blob: 67ebbba95dc1cb889952c6f0237538ecc3d8d22d [file] [log] [blame]
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* This structure starts 16,384 bytes before the end of a hardware
18 * partition that is encrypted, or in a separate partition. It's location
19 * is specified by a property set in init.<device>.rc.
20 * The structure allocates 48 bytes for a key, but the real key size is
21 * specified in the struct. Currently, the code is hardcoded to use 128
22 * bit keys.
23 * The fields after salt are only valid in rev 1.1 and later stuctures.
24 * Obviously, the filesystem does not include the last 16 kbytes
25 * of the partition if the crypt_mnt_ftr lives at the end of the
26 * partition.
27 */
28
29#include <cutils/properties.h>
30#include "openssl/sha.h"
31
32/* The current cryptfs version */
33#define CURRENT_MAJOR_VERSION 1
34#define CURRENT_MINOR_VERSION 3
35
36#define CRYPT_FOOTER_OFFSET 0x4000
37#define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
38#define CRYPT_PERSIST_DATA_SIZE 0x1000
39
40#define MAX_CRYPTO_TYPE_NAME_LEN 64
41
42#define MAX_KEY_LEN 48
43#define SALT_LEN 16
44#define SCRYPT_LEN 32
45
46/* definitions of flags in the structure below */
47#define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
48#define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* Encryption partially completed,
49 encrypted_upto valid*/
50#define CRYPT_INCONSISTENT_STATE 0x4 /* Set when starting encryption, clear when
51 exit cleanly, either through success or
52 correctly marked partial encryption */
53#define CRYPT_DATA_CORRUPT 0x8 /* Set when encryption is fine, but the
54 underlying volume is corrupt */
Ethan Yonkerba95ad12016-01-18 15:18:15 -060055#ifdef CONFIG_HW_DISK_ENCRYPTION
56/* This flag is used to transition from L->M upgrade. L release passed
57 * a byte for every nible of user password while M release is passing
58 * ascii value of user password.
59 * Random flag value is chosen so that it does not conflict with other use cases
60 */
61#define CRYPT_ASCII_PASSWORD_UPDATED 0x1000
62#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -060063/* Allowed values for type in the structure below */
64#define CRYPT_TYPE_PASSWORD 0 /* master_key is encrypted with a password
65 * Must be zero to be compatible with pre-L
66 * devices where type is always password.*/
67#define CRYPT_TYPE_DEFAULT 1 /* master_key is encrypted with default
68 * password */
69#define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
70#define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
71#define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
72
73#define CRYPT_MNT_MAGIC 0xD0B5B1C4
74#define PERSIST_DATA_MAGIC 0xE950CD44
75
76#define SCRYPT_PROP "ro.crypto.scrypt_params"
77#define SCRYPT_DEFAULTS { 15, 3, 1 }
78
79/* Key Derivation Function algorithms */
80#define KDF_PBKDF2 1
81#define KDF_SCRYPT 2
82/* TODO(paullawrence): Remove KDF_SCRYPT_KEYMASTER_UNPADDED and KDF_SCRYPT_KEYMASTER_BADLY_PADDED
83 * when it is safe to do so. */
84#define KDF_SCRYPT_KEYMASTER_UNPADDED 3
85#define KDF_SCRYPT_KEYMASTER_BADLY_PADDED 4
86#define KDF_SCRYPT_KEYMASTER 5
87
88/* Maximum allowed keymaster blob size. */
89#define KEYMASTER_BLOB_SIZE 2048
90
91/* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
92#define __le8 unsigned char
93
94struct crypt_mnt_ftr {
95 __le32 magic; /* See above */
96 __le16 major_version;
97 __le16 minor_version;
98 __le32 ftr_size; /* in bytes, not including key following */
99 __le32 flags; /* See above */
100 __le32 keysize; /* in bytes */
101 __le32 crypt_type; /* how master_key is encrypted. Must be a
102 * CRYPT_TYPE_XXX value */
103 __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
104 __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
105 mount, set to 0 on successful mount */
106 unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
107 needed to decrypt this
108 partition, null terminated */
109 __le32 spare2; /* ignored */
110 unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
111 unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
112 __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
113 * on device with that info, either the footer of the
114 * real_blkdevice or the metadata partition. */
115
116 __le32 persist_data_size; /* The number of bytes allocated to each copy of the
117 * persistent data table*/
118
119 __le8 kdf_type; /* The key derivation function used. */
120
121 /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
122 __le8 N_factor; /* (1 << N) */
123 __le8 r_factor; /* (1 << r) */
124 __le8 p_factor; /* (1 << p) */
125 __le64 encrypted_upto; /* If we are in state CRYPT_ENCRYPTION_IN_PROGRESS and
126 we have to stop (e.g. power low) this is the last
127 encrypted 512 byte sector.*/
128 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* When CRYPT_ENCRYPTION_IN_PROGRESS
129 set, hash of first block, used
130 to validate before continuing*/
131
132 /* key_master key, used to sign the derived key which is then used to generate
133 * the intermediate key
134 * This key should be used for no other purposes! We use this key to sign unpadded
135 * data, which is acceptable but only if the key is not reused elsewhere. */
136 __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
137 __le32 keymaster_blob_size;
138
139 /* Store scrypt of salted intermediate key. When decryption fails, we can
140 check if this matches, and if it does, we know that the problem is with the
141 drive, and there is no point in asking the user for more passwords.
