2260 char* real_blkdev, * crypto_blkdev;
2264 off64_t last_written_sector;
2266 time_t time_started;
2270 static void update_progress(struct encryptGroupsData* data, int is_used)
2272 data->blocks_already_done++;
2275 data->used_blocks_already_done++;
2277 if (data->tot_used_blocks) {
2278 data->new_pct = data->used_blocks_already_done / data->one_pct;
2280 data->new_pct = data->blocks_already_done / data->one_pct;
2283 if (data->new_pct > data->cur_pct) {
2285 data->cur_pct = data->new_pct;
2286 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2287 property_set("vold.encrypt_progress", buf);
2290 if (data->cur_pct >= 5) {
2291 struct timespec time_now;
2292 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2293 SLOGW("Error getting time");
2295 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2296 off64_t remaining_blocks = data->tot_used_blocks
2297 - data->used_blocks_already_done;
2298 int remaining_time = (int)(elapsed_time * remaining_blocks
2299 / data->used_blocks_already_done);
2301 // Change time only if not yet set, lower, or a lot higher for
2302 // best user experience
2303 if (data->remaining_time == -1
2304 || remaining_time < data->remaining_time
2305 || remaining_time > data->remaining_time + 60) {
2307 snprintf(buf, sizeof(buf), "%d", remaining_time);
2308 property_set("vold.encrypt_time_remaining", buf);
2309 data->remaining_time = remaining_time;
2315 static void log_progress(struct encryptGroupsData const* data, bool completed)
2317 // Precondition - if completed data = 0 else data != 0
2319 // Track progress so we can skip logging blocks
2320 static off64_t offset = -1;
2322 // Need to close existing 'Encrypting from' log?
2323 if (completed || (offset != -1 && data->offset != offset)) {
2324 SLOGI("Encrypted to sector %" PRId64,
2325 offset / info.block_size * CRYPT_SECTOR_SIZE);
2329 // Need to start new 'Encrypting from' log?
2330 if (!completed && offset != data->offset) {
2331 SLOGI("Encrypting from sector %" PRId64,
2332 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2337 offset = data->offset + (off64_t)data->count * info.block_size;
2341 static int flush_outstanding_data(struct encryptGroupsData* data)
2343 if (data->count == 0) {
2347 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2349 if (pread64(data->realfd, data->buffer,
2350 info.block_size * data->count, data->offset)
2352 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2357 if (pwrite64(data->cryptofd, data->buffer,
2358 info.block_size * data->count, data->offset)
2360 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2361 data->crypto_blkdev);
2364 log_progress(data, false);
2368 data->last_written_sector = (data->offset + data->count)
2369 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2373 static int encrypt_groups(struct encryptGroupsData* data)
2376 u8 *block_bitmap = 0;
2381 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2382 if (!data->buffer) {
2383 SLOGE("Failed to allocate crypto buffer");
2387 block_bitmap = malloc(info.block_size);
2388 if (!block_bitmap) {
2389 SLOGE("failed to allocate block bitmap");
2393 for (i = 0; i < aux_info.groups; ++i) {
2394 SLOGI("Encrypting group %d", i);
2396 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2397 u32 block_count = min(info.blocks_per_group,
2398 aux_info.len_blocks - first_block);
2400 off64_t offset = (u64)info.block_size
2401 * aux_info.bg_desc[i].bg_block_bitmap;
2403 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2404 if (ret != (int)info.block_size) {
2405 SLOGE("failed to read all of block group bitmap %d", i);
2409 offset = (u64)info.block_size * first_block;
2413 for (block = 0; block < block_count; block++) {
2414 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2415 0 : bitmap_get_bit(block_bitmap, block);
2416 update_progress(data, used);
2418 if (data->count == 0) {
2419 data->offset = offset;
2423 if (flush_outstanding_data(data)) {
2428 offset += info.block_size;
2430 /* Write data if we are aligned or buffer size reached */
2431 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2432 || data->count == BLOCKS_AT_A_TIME) {
2433 if (flush_outstanding_data(data)) {
2438 if (!is_battery_ok_to_continue()) {
2439 SLOGE("Stopping encryption due to low battery");
2445 if (flush_outstanding_data(data)) {
2450 data->completed = 1;
2454 log_progress(0, true);
2460 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2463 off64_t *size_already_done,
2465 off64_t previously_encrypted_upto)
2468 struct encryptGroupsData data;
2469 int rc; // Can't initialize without causing warning -Wclobbered
2471 if (previously_encrypted_upto > *size_already_done) {
2472 SLOGD("Not fast encrypting since resuming part way through");
2476 memset(&data, 0, sizeof(data));
2477 data.real_blkdev = real_blkdev;
2478 data.crypto_blkdev = crypto_blkdev;
2480 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2481 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2482 real_blkdev, errno, strerror(errno));
2487 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2488 int retries = RETRY_MOUNT_ATTEMPTS;
