server/internal-encryption.cpp

   1 /*
   2  *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  */
  16 #include <set>
  17
  18 #include <signal.h>
  19 #include <unistd.h>
  20 #include <sys/mount.h>
  21 #include <sys/reboot.h>
  22
  23 #include <klay/file-user.h>
  24 #include <klay/filesystem.h>
  25 #include <klay/dbus/connection.h>
  26 #include <klay/audit/logger.h>
  27
  28 #include "engine/dmcrypt-engine.h"
  29 #include "key-manager/key-manager.h"
  30
  31 #include "rmi/internal-encryption.h"
  32
  33 #define INTERNAL_STORAGE_PATH   "/opt/usr"
  34
  35 namespace ode {
  36
  37 namespace {
  38
  39 KeyManager keyManager(INTERNAL_STORAGE_PATH);
  40 DMCryptEngine engine("/dev/mmcblk0p25", INTERNAL_STORAGE_PATH);
  41
  42 void stopDependedSystemdServices()
  43 {
  44         dbus::Connection& systemDBus = dbus::Connection::getSystem();
  45         std::set<std::string> servicesToStop;
  46
  47         for (pid_t pid : runtime::FileUser::getList(INTERNAL_STORAGE_PATH, true)) {
  48                 try {
  49                         char *service;
  50                         systemDBus.methodcall("org.freedesktop.systemd1",
  51                                                                         "/org/freedesktop/systemd1",
  52                                                                         "org.freedesktop.systemd1.Manager",
  53                                                                         "GetUnitByPID",
  54                                                                         -1, "(o)", "(u)", (unsigned int)pid)
  55                                                                                 .get("(o)", &service);
  56                         servicesToStop.insert(service);
  57                 } catch (runtime::Exception &e) {
  58                         INFO("Close process - " + std::to_string(pid));
  59                         ::kill(pid, SIGKILL);
  60                 }
  61         }
  62
  63         for (const std::string& service : servicesToStop) {
  64                 INFO("Close service - " + service);
  65                 systemDBus.methodcall("org.freedesktop.systemd1",
  66                                                                 service,
  67                                                                 "org.freedesktop.systemd1.Unit",
  68                                                                 "Stop",
  69                                                                 -1, "", "(s)", "flush");
  70         }
  71 }
  72
  73 }
  74
  75 InternalEncryption::InternalEncryption(ODEControlContext& ctx) :
  76         context(ctx)
  77 {
  78         context.registerParametricMethod(this, "", (int)(InternalEncryption::mount)(std::string));
  79         context.registerNonparametricMethod(this, "", (int)(InternalEncryption::umount));
  80         context.registerParametricMethod(this, "", (int)(InternalEncryption::encrypt)(std::string));
  81         context.registerParametricMethod(this, "", (int)(InternalEncryption::decrypt)(std::string));
  82         context.registerParametricMethod(this, "", (int)(InternalEncryption::changePassword)(std::string, std::string));
  83         context.registerNonparametricMethod(this, "", (int)(InternalEncryption::getState));
  84 }
  85
  86 InternalEncryption::~InternalEncryption()
  87 {
  88 }
  89
  90 int InternalEncryption::mount(const std::string& password)
  91 {
  92         bool isVerified = false;
  93         KeyManager::data pwData(password.begin(), password.end());
  94
  95         try {
  96                 isVerified = keyManager.verifyPassword(pwData);
  97         } catch (runtime::Exception& e) {}
  98
  99         if (!isVerified) {
 100                 return -1;
 101         }
 102
 103         engine.mount(keyManager.getDEK(pwData));
 104         return 0;
 105 }
 106
 107 int InternalEncryption::umount()
 108 {
 109         INFO("Close all processes using internal storage...");
 110         stopDependedSystemdServices();
 111         INFO("Umount internal storage...");
 112         engine.umount();
 113
 114         return 0;
 115 }
 116
 117 int InternalEncryption::encrypt(const std::string& password)
 118 {
 119         KeyManager::data pwData(password.begin(), password.end());
 120
 121         if (keyManager.isInitialized()) {
 122                 bool isVerified = false;
 123                 try {
 124                         isVerified = keyManager.verifyPassword(pwData);
 125                 } catch (runtime::Exception& e) {}
 126
 127                 if (!isVerified) {
 128                         return -2;
 129                 }
 130         } else {
 131                 keyManager.initPassword(pwData);
 132         }
 133
 134         KeyManager::data DEK = keyManager.getDEK(pwData);
 135         auto encryptWorker = [DEK, this]() {
 136                 INFO("Close all processes using internal storage...");
 137                 stopDependedSystemdServices();
 138                 INFO("Umount internal storage...");
 139                 while (::umount(INTERNAL_STORAGE_PATH) == -1) {
 140                         if (errno != EBUSY) {
 141                                 break;
 142                         }
 143                 }
 144                 INFO("Encryption started...");
 145                 engine.encrypt(DEK);
 146                 INFO("Sync disk...");
 147                 sync();
 148                 INFO("Encryption completed");
 149                 ::reboot(RB_AUTOBOOT);
 150         };
 151
 152         std::thread asyncWork(encryptWorker);
 153         asyncWork.detach();
 154
 155         return 0;
 156 }
 157
 158 int InternalEncryption::decrypt(const std::string& password)
 159 {
 160         bool isVerified = false;
 161         KeyManager::data pwData(password.begin(), password.end());
 162
 163         try {
 164                 isVerified = keyManager.verifyPassword(pwData);
 165         } catch (runtime::Exception& e) {}
 166
 167         if (!isVerified) {
 168                 return -1;
 169         }
 170
 171         KeyManager::data DEK = keyManager.getDEK(pwData);
 172         auto decryptWorker = [DEK, this]() {
 173                 INFO("Close all processes using internal storage...");
 174                 stopDependedSystemdServices();
 175                 INFO("Umount internal storage...");
 176                 try {
 177                         engine.umount();
 178                 } catch (runtime::Exception& e) {}
 179                 INFO("Decryption started...");
 180                 engine.decrypt(DEK);
 181                 INFO("Sync disk...");
 182                 sync();
 183                 INFO("Decryption completed");
 184                 ::reboot(RB_AUTOBOOT);
 185         };
 186
 187         std::thread asyncWork(decryptWorker);
 188         asyncWork.detach();
 189
 190         keyManager.clearPassword();
 191
 192         return 0;
 193 }
 194
 195 int InternalEncryption::changePassword(const std::string& oldPassword,
 196                                                                                 const std::string& newPassword)
 197 {
 198         KeyManager::data oldPwData(oldPassword.begin(), oldPassword.end());
 199         KeyManager::data newPwData(newPassword.begin(), oldPassword.end());
 200
 201         bool isVerified = false;
 202         try     {
 203                 isVerified = keyManager.verifyPassword(newPwData);
 204         } catch (runtime::Exception& e) {}
 205
 206         if (!isVerified) {
 207                 return -1;
 208         }
 209
 210         keyManager.changePassword(oldPwData, newPwData);
 211         return 0;
 212 }
 213
 214 int InternalEncryption::getState()
 215 {
 216         //TODO
 217         return 0;
 218 }
 219
 220 } // namespace ode