142
143 Note that if any part of this structure is corrupt, this will not match and
144 we will continue to believe the user entered the wrong password. In that
145 case the only solution is for the user to enter a password enough times to
146 force a wipe.
147
148 Note also that there is no need to worry about migration. If this data is
149 wrong, we simply won't recognise a right password, and will continue to
150 prompt. On the first password change, this value will be populated and
151 then we will be OK.
152 */
153 unsigned char scrypted_intermediate_key[SCRYPT_LEN];
154};
155
156/* Persistant data that should be available before decryption.
157 * Things like airplane mode, locale and timezone are kept
158 * here and can be retrieved by the CryptKeeper UI to properly
159 * configure the phone before asking for the password
160 * This is only valid if the major and minor version above
161 * is set to 1.1 or higher.
162 *
163 * This is a 4K structure. There are 2 copies, and the code alternates
164 * writing one and then clearing the previous one. The reading
165 * code reads the first valid copy it finds, based on the magic number.
166 * The absolute offset to the first of the two copies is kept in rev 1.1
167 * and higher crypt_mnt_ftr structures.
168 */
169struct crypt_persist_entry {
170 char key[PROPERTY_KEY_MAX];
171 char val[PROPERTY_VALUE_MAX];
172};
173
174/* Should be exactly 4K in size */
175struct crypt_persist_data {
176 __le32 persist_magic;
177 __le32 persist_valid_entries;
178 __le32 persist_spare[30];
179 struct crypt_persist_entry persist_entry[0];
180};
181
182struct volume_info {
183 unsigned int size;
184 unsigned int flags;
185 struct crypt_mnt_ftr crypt_ftr;
186 char mnt_point[256];
187 char blk_dev[256];
188 char crypto_blkdev[256];
189 char label[256];
190};
191#define VOL_NONREMOVABLE 0x1
192#define VOL_ENCRYPTABLE 0x2
193#define VOL_PRIMARY 0x4
194#define VOL_PROVIDES_ASEC 0x8
195
196#define DATA_MNT_POINT "/data"
197
198/* Return values for cryptfs_crypto_complete */
199#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
200#define CRYPTO_COMPLETE_ENCRYPTED 0
201#define CRYPTO_COMPLETE_BAD_METADATA -1
202#define CRYPTO_COMPLETE_PARTIAL -2
203#define CRYPTO_COMPLETE_INCONSISTENT -3
204#define CRYPTO_COMPLETE_CORRUPT -4
205
206/* Return values for cryptfs_enable_inplace*() */
207#define ENABLE_INPLACE_OK 0
208#define ENABLE_INPLACE_ERR_OTHER -1
209#define ENABLE_INPLACE_ERR_DEV -2 /* crypto_blkdev issue */
210
211#ifdef __cplusplus
212extern "C" {
213#endif
214
215 typedef int (*kdf_func)(const char *passwd, const unsigned char *salt,
216 unsigned char *ikey, void *params);
217
Ethan Yonker253368a2014-11-25 15:00:52 -0600218 void set_partition_data(const char* block_device, const char* key_location, const char* fs);
219 int cryptfs_check_footer();
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600220 int cryptfs_check_passwd(char *pw);
221 int cryptfs_verify_passwd(char *newpw);
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600222 int cryptfs_get_password_type(void);
Ethan Yonkerd79d9bc2014-12-20 15:38:29 -0600223 int delete_crypto_blk_dev(char *name);
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600224#ifdef __cplusplus
225}
226#endif