2489 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2491 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2492 crypto_blkdev, errno, strerror(errno));
2493 sleep(RETRY_MOUNT_DELAY_SECONDS);
2495 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2496 crypto_blkdev, errno, strerror(errno));
2497 rc = ENABLE_INPLACE_ERR_DEV;
2502 if (setjmp(setjmp_env)) {
2503 SLOGE("Reading ext4 extent caused an exception\n");
2508 if (read_ext(data.realfd, 0) != 0) {
2509 SLOGE("Failed to read ext4 extent\n");
2514 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2515 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2516 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2518 SLOGI("Encrypting ext4 filesystem in place...");
2520 data.tot_used_blocks = data.numblocks;
2521 for (i = 0; i < aux_info.groups; ++i) {
2522 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2525 data.one_pct = data.tot_used_blocks / 100;
2528 struct timespec time_started = {0};
2529 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2530 SLOGW("Error getting time at start");
2531 // Note - continue anyway - we'll run with 0
2533 data.time_started = time_started.tv_sec;
2534 data.remaining_time = -1;
2536 rc = encrypt_groups(&data);
2538 SLOGE("Error encrypting groups");
2542 *size_already_done += data.completed ? size : data.last_written_sector;
2547 close(data.cryptofd);
2552 static void log_progress_f2fs(u64 block, bool completed)
2554 // Precondition - if completed data = 0 else data != 0
2556 // Track progress so we can skip logging blocks
2557 static u64 last_block = (u64)-1;
2559 // Need to close existing 'Encrypting from' log?
2560 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2561 SLOGI("Encrypted to block %" PRId64, last_block);
2565 // Need to start new 'Encrypting from' log?
2566 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2567 SLOGI("Encrypting from block %" PRId64, block);
2576 static int encrypt_one_block_f2fs(u64 pos, void *data)
2578 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2580 priv_dat->blocks_already_done = pos - 1;
2581 update_progress(priv_dat, 1);
2583 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2585 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2586 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2590 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2591 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2594 log_progress_f2fs(pos, false);
2600 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2603 off64_t *size_already_done,
2605 off64_t previously_encrypted_upto)
2607 struct encryptGroupsData data;
2608 struct f2fs_info *f2fs_info = NULL;
2609 int rc = ENABLE_INPLACE_ERR_OTHER;
2610 if (previously_encrypted_upto > *size_already_done) {
2611 SLOGD("Not fast encrypting since resuming part way through");
2612 return ENABLE_INPLACE_ERR_OTHER;
2614 memset(&data, 0, sizeof(data));
2615 data.real_blkdev = real_blkdev;
2616 data.crypto_blkdev = crypto_blkdev;
2619 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2620 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2624 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2625 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2626 crypto_blkdev, errno, strerror(errno));
2627 rc = ENABLE_INPLACE_ERR_DEV;
2631 f2fs_info = generate_f2fs_info(data.realfd);
2635 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2636 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2637 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2639 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2641 data.one_pct = data.tot_used_blocks / 100;
2643 data.time_started = time(NULL);
2644 data.remaining_time = -1;
2646 data.buffer = malloc(f2fs_info->block_size);
2648 SLOGE("Failed to allocate crypto buffer");
2654 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2655 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2658 SLOGE("Error in running over f2fs blocks");
2659 rc = ENABLE_INPLACE_ERR_OTHER;
2663 *size_already_done += size;
2668 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2670 log_progress_f2fs(0, true);
2674 close(data.cryptofd);
2679 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2680 off64_t size, off64_t *size_already_done,
2682 off64_t previously_encrypted_upto)
2684 int realfd, cryptofd;
2685 char *buf[CRYPT_INPLACE_BUFSIZE];
2686 int rc = ENABLE_INPLACE_ERR_OTHER;
2687 off64_t numblocks, i, remainder;
2688 off64_t one_pct, cur_pct, new_pct;
2689 off64_t blocks_already_done, tot_numblocks;
2691 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2692 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2693 return ENABLE_INPLACE_ERR_OTHER;
2696 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2697 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2698 crypto_blkdev, errno, strerror(errno));
2700 return ENABLE_INPLACE_ERR_DEV;
2703 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2704 * The size passed in is the number of 512 byte sectors in the filesystem.
