-
Notifications
You must be signed in to change notification settings - Fork 8
/
cryptfs.cpp
3619 lines (3113 loc) · 124 KB
/
cryptfs.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Copyright (C) 2010 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "Cryptfs"
#include "cryptfs.h"
#include "Checkpoint.h"
#include "CryptoType.h"
#include "EncryptInplace.h"
#include "FsCrypt.h"
#include "Keymaster.h"
#include "Process.h"
#include "ScryptParameters.h"
#include "Utils.h"
#include "VoldUtil.h"
#include "VolumeManager.h"
#include <android-base/logging.h>
#include <android-base/parseint.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <bootloader_message/bootloader_message.h>
#include <cutils/android_reboot.h>
#include <cutils/properties.h>
#include <ext4_utils/ext4_utils.h>
#include <f2fs_sparseblock.h>
#include <fs_mgr.h>
#include <fscrypt/fscrypt.h>
#include <libdm/dm.h>
#include <log/log.h>
#include <logwrap/logwrap.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <selinux/selinux.h>
#include <wakelock/wakelock.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <libgen.h>
#include <linux/kdev_t.h>
#include <math.h>
#include <mntent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <chrono>
#include <thread>
#ifdef CONFIG_HW_DISK_ENCRYPTION
#include <linux/dm-ioctl.h>
#include <sys/ioctl.h>
#include <cryptfs_hw.h>
#endif
extern "C" {
#include <crypto_scrypt.h>
}
using android::base::ParseUint;
using android::base::StringPrintf;
using android::fs_mgr::GetEntryForMountPoint;
using android::vold::CryptoType;
using android::vold::KeyBuffer;
using android::vold::KeyGeneration;
using namespace android::vold;
using namespace android::dm;
using namespace std::chrono_literals;
/* The current cryptfs version */
#define CURRENT_MAJOR_VERSION 1
#define CURRENT_MINOR_VERSION 3
#define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
#define CRYPT_PERSIST_DATA_SIZE 0x1000
#define CRYPT_SECTOR_SIZE 512
#define MAX_CRYPTO_TYPE_NAME_LEN 64
#define MAX_KEY_LEN 48
#define SALT_LEN 16
#define SCRYPT_LEN 32
/* definitions of flags in the structure below */
#define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
#define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* no longer used */
#define CRYPT_INCONSISTENT_STATE \
0x4 /* Set when starting encryption, clear when \
exit cleanly, either through success or \
correctly marked partial encryption */
#define CRYPT_DATA_CORRUPT \
0x8 /* Set when encryption is fine, but the \
underlying volume is corrupt */
#define CRYPT_FORCE_ENCRYPTION \
0x10 /* Set when it is time to encrypt this \
volume on boot. Everything in this \
structure is set up correctly as \
though device is encrypted except \
that the master key is encrypted with the \
default password. */
#define CRYPT_FORCE_COMPLETE \
0x20 /* Set when the above encryption cycle is \
complete. On next cryptkeeper entry, match \
the password. If it matches fix the master \
key and remove this flag. */
/* Allowed values for type in the structure below */
#define CRYPT_TYPE_PASSWORD \
0 /* master_key is encrypted with a password \
* Must be zero to be compatible with pre-L \
* devices where type is always password.*/
#define CRYPT_TYPE_DEFAULT \
1 /* master_key is encrypted with default \
* password */
#define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
#define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
#define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
#define CRYPT_MNT_MAGIC 0xD0B5B1C4
#define PERSIST_DATA_MAGIC 0xE950CD44
/* Key Derivation Function algorithms */
#define KDF_PBKDF2 1
#define KDF_SCRYPT 2
/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
#define KDF_SCRYPT_KEYMASTER 5
/* Maximum allowed keymaster blob size. */
#define KEYMASTER_BLOB_SIZE 2048
/* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
#define __le8 unsigned char
#if !defined(SHA256_DIGEST_LENGTH)
#define SHA256_DIGEST_LENGTH 32
#endif
/* This structure starts 16,384 bytes before the end of a hardware
* partition that is encrypted, or in a separate partition. It's location
* is specified by a property set in init.<device>.rc.
* The structure allocates 48 bytes for a key, but the real key size is
* specified in the struct. Currently, the code is hardcoded to use 128
* bit keys.
* The fields after salt are only valid in rev 1.1 and later stuctures.
* Obviously, the filesystem does not include the last 16 kbytes
* of the partition if the crypt_mnt_ftr lives at the end of the
* partition.
