Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 8303e6d55d8764e860f679a84ed68d28608e28fa / . / crypto / fde / cryptfs.cpp
blob: 544d3eccf6ca5aa6092dbc460f7996ec84063f5c [file] [log] [blame]
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23#include <sys/types.h>
24#include <sys/wait.h>
25#include <sys/stat.h>
26#include <ctype.h>
27#include <fcntl.h>
28#include <inttypes.h>
29#include <unistd.h>
30#include <stdio.h>
31#include <sys/ioctl.h>
32#include <linux/dm-ioctl.h>
33#include <libgen.h>
34#include <stdlib.h>
35#include <sys/param.h>
36#include <string.h>
37#include <sys/mount.h>
38#include <openssl/evp.h>
39#include <openssl/sha.h>
40#include <errno.h>
41//#include <ext4_utils/ext4_crypt.h>
42//#include <ext4_utils/ext4_utils.h>
43#include <linux/kdev_t.h>
44//#include <fs_mgr.h>
45#include <time.h>
46#include <math.h>
47//#include <selinux/selinux.h>
48#include "cryptfs.h"
49//#include "secontext.h"
50#define LOG_TAG "Cryptfs"
51//#include "cutils/log.h"
52#include "cutils/properties.h"
53//#include "cutils/android_reboot.h"
54//#include "hardware_legacy/power.h"
55//#include <logwrap/logwrap.h>
56//#include "ScryptParameters.h"
57//#include "VolumeManager.h"
58//#include "VoldUtil.h"
59//#include "Ext4Crypt.h"
60//#include "f2fs_sparseblock.h"
61//#include "EncryptInplace.h"
62//#include "Process.h"
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]63#if TW_KEYMASTER_MAX_API > 1
64#include <hardware/keymaster2.h>
65#endif
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]66#if TW_KEYMASTER_MAX_API == 3
67#include "../ext4crypt/Keymaster3.h"
68#endif
69#if TW_KEYMASTER_MAX_API == 4
70#include "../ext4crypt/Keymaster4.h"
71#endif
72#if TW_KEYMASTER_MAX_API == 0
73#include <hardware/keymaster.h>
74#else // so far, all trees that have keymaster >= 1 have keymaster 1 support
75#include <stdbool.h>
76#include <openssl/evp.h>
77#include <openssl/sha.h>
78#include <hardware/keymaster0.h>
79#include <hardware/keymaster1.h>
80#endif
81//#include "android-base/properties.h"
82//#include <bootloader_message/bootloader_message.h>
83#ifdef CONFIG_HW_DISK_ENCRYPTION
84#include <cryptfs_hw.h>
85#endif
86extern "C" {
87#include <crypto_scrypt.h>
88}
89#include <string>
90#include <vector>
91
92#define ALOGE(...) fprintf(stdout, "E:" __VA_ARGS__)
93#define SLOGE(...) fprintf(stdout, "E:" __VA_ARGS__)
94#define SLOGW(...) fprintf(stdout, "W:" __VA_ARGS__)
95#define SLOGI(...) fprintf(stdout, "I:" __VA_ARGS__)
96#define SLOGD(...) fprintf(stdout, "D:" __VA_ARGS__)
97
98#define UNUSED __attribute__((unused))
99
100#define DM_CRYPT_BUF_SIZE 4096
101
102#define HASH_COUNT 2000
103
104#ifndef min /* already defined by windows.h */
105#define min(a, b) ((a) < (b) ? (a) : (b))
106#endif
107
108constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
109constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
110constexpr size_t INTERMEDIATE_BUF_SIZE =
111 (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
112
113// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
114static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
115 "Mismatch of intermediate key sizes");
116
117#define KEY_IN_FOOTER "footer"
118
119#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264"
120#define DEFAULT_PASSWORD "default_password"
121
122#define CRYPTO_BLOCK_DEVICE "userdata"
123
124#define TABLE_LOAD_RETRIES 10
125
126#define RSA_KEY_SIZE 2048
127#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
128#define RSA_EXPONENT 0x10001
129#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
130#define KEY_LEN_BYTES 16
131
132#define RETRY_MOUNT_ATTEMPTS 10
133#define RETRY_MOUNT_DELAY_SECONDS 1
134
135#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
136
137static unsigned char saved_master_key[MAX_KEY_LEN];
138static char *saved_mount_point;
139static int master_key_saved = 0;
140static struct crypt_persist_data *persist_data = NULL;
141
142static int previous_type;
143
144static char key_fname[PROPERTY_VALUE_MAX] = "";
145static char real_blkdev[PROPERTY_VALUE_MAX] = "";
146static char file_system[PROPERTY_VALUE_MAX] = "";
147
148static void get_blkdev_size(int fd, unsigned long *nr_sec)
149{
150 if ( (ioctl(fd, BLKGETSIZE, nr_sec)) == -1) {
151 *nr_sec = 0;
152 }
153}
154
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]155#if TW_KEYMASTER_MAX_API == 0 //TW_KEYMASTER_MAX_API
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]156static int keymaster_init(keymaster_device_t **keymaster_dev)
157{
158 int rc;
159
160 const hw_module_t* mod;
161 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
162 if (rc) {
163 printf("could not find any keystore module\n");
164 goto out;
165 }
166
167 rc = keymaster_open(mod, keymaster_dev);
168 if (rc) {
169 printf("could not open keymaster device in %s (%s)\n",
170 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
171 goto out;
172 }
173
174 return 0;
175
176out:
177 *keymaster_dev = NULL;
178 return rc;
179}
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]180#elif TW_KEYMASTER_MAX_API > 1
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]181static int keymaster_init(keymaster0_device_t **keymaster0_dev,
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]182 keymaster1_device_t **keymaster1_dev,
183 keymaster2_device_t **keymaster2_dev)
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]184{
185 int rc;
186
187 const hw_module_t* mod;
188 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
189 if (rc) {
190 printf("could not find any keystore module\n");
191 goto err;
192 }
193
194 printf("keymaster module name is %s\n", mod->name);
195 printf("keymaster version is %d\n", mod->module_api_version);
196
197 *keymaster0_dev = NULL;
198 *keymaster1_dev = NULL;
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]199 *keymaster2_dev = NULL;
200 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_2_0) {
201 printf("Found keymaster2 module, using keymaster2 API.\n");
202 rc = keymaster2_open(mod, keymaster2_dev);
203 } else if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]204 printf("Found keymaster1 module, using keymaster1 API.\n");
205 rc = keymaster1_open(mod, keymaster1_dev);
206 } else {
207 printf("Found keymaster0 module, using keymaster0 API.\n");
208 rc = keymaster0_open(mod, keymaster0_dev);
209 }
210
211 if (rc) {
212 printf("could not open keymaster device in %s (%s)\n",
213 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
214 goto err;
215 }
216
217 return 0;
218
219err:
220 *keymaster0_dev = NULL;
221 *keymaster1_dev = NULL;
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]222 *keymaster2_dev = NULL;
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]223 return rc;
224}
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]225#else
226static int keymaster_init(keymaster0_device_t **keymaster0_dev,
227 keymaster1_device_t **keymaster1_dev)
228{
229 int rc;
230
231 const hw_module_t* mod;
232 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
233 if (rc) {
234 printf("could not find any keystore module\n");
235 goto err;
236 }
237
238 printf("keymaster module name is %s\n", mod->name);
239 printf("keymaster version is %d\n", mod->module_api_version);
240
241 *keymaster0_dev = NULL;
242 *keymaster1_dev = NULL;
243 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
244 printf("Found keymaster1 module, using keymaster1 API.\n");
245 rc = keymaster1_open(mod, keymaster1_dev);
246 } else {
247 printf("Found keymaster0 module, using keymaster0 API.\n");
248 rc = keymaster0_open(mod, keymaster0_dev);
249 }
250
251 if (rc) {
252 printf("could not open keymaster device in %s (%s)\n",
253 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
254 goto err;
255 }
256
257 return 0;
258
259err:
260 *keymaster0_dev = NULL;
261 *keymaster1_dev = NULL;
262 return rc;
263}
264#endif //TW_KEYMASTER_MAX_API
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]265
