| From 3df1faeb7e70914cddefb4fb6ecd27bb989c4cc5 Mon Sep 17 00:00:00 2001 |
| From: Jackeagle <jackeagle102@gmail.com> |
| Date: Mon, 6 May 2019 19:57:11 +0200 |
| Subject: [PATCH 8/8] Revert "vold: Add Hardware FDE feature" |
| |
| This reverts commit 3585008ea98f4a1caf69d10c32a02e1169eeb248. |
| |
| Change-Id: I808cd01881cd9c968e9a631adccdbaf22501e650 |
| Signed-off-by: Jackeagle <jackeagle102@gmail.com> |
| --- |
| Android.bp | 8 - |
| VoldNativeService.cpp | 4 +- |
| VoldNativeService.h | 2 +- |
| binder/android/os/IVold.aidl | 2 +- |
| cryptfs.cpp | 638 +++-------------------------------- |
| cryptfs.h | 10 +- |
| 6 files changed, 50 insertions(+), 614 deletions(-) |
| |
| diff --git a/Android.bp b/Android.bp |
| index ffb139e..48dfaaf 100644 |
| --- a/Android.bp |
| +++ b/Android.bp |
| @@ -140,11 +140,6 @@ cc_library_static { |
| "libarcobbvolume", |
| ], |
| }, |
| - device_support_hwfde: { |
| - cflags: ["-DCONFIG_HW_DISK_ENCRYPTION"], |
| - header_libs: ["libcryptfs_hw_headers"], |
| - shared_libs: ["libcryptfs_hw"], |
| - }, |
| }, |
| } |
| |
| @@ -164,9 +159,6 @@ cc_binary { |
| "libarcobbvolume", |
| ], |
| }, |
| - device_support_hwfde: { |
| - shared_libs: ["libcryptfs_hw"], |
| - }, |
| }, |
| init_rc: [ |
| "vold.rc", |
| diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp |
| index 6d6c6ec..81523c6 100644 |
| --- a/VoldNativeService.cpp |
| +++ b/VoldNativeService.cpp |
| @@ -581,11 +581,11 @@ binder::Status VoldNativeService::fdeEnable(int32_t passwordType, |
| } |
| |
| binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType, |
| - const std::string& currentPassword, const std::string& password) { |
| + const std::string& password) { |
| ENFORCE_UID(AID_SYSTEM); |
| ACQUIRE_CRYPT_LOCK; |
| |
| - return translate(cryptfs_changepw(passwordType, currentPassword.c_str(), password.c_str())); |
| + return translate(cryptfs_changepw(passwordType, password.c_str())); |
| } |
| |
| binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) { |
| diff --git a/VoldNativeService.h b/VoldNativeService.h |
| index da8c660..2e90101 100644 |
| --- a/VoldNativeService.h |
| +++ b/VoldNativeService.h |
| @@ -82,7 +82,7 @@ public: |
| binder::Status fdeEnable(int32_t passwordType, |
| const std::string& password, int32_t encryptionFlags); |
| binder::Status fdeChangePassword(int32_t passwordType, |
| - const std::string& currentPassword, const std::string& password); |
| + const std::string& password); |
| binder::Status fdeVerifyPassword(const std::string& password); |
| binder::Status fdeGetField(const std::string& key, std::string* _aidl_return); |
| binder::Status fdeSetField(const std::string& key, const std::string& value); |
| diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl |
| index 9f5b21a..f386889 100644 |
| --- a/binder/android/os/IVold.aidl |
| +++ b/binder/android/os/IVold.aidl |
| @@ -65,7 +65,7 @@ interface IVold { |
| void fdeRestart(); |
| int fdeComplete(); |
| void fdeEnable(int passwordType, @utf8InCpp String password, int encryptionFlags); |
| - void fdeChangePassword(int passwordType, @utf8InCpp String currentPassword, @utf8InCpp String password); |
| + void fdeChangePassword(int passwordType, @utf8InCpp String password); |
| void fdeVerifyPassword(@utf8InCpp String password); |
| @utf8InCpp String fdeGetField(@utf8InCpp String key); |
| void fdeSetField(@utf8InCpp String key, @utf8InCpp String value); |
| diff --git a/cryptfs.cpp b/cryptfs.cpp |
| index bea9b2f..7aee819 100644 |
| --- a/cryptfs.cpp |
| +++ b/cryptfs.cpp |
| @@ -66,9 +66,6 @@ |
| #include "android-base/properties.h" |
| #include "android-base/stringprintf.h" |
| #include <bootloader_message/bootloader_message.h> |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -#include <cryptfs_hw.h> |
| -#endif |
| extern "C" { |
| #include <crypto_scrypt.h> |
| } |
| @@ -94,7 +91,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, |
| |
| #define KEY_IN_FOOTER "footer" |
| |
| -#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264" |
| #define DEFAULT_PASSWORD "default_password" |
| |
| #define CRYPTO_BLOCK_DEVICE "userdata" |
| @@ -110,7 +106,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, |
| #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) |
| #define RSA_EXPONENT 0x10001 |
| #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second |
| -#define KEY_LEN_BYTES 16 |
| |
| #define RETRY_MOUNT_ATTEMPTS 10 |
| #define RETRY_MOUNT_DELAY_SECONDS 1 |
| @@ -124,151 +119,6 @@ static char *saved_mount_point; |
| static int master_key_saved = 0; |
