drivers/md/dm-crypt.c at v4.18-rc7

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / drivers / md / dm-crypt.c
at v4.18-rc7 3116 lines 81 kB view raw
wrap content
   1/*
   2 * Copyright (C) 2003 Jana Saout <jana@saout.de>
   3 * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
   4 * Copyright (C) 2006-2017 Red Hat, Inc. All rights reserved.
   5 * Copyright (C) 2013-2017 Milan Broz <gmazyland@gmail.com>
   6 *
   7 * This file is released under the GPL.
   8 */
   9
  10#include <linux/completion.h>
  11#include <linux/err.h>
  12#include <linux/module.h>
  13#include <linux/init.h>
  14#include <linux/kernel.h>
  15#include <linux/key.h>
  16#include <linux/bio.h>
  17#include <linux/blkdev.h>
  18#include <linux/mempool.h>
  19#include <linux/slab.h>
  20#include <linux/crypto.h>
  21#include <linux/workqueue.h>
  22#include <linux/kthread.h>
  23#include <linux/backing-dev.h>
  24#include <linux/atomic.h>
  25#include <linux/scatterlist.h>
  26#include <linux/rbtree.h>
  27#include <linux/ctype.h>
  28#include <asm/page.h>
  29#include <asm/unaligned.h>
  30#include <crypto/hash.h>
  31#include <crypto/md5.h>
  32#include <crypto/algapi.h>
  33#include <crypto/skcipher.h>
  34#include <crypto/aead.h>
  35#include <crypto/authenc.h>
  36#include <linux/rtnetlink.h> /* for struct rtattr and RTA macros only */
  37#include <keys/user-type.h>
  38
  39#include <linux/device-mapper.h>
  40
  41#define DM_MSG_PREFIX "crypt"
  42
  43/*
  44 * context holding the current state of a multi-part conversion
  45 */
  46struct convert_context {
  47	struct completion restart;
  48	struct bio *bio_in;
  49	struct bio *bio_out;
  50	struct bvec_iter iter_in;
  51	struct bvec_iter iter_out;
  52	sector_t cc_sector;
  53	atomic_t cc_pending;
  54	union {
  55		struct skcipher_request *req;
  56		struct aead_request *req_aead;
  57	} r;
  58
  59};
  60
  61/*
  62 * per bio private data
  63 */
  64struct dm_crypt_io {
  65	struct crypt_config *cc;
  66	struct bio *base_bio;
  67	u8 *integrity_metadata;
  68	bool integrity_metadata_from_pool;
  69	struct work_struct work;
  70
  71	struct convert_context ctx;
  72
  73	atomic_t io_pending;
  74	blk_status_t error;
  75	sector_t sector;
  76
  77	struct rb_node rb_node;
  78} CRYPTO_MINALIGN_ATTR;
  79
  80struct dm_crypt_request {
  81	struct convert_context *ctx;
  82	struct scatterlist sg_in[4];
  83	struct scatterlist sg_out[4];
  84	sector_t iv_sector;
  85};
  86
  87struct crypt_config;
  88
  89struct crypt_iv_operations {
  90	int (*ctr)(struct crypt_config *cc, struct dm_target *ti,
  91		   const char *opts);
  92	void (*dtr)(struct crypt_config *cc);
  93	int (*init)(struct crypt_config *cc);
  94	int (*wipe)(struct crypt_config *cc);
  95	int (*generator)(struct crypt_config *cc, u8 *iv,
  96			 struct dm_crypt_request *dmreq);
  97	int (*post)(struct crypt_config *cc, u8 *iv,
  98		    struct dm_crypt_request *dmreq);
  99};
 100
 101struct iv_essiv_private {
 102	struct crypto_ahash *hash_tfm;
 103	u8 *salt;
 104};
 105
 106struct iv_benbi_private {
 107	int shift;
 108};
 109
 110#define LMK_SEED_SIZE 64 /* hash + 0 */
 111struct iv_lmk_private {
 112	struct crypto_shash *hash_tfm;
 113	u8 *seed;
 114};
 115
 116#define TCW_WHITENING_SIZE 16
 117struct iv_tcw_private {
 118	struct crypto_shash *crc32_tfm;
 119	u8 *iv_seed;
 120	u8 *whitening;
 121};
 122
 123/*
 124 * Crypt: maps a linear range of a block device
 125 * and encrypts / decrypts at the same time.
 126 */
 127enum flags { DM_CRYPT_SUSPENDED, DM_CRYPT_KEY_VALID,
 128	     DM_CRYPT_SAME_CPU, DM_CRYPT_NO_OFFLOAD };
 129
 130enum cipher_flags {
 131	CRYPT_MODE_INTEGRITY_AEAD,	/* Use authenticated mode for cihper */
 132	CRYPT_IV_LARGE_SECTORS,		/* Calculate IV from sector_size, not 512B sectors */
 133};
 134
 135/*
 136 * The fields in here must be read only after initialization.
 137 */
 138struct crypt_config {
 139	struct dm_dev *dev;
 140	sector_t start;
 141
 142	struct percpu_counter n_allocated_pages;
 143
 144	struct workqueue_struct *io_queue;
 145	struct workqueue_struct *crypt_queue;
 146
 147	wait_queue_head_t write_thread_wait;
 148	struct task_struct *write_thread;
 149	struct rb_root write_tree;
 150
 151	char *cipher;
 152	char *cipher_string;
 153	char *cipher_auth;
 154	char *key_string;
 155
 156	const struct crypt_iv_operations *iv_gen_ops;
 157	union {
 158		struct iv_essiv_private essiv;
 159		struct iv_benbi_private benbi;
 160		struct iv_lmk_private lmk;
 161		struct iv_tcw_private tcw;
 162	} iv_gen_private;
 163	sector_t iv_offset;
 164	unsigned int iv_size;
 165	unsigned short int sector_size;
 166	unsigned char sector_shift;
 167
 168	/* ESSIV: struct crypto_cipher *essiv_tfm */
 169	void *iv_private;
 170	union {
 171		struct crypto_skcipher **tfms;
 172		struct crypto_aead **tfms_aead;
 173	} cipher_tfm;
 174	unsigned tfms_count;
 175	unsigned long cipher_flags;
 176
 177	/*
 178	 * Layout of each crypto request:
 179	 *
 180	 *   struct skcipher_request
 181	 *      context
 182	 *      padding
 183	 *   struct dm_crypt_request
 184	 *      padding
 185	 *   IV
 186	 *
 187	 * The padding is added so that dm_crypt_request and the IV are
 188	 * correctly aligned.
 189	 */
 190	unsigned int dmreq_start;
 191
 192	unsigned int per_bio_data_size;
 193
 194	unsigned long flags;
 195	unsigned int key_size;
 196	unsigned int key_parts;      /* independent parts in key buffer */
 197	unsigned int key_extra_size; /* additional keys length */
 198	unsigned int key_mac_size;   /* MAC key size for authenc(...) */
 199
 200	unsigned int integrity_tag_size;
 201	unsigned int integrity_iv_size;
 202	unsigned int on_disk_tag_size;
 203
 204	/*
 205	 * pool for per bio private data, crypto requests,
 206	 * encryption requeusts/buffer pages and integrity tags
 207	 */
 208	unsigned tag_pool_max_sectors;
 209	mempool_t tag_pool;
 210	mempool_t req_pool;
 211	mempool_t page_pool;
 212
 213	struct bio_set bs;
 214	struct mutex bio_alloc_lock;
 215
 216	u8 *authenc_key; /* space for keys in authenc() format (if used) */
 217	u8 key[0];
 218};
 219
 220#define MIN_IOS		64
 221#define MAX_TAG_SIZE	480
 222#define POOL_ENTRY_SIZE	512
 223
 224static DEFINE_SPINLOCK(dm_crypt_clients_lock);
 225static unsigned dm_crypt_clients_n = 0;
 226static volatile unsigned long dm_crypt_pages_per_client;
 227#define DM_CRYPT_MEMORY_PERCENT			2
 228#define DM_CRYPT_MIN_PAGES_PER_CLIENT		(BIO_MAX_PAGES * 16)
 229
 230static void clone_init(struct dm_crypt_io *, struct bio *);
 231static void kcryptd_queue_crypt(struct dm_crypt_io *io);
 232static struct scatterlist *crypt_get_sg_data(struct crypt_config *cc,
 233					     struct scatterlist *sg);
 234
 235/*
 236 * Use this to access cipher attributes that are independent of the key.
 237 */
 238static struct crypto_skcipher *any_tfm(struct crypt_config *cc)
 239{
 240	return cc->cipher_tfm.tfms[0];
 241}
 242
 243static struct crypto_aead *any_tfm_aead(struct crypt_config *cc)
 244{
 245	return cc->cipher_tfm.tfms_aead[0];
 246}
 247
 248/*
 249 * Different IV generation algorithms:
 250 *
 251 * plain: the initial vector is the 32-bit little-endian version of the sector
 252 *        number, padded with zeros if necessary.
 253 *
 254 * plain64: the initial vector is the 64-bit little-endian version of the sector
 255 *        number, padded with zeros if necessary.
 256 *
 257 * plain64be: the initial vector is the 64-bit big-endian version of the sector
 258 *        number, padded with zeros if necessary.
 259 *
 260 * essiv: "encrypted sector|salt initial vector", the sector number is
 261 *        encrypted with the bulk cipher using a salt as key. The salt
 262 *        should be derived from the bulk cipher's key via hashing.
 263 *
 264 * benbi: the 64-bit "big-endian 'narrow block'-count", starting at 1
 265 *        (needed for LRW-32-AES and possible other narrow block modes)
 266 *
 267 * null: the initial vector is always zero.  Provides compatibility with
 268 *       obsolete loop_fish2 devices.  Do not use for new devices.
 269 *
 270 * lmk:  Compatible implementation of the block chaining mode used
 271 *       by the Loop-AES block device encryption system
 272 *       designed by Jari Ruusu. See http://loop-aes.sourceforge.net/
 273 *       It operates on full 512 byte sectors and uses CBC
 274 *       with an IV derived from the sector number, the data and
 275 *       optionally extra IV seed.
 276 *       This means that after decryption the first block
 277 *       of sector must be tweaked according to decrypted data.
 278 *       Loop-AES can use three encryption schemes:
 279 *         version 1: is plain aes-cbc mode
 280 *         version 2: uses 64 multikey scheme with lmk IV generator
 281 *         version 3: the same as version 2 with additional IV seed
 282 *                   (it uses 65 keys, last key is used as IV seed)
 283 *
 284 * tcw:  Compatible implementation of the block chaining mode used
 285 *       by the TrueCrypt device encryption system (prior to version 4.1).
 286 *       For more info see: https://gitlab.com/cryptsetup/cryptsetup/wikis/TrueCryptOnDiskFormat
 287 *       It operates on full 512 byte sectors and uses CBC
 288 *       with an IV derived from initial key and the sector number.
 289 *       In addition, whitening value is applied on every sector, whitening
 290 *       is calculated from initial key, sector number and mixed using CRC32.
 291 *       Note that this encryption scheme is vulnerable to watermarking attacks
 292 *       and should be used for old compatible containers access only.