266#ifdef CONFIG_HW_DISK_ENCRYPTION
267static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
268 unsigned char *ikey, void *params);
269static void convert_key_to_hex_ascii(const unsigned char *master_key,
270 unsigned int keysize, char *master_key_ascii);
271static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
272 const char *passwd, const char *mount_point, const char *label);
273int cryptfs_check_passwd_hw(char *passwd);
274int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
275 unsigned char* master_key);
276
277static void convert_key_to_hex_ascii_for_upgrade(const unsigned char *master_key,
278 unsigned int keysize, char *master_key_ascii)
279{
280 unsigned int i, a;
281 unsigned char nibble;
282
283 for (i = 0, a = 0; i < keysize; i++, a += 2) {
284 /* For each byte, write out two ascii hex digits */
285 nibble = (master_key[i] >> 4) & 0xf;
286 master_key_ascii[a] = nibble + (nibble > 9 ? 0x57 : 0x30);
287
288 nibble = master_key[i] & 0xf;
289 master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x57 : 0x30);
290 }
291
292 /* Add the null termination */
293 master_key_ascii[a] = '\0';
294}
295
296static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw,
297 unsigned char* salt,
298 const struct crypt_mnt_ftr *ftr)
299{
300 /* if newpw updated, return 0
301 * if newpw not updated return -1
302 */
303 int rc = -1;
304
305 if (should_use_keymaster()) {
306 if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) {
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]307 SLOGE("scrypt failed\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]308 } else {
309 rc = 0;
310 }
311 }
312
313 return rc;
314}
315
316static int verify_hw_fde_passwd(const char *passwd, struct crypt_mnt_ftr* crypt_ftr)
317{
318 unsigned char newpw[32] = {0};
319 int key_index;
320 SLOGI("starting verify_hw_fde_passwd\n");
321 if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr))
322 key_index = set_hw_device_encryption_key(passwd,
323 (char*) crypt_ftr->crypto_type_name);
324 else
325 key_index = set_hw_device_encryption_key((const char*)newpw,
326 (char*) crypt_ftr->crypto_type_name);
327 return key_index;
328}
329
330static int verify_and_update_hw_fde_passwd(const char *passwd,
331 struct crypt_mnt_ftr* crypt_ftr)
332{
333 char* new_passwd = NULL;
334 unsigned char newpw[32] = {0};
335 int key_index = -1;
336 int passwd_updated = -1;
337 int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED);
338
339 key_index = verify_hw_fde_passwd(passwd, crypt_ftr);
340 if (key_index < 0) {
341 ++crypt_ftr->failed_decrypt_count;
342
343 if (ascii_passwd_updated) {
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]344 SLOGI("Ascii password was updated\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]345 } else {
346 /* Code in else part would execute only once:
347 * When device is upgraded from L->M release.
348 * Once upgraded, code flow should never come here.
349 * L release passed actual password in hex, so try with hex
350 * Each nible of passwd was encoded as a byte, so allocate memory
351 * twice of password len plus one more byte for null termination
352 */
353 if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) {
354 new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1);
355 if (new_passwd == NULL) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]356 SLOGE("System out of memory. Password verification incomplete\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]357 goto out;
358 }
359 strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1);
360 } else {
361 new_passwd = (char*)malloc(strlen(passwd) * 2 + 1);
362 if (new_passwd == NULL) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]363 SLOGE("System out of memory. Password verification incomplete\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]364 goto out;
365 }
366 convert_key_to_hex_ascii_for_upgrade((const unsigned char*)passwd,
367 strlen(passwd), new_passwd);
368 }
369 key_index = set_hw_device_encryption_key((const char*)new_passwd,
370 (char*) crypt_ftr->crypto_type_name);
371 if (key_index >=0) {
372 crypt_ftr->failed_decrypt_count = 0;
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]373 SLOGI("Hex password verified...will try to update with Ascii value\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]374 /* Before updating password, tie that with keymaster to tie with ROT */
375
376 if (get_keymaster_hw_fde_passwd(passwd, newpw,
377 crypt_ftr->salt, crypt_ftr)) {
378 passwd_updated = update_hw_device_encryption_key(new_passwd,
379 passwd, (char*)crypt_ftr->crypto_type_name);
380 } else {
381 passwd_updated = update_hw_device_encryption_key(new_passwd,
382 (const char*)newpw, (char*)crypt_ftr->crypto_type_name);
383 }
384
385 if (passwd_updated >= 0) {
386 crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]387 SLOGI("Ascii password recorded and updated\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]388 } else {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]389 SLOGI("Passwd verified, could not update...Will try next time\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]390 }
391 } else {
392 ++crypt_ftr->failed_decrypt_count;
393 }
394 free(new_passwd);
395 }
396 } else {
397 if (!ascii_passwd_updated)
398 crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
399 }
400out:
401 // update footer before leaving
402 //put_crypt_ftr_and_key(crypt_ftr);
403 return key_index;
404}
405#endif
406
407void set_partition_data(const char* block_device, const char* key_location, const char* fs)
408{
409 strcpy(key_fname, key_location);
410 strcpy(real_blkdev, block_device);
411 strcpy(file_system, fs);
412}
413
414/* This signs the given object using the keymaster key. */
415static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
416 const unsigned char *object,
417 const size_t object_size,
418 unsigned char **signature,
419 size_t *signature_size)
420{
421 SLOGI("TWRP keymaster max API: %i\n", TW_KEYMASTER_MAX_API);
422 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
423 size_t to_sign_size = sizeof(to_sign);
424 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
425
426 // To sign a message with RSA, the message must satisfy two
427 // constraints:
428 //
429 // 1. The message, when interpreted as a big-endian numeric value, must
430 // be strictly less than the public modulus of the RSA key. Note
431 // that because the most significant bit of the public modulus is
432 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
433 // key), an n-bit message with most significant bit 0 always
434 // satisfies this requirement.
435 //
436 // 2. The message must have the same length in bits as the public
437 // modulus of the RSA key. This requirement isn't mathematically
438 // necessary, but is necessary to ensure consistency in
439 // implementations.
440 switch (ftr->kdf_type) {
441 case KDF_SCRYPT_KEYMASTER_UNPADDED:
442 // This is broken: It produces a message which is shorter than
443 // the public modulus, failing criterion 2.
444 memcpy(to_sign, object, object_size);
445 to_sign_size = object_size;
446 SLOGI("Signing unpadded object\n");
447 break;
448 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
449 // This is broken: Since the value of object is uniformly
450 // distributed, it produces a message that is larger than the
451 // public modulus with probability 0.25.
452 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
453 SLOGI("Signing end-padded object\n");
454 break;
455 case KDF_SCRYPT_KEYMASTER:
456 // This ensures the most significant byte of the signed message
457 // is zero. We could have zero-padded to the left instead, but
458 // this approach is slightly more robust against changes in
459 // object size. However, it's still broken (but not unusably
460 // so) because we really should be using a proper deterministic
461 // RSA padding function, such as PKCS1.
