2 * Copyright (C) 2010 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #define LOG_TAG "Cryptfs"
21 #include "Checkpoint.h"
22 #include "CryptoType.h"
23 #include "EncryptInplace.h"
25 #include "Keymaster.h"
27 #include "ScryptParameters.h"
30 #include "VolumeManager.h"
32 #include <android-base/logging.h>
33 #include <android-base/parseint.h>
34 #include <android-base/properties.h>
35 #include <android-base/stringprintf.h>
36 #include <android-base/strings.h>
37 #include <bootloader_message/bootloader_message.h>
38 #include <cutils/android_reboot.h>
39 #include <cutils/properties.h>
40 #include <ext4_utils/ext4_utils.h>
41 #include <f2fs_sparseblock.h>
43 #include <fscrypt/fscrypt.h>
46 #include <logwrap/logwrap.h>
47 #include <openssl/evp.h>
48 #include <openssl/sha.h>
49 #include <selinux/selinux.h>
50 #include <wakelock/wakelock.h>
57 #include <linux/kdev_t.h>
63 #include <sys/mount.h>
64 #include <sys/param.h>
66 #include <sys/types.h>
75 #include <crypto_scrypt.h>
78 using android::base::ParseUint;
79 using android::base::StringPrintf;
80 using android::fs_mgr::GetEntryForMountPoint;
81 using android::vold::CryptoType;
82 using android::vold::KeyBuffer;
83 using android::vold::KeyGeneration;
84 using namespace android::vold;
85 using namespace android::dm;
86 using namespace std::chrono_literals;
88 /* The current cryptfs version */
89 #define CURRENT_MAJOR_VERSION 1
90 #define CURRENT_MINOR_VERSION 3
92 #define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
93 #define CRYPT_PERSIST_DATA_SIZE 0x1000
95 #define CRYPT_SECTOR_SIZE 512
97 #define MAX_CRYPTO_TYPE_NAME_LEN 64
99 #define MAX_KEY_LEN 48
101 #define SCRYPT_LEN 32
103 /* definitions of flags in the structure below */
104 #define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
105 #define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* no longer used */
106 #define CRYPT_INCONSISTENT_STATE \
107 0x4 /* Set when starting encryption, clear when \
108 exit cleanly, either through success or \
109 correctly marked partial encryption */
110 #define CRYPT_DATA_CORRUPT \
111 0x8 /* Set when encryption is fine, but the \
112 underlying volume is corrupt */
113 #define CRYPT_FORCE_ENCRYPTION \
114 0x10 /* Set when it is time to encrypt this \
115 volume on boot. Everything in this \
116 structure is set up correctly as \
117 though device is encrypted except \
118 that the master key is encrypted with the \
120 #define CRYPT_FORCE_COMPLETE \
121 0x20 /* Set when the above encryption cycle is \
122 complete. On next cryptkeeper entry, match \
123 the password. If it matches fix the master \
124 key and remove this flag. */
126 /* Allowed values for type in the structure below */
127 #define CRYPT_TYPE_PASSWORD \
128 0 /* master_key is encrypted with a password \
129 * Must be zero to be compatible with pre-L \
130 * devices where type is always password.*/
131 #define CRYPT_TYPE_DEFAULT \
132 1 /* master_key is encrypted with default \
134 #define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
135 #define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
136 #define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
138 #define CRYPT_MNT_MAGIC 0xD0B5B1C4
139 #define PERSIST_DATA_MAGIC 0xE950CD44
141 /* Key Derivation Function algorithms */
144 /* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
145 #define KDF_SCRYPT_KEYMASTER 5
147 /* Maximum allowed keymaster blob size. */
148 #define KEYMASTER_BLOB_SIZE 2048
150 /* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
151 #define __le8 unsigned char
153 #if !defined(SHA256_DIGEST_LENGTH)
154 #define SHA256_DIGEST_LENGTH 32
157 /* This structure starts 16,384 bytes before the end of a hardware
158 * partition that is encrypted, or in a separate partition. It's location
159 * is specified by a property set in init.<device>.rc.
160 * The structure allocates 48 bytes for a key, but the real key size is
161 * specified in the struct. Currently, the code is hardcoded to use 128
163 * The fields after salt are only valid in rev 1.1 and later stuctures.
164 * Obviously, the filesystem does not include the last 16 kbytes
165 * of the partition if the crypt_mnt_ftr lives at the end of the
169 struct crypt_mnt_ftr {
170 __le32 magic; /* See above */
171 __le16 major_version;
172 __le16 minor_version;
173 __le32 ftr_size; /* in bytes, not including key following */
174 __le32 flags; /* See above */
175 __le32 keysize; /* in bytes */
176 __le32 crypt_type; /* how master_key is encrypted. Must be a
177 * CRYPT_TYPE_XXX value */
178 __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
179 __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
180 mount, set to 0 on successful mount */
181 unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
182 needed to decrypt this
183 partition, null terminated */
184 __le32 spare2; /* ignored */
185 unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
186 unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
187 __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
188 * on device with that info, either the footer of the
189 * real_blkdevice or the metadata partition. */
191 __le32 persist_data_size; /* The number of bytes allocated to each copy of the
192 * persistent data table*/
194 __le8 kdf_type; /* The key derivation function used. */
196 /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
197 __le8 N_factor; /* (1 << N) */
198 __le8 r_factor; /* (1 << r) */
199 __le8 p_factor; /* (1 << p) */
200 __le64 encrypted_upto; /* no longer used */
201 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* no longer used */
203 /* key_master key, used to sign the derived key which is then used to generate
204 * the intermediate key
205 * This key should be used for no other purposes! We use this key to sign unpadded
206 * data, which is acceptable but only if the key is not reused elsewhere. */
207 __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
208 __le32 keymaster_blob_size;
210 /* Store scrypt of salted intermediate key. When decryption fails, we can
211 check if this matches, and if it does, we know that the problem is with the
212 drive, and there is no point in asking the user for more passwords.
214 Note that if any part of this structure is corrupt, this will not match and
215 we will continue to believe the user entered the wrong password. In that
216 case the only solution is for the user to enter a password enough times to
219 Note also that there is no need to worry about migration. If this data is
220 wrong, we simply won't recognise a right password, and will continue to
221 prompt. On the first password change, this value will be populated and
224 unsigned char scrypted_intermediate_key[SCRYPT_LEN];
226 /* sha of this structure with this element set to zero
227 Used when encrypting on reboot to validate structure before doing something
230 unsigned char sha256[SHA256_DIGEST_LENGTH];
233 /* Persistant data that should be available before decryption.
234 * Things like airplane mode, locale and timezone are kept
235 * here and can be retrieved by the CryptKeeper UI to properly
236 * configure the phone before asking for the password
237 * This is only valid if the major and minor version above
238 * is set to 1.1 or higher.
240 * This is a 4K structure. There are 2 copies, and the code alternates
241 * writing one and then clearing the previous one. The reading
242 * code reads the first valid copy it finds, based on the magic number.
243 * The absolute offset to the first of the two copies is kept in rev 1.1
244 * and higher crypt_mnt_ftr structures.
246 struct crypt_persist_entry {
247 char key[PROPERTY_KEY_MAX];
248 char val[PROPERTY_VALUE_MAX];
251 /* Should be exactly 4K in size */
252 struct crypt_persist_data {
253 __le32 persist_magic;
254 __le32 persist_valid_entries;
255 __le32 persist_spare[30];
256 struct crypt_persist_entry persist_entry[0];
259 static int wait_and_unmount(const char* mountpoint, bool kill);
261 typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
264 #define UNUSED __attribute__((unused))
266 #define HASH_COUNT 2000
268 constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
269 constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
270 constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
272 // SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
273 static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
275 #define KEY_IN_FOOTER "footer"
277 #define DEFAULT_PASSWORD "default_password"
279 #define CRYPTO_BLOCK_DEVICE "userdata"
281 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
286 #define TABLE_LOAD_RETRIES 10
288 #define RSA_KEY_SIZE 2048
289 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
290 #define RSA_EXPONENT 0x10001
291 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
293 #define RETRY_MOUNT_ATTEMPTS 10
294 #define RETRY_MOUNT_DELAY_SECONDS 1
296 #define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
298 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
300 static unsigned char saved_master_key[MAX_KEY_LEN];
301 static char* saved_mount_point;
302 static int master_key_saved = 0;
303 static struct crypt_persist_data* persist_data = NULL;
305 constexpr CryptoType aes_128_cbc = CryptoType()
306 .set_config_name("AES-128-CBC")
307 .set_kernel_name("aes-cbc-essiv:sha256")
310 constexpr CryptoType supported_crypto_types[] = {aes_128_cbc, android::vold::adiantum};
312 static_assert(validateSupportedCryptoTypes(MAX_KEY_LEN, supported_crypto_types,
313 array_length(supported_crypto_types)),
314 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
315 "incompletely constructed.");
317 static const CryptoType& get_crypto_type() {
318 // We only want to parse this read-only property once. But we need to wait
319 // until the system is initialized before we can read it. So we use a static
320 // scoped within this function to get it only once.
