From: Simon Sickle Date: Tue, 5 Dec 2017 06:00:20 +0000 (-0600) Subject: Revert "Small update" X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5ecc00fcf27bb8a87fd55fbb67c5975f7a6a60db;p=GitHub%2Fmoto-9609%2Ftwrp_device_motorola_troika.git Revert "Small update" This reverts commit 26aff9bbe391d7d1abac643e9d13bdc9181ebd53. --- diff --git a/cryptfs_hw/cryptfs_hw.c b/cryptfs_hw/cryptfs_hw.c index 697818d..725a55c 100755 --- a/cryptfs_hw/cryptfs_hw.c +++ b/cryptfs_hw/cryptfs_hw.c @@ -28,6 +28,7 @@ #include #include +#include #include #include #include @@ -37,6 +38,14 @@ #include "cutils/log.h" #include "cutils/properties.h" #include "cutils/android_reboot.h" +#include "keymaster_common.h" +#include "hardware.h" + +#if defined(__LP64__) +#define QSEECOM_LIBRARY_PATH "/vendor/lib64/libQSEEComAPI.so" +#else +#define QSEECOM_LIBRARY_PATH "/vendor/lib/libQSEEComAPI.so" +#endif // When device comes up or when user tries to change the password, user can @@ -46,26 +55,44 @@ // wipe userdata partition once this error is received. #define ERR_MAX_PASSWORD_ATTEMPTS -10 #define QSEECOM_DISK_ENCRYPTION 1 -#define QSEECOM_ICE_DISK_ENCRYPTION 3 +#define QSEECOM_UFS_ICE_DISK_ENCRYPTION 3 +#define QSEECOM_SDCC_ICE_DISK_ENCRYPTION 4 #define MAX_PASSWORD_LEN 32 +#define QCOM_ICE_STORAGE_UFS 1 +#define QCOM_ICE_STORAGE_SDCC 2 /* Operations that be performed on HW based device encryption key */ #define SET_HW_DISK_ENC_KEY 1 #define UPDATE_HW_DISK_ENC_KEY 2 +#define QSEECOM_UP_CHECK_COUNT 10 + static int loaded_library = 0; -static unsigned char current_passwd[MAX_PASSWORD_LEN]; static int (*qseecom_create_key)(int, void*); static int (*qseecom_update_key)(int, void*, void*); static int (*qseecom_wipe_key)(int); +inline void* secure_memset(void* v, int c , size_t n) { + volatile unsigned char* p = (volatile unsigned char* )v; + while (n--) *p++ = c; + return v; +} + + static int map_usage(int usage) { - return (is_ice_enabled() && (usage == QSEECOM_DISK_ENCRYPTION)) ? - QSEECOM_ICE_DISK_ENCRYPTION : usage; + int storage_type = is_ice_enabled(); + if (usage == QSEECOM_DISK_ENCRYPTION) { + if (storage_type == QCOM_ICE_STORAGE_UFS) { + return QSEECOM_UFS_ICE_DISK_ENCRYPTION; + } + else if (storage_type == QCOM_ICE_STORAGE_SDCC) { + return QSEECOM_SDCC_ICE_DISK_ENCRYPTION ; + } + } + return usage; } - static unsigned char* get_tmp_passwd(const char* passwd) { int passwd_len = 0; @@ -74,7 +101,7 @@ static unsigned char* get_tmp_passwd(const char* passwd) tmp_passwd = (unsigned char*)malloc(MAX_PASSWORD_LEN); if(tmp_passwd) { memset(tmp_passwd, 0, MAX_PASSWORD_LEN); - passwd_len = (strlen(passwd) > MAX_PASSWORD_LEN) ? MAX_PASSWORD_LEN : strlen(passwd); + passwd_len = strnlen(passwd, MAX_PASSWORD_LEN); memcpy(tmp_passwd, passwd, passwd_len); } else { SLOGE("%s: Failed to allocate memory for tmp passwd \n", __func__); @@ -85,26 +112,33 @@ static unsigned char* get_tmp_passwd(const char* passwd) return tmp_passwd; } -static void wipe_userdata() +static int is_qseecom_up() { - mkdir("/cache/recovery", 0700); - int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_NOFOLLOW, 0600); - if (fd >= 0) { - write(fd, "--wipe_data", strlen("--wipe_data") + 1); - close(fd); - } else { - SLOGE("could not open /cache/recovery/command\n"); + int i = 0; + char value[PROPERTY_VALUE_MAX] = {0}; + + for (; i= 0) { - memset(current_passwd, 0, MAX_PASSWORD_LEN); - memcpy(current_passwd, tmp_passwd, MAX_PASSWORD_LEN); - } else { + } + if(err < 0) { if(ERR_MAX_PASSWORD_ATTEMPTS == err) - wipe_userdata(); + SLOGI("Maximum wrong password attempts reached, will erase userdata\n"); } + secure_memset(tmp_passwd, 0, MAX_PASSWORD_LEN); free(tmp_passwd); + free(tmp_currentpasswd); } } return