2 * Copyright (c) 2015-2017 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
23 #include <sys/mount.h>
24 #include <sys/reboot.h>
30 #include <tzplatform_config.h>
31 #include <klay/process.h>
32 #include <klay/file-user.h>
33 #include <klay/filesystem.h>
34 #include <klay/dbus/connection.h>
35 #include <klay/error.h>
39 #include "progress-bar.h"
40 #include "rmi/common.h"
42 #include "internal-encryption.h"
43 #include "internal-encryption-common.h"
49 const char *PRIVILEGE_PLATFORM = "http://tizen.org/privilege/internal/default/platform";
51 // TODO: see recovery()
52 const std::string PROG_FACTORY_RESET = "/usr/bin/dbus-send";
53 const std::vector<std::string> wipeCommand = {
58 "--dest=com.samsung.factoryreset",
59 "/com/samsung/factoryreset",
60 "com.samsung.factoryreset.start.setting"
63 void stopKnownSystemdUnits()
65 std::vector<std::string> knownSystemdUnits;
66 dbus::Connection& systemDBus = dbus::Connection::getSystem();
67 dbus::VariantIterator iter;
69 systemDBus.methodcall("org.freedesktop.systemd1",
70 "/org/freedesktop/systemd1",
71 "org.freedesktop.systemd1.Manager",
73 -1, "(a(ssssssouso))", "")
74 .get("(a(ssssssouso))", &iter);
77 unsigned int dataUint;
81 ret = iter.get("(ssssssouso)", dataStr, dataStr + 1, dataStr + 2,
82 dataStr + 3, dataStr + 4, dataStr + 5,
83 dataStr + 6, &dataUint, dataStr + 7,
90 std::string unit(dataStr[0]);
91 if (unit == "security-manager.socket") {
92 knownSystemdUnits.insert(knownSystemdUnits.begin(), unit);
93 } else if (unit.compare(0, 5, "user@") == 0 ||
94 unit == "tlm.service" ||
95 unit == "resourced.service" ||
96 unit == "security-manager.service") {
97 knownSystemdUnits.push_back(unit);
101 for (const std::string& unit : knownSystemdUnits) {
102 INFO(SINK, "Stopping unit: " + unit);
103 systemDBus.methodcall("org.freedesktop.systemd1",
104 "/org/freedesktop/systemd1",
105 "org.freedesktop.systemd1.Manager",
107 -1, "", "(ss)", unit.c_str(), "flush");
110 sleep(1); // TODO wait for confirmation from systemd instead
113 void stopDependedSystemdUnits()
115 dbus::Connection& systemDBus = dbus::Connection::getSystem();
116 std::set<std::string> unitsToStop;
118 for (pid_t pid : runtime::FileUser::getList(INTERNAL_PATH, true)) {
121 systemDBus.methodcall("org.freedesktop.systemd1",
122 "/org/freedesktop/systemd1",
123 "org.freedesktop.systemd1.Manager",
125 -1, "(o)", "(u)", (unsigned int)pid)
127 unitsToStop.insert(unit);
128 } catch (runtime::Exception &e) {
129 INFO(SINK, "Killing process: " + std::to_string(pid));
130 ::kill(pid, SIGKILL);
134 for (const std::string& unit : unitsToStop) {
135 INFO(SINK, "Stopping unit: " + unit);
136 systemDBus.methodcall("org.freedesktop.systemd1",
138 "org.freedesktop.systemd1.Unit",
140 -1, "", "(s)", "flush");
144 void showProgressUI(const std::string type)
146 ::tzplatform_set_user(::tzplatform_getuid(TZ_SYS_DEFAULT_USER));
147 std::string defaultUserHome(::tzplatform_getenv(TZ_USER_HOME));
148 ::tzplatform_reset_user();
151 runtime::File shareDirectory("/opt/home/root/share");
152 if (!shareDirectory.exists()) {
153 shareDirectory.makeDirectory(true);
156 runtime::File elmConfigDir(shareDirectory.getPath() + "/.elementary");
157 if (!elmConfigDir.exists()) {
158 runtime::File defaultElmConfigDir(defaultUserHome + "/share/.elementary");
159 defaultElmConfigDir.copyTo(shareDirectory.getPath());
161 } catch (runtime::Exception &e) {
162 ERROR(SINK, "Failed to set up elm configuration: " + std::string(e.what()));
165 std::vector<std::string> args = {
166 "ode", "progress", type, "Internal"
169 runtime::Process proc("/usr/bin/ode", args);
173 unsigned int getOptions()
175 unsigned int result = 0;
179 ::vconf_get_bool(VCONFKEY_ODE_FAST_ENCRYPTION, &value);
181 result |= InternalEncryption::Option::IncludeUnusedRegion;
187 void setOptions(unsigned int options)
191 if (options & InternalEncryption::Option::IncludeUnusedRegion) {
196 ::vconf_set_bool(VCONFKEY_ODE_FAST_ENCRYPTION, value);
