2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
41 #include <ext4_utils/ext4.h>
42 #include <ext4_utils/ext4_utils.h>
43 #include <linux/kdev_t.h>
47 #include <selinux/selinux.h>
49 #include "secontext.h"
50 #define LOG_TAG "Cryptfs"
51 #include "cutils/log.h"
52 #include "cutils/properties.h"
53 #include "cutils/android_reboot.h"
54 #include "hardware_legacy/power.h"
55 #include <logwrap/logwrap.h>
56 #include "ScryptParameters.h"
57 #include "VolumeManager.h"
59 #include "crypto_scrypt.h"
60 #include "Ext4Crypt.h"
61 #include "f2fs_sparseblock.h"
62 #include "CheckBattery.h"
64 #include "Keymaster.h"
66 #include <bootloader_message/bootloader_message.h>
68 #define UNUSED __attribute__((unused))
70 #define DM_CRYPT_BUF_SIZE 4096
72 #define HASH_COUNT 2000
73 #define KEY_LEN_BYTES 16
74 #define IV_LEN_BYTES 16
76 #define KEY_IN_FOOTER "footer"
78 #define DEFAULT_PASSWORD "default_password"
80 #define CRYPTO_BLOCK_DEVICE "userdata"
82 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
87 #define TABLE_LOAD_RETRIES 10
89 #define RSA_KEY_SIZE 2048
90 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
91 #define RSA_EXPONENT 0x10001
92 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
94 #define RETRY_MOUNT_ATTEMPTS 10
95 #define RETRY_MOUNT_DELAY_SECONDS 1
99 static unsigned char saved_master_key[KEY_LEN_BYTES];
100 static char *saved_mount_point;
101 static int master_key_saved = 0;
102 static struct crypt_persist_data *persist_data = NULL;
104 /* Should we use keymaster? */
105 static int keymaster_check_compatibility()
107 return keymaster_compatibility_cryptfs_scrypt();
110 /* Create a new keymaster key and store it in this footer */
111 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
113 if (ftr->keymaster_blob_size) {
114 SLOGI("Already have key");
118 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
119 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
120 &ftr->keymaster_blob_size);
122 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
123 SLOGE("Keymaster key blob to large)");
124 ftr->keymaster_blob_size = 0;
126 SLOGE("Failed to generate keypair");
132 /* This signs the given object using the keymaster key. */
133 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
134 const unsigned char *object,
135 const size_t object_size,
136 unsigned char **signature,
137 size_t *signature_size)
139 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
140 size_t to_sign_size = sizeof(to_sign);
141 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
143 // To sign a message with RSA, the message must satisfy two
146 // 1. The message, when interpreted as a big-endian numeric value, must
147 // be strictly less than the public modulus of the RSA key. Note
148 // that because the most significant bit of the public modulus is
149 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
150 // key), an n-bit message with most significant bit 0 always
151 // satisfies this requirement.
153 // 2. The message must have the same length in bits as the public
154 // modulus of the RSA key. This requirement isn't mathematically
155 // necessary, but is necessary to ensure consistency in
157 switch (ftr->kdf_type) {
158 case KDF_SCRYPT_KEYMASTER:
159 // This ensures the most significant byte of the signed message
160 // is zero. We could have zero-padded to the left instead, but
161 // this approach is slightly more robust against changes in
162 // object size. However, it's still broken (but not unusably
163 // so) because we really should be using a proper deterministic
164 // RSA padding function, such as PKCS1.
165 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
166 SLOGI("Signing safely-padded object");
169 SLOGE("Unknown KDF type %d", ftr->kdf_type);
172 return keymaster_sign_object_for_cryptfs_scrypt(ftr->keymaster_blob, ftr->keymaster_blob_size,
173 KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size);
176 /* Store password when userdata is successfully decrypted and mounted.
177 * Cleared by cryptfs_clear_password
179 * To avoid a double prompt at boot, we need to store the CryptKeeper
180 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
181 * Since the entire framework is torn down and rebuilt after encryption,
182 * we have to use a daemon or similar to store the password. Since vold
183 * is secured against IPC except from system processes, it seems a reasonable
184 * place to store this.
186 * password should be cleared once it has been used.
188 * password is aged out after password_max_age_seconds seconds.
190 static char* password = 0;
191 static int password_expiry_time = 0;
192 static const int password_max_age_seconds = 60;
194 extern struct fstab *fstab;
196 enum RebootType {reboot, recovery, shutdown};
197 static void cryptfs_reboot(enum RebootType rt)
201 property_set(ANDROID_RB_PROPERTY, "reboot");
205 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
209 property_set(ANDROID_RB_PROPERTY, "shutdown");
215 /* Shouldn't get here, reboot should happen before sleep times out */
219 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
221 memset(io, 0, dataSize);
222 io->data_size = dataSize;
223 io->data_start = sizeof(struct dm_ioctl);
229 strlcpy(io->name, name, sizeof(io->name));
234 * Gets the default device scrypt parameters for key derivation time tuning.
235 * The parameters should lead to about one second derivation time for the
238 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
239 char paramstr[PROPERTY_VALUE_MAX];
242 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
243 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
244 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
245 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
252 static unsigned int get_fs_size(char *dev)
255 struct ext4_super_block sb;
258 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
259 SLOGE("Cannot open device to get filesystem size ");
263 if (lseek64(fd, 1024, SEEK_SET) < 0) {
264 SLOGE("Cannot seek to superblock");
268 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
269 SLOGE("Cannot read superblock");
275 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
276 SLOGE("Not a valid ext4 superblock");
279 block_size = 1024 << sb.s_log_block_size;
280 /* compute length in bytes */
281 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
283 /* return length in sectors */
284 return (unsigned int) (len / 512);
287 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
289 static int cached_data = 0;
290 static off64_t cached_off = 0;
291 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
293 char key_loc[PROPERTY_VALUE_MAX];
294 char real_blkdev[PROPERTY_VALUE_MAX];
298 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
300 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
301 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
302 SLOGE("Cannot open real block device %s\n", real_blkdev);
306 unsigned long nr_sec = 0;
307 get_blkdev_size(fd, &nr_sec);
309 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
310 * encryption info footer and key, and plenty of bytes to spare for future
313 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
314 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
317 SLOGE("Cannot get size of block device %s\n", real_blkdev);
321 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
328 if (metadata_fname) {
329 *metadata_fname = cached_metadata_fname;
340 /* Set sha256 checksum in structure */
341 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
345 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
346 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
347 SHA256_Final(crypt_ftr->sha256, &c);
350 /* key or salt can be NULL, in which case just skip writing that value. Useful to
351 * update the failed mount count but not change the key.
353 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
357 /* starting_off is set to the SEEK_SET offset
358 * where the crypto structure starts
360 off64_t starting_off;
365 set_ftr_sha(crypt_ftr);
367 if (get_crypt_ftr_info(&fname, &starting_off)) {
368 SLOGE("Unable to get crypt_ftr_info\n");
371 if (fname[0] != '/') {
372 SLOGE("Unexpected value for crypto key location\n");
375 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
376 SLOGE("Cannot open footer file %s for put\n", fname);
380 /* Seek to the start of the crypt footer */
381 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
382 SLOGE("Cannot seek to real block device footer\n");
386 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
387 SLOGE("Cannot write real block device footer\n");
392 /* If the keys are kept on a raw block device, do not try to truncate it. */
393 if (S_ISREG(statbuf.st_mode)) {
394 if (ftruncate(fd, 0x4000)) {
395 SLOGE("Cannot set footer file size\n");
409 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
411 struct crypt_mnt_ftr copy;
412 memcpy(©, crypt_ftr, sizeof(copy));
414 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
417 static inline int unix_read(int fd, void* buff, int len)
419 return TEMP_FAILURE_RETRY(read(fd, buff, len));
422 static inline int unix_write(int fd, const void* buff, int len)
424 return TEMP_FAILURE_RETRY(write(fd, buff, len));
427 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
429 memset(pdata, 0, len);
430 pdata->persist_magic = PERSIST_DATA_MAGIC;
431 pdata->persist_valid_entries = 0;
434 /* A routine to update the passed in crypt_ftr to the lastest version.
435 * fd is open read/write on the device that holds the crypto footer and persistent
436 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
437 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
439 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
441 int orig_major = crypt_ftr->major_version;
442 int orig_minor = crypt_ftr->minor_version;
444 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
445 struct crypt_persist_data *pdata;
446 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
448 SLOGW("upgrading crypto footer to 1.1");
450 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
452 SLOGE("Cannot allocate persisent data\n");
455 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
457 /* Need to initialize the persistent data area */
458 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
459 SLOGE("Cannot seek to persisent data offset\n");
463 /* Write all zeros to the first copy, making it invalid */
464 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
466 /* Write a valid but empty structure to the second copy */
467 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
468 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
470 /* Update the footer */
471 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
472 crypt_ftr->persist_data_offset[0] = pdata_offset;
473 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
474 crypt_ftr->minor_version = 1;
478 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
479 SLOGW("upgrading crypto footer to 1.2");
480 /* But keep the old kdf_type.
481 * It will get updated later to KDF_SCRYPT after the password has been verified.