321 static CryptoType crypto_type =
322 lookup_crypto_algorithm(supported_crypto_types, array_length(supported_crypto_types),
323 aes_128_cbc, "ro.crypto.fde_algorithm");
327 const KeyGeneration cryptfs_get_keygen() {
328 return KeyGeneration{get_crypto_type().get_keysize(), true, false};
331 static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
332 uint32_t* out_size) {
333 if (!buffer || !out_size) {
334 LOG(ERROR) << "Missing target pointers";
337 *out_size = towrite.size();
338 if (buffer_size < towrite.size()) {
339 LOG(ERROR) << "Buffer too small " << buffer_size << " < " << towrite.size();
342 memset(buffer, '\0', buffer_size);
343 std::copy(towrite.begin(), towrite.end(), buffer);
347 static int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
348 uint32_t ratelimit, uint8_t* key_buffer,
349 uint32_t key_buffer_size,
350 uint32_t* key_out_size) {
356 LOG(ERROR) << "Failed to initiate keymaster session";
359 auto keyParams = km::AuthorizationSetBuilder()
360 .RsaSigningKey(rsa_key_size, rsa_exponent)
362 .Authorization(km::TAG_NO_AUTH_REQUIRED)
363 .Authorization(km::TAG_MIN_SECONDS_BETWEEN_OPS, ratelimit);
365 if (!dev.generateKey(keyParams, &key)) return -1;
366 if (!write_string_to_buf(key, key_buffer, key_buffer_size, key_out_size)) return -1;
370 /* Create a new keymaster key and store it in this footer */
371 static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
372 if (ftr->keymaster_blob_size) {
373 SLOGI("Already have key");
377 int rc = keymaster_create_key_for_cryptfs_scrypt(
378 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
379 KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
381 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
382 SLOGE("Keymaster key blob too large");
383 ftr->keymaster_blob_size = 0;
385 SLOGE("Failed to generate keypair");
391 static int keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr* ftr, uint32_t ratelimit,
392 const uint8_t* object, const size_t object_size,
393 uint8_t** signature_buffer,
394 size_t* signature_buffer_size) {
395 if (!object || !signature_buffer || !signature_buffer_size) {
396 LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument";
402 LOG(ERROR) << "Failed to initiate keymaster session";
406 km::AuthorizationSet outParams;
407 std::string key(reinterpret_cast<const char*>(ftr->keymaster_blob), ftr->keymaster_blob_size);
408 std::string input(reinterpret_cast<const char*>(object), object_size);
410 KeymasterOperation op;
412 auto paramBuilder = km::AuthorizationSetBuilder().NoDigestOrPadding().Authorization(
413 km::TAG_PURPOSE, km::KeyPurpose::SIGN);
415 op = dev.begin(key, paramBuilder, &outParams);
416 if (op.getErrorCode() == km::ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
424 LOG(ERROR) << "Error starting keymaster signature transaction: "
425 << int32_t(op.getErrorCode());
429 if (op.getUpgradedBlob()) {
430 write_string_to_buf(*op.getUpgradedBlob(), ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
431 &ftr->keymaster_blob_size);
433 SLOGD("Upgrading key");
434 if (put_crypt_ftr_and_key(ftr) != 0) {
435 SLOGE("Failed to write upgraded key to disk");
438 SLOGD("Key upgraded successfully");
441 if (!op.updateCompletely(input, &output)) {
442 LOG(ERROR) << "Error sending data to keymaster signature transaction: "
443 << int32_t(op.getErrorCode());
447 if (!op.finish(&output)) {
448 LOG(ERROR) << "Error finalizing keymaster signature transaction: "
449 << int32_t(op.getErrorCode());
453 *signature_buffer = reinterpret_cast<uint8_t*>(malloc(output.size()));
454 if (*signature_buffer == nullptr) {
455 LOG(ERROR) << "Error allocation buffer for keymaster signature";
458 *signature_buffer_size = output.size();
459 std::copy(output.data(), output.data() + output.size(), *signature_buffer);
464 /* This signs the given object using the keymaster key. */
465 static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
466 const size_t object_size, unsigned char** signature,
467 size_t* signature_size) {
468 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
469 size_t to_sign_size = sizeof(to_sign);
470 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
472 // To sign a message with RSA, the message must satisfy two
475 // 1. The message, when interpreted as a big-endian numeric value, must
476 // be strictly less than the public modulus of the RSA key. Note
477 // that because the most significant bit of the public modulus is
478 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
479 // key), an n-bit message with most significant bit 0 always
480 // satisfies this requirement.
482 // 2. The message must have the same length in bits as the public
483 // modulus of the RSA key. This requirement isn't mathematically
484 // necessary, but is necessary to ensure consistency in
486 switch (ftr->kdf_type) {
487 case KDF_SCRYPT_KEYMASTER:
488 // This ensures the most significant byte of the signed message
489 // is zero. We could have zero-padded to the left instead, but
490 // this approach is slightly more robust against changes in
491 // object size. However, it's still broken (but not unusably
492 // so) because we really should be using a proper deterministic
493 // RSA padding function, such as PKCS1.
494 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
495 SLOGI("Signing safely-padded object");
498 SLOGE("Unknown KDF type %d", ftr->kdf_type);
501 return keymaster_sign_object_for_cryptfs_scrypt(ftr, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
502 to_sign_size, signature, signature_size);
505 /* Store password when userdata is successfully decrypted and mounted.
506 * Cleared by cryptfs_clear_password
508 * To avoid a double prompt at boot, we need to store the CryptKeeper
509 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
510 * Since the entire framework is torn down and rebuilt after encryption,
511 * we have to use a daemon or similar to store the password. Since vold
512 * is secured against IPC except from system processes, it seems a reasonable
513 * place to store this.
515 * password should be cleared once it has been used.
517 * password is aged out after password_max_age_seconds seconds.
519 static char* password = 0;
520 static int password_expiry_time = 0;
521 static const int password_max_age_seconds = 60;
523 enum class RebootType { reboot, recovery, shutdown };
524 static void cryptfs_reboot(RebootType rt) {
526 case RebootType::reboot:
527 property_set(ANDROID_RB_PROPERTY, "reboot");
530 case RebootType::recovery:
531 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
534 case RebootType::shutdown:
535 property_set(ANDROID_RB_PROPERTY, "shutdown");
541 /* Shouldn't get here, reboot should happen before sleep times out */
546 * Gets the default device scrypt parameters for key derivation time tuning.
547 * The parameters should lead to about one second derivation time for the
550 static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
551 char paramstr[PROPERTY_VALUE_MAX];
554 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
555 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
556 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
557 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
564 static uint64_t get_fs_size(const char* dev) {
566 struct ext4_super_block sb;
569 if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
570 SLOGE("Cannot open device to get filesystem size ");
574 if (lseek64(fd, 1024, SEEK_SET) < 0) {
575 SLOGE("Cannot seek to superblock");
579 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
580 SLOGE("Cannot read superblock");
586 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
587 SLOGE("Not a valid ext4 superblock");
590 block_size = 1024 << sb.s_log_block_size;
591 /* compute length in bytes */
592 len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
594 /* return length in sectors */
598 static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
599 for (const auto& entry : fstab_default) {
600 if (!entry.fs_mgr_flags.vold_managed &&
601 (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
602 entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
603 if (key_loc != nullptr) {
604 *key_loc = entry.key_loc;
606 if (real_blk_device != nullptr) {
607 *real_blk_device = entry.blk_device;
614 static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
615 static int cached_data = 0;
616 static uint64_t cached_off = 0;
617 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
618 char key_loc[PROPERTY_VALUE_MAX];
619 char real_blkdev[PROPERTY_VALUE_MAX];
624 std::string real_blkdev;
625 get_crypt_info(&key_loc, &real_blkdev);
627 if (key_loc == KEY_IN_FOOTER) {
628 if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
629 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
630 * encryption info footer and key, and plenty of bytes to spare for future
633 strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
634 cached_off -= CRYPT_FOOTER_OFFSET;
637 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
640 strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
647 if (metadata_fname) {
648 *metadata_fname = cached_metadata_fname;
659 /* Set sha256 checksum in structure */
660 static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
663 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
664 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
665 SHA256_Final(crypt_ftr->sha256, &c);
668 /* key or salt can be NULL, in which case just skip writing that value. Useful to
669 * update the failed mount count but not change the key.