199 void unmountInternalStorage(const std::string& source)
202 auto mntPaths = findMountPointsByDevice(source);
206 bool unmounted = true;
207 for(const auto& path : mntPaths) {
208 INFO(SINK, "Unmounting " + path);
209 if (::umount(path.c_str()) == -1) {
210 // If it's busy or was already unmounted ignore the error
211 if (errno != EBUSY && errno != EINVAL) {
212 throw runtime::Exception("umount() error: " + runtime::GetSystemErrorMessage());
218 stopDependedSystemdUnits();
224 InternalEncryptionServer::InternalEncryptionServer(ServerContext& srv,
229 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::setMountPassword)(std::string));
230 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::mount)());
231 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::umount)());
232 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::encrypt)(std::string, unsigned int));
233 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::decrypt)(std::string));
234 server.expose(this, "", (int)(InternalEncryptionServer::isPasswordInitialized)());
235 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::initPassword)(std::string));
236 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::cleanPassword)(std::string));
237 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::changePassword)(std::string, std::string));
238 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::verifyPassword)(std::string));
239 server.expose(this, "", (int)(InternalEncryptionServer::getState)());
240 server.expose(this, "", (unsigned int)(InternalEncryptionServer::getSupportedOptions)());
241 server.expose(this, "", (std::string)(InternalEncryptionServer::getDevicePath)());
243 server.createNotification("InternalEncryptionServer::mount");
245 std::string source = findDevPath();
247 engine.reset(new INTERNAL_ENGINE(
248 source, INTERNAL_PATH,
249 ProgressBar([](int v) {
250 ::vconf_set_str(VCONFKEY_ODE_ENCRYPT_PROGRESS,
251 std::to_string(v).c_str());
256 InternalEncryptionServer::~InternalEncryptionServer()
260 int InternalEncryptionServer::setMountPassword(const std::string& password)
262 return keyServer.get(engine->getSource(), password, mountKey);
265 int InternalEncryptionServer::mount()
267 if (mountKey.empty()) {
268 ERROR(SINK, "You need to call set_mount_password() first.");
269 return error::NoData;
272 BinaryData key = mountKey;
275 if (getState() != State::Encrypted) {
276 INFO(SINK, "Cannot mount, SD partition's state incorrect.");
277 return error::NoSuchDevice;
280 if (engine->isMounted()) {
281 INFO(SINK, "Partition already mounted.");
285 INFO(SINK, "Mounting internal storage.");
287 engine->mount(key, getOptions());
289 server.notify("InternalEncryptionServer::mount");
291 runtime::File("/tmp/.lazy_mount").create(O_WRONLY);
292 runtime::File("/tmp/.unlock_mnt").create(O_WRONLY);
293 } catch (runtime::Exception &e) {
294 ERROR(SINK, "Mount failed: " + std::string(e.what()));
295 return error::Unknown;
301 int InternalEncryptionServer::umount()
303 if (getState() != State::Encrypted) {
304 ERROR(SINK, "Cannot umount, partition's state incorrect.");
305 return error::NoSuchDevice;
308 if (!engine->isMounted()) {
309 INFO(SINK, "Partition already umounted.");
313 INFO(SINK, "Closing all processes using internal storage.");
315 stopDependedSystemdUnits();
316 INFO(SINK, "Umounting internal storage.");
318 } catch (runtime::Exception &e) {
319 ERROR(SINK, "Umount failed: " + std::string(e.what()));
320 return error::Unknown;
326 int InternalEncryptionServer::encrypt(const std::string& password, unsigned int options)
328 if (getState() != State::Unencrypted) {
329 ERROR(SINK, "Cannot encrypt, partition's state incorrect.");
330 return error::NoSuchDevice;
333 BinaryData masterKey;
334 int ret = keyServer.get(engine->getSource(), password, masterKey);
335 if (ret != error::None)
338 auto encryptWorker = [masterKey, options, this]() {