 293 *
 294 * plumb: unimplemented, see:
 295 * http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/454
 296 */
 297
 298static int crypt_iv_plain_gen(struct crypt_config *cc, u8 *iv,
 299			      struct dm_crypt_request *dmreq)
 300{
 301	memset(iv, 0, cc->iv_size);
 302	*(__le32 *)iv = cpu_to_le32(dmreq->iv_sector & 0xffffffff);
 303
 304	return 0;
 305}
 306
 307static int crypt_iv_plain64_gen(struct crypt_config *cc, u8 *iv,
 308				struct dm_crypt_request *dmreq)
 309{
 310	memset(iv, 0, cc->iv_size);
 311	*(__le64 *)iv = cpu_to_le64(dmreq->iv_sector);
 312
 313	return 0;
 314}
 315
 316static int crypt_iv_plain64be_gen(struct crypt_config *cc, u8 *iv,
 317				  struct dm_crypt_request *dmreq)
 318{
 319	memset(iv, 0, cc->iv_size);
 320	/* iv_size is at least of size u64; usually it is 16 bytes */
 321	*(__be64 *)&iv[cc->iv_size - sizeof(u64)] = cpu_to_be64(dmreq->iv_sector);
 322
 323	return 0;
 324}
 325
 326/* Initialise ESSIV - compute salt but no local memory allocations */
 327static int crypt_iv_essiv_init(struct crypt_config *cc)
 328{
 329	struct iv_essiv_private *essiv = &cc->iv_gen_private.essiv;
 330	AHASH_REQUEST_ON_STACK(req, essiv->hash_tfm);
 331	struct scatterlist sg;
 332	struct crypto_cipher *essiv_tfm;
 333	int err;
 334
 335	sg_init_one(&sg, cc->key, cc->key_size);
 336	ahash_request_set_tfm(req, essiv->hash_tfm);
 337	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
 338	ahash_request_set_crypt(req, &sg, essiv->salt, cc->key_size);
 339
 340	err = crypto_ahash_digest(req);
 341	ahash_request_zero(req);
 342	if (err)
 343		return err;
 344
 345	essiv_tfm = cc->iv_private;
 346
 347	err = crypto_cipher_setkey(essiv_tfm, essiv->salt,
 348			    crypto_ahash_digestsize(essiv->hash_tfm));
 349	if (err)
 350		return err;
 351
 352	return 0;
 353}
 354
 355/* Wipe salt and reset key derived from volume key */
 356static int crypt_iv_essiv_wipe(struct crypt_config *cc)
 357{
 358	struct iv_essiv_private *essiv = &cc->iv_gen_private.essiv;
 359	unsigned salt_size = crypto_ahash_digestsize(essiv->hash_tfm);
 360	struct crypto_cipher *essiv_tfm;
 361	int r, err = 0;
 362
 363	memset(essiv->salt, 0, salt_size);
 364
 365	essiv_tfm = cc->iv_private;
 366	r = crypto_cipher_setkey(essiv_tfm, essiv->salt, salt_size);
 367	if (r)
 368		err = r;
 369
 370	return err;
 371}
 372
 373/* Allocate the cipher for ESSIV */
 374static struct crypto_cipher *alloc_essiv_cipher(struct crypt_config *cc,
 375						struct dm_target *ti,
 376						const u8 *salt,
 377						unsigned int saltsize)
 378{
 379	struct crypto_cipher *essiv_tfm;
 380	int err;
 381
 382	/* Setup the essiv_tfm with the given salt */
 383	essiv_tfm = crypto_alloc_cipher(cc->cipher, 0, CRYPTO_ALG_ASYNC);
 384	if (IS_ERR(essiv_tfm)) {
 385		ti->error = "Error allocating crypto tfm for ESSIV";
 386		return essiv_tfm;
 387	}
 388
 389	if (crypto_cipher_blocksize(essiv_tfm) != cc->iv_size) {
 390		ti->error = "Block size of ESSIV cipher does "
 391			    "not match IV size of block cipher";
 392		crypto_free_cipher(essiv_tfm);
 393		return ERR_PTR(-EINVAL);
 394	}
 395
 396	err = crypto_cipher_setkey(essiv_tfm, salt, saltsize);
 397	if (err) {
 398		ti->error = "Failed to set key for ESSIV cipher";
 399		crypto_free_cipher(essiv_tfm);
 400		return ERR_PTR(err);
 401	}
 402
 403	return essiv_tfm;
 404}
 405
 406static void crypt_iv_essiv_dtr(struct crypt_config *cc)
 407{
 408	struct crypto_cipher *essiv_tfm;
 409	struct iv_essiv_private *essiv = &cc->iv_gen_private.essiv;
 410
 411	crypto_free_ahash(essiv->hash_tfm);
 412	essiv->hash_tfm = NULL;
 413
 414	kzfree(essiv->salt);
 415	essiv->salt = NULL;
 416
 417	essiv_tfm = cc->iv_private;
 418
 419	if (essiv_tfm)
 420		crypto_free_cipher(essiv_tfm);
 421
 422	cc->iv_private = NULL;
 423}
 424
 425static int crypt_iv_essiv_ctr(struct crypt_config *cc, struct dm_target *ti,
 426			      const char *opts)
 427{
 428	struct crypto_cipher *essiv_tfm = NULL;
 429	struct crypto_ahash *hash_tfm = NULL;
 430	u8 *salt = NULL;
 431	int err;
 432
 433	if (!opts) {
 434		ti->error = "Digest algorithm missing for ESSIV mode";
 435		return -EINVAL;
 436	}
 437
 438	/* Allocate hash algorithm */
 439	hash_tfm = crypto_alloc_ahash(opts, 0, CRYPTO_ALG_ASYNC);
 440	if (IS_ERR(hash_tfm)) {
 441		ti->error = "Error initializing ESSIV hash";
 442		err = PTR_ERR(hash_tfm);
 443		goto bad;
 444	}
 445
 446	salt = kzalloc(crypto_ahash_digestsize(hash_tfm), GFP_KERNEL);
 447	if (!salt) {
 448		ti->error = "Error kmallocing salt storage in ESSIV";
 449		err = -ENOMEM;
 450		goto bad;
 451	}
 452
 453	cc->iv_gen_private.essiv.salt = salt;
 454	cc->iv_gen_private.essiv.hash_tfm = hash_tfm;
 455
 456	essiv_tfm = alloc_essiv_cipher(cc, ti, salt,
 457				       crypto_ahash_digestsize(hash_tfm));
 458	if (IS_ERR(essiv_tfm)) {
 459		crypt_iv_essiv_dtr(cc);
 460		return PTR_ERR(essiv_tfm);
 461	}
 462	cc->iv_private = essiv_tfm;
 463
 464	return 0;
 465
 466bad:
 467	if (hash_tfm && !IS_ERR(hash_tfm))
 468		crypto_free_ahash(hash_tfm);
 469	kfree(salt);
 470	return err;
 471}
 472
 473static int crypt_iv_essiv_gen(struct crypt_config *cc, u8 *iv,
 474			      struct dm_crypt_request *dmreq)
 475{
 476	struct crypto_cipher *essiv_tfm = cc->iv_private;
 477
 478	memset(iv, 0, cc->iv_size);
 479	*(__le64 *)iv = cpu_to_le64(dmreq->iv_sector);
 480	crypto_cipher_encrypt_one(essiv_tfm, iv, iv);
 481
 482	return 0;
 483}
 484
 485static int crypt_iv_benbi_ctr(struct crypt_config *cc, struct dm_target *ti,
 486			      const char *opts)
 487{
 488	unsigned bs = crypto_skcipher_blocksize(any_tfm(cc));
 489	int log = ilog2(bs);
 490
 491	/* we need to calculate how far we must shift the sector count
 492	 * to get the cipher block count, we use this shift in _gen */
 493
 494	if (1 << log != bs) {
 495		ti->error = "cypher blocksize is not a power of 2";
 496		return -EINVAL;
 497	}
 498
 499	if (log > 9) {
 500		ti->error = "cypher blocksize is > 512";
 501		return -EINVAL;
 502	}
 503
 504	cc->iv_gen_private.benbi.shift = 9 - log;
 505
 506	return 0;
 507}
 508
 509static void crypt_iv_benbi_dtr(struct crypt_config *cc)
 510{
 511}
 512
 513static int crypt_iv_benbi_gen(struct crypt_config *cc, u8 *iv,
 514			      struct dm_crypt_request *dmreq)
 515{
 516	__be64 val;
 517
 518	memset(iv, 0, cc->iv_size - sizeof(u64)); /* rest is cleared below */
 519
 520	val = cpu_to_be64(((u64)dmreq->iv_sector << cc->iv_gen_private.benbi.shift) + 1);
 521	put_unaligned(val, (__be64 *)(iv + cc->iv_size - sizeof(u64)));
 522
 523	return 0;
 524}
 525
 526static int crypt_iv_null_gen(struct crypt_config *cc, u8 *iv,
 527			     struct dm_crypt_request *dmreq)
 528{
 529	memset(iv, 0, cc->iv_size);
 530
 531	return 0;
 532}
 533
 534static void crypt_iv_lmk_dtr(struct crypt_config *cc)
 535{
 536	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
 537
 538	if (lmk->hash_tfm && !IS_ERR(lmk->hash_tfm))
 539		crypto_free_shash(lmk->hash_tfm);
 540	lmk->hash_tfm = NULL;
 541
 542	kzfree(lmk->seed);
 543	lmk->seed = NULL;
 544}
 545
 546static int crypt_iv_lmk_ctr(struct crypt_config *cc, struct dm_target *ti,
 547			    const char *opts)
 548{
 549	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
 550
 551	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
 552		ti->error = "Unsupported sector size for LMK";
 553		return -EINVAL;
 554	}
 555
 556	lmk->hash_tfm = crypto_alloc_shash("md5", 0, 0);
 557	if (IS_ERR(lmk->hash_tfm)) {
 558		ti->error = "Error initializing LMK hash";
 559		return PTR_ERR(lmk->hash_tfm);
 560	}
 561
 562	/* No seed in LMK version 2 */
 563	if (cc->key_parts == cc->tfms_count) {
 564		lmk->seed = NULL;
 565		return 0;
 566	}
 567
 568	lmk->seed = kzalloc(LMK_SEED_SIZE, GFP_KERNEL);
 569	if (!lmk->seed) {
 570		crypt_iv_lmk_dtr(cc);
 571		ti->error = "Error kmallocing seed storage in LMK";
 572		return -ENOMEM;
 573	}
 574
 575	return 0;
 576}
 577
 578static int crypt_iv_lmk_init(struct crypt_config *cc)
 579{
 580	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
 581	int subkey_size = cc->key_size / cc->key_parts;
 582
 583	/* LMK seed is on the position of LMK_KEYS + 1 key */
 584	if (lmk->seed)
 585		memcpy(lmk->seed, cc->key + (cc->tfms_count * subkey_size),
 586		       crypto_shash_digestsize(lmk->hash_tfm));
 587
 588	return 0;
 589}
 590
 591static int crypt_iv_lmk_wipe(struct crypt_config *cc)
 592{
 593	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
 594
 595	if (lmk->seed)
 596		memset(lmk->seed, 0, LMK_SEED_SIZE);
 597
 598	return 0;
 599}
 600
 601static int crypt_iv_lmk_one(struct crypt_config *cc, u8 *iv,
 602			    struct dm_crypt_request *dmreq,
 603			    u8 *data)
 604{
 605	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
 606	SHASH_DESC_ON_STACK(desc, lmk->hash_tfm);
 607	struct md5_state md5state;
 608	__le32 buf[4];
 609	int i, r;
 610
 611	desc->tfm = lmk->hash_tfm;
 612	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
 613
 614	r = crypto_shash_init(desc);
 615	if (r)
 616		return r;
 617
 618	if (lmk->seed) {
 619		r = crypto_shash_update(desc, lmk->seed, LMK_SEED_SIZE);
 620		if (r)
 621			return r;
 622	}
 623
 624	/* Sector is always 512B, block size 16, add data of blocks 1-31 */
 625	r = crypto_shash_update(desc, data + 16, 16 * 31);
 626	if (r)
 627		return r;
 628
 629	/* Sector is cropped to 56 bits here */
 630	buf[0] = cpu_to_le32(dmreq->iv_sector & 0xFFFFFFFF);
 631	buf[1] = cpu_to_le32((((u64)dmreq->iv_sector >> 32) & 0x00FFFFFF) | 0x80000000);
 632	buf[2] = cpu_to_le32(4024);
 633	buf[3] = 0;
 634	r = crypto_shash_update(desc, (u8 *)buf, sizeof(buf));
 635	if (r)
 636		return r;
 637
 638	/* No MD5 padding here */
 639	r = crypto_shash_export(desc, &md5state);
 640	if (r)
 641		return r;
 642
 643	for (i = 0; i < MD5_HASH_WORDS; i++)
 644		__cpu_to_le32s(&md5state.hash[i]);
 645	memcpy(iv, &md5state.hash, cc->iv_size);
 646
 647	return 0;
 648}
 649
 650static int crypt_iv_lmk_gen(struct crypt_config *cc, u8 *iv,
 651			    struct dm_crypt_request *dmreq)
 652{
 653	struct scatterlist *sg;
 654	u8 *src;
 655	int r = 0;
 656
 657	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE) {
 658		sg = crypt_get_sg_data(cc, dmreq->sg_in);
 659		src = kmap_atomic(sg_page(sg));
 660		r = crypt_iv_lmk_one(cc, iv, dmreq, src + sg->offset);
 661		kunmap_atomic(src);
 662	} else
 663		memset(iv, 0, cc->iv_size);
 664
 665	return r;
 666}
 667
 668static int crypt_iv_lmk_post(struct crypt_config *cc, u8 *iv,
 669			     struct dm_crypt_request *dmreq)
 670{
 671	struct scatterlist *sg;
 672	u8 *dst;
 673	int r;
 674
 675	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE)
 676		return 0;
 677
 678	sg = crypt_get_sg_data(cc, dmreq->sg_out);
 679	dst = kmap_atomic(sg_page(sg));
 680	r = crypt_iv_lmk_one(cc, iv, dmreq, dst + sg->offset);
 681
 682	/* Tweak the first block of plaintext sector */
 683	if (!r)
 684		crypto_xor(dst + sg->offset, iv, cc->iv_size);
 685
 686	kunmap_atomic(dst);
 687	return r;
 688}
 689
 690static void crypt_iv_tcw_dtr(struct crypt_config *cc)
 691{
 692	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 693
 694	kzfree(tcw->iv_seed);
 695	tcw->iv_seed = NULL;
 696	kzfree(tcw->whitening);
 697	tcw->whitening = NULL;
 698
 699	if (tcw->crc32_tfm && !IS_ERR(tcw->crc32_tfm))
 700		crypto_free_shash(tcw->crc32_tfm);
 701	tcw->crc32_tfm = NULL;
 702}
 703
 704static int crypt_iv_tcw_ctr(struct crypt_config *cc, struct dm_target *ti,
 705			    const char *opts)
 706{
 707	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 708
 709	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
 710		ti->error = "Unsupported sector size for TCW";
 711		return -EINVAL;
 712	}
 713
 714	if (cc->key_size <= (cc->iv_size + TCW_WHITENING_SIZE)) {
 715		ti->error = "Wrong key size for TCW";
 716		return -EINVAL;
 717	}
 718
 719	tcw->crc32_tfm = crypto_alloc_shash("crc32", 0, 0);
 720	if (IS_ERR(tcw->crc32_tfm)) {
 721		ti->error = "Error initializing CRC32 in TCW";
 722		return PTR_ERR(tcw->crc32_tfm);
 723	}
 724
 725	tcw->iv_seed = kzalloc(cc->iv_size, GFP_KERNEL);
 726	tcw->whitening = kzalloc(TCW_WHITENING_SIZE, GFP_KERNEL);
 727	if (!tcw->iv_seed || !tcw->whitening) {
 728		crypt_iv_tcw_dtr(cc);
 729		ti->error = "Error allocating seed storage in TCW";
 730		return -ENOMEM;
 731	}
 732
 733	return 0;
 734}
 735
 736static int crypt_iv_tcw_init(struct crypt_config *cc)
 737{
 738	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 739	int key_offset = cc->key_size - cc->iv_size - TCW_WHITENING_SIZE;
 740