| static struct crypt_persist_data *persist_data = NULL; |
| |
| -static int previous_type; |
| - |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -static int scrypt_keymaster(const char *passwd, const unsigned char *salt, |
| - unsigned char *ikey, void *params); |
| -static void convert_key_to_hex_ascii(const unsigned char *master_key, |
| - unsigned int keysize, char *master_key_ascii); |
| -static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr); |
| -static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, |
| - const char *passwd, const char *mount_point, const char *label); |
| -int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw, |
| - const char *newpw); |
| -int cryptfs_check_passwd_hw(char *passwd); |
| -int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, |
| - unsigned char* master_key); |
| - |
| -static void convert_key_to_hex_ascii_for_upgrade(const unsigned char *master_key, |
| - unsigned int keysize, char *master_key_ascii) |
| -{ |
| - unsigned int i, a; |
| - unsigned char nibble; |
| - |
| - for (i = 0, a = 0; i < keysize; i++, a += 2) { |
| - /* For each byte, write out two ascii hex digits */ |
| - nibble = (master_key[i] >> 4) & 0xf; |
| - master_key_ascii[a] = nibble + (nibble > 9 ? 0x57 : 0x30); |
| - |
| - nibble = master_key[i] & 0xf; |
| - master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x57 : 0x30); |
| - } |
| - |
| - /* Add the null termination */ |
| - master_key_ascii[a] = '\0'; |
| -} |
| - |
| -static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw, |
| - unsigned char* salt, |
| - const struct crypt_mnt_ftr *ftr) |
| -{ |
| - /* if newpw updated, return 0 |
| - * if newpw not updated return -1 |
| - */ |
| - int rc = -1; |
| - |
| - if (should_use_keymaster()) { |
| - if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) { |
| - SLOGE("scrypt failed"); |
| - } else { |
| - rc = 0; |
| - } |
| - } |
| - |
| - return rc; |
| -} |
| - |
| -static int verify_hw_fde_passwd(const char *passwd, struct crypt_mnt_ftr* crypt_ftr) |
| -{ |
| - unsigned char newpw[32] = {0}; |
| - int key_index; |
| - if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr)) |
| - key_index = set_hw_device_encryption_key(passwd, |
| - (char*) crypt_ftr->crypto_type_name); |
| - else |
| - key_index = set_hw_device_encryption_key((const char*)newpw, |
| - (char*) crypt_ftr->crypto_type_name); |
| - return key_index; |
| -} |
| - |
| -static int verify_and_update_hw_fde_passwd(const char *passwd, |
| - struct crypt_mnt_ftr* crypt_ftr) |
| -{ |
| - char* new_passwd = NULL; |
| - unsigned char newpw[32] = {0}; |
| - int key_index = -1; |
| - int passwd_updated = -1; |
| - int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED); |
| - |
| - key_index = verify_hw_fde_passwd(passwd, crypt_ftr); |
| - if (key_index < 0) { |
| - ++crypt_ftr->failed_decrypt_count; |
| - |
| - if (ascii_passwd_updated) { |
| - SLOGI("Ascii password was updated"); |
| - } else { |
| - /* Code in else part would execute only once: |
| - * When device is upgraded from L->M release. |
| - * Once upgraded, code flow should never come here. |
| - * L release passed actual password in hex, so try with hex |
| - * Each nible of passwd was encoded as a byte, so allocate memory |
| - * twice of password len plus one more byte for null termination |
| - */ |
| - if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) { |
| - new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1); |
| - if (new_passwd == NULL) { |
| - SLOGE("System out of memory. Password verification incomplete"); |
| - goto out; |
| - } |
| - strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1); |
| - } else { |
| - new_passwd = (char*)malloc(strlen(passwd) * 2 + 1); |
| - if (new_passwd == NULL) { |
| - SLOGE("System out of memory. Password verification incomplete"); |
| - goto out; |
| - } |
| - convert_key_to_hex_ascii_for_upgrade((const unsigned char*)passwd, |
| - strlen(passwd), new_passwd); |
| - } |
| - key_index = set_hw_device_encryption_key((const char*)new_passwd, |
| - (char*) crypt_ftr->crypto_type_name); |
| - if (key_index >=0) { |
| - crypt_ftr->failed_decrypt_count = 0; |
| - SLOGI("Hex password verified...will try to update with Ascii value"); |
| - /* Before updating password, tie that with keymaster to tie with ROT */ |
| - |
| - if (get_keymaster_hw_fde_passwd(passwd, newpw, |
| - crypt_ftr->salt, crypt_ftr)) { |
| - passwd_updated = update_hw_device_encryption_key(new_passwd, |
| - passwd, (char*)crypt_ftr->crypto_type_name); |
| - } else { |
| - passwd_updated = update_hw_device_encryption_key(new_passwd, |
