2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
35 #include <sys/param.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
41 #include <ext4_utils/ext4_crypt.h>
42 #include <ext4_utils/ext4_utils.h>
43 #include <linux/kdev_t.h>
47 #include <selinux/selinux.h>
49 #include "secontext.h"
50 #define LOG_TAG "Cryptfs"
51 #include "cutils/log.h"
52 #include "cutils/properties.h"
53 #include "cutils/android_reboot.h"
54 #include "hardware_legacy/power.h"
55 #include <logwrap/logwrap.h>
56 #include "ScryptParameters.h"
57 #include "VolumeManager.h"
59 #include "Ext4Crypt.h"
60 #include "f2fs_sparseblock.h"
61 #include "EncryptInplace.h"
63 #include "Keymaster.h"
64 #include "android-base/properties.h"
65 #include <bootloader_message/bootloader_message.h>
67 #include <crypto_scrypt.h>
70 #define UNUSED __attribute__((unused))
72 #define DM_CRYPT_BUF_SIZE 4096
74 #define HASH_COUNT 2000
76 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
77 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
78 constexpr size_t INTERMEDIATE_BUF_SIZE =
79 (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
81 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
82 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
83 "Mismatch of intermediate key sizes");
85 #define KEY_IN_FOOTER "footer"
87 #define DEFAULT_PASSWORD "default_password"
89 #define CRYPTO_BLOCK_DEVICE "userdata"
91 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
96 #define TABLE_LOAD_RETRIES 10
98 #define RSA_KEY_SIZE 2048
99 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
100 #define RSA_EXPONENT 0x10001
101 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
103 #define RETRY_MOUNT_ATTEMPTS 10
104 #define RETRY_MOUNT_DELAY_SECONDS 1
106 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
108 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
110 static unsigned char saved_master_key[MAX_KEY_LEN];
111 static char *saved_mount_point;
112 static int master_key_saved = 0;
113 static struct crypt_persist_data *persist_data = NULL;
115 /* Should we use keymaster? */
116 static int keymaster_check_compatibility()
118 return keymaster_compatibility_cryptfs_scrypt();
121 /* Create a new keymaster key and store it in this footer */
122 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
124 if (ftr->keymaster_blob_size) {
125 SLOGI("Already have key");
129 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
130 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
131 &ftr->keymaster_blob_size);
133 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
134 SLOGE("Keymaster key blob too large");
135 ftr->keymaster_blob_size = 0;
137 SLOGE("Failed to generate keypair");
143 /* This signs the given object using the keymaster key. */
144 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
145 const unsigned char *object,
146 const size_t object_size,
147 unsigned char **signature,
148 size_t *signature_size)
150 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
151 size_t to_sign_size = sizeof(to_sign);
152 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
154 // To sign a message with RSA, the message must satisfy two
157 // 1. The message, when interpreted as a big-endian numeric value, must
158 // be strictly less than the public modulus of the RSA key. Note
159 // that because the most significant bit of the public modulus is
160 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
161 // key), an n-bit message with most significant bit 0 always
162 // satisfies this requirement.
164 // 2. The message must have the same length in bits as the public
165 // modulus of the RSA key. This requirement isn't mathematically
166 // necessary, but is necessary to ensure consistency in
168 switch (ftr->kdf_type) {
169 case KDF_SCRYPT_KEYMASTER:
170 // This ensures the most significant byte of the signed message
171 // is zero. We could have zero-padded to the left instead, but
172 // this approach is slightly more robust against changes in
173 // object size. However, it's still broken (but not unusably
174 // so) because we really should be using a proper deterministic
175 // RSA padding function, such as PKCS1.
176 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
177 SLOGI("Signing safely-padded object");
180 SLOGE("Unknown KDF type %d", ftr->kdf_type);
184 auto result = keymaster_sign_object_for_cryptfs_scrypt(
185 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
186 to_sign_size, signature, signature_size);
188 case KeymasterSignResult::ok:
190 case KeymasterSignResult::upgrade:
195 SLOGD("Upgrading key");
196 if (keymaster_upgrade_key_for_cryptfs_scrypt(
197 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
198 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
199 &ftr->keymaster_blob_size) != 0) {
200 SLOGE("Failed to upgrade key");
203 if (put_crypt_ftr_and_key(ftr) != 0) {
204 SLOGE("Failed to write upgraded key to disk");
206 SLOGD("Key upgraded successfully");
210 /* Store password when userdata is successfully decrypted and mounted.
211 * Cleared by cryptfs_clear_password
213 * To avoid a double prompt at boot, we need to store the CryptKeeper
214 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
215 * Since the entire framework is torn down and rebuilt after encryption,
216 * we have to use a daemon or similar to store the password. Since vold
217 * is secured against IPC except from system processes, it seems a reasonable
218 * place to store this.
220 * password should be cleared once it has been used.
222 * password is aged out after password_max_age_seconds seconds.
224 static char* password = 0;
225 static int password_expiry_time = 0;
226 static const int password_max_age_seconds = 60;
228 enum class RebootType {reboot, recovery, shutdown};
229 static void cryptfs_reboot(RebootType rt)
232 case RebootType::reboot:
233 property_set(ANDROID_RB_PROPERTY, "reboot");
236 case RebootType::recovery:
237 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
240 case RebootType::shutdown:
241 property_set(ANDROID_RB_PROPERTY, "shutdown");
247 /* Shouldn't get here, reboot should happen before sleep times out */
251 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
253 memset(io, 0, dataSize);
254 io->data_size = dataSize;
255 io->data_start = sizeof(struct dm_ioctl);
261 strlcpy(io->name, name, sizeof(io->name));
269 // Use to get the CryptoType in use on this device.
270 const CryptoType &get_crypto_type();
273 // We should only be constructing CryptoTypes as part of
274 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
275 // which isn't pure or fully protected as a concession to being able to
276 // do it all at compile time. Add new CryptoTypes in
277 // supported_crypto_types[] below.
278 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
279 constexpr CryptoType set_keysize(uint32_t size) const {
280 return CryptoType(this->property_name, this->crypto_name, size);
282 constexpr CryptoType set_property_name(const char *property) const {
283 return CryptoType(property, this->crypto_name, this->keysize);
285 constexpr CryptoType set_crypto_name(const char *crypto) const {
286 return CryptoType(this->property_name, crypto, this->keysize);
289 constexpr const char *get_property_name() const { return property_name; }
290 constexpr const char *get_crypto_name() const { return crypto_name; }
291 constexpr uint32_t get_keysize() const { return keysize; }
294 const char *property_name;
295 const char *crypto_name;
298 constexpr CryptoType(const char *property, const char *crypto,
300 : property_name(property), crypto_name(crypto), keysize(ksize) {}
301 friend const CryptoType &get_crypto_type();
302 static const CryptoType &get_device_crypto_algorithm();
305 // We only want to parse this read-only property once. But we need to wait
306 // until the system is initialized before we can read it. So we use a static
307 // scoped within this function to get it only once.
308 const CryptoType &get_crypto_type() {
309 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
313 constexpr CryptoType default_crypto_type = CryptoType()
314 .set_property_name("AES-128-CBC")
315 .set_crypto_name("aes-cbc-essiv:sha256")
318 constexpr CryptoType supported_crypto_types[] = {
321 .set_property_name("Speck128/128-XTS")
322 .set_crypto_name("speck128-xts-plain64")
324 // Add new CryptoTypes here. Order is not important.
328 // ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
329 // We confirm all supported_crypto_types have a small enough keysize and
330 // had both set_property_name() and set_crypto_name() called.
332 template <typename T, size_t N>
333 constexpr size_t array_length(T (&)[N]) { return N; }
335 constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
336 return (index >= array_length(supported_crypto_types));
339 constexpr bool isValidCryptoType(const CryptoType &crypto_type) {
340 return ((crypto_type.get_property_name() != nullptr) &&
341 (crypto_type.get_crypto_name() != nullptr) &&
342 (crypto_type.get_keysize() <= MAX_KEY_LEN));
345 // Note in C++11 that constexpr functions can only have a single line.
