1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 // Utility functions for VtsKernelEncryptionTest.
18 
19 #include <LzmaLib.h>
20 #include <android-base/properties.h>
21 #include <android-base/unique_fd.h>
22 #include <errno.h>
23 #include <ext4_utils/ext4.h>
24 #include <ext4_utils/ext4_sb.h>
25 #include <ext4_utils/ext4_utils.h>
26 #include <gtest/gtest.h>
27 #include <libdm/dm.h>
28 #include <linux/magic.h>
29 #include <mntent.h>
30 #include <openssl/cmac.h>
31 #include <unistd.h>
32 
33 #include "Keymaster.h"
34 #include "vts_kernel_encryption.h"
35 
36 using namespace android::dm;
37 
38 namespace android {
39 namespace kernel {
40 
41 // Offset in bytes to the filesystem superblock, relative to the beginning of
42 // the block device
43 constexpr int kExt4SuperBlockOffset = 1024;
44 constexpr int kF2fsSuperBlockOffset = 1024;
45 
46 // For F2FS: the offsets in bytes to the filesystem magic number and filesystem
47 // UUID, relative to the beginning of the block device
48 constexpr int kF2fsMagicOffset = kF2fsSuperBlockOffset;
49 constexpr int kF2fsUuidOffset = kF2fsSuperBlockOffset + 108;
50 
51 // hw-wrapped key size in bytes
52 constexpr int kHwWrappedKeySize = 32;
53 
Errno()54 std::string Errno() { return std::string(": ") + strerror(errno); }
55 
56 // Recursively deletes the file or directory at |path|, if it exists.
DeleteRecursively(const std::string & path)57 void DeleteRecursively(const std::string &path) {
58   if (unlink(path.c_str()) == 0 || errno == ENOENT) return;
59   ASSERT_EQ(EISDIR, errno) << "Failed to unlink " << path << Errno();
60 
61   std::unique_ptr<DIR, int (*)(DIR *)> dirp(opendir(path.c_str()), closedir);
62   // If the directory was assigned an encryption policy that the kernel lacks
63   // crypto API support for, then opening it will fail, and it will be empty.
64   // So, we have to allow opening the directory to fail.
65   if (dirp != nullptr) {
66     struct dirent *entry;
67     while ((entry = readdir(dirp.get())) != nullptr) {
68       std::string filename(entry->d_name);
69       if (filename != "." && filename != "..")
70         DeleteRecursively(path + "/" + filename);
71     }
72   }
73   ASSERT_EQ(0, rmdir(path.c_str()))
74       << "Failed to remove directory " << path << Errno();
75 }
76 
77 // Generates some "random" bytes.  Not secure; this is for testing only.
RandomBytesForTesting(std::vector<uint8_t> & bytes)78 void RandomBytesForTesting(std::vector<uint8_t> &bytes) {
79   for (size_t i = 0; i < bytes.size(); i++) {
80     bytes[i] = rand();
81   }
82 }
83 
84 // Generates a "random" key.  Not secure; this is for testing only.
GenerateTestKey(size_t size)85 std::vector<uint8_t> GenerateTestKey(size_t size) {
86   std::vector<uint8_t> key(size);
87   RandomBytesForTesting(key);
88   return key;
89 }
90 
BytesToHex(const std::vector<uint8_t> & bytes)91 std::string BytesToHex(const std::vector<uint8_t> &bytes) {
92   std::ostringstream o;
93   for (uint8_t b : bytes) {
94     o << std::hex << std::setw(2) << std::setfill('0') << (int)b;
95   }
96   return o.str();
97 }
98 
GetFirstApiLevel(int * first_api_level)99 bool GetFirstApiLevel(int *first_api_level) {
100   *first_api_level =
101       android::base::GetIntProperty("ro.product.first_api_level", 0);
102   if (*first_api_level == 0) {
103     ADD_FAILURE() << "ro.product.first_api_level is unset";
104     return false;
105   }
106   GTEST_LOG_(INFO) << "ro.product.first_api_level = " << *first_api_level;
107   return true;
108 }
109 
110 // Gets the block device and type of the filesystem mounted on |mountpoint|.