| - (const char*)newpw, (char*)crypt_ftr->crypto_type_name); |
| - } |
| - |
| - if (passwd_updated >= 0) { |
| - crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED; |
| - SLOGI("Ascii password recorded and updated"); |
| - } else { |
| - SLOGI("Passwd verified, could not update...Will try next time"); |
| - } |
| - } else { |
| - ++crypt_ftr->failed_decrypt_count; |
| - } |
| - free(new_passwd); |
| - } |
| - } else { |
| - if (!ascii_passwd_updated) |
| - crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED; |
| - } |
| -out: |
| - // update footer before leaving |
| - put_crypt_ftr_and_key(crypt_ftr); |
| - return key_index; |
| -} |
| -#endif |
| - |
| /* Should we use keymaster? */ |
| static int keymaster_check_compatibility() |
| { |
| @@ -1161,40 +1011,21 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, |
| tgt->status = 0; |
| tgt->sector_start = 0; |
| tgt->length = crypt_ftr->fs_size; |
| + strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); |
| + |
| crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); |
| + convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); |
| + |
| buff_offset = crypt_params - buffer; |
| + |
| SLOGI( |
| "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n", |
| name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512, |
| extra_params); |
| - |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) { |
| - strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME); |
| - if (is_ice_enabled()) |
| - convert_key_to_hex_ascii(master_key, sizeof(int), master_key_ascii); |
| - else |
| - convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); |
| - } |
| - else { |
| - convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); |
| - strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); |
| - } |
| - snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s 0", |
| - crypt_ftr->crypto_type_name, master_key_ascii, |
| - real_blk_name, extra_params); |
| - |
| - SLOGI("target_type = %s", tgt->target_type); |
| - SLOGI("real_blk_name = %s, extra_params = %s", real_blk_name, extra_params); |
| -#else |
| - convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); |
| - strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); |
| |
| snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s", |
| crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, |
| extra_params); |
| -#endif |
| - |
| crypt_params += strlen(crypt_params) + 1; |
| crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ |
| tgt->next = crypt_params - buffer; |
| @@ -1214,6 +1045,7 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, |
| } |
| } |
| |
| + |
| static int get_dm_crypt_version(int fd, const char *name, int *version) |
| { |
| char buffer[DM_CRYPT_BUF_SIZE]; |
| @@ -1233,11 +1065,7 @@ static int get_dm_crypt_version(int fd, const char *name, int *version) |
| */ |
| v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; |
| while (v->next) { |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { |
| -#else |
| if (! strcmp(v->name, "crypt")) { |
| -#endif |
| /* We found the crypt driver, return the version, and get out */ |
| version[0] = v->version[0]; |
| version[1] = v->version[1]; |
| @@ -1250,7 +1078,6 @@ static int get_dm_crypt_version(int fd, const char *name, int *version) |
| return -1; |
| } |
| |
| -#ifndef CONFIG_HW_DISK_ENCRYPTION |
| static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) { |
| if (extra_params_vec.empty()) return ""; |
| std::string extra_params = std::to_string(extra_params_vec.size()); |
| @@ -1260,7 +1087,6 @@ static std::string extra_params_as_string(const std::vector<std::string>& extra_ |
| } |
| return extra_params; |
| } |
| -#endif |
| |
| /* |
| * If the ro.crypto.fde_sector_size system property is set, append the |
| @@ -1306,13 +1132,7 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned |
| int retval = -1; |
| int version[3]; |
| int load_count; |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - char encrypted_state[PROPERTY_VALUE_MAX] = {0}; |
| - char progress[PROPERTY_VALUE_MAX] = {0}; |
| - const char *extra_params; |
| -#else |
| std::vector<std::string> extra_params_vec; |
| -#endif |
| |
| if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) { |
| SLOGE("Cannot open device-mapper\n"); |
| @@ -1337,45 +1157,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned |
| minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); |
| snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); |
| |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) { |