346 // So our code is a bit convoluted (using recursion instead of a loop),
347 // but it's asserting at compile time that all of our key lengths are valid.
348 constexpr bool validateSupportedCryptoTypes(size_t index) {
349 return indexOutOfBoundsForCryptoTypes(index) ||
350 (isValidCryptoType(supported_crypto_types[index]) &&
351 validateSupportedCryptoTypes(index + 1));
354 static_assert(validateSupportedCryptoTypes(0),
355 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
356 "incompletely constructed.");
357 // ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
360 // Don't call this directly, use get_crypto_type(), which caches this result.
361 const CryptoType &CryptoType::get_device_crypto_algorithm() {
362 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
363 char paramstr[PROPERTY_VALUE_MAX];
365 property_get(CRYPT_ALGO_PROP, paramstr,
366 default_crypto_type.get_property_name());
367 for (auto const &ctype : supported_crypto_types) {
368 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
372 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr,
373 CRYPT_ALGO_PROP, default_crypto_type.get_property_name());
374 return default_crypto_type;
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
386 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
387 char paramstr[PROPERTY_VALUE_MAX];
390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
400 uint32_t cryptfs_get_keysize() {
401 return get_crypto_type().get_keysize();
404 const char *cryptfs_get_crypto_name() {
405 return get_crypto_type().get_crypto_name();
408 static unsigned int get_fs_size(char *dev)
411 struct ext4_super_block sb;
414 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
415 SLOGE("Cannot open device to get filesystem size ");
419 if (lseek64(fd, 1024, SEEK_SET) < 0) {
420 SLOGE("Cannot seek to superblock");
424 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
425 SLOGE("Cannot read superblock");
431 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
432 SLOGE("Not a valid ext4 superblock");
435 block_size = 1024 << sb.s_log_block_size;
436 /* compute length in bytes */
437 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
439 /* return length in sectors */
440 return (unsigned int) (len / 512);
443 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
445 static int cached_data = 0;
446 static off64_t cached_off = 0;
447 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
449 char key_loc[PROPERTY_VALUE_MAX];
450 char real_blkdev[PROPERTY_VALUE_MAX];
454 fs_mgr_get_crypt_info(fstab_default, key_loc, real_blkdev, sizeof(key_loc));
456 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
457 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
458 SLOGE("Cannot open real block device %s\n", real_blkdev);
462 unsigned long nr_sec = 0;
463 get_blkdev_size(fd, &nr_sec);
465 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
466 * encryption info footer and key, and plenty of bytes to spare for future
469 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
470 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
473 SLOGE("Cannot get size of block device %s\n", real_blkdev);
477 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
484 if (metadata_fname) {
485 *metadata_fname = cached_metadata_fname;
496 /* Set sha256 checksum in structure */
497 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr)
501 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
502 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
503 SHA256_Final(crypt_ftr->sha256, &c);
506 /* key or salt can be NULL, in which case just skip writing that value. Useful to
507 * update the failed mount count but not change the key.
509 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
513 /* starting_off is set to the SEEK_SET offset
514 * where the crypto structure starts
516 off64_t starting_off;
521 set_ftr_sha(crypt_ftr);
523 if (get_crypt_ftr_info(&fname, &starting_off)) {
524 SLOGE("Unable to get crypt_ftr_info\n");
527 if (fname[0] != '/') {
528 SLOGE("Unexpected value for crypto key location\n");
531 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
532 SLOGE("Cannot open footer file %s for put\n", fname);
536 /* Seek to the start of the crypt footer */
537 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
538 SLOGE("Cannot seek to real block device footer\n");
542 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
543 SLOGE("Cannot write real block device footer\n");
548 /* If the keys are kept on a raw block device, do not try to truncate it. */
549 if (S_ISREG(statbuf.st_mode)) {
550 if (ftruncate(fd, 0x4000)) {
551 SLOGE("Cannot set footer file size\n");
565 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr)
567 struct crypt_mnt_ftr copy;
568 memcpy(©, crypt_ftr, sizeof(copy));
570 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
573 static inline int unix_read(int fd, void* buff, int len)
575 return TEMP_FAILURE_RETRY(read(fd, buff, len));
578 static inline int unix_write(int fd, const void* buff, int len)
580 return TEMP_FAILURE_RETRY(write(fd, buff, len));
583 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
590 /* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
595 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
597 int orig_major = crypt_ftr->major_version;
598 int orig_minor = crypt_ftr->minor_version;
600 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
601 struct crypt_persist_data *pdata;
602 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
604 SLOGW("upgrading crypto footer to 1.1");
606 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
608 SLOGE("Cannot allocate persisent data\n");
611 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
613 /* Need to initialize the persistent data area */
614 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
615 SLOGE("Cannot seek to persisent data offset\n");
619 /* Write all zeros to the first copy, making it invalid */
620 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
622 /* Write a valid but empty structure to the second copy */
623 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
624 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
626 /* Update the footer */
627 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
628 crypt_ftr->persist_data_offset[0] = pdata_offset;
629 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
630 crypt_ftr->minor_version = 1;
634 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
635 SLOGW("upgrading crypto footer to 1.2");
636 /* But keep the old kdf_type.
637 * It will get updated later to KDF_SCRYPT after the password has been verified.
639 crypt_ftr->kdf_type = KDF_PBKDF2;
640 get_device_scrypt_params(crypt_ftr);
641 crypt_ftr->minor_version = 2;
644 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
645 SLOGW("upgrading crypto footer to 1.3");
646 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
647 crypt_ftr->minor_version = 3;
650 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
651 if (lseek64(fd, offset, SEEK_SET) == -1) {
652 SLOGE("Cannot seek to crypt footer\n");
655 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
660 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
664 off64_t starting_off;
669 if (get_crypt_ftr_info(&fname, &starting_off)) {
670 SLOGE("Unable to get crypt_ftr_info\n");
673 if (fname[0] != '/') {
674 SLOGE("Unexpected value for crypto key location\n");
677 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
678 SLOGE("Cannot open footer file %s for get\n", fname);
682 /* Make sure it's 16 Kbytes in length */
684 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
685 SLOGE("footer file %s is not the expected size!\n", fname);
689 /* Seek to the start of the crypt footer */
690 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
691 SLOGE("Cannot seek to real block device footer\n");
695 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
696 SLOGE("Cannot read real block device footer\n");
700 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
701 SLOGE("Bad magic for real block device %s\n", fname);
705 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
706 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
707 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
711 // We risk buffer overflows with oversized keys, so we just reject them.
712 // 0-sized keys are problematic (essentially by-passing encryption), and
713 // AES-CBC key wrapping only works for multiples of 16 bytes.
714 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
715 (crypt_ftr->keysize > MAX_KEY_LEN)) {
716 SLOGE("Invalid keysize (%u) for block device %s; Must be non-zero, "
717 "divisible by 16, and <= %d\n", crypt_ftr->keysize, fname,
722 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
723 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
724 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
727 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
728 * copy on disk before returning.