483 crypt_ftr->kdf_type = KDF_PBKDF2;
484 get_device_scrypt_params(crypt_ftr);
485 crypt_ftr->minor_version = 2;
488 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
489 SLOGW("upgrading crypto footer to 1.3");
490 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
491 crypt_ftr->minor_version = 3;
494 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
495 if (lseek64(fd, offset, SEEK_SET) == -1) {
496 SLOGE("Cannot seek to crypt footer\n");
499 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
504 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
508 off64_t starting_off;
513 if (get_crypt_ftr_info(&fname, &starting_off)) {
514 SLOGE("Unable to get crypt_ftr_info\n");
517 if (fname[0] != '/') {
518 SLOGE("Unexpected value for crypto key location\n");
521 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
522 SLOGE("Cannot open footer file %s for get\n", fname);
526 /* Make sure it's 16 Kbytes in length */
528 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
529 SLOGE("footer file %s is not the expected size!\n", fname);
533 /* Seek to the start of the crypt footer */
534 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
535 SLOGE("Cannot seek to real block device footer\n");
539 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
540 SLOGE("Cannot read real block device footer\n");
544 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
545 SLOGE("Bad magic for real block device %s\n", fname);
549 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
550 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
551 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
555 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
556 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
557 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
560 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
561 * copy on disk before returning.
563 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
564 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
575 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
577 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
578 crypt_ftr->persist_data_offset[1]) {
579 SLOGE("Crypt_ftr persist data regions overlap");
583 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
584 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
588 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
589 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
590 CRYPT_FOOTER_OFFSET) {
591 SLOGE("Persistent data extends past crypto footer");
598 static int load_persistent_data(void)
600 struct crypt_mnt_ftr crypt_ftr;
601 struct crypt_persist_data *pdata = NULL;
602 char encrypted_state[PROPERTY_VALUE_MAX];
610 /* Nothing to do, we've already loaded or initialized it */
615 /* If not encrypted, just allocate an empty table and initialize it */
616 property_get("ro.crypto.state", encrypted_state, "");
617 if (strcmp(encrypted_state, "encrypted") ) {
618 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
620 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
621 persist_data = pdata;
627 if(get_crypt_ftr_and_key(&crypt_ftr)) {
631 if ((crypt_ftr.major_version < 1)
632 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
633 SLOGE("Crypt_ftr version doesn't support persistent data");
637 if (get_crypt_ftr_info(&fname, NULL)) {
641 ret = validate_persistent_data_storage(&crypt_ftr);
646 fd = open(fname, O_RDONLY|O_CLOEXEC);
648 SLOGE("Cannot open %s metadata file", fname);
652 pdata = malloc(crypt_ftr.persist_data_size);
654 SLOGE("Cannot allocate memory for persistent data");
658 for (i = 0; i < 2; i++) {
659 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
660 SLOGE("Cannot seek to read persistent data on %s", fname);
663 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
664 SLOGE("Error reading persistent data on iteration %d", i);
667 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
674 SLOGI("Could not find valid persistent data, creating");
675 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
679 persist_data = pdata;
691 static int save_persistent_data(void)
693 struct crypt_mnt_ftr crypt_ftr;
694 struct crypt_persist_data *pdata;
696 off64_t write_offset;
697 off64_t erase_offset;
701 if (persist_data == NULL) {
702 SLOGE("No persistent data to save");
706 if(get_crypt_ftr_and_key(&crypt_ftr)) {
710 if ((crypt_ftr.major_version < 1)
711 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
712 SLOGE("Crypt_ftr version doesn't support persistent data");
716 ret = validate_persistent_data_storage(&crypt_ftr);
721 if (get_crypt_ftr_info(&fname, NULL)) {
725 fd = open(fname, O_RDWR|O_CLOEXEC);
727 SLOGE("Cannot open %s metadata file", fname);
731 pdata = malloc(crypt_ftr.persist_data_size);
733 SLOGE("Cannot allocate persistant data");
737 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
738 SLOGE("Cannot seek to read persistent data on %s", fname);
742 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
743 SLOGE("Error reading persistent data before save");
747 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
748 /* The first copy is the curent valid copy, so write to
749 * the second copy and erase this one */
750 write_offset = crypt_ftr.persist_data_offset[1];
751 erase_offset = crypt_ftr.persist_data_offset[0];
753 /* The second copy must be the valid copy, so write to
754 * the first copy, and erase the second */
755 write_offset = crypt_ftr.persist_data_offset[0];
756 erase_offset = crypt_ftr.persist_data_offset[1];
759 /* Write the new copy first, if successful, then erase the old copy */
760 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
761 SLOGE("Cannot seek to write persistent data");
764 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
765 (int) crypt_ftr.persist_data_size) {
766 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
767 SLOGE("Cannot seek to erase previous persistent data");
771 memset(pdata, 0, crypt_ftr.persist_data_size);
772 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
773 (int) crypt_ftr.persist_data_size) {
774 SLOGE("Cannot write to erase previous persistent data");
779 SLOGE("Cannot write to save persistent data");
795 /* Convert a binary key of specified length into an ascii hex string equivalent,
796 * without the leading 0x and with null termination
798 static void convert_key_to_hex_ascii(const unsigned char *master_key,
799 unsigned int keysize, char *master_key_ascii) {
801 unsigned char nibble;
803 for (i=0, a=0; i<keysize; i++, a+=2) {
804 /* For each byte, write out two ascii hex digits */
805 nibble = (master_key[i] >> 4) & 0xf;
806 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
808 nibble = master_key[i] & 0xf;
809 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
812 /* Add the null termination */
813 master_key_ascii[a] = '\0';
817 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
818 const unsigned char *master_key, const char *real_blk_name,
819 const char *name, int fd, const char *extra_params) {
820 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
822 struct dm_target_spec *tgt;
824 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
828 io = (struct dm_ioctl *) buffer;
830 /* Load the mapping table for this device */
831 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
833 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
834 io->target_count = 1;
836 tgt->sector_start = 0;
837 tgt->length = crypt_ftr->fs_size;
838 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
840 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
841 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
843 buff_offset = crypt_params - buffer;
844 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
845 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
847 crypt_params += strlen(crypt_params) + 1;
848 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
849 tgt->next = crypt_params - buffer;
851 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
852 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
858 if (i == TABLE_LOAD_RETRIES) {
859 /* We failed to load the table, return an error */
867 static int get_dm_crypt_version(int fd, const char *name, int *version)
869 char buffer[DM_CRYPT_BUF_SIZE];
871 struct dm_target_versions *v;
873 io = (struct dm_ioctl *) buffer;
875 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
877 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
881 /* Iterate over the returned versions, looking for name of "crypt".
882 * When found, get and return the version.
884 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
886 if (! strcmp(v->name, "crypt")) {
887 /* We found the crypt driver, return the version, and get out */
888 version[0] = v->version[0];
889 version[1] = v->version[1];
890 version[2] = v->version[2];
893 v = (struct dm_target_versions *)(((char *)v) + v->next);
899 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
900 const unsigned char *master_key, const char *real_blk_name,
901 char *crypto_blk_name, const char *name) {
902 char buffer[DM_CRYPT_BUF_SIZE];
912 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
913 SLOGE("Cannot open device-mapper\n");
917 io = (struct dm_ioctl *) buffer;
919 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
920 err = ioctl(fd, DM_DEV_CREATE, io);
922 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
926 /* Get the device status, in particular, the name of it's device file */
927 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
928 if (ioctl(fd, DM_DEV_STATUS, io)) {
929 SLOGE("Cannot retrieve dm-crypt device status\n");
932 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
933 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
936 if (! get_dm_crypt_version(fd, name, version)) {
937 /* Support for allow_discards was added in version 1.11.0 */
938 if ((version[0] >= 2) ||
939 ((version[0] == 1) && (version[1] >= 11))) {
940 extra_params = "1 allow_discards";
941 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
945 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
947 if (load_count < 0) {
948 SLOGE("Cannot load dm-crypt mapping table.\n");
950 } else if (load_count > 1) {
951 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
954 /* Resume this device to activate it */
955 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
957 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
958 SLOGE("Cannot resume the dm-crypt device\n");
962 /* We made it here with no errors. Woot! */
966 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
971 static int delete_crypto_blk_dev(char *name)
974 char buffer[DM_CRYPT_BUF_SIZE];
978 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
979 SLOGE("Cannot open device-mapper\n");
983 io = (struct dm_ioctl *) buffer;
985 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
986 if (ioctl(fd, DM_DEV_REMOVE, io)) {
987 SLOGE("Cannot remove dm-crypt device\n");
991 /* We made it here with no errors. Woot! */
995 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1001 static int pbkdf2(const char *passwd, const unsigned char *salt,
1002 unsigned char *ikey, void *params UNUSED)
1004 SLOGI("Using pbkdf2 for cryptfs KDF");
1006 /* Turn the password into a key and IV that can decrypt the master key */
1007 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1008 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES,
1012 static int scrypt(const char *passwd, const unsigned char *salt,
1013 unsigned char *ikey, void *params)
1015 SLOGI("Using scrypt for cryptfs KDF");
1017 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1019 int N = 1 << ftr->N_factor;
1020 int r = 1 << ftr->r_factor;
1021 int p = 1 << ftr->p_factor;
1023 /* Turn the password into a key and IV that can decrypt the master key */
1024 unsigned int keysize;
1025 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1026 salt, SALT_LEN, N, r, p, ikey,
1027 KEY_LEN_BYTES + IV_LEN_BYTES);
1032 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1033 unsigned char *ikey, void *params)
1035 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1038 size_t signature_size;
1039 unsigned char* signature;
1040 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1042 int N = 1 << ftr->N_factor;
1043 int r = 1 << ftr->r_factor;
1044 int p = 1 << ftr->p_factor;
1046 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1047 salt, SALT_LEN, N, r, p, ikey,
1048 KEY_LEN_BYTES + IV_LEN_BYTES);
1051 SLOGE("scrypt failed");
1055 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1056 &signature, &signature_size)) {
1057 SLOGE("Signing failed");
1061 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1062 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1066 SLOGE("scrypt failed");
1073 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1074 const unsigned char *decrypted_master_key,
1075 unsigned char *encrypted_master_key,
1076 struct crypt_mnt_ftr *crypt_ftr)
1078 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1079 EVP_CIPHER_CTX e_ctx;
1080 int encrypted_len, final_len;
1083 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1084 get_device_scrypt_params(crypt_ftr);
1086 switch (crypt_ftr->kdf_type) {
1087 case KDF_SCRYPT_KEYMASTER:
1088 if (keymaster_create_key(crypt_ftr)) {
1089 SLOGE("keymaster_create_key failed");
1093 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1094 SLOGE("scrypt failed");
1100 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1101 SLOGE("scrypt failed");
1107 SLOGE("Invalid kdf_type");
1111 /* Initialize the decryption engine */
1112 EVP_CIPHER_CTX_init(&e_ctx);
1113 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1114 SLOGE("EVP_EncryptInit failed\n");
1117 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1119 /* Encrypt the master key */
1120 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1121 decrypted_master_key, KEY_LEN_BYTES)) {
1122 SLOGE("EVP_EncryptUpdate failed\n");
1125 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1126 SLOGE("EVP_EncryptFinal failed\n");
1130 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1131 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1135 /* Store the scrypt of the intermediate key, so we can validate if it's a
1136 password error or mount error when things go wrong.