 741	memcpy(tcw->iv_seed, &cc->key[key_offset], cc->iv_size);
 742	memcpy(tcw->whitening, &cc->key[key_offset + cc->iv_size],
 743	       TCW_WHITENING_SIZE);
 744
 745	return 0;
 746}
 747
 748static int crypt_iv_tcw_wipe(struct crypt_config *cc)
 749{
 750	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 751
 752	memset(tcw->iv_seed, 0, cc->iv_size);
 753	memset(tcw->whitening, 0, TCW_WHITENING_SIZE);
 754
 755	return 0;
 756}
 757
 758static int crypt_iv_tcw_whitening(struct crypt_config *cc,
 759				  struct dm_crypt_request *dmreq,
 760				  u8 *data)
 761{
 762	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 763	__le64 sector = cpu_to_le64(dmreq->iv_sector);
 764	u8 buf[TCW_WHITENING_SIZE];
 765	SHASH_DESC_ON_STACK(desc, tcw->crc32_tfm);
 766	int i, r;
 767
 768	/* xor whitening with sector number */
 769	crypto_xor_cpy(buf, tcw->whitening, (u8 *)&sector, 8);
 770	crypto_xor_cpy(&buf[8], tcw->whitening + 8, (u8 *)&sector, 8);
 771
 772	/* calculate crc32 for every 32bit part and xor it */
 773	desc->tfm = tcw->crc32_tfm;
 774	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
 775	for (i = 0; i < 4; i++) {
 776		r = crypto_shash_init(desc);
 777		if (r)
 778			goto out;
 779		r = crypto_shash_update(desc, &buf[i * 4], 4);
 780		if (r)
 781			goto out;
 782		r = crypto_shash_final(desc, &buf[i * 4]);
 783		if (r)
 784			goto out;
 785	}
 786	crypto_xor(&buf[0], &buf[12], 4);
 787	crypto_xor(&buf[4], &buf[8], 4);
 788
 789	/* apply whitening (8 bytes) to whole sector */
 790	for (i = 0; i < ((1 << SECTOR_SHIFT) / 8); i++)
 791		crypto_xor(data + i * 8, buf, 8);
 792out:
 793	memzero_explicit(buf, sizeof(buf));
 794	return r;
 795}
 796
 797static int crypt_iv_tcw_gen(struct crypt_config *cc, u8 *iv,
 798			    struct dm_crypt_request *dmreq)
 799{
 800	struct scatterlist *sg;
 801	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
 802	__le64 sector = cpu_to_le64(dmreq->iv_sector);
 803	u8 *src;
 804	int r = 0;
 805
 806	/* Remove whitening from ciphertext */
 807	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE) {
 808		sg = crypt_get_sg_data(cc, dmreq->sg_in);
 809		src = kmap_atomic(sg_page(sg));
 810		r = crypt_iv_tcw_whitening(cc, dmreq, src + sg->offset);
 811		kunmap_atomic(src);
 812	}
 813
 814	/* Calculate IV */
 815	crypto_xor_cpy(iv, tcw->iv_seed, (u8 *)&sector, 8);
 816	if (cc->iv_size > 8)
 817		crypto_xor_cpy(&iv[8], tcw->iv_seed + 8, (u8 *)&sector,
 818			       cc->iv_size - 8);
 819
 820	return r;
 821}
 822
 823static int crypt_iv_tcw_post(struct crypt_config *cc, u8 *iv,
 824			     struct dm_crypt_request *dmreq)
 825{
 826	struct scatterlist *sg;
 827	u8 *dst;
 828	int r;
 829
 830	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE)
 831		return 0;
 832
 833	/* Apply whitening on ciphertext */
 834	sg = crypt_get_sg_data(cc, dmreq->sg_out);
 835	dst = kmap_atomic(sg_page(sg));
 836	r = crypt_iv_tcw_whitening(cc, dmreq, dst + sg->offset);
 837	kunmap_atomic(dst);
 838
 839	return r;
 840}
 841
 842static int crypt_iv_random_gen(struct crypt_config *cc, u8 *iv,
 843				struct dm_crypt_request *dmreq)
 844{
 845	/* Used only for writes, there must be an additional space to store IV */
 846	get_random_bytes(iv, cc->iv_size);
 847	return 0;
 848}
 849
 850static const struct crypt_iv_operations crypt_iv_plain_ops = {
 851	.generator = crypt_iv_plain_gen
 852};
 853
 854static const struct crypt_iv_operations crypt_iv_plain64_ops = {
 855	.generator = crypt_iv_plain64_gen
 856};
 857
 858static const struct crypt_iv_operations crypt_iv_plain64be_ops = {
 859	.generator = crypt_iv_plain64be_gen
 860};
 861
 862static const struct crypt_iv_operations crypt_iv_essiv_ops = {
 863	.ctr       = crypt_iv_essiv_ctr,
 864	.dtr       = crypt_iv_essiv_dtr,
 865	.init      = crypt_iv_essiv_init,
 866	.wipe      = crypt_iv_essiv_wipe,
 867	.generator = crypt_iv_essiv_gen
 868};
 869
 870static const struct crypt_iv_operations crypt_iv_benbi_ops = {
 871	.ctr	   = crypt_iv_benbi_ctr,
 872	.dtr	   = crypt_iv_benbi_dtr,
 873	.generator = crypt_iv_benbi_gen
 874};
 875
 876static const struct crypt_iv_operations crypt_iv_null_ops = {
 877	.generator = crypt_iv_null_gen
 878};
 879
 880static const struct crypt_iv_operations crypt_iv_lmk_ops = {
 881	.ctr	   = crypt_iv_lmk_ctr,
 882	.dtr	   = crypt_iv_lmk_dtr,
 883	.init	   = crypt_iv_lmk_init,
 884	.wipe	   = crypt_iv_lmk_wipe,
 885	.generator = crypt_iv_lmk_gen,
 886	.post	   = crypt_iv_lmk_post
 887};
 888
 889static const struct crypt_iv_operations crypt_iv_tcw_ops = {
 890	.ctr	   = crypt_iv_tcw_ctr,
 891	.dtr	   = crypt_iv_tcw_dtr,
 892	.init	   = crypt_iv_tcw_init,
 893	.wipe	   = crypt_iv_tcw_wipe,
 894	.generator = crypt_iv_tcw_gen,
 895	.post	   = crypt_iv_tcw_post
 896};
 897
 898static struct crypt_iv_operations crypt_iv_random_ops = {
 899	.generator = crypt_iv_random_gen
 900};
 901
 902/*
 903 * Integrity extensions
 904 */
 905static bool crypt_integrity_aead(struct crypt_config *cc)
 906{
 907	return test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags);
 908}
 909
 910static bool crypt_integrity_hmac(struct crypt_config *cc)
 911{
 912	return crypt_integrity_aead(cc) && cc->key_mac_size;
 913}
 914
 915/* Get sg containing data */
 916static struct scatterlist *crypt_get_sg_data(struct crypt_config *cc,
 917					     struct scatterlist *sg)
 918{
 919	if (unlikely(crypt_integrity_aead(cc)))
 920		return &sg[2];
 921
 922	return sg;
 923}
 924
 925static int dm_crypt_integrity_io_alloc(struct dm_crypt_io *io, struct bio *bio)
 926{
 927	struct bio_integrity_payload *bip;
 928	unsigned int tag_len;
 929	int ret;
 930
 931	if (!bio_sectors(bio) || !io->cc->on_disk_tag_size)
 932		return 0;
 933
 934	bip = bio_integrity_alloc(bio, GFP_NOIO, 1);
 935	if (IS_ERR(bip))
 936		return PTR_ERR(bip);
 937
 938	tag_len = io->cc->on_disk_tag_size * bio_sectors(bio);
 939
 940	bip->bip_iter.bi_size = tag_len;
 941	bip->bip_iter.bi_sector = io->cc->start + io->sector;
 942
 943	ret = bio_integrity_add_page(bio, virt_to_page(io->integrity_metadata),
 944				     tag_len, offset_in_page(io->integrity_metadata));
 945	if (unlikely(ret != tag_len))
 946		return -ENOMEM;
 947
 948	return 0;
 949}
 950
 951static int crypt_integrity_ctr(struct crypt_config *cc, struct dm_target *ti)
 952{
 953#ifdef CONFIG_BLK_DEV_INTEGRITY
 954	struct blk_integrity *bi = blk_get_integrity(cc->dev->bdev->bd_disk);
 955
 956	/* From now we require underlying device with our integrity profile */
 957	if (!bi || strcasecmp(bi->profile->name, "DM-DIF-EXT-TAG")) {
 958		ti->error = "Integrity profile not supported.";
 959		return -EINVAL;
 960	}
 961
 962	if (bi->tag_size != cc->on_disk_tag_size ||
 963	    bi->tuple_size != cc->on_disk_tag_size) {
 964		ti->error = "Integrity profile tag size mismatch.";
 965		return -EINVAL;
 966	}
 967	if (1 << bi->interval_exp != cc->sector_size) {
 968		ti->error = "Integrity profile sector size mismatch.";
 969		return -EINVAL;
 970	}
 971
 972	if (crypt_integrity_aead(cc)) {
 973		cc->integrity_tag_size = cc->on_disk_tag_size - cc->integrity_iv_size;
 974		DMINFO("Integrity AEAD, tag size %u, IV size %u.",
 975		       cc->integrity_tag_size, cc->integrity_iv_size);
 976
 977		if (crypto_aead_setauthsize(any_tfm_aead(cc), cc->integrity_tag_size)) {
 978			ti->error = "Integrity AEAD auth tag size is not supported.";
 979			return -EINVAL;
 980		}
 981	} else if (cc->integrity_iv_size)
 982		DMINFO("Additional per-sector space %u bytes for IV.",
 983		       cc->integrity_iv_size);
 984
 985	if ((cc->integrity_tag_size + cc->integrity_iv_size) != bi->tag_size) {
 986		ti->error = "Not enough space for integrity tag in the profile.";
 987		return -EINVAL;
 988	}
 989
 990	return 0;
 991#else
 992	ti->error = "Integrity profile not supported.";
 993	return -EINVAL;
 994#endif
 995}
 996
 997static void crypt_convert_init(struct crypt_config *cc,
 998			       struct convert_context *ctx,
 999			       struct bio *bio_out, struct bio *bio_in,
1000			       sector_t sector)
1001{
1002	ctx->bio_in = bio_in;
1003	ctx->bio_out = bio_out;
1004	if (bio_in)
1005		ctx->iter_in = bio_in->bi_iter;
1006	if (bio_out)
1007		ctx->iter_out = bio_out->bi_iter;
1008	ctx->cc_sector = sector + cc->iv_offset;
1009	init_completion(&ctx->restart);
1010}
1011
1012static struct dm_crypt_request *dmreq_of_req(struct crypt_config *cc,
1013					     void *req)
1014{
1015	return (struct dm_crypt_request *)((char *)req + cc->dmreq_start);
1016}
1017
1018static void *req_of_dmreq(struct crypt_config *cc, struct dm_crypt_request *dmreq)
1019{
1020	return (void *)((char *)dmreq - cc->dmreq_start);
1021}
1022
1023static u8 *iv_of_dmreq(struct crypt_config *cc,
1024		       struct dm_crypt_request *dmreq)
1025{
1026	if (crypt_integrity_aead(cc))
1027		return (u8 *)ALIGN((unsigned long)(dmreq + 1),
1028			crypto_aead_alignmask(any_tfm_aead(cc)) + 1);
1029	else
1030		return (u8 *)ALIGN((unsigned long)(dmreq + 1),
1031			crypto_skcipher_alignmask(any_tfm(cc)) + 1);
1032}
1033
1034static u8 *org_iv_of_dmreq(struct crypt_config *cc,
1035		       struct dm_crypt_request *dmreq)
1036{
1037	return iv_of_dmreq(cc, dmreq) + cc->iv_size;
1038}
1039
1040static uint64_t *org_sector_of_dmreq(struct crypt_config *cc,
1041		       struct dm_crypt_request *dmreq)
1042{
1043	u8 *ptr = iv_of_dmreq(cc, dmreq) + cc->iv_size + cc->iv_size;
1044	return (uint64_t*) ptr;
1045}
1046
1047static unsigned int *org_tag_of_dmreq(struct crypt_config *cc,
1048		       struct dm_crypt_request *dmreq)
1049{
1050	u8 *ptr = iv_of_dmreq(cc, dmreq) + cc->iv_size +
1051		  cc->iv_size + sizeof(uint64_t);
1052	return (unsigned int*)ptr;
1053}
1054
1055static void *tag_from_dmreq(struct crypt_config *cc,
1056				struct dm_crypt_request *dmreq)
1057{
1058	struct convert_context *ctx = dmreq->ctx;
1059	struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
1060
1061	return &io->integrity_metadata[*org_tag_of_dmreq(cc, dmreq) *
1062		cc->on_disk_tag_size];
1063}
1064
1065static void *iv_tag_from_dmreq(struct crypt_config *cc,
1066			       struct dm_crypt_request *dmreq)
1067{
1068	return tag_from_dmreq(cc, dmreq) + cc->integrity_tag_size;
1069}
1070
1071static int crypt_convert_block_aead(struct crypt_config *cc,
1072				     struct convert_context *ctx,
1073				     struct aead_request *req,
1074				     unsigned int tag_offset)
1075{
1076	struct bio_vec bv_in = bio_iter_iovec(ctx->bio_in, ctx->iter_in);
1077	struct bio_vec bv_out = bio_iter_iovec(ctx->bio_out, ctx->iter_out);
1078	struct dm_crypt_request *dmreq;
1079	u8 *iv, *org_iv, *tag_iv, *tag;
1080	uint64_t *sector;
1081	int r = 0;
1082
1083	BUG_ON(cc->integrity_iv_size && cc->integrity_iv_size != cc->iv_size);
1084
1085	/* Reject unexpected unaligned bio. */
1086	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
1087		return -EIO;
1088
1089	dmreq = dmreq_of_req(cc, req);
1090	dmreq->iv_sector = ctx->cc_sector;
1091	if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
1092		dmreq->iv_sector >>= cc->sector_shift;
1093	dmreq->ctx = ctx;
1094
1095	*org_tag_of_dmreq(cc, dmreq) = tag_offset;
1096
1097	sector = org_sector_of_dmreq(cc, dmreq);
1098	*sector = cpu_to_le64(ctx->cc_sector - cc->iv_offset);
1099
1100	iv = iv_of_dmreq(cc, dmreq);
1101	org_iv = org_iv_of_dmreq(cc, dmreq);
1102	tag = tag_from_dmreq(cc, dmreq);
1103	tag_iv = iv_tag_from_dmreq(cc, dmreq);
1104
1105	/* AEAD request:
1106	 *  |----- AAD -------|------ DATA -------|-- AUTH TAG --|
1107	 *  | (authenticated) | (auth+encryption) |              |
1108	 *  | sector_LE |  IV |  sector in/out    |  tag in/out  |
1109	 */
1110	sg_init_table(dmreq->sg_in, 4);
1111	sg_set_buf(&dmreq->sg_in[0], sector, sizeof(uint64_t));
1112	sg_set_buf(&dmreq->sg_in[1], org_iv, cc->iv_size);
1113	sg_set_page(&dmreq->sg_in[2], bv_in.bv_page, cc->sector_size, bv_in.bv_offset);
1114	sg_set_buf(&dmreq->sg_in[3], tag, cc->integrity_tag_size);
1115
1116	sg_init_table(dmreq->sg_out, 4);
1117	sg_set_buf(&dmreq->sg_out[0], sector, sizeof(uint64_t));
1118	sg_set_buf(&dmreq->sg_out[1], org_iv, cc->iv_size);
1119	sg_set_page(&dmreq->sg_out[2], bv_out.bv_page, cc->sector_size, bv_out.bv_offset);
1120	sg_set_buf(&dmreq->sg_out[3], tag, cc->integrity_tag_size);
1121
1122	if (cc->iv_gen_ops) {
1123		/* For READs use IV stored in integrity metadata */
1124		if (cc->integrity_iv_size && bio_data_dir(ctx->bio_in) != WRITE) {
1125			memcpy(org_iv, tag_iv, cc->iv_size);
1126		} else {
1127			r = cc->iv_gen_ops->generator(cc, org_iv, dmreq);
1128			if (r < 0)
1129				return r;
1130			/* Store generated IV in integrity metadata */