671 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
674 /* starting_off is set to the SEEK_SET offset
675 * where the crypto structure starts
677 off64_t starting_off;
682 set_ftr_sha(crypt_ftr);
684 if (get_crypt_ftr_info(&fname, &starting_off)) {
685 SLOGE("Unable to get crypt_ftr_info\n");
688 if (fname[0] != '/') {
689 SLOGE("Unexpected value for crypto key location\n");
692 if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
693 SLOGE("Cannot open footer file %s for put\n", fname);
697 /* Seek to the start of the crypt footer */
698 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
699 SLOGE("Cannot seek to real block device footer\n");
703 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
704 SLOGE("Cannot write real block device footer\n");
709 /* If the keys are kept on a raw block device, do not try to truncate it. */
710 if (S_ISREG(statbuf.st_mode)) {
711 if (ftruncate(fd, 0x4000)) {
712 SLOGE("Cannot set footer file size\n");
725 static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
726 struct crypt_mnt_ftr copy;
727 memcpy(©, crypt_ftr, sizeof(copy));
729 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
732 static inline int unix_read(int fd, void* buff, int len) {
733 return TEMP_FAILURE_RETRY(read(fd, buff, len));
736 static inline int unix_write(int fd, const void* buff, int len) {
737 return TEMP_FAILURE_RETRY(write(fd, buff, len));
740 static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
741 memset(pdata, 0, len);
742 pdata->persist_magic = PERSIST_DATA_MAGIC;
743 pdata->persist_valid_entries = 0;
746 /* A routine to update the passed in crypt_ftr to the lastest version.
747 * fd is open read/write on the device that holds the crypto footer and persistent
748 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
749 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
751 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
752 int orig_major = crypt_ftr->major_version;
753 int orig_minor = crypt_ftr->minor_version;
755 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
756 struct crypt_persist_data* pdata;
757 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
759 SLOGW("upgrading crypto footer to 1.1");
761 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
763 SLOGE("Cannot allocate persisent data\n");
766 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
768 /* Need to initialize the persistent data area */
769 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
770 SLOGE("Cannot seek to persisent data offset\n");
774 /* Write all zeros to the first copy, making it invalid */
775 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
777 /* Write a valid but empty structure to the second copy */
778 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
779 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
781 /* Update the footer */
782 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
783 crypt_ftr->persist_data_offset[0] = pdata_offset;
784 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
785 crypt_ftr->minor_version = 1;
789 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
790 SLOGW("upgrading crypto footer to 1.2");
791 /* But keep the old kdf_type.
792 * It will get updated later to KDF_SCRYPT after the password has been verified.
794 crypt_ftr->kdf_type = KDF_PBKDF2;
795 get_device_scrypt_params(crypt_ftr);
796 crypt_ftr->minor_version = 2;
799 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
800 SLOGW("upgrading crypto footer to 1.3");
801 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
802 crypt_ftr->minor_version = 3;
805 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
806 if (lseek64(fd, offset, SEEK_SET) == -1) {
807 SLOGE("Cannot seek to crypt footer\n");
810 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
814 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
817 off64_t starting_off;
822 if (get_crypt_ftr_info(&fname, &starting_off)) {
823 SLOGE("Unable to get crypt_ftr_info\n");
826 if (fname[0] != '/') {
827 SLOGE("Unexpected value for crypto key location\n");
830 if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
831 SLOGE("Cannot open footer file %s for get\n", fname);
835 /* Make sure it's 16 Kbytes in length */
837 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
838 SLOGE("footer file %s is not the expected size!\n", fname);
842 /* Seek to the start of the crypt footer */
843 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
844 SLOGE("Cannot seek to real block device footer\n");
848 if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
849 SLOGE("Cannot read real block device footer\n");
853 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
854 SLOGE("Bad magic for real block device %s\n", fname);
858 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
859 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
860 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
864 // We risk buffer overflows with oversized keys, so we just reject them.
865 // 0-sized keys are problematic (essentially by-passing encryption), and
866 // AES-CBC key wrapping only works for multiples of 16 bytes.
867 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
868 (crypt_ftr->keysize > MAX_KEY_LEN)) {
870 "Invalid keysize (%u) for block device %s; Must be non-zero, "
871 "divisible by 16, and <= %d\n",
872 crypt_ftr->keysize, fname, MAX_KEY_LEN);
876 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
877 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
878 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
881 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
882 * copy on disk before returning.
884 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
885 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
896 static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
897 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
898 crypt_ftr->persist_data_offset[1]) {
899 SLOGE("Crypt_ftr persist data regions overlap");
903 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
904 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
908 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
909 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
910 CRYPT_FOOTER_OFFSET) {
911 SLOGE("Persistent data extends past crypto footer");
918 static int load_persistent_data(void) {
919 struct crypt_mnt_ftr crypt_ftr;
920 struct crypt_persist_data* pdata = NULL;
921 char encrypted_state[PROPERTY_VALUE_MAX];
929 /* Nothing to do, we've already loaded or initialized it */
933 /* If not encrypted, just allocate an empty table and initialize it */
934 property_get("ro.crypto.state", encrypted_state, "");
935 if (strcmp(encrypted_state, "encrypted")) {
936 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
938 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
939 persist_data = pdata;
945 if (get_crypt_ftr_and_key(&crypt_ftr)) {
949 if ((crypt_ftr.major_version < 1) ||
950 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
951 SLOGE("Crypt_ftr version doesn't support persistent data");
955 if (get_crypt_ftr_info(&fname, NULL)) {
959 ret = validate_persistent_data_storage(&crypt_ftr);
964 fd = open(fname, O_RDONLY | O_CLOEXEC);
966 SLOGE("Cannot open %s metadata file", fname);
970 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
972 SLOGE("Cannot allocate memory for persistent data");
976 for (i = 0; i < 2; i++) {
977 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
978 SLOGE("Cannot seek to read persistent data on %s", fname);
981 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
982 SLOGE("Error reading persistent data on iteration %d", i);
985 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
992 SLOGI("Could not find valid persistent data, creating");
993 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
997 persist_data = pdata;
1009 static int save_persistent_data(void) {
1010 struct crypt_mnt_ftr crypt_ftr;
1011 struct crypt_persist_data* pdata;
1013 off64_t write_offset;
1014 off64_t erase_offset;
1018 if (persist_data == NULL) {
1019 SLOGE("No persistent data to save");
1023 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1027 if ((crypt_ftr.major_version < 1) ||
1028 (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
1029 SLOGE("Crypt_ftr version doesn't support persistent data");
1033 ret = validate_persistent_data_storage(&crypt_ftr);
1038 if (get_crypt_ftr_info(&fname, NULL)) {
1042 fd = open(fname, O_RDWR | O_CLOEXEC);
1044 SLOGE("Cannot open %s metadata file", fname);
1048 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
1049 if (pdata == NULL) {
1050 SLOGE("Cannot allocate persistant data");
1054 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
1055 SLOGE("Cannot seek to read persistent data on %s", fname);
1059 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
1060 SLOGE("Error reading persistent data before save");
1064 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
1065 /* The first copy is the curent valid copy, so write to
1066 * the second copy and erase this one */
1067 write_offset = crypt_ftr.persist_data_offset[1];
1068 erase_offset = crypt_ftr.persist_data_offset[0];
1070 /* The second copy must be the valid copy, so write to
1071 * the first copy, and erase the second */
1072 write_offset = crypt_ftr.persist_data_offset[0];
1073 erase_offset = crypt_ftr.persist_data_offset[1];
1076 /* Write the new copy first, if successful, then erase the old copy */
1077 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1078 SLOGE("Cannot seek to write persistent data");
1081 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1082 (int)crypt_ftr.persist_data_size) {
1083 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1084 SLOGE("Cannot seek to erase previous persistent data");
1088 memset(pdata, 0, crypt_ftr.persist_data_size);
1089 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
1090 SLOGE("Cannot write to erase previous persistent data");
1095 SLOGE("Cannot write to save persistent data");
1111 /* Convert a binary key of specified length into an ascii hex string equivalent,
1112 * without the leading 0x and with null termination
1114 static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
1115 char* master_key_ascii) {
1117 unsigned char nibble;
1119 for (i = 0, a = 0; i < keysize; i++, a += 2) {
1120 /* For each byte, write out two ascii hex digits */
1121 nibble = (master_key[i] >> 4) & 0xf;
1122 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1124 nibble = master_key[i] & 0xf;
1125 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1128 /* Add the null termination */
1129 master_key_ascii[a] = '\0';
1133 * If the ro.crypto.fde_sector_size system property is set, append the
1134 * parameters to make dm-crypt use the specified crypto sector size and round
1135 * the crypto device size down to a crypto sector boundary.