1137 Note there's no need to check for errors, since if this is incorrect, we
1138 simply won't wipe userdata, which is the correct default behavior
1140 int N = 1 << crypt_ftr->N_factor;
1141 int r = 1 << crypt_ftr->r_factor;
1142 int p = 1 << crypt_ftr->p_factor;
1144 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1145 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1146 crypt_ftr->scrypted_intermediate_key,
1147 sizeof(crypt_ftr->scrypted_intermediate_key));
1150 SLOGE("encrypt_master_key: crypto_scrypt failed");
1153 EVP_CIPHER_CTX_cleanup(&e_ctx);
1158 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1159 unsigned char *encrypted_master_key,
1160 unsigned char *decrypted_master_key,
1161 kdf_func kdf, void *kdf_params,
1162 unsigned char** intermediate_key,
1163 size_t* intermediate_key_size)
1165 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1166 EVP_CIPHER_CTX d_ctx;
1167 int decrypted_len, final_len;
1169 /* Turn the password into an intermediate key and IV that can decrypt the
1171 if (kdf(passwd, salt, ikey, kdf_params)) {
1172 SLOGE("kdf failed");
1176 /* Initialize the decryption engine */
1177 EVP_CIPHER_CTX_init(&d_ctx);
1178 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1181 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1182 /* Decrypt the master key */
1183 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1184 encrypted_master_key, KEY_LEN_BYTES)) {
1187 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1191 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1195 /* Copy intermediate key if needed by params */
1196 if (intermediate_key && intermediate_key_size) {
1197 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1198 if (*intermediate_key) {
1199 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1200 *intermediate_key_size = KEY_LEN_BYTES;
1204 EVP_CIPHER_CTX_cleanup(&d_ctx);
1209 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1211 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1212 *kdf = scrypt_keymaster;
1214 } else if (ftr->kdf_type == KDF_SCRYPT) {
1223 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1224 struct crypt_mnt_ftr *crypt_ftr,
1225 unsigned char** intermediate_key,
1226 size_t* intermediate_key_size)
1232 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1233 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1234 decrypted_master_key, kdf, kdf_params,
1235 intermediate_key, intermediate_key_size);
1237 SLOGW("failure decrypting master key");
1243 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1244 struct crypt_mnt_ftr *crypt_ftr) {
1246 unsigned char key_buf[KEY_LEN_BYTES];
1248 /* Get some random bits for a key */
1249 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1250 read(fd, key_buf, sizeof(key_buf));
1251 read(fd, salt, SALT_LEN);
1254 /* Now encrypt it with the password */
1255 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1258 int wait_and_unmount(const char *mountpoint, bool kill)
1261 #define WAIT_UNMOUNT_COUNT 20
1263 /* Now umount the tmpfs filesystem */
1264 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1265 if (umount(mountpoint) == 0) {
1269 if (errno == EINVAL) {
1270 /* EINVAL is returned if the directory is not a mountpoint,
1271 * i.e. there is no filesystem mounted there. So just get out.
1278 /* If allowed, be increasingly aggressive before the last two retries */
1280 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1281 SLOGW("sending SIGHUP to processes with open files\n");
1282 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1283 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1284 SLOGW("sending SIGKILL to processes with open files\n");
1285 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1292 if (i < WAIT_UNMOUNT_COUNT) {
1293 SLOGD("unmounting %s succeeded\n", mountpoint);
1296 vold_killProcessesWithOpenFiles(mountpoint, 0);
1297 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1304 #define DATA_PREP_TIMEOUT 1000
1305 static int prep_data_fs(void)
1309 // NOTE: post_fs_data results in init calling back around to vold, so all
1310 // callers to this method must be async
1312 /* Do the prep of the /data filesystem */
1313 property_set("vold.post_fs_data_done", "0");
1314 property_set("vold.decrypt", "trigger_post_fs_data");
1315 SLOGD("Just triggered post_fs_data\n");
1317 /* Wait a max of 50 seconds, hopefully it takes much less */
1318 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1319 char p[PROPERTY_VALUE_MAX];
1321 property_get("vold.post_fs_data_done", p, "0");
1328 if (i == DATA_PREP_TIMEOUT) {
1329 /* Ugh, we failed to prep /data in time. Bail. */
1330 SLOGE("post_fs_data timed out!\n");
1333 SLOGD("post_fs_data done\n");
1338 static void cryptfs_set_corrupt()
1340 // Mark the footer as bad
1341 struct crypt_mnt_ftr crypt_ftr;
1342 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1343 SLOGE("Failed to get crypto footer - panic");
1347 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1348 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1349 SLOGE("Failed to set crypto footer - panic");
1354 static void cryptfs_trigger_restart_min_framework()
1356 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1357 SLOGE("Failed to mount tmpfs on data - panic");
1361 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1362 SLOGE("Failed to trigger post fs data - panic");
1366 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1367 SLOGE("Failed to trigger restart min framework - panic");
1372 /* returns < 0 on failure */
1373 static int cryptfs_restart_internal(int restart_main)
1375 char crypto_blkdev[MAXPATHLEN];
1377 static int restart_successful = 0;
1379 /* Validate that it's OK to call this routine */
1380 if (! master_key_saved) {
1381 SLOGE("Encrypted filesystem not validated, aborting");
1385 if (restart_successful) {
1386 SLOGE("System already restarted with encrypted disk, aborting");
1391 /* Here is where we shut down the framework. The init scripts
1392 * start all services in one of three classes: core, main or late_start.
1393 * On boot, we start core and main. Now, we stop main, but not core,
1394 * as core includes vold and a few other really important things that
1395 * we need to keep running. Once main has stopped, we should be able
1396 * to umount the tmpfs /data, then mount the encrypted /data.
1397 * We then restart the class main, and also the class late_start.
1398 * At the moment, I've only put a few things in late_start that I know
1399 * are not needed to bring up the framework, and that also cause problems
1400 * with unmounting the tmpfs /data, but I hope to add add more services
1401 * to the late_start class as we optimize this to decrease the delay
1402 * till the user is asked for the password to the filesystem.
1405 /* The init files are setup to stop the class main when vold.decrypt is
1406 * set to trigger_reset_main.
1408 property_set("vold.decrypt", "trigger_reset_main");
1409 SLOGD("Just asked init to shut down class main\n");
1411 /* Ugh, shutting down the framework is not synchronous, so until it
1412 * can be fixed, this horrible hack will wait a moment for it all to
1413 * shut down before proceeding. Without it, some devices cannot
1414 * restart the graphics services.
1419 /* Now that the framework is shutdown, we should be able to umount()
1420 * the tmpfs filesystem, and mount the real one.