*/
struct crypt_mnt_ftr {
__le32 magic; /* See above */
__le16 major_version;
__le16 minor_version;
__le32 ftr_size; /* in bytes, not including key following */
__le32 flags; /* See above */
__le32 keysize; /* in bytes */
__le32 crypt_type; /* how master_key is encrypted. Must be a
* CRYPT_TYPE_XXX value */
__le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
__le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
mount, set to 0 on successful mount */
unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
needed to decrypt this
partition, null terminated */
__le32 spare2; /* ignored */
unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
__le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
* on device with that info, either the footer of the
* real_blkdevice or the metadata partition. */
__le32 persist_data_size; /* The number of bytes allocated to each copy of the
* persistent data table*/
__le8 kdf_type; /* The key derivation function used. */
/* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
__le8 N_factor; /* (1 << N) */
__le8 r_factor; /* (1 << r) */
__le8 p_factor; /* (1 << p) */
__le64 encrypted_upto; /* no longer used */
__le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* no longer used */
/* key_master key, used to sign the derived key which is then used to generate
* the intermediate key
* This key should be used for no other purposes! We use this key to sign unpadded
* data, which is acceptable but only if the key is not reused elsewhere. */
__le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
__le32 keymaster_blob_size;
/* Store scrypt of salted intermediate key. When decryption fails, we can
check if this matches, and if it does, we know that the problem is with the
drive, and there is no point in asking the user for more passwords.
Note that if any part of this structure is corrupt, this will not match and
we will continue to believe the user entered the wrong password. In that
case the only solution is for the user to enter a password enough times to
force a wipe.
Note also that there is no need to worry about migration. If this data is
wrong, we simply won't recognise a right password, and will continue to
prompt. On the first password change, this value will be populated and
then we will be OK.
*/
unsigned char scrypted_intermediate_key[SCRYPT_LEN];
/* sha of this structure with this element set to zero
Used when encrypting on reboot to validate structure before doing something
fatal
*/
unsigned char sha256[SHA256_DIGEST_LENGTH];
};
/* Persistant data that should be available before decryption.
* Things like airplane mode, locale and timezone are kept
* here and can be retrieved by the CryptKeeper UI to properly
* configure the phone before asking for the password
* This is only valid if the major and minor version above
* is set to 1.1 or higher.
*
* This is a 4K structure. There are 2 copies, and the code alternates
* writing one and then clearing the previous one. The reading
* code reads the first valid copy it finds, based on the magic number.
* The absolute offset to the first of the two copies is kept in rev 1.1
* and higher crypt_mnt_ftr structures.
*/
struct crypt_persist_entry {
char key[PROPERTY_KEY_MAX];
char val[PROPERTY_VALUE_MAX];
};
/* Should be exactly 4K in size */
struct crypt_persist_data {
__le32 persist_magic;
__le32 persist_valid_entries;
__le32 persist_spare[30];
struct crypt_persist_entry persist_entry[0];
};
typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
void* params);
#define UNUSED __attribute__((unused))
#define HASH_COUNT 2000
constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
#define KEY_IN_FOOTER "footer"
#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264"
#define DEFAULT_PASSWORD "default_password"
#define CRYPTO_BLOCK_DEVICE "userdata"
#define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
#define EXT4_FS 1
#define F2FS_FS 2
#define TABLE_LOAD_RETRIES 10
#define RSA_KEY_SIZE 2048
#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
#define RSA_EXPONENT 0x10001
#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
#define KEY_LEN_BYTES 16
#define RETRY_MOUNT_ATTEMPTS 10
#define RETRY_MOUNT_DELAY_SECONDS 1
#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
static unsigned char saved_master_key[MAX_KEY_LEN];
static char* saved_mount_point;
static int master_key_saved = 0;
static struct crypt_persist_data* persist_data = NULL;
static int previous_type;
static char twrp_key_fname[PROPERTY_VALUE_MAX] = "";
static char twrp_real_blkdev[PROPERTY_VALUE_MAX] = "";
#ifdef CONFIG_HW_DISK_ENCRYPTION
static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
unsigned char *ikey, void *params);
static void convert_key_to_hex_ascii(const unsigned char *master_key,
unsigned int keysize, char *master_key_ascii);