462 memcpy(to_sign + 1, object, min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]463 SLOGI("Signing safely-padded object\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]464 break;
465 default:
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]466 SLOGE("Unknown KDF type %d\n", ftr->kdf_type);
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]467 return -1;
468 }
469
470 int rc = -1;
471
472#if TW_KEYMASTER_MAX_API >= 1
473 keymaster0_device_t *keymaster0_dev = 0;
474 keymaster1_device_t *keymaster1_dev = 0;
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]475#if TW_KEYMASTER_MAX_API > 1
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]476 keymaster2_device_t *keymaster2_dev = 0;
477 if (keymaster_init(&keymaster0_dev, &keymaster1_dev, &keymaster2_dev)) {
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]478#else
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]479 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
480#endif
481#else
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]482 keymaster_device_t *keymaster0_dev = 0;
483 if (keymaster_init(&keymaster0_dev)) {
484#endif
485 printf("Failed to init keymaster 0/1\n");
486 goto initfail;
487 }
488 if (keymaster0_dev) {
489 keymaster_rsa_sign_params_t params;
490 params.digest_type = DIGEST_NONE;
491 params.padding_type = PADDING_NONE;
492
493 rc = keymaster0_dev->sign_data(keymaster0_dev,
494 &params,
495 ftr->keymaster_blob,
496 ftr->keymaster_blob_size,
497 to_sign,
498 to_sign_size,
499 signature,
500 signature_size);
501 goto out;
502 }
503#if TW_KEYMASTER_MAX_API >= 1
504 else if (keymaster1_dev) {
505 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
506 keymaster_key_param_t params[] = {
507 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
508 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
509 };
510 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
511 keymaster_operation_handle_t op_handle;
512 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
513 &param_set, NULL /* out_params */,
514 &op_handle);
515 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
516 // Key usage has been rate-limited. Wait a bit and try again.
517 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
518 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
519 &param_set, NULL /* out_params */,
520 &op_handle);
521 }
522 if (error != KM_ERROR_OK) {
523 printf("Error starting keymaster signature transaction: %d\n", error);
524 rc = -1;
525 goto out;
526 }
527
528 keymaster_blob_t input = { to_sign, to_sign_size };
529 size_t input_consumed;
530 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
531 &input, &input_consumed, NULL /* out_params */,
532 NULL /* output */);
533 if (error != KM_ERROR_OK) {
534 printf("Error sending data to keymaster signature transaction: %d\n", error);
535 rc = -1;
536 goto out;
537 }
538 if (input_consumed != to_sign_size) {
539 // This should never happen. If it does, it's a bug in the keymaster implementation.
540 printf("Keymaster update() did not consume all data.\n");
541 keymaster1_dev->abort(keymaster1_dev, op_handle);
542 rc = -1;
543 goto out;
544 }
545
546 keymaster_blob_t tmp_sig;
547 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
548 NULL /* verify signature */, NULL /* out_params */,
549 &tmp_sig);
550 if (error != KM_ERROR_OK) {
551 printf("Error finishing keymaster signature transaction: %d\n", error);
552 rc = -1;
553 goto out;
554 }
555
556 *signature = (uint8_t*)tmp_sig.data;
557 *signature_size = tmp_sig.data_length;
558 rc = 0;
559 }
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]560#if TW_KEYMASTER_MAX_API > 1
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]561 else if (keymaster2_dev) {
562 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
563 keymaster_key_param_t params[] = {
564 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
565 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
566 };
567 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
568 keymaster_operation_handle_t op_handle;
569 keymaster_key_param_t config_params[] = {
570 // Set these to crazy values so we don't need to synchronize
571 // the recovery with system updates.
572 // key upgrades will be required; it will be upgraded in-memory
573 keymaster_param_int(KM_TAG_OS_VERSION, 999999),
574 keymaster_param_int(KM_TAG_OS_PATCHLEVEL, 209912),
575 };
576 keymaster_key_param_set_t config_param_set = { config_params, sizeof(config_params)/sizeof(*config_params) };
577 keymaster2_dev->configure(keymaster2_dev, &config_param_set);
578 keymaster_error_t error = keymaster2_dev->begin(keymaster2_dev, KM_PURPOSE_SIGN, &key,
579 &param_set, NULL /* out_params */,
580 &op_handle);
581 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
582 // Key usage has been rate-limited. Wait a bit and try again.
583 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
584 error = keymaster2_dev->begin(keymaster2_dev, KM_PURPOSE_SIGN, &key,
585 &param_set, NULL /* out_params */,
586 &op_handle);
587 }
588
589 if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
590 // Upgrade key in-memory if required
591 // Do not actually write it back; just keep it in memory
592 const keymaster_key_blob_t key_to_upd = key;
593 keymaster2_dev->upgrade_key(keymaster2_dev, &key_to_upd, &config_param_set, &key);
594 error = keymaster2_dev->begin(keymaster2_dev, KM_PURPOSE_SIGN, &key,
595 &param_set, NULL /* out_params */,
596 &op_handle);
597 }
598
599 if (error != KM_ERROR_OK) {
600 printf("Error starting keymaster signature transaction: %d\n", error);
601 rc = -1;
602 goto out;
603 }
604
605 keymaster_blob_t input = { to_sign, to_sign_size };
606 size_t input_consumed;
607 error = keymaster2_dev->update(keymaster2_dev, op_handle, NULL /* in_params */,
608 &input, &input_consumed, NULL /* out_params */,
609 NULL /* output */);
610 if (error != KM_ERROR_OK) {
611 printf("Error sending data to keymaster signature transaction: %d\n", error);
612 rc = -1;
613 goto out;
614 }
615 if (input_consumed != to_sign_size) {
616 // This should never happen. If it does, it's a bug in the keymaster implementation.
617 printf("Keymaster update() did not consume all data.\n");
618 keymaster2_dev->abort(keymaster2_dev, op_handle);
619 rc = -1;
620 goto out;
621 }
622
623 keymaster_blob_t tmp_sig;
624 error = keymaster2_dev->finish(keymaster2_dev, op_handle, NULL /* in_params */,
625 NULL, NULL /* verify signature */, NULL /* out_params */,
626 &tmp_sig);
627 if (error != KM_ERROR_OK) {
628 printf("Error finishing keymaster signature transaction: %d\n", error);
629 rc = -1;
630 goto out;
631 }
632
633 *signature = (uint8_t*)tmp_sig.data;
634 *signature_size = tmp_sig.data_length;
635 rc = 0;
636 }
Captain Throwback8303e6d2021-02-15 22:11:24 -0500[diff] [blame^]637#endif // TW_KEYMASTER_API > 1
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]638#endif // TW_KEYMASTER_API >= 1
639
640 out:
641#if TW_KEYMASTER_MAX_API >= 1
642 if (keymaster1_dev)
643 keymaster1_close(keymaster1_dev);
644#endif
645 if (keymaster0_dev)
646#if TW_KEYMASTER_MAX_API >= 1
647 keymaster0_close(keymaster0_dev);
648#else
649 keymaster_close(keymaster0_dev);
650#endif
651
652 if (rc == 0)
653 return 0; // otherwise we'll try for a newer keymaster API
654
655initfail:
656#if TW_KEYMASTER_MAX_API == 3
657 return keymaster_sign_object_for_cryptfs_scrypt(ftr->keymaster_blob, ftr->keymaster_blob_size,
658 KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size,
659 ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
660#endif //TW_KEYMASTER_MAX_API == 3
661#if TW_KEYMASTER_MAX_API >= 4
Mohd Farazb51f4af2020-02-11 11:13:32 +0530[diff] [blame]662 for (int c = 1;c <= 20;c++) { // 20 tries are enough for signing keymaster
663 if (c > 2)
664 usleep(5000); // if failed in two tries lets rest
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]665 auto result = keymaster_sign_object_for_cryptfs_scrypt(
666 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
667 to_sign_size, signature, signature_size);
668 switch (result) {
669 case KeymasterSignResult::ok:
670 return 0;
671 case KeymasterSignResult::upgrade:
672 break;
673 default:
674 return -1;
675 }
676 SLOGD("Upgrading key\n");
677 if (keymaster_upgrade_key_for_cryptfs_scrypt(
678 RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
679 ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
680 &ftr->keymaster_blob_size) != 0) {
681 SLOGE("Failed to upgrade key\n");
682 return -1;
683 }
684 /*if (put_crypt_ftr_and_key(ftr) != 0) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]685 SLOGE("Failed to write upgraded key to disk\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]686 }*/
687 SLOGD("Key upgraded successfully\n");
Mohd Farazb51f4af2020-02-11 11:13:32 +0530[diff] [blame]688 }
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]689#endif
690 return -1;
691}
692
693static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
694{
695 memset(io, 0, dataSize);
696 io->data_size = dataSize;
697 io->data_start = sizeof(struct dm_ioctl);
698 io->version[0] = 4;
699 io->version[1] = 0;
700 io->version[2] = 0;
701 io->flags = flags;
702 if (name) {
703 strlcpy(io->name, name, sizeof(io->name));
704 }
705}
706
707namespace {
708
709struct CryptoType;
710
711// Use to get the CryptoType in use on this device.