1423 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1424 if (strlen(crypto_blkdev) == 0) {
1425 SLOGE("fs_crypto_blkdev not set\n");
1429 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1430 /* If ro.crypto.readonly is set to 1, mount the decrypted
1431 * filesystem readonly. This is used when /data is mounted by
1434 char ro_prop[PROPERTY_VALUE_MAX];
1435 property_get("ro.crypto.readonly", ro_prop, "");
1436 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1437 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1438 rec->flags |= MS_RDONLY;
1441 /* If that succeeded, then mount the decrypted filesystem */
1442 int retries = RETRY_MOUNT_ATTEMPTS;
1446 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1447 * partitions in the fsck domain.
1449 if (setexeccon(secontextFsck())){
1450 SLOGE("Failed to setexeccon");
1453 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1456 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1457 /* TODO: invoke something similar to
1458 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1459 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1460 SLOGI("Failed to mount %s because it is busy - waiting",
1463 sleep(RETRY_MOUNT_DELAY_SECONDS);
1465 /* Let's hope that a reboot clears away whatever is keeping
1467 cryptfs_reboot(reboot);
1470 SLOGE("Failed to mount decrypted data");
1471 cryptfs_set_corrupt();
1472 cryptfs_trigger_restart_min_framework();
1473 SLOGI("Started framework to offer wipe");
1474 if (setexeccon(NULL)) {
1475 SLOGE("Failed to setexeccon");
1480 if (setexeccon(NULL)) {
1481 SLOGE("Failed to setexeccon");
1485 /* Create necessary paths on /data */
1486 if (prep_data_fs()) {
1489 property_set("vold.decrypt", "trigger_load_persist_props");
1491 /* startup service classes main and late_start */
1492 property_set("vold.decrypt", "trigger_restart_framework");
1493 SLOGD("Just triggered restart_framework\n");
1495 /* Give it a few moments to get started */
1500 restart_successful = 1;
1506 int cryptfs_restart(void)
1508 SLOGI("cryptfs_restart");
1509 if (e4crypt_is_native()) {
1510 SLOGE("cryptfs_restart not valid for file encryption:");
1514 /* Call internal implementation forcing a restart of main service group */
1515 return cryptfs_restart_internal(1);
1518 static int do_crypto_complete(char *mount_point)
1520 struct crypt_mnt_ftr crypt_ftr;
1521 char encrypted_state[PROPERTY_VALUE_MAX];
1522 char key_loc[PROPERTY_VALUE_MAX];
1524 property_get("ro.crypto.state", encrypted_state, "");
1525 if (strcmp(encrypted_state, "encrypted") ) {
1526 SLOGE("not running with encryption, aborting");
1527 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1530 // crypto_complete is full disk encrypted status
1531 if (e4crypt_is_native()) {
1532 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1535 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1536 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1539 * Only report this error if key_loc is a file and it exists.
1540 * If the device was never encrypted, and /data is not mountable for
1541 * some reason, returning 1 should prevent the UI from presenting the
1542 * a "enter password" screen, or worse, a "press button to wipe the
1545 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1546 SLOGE("master key file does not exist, aborting");
1547 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1549 SLOGE("Error getting crypt footer and key\n");
1550 return CRYPTO_COMPLETE_BAD_METADATA;
1554 // Test for possible error flags
1555 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1556 SLOGE("Encryption process is partway completed\n");
1557 return CRYPTO_COMPLETE_PARTIAL;
1560 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1561 SLOGE("Encryption process was interrupted but cannot continue\n");
1562 return CRYPTO_COMPLETE_INCONSISTENT;
1565 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1566 SLOGE("Encryption is successful but data is corrupt\n");
1567 return CRYPTO_COMPLETE_CORRUPT;
1570 /* We passed the test! We shall diminish, and return to the west */
1571 return CRYPTO_COMPLETE_ENCRYPTED;
1574 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1575 char *passwd, char *mount_point, char *label)
1577 /* Allocate enough space for a 256 bit key, but we may use less */
1578 unsigned char decrypted_master_key[32];
1579 char crypto_blkdev[MAXPATHLEN];
1580 char real_blkdev[MAXPATHLEN];
1581 char tmp_mount_point[64];
1582 unsigned int orig_failed_decrypt_count;
1584 int use_keymaster = 0;
1586 unsigned char* intermediate_key = 0;
1587 size_t intermediate_key_size = 0;
1589 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1590 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1592 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1593 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1594 &intermediate_key, &intermediate_key_size)) {
1595 SLOGE("Failed to decrypt master key\n");
1601 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1603 // Create crypto block device - all (non fatal) code paths
1605 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1606 real_blkdev, crypto_blkdev, label)) {
1607 SLOGE("Error creating decrypted block device\n");
1612 /* Work out if the problem is the password or the data */
1613 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1614 scrypted_intermediate_key)];
1615 int N = 1 << crypt_ftr->N_factor;
1616 int r = 1 << crypt_ftr->r_factor;
1617 int p = 1 << crypt_ftr->p_factor;
1619 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1620 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1621 N, r, p, scrypted_intermediate_key,
1622 sizeof(scrypted_intermediate_key));
1624 // Does the key match the crypto footer?
1625 if (rc == 0 && memcmp(scrypted_intermediate_key,
1626 crypt_ftr->scrypted_intermediate_key,
1627 sizeof(scrypted_intermediate_key)) == 0) {
1628 SLOGI("Password matches");
1631 /* Try mounting the file system anyway, just in case the problem's with
1632 * the footer, not the key. */
1633 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1635 mkdir(tmp_mount_point, 0755);
1636 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1637 SLOGE("Error temp mounting decrypted block device\n");
1638 delete_crypto_blk_dev(label);
1640 rc = ++crypt_ftr->failed_decrypt_count;
1641 put_crypt_ftr_and_key(crypt_ftr);
1644 SLOGI("Password did not match but decrypted drive mounted - continue");
1645 umount(tmp_mount_point);
1651 crypt_ftr->failed_decrypt_count = 0;
1652 if (orig_failed_decrypt_count != 0) {
1653 put_crypt_ftr_and_key(crypt_ftr);
1656 /* Save the name of the crypto block device
1657 * so we can mount it when restarting the framework. */
1658 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1660 /* Also save a the master key so we can reencrypted the key
1661 * the key when we want to change the password on it. */
1662 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1663 saved_mount_point = strdup(mount_point);
1664 master_key_saved = 1;
1665 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1668 // Upgrade if we're not using the latest KDF.
1669 use_keymaster = keymaster_check_compatibility();
1670 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1671 // Don't allow downgrade
1672 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1673 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1675 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1676 crypt_ftr->kdf_type = KDF_SCRYPT;
1681 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1682 crypt_ftr->master_key, crypt_ftr);
1684 rc = put_crypt_ftr_and_key(crypt_ftr);
1686 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1688 // Do not fail even if upgrade failed - machine is bootable
1689 // Note that if this code is ever hit, there is a *serious* problem
1690 // since KDFs should never fail. You *must* fix the kdf before
1693 SLOGW("Upgrade failed with error %d,"
1694 " but continuing with previous state",
1702 if (intermediate_key) {
1703 memset(intermediate_key, 0, intermediate_key_size);
1704 free(intermediate_key);
1710 * Called by vold when it's asked to mount an encrypted external
1711 * storage volume. The incoming partition has no crypto header/footer,
1712 * as any metadata is been stored in a separate, small partition.
1714 * out_crypto_blkdev must be MAXPATHLEN.
1716 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1717 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1718 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1720 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1724 unsigned long nr_sec = 0;
1725 get_blkdev_size(fd, &nr_sec);
1729 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1733 struct crypt_mnt_ftr ext_crypt_ftr;
1734 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1735 ext_crypt_ftr.fs_size = nr_sec;
1736 ext_crypt_ftr.keysize = keysize;
1737 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1739 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1740 out_crypto_blkdev, label);
1744 * Called by vold when it's asked to unmount an encrypted external
1747 int cryptfs_revert_ext_volume(const char* label) {
1748 return delete_crypto_blk_dev((char*) label);
1751 int cryptfs_crypto_complete(void)
1753 return do_crypto_complete("/data");
1756 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1758 char encrypted_state[PROPERTY_VALUE_MAX];
1759 property_get("ro.crypto.state", encrypted_state, "");
1760 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1761 SLOGE("encrypted fs already validated or not running with encryption,"
1766 if (get_crypt_ftr_and_key(crypt_ftr)) {
1767 SLOGE("Error getting crypt footer and key");
1774 int cryptfs_check_passwd(char *passwd)
1776 SLOGI("cryptfs_check_passwd");
1777 if (e4crypt_is_native()) {
1778 SLOGE("cryptfs_check_passwd not valid for file encryption");
1782 struct crypt_mnt_ftr crypt_ftr;
1785 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1787 SLOGE("Could not get footer");
1791 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1792 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1794 SLOGE("Password did not match");
1798 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1799 // Here we have a default actual password but a real password
1800 // we must test against the scrypted value
1801 // First, we must delete the crypto block device that
1802 // test_mount_encrypted_fs leaves behind as a side effect
1803 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1804 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1805 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1807 SLOGE("Default password did not match on reboot encryption");
1811 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1812 put_crypt_ftr_and_key(&crypt_ftr);
1813 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1815 SLOGE("Could not change password on reboot encryption");
1820 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1821 cryptfs_clear_password();
1822 password = strdup(passwd);
1823 struct timespec now;
1824 clock_gettime(CLOCK_BOOTTIME, &now);
1825 password_expiry_time = now.tv_sec + password_max_age_seconds;
1831 int cryptfs_verify_passwd(char *passwd)
1833 struct crypt_mnt_ftr crypt_ftr;
1834 /* Allocate enough space for a 256 bit key, but we may use less */
1835 unsigned char decrypted_master_key[32];
1836 char encrypted_state[PROPERTY_VALUE_MAX];
1839 property_get("ro.crypto.state", encrypted_state, "");
1840 if (strcmp(encrypted_state, "encrypted") ) {
1841 SLOGE("device not encrypted, aborting");
1845 if (!master_key_saved) {
1846 SLOGE("encrypted fs not yet mounted, aborting");
1850 if (!saved_mount_point) {
1851 SLOGE("encrypted fs failed to save mount point, aborting");
1855 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1856 SLOGE("Error getting crypt footer and key\n");
1860 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1861 /* If the device has no password, then just say the password is valid */
1864 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1865 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1866 /* They match, the password is correct */
1869 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1878 /* Initialize a crypt_mnt_ftr structure. The keysize is
1879 * defaulted to 16 bytes, and the filesystem size to 0.