111 // This block device is the one on which the filesystem is directly located.  In
112 // the case of device-mapper that means something like /dev/mapper/dm-5, not the
113 // underlying device like /dev/block/by-name/userdata.
GetFsBlockDeviceAndType(const std::string & mountpoint,std::string * fs_blk_device,std::string * fs_type)114 static bool GetFsBlockDeviceAndType(const std::string &mountpoint,
115                                     std::string *fs_blk_device,
116                                     std::string *fs_type) {
117   std::unique_ptr<FILE, int (*)(FILE *)> mnts(setmntent("/proc/mounts", "re"),
118                                               endmntent);
119   if (!mnts) {
120     ADD_FAILURE() << "Failed to open /proc/mounts" << Errno();
121     return false;
122   }
123   struct mntent *mnt;
124   while ((mnt = getmntent(mnts.get())) != nullptr) {
125     if (mnt->mnt_dir == mountpoint) {
126       *fs_blk_device = mnt->mnt_fsname;
127       *fs_type = mnt->mnt_type;
128       return true;
129     }
130   }
131   ADD_FAILURE() << "No /proc/mounts entry found for " << mountpoint;
132   return false;
133 }
134 
135 // Gets the UUID of the filesystem of type |fs_type| that's located on
136 // |fs_blk_device|.
137 //
138 // Unfortunately there's no kernel API to get the UUID; instead we have to read
139 // it from the filesystem superblock.
GetFilesystemUuid(const std::string & fs_blk_device,const std::string & fs_type,FilesystemUuid * fs_uuid)140 static bool GetFilesystemUuid(const std::string &fs_blk_device,
141                               const std::string &fs_type,
142                               FilesystemUuid *fs_uuid) {
143   android::base::unique_fd fd(
144       open(fs_blk_device.c_str(), O_RDONLY | O_CLOEXEC));
145   if (fd < 0) {
146     ADD_FAILURE() << "Failed to open fs block device " << fs_blk_device
147                   << Errno();
148     return false;
149   }
150 
151   if (fs_type == "ext4") {
152     struct ext4_super_block sb;
153 
154     if (pread(fd, &sb, sizeof(sb), kExt4SuperBlockOffset) != sizeof(sb)) {
155       ADD_FAILURE() << "Error reading ext4 superblock from " << fs_blk_device
156                     << Errno();
157       return false;
158     }
159     if (sb.s_magic != cpu_to_le16(EXT4_SUPER_MAGIC)) {
160       ADD_FAILURE() << "Failed to find ext4 superblock on " << fs_blk_device;
161       return false;
162     }
163     static_assert(sizeof(sb.s_uuid) == kFilesystemUuidSize);
164     memcpy(fs_uuid->bytes, sb.s_uuid, kFilesystemUuidSize);
165   } else if (fs_type == "f2fs") {
166     // Android doesn't have an f2fs equivalent of libext4_utils, so we have to
167     // hard-code the offset to the magic number and UUID.
168 
169     __le32 magic;
170     if (pread(fd, &magic, sizeof(magic), kF2fsMagicOffset) != sizeof(magic)) {
171       ADD_FAILURE() << "Error reading f2fs superblock from " << fs_blk_device
172                     << Errno();
173       return false;
174     }
175     if (magic != cpu_to_le32(F2FS_SUPER_MAGIC)) {
176       ADD_FAILURE() << "Failed to find f2fs superblock on " << fs_blk_device;
177       return false;
178     }
179     if (pread(fd, fs_uuid->bytes, kFilesystemUuidSize, kF2fsUuidOffset) !=
180         kFilesystemUuidSize) {
181       ADD_FAILURE() << "Failed to read f2fs filesystem UUID from "
182                     << fs_blk_device << Errno();
183       return false;
184     }
185   } else {
186     ADD_FAILURE() << "Unknown filesystem type " << fs_type;
187     return false;
188   }
189   return true;
190 }
191 
192 // Gets the raw block device of the filesystem that is mounted from
193 // |fs_blk_device|.  By "raw block device" we mean a block device from which we
194 // can read the encrypted file contents and filesystem metadata.  When metadata
195 // encryption is disabled, this is simply |fs_blk_device|.  When metadata
196 // encryption is enabled, then |fs_blk_device| is a dm-default-key device and
197 // the "raw block device" is the parent of this dm-default-key device.
