2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
23 #define LOG_TAG "Cryptfs"
27 #include "Checkpoint.h"
28 #include "EncryptInplace.h"
30 #include "Keymaster.h"
32 #include "ScryptParameters.h"
35 #include "VolumeManager.h"
37 #include <android-base/parseint.h>
38 #include <android-base/properties.h>
39 #include <android-base/stringprintf.h>
40 #include <bootloader_message/bootloader_message.h>
41 #include <cutils/android_reboot.h>
42 #include <cutils/properties.h>
43 #include <ext4_utils/ext4_utils.h>
44 #include <f2fs_sparseblock.h>
46 #include <fscrypt/fscrypt.h>
47 #include <hardware_legacy/power.h>
49 #include <logwrap/logwrap.h>
50 #include <openssl/evp.h>
51 #include <openssl/sha.h>
52 #include <selinux/selinux.h>
59 #include <linux/dm-ioctl.h>
60 #include <linux/kdev_t.h>
65 #include <sys/ioctl.h>
66 #include <sys/mount.h>
67 #include <sys/param.h>
69 #include <sys/types.h>
75 #include <crypto_scrypt.h>
78 using android::base::ParseUint;
79 using android::base::StringPrintf;
80 using android::fs_mgr::GetEntryForMountPoint;
81 using namespace std::chrono_literals;
83 #define UNUSED __attribute__((unused))
85 #define DM_CRYPT_BUF_SIZE 4096
87 #define HASH_COUNT 2000
89 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
90 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
91 constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
93 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
94 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
96 #define KEY_IN_FOOTER "footer"
98 #define DEFAULT_PASSWORD "default_password"
100 #define CRYPTO_BLOCK_DEVICE "userdata"
102 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
107 #define TABLE_LOAD_RETRIES 10
109 #define RSA_KEY_SIZE 2048
110 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
111 #define RSA_EXPONENT 0x10001
112 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
114 #define RETRY_MOUNT_ATTEMPTS 10
115 #define RETRY_MOUNT_DELAY_SECONDS 1
117 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
119 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
121 static unsigned char saved_master_key[MAX_KEY_LEN];
122 static char* saved_mount_point;
123 static int master_key_saved = 0;
124 static struct crypt_persist_data* persist_data = NULL;
126 /* Should we use keymaster? */
127 static int keymaster_check_compatibility() {
128 return keymaster_compatibility_cryptfs_scrypt();
131 /* Create a new keymaster key and store it in this footer */
132 static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
133 if (ftr->keymaster_blob_size) {
134 SLOGI("Already have key");
138 int rc = keymaster_create_key_for_cryptfs_scrypt(
139 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
140 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
142 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
143 SLOGE("Keymaster key blob too large");
144 ftr->keymaster_blob_size = 0;
146 SLOGE("Failed to generate keypair");
152 /* This signs the given object using the keymaster key. */
153 static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
154 const size_t object_size, unsigned char** signature,
155 size_t* signature_size) {
156 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
157 size_t to_sign_size = sizeof(to_sign);
158 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
160 // To sign a message with RSA, the message must satisfy two
163 // 1. The message, when interpreted as a big-endian numeric value, must
164 // be strictly less than the public modulus of the RSA key. Note
165 // that because the most significant bit of the public modulus is
166 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
167 // key), an n-bit message with most significant bit 0 always
168 // satisfies this requirement.
170 // 2. The message must have the same length in bits as the public
171 // modulus of the RSA key. This requirement isn't mathematically
172 // necessary, but is necessary to ensure consistency in
174 switch (ftr->kdf_type) {
175 case KDF_SCRYPT_KEYMASTER:
176 // This ensures the most significant byte of the signed message
177 // is zero. We could have zero-padded to the left instead, but
178 // this approach is slightly more robust against changes in
179 // object size. However, it's still broken (but not unusably
180 // so) because we really should be using a proper deterministic
181 // RSA padding function, such as PKCS1.
182 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
183 SLOGI("Signing safely-padded object");
186 SLOGE("Unknown KDF type %d", ftr->kdf_type);
190 auto result = keymaster_sign_object_for_cryptfs_scrypt(
191 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
192 to_sign_size, signature, signature_size);
194 case KeymasterSignResult::ok:
196 case KeymasterSignResult::upgrade:
201 SLOGD("Upgrading key");
202 if (keymaster_upgrade_key_for_cryptfs_scrypt(
203 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
204 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
205 &ftr->keymaster_blob_size) != 0) {
206 SLOGE("Failed to upgrade key");
209 if (put_crypt_ftr_and_key(ftr) != 0) {
210 SLOGE("Failed to write upgraded key to disk");
212 SLOGD("Key upgraded successfully");
216 /* Store password when userdata is successfully decrypted and mounted.
217 * Cleared by cryptfs_clear_password
219 * To avoid a double prompt at boot, we need to store the CryptKeeper
220 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
221 * Since the entire framework is torn down and rebuilt after encryption,
222 * we have to use a daemon or similar to store the password. Since vold
223 * is secured against IPC except from system processes, it seems a reasonable
224 * place to store this.
226 * password should be cleared once it has been used.
228 * password is aged out after password_max_age_seconds seconds.
230 static char* password = 0;
231 static int password_expiry_time = 0;
232 static const int password_max_age_seconds = 60;
234 enum class RebootType { reboot, recovery, shutdown };
235 static void cryptfs_reboot(RebootType rt) {
237 case RebootType::reboot:
238 property_set(ANDROID_RB_PROPERTY, "reboot");
241 case RebootType::recovery:
242 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
245 case RebootType::shutdown:
246 property_set(ANDROID_RB_PROPERTY, "shutdown");
252 /* Shouldn't get here, reboot should happen before sleep times out */
256 static void ioctl_init(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
257 memset(io, 0, dataSize);
258 io->data_size = dataSize;
259 io->data_start = sizeof(struct dm_ioctl);
265 strlcpy(io->name, name, sizeof(io->name));
273 // Use to get the CryptoType in use on this device.
274 const CryptoType& get_crypto_type();
277 // We should only be constructing CryptoTypes as part of
278 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
279 // which isn't pure or fully protected as a concession to being able to
280 // do it all at compile time. Add new CryptoTypes in
281 // supported_crypto_types[] below.
282 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
283 constexpr CryptoType set_keysize(uint32_t size) const {
284 return CryptoType(this->property_name, this->crypto_name, size);
286 constexpr CryptoType set_property_name(const char* property) const {
287 return CryptoType(property, this->crypto_name, this->keysize);
289 constexpr CryptoType set_crypto_name(const char* crypto) const {
290 return CryptoType(this->property_name, crypto, this->keysize);
293 constexpr const char* get_property_name() const { return property_name; }
294 constexpr const char* get_crypto_name() const { return crypto_name; }
295 constexpr uint32_t get_keysize() const { return keysize; }
298 const char* property_name;
299 const char* crypto_name;
302 constexpr CryptoType(const char* property, const char* crypto, uint32_t ksize)
303 : property_name(property), crypto_name(crypto), keysize(ksize) {}
304 friend const CryptoType& get_crypto_type();
305 static const CryptoType& get_device_crypto_algorithm();
308 // We only want to parse this read-only property once. But we need to wait
309 // until the system is initialized before we can read it. So we use a static
310 // scoped within this function to get it only once.
311 const CryptoType& get_crypto_type() {
312 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
316 constexpr CryptoType default_crypto_type = CryptoType()
317 .set_property_name("AES-128-CBC")
318 .set_crypto_name("aes-cbc-essiv:sha256")
321 constexpr CryptoType supported_crypto_types[] = {
324 .set_property_name("adiantum")
325 .set_crypto_name("xchacha12,aes-adiantum-plain64")
327 // Add new CryptoTypes here. Order is not important.
330 // ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
331 // We confirm all supported_crypto_types have a small enough keysize and
332 // had both set_property_name() and set_crypto_name() called.