712const CryptoType &get_crypto_type();
713
714struct CryptoType {
715 // We should only be constructing CryptoTypes as part of
716 // supported_crypto_types[]. We do it via this pseudo-builder pattern,
717 // which isn't pure or fully protected as a concession to being able to
718 // do it all at compile time. Add new CryptoTypes in
719 // supported_crypto_types[] below.
720 constexpr CryptoType() : CryptoType(nullptr, nullptr, 0xFFFFFFFF) {}
721 constexpr CryptoType set_keysize(uint32_t size) const {
722 return CryptoType(this->property_name, this->crypto_name, size);
723 }
724 constexpr CryptoType set_property_name(const char *property) const {
725 return CryptoType(property, this->crypto_name, this->keysize);
726 }
727 constexpr CryptoType set_crypto_name(const char *crypto) const {
728 return CryptoType(this->property_name, crypto, this->keysize);
729 }
730
731 constexpr const char *get_property_name() const { return property_name; }
732 constexpr const char *get_crypto_name() const { return crypto_name; }
733 constexpr uint32_t get_keysize() const { return keysize; }
734
735 private:
736 const char *property_name;
737 const char *crypto_name;
738 uint32_t keysize;
739
740 constexpr CryptoType(const char *property, const char *crypto,
741 uint32_t ksize)
742 : property_name(property), crypto_name(crypto), keysize(ksize) {}
743 friend const CryptoType &get_crypto_type();
744 static const CryptoType &get_device_crypto_algorithm();
745};
746
747// We only want to parse this read-only property once. But we need to wait
748// until the system is initialized before we can read it. So we use a static
749// scoped within this function to get it only once.
750const CryptoType &get_crypto_type() {
751 static CryptoType crypto_type = CryptoType::get_device_crypto_algorithm();
752 return crypto_type;
753}
754
755constexpr CryptoType default_crypto_type = CryptoType()
756 .set_property_name("AES-128-CBC")
757 .set_crypto_name("aes-cbc-essiv:sha256")
758 .set_keysize(16);
759
760constexpr CryptoType supported_crypto_types[] = {
761 default_crypto_type,
762 CryptoType()
763 .set_property_name("Speck128/128-XTS")
764 .set_crypto_name("speck128-xts-plain64")
765 .set_keysize(32),
766 // Add new CryptoTypes here. Order is not important.
767};
768
769
770// ---------- START COMPILE-TIME SANITY CHECK BLOCK -------------------------
771// We confirm all supported_crypto_types have a small enough keysize and
772// had both set_property_name() and set_crypto_name() called.
773
774template <typename T, size_t N>
775constexpr size_t array_length(T (&)[N]) { return N; }
776
777constexpr bool indexOutOfBoundsForCryptoTypes(size_t index) {
778 return (index >= array_length(supported_crypto_types));
779}
780
781constexpr bool isValidCryptoType(const CryptoType &crypto_type) {
782 return ((crypto_type.get_property_name() != nullptr) &&
783 (crypto_type.get_crypto_name() != nullptr) &&
784 (crypto_type.get_keysize() <= MAX_KEY_LEN));
785}
786
787// Note in C++11 that constexpr functions can only have a single line.
788// So our code is a bit convoluted (using recursion instead of a loop),
789// but it's asserting at compile time that all of our key lengths are valid.
790constexpr bool validateSupportedCryptoTypes(size_t index) {
791 return indexOutOfBoundsForCryptoTypes(index) ||
792 (isValidCryptoType(supported_crypto_types[index]) &&
793 validateSupportedCryptoTypes(index + 1));
794}
795
796static_assert(validateSupportedCryptoTypes(0),
797 "We have a CryptoType with keysize > MAX_KEY_LEN or which was "
798 "incompletely constructed.");
799// ---------- END COMPILE-TIME SANITY CHECK BLOCK -------------------------
800
801
802// Don't call this directly, use get_crypto_type(), which caches this result.
803const CryptoType &CryptoType::get_device_crypto_algorithm() {
804 constexpr char CRYPT_ALGO_PROP[] = "ro.crypto.fde_algorithm";
805 char paramstr[PROPERTY_VALUE_MAX];
806
807 property_get(CRYPT_ALGO_PROP, paramstr,
808 default_crypto_type.get_property_name());
809 for (auto const &ctype : supported_crypto_types) {
810 if (strcmp(paramstr, ctype.get_property_name()) == 0) {
811 return ctype;
812 }
813 }
814 ALOGE("Invalid name (%s) for %s. Defaulting to %s\n", paramstr,
815 CRYPT_ALGO_PROP, default_crypto_type.get_property_name());
816 return default_crypto_type;
817}
818
819} // namespace
820
821#define SCRYPT_PROP "ro.crypto.scrypt_params"
822#define SCRYPT_DEFAULTS "15:3:1"
823
824bool parse_scrypt_parameters(const char* paramstr, int *Nf, int *rf, int *pf) {
825 int params[3] = {};
826 char *token;
827 char *saveptr;
828 int i;
829
830 /*
831 * The token we're looking for should be three integers separated by
832 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
833 */
834 for (i = 0, token = strtok_r(const_cast<char *>(paramstr), ":", &saveptr);
835 token != nullptr && i < 3;
836 i++, token = strtok_r(nullptr, ":", &saveptr)) {
837 char *endptr;
838 params[i] = strtol(token, &endptr, 10);
839
840 /*
841 * Check that there was a valid number and it's 8-bit.
842 */
843 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
844 return false;
845 }
846 }
847 if (token != nullptr) {
848 return false;
849 }
850 *Nf = params[0]; *rf = params[1]; *pf = params[2];
851 return true;
852}
853
854uint32_t cryptfs_get_keysize() {
855 return get_crypto_type().get_keysize();
856}
857
858const char *cryptfs_get_crypto_name() {
859 return get_crypto_type().get_crypto_name();
860}
861
862static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
863{
864 static int cached_data = 0;
865 static off64_t cached_off = 0;
866 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
867 int fd;
868 //char key_loc[PROPERTY_VALUE_MAX];
869 //char real_blkdev[PROPERTY_VALUE_MAX];
870 int rc = -1;
871
872 if (!cached_data) {
873 //fs_mgr_get_crypt_info(fstab_default, key_loc, real_blkdev, sizeof(key_loc));
874
875 if (!strcmp(key_fname, KEY_IN_FOOTER)) {
876 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
877 SLOGE("Cannot open real block device %s\n", real_blkdev);
878 return -1;
879 }
880
881 unsigned long nr_sec = 0;
882 get_blkdev_size(fd, &nr_sec);
883 if (nr_sec != 0) {
884 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
885 * encryption info footer and key, and plenty of bytes to spare for future
886 * growth.