1131			if (cc->integrity_iv_size)
1132				memcpy(tag_iv, org_iv, cc->iv_size);
1133		}
1134		/* Working copy of IV, to be modified in crypto API */
1135		memcpy(iv, org_iv, cc->iv_size);
1136	}
1137
1138	aead_request_set_ad(req, sizeof(uint64_t) + cc->iv_size);
1139	if (bio_data_dir(ctx->bio_in) == WRITE) {
1140		aead_request_set_crypt(req, dmreq->sg_in, dmreq->sg_out,
1141				       cc->sector_size, iv);
1142		r = crypto_aead_encrypt(req);
1143		if (cc->integrity_tag_size + cc->integrity_iv_size != cc->on_disk_tag_size)
1144			memset(tag + cc->integrity_tag_size + cc->integrity_iv_size, 0,
1145			       cc->on_disk_tag_size - (cc->integrity_tag_size + cc->integrity_iv_size));
1146	} else {
1147		aead_request_set_crypt(req, dmreq->sg_in, dmreq->sg_out,
1148				       cc->sector_size + cc->integrity_tag_size, iv);
1149		r = crypto_aead_decrypt(req);
1150	}
1151
1152	if (r == -EBADMSG)
1153		DMERR_LIMIT("INTEGRITY AEAD ERROR, sector %llu",
1154			    (unsigned long long)le64_to_cpu(*sector));
1155
1156	if (!r && cc->iv_gen_ops && cc->iv_gen_ops->post)
1157		r = cc->iv_gen_ops->post(cc, org_iv, dmreq);
1158
1159	bio_advance_iter(ctx->bio_in, &ctx->iter_in, cc->sector_size);
1160	bio_advance_iter(ctx->bio_out, &ctx->iter_out, cc->sector_size);
1161
1162	return r;
1163}
1164
1165static int crypt_convert_block_skcipher(struct crypt_config *cc,
1166					struct convert_context *ctx,
1167					struct skcipher_request *req,
1168					unsigned int tag_offset)
1169{
1170	struct bio_vec bv_in = bio_iter_iovec(ctx->bio_in, ctx->iter_in);
1171	struct bio_vec bv_out = bio_iter_iovec(ctx->bio_out, ctx->iter_out);
1172	struct scatterlist *sg_in, *sg_out;
1173	struct dm_crypt_request *dmreq;
1174	u8 *iv, *org_iv, *tag_iv;
1175	uint64_t *sector;
1176	int r = 0;
1177
1178	/* Reject unexpected unaligned bio. */
1179	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
1180		return -EIO;
1181
1182	dmreq = dmreq_of_req(cc, req);
1183	dmreq->iv_sector = ctx->cc_sector;
1184	if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
1185		dmreq->iv_sector >>= cc->sector_shift;
1186	dmreq->ctx = ctx;
1187
1188	*org_tag_of_dmreq(cc, dmreq) = tag_offset;
1189
1190	iv = iv_of_dmreq(cc, dmreq);
1191	org_iv = org_iv_of_dmreq(cc, dmreq);
1192	tag_iv = iv_tag_from_dmreq(cc, dmreq);
1193
1194	sector = org_sector_of_dmreq(cc, dmreq);
1195	*sector = cpu_to_le64(ctx->cc_sector - cc->iv_offset);
1196
1197	/* For skcipher we use only the first sg item */
1198	sg_in  = &dmreq->sg_in[0];
1199	sg_out = &dmreq->sg_out[0];
1200
1201	sg_init_table(sg_in, 1);
1202	sg_set_page(sg_in, bv_in.bv_page, cc->sector_size, bv_in.bv_offset);
1203
1204	sg_init_table(sg_out, 1);
1205	sg_set_page(sg_out, bv_out.bv_page, cc->sector_size, bv_out.bv_offset);
1206
1207	if (cc->iv_gen_ops) {
1208		/* For READs use IV stored in integrity metadata */
1209		if (cc->integrity_iv_size && bio_data_dir(ctx->bio_in) != WRITE) {
1210			memcpy(org_iv, tag_iv, cc->integrity_iv_size);
1211		} else {
1212			r = cc->iv_gen_ops->generator(cc, org_iv, dmreq);
1213			if (r < 0)
1214				return r;
1215			/* Store generated IV in integrity metadata */
1216			if (cc->integrity_iv_size)
1217				memcpy(tag_iv, org_iv, cc->integrity_iv_size);
1218		}
1219		/* Working copy of IV, to be modified in crypto API */
1220		memcpy(iv, org_iv, cc->iv_size);
1221	}
1222
1223	skcipher_request_set_crypt(req, sg_in, sg_out, cc->sector_size, iv);
1224
1225	if (bio_data_dir(ctx->bio_in) == WRITE)
1226		r = crypto_skcipher_encrypt(req);
1227	else
1228		r = crypto_skcipher_decrypt(req);
1229
1230	if (!r && cc->iv_gen_ops && cc->iv_gen_ops->post)
1231		r = cc->iv_gen_ops->post(cc, org_iv, dmreq);
1232
1233	bio_advance_iter(ctx->bio_in, &ctx->iter_in, cc->sector_size);
1234	bio_advance_iter(ctx->bio_out, &ctx->iter_out, cc->sector_size);
1235
1236	return r;
1237}
1238
1239static void kcryptd_async_done(struct crypto_async_request *async_req,
1240			       int error);
1241
1242static void crypt_alloc_req_skcipher(struct crypt_config *cc,
1243				     struct convert_context *ctx)
1244{
1245	unsigned key_index = ctx->cc_sector & (cc->tfms_count - 1);
1246
1247	if (!ctx->r.req)
1248		ctx->r.req = mempool_alloc(&cc->req_pool, GFP_NOIO);
1249
1250	skcipher_request_set_tfm(ctx->r.req, cc->cipher_tfm.tfms[key_index]);
1251
1252	/*
1253	 * Use REQ_MAY_BACKLOG so a cipher driver internally backlogs
1254	 * requests if driver request queue is full.
1255	 */
1256	skcipher_request_set_callback(ctx->r.req,
1257	    CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
1258	    kcryptd_async_done, dmreq_of_req(cc, ctx->r.req));
1259}
1260
1261static void crypt_alloc_req_aead(struct crypt_config *cc,
1262				 struct convert_context *ctx)
1263{
1264	if (!ctx->r.req_aead)
1265		ctx->r.req_aead = mempool_alloc(&cc->req_pool, GFP_NOIO);
1266
1267	aead_request_set_tfm(ctx->r.req_aead, cc->cipher_tfm.tfms_aead[0]);
1268
1269	/*
1270	 * Use REQ_MAY_BACKLOG so a cipher driver internally backlogs
1271	 * requests if driver request queue is full.
1272	 */
1273	aead_request_set_callback(ctx->r.req_aead,
1274	    CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
1275	    kcryptd_async_done, dmreq_of_req(cc, ctx->r.req_aead));
1276}
1277
1278static void crypt_alloc_req(struct crypt_config *cc,
1279			    struct convert_context *ctx)
1280{
1281	if (crypt_integrity_aead(cc))
1282		crypt_alloc_req_aead(cc, ctx);
1283	else
1284		crypt_alloc_req_skcipher(cc, ctx);
1285}
1286
1287static void crypt_free_req_skcipher(struct crypt_config *cc,
1288				    struct skcipher_request *req, struct bio *base_bio)
1289{
1290	struct dm_crypt_io *io = dm_per_bio_data(base_bio, cc->per_bio_data_size);
1291
1292	if ((struct skcipher_request *)(io + 1) != req)
1293		mempool_free(req, &cc->req_pool);
1294}
1295
1296static void crypt_free_req_aead(struct crypt_config *cc,
1297				struct aead_request *req, struct bio *base_bio)
1298{
1299	struct dm_crypt_io *io = dm_per_bio_data(base_bio, cc->per_bio_data_size);
1300
1301	if ((struct aead_request *)(io + 1) != req)
1302		mempool_free(req, &cc->req_pool);
1303}
1304
1305static void crypt_free_req(struct crypt_config *cc, void *req, struct bio *base_bio)
1306{
1307	if (crypt_integrity_aead(cc))
1308		crypt_free_req_aead(cc, req, base_bio);
1309	else
1310		crypt_free_req_skcipher(cc, req, base_bio);
1311}
1312
1313/*
1314 * Encrypt / decrypt data from one bio to another one (can be the same one)
1315 */
1316static blk_status_t crypt_convert(struct crypt_config *cc,
1317			 struct convert_context *ctx)
1318{
1319	unsigned int tag_offset = 0;
1320	unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT;
1321	int r;
1322
1323	atomic_set(&ctx->cc_pending, 1);
1324
1325	while (ctx->iter_in.bi_size && ctx->iter_out.bi_size) {
1326
1327		crypt_alloc_req(cc, ctx);
1328		atomic_inc(&ctx->cc_pending);
1329
1330		if (crypt_integrity_aead(cc))
1331			r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset);
1332		else
1333			r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset);
1334
1335		switch (r) {
1336		/*
1337		 * The request was queued by a crypto driver
1338		 * but the driver request queue is full, let's wait.
1339		 */
1340		case -EBUSY:
1341			wait_for_completion(&ctx->restart);
1342			reinit_completion(&ctx->restart);
1343			/* fall through */
1344		/*
1345		 * The request is queued and processed asynchronously,
1346		 * completion function kcryptd_async_done() will be called.
1347		 */
1348		case -EINPROGRESS:
1349			ctx->r.req = NULL;
1350			ctx->cc_sector += sector_step;
1351			tag_offset++;
1352			continue;
1353		/*
1354		 * The request was already processed (synchronously).
1355		 */
1356		case 0:
1357			atomic_dec(&ctx->cc_pending);
1358			ctx->cc_sector += sector_step;
1359			tag_offset++;
1360			cond_resched();
1361			continue;
1362		/*
1363		 * There was a data integrity error.
1364		 */
1365		case -EBADMSG:
1366			atomic_dec(&ctx->cc_pending);
1367			return BLK_STS_PROTECTION;
1368		/*
1369		 * There was an error while processing the request.
1370		 */
1371		default:
1372			atomic_dec(&ctx->cc_pending);
1373			return BLK_STS_IOERR;
1374		}
1375	}
1376
1377	return 0;
1378}
1379
1380static void crypt_free_buffer_pages(struct crypt_config *cc, struct bio *clone);
1381
1382/*
1383 * Generate a new unfragmented bio with the given size
1384 * This should never violate the device limitations (but only because
1385 * max_segment_size is being constrained to PAGE_SIZE).
1386 *
1387 * This function may be called concurrently. If we allocate from the mempool
1388 * concurrently, there is a possibility of deadlock. For example, if we have
1389 * mempool of 256 pages, two processes, each wanting 256, pages allocate from
1390 * the mempool concurrently, it may deadlock in a situation where both processes
1391 * have allocated 128 pages and the mempool is exhausted.
1392 *
1393 * In order to avoid this scenario we allocate the pages under a mutex.
1394 *
1395 * In order to not degrade performance with excessive locking, we try
1396 * non-blocking allocations without a mutex first but on failure we fallback
1397 * to blocking allocations with a mutex.
1398 */
1399static struct bio *crypt_alloc_buffer(struct dm_crypt_io *io, unsigned size)
1400{
1401	struct crypt_config *cc = io->cc;
1402	struct bio *clone;
1403	unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
1404	gfp_t gfp_mask = GFP_NOWAIT | __GFP_HIGHMEM;
1405	unsigned i, len, remaining_size;
1406	struct page *page;
1407
1408retry:
1409	if (unlikely(gfp_mask & __GFP_DIRECT_RECLAIM))
1410		mutex_lock(&cc->bio_alloc_lock);
1411
1412	clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, &cc->bs);
1413	if (!clone)
1414		goto out;
1415
1416	clone_init(io, clone);
1417
1418	remaining_size = size;
1419
1420	for (i = 0; i < nr_iovecs; i++) {
1421		page = mempool_alloc(&cc->page_pool, gfp_mask);
1422		if (!page) {
1423			crypt_free_buffer_pages(cc, clone);
1424			bio_put(clone);
1425			gfp_mask |= __GFP_DIRECT_RECLAIM;
1426			goto retry;
1427		}
1428
1429		len = (remaining_size > PAGE_SIZE) ? PAGE_SIZE : remaining_size;
1430
1431		bio_add_page(clone, page, len, 0);
1432
1433		remaining_size -= len;
1434	}
1435
1436	/* Allocate space for integrity tags */
1437	if (dm_crypt_integrity_io_alloc(io, clone)) {
1438		crypt_free_buffer_pages(cc, clone);
1439		bio_put(clone);
1440		clone = NULL;
1441	}
1442out:
1443	if (unlikely(gfp_mask & __GFP_DIRECT_RECLAIM))
1444		mutex_unlock(&cc->bio_alloc_lock);
1445
1446	return clone;
1447}
1448
1449static void crypt_free_buffer_pages(struct crypt_config *cc, struct bio *clone)
1450{
1451	unsigned int i;
1452	struct bio_vec *bv;
1453
1454	bio_for_each_segment_all(bv, clone, i) {
1455		BUG_ON(!bv->bv_page);
1456		mempool_free(bv->bv_page, &cc->page_pool);
1457	}
1458}
1459
1460static void crypt_io_init(struct dm_crypt_io *io, struct crypt_config *cc,
1461			  struct bio *bio, sector_t sector)
1462{
1463	io->cc = cc;
1464	io->base_bio = bio;
1465	io->sector = sector;
1466	io->error = 0;
1467	io->ctx.r.req = NULL;
1468	io->integrity_metadata = NULL;
1469	io->integrity_metadata_from_pool = false;
1470	atomic_set(&io->io_pending, 0);
1471}
1472
1473static void crypt_inc_pending(struct dm_crypt_io *io)
1474{
1475	atomic_inc(&io->io_pending);
1476}
1477
1478/*
1479 * One of the bios was finished. Check for completion of
1480 * the whole request and correctly clean up the buffer.
1481 */
1482static void crypt_dec_pending(struct dm_crypt_io *io)
1483{
1484	struct crypt_config *cc = io->cc;
1485	struct bio *base_bio = io->base_bio;
1486	blk_status_t error = io->error;
1487
1488	if (!atomic_dec_and_test(&io->io_pending))
1489		return;
1490
1491	if (io->ctx.r.req)
1492		crypt_free_req(cc, io->ctx.r.req, base_bio);
1493
1494	if (unlikely(io->integrity_metadata_from_pool))
1495		mempool_free(io->integrity_metadata, &io->cc->tag_pool);
1496	else
1497		kfree(io->integrity_metadata);
1498
1499	base_bio->bi_status = error;
1500	bio_endio(base_bio);
1501}
1502
1503/*
1504 * kcryptd/kcryptd_io:
1505 *
1506 * Needed because it would be very unwise to do decryption in an
1507 * interrupt context.
1508 *
1509 * kcryptd performs the actual encryption or decryption.
1510 *
1511 * kcryptd_io performs the IO submission.
1512 *
1513 * They must be separated as otherwise the final stages could be
1514 * starved by new requests which can block in the first stages due
1515 * to memory allocation.
1516 *
1517 * The work is done per CPU global for all dm-crypt instances.
1518 * They should not depend on each other and do not block.