198 //
199 // We don't just use the block device listed in the fstab, because (a) it can be
200 // a logical partition name which needs extra code to map to a block device, and
201 // (b) due to block-level checkpointing, there can be a dm-bow device between
202 // the fstab partition and dm-default-key.  dm-bow can remap sectors, but for
203 // encryption testing we don't want any sector remapping.  So the correct block
204 // device to read ciphertext from is the one directly underneath dm-default-key.
GetRawBlockDevice(const std::string & fs_blk_device,std::string * raw_blk_device)205 static bool GetRawBlockDevice(const std::string &fs_blk_device,
206                               std::string *raw_blk_device) {
207   DeviceMapper &dm = DeviceMapper::Instance();
208 
209   if (!dm.IsDmBlockDevice(fs_blk_device)) {
210     GTEST_LOG_(INFO)
211         << fs_blk_device
212         << " is not a device-mapper device; metadata encryption is disabled";
213     *raw_blk_device = fs_blk_device;
214     return true;
215   }
216   const std::optional<std::string> name =
217       dm.GetDmDeviceNameByPath(fs_blk_device);
218   if (!name) {
219     ADD_FAILURE() << "Failed to get name of device-mapper device "
220                   << fs_blk_device;
221     return false;
222   }
223 
224   std::vector<DeviceMapper::TargetInfo> table;
225   if (!dm.GetTableInfo(*name, &table)) {
226     ADD_FAILURE() << "Failed to get table of device-mapper device " << *name;
227     return false;
228   }
229   if (table.size() != 1) {
230     GTEST_LOG_(INFO) << fs_blk_device
231                      << " has multiple device-mapper targets; assuming "
232                         "metadata encryption is disabled";
233     *raw_blk_device = fs_blk_device;
234     return true;
235   }
236   const std::string target_type = dm.GetTargetType(table[0].spec);
237   if (target_type != "default-key") {
238     GTEST_LOG_(INFO) << fs_blk_device << " is a dm-" << target_type
239                      << " device, not dm-default-key; assuming metadata "
240                         "encryption is disabled";
241     *raw_blk_device = fs_blk_device;
242     return true;
243   }
244   std::optional<std::string> parent =
245       dm.GetParentBlockDeviceByPath(fs_blk_device);
246   if (!parent) {
247     ADD_FAILURE() << "Failed to get parent of dm-default-key device " << *name;
248     return false;
249   }
250   *raw_blk_device = *parent;
251   return true;
252 }
253 
254 // Gets information about the filesystem mounted on |mountpoint|.
GetFilesystemInfo(const std::string & mountpoint,FilesystemInfo * info)255 bool GetFilesystemInfo(const std::string &mountpoint, FilesystemInfo *info) {
256   if (!GetFsBlockDeviceAndType(mountpoint, &info->fs_blk_device, &info->type))
257     return false;
258 
259   if (!GetFilesystemUuid(info->fs_blk_device, info->type, &info->uuid))
260     return false;
261 
262   if (!GetRawBlockDevice(info->fs_blk_device, &info->raw_blk_device))
263     return false;
264 
265   GTEST_LOG_(INFO) << info->fs_blk_device << " is mounted on " << mountpoint
266                    << " with type " << info->type << "; UUID is "
267                    << BytesToHex(info->uuid.bytes) << ", raw block device is "
268                    << info->raw_blk_device;
269   return true;
270 }
271 
272 // Returns true if the given data seems to be random.
273 //
274 // Check compressibility rather than byte frequencies.  Compressibility is a
275 // stronger test since it also detects repetitions.
276 //
277 // To check compressibility, use LZMA rather than DEFLATE/zlib/gzip because LZMA
278 // compression is stronger and supports a much larger dictionary.  DEFLATE is
279 // limited to a 32 KiB dictionary.  So, data repeating after 32 KiB (or more)
280 // would not be detected with DEFLATE.  But LZMA can detect it.
VerifyDataRandomness(const std::vector<uint8_t> & bytes)281 bool VerifyDataRandomness(const std::vector<uint8_t> &bytes) {
282   // To avoid flakiness, allow the data to be compressed a tiny bit by chance.
