tequilaOS/platform_system_vold
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove support for non-default root passwords in FBE

Browse source 
Change-Id: Ie179cb09f9f24382afd0fe0f3aa2a1ad943a7f5d
This commit is contained in:
Paul Lawrence 2016-02-02 11:14:59 -08:00
parent dac436f1fe
commit 7b6b565fa0
3 changed files with 24 additions and 185 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

157
Ext4Crypt.cpp
View file

@ -55,6 +55,9 @@
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
// TODO - remove when switch to using keymaster keys for device data
static int e4crypt_check_passwd(const char* path, const char* password);
using android::base::StringPrintf;
static bool e4crypt_is_native() {
@ -73,19 +76,11 @@ namespace {
static_assert(key_length % 8 == 0,
"Key length must be multiple of 8 bits");
// How long do we store passwords for?
const int password_max_age_seconds = 60;
const std::string user_key_dir = std::string() + DATA_MNT_POINT + "/misc/vold/user_keys";
const std::string user_key_temp = user_key_dir + "/temp";
// How is device encrypted
struct keys {
std::string master_key;
std::string password;
time_t expiry_time;
};
std::map<std::string, keys> s_key_store;
bool s_enabled = false;
// Some users are ephemeral, don't try to wipe their keys from disk
std::set<userid_t> s_ephemeral_users;
// Map user ids to key references
@ -215,24 +210,10 @@ static UnencryptedProperties GetProps(const char* path)
return UnencryptedProperties(path);
}
static UnencryptedProperties GetAltProps(const char* path)
{
return UnencryptedProperties((std::string() + path + "/tmp_mnt").c_str());
}
static UnencryptedProperties GetPropsOrAltProps(const char* path)
{
UnencryptedProperties props = GetProps(path);
if (props.OK()) {
return props;
}
return GetAltProps(path);
}
int e4crypt_enable(const char* path)
{
// Already enabled?
if (s_key_store.find(path) != s_key_store.end()) {
if (s_enabled) {
return 0;
}
@ -279,52 +260,10 @@ int e4crypt_enable(const char* path)
return e4crypt_check_passwd(path, "");
}
int e4crypt_change_password(const char* path, int crypt_type,
const char* password)
{
SLOGI("e4crypt_change_password");
auto key_props = GetProps(path).GetChild(properties::key);
crypt_mnt_ftr ftr;
if (get_crypt_ftr_and_key(ftr, key_props)) {
SLOGE("Failed to read crypto footer back");
return -1;
}
auto mki = s_key_store.find(path);
if (mki == s_key_store.end()) {
SLOGE("No stored master key - can't change password");
return -1;
}
const unsigned char* master_key_bytes
= reinterpret_cast<const unsigned char*>(&mki->second.master_key[0]);
if (cryptfs_set_password(&ftr, password, master_key_bytes)) {
SLOGE("Failed to set password");
return -1;
}
ftr.crypt_type = crypt_type;
if (put_crypt_ftr_and_key(ftr, key_props)) {
SLOGE("Failed to write crypto footer");
return -1;
}
if (!UnencryptedProperties(path).Set(properties::is_default,
crypt_type == CRYPT_TYPE_DEFAULT)) {
SLOGE("Failed to update default flag");
return -1;
}
return 0;
}
int e4crypt_crypto_complete(const char* path)
{
SLOGI("ext4 crypto complete called on %s", path);
auto key_props = GetPropsOrAltProps(path).GetChild(properties::key);
auto key_props = GetProps(path).GetChild(properties::key);
if (key_props.Get<std::string>(tag::master_key).empty()) {
SLOGI("No master key, so not ext4enc");
return -1;
@ -351,10 +290,10 @@ static std::string generate_key_ref(const char* key, int length)
return std::string((char*)key_ref2, EXT4_KEY_DESCRIPTOR_SIZE);
}
int e4crypt_check_passwd(const char* path, const char* password)
static int e4crypt_check_passwd(const char* path, const char* password)
{
SLOGI("e4crypt_check_password");
auto props = GetPropsOrAltProps(path);
auto props = GetProps(path);
auto key_props = props.GetChild(properties::key);
crypt_mnt_ftr ftr;
@ -382,10 +321,6 @@ int e4crypt_check_passwd(const char* path, const char* password)
std::string master_key(reinterpret_cast<char*>(master_key_bytes),
sizeof(master_key_bytes));
struct timespec now;
clock_gettime(CLOCK_BOOTTIME, &now);
s_key_store[path] = keys{master_key, password,
now.tv_sec + password_max_age_seconds};
std::string raw_ref;
if (!install_key(master_key, raw_ref)) {
return -1;
@ -398,6 +333,7 @@ int e4crypt_check_passwd(const char* path, const char* password)
return -1;
}
s_enabled = true;
return 0;
}
@ -456,79 +392,10 @@ static bool install_key(const std::string &key, std::string &raw_ref)
return true;
}
int e4crypt_restart(const char* path)
{
SLOGI("e4crypt_restart");
int rc = 0;
SLOGI("ext4 restart called on %s", path);
property_set("vold.decrypt", "trigger_reset_main");
SLOGI("Just asked init to shut down class main");
sleep(2);
std::string tmp_path = std::string() + path + "/tmp_mnt";
rc = wait_and_unmount(tmp_path.c_str(), true);
if (rc) {
SLOGE("umount %s failed with rc %d, msg %s",
tmp_path.c_str(), rc, strerror(errno));
return rc;
}
rc = wait_and_unmount(path, true);
if (rc) {
SLOGE("umount %s failed with rc %d, msg %s",
path, rc, strerror(errno));
return rc;
}
return 0;
}
int e4crypt_get_password_type(const char* path)
{
SLOGI("e4crypt_get_password_type");
return GetPropsOrAltProps(path).GetChild(properties::key)
.Get<int>(tag::crypt_type, CRYPT_TYPE_DEFAULT);
}
const char* e4crypt_get_password(const char* path)
{
SLOGI("e4crypt_get_password");
auto i = s_key_store.find(path);
if (i == s_key_store.end()) {
return 0;
}
struct timespec now;
clock_gettime(CLOCK_BOOTTIME, &now);
if (i->second.expiry_time < now.tv_sec) {
e4crypt_clear_password(path);
return 0;
}
return i->second.password.c_str();
}
void e4crypt_clear_password(const char* path)
{
SLOGI("e4crypt_clear_password");
auto i = s_key_store.find(path);
if (i == s_key_store.end()) {
return;
}
memset(&i->second.password[0], 0, i->second.password.size());
i->second.password = std::string();
}
int e4crypt_get_field(const char* path, const char* fieldname,
char* value, size_t len)
{
auto v = GetPropsOrAltProps(path).GetChild(properties::props)
auto v = GetProps(path).GetChild(properties::props)
.Get<std::string>(fieldname);
if (v == "") {
@ -546,7 +413,7 @@ int e4crypt_get_field(const char* path, const char* fieldname,
int e4crypt_set_field(const char* path, const char* fieldname,
const char* value)
{
return GetPropsOrAltProps(path).GetChild(properties::props)
return GetProps(path).GetChild(properties::props)
.Set(fieldname, std::string(value)) ? 0 : -1;
}