| - /* Set fde_enabled if either FDE completed or in-progress */ |
| - property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */ |
| - property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */ |
| - if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) { |
| - if (is_ice_enabled()) { |
| - if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) |
| - extra_params = "fde_enabled ice allow_encrypt_override"; |
| - else |
| - extra_params = "fde_enabled ice"; |
| - } else { |
| - if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) |
| - extra_params = "fde_enabled allow_encrypt_override"; |
| - else |
| - extra_params = "fde_enabled"; |
| - } |
| - } else { |
| - if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) |
| - extra_params = "fde_enabled allow_encrypt_override"; |
| - else |
| - extra_params = "fde_enabled"; |
| - } |
| - } else { |
| - extra_params = ""; |
| - if (! get_dm_crypt_version(fd, name, version)) { |
| - /* Support for allow_discards was added in version 1.11.0 */ |
| - if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) { |
| - if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) |
| - extra_params = "2 allow_discards allow_encrypt_override"; |
| - else |
| - extra_params = "1 allow_discards"; |
| - SLOGI("Enabling support for allow_discards in dmcrypt.\n"); |
| - } |
| - } |
| - } |
| - load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd, |
| - extra_params); |
| -#else |
| if (!get_dm_crypt_version(fd, name, version)) { |
| /* Support for allow_discards was added in version 1.11.0 */ |
| if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) { |
| @@ -1391,7 +1172,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned |
| } |
| load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd, |
| extra_params_as_string(extra_params_vec).c_str()); |
| -#endif |
| if (load_count < 0) { |
| SLOGE("Cannot load dm-crypt mapping table.\n"); |
| goto errout; |
| @@ -1526,8 +1306,7 @@ static int scrypt_keymaster(const char *passwd, const unsigned char *salt, |
| static int encrypt_master_key(const char *passwd, const unsigned char *salt, |
| const unsigned char *decrypted_master_key, |
| unsigned char *encrypted_master_key, |
| - struct crypt_mnt_ftr *crypt_ftr, |
| - bool create_keymaster_key) |
| + struct crypt_mnt_ftr *crypt_ftr) |
| { |
| unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 }; |
| EVP_CIPHER_CTX e_ctx; |
| @@ -1539,7 +1318,7 @@ static int encrypt_master_key(const char *passwd, const unsigned char *salt, |
| |
| switch (crypt_ftr->kdf_type) { |
| case KDF_SCRYPT_KEYMASTER: |
| - if (create_keymaster_key && keymaster_create_key(crypt_ftr)) { |
| + if (keymaster_create_key(crypt_ftr)) { |
| SLOGE("keymaster_create_key failed"); |
| return -1; |
| } |
| @@ -1709,13 +1488,13 @@ static int create_encrypted_random_key(const char *passwd, unsigned char *master |
| close(fd); |
| |
| /* Now encrypt it with the password */ |
| - return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr, true); |
| + return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); |
| } |
| |
| int wait_and_unmount(const char *mountpoint, bool kill) |
| { |
| int i, err, rc; |
| -#define WAIT_UNMOUNT_COUNT 200 |
| +#define WAIT_UNMOUNT_COUNT 20 |
| |
| /* Now umount the tmpfs filesystem */ |
| for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { |
| @@ -1732,18 +1511,18 @@ int wait_and_unmount(const char *mountpoint, bool kill) |
| |
| err = errno; |
| |
| - /* If allowed, be increasingly aggressive before the last 2 seconds */ |
| + /* If allowed, be increasingly aggressive before the last two retries */ |
| if (kill) { |
| - if (i == (WAIT_UNMOUNT_COUNT - 30)) { |
| + if (i == (WAIT_UNMOUNT_COUNT - 3)) { |
| SLOGW("sending SIGHUP to processes with open files\n"); |
| android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM); |
| - } else if (i == (WAIT_UNMOUNT_COUNT - 20)) { |
| + } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { |
| SLOGW("sending SIGKILL to processes with open files\n"); |
| android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL); |
| } |
| } |
| |
| - usleep(100000); |
| + sleep(1); |
| } |
| |
| if (i < WAIT_UNMOUNT_COUNT) { |
| @@ -1910,17 +1689,6 @@ static int cryptfs_restart_internal(int restart_main) |
| cryptfs_reboot(RebootType::reboot); |
| } |
| } else { |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if (--retries) { |
| - sleep(RETRY_MOUNT_DELAY_SECONDS); |
| - } else { |
| - SLOGE("Failed to mount decrypted data"); |
| - cryptfs_set_corrupt(); |