err; @@ -165,13 +202,12 @@ static int set_key(const char* passwd, const char* enc_mode, int operation) int set_hw_device_encryption_key(const char* passwd, const char* enc_mode) { - return set_key(passwd, enc_mode, SET_HW_DISK_ENC_KEY); + return set_key(NULL, passwd, enc_mode, SET_HW_DISK_ENC_KEY); } -int update_hw_device_encryption_key(const char* newpw, const char* enc_mode) +int update_hw_device_encryption_key(const char* oldpw, const char* newpw, const char* enc_mode) { - - return set_key(newpw, enc_mode, UPDATE_HW_DISK_ENC_KEY); + return set_key(oldpw, newpw, enc_mode, UPDATE_HW_DISK_ENC_KEY); } unsigned int is_hw_disk_encryption(const char* encryption_mode) @@ -188,45 +224,56 @@ unsigned int is_hw_disk_encryption(const char* encryption_mode) int is_ice_enabled(void) { - /* If (USE_ICE_FLAG) => return 1 - * if (property set to use gpce) return 0 - * we are using property to test UFS + GPCE, even though not required - * if (storage is ufs) return 1 - * else return 0 so that emmc based device can work properly - */ -#ifdef USE_ICE_FOR_STORAGE_ENCRYPTION - SLOGD("Ice enabled = true"); - return 1; -#else - char enc_hw_type[PATH_MAX]; - char prop_storage[PATH_MAX]; - int ice = 0; - int i; - if (property_get("crypto.fde_enc_hw_type", enc_hw_type, "")) { - if(!strncmp(enc_hw_type, "gpce", PROPERTY_VALUE_MAX)) { - SLOGD("GPCE would be used for HW FDE"); - return 0; - } - } + char prop_storage[PATH_MAX]; + int storage_type = 0; + int fd; - if (property_get("ro.boot.bootdevice", prop_storage, "")) { - if(strstr(prop_storage, "ufs")) { - SLOGD("ICE would be used for HW FDE"); - return 1; - } + if (property_get("ro.boot.bootdevice", prop_storage, "")) { + if (strstr(prop_storage, "ufs")) { + /* All UFS based devices has ICE in it. So we dont need + * to check if corresponding device exists or not + */ + storage_type = QCOM_ICE_STORAGE_UFS; + } else if (strstr(prop_storage, "sdhc")) { + if (access("/dev/icesdcc", F_OK) != -1) + storage_type = QCOM_ICE_STORAGE_SDCC; } - SLOGD("GPCE would be used for HW FDE"); - return 0; -#endif + } + return storage_type; } -int wipe_hw_device_encryption_key(const char* enc_mode) +int clear_hw_device_encryption_key() { - if (!enc_mode) - return -1; - - if (is_hw_disk_encryption(enc_mode) && load_qseecom_library()) + if (load_qseecom_library()) return qseecom_wipe_key(map_usage(QSEECOM_DISK_ENCRYPTION)); return 0; -} \ No newline at end of file +} + +static int get_keymaster_version() +{ + int rc = -1; + const hw_module_t* mod; + rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); + if (rc) { + SLOGE("could not find any keystore module"); + return rc; + } + + return mod->module_api_version; +} + +int should_use_keymaster() +{ + /* HW FDE key would be tied to keymaster only if: + * New Keymaster is available + * keymaster partition exists on the device + */ + int rc = 0; + if (get_keymaster_version() != KEYMASTER_MODULE_API_VERSION_1_0) { + SLOGI("Keymaster version is not 1.0"); + return rc; + } + + return 1; +} diff --git a/cryptfs_hw/cryptfs_hw.h b/cryptfs_hw/cryptfs_hw.h index 9ff23c7..e857c47 100755 --- a/cryptfs_hw/cryptfs_hw.h +++ b/cryptfs_hw/cryptfs_hw.h @@ -34,12 +34,13 @@ extern "C" { #endif int set_hw_device_encryption_key(const char*, const char*); -int update_hw_device_encryption_key(const char*, const char*); -int wipe_hw_device_encryption_key(const char*); +int update_hw_device_encryption_key(const char*, const char*, const char*); +int clear_hw_device_encryption_key(); unsigned int is_hw_disk_encryption(const char*); int is_ice_enabled(void); +int should_use_keymaster(); #ifdef __cplusplus } #endif -#endif \ No newline at end of file +#endif