283   // There is at most a 2^-32 chance that random data can be compressed to be 4
284   // bytes shorter.  In practice it's even lower due to compression overhead.
285   size_t destLen = bytes.size() - std::min<size_t>(4, bytes.size());
286   std::vector<uint8_t> dest(destLen);
287   uint8_t outProps[LZMA_PROPS_SIZE];
288   size_t outPropsSize = LZMA_PROPS_SIZE;
289   int ret;
290 
291   ret = LzmaCompress(dest.data(), &destLen, bytes.data(), bytes.size(),
292                      outProps, &outPropsSize,
293                      6,               // compression level (0 <= level <= 9)
294                      bytes.size(),    // dictionary size
295                      -1, -1, -1, -1,  // lc, lp, bp, fb (-1 selects the default)
296                      1);              // number of threads
297 
298   if (ret == SZ_ERROR_OUTPUT_EOF) return true;  // incompressible
299 
300   if (ret == SZ_OK) {
301     ADD_FAILURE() << "Data is not random!  Compressed " << bytes.size()
302                   << " to " << destLen << " bytes";
303   } else {
304     ADD_FAILURE() << "LZMA compression error: ret=" << ret;
305   }
306   return false;
307 }
308 
TryPrepareHwWrappedKey(Keymaster & keymaster,const std::string & master_key_string,std::string * exported_key_string,bool rollback_resistance)309 static bool TryPrepareHwWrappedKey(Keymaster &keymaster,
310                                    const std::string &master_key_string,
311                                    std::string *exported_key_string,
312                                    bool rollback_resistance) {
313   // This key is used to drive a CMAC-based KDF
314   auto paramBuilder =
315       km::AuthorizationSetBuilder().AesEncryptionKey(kHwWrappedKeySize * 8);
316   if (rollback_resistance) {
317     paramBuilder.Authorization(km::TAG_ROLLBACK_RESISTANCE);
318   }
319   paramBuilder.Authorization(km::TAG_STORAGE_KEY);
320 
321   std::string wrapped_key_blob;
322   if (keymaster.importKey(paramBuilder, km::KeyFormat::RAW, master_key_string,
323                           &wrapped_key_blob) &&
324       keymaster.exportKey(wrapped_key_blob, exported_key_string)) {
325     return true;
326   }
327   // It's fine for Keymaster not to support hardware-wrapped keys, but
328   // if generateKey works, importKey must too.
329   if (keymaster.generateKey(paramBuilder, &wrapped_key_blob) &&
330       keymaster.exportKey(wrapped_key_blob, exported_key_string)) {
331     ADD_FAILURE() << "generateKey succeeded but importKey failed";
332   }
333   return false;
334 }
335 
CreateHwWrappedKey(std::vector<uint8_t> * master_key,std::vector<uint8_t> * exported_key)336 bool CreateHwWrappedKey(std::vector<uint8_t> *master_key,
337                         std::vector<uint8_t> *exported_key) {
338   *master_key = GenerateTestKey(kHwWrappedKeySize);
339 
340   Keymaster keymaster;
341   if (!keymaster) {
342     ADD_FAILURE() << "Unable to find keymaster";
343     return false;
344   }
345   std::string master_key_string(master_key->begin(), master_key->end());
346   std::string exported_key_string;
347   // Make two attempts to create a key, first with and then without
348   // rollback resistance.