2705 * So compute the number of whole 4K blocks we should read/write,
2706 * and the remainder.
2708 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2709 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2710 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2711 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2713 SLOGE("Encrypting filesystem in place...");
2715 i = previously_encrypted_upto + 1 - *size_already_done;
2717 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2718 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2722 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2723 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2727 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2728 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2729 SLOGE("Error reading initial sectors from real_blkdev %s for "
2730 "inplace encrypt\n", crypto_blkdev);
2733 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2734 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2735 "inplace encrypt\n", crypto_blkdev);
2738 SLOGI("Encrypted 1 block at %" PRId64, i);
2742 one_pct = tot_numblocks / 100;
2744 /* process the majority of the filesystem in blocks */
2745 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2746 new_pct = (i + blocks_already_done) / one_pct;
2747 if (new_pct > cur_pct) {
2751 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2752 property_set("vold.encrypt_progress", buf);
2754 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2755 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2758 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2759 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2762 SLOGD("Encrypted %d block at %" PRId64,
2763 CRYPT_SECTORS_PER_BUFSIZE,
2764 i * CRYPT_SECTORS_PER_BUFSIZE);
2767 if (!is_battery_ok_to_continue()) {
2768 SLOGE("Stopping encryption due to low battery");
2769 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2775 /* Do any remaining sectors */
2776 for (i=0; i<remainder; i++) {
2777 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2778 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2781 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2782 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2785 SLOGI("Encrypted 1 block at next location");
2789 *size_already_done += size;
2799 /* returns on of the ENABLE_INPLACE_* return codes */
2800 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2801 off64_t size, off64_t *size_already_done,
2803 off64_t previously_encrypted_upto)
2805 int rc_ext4, rc_f2fs, rc_full;
2806 if (previously_encrypted_upto) {
2807 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2810 if (*size_already_done + size < previously_encrypted_upto) {
2811 *size_already_done += size;
2815 /* TODO: identify filesystem type.
2816 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2817 * then we will drop down to cryptfs_enable_inplace_f2fs.
2819 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2820 size, size_already_done,
2821 tot_size, previously_encrypted_upto)) == 0) {
2824 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2826 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2827 size, size_already_done,
2828 tot_size, previously_encrypted_upto)) == 0) {
2831 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2833 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2834 size, size_already_done, tot_size,
2835 previously_encrypted_upto);
2836 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2838 /* Hack for b/17898962, the following is the symptom... */
2839 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2840 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2841 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2842 return ENABLE_INPLACE_ERR_DEV;
2847 #define CRYPTO_ENABLE_WIPE 1
2848 #define CRYPTO_ENABLE_INPLACE 2
2850 #define FRAMEWORK_BOOT_WAIT 60
2852 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2854 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2856 SLOGE("Error opening file %s", filename);
2860 char block[CRYPT_INPLACE_BUFSIZE];
2861 memset(block, 0, sizeof(block));
2862 if (unix_read(fd, block, sizeof(block)) < 0) {
2863 SLOGE("Error reading file %s", filename);
2872 SHA256_Update(&c, block, sizeof(block));
2873 SHA256_Final(buf, &c);
2878 static int get_fs_type(struct fstab_rec *rec)
2880 if (!strcmp(rec->fs_type, "ext4")) {
2882 } else if (!strcmp(rec->fs_type, "f2fs")) {
2889 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2890 char *crypto_blkdev, char *real_blkdev,
2891 int previously_encrypted_upto)
2893 off64_t cur_encryption_done=0, tot_encryption_size=0;
2896 if (!is_battery_ok_to_start()) {
2897 SLOGW("Not starting encryption due to low battery");
2901 /* The size of the userdata partition, and add in the vold volumes below */
2902 tot_encryption_size = crypt_ftr->fs_size;