1137 static int add_sector_size_param(DmTargetCrypt* target, struct crypt_mnt_ftr* ftr) {
1138 constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
1139 char value[PROPERTY_VALUE_MAX];
1141 if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
1142 unsigned int sector_size;
1144 if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
1145 (sector_size & (sector_size - 1)) != 0) {
1146 SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
1147 DM_CRYPT_SECTOR_SIZE, value);
1151 target->SetSectorSize(sector_size);
1153 // With this option, IVs will match the sector numbering, instead
1154 // of being hard-coded to being based on 512-byte sectors.
1155 target->SetIvLargeSectors();
1157 // Round the crypto device size down to a crypto sector boundary.
1158 ftr->fs_size &= ~((sector_size / 512) - 1);
1163 static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1164 const char* real_blk_name, std::string* crypto_blk_name,
1165 const char* name, uint32_t flags) {
1166 auto& dm = DeviceMapper::Instance();
1168 // We need two ASCII characters to represent each byte, and need space for
1169 // the '\0' terminator.
1170 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
1171 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1173 auto target = std::make_unique<DmTargetCrypt>(0, crypt_ftr->fs_size,
1174 (const char*)crypt_ftr->crypto_type_name,
1175 master_key_ascii, 0, real_blk_name, 0);
1176 target->AllowDiscards();
1178 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1179 target->AllowEncryptOverride();
1181 if (add_sector_size_param(target.get(), crypt_ftr)) {
1182 SLOGE("Error processing dm-crypt sector size param\n");
1187 table.AddTarget(std::move(target));
1190 while (load_count < TABLE_LOAD_RETRIES) {
1191 if (dm.CreateDevice(name, table)) {
1197 if (load_count >= TABLE_LOAD_RETRIES) {
1198 SLOGE("Cannot load dm-crypt mapping table.\n");
1201 if (load_count > 1) {
1202 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1205 if (!dm.GetDmDevicePathByName(name, crypto_blk_name)) {
1206 SLOGE("Cannot determine dm-crypt path for %s.\n", name);
1210 /* Ensure the dm device has been created before returning. */
1211 if (android::vold::WaitForFile(crypto_blk_name->c_str(), 1s) < 0) {
1212 // WaitForFile generates a suitable log message
1218 static int delete_crypto_blk_dev(const std::string& name) {
1220 auto& dm = DeviceMapper::Instance();
1221 // TODO(b/149396179) there appears to be a race somewhere in the system where trying
1222 // to delete the device fails with EBUSY; for now, work around this by retrying.
1224 while (tries-- > 0) {
1225 ret = dm.DeleteDevice(name);
1226 if (ret || errno != EBUSY) {
1229 SLOGW("DM_DEV Cannot remove dm-crypt device %s: %s, retrying...\n", name.c_str(),
1231 std::this_thread::sleep_for(std::chrono::milliseconds(100));
1234 SLOGE("DM_DEV Cannot remove dm-crypt device %s: %s\n", name.c_str(), strerror(errno));
1240 static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1241 void* params UNUSED) {
1242 SLOGI("Using pbkdf2 for cryptfs KDF");
1244 /* Turn the password into a key and IV that can decrypt the master key */
1245 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
1246 INTERMEDIATE_BUF_SIZE, ikey) != 1;
1249 static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
1250 SLOGI("Using scrypt for cryptfs KDF");
1252 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1254 int N = 1 << ftr->N_factor;
1255 int r = 1 << ftr->r_factor;
1256 int p = 1 << ftr->p_factor;
1258 /* Turn the password into a key and IV that can decrypt the master key */
1259 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1260 INTERMEDIATE_BUF_SIZE);
1265 static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
1267 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1270 size_t signature_size;
1271 unsigned char* signature;
1272 struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
1274 int N = 1 << ftr->N_factor;
1275 int r = 1 << ftr->r_factor;
1276 int p = 1 << ftr->p_factor;
1278 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
1279 INTERMEDIATE_BUF_SIZE);
1282 SLOGE("scrypt failed");
1286 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
1287 SLOGE("Signing failed");
1291 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
1292 INTERMEDIATE_BUF_SIZE);
1296 SLOGE("scrypt failed");
1303 static int encrypt_master_key(const char* passwd, const unsigned char* salt,
1304 const unsigned char* decrypted_master_key,
1305 unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
1306 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1307 EVP_CIPHER_CTX e_ctx;
1308 int encrypted_len, final_len;
1311 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1312 get_device_scrypt_params(crypt_ftr);
1314 switch (crypt_ftr->kdf_type) {
1315 case KDF_SCRYPT_KEYMASTER:
1316 if (keymaster_create_key(crypt_ftr)) {
1317 SLOGE("keymaster_create_key failed");
1321 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1322 SLOGE("scrypt failed");
1328 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1329 SLOGE("scrypt failed");
1335 SLOGE("Invalid kdf_type");
1339 /* Initialize the decryption engine */
1340 EVP_CIPHER_CTX_init(&e_ctx);
1341 if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
1342 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1343 SLOGE("EVP_EncryptInit failed\n");
1346 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1348 /* Encrypt the master key */
1349 if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
1350 crypt_ftr->keysize)) {
1351 SLOGE("EVP_EncryptUpdate failed\n");
1354 if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1355 SLOGE("EVP_EncryptFinal failed\n");
1359 if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
1360 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1364 /* Store the scrypt of the intermediate key, so we can validate if it's a
1365 password error or mount error when things go wrong.
1366 Note there's no need to check for errors, since if this is incorrect, we
1367 simply won't wipe userdata, which is the correct default behavior
1369 int N = 1 << crypt_ftr->N_factor;
1370 int r = 1 << crypt_ftr->r_factor;
1371 int p = 1 << crypt_ftr->p_factor;
1373 rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
1374 N, r, p, crypt_ftr->scrypted_intermediate_key,
1375 sizeof(crypt_ftr->scrypted_intermediate_key));
1378 SLOGE("encrypt_master_key: crypto_scrypt failed");
1381 EVP_CIPHER_CTX_cleanup(&e_ctx);
1386 static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
1387 const unsigned char* encrypted_master_key, size_t keysize,
1388 unsigned char* decrypted_master_key, kdf_func kdf,
1389 void* kdf_params, unsigned char** intermediate_key,
1390 size_t* intermediate_key_size) {
1391 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
1392 EVP_CIPHER_CTX d_ctx;
1393 int decrypted_len, final_len;
1395 /* Turn the password into an intermediate key and IV that can decrypt the
1397 if (kdf(passwd, salt, ikey, kdf_params)) {
1398 SLOGE("kdf failed");
1402 /* Initialize the decryption engine */
1403 EVP_CIPHER_CTX_init(&d_ctx);
1404 if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
1405 ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
1408 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1409 /* Decrypt the master key */
1410 if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
1414 if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1418 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1422 /* Copy intermediate key if needed by params */
1423 if (intermediate_key && intermediate_key_size) {
1424 *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
1425 if (*intermediate_key) {
1426 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1427 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1431 EVP_CIPHER_CTX_cleanup(&d_ctx);
1436 static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
1437 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1438 *kdf = scrypt_keymaster;
1440 } else if (ftr->kdf_type == KDF_SCRYPT) {
1449 static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
1450 struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
1451 size_t* intermediate_key_size) {
1456 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1457 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
1458 decrypted_master_key, kdf, kdf_params, intermediate_key,
1459 intermediate_key_size);
1461 SLOGW("failure decrypting master key");
1467 static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
1468 unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
1469 unsigned char key_buf[MAX_KEY_LEN];
1471 /* Get some random bits for a key and salt */
1472 if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
1475 if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
1479 /* Now encrypt it with the password */
1480 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1483 static void ensure_subdirectory_unmounted(const char *prefix) {
1484 std::vector<std::string> umount_points;
1485 std::unique_ptr<FILE, int (*)(FILE*)> mnts(setmntent("/proc/mounts", "r"), endmntent);
1487 SLOGW("could not read mount files");
1491 //Find sudirectory mount point
1493 std::string top_directory(prefix);
1494 if (!android::base::EndsWith(prefix, "/")) {
1495 top_directory = top_directory + "/";
1497 while ((mentry = getmntent(mnts.get())) != nullptr) {
1498 if (strcmp(mentry->mnt_dir, top_directory.c_str()) == 0) {
1502 if (android::base::StartsWith(mentry->mnt_dir, top_directory)) {
1503 SLOGW("found sub-directory mount %s - %s\n", prefix, mentry->mnt_dir);
1504 umount_points.push_back(mentry->mnt_dir);
1508 //Sort by path length to umount longest path first
1509 std::sort(std::begin(umount_points), std::end(umount_points),
1510 [](const std::string& s1, const std::string& s2) {return s1.length() > s2.length(); });
1512 for (std::string& mount_point : umount_points) {
1513 umount(mount_point.c_str());
1514 SLOGW("umount sub-directory mount %s\n", mount_point.c_str());
1518 static int wait_and_unmount(const char* mountpoint, bool kill) {
1521 // Subdirectory mount will cause a failure of umount.