340 INFO(SINK, "Closing all known systemd services that might be using internal storage.");
341 stopKnownSystemdUnits();
343 std::string source = engine->getSource();
344 auto mntPaths = findMountPointsByDevice(source);
346 if (!mntPaths.empty()) {
347 INFO(SINK, "Closing all processes using internal storage.");
348 stopDependedSystemdUnits();
350 INFO(SINK, "Unmounting internal storage.");
351 unmountInternalStorage(source);
354 showProgressUI("Encrypting");
356 INFO(SINK, "Encryption started.");
357 ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "error_partially_encrypted");
358 engine->encrypt(masterKey, options);
359 setOptions(options & getSupportedOptions());
361 INFO(SINK, "Encryption completed.");
362 ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "encrypted");
363 server.notify("InternalEncryptionServer::mount");
365 INFO(SINK, "Syncing disk and rebooting.");
367 ::reboot(RB_AUTOBOOT);
368 } catch (runtime::Exception &e) {
369 ERROR(SINK, "Encryption failed: " + std::string(e.what()));
373 std::thread asyncWork(encryptWorker);
379 int InternalEncryptionServer::decrypt(const std::string& password)
381 if (getState() != State::Encrypted) {
382 ERROR(SINK, "Cannot decrypt, partition's state incorrect.");
383 return error::NoSuchDevice;
386 BinaryData masterKey;
387 int ret = keyServer.get(engine->getSource(), password, masterKey);
388 if (ret != error::None)
391 auto decryptWorker = [masterKey, this]() {
393 if (engine->isMounted()) {
394 INFO(SINK, "Closing all known systemd services that might be using internal storage.");
395 stopKnownSystemdUnits();
396 INFO(SINK, "Closing all processes using internal storage.");
397 stopDependedSystemdUnits();
399 INFO(SINK, "Umounting internal storage.");
404 } catch (runtime::Exception& e) {
405 stopDependedSystemdUnits();
410 showProgressUI("Decrypting");
412 INFO(SINK, "Decryption started.");
413 ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "error_partially_encrypted");
414 engine->decrypt(masterKey, getOptions());
416 INFO(SINK, "Decryption complete.");
417 ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "unencrypted");
419 INFO(SINK, "Syncing disk and rebooting.");
421 ::reboot(RB_AUTOBOOT);
422 } catch (runtime::Exception &e) {
423 ERROR(SINK, "Decryption failed: " + std::string(e.what()));
427 std::thread asyncWork(decryptWorker);
433 int InternalEncryptionServer::recovery()
435 if (getState() == State::Unencrypted) {
436 return error::NoSuchDevice;
440 runtime::Process proc(PROG_FACTORY_RESET, wipeCommand);
441 if (proc.execute() == -1) {
442 ERROR(SINK, "Failed to launch factory-reset");
443 return error::WrongPassword;
449 int InternalEncryptionServer::isPasswordInitialized()
451 return keyServer.isInitialized(engine->getSource());
454 int InternalEncryptionServer::initPassword(const std::string& password)
456 return keyServer.init(engine->getSource(), password, Key::DEFAULT_256BIT);
459 int InternalEncryptionServer::cleanPassword(const std::string& password)
461 return keyServer.remove(engine->getSource(), password);
464 int InternalEncryptionServer::changePassword(const std::string& oldPassword,
465 const std::string& newPassword)
467 return keyServer.changePassword(engine->getSource(), oldPassword, newPassword);
470 int InternalEncryptionServer::verifyPassword(const std::string& password)
472 return keyServer.verifyPassword(engine->getSource(), password);
475 int InternalEncryptionServer::getState()
477 char *value = ::vconf_get_str(VCONFKEY_ODE_CRYPTO_STATE);
479 throw runtime::Exception("Failed to get vconf value.");
482 std::string valueStr(value);
485 if (valueStr == "encrypted") {
486 return State::Encrypted;
487 } else if (valueStr == "unencrypted") {
488 return State::Unencrypted;
490 return State::Corrupted;
494 unsigned int InternalEncryptionServer::getSupportedOptions()
496 return engine->getSupportedOptions();
499 std::string InternalEncryptionServer::getDevicePath() const
501 return engine->getSource();