334 template <typename T, size_t N>
335 constexpr size_t array_length(T (&)[N]) {
339 constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
340 return (index >= array_length(supported_crypto_types));
343 constexpr bool isValidCryptoType(const CryptoType& crypto_type) {
344 return ((crypto_type.get_property_name() != nullptr) &&
345 (crypto_type.get_crypto_name() != nullptr) &&
346 (crypto_type.get_keysize() <= MAX_KEY_LEN));
349 // Note in C++11 that constexpr functions can only have a single line.
350 // So our code is a bit convoluted (using recursion instead of a loop),
351 // but it's asserting at compile time that all of our key lengths are valid.
352 constexpr bool validateSupportedCryptoTypes(size_t index) {
353 return indexOutOfBoundsForCryptoTypes(index) ||
354 (isValidCryptoType(supported_crypto_types[index]) &&
355 validateSupportedCryptoTypes(index + 1));
358 static_assert(validateSupportedCryptoTypes(0),
359 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
360 "incompletely constructed.");
361 // ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
363 // Don't call this directly, use get_crypto_type(), which caches this result.
364 const CryptoType& CryptoType::get_device_crypto_algorithm() {
365 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
366 char paramstr[PROPERTY_VALUE_MAX];
368 property_get(CRYPT_ALGO_PROP, paramstr, default_crypto_type.get_property_name());
369 for (auto const& ctype : supported_crypto_types) {
370 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
374 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr, CRYPT_ALGO_PROP,
375 default_crypto_type.get_property_name());
376 return default_crypto_type;
382 * Gets the default device scrypt parameters for key derivation time tuning.
383 * The parameters should lead to about one second derivation time for the
386 static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
387 char paramstr[PROPERTY_VALUE_MAX];
390 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
391 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
392 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
393 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
400 uint32_t cryptfs_get_keysize() {
401 return get_crypto_type().get_keysize();
404 const char* cryptfs_get_crypto_name() {
405 return get_crypto_type().get_crypto_name();
408 static uint64_t get_fs_size(const char* dev) {
410 struct ext4_super_block sb;
413 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
414 SLOGE("Cannot open device to get filesystem size ");
418 if (lseek64(fd, 1024, SEEK_SET) < 0) {
419 SLOGE("Cannot seek to superblock");
423 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
424 SLOGE("Cannot read superblock");
430 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
431 SLOGE("Not a valid ext4 superblock");
434 block_size = 1024 << sb.s_log_block_size;
435 /* compute length in bytes */
436 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
438 /* return length in sectors */
442 static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
443 for (const auto& entry : fstab_default) {
444 if (!entry.fs_mgr_flags.vold_managed &&
445 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
446 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
447 if (key_loc != nullptr) {
448 *key_loc = entry.key_loc;
450 if (real_blk_device != nullptr) {
451 *real_blk_device = entry.blk_device;
458 static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
459 static int cached_data = 0;
460 static uint64_t cached_off = 0;
461 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
462 char key_loc[PROPERTY_VALUE_MAX];
463 char real_blkdev[PROPERTY_VALUE_MAX];
468 std::string real_blkdev;
469 get_crypt_info(&key_loc, &real_blkdev);
471 if (key_loc == KEY_IN_FOOTER) {
472 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
473 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
474 * encryption info footer and key, and plenty of bytes to spare for future
477 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
478 cached_off -= CRYPT_FOOTER_OFFSET;
481 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
484 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
491 if (metadata_fname) {
492 *metadata_fname = cached_metadata_fname;
503 /* Set sha256 checksum in structure */
504 static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
507 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
508 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
509 SHA256_Final(crypt_ftr->sha256, &c);
512 /* key or salt can be NULL, in which case just skip writing that value. Useful to
513 * update the failed mount count but not change the key.
515 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
518 /* starting_off is set to the SEEK_SET offset
519 * where the crypto structure starts
521 off64_t starting_off;
526 set_ftr_sha(crypt_ftr);
528 if (get_crypt_ftr_info(&fname, &starting_off)) {
529 SLOGE("Unable to get crypt_ftr_info\n");
532 if (fname[0] != '/') {
533 SLOGE("Unexpected value for crypto key location\n");
536 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
537 SLOGE("Cannot open footer file %s for put\n", fname);
541 /* Seek to the start of the crypt footer */
542 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
543 SLOGE("Cannot seek to real block device footer\n");
547 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
548 SLOGE("Cannot write real block device footer\n");
553 /* If the keys are kept on a raw block device, do not try to truncate it. */
554 if (S_ISREG(statbuf.st_mode)) {
555 if (ftruncate(fd, 0x4000)) {
556 SLOGE("Cannot set footer file size\n");
569 static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
570 struct crypt_mnt_ftr copy;
571 memcpy(©, crypt_ftr, sizeof(copy));
573 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
576 static inline int unix_read(int fd, void* buff, int len) {
577 return TEMP_FAILURE_RETRY(read(fd, buff, len));
580 static inline int unix_write(int fd, const void* buff, int len) {
581 return TEMP_FAILURE_RETRY(write(fd, buff, len));
584 static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
585 memset(pdata, 0, len);
586 pdata->persist_magic = PERSIST_DATA_MAGIC;
587 pdata->persist_valid_entries = 0;
590 /* A routine to update the passed in crypt_ftr to the lastest version.
591 * fd is open read/write on the device that holds the crypto footer and persistent
592 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
593 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
595 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
596 int orig_major = crypt_ftr->major_version;
597 int orig_minor = crypt_ftr->minor_version;
599 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
600 struct crypt_persist_data* pdata;
601 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
603 SLOGW("upgrading crypto footer to 1.1");
605 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
607 SLOGE("Cannot allocate persisent data\n");
610 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
612 /* Need to initialize the persistent data area */
613 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
614 SLOGE("Cannot seek to persisent data offset\n");
618 /* Write all zeros to the first copy, making it invalid */
619 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
621 /* Write a valid but empty structure to the second copy */
622 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
623 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
625 /* Update the footer */
626 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
627 crypt_ftr->persist_data_offset[0] = pdata_offset;
628 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
629 crypt_ftr->minor_version = 1;
633 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
634 SLOGW("upgrading crypto footer to 1.2");
635 /* But keep the old kdf_type.
636 * It will get updated later to KDF_SCRYPT after the password has been verified.
638 crypt_ftr->kdf_type = KDF_PBKDF2;
639 get_device_scrypt_params(crypt_ftr);
640 crypt_ftr->minor_version = 2;
643 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
644 SLOGW("upgrading crypto footer to 1.3");
645 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
646 crypt_ftr->minor_version = 3;
649 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
650 if (lseek64(fd, offset, SEEK_SET) == -1) {
651 SLOGE("Cannot seek to crypt footer\n");
654 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
658 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
661 off64_t starting_off;
666 if (get_crypt_ftr_info(&fname, &starting_off)) {
667 SLOGE("Unable to get crypt_ftr_info\n");
670 if (fname[0] != '/') {
671 SLOGE("Unexpected value for crypto key location\n");
674 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
675 SLOGE("Cannot open footer file %s for get\n", fname);
679 /* Make sure it's 16 Kbytes in length */
681 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
682 SLOGE("footer file %s is not the expected size!\n", fname);
686 /* Seek to the start of the crypt footer */
687 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
688 SLOGE("Cannot seek to real block device footer\n");
692 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
693 SLOGE("Cannot read real block device footer\n");
697 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
698 SLOGE("Bad magic for real block device %s\n", fname);
702 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
703 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
704 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
708 // We risk buffer overflows with oversized keys, so we just reject them.
709 // 0-sized keys are problematic (essentially by-passing encryption), and
710 // AES-CBC key wrapping only works for multiples of 16 bytes.
711 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
712 (crypt_ftr->keysize > MAX_KEY_LEN)) {
714 "Invalid keysize (%u) for block device %s; Must be non-zero, "
715 "divisible by 16, and <= %d\n",
716 crypt_ftr->keysize, fname, MAX_KEY_LEN);
720 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
721 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
722 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
725 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
726 * copy on disk before returning.