1880 * Presumably, at a minimum, the caller will update the
1881 * filesystem size and crypto_type_name after calling this function.
1883 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1887 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1888 ftr->magic = CRYPT_MNT_MAGIC;
1889 ftr->major_version = CURRENT_MAJOR_VERSION;
1890 ftr->minor_version = CURRENT_MINOR_VERSION;
1891 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1892 ftr->keysize = KEY_LEN_BYTES;
1894 switch (keymaster_check_compatibility()) {
1896 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1900 ftr->kdf_type = KDF_SCRYPT;
1904 SLOGE("keymaster_check_compatibility failed");
1908 get_device_scrypt_params(ftr);
1910 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1911 if (get_crypt_ftr_info(NULL, &off) == 0) {
1912 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1913 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1914 ftr->persist_data_size;
1920 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
1922 const char *args[10];
1923 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
1929 if (type == EXT4_FS) {
1930 #ifdef TARGET_USES_MKE2FS
1931 args[0] = "/system/bin/mke2fs";
1938 args[7] = crypto_blkdev;
1939 snprintf(size_str, sizeof(size_str), "%" PRId64, size / (4096 / 512));
1943 args[0] = "/system/bin/make_ext4fs";
1947 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
1949 args[5] = crypto_blkdev;
1952 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
1953 args[0], args[1], args[2], args[3], args[4], args[5]);
1954 } else if (type == F2FS_FS) {
1955 args[0] = "/system/bin/mkfs.f2fs";
1958 args[3] = crypto_blkdev;
1959 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
1962 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
1963 args[0], args[1], args[2], args[3], args[4]);
1965 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
1969 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
1972 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
1974 if (WIFEXITED(status)) {
1975 if (WEXITSTATUS(status)) {
1976 SLOGE("Error creating filesystem on %s, exit status %d ",
1977 crypto_blkdev, WEXITSTATUS(status));
1979 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
1983 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
1990 #define CRYPT_INPLACE_BUFSIZE 4096
1991 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
1992 #define CRYPT_SECTOR_SIZE 512
1994 /* aligned 32K writes tends to make flash happy.
1995 * SD card association recommends it.
1997 #define BLOCKS_AT_A_TIME 8
1999 struct encryptGroupsData
2004 off64_t one_pct, cur_pct, new_pct;
2005 off64_t blocks_already_done, tot_numblocks;
2006 off64_t used_blocks_already_done, tot_used_blocks;
2007 char* real_blkdev, * crypto_blkdev;
2011 off64_t last_written_sector;
2013 time_t time_started;
2017 static void update_progress(struct encryptGroupsData* data, int is_used)
2019 data->blocks_already_done++;
2022 data->used_blocks_already_done++;
2024 if (data->tot_used_blocks) {
2025 data->new_pct = data->used_blocks_already_done / data->one_pct;
2027 data->new_pct = data->blocks_already_done / data->one_pct;
2030 if (data->new_pct > data->cur_pct) {
2032 data->cur_pct = data->new_pct;
2033 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2034 property_set("vold.encrypt_progress", buf);
2037 if (data->cur_pct >= 5) {
2038 struct timespec time_now;
2039 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2040 SLOGW("Error getting time");
2042 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2043 off64_t remaining_blocks = data->tot_used_blocks
2044 - data->used_blocks_already_done;
2045 int remaining_time = (int)(elapsed_time * remaining_blocks
2046 / data->used_blocks_already_done);
2048 // Change time only if not yet set, lower, or a lot higher for
2049 // best user experience
2050 if (data->remaining_time == -1
2051 || remaining_time < data->remaining_time
2052 || remaining_time > data->remaining_time + 60) {
2054 snprintf(buf, sizeof(buf), "%d", remaining_time);
2055 property_set("vold.encrypt_time_remaining", buf);
2056 data->remaining_time = remaining_time;
2062 static void log_progress(struct encryptGroupsData const* data, bool completed)
2064 // Precondition - if completed data = 0 else data != 0
2066 // Track progress so we can skip logging blocks
2067 static off64_t offset = -1;
2069 // Need to close existing 'Encrypting from' log?
2070 if (completed || (offset != -1 && data->offset != offset)) {
2071 SLOGI("Encrypted to sector %" PRId64,
2072 offset / info.block_size * CRYPT_SECTOR_SIZE);
2076 // Need to start new 'Encrypting from' log?
2077 if (!completed && offset != data->offset) {
2078 SLOGI("Encrypting from sector %" PRId64,
2079 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2084 offset = data->offset + (off64_t)data->count * info.block_size;
2088 static int flush_outstanding_data(struct encryptGroupsData* data)
2090 if (data->count == 0) {
2094 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2096 if (pread64(data->realfd, data->buffer,
2097 info.block_size * data->count, data->offset)
2099 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2104 if (pwrite64(data->cryptofd, data->buffer,
2105 info.block_size * data->count, data->offset)
2107 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2108 data->crypto_blkdev);
2111 log_progress(data, false);
2115 data->last_written_sector = (data->offset + data->count)
2116 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2120 static int encrypt_groups(struct encryptGroupsData* data)
2123 u8 *block_bitmap = 0;
2128 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2129 if (!data->buffer) {
2130 SLOGE("Failed to allocate crypto buffer");
2134 block_bitmap = malloc(info.block_size);
2135 if (!block_bitmap) {
2136 SLOGE("failed to allocate block bitmap");
2140 for (i = 0; i < aux_info.groups; ++i) {
2141 SLOGI("Encrypting group %d", i);
2143 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2144 u32 block_count = min(info.blocks_per_group,
2145 aux_info.len_blocks - first_block);
2147 off64_t offset = (u64)info.block_size
2148 * aux_info.bg_desc[i].bg_block_bitmap;
2150 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2151 if (ret != (int)info.block_size) {
2152 SLOGE("failed to read all of block group bitmap %d", i);
2156 offset = (u64)info.block_size * first_block;
2160 for (block = 0; block < block_count; block++) {
2161 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ?
2162 0 : bitmap_get_bit(block_bitmap, block);
2163 update_progress(data, used);
2165 if (data->count == 0) {
2166 data->offset = offset;
2170 if (flush_outstanding_data(data)) {
2175 offset += info.block_size;
2177 /* Write data if we are aligned or buffer size reached */
2178 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2179 || data->count == BLOCKS_AT_A_TIME) {
2180 if (flush_outstanding_data(data)) {
2185 if (!is_battery_ok_to_continue()) {
2186 SLOGE("Stopping encryption due to low battery");
2192 if (flush_outstanding_data(data)) {
2197 data->completed = 1;
2201 log_progress(0, true);
2207 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2210 off64_t *size_already_done,
2212 off64_t previously_encrypted_upto)
2215 struct encryptGroupsData data;
2216 int rc; // Can't initialize without causing warning -Wclobbered
2218 if (previously_encrypted_upto > *size_already_done) {
2219 SLOGD("Not fast encrypting since resuming part way through");
2223 memset(&data, 0, sizeof(data));
2224 data.real_blkdev = real_blkdev;
2225 data.crypto_blkdev = crypto_blkdev;
2227 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2228 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2229 real_blkdev, errno, strerror(errno));
2234 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2235 int retries = RETRY_MOUNT_ATTEMPTS;
2236 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2238 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2239 crypto_blkdev, errno, strerror(errno));
2240 sleep(RETRY_MOUNT_DELAY_SECONDS);
2242 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2243 crypto_blkdev, errno, strerror(errno));
2244 rc = ENABLE_INPLACE_ERR_DEV;
2249 if (setjmp(setjmp_env)) {
2250 SLOGE("Reading ext4 extent caused an exception\n");
2255 if (read_ext(data.realfd, 0) != 0) {
2256 SLOGE("Failed to read ext4 extent\n");
2261 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2262 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2263 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2265 SLOGI("Encrypting ext4 filesystem in place...");
2267 data.tot_used_blocks = data.numblocks;
2268 for (i = 0; i < aux_info.groups; ++i) {
2269 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2272 data.one_pct = data.tot_used_blocks / 100;
2275 struct timespec time_started = {0};
2276 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2277 SLOGW("Error getting time at start");
2278 // Note - continue anyway - we'll run with 0
2280 data.time_started = time_started.tv_sec;
2281 data.remaining_time = -1;
2283 rc = encrypt_groups(&data);
2285 SLOGE("Error encrypting groups");
2289 *size_already_done += data.completed ? size : data.last_written_sector;
2294 close(data.cryptofd);
2299 static void log_progress_f2fs(u64 block, bool completed)
2301 // Precondition - if completed data = 0 else data != 0
2303 // Track progress so we can skip logging blocks
2304 static u64 last_block = (u64)-1;
2306 // Need to close existing 'Encrypting from' log?