887 */
888 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
889 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
890 cached_data = 1;
891 } else {
892 SLOGE("Cannot get size of block device %s\n", real_blkdev);
893 }
894 close(fd);
895 } else {
896 strlcpy(cached_metadata_fname, key_fname, sizeof(cached_metadata_fname));
897 cached_off = 0;
898 cached_data = 1;
899 }
900 }
901
902 if (cached_data) {
903 if (metadata_fname) {
904 *metadata_fname = cached_metadata_fname;
905 }
906 if (off) {
907 *off = cached_off;
908 }
909 rc = 0;
910 }
911
912 return rc;
913}
914
915static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
916{
917 int fd;
918 unsigned int cnt;
919 off64_t starting_off;
920 int rc = -1;
921 char *fname = NULL;
922 struct stat statbuf;
923
924 if (get_crypt_ftr_info(&fname, &starting_off)) {
925 SLOGE("Unable to get crypt_ftr_info\n");
926 return -1;
927 }
928 if (fname[0] != '/') {
929 SLOGE("Unexpected value for crypto key location\n");
930 return -1;
931 }
932 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
933 SLOGE("Cannot open footer file %s for get\n", fname);
934 return -1;
935 }
936
937 /* Make sure it's 16 Kbytes in length */
938 fstat(fd, &statbuf);
939 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
940 SLOGE("footer file %s is not the expected size!\n", fname);
941 goto errout;
942 }
943
944 /* Seek to the start of the crypt footer */
945 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
946 SLOGE("Cannot seek to real block device footer\n");
947 goto errout;
948 }
949
950 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
951 SLOGE("Cannot read real block device footer\n");
952 goto errout;
953 }
954
955 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
956 SLOGE("Bad magic for real block device %s\n", fname);
957 goto errout;
958 }
959
960 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
961 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
962 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
963 goto errout;
964 }
965
966 // We risk buffer overflows with oversized keys, so we just reject them.
967 // 0-sized keys are problematic (essentially by-passing encryption), and
968 // AES-CBC key wrapping only works for multiples of 16 bytes.
969 if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
970 (crypt_ftr->keysize > MAX_KEY_LEN)) {
971 SLOGE("Invalid keysize (%u) for block device %s; Must be non-zero, "
972 "divisible by 16, and <= %d\n", crypt_ftr->keysize, fname,
973 MAX_KEY_LEN);
974 goto errout;
975 }
976
977 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
978 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
979 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
980 }
981
982 /* Success! */
983 rc = 0;
984
985errout:
986 close(fd);
987 return rc;
988}
989
990int cryptfs_check_footer()
991{
992 int rc = -1;
993 struct crypt_mnt_ftr crypt_ftr;
994
995 rc = get_crypt_ftr_and_key(&crypt_ftr);
996
997 return rc;
998}
999
1000/* Convert a binary key of specified length into an ascii hex string equivalent,
1001 * without the leading 0x and with null termination
1002 */
1003static void convert_key_to_hex_ascii(const unsigned char *master_key,
1004 unsigned int keysize, char *master_key_ascii) {
1005 unsigned int i, a;
1006 unsigned char nibble;
1007
1008 for (i=0, a=0; i<keysize; i++, a+=2) {
1009 /* For each byte, write out two ascii hex digits */
1010 nibble = (master_key[i] >> 4) & 0xf;
1011 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1012
1013 nibble = master_key[i] & 0xf;
1014 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1015 }
1016
1017 /* Add the null termination */
1018 master_key_ascii[a] = '\0';
1019
1020}
1021
1022static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1023 const unsigned char *master_key, const char *real_blk_name,
1024 const char *name, int fd, const char *extra_params) {
1025 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1026 struct dm_ioctl *io;
1027 struct dm_target_spec *tgt;
1028 char *crypt_params;
1029 // We need two ASCII characters to represent each byte, and need space for
1030 // the '\0' terminator.
1031 char master_key_ascii[MAX_KEY_LEN * 2 + 1];
1032 size_t buff_offset;
1033 int i;
1034
1035 io = (struct dm_ioctl *) buffer;
1036
1037 /* Load the mapping table for this device */
1038 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1039
1040 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1041 io->target_count = 1;
1042 tgt->status = 0;
1043 tgt->sector_start = 0;
1044 tgt->length = crypt_ftr->fs_size;
1045 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1046 buff_offset = crypt_params - buffer;
Mohd Farazb51f4af2020-02-11 11:13:32 +0530[diff] [blame]1047 SLOGI(
1048 "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
1049 name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
1050 extra_params);
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1051
1052#ifdef CONFIG_HW_DISK_ENCRYPTION
1053 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
1054 strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME);
1055 if (is_ice_enabled())
1056 convert_key_to_hex_ascii(master_key, sizeof(int), master_key_ascii);
1057 else
1058 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1059 }
1060 else {
1061 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1062 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1063 }
1064 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s 0",
1065 crypt_ftr->crypto_type_name, master_key_ascii,
1066 real_blk_name, extra_params);
1067
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]1068 SLOGI("target_type = %s\n", tgt->target_type);
1069 SLOGI("real_blk_name = %s, extra_params = %s\n", real_blk_name, extra_params);
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1070#else
1071 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1072 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1073 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
1074 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
1075 extra_params);
1076#endif
1077
1078 crypt_params += strlen(crypt_params) + 1;
1079 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1080 tgt->next = crypt_params - buffer;
1081
1082 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
Peter Cai7a45b892019-11-02 20:04:34 +0800[diff] [blame]1083 int ret = ioctl(fd, DM_TABLE_LOAD, io);
1084 if (!ret) {
1085 SLOGI("ioctl err: %d", ret);
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1086 break;
1087 }
1088 usleep(500000);
1089 }
1090
1091 if (i == TABLE_LOAD_RETRIES) {
1092 /* We failed to load the table, return an error */
1093 return -1;
1094 } else {
1095 return i + 1;
1096 }
1097}
1098
1099static int get_dm_crypt_version(int fd, const char *name, int *version)
1100{
1101 char buffer[DM_CRYPT_BUF_SIZE];
1102 struct dm_ioctl *io;
1103 struct dm_target_versions *v;
1104
1105 io = (struct dm_ioctl *) buffer;
1106
1107 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1108
1109 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1110 return -1;
1111 }
1112
1113 /* Iterate over the returned versions, looking for name of "crypt".
1114 * When found, get and return the version.