1522 ensure_subdirectory_unmounted(mountpoint);
1523 #define WAIT_UNMOUNT_COUNT 20
1525 /* Now umount the tmpfs filesystem */
1526 for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
1527 if (umount(mountpoint) == 0) {
1531 if (errno == EINVAL) {
1532 /* EINVAL is returned if the directory is not a mountpoint,
1533 * i.e. there is no filesystem mounted there. So just get out.
1540 /* If allowed, be increasingly aggressive before the last two retries */
1542 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1543 SLOGW("sending SIGHUP to processes with open files\n");
1544 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
1545 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1546 SLOGW("sending SIGKILL to processes with open files\n");
1547 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
1554 if (i < WAIT_UNMOUNT_COUNT) {
1555 SLOGD("unmounting %s succeeded\n", mountpoint);
1558 android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
1559 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1566 static void prep_data_fs(void) {
1567 // NOTE: post_fs_data results in init calling back around to vold, so all
1568 // callers to this method must be async
1570 /* Do the prep of the /data filesystem */
1571 property_set("vold.post_fs_data_done", "0");
1572 property_set("vold.decrypt", "trigger_post_fs_data");
1573 SLOGD("Just triggered post_fs_data");
1575 /* Wait a max of 50 seconds, hopefully it takes much less */
1576 while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
1577 /* We timed out to prep /data in time. Continue wait. */
1578 SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
1580 SLOGD("post_fs_data done");
1583 static void cryptfs_set_corrupt() {
1584 // Mark the footer as bad
1585 struct crypt_mnt_ftr crypt_ftr;
1586 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1587 SLOGE("Failed to get crypto footer - panic");
1591 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1592 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1593 SLOGE("Failed to set crypto footer - panic");
1598 static void cryptfs_trigger_restart_min_framework() {
1599 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1600 SLOGE("Failed to mount tmpfs on data - panic");
1604 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1605 SLOGE("Failed to trigger post fs data - panic");
1609 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1610 SLOGE("Failed to trigger restart min framework - panic");
1615 /* returns < 0 on failure */
1616 static int cryptfs_restart_internal(int restart_main) {
1617 char crypto_blkdev[MAXPATHLEN];
1619 static int restart_successful = 0;
1621 /* Validate that it's OK to call this routine */
1622 if (!master_key_saved) {
1623 SLOGE("Encrypted filesystem not validated, aborting");
1627 if (restart_successful) {
1628 SLOGE("System already restarted with encrypted disk, aborting");
1633 /* Here is where we shut down the framework. The init scripts
1634 * start all services in one of these classes: core, early_hal, hal,
1635 * main and late_start. To get to the minimal UI for PIN entry, we
1636 * need to start core, early_hal, hal and main. When we want to
1637 * shutdown the framework again, we need to stop most of the services in
1638 * these classes, but only those services that were started after
1639 * /data was mounted. This excludes critical services like vold and
1640 * ueventd, which need to keep running. We could possible stop
1641 * even fewer services, but because we want services to pick up APEX
1642 * libraries from the real /data, restarting is better, as it makes
1643 * these devices consistent with FBE devices and lets them use the
1646 * Once these services have stopped, we should be able
1647 * to umount the tmpfs /data, then mount the encrypted /data.
1648 * We then restart the class core, hal, main, and also the class
1651 * At the moment, I've only put a few things in late_start that I know
1652 * are not needed to bring up the framework, and that also cause problems
1653 * with unmounting the tmpfs /data, but I hope to add add more services
1654 * to the late_start class as we optimize this to decrease the delay
1655 * till the user is asked for the password to the filesystem.
1658 /* The init files are setup to stop the right set of services when
1659 * vold.decrypt is set to trigger_shutdown_framework.
1661 property_set("vold.decrypt", "trigger_shutdown_framework");
1662 SLOGD("Just asked init to shut down class main\n");
1664 /* Ugh, shutting down the framework is not synchronous, so until it
1665 * can be fixed, this horrible hack will wait a moment for it all to
1666 * shut down before proceeding. Without it, some devices cannot
1667 * restart the graphics services.
1672 /* Now that the framework is shutdown, we should be able to umount()
1673 * the tmpfs filesystem, and mount the real one.
1676 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1677 if (strlen(crypto_blkdev) == 0) {
1678 SLOGE("fs_crypto_blkdev not set\n");
1682 if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
1683 /* If ro.crypto.readonly is set to 1, mount the decrypted
1684 * filesystem readonly. This is used when /data is mounted by
1687 char ro_prop[PROPERTY_VALUE_MAX];
1688 property_get("ro.crypto.readonly", ro_prop, "");
1689 if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
1690 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
1691 if (entry != nullptr) {
1692 entry->flags |= MS_RDONLY;
1696 /* If that succeeded, then mount the decrypted filesystem */
1697 int retries = RETRY_MOUNT_ATTEMPTS;
1701 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
1702 * partitions in the fsck domain.
1704 if (setexeccon(android::vold::sFsckContext)) {
1705 SLOGE("Failed to setexeccon");
1708 bool needs_cp = android::vold::cp_needsCheckpoint();
1709 while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
1710 needs_cp, false)) != 0) {
1711 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1712 /* TODO: invoke something similar to
1713 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1714 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1715 SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
1717 sleep(RETRY_MOUNT_DELAY_SECONDS);
1719 /* Let's hope that a reboot clears away whatever is keeping
1721 cryptfs_reboot(RebootType::reboot);
1724 SLOGE("Failed to mount decrypted data");
1725 cryptfs_set_corrupt();
1726 cryptfs_trigger_restart_min_framework();
1727 SLOGI("Started framework to offer wipe");
1728 if (setexeccon(NULL)) {
1729 SLOGE("Failed to setexeccon");
1734 if (setexeccon(NULL)) {
1735 SLOGE("Failed to setexeccon");
1739 /* Create necessary paths on /data */
1741 property_set("vold.decrypt", "trigger_load_persist_props");
1743 /* startup service classes main and late_start */
1744 property_set("vold.decrypt", "trigger_restart_framework");
1745 SLOGD("Just triggered restart_framework\n");
1747 /* Give it a few moments to get started */
1752 restart_successful = 1;
1758 int cryptfs_restart(void) {
1759 SLOGI("cryptfs_restart");
1760 if (fscrypt_is_native()) {
1761 SLOGE("cryptfs_restart not valid for file encryption:");
1765 /* Call internal implementation forcing a restart of main service group */
1766 return cryptfs_restart_internal(1);
1769 static int do_crypto_complete(const char* mount_point) {
1770 struct crypt_mnt_ftr crypt_ftr;
1771 char encrypted_state[PROPERTY_VALUE_MAX];
1773 property_get("ro.crypto.state", encrypted_state, "");
1774 if (strcmp(encrypted_state, "encrypted")) {
1775 SLOGE("not running with encryption, aborting");
1776 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1779 // crypto_complete is full disk encrypted status
1780 if (fscrypt_is_native()) {
1781 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1784 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1785 std::string key_loc;
1786 get_crypt_info(&key_loc, nullptr);
1789 * Only report this error if key_loc is a file and it exists.