2307 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2308 SLOGI("Encrypted to block %" PRId64, last_block);
2312 // Need to start new 'Encrypting from' log?
2313 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2314 SLOGI("Encrypting from block %" PRId64, block);
2323 static int encrypt_one_block_f2fs(u64 pos, void *data)
2325 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2327 priv_dat->blocks_already_done = pos - 1;
2328 update_progress(priv_dat, 1);
2330 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2332 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2333 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2337 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2338 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2341 log_progress_f2fs(pos, false);
2347 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2350 off64_t *size_already_done,
2352 off64_t previously_encrypted_upto)
2354 struct encryptGroupsData data;
2355 struct f2fs_info *f2fs_info = NULL;
2356 int rc = ENABLE_INPLACE_ERR_OTHER;
2357 if (previously_encrypted_upto > *size_already_done) {
2358 SLOGD("Not fast encrypting since resuming part way through");
2359 return ENABLE_INPLACE_ERR_OTHER;
2361 memset(&data, 0, sizeof(data));
2362 data.real_blkdev = real_blkdev;
2363 data.crypto_blkdev = crypto_blkdev;
2366 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2367 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2371 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2372 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2373 crypto_blkdev, errno, strerror(errno));
2374 rc = ENABLE_INPLACE_ERR_DEV;
2378 f2fs_info = generate_f2fs_info(data.realfd);
2382 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2383 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2384 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2386 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2388 data.one_pct = data.tot_used_blocks / 100;
2390 data.time_started = time(NULL);
2391 data.remaining_time = -1;
2393 data.buffer = malloc(f2fs_info->block_size);
2395 SLOGE("Failed to allocate crypto buffer");
2401 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2402 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2405 SLOGE("Error in running over f2fs blocks");
2406 rc = ENABLE_INPLACE_ERR_OTHER;
2410 *size_already_done += size;
2415 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2417 log_progress_f2fs(0, true);
2421 close(data.cryptofd);
2426 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2427 off64_t size, off64_t *size_already_done,
2429 off64_t previously_encrypted_upto)
2431 int realfd, cryptofd;
2432 char *buf[CRYPT_INPLACE_BUFSIZE];
2433 int rc = ENABLE_INPLACE_ERR_OTHER;
2434 off64_t numblocks, i, remainder;
2435 off64_t one_pct, cur_pct, new_pct;
2436 off64_t blocks_already_done, tot_numblocks;
2438 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2439 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2440 return ENABLE_INPLACE_ERR_OTHER;
2443 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2444 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2445 crypto_blkdev, errno, strerror(errno));
2447 return ENABLE_INPLACE_ERR_DEV;
2450 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2451 * The size passed in is the number of 512 byte sectors in the filesystem.
2452 * So compute the number of whole 4K blocks we should read/write,
2453 * and the remainder.
2455 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2456 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2457 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2458 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2460 SLOGE("Encrypting filesystem in place...");
2462 i = previously_encrypted_upto + 1 - *size_already_done;
2464 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2465 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2469 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2470 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2474 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2475 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2476 SLOGE("Error reading initial sectors from real_blkdev %s for "
2477 "inplace encrypt\n", crypto_blkdev);
2480 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2481 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2482 "inplace encrypt\n", crypto_blkdev);
2485 SLOGI("Encrypted 1 block at %" PRId64, i);
2489 one_pct = tot_numblocks / 100;
2491 /* process the majority of the filesystem in blocks */
2492 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2493 new_pct = (i + blocks_already_done) / one_pct;
2494 if (new_pct > cur_pct) {
2498 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2499 property_set("vold.encrypt_progress", buf);
2501 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2502 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2505 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2506 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2509 SLOGD("Encrypted %d block at %" PRId64,
2510 CRYPT_SECTORS_PER_BUFSIZE,
2511 i * CRYPT_SECTORS_PER_BUFSIZE);
2514 if (!is_battery_ok_to_continue()) {
2515 SLOGE("Stopping encryption due to low battery");
2516 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2522 /* Do any remaining sectors */
2523 for (i=0; i<remainder; i++) {
2524 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2525 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2528 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2529 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2532 SLOGI("Encrypted 1 block at next location");
2536 *size_already_done += size;
2546 /* returns on of the ENABLE_INPLACE_* return codes */
2547 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2548 off64_t size, off64_t *size_already_done,
2550 off64_t previously_encrypted_upto)
2552 int rc_ext4, rc_f2fs, rc_full;
2553 if (previously_encrypted_upto) {
2554 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2557 if (*size_already_done + size < previously_encrypted_upto) {
2558 *size_already_done += size;
2562 /* TODO: identify filesystem type.
2563 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2564 * then we will drop down to cryptfs_enable_inplace_f2fs.
2566 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2567 size, size_already_done,
2568 tot_size, previously_encrypted_upto)) == 0) {
2571 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2573 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2574 size, size_already_done,
2575 tot_size, previously_encrypted_upto)) == 0) {
2578 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2580 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2581 size, size_already_done, tot_size,
2582 previously_encrypted_upto);
2583 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2585 /* Hack for b/17898962, the following is the symptom... */
2586 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2587 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2588 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2589 return ENABLE_INPLACE_ERR_DEV;
2594 #define CRYPTO_ENABLE_WIPE 1
2595 #define CRYPTO_ENABLE_INPLACE 2
2597 #define FRAMEWORK_BOOT_WAIT 60
2599 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2601 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2603 SLOGE("Error opening file %s", filename);
2607 char block[CRYPT_INPLACE_BUFSIZE];
2608 memset(block, 0, sizeof(block));
2609 if (unix_read(fd, block, sizeof(block)) < 0) {
2610 SLOGE("Error reading file %s", filename);
2619 SHA256_Update(&c, block, sizeof(block));
2620 SHA256_Final(buf, &c);
2625 static int get_fs_type(struct fstab_rec *rec)
2627 if (!strcmp(rec->fs_type, "ext4")) {
2629 } else if (!strcmp(rec->fs_type, "f2fs")) {
2636 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2637 char *crypto_blkdev, char *real_blkdev,
2638 int previously_encrypted_upto)
2640 off64_t cur_encryption_done=0, tot_encryption_size=0;
2643 if (!is_battery_ok_to_start()) {
2644 SLOGW("Not starting encryption due to low battery");
2648 /* The size of the userdata partition, and add in the vold volumes below */
2649 tot_encryption_size = crypt_ftr->fs_size;
2651 if (how == CRYPTO_ENABLE_WIPE) {
2652 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2653 int fs_type = get_fs_type(rec);
2655 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2658 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2659 } else if (how == CRYPTO_ENABLE_INPLACE) {
2660 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2661 crypt_ftr->fs_size, &cur_encryption_done,
2662 tot_encryption_size,
2663 previously_encrypted_upto);
2665 if (rc == ENABLE_INPLACE_ERR_DEV) {
2666 /* Hack for b/17898962 */
2667 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2668 cryptfs_reboot(reboot);
2672 crypt_ftr->encrypted_upto = cur_encryption_done;
2675 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2676 /* The inplace routine never actually sets the progress to 100% due
2677 * to the round down nature of integer division, so set it here */
2678 property_set("vold.encrypt_progress", "100");
2681 /* Shouldn't happen */
2682 SLOGE("cryptfs_enable: internal error, unknown option\n");
2689 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2693 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2694 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2696 struct crypt_mnt_ftr crypt_ftr;
2697 struct crypt_persist_data *pdata;
2698 char encrypted_state[PROPERTY_VALUE_MAX];
2699 char lockid[32] = { 0 };
2700 char key_loc[PROPERTY_VALUE_MAX];
2702 off64_t previously_encrypted_upto = 0;
2703 bool rebootEncryption = false;
2705 if (!strcmp(howarg, "wipe")) {
2706 how = CRYPTO_ENABLE_WIPE;
2707 } else if (! strcmp(howarg, "inplace")) {
2708 how = CRYPTO_ENABLE_INPLACE;
2710 /* Shouldn't happen, as CommandListener vets the args */
2711 goto error_unencrypted;
2714 if (how == CRYPTO_ENABLE_INPLACE
2715 && get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2716 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2717 /* An encryption was underway and was interrupted */
2718 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2719 crypt_ftr.encrypted_upto = 0;
2720 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2722 /* At this point, we are in an inconsistent state. Until we successfully
2723 complete encryption, a reboot will leave us broken. So mark the
2724 encryption failed in case that happens.