1115 */
1116 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1117 while (v->next) {
1118#ifdef CONFIG_HW_DISK_ENCRYPTION
1119 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1120#else
1121 if (! strcmp(v->name, "crypt")) {
1122#endif
1123 /* We found the crypt driver, return the version, and get out */
1124 version[0] = v->version[0];
1125 version[1] = v->version[1];
1126 version[2] = v->version[2];
1127 return 0;
1128 }
1129 v = (struct dm_target_versions *)(((char *)v) + v->next);
1130 }
1131
1132 return -1;
1133}
1134
1135#ifndef CONFIG_HW_DISK_ENCRYPTION
1136static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
1137 if (extra_params_vec.empty()) return "";
1138 char temp[10];
1139 snprintf(temp, sizeof(temp), "%zd", extra_params_vec.size());
1140 std::string extra_params = temp; //std::to_string(extra_params_vec.size());
1141 for (const auto& p : extra_params_vec) {
1142 extra_params.append(" ");
1143 extra_params.append(p);
1144 }
1145 return extra_params;
1146}
1147#endif
1148
1149static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
1150 const char* real_blk_name, char* crypto_blk_name, const char* name,
1151 uint32_t flags) {
1152 char buffer[DM_CRYPT_BUF_SIZE];
1153 struct dm_ioctl* io;
1154 unsigned int minor;
1155 int fd = 0;
1156 int err;
1157 int retval = -1;
1158 int version[3];
1159 int load_count;
1160#ifdef CONFIG_HW_DISK_ENCRYPTION
1161 char encrypted_state[PROPERTY_VALUE_MAX] = {0};
1162 char progress[PROPERTY_VALUE_MAX] = {0};
1163 const char *extra_params;
1164#else
1165 std::vector<std::string> extra_params_vec;
1166#endif
1167
1168 if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
1169 SLOGE("Cannot open device-mapper\n");
1170 goto errout;
1171 }
1172
1173 io = (struct dm_ioctl*)buffer;
1174
1175 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1176 err = ioctl(fd, DM_DEV_CREATE, io);
1177 if (err) {
1178 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
1179 goto errout;
1180 }
1181
1182 /* Get the device status, in particular, the name of it's device file */
1183 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1184 if (ioctl(fd, DM_DEV_STATUS, io)) {
1185 SLOGE("Cannot retrieve dm-crypt device status\n");
1186 goto errout;
1187 }
1188 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1189 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1190
1191#ifdef CONFIG_HW_DISK_ENCRYPTION
1192 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
1193 /* Set fde_enabled if either FDE completed or in-progress */
1194 property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */
1195 property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */
1196 if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) {
1197 if (is_ice_enabled()) {
1198 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
1199 extra_params = "fde_enabled ice allow_encrypt_override";
1200 else
1201 extra_params = "fde_enabled ice";
1202 } else {
1203 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
1204 extra_params = "fde_enabled allow_encrypt_override";
1205 else
1206 extra_params = "fde_enabled";
1207 }
1208 } else {
1209 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
1210 extra_params = "fde_enabled allow_encrypt_override";
1211 else
1212 extra_params = "fde_enabled";
1213 }
1214 } else {
1215 extra_params = "";
1216 if (! get_dm_crypt_version(fd, name, version)) {
1217 /* Support for allow_discards was added in version 1.11.0 */
1218 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1219 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
1220 extra_params = "2 allow_discards allow_encrypt_override";
1221 else
1222 extra_params = "1 allow_discards";
1223 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1224 }
1225 }
1226 }
1227 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1228 extra_params);
1229#else
1230 if (!get_dm_crypt_version(fd, name, version)) {
1231 /* Support for allow_discards was added in version 1.11.0 */
1232 if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
1233 extra_params_vec.push_back(std::string("allow_discards")); // Used to be extra_params_vec.emplace_back("allow_discards"); but this won't compile in 5.1 trees
1234 }
1235 }
1236 if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
1237 extra_params_vec.push_back(std::string("allow_encrypt_override")); // Used to be extra_params_vec.emplace_back("allow_encrypt_override"); but this won't compile in 5.1 trees
1238 }
1239 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
1240 extra_params_as_string(extra_params_vec).c_str());
1241#endif
1242 if (load_count < 0) {
1243 SLOGE("Cannot load dm-crypt mapping table.\n");
1244 goto errout;
1245 } else if (load_count > 1) {
1246 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1247 }
1248
1249 /* Resume this device to activate it */
1250 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1251
1252 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1253 SLOGE("Cannot resume the dm-crypt device\n");
1254 goto errout;
1255 }
1256
1257 /* We made it here with no errors. Woot! */
1258 retval = 0;
1259
1260errout:
1261 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1262
1263 return retval;
1264}
1265
1266int delete_crypto_blk_dev(const char *name)
1267{
1268 int fd;
1269 char buffer[DM_CRYPT_BUF_SIZE];
1270 struct dm_ioctl *io;
1271 int retval = -1;
1272
1273 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1274 SLOGE("Cannot open device-mapper\n");
1275 goto errout;
1276 }
1277
1278 io = (struct dm_ioctl *) buffer;
1279
1280 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1281 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1282 SLOGE("Cannot remove dm-crypt device\n");
1283 goto errout;
1284 }
1285
1286 /* We made it here with no errors. Woot! */
1287 retval = 0;
1288
1289errout:
1290 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1291
1292 return retval;
1293
1294}
1295
1296static int pbkdf2(const char *passwd, const unsigned char *salt,
1297 unsigned char *ikey, void *params UNUSED)
1298{
1299 SLOGI("Using pbkdf2 for cryptfs KDF\n");
1300
1301 /* Turn the password into a key and IV that can decrypt the master key */
1302 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN,
1303 HASH_COUNT, INTERMEDIATE_BUF_SIZE,
1304 ikey) != 1;
1305}
1306
1307static int scrypt(const char *passwd, const unsigned char *salt,
1308 unsigned char *ikey, void *params)
1309{
1310 SLOGI("Using scrypt for cryptfs KDF\n");
1311
1312 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1313
1314 int N = 1 << ftr->N_factor;
1315 int r = 1 << ftr->r_factor;
1316 int p = 1 << ftr->p_factor;
1317
1318 /* Turn the password into a key and IV that can decrypt the master key */
1319 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1320 salt, SALT_LEN, N, r, p, ikey,
1321 INTERMEDIATE_BUF_SIZE);
1322
1323 return 0;
1324}
1325
1326static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1327 unsigned char *ikey, void *params)
1328{
1329 SLOGI("Using scrypt with keymaster for cryptfs KDF\n");
1330
1331 int rc;
1332 size_t signature_size;
1333 unsigned char* signature;
1334 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1335
1336 int N = 1 << ftr->N_factor;
1337 int r = 1 << ftr->r_factor;
1338 int p = 1 << ftr->p_factor;
1339
1340 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1341 salt, SALT_LEN, N, r, p, ikey,
1342 INTERMEDIATE_BUF_SIZE);
1343
1344 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1345 SLOGE("scrypt failed\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1346 return -1;
1347 }
1348
1349 if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE,
1350 &signature, &signature_size)) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1351 SLOGE("Keymaster signing failed\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1352 return -1;
1353 }
1354
1355 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1356 N, r, p, ikey, INTERMEDIATE_BUF_SIZE);
1357 free(signature);
1358
1359 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1360 SLOGE("scrypt failed\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1361 return -1;
1362 }
1363
1364 return 0;
1365}
1366
1367static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1368 const unsigned char *encrypted_master_key,
1369 size_t keysize,
1370 unsigned char *decrypted_master_key,
1371 kdf_func kdf, void *kdf_params,
1372 unsigned char** intermediate_key,
1373 size_t* intermediate_key_size)
1374{
1375 unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
1376 EVP_CIPHER_CTX d_ctx;
1377 int decrypted_len, final_len;
1378
1379 /* Turn the password into an intermediate key and IV that can decrypt the
1380 master key */