1519 */
1520static void crypt_endio(struct bio *clone)
1521{
1522	struct dm_crypt_io *io = clone->bi_private;
1523	struct crypt_config *cc = io->cc;
1524	unsigned rw = bio_data_dir(clone);
1525	blk_status_t error;
1526
1527	/*
1528	 * free the processed pages
1529	 */
1530	if (rw == WRITE)
1531		crypt_free_buffer_pages(cc, clone);
1532
1533	error = clone->bi_status;
1534	bio_put(clone);
1535
1536	if (rw == READ && !error) {
1537		kcryptd_queue_crypt(io);
1538		return;
1539	}
1540
1541	if (unlikely(error))
1542		io->error = error;
1543
1544	crypt_dec_pending(io);
1545}
1546
1547static void clone_init(struct dm_crypt_io *io, struct bio *clone)
1548{
1549	struct crypt_config *cc = io->cc;
1550
1551	clone->bi_private = io;
1552	clone->bi_end_io  = crypt_endio;
1553	bio_set_dev(clone, cc->dev->bdev);
1554	clone->bi_opf	  = io->base_bio->bi_opf;
1555}
1556
1557static int kcryptd_io_read(struct dm_crypt_io *io, gfp_t gfp)
1558{
1559	struct crypt_config *cc = io->cc;
1560	struct bio *clone;
1561
1562	/*
1563	 * We need the original biovec array in order to decrypt
1564	 * the whole bio data *afterwards* -- thanks to immutable
1565	 * biovecs we don't need to worry about the block layer
1566	 * modifying the biovec array; so leverage bio_clone_fast().
1567	 */
1568	clone = bio_clone_fast(io->base_bio, gfp, &cc->bs);
1569	if (!clone)
1570		return 1;
1571
1572	crypt_inc_pending(io);
1573
1574	clone_init(io, clone);
1575	clone->bi_iter.bi_sector = cc->start + io->sector;
1576
1577	if (dm_crypt_integrity_io_alloc(io, clone)) {
1578		crypt_dec_pending(io);
1579		bio_put(clone);
1580		return 1;
1581	}
1582
1583	generic_make_request(clone);
1584	return 0;
1585}
1586
1587static void kcryptd_io_read_work(struct work_struct *work)
1588{
1589	struct dm_crypt_io *io = container_of(work, struct dm_crypt_io, work);
1590
1591	crypt_inc_pending(io);
1592	if (kcryptd_io_read(io, GFP_NOIO))
1593		io->error = BLK_STS_RESOURCE;
1594	crypt_dec_pending(io);
1595}
1596
1597static void kcryptd_queue_read(struct dm_crypt_io *io)
1598{
1599	struct crypt_config *cc = io->cc;
1600
1601	INIT_WORK(&io->work, kcryptd_io_read_work);
1602	queue_work(cc->io_queue, &io->work);
1603}
1604
1605static void kcryptd_io_write(struct dm_crypt_io *io)
1606{
1607	struct bio *clone = io->ctx.bio_out;
1608
1609	generic_make_request(clone);
1610}
1611
1612#define crypt_io_from_node(node) rb_entry((node), struct dm_crypt_io, rb_node)
1613
1614static int dmcrypt_write(void *data)
1615{
1616	struct crypt_config *cc = data;
1617	struct dm_crypt_io *io;
1618
1619	while (1) {
1620		struct rb_root write_tree;
1621		struct blk_plug plug;
1622
1623		DECLARE_WAITQUEUE(wait, current);
1624
1625		spin_lock_irq(&cc->write_thread_wait.lock);
1626continue_locked:
1627
1628		if (!RB_EMPTY_ROOT(&cc->write_tree))
1629			goto pop_from_list;
1630
1631		set_current_state(TASK_INTERRUPTIBLE);
1632		__add_wait_queue(&cc->write_thread_wait, &wait);
1633
1634		spin_unlock_irq(&cc->write_thread_wait.lock);
1635
1636		if (unlikely(kthread_should_stop())) {
1637			set_current_state(TASK_RUNNING);
1638			remove_wait_queue(&cc->write_thread_wait, &wait);
1639			break;
1640		}
1641
1642		schedule();
1643
1644		set_current_state(TASK_RUNNING);
1645		spin_lock_irq(&cc->write_thread_wait.lock);
1646		__remove_wait_queue(&cc->write_thread_wait, &wait);
1647		goto continue_locked;
1648
1649pop_from_list:
1650		write_tree = cc->write_tree;
1651		cc->write_tree = RB_ROOT;
1652		spin_unlock_irq(&cc->write_thread_wait.lock);
1653
1654		BUG_ON(rb_parent(write_tree.rb_node));
1655
1656		/*
1657		 * Note: we cannot walk the tree here with rb_next because
1658		 * the structures may be freed when kcryptd_io_write is called.
1659		 */
1660		blk_start_plug(&plug);
1661		do {
1662			io = crypt_io_from_node(rb_first(&write_tree));
1663			rb_erase(&io->rb_node, &write_tree);
1664			kcryptd_io_write(io);
1665		} while (!RB_EMPTY_ROOT(&write_tree));
1666		blk_finish_plug(&plug);
1667	}
1668	return 0;
1669}
1670
1671static void kcryptd_crypt_write_io_submit(struct dm_crypt_io *io, int async)
1672{
1673	struct bio *clone = io->ctx.bio_out;
1674	struct crypt_config *cc = io->cc;
1675	unsigned long flags;
1676	sector_t sector;
1677	struct rb_node **rbp, *parent;
1678
1679	if (unlikely(io->error)) {
1680		crypt_free_buffer_pages(cc, clone);
1681		bio_put(clone);
1682		crypt_dec_pending(io);
1683		return;
1684	}
1685
1686	/* crypt_convert should have filled the clone bio */
1687	BUG_ON(io->ctx.iter_out.bi_size);
1688
1689	clone->bi_iter.bi_sector = cc->start + io->sector;
1690
1691	if (likely(!async) && test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags)) {
1692		generic_make_request(clone);
1693		return;
1694	}
1695
1696	spin_lock_irqsave(&cc->write_thread_wait.lock, flags);
1697	rbp = &cc->write_tree.rb_node;
1698	parent = NULL;
1699	sector = io->sector;
1700	while (*rbp) {
1701		parent = *rbp;
1702		if (sector < crypt_io_from_node(parent)->sector)
1703			rbp = &(*rbp)->rb_left;
1704		else
1705			rbp = &(*rbp)->rb_right;
1706	}
1707	rb_link_node(&io->rb_node, parent, rbp);
1708	rb_insert_color(&io->rb_node, &cc->write_tree);
1709
1710	wake_up_locked(&cc->write_thread_wait);
1711	spin_unlock_irqrestore(&cc->write_thread_wait.lock, flags);
1712}
1713
1714static void kcryptd_crypt_write_convert(struct dm_crypt_io *io)
1715{
1716	struct crypt_config *cc = io->cc;
1717	struct bio *clone;
1718	int crypt_finished;
1719	sector_t sector = io->sector;
1720	blk_status_t r;
1721
1722	/*
1723	 * Prevent io from disappearing until this function completes.
1724	 */
1725	crypt_inc_pending(io);
1726	crypt_convert_init(cc, &io->ctx, NULL, io->base_bio, sector);
1727
1728	clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size);
1729	if (unlikely(!clone)) {
1730		io->error = BLK_STS_IOERR;
1731		goto dec;
1732	}
1733
1734	io->ctx.bio_out = clone;
1735	io->ctx.iter_out = clone->bi_iter;
1736
1737	sector += bio_sectors(clone);
1738
1739	crypt_inc_pending(io);
1740	r = crypt_convert(cc, &io->ctx);
1741	if (r)
1742		io->error = r;
1743	crypt_finished = atomic_dec_and_test(&io->ctx.cc_pending);
1744
1745	/* Encryption was already finished, submit io now */
1746	if (crypt_finished) {
1747		kcryptd_crypt_write_io_submit(io, 0);
1748		io->sector = sector;
1749	}
1750
1751dec:
1752	crypt_dec_pending(io);
1753}
1754
1755static void kcryptd_crypt_read_done(struct dm_crypt_io *io)
1756{
1757	crypt_dec_pending(io);
1758}
1759
1760static void kcryptd_crypt_read_convert(struct dm_crypt_io *io)
1761{
1762	struct crypt_config *cc = io->cc;
1763	blk_status_t r;
1764
1765	crypt_inc_pending(io);
1766
1767	crypt_convert_init(cc, &io->ctx, io->base_bio, io->base_bio,
1768			   io->sector);
1769
1770	r = crypt_convert(cc, &io->ctx);
1771	if (r)
1772		io->error = r;
1773
1774	if (atomic_dec_and_test(&io->ctx.cc_pending))
1775		kcryptd_crypt_read_done(io);
1776
1777	crypt_dec_pending(io);
1778}
1779
1780static void kcryptd_async_done(struct crypto_async_request *async_req,
1781			       int error)
1782{
1783	struct dm_crypt_request *dmreq = async_req->data;
1784	struct convert_context *ctx = dmreq->ctx;
1785	struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
1786	struct crypt_config *cc = io->cc;
1787
1788	/*
1789	 * A request from crypto driver backlog is going to be processed now,
1790	 * finish the completion and continue in crypt_convert().
1791	 * (Callback will be called for the second time for this request.)
1792	 */
1793	if (error == -EINPROGRESS) {
1794		complete(&ctx->restart);
1795		return;
1796	}
1797
1798	if (!error && cc->iv_gen_ops && cc->iv_gen_ops->post)
1799		error = cc->iv_gen_ops->post(cc, org_iv_of_dmreq(cc, dmreq), dmreq);
1800
1801	if (error == -EBADMSG) {
1802		DMERR_LIMIT("INTEGRITY AEAD ERROR, sector %llu",
1803			    (unsigned long long)le64_to_cpu(*org_sector_of_dmreq(cc, dmreq)));
1804		io->error = BLK_STS_PROTECTION;
1805	} else if (error < 0)
1806		io->error = BLK_STS_IOERR;
1807
1808	crypt_free_req(cc, req_of_dmreq(cc, dmreq), io->base_bio);
1809
1810	if (!atomic_dec_and_test(&ctx->cc_pending))
1811		return;
1812
1813	if (bio_data_dir(io->base_bio) == READ)
1814		kcryptd_crypt_read_done(io);
1815	else
1816		kcryptd_crypt_write_io_submit(io, 1);
1817}
1818
1819static void kcryptd_crypt(struct work_struct *work)
1820{
1821	struct dm_crypt_io *io = container_of(work, struct dm_crypt_io, work);
1822
1823	if (bio_data_dir(io->base_bio) == READ)
1824		kcryptd_crypt_read_convert(io);
1825	else
1826		kcryptd_crypt_write_convert(io);
1827}
1828
1829static void kcryptd_queue_crypt(struct dm_crypt_io *io)
1830{
1831	struct crypt_config *cc = io->cc;
1832
1833	INIT_WORK(&io->work, kcryptd_crypt);
1834	queue_work(cc->crypt_queue, &io->work);
1835}
1836
1837static void crypt_free_tfms_aead(struct crypt_config *cc)
1838{
1839	if (!cc->cipher_tfm.tfms_aead)
1840		return;
1841
1842	if (cc->cipher_tfm.tfms_aead[0] && !IS_ERR(cc->cipher_tfm.tfms_aead[0])) {
1843		crypto_free_aead(cc->cipher_tfm.tfms_aead[0]);
1844		cc->cipher_tfm.tfms_aead[0] = NULL;
1845	}
1846
1847	kfree(cc->cipher_tfm.tfms_aead);
1848	cc->cipher_tfm.tfms_aead = NULL;
1849}
1850
1851static void crypt_free_tfms_skcipher(struct crypt_config *cc)
1852{
1853	unsigned i;
1854
1855	if (!cc->cipher_tfm.tfms)
1856		return;
1857
1858	for (i = 0; i < cc->tfms_count; i++)
1859		if (cc->cipher_tfm.tfms[i] && !IS_ERR(cc->cipher_tfm.tfms[i])) {
1860			crypto_free_skcipher(cc->cipher_tfm.tfms[i]);
1861			cc->cipher_tfm.tfms[i] = NULL;
1862		}
1863
1864	kfree(cc->cipher_tfm.tfms);
1865	cc->cipher_tfm.tfms = NULL;
1866}
1867
1868static void crypt_free_tfms(struct crypt_config *cc)
1869{
1870	if (crypt_integrity_aead(cc))
1871		crypt_free_tfms_aead(cc);
1872	else
1873		crypt_free_tfms_skcipher(cc);
1874}
1875
1876static int crypt_alloc_tfms_skcipher(struct crypt_config *cc, char *ciphermode)
1877{
1878	unsigned i;
1879	int err;
1880
1881	cc->cipher_tfm.tfms = kcalloc(cc->tfms_count,
1882				      sizeof(struct crypto_skcipher *),
1883				      GFP_KERNEL);
1884	if (!cc->cipher_tfm.tfms)
1885		return -ENOMEM;
1886
1887	for (i = 0; i < cc->tfms_count; i++) {
1888		cc->cipher_tfm.tfms[i] = crypto_alloc_skcipher(ciphermode, 0, 0);
1889		if (IS_ERR(cc->cipher_tfm.tfms[i])) {
1890			err = PTR_ERR(cc->cipher_tfm.tfms[i]);
1891			crypt_free_tfms(cc);
1892			return err;
1893		}
1894	}
1895
1896	return 0;
1897}
1898
1899static int crypt_alloc_tfms_aead(struct crypt_config *cc, char *ciphermode)
1900{
1901	int err;
1902
1903	cc->cipher_tfm.tfms = kmalloc(sizeof(struct crypto_aead *), GFP_KERNEL);
1904	if (!cc->cipher_tfm.tfms)
1905		return -ENOMEM;
1906
1907	cc->cipher_tfm.tfms_aead[0] = crypto_alloc_aead(ciphermode, 0, 0);
1908	if (IS_ERR(cc->cipher_tfm.tfms_aead[0])) {
1909		err = PTR_ERR(cc->cipher_tfm.tfms_aead[0]);
1910		crypt_free_tfms(cc);
1911		return err;
1912	}
1913
1914	return 0;
1915}
1916
1917static int crypt_alloc_tfms(struct crypt_config *cc, char *ciphermode)
1918{
1919	if (crypt_integrity_aead(cc))
1920		return crypt_alloc_tfms_aead(cc, ciphermode);
1921	else
1922		return crypt_alloc_tfms_skcipher(cc, ciphermode);
1923}
1924
1925static unsigned crypt_subkey_size(struct crypt_config *cc)
1926{
1927	return (cc->key_size - cc->key_extra_size) >> ilog2(cc->tfms_count);
1928}
1929
1930static unsigned crypt_authenckey_size(struct crypt_config *cc)
1931{
1932	return crypt_subkey_size(cc) + RTA_SPACE(sizeof(struct crypto_authenc_key_param));
1933}
1934
1935/*
1936 * If AEAD is composed like authenc(hmac(sha256),xts(aes)),
1937 * the key must be for some reason in special format.