2725 On successfully completing encryption, remove this flag */
2726 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2728 put_crypt_ftr_and_key(&crypt_ftr);
2729 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2730 if (!check_ftr_sha(&crypt_ftr)) {
2731 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2732 put_crypt_ftr_and_key(&crypt_ftr);
2733 goto error_unencrypted;
2736 /* Doing a reboot-encryption*/
2737 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2738 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2739 rebootEncryption = true;
2743 property_get("ro.crypto.state", encrypted_state, "");
2744 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2745 SLOGE("Device is already running encrypted, aborting");
2746 goto error_unencrypted;
2749 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2750 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2751 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2753 /* Get the size of the real block device */
2754 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2756 SLOGE("Cannot open block device %s\n", real_blkdev);
2757 goto error_unencrypted;
2759 unsigned long nr_sec;
2760 get_blkdev_size(fd, &nr_sec);
2762 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2763 goto error_unencrypted;
2767 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2768 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2769 unsigned int fs_size_sec, max_fs_size_sec;
2770 fs_size_sec = get_fs_size(real_blkdev);
2771 if (fs_size_sec == 0)
2772 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2774 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2776 if (fs_size_sec > max_fs_size_sec) {
2777 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2778 goto error_unencrypted;
2782 /* Get a wakelock as this may take a while, and we don't want the
2783 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2784 * wants to keep the screen on, it can grab a full wakelock.
2786 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2787 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2789 /* The init files are setup to stop the class main and late start when
2790 * vold sets trigger_shutdown_framework.
2792 property_set("vold.decrypt", "trigger_shutdown_framework");
2793 SLOGD("Just asked init to shut down class main\n");
2795 /* Ask vold to unmount all devices that it manages */
2796 if (vold_unmountAll()) {
2797 SLOGE("Failed to unmount all vold managed devices");
2800 /* no_ui means we are being called from init, not settings.
2801 Now we always reboot from settings, so !no_ui means reboot
2803 bool onlyCreateHeader = false;
2805 /* Try fallback, which is to reboot and try there */
2806 onlyCreateHeader = true;
2807 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2808 if (breadcrumb == 0) {
2809 SLOGE("Failed to create breadcrumb file");
2810 goto error_shutting_down;
2815 /* Do extra work for a better UX when doing the long inplace encryption */
2816 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) {
2817 /* Now that /data is unmounted, we need to mount a tmpfs
2818 * /data, set a property saying we're doing inplace encryption,
2819 * and restart the framework.
2821 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2822 goto error_shutting_down;
2824 /* Tells the framework that inplace encryption is starting */
2825 property_set("vold.encrypt_progress", "0");
2827 /* restart the framework. */
2828 /* Create necessary paths on /data */
2829 if (prep_data_fs()) {
2830 goto error_shutting_down;
2833 /* Ugh, shutting down the framework is not synchronous, so until it
2834 * can be fixed, this horrible hack will wait a moment for it all to
2835 * shut down before proceeding. Without it, some devices cannot
2836 * restart the graphics services.
2841 /* Start the actual work of making an encrypted filesystem */
2842 /* Initialize a crypt_mnt_ftr for the partition */
2843 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2844 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2845 goto error_shutting_down;
2848 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2849 crypt_ftr.fs_size = nr_sec
2850 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2852 crypt_ftr.fs_size = nr_sec;
2854 /* At this point, we are in an inconsistent state. Until we successfully
2855 complete encryption, a reboot will leave us broken. So mark the
2856 encryption failed in case that happens.
2857 On successfully completing encryption, remove this flag */
2858 if (onlyCreateHeader) {
2859 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2861 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2863 crypt_ftr.crypt_type = crypt_type;
2864 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
2866 /* Make an encrypted master key */
2867 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2868 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2869 SLOGE("Cannot create encrypted master key\n");
2870 goto error_shutting_down;
2873 /* Replace scrypted intermediate key if we are preparing for a reboot */
2874 if (onlyCreateHeader) {
2875 unsigned char fake_master_key[KEY_LEN_BYTES];
2876 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES];
2877 memset(fake_master_key, 0, sizeof(fake_master_key));
2878 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
2879 encrypted_fake_master_key, &crypt_ftr);
2882 /* Write the key to the end of the partition */
2883 put_crypt_ftr_and_key(&crypt_ftr);
2885 /* If any persistent data has been remembered, save it.
2886 * If none, create a valid empty table and save that.
2888 if (!persist_data) {
2889 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
2891 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2892 persist_data = pdata;
2896 save_persistent_data();
2900 if (onlyCreateHeader) {
2902 cryptfs_reboot(reboot);
2905 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) {
2906 /* startup service classes main and late_start */
2907 property_set("vold.decrypt", "trigger_restart_min_framework");
2908 SLOGD("Just triggered restart_min_framework\n");
2910 /* OK, the framework is restarted and will soon be showing a
2911 * progress bar. Time to setup an encrypted mapping, and
2912 * either write a new filesystem, or encrypt in place updating
2913 * the progress bar as we work.
2917 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2918 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2919 CRYPTO_BLOCK_DEVICE);
2921 /* If we are continuing, check checksums match */
2923 if (previously_encrypted_upto) {
2924 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2925 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2927 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2928 sizeof(hash_first_block)) != 0) {
2929 SLOGE("Checksums do not match - trigger wipe");
2935 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
2936 crypto_blkdev, real_blkdev,
2937 previously_encrypted_upto);
2940 /* Calculate checksum if we are not finished */
2941 if (!rc && how == CRYPTO_ENABLE_INPLACE
2942 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2943 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2944 crypt_ftr.hash_first_block);
2946 SLOGE("Error calculating checksum for continuing encryption");
2951 /* Undo the dm-crypt mapping whether we succeed or not */
2952 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2956 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2958 if (how == CRYPTO_ENABLE_INPLACE
2959 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2960 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2961 crypt_ftr.encrypted_upto);
2962 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2965 put_crypt_ftr_and_key(&crypt_ftr);
2967 if (how == CRYPTO_ENABLE_WIPE
2968 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2969 char value[PROPERTY_VALUE_MAX];
2970 property_get("ro.crypto.state", value, "");
2971 if (!strcmp(value, "")) {
2972 /* default encryption - continue first boot sequence */
2973 property_set("ro.crypto.state", "encrypted");
2974 property_set("ro.crypto.type", "block");
2975 release_wake_lock(lockid);
2976 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2977 // Bring up cryptkeeper that will check the password and set it
2978 property_set("vold.decrypt", "trigger_shutdown_framework");
2980 property_set("vold.encrypt_progress", "");
2981 cryptfs_trigger_restart_min_framework();
2983 cryptfs_check_passwd(DEFAULT_PASSWORD);
2984 cryptfs_restart_internal(1);
2988 sleep(2); /* Give the UI a chance to show 100% progress */
2989 cryptfs_reboot(reboot);
2992 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2993 cryptfs_reboot(shutdown);
2996 char value[PROPERTY_VALUE_MAX];
2998 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2999 if (!strcmp(value, "1")) {
3000 /* wipe data if encryption failed */
3001 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3002 if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) {
3003 SLOGE("could not write bootloader message\n");
3005 cryptfs_reboot(recovery);
3007 /* set property to trigger dialog */
3008 property_set("vold.encrypt_progress", "error_partially_encrypted");
3009 release_wake_lock(lockid);
3014 /* hrm, the encrypt step claims success, but the reboot failed.
3015 * This should not happen.
3016 * Set the property and return. Hope the framework can deal with it.
3018 property_set("vold.encrypt_progress", "error_reboot_failed");
3019 release_wake_lock(lockid);
3023 property_set("vold.encrypt_progress", "error_not_encrypted");
3025 release_wake_lock(lockid);
3029 error_shutting_down:
3030 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3031 * but the framework is stopped and not restarted to show the error, so it's up to
3032 * vold to restart the system.
3034 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3035 cryptfs_reboot(reboot);
3037 /* shouldn't get here */
3038 property_set("vold.encrypt_progress", "error_shutting_down");
3040 release_wake_lock(lockid);
3045 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3047 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3050 int cryptfs_enable_default(char *howarg, int no_ui)
3052 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3053 DEFAULT_PASSWORD, no_ui);
3056 int cryptfs_changepw(int crypt_type, const char *newpw)
3058 if (e4crypt_is_native()) {
3059 SLOGE("cryptfs_changepw not valid for file encryption");
3063 struct crypt_mnt_ftr crypt_ftr;
3066 /* This is only allowed after we've successfully decrypted the master key */
3067 if (!master_key_saved) {
3068 SLOGE("Key not saved, aborting");
3072 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3073 SLOGE("Invalid crypt_type %d", crypt_type);
3078 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3079 SLOGE("Error getting crypt footer and key");
3083 crypt_ftr.crypt_type = crypt_type;
3085 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3089 crypt_ftr.master_key,
3092 SLOGE("Encrypt master key failed: %d", rc);
3096 put_crypt_ftr_and_key(&crypt_ftr);
3101 static unsigned int persist_get_max_entries(int encrypted) {
3102 struct crypt_mnt_ftr crypt_ftr;
3104 unsigned int max_persistent_entries;
3106 /* If encrypted, use the values from the crypt_ftr, otherwise
3107 * use the values for the current spec.