1381 if (kdf(passwd, salt, ikey, kdf_params)) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1382 SLOGE("kdf failed\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1383 return -1;
1384 }
1385
1386 /* Initialize the decryption engine */
1387 EVP_CIPHER_CTX_init(&d_ctx);
1388 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+INTERMEDIATE_KEY_LEN_BYTES)) {
1389 return -1;
1390 }
1391 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1392 /* Decrypt the master key */
1393 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1394 encrypted_master_key, keysize)) {
1395 return -1;
1396 }
1397 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1398 return -1;
1399 }
1400
1401 if (decrypted_len + final_len != static_cast<int>(keysize)) {
1402 return -1;
1403 }
1404
1405 /* Copy intermediate key if needed by params */
1406 if (intermediate_key && intermediate_key_size) {
1407 *intermediate_key = (unsigned char*) malloc(INTERMEDIATE_KEY_LEN_BYTES);
1408 if (*intermediate_key) {
1409 memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
1410 *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
1411 }
1412 }
1413
1414 EVP_CIPHER_CTX_cleanup(&d_ctx);
1415
1416 return 0;
1417}
1418
1419static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1420{
1421 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1422 *kdf = scrypt_keymaster;
1423 *kdf_params = ftr;
1424 } else if (ftr->kdf_type == KDF_SCRYPT) {
1425 *kdf = scrypt;
1426 *kdf_params = ftr;
1427 } else {
1428 *kdf = pbkdf2;
1429 *kdf_params = NULL;
1430 }
1431}
1432
1433static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1434 struct crypt_mnt_ftr *crypt_ftr,
1435 unsigned char** intermediate_key,
1436 size_t* intermediate_key_size)
1437{
1438 kdf_func kdf;
1439 void *kdf_params;
1440 int ret;
1441
1442 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1443 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1444 crypt_ftr->keysize,
1445 decrypted_master_key, kdf, kdf_params,
1446 intermediate_key, intermediate_key_size);
1447 if (ret != 0) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1448 SLOGW("failure decrypting master key\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1449 }
1450
1451 return ret;
1452}
1453
1454#ifdef CONFIG_HW_DISK_ENCRYPTION
1455static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1456 const char *passwd, const char *mount_point, const char *label)
1457{
1458 /* Allocate enough space for a 256 bit key, but we may use less */
1459 unsigned char decrypted_master_key[32];
1460 char crypto_blkdev[MAXPATHLEN];
1461 //char real_blkdev[MAXPATHLEN];
1462 unsigned int orig_failed_decrypt_count;
1463 int rc = 0;
1464
1465 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1466 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1467
1468 //fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
1469
1470 int key_index = 0;
1471 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
Mohd Faraz191a6942020-02-15 22:06:14 +0530[diff] [blame]1472 if (crypt_ftr->flags & CRYPT_FORCE_COMPLETE) {
1473 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 0, 0)) {
1474 printf("Failed to decrypt master key\n");
1475 rc = -1;
1476 goto errout;
1477 }
1478 }
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1479 key_index = verify_and_update_hw_fde_passwd(passwd, crypt_ftr);
1480 if (key_index < 0) {
1481 rc = -1;
1482 goto errout;
1483 }
1484 else {
1485 if (is_ice_enabled()) {
1486#ifndef CONFIG_HW_DISK_ENCRYPT_PERF
1487 if (create_crypto_blk_dev(crypt_ftr, (unsigned char*)&key_index,
1488 real_blkdev, crypto_blkdev, label, 0)) {
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]1489 SLOGE("Error creating decrypted block device\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1490 rc = -1;
1491 goto errout;
1492 }
1493#endif
1494 } else {
1495 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1496 real_blkdev, crypto_blkdev, label, 0)) {
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]1497 SLOGE("Error creating decrypted block device\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1498 rc = -1;
1499 goto errout;
1500 }
1501 }
1502 }
1503 }
1504
1505 if (rc == 0) {
1506 /* Save the name of the crypto block device
1507 * so we can mount it when restarting the framework. */
1508#ifdef CONFIG_HW_DISK_ENCRYPT_PERF
1509 if (!is_ice_enabled())
1510#endif
1511 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1512 master_key_saved = 1;
1513 }
1514
1515 errout:
1516 return rc;
1517}
1518#endif
1519
1520static int try_mount_multiple_fs(const char *crypto_blkdev,
1521 const char *mount_point,
1522 const char *file_system)
1523{
1524 if (!mount(crypto_blkdev, mount_point, file_system, 0, NULL))
1525 return 0;
1526 if (strcmp(file_system, "ext4") &&
1527 !mount(crypto_blkdev, mount_point, "ext4", 0, NULL))
1528 return 0;
1529 if (strcmp(file_system, "f2fs") &&
1530 !mount(crypto_blkdev, mount_point, "f2fs", 0, NULL))
1531 return 0;
1532 return 1;
1533}
1534
1535static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1536 const char *passwd, const char *mount_point, const char *label)
1537{
1538 unsigned char decrypted_master_key[MAX_KEY_LEN];
1539 char crypto_blkdev[MAXPATHLEN];
1540 //char real_blkdev[MAXPATHLEN];
1541 char tmp_mount_point[64];
1542 unsigned int orig_failed_decrypt_count;
Mohd Faraz191a6942020-02-15 22:06:14 +0530[diff] [blame]1543 int rc = 0;
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1544 int use_keymaster = 0;
1545 unsigned char* intermediate_key = 0;
1546 size_t intermediate_key_size = 0;
1547 int N = 1 << crypt_ftr->N_factor;
1548 int r = 1 << crypt_ftr->r_factor;
1549 int p = 1 << crypt_ftr->p_factor;
1550
1551 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1552 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1553
1554 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1555 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1556 &intermediate_key, &intermediate_key_size)) {
1557 SLOGE("Failed to decrypt master key\n");
1558 rc = -1;
1559 goto errout;
1560 }
1561 }
1562
1563 //fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
1564
1565 // Create crypto block device - all (non fatal) code paths
1566 // need it
1567 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, label, 0)) {
1568 SLOGE("Error creating decrypted block device\n");
1569 rc = -1;
1570 goto errout;
1571 }
1572
1573 /* Work out if the problem is the password or the data */
1574 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1575 scrypted_intermediate_key)];
1576
1577 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1578 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1579 N, r, p, scrypted_intermediate_key,
1580 sizeof(scrypted_intermediate_key));
1581
1582 // Does the key match the crypto footer?
1583 if (rc == 0 && memcmp(scrypted_intermediate_key,
1584 crypt_ftr->scrypted_intermediate_key,
1585 sizeof(scrypted_intermediate_key)) == 0) {
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]1586 SLOGI("Password matches\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1587 rc = 0;
1588 } else {
1589 /* Try mounting the file system anyway, just in case the problem's with
1590 * the footer, not the key. */
1591 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt",
1592 mount_point);
1593 mkdir(tmp_mount_point, 0755);
1594 if (try_mount_multiple_fs(crypto_blkdev, tmp_mount_point, file_system)) {
1595 SLOGE("Error temp mounting decrypted block device\n");
1596 delete_crypto_blk_dev(label);
1597
1598 rc = -1;
1599 } else {
1600 /* Success! */
Captain Throwback49cfb7e2020-01-28 17:37:00 -0500[diff] [blame]1601 SLOGI("Password did not match but decrypted drive mounted - continue\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1602 umount(tmp_mount_point);
1603 rc = 0;
1604 }
1605 }
1606
1607 if (rc == 0) {
1608 /* Save the name of the crypto block device
1609 * so we can mount it when restarting the framework. */
1610 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1611
1612 /* Also save a the master key so we can reencrypted the key
1613 * the key when we want to change the password on it. */
1614 memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
1615 saved_mount_point = strdup(mount_point);
1616 master_key_saved = 1;
1617 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1618 rc = 0;
1619 }
1620
1621 errout:
1622 if (intermediate_key) {
1623 memset(intermediate_key, 0, intermediate_key_size);
1624 free(intermediate_key);
1625 }
1626 return rc;
1627}
1628
1629/*
1630 * Called by vold when it's asked to mount an encrypted external
1631 * storage volume. The incoming partition has no crypto header/footer,
1632 * as any metadata is been stored in a separate, small partition. We
1633 * assume it must be using our same crypt type and keysize.
1634 *
1635 * out_crypto_blkdev must be MAXPATHLEN.