728 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
729 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
740 static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
741 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
742 crypt_ftr->persist_data_offset[1]) {
743 SLOGE("Crypt_ftr persist data regions overlap");
747 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
748 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
752 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
753 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
754 CRYPT_FOOTER_OFFSET) {
755 SLOGE("Persistent data extends past crypto footer");
762 static int load_persistent_data(void) {
763 struct crypt_mnt_ftr crypt_ftr;
764 struct crypt_persist_data* pdata = NULL;
765 char encrypted_state[PROPERTY_VALUE_MAX];
773 /* Nothing to do, we've already loaded or initialized it */
777 /* If not encrypted, just allocate an empty table and initialize it */
778 property_get("ro.crypto.state", encrypted_state, "");
779 if (strcmp(encrypted_state, "encrypted")) {
780 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
782 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
783 persist_data = pdata;
789 if (get_crypt_ftr_and_key(&crypt_ftr)) {
793 if ((crypt_ftr.major_version < 1) ||
794 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
795 SLOGE("Crypt_ftr version doesn't support persistent data");
799 if (get_crypt_ftr_info(&fname, NULL)) {
803 ret = validate_persistent_data_storage(&crypt_ftr);
808 fd = open(fname, O_RDONLY | O_CLOEXEC);
810 SLOGE("Cannot open %s metadata file", fname);
814 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
816 SLOGE("Cannot allocate memory for persistent data");
820 for (i = 0; i < 2; i++) {
821 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
822 SLOGE("Cannot seek to read persistent data on %s", fname);
825 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
826 SLOGE("Error reading persistent data on iteration %d", i);
829 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
836 SLOGI("Could not find valid persistent data, creating");
837 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
841 persist_data = pdata;
853 static int save_persistent_data(void) {
854 struct crypt_mnt_ftr crypt_ftr;
855 struct crypt_persist_data* pdata;
857 off64_t write_offset;
858 off64_t erase_offset;
862 if (persist_data == NULL) {
863 SLOGE("No persistent data to save");
867 if (get_crypt_ftr_and_key(&crypt_ftr)) {
871 if ((crypt_ftr.major_version < 1) ||
872 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
873 SLOGE("Crypt_ftr version doesn't support persistent data");
877 ret = validate_persistent_data_storage(&crypt_ftr);
882 if (get_crypt_ftr_info(&fname, NULL)) {
886 fd = open(fname, O_RDWR | O_CLOEXEC);
888 SLOGE("Cannot open %s metadata file", fname);
892 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
894 SLOGE("Cannot allocate persistant data");
898 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
899 SLOGE("Cannot seek to read persistent data on %s", fname);
903 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
904 SLOGE("Error reading persistent data before save");
908 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
909 /* The first copy is the curent valid copy, so write to
910 * the second copy and erase this one */
911 write_offset = crypt_ftr.persist_data_offset[1];
912 erase_offset = crypt_ftr.persist_data_offset[0];
914 /* The second copy must be the valid copy, so write to
915 * the first copy, and erase the second */
916 write_offset = crypt_ftr.persist_data_offset[0];
917 erase_offset = crypt_ftr.persist_data_offset[1];
920 /* Write the new copy first, if successful, then erase the old copy */
921 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
922 SLOGE("Cannot seek to write persistent data");
925 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
926 (int)crypt_ftr.persist_data_size) {
927 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
928 SLOGE("Cannot seek to erase previous persistent data");
932 memset(pdata, 0, crypt_ftr.persist_data_size);
933 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
934 SLOGE("Cannot write to erase previous persistent data");
939 SLOGE("Cannot write to save persistent data");
955 /* Convert a binary key of specified length into an ascii hex string equivalent,
956 * without the leading 0x and with null termination
958 static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
959 char* master_key_ascii) {
961 unsigned char nibble;
963 for (i = 0, a = 0; i < keysize; i++, a += 2) {
964 /* For each byte, write out two ascii hex digits */
965 nibble = (master_key[i] >> 4) & 0xf;
966 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
968 nibble = master_key[i] & 0xf;
969 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
972 /* Add the null termination */
973 master_key_ascii[a] = '\0';
976 static int load_crypto_mapping_table(struct crypt_mnt_ftr* crypt_ftr,
977 const unsigned char* master_key, const char* real_blk_name,
978 const char* name, int fd, const char* extra_params) {
979 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
981 struct dm_target_spec* tgt;
983 // We need two ASCII characters to represent each byte, and need space for
984 // the '\0' terminator.
985 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
989 io = (struct dm_ioctl*)buffer;
991 /* Load the mapping table for this device */
992 tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
995 io->target_count = 1;
997 tgt->sector_start = 0;
998 tgt->length = crypt_ftr->fs_size;
999 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1001 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1002 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1004 buff_offset = crypt_params - buffer;
1006 "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
1007 name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
1009 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1010 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, extra_params);
1011 crypt_params += strlen(crypt_params) + 1;
1013 (char*)(((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1014 tgt->next = crypt_params - buffer;
1016 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1017 if (!ioctl(fd, DM_TABLE_LOAD, io)) {
1023 if (i == TABLE_LOAD_RETRIES) {
1024 /* We failed to load the table, return an error */
1031 static int get_dm_crypt_version(int fd, const char* name, int* version) {
1032 char buffer[DM_CRYPT_BUF_SIZE];
1033 struct dm_ioctl* io;
1034 struct dm_target_versions* v;
1036 io = (struct dm_ioctl*)buffer;
1038 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1040 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1044 /* Iterate over the returned versions, looking for name of "crypt".
1045 * When found, get and return the version.
1047 v = (struct dm_target_versions*)&buffer[sizeof(struct dm_ioctl)];
1049 if (!strcmp(v->name, "crypt")) {
1050 /* We found the crypt driver, return the version, and get out */
1051 version[0] = v->version[0];
1052 version[1] = v->version[1];
1053 version[2] = v->version[2];
1056 v = (struct dm_target_versions*)(((char*)v) + v->next);
1062 static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1063 if (extra_params_vec.empty()) return "";
1064 std::string extra_params = std::to_string(extra_params_vec.size());
1065 for (const auto& p : extra_params_vec) {
1066 extra_params.append(" ");
1067 extra_params.append(p);
1069 return extra_params;
1073 * If the ro.crypto.fde_sector_size system property is set, append the
1074 * parameters to make dm-crypt use the specified crypto sector size and round
1075 * the crypto device size down to a crypto sector boundary.
1077 static int add_sector_size_param(std::vector<std::string>* extra_params_vec,
1078 struct crypt_mnt_ftr* ftr) {
1079 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
1080 char value[PROPERTY_VALUE_MAX];
1082 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1083 unsigned int sector_size;
1085 if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
1086 (sector_size & (sector_size - 1)) != 0) {
1087 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1088 DM_CRYPT_SECTOR_SIZE, value);
1092 std::string param = StringPrintf("sector_size:%u", sector_size);
1093 extra_params_vec->push_back(std::move(param));
1095 // With this option, IVs will match the sector numbering, instead
1096 // of being hard-coded to being based on 512-byte sectors.
1097 extra_params_vec->emplace_back("iv_large_sectors");
1099 // Round the crypto device size down to a crypto sector boundary.