2904 if (how == CRYPTO_ENABLE_WIPE) {
2905 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2906 int fs_type = get_fs_type(rec);
2908 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2911 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2912 } else if (how == CRYPTO_ENABLE_INPLACE) {
2913 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2914 crypt_ftr->fs_size, &cur_encryption_done,
2915 tot_encryption_size,
2916 previously_encrypted_upto);
2918 if (rc == ENABLE_INPLACE_ERR_DEV) {
2919 /* Hack for b/17898962 */
2920 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2921 cryptfs_reboot(reboot);
2925 crypt_ftr->encrypted_upto = cur_encryption_done;
2928 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2929 /* The inplace routine never actually sets the progress to 100% due
2930 * to the round down nature of integer division, so set it here */
2931 property_set("vold.encrypt_progress", "100");
2934 /* Shouldn't happen */
2935 SLOGE("cryptfs_enable: internal error, unknown option\n");
2942 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2946 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2947 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2949 struct crypt_mnt_ftr crypt_ftr;
2950 struct crypt_persist_data *pdata;
2951 char encrypted_state[PROPERTY_VALUE_MAX];
2952 char lockid[32] = { 0 };
2953 char key_loc[PROPERTY_VALUE_MAX];
2955 off64_t previously_encrypted_upto = 0;
2956 bool rebootEncryption = false;
2958 if (!strcmp(howarg, "wipe")) {
2959 how = CRYPTO_ENABLE_WIPE;
2960 } else if (! strcmp(howarg, "inplace")) {
2961 how = CRYPTO_ENABLE_INPLACE;
2963 /* Shouldn't happen, as CommandListener vets the args */
2964 goto error_unencrypted;
2967 if (how == CRYPTO_ENABLE_INPLACE
2968 && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2969 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2970 /* An encryption was underway and was interrupted */
2971 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2972 crypt_ftr.encrypted_upto = 0;
2973 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2975 /* At this point, we are in an inconsistent state. Until we successfully
2976 complete encryption, a reboot will leave us broken. So mark the
2977 encryption failed in case that happens.
2978 On successfully completing encryption, remove this flag */
2979 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2981 put_crypt_ftr_and_key(&crypt_ftr);
2982 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2983 if (!check_ftr_sha(&crypt_ftr)) {
2984 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2985 put_crypt_ftr_and_key(&crypt_ftr);
2986 goto error_unencrypted;
2989 /* Doing a reboot-encryption*/
2990 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2991 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2992 rebootEncryption = true;
2996 property_get("ro.crypto.state", encrypted_state, "");
2997 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2998 SLOGE("Device is already running encrypted, aborting");
2999 goto error_unencrypted;
3002 // TODO refactor fs_mgr_get_crypt_info to get both in one call
3003 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
3004 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
3006 /* Get the size of the real block device */
3007 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
3009 SLOGE("Cannot open block device %s\n", real_blkdev);
3010 goto error_unencrypted;
3012 unsigned long nr_sec;
3013 get_blkdev_size(fd, &nr_sec);
3015 SLOGE("Cannot get size of block device %s\n", real_blkdev);
3016 goto error_unencrypted;
3020 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
3021 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
3022 unsigned int fs_size_sec, max_fs_size_sec;
3023 fs_size_sec = get_fs_size(real_blkdev);
3024 if (fs_size_sec == 0)
3025 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
3027 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3029 if (fs_size_sec > max_fs_size_sec) {
3030 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
3031 goto error_unencrypted;
3035 /* Get a wakelock as this may take a while, and we don't want the
3036 * device to sleep on us. We'll grab a partial wakelock, and if the UI
3037 * wants to keep the screen on, it can grab a full wakelock.
3039 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3040 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3042 /* The init files are setup to stop the class main and late start when
3043 * vold sets trigger_shutdown_framework.
3045 property_set("vold.decrypt", "trigger_shutdown_framework");
3046 SLOGD("Just asked init to shut down class main\n");
3048 /* Ask vold to unmount all devices that it manages */
3049 if (vold_unmountAll()) {
3050 SLOGE("Failed to unmount all vold managed devices");
3053 /* no_ui means we are being called from init, not settings.