1636 */
1637int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1638 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1639 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1640 if (fd == -1) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1641 SLOGE("Failed to open %s: %s\n", real_blkdev, strerror(errno));
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1642 return -1;
1643 }
1644
1645 unsigned long nr_sec = 0;
1646 get_blkdev_size(fd, &nr_sec);
1647 close(fd);
1648
1649 if (nr_sec == 0) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1650 SLOGE("Failed to get size of %s: %s\n", real_blkdev, strerror(errno));
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1651 return -1;
1652 }
1653
1654 struct crypt_mnt_ftr ext_crypt_ftr;
1655 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1656 ext_crypt_ftr.fs_size = nr_sec;
1657 ext_crypt_ftr.keysize = cryptfs_get_keysize();
1658 strlcpy((char*) ext_crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(),
1659 MAX_CRYPTO_TYPE_NAME_LEN);
1660 uint32_t flags = 0;
1661 /*if (e4crypt_is_native() &&
1662 android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
1663 flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;*/
1664
1665 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, out_crypto_blkdev, label, flags);
1666}
1667
1668/*
1669 * Called by vold when it's asked to unmount an encrypted external
1670 * storage volume.
1671 */
1672int cryptfs_revert_ext_volume(const char* label) {
1673 return delete_crypto_blk_dev(label);
1674}
1675
1676int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1677{
1678 char encrypted_state[PROPERTY_VALUE_MAX];
1679 property_get("ro.crypto.state", encrypted_state, "");
1680 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1681 SLOGE("encrypted fs already validated or not running with encryption,"
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1682 " aborting\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1683 return -1;
1684 }
1685
1686 if (get_crypt_ftr_and_key(crypt_ftr)) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1687 SLOGE("Error getting crypt footer and key\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1688 return -1;
1689 }
1690
1691 return 0;
1692}
1693
1694#ifdef CONFIG_HW_DISK_ENCRYPTION
1695int cryptfs_check_passwd_hw(const char* passwd)
1696{
1697 struct crypt_mnt_ftr crypt_ftr;
Mohd Faraz191a6942020-02-15 22:06:14 +0530[diff] [blame]1698 int rc = 0;
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1699 unsigned char master_key[KEY_LEN_BYTES];
1700 /* get key */
1701 if (get_crypt_ftr_and_key(&crypt_ftr)) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1702 SLOGE("Error getting crypt footer and key\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1703 return -1;
1704 }
1705
1706 /*
1707 * in case of manual encryption (from GUI), the encryption is done with
1708 * default password
1709 */
1710 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1711 /* compare scrypted_intermediate_key with stored scrypted_intermediate_key
1712 * which was created with actual password before reboot.
1713 */
1714 rc = cryptfs_get_master_key(&crypt_ftr, passwd, master_key);
1715 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1716 SLOGE("password doesn't match\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1717 return rc;
1718 }
1719
1720 rc = test_mount_hw_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1721 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1722
1723 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1724 SLOGE("Default password did not match on reboot encryption\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1725 return rc;
1726 }
1727 } else {
1728 rc = test_mount_hw_encrypted_fs(&crypt_ftr, passwd,
1729 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1730 SLOGE("test mount returned %i\n", rc);
1731 }
1732
1733 return rc;
1734}
1735#endif
1736
1737int cryptfs_check_passwd(const char *passwd)
1738{
1739 /*if (e4crypt_is_native()) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1740 SLOGE("cryptfs_check_passwd not valid for file encryption\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1741 return -1;
1742 }*/
1743
1744 struct crypt_mnt_ftr crypt_ftr;
1745 int rc;
1746
1747 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1748 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1749 SLOGE("Could not get footer\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1750 return rc;
1751 }
1752
1753#ifdef CONFIG_HW_DISK_ENCRYPTION
1754 if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name))
1755 return cryptfs_check_passwd_hw(passwd);
1756#endif
1757
1758 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1759 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1760
1761 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1762 SLOGE("Password did not match\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1763 return rc;
1764 }
1765
1766 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
1767 // Here we have a default actual password but a real password
1768 // we must test against the scrypted value
1769 // First, we must delete the crypto block device that
1770 // test_mount_encrypted_fs leaves behind as a side effect
1771 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
1772 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
1773 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
1774 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1775 SLOGE("Default password did not match on reboot encryption\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1776 return rc;
1777 }
1778 }
1779
1780 return rc;
1781}
1782
1783int cryptfs_verify_passwd(const char *passwd)
1784{
1785 struct crypt_mnt_ftr crypt_ftr;
1786 unsigned char decrypted_master_key[MAX_KEY_LEN];
1787 char encrypted_state[PROPERTY_VALUE_MAX];
1788 int rc;
1789
1790 property_get("ro.crypto.state", encrypted_state, "");
1791 if (strcmp(encrypted_state, "encrypted") ) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1792 SLOGE("device not encrypted, aborting\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1793 return -2;
1794 }
1795
1796 if (!master_key_saved) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1797 SLOGE("encrypted fs not yet mounted, aborting\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1798 return -1;
1799 }
1800
1801 if (!saved_mount_point) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1802 SLOGE("encrypted fs failed to save mount point, aborting\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1803 return -1;
1804 }
1805
1806 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1807 SLOGE("Error getting crypt footer and key\n");
1808 return -1;
1809 }
1810
1811 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1812 /* If the device has no password, then just say the password is valid */
1813 rc = 0;
1814 } else {
1815#ifdef CONFIG_HW_DISK_ENCRYPTION
1816 if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) {
1817 if (verify_hw_fde_passwd(passwd, &crypt_ftr) >= 0)
1818 rc = 0;
1819 else
1820 rc = -1;
1821 } else {
1822 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1823 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1824 /* They match, the password is correct */
1825 rc = 0;
1826 } else {
1827 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1828 sleep(1);
1829 rc = 1;
1830 }
1831 }
1832#else
1833 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1834 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1835 /* They match, the password is correct */
1836 rc = 0;
1837 } else {
1838 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1839 sleep(1);
1840 rc = 1;
1841 }
1842#endif
1843 }
1844
1845 return rc;
1846}
1847
1848/* Returns type of the password, default, pattern, pin or password.
1849 */
1850int cryptfs_get_password_type(void)
1851{
1852 struct crypt_mnt_ftr crypt_ftr;
1853
1854 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1855 SLOGE("Error getting crypt footer and key\n");
1856 return -1;
1857 }
1858
1859 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1860 return -1;
1861 }
1862
1863 return crypt_ftr.crypt_type;
1864}
1865
1866int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
1867 unsigned char* master_key)
1868{
1869 int rc;
1870
1871 unsigned char* intermediate_key = 0;
1872 size_t intermediate_key_size = 0;
1873
1874 if (password == 0 || *password == 0) {
1875 password = DEFAULT_PASSWORD;
1876 }
1877
1878 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
1879 &intermediate_key_size);
1880
1881 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1882 SLOGE("Can't calculate intermediate key\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1883 return rc;
1884 }
1885
1886 int N = 1 << ftr->N_factor;
1887 int r = 1 << ftr->r_factor;
1888 int p = 1 << ftr->p_factor;
1889
1890 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
1891
1892 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1893 ftr->salt, sizeof(ftr->salt), N, r, p,
1894 scrypted_intermediate_key,
1895 sizeof(scrypted_intermediate_key));
1896
1897 free(intermediate_key);
1898
1899 if (rc) {
Captain Throwbacka5283b32020-02-19 12:11:23 -0500[diff] [blame]1900 SLOGE("Can't scrypt intermediate key\n");
Ethan Yonker98661c12018-10-17 08:39:28 -0500[diff] [blame]1901 return rc;
1902 }
1903
1904 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
1905 intermediate_key_size);
1906}
1907