730 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
731 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
742 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
744 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
745 crypt_ftr->persist_data_offset[1]) {
746 SLOGE("Crypt_ftr persist data regions overlap");
750 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
751 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
755 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
756 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
757 CRYPT_FOOTER_OFFSET) {
758 SLOGE("Persistent data extends past crypto footer");
765 static int load_persistent_data(void)
767 struct crypt_mnt_ftr crypt_ftr;
768 struct crypt_persist_data *pdata = NULL;
769 char encrypted_state[PROPERTY_VALUE_MAX];
777 /* Nothing to do, we've already loaded or initialized it */
782 /* If not encrypted, just allocate an empty table and initialize it */
783 property_get("ro.crypto.state", encrypted_state, "");
784 if (strcmp(encrypted_state, "encrypted") ) {
785 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
787 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
788 persist_data = pdata;
794 if(get_crypt_ftr_and_key(&crypt_ftr)) {
798 if ((crypt_ftr.major_version < 1)
799 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
800 SLOGE("Crypt_ftr version doesn't support persistent data");
804 if (get_crypt_ftr_info(&fname, NULL)) {
808 ret = validate_persistent_data_storage(&crypt_ftr);
813 fd = open(fname, O_RDONLY|O_CLOEXEC);
815 SLOGE("Cannot open %s metadata file", fname);
819 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
821 SLOGE("Cannot allocate memory for persistent data");
825 for (i = 0; i < 2; i++) {
826 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
827 SLOGE("Cannot seek to read persistent data on %s", fname);
830 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
831 SLOGE("Error reading persistent data on iteration %d", i);
834 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
841 SLOGI("Could not find valid persistent data, creating");
842 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
846 persist_data = pdata;
858 static int save_persistent_data(void)
860 struct crypt_mnt_ftr crypt_ftr;
861 struct crypt_persist_data *pdata;
863 off64_t write_offset;
864 off64_t erase_offset;
868 if (persist_data == NULL) {
869 SLOGE("No persistent data to save");
873 if(get_crypt_ftr_and_key(&crypt_ftr)) {
877 if ((crypt_ftr.major_version < 1)
878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
879 SLOGE("Crypt_ftr version doesn't support persistent data");
883 ret = validate_persistent_data_storage(&crypt_ftr);
888 if (get_crypt_ftr_info(&fname, NULL)) {
892 fd = open(fname, O_RDWR|O_CLOEXEC);
894 SLOGE("Cannot open %s metadata file", fname);
898 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
900 SLOGE("Cannot allocate persistant data");
904 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
905 SLOGE("Cannot seek to read persistent data on %s", fname);
909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
910 SLOGE("Error reading persistent data before save");
914 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
915 /* The first copy is the curent valid copy, so write to
916 * the second copy and erase this one */
917 write_offset = crypt_ftr.persist_data_offset[1];
918 erase_offset = crypt_ftr.persist_data_offset[0];
920 /* The second copy must be the valid copy, so write to
921 * the first copy, and erase the second */
922 write_offset = crypt_ftr.persist_data_offset[0];
923 erase_offset = crypt_ftr.persist_data_offset[1];
926 /* Write the new copy first, if successful, then erase the old copy */
927 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
928 SLOGE("Cannot seek to write persistent data");
931 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
932 (int) crypt_ftr.persist_data_size) {
933 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
934 SLOGE("Cannot seek to erase previous persistent data");
938 memset(pdata, 0, crypt_ftr.persist_data_size);
939 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
940 (int) crypt_ftr.persist_data_size) {
941 SLOGE("Cannot write to erase previous persistent data");
946 SLOGE("Cannot write to save persistent data");
962 /* Convert a binary key of specified length into an ascii hex string equivalent,
963 * without the leading 0x and with null termination
965 static void convert_key_to_hex_ascii(const unsigned char *master_key,
966 unsigned int keysize, char *master_key_ascii) {
968 unsigned char nibble;
970 for (i=0, a=0; i<keysize; i++, a+=2) {
971 /* For each byte, write out two ascii hex digits */
972 nibble = (master_key[i] >> 4) & 0xf;
973 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
975 nibble = master_key[i] & 0xf;
976 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
979 /* Add the null termination */
980 master_key_ascii[a] = '\0';
984 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
985 const unsigned char *master_key, const char *real_blk_name,
986 const char *name, int fd, const char *extra_params) {
987 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
989 struct dm_target_spec *tgt;
991 // We need two ASCII characters to represent each byte, and need space for
992 // the '\0' terminator.
993 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
997 io = (struct dm_ioctl *) buffer;
999 /* Load the mapping table for this device */
1000 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1002 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1003 io->target_count = 1;
1005 tgt->sector_start = 0;
1006 tgt->length = crypt_ftr->fs_size;
1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1009 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1010 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1012 buff_offset = crypt_params - buffer;
1013 SLOGI("Extra parameters for dm_crypt: %s\n", extra_params);
1014 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1015 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
1017 crypt_params += strlen(crypt_params) + 1;
1018 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1019 tgt->next = crypt_params - buffer;
1021 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1022 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1028 if (i == TABLE_LOAD_RETRIES) {
1029 /* We failed to load the table, return an error */
1037 static int get_dm_crypt_version(int fd, const char *name, int *version)
1039 char buffer[DM_CRYPT_BUF_SIZE];
1040 struct dm_ioctl *io;
1041 struct dm_target_versions *v;
1043 io = (struct dm_ioctl *) buffer;
1045 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1047 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1051 /* Iterate over the returned versions, looking for name of "crypt".
1052 * When found, get and return the version.
1054 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1056 if (! strcmp(v->name, "crypt")) {
1057 /* We found the crypt driver, return the version, and get out */
1058 version[0] = v->version[0];
1059 version[1] = v->version[1];
1060 version[2] = v->version[2];
1063 v = (struct dm_target_versions *)(((char *)v) + v->next);
1069 static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1070 if (extra_params_vec.empty()) return "";
1071 std::string extra_params = std::to_string(extra_params_vec.size());
1072 for (const auto& p : extra_params_vec) {
1073 extra_params.append(" ");
1074 extra_params.append(p);
1076 return extra_params;
1079 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1080 const char* real_blk_name, char* crypto_blk_name, const char* name,
1082 char buffer[DM_CRYPT_BUF_SIZE];
1083 struct dm_ioctl* io;
1090 std::vector<std::string> extra_params_vec;
1092 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1093 SLOGE("Cannot open device-mapper\n");
1097 io = (struct dm_ioctl*)buffer;
1099 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1100 err = ioctl(fd, DM_DEV_CREATE, io);
1102 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1106 /* Get the device status, in particular, the name of it's device file */
1107 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1108 if (ioctl(fd, DM_DEV_STATUS, io)) {
1109 SLOGE("Cannot retrieve dm-crypt device status\n");
1112 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1113 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1115 if (!get_dm_crypt_version(fd, name, version)) {
1116 /* Support for allow_discards was added in version 1.11.0 */
1117 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1118 extra_params_vec.emplace_back("allow_discards");
1121 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1122 extra_params_vec.emplace_back("allow_encrypt_override");
1124 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1125 extra_params_as_string(extra_params_vec).c_str());
1126 if (load_count < 0) {
1127 SLOGE("Cannot load dm-crypt mapping table.\n");
1129 } else if (load_count > 1) {
1130 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1133 /* Resume this device to activate it */
1134 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1136 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1137 SLOGE("Cannot resume the dm-crypt device\n");
1141 /* We made it here with no errors. Woot! */
1145 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1150 static int delete_crypto_blk_dev(const char *name)
1153 char buffer[DM_CRYPT_BUF_SIZE];
1154 struct dm_ioctl *io;
1157 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1158 SLOGE("Cannot open device-mapper\n");
1162 io = (struct dm_ioctl *) buffer;
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1165 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1166 SLOGE("Cannot remove dm-crypt device\n");
1170 /* We made it here with no errors. Woot! */
1174 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1180 static int pbkdf2(const char *passwd, const unsigned char *salt,
1181 unsigned char *ikey, void *params UNUSED)
1183 SLOGI("Using pbkdf2 for cryptfs KDF");
1185 /* Turn the password into a key and IV that can decrypt the master key */
1186 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1187 HASH_COUNT, INTERMEDIATE_BUF_SIZE,
1191 static int scrypt(const char *passwd, const unsigned char *salt,
1192 unsigned char *ikey, void *params)
1194 SLOGI("Using scrypt for cryptfs KDF");
1196 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1198 int N = 1 << ftr->N_factor;
1199 int r = 1 << ftr->r_factor;
1200 int p = 1 << ftr->p_factor;
1202 /* Turn the password into a key and IV that can decrypt the master key */
1203 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1204 salt, SALT_LEN, N, r, p, ikey,
1205 INTERMEDIATE_BUF_SIZE);
1210 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1211 unsigned char *ikey, void *params)
1213 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1216 size_t signature_size;
1217 unsigned char* signature;
1218 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1220 int N = 1 << ftr->N_factor;
1221 int r = 1 << ftr->r_factor;
1222 int p = 1 << ftr->p_factor;
1224 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1225 salt, SALT_LEN, N, r, p, ikey,
1226 INTERMEDIATE_BUF_SIZE);
1229 SLOGE("scrypt failed");
1233 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE,
1234 &signature, &signature_size)) {
1235 SLOGE("Signing failed");
1239 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1240 N, r, p, ikey, INTERMEDIATE_BUF_SIZE);
1244 SLOGE("scrypt failed");
1251 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1252 const unsigned char *decrypted_master_key,
1253 unsigned char *encrypted_master_key,
1254 struct crypt_mnt_ftr *crypt_ftr)
1256 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
1257 EVP_CIPHER_CTX e_ctx;
1258 int encrypted_len, final_len;
1261 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1262 get_device_scrypt_params(crypt_ftr);
1264 switch (crypt_ftr->kdf_type) {
1265 case KDF_SCRYPT_KEYMASTER:
1266 if (keymaster_create_key(crypt_ftr)) {
1267 SLOGE("keymaster_create_key failed");
1271 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1272 SLOGE("scrypt failed");
1278 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1279 SLOGE("scrypt failed");
1285 SLOGE("Invalid kdf_type");
1289 /* Initialize the decryption engine */
1290 EVP_CIPHER_CTX_init(&e_ctx);
1291 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1292 ikey+INTERMEDIATE_KEY_LEN_BYTES)) {
1293 SLOGE("EVP_EncryptInit failed\n");
1296 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1298 /* Encrypt the master key */
1299 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1300 decrypted_master_key, crypt_ftr->keysize)) {
1301 SLOGE("EVP_EncryptUpdate failed\n");
1304 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1305 SLOGE("EVP_EncryptFinal failed\n");
1309 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1310 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1314 /* Store the scrypt of the intermediate key, so we can validate if it's a
1315 password error or mount error when things go wrong.
