| Ethan Yonker | 79f88bd | 2016-12-09 14:52:12 -0600 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | /* TWRP NOTE: Kanged from system/extras/ext4_utils/ext4_crypt.cpp |
| 18 | * because policy_to_hex, e4crypt_policy_set, and e4crypt_policy_get |
| 19 | * are not exposed to be used. There was also a bug in e4crypt_policy_get |
| 20 | * that may or may not be fixed in the user's local repo: |
| 21 | * https://android.googlesource.com/platform/system/extras/+/30b93dd5715abcabd621235733733c0503f9c552 |
| 22 | */ |
| 23 | |
| 24 | #include "ext4_crypt.h" |
| 25 | |
| 26 | #include <dirent.h> |
| 27 | #include <errno.h> |
| 28 | #include <string.h> |
| 29 | #include <unistd.h> |
| 30 | |
| 31 | #include <fcntl.h> |
| 32 | #include <asm/ioctl.h> |
| 33 | #include <sys/syscall.h> |
| 34 | #include <sys/stat.h> |
| 35 | #include <sys/types.h> |
| 36 | |
| 37 | #include <android-base/file.h> |
| 38 | #include <android-base/logging.h> |
| 39 | #include <cutils/properties.h> |
| 40 | |
| 41 | #define XATTR_NAME_ENCRYPTION_POLICY "encryption.policy" |
| 42 | #define EXT4_KEYREF_DELIMITER ((char)'.') |
| 43 | |
| 44 | // ext4enc:TODO Include structure from somewhere sensible |
| 45 | // MUST be in sync with ext4_crypto.c in kernel |
| 46 | #define EXT4_KEY_DESCRIPTOR_SIZE 8 |
| 47 | #define EXT4_KEY_DESCRIPTOR_SIZE_HEX 17 |
| 48 | |
| 49 | struct ext4_encryption_policy { |
| 50 | char version; |
| 51 | char contents_encryption_mode; |
| 52 | char filenames_encryption_mode; |
| 53 | char flags; |
| 54 | char master_key_descriptor[EXT4_KEY_DESCRIPTOR_SIZE]; |
| 55 | } __attribute__((__packed__)); |
| 56 | |
| 57 | #define EXT4_ENCRYPTION_MODE_AES_256_XTS 1 |
| 58 | #define EXT4_ENCRYPTION_MODE_AES_256_CTS 4 |
| 59 | #define EXT4_ENCRYPTION_MODE_PRIVATE 127 |
| 60 | |
| 61 | static int encryption_mode = EXT4_ENCRYPTION_MODE_PRIVATE; |
| 62 | |
| 63 | // ext4enc:TODO Get value from somewhere sensible |
| 64 | #define EXT4_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct ext4_encryption_policy) |
| 65 | #define EXT4_IOC_GET_ENCRYPTION_POLICY _IOW('f', 21, struct ext4_encryption_policy) |
| 66 | |
| 67 | #define HEX_LOOKUP "0123456789abcdef" |
| 68 | |
| 69 | extern "C" void policy_to_hex(const char* policy, char* hex) { |
| 70 | for (size_t i = 0, j = 0; i < EXT4_KEY_DESCRIPTOR_SIZE; i++) { |
| 71 | hex[j++] = HEX_LOOKUP[(policy[i] & 0xF0) >> 4]; |
| 72 | hex[j++] = HEX_LOOKUP[policy[i] & 0x0F]; |
| 73 | } |
| 74 | hex[EXT4_KEY_DESCRIPTOR_SIZE_HEX - 1] = '\0'; |
| 75 | } |
| 76 | |
| 77 | extern "C" bool e4crypt_policy_set(const char *directory, const char *policy, |
| 78 | size_t policy_length, int contents_encryption_mode) { |
| 79 | if (contents_encryption_mode == 0) |
| 80 | contents_encryption_mode = encryption_mode; |
| 81 | if (policy_length != EXT4_KEY_DESCRIPTOR_SIZE) { |
| 82 | printf("policy wrong length\n"); |
| 83 | LOG(ERROR) << "Policy wrong length: " << policy_length; |
| 84 | return false; |
| 85 | } |
| 86 | int fd = open(directory, O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); |
| 87 | if (fd == -1) { |
| 88 | printf("failed to open %s\n", directory); |
| 89 | PLOG(ERROR) << "Failed to open directory " << directory; |
| 90 | return false; |
| 91 | } |
| 92 | |
| 93 | ext4_encryption_policy eep; |
| 94 | eep.version = 0; |
| 95 | eep.contents_encryption_mode = contents_encryption_mode; |
| 96 | eep.filenames_encryption_mode = EXT4_ENCRYPTION_MODE_AES_256_CTS; |
