vold: Add a versioned superblock to secure containers.

Add an un-encrypted superblock to the end of a secure container to
help identify the crypto cipher used. This is required in order to
provide some semblence of versioning, in case we have cause to
change the crypto type on an update - say for example switching
from software to hardware encryption, or from 128 -> a zillion
bit keys.

NOTE: This format is incompatible with previous secure containers.
After this change they will no longer be mountable.

Signed-off-by: San Mehat <san@google.com>

Asec.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _ASEC_H
+#define _ASEC_H
+
+struct asec_superblock {
+#define ASEC_SB_MAGIC 0xc0def00d
+    unsigned int magic;
+
+#define ASEC_SB_VER 1
+    unsigned char ver;
+
+#define ASEC_SB_C_CIPHER_NONE    0
+#define ASEC_SB_C_CIPHER_TWOFISH 1
+#define ASEC_SB_C_CIPHER_AES     2
+    unsigned char c_cipher;
+
+#define ASEC_SB_C_CHAIN_NONE 0
+    unsigned char c_chain;
+
+#define ASEC_SB_C_OPTS_NONE 0
+    unsigned char c_opts;
+
+#define ASEC_SB_C_MODE_NONE 0
+    unsigned char c_mode;
+} __attribute__((packed));
+
+#endif

Devmapper.cpp

@@ -136,8 +136,10 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     ioctlInit(io, 4096, name, DM_STATUS_TABLE_FLAG);
     io->target_count = 1;
     tgt->status = 0;
+
     tgt->sector_start = 0;
     tgt->length = numSectors;
+
     strcpy(tgt->target_type, "crypt");
 
     char *cryptParams = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);

Fat.cpp

@@ -148,24 +148,11 @@ int Fat::doMount(const char *fsPath, const char *mountPoint,
     return rc;
 }
 
-int Fat::format(const char *fsPath) {
-    unsigned int nr_sec;
+int Fat::format(const char *fsPath, unsigned int numSectors) {
     int fd;
-
-    if ((fd = open(fsPath, O_RDWR)) < 0) {
-        LOGE("Error opening disk file (%s)", strerror(errno));
-        return -1;
-    }
-
-    if (ioctl(fd, BLKGETSIZE, &nr_sec)) {
-        LOGE("Unable to get device size (%s)", strerror(errno));
-        close(fd);
-        return -1;
-    }
-    close(fd);
-
-    const char *args[9];
+    const char *args[11];
     int rc;
+
     args[0] = MKDOSFS_PATH;
     args[1] = "-F";
     args[2] = "32";
@@ -173,9 +160,21 @@ int Fat::format(const char *fsPath) {
     args[4] = "android";
     args[5] = "-c";
     args[6] = "8";
-    args[7] = fsPath;
-    args[8] = NULL;
-    rc = logwrap(9, args, 1);
+
+    if (numSectors) {
+        char tmp[32];
+        snprintf(tmp, sizeof(tmp), "%u", numSectors);
+        const char *size = tmp;
+        args[7] = "-s";
+        args[8] = size;
+        args[9] = fsPath;
+        args[10] = NULL;
+        rc = logwrap(11, args, 1);
+    } else {
+        args[7] = fsPath;
+        args[8] = NULL;
+        rc = logwrap(9, args, 1);
+    }
 
     if (rc == 0) {
         LOGI("Filesystem formatted OK");

Fat.h

@@ -25,7 +25,7 @@ public:
     static int doMount(const char *fsPath, const char *mountPoint, bool ro,
                        bool remount, int ownerUid, int ownerGid, int permMask,
                        bool createLost);
-    static int format(const char *fsPath);
+    static int format(const char *fsPath, unsigned int numSectors);
 };
 
 #endif

Volume.cpp

@@ -194,7 +194,7 @@ int Volume::formatVol() {
     sprintf(devicePath, "/dev/block/vold/%d:%d",
             MAJOR(partNode), MINOR(partNode));
 
-    if (Fat::format(devicePath)) {
+    if (Fat::format(devicePath, 0)) {
         LOGE("Failed to format (%s)", strerror(errno));
         goto err;
     }

VolumeManager.cpp

@@ -38,6 +38,7 @@
 #include "Fat.h"
 #include "Devmapper.h"
 #include "Process.h"
+#include "Asec.h"
 
 VolumeManager *VolumeManager::sInstance = NULL;
 
@@ -168,6 +169,11 @@ int VolumeManager::getAsecMountPath(const char *id, char *buffer, int maxlen) {
 
 int VolumeManager::createAsec(const char *id, unsigned int numSectors,
                               const char *fstype, const char *key, int ownerUid) {
+    struct asec_superblock sb;
+    memset(&sb, 0, sizeof(sb));
+
+    sb.magic = ASEC_SB_MAGIC;
+    sb.ver = ASEC_SB_VER;
 
     if (numSectors < ((1024*1024)/512)) {
         LOGE("Invalid container size specified (%d sectors)", numSectors);
@@ -191,7 +197,18 @@ int VolumeManager::createAsec(const char *id, unsigned int numSectors,
         return -1;
     }
 