3054 Now we always reboot from settings, so !no_ui means reboot
3056 bool onlyCreateHeader = false;
3058 /* Try fallback, which is to reboot and try there */
3059 onlyCreateHeader = true;
3060 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
3061 if (breadcrumb == 0) {
3062 SLOGE("Failed to create breadcrumb file");
3063 goto error_shutting_down;
3068 /* Do extra work for a better UX when doing the long inplace encryption */
3069 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
3070 /* Now that /data is unmounted, we need to mount a tmpfs
3071 * /data, set a property saying we're doing inplace encryption,
3072 * and restart the framework.
3074 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3075 goto error_shutting_down;
3077 /* Tells the framework that inplace encryption is starting */
3078 property_set("vold.encrypt_progress", "0");
3080 /* restart the framework. */
3081 /* Create necessary paths on /data */
3082 if (prep_data_fs()) {
3083 goto error_shutting_down;
3086 /* Ugh, shutting down the framework is not synchronous, so until it
3087 * can be fixed, this horrible hack will wait a moment for it all to
3088 * shut down before proceeding. Without it, some devices cannot
3089 * restart the graphics services.
3094 /* Start the actual work of making an encrypted filesystem */
3095 /* Initialize a crypt_mnt_ftr for the partition */
3096 if (previously_encrypted_upto == 0 && !rebootEncryption) {
3097 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3098 goto error_shutting_down;
3101 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3102 crypt_ftr.fs_size = nr_sec
3103 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3105 crypt_ftr.fs_size = nr_sec;
3107 /* At this point, we are in an inconsistent state. Until we successfully
3108 complete encryption, a reboot will leave us broken. So mark the
3109 encryption failed in case that happens.
3110 On successfully completing encryption, remove this flag */
3111 if (onlyCreateHeader) {
3112 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
3114 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3116 crypt_ftr.crypt_type = crypt_type;
3117 #ifndef CONFIG_HW_DISK_ENCRYPTION
3118 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3120 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3122 rc = clear_hw_device_encryption_key();
3124 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3127 rc = set_hw_device_encryption_key(passwd,
3128 (char*) crypt_ftr.crypto_type_name);
3130 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3131 goto error_shutting_down;
3135 /* Make an encrypted master key */
3136 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
3137 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3138 SLOGE("Cannot create encrypted master key\n");
3139 goto error_shutting_down;
3142 /* Replace scrypted intermediate key if we are preparing for a reboot */
3143 if (onlyCreateHeader) {
3144 unsigned char fake_master_key[KEY_LEN_BYTES];
3145 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
3146 memset(fake_master_key, 0, sizeof(fake_master_key));
3147 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
3148 encrypted_fake_master_key, &crypt_ftr);
3151 /* Write the key to the end of the partition */
3152 put_crypt_ftr_and_key(&crypt_ftr);
3154 /* If any persistent data has been remembered, save it.
3155 * If none, create a valid empty table and save that.
3157 if (!persist_data) {
3158 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3160 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3161 persist_data = pdata;
3165 save_persistent_data();
3169 if (onlyCreateHeader) {
3171 cryptfs_reboot(reboot);
3174 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
3175 /* startup service classes main and late_start */
3176 property_set("vold.decrypt", "trigger_restart_min_framework");
3177 SLOGD("Just triggered restart_min_framework\n");
3179 /* OK, the framework is restarted and will soon be showing a
3180 * progress bar. Time to setup an encrypted mapping, and
3181 * either write a new filesystem, or encrypt in place updating
3182 * the progress bar as we work.