1316 Note there's no need to check for errors, since if this is incorrect, we
1317 simply won't wipe userdata, which is the correct default behavior
1319 int N = 1 << crypt_ftr->N_factor;
1320 int r = 1 << crypt_ftr->r_factor;
1321 int p = 1 << crypt_ftr->p_factor;
1323 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES,
1324 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1325 crypt_ftr->scrypted_intermediate_key,
1326 sizeof(crypt_ftr->scrypted_intermediate_key));
1329 SLOGE("encrypt_master_key: crypto_scrypt failed");
1332 EVP_CIPHER_CTX_cleanup(&e_ctx);
1337 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1338 const unsigned char *encrypted_master_key,
1340 unsigned char *decrypted_master_key,
1341 kdf_func kdf, void *kdf_params,
1342 unsigned char** intermediate_key,
1343 size_t* intermediate_key_size)
1345 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
1346 EVP_CIPHER_CTX d_ctx;
1347 int decrypted_len, final_len;
1349 /* Turn the password into an intermediate key and IV that can decrypt the
1351 if (kdf(passwd, salt, ikey, kdf_params)) {
1352 SLOGE("kdf failed");
1356 /* Initialize the decryption engine */
1357 EVP_CIPHER_CTX_init(&d_ctx);
1358 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+INTERMEDIATE_KEY_LEN_BYTES)) {
1361 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1362 /* Decrypt the master key */
1363 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1364 encrypted_master_key, keysize)) {
1367 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1371 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1375 /* Copy intermediate key if needed by params */
1376 if (intermediate_key && intermediate_key_size) {
1377 *intermediate_key = (unsigned char*) malloc(INTERMEDIATE_KEY_LEN_BYTES);
1378 if (*intermediate_key) {
1379 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1380 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1384 EVP_CIPHER_CTX_cleanup(&d_ctx);
1389 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1391 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1392 *kdf = scrypt_keymaster;
1394 } else if (ftr->kdf_type == KDF_SCRYPT) {
1403 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1404 struct crypt_mnt_ftr *crypt_ftr,
1405 unsigned char** intermediate_key,
1406 size_t* intermediate_key_size)
1412 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1413 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1415 decrypted_master_key, kdf, kdf_params,
1416 intermediate_key, intermediate_key_size);
1418 SLOGW("failure decrypting master key");
1424 static int create_encrypted_random_key(const char *passwd, unsigned char *master_key, unsigned char *salt,
1425 struct crypt_mnt_ftr *crypt_ftr) {
1427 unsigned char key_buf[MAX_KEY_LEN];
1429 /* Get some random bits for a key */
1430 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1431 read(fd, key_buf, sizeof(key_buf));
1432 read(fd, salt, SALT_LEN);
1435 /* Now encrypt it with the password */
1436 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1439 int wait_and_unmount(const char *mountpoint, bool kill)
1442 #define WAIT_UNMOUNT_COUNT 20
1444 /* Now umount the tmpfs filesystem */
1445 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1446 if (umount(mountpoint) == 0) {
1450 if (errno == EINVAL) {
1451 /* EINVAL is returned if the directory is not a mountpoint,
1452 * i.e. there is no filesystem mounted there. So just get out.
1459 /* If allowed, be increasingly aggressive before the last two retries */
1461 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1462 SLOGW("sending SIGHUP to processes with open files\n");
1463 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1464 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1465 SLOGW("sending SIGKILL to processes with open files\n");
1466 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1473 if (i < WAIT_UNMOUNT_COUNT) {
1474 SLOGD("unmounting %s succeeded\n", mountpoint);
1477 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1478 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1485 static void prep_data_fs(void)
1487 // NOTE: post_fs_data results in init calling back around to vold, so all
1488 // callers to this method must be async
1490 /* Do the prep of the /data filesystem */
1491 property_set("vold.post_fs_data_done", "0");
1492 property_set("vold.decrypt", "trigger_post_fs_data");
1493 SLOGD("Just triggered post_fs_data");
1495 /* Wait a max of 50 seconds, hopefully it takes much less */
1496 while (!android::base::WaitForProperty("vold.post_fs_data_done",
1498 std::chrono::seconds(15))) {
1499 /* We timed out to prep /data in time. Continue wait. */
1500 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1502 SLOGD("post_fs_data done");
1505 static void cryptfs_set_corrupt()
1507 // Mark the footer as bad
1508 struct crypt_mnt_ftr crypt_ftr;
1509 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1510 SLOGE("Failed to get crypto footer - panic");
1514 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1515 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1516 SLOGE("Failed to set crypto footer - panic");
1521 static void cryptfs_trigger_restart_min_framework()
1523 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1524 SLOGE("Failed to mount tmpfs on data - panic");
1528 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1529 SLOGE("Failed to trigger post fs data - panic");
1533 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1534 SLOGE("Failed to trigger restart min framework - panic");
1539 /* returns < 0 on failure */
1540 static int cryptfs_restart_internal(int restart_main)
1542 char crypto_blkdev[MAXPATHLEN];
1544 static int restart_successful = 0;
1546 /* Validate that it's OK to call this routine */
1547 if (! master_key_saved) {
1548 SLOGE("Encrypted filesystem not validated, aborting");
1552 if (restart_successful) {
1553 SLOGE("System already restarted with encrypted disk, aborting");
1558 /* Here is where we shut down the framework. The init scripts
1559 * start all services in one of three classes: core, main or late_start.
1560 * On boot, we start core and main. Now, we stop main, but not core,
1561 * as core includes vold and a few other really important things that
1562 * we need to keep running. Once main has stopped, we should be able
1563 * to umount the tmpfs /data, then mount the encrypted /data.
1564 * We then restart the class main, and also the class late_start.
1565 * At the moment, I've only put a few things in late_start that I know
1566 * are not needed to bring up the framework, and that also cause problems
1567 * with unmounting the tmpfs /data, but I hope to add add more services
1568 * to the late_start class as we optimize this to decrease the delay
1569 * till the user is asked for the password to the filesystem.