1938 * This funcion converts cc->key to this special format.
1939 */
1940static void crypt_copy_authenckey(char *p, const void *key,
1941				  unsigned enckeylen, unsigned authkeylen)
1942{
1943	struct crypto_authenc_key_param *param;
1944	struct rtattr *rta;
1945
1946	rta = (struct rtattr *)p;
1947	param = RTA_DATA(rta);
1948	param->enckeylen = cpu_to_be32(enckeylen);
1949	rta->rta_len = RTA_LENGTH(sizeof(*param));
1950	rta->rta_type = CRYPTO_AUTHENC_KEYA_PARAM;
1951	p += RTA_SPACE(sizeof(*param));
1952	memcpy(p, key + enckeylen, authkeylen);
1953	p += authkeylen;
1954	memcpy(p, key, enckeylen);
1955}
1956
1957static int crypt_setkey(struct crypt_config *cc)
1958{
1959	unsigned subkey_size;
1960	int err = 0, i, r;
1961
1962	/* Ignore extra keys (which are used for IV etc) */
1963	subkey_size = crypt_subkey_size(cc);
1964
1965	if (crypt_integrity_hmac(cc)) {
1966		if (subkey_size < cc->key_mac_size)
1967			return -EINVAL;
1968
1969		crypt_copy_authenckey(cc->authenc_key, cc->key,
1970				      subkey_size - cc->key_mac_size,
1971				      cc->key_mac_size);
1972	}
1973
1974	for (i = 0; i < cc->tfms_count; i++) {
1975		if (crypt_integrity_hmac(cc))
1976			r = crypto_aead_setkey(cc->cipher_tfm.tfms_aead[i],
1977				cc->authenc_key, crypt_authenckey_size(cc));
1978		else if (crypt_integrity_aead(cc))
1979			r = crypto_aead_setkey(cc->cipher_tfm.tfms_aead[i],
1980					       cc->key + (i * subkey_size),
1981					       subkey_size);
1982		else
1983			r = crypto_skcipher_setkey(cc->cipher_tfm.tfms[i],
1984						   cc->key + (i * subkey_size),
1985						   subkey_size);
1986		if (r)
1987			err = r;
1988	}
1989
1990	if (crypt_integrity_hmac(cc))
1991		memzero_explicit(cc->authenc_key, crypt_authenckey_size(cc));
1992
1993	return err;
1994}
1995
1996#ifdef CONFIG_KEYS
1997
1998static bool contains_whitespace(const char *str)
1999{
2000	while (*str)
2001		if (isspace(*str++))
2002			return true;
2003	return false;
2004}
2005
2006static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
2007{
2008	char *new_key_string, *key_desc;
2009	int ret;
2010	struct key *key;
2011	const struct user_key_payload *ukp;
2012
2013	/*
2014	 * Reject key_string with whitespace. dm core currently lacks code for
2015	 * proper whitespace escaping in arguments on DM_TABLE_STATUS path.
2016	 */
2017	if (contains_whitespace(key_string)) {
2018		DMERR("whitespace chars not allowed in key string");
2019		return -EINVAL;
2020	}
2021
2022	/* look for next ':' separating key_type from key_description */
2023	key_desc = strpbrk(key_string, ":");
2024	if (!key_desc || key_desc == key_string || !strlen(key_desc + 1))
2025		return -EINVAL;
2026
2027	if (strncmp(key_string, "logon:", key_desc - key_string + 1) &&
2028	    strncmp(key_string, "user:", key_desc - key_string + 1))
2029		return -EINVAL;
2030
2031	new_key_string = kstrdup(key_string, GFP_KERNEL);
2032	if (!new_key_string)
2033		return -ENOMEM;
2034
2035	key = request_key(key_string[0] == 'l' ? &key_type_logon : &key_type_user,
2036			  key_desc + 1, NULL);
2037	if (IS_ERR(key)) {
2038		kzfree(new_key_string);
2039		return PTR_ERR(key);
2040	}
2041
2042	down_read(&key->sem);
2043
2044	ukp = user_key_payload_locked(key);
2045	if (!ukp) {
2046		up_read(&key->sem);
2047		key_put(key);
2048		kzfree(new_key_string);
2049		return -EKEYREVOKED;
2050	}
2051
2052	if (cc->key_size != ukp->datalen) {
2053		up_read(&key->sem);
2054		key_put(key);
2055		kzfree(new_key_string);
2056		return -EINVAL;
2057	}
2058
2059	memcpy(cc->key, ukp->data, cc->key_size);
2060
2061	up_read(&key->sem);
2062	key_put(key);
2063
2064	/* clear the flag since following operations may invalidate previously valid key */
2065	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2066
2067	ret = crypt_setkey(cc);
2068
2069	if (!ret) {
2070		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2071		kzfree(cc->key_string);
2072		cc->key_string = new_key_string;
2073	} else
2074		kzfree(new_key_string);
2075
2076	return ret;
2077}
2078
2079static int get_key_size(char **key_string)
2080{
2081	char *colon, dummy;
2082	int ret;
2083
2084	if (*key_string[0] != ':')
2085		return strlen(*key_string) >> 1;
2086
2087	/* look for next ':' in key string */
2088	colon = strpbrk(*key_string + 1, ":");
2089	if (!colon)
2090		return -EINVAL;
2091
2092	if (sscanf(*key_string + 1, "%u%c", &ret, &dummy) != 2 || dummy != ':')
2093		return -EINVAL;
2094
2095	*key_string = colon;
2096
2097	/* remaining key string should be :<logon|user>:<key_desc> */
2098
2099	return ret;
2100}
2101
2102#else
2103
2104static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
2105{
2106	return -EINVAL;
2107}
2108
2109static int get_key_size(char **key_string)
2110{
2111	return (*key_string[0] == ':') ? -EINVAL : strlen(*key_string) >> 1;
2112}
2113
2114#endif
2115
2116static int crypt_set_key(struct crypt_config *cc, char *key)
2117{
2118	int r = -EINVAL;
2119	int key_string_len = strlen(key);
2120
2121	/* Hyphen (which gives a key_size of zero) means there is no key. */
2122	if (!cc->key_size && strcmp(key, "-"))
2123		goto out;
2124
2125	/* ':' means the key is in kernel keyring, short-circuit normal key processing */
2126	if (key[0] == ':') {
2127		r = crypt_set_keyring_key(cc, key + 1);
2128		goto out;
2129	}
2130
2131	/* clear the flag since following operations may invalidate previously valid key */
2132	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2133
2134	/* wipe references to any kernel keyring key */
2135	kzfree(cc->key_string);
2136	cc->key_string = NULL;
2137
2138	/* Decode key from its hex representation. */
2139	if (cc->key_size && hex2bin(cc->key, key, cc->key_size) < 0)
2140		goto out;
2141
2142	r = crypt_setkey(cc);
2143	if (!r)
2144		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2145
2146out:
2147	/* Hex key string not needed after here, so wipe it. */
2148	memset(key, '0', key_string_len);
2149
2150	return r;
2151}
2152
2153static int crypt_wipe_key(struct crypt_config *cc)
2154{
2155	int r;
2156
2157	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2158	get_random_bytes(&cc->key, cc->key_size);
2159	kzfree(cc->key_string);
2160	cc->key_string = NULL;
2161	r = crypt_setkey(cc);
2162	memset(&cc->key, 0, cc->key_size * sizeof(u8));
2163
2164	return r;
2165}
2166
2167static void crypt_calculate_pages_per_client(void)
2168{
2169	unsigned long pages = (totalram_pages - totalhigh_pages) * DM_CRYPT_MEMORY_PERCENT / 100;
2170
2171	if (!dm_crypt_clients_n)
2172		return;
2173
2174	pages /= dm_crypt_clients_n;
2175	if (pages < DM_CRYPT_MIN_PAGES_PER_CLIENT)
2176		pages = DM_CRYPT_MIN_PAGES_PER_CLIENT;
2177	dm_crypt_pages_per_client = pages;
2178}
2179
2180static void *crypt_page_alloc(gfp_t gfp_mask, void *pool_data)
2181{
2182	struct crypt_config *cc = pool_data;
2183	struct page *page;
2184
2185	if (unlikely(percpu_counter_compare(&cc->n_allocated_pages, dm_crypt_pages_per_client) >= 0) &&
2186	    likely(gfp_mask & __GFP_NORETRY))
2187		return NULL;
2188
2189	page = alloc_page(gfp_mask);
2190	if (likely(page != NULL))
2191		percpu_counter_add(&cc->n_allocated_pages, 1);
2192
2193	return page;
2194}
2195
2196static void crypt_page_free(void *page, void *pool_data)
2197{
2198	struct crypt_config *cc = pool_data;
2199
2200	__free_page(page);
2201	percpu_counter_sub(&cc->n_allocated_pages, 1);
2202}
2203
2204static void crypt_dtr(struct dm_target *ti)
2205{
2206	struct crypt_config *cc = ti->private;
2207
2208	ti->private = NULL;
2209
2210	if (!cc)
2211		return;
2212
2213	if (cc->write_thread)
2214		kthread_stop(cc->write_thread);
2215
2216	if (cc->io_queue)
2217		destroy_workqueue(cc->io_queue);
2218	if (cc->crypt_queue)
2219		destroy_workqueue(cc->crypt_queue);
2220
2221	crypt_free_tfms(cc);
2222
2223	bioset_exit(&cc->bs);
2224
2225	mempool_exit(&cc->page_pool);
2226	mempool_exit(&cc->req_pool);
2227	mempool_exit(&cc->tag_pool);
2228
2229	WARN_ON(percpu_counter_sum(&cc->n_allocated_pages) != 0);
2230	percpu_counter_destroy(&cc->n_allocated_pages);
2231
2232	if (cc->iv_gen_ops && cc->iv_gen_ops->dtr)
2233		cc->iv_gen_ops->dtr(cc);
2234
2235	if (cc->dev)
2236		dm_put_device(ti, cc->dev);
2237
2238	kzfree(cc->cipher);
2239	kzfree(cc->cipher_string);
2240	kzfree(cc->key_string);
2241	kzfree(cc->cipher_auth);
2242	kzfree(cc->authenc_key);
2243
2244	mutex_destroy(&cc->bio_alloc_lock);
2245
2246	/* Must zero key material before freeing */
2247	kzfree(cc);
2248
2249	spin_lock(&dm_crypt_clients_lock);
2250	WARN_ON(!dm_crypt_clients_n);
2251	dm_crypt_clients_n--;
2252	crypt_calculate_pages_per_client();
2253	spin_unlock(&dm_crypt_clients_lock);
2254}
2255
2256static int crypt_ctr_ivmode(struct dm_target *ti, const char *ivmode)
2257{
2258	struct crypt_config *cc = ti->private;
2259
2260	if (crypt_integrity_aead(cc))
2261		cc->iv_size = crypto_aead_ivsize(any_tfm_aead(cc));
2262	else
2263		cc->iv_size = crypto_skcipher_ivsize(any_tfm(cc));
2264
2265	if (cc->iv_size)
2266		/* at least a 64 bit sector number should fit in our buffer */
2267		cc->iv_size = max(cc->iv_size,
2268				  (unsigned int)(sizeof(u64) / sizeof(u8)));
2269	else if (ivmode) {
2270		DMWARN("Selected cipher does not support IVs");
2271		ivmode = NULL;
2272	}
2273
2274	/* Choose ivmode, see comments at iv code. */
2275	if (ivmode == NULL)
2276		cc->iv_gen_ops = NULL;
2277	else if (strcmp(ivmode, "plain") == 0)
2278		cc->iv_gen_ops = &crypt_iv_plain_ops;
2279	else if (strcmp(ivmode, "plain64") == 0)
2280		cc->iv_gen_ops = &crypt_iv_plain64_ops;
2281	else if (strcmp(ivmode, "plain64be") == 0)
2282		cc->iv_gen_ops = &crypt_iv_plain64be_ops;
2283	else if (strcmp(ivmode, "essiv") == 0)
2284		cc->iv_gen_ops = &crypt_iv_essiv_ops;
2285	else if (strcmp(ivmode, "benbi") == 0)
2286		cc->iv_gen_ops = &crypt_iv_benbi_ops;
2287	else if (strcmp(ivmode, "null") == 0)
2288		cc->iv_gen_ops = &crypt_iv_null_ops;
2289	else if (strcmp(ivmode, "lmk") == 0) {
2290		cc->iv_gen_ops = &crypt_iv_lmk_ops;
2291		/*
2292		 * Version 2 and 3 is recognised according
2293		 * to length of provided multi-key string.
2294		 * If present (version 3), last key is used as IV seed.
2295		 * All keys (including IV seed) are always the same size.
2296		 */
2297		if (cc->key_size % cc->key_parts) {
2298			cc->key_parts++;
2299			cc->key_extra_size = cc->key_size / cc->key_parts;
2300		}
2301	} else if (strcmp(ivmode, "tcw") == 0) {
2302		cc->iv_gen_ops = &crypt_iv_tcw_ops;
2303		cc->key_parts += 2; /* IV + whitening */
2304		cc->key_extra_size = cc->iv_size + TCW_WHITENING_SIZE;
2305	} else if (strcmp(ivmode, "random") == 0) {
2306		cc->iv_gen_ops = &crypt_iv_random_ops;
2307		/* Need storage space in integrity fields. */
2308		cc->integrity_iv_size = cc->iv_size;
2309	} else {
2310		ti->error = "Invalid IV mode";
2311		return -EINVAL;
2312	}
2313
2314	return 0;
2315}
2316
2317/*
2318 * Workaround to parse cipher algorithm from crypto API spec.
2319 * The cc->cipher is currently used only in ESSIV.
2320 * This should be probably done by crypto-api calls (once available...)