1100 ftr->fs_size &= ~((sector_size / 512) - 1);
1105 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1106 const char* real_blk_name, char* crypto_blk_name, const char* name,
1108 char buffer[DM_CRYPT_BUF_SIZE];
1109 struct dm_ioctl* io;
1116 std::vector<std::string> extra_params_vec;
1118 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1119 SLOGE("Cannot open device-mapper\n");
1123 io = (struct dm_ioctl*)buffer;
1125 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1126 err = ioctl(fd, DM_DEV_CREATE, io);
1128 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1132 /* Get the device status, in particular, the name of it's device file */
1133 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1134 if (ioctl(fd, DM_DEV_STATUS, io)) {
1135 SLOGE("Cannot retrieve dm-crypt device status\n");
1138 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1139 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1141 if (!get_dm_crypt_version(fd, name, version)) {
1142 /* Support for allow_discards was added in version 1.11.0 */
1143 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1144 extra_params_vec.emplace_back("allow_discards");
1147 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1148 extra_params_vec.emplace_back("allow_encrypt_override");
1150 if (add_sector_size_param(&extra_params_vec, crypt_ftr)) {
1151 SLOGE("Error processing dm-crypt sector size param\n");
1154 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1155 extra_params_as_string(extra_params_vec).c_str());
1156 if (load_count < 0) {
1157 SLOGE("Cannot load dm-crypt mapping table.\n");
1159 } else if (load_count > 1) {
1160 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1163 /* Resume this device to activate it */
1164 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1166 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1167 SLOGE("Cannot resume the dm-crypt device\n");
1171 /* Ensure the dm device has been created before returning. */
1172 if (android::vold::WaitForFile(crypto_blk_name, 1s) < 0) {
1173 // WaitForFile generates a suitable log message
1177 /* We made it here with no errors. Woot! */
1181 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1186 static int delete_crypto_blk_dev(const char* name) {
1188 char buffer[DM_CRYPT_BUF_SIZE];
1189 struct dm_ioctl* io;
1193 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1194 SLOGE("Cannot open device-mapper\n");
1198 io = (struct dm_ioctl*)buffer;
1200 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1201 err = ioctl(fd, DM_DEV_REMOVE, io);
1203 SLOGE("Cannot remove dm-crypt device %s: %s\n", name, strerror(errno));
1207 /* We made it here with no errors. Woot! */
1211 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1216 static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1217 void* params UNUSED) {
1218 SLOGI("Using pbkdf2 for cryptfs KDF");
1220 /* Turn the password into a key and IV that can decrypt the master key */
1221 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1222 INTERMEDIATE_BUF_SIZE, ikey) != 1;
1225 static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
1226 SLOGI("Using scrypt for cryptfs KDF");
1228 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1230 int N = 1 << ftr->N_factor;
1231 int r = 1 << ftr->r_factor;
1232 int p = 1 << ftr->p_factor;
1234 /* Turn the password into a key and IV that can decrypt the master key */
1235 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1236 INTERMEDIATE_BUF_SIZE);
1241 static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1243 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1246 size_t signature_size;
1247 unsigned char* signature;
1248 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1250 int N = 1 << ftr->N_factor;
1251 int r = 1 << ftr->r_factor;
1252 int p = 1 << ftr->p_factor;
1254 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1255 INTERMEDIATE_BUF_SIZE);
1258 SLOGE("scrypt failed");
1262 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
1263 SLOGE("Signing failed");
1267 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1268 INTERMEDIATE_BUF_SIZE);
1272 SLOGE("scrypt failed");
1279 static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1280 const unsigned char* decrypted_master_key,
1281 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1282 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1283 EVP_CIPHER_CTX e_ctx;
1284 int encrypted_len, final_len;
1287 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1288 get_device_scrypt_params(crypt_ftr);
1290 switch (crypt_ftr->kdf_type) {
1291 case KDF_SCRYPT_KEYMASTER:
1292 if (keymaster_create_key(crypt_ftr)) {
1293 SLOGE("keymaster_create_key failed");
1297 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1298 SLOGE("scrypt failed");
1304 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1305 SLOGE("scrypt failed");
1311 SLOGE("Invalid kdf_type");
1315 /* Initialize the decryption engine */
1316 EVP_CIPHER_CTX_init(&e_ctx);
1317 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1318 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1319 SLOGE("EVP_EncryptInit failed\n");
1322 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1324 /* Encrypt the master key */
1325 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1326 crypt_ftr->keysize)) {
1327 SLOGE("EVP_EncryptUpdate failed\n");
1330 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1331 SLOGE("EVP_EncryptFinal failed\n");
1335 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1336 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1340 /* Store the scrypt of the intermediate key, so we can validate if it's a
1341 password error or mount error when things go wrong.
1342 Note there's no need to check for errors, since if this is incorrect, we
1343 simply won't wipe userdata, which is the correct default behavior
1345 int N = 1 << crypt_ftr->N_factor;
1346 int r = 1 << crypt_ftr->r_factor;
1347 int p = 1 << crypt_ftr->p_factor;
1349 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1350 N, r, p, crypt_ftr->scrypted_intermediate_key,
1351 sizeof(crypt_ftr->scrypted_intermediate_key));
1354 SLOGE("encrypt_master_key: crypto_scrypt failed");
1357 EVP_CIPHER_CTX_cleanup(&e_ctx);
1362 static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1363 const unsigned char* encrypted_master_key, size_t keysize,
1364 unsigned char* decrypted_master_key, kdf_func kdf,
1365 void* kdf_params, unsigned char** intermediate_key,
1366 size_t* intermediate_key_size) {
1367 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1368 EVP_CIPHER_CTX d_ctx;
1369 int decrypted_len, final_len;
1371 /* Turn the password into an intermediate key and IV that can decrypt the
1373 if (kdf(passwd, salt, ikey, kdf_params)) {
1374 SLOGE("kdf failed");
1378 /* Initialize the decryption engine */
1379 EVP_CIPHER_CTX_init(&d_ctx);
1380 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1381 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1384 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1385 /* Decrypt the master key */
1386 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1390 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1394 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1398 /* Copy intermediate key if needed by params */
1399 if (intermediate_key && intermediate_key_size) {
1400 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1401 if (*intermediate_key) {
1402 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1403 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1407 EVP_CIPHER_CTX_cleanup(&d_ctx);
1412 static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
1413 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1414 *kdf = scrypt_keymaster;
1416 } else if (ftr->kdf_type == KDF_SCRYPT) {
1425 static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1426 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1427 size_t* intermediate_key_size) {
1432 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1433 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1434 decrypted_master_key, kdf, kdf_params, intermediate_key,
1435 intermediate_key_size);
1437 SLOGW("failure decrypting master key");
1443 static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1444 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
1445 unsigned char key_buf[MAX_KEY_LEN];
1447 /* Get some random bits for a key and salt */
1448 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1451 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1455 /* Now encrypt it with the password */
1456 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1459 int wait_and_unmount(const char* mountpoint, bool kill) {
1461 #define WAIT_UNMOUNT_COUNT 20
1463 /* Now umount the tmpfs filesystem */
1464 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
1465 if (umount(mountpoint) == 0) {
1469 if (errno == EINVAL) {
1470 /* EINVAL is returned if the directory is not a mountpoint,
1471 * i.e. there is no filesystem mounted there. So just get out.
1478 /* If allowed, be increasingly aggressive before the last two retries */
1480 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1481 SLOGW("sending SIGHUP to processes with open files\n");
1482 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1483 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1484 SLOGW("sending SIGKILL to processes with open files\n");
1485 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1492 if (i < WAIT_UNMOUNT_COUNT) {
1493 SLOGD("unmounting %s succeeded\n", mountpoint);
1496 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1497 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1504 static void prep_data_fs(void) {
1505 // NOTE: post_fs_data results in init calling back around to vold, so all
1506 // callers to this method must be async
1508 /* Do the prep of the /data filesystem */
1509 property_set("vold.post_fs_data_done", "0");
1510 property_set("vold.decrypt", "trigger_post_fs_data");
1511 SLOGD("Just triggered post_fs_data");
1513 /* Wait a max of 50 seconds, hopefully it takes much less */
1514 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
1515 /* We timed out to prep /data in time. Continue wait. */
1516 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1518 SLOGD("post_fs_data done");
1521 static void cryptfs_set_corrupt() {
1522 // Mark the footer as bad
1523 struct crypt_mnt_ftr crypt_ftr;
1524 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1525 SLOGE("Failed to get crypto footer - panic");
1529 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1530 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1531 SLOGE("Failed to set crypto footer - panic");
1536 static void cryptfs_trigger_restart_min_framework() {
1537 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1538 SLOGE("Failed to mount tmpfs on data - panic");
1542 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1543 SLOGE("Failed to trigger post fs data - panic");
1547 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1548 SLOGE("Failed to trigger restart min framework - panic");
1553 /* returns < 0 on failure */
1554 static int cryptfs_restart_internal(int restart_main) {
1555 char crypto_blkdev[MAXPATHLEN];
1557 static int restart_successful = 0;
1559 /* Validate that it's OK to call this routine */
1560 if (!master_key_saved) {
1561 SLOGE("Encrypted filesystem not validated, aborting");
1565 if (restart_successful) {
1566 SLOGE("System already restarted with encrypted disk, aborting");
1571 /* Here is where we shut down the framework. The init scripts
1572 * start all services in one of three classes: core, main or late_start.