1572 /* The init files are setup to stop the class main when vold.decrypt is
1573 * set to trigger_reset_main.
1575 property_set("vold.decrypt", "trigger_reset_main");
1576 SLOGD("Just asked init to shut down class main\n");
1578 /* Ugh, shutting down the framework is not synchronous, so until it
1579 * can be fixed, this horrible hack will wait a moment for it all to
1580 * shut down before proceeding. Without it, some devices cannot
1581 * restart the graphics services.
1586 /* Now that the framework is shutdown, we should be able to umount()
1587 * the tmpfs filesystem, and mount the real one.
1590 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1591 if (strlen(crypto_blkdev) == 0) {
1592 SLOGE("fs_crypto_blkdev not set\n");
1596 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1597 /* If ro.crypto.readonly is set to 1, mount the decrypted
1598 * filesystem readonly. This is used when /data is mounted by
1601 char ro_prop[PROPERTY_VALUE_MAX];
1602 property_get("ro.crypto.readonly", ro_prop, "");
1603 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1604 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
1605 rec->flags |= MS_RDONLY;
1608 /* If that succeeded, then mount the decrypted filesystem */
1609 int retries = RETRY_MOUNT_ATTEMPTS;
1613 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1614 * partitions in the fsck domain.
1616 if (setexeccon(secontextFsck())){
1617 SLOGE("Failed to setexeccon");
1620 while ((mount_rc = fs_mgr_do_mount(fstab_default, DATA_MNT_POINT,
1623 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1624 /* TODO: invoke something similar to
1625 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1626 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1627 SLOGI("Failed to mount %s because it is busy - waiting",
1630 sleep(RETRY_MOUNT_DELAY_SECONDS);
1632 /* Let's hope that a reboot clears away whatever is keeping
1634 cryptfs_reboot(RebootType::reboot);
1637 SLOGE("Failed to mount decrypted data");
1638 cryptfs_set_corrupt();
1639 cryptfs_trigger_restart_min_framework();
1640 SLOGI("Started framework to offer wipe");
1641 if (setexeccon(NULL)) {
1642 SLOGE("Failed to setexeccon");
1647 if (setexeccon(NULL)) {
1648 SLOGE("Failed to setexeccon");
1652 /* Create necessary paths on /data */
1654 property_set("vold.decrypt", "trigger_load_persist_props");
1656 /* startup service classes main and late_start */
1657 property_set("vold.decrypt", "trigger_restart_framework");
1658 SLOGD("Just triggered restart_framework\n");
1660 /* Give it a few moments to get started */
1665 restart_successful = 1;
1671 int cryptfs_restart(void)
1673 SLOGI("cryptfs_restart");
1674 if (e4crypt_is_native()) {
1675 SLOGE("cryptfs_restart not valid for file encryption:");
1679 /* Call internal implementation forcing a restart of main service group */
1680 return cryptfs_restart_internal(1);
1683 static int do_crypto_complete(const char *mount_point)
1685 struct crypt_mnt_ftr crypt_ftr;
1686 char encrypted_state[PROPERTY_VALUE_MAX];
1687 char key_loc[PROPERTY_VALUE_MAX];
1689 property_get("ro.crypto.state", encrypted_state, "");
1690 if (strcmp(encrypted_state, "encrypted") ) {
1691 SLOGE("not running with encryption, aborting");
1692 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1695 // crypto_complete is full disk encrypted status
1696 if (e4crypt_is_native()) {
1697 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1700 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1701 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc));
1704 * Only report this error if key_loc is a file and it exists.
1705 * If the device was never encrypted, and /data is not mountable for
1706 * some reason, returning 1 should prevent the UI from presenting the
1707 * a "enter password" screen, or worse, a "press button to wipe the
1710 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1711 SLOGE("master key file does not exist, aborting");
1712 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1714 SLOGE("Error getting crypt footer and key\n");
1715 return CRYPTO_COMPLETE_BAD_METADATA;
1719 // Test for possible error flags
1720 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1721 SLOGE("Encryption process is partway completed\n");
1722 return CRYPTO_COMPLETE_PARTIAL;
1725 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1726 SLOGE("Encryption process was interrupted but cannot continue\n");
1727 return CRYPTO_COMPLETE_INCONSISTENT;
1730 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1731 SLOGE("Encryption is successful but data is corrupt\n");
1732 return CRYPTO_COMPLETE_CORRUPT;
1735 /* We passed the test! We shall diminish, and return to the west */
1736 return CRYPTO_COMPLETE_ENCRYPTED;
1739 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1740 const char *passwd, const char *mount_point, const char *label)
1742 unsigned char decrypted_master_key[MAX_KEY_LEN];
1743 char crypto_blkdev[MAXPATHLEN];
1744 char real_blkdev[MAXPATHLEN];
1745 char tmp_mount_point[64];
1746 unsigned int orig_failed_decrypt_count;
1748 int use_keymaster = 0;
1750 unsigned char* intermediate_key = 0;
1751 size_t intermediate_key_size = 0;
1752 int N = 1 << crypt_ftr->N_factor;
1753 int r = 1 << crypt_ftr->r_factor;
1754 int p = 1 << crypt_ftr->p_factor;
1756 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1757 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1759 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1760 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1761 &intermediate_key, &intermediate_key_size)) {
1762 SLOGE("Failed to decrypt master key\n");
1768 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
1770 // Create crypto block device - all (non fatal) code paths
1772 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, label, 0)) {
1773 SLOGE("Error creating decrypted block device\n");
1778 /* Work out if the problem is the password or the data */
1779 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1780 scrypted_intermediate_key)];
1782 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1783 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1784 N, r, p, scrypted_intermediate_key,
1785 sizeof(scrypted_intermediate_key));
1787 // Does the key match the crypto footer?
1788 if (rc == 0 && memcmp(scrypted_intermediate_key,
1789 crypt_ftr->scrypted_intermediate_key,
1790 sizeof(scrypted_intermediate_key)) == 0) {
1791 SLOGI("Password matches");
1794 /* Try mounting the file system anyway, just in case the problem's with
1795 * the footer, not the key. */
1796 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1798 mkdir(tmp_mount_point, 0755);
1799 if (fs_mgr_do_mount(fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1800 SLOGE("Error temp mounting decrypted block device\n");
1801 delete_crypto_blk_dev(label);
1803 rc = ++crypt_ftr->failed_decrypt_count;
1804 put_crypt_ftr_and_key(crypt_ftr);
1807 SLOGI("Password did not match but decrypted drive mounted - continue");
1808 umount(tmp_mount_point);
1814 crypt_ftr->failed_decrypt_count = 0;
1815 if (orig_failed_decrypt_count != 0) {
1816 put_crypt_ftr_and_key(crypt_ftr);
1819 /* Save the name of the crypto block device
1820 * so we can mount it when restarting the framework. */
1821 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1823 /* Also save a the master key so we can reencrypted the key
1824 * the key when we want to change the password on it. */
1825 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1826 saved_mount_point = strdup(mount_point);
1827 master_key_saved = 1;
1828 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1831 // Upgrade if we're not using the latest KDF.
1832 use_keymaster = keymaster_check_compatibility();
1833 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1834 // Don't allow downgrade
1835 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1836 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1838 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1839 crypt_ftr->kdf_type = KDF_SCRYPT;
1844 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1845 crypt_ftr->master_key, crypt_ftr);
1847 rc = put_crypt_ftr_and_key(crypt_ftr);
1849 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1851 // Do not fail even if upgrade failed - machine is bootable
1852 // Note that if this code is ever hit, there is a *serious* problem
1853 // since KDFs should never fail. You *must* fix the kdf before
1856 SLOGW("Upgrade failed with error %d,"
1857 " but continuing with previous state",
1865 if (intermediate_key) {
1866 memset(intermediate_key, 0, intermediate_key_size);
1867 free(intermediate_key);
1873 * Called by vold when it's asked to mount an encrypted external
1874 * storage volume. The incoming partition has no crypto header/footer,
1875 * as any metadata is been stored in a separate, small partition. We
1876 * assume it must be using our same crypt type and keysize.