| 97 | eep.flags = 0; |
| 98 | memcpy(eep.master_key_descriptor, policy, EXT4_KEY_DESCRIPTOR_SIZE); |
| 99 | if (ioctl(fd, EXT4_IOC_SET_ENCRYPTION_POLICY, &eep)) { |
| 100 | printf("failed to set policy for '%s' '%s'\n", directory, policy); |
| 101 | PLOG(ERROR) << "Failed to set encryption policy for " << directory; |
| 102 | close(fd); |
| 103 | return false; |
| 104 | } |
| 105 | close(fd); |
| 106 | |
| 107 | char policy_hex[EXT4_KEY_DESCRIPTOR_SIZE_HEX]; |
| 108 | policy_to_hex(policy, policy_hex); |
| 109 | LOG(INFO) << "Policy for " << directory << " set to " << policy_hex; |
| 110 | return true; |
| 111 | } |
| 112 | |
| 113 | extern "C" bool e4crypt_policy_get(const char *directory, char *policy, |
| 114 | size_t policy_length, int contents_encryption_mode) { |
| 115 | if (contents_encryption_mode == 0) |
| 116 | contents_encryption_mode = encryption_mode; |
| 117 | if (policy_length != EXT4_KEY_DESCRIPTOR_SIZE) { |
| 118 | LOG(ERROR) << "Policy wrong length: " << policy_length; |
| 119 | return false; |
| 120 | } |
| 121 | |
| 122 | int fd = open(directory, O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); |
| 123 | if (fd == -1) { |
| 124 | PLOG(ERROR) << "Failed to open directory " << directory; |
| 125 | return false; |
| 126 | } |
| 127 | |
| 128 | ext4_encryption_policy eep; |
| 129 | memset(&eep, 0, sizeof(ext4_encryption_policy)); |
| 130 | if (ioctl(fd, EXT4_IOC_GET_ENCRYPTION_POLICY, &eep) != 0) { |
| 131 | PLOG(ERROR) << "Failed to get encryption policy for " << directory; |
| 132 | close(fd); |
| 133 | return false; |
| 134 | } |
| 135 | close(fd); |
| 136 | |
| 137 | if ((eep.version != 0) |
| 138 | || (eep.contents_encryption_mode != contents_encryption_mode) |
| 139 | || (eep.filenames_encryption_mode != EXT4_ENCRYPTION_MODE_AES_256_CTS) |
| 140 | || (eep.flags != 0)) { |
| 141 | LOG(ERROR) << "Failed to find matching encryption policy for " << directory; |
| 142 | return false; |
| 143 | } |
| 144 | memcpy(policy, eep.master_key_descriptor, EXT4_KEY_DESCRIPTOR_SIZE); |
| 145 | |
| 146 | return true; |
| 147 | } |
| 148 | |
| 149 | extern "C" bool e4crypt_set_mode() { |
| 150 | const char* mode_file = "/data/unencrypted/mode"; |
| 151 | struct stat st; |
| 152 | if (stat(mode_file, &st) != 0 || st.st_size <= 0) { |
| 153 | printf("Invalid encryption mode file %s\n", mode_file); |
| 154 | return false; |
| 155 | } |
| 156 | size_t mode_size = st.st_size; |
| 157 | char contents_encryption_mode[mode_size + 1]; |
| 158 | memset((void*)contents_encryption_mode, 0, mode_size + 1); |
| 159 | int fd = open(mode_file, O_RDONLY); |
| 160 | if (fd < 0) { |
| 161 | printf("error opening '%s': %s\n", mode_file, strerror(errno)); |
| 162 | return false; |
| 163 | } |
| 164 | if (read(fd, contents_encryption_mode, mode_size) != mode_size) { |
| 165 | printf("read error on '%s': %s\n", mode_file, strerror(errno)); |
| 166 | close(fd); |
| 167 | return false; |
| 168 | } |
| 169 | close(fd); |
| 170 | if (!strcmp(contents_encryption_mode, "software")) { |
| 171 | encryption_mode = EXT4_ENCRYPTION_MODE_AES_256_XTS; |
| 172 | } else if (!strcmp(contents_encryption_mode, "ice")) { |
| 173 | encryption_mode = EXT4_ENCRYPTION_MODE_PRIVATE; |
| 174 | } else { |
| 175 | printf("Invalid encryption mode '%s'\n", contents_encryption_mode); |
| 176 | return false; |
| 177 | } |
| 178 | printf("set encryption mode to %i\n", encryption_mode); |
| 179 | return true; |
| 180 | } |