static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr);
static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
const char *passwd, const char *mount_point, const char *label);
int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw,
const char *newpw);
int cryptfs_check_passwd_hw(char *passwd);
int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
unsigned char* master_key);
static void convert_key_to_hex_ascii_for_upgrade(const unsigned char *master_key,
unsigned int keysize, char *master_key_ascii)
{
unsigned int i, a;
unsigned char nibble;
for (i = 0, a = 0; i < keysize; i++, a += 2) {
/* For each byte, write out two ascii hex digits */
nibble = (master_key[i] >> 4) & 0xf;
master_key_ascii[a] = nibble + (nibble > 9 ? 0x57 : 0x30);
nibble = master_key[i] & 0xf;
master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x57 : 0x30);
}
/* Add the null termination */
master_key_ascii[a] = '\0';
}
static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw,
unsigned char* salt,
const struct crypt_mnt_ftr *ftr)
{
/* if newpw updated, return 0
* if newpw not updated return -1
*/
int rc = -1;
if (should_use_keymaster()) {
if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) {
SLOGE("scrypt failed");
} else {
rc = 0;
}
}
return rc;
}
static int verify_hw_fde_passwd(const char *passwd, struct crypt_mnt_ftr* crypt_ftr)
{
unsigned char newpw[32] = {0};
int key_index;
if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr))
key_index = set_hw_device_encryption_key(passwd,
(char*) crypt_ftr->crypto_type_name);
else
key_index = set_hw_device_encryption_key((const char*)newpw,
(char*) crypt_ftr->crypto_type_name);
return key_index;
}
static int verify_and_update_hw_fde_passwd(const char *passwd,
struct crypt_mnt_ftr* crypt_ftr)
{
char* new_passwd = NULL;
unsigned char newpw[32] = {0};
int key_index = -1;
int passwd_updated = -1;
int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED);
key_index = verify_hw_fde_passwd(passwd, crypt_ftr);
if (key_index < 0) {
++crypt_ftr->failed_decrypt_count;
if (ascii_passwd_updated) {
SLOGI("Ascii password was updated");
} else {
/* Code in else part would execute only once:
* When device is upgraded from L->M release.
* Once upgraded, code flow should never come here.
* L release passed actual password in hex, so try with hex
* Each nible of passwd was encoded as a byte, so allocate memory
* twice of password len plus one more byte for null termination
*/
if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) {
new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1);
if (new_passwd == NULL) {
SLOGE("System out of memory. Password verification incomplete");
goto out;
}
strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1);
} else {
new_passwd = (char*)malloc(strlen(passwd) * 2 + 1);
if (new_passwd == NULL) {
SLOGE("System out of memory. Password verification incomplete");
goto out;
}
convert_key_to_hex_ascii_for_upgrade((const unsigned char*)passwd,
strlen(passwd), new_passwd);
}
key_index = set_hw_device_encryption_key((const char*)new_passwd,
(char*) crypt_ftr->crypto_type_name);
if (key_index >=0) {
crypt_ftr->failed_decrypt_count = 0;
SLOGI("Hex password verified...will try to update with Ascii value");
/* Before updating password, tie that with keymaster to tie with ROT */
if (get_keymaster_hw_fde_passwd(passwd, newpw,
crypt_ftr->salt, crypt_ftr)) {
passwd_updated = update_hw_device_encryption_key(new_passwd,
passwd, (char*)crypt_ftr->crypto_type_name);
} else {
passwd_updated = update_hw_device_encryption_key(new_passwd,
(const char*)newpw, (char*)crypt_ftr->crypto_type_name);
}
if (passwd_updated >= 0) {
crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
SLOGI("Ascii password recorded and updated");
} else {
SLOGI("Passwd verified, could not update...Will try next time");
}
} else {
++crypt_ftr->failed_decrypt_count;
}
free(new_passwd);
}
} else {
if (!ascii_passwd_updated)
crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
}
out:
// update footer before leaving
put_crypt_ftr_and_key(crypt_ftr);
return key_index;
}
#endif
constexpr CryptoType aes_128_cbc = CryptoType()
.set_config_name("AES-128-CBC")
.set_kernel_name("aes-cbc-essiv:sha256")
.set_keysize(16);
constexpr CryptoType supported_crypto_types[] = {aes_128_cbc, android::vold::adiantum};
static_assert(validateSupportedCryptoTypes(MAX_KEY_LEN, supported_crypto_types,
array_length(supported_crypto_types)),
"We have a CryptoType with keysize > MAX_KEY_LEN or which was "
"incompletely constructed.");
static const CryptoType& get_crypto_type() {
// We only want to parse this read-only property once. But we need to wait
// until the system is initialized before we can read it. So we use a static
// scoped within this function to get it only once.