1878 * out_crypto_blkdev must be MAXPATHLEN.
1880 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1881 const unsigned char* key, char* out_crypto_blkdev) {
1882 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1884 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1888 unsigned long nr_sec = 0;
1889 get_blkdev_size(fd, &nr_sec);
1893 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1897 struct crypt_mnt_ftr ext_crypt_ftr;
1898 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1899 ext_crypt_ftr.fs_size = nr_sec;
1900 ext_crypt_ftr.keysize = cryptfs_get_keysize();
1901 strlcpy((char*) ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
1902 MAX_CRYPTO_TYPE_NAME_LEN);
1904 return create_crypto_blk_dev(
1905 &ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label,
1906 e4crypt_is_native() ? CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE : 0);
1910 * Called by vold when it's asked to unmount an encrypted external
1913 int cryptfs_revert_ext_volume(const char* label) {
1914 return delete_crypto_blk_dev((char*) label);
1917 int cryptfs_crypto_complete(void)
1919 return do_crypto_complete("/data");
1922 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1924 char encrypted_state[PROPERTY_VALUE_MAX];
1925 property_get("ro.crypto.state", encrypted_state, "");
1926 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1927 SLOGE("encrypted fs already validated or not running with encryption,"
1932 if (get_crypt_ftr_and_key(crypt_ftr)) {
1933 SLOGE("Error getting crypt footer and key");
1940 int cryptfs_check_passwd(const char *passwd)
1942 SLOGI("cryptfs_check_passwd");
1943 if (e4crypt_is_native()) {
1944 SLOGE("cryptfs_check_passwd not valid for file encryption");
1948 struct crypt_mnt_ftr crypt_ftr;
1951 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1953 SLOGE("Could not get footer");
1957 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1958 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1960 SLOGE("Password did not match");
1964 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1965 // Here we have a default actual password but a real password
1966 // we must test against the scrypted value
1967 // First, we must delete the crypto block device that
1968 // test_mount_encrypted_fs leaves behind as a side effect
1969 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1970 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1971 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1973 SLOGE("Default password did not match on reboot encryption");
1977 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1978 put_crypt_ftr_and_key(&crypt_ftr);
1979 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1981 SLOGE("Could not change password on reboot encryption");
1986 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1987 cryptfs_clear_password();
1988 password = strdup(passwd);
1989 struct timespec now;
1990 clock_gettime(CLOCK_BOOTTIME, &now);
1991 password_expiry_time = now.tv_sec + password_max_age_seconds;
1997 int cryptfs_verify_passwd(const char *passwd)
1999 struct crypt_mnt_ftr crypt_ftr;
2000 unsigned char decrypted_master_key[MAX_KEY_LEN];
2001 char encrypted_state[PROPERTY_VALUE_MAX];
2004 property_get("ro.crypto.state", encrypted_state, "");
2005 if (strcmp(encrypted_state, "encrypted") ) {
2006 SLOGE("device not encrypted, aborting");
2010 if (!master_key_saved) {
2011 SLOGE("encrypted fs not yet mounted, aborting");
2015 if (!saved_mount_point) {
2016 SLOGE("encrypted fs failed to save mount point, aborting");
2020 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2021 SLOGE("Error getting crypt footer and key\n");
2025 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2026 /* If the device has no password, then just say the password is valid */
2029 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2030 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2031 /* They match, the password is correct */
2034 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2043 /* Initialize a crypt_mnt_ftr structure. The keysize is
2044 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
2045 * Presumably, at a minimum, the caller will update the
2046 * filesystem size and crypto_type_name after calling this function.
2048 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2052 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2053 ftr->magic = CRYPT_MNT_MAGIC;
2054 ftr->major_version = CURRENT_MAJOR_VERSION;
2055 ftr->minor_version = CURRENT_MINOR_VERSION;
2056 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2057 ftr->keysize = cryptfs_get_keysize();
2059 switch (keymaster_check_compatibility()) {
2061 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2065 ftr->kdf_type = KDF_SCRYPT;
2069 SLOGE("keymaster_check_compatibility failed");
2073 get_device_scrypt_params(ftr);
2075 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2076 if (get_crypt_ftr_info(NULL, &off) == 0) {
2077 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2078 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2079 ftr->persist_data_size;
2085 #define FRAMEWORK_BOOT_WAIT 60
2087 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2089 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2091 SLOGE("Error opening file %s", filename);
2095 char block[CRYPT_INPLACE_BUFSIZE];
2096 memset(block, 0, sizeof(block));
2097 if (unix_read(fd, block, sizeof(block)) < 0) {
2098 SLOGE("Error reading file %s", filename);
2107 SHA256_Update(&c, block, sizeof(block));
2108 SHA256_Final(buf, &c);
2113 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2114 char* real_blkdev, int previously_encrypted_upto) {
2115 off64_t cur_encryption_done=0, tot_encryption_size=0;
2118 /* The size of the userdata partition, and add in the vold volumes below */
2119 tot_encryption_size = crypt_ftr->fs_size;
2121 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
2122 tot_encryption_size, previously_encrypted_upto, true);
2124 if (rc == ENABLE_INPLACE_ERR_DEV) {
2125 /* Hack for b/17898962 */
2126 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2127 cryptfs_reboot(RebootType::reboot);
2131 crypt_ftr->encrypted_upto = cur_encryption_done;
2134 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2135 /* The inplace routine never actually sets the progress to 100% due
2136 * to the round down nature of integer division, so set it here */
2137 property_set("vold.encrypt_progress", "100");
2143 static int vold_unmountAll(void) {
2144 VolumeManager* vm = VolumeManager::Instance();
2145 return vm->unmountAll();
2148 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2149 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2150 unsigned char decrypted_master_key[MAX_KEY_LEN];
2152 struct crypt_mnt_ftr crypt_ftr;
2153 struct crypt_persist_data *pdata;
2154 char encrypted_state[PROPERTY_VALUE_MAX];
2155 char lockid[32] = { 0 };
2156 char key_loc[PROPERTY_VALUE_MAX];
2158 off64_t previously_encrypted_upto = 0;
2159 bool rebootEncryption = false;
2160 bool onlyCreateHeader = false;
2163 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2164 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2165 /* An encryption was underway and was interrupted */
2166 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2167 crypt_ftr.encrypted_upto = 0;
2168 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2170 /* At this point, we are in an inconsistent state. Until we successfully
2171 complete encryption, a reboot will leave us broken. So mark the
2172 encryption failed in case that happens.
2173 On successfully completing encryption, remove this flag */
2174 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2176 put_crypt_ftr_and_key(&crypt_ftr);
2177 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2178 if (!check_ftr_sha(&crypt_ftr)) {
2179 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2180 put_crypt_ftr_and_key(&crypt_ftr);
2181 goto error_unencrypted;
2184 /* Doing a reboot-encryption*/
2185 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2186 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2187 rebootEncryption = true;
2190 // We don't want to accidentally reference invalid data.
2191 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2194 property_get("ro.crypto.state", encrypted_state, "");
2195 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2196 SLOGE("Device is already running encrypted, aborting");
2197 goto error_unencrypted;
2200 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2201 fs_mgr_get_crypt_info(fstab_default, key_loc, 0, sizeof(key_loc));
2202 fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
2204 /* Get the size of the real block device */
2205 fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2207 SLOGE("Cannot open block device %s\n", real_blkdev);
2208 goto error_unencrypted;
2210 unsigned long nr_sec;
2211 get_blkdev_size(fd, &nr_sec);
2213 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2214 goto error_unencrypted;
2218 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2219 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2220 unsigned int fs_size_sec, max_fs_size_sec;
2221 fs_size_sec = get_fs_size(real_blkdev);
2222 if (fs_size_sec == 0)
2223 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2225 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2227 if (fs_size_sec > max_fs_size_sec) {
2228 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2229 goto error_unencrypted;
2233 /* Get a wakelock as this may take a while, and we don't want the
2234 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2235 * wants to keep the screen on, it can grab a full wakelock.