1573 * On boot, we start core and main. Now, we stop main, but not core,
1574 * as core includes vold and a few other really important things that
1575 * we need to keep running. Once main has stopped, we should be able
1576 * to umount the tmpfs /data, then mount the encrypted /data.
1577 * We then restart the class main, and also the class late_start.
1578 * At the moment, I've only put a few things in late_start that I know
1579 * are not needed to bring up the framework, and that also cause problems
1580 * with unmounting the tmpfs /data, but I hope to add add more services
1581 * to the late_start class as we optimize this to decrease the delay
1582 * till the user is asked for the password to the filesystem.
1585 /* The init files are setup to stop the class main when vold.decrypt is
1586 * set to trigger_reset_main.
1588 property_set("vold.decrypt", "trigger_reset_main");
1589 SLOGD("Just asked init to shut down class main\n");
1591 /* Ugh, shutting down the framework is not synchronous, so until it
1592 * can be fixed, this horrible hack will wait a moment for it all to
1593 * shut down before proceeding. Without it, some devices cannot
1594 * restart the graphics services.
1599 /* Now that the framework is shutdown, we should be able to umount()
1600 * the tmpfs filesystem, and mount the real one.
1603 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1604 if (strlen(crypto_blkdev) == 0) {
1605 SLOGE("fs_crypto_blkdev not set\n");
1609 if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
1610 /* If ro.crypto.readonly is set to 1, mount the decrypted
1611 * filesystem readonly. This is used when /data is mounted by
1614 char ro_prop[PROPERTY_VALUE_MAX];
1615 property_get("ro.crypto.readonly", ro_prop, "");
1616 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1617 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1618 if (entry != nullptr) {
1619 entry->flags |= MS_RDONLY;
1623 /* If that succeeded, then mount the decrypted filesystem */
1624 int retries = RETRY_MOUNT_ATTEMPTS;
1628 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1629 * partitions in the fsck domain.
1631 if (setexeccon(android::vold::sFsckContext)) {
1632 SLOGE("Failed to setexeccon");
1635 bool needs_cp = android::vold::cp_needsCheckpoint();
1636 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
1638 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1639 /* TODO: invoke something similar to
1640 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1641 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1642 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
1644 sleep(RETRY_MOUNT_DELAY_SECONDS);
1646 /* Let's hope that a reboot clears away whatever is keeping
1648 cryptfs_reboot(RebootType::reboot);
1651 SLOGE("Failed to mount decrypted data");
1652 cryptfs_set_corrupt();
1653 cryptfs_trigger_restart_min_framework();
1654 SLOGI("Started framework to offer wipe");
1655 if (setexeccon(NULL)) {
1656 SLOGE("Failed to setexeccon");
1661 if (setexeccon(NULL)) {
1662 SLOGE("Failed to setexeccon");
1666 /* Create necessary paths on /data */
1668 property_set("vold.decrypt", "trigger_load_persist_props");
1670 /* startup service classes main and late_start */
1671 property_set("vold.decrypt", "trigger_restart_framework");
1672 SLOGD("Just triggered restart_framework\n");
1674 /* Give it a few moments to get started */
1679 restart_successful = 1;
1685 int cryptfs_restart(void) {
1686 SLOGI("cryptfs_restart");
1687 if (fscrypt_is_native()) {
1688 SLOGE("cryptfs_restart not valid for file encryption:");
1692 /* Call internal implementation forcing a restart of main service group */
1693 return cryptfs_restart_internal(1);
1696 static int do_crypto_complete(const char* mount_point) {
1697 struct crypt_mnt_ftr crypt_ftr;
1698 char encrypted_state[PROPERTY_VALUE_MAX];
1700 property_get("ro.crypto.state", encrypted_state, "");
1701 if (strcmp(encrypted_state, "encrypted")) {
1702 SLOGE("not running with encryption, aborting");
1703 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1706 // crypto_complete is full disk encrypted status
1707 if (fscrypt_is_native()) {
1708 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1711 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1712 std::string key_loc;
1713 get_crypt_info(&key_loc, nullptr);
1716 * Only report this error if key_loc is a file and it exists.
1717 * If the device was never encrypted, and /data is not mountable for
1718 * some reason, returning 1 should prevent the UI from presenting the
1719 * a "enter password" screen, or worse, a "press button to wipe the
1722 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
1723 SLOGE("master key file does not exist, aborting");
1724 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1726 SLOGE("Error getting crypt footer and key\n");
1727 return CRYPTO_COMPLETE_BAD_METADATA;
1731 // Test for possible error flags
1732 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1733 SLOGE("Encryption process is partway completed\n");
1734 return CRYPTO_COMPLETE_PARTIAL;
1737 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1738 SLOGE("Encryption process was interrupted but cannot continue\n");
1739 return CRYPTO_COMPLETE_INCONSISTENT;
1742 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1743 SLOGE("Encryption is successful but data is corrupt\n");
1744 return CRYPTO_COMPLETE_CORRUPT;
1747 /* We passed the test! We shall diminish, and return to the west */
1748 return CRYPTO_COMPLETE_ENCRYPTED;
1751 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1752 const char* mount_point, const char* label) {
1753 unsigned char decrypted_master_key[MAX_KEY_LEN];
1754 char crypto_blkdev[MAXPATHLEN];
1755 std::string real_blkdev;
1756 char tmp_mount_point[64];
1757 unsigned int orig_failed_decrypt_count;
1759 int use_keymaster = 0;
1761 unsigned char* intermediate_key = 0;
1762 size_t intermediate_key_size = 0;
1763 int N = 1 << crypt_ftr->N_factor;
1764 int r = 1 << crypt_ftr->r_factor;
1765 int p = 1 << crypt_ftr->p_factor;
1767 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1768 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1770 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1771 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1772 &intermediate_key_size)) {
1773 SLOGE("Failed to decrypt master key\n");
1779 get_crypt_info(nullptr, &real_blkdev);
1781 // Create crypto block device - all (non fatal) code paths
1783 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
1785 SLOGE("Error creating decrypted block device\n");
1790 /* Work out if the problem is the password or the data */
1791 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
1793 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1794 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1795 sizeof(scrypted_intermediate_key));
1797 // Does the key match the crypto footer?
1798 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1799 sizeof(scrypted_intermediate_key)) == 0) {
1800 SLOGI("Password matches");
1803 /* Try mounting the file system anyway, just in case the problem's with
1804 * the footer, not the key. */
1805 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1806 mkdir(tmp_mount_point, 0755);
1807 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1808 SLOGE("Error temp mounting decrypted block device\n");
1809 delete_crypto_blk_dev(label);
1811 rc = ++crypt_ftr->failed_decrypt_count;
1812 put_crypt_ftr_and_key(crypt_ftr);
1815 SLOGI("Password did not match but decrypted drive mounted - continue");
1816 umount(tmp_mount_point);
1822 crypt_ftr->failed_decrypt_count = 0;
1823 if (orig_failed_decrypt_count != 0) {
1824 put_crypt_ftr_and_key(crypt_ftr);
1827 /* Save the name of the crypto block device
1828 * so we can mount it when restarting the framework. */
1829 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1831 /* Also save a the master key so we can reencrypted the key
1832 * the key when we want to change the password on it. */
1833 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1834 saved_mount_point = strdup(mount_point);
1835 master_key_saved = 1;
1836 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1839 // Upgrade if we're not using the latest KDF.
1840 use_keymaster = keymaster_check_compatibility();
1841 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1842 // Don't allow downgrade
1843 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1844 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1846 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1847 crypt_ftr->kdf_type = KDF_SCRYPT;
1852 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1853 crypt_ftr->master_key, crypt_ftr);
1855 rc = put_crypt_ftr_and_key(crypt_ftr);
1857 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1859 // Do not fail even if upgrade failed - machine is bootable
1860 // Note that if this code is ever hit, there is a *serious* problem
1861 // since KDFs should never fail. You *must* fix the kdf before
1865 "Upgrade failed with error %d,"
1866 " but continuing with previous state",
1874 if (intermediate_key) {
1875 memset(intermediate_key, 0, intermediate_key_size);
1876 free(intermediate_key);
1882 * Called by vold when it's asked to mount an encrypted external
1883 * storage volume. The incoming partition has no crypto header/footer,
1884 * as any metadata is been stored in a separate, small partition. We
1885 * assume it must be using our same crypt type and keysize.