static CryptoType crypto_type =
lookup_crypto_algorithm(supported_crypto_types, array_length(supported_crypto_types),
aes_128_cbc, "ro.crypto.fde_algorithm");
return crypto_type;
}
const KeyGeneration cryptfs_get_keygen() {
return KeyGeneration{get_crypto_type().get_keysize(), true, false};
}
static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
uint32_t* out_size) {
if (!buffer || !out_size) {
LOG(ERROR) << "Missing target pointers";
return false;
}
*out_size = towrite.size();
if (buffer_size < towrite.size()) {
LOG(ERROR) << "Buffer too small " << buffer_size << " < " << towrite.size();
return false;
}
memset(buffer, '\0', buffer_size);
std::copy(towrite.begin(), towrite.end(), buffer);
return true;
}
static int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
uint32_t ratelimit, uint8_t* key_buffer,
uint32_t key_buffer_size,
uint32_t* key_out_size) {
if (key_out_size) {
*key_out_size = 0;
}
Keymaster dev;
if (!dev) {
LOG(ERROR) << "Failed to initiate keymaster session";
return -1;
}
auto keyParams = km::AuthorizationSetBuilder()
.RsaSigningKey(rsa_key_size, rsa_exponent)
.NoDigestOrPadding()
.Authorization(km::TAG_NO_AUTH_REQUIRED)
.Authorization(km::TAG_MIN_SECONDS_BETWEEN_OPS, ratelimit);
std::string key;
if (!dev.generateKey(keyParams, &key)) return -1;
if (!write_string_to_buf(key, key_buffer, key_buffer_size, key_out_size)) return -1;
return 0;
}
/* Create a new keymaster key and store it in this footer */
static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
if (ftr->keymaster_blob_size) {
SLOGI("Already have key");
return 0;
}
int rc = keymaster_create_key_for_cryptfs_scrypt(
RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
if (rc) {
if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
SLOGE("Keymaster key blob too large");
ftr->keymaster_blob_size = 0;
}
SLOGE("Failed to generate keypair");
return -1;
}
return 0;
}
static int keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr* ftr, uint32_t ratelimit,
const uint8_t* object, const size_t object_size,
uint8_t** signature_buffer,
size_t* signature_buffer_size) {
if (!object || !signature_buffer || !signature_buffer_size) {
LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument";
return -1;
}
Keymaster dev;
if (!dev) {
LOG(ERROR) << "Failed to initiate keymaster session";
return -1;
}
km::AuthorizationSet outParams;
std::string key(reinterpret_cast<const char*>(ftr->keymaster_blob), ftr->keymaster_blob_size);
std::string input(reinterpret_cast<const char*>(object), object_size);
std::string output;
KeymasterOperation op;
auto paramBuilder = km::AuthorizationSetBuilder().NoDigestOrPadding().Authorization(
km::TAG_PURPOSE, km::KeyPurpose::SIGN);
while (true) {
op = dev.begin(key, paramBuilder, &outParams);
if (op.getErrorCode() == km::ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
sleep(ratelimit);
continue;
} else
break;
}
if (!op) {
LOG(ERROR) << "Error starting keymaster signature transaction: "
<< int32_t(op.getErrorCode());
return -1;
}
if (op.getUpgradedBlob()) {
write_string_to_buf(*op.getUpgradedBlob(), ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
&ftr->keymaster_blob_size);
SLOGD("Upgrading key");
if (put_crypt_ftr_and_key(ftr) != 0) {
SLOGE("Failed to write upgraded key to disk");
return -1;
}
SLOGD("Key upgraded successfully");
}
if (!op.updateCompletely(input, &output)) {
LOG(ERROR) << "Error sending data to keymaster signature transaction: "
<< int32_t(op.getErrorCode());
return -1;
}
if (!op.finish(&output)) {
LOG(ERROR) << "Error finalizing keymaster signature transaction: "
<< int32_t(op.getErrorCode());
return -1;
}
*signature_buffer = reinterpret_cast<uint8_t*>(malloc(output.size()));
if (*signature_buffer == nullptr) {
LOG(ERROR) << "Error allocation buffer for keymaster signature";
return -1;
}
*signature_buffer_size = output.size();
std::copy(output.data(), output.data() + output.size(), *signature_buffer);
return 0;
}
void set_partition_data(const char* block_device, const char* key_location)
{
strncpy(twrp_key_fname, key_location, strlen(key_location));
strncpy(twrp_real_blkdev, block_device, strlen(block_device));
}
/* This signs the given object using the keymaster key. */
static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
const size_t object_size, unsigned char** signature,
size_t* signature_size) {
unsigned char to_sign[RSA_KEY_SIZE_BYTES];
size_t to_sign_size = sizeof(to_sign);
memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
// To sign a message with RSA, the message must satisfy two
// constraints:
//
// 1. The message, when interpreted as a big-endian numeric value, must
// be strictly less than the public modulus of the RSA key. Note
// that because the most significant bit of the public modulus is
// guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
// key), an n-bit message with most significant bit 0 always
// satisfies this requirement.