1790 * If the device was never encrypted, and /data is not mountable for
1791 * some reason, returning 1 should prevent the UI from presenting the
1792 * a "enter password" screen, or worse, a "press button to wipe the
1795 if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
1796 SLOGE("master key file does not exist, aborting");
1797 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1799 SLOGE("Error getting crypt footer and key\n");
1800 return CRYPTO_COMPLETE_BAD_METADATA;
1804 // Test for possible error flags
1805 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
1806 SLOGE("Encryption process is partway completed\n");
1807 return CRYPTO_COMPLETE_PARTIAL;
1810 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1811 SLOGE("Encryption process was interrupted but cannot continue\n");
1812 return CRYPTO_COMPLETE_INCONSISTENT;
1815 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
1816 SLOGE("Encryption is successful but data is corrupt\n");
1817 return CRYPTO_COMPLETE_CORRUPT;
1820 /* We passed the test! We shall diminish, and return to the west */
1821 return CRYPTO_COMPLETE_ENCRYPTED;
1824 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
1825 const char* mount_point, const char* label) {
1826 unsigned char decrypted_master_key[MAX_KEY_LEN];
1827 std::string crypto_blkdev;
1828 std::string real_blkdev;
1829 char tmp_mount_point[64];
1830 unsigned int orig_failed_decrypt_count;
1833 unsigned char* intermediate_key = 0;
1834 size_t intermediate_key_size = 0;
1835 int N = 1 << crypt_ftr->N_factor;
1836 int r = 1 << crypt_ftr->r_factor;
1837 int p = 1 << crypt_ftr->p_factor;
1839 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1840 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1842 if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
1843 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
1844 &intermediate_key_size)) {
1845 SLOGE("Failed to decrypt master key\n");
1851 get_crypt_info(nullptr, &real_blkdev);
1853 // Create crypto block device - all (non fatal) code paths
1855 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), &crypto_blkdev,
1857 SLOGE("Error creating decrypted block device\n");
1862 /* Work out if the problem is the password or the data */
1863 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
1865 rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
1866 sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
1867 sizeof(scrypted_intermediate_key));
1869 // Does the key match the crypto footer?
1870 if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
1871 sizeof(scrypted_intermediate_key)) == 0) {
1872 SLOGI("Password matches");
1875 /* Try mounting the file system anyway, just in case the problem's with
1876 * the footer, not the key. */
1877 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
1878 mkdir(tmp_mount_point, 0755);
1879 if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT,
1880 const_cast<char*>(crypto_blkdev.c_str()), tmp_mount_point)) {
1881 SLOGE("Error temp mounting decrypted block device\n");
1882 delete_crypto_blk_dev(label);
1884 rc = ++crypt_ftr->failed_decrypt_count;
1885 put_crypt_ftr_and_key(crypt_ftr);
1888 SLOGI("Password did not match but decrypted drive mounted - continue");
1889 umount(tmp_mount_point);
1895 crypt_ftr->failed_decrypt_count = 0;
1896 if (orig_failed_decrypt_count != 0) {
1897 put_crypt_ftr_and_key(crypt_ftr);
1900 /* Save the name of the crypto block device
1901 * so we can mount it when restarting the framework. */
1902 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev.c_str());
1904 /* Also save a the master key so we can reencrypted the key
1905 * the key when we want to change the password on it. */
1906 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1907 saved_mount_point = strdup(mount_point);
1908 master_key_saved = 1;
1909 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1912 // Upgrade if we're not using the latest KDF.
1913 if (crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1914 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1919 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1920 crypt_ftr->master_key, crypt_ftr);
1922 rc = put_crypt_ftr_and_key(crypt_ftr);
1924 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1926 // Do not fail even if upgrade failed - machine is bootable
1927 // Note that if this code is ever hit, there is a *serious* problem
1928 // since KDFs should never fail. You *must* fix the kdf before
1932 "Upgrade failed with error %d,"
1933 " but continuing with previous state",
1941 if (intermediate_key) {
1942 memset(intermediate_key, 0, intermediate_key_size);
1943 free(intermediate_key);
1949 * Called by vold when it's asked to mount an encrypted external
1950 * storage volume. The incoming partition has no crypto header/footer,
1951 * as any metadata is been stored in a separate, small partition. We
1952 * assume it must be using our same crypt type and keysize.
1954 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const KeyBuffer& key,
1955 std::string* out_crypto_blkdev) {
1956 auto crypto_type = get_crypto_type();
1957 if (key.size() != crypto_type.get_keysize()) {
1958 SLOGE("Raw keysize %zu does not match crypt keysize %zu", key.size(),
1959 crypto_type.get_keysize());
1962 uint64_t nr_sec = 0;
1963 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
1964 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1968 struct crypt_mnt_ftr ext_crypt_ftr;
1969 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1970 ext_crypt_ftr.fs_size = nr_sec;
1971 ext_crypt_ftr.keysize = crypto_type.get_keysize();
1972 strlcpy((char*)ext_crypt_ftr.crypto_type_name, crypto_type.get_kernel_name(),
1973 MAX_CRYPTO_TYPE_NAME_LEN);
1975 if (fscrypt_is_native() &&
1976 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1977 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
1979 return create_crypto_blk_dev(&ext_crypt_ftr, reinterpret_cast<const unsigned char*>(key.data()),
1980 real_blkdev, out_crypto_blkdev, label, flags);
1983 int cryptfs_crypto_complete(void) {
1984 return do_crypto_complete("/data");
1987 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
1988 char encrypted_state[PROPERTY_VALUE_MAX];
1989 property_get("ro.crypto.state", encrypted_state, "");
1990 if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
1992 "encrypted fs already validated or not running with encryption,"
1997 if (get_crypt_ftr_and_key(crypt_ftr)) {
1998 SLOGE("Error getting crypt footer and key");
2005 int cryptfs_check_passwd(const char* passwd) {
2006 SLOGI("cryptfs_check_passwd");
2007 if (fscrypt_is_native()) {
2008 SLOGE("cryptfs_check_passwd not valid for file encryption");
2012 struct crypt_mnt_ftr crypt_ftr;
2015 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2017 SLOGE("Could not get footer");
2021 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
2023 SLOGE("Password did not match");
2027 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
2028 // Here we have a default actual password but a real password
2029 // we must test against the scrypted value
2030 // First, we must delete the crypto block device that
2031 // test_mount_encrypted_fs leaves behind as a side effect
2032 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2033 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
2034 CRYPTO_BLOCK_DEVICE);
2036 SLOGE("Default password did not match on reboot encryption");
2040 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
2041 put_crypt_ftr_and_key(&crypt_ftr);
2042 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
2044 SLOGE("Could not change password on reboot encryption");
2049 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2050 cryptfs_clear_password();
2051 password = strdup(passwd);
2052 struct timespec now;
2053 clock_gettime(CLOCK_BOOTTIME, &now);
2054 password_expiry_time = now.tv_sec + password_max_age_seconds;
2060 int cryptfs_verify_passwd(const char* passwd) {
2061 struct crypt_mnt_ftr crypt_ftr;
2062 unsigned char decrypted_master_key[MAX_KEY_LEN];
2063 char encrypted_state[PROPERTY_VALUE_MAX];
2066 property_get("ro.crypto.state", encrypted_state, "");
2067 if (strcmp(encrypted_state, "encrypted")) {
2068 SLOGE("device not encrypted, aborting");
2072 if (!master_key_saved) {
2073 SLOGE("encrypted fs not yet mounted, aborting");
2077 if (!saved_mount_point) {
2078 SLOGE("encrypted fs failed to save mount point, aborting");
2082 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2083 SLOGE("Error getting crypt footer and key\n");
2087 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2088 /* If the device has no password, then just say the password is valid */
2091 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2092 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2093 /* They match, the password is correct */
2096 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2105 /* Initialize a crypt_mnt_ftr structure. The keysize is
2106 * defaulted to get_crypto_type().get_keysize() bytes, and the filesystem size to 0.
2107 * Presumably, at a minimum, the caller will update the
2108 * filesystem size and crypto_type_name after calling this function.
2110 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
2113 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2114 ftr->magic = CRYPT_MNT_MAGIC;
2115 ftr->major_version = CURRENT_MAJOR_VERSION;
2116 ftr->minor_version = CURRENT_MINOR_VERSION;
2117 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2118 ftr->keysize = get_crypto_type().get_keysize();
2119 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2121 get_device_scrypt_params(ftr);
2123 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2124 if (get_crypt_ftr_info(NULL, &off) == 0) {
2125 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2126 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
2132 #define FRAMEWORK_BOOT_WAIT 60
2134 static int vold_unmountAll(void) {
2135 VolumeManager* vm = VolumeManager::Instance();
2136 return vm->unmountAll();
2139 int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
2140 std::string crypto_blkdev;
2141 std::string real_blkdev;
2142 unsigned char decrypted_master_key[MAX_KEY_LEN];
2144 struct crypt_mnt_ftr crypt_ftr;
2145 struct crypt_persist_data* pdata;
2146 char encrypted_state[PROPERTY_VALUE_MAX];
2147 char lockid[32] = {0};
2148 std::string key_loc;
2150 bool rebootEncryption = false;
2151 bool onlyCreateHeader = false;
2153 /* Get a wakelock as this may take a while, and we don't want the
2154 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2155 * wants to keep the screen on, it can grab a full wakelock.