2321 */
2322static int crypt_ctr_blkdev_cipher(struct crypt_config *cc)
2323{
2324	const char *alg_name = NULL;
2325	char *start, *end;
2326
2327	if (crypt_integrity_aead(cc)) {
2328		alg_name = crypto_tfm_alg_name(crypto_aead_tfm(any_tfm_aead(cc)));
2329		if (!alg_name)
2330			return -EINVAL;
2331		if (crypt_integrity_hmac(cc)) {
2332			alg_name = strchr(alg_name, ',');
2333			if (!alg_name)
2334				return -EINVAL;
2335		}
2336		alg_name++;
2337	} else {
2338		alg_name = crypto_tfm_alg_name(crypto_skcipher_tfm(any_tfm(cc)));
2339		if (!alg_name)
2340			return -EINVAL;
2341	}
2342
2343	start = strchr(alg_name, '(');
2344	end = strchr(alg_name, ')');
2345
2346	if (!start && !end) {
2347		cc->cipher = kstrdup(alg_name, GFP_KERNEL);
2348		return cc->cipher ? 0 : -ENOMEM;
2349	}
2350
2351	if (!start || !end || ++start >= end)
2352		return -EINVAL;
2353
2354	cc->cipher = kzalloc(end - start + 1, GFP_KERNEL);
2355	if (!cc->cipher)
2356		return -ENOMEM;
2357
2358	strncpy(cc->cipher, start, end - start);
2359
2360	return 0;
2361}
2362
2363/*
2364 * Workaround to parse HMAC algorithm from AEAD crypto API spec.
2365 * The HMAC is needed to calculate tag size (HMAC digest size).
2366 * This should be probably done by crypto-api calls (once available...)
2367 */
2368static int crypt_ctr_auth_cipher(struct crypt_config *cc, char *cipher_api)
2369{
2370	char *start, *end, *mac_alg = NULL;
2371	struct crypto_ahash *mac;
2372
2373	if (!strstarts(cipher_api, "authenc("))
2374		return 0;
2375
2376	start = strchr(cipher_api, '(');
2377	end = strchr(cipher_api, ',');
2378	if (!start || !end || ++start > end)
2379		return -EINVAL;
2380
2381	mac_alg = kzalloc(end - start + 1, GFP_KERNEL);
2382	if (!mac_alg)
2383		return -ENOMEM;
2384	strncpy(mac_alg, start, end - start);
2385
2386	mac = crypto_alloc_ahash(mac_alg, 0, 0);
2387	kfree(mac_alg);
2388
2389	if (IS_ERR(mac))
2390		return PTR_ERR(mac);
2391
2392	cc->key_mac_size = crypto_ahash_digestsize(mac);
2393	crypto_free_ahash(mac);
2394
2395	cc->authenc_key = kmalloc(crypt_authenckey_size(cc), GFP_KERNEL);
2396	if (!cc->authenc_key)
2397		return -ENOMEM;
2398
2399	return 0;
2400}
2401
2402static int crypt_ctr_cipher_new(struct dm_target *ti, char *cipher_in, char *key,
2403				char **ivmode, char **ivopts)
2404{
2405	struct crypt_config *cc = ti->private;
2406	char *tmp, *cipher_api;
2407	int ret = -EINVAL;
2408
2409	cc->tfms_count = 1;
2410
2411	/*
2412	 * New format (capi: prefix)
2413	 * capi:cipher_api_spec-iv:ivopts
2414	 */
2415	tmp = &cipher_in[strlen("capi:")];
2416	cipher_api = strsep(&tmp, "-");
2417	*ivmode = strsep(&tmp, ":");
2418	*ivopts = tmp;
2419
2420	if (*ivmode && !strcmp(*ivmode, "lmk"))
2421		cc->tfms_count = 64;
2422
2423	cc->key_parts = cc->tfms_count;
2424
2425	/* Allocate cipher */
2426	ret = crypt_alloc_tfms(cc, cipher_api);
2427	if (ret < 0) {
2428		ti->error = "Error allocating crypto tfm";
2429		return ret;
2430	}
2431
2432	/* Alloc AEAD, can be used only in new format. */
2433	if (crypt_integrity_aead(cc)) {
2434		ret = crypt_ctr_auth_cipher(cc, cipher_api);
2435		if (ret < 0) {
2436			ti->error = "Invalid AEAD cipher spec";
2437			return -ENOMEM;
2438		}
2439		cc->iv_size = crypto_aead_ivsize(any_tfm_aead(cc));
2440	} else
2441		cc->iv_size = crypto_skcipher_ivsize(any_tfm(cc));
2442
2443	ret = crypt_ctr_blkdev_cipher(cc);
2444	if (ret < 0) {
2445		ti->error = "Cannot allocate cipher string";
2446		return -ENOMEM;
2447	}
2448
2449	return 0;
2450}
2451
2452static int crypt_ctr_cipher_old(struct dm_target *ti, char *cipher_in, char *key,
2453				char **ivmode, char **ivopts)
2454{
2455	struct crypt_config *cc = ti->private;
2456	char *tmp, *cipher, *chainmode, *keycount;
2457	char *cipher_api = NULL;
2458	int ret = -EINVAL;
2459	char dummy;
2460
2461	if (strchr(cipher_in, '(') || crypt_integrity_aead(cc)) {
2462		ti->error = "Bad cipher specification";
2463		return -EINVAL;
2464	}
2465
2466	/*
2467	 * Legacy dm-crypt cipher specification
2468	 * cipher[:keycount]-mode-iv:ivopts
2469	 */
2470	tmp = cipher_in;
2471	keycount = strsep(&tmp, "-");
2472	cipher = strsep(&keycount, ":");
2473
2474	if (!keycount)
2475		cc->tfms_count = 1;
2476	else if (sscanf(keycount, "%u%c", &cc->tfms_count, &dummy) != 1 ||
2477		 !is_power_of_2(cc->tfms_count)) {
2478		ti->error = "Bad cipher key count specification";
2479		return -EINVAL;
2480	}
2481	cc->key_parts = cc->tfms_count;
2482
2483	cc->cipher = kstrdup(cipher, GFP_KERNEL);
2484	if (!cc->cipher)
2485		goto bad_mem;
2486
2487	chainmode = strsep(&tmp, "-");
2488	*ivopts = strsep(&tmp, "-");
2489	*ivmode = strsep(&*ivopts, ":");
2490
2491	if (tmp)
2492		DMWARN("Ignoring unexpected additional cipher options");
2493
2494	/*
2495	 * For compatibility with the original dm-crypt mapping format, if
2496	 * only the cipher name is supplied, use cbc-plain.
2497	 */
2498	if (!chainmode || (!strcmp(chainmode, "plain") && !*ivmode)) {
2499		chainmode = "cbc";
2500		*ivmode = "plain";
2501	}
2502
2503	if (strcmp(chainmode, "ecb") && !*ivmode) {
2504		ti->error = "IV mechanism required";
2505		return -EINVAL;
2506	}
2507
2508	cipher_api = kmalloc(CRYPTO_MAX_ALG_NAME, GFP_KERNEL);
2509	if (!cipher_api)
2510		goto bad_mem;
2511
2512	ret = snprintf(cipher_api, CRYPTO_MAX_ALG_NAME,
2513		       "%s(%s)", chainmode, cipher);
2514	if (ret < 0) {
2515		kfree(cipher_api);
2516		goto bad_mem;
2517	}
2518
2519	/* Allocate cipher */
2520	ret = crypt_alloc_tfms(cc, cipher_api);
2521	if (ret < 0) {
2522		ti->error = "Error allocating crypto tfm";
2523		kfree(cipher_api);
2524		return ret;
2525	}
2526	kfree(cipher_api);
2527
2528	return 0;
2529bad_mem:
2530	ti->error = "Cannot allocate cipher strings";
2531	return -ENOMEM;
2532}
2533
2534static int crypt_ctr_cipher(struct dm_target *ti, char *cipher_in, char *key)
2535{
2536	struct crypt_config *cc = ti->private;
2537	char *ivmode = NULL, *ivopts = NULL;
2538	int ret;
2539
2540	cc->cipher_string = kstrdup(cipher_in, GFP_KERNEL);
2541	if (!cc->cipher_string) {
2542		ti->error = "Cannot allocate cipher strings";
2543		return -ENOMEM;
2544	}
2545
2546	if (strstarts(cipher_in, "capi:"))
2547		ret = crypt_ctr_cipher_new(ti, cipher_in, key, &ivmode, &ivopts);
2548	else
2549		ret = crypt_ctr_cipher_old(ti, cipher_in, key, &ivmode, &ivopts);
2550	if (ret)
2551		return ret;
2552
2553	/* Initialize IV */
2554	ret = crypt_ctr_ivmode(ti, ivmode);
2555	if (ret < 0)
2556		return ret;
2557
2558	/* Initialize and set key */
2559	ret = crypt_set_key(cc, key);
2560	if (ret < 0) {
2561		ti->error = "Error decoding and setting key";
2562		return ret;
2563	}
2564
2565	/* Allocate IV */
2566	if (cc->iv_gen_ops && cc->iv_gen_ops->ctr) {
2567		ret = cc->iv_gen_ops->ctr(cc, ti, ivopts);
2568		if (ret < 0) {
2569			ti->error = "Error creating IV";
2570			return ret;
2571		}
2572	}
2573
2574	/* Initialize IV (set keys for ESSIV etc) */
2575	if (cc->iv_gen_ops && cc->iv_gen_ops->init) {
2576		ret = cc->iv_gen_ops->init(cc);
2577		if (ret < 0) {
2578			ti->error = "Error initialising IV";
2579			return ret;
2580		}
2581	}
2582
2583	/* wipe the kernel key payload copy */
2584	if (cc->key_string)
2585		memset(cc->key, 0, cc->key_size * sizeof(u8));
2586
2587	return ret;
2588}
2589
2590static int crypt_ctr_optional(struct dm_target *ti, unsigned int argc, char **argv)
2591{
2592	struct crypt_config *cc = ti->private;
2593	struct dm_arg_set as;
2594	static const struct dm_arg _args[] = {
2595		{0, 6, "Invalid number of feature args"},
2596	};
2597	unsigned int opt_params, val;
2598	const char *opt_string, *sval;
2599	char dummy;
2600	int ret;
2601
2602	/* Optional parameters */
2603	as.argc = argc;
2604	as.argv = argv;
2605
2606	ret = dm_read_arg_group(_args, &as, &opt_params, &ti->error);
2607	if (ret)
2608		return ret;
2609
2610	while (opt_params--) {
2611		opt_string = dm_shift_arg(&as);
2612		if (!opt_string) {
2613			ti->error = "Not enough feature arguments";
2614			return -EINVAL;
2615		}
2616
2617		if (!strcasecmp(opt_string, "allow_discards"))
2618			ti->num_discard_bios = 1;
2619
2620		else if (!strcasecmp(opt_string, "same_cpu_crypt"))
2621			set_bit(DM_CRYPT_SAME_CPU, &cc->flags);
2622
2623		else if (!strcasecmp(opt_string, "submit_from_crypt_cpus"))
2624			set_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
2625		else if (sscanf(opt_string, "integrity:%u:", &val) == 1) {
2626			if (val == 0 || val > MAX_TAG_SIZE) {
2627				ti->error = "Invalid integrity arguments";
2628				return -EINVAL;
2629			}
2630			cc->on_disk_tag_size = val;
2631			sval = strchr(opt_string + strlen("integrity:"), ':') + 1;
2632			if (!strcasecmp(sval, "aead")) {
2633				set_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags);
2634			} else  if (strcasecmp(sval, "none")) {
2635				ti->error = "Unknown integrity profile";
2636				return -EINVAL;
2637			}
2638
2639			cc->cipher_auth = kstrdup(sval, GFP_KERNEL);
2640			if (!cc->cipher_auth)
2641				return -ENOMEM;
2642		} else if (sscanf(opt_string, "sector_size:%hu%c", &cc->sector_size, &dummy) == 1) {
2643			if (cc->sector_size < (1 << SECTOR_SHIFT) ||
2644			    cc->sector_size > 4096 ||
2645			    (cc->sector_size & (cc->sector_size - 1))) {
2646				ti->error = "Invalid feature value for sector_size";
2647				return -EINVAL;
2648			}
2649			if (ti->len & ((cc->sector_size >> SECTOR_SHIFT) - 1)) {
2650				ti->error = "Device size is not multiple of sector_size feature";
2651				return -EINVAL;
2652			}
2653			cc->sector_shift = __ffs(cc->sector_size) - SECTOR_SHIFT;
2654		} else if (!strcasecmp(opt_string, "iv_large_sectors"))
2655			set_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
2656		else {
2657			ti->error = "Invalid feature arguments";
2658			return -EINVAL;
2659		}
2660	}
2661
2662	return 0;
2663}
2664
2665/*
2666 * Construct an encryption mapping:
2667 * <cipher> [<key>|:<key_size>:<user|logon>:<key_description>] <iv_offset> <dev_path> <start>
2668 */
2669static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
2670{
2671	struct crypt_config *cc;
2672	int key_size;
2673	unsigned int align_mask;
2674	unsigned long long tmpll;
2675	int ret;
2676	size_t iv_size_padding, additional_req_size;
2677	char dummy;
2678
2679	if (argc < 5) {
2680		ti->error = "Not enough arguments";
2681		return -EINVAL;
2682	}
2683
2684	key_size = get_key_size(&argv[1]);
2685	if (key_size < 0) {
2686		ti->error = "Cannot parse key size";
2687		return -EINVAL;
2688	}
2689
2690	cc = kzalloc(sizeof(*cc) + key_size * sizeof(u8), GFP_KERNEL);
2691	if (!cc) {
2692		ti->error = "Cannot allocate encryption context";
2693		return -ENOMEM;
2694	}
2695	cc->key_size = key_size;
2696	cc->sector_size = (1 << SECTOR_SHIFT);
2697	cc->sector_shift = 0;
2698
2699	ti->private = cc;
2700
2701	spin_lock(&dm_crypt_clients_lock);
2702	dm_crypt_clients_n++;
2703	crypt_calculate_pages_per_client();
2704	spin_unlock(&dm_crypt_clients_lock);
2705
2706	ret = percpu_counter_init(&cc->n_allocated_pages, 0, GFP_KERNEL);
2707	if (ret < 0)
2708		goto bad;
2709
2710	/* Optional parameters need to be read before cipher constructor */
2711	if (argc > 5) {
2712		ret = crypt_ctr_optional(ti, argc - 5, &argv[5]);
2713		if (ret)
2714			goto bad;
2715	}
2716
2717	ret = crypt_ctr_cipher(ti, argv[0], argv[1]);
2718	if (ret < 0)
2719		goto bad;
2720
2721	if (crypt_integrity_aead(cc)) {
2722		cc->dmreq_start = sizeof(struct aead_request);
2723		cc->dmreq_start += crypto_aead_reqsize(any_tfm_aead(cc));
2724		align_mask = crypto_aead_alignmask(any_tfm_aead(cc));
2725	} else {
2726		cc->dmreq_start = sizeof(struct skcipher_request);
2727		cc->dmreq_start += crypto_skcipher_reqsize(any_tfm(cc));
2728		align_mask = crypto_skcipher_alignmask(any_tfm(cc));
2729	}
2730	cc->dmreq_start = ALIGN(cc->dmreq_start, __alignof__(struct dm_crypt_request));
2731
2732	if (align_mask < CRYPTO_MINALIGN) {
2733		/* Allocate the padding exactly */
2734		iv_size_padding = -(cc->dmreq_start + sizeof(struct dm_crypt_request))
2735				& align_mask;
2736	} else {
2737		/*
2738		 * If the cipher requires greater alignment than kmalloc
2739		 * alignment, we don't know the exact position of the
2740		 * initialization vector. We must assume worst case.