//
// 2. The message must have the same length in bits as the public
// modulus of the RSA key. This requirement isn't mathematically
// necessary, but is necessary to ensure consistency in
// implementations.
switch (ftr->kdf_type) {
case KDF_SCRYPT_KEYMASTER:
// This ensures the most significant byte of the signed message
// is zero. We could have zero-padded to the left instead, but
// this approach is slightly more robust against changes in
// object size. However, it's still broken (but not unusably
// so) because we really should be using a proper deterministic
// RSA padding function, such as PKCS1.
memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
SLOGI("Signing safely-padded object");
break;
default:
SLOGE("Unknown KDF type %d", ftr->kdf_type);
return -1;
}
return keymaster_sign_object_for_cryptfs_scrypt(ftr, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
to_sign_size, signature, signature_size);
}
/* Store password when userdata is successfully decrypted and mounted.
* Cleared by cryptfs_clear_password
*
* To avoid a double prompt at boot, we need to store the CryptKeeper
* password and pass it to KeyGuard, which uses it to unlock KeyStore.
* Since the entire framework is torn down and rebuilt after encryption,
* we have to use a daemon or similar to store the password. Since vold
* is secured against IPC except from system processes, it seems a reasonable
* place to store this.
*
* password should be cleared once it has been used.
*
* password is aged out after password_max_age_seconds seconds.
*/
static char* password = 0;
static int password_expiry_time = 0;
static const int password_max_age_seconds = 60;
enum class RebootType { reboot, recovery, shutdown };
static void cryptfs_reboot(RebootType rt) {
switch (rt) {
case RebootType::reboot:
property_set(ANDROID_RB_PROPERTY, "reboot");
break;
case RebootType::recovery:
property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
break;
case RebootType::shutdown:
property_set(ANDROID_RB_PROPERTY, "shutdown");
break;
}
sleep(20);
/* Shouldn't get here, reboot should happen before sleep times out */
return;
}
/**
* Gets the default device scrypt parameters for key derivation time tuning.
* The parameters should lead to about one second derivation time for the
* given device.
*/
static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
char paramstr[PROPERTY_VALUE_MAX];
int Nf, rf, pf;
property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
}
ftr->N_factor = Nf;
ftr->r_factor = rf;
ftr->p_factor = pf;
}
static uint64_t get_fs_size(const char* dev) {
int fd, block_size;
struct ext4_super_block sb;
uint64_t len;
if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
SLOGE("Cannot open device to get filesystem size ");
return 0;
}
if (lseek64(fd, 1024, SEEK_SET) < 0) {
SLOGE("Cannot seek to superblock");
return 0;
}
if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
SLOGE("Cannot read superblock");
return 0;
}
close(fd);
if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
SLOGE("Not a valid ext4 superblock");
return 0;
}
block_size = 1024 << sb.s_log_block_size;
/* compute length in bytes */
len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
/* return length in sectors */
return len / 512;
}
static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
/*
for (const auto& entry : fstab_default) {
if (!entry.fs_mgr_flags.vold_managed &&
(entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
if (key_loc != nullptr) {
*key_loc = entry.key_loc;
}
if (real_blk_device != nullptr) {
*real_blk_device = entry.blk_device;
}
return;
}
}
*/
if (key_loc != nullptr) {
*key_loc = std::string(twrp_key_fname);
}
if (real_blk_device != nullptr) {
*real_blk_device = std::string(twrp_real_blkdev);
}
return;
}
static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
static int cached_data = 0;
static uint64_t cached_off = 0;
static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
char key_loc[PROPERTY_VALUE_MAX];
char real_blkdev[PROPERTY_VALUE_MAX];
int rc = -1;
if (!cached_data) {
std::string key_loc;
std::string real_blkdev;
get_crypt_info(&key_loc, &real_blkdev);
if (key_loc == KEY_IN_FOOTER) {
if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
/* If it's an encrypted Android partition, the last 16 Kbytes contain the
* encryption info footer and key, and plenty of bytes to spare for future
* growth.