2157 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
2158 auto wl = android::wakelock::WakeLock::tryGet(lockid);
2159 if (!wl.has_value()) {
2160 return android::UNEXPECTED_NULL;
2163 if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
2164 if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
2165 if (!check_ftr_sha(&crypt_ftr)) {
2166 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2167 put_crypt_ftr_and_key(&crypt_ftr);
2168 goto error_unencrypted;
2171 /* Doing a reboot-encryption*/
2172 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
2173 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
2174 rebootEncryption = true;
2177 // We don't want to accidentally reference invalid data.
2178 memset(&crypt_ftr, 0, sizeof(crypt_ftr));
2181 property_get("ro.crypto.state", encrypted_state, "");
2182 if (!strcmp(encrypted_state, "encrypted")) {
2183 SLOGE("Device is already running encrypted, aborting");
2184 goto error_unencrypted;
2187 get_crypt_info(&key_loc, &real_blkdev);
2189 /* Get the size of the real block device */
2191 if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
2192 SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
2193 goto error_unencrypted;
2196 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2197 if (key_loc == KEY_IN_FOOTER) {
2198 uint64_t fs_size_sec, max_fs_size_sec;
2199 fs_size_sec = get_fs_size(real_blkdev.c_str());
2200 if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
2202 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2204 if (fs_size_sec > max_fs_size_sec) {
2205 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2206 goto error_unencrypted;
2210 /* The init files are setup to stop the class main and late start when
2211 * vold sets trigger_shutdown_framework.
2213 property_set("vold.decrypt", "trigger_shutdown_framework");
2214 SLOGD("Just asked init to shut down class main\n");
2216 /* Ask vold to unmount all devices that it manages */
2217 if (vold_unmountAll()) {
2218 SLOGE("Failed to unmount all vold managed devices");
2221 /* no_ui means we are being called from init, not settings.
2222 Now we always reboot from settings, so !no_ui means reboot
2225 /* Try fallback, which is to reboot and try there */
2226 onlyCreateHeader = true;
2227 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
2228 if (breadcrumb == 0) {
2229 SLOGE("Failed to create breadcrumb file");
2230 goto error_shutting_down;
2235 /* Do extra work for a better UX when doing the long inplace encryption */
2236 if (!onlyCreateHeader) {
2237 /* Now that /data is unmounted, we need to mount a tmpfs
2238 * /data, set a property saying we're doing inplace encryption,
2239 * and restart the framework.
2241 wait_and_unmount(DATA_MNT_POINT, true);
2242 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
2243 goto error_shutting_down;
2245 /* Tells the framework that inplace encryption is starting */
2246 property_set("vold.encrypt_progress", "0");
2248 /* restart the framework. */
2249 /* Create necessary paths on /data */
2252 /* Ugh, shutting down the framework is not synchronous, so until it
2253 * can be fixed, this horrible hack will wait a moment for it all to
2254 * shut down before proceeding. Without it, some devices cannot
2255 * restart the graphics services.
2260 /* Start the actual work of making an encrypted filesystem */
2261 /* Initialize a crypt_mnt_ftr for the partition */
2262 if (!rebootEncryption) {
2263 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
2264 goto error_shutting_down;
2267 if (key_loc == KEY_IN_FOOTER) {
2268 crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2270 crypt_ftr.fs_size = nr_sec;
2272 /* At this point, we are in an inconsistent state. Until we successfully
2273 complete encryption, a reboot will leave us broken. So mark the
2274 encryption failed in case that happens.
2275 On successfully completing encryption, remove this flag */
2276 if (onlyCreateHeader) {
2277 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
2279 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2281 crypt_ftr.crypt_type = crypt_type;
2282 strlcpy((char*)crypt_ftr.crypto_type_name, get_crypto_type().get_kernel_name(),
2283 MAX_CRYPTO_TYPE_NAME_LEN);
2285 /* Make an encrypted master key */
2286 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
2287 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
2288 SLOGE("Cannot create encrypted master key\n");
2289 goto error_shutting_down;
2292 /* Replace scrypted intermediate key if we are preparing for a reboot */
2293 if (onlyCreateHeader) {
2294 unsigned char fake_master_key[MAX_KEY_LEN];
2295 unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
2296 memset(fake_master_key, 0, sizeof(fake_master_key));
2297 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
2301 /* Write the key to the end of the partition */
2302 put_crypt_ftr_and_key(&crypt_ftr);
2304 /* If any persistent data has been remembered, save it.
2305 * If none, create a valid empty table and save that.
2307 if (!persist_data) {
2308 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
2310 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
2311 persist_data = pdata;
2315 save_persistent_data();
2319 if (onlyCreateHeader) {
2321 cryptfs_reboot(RebootType::reboot);
2324 if (!no_ui || rebootEncryption) {
2325 /* startup service classes main and late_start */
2326 property_set("vold.decrypt", "trigger_restart_min_framework");
2327 SLOGD("Just triggered restart_min_framework\n");
2329 /* OK, the framework is restarted and will soon be showing a
2330 * progress bar. Time to setup an encrypted mapping, and
2331 * either write a new filesystem, or encrypt in place updating
2332 * the progress bar as we work.
2336 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2337 rc = create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(),
2338 &crypto_blkdev, CRYPTO_BLOCK_DEVICE, 0);
2340 if (encrypt_inplace(crypto_blkdev, real_blkdev, crypt_ftr.fs_size, true)) {
2341 crypt_ftr.encrypted_upto = crypt_ftr.fs_size;
2346 /* Undo the dm-crypt mapping whether we succeed or not */
2347 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
2352 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
2354 put_crypt_ftr_and_key(&crypt_ftr);
2356 char value[PROPERTY_VALUE_MAX];
2357 property_get("ro.crypto.state", value, "");
2358 if (!strcmp(value, "")) {
2359 /* default encryption - continue first boot sequence */
2360 property_set("ro.crypto.state", "encrypted");
2361 property_set("ro.crypto.type", "block");
2363 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2364 // Bring up cryptkeeper that will check the password and set it
2365 property_set("vold.decrypt", "trigger_shutdown_framework");
2367 property_set("vold.encrypt_progress", "");
2368 cryptfs_trigger_restart_min_framework();
2370 cryptfs_check_passwd(DEFAULT_PASSWORD);
2371 cryptfs_restart_internal(1);
2375 sleep(2); /* Give the UI a chance to show 100% progress */
2376 cryptfs_reboot(RebootType::reboot);
2379 char value[PROPERTY_VALUE_MAX];
2381 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
2382 if (!strcmp(value, "1")) {
2383 /* wipe data if encryption failed */
2384 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
2386 const std::vector<std::string> options = {
2387 "--wipe_data\n--reason=cryptfs_enable_internal\n"};
2388 if (!write_bootloader_message(options, &err)) {
2389 SLOGE("could not write bootloader message: %s", err.c_str());
2391 cryptfs_reboot(RebootType::recovery);
2393 /* set property to trigger dialog */
2394 property_set("vold.encrypt_progress", "error_partially_encrypted");
2399 /* hrm, the encrypt step claims success, but the reboot failed.
2400 * This should not happen.
2401 * Set the property and return. Hope the framework can deal with it.
2403 property_set("vold.encrypt_progress", "error_reboot_failed");
2407 property_set("vold.encrypt_progress", "error_not_encrypted");
2410 error_shutting_down:
2411 /* we failed, and have not encrypted anthing, so the users's data is still intact,
2412 * but the framework is stopped and not restarted to show the error, so it's up to
2413 * vold to restart the system.
2416 "Error enabling encryption after framework is shutdown, no data changed, restarting "
2418 cryptfs_reboot(RebootType::reboot);
2420 /* shouldn't get here */
2421 property_set("vold.encrypt_progress", "error_shutting_down");
2425 int cryptfs_enable(int type, const char* passwd, int no_ui) {
2426 return cryptfs_enable_internal(type, passwd, no_ui);
2429 int cryptfs_enable_default(int no_ui) {
2430 return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
2433 int cryptfs_changepw(int crypt_type, const char* newpw) {
2434 if (fscrypt_is_native()) {
2435 SLOGE("cryptfs_changepw not valid for file encryption");
2439 struct crypt_mnt_ftr crypt_ftr;
2442 /* This is only allowed after we've successfully decrypted the master key */
2443 if (!master_key_saved) {
2444 SLOGE("Key not saved, aborting");
2448 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2449 SLOGE("Invalid crypt_type %d", crypt_type);
2454 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2455 SLOGE("Error getting crypt footer and key");
2459 crypt_ftr.crypt_type = crypt_type;
2461 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
2462 crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
2464 SLOGE("Encrypt master key failed: %d", rc);
2468 put_crypt_ftr_and_key(&crypt_ftr);
2473 static unsigned int persist_get_max_entries(int encrypted) {
2474 struct crypt_mnt_ftr crypt_ftr;
2477 /* If encrypted, use the values from the crypt_ftr, otherwise
2478 * use the values for the current spec.
