diff options
author | Ajay Dudani <adudani@codeaurora.org> | 2014-09-17 21:19:25 -0700 |
---|---|---|
committer | Iliyan Malchev <malchev@google.com> | 2014-11-21 08:20:28 +0000 |
commit | bf4d341dcfd8b57125960784220dc26384e70dd6 (patch) | |
tree | 9b3b9a9dde2915e3f817fe7dd36ea389da8c4c16 /cryptfs_hw | |
parent | 429207c5554830912eb3084faed120e459c5575b (diff) | |
download | shamu-bf4d341dcfd8b57125960784220dc26384e70dd6.tar.gz |
shamu: Add support for HW based full disk encryption
b/17475056 Enable hardware crypto for userdata encryption
Change-Id: I77fb3a47d62dd84811941582d6223e4656e26494
Diffstat (limited to 'cryptfs_hw')
-rw-r--r-- | cryptfs_hw/Android.mk | 25 | ||||
-rw-r--r-- | cryptfs_hw/cryptfs_hw.c | 173 | ||||
-rw-r--r-- | cryptfs_hw/cryptfs_hw.h | 44 |
3 files changed, 242 insertions, 0 deletions
diff --git a/cryptfs_hw/Android.mk b/cryptfs_hw/Android.mk new file mode 100644 index 00000000..69ace0d2 --- /dev/null +++ b/cryptfs_hw/Android.mk @@ -0,0 +1,25 @@ +ifeq ($(TARGET_HW_DISK_ENCRYPTION),true) +LOCAL_PATH:= $(call my-dir) +include $(CLEAR_VARS) + +LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_SHARED_LIBRARIES) + +sourceFiles := \ + cryptfs_hw.c + +commonSharedLibraries := \ + libcutils \ + libutils \ + libdl + +LOCAL_C_INCLUDES := $(commonIncludes) +LOCAL_SRC_FILES := $(sourceFiles) + +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE:= libcryptfs_hw +LOCAL_SHARED_LIBRARIES := $(commonSharedLibraries) + +LOCAL_MODULE_OWNER := qcom + +include $(BUILD_SHARED_LIBRARY) +endif diff --git a/cryptfs_hw/cryptfs_hw.c b/cryptfs_hw/cryptfs_hw.c new file mode 100644 index 00000000..8406d981 --- /dev/null +++ b/cryptfs_hw/cryptfs_hw.c @@ -0,0 +1,173 @@ +/* Copyright (c) 2014, The Linux Foundation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * * Neither the name of The Linux Foundation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <cryptfs_hw.h> +#include <stdlib.h> +#include <sys/limits.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <dirent.h> +#include <dlfcn.h> +#define LOG_TAG "Cryptfs_HW" +#include "cutils/log.h" +#include "cutils/android_reboot.h" + + +// When device comes up or when user tries to change the password, user can +// try wrong password upto a certain number of times. If user enters wrong +// password further, HW would wipe all disk encryption related crypto data +// and would return an error ERR_MAX_PASSWORD_ATTEMPTS to VOLD. VOLD would +// wipe userdata partition once this error is received. +#define ERR_MAX_PASSWORD_ATTEMPTS -10 +#define QSEECOM_DISK_ENCRYPTION 1 +#define MAX_PASSWORD_LEN 32 + +/* Operations that be performed on HW based device encryption key */ +#define SET_HW_DISK_ENC_KEY 1 +#define UPDATE_HW_DISK_ENC_KEY 2 + +static int loaded_library = 0; +static unsigned char current_passwd[MAX_PASSWORD_LEN]; +static int (*qseecom_create_key)(int, void*); +static int (*qseecom_update_key)(int, void*, void*); +static int (*qseecom_wipe_key)(int); + +static unsigned char* get_tmp_passwd(const char* passwd) +{ + int passwd_len = 0; + unsigned char * tmp_passwd = NULL; + if(passwd) { + tmp_passwd = (unsigned char*)malloc(MAX_PASSWORD_LEN); + if(tmp_passwd) { + memset(tmp_passwd, 0, MAX_PASSWORD_LEN); + passwd_len = (strlen(passwd) > MAX_PASSWORD_LEN) ? MAX_PASSWORD_LEN : strlen(passwd); + memcpy(tmp_passwd, passwd, passwd_len); + } else { + SLOGE("%s: Failed to allocate memory for tmp passwd \n", __func__); + } + } else { + SLOGE("%s: Passed argument is NULL \n", __func__); + } + return tmp_passwd; +} + +static int load_qseecom_library() +{ + const char *error = NULL; + if (loaded_library) + return loaded_library; + + void * handle = dlopen("libQSEEComAPI.so", RTLD_NOW); + if(handle) { + dlerror(); /* Clear any existing error */ + *(void **) (&qseecom_create_key) = dlsym(handle,"QSEECom_create_key"); + + if((error = dlerror()) == NULL) { + *(void **) (&qseecom_update_key) = dlsym(handle,"QSEECom_update_key_user_info"); + if((error = dlerror()) == NULL) { + *(void **) (&qseecom_wipe_key) = dlsym(handle,"QSEECom_wipe_key"); + if ((error = dlerror()) == NULL) + loaded_library = 1; + else + SLOGE("Error %s loading symbols for QSEECom APIs", error); + } + } + } else { + SLOGE("Could not load libQSEEComAPI.so"); + } + + if(error) + dlclose(handle); + + return loaded_library; +} + +static unsigned int set_key(const char* passwd, const char* enc_mode, int operation) +{ + int ret = 0; + int err = -1; + if (is_hw_disk_encryption(enc_mode) && load_qseecom_library()) { + unsigned char* tmp_passwd = get_tmp_passwd(passwd); + if(tmp_passwd) { + + if (operation == UPDATE_HW_DISK_ENC_KEY) + err = qseecom_update_key(QSEECOM_DISK_ENCRYPTION, current_passwd, tmp_passwd); + else if (operation == SET_HW_DISK_ENC_KEY) + err = qseecom_create_key(QSEECOM_DISK_ENCRYPTION, tmp_passwd); + + if(!err) { + memset(current_passwd, 0, MAX_PASSWORD_LEN); + memcpy(current_passwd, tmp_passwd, MAX_PASSWORD_LEN); + ret = 1; + } else { + if(ERR_MAX_PASSWORD_ATTEMPTS == err) + SLOGE("Maximum password attempts reached. Need factory data reset to recover."); + } + free(tmp_passwd); + } + } + return ret; +} + +unsigned int set_hw_device_encryption_key(const char* passwd, const char* enc_mode) +{ + SLOGI("Set key for HW disk encryption operation"); + return set_key(passwd, enc_mode, SET_HW_DISK_ENC_KEY); +} + +unsigned int update_hw_device_encryption_key(const char* newpw, const char* enc_mode) +{ + SLOGI("Update key for HW disk encryption operation"); + return set_key(newpw, enc_mode, UPDATE_HW_DISK_ENC_KEY); +} + +unsigned int is_hw_disk_encryption(const char* encryption_mode) +{ + int ret = 0; + if(encryption_mode) { + if (!strcmp(encryption_mode, "aes-xts")) { + ret = 1; + } + } + return ret; +} + +unsigned int clear_hw_device_encryption_key() +{ + int err = -1; + int rc = 0; + SLOGI("Clear HW disk encryption key"); + if (load_qseecom_library()) { + err = qseecom_wipe_key(1); + } + + if (!err) rc = 1; + + return rc; +} diff --git a/cryptfs_hw/cryptfs_hw.h b/cryptfs_hw/cryptfs_hw.h new file mode 100644 index 00000000..94adc0a2 --- /dev/null +++ b/cryptfs_hw/cryptfs_hw.h @@ -0,0 +1,44 @@ +/* Copyright (c) 2014, The Linux Foundation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * * Neither the name of The Linux Foundation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __CRYPTFS_HW_H_ +#define __CRYPTFS_HW_H_ + +#ifdef __cplusplus +extern "C" { +#endif + +unsigned int set_hw_device_encryption_key(const char*, const char*); +unsigned int update_hw_device_encryption_key(const char*, const char*); +unsigned int clear_hw_device_encryption_key(); +unsigned int is_hw_disk_encryption(const char*); + +#ifdef __cplusplus +} +#endif +#endif |