7
Ext4Crypt.h
View file

@ -23,14 +23,7 @@ __BEGIN_DECLS
// General functions
int e4crypt_enable(const char* path);
int e4crypt_change_password(const char* path, int crypt_type,
const char* password);
int e4crypt_crypto_complete(const char* path);
int e4crypt_check_passwd(const char* path, const char* password);
int e4crypt_get_password_type(const char* path);
const char* e4crypt_get_password(const char* path);
void e4crypt_clear_password(const char* path);
int e4crypt_restart(const char* path);
int e4crypt_get_field(const char* path, const char* fieldname,
char* value, size_t len);
int e4crypt_set_field(const char* path, const char* fieldname,

45
cryptfs.c
View file

@ -1780,28 +1780,8 @@ int cryptfs_restart(void)
{
SLOGI("cryptfs_restart");
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
struct fstab_rec* rec;
int rc;
if (e4crypt_restart(DATA_MNT_POINT)) {
SLOGE("Can't unmount e4crypt temp volume\n");
return -1;
}
rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
if (!rec) {
SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT);
return -1;
}
rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0);
if (rc) {
SLOGE("Can't mount %s\n", DATA_MNT_POINT);
return rc;
}
property_set("vold.decrypt", "trigger_restart_framework");
return 0;
SLOGE("cryptfs_restart not valid for file encryption:");
return -1;
}
/* Call internal implementation forcing a restart of main service group */
@ -1820,8 +1800,9 @@ static int do_crypto_complete(char *mount_point)
return CRYPTO_COMPLETE_NOT_ENCRYPTED;
}
// crypto_complete is full disk encrypted status
if (e4crypt_crypto_complete(mount_point) == 0) {
return CRYPTO_COMPLETE_ENCRYPTED;
return CRYPTO_COMPLETE_NOT_ENCRYPTED;
}
if (get_crypt_ftr_and_key(&crypt_ftr)) {
@ -2074,7 +2055,8 @@ int cryptfs_check_passwd(char *passwd)
{
SLOGI("cryptfs_check_passwd");
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
return e4crypt_check_passwd(DATA_MNT_POINT, passwd);
SLOGE("cryptfs_check_passwd not valid for file encryption");
return -1;
}
struct crypt_mnt_ftr crypt_ftr;
@ -3365,9 +3347,8 @@ int cryptfs_enable_default(char *howarg, int no_ui)
int cryptfs_changepw(int crypt_type, const char *newpw)
{
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
return e4crypt_change_password(DATA_MNT_POINT, crypt_type,
crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
: newpw);
SLOGE("cryptfs_changepw not valid for file encryption");
return -1;
}
struct crypt_mnt_ftr crypt_ftr;
@ -3783,7 +3764,8 @@ int cryptfs_mount_default_encrypted(void)
int cryptfs_get_password_type(void)
{
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
return e4crypt_get_password_type(DATA_MNT_POINT);
SLOGE("cryptfs_get_password_type not valid for file encryption");
return -1;
}
struct crypt_mnt_ftr crypt_ftr;
@ -3803,7 +3785,8 @@ int cryptfs_get_password_type(void)
const char* cryptfs_get_password()
{
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
return e4crypt_get_password(DATA_MNT_POINT);
SLOGE("cryptfs_get_password not valid for file encryption");
return 0;
}
struct timespec now;
@ -3818,10 +3801,6 @@ const char* cryptfs_get_password()
void cryptfs_clear_password()
{
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
e4crypt_clear_password(DATA_MNT_POINT);
}
if (password) {
size_t len = strlen(password);
memset(password, 0, len);