-    if (Loop::createImageFile(asecFileName, numSectors)) {
+    /*
+     * Add some headroom
+     */
+    unsigned fatSize = (((numSectors * 4) / 512) + 1) * 2;
+    unsigned numImgSectors = numSectors + fatSize + 2;
+
+    if (numImgSectors % 63) {
+        numImgSectors += (63 - (numImgSectors % 63));
+    }
+
+    // Add +1 for our superblock which is at the end
+    if (Loop::createImageFile(asecFileName, numImgSectors + 1)) {
         LOGE("ASEC image file creation failed (%s)", strerror(errno));
         return -1;
     }
@@ -207,7 +224,9 @@ int VolumeManager::createAsec(const char *id, unsigned int numSectors,
     bool cleanupDm = false;
 
     if (strcmp(key, "none")) {
-        if (Devmapper::create(id, loopDevice, key, numSectors, dmDevice,
+        // XXX: This is all we support for now
+        sb.c_cipher = ASEC_SB_C_CIPHER_TWOFISH;
+        if (Devmapper::create(id, loopDevice, key, numImgSectors, dmDevice,
                              sizeof(dmDevice))) {
             LOGE("ASEC device mapping failed (%s)", strerror(errno));
             Loop::destroyByDevice(loopDevice);
@@ -216,15 +235,54 @@ int VolumeManager::createAsec(const char *id, unsigned int numSectors,
         }
         cleanupDm = true;
     } else {
+        sb.c_cipher = ASEC_SB_C_CIPHER_NONE;
         strcpy(dmDevice, loopDevice);
     }
 
+    /*
+     * Drop down the superblock at the end of the file
+     */
+
+    int sbfd = open(loopDevice, O_RDWR);
+    if (sbfd < 0) {
+        LOGE("Failed to open new DM device for superblock write (%s)", strerror(errno));
+        if (cleanupDm) {
+            Devmapper::destroy(id);
+        }
+        Loop::destroyByDevice(loopDevice);
+        unlink(asecFileName);
+        return -1;
+    }
+
+    if (lseek(sbfd, (numImgSectors * 512), SEEK_SET) < 0) {
+        close(sbfd);
+        LOGE("Failed to lseek for superblock (%s)", strerror(errno));
+        if (cleanupDm) {
+            Devmapper::destroy(id);
+        }
+        Loop::destroyByDevice(loopDevice);
+        unlink(asecFileName);
+        return -1;
+    }
+
+    if (write(sbfd, &sb, sizeof(sb)) != sizeof(sb)) {
+        close(sbfd);
+        LOGE("Failed to write superblock (%s)", strerror(errno));
+        if (cleanupDm) {
+            Devmapper::destroy(id);
+        }
+        Loop::destroyByDevice(loopDevice);
+        unlink(asecFileName);
+        return -1;
+    }
+    close(sbfd);
+
     if (strcmp(fstype, "none")) {
         if (strcmp(fstype, "fat")) {
             LOGW("Unknown fstype '%s' specified for container", fstype);
         }
 
-        if (Fat::format(dmDevice)) {
+        if (Fat::format(dmDevice, numImgSectors)) {
             LOGE("ASEC FAT format failed (%s)", strerror(errno));
             if (cleanupDm) {
                 Devmapper::destroy(id);
@@ -467,24 +525,53 @@ int VolumeManager::mountAsec(const char *id, const char *key, int ownerUid) {
 
     char dmDevice[255];
     bool cleanupDm = false;
-    if (strcmp(key, "none")) {
-        if (Devmapper::lookupActive(id, dmDevice, sizeof(dmDevice))) {
-            unsigned int nr_sec = 0;
-            int fd;
+    int fd;
+    unsigned int nr_sec = 0;
 
-            if ((fd = open(loopDevice, O_RDWR)) < 0) {
-                LOGE("Failed to open loopdevice (%s)", strerror(errno));
-                Loop::destroyByDevice(loopDevice);
-                return -1;
-            }
+    if ((fd = open(loopDevice, O_RDWR)) < 0) {
+        LOGE("Failed to open loopdevice (%s)", strerror(errno));
+        Loop::destroyByDevice(loopDevice);
+        return -1;
+    }
 
-            if (ioctl(fd, BLKGETSIZE, &nr_sec)) {
-                LOGE("Failed to get loop size (%s)", strerror(errno));
-                Loop::destroyByDevice(loopDevice);
-                close(fd);
-                return -1;
-            }
-            close(fd);
+    if (ioctl(fd, BLKGETSIZE, &nr_sec)) {
+        LOGE("Failed to get loop size (%s)", strerror(errno));
+        Loop::destroyByDevice(loopDevice);
+        close(fd);
+        return -1;
+    }
+
+    /*
+     * Validate superblock
+     */
+    struct asec_superblock sb;
+    memset(&sb, 0, sizeof(sb));
+    if (lseek(fd, ((nr_sec-1) * 512), SEEK_SET) < 0) {
+        LOGE("lseek failed (%s)", strerror(errno));
+        close(fd);
+        Loop::destroyByDevice(loopDevice);
+        return -1;
+    }
+    if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
+        LOGE("superblock read failed (%s)", strerror(errno));
+        close(fd);
+        Loop::destroyByDevice(loopDevice);
+        return -1;
+    }
+
+    close(fd);
+
+    LOGD("Container sb magic/ver (%.8x/%.2x)", sb.magic, sb.ver);
+    if (sb.magic != ASEC_SB_MAGIC || sb.ver != ASEC_SB_VER) {
+        LOGE("Bad container magic/version (%.8x/%.2x)", sb.magic, sb.ver);
+        Loop::destroyByDevice(loopDevice);
+        errno = EMEDIUMTYPE;
+        return -1;
+    }
+    nr_sec--; // We don't want the devmapping to extend onto our superblock
+
+    if (strcmp(key, "none")) {
+        if (Devmapper::lookupActive(id, dmDevice, sizeof(dmDevice))) {
             if (Devmapper::create(id, loopDevice, key, nr_sec,
                                   dmDevice, sizeof(dmDevice))) {
                 LOGE("ASEC device mapping failed (%s)", strerror(errno));