*/
strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
cached_off -= CRYPT_FOOTER_OFFSET;
cached_data = 1;
} else {
SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
}
} else {
strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
cached_off = 0;
cached_data = 1;
}
}
if (cached_data) {
if (metadata_fname) {
*metadata_fname = cached_metadata_fname;
}
if (off) {
*off = cached_off;
}
rc = 0;
}
return rc;
}
/* Set sha256 checksum in structure */
static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
SHA256_CTX c;
SHA256_Init(&c);
memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
SHA256_Final(crypt_ftr->sha256, &c);
}
/* key or salt can be NULL, in which case just skip writing that value. Useful to
* update the failed mount count but not change the key.
*/
static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
int fd;
unsigned int cnt;
/* starting_off is set to the SEEK_SET offset
* where the crypto structure starts
*/
off64_t starting_off;
int rc = -1;
char* fname = NULL;
struct stat statbuf;
set_ftr_sha(crypt_ftr);
if (get_crypt_ftr_info(&fname, &starting_off)) {
SLOGE("Unable to get crypt_ftr_info\n");
return -1;
}
if (fname[0] != '/') {
SLOGE("Unexpected value for crypto key location\n");
return -1;
}
if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
SLOGE("Cannot open footer file %s for put\n", fname);
return -1;
}
/* Seek to the start of the crypt footer */
if (lseek64(fd, starting_off, SEEK_SET) == -1) {
SLOGE("Cannot seek to real block device footer\n");
goto errout;
}
if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
SLOGE("Cannot write real block device footer\n");
goto errout;
}
fstat(fd, &statbuf);
/* If the keys are kept on a raw block device, do not try to truncate it. */
if (S_ISREG(statbuf.st_mode)) {
if (ftruncate(fd, 0x4000)) {
SLOGE("Cannot set footer file size\n");
goto errout;
}
}
/* Success! */
rc = 0;
errout:
close(fd);
return rc;
}
static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
struct crypt_mnt_ftr copy;
memcpy(©, crypt_ftr, sizeof(copy));
set_ftr_sha(©);
return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
}
static inline int unix_read(int fd, void* buff, int len) {
return TEMP_FAILURE_RETRY(read(fd, buff, len));
}
static inline int unix_write(int fd, const void* buff, int len) {
return TEMP_FAILURE_RETRY(write(fd, buff, len));
}
static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
memset(pdata, 0, len);
pdata->persist_magic = PERSIST_DATA_MAGIC;
pdata->persist_valid_entries = 0;
}
/* A routine to update the passed in crypt_ftr to the lastest version.
* fd is open read/write on the device that holds the crypto footer and persistent
* data, crypt_ftr is a pointer to the struct to be updated, and offset is the
* absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
*/
static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
int orig_major = crypt_ftr->major_version;
int orig_minor = crypt_ftr->minor_version;
if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
struct crypt_persist_data* pdata;
off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
SLOGW("upgrading crypto footer to 1.1");
pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
if (pdata == NULL) {
SLOGE("Cannot allocate persisent data\n");
return;
}
memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
/* Need to initialize the persistent data area */
if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
SLOGE("Cannot seek to persisent data offset\n");
free(pdata);
return;
}
/* Write all zeros to the first copy, making it invalid */
unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
/* Write a valid but empty structure to the second copy */
init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
/* Update the footer */
crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
crypt_ftr->persist_data_offset[0] = pdata_offset;
crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
crypt_ftr->minor_version = 1;
free(pdata);
}
if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
SLOGW("upgrading crypto footer to 1.2");
/* But keep the old kdf_type.
* It will get updated later to KDF_SCRYPT after the password has been verified.
*/
crypt_ftr->kdf_type = KDF_PBKDF2;
get_device_scrypt_params(crypt_ftr);
crypt_ftr->minor_version = 2;
}
if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
SLOGW("upgrading crypto footer to 1.3");
crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
crypt_ftr->minor_version = 3;
}
if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
if (lseek64(fd, offset, SEEK_SET) == -1) {
SLOGE("Cannot seek to crypt footer\n");
return;
}
unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
}
}
static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
int fd;
unsigned int cnt;
off64_t starting_off;
int rc = -1;
char* fname = NULL;
struct stat statbuf;
if (get_crypt_ftr_info(&fname, &starting_off)) {
SLOGE("Unable to get crypt_ftr_info\n");
return -1;
}
if (fname[0] != '/') {
SLOGE("Unexpected value for crypto key location\n");
return -1;
}
if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
SLOGE("Cannot open footer file %s for get\n", fname);
return -1;