349   if (TryPrepareHwWrappedKey(keymaster, master_key_string, &exported_key_string,
350                              true) ||
351       TryPrepareHwWrappedKey(keymaster, master_key_string, &exported_key_string,
352                              false)) {
353     exported_key->assign(exported_key_string.begin(),
354                          exported_key_string.end());
355     return true;
356   }
357   GTEST_LOG_(INFO) << "Skipping test because device doesn't support "
358                       "hardware-wrapped keys";
359   return false;
360 }
361 
PushBigEndian32(uint32_t val,std::vector<uint8_t> * vec)362 static void PushBigEndian32(uint32_t val, std::vector<uint8_t> *vec) {
363   for (int i = 24; i >= 0; i -= 8) {
364     vec->push_back((val >> i) & 0xFF);
365   }
366 }
367 
GetFixedInputString(uint32_t counter,const std::vector<uint8_t> & label,const std::vector<uint8_t> & context,uint32_t derived_key_len,std::vector<uint8_t> * fixed_input_string)368 static void GetFixedInputString(uint32_t counter,
369                                 const std::vector<uint8_t> &label,
370                                 const std::vector<uint8_t> &context,
371                                 uint32_t derived_key_len,
372                                 std::vector<uint8_t> *fixed_input_string) {
373   PushBigEndian32(counter, fixed_input_string);
374   fixed_input_string->insert(fixed_input_string->end(), label.begin(),
375                              label.end());
376   fixed_input_string->push_back(0);
377   fixed_input_string->insert(fixed_input_string->end(), context.begin(),
378                              context.end());
379   PushBigEndian32(derived_key_len, fixed_input_string);
380 }
381 
AesCmacKdfHelper(const std::vector<uint8_t> & key,const std::vector<uint8_t> & label,const std::vector<uint8_t> & context,uint32_t output_key_size,std::vector<uint8_t> * output_data)382 static bool AesCmacKdfHelper(const std::vector<uint8_t> &key,
383                              const std::vector<uint8_t> &label,
384                              const std::vector<uint8_t> &context,
385                              uint32_t output_key_size,
386                              std::vector<uint8_t> *output_data) {
387   output_data->resize(output_key_size);
388   for (size_t count = 0; count < (output_key_size / kAesBlockSize); count++) {
389     std::vector<uint8_t> fixed_input_string;
390     GetFixedInputString(count + 1, label, context, (output_key_size * 8),
391                         &fixed_input_string);
392     if (!AES_CMAC(output_data->data() + (kAesBlockSize * count), key.data(),
393                   key.size(), fixed_input_string.data(),
394                   fixed_input_string.size())) {
395       ADD_FAILURE()
396           << "AES_CMAC failed while deriving subkey from HW wrapped key";
397       return false;
398     }
399   }
400   return true;
401 }
402 
DeriveHwWrappedEncryptionKey(const std::vector<uint8_t> & master_key,std::vector<uint8_t> * enc_key)403 bool DeriveHwWrappedEncryptionKey(const std::vector<uint8_t> &master_key,
404                                   std::vector<uint8_t> *enc_key) {
405   std::vector<uint8_t> label{0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
406                              0x00, 0x00, 0x00, 0x00, 0x20};
407   // Context in fixed input string comprises of software provided context,
408   // padding to eight bytes (if required) and the key policy.
409   std::vector<uint8_t> context = {
410       'i', 'n', 'l', 'i', 'n', 'e', ' ', 'e',
411       'n', 'c', 'r', 'y', 'p', 't', 'i', 'o',
412       'n', ' ', 'k', 'e', 'y', 0x0, 0x0, 0x0,
413       0x00, 0x00, 0x00, 0x02, 0x43, 0x00, 0x82, 0x50,
414       0x0,  0x0,  0x0,  0x0};
415 
416   return AesCmacKdfHelper(master_key, label, context, kAes256XtsKeySize,
417                           enc_key);
418 }
419 
DeriveHwWrappedRawSecret(const std::vector<uint8_t> & master_key,std::vector<uint8_t> * secret)420 bool DeriveHwWrappedRawSecret(const std::vector<uint8_t> &master_key,
421                               std::vector<uint8_t> *secret) {
422   std::vector<uint8_t> label{0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
423                              0x00, 0x00, 0x00, 0x00, 0x20};
424   // Context in fixed input string comprises of software provided context,
425   // padding to eight bytes (if required) and the key policy.
426   std::vector<uint8_t> context = {'r',  'a',  'w',  ' ',  's',  'e',  'c',
427                                   'r',  'e',  't',  0x0,  0x0,  0x0,  0x0,
428                                   0x0,  0x0,  0x00, 0x00, 0x00, 0x02, 0x17,
429                                   0x00, 0x80, 0x50, 0x0,  0x0,  0x0,  0x0};
430 
431   return AesCmacKdfHelper(master_key, label, context, kAes256KeySize, secret);
432 }
433 
434 }  // namespace kernel
435 }  // namespace android
436