| - cryptfs_trigger_restart_min_framework(); |
| - SLOGI("Started framework to offer wipe"); |
| - return -1; |
| - } |
| -#else |
| SLOGE("Failed to mount decrypted data"); |
| cryptfs_set_corrupt(); |
| cryptfs_trigger_restart_min_framework(); |
| @@ -1929,7 +1697,6 @@ static int cryptfs_restart_internal(int restart_main) |
| SLOGE("Failed to setexeccon"); |
| } |
| return -1; |
| -#endif |
| } |
| } |
| if (setexeccon(NULL)) { |
| @@ -2024,66 +1791,6 @@ static int do_crypto_complete(const char *mount_point) |
| return CRYPTO_COMPLETE_ENCRYPTED; |
| } |
| |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, |
| - const char *passwd, const char *mount_point, const char *label) |
| -{ |
| - /* Allocate enough space for a 256 bit key, but we may use less */ |
| - unsigned char decrypted_master_key[32]; |
| - char crypto_blkdev[MAXPATHLEN]; |
| - char real_blkdev[MAXPATHLEN]; |
| - unsigned int orig_failed_decrypt_count; |
| - int rc = 0; |
| - |
| - SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); |
| - orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; |
| - |
| - fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev)); |
| - |
| - int key_index = 0; |
| - if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) { |
| - key_index = verify_and_update_hw_fde_passwd(passwd, crypt_ftr); |
| - if (key_index < 0) { |
| - rc = crypt_ftr->failed_decrypt_count; |
| - goto errout; |
| - } |
| - else { |
| - if (is_ice_enabled()) { |
| - if (create_crypto_blk_dev(crypt_ftr, (unsigned char*)&key_index, |
| - real_blkdev, crypto_blkdev, label, 0)) { |
| - SLOGE("Error creating decrypted block device"); |
| - rc = -1; |
| - goto errout; |
| - } |
| - } else { |
| - if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, |
| - real_blkdev, crypto_blkdev, label, 0)) { |
| - SLOGE("Error creating decrypted block device"); |
| - rc = -1; |
| - goto errout; |
| - } |
| - } |
| - } |
| - } |
| - |
| - if (rc == 0) { |
| - crypt_ftr->failed_decrypt_count = 0; |
| - if (orig_failed_decrypt_count != 0) { |
| - put_crypt_ftr_and_key(crypt_ftr); |
| - } |
| - |
| - /* Save the name of the crypto block device |
| - * so we can mount it when restarting the framework. */ |
| - property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); |
| - master_key_saved = 1; |
| - } |
| - |
| - errout: |
| - return rc; |
| -} |
| -#endif |
| - |
| - |
| static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, |
| const char *passwd, const char *mount_point, const char *label) |
| { |
| @@ -2190,7 +1897,7 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, |
| |
| if (upgrade) { |
| rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, |
| - crypt_ftr->master_key, crypt_ftr, true); |
| + crypt_ftr->master_key, crypt_ftr); |
| if (!rc) { |
| rc = put_crypt_ftr_and_key(crypt_ftr); |
| } |
| @@ -2287,66 +1994,6 @@ int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) |
| return 0; |
| } |
| |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -int cryptfs_check_passwd_hw(const char* passwd) |
| -{ |
| - struct crypt_mnt_ftr crypt_ftr; |
| - int rc; |
| - unsigned char master_key[KEY_LEN_BYTES]; |
| - |
| - /* get key */ |
| - if (get_crypt_ftr_and_key(&crypt_ftr)) { |
| - SLOGE("Error getting crypt footer and key"); |
| - return -1; |
| - } |
| - |
| - /* |
| - * in case of manual encryption (from GUI), the encryption is done with |
| - * default password |
| - */ |
| - if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) { |
| - /* compare scrypted_intermediate_key with stored scrypted_intermediate_key |
| - * which was created with actual password before reboot. |
| - */ |
| - rc = cryptfs_get_master_key(&crypt_ftr, passwd, master_key); |
| - if (rc) { |
| - SLOGE("password doesn't match"); |
| - rc = ++crypt_ftr.failed_decrypt_count; |
| - put_crypt_ftr_and_key(&crypt_ftr); |
| - return rc; |
| - } |
| - |
| - rc = test_mount_hw_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, |
| - DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); |
| - |
| - if (rc) { |
| - SLOGE("Default password did not match on reboot encryption"); |
| - return rc; |
| - } |
| - |
| - crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE; |
| - put_crypt_ftr_and_key(&crypt_ftr); |
| - rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd); |
| - if (rc) { |
| - SLOGE("Could not change password on reboot encryption"); |
| - return rc; |
| - } |
| - } else |
| - rc = test_mount_hw_encrypted_fs(&crypt_ftr, passwd, |
| - DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); |
| - |