3186 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3187 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3188 CRYPTO_BLOCK_DEVICE);
3190 /* If we are continuing, check checksums match */
3192 if (previously_encrypted_upto) {
3193 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3194 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3196 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3197 sizeof(hash_first_block)) != 0) {
3198 SLOGE("Checksums do not match - trigger wipe");
3204 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3205 crypto_blkdev, real_blkdev,
3206 previously_encrypted_upto);
3209 /* Calculate checksum if we are not finished */
3210 if (!rc && how == CRYPTO_ENABLE_INPLACE
3211 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3212 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3213 crypt_ftr.hash_first_block);
3215 SLOGE("Error calculating checksum for continuing encryption");
3220 /* Undo the dm-crypt mapping whether we succeed or not */
3221 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
3225 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3227 if (how == CRYPTO_ENABLE_INPLACE
3228 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3229 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3230 crypt_ftr.encrypted_upto);
3231 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3234 put_crypt_ftr_and_key(&crypt_ftr);
3236 if (how == CRYPTO_ENABLE_WIPE
3237 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3238 char value[PROPERTY_VALUE_MAX];
3239 property_get("ro.crypto.state", value, "");
3240 if (!strcmp(value, "")) {
3241 /* default encryption - continue first boot sequence */
3242 property_set("ro.crypto.state", "encrypted");
3243 property_set("ro.crypto.type", "block");
3244 release_wake_lock(lockid);
3245 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
3246 // Bring up cryptkeeper that will check the password and set it
3247 property_set("vold.decrypt", "trigger_shutdown_framework");
3249 property_set("vold.encrypt_progress", "");
3250 cryptfs_trigger_restart_min_framework();
3252 cryptfs_check_passwd(DEFAULT_PASSWORD);
3253 cryptfs_restart_internal(1);
3257 sleep(2); /* Give the UI a chance to show 100% progress */
3258 cryptfs_reboot(reboot);
3261 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3262 cryptfs_reboot(shutdown);
3265 char value[PROPERTY_VALUE_MAX];
3267 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3268 if (!strcmp(value, "1")) {
3269 /* wipe data if encryption failed */
3270 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3271 if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) {
3272 SLOGE("could not write bootloader message\n");
3274 cryptfs_reboot(recovery);
3276 /* set property to trigger dialog */
3277 property_set("vold.encrypt_progress", "error_partially_encrypted");
3278 release_wake_lock(lockid);
3283 /* hrm, the encrypt step claims success, but the reboot failed.
3284 * This should not happen.
3285 * Set the property and return. Hope the framework can deal with it.
3287 property_set("vold.encrypt_progress", "error_reboot_failed");
3288 release_wake_lock(lockid);
3292 property_set("vold.encrypt_progress", "error_not_encrypted");
3294 release_wake_lock(lockid);
3298 error_shutting_down:
3299 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3300 * but the framework is stopped and not restarted to show the error, so it's up to
3301 * vold to restart the system.
3303 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3304 cryptfs_reboot(reboot);
3306 /* shouldn't get here */
3307 property_set("vold.encrypt_progress", "error_shutting_down");
3309 release_wake_lock(lockid);
3314 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3316 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3319 int cryptfs_enable_default(char *howarg, int no_ui)
3321 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3322 DEFAULT_PASSWORD, no_ui);
3325 int cryptfs_changepw(int crypt_type, const char *newpw)
3327 if (e4crypt_is_native()) {
3328 SLOGE("cryptfs_changepw not valid for file encryption");
3332 struct crypt_mnt_ftr crypt_ftr;
3335 /* This is only allowed after we've successfully decrypted the master key */
3336 if (!master_key_saved) {
3337 SLOGE("Key not saved, aborting");
3341 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3342 SLOGE("Invalid crypt_type %d", crypt_type);
3347 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3348 SLOGE("Error getting crypt footer and key");
3352 crypt_ftr.crypt_type = crypt_type;
3354 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3358 crypt_ftr.master_key,
3361 SLOGE("Encrypt master key failed: %d", rc);
3365 put_crypt_ftr_and_key(&crypt_ftr);
3367 #ifdef CONFIG_HW_DISK_ENCRYPTION
3368 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3369 if (crypt_type == CRYPT_TYPE_DEFAULT) {
3370 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3371 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3375 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3376 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3385 static unsigned int persist_get_max_entries(int encrypted) {
3386 struct crypt_mnt_ftr crypt_ftr;
3388 unsigned int max_persistent_entries;
3390 /* If encrypted, use the values from the crypt_ftr, otherwise
3391 * use the values for the current spec.