2481 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2482 /* Something is wrong, assume no space for entries */
2485 dsize = crypt_ftr.persist_data_size;
2487 dsize = CRYPT_PERSIST_DATA_SIZE;
2490 if (dsize > sizeof(struct crypt_persist_data)) {
2491 return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
2497 static int persist_get_key(const char* fieldname, char* value) {
2500 if (persist_data == NULL) {
2503 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2504 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2506 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
2514 static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
2517 unsigned int max_persistent_entries;
2519 if (persist_data == NULL) {
2523 max_persistent_entries = persist_get_max_entries(encrypted);
2525 num = persist_data->persist_valid_entries;
2527 for (i = 0; i < num; i++) {
2528 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
2529 /* We found an existing entry, update it! */
2530 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
2531 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
2536 /* We didn't find it, add it to the end, if there is room */
2537 if (persist_data->persist_valid_entries < max_persistent_entries) {
2538 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
2539 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
2540 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
2541 persist_data->persist_valid_entries++;
2549 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
2550 * sequence and its index is greater than or equal to index. Return 0 otherwise.
2552 int match_multi_entry(const char* key, const char* field, unsigned index) {
2553 std::string key_ = key;
2554 std::string field_ = field;
2556 std::string parsed_field;
2557 unsigned parsed_index;
2559 std::string::size_type split = key_.find_last_of('_');
2560 if (split == std::string::npos) {
2561 parsed_field = key_;
2564 parsed_field = key_.substr(0, split);
2565 parsed_index = std::stoi(key_.substr(split + 1));
2568 return parsed_field == field_ && parsed_index >= index;
2572 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
2573 * remaining entries starting from index will be deleted.
2574 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
2575 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
2576 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
2579 static int persist_del_keys(const char* fieldname, unsigned index) {
2584 if (persist_data == NULL) {
2585 return PERSIST_DEL_KEY_ERROR_OTHER;
2588 num = persist_data->persist_valid_entries;
2590 j = 0; // points to the end of non-deleted entries.
2591 // Filter out to-be-deleted entries in place.
2592 for (i = 0; i < num; i++) {
2593 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
2594 persist_data->persist_entry[j] = persist_data->persist_entry[i];
2600 persist_data->persist_valid_entries = j;
2601 // Zeroise the remaining entries
2602 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
2603 return PERSIST_DEL_KEY_OK;
2605 // Did not find an entry matching the given fieldname
2606 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
2610 static int persist_count_keys(const char* fieldname) {
2614 if (persist_data == NULL) {
2619 for (i = 0; i < persist_data->persist_valid_entries; i++) {
2620 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
2628 /* Return the value of the specified field. */
2629 int cryptfs_getfield(const char* fieldname, char* value, int len) {
2630 if (fscrypt_is_native()) {
2631 SLOGE("Cannot get field when file encrypted");
2635 char temp_value[PROPERTY_VALUE_MAX];
2636 /* CRYPTO_GETFIELD_OK is success,
2637 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
2638 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
2639 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
2641 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
2643 char temp_field[PROPERTY_KEY_MAX];
2645 if (persist_data == NULL) {
2646 load_persistent_data();
2647 if (persist_data == NULL) {
2648 SLOGE("Getfield error, cannot load persistent data");
2653 // Read value from persistent entries. If the original value is split into multiple entries,
2654 // stitch them back together.
2655 if (!persist_get_key(fieldname, temp_value)) {
2656 // We found it, copy it to the caller's buffer and keep going until all entries are read.
2657 if (strlcpy(value, temp_value, len) >= (unsigned)len) {
2659 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2662 rc = CRYPTO_GETFIELD_OK;
2664 for (i = 1; /* break explicitly */; i++) {
2665 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
2666 (int)sizeof(temp_field)) {
2667 // If the fieldname is very long, we stop as soon as it begins to overflow the
2668 // maximum field length. At this point we have in fact fully read out the original
2669 // value because cryptfs_setfield would not allow fields with longer names to be
2670 // written in the first place.
2673 if (!persist_get_key(temp_field, temp_value)) {
2674 if (strlcat(value, temp_value, len) >= (unsigned)len) {
2676 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
2680 // Exhaust all entries.
2685 /* Sadness, it's not there. Return the error */
2686 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
2693 /* Set the value of the specified field. */
2694 int cryptfs_setfield(const char* fieldname, const char* value) {
2695 if (fscrypt_is_native()) {
2696 SLOGE("Cannot set field when file encrypted");
2700 char encrypted_state[PROPERTY_VALUE_MAX];
2701 /* 0 is success, negative values are error */
2702 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
2704 unsigned int field_id;
2705 char temp_field[PROPERTY_KEY_MAX];
2706 unsigned int num_entries;
2707 unsigned int max_keylen;
2709 if (persist_data == NULL) {
2710 load_persistent_data();
2711 if (persist_data == NULL) {
2712 SLOGE("Setfield error, cannot load persistent data");
2717 property_get("ro.crypto.state", encrypted_state, "");
2718 if (!strcmp(encrypted_state, "encrypted")) {
2722 // Compute the number of entries required to store value, each entry can store up to
2723 // (PROPERTY_VALUE_MAX - 1) chars
2724 if (strlen(value) == 0) {
2725 // Empty value also needs one entry to store.
2728 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
2731 max_keylen = strlen(fieldname);
2732 if (num_entries > 1) {
2733 // Need an extra "_%d" suffix.
2734 max_keylen += 1 + log10(num_entries);
2736 if (max_keylen > PROPERTY_KEY_MAX - 1) {
2737 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
2741 // Make sure we have enough space to write the new value
2742 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
2743 persist_get_max_entries(encrypted)) {
2744 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
2748 // Now that we know persist_data has enough space for value, let's delete the old field first
2749 // to make up space.
2750 persist_del_keys(fieldname, 0);
2752 if (persist_set_key(fieldname, value, encrypted)) {
2753 // fail to set key, should not happen as we have already checked the available space
2754 SLOGE("persist_set_key() error during setfield()");
2758 for (field_id = 1; field_id < num_entries; field_id++) {
2759 snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
2761 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
2762 // fail to set key, should not happen as we have already checked the available space.
2763 SLOGE("persist_set_key() error during setfield()");
2768 /* If we are running encrypted, save the persistent data now */
2770 if (save_persistent_data()) {
2771 SLOGE("Setfield error, cannot save persistent data");
2776 rc = CRYPTO_SETFIELD_OK;
2782 /* Checks userdata. Attempt to mount the volume if default-
2784 * On success trigger next init phase and return 0.
2785 * Currently do not handle failure - see TODO below.
2787 int cryptfs_mount_default_encrypted(void) {
2788 int crypt_type = cryptfs_get_password_type();
2789 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
2790 SLOGE("Bad crypt type - error");
2791 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
2793 "Password is not default - "
2794 "starting min framework to prompt");
2795 property_set("vold.decrypt", "trigger_restart_min_framework");
2797 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
2798 SLOGD("Password is default - restarting filesystem");
2799 cryptfs_restart_internal(0);
2802 SLOGE("Encrypted, default crypt type but can't decrypt");
2805 /** Corrupt. Allow us to boot into framework, which will detect bad
2806 crypto when it calls do_crypto_complete, then do a factory reset
2808 property_set("vold.decrypt", "trigger_restart_min_framework");
2812 /* Returns type of the password, default, pattern, pin or password.
2814 int cryptfs_get_password_type(void) {
2815 if (fscrypt_is_native()) {
2816 SLOGE("cryptfs_get_password_type not valid for file encryption");
2820 struct crypt_mnt_ftr crypt_ftr;
2822 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2823 SLOGE("Error getting crypt footer and key\n");
2827 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2831 return crypt_ftr.crypt_type;
2834 const char* cryptfs_get_password() {
2835 if (fscrypt_is_native()) {
2836 SLOGE("cryptfs_get_password not valid for file encryption");
2840 struct timespec now;
2841 clock_gettime(CLOCK_BOOTTIME, &now);
2842 if (now.tv_sec < password_expiry_time) {
2845 cryptfs_clear_password();
2850 void cryptfs_clear_password() {
2852 size_t len = strlen(password);
2853 memset(password, 0, len);
2856 password_expiry_time = 0;
2860 int cryptfs_isConvertibleToFBE() {
2861 auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
2862 return entry && entry->fs_mgr_flags.force_fde_or_fbe;