| - if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { |
| - cryptfs_clear_password(); |
| - password = strdup(passwd); |
| - struct timespec now; |
| - clock_gettime(CLOCK_BOOTTIME, &now); |
| - password_expiry_time = now.tv_sec + password_max_age_seconds; |
| - } |
| - |
| - return rc; |
| -} |
| -#endif |
| - |
| int cryptfs_check_passwd(const char *passwd) |
| { |
| SLOGI("cryptfs_check_passwd"); |
| @@ -2364,14 +2011,8 @@ int cryptfs_check_passwd(const char *passwd) |
| return rc; |
| } |
| |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) |
| - return cryptfs_check_passwd_hw(passwd); |
| -#endif |
| - |
| rc = test_mount_encrypted_fs(&crypt_ftr, passwd, |
| DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); |
| - |
| if (rc) { |
| SLOGE("Password did not match"); |
| return rc; |
| @@ -2392,7 +2033,7 @@ int cryptfs_check_passwd(const char *passwd) |
| |
| crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE; |
| put_crypt_ftr_and_key(&crypt_ftr); |
| - rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd); |
| + rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd); |
| if (rc) { |
| SLOGE("Could not change password on reboot encryption"); |
| return rc; |
| @@ -2442,24 +2083,6 @@ int cryptfs_verify_passwd(const char *passwd) |
| /* If the device has no password, then just say the password is valid */ |
| rc = 0; |
| } else { |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) { |
| - if (verify_hw_fde_passwd(passwd, &crypt_ftr) >= 0) |
| - rc = 0; |
| - else |
| - rc = -1; |
| - } else { |
| - decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); |
| - if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { |
| - /* They match, the password is correct */ |
| - rc = 0; |
| - } else { |
| - /* If incorrect, sleep for a bit to prevent dictionary attacks */ |
| - sleep(1); |
| - rc = 1; |
| - } |
| - } |
| -#else |
| decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); |
| if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { |
| /* They match, the password is correct */ |
| @@ -2469,7 +2092,6 @@ int cryptfs_verify_passwd(const char *passwd) |
| sleep(1); |
| rc = 1; |
| } |
| -#endif |
| } |
| |
| return rc; |
| @@ -2593,12 +2215,6 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| off64_t previously_encrypted_upto = 0; |
| bool rebootEncryption = false; |
| bool onlyCreateHeader = false; |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - unsigned char newpw[32]; |
| - int key_index = 0; |
| -#endif |
| - int index = 0; |
| - |
| int fd = -1; |
| |
| if (get_crypt_ftr_and_key(&crypt_ftr) == 0) { |
| @@ -2703,6 +2319,30 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| fclose(breadcrumb); |
| } |
| |
| + /* Do extra work for a better UX when doing the long inplace encryption */ |
| + if (!onlyCreateHeader) { |
| + /* Now that /data is unmounted, we need to mount a tmpfs |
| + * /data, set a property saying we're doing inplace encryption, |
| + * and restart the framework. |
| + */ |
| + if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { |
| + goto error_shutting_down; |
| + } |
| + /* Tells the framework that inplace encryption is starting */ |
| + property_set("vold.encrypt_progress", "0"); |
| + |
| + /* restart the framework. */ |
| + /* Create necessary paths on /data */ |
| + prep_data_fs(); |
| + |
| + /* Ugh, shutting down the framework is not synchronous, so until it |
| + * can be fixed, this horrible hack will wait a moment for it all to |
| + * shut down before proceeding. Without it, some devices cannot |
| + * restart the graphics services. |
| + */ |
| + sleep(2); |
| + } |
| + |
| /* Start the actual work of making an encrypted filesystem */ |
| /* Initialize a crypt_mnt_ftr for the partition */ |
| if (previously_encrypted_upto == 0 && !rebootEncryption) { |
| @@ -2726,11 +2366,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; |
| } |
| crypt_ftr.crypt_type = crypt_type; |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); |
| -#else |
| strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN); |
| -#endif |
| |
| /* Make an encrypted master key */ |
| if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd, |
| @@ -2745,7 +2381,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| unsigned char encrypted_fake_master_key[MAX_KEY_LEN]; |
| memset(fake_master_key, 0, sizeof(fake_master_key)); |
| encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, |
| - encrypted_fake_master_key, &crypt_ftr, true); |
| + encrypted_fake_master_key, &crypt_ftr); |
| } |
| |
| /* Write the key to the end of the partition */ |