1887 * out_crypto_blkdev must be MAXPATHLEN.
1889 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
1890 char* out_crypto_blkdev) {
1891 uint64_t nr_sec = 0;
1892 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
1893 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1897 struct crypt_mnt_ftr ext_crypt_ftr;
1898 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1899 ext_crypt_ftr.fs_size = nr_sec;
1900 ext_crypt_ftr.keysize = cryptfs_get_keysize();
1901 strlcpy((char*)ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
1902 MAX_CRYPTO_TYPE_NAME_LEN);
1904 if (fscrypt_is_native() &&
1905 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1906 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
1908 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
1912 * Called by vold when it's asked to unmount an encrypted external
1915 int cryptfs_revert_ext_volume(const char* label) {
1916 return delete_crypto_blk_dev((char*)label);
1919 int cryptfs_crypto_complete(void) {
1920 return do_crypto_complete("/data");
1923 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
1924 char encrypted_state[PROPERTY_VALUE_MAX];
1925 property_get("ro.crypto.state", encrypted_state, "");
1926 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1928 "encrypted fs already validated or not running with encryption,"
1933 if (get_crypt_ftr_and_key(crypt_ftr)) {
1934 SLOGE("Error getting crypt footer and key");
1941 int cryptfs_check_passwd(const char* passwd) {
1942 SLOGI("cryptfs_check_passwd");
1943 if (fscrypt_is_native()) {
1944 SLOGE("cryptfs_check_passwd not valid for file encryption");
1948 struct crypt_mnt_ftr crypt_ftr;
1951 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1953 SLOGE("Could not get footer");
1957 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1959 SLOGE("Password did not match");
1963 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1964 // Here we have a default actual password but a real password
1965 // we must test against the scrypted value
1966 // First, we must delete the crypto block device that
1967 // test_mount_encrypted_fs leaves behind as a side effect
1968 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1969 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
1970 CRYPTO_BLOCK_DEVICE);
1972 SLOGE("Default password did not match on reboot encryption");
1976 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
1977 put_crypt_ftr_and_key(&crypt_ftr);
1978 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
1980 SLOGE("Could not change password on reboot encryption");
1985 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1986 cryptfs_clear_password();
1987 password = strdup(passwd);
1988 struct timespec now;
1989 clock_gettime(CLOCK_BOOTTIME, &now);
1990 password_expiry_time = now.tv_sec + password_max_age_seconds;
1996 int cryptfs_verify_passwd(const char* passwd) {
1997 struct crypt_mnt_ftr crypt_ftr;
1998 unsigned char decrypted_master_key[MAX_KEY_LEN];
1999 char encrypted_state[PROPERTY_VALUE_MAX];
2002 property_get("ro.crypto.state", encrypted_state, "");
2003 if (strcmp(encrypted_state, "encrypted")) {
2004 SLOGE("device not encrypted, aborting");
2008 if (!master_key_saved) {
2009 SLOGE("encrypted fs not yet mounted, aborting");
2013 if (!saved_mount_point) {
2014 SLOGE("encrypted fs failed to save mount point, aborting");
2018 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2019 SLOGE("Error getting crypt footer and key\n");
2023 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2024 /* If the device has no password, then just say the password is valid */
2027 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2028 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2029 /* They match, the password is correct */
2032 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2041 /* Initialize a crypt_mnt_ftr structure. The keysize is
2042 * defaulted to cryptfs_get_keysize() bytes, and the filesystem size to 0.
2043 * Presumably, at a minimum, the caller will update the
2044 * filesystem size and crypto_type_name after calling this function.
2046 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
2049 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2050 ftr->magic = CRYPT_MNT_MAGIC;
2051 ftr->major_version = CURRENT_MAJOR_VERSION;
2052 ftr->minor_version = CURRENT_MINOR_VERSION;
2053 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2054 ftr->keysize = cryptfs_get_keysize();
2056 switch (keymaster_check_compatibility()) {
2058 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2062 ftr->kdf_type = KDF_SCRYPT;
2066 SLOGE("keymaster_check_compatibility failed");
2070 get_device_scrypt_params(ftr);
2072 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2073 if (get_crypt_ftr_info(NULL, &off) == 0) {
2074 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2075 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
2081 #define FRAMEWORK_BOOT_WAIT 60
2083 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) {
2084 int fd = open(filename, O_RDONLY | O_CLOEXEC);
2086 SLOGE("Error opening file %s", filename);
2090 char block[CRYPT_INPLACE_BUFSIZE];
2091 memset(block, 0, sizeof(block));
2092 if (unix_read(fd, block, sizeof(block)) < 0) {
2093 SLOGE("Error reading file %s", filename);
2102 SHA256_Update(&c, block, sizeof(block));
2103 SHA256_Final(buf, &c);
2108 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr* crypt_ftr, char* crypto_blkdev,
2109 char* real_blkdev, int previously_encrypted_upto) {
2110 off64_t cur_encryption_done = 0, tot_encryption_size = 0;
2113 /* The size of the userdata partition, and add in the vold volumes below */
2114 tot_encryption_size = crypt_ftr->fs_size;
2116 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, crypt_ftr->fs_size, &cur_encryption_done,
2117 tot_encryption_size, previously_encrypted_upto, true);
2119 if (rc == ENABLE_INPLACE_ERR_DEV) {
2120 /* Hack for b/17898962 */
2121 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2122 cryptfs_reboot(RebootType::reboot);
2126 crypt_ftr->encrypted_upto = cur_encryption_done;
2129 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2130 /* The inplace routine never actually sets the progress to 100% due
2131 * to the round down nature of integer division, so set it here */
2132 property_set("vold.encrypt_progress", "100");
2138 static int vold_unmountAll(void) {
2139 VolumeManager* vm = VolumeManager::Instance();
2140 return vm->unmountAll();
2143 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2144 char crypto_blkdev[MAXPATHLEN];
2145 std::string real_blkdev;
2146 unsigned char decrypted_master_key[MAX_KEY_LEN];
2148 struct crypt_mnt_ftr crypt_ftr;
2149 struct crypt_persist_data* pdata;
2150 char encrypted_state[PROPERTY_VALUE_MAX];
2151 char lockid[32] = {0};
2152 std::string key_loc;
2154 off64_t previously_encrypted_upto = 0;
2155 bool rebootEncryption = false;
2156 bool onlyCreateHeader = false;
2158 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2159 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
2160 /* An encryption was underway and was interrupted */
2161 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2162 crypt_ftr.encrypted_upto = 0;
2163 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2165 /* At this point, we are in an inconsistent state. Until we successfully
2166 complete encryption, a reboot will leave us broken. So mark the
2167 encryption failed in case that happens.
2168 On successfully completing encryption, remove this flag */
2169 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2171 put_crypt_ftr_and_key(&crypt_ftr);
2172 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2173 if (!check_ftr_sha(&crypt_ftr)) {
2174 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2175 put_crypt_ftr_and_key(&crypt_ftr);
2176 goto error_unencrypted;
2179 /* Doing a reboot-encryption*/
2180 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2181 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2182 rebootEncryption = true;
2185 // We don't want to accidentally reference invalid data.
2186 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2189 property_get("ro.crypto.state", encrypted_state, "");
2190 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2191 SLOGE("Device is already running encrypted, aborting");
2192 goto error_unencrypted;
2195 get_crypt_info(&key_loc, &real_blkdev);
2197 /* Get the size of the real block device */
2199 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
2200 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
2201 goto error_unencrypted;
2204 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2205 if (key_loc == KEY_IN_FOOTER) {
2206 uint64_t fs_size_sec, max_fs_size_sec;
2207 fs_size_sec = get_fs_size(real_blkdev.c_str());
2208 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
2210 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2212 if (fs_size_sec > max_fs_size_sec) {
2213 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2214 goto error_unencrypted;
2218 /* Get a wakelock as this may take a while, and we don't want the
2219 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2220 * wants to keep the screen on, it can grab a full wakelock.