2741		 */
2742		iv_size_padding = align_mask;
2743	}
2744
2745	/*  ...| IV + padding | original IV | original sec. number | bio tag offset | */
2746	additional_req_size = sizeof(struct dm_crypt_request) +
2747		iv_size_padding + cc->iv_size +
2748		cc->iv_size +
2749		sizeof(uint64_t) +
2750		sizeof(unsigned int);
2751
2752	ret = mempool_init_kmalloc_pool(&cc->req_pool, MIN_IOS, cc->dmreq_start + additional_req_size);
2753	if (ret) {
2754		ti->error = "Cannot allocate crypt request mempool";
2755		goto bad;
2756	}
2757
2758	cc->per_bio_data_size = ti->per_io_data_size =
2759		ALIGN(sizeof(struct dm_crypt_io) + cc->dmreq_start + additional_req_size,
2760		      ARCH_KMALLOC_MINALIGN);
2761
2762	ret = mempool_init(&cc->page_pool, BIO_MAX_PAGES, crypt_page_alloc, crypt_page_free, cc);
2763	if (ret) {
2764		ti->error = "Cannot allocate page mempool";
2765		goto bad;
2766	}
2767
2768	ret = bioset_init(&cc->bs, MIN_IOS, 0, BIOSET_NEED_BVECS);
2769	if (ret) {
2770		ti->error = "Cannot allocate crypt bioset";
2771		goto bad;
2772	}
2773
2774	mutex_init(&cc->bio_alloc_lock);
2775
2776	ret = -EINVAL;
2777	if ((sscanf(argv[2], "%llu%c", &tmpll, &dummy) != 1) ||
2778	    (tmpll & ((cc->sector_size >> SECTOR_SHIFT) - 1))) {
2779		ti->error = "Invalid iv_offset sector";
2780		goto bad;
2781	}
2782	cc->iv_offset = tmpll;
2783
2784	ret = dm_get_device(ti, argv[3], dm_table_get_mode(ti->table), &cc->dev);
2785	if (ret) {
2786		ti->error = "Device lookup failed";
2787		goto bad;
2788	}
2789
2790	ret = -EINVAL;
2791	if (sscanf(argv[4], "%llu%c", &tmpll, &dummy) != 1) {
2792		ti->error = "Invalid device sector";
2793		goto bad;
2794	}
2795	cc->start = tmpll;
2796
2797	if (crypt_integrity_aead(cc) || cc->integrity_iv_size) {
2798		ret = crypt_integrity_ctr(cc, ti);
2799		if (ret)
2800			goto bad;
2801
2802		cc->tag_pool_max_sectors = POOL_ENTRY_SIZE / cc->on_disk_tag_size;
2803		if (!cc->tag_pool_max_sectors)
2804			cc->tag_pool_max_sectors = 1;
2805
2806		ret = mempool_init_kmalloc_pool(&cc->tag_pool, MIN_IOS,
2807			cc->tag_pool_max_sectors * cc->on_disk_tag_size);
2808		if (ret) {
2809			ti->error = "Cannot allocate integrity tags mempool";
2810			goto bad;
2811		}
2812
2813		cc->tag_pool_max_sectors <<= cc->sector_shift;
2814	}
2815
2816	ret = -ENOMEM;
2817	cc->io_queue = alloc_workqueue("kcryptd_io", WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, 1);
2818	if (!cc->io_queue) {
2819		ti->error = "Couldn't create kcryptd io queue";
2820		goto bad;
2821	}
2822
2823	if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags))
2824		cc->crypt_queue = alloc_workqueue("kcryptd", WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, 1);
2825	else
2826		cc->crypt_queue = alloc_workqueue("kcryptd",
2827						  WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND,
2828						  num_online_cpus());
2829	if (!cc->crypt_queue) {
2830		ti->error = "Couldn't create kcryptd queue";
2831		goto bad;
2832	}
2833
2834	init_waitqueue_head(&cc->write_thread_wait);
2835	cc->write_tree = RB_ROOT;
2836
2837	cc->write_thread = kthread_create(dmcrypt_write, cc, "dmcrypt_write");
2838	if (IS_ERR(cc->write_thread)) {
2839		ret = PTR_ERR(cc->write_thread);
2840		cc->write_thread = NULL;
2841		ti->error = "Couldn't spawn write thread";
2842		goto bad;
2843	}
2844	wake_up_process(cc->write_thread);
2845
2846	ti->num_flush_bios = 1;
2847
2848	return 0;
2849
2850bad:
2851	crypt_dtr(ti);
2852	return ret;
2853}
2854
2855static int crypt_map(struct dm_target *ti, struct bio *bio)
2856{
2857	struct dm_crypt_io *io;
2858	struct crypt_config *cc = ti->private;
2859
2860	/*
2861	 * If bio is REQ_PREFLUSH or REQ_OP_DISCARD, just bypass crypt queues.
2862	 * - for REQ_PREFLUSH device-mapper core ensures that no IO is in-flight
2863	 * - for REQ_OP_DISCARD caller must use flush if IO ordering matters
2864	 */
2865	if (unlikely(bio->bi_opf & REQ_PREFLUSH ||
2866	    bio_op(bio) == REQ_OP_DISCARD)) {
2867		bio_set_dev(bio, cc->dev->bdev);
2868		if (bio_sectors(bio))
2869			bio->bi_iter.bi_sector = cc->start +
2870				dm_target_offset(ti, bio->bi_iter.bi_sector);
2871		return DM_MAPIO_REMAPPED;
2872	}
2873
2874	/*
2875	 * Check if bio is too large, split as needed.
2876	 */
2877	if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
2878	    (bio_data_dir(bio) == WRITE || cc->on_disk_tag_size))
2879		dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
2880
2881	/*
2882	 * Ensure that bio is a multiple of internal sector encryption size
2883	 * and is aligned to this size as defined in IO hints.
2884	 */
2885	if (unlikely((bio->bi_iter.bi_sector & ((cc->sector_size >> SECTOR_SHIFT) - 1)) != 0))
2886		return DM_MAPIO_KILL;
2887
2888	if (unlikely(bio->bi_iter.bi_size & (cc->sector_size - 1)))
2889		return DM_MAPIO_KILL;
2890
2891	io = dm_per_bio_data(bio, cc->per_bio_data_size);
2892	crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
2893
2894	if (cc->on_disk_tag_size) {
2895		unsigned tag_len = cc->on_disk_tag_size * (bio_sectors(bio) >> cc->sector_shift);
2896
2897		if (unlikely(tag_len > KMALLOC_MAX_SIZE) ||
2898		    unlikely(!(io->integrity_metadata = kmalloc(tag_len,
2899				GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN)))) {
2900			if (bio_sectors(bio) > cc->tag_pool_max_sectors)
2901				dm_accept_partial_bio(bio, cc->tag_pool_max_sectors);
2902			io->integrity_metadata = mempool_alloc(&cc->tag_pool, GFP_NOIO);
2903			io->integrity_metadata_from_pool = true;
2904		}
2905	}
2906
2907	if (crypt_integrity_aead(cc))
2908		io->ctx.r.req_aead = (struct aead_request *)(io + 1);
2909	else
2910		io->ctx.r.req = (struct skcipher_request *)(io + 1);
2911
2912	if (bio_data_dir(io->base_bio) == READ) {
2913		if (kcryptd_io_read(io, GFP_NOWAIT))
2914			kcryptd_queue_read(io);
2915	} else
2916		kcryptd_queue_crypt(io);
2917
2918	return DM_MAPIO_SUBMITTED;
2919}
2920
2921static void crypt_status(struct dm_target *ti, status_type_t type,
2922			 unsigned status_flags, char *result, unsigned maxlen)
2923{
2924	struct crypt_config *cc = ti->private;
2925	unsigned i, sz = 0;
2926	int num_feature_args = 0;
2927
2928	switch (type) {
2929	case STATUSTYPE_INFO:
2930		result[0] = '\0';
2931		break;
2932
2933	case STATUSTYPE_TABLE:
2934		DMEMIT("%s ", cc->cipher_string);
2935
2936		if (cc->key_size > 0) {
2937			if (cc->key_string)
2938				DMEMIT(":%u:%s", cc->key_size, cc->key_string);
2939			else
2940				for (i = 0; i < cc->key_size; i++)
2941					DMEMIT("%02x", cc->key[i]);
2942		} else
2943			DMEMIT("-");
2944
2945		DMEMIT(" %llu %s %llu", (unsigned long long)cc->iv_offset,
2946				cc->dev->name, (unsigned long long)cc->start);
2947
2948		num_feature_args += !!ti->num_discard_bios;
2949		num_feature_args += test_bit(DM_CRYPT_SAME_CPU, &cc->flags);
2950		num_feature_args += test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
2951		num_feature_args += cc->sector_size != (1 << SECTOR_SHIFT);
2952		num_feature_args += test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
2953		if (cc->on_disk_tag_size)
2954			num_feature_args++;
2955		if (num_feature_args) {
2956			DMEMIT(" %d", num_feature_args);
2957			if (ti->num_discard_bios)
2958				DMEMIT(" allow_discards");
2959			if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags))
2960				DMEMIT(" same_cpu_crypt");
2961			if (test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags))
2962				DMEMIT(" submit_from_crypt_cpus");
2963			if (cc->on_disk_tag_size)
2964				DMEMIT(" integrity:%u:%s", cc->on_disk_tag_size, cc->cipher_auth);
2965			if (cc->sector_size != (1 << SECTOR_SHIFT))
2966				DMEMIT(" sector_size:%d", cc->sector_size);
2967			if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
2968				DMEMIT(" iv_large_sectors");
2969		}
2970
2971		break;
2972	}
2973}
2974
2975static void crypt_postsuspend(struct dm_target *ti)
2976{
2977	struct crypt_config *cc = ti->private;
2978
2979	set_bit(DM_CRYPT_SUSPENDED, &cc->flags);
2980}
2981
2982static int crypt_preresume(struct dm_target *ti)
2983{
2984	struct crypt_config *cc = ti->private;
2985
2986	if (!test_bit(DM_CRYPT_KEY_VALID, &cc->flags)) {
2987		DMERR("aborting resume - crypt key is not set.");
2988		return -EAGAIN;
2989	}
2990
2991	return 0;
2992}
2993
2994static void crypt_resume(struct dm_target *ti)
2995{
2996	struct crypt_config *cc = ti->private;
2997
2998	clear_bit(DM_CRYPT_SUSPENDED, &cc->flags);
2999}
3000
3001/* Message interface
3002 *	key set <key>
3003 *	key wipe
3004 */
3005static int crypt_message(struct dm_target *ti, unsigned argc, char **argv,
3006			 char *result, unsigned maxlen)
3007{
3008	struct crypt_config *cc = ti->private;
3009	int key_size, ret = -EINVAL;
3010
3011	if (argc < 2)
3012		goto error;
3013
3014	if (!strcasecmp(argv[0], "key")) {
3015		if (!test_bit(DM_CRYPT_SUSPENDED, &cc->flags)) {
3016			DMWARN("not suspended during key manipulation.");
3017			return -EINVAL;
3018		}
3019		if (argc == 3 && !strcasecmp(argv[1], "set")) {
3020			/* The key size may not be changed. */
3021			key_size = get_key_size(&argv[2]);
3022			if (key_size < 0 || cc->key_size != key_size) {
3023				memset(argv[2], '0', strlen(argv[2]));
3024				return -EINVAL;
3025			}
3026
3027			ret = crypt_set_key(cc, argv[2]);
3028			if (ret)
3029				return ret;
3030			if (cc->iv_gen_ops && cc->iv_gen_ops->init)
3031				ret = cc->iv_gen_ops->init(cc);
3032			/* wipe the kernel key payload copy */
3033			if (cc->key_string)
3034				memset(cc->key, 0, cc->key_size * sizeof(u8));
3035			return ret;
3036		}
3037		if (argc == 2 && !strcasecmp(argv[1], "wipe")) {
3038			if (cc->iv_gen_ops && cc->iv_gen_ops->wipe) {
3039				ret = cc->iv_gen_ops->wipe(cc);
3040				if (ret)
3041					return ret;
3042			}
3043			return crypt_wipe_key(cc);
3044		}
3045	}
3046
3047error:
3048	DMWARN("unrecognised message received.");
3049	return -EINVAL;
3050}
3051
3052static int crypt_iterate_devices(struct dm_target *ti,
3053				 iterate_devices_callout_fn fn, void *data)
3054{
3055	struct crypt_config *cc = ti->private;
3056
3057	return fn(ti, cc->dev, cc->start, ti->len, data);
3058}
3059
3060static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
3061{
3062	struct crypt_config *cc = ti->private;
3063
3064	/*
3065	 * Unfortunate constraint that is required to avoid the potential
3066	 * for exceeding underlying device's max_segments limits -- due to
3067	 * crypt_alloc_buffer() possibly allocating pages for the encryption
3068	 * bio that are not as physically contiguous as the original bio.
3069	 */
3070	limits->max_segment_size = PAGE_SIZE;
3071
3072	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
3073		limits->logical_block_size = cc->sector_size;
3074		limits->physical_block_size = cc->sector_size;
3075		blk_limits_io_min(limits, cc->sector_size);
3076	}
3077}
3078
3079static struct target_type crypt_target = {
3080	.name   = "crypt",
3081	.version = {1, 18, 1},
3082	.module = THIS_MODULE,
3083	.ctr    = crypt_ctr,
3084	.dtr    = crypt_dtr,
3085	.map    = crypt_map,
3086	.status = crypt_status,
3087	.postsuspend = crypt_postsuspend,
3088	.preresume = crypt_preresume,
3089	.resume = crypt_resume,
3090	.message = crypt_message,
3091	.iterate_devices = crypt_iterate_devices,
3092	.io_hints = crypt_io_hints,
3093};
3094
3095static int __init dm_crypt_init(void)
3096{
3097	int r;
3098
3099	r = dm_register_target(&crypt_target);
3100	if (r < 0)
3101		DMERR("register failed %d", r);
3102
3103	return r;
3104}
3105
3106static void __exit dm_crypt_exit(void)
3107{
3108	dm_unregister_target(&crypt_target);
3109}
3110
3111module_init(dm_crypt_init);
3112module_exit(dm_crypt_exit);
3113
3114MODULE_AUTHOR("Jana Saout <jana@saout.de>");
3115MODULE_DESCRIPTION(DM_NAME " target for transparent encryption / decryption");
3116MODULE_LICENSE("GPL");
Configure Feed

Configure Feed