| @@ -2766,57 +2402,12 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| } |
| } |
| |
| - /* When encryption triggered from settings, encryption starts after reboot. |
| - So set the encryption key when the actual encryption starts. |
| - */ |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if (previously_encrypted_upto == 0) { |
| - if (!rebootEncryption) |
| - clear_hw_device_encryption_key(); |
| - |
| - if (get_keymaster_hw_fde_passwd( |
| - onlyCreateHeader ? DEFAULT_PASSWORD : passwd, |
| - newpw, crypt_ftr.salt, &crypt_ftr)) |
| - key_index = set_hw_device_encryption_key( |
| - onlyCreateHeader ? DEFAULT_PASSWORD : passwd, |
| - (char*)crypt_ftr.crypto_type_name); |
| - else |
| - key_index = set_hw_device_encryption_key((const char*)newpw, |
| - (char*) crypt_ftr.crypto_type_name); |
| - if (key_index < 0) |
| - goto error_shutting_down; |
| - |
| - crypt_ftr.flags |= CRYPT_ASCII_PASSWORD_UPDATED; |
| - put_crypt_ftr_and_key(&crypt_ftr); |
| - } |
| -#endif |
| - |
| if (onlyCreateHeader) { |
| sleep(2); |
| cryptfs_reboot(RebootType::reboot); |
| - } else { |
| - /* Do extra work for a better UX when doing the long inplace encryption */ |
| - /* Now that /data is unmounted, we need to mount a tmpfs |
| - * /data, set a property saying we're doing inplace encryption, |
| - * and restart the framework. |
| - */ |
| - if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { |
| - goto error_shutting_down; |
| - } |
| - /* Tells the framework that inplace encryption is starting */ |
| - property_set("vold.encrypt_progress", "0"); |
| - |
| - /* restart the framework. */ |
| - /* Create necessary paths on /data */ |
| - prep_data_fs(); |
| - |
| - /* Ugh, shutting down the framework is not synchronous, so until it |
| - * can be fixed, this horrible hack will wait a moment for it all to |
| - * shut down before proceeding. Without it, some devices cannot |
| - * restart the graphics services. |
| - */ |
| - sleep(2); |
| + } |
| |
| + if (!no_ui || rebootEncryption) { |
| /* startup service classes main and late_start */ |
| property_set("vold.decrypt", "trigger_restart_min_framework"); |
| SLOGD("Just triggered restart_min_framework\n"); |
| @@ -2829,17 +2420,8 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) { |
| } |
| |
| decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name) && is_ice_enabled()) |
| - create_crypto_blk_dev(&crypt_ftr, (unsigned char*)&key_index, real_blkdev, crypto_blkdev, |
| - CRYPTO_BLOCK_DEVICE, 0); |
| - else |
| - create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, |
| - CRYPTO_BLOCK_DEVICE, 0); |
| -#else |
| create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, |
| CRYPTO_BLOCK_DEVICE, 0); |
| -#endif |
| |
| /* If we are continuing, check checksums match */ |
| rc = 0; |
| @@ -2973,7 +2555,7 @@ int cryptfs_enable_default(int no_ui) { |
| return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui); |
| } |
| |
| -int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw) |
| +int cryptfs_changepw(int crypt_type, const char *newpw) |
| { |
| if (e4crypt_is_native()) { |
| SLOGE("cryptfs_changepw not valid for file encryption"); |
| @@ -3000,28 +2582,6 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw) |
| return -1; |
| } |
| |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| - if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) |
| - return cryptfs_changepw_hw_fde(crypt_type, currentpw, newpw); |
| - else { |
| - crypt_ftr.crypt_type = crypt_type; |
| - |
| - rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? |
| - DEFAULT_PASSWORD : newpw, |
| - crypt_ftr.salt, |
| - saved_master_key, |
| - crypt_ftr.master_key, |
| - &crypt_ftr, false); |
| - if (rc) { |
| - SLOGE("Encrypt master key failed: %d", rc); |
| - return -1; |
| - } |
| - /* save the key */ |
| - put_crypt_ftr_and_key(&crypt_ftr); |
| - |
| - return 0; |
| - } |
| -#else |
| crypt_ftr.crypt_type = crypt_type; |
| |
| rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD |
| @@ -3029,7 +2589,7 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw) |
| crypt_ftr.salt, |
| saved_master_key, |
| crypt_ftr.master_key, |
| - &crypt_ftr, false); |
| + &crypt_ftr); |
| if (rc) { |
| SLOGE("Encrypt master key failed: %d", rc); |
| return -1; |
| @@ -3037,57 +2597,8 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw) |
| /* save the key */ |
| put_crypt_ftr_and_key(&crypt_ftr); |
| |
| - return 0; |
| -#endif |
| -} |
| - |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw, const char *newpw) |
| -{ |
| - struct crypt_mnt_ftr crypt_ftr; |