2237 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2238 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2240 /* The init files are setup to stop the class main and late start when
2241 * vold sets trigger_shutdown_framework.
2243 property_set("vold.decrypt", "trigger_shutdown_framework");
2244 SLOGD("Just asked init to shut down class main\n");
2246 /* Ask vold to unmount all devices that it manages */
2247 if (vold_unmountAll()) {
2248 SLOGE("Failed to unmount all vold managed devices");
2251 /* no_ui means we are being called from init, not settings.
2252 Now we always reboot from settings, so !no_ui means reboot
2255 /* Try fallback, which is to reboot and try there */
2256 onlyCreateHeader = true;
2257 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2258 if (breadcrumb == 0) {
2259 SLOGE("Failed to create breadcrumb file");
2260 goto error_shutting_down;
2265 /* Do extra work for a better UX when doing the long inplace encryption */
2266 if (!onlyCreateHeader) {
2267 /* Now that /data is unmounted, we need to mount a tmpfs
2268 * /data, set a property saying we're doing inplace encryption,
2269 * and restart the framework.
2271 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2272 goto error_shutting_down;
2274 /* Tells the framework that inplace encryption is starting */
2275 property_set("vold.encrypt_progress", "0");
2277 /* restart the framework. */
2278 /* Create necessary paths on /data */
2281 /* Ugh, shutting down the framework is not synchronous, so until it
2282 * can be fixed, this horrible hack will wait a moment for it all to
2283 * shut down before proceeding. Without it, some devices cannot
2284 * restart the graphics services.
2289 /* Start the actual work of making an encrypted filesystem */
2290 /* Initialize a crypt_mnt_ftr for the partition */
2291 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2292 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2293 goto error_shutting_down;
2296 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
2297 crypt_ftr.fs_size = nr_sec
2298 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2300 crypt_ftr.fs_size = nr_sec;
2302 /* At this point, we are in an inconsistent state. Until we successfully
2303 complete encryption, a reboot will leave us broken. So mark the
2304 encryption failed in case that happens.
2305 On successfully completing encryption, remove this flag */
2306 if (onlyCreateHeader) {
2307 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2309 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2311 crypt_ftr.crypt_type = crypt_type;
2312 strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN);
2314 /* Make an encrypted master key */
2315 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2316 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2317 SLOGE("Cannot create encrypted master key\n");
2318 goto error_shutting_down;
2321 /* Replace scrypted intermediate key if we are preparing for a reboot */
2322 if (onlyCreateHeader) {
2323 unsigned char fake_master_key[MAX_KEY_LEN];
2324 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2325 memset(fake_master_key, 0, sizeof(fake_master_key));
2326 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
2327 encrypted_fake_master_key, &crypt_ftr);
2330 /* Write the key to the end of the partition */
2331 put_crypt_ftr_and_key(&crypt_ftr);
2333 /* If any persistent data has been remembered, save it.
2334 * If none, create a valid empty table and save that.
2336 if (!persist_data) {
2337 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE);
2339 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2340 persist_data = pdata;
2344 save_persistent_data();
2348 if (onlyCreateHeader) {
2350 cryptfs_reboot(RebootType::reboot);
2353 if (!no_ui || rebootEncryption) {
2354 /* startup service classes main and late_start */
2355 property_set("vold.decrypt", "trigger_restart_min_framework");
2356 SLOGD("Just triggered restart_min_framework\n");
2358 /* OK, the framework is restarted and will soon be showing a
2359 * progress bar. Time to setup an encrypted mapping, and
2360 * either write a new filesystem, or encrypt in place updating
2361 * the progress bar as we work.
2365 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2366 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
2367 CRYPTO_BLOCK_DEVICE, 0);
2369 /* If we are continuing, check checksums match */
2371 if (previously_encrypted_upto) {
2372 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2373 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2375 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
2376 sizeof(hash_first_block)) != 0) {
2377 SLOGE("Checksums do not match - trigger wipe");
2383 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev,
2384 previously_encrypted_upto);
2387 /* Calculate checksum if we are not finished */
2388 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2389 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
2390 crypt_ftr.hash_first_block);
2392 SLOGE("Error calculating checksum for continuing encryption");
2397 /* Undo the dm-crypt mapping whether we succeed or not */
2398 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2402 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2404 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2405 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2406 crypt_ftr.encrypted_upto);
2407 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2410 put_crypt_ftr_and_key(&crypt_ftr);
2412 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2413 char value[PROPERTY_VALUE_MAX];
2414 property_get("ro.crypto.state", value, "");
2415 if (!strcmp(value, "")) {
2416 /* default encryption - continue first boot sequence */
2417 property_set("ro.crypto.state", "encrypted");
2418 property_set("ro.crypto.type", "block");
2419 release_wake_lock(lockid);
2420 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2421 // Bring up cryptkeeper that will check the password and set it
2422 property_set("vold.decrypt", "trigger_shutdown_framework");
2424 property_set("vold.encrypt_progress", "");
2425 cryptfs_trigger_restart_min_framework();
2427 cryptfs_check_passwd(DEFAULT_PASSWORD);
2428 cryptfs_restart_internal(1);
2432 sleep(2); /* Give the UI a chance to show 100% progress */
2433 cryptfs_reboot(RebootType::reboot);
2436 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2437 cryptfs_reboot(RebootType::shutdown);
2440 char value[PROPERTY_VALUE_MAX];
2442 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2443 if (!strcmp(value, "1")) {
2444 /* wipe data if encryption failed */
2445 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2447 const std::vector<std::string> options = {
2448 "--wipe_data\n--reason=cryptfs_enable_internal\n"
2450 if (!write_bootloader_message(options, &err)) {
2451 SLOGE("could not write bootloader message: %s", err.c_str());
2453 cryptfs_reboot(RebootType::recovery);
2455 /* set property to trigger dialog */
2456 property_set("vold.encrypt_progress", "error_partially_encrypted");
2457 release_wake_lock(lockid);
2462 /* hrm, the encrypt step claims success, but the reboot failed.
2463 * This should not happen.
2464 * Set the property and return. Hope the framework can deal with it.
2466 property_set("vold.encrypt_progress", "error_reboot_failed");
2467 release_wake_lock(lockid);
2471 property_set("vold.encrypt_progress", "error_not_encrypted");
2473 release_wake_lock(lockid);
2477 error_shutting_down:
2478 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2479 * but the framework is stopped and not restarted to show the error, so it's up to
2480 * vold to restart the system.
2482 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
2483 cryptfs_reboot(RebootType::reboot);
2485 /* shouldn't get here */
2486 property_set("vold.encrypt_progress", "error_shutting_down");
2488 release_wake_lock(lockid);
2493 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2494 return cryptfs_enable_internal(type, passwd, no_ui);
2497 int cryptfs_enable_default(int no_ui) {
2498 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2501 int cryptfs_changepw(int crypt_type, const char *newpw)
2503 if (e4crypt_is_native()) {
2504 SLOGE("cryptfs_changepw not valid for file encryption");
2508 struct crypt_mnt_ftr crypt_ftr;
2511 /* This is only allowed after we've successfully decrypted the master key */
2512 if (!master_key_saved) {
2513 SLOGE("Key not saved, aborting");
2517 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2518 SLOGE("Invalid crypt_type %d", crypt_type);
2523 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2524 SLOGE("Error getting crypt footer and key");
2528 crypt_ftr.crypt_type = crypt_type;
2530 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
2534 crypt_ftr.master_key,
2537 SLOGE("Encrypt master key failed: %d", rc);
2541 put_crypt_ftr_and_key(&crypt_ftr);
2546 static unsigned int persist_get_max_entries(int encrypted) {
2547 struct crypt_mnt_ftr crypt_ftr;
2549 unsigned int max_persistent_entries;
2551 /* If encrypted, use the values from the crypt_ftr, otherwise
2552 * use the values for the current spec.