3394 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3397 dsize = crypt_ftr.persist_data_size;
3399 dsize = CRYPT_PERSIST_DATA_SIZE;
3402 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3403 sizeof(struct crypt_persist_entry);
3405 return max_persistent_entries;
3408 static int persist_get_key(const char *fieldname, char *value)
3412 if (persist_data == NULL) {
3415 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3416 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3418 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3426 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3430 unsigned int max_persistent_entries;
3432 if (persist_data == NULL) {
3436 max_persistent_entries = persist_get_max_entries(encrypted);
3438 num = persist_data->persist_valid_entries;
3440 for (i = 0; i < num; i++) {
3441 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3442 /* We found an existing entry, update it! */
3443 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3444 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3449 /* We didn't find it, add it to the end, if there is room */
3450 if (persist_data->persist_valid_entries < max_persistent_entries) {
3451 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3452 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3453 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3454 persist_data->persist_valid_entries++;
3462 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3463 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3465 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3466 unsigned int field_len;
3467 unsigned int key_index;
3468 field_len = strlen(field);
3471 // The first key in a multi-entry field is just the filedname itself.
3472 if (!strcmp(key, field)) {
3476 // Match key against "%s_%d" % (field, index)
3477 if (strlen(key) < field_len + 1 + 1) {
3478 // Need at least a '_' and a digit.
3481 if (strncmp(key, field, field_len)) {
3482 // If the key does not begin with field, it's not a match.
3485 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3488 return key_index >= index;
3492 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3493 * remaining entries starting from index will be deleted.
3494 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3495 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3496 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3499 static int persist_del_keys(const char *fieldname, unsigned index)
3505 if (persist_data == NULL) {
3506 return PERSIST_DEL_KEY_ERROR_OTHER;
3509 num = persist_data->persist_valid_entries;
3511 j = 0; // points to the end of non-deleted entries.
3512 // Filter out to-be-deleted entries in place.
3513 for (i = 0; i < num; i++) {
3514 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3515 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3521 persist_data->persist_valid_entries = j;
3522 // Zeroise the remaining entries
3523 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3524 return PERSIST_DEL_KEY_OK;
3526 // Did not find an entry matching the given fieldname
3527 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3531 static int persist_count_keys(const char *fieldname)
3536 if (persist_data == NULL) {
3541 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3542 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3550 /* Return the value of the specified field. */
3551 int cryptfs_getfield(const char *fieldname, char *value, int len)
3553 if (e4crypt_is_native()) {
3554 SLOGE("Cannot get field when file encrypted");
3558 char temp_value[PROPERTY_VALUE_MAX];
3559 /* CRYPTO_GETFIELD_OK is success,
3560 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3561 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3562 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3564 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3566 char temp_field[PROPERTY_KEY_MAX];
3568 if (persist_data == NULL) {
3569 load_persistent_data();
3570 if (persist_data == NULL) {
3571 SLOGE("Getfield error, cannot load persistent data");
3576 // Read value from persistent entries. If the original value is split into multiple entries,
3577 // stitch them back together.
3578 if (!persist_get_key(fieldname, temp_value)) {
3579 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3580 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3582 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3585 rc = CRYPTO_GETFIELD_OK;
3587 for (i = 1; /* break explicitly */; i++) {
3588 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3589 (int) sizeof(temp_field)) {
3590 // If the fieldname is very long, we stop as soon as it begins to overflow the
3591 // maximum field length. At this point we have in fact fully read out the original
3592 // value because cryptfs_setfield would not allow fields with longer names to be
3593 // written in the first place.
3596 if (!persist_get_key(temp_field, temp_value)) {
3597 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3599 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3603 // Exhaust all entries.
3608 /* Sadness, it's not there. Return the error */
3609 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3616 /* Set the value of the specified field. */
3617 int cryptfs_setfield(const char *fieldname, const char *value)
3619 if (e4crypt_is_native()) {
3620 SLOGE("Cannot set field when file encrypted");
3624 char encrypted_state[PROPERTY_VALUE_MAX];
3625 /* 0 is success, negative values are error */
3626 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3628 unsigned int field_id;
3629 char temp_field[PROPERTY_KEY_MAX];
3630 unsigned int num_entries;
3631 unsigned int max_keylen;
3633 if (persist_data == NULL) {
3634 load_persistent_data();
3635 if (persist_data == NULL) {
3636 SLOGE("Setfield error, cannot load persistent data");
3641 property_get("ro.crypto.state", encrypted_state, "");
3642 if (!strcmp(encrypted_state, "encrypted") ) {
3646 // Compute the number of entries required to store value, each entry can store up to
3647 // (PROPERTY_VALUE_MAX - 1) chars
3648 if (strlen(value) == 0) {
3649 // Empty value also needs one entry to store.