2222 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
2223 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2225 /* The init files are setup to stop the class main and late start when
2226 * vold sets trigger_shutdown_framework.
2228 property_set("vold.decrypt", "trigger_shutdown_framework");
2229 SLOGD("Just asked init to shut down class main\n");
2231 /* Ask vold to unmount all devices that it manages */
2232 if (vold_unmountAll()) {
2233 SLOGE("Failed to unmount all vold managed devices");
2236 /* no_ui means we are being called from init, not settings.
2237 Now we always reboot from settings, so !no_ui means reboot
2240 /* Try fallback, which is to reboot and try there */
2241 onlyCreateHeader = true;
2242 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2243 if (breadcrumb == 0) {
2244 SLOGE("Failed to create breadcrumb file");
2245 goto error_shutting_down;
2250 /* Do extra work for a better UX when doing the long inplace encryption */
2251 if (!onlyCreateHeader) {
2252 /* Now that /data is unmounted, we need to mount a tmpfs
2253 * /data, set a property saying we're doing inplace encryption,
2254 * and restart the framework.
2256 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2257 goto error_shutting_down;
2259 /* Tells the framework that inplace encryption is starting */
2260 property_set("vold.encrypt_progress", "0");
2262 /* restart the framework. */
2263 /* Create necessary paths on /data */
2266 /* Ugh, shutting down the framework is not synchronous, so until it
2267 * can be fixed, this horrible hack will wait a moment for it all to
2268 * shut down before proceeding. Without it, some devices cannot
2269 * restart the graphics services.
2274 /* Start the actual work of making an encrypted filesystem */
2275 /* Initialize a crypt_mnt_ftr for the partition */
2276 if (previously_encrypted_upto == 0 && !rebootEncryption) {
2277 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2278 goto error_shutting_down;
2281 if (key_loc == KEY_IN_FOOTER) {
2282 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2284 crypt_ftr.fs_size = nr_sec;
2286 /* At this point, we are in an inconsistent state. Until we successfully
2287 complete encryption, a reboot will leave us broken. So mark the
2288 encryption failed in case that happens.
2289 On successfully completing encryption, remove this flag */
2290 if (onlyCreateHeader) {
2291 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2293 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2295 crypt_ftr.crypt_type = crypt_type;
2296 strlcpy((char*)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
2297 MAX_CRYPTO_TYPE_NAME_LEN);
2299 /* Make an encrypted master key */
2300 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2301 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2302 SLOGE("Cannot create encrypted master key\n");
2303 goto error_shutting_down;
2306 /* Replace scrypted intermediate key if we are preparing for a reboot */
2307 if (onlyCreateHeader) {
2308 unsigned char fake_master_key[MAX_KEY_LEN];
2309 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2310 memset(fake_master_key, 0, sizeof(fake_master_key));
2311 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2315 /* Write the key to the end of the partition */
2316 put_crypt_ftr_and_key(&crypt_ftr);
2318 /* If any persistent data has been remembered, save it.
2319 * If none, create a valid empty table and save that.
2321 if (!persist_data) {
2322 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2324 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2325 persist_data = pdata;
2329 save_persistent_data();
2333 if (onlyCreateHeader) {
2335 cryptfs_reboot(RebootType::reboot);
2338 if (!no_ui || rebootEncryption) {
2339 /* startup service classes main and late_start */
2340 property_set("vold.decrypt", "trigger_restart_min_framework");
2341 SLOGD("Just triggered restart_min_framework\n");
2343 /* OK, the framework is restarted and will soon be showing a
2344 * progress bar. Time to setup an encrypted mapping, and
2345 * either write a new filesystem, or encrypt in place updating
2346 * the progress bar as we work.
2350 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2351 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(), crypto_blkdev,
2352 CRYPTO_BLOCK_DEVICE, 0);
2354 /* If we are continuing, check checksums match */
2356 if (previously_encrypted_upto) {
2357 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
2358 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
2361 memcmp(hash_first_block, crypt_ftr.hash_first_block, sizeof(hash_first_block)) != 0) {
2362 SLOGE("Checksums do not match - trigger wipe");
2368 rc = cryptfs_enable_all_volumes(&crypt_ftr, crypto_blkdev, real_blkdev.data(),
2369 previously_encrypted_upto);
2372 /* Calculate checksum if we are not finished */
2373 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2374 rc = cryptfs_SHA256_fileblock(crypto_blkdev, crypt_ftr.hash_first_block);
2376 SLOGE("Error calculating checksum for continuing encryption");
2381 /* Undo the dm-crypt mapping whether we succeed or not */
2382 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2386 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2388 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
2389 SLOGD("Encrypted up to sector %lld - will continue after reboot",
2390 crypt_ftr.encrypted_upto);
2391 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
2394 put_crypt_ftr_and_key(&crypt_ftr);
2396 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
2397 char value[PROPERTY_VALUE_MAX];
2398 property_get("ro.crypto.state", value, "");
2399 if (!strcmp(value, "")) {
2400 /* default encryption - continue first boot sequence */
2401 property_set("ro.crypto.state", "encrypted");
2402 property_set("ro.crypto.type", "block");
2403 release_wake_lock(lockid);
2404 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2405 // Bring up cryptkeeper that will check the password and set it
2406 property_set("vold.decrypt", "trigger_shutdown_framework");
2408 property_set("vold.encrypt_progress", "");
2409 cryptfs_trigger_restart_min_framework();
2411 cryptfs_check_passwd(DEFAULT_PASSWORD);
2412 cryptfs_restart_internal(1);
2416 sleep(2); /* Give the UI a chance to show 100% progress */
2417 cryptfs_reboot(RebootType::reboot);
2420 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
2421 cryptfs_reboot(RebootType::shutdown);
2424 char value[PROPERTY_VALUE_MAX];
2426 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2427 if (!strcmp(value, "1")) {
2428 /* wipe data if encryption failed */
2429 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2431 const std::vector<std::string> options = {
2432 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
2433 if (!write_bootloader_message(options, &err)) {
2434 SLOGE("could not write bootloader message: %s", err.c_str());
2436 cryptfs_reboot(RebootType::recovery);
2438 /* set property to trigger dialog */
2439 property_set("vold.encrypt_progress", "error_partially_encrypted");
2440 release_wake_lock(lockid);
2445 /* hrm, the encrypt step claims success, but the reboot failed.
2446 * This should not happen.
2447 * Set the property and return. Hope the framework can deal with it.
2449 property_set("vold.encrypt_progress", "error_reboot_failed");
2450 release_wake_lock(lockid);
2454 property_set("vold.encrypt_progress", "error_not_encrypted");
2456 release_wake_lock(lockid);
2460 error_shutting_down:
2461 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2462 * but the framework is stopped and not restarted to show the error, so it's up to
2463 * vold to restart the system.
2466 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2468 cryptfs_reboot(RebootType::reboot);
2470 /* shouldn't get here */
2471 property_set("vold.encrypt_progress", "error_shutting_down");
2473 release_wake_lock(lockid);
2478 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2479 return cryptfs_enable_internal(type, passwd, no_ui);
2482 int cryptfs_enable_default(int no_ui) {
2483 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2486 int cryptfs_changepw(int crypt_type, const char* newpw) {
2487 if (fscrypt_is_native()) {
2488 SLOGE("cryptfs_changepw not valid for file encryption");
2492 struct crypt_mnt_ftr crypt_ftr;
2495 /* This is only allowed after we've successfully decrypted the master key */
2496 if (!master_key_saved) {
2497 SLOGE("Key not saved, aborting");
2501 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2502 SLOGE("Invalid crypt_type %d", crypt_type);
2507 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2508 SLOGE("Error getting crypt footer and key");
2512 crypt_ftr.crypt_type = crypt_type;
2514 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2515 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
2517 SLOGE("Encrypt master key failed: %d", rc);
2521 put_crypt_ftr_and_key(&crypt_ftr);
2526 static unsigned int persist_get_max_entries(int encrypted) {
2527 struct crypt_mnt_ftr crypt_ftr;
2530 /* If encrypted, use the values from the crypt_ftr, otherwise
2531 * use the values for the current spec.