2555 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2558 dsize = crypt_ftr.persist_data_size;
2560 dsize = CRYPT_PERSIST_DATA_SIZE;
2563 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
2564 sizeof(struct crypt_persist_entry);
2566 return max_persistent_entries;
2569 static int persist_get_key(const char *fieldname, char *value)
2573 if (persist_data == NULL) {
2576 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2577 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2579 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2587 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
2591 unsigned int max_persistent_entries;
2593 if (persist_data == NULL) {
2597 max_persistent_entries = persist_get_max_entries(encrypted);
2599 num = persist_data->persist_valid_entries;
2601 for (i = 0; i < num; i++) {
2602 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2603 /* We found an existing entry, update it! */
2604 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2605 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2610 /* We didn't find it, add it to the end, if there is room */
2611 if (persist_data->persist_valid_entries < max_persistent_entries) {
2612 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2613 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2614 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2615 persist_data->persist_valid_entries++;
2623 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2624 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2626 int match_multi_entry(const char *key, const char *field, unsigned index) {
2627 std::string key_ = key;
2628 std::string field_ = field;
2630 std::string parsed_field;
2631 unsigned parsed_index;
2633 std::string::size_type split = key_.find_last_of('_');
2634 if (split == std::string::npos) {
2635 parsed_field = key_;
2638 parsed_field = key_.substr(0, split);
2639 parsed_index = std::stoi(key_.substr(split + 1));
2642 return parsed_field == field_ && parsed_index >= index;
2646 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2647 * remaining entries starting from index will be deleted.
2648 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2649 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2650 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2653 static int persist_del_keys(const char *fieldname, unsigned index)
2659 if (persist_data == NULL) {
2660 return PERSIST_DEL_KEY_ERROR_OTHER;
2663 num = persist_data->persist_valid_entries;
2665 j = 0; // points to the end of non-deleted entries.
2666 // Filter out to-be-deleted entries in place.
2667 for (i = 0; i < num; i++) {
2668 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2669 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2675 persist_data->persist_valid_entries = j;
2676 // Zeroise the remaining entries
2677 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2678 return PERSIST_DEL_KEY_OK;
2680 // Did not find an entry matching the given fieldname
2681 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2685 static int persist_count_keys(const char *fieldname)
2690 if (persist_data == NULL) {
2695 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2696 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2704 /* Return the value of the specified field. */
2705 int cryptfs_getfield(const char *fieldname, char *value, int len)
2707 if (e4crypt_is_native()) {
2708 SLOGE("Cannot get field when file encrypted");
2712 char temp_value[PROPERTY_VALUE_MAX];
2713 /* CRYPTO_GETFIELD_OK is success,
2714 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2715 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2716 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2718 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2720 char temp_field[PROPERTY_KEY_MAX];
2722 if (persist_data == NULL) {
2723 load_persistent_data();
2724 if (persist_data == NULL) {
2725 SLOGE("Getfield error, cannot load persistent data");
2730 // Read value from persistent entries. If the original value is split into multiple entries,
2731 // stitch them back together.
2732 if (!persist_get_key(fieldname, temp_value)) {
2733 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2734 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
2736 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2739 rc = CRYPTO_GETFIELD_OK;
2741 for (i = 1; /* break explicitly */; i++) {
2742 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2743 (int) sizeof(temp_field)) {
2744 // If the fieldname is very long, we stop as soon as it begins to overflow the
2745 // maximum field length. At this point we have in fact fully read out the original
2746 // value because cryptfs_setfield would not allow fields with longer names to be
2747 // written in the first place.
2750 if (!persist_get_key(temp_field, temp_value)) {
2751 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2753 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2757 // Exhaust all entries.
2762 /* Sadness, it's not there. Return the error */
2763 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2770 /* Set the value of the specified field. */
2771 int cryptfs_setfield(const char *fieldname, const char *value)
2773 if (e4crypt_is_native()) {
2774 SLOGE("Cannot set field when file encrypted");
2778 char encrypted_state[PROPERTY_VALUE_MAX];
2779 /* 0 is success, negative values are error */
2780 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2782 unsigned int field_id;
2783 char temp_field[PROPERTY_KEY_MAX];
2784 unsigned int num_entries;
2785 unsigned int max_keylen;
2787 if (persist_data == NULL) {
2788 load_persistent_data();
2789 if (persist_data == NULL) {
2790 SLOGE("Setfield error, cannot load persistent data");
2795 property_get("ro.crypto.state", encrypted_state, "");
2796 if (!strcmp(encrypted_state, "encrypted") ) {
2800 // Compute the number of entries required to store value, each entry can store up to
2801 // (PROPERTY_VALUE_MAX - 1) chars
2802 if (strlen(value) == 0) {
2803 // Empty value also needs one entry to store.
2806 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2809 max_keylen = strlen(fieldname);
2810 if (num_entries > 1) {
2811 // Need an extra "_%d" suffix.
2812 max_keylen += 1 + log10(num_entries);
2814 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2815 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2819 // Make sure we have enough space to write the new value
2820 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2821 persist_get_max_entries(encrypted)) {
2822 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2826 // Now that we know persist_data has enough space for value, let's delete the old field first
2827 // to make up space.
2828 persist_del_keys(fieldname, 0);
2830 if (persist_set_key(fieldname, value, encrypted)) {
2831 // fail to set key, should not happen as we have already checked the available space
2832 SLOGE("persist_set_key() error during setfield()");
2836 for (field_id = 1; field_id < num_entries; field_id++) {
2837 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2839 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2840 // fail to set key, should not happen as we have already checked the available space.
2841 SLOGE("persist_set_key() error during setfield()");
2846 /* If we are running encrypted, save the persistent data now */
2848 if (save_persistent_data()) {
2849 SLOGE("Setfield error, cannot save persistent data");
2854 rc = CRYPTO_SETFIELD_OK;
2860 /* Checks userdata. Attempt to mount the volume if default-
2862 * On success trigger next init phase and return 0.
2863 * Currently do not handle failure - see TODO below.
2865 int cryptfs_mount_default_encrypted(void)
2867 int crypt_type = cryptfs_get_password_type();
2868 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2869 SLOGE("Bad crypt type - error");
2870 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2871 SLOGD("Password is not default - "
2872 "starting min framework to prompt");
2873 property_set("vold.decrypt", "trigger_restart_min_framework");
2875 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2876 SLOGD("Password is default - restarting filesystem");
2877 cryptfs_restart_internal(0);
2880 SLOGE("Encrypted, default crypt type but can't decrypt");
2883 /** Corrupt. Allow us to boot into framework, which will detect bad
2884 crypto when it calls do_crypto_complete, then do a factory reset
2886 property_set("vold.decrypt", "trigger_restart_min_framework");
2890 /* Returns type of the password, default, pattern, pin or password.
2892 int cryptfs_get_password_type(void)
2894 if (e4crypt_is_native()) {
2895 SLOGE("cryptfs_get_password_type not valid for file encryption");
2899 struct crypt_mnt_ftr crypt_ftr;
2901 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2902 SLOGE("Error getting crypt footer and key\n");
2906 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2910 return crypt_ftr.crypt_type;
2913 const char* cryptfs_get_password()
2915 if (e4crypt_is_native()) {
2916 SLOGE("cryptfs_get_password not valid for file encryption");
2920 struct timespec now;
2921 clock_gettime(CLOCK_BOOTTIME, &now);
2922 if (now.tv_sec < password_expiry_time) {
2925 cryptfs_clear_password();
2930 void cryptfs_clear_password()
2933 size_t len = strlen(password);
2934 memset(password, 0, len);
2937 password_expiry_time = 0;
2941 int cryptfs_isConvertibleToFBE()
2943 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
2944 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;