3110 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3113 dsize = crypt_ftr.persist_data_size;
3115 dsize = CRYPT_PERSIST_DATA_SIZE;
3118 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3119 sizeof(struct crypt_persist_entry);
3121 return max_persistent_entries;
3124 static int persist_get_key(const char *fieldname, char *value)
3128 if (persist_data == NULL) {
3131 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3132 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3134 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3142 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3146 unsigned int max_persistent_entries;
3148 if (persist_data == NULL) {
3152 max_persistent_entries = persist_get_max_entries(encrypted);
3154 num = persist_data->persist_valid_entries;
3156 for (i = 0; i < num; i++) {
3157 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3158 /* We found an existing entry, update it! */
3159 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3160 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3165 /* We didn't find it, add it to the end, if there is room */
3166 if (persist_data->persist_valid_entries < max_persistent_entries) {
3167 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3168 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3169 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3170 persist_data->persist_valid_entries++;
3178 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3179 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3181 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3182 unsigned int field_len;
3183 unsigned int key_index;
3184 field_len = strlen(field);
3187 // The first key in a multi-entry field is just the filedname itself.
3188 if (!strcmp(key, field)) {
3192 // Match key against "%s_%d" % (field, index)
3193 if (strlen(key) < field_len + 1 + 1) {
3194 // Need at least a '_' and a digit.
3197 if (strncmp(key, field, field_len)) {
3198 // If the key does not begin with field, it's not a match.
3201 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3204 return key_index >= index;
3208 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3209 * remaining entries starting from index will be deleted.
3210 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3211 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3212 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3215 static int persist_del_keys(const char *fieldname, unsigned index)
3221 if (persist_data == NULL) {
3222 return PERSIST_DEL_KEY_ERROR_OTHER;
3225 num = persist_data->persist_valid_entries;
3227 j = 0; // points to the end of non-deleted entries.
3228 // Filter out to-be-deleted entries in place.
3229 for (i = 0; i < num; i++) {
3230 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3231 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3237 persist_data->persist_valid_entries = j;
3238 // Zeroise the remaining entries
3239 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3240 return PERSIST_DEL_KEY_OK;
3242 // Did not find an entry matching the given fieldname
3243 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3247 static int persist_count_keys(const char *fieldname)
3252 if (persist_data == NULL) {
3257 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3258 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3266 /* Return the value of the specified field. */
3267 int cryptfs_getfield(const char *fieldname, char *value, int len)
3269 if (e4crypt_is_native()) {
3270 SLOGE("Cannot get field when file encrypted");
3274 char temp_value[PROPERTY_VALUE_MAX];
3275 /* CRYPTO_GETFIELD_OK is success,
3276 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3277 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3278 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3280 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3282 char temp_field[PROPERTY_KEY_MAX];
3284 if (persist_data == NULL) {
3285 load_persistent_data();
3286 if (persist_data == NULL) {
3287 SLOGE("Getfield error, cannot load persistent data");
3292 // Read value from persistent entries. If the original value is split into multiple entries,
3293 // stitch them back together.
3294 if (!persist_get_key(fieldname, temp_value)) {
3295 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3296 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3298 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3301 rc = CRYPTO_GETFIELD_OK;
3303 for (i = 1; /* break explicitly */; i++) {
3304 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3305 (int) sizeof(temp_field)) {
3306 // If the fieldname is very long, we stop as soon as it begins to overflow the
3307 // maximum field length. At this point we have in fact fully read out the original
3308 // value because cryptfs_setfield would not allow fields with longer names to be
3309 // written in the first place.
3312 if (!persist_get_key(temp_field, temp_value)) {
3313 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3315 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3319 // Exhaust all entries.
3324 /* Sadness, it's not there. Return the error */
3325 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3332 /* Set the value of the specified field. */
3333 int cryptfs_setfield(const char *fieldname, const char *value)
3335 if (e4crypt_is_native()) {
3336 SLOGE("Cannot set field when file encrypted");
3340 char encrypted_state[PROPERTY_VALUE_MAX];
3341 /* 0 is success, negative values are error */
3342 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3344 unsigned int field_id;
3345 char temp_field[PROPERTY_KEY_MAX];
3346 unsigned int num_entries;
3347 unsigned int max_keylen;
3349 if (persist_data == NULL) {
3350 load_persistent_data();
3351 if (persist_data == NULL) {
3352 SLOGE("Setfield error, cannot load persistent data");
3357 property_get("ro.crypto.state", encrypted_state, "");
3358 if (!strcmp(encrypted_state, "encrypted") ) {
3362 // Compute the number of entries required to store value, each entry can store up to
3363 // (PROPERTY_VALUE_MAX - 1) chars
3364 if (strlen(value) == 0) {
3365 // Empty value also needs one entry to store.
3368 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3371 max_keylen = strlen(fieldname);
3372 if (num_entries > 1) {
3373 // Need an extra "_%d" suffix.
3374 max_keylen += 1 + log10(num_entries);
3376 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3377 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3381 // Make sure we have enough space to write the new value
3382 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3383 persist_get_max_entries(encrypted)) {
3384 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3388 // Now that we know persist_data has enough space for value, let's delete the old field first
3389 // to make up space.
3390 persist_del_keys(fieldname, 0);
3392 if (persist_set_key(fieldname, value, encrypted)) {
3393 // fail to set key, should not happen as we have already checked the available space
3394 SLOGE("persist_set_key() error during setfield()");
3398 for (field_id = 1; field_id < num_entries; field_id++) {
3399 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3401 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3402 // fail to set key, should not happen as we have already checked the available space.
3403 SLOGE("persist_set_key() error during setfield()");
3408 /* If we are running encrypted, save the persistent data now */
3410 if (save_persistent_data()) {
3411 SLOGE("Setfield error, cannot save persistent data");
3416 rc = CRYPTO_SETFIELD_OK;
3422 /* Checks userdata. Attempt to mount the volume if default-
3424 * On success trigger next init phase and return 0.
3425 * Currently do not handle failure - see TODO below.
3427 int cryptfs_mount_default_encrypted(void)
3429 int crypt_type = cryptfs_get_password_type();
3430 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3431 SLOGE("Bad crypt type - error");
3432 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3433 SLOGD("Password is not default - "
3434 "starting min framework to prompt");
3435 property_set("vold.decrypt", "trigger_restart_min_framework");
3437 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3438 SLOGD("Password is default - restarting filesystem");
3439 cryptfs_restart_internal(0);
3442 SLOGE("Encrypted, default crypt type but can't decrypt");
3445 /** Corrupt. Allow us to boot into framework, which will detect bad
3446 crypto when it calls do_crypto_complete, then do a factory reset
3448 property_set("vold.decrypt", "trigger_restart_min_framework");
3452 /* Returns type of the password, default, pattern, pin or password.
3454 int cryptfs_get_password_type(void)
3456 if (e4crypt_is_native()) {
3457 SLOGE("cryptfs_get_password_type not valid for file encryption");
3461 struct crypt_mnt_ftr crypt_ftr;
3463 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3464 SLOGE("Error getting crypt footer and key\n");
3468 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3472 return crypt_ftr.crypt_type;
3475 const char* cryptfs_get_password()
3477 if (e4crypt_is_native()) {
3478 SLOGE("cryptfs_get_password not valid for file encryption");
3482 struct timespec now;
3483 clock_gettime(CLOCK_BOOTTIME, &now);
3484 if (now.tv_sec < password_expiry_time) {
3487 cryptfs_clear_password();
3492 void cryptfs_clear_password()
3495 size_t len = strlen(password);
3496 memset(password, 0, len);
3499 password_expiry_time = 0;
3503 int cryptfs_enable_file()
3505 return e4crypt_initialize_global_de();
3508 int cryptfs_isConvertibleToFBE()
3510 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3511 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
3514 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3516 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3517 SLOGE("Failed to initialize crypt_ftr");
3521 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3522 crypt_ftr->salt, crypt_ftr)) {
3523 SLOGE("Cannot create encrypted master key\n");
3527 //crypt_ftr->keysize = key_length / 8;
3531 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3532 unsigned char* master_key)
3536 unsigned char* intermediate_key = 0;
3537 size_t intermediate_key_size = 0;
3539 if (password == 0 || *password == 0) {
3540 password = DEFAULT_PASSWORD;
3543 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3544 &intermediate_key_size);
3547 SLOGE("Can't calculate intermediate key");
3551 int N = 1 << ftr->N_factor;
3552 int r = 1 << ftr->r_factor;
3553 int p = 1 << ftr->p_factor;
3555 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3557 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3558 ftr->salt, sizeof(ftr->salt), N, r, p,
3559 scrypted_intermediate_key,
3560 sizeof(scrypted_intermediate_key));
3562 free(intermediate_key);
3565 SLOGE("Can't scrypt intermediate key");
3569 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3570 intermediate_key_size);
3573 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3574 const unsigned char* master_key)
3576 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3580 void cryptfs_get_file_encryption_modes(const char **contents_mode_ret,
3581 const char **filenames_mode_ret)
3583 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
3584 fs_mgr_get_file_encryption_modes(rec, contents_mode_ret, filenames_mode_ret);