| - int rc; |
| - int previous_type; |
| - |
| - /* get key */ |
| - if (get_crypt_ftr_and_key(&crypt_ftr)) { |
| - SLOGE("Error getting crypt footer and key"); |
| - return -1; |
| - } |
| - |
| - previous_type = crypt_ftr.crypt_type; |
| - int rc1; |
| - unsigned char tmp_curpw[32] = {0}; |
| - rc1 = get_keymaster_hw_fde_passwd(crypt_ftr.crypt_type == CRYPT_TYPE_DEFAULT ? |
| - DEFAULT_PASSWORD : currentpw, tmp_curpw, |
| - crypt_ftr.salt, &crypt_ftr); |
| - |
| - crypt_ftr.crypt_type = crypt_type; |
| - |
| - int ret, rc2; |
| - unsigned char tmp_newpw[32] = {0}; |
| - |
| - rc2 = get_keymaster_hw_fde_passwd(crypt_type == CRYPT_TYPE_DEFAULT ? |
| - DEFAULT_PASSWORD : newpw , tmp_newpw, |
| - crypt_ftr.salt, &crypt_ftr); |
| - |
| - if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) { |
| - ret = update_hw_device_encryption_key( |
| - rc1 ? (previous_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : currentpw) : (const char*)tmp_curpw, |
| - rc2 ? (crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw): (const char*)tmp_newpw, |
| - (char*)crypt_ftr.crypto_type_name); |
| - if (ret) { |
| - SLOGE("Error updating device encryption hardware key ret %d", ret); |
| - return -1; |
| - } else { |
| - SLOGI("Encryption hardware key updated"); |
| - } |
| - } |
| - |
| - /* save the key */ |
| - put_crypt_ftr_and_key(&crypt_ftr); |
| return 0; |
| } |
| -#endif |
| |
| static unsigned int persist_get_max_entries(int encrypted) { |
| struct crypt_mnt_ftr crypt_ftr; |
| @@ -3489,62 +3000,3 @@ int cryptfs_isConvertibleToFBE() |
| struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT); |
| return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0; |
| } |
| - |
| -int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) |
| -{ |
| - if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { |
| - SLOGE("Failed to initialize crypt_ftr"); |
| - return -1; |
| - } |
| - |
| - if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, |
| - crypt_ftr->salt, crypt_ftr)) { |
| - SLOGE("Cannot create encrypted master key\n"); |
| - return -1; |
| - } |
| - |
| - //crypt_ftr->keysize = key_length / 8; |
| - return 0; |
| -} |
| - |
| -int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, |
| - unsigned char* master_key) |
| -{ |
| - int rc; |
| - |
| - unsigned char* intermediate_key = 0; |
| - size_t intermediate_key_size = 0; |
| - |
| - if (password == 0 || *password == 0) { |
| - password = DEFAULT_PASSWORD; |
| - } |
| - |
| - rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, |
| - &intermediate_key_size); |
| - |
| - if (rc) { |
| - SLOGE("Can't calculate intermediate key"); |
| - return rc; |
| - } |
| - |
| - int N = 1 << ftr->N_factor; |
| - int r = 1 << ftr->r_factor; |
| - int p = 1 << ftr->p_factor; |
| - |
| - unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)]; |
| - |
| - rc = crypto_scrypt(intermediate_key, intermediate_key_size, |
| - ftr->salt, sizeof(ftr->salt), N, r, p, |
| - scrypted_intermediate_key, |
| - sizeof(scrypted_intermediate_key)); |
| - |
| - free(intermediate_key); |
| - |
| - if (rc) { |
| - SLOGE("Can't scrypt intermediate key"); |
| - return rc; |
| - } |
| - |
| - return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key, |
| - intermediate_key_size); |
| -} |
| diff --git a/cryptfs.h b/cryptfs.h |
| index d8923db..d6c7dc5 100644 |
| --- a/cryptfs.h |
| +++ b/cryptfs.h |
| @@ -66,14 +66,6 @@ |
| complete. On next cryptkeeper entry, match |
| the password. If it matches fix the master |
| key and remove this flag. */ |
| -#ifdef CONFIG_HW_DISK_ENCRYPTION |
| -/* This flag is used to transition from L->M upgrade. L release passed |
| - * a byte for every nible of user password while M release is passing |
| - * ascii value of user password. |
| - * Random flag value is chosen so that it does not conflict with other use cases |
| - */ |
| -#define CRYPT_ASCII_PASSWORD_UPDATED 0x1000 |
| -#endif |
| |
| /* Allowed values for type in the structure below */ |
| #define CRYPT_TYPE_PASSWORD 0 /* master_key is encrypted with a password |
| @@ -241,7 +233,7 @@ int cryptfs_check_passwd(const char* pw); |
| int cryptfs_verify_passwd(const char* pw); |
| int cryptfs_restart(void); |
| int cryptfs_enable(int type, const char* passwd, int no_ui); |
| -int cryptfs_changepw(int type, const char *currentpw, const char* newpw); |
| +int cryptfs_changepw(int type, const char* newpw); |
| int cryptfs_enable_default(int no_ui); |
| int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key, |
| char* out_crypto_blkdev); |
| -- |
| 2.21.0 |
| |