3652 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3655 max_keylen = strlen(fieldname);
3656 if (num_entries > 1) {
3657 // Need an extra "_%d" suffix.
3658 max_keylen += 1 + log10(num_entries);
3660 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3661 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3665 // Make sure we have enough space to write the new value
3666 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3667 persist_get_max_entries(encrypted)) {
3668 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3672 // Now that we know persist_data has enough space for value, let's delete the old field first
3673 // to make up space.
3674 persist_del_keys(fieldname, 0);
3676 if (persist_set_key(fieldname, value, encrypted)) {
3677 // fail to set key, should not happen as we have already checked the available space
3678 SLOGE("persist_set_key() error during setfield()");
3682 for (field_id = 1; field_id < num_entries; field_id++) {
3683 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3685 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3686 // fail to set key, should not happen as we have already checked the available space.
3687 SLOGE("persist_set_key() error during setfield()");
3692 /* If we are running encrypted, save the persistent data now */
3694 if (save_persistent_data()) {
3695 SLOGE("Setfield error, cannot save persistent data");
3700 rc = CRYPTO_SETFIELD_OK;
3706 /* Checks userdata. Attempt to mount the volume if default-
3708 * On success trigger next init phase and return 0.
3709 * Currently do not handle failure - see TODO below.
3711 int cryptfs_mount_default_encrypted(void)
3713 int crypt_type = cryptfs_get_password_type();
3714 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3715 SLOGE("Bad crypt type - error");
3716 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3717 SLOGD("Password is not default - "
3718 "starting min framework to prompt");
3719 property_set("vold.decrypt", "trigger_restart_min_framework");
3721 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3722 SLOGD("Password is default - restarting filesystem");
3723 cryptfs_restart_internal(0);
3726 SLOGE("Encrypted, default crypt type but can't decrypt");
3729 /** Corrupt. Allow us to boot into framework, which will detect bad
3730 crypto when it calls do_crypto_complete, then do a factory reset
3732 property_set("vold.decrypt", "trigger_restart_min_framework");
3736 /* Returns type of the password, default, pattern, pin or password.
3738 int cryptfs_get_password_type(void)
3740 if (e4crypt_is_native()) {
3741 SLOGE("cryptfs_get_password_type not valid for file encryption");
3745 struct crypt_mnt_ftr crypt_ftr;
3747 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3748 SLOGE("Error getting crypt footer and key\n");
3752 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3756 return crypt_ftr.crypt_type;
3759 const char* cryptfs_get_password()
3761 if (e4crypt_is_native()) {
3762 SLOGE("cryptfs_get_password not valid for file encryption");
3766 struct timespec now;
3767 clock_gettime(CLOCK_BOOTTIME, &now);
3768 if (now.tv_sec < password_expiry_time) {
3771 cryptfs_clear_password();
3776 void cryptfs_clear_password()
3779 size_t len = strlen(password);
3780 memset(password, 0, len);
3783 password_expiry_time = 0;
3787 int cryptfs_enable_file()
3789 return e4crypt_initialize_global_de();
3792 int cryptfs_isConvertibleToFBE()
3794 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3795 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3798 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3800 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3801 SLOGE("Failed to initialize crypt_ftr");
3805 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3806 crypt_ftr->salt, crypt_ftr)) {
3807 SLOGE("Cannot create encrypted master key\n");
3811 //crypt_ftr->keysize = key_length / 8;
3815 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3816 unsigned char* master_key)
3820 unsigned char* intermediate_key = 0;
3821 size_t intermediate_key_size = 0;
3823 if (password == 0 || *password == 0) {
3824 password = DEFAULT_PASSWORD;
3827 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3828 &intermediate_key_size);
3831 SLOGE("Can't calculate intermediate key");
3835 int N = 1 << ftr->N_factor;
3836 int r = 1 << ftr->r_factor;
3837 int p = 1 << ftr->p_factor;
3839 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3841 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3842 ftr->salt, sizeof(ftr->salt), N, r, p,
3843 scrypted_intermediate_key,
3844 sizeof(scrypted_intermediate_key));
3846 free(intermediate_key);
3849 SLOGE("Can't scrypt intermediate key");
3853 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3854 intermediate_key_size);
3857 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3858 const unsigned char* master_key)
3860 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,