2534 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2535 /* Something is wrong, assume no space for entries */
2538 dsize = crypt_ftr.persist_data_size;
2540 dsize = CRYPT_PERSIST_DATA_SIZE;
2543 if (dsize > sizeof(struct crypt_persist_data)) {
2544 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2550 static int persist_get_key(const char* fieldname, char* value) {
2553 if (persist_data == NULL) {
2556 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2557 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2559 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2567 static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
2570 unsigned int max_persistent_entries;
2572 if (persist_data == NULL) {
2576 max_persistent_entries = persist_get_max_entries(encrypted);
2578 num = persist_data->persist_valid_entries;
2580 for (i = 0; i < num; i++) {
2581 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2582 /* We found an existing entry, update it! */
2583 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2584 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2589 /* We didn't find it, add it to the end, if there is room */
2590 if (persist_data->persist_valid_entries < max_persistent_entries) {
2591 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2592 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2593 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2594 persist_data->persist_valid_entries++;
2602 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2603 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2605 int match_multi_entry(const char* key, const char* field, unsigned index) {
2606 std::string key_ = key;
2607 std::string field_ = field;
2609 std::string parsed_field;
2610 unsigned parsed_index;
2612 std::string::size_type split = key_.find_last_of('_');
2613 if (split == std::string::npos) {
2614 parsed_field = key_;
2617 parsed_field = key_.substr(0, split);
2618 parsed_index = std::stoi(key_.substr(split + 1));
2621 return parsed_field == field_ && parsed_index >= index;
2625 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2626 * remaining entries starting from index will be deleted.
2627 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2628 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2629 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2632 static int persist_del_keys(const char* fieldname, unsigned index) {
2637 if (persist_data == NULL) {
2638 return PERSIST_DEL_KEY_ERROR_OTHER;
2641 num = persist_data->persist_valid_entries;
2643 j = 0; // points to the end of non-deleted entries.
2644 // Filter out to-be-deleted entries in place.
2645 for (i = 0; i < num; i++) {
2646 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2647 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2653 persist_data->persist_valid_entries = j;
2654 // Zeroise the remaining entries
2655 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2656 return PERSIST_DEL_KEY_OK;
2658 // Did not find an entry matching the given fieldname
2659 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2663 static int persist_count_keys(const char* fieldname) {
2667 if (persist_data == NULL) {
2672 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2673 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2681 /* Return the value of the specified field. */
2682 int cryptfs_getfield(const char* fieldname, char* value, int len) {
2683 if (fscrypt_is_native()) {
2684 SLOGE("Cannot get field when file encrypted");
2688 char temp_value[PROPERTY_VALUE_MAX];
2689 /* CRYPTO_GETFIELD_OK is success,
2690 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2691 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2692 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2694 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2696 char temp_field[PROPERTY_KEY_MAX];
2698 if (persist_data == NULL) {
2699 load_persistent_data();
2700 if (persist_data == NULL) {
2701 SLOGE("Getfield error, cannot load persistent data");
2706 // Read value from persistent entries. If the original value is split into multiple entries,
2707 // stitch them back together.
2708 if (!persist_get_key(fieldname, temp_value)) {
2709 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2710 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
2712 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2715 rc = CRYPTO_GETFIELD_OK;
2717 for (i = 1; /* break explicitly */; i++) {
2718 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2719 (int)sizeof(temp_field)) {
2720 // If the fieldname is very long, we stop as soon as it begins to overflow the
2721 // maximum field length. At this point we have in fact fully read out the original
2722 // value because cryptfs_setfield would not allow fields with longer names to be
2723 // written in the first place.
2726 if (!persist_get_key(temp_field, temp_value)) {
2727 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2729 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2733 // Exhaust all entries.
2738 /* Sadness, it's not there. Return the error */
2739 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2746 /* Set the value of the specified field. */
2747 int cryptfs_setfield(const char* fieldname, const char* value) {
2748 if (fscrypt_is_native()) {
2749 SLOGE("Cannot set field when file encrypted");
2753 char encrypted_state[PROPERTY_VALUE_MAX];
2754 /* 0 is success, negative values are error */
2755 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2757 unsigned int field_id;
2758 char temp_field[PROPERTY_KEY_MAX];
2759 unsigned int num_entries;
2760 unsigned int max_keylen;
2762 if (persist_data == NULL) {
2763 load_persistent_data();
2764 if (persist_data == NULL) {
2765 SLOGE("Setfield error, cannot load persistent data");
2770 property_get("ro.crypto.state", encrypted_state, "");
2771 if (!strcmp(encrypted_state, "encrypted")) {
2775 // Compute the number of entries required to store value, each entry can store up to
2776 // (PROPERTY_VALUE_MAX - 1) chars
2777 if (strlen(value) == 0) {
2778 // Empty value also needs one entry to store.
2781 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2784 max_keylen = strlen(fieldname);
2785 if (num_entries > 1) {
2786 // Need an extra "_%d" suffix.
2787 max_keylen += 1 + log10(num_entries);
2789 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2790 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2794 // Make sure we have enough space to write the new value
2795 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2796 persist_get_max_entries(encrypted)) {
2797 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2801 // Now that we know persist_data has enough space for value, let's delete the old field first
2802 // to make up space.
2803 persist_del_keys(fieldname, 0);
2805 if (persist_set_key(fieldname, value, encrypted)) {
2806 // fail to set key, should not happen as we have already checked the available space
2807 SLOGE("persist_set_key() error during setfield()");
2811 for (field_id = 1; field_id < num_entries; field_id++) {
2812 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2814 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2815 // fail to set key, should not happen as we have already checked the available space.
2816 SLOGE("persist_set_key() error during setfield()");
2821 /* If we are running encrypted, save the persistent data now */
2823 if (save_persistent_data()) {
2824 SLOGE("Setfield error, cannot save persistent data");
2829 rc = CRYPTO_SETFIELD_OK;
2835 /* Checks userdata. Attempt to mount the volume if default-
2837 * On success trigger next init phase and return 0.
2838 * Currently do not handle failure - see TODO below.
2840 int cryptfs_mount_default_encrypted(void) {
2841 int crypt_type = cryptfs_get_password_type();
2842 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2843 SLOGE("Bad crypt type - error");
2844 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2846 "Password is not default - "
2847 "starting min framework to prompt");
2848 property_set("vold.decrypt", "trigger_restart_min_framework");
2850 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2851 SLOGD("Password is default - restarting filesystem");
2852 cryptfs_restart_internal(0);
2855 SLOGE("Encrypted, default crypt type but can't decrypt");
2858 /** Corrupt. Allow us to boot into framework, which will detect bad
2859 crypto when it calls do_crypto_complete, then do a factory reset
2861 property_set("vold.decrypt", "trigger_restart_min_framework");
2865 /* Returns type of the password, default, pattern, pin or password.
2867 int cryptfs_get_password_type(void) {
2868 if (fscrypt_is_native()) {
2869 SLOGE("cryptfs_get_password_type not valid for file encryption");
2873 struct crypt_mnt_ftr crypt_ftr;
2875 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2876 SLOGE("Error getting crypt footer and key\n");
2880 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2884 return crypt_ftr.crypt_type;
2887 const char* cryptfs_get_password() {
2888 if (fscrypt_is_native()) {
2889 SLOGE("cryptfs_get_password not valid for file encryption");
2893 struct timespec now;
2894 clock_gettime(CLOCK_BOOTTIME, &now);
2895 if (now.tv_sec < password_expiry_time) {
2898 cryptfs_clear_password();
2903 void cryptfs_clear_password() {
2905 size_t len = strlen(password);
2906 memset(password, 0, len);
2909 password_expiry_time = 0;
2913 int cryptfs_isConvertibleToFBE() {
2914 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2915 return entry && entry->fs_mgr_flags.force_fde_or_fbe;