tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / fscrypto.h
at v4.7 11 kB view raw
1/* 2 * General per-file encryption definition 3 * 4 * Copyright (C) 2015, Google, Inc. 5 * 6 * Written by Michael Halcrow, 2015. 7 * Modified by Jaegeuk Kim, 2015. 8 */ 9 10#ifndef _LINUX_FSCRYPTO_H 11#define _LINUX_FSCRYPTO_H 12 13#include <linux/key.h> 14#include <linux/fs.h> 15#include <linux/mm.h> 16#include <linux/bio.h> 17#include <linux/dcache.h> 18#include <crypto/skcipher.h> 19#include <uapi/linux/fs.h> 20 21#define FS_KEY_DERIVATION_NONCE_SIZE 16 22#define FS_ENCRYPTION_CONTEXT_FORMAT_V1 1 23 24#define FS_POLICY_FLAGS_PAD_4 0x00 25#define FS_POLICY_FLAGS_PAD_8 0x01 26#define FS_POLICY_FLAGS_PAD_16 0x02 27#define FS_POLICY_FLAGS_PAD_32 0x03 28#define FS_POLICY_FLAGS_PAD_MASK 0x03 29#define FS_POLICY_FLAGS_VALID 0x03 30 31/* Encryption algorithms */ 32#define FS_ENCRYPTION_MODE_INVALID 0 33#define FS_ENCRYPTION_MODE_AES_256_XTS 1 34#define FS_ENCRYPTION_MODE_AES_256_GCM 2 35#define FS_ENCRYPTION_MODE_AES_256_CBC 3 36#define FS_ENCRYPTION_MODE_AES_256_CTS 4 37 38/** 39 * Encryption context for inode 40 * 41 * Protector format: 42 * 1 byte: Protector format (1 = this version) 43 * 1 byte: File contents encryption mode 44 * 1 byte: File names encryption mode 45 * 1 byte: Flags 46 * 8 bytes: Master Key descriptor 47 * 16 bytes: Encryption Key derivation nonce 48 */ 49struct fscrypt_context { 50 u8 format; 51 u8 contents_encryption_mode; 52 u8 filenames_encryption_mode; 53 u8 flags; 54 u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE]; 55 u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 56} __packed; 57 58/* Encryption parameters */ 59#define FS_XTS_TWEAK_SIZE 16 60#define FS_AES_128_ECB_KEY_SIZE 16 61#define FS_AES_256_GCM_KEY_SIZE 32 62#define FS_AES_256_CBC_KEY_SIZE 32 63#define FS_AES_256_CTS_KEY_SIZE 32 64#define FS_AES_256_XTS_KEY_SIZE 64 65#define FS_MAX_KEY_SIZE 64 66 67#define FS_KEY_DESC_PREFIX "fscrypt:" 68#define FS_KEY_DESC_PREFIX_SIZE 8 69 70/* This is passed in from userspace into the kernel keyring */ 71struct fscrypt_key { 72 u32 mode; 73 u8 raw[FS_MAX_KEY_SIZE]; 74 u32 size; 75} __packed; 76 77struct fscrypt_info { 78 u8 ci_data_mode; 79 u8 ci_filename_mode; 80 u8 ci_flags; 81 struct crypto_skcipher *ci_ctfm; 82 struct key *ci_keyring_key; 83 u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE]; 84}; 85 86#define FS_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001 87#define FS_WRITE_PATH_FL 0x00000002 88 89struct fscrypt_ctx { 90 union { 91 struct { 92 struct page *bounce_page; /* Ciphertext page */ 93 struct page *control_page; /* Original page */ 94 } w; 95 struct { 96 struct bio *bio; 97 struct work_struct work; 98 } r; 99 struct list_head free_list; /* Free list */ 100 }; 101 u8 flags; /* Flags */ 102 u8 mode; /* Encryption mode for tfm */ 103}; 104 105struct fscrypt_completion_result { 106 struct completion completion; 107 int res; 108}; 109 110#define DECLARE_FS_COMPLETION_RESULT(ecr) \ 111 struct fscrypt_completion_result ecr = { \ 112 COMPLETION_INITIALIZER((ecr).completion), 0 } 113 114static inline int fscrypt_key_size(int mode) 115{ 116 switch (mode) { 117 case FS_ENCRYPTION_MODE_AES_256_XTS: 118 return FS_AES_256_XTS_KEY_SIZE; 119 case FS_ENCRYPTION_MODE_AES_256_GCM: 120 return FS_AES_256_GCM_KEY_SIZE; 121 case FS_ENCRYPTION_MODE_AES_256_CBC: 122 return FS_AES_256_CBC_KEY_SIZE; 123 case FS_ENCRYPTION_MODE_AES_256_CTS: 124 return FS_AES_256_CTS_KEY_SIZE; 125 default: 126 BUG(); 127 } 128 return 0; 129} 130 131#define FS_FNAME_NUM_SCATTER_ENTRIES 4 132#define FS_CRYPTO_BLOCK_SIZE 16 133#define FS_FNAME_CRYPTO_DIGEST_SIZE 32 134 135/** 136 * For encrypted symlinks, the ciphertext length is stored at the beginning 137 * of the string in little-endian format. 138 */ 139struct fscrypt_symlink_data { 140 __le16 len; 141 char encrypted_path[1]; 142} __packed; 143 144/** 145 * This function is used to calculate the disk space required to 146 * store a filename of length l in encrypted symlink format. 147 */ 148static inline u32 fscrypt_symlink_data_len(u32 l) 149{ 150 if (l < FS_CRYPTO_BLOCK_SIZE) 151 l = FS_CRYPTO_BLOCK_SIZE; 152 return (l + sizeof(struct fscrypt_symlink_data) - 1); 153} 154 155struct fscrypt_str { 156 unsigned char *name; 157 u32 len; 158}; 159 160struct fscrypt_name { 161 const struct qstr *usr_fname; 162 struct fscrypt_str disk_name; 163 u32 hash; 164 u32 minor_hash; 165 struct fscrypt_str crypto_buf; 166}; 167 168#define FSTR_INIT(n, l) { .name = n, .len = l } 169#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) 170#define fname_name(p) ((p)->disk_name.name) 171#define fname_len(p) ((p)->disk_name.len) 172 173/* 174 * crypto opertions for filesystems 175 */ 176struct fscrypt_operations { 177 int (*get_context)(struct inode *, void *, size_t); 178 int (*key_prefix)(struct inode *, u8 **); 179 int (*prepare_context)(struct inode *); 180 int (*set_context)(struct inode *, const void *, size_t, void *); 181 int (*dummy_context)(struct inode *); 182 bool (*is_encrypted)(struct inode *); 183 bool (*empty_dir)(struct inode *); 184 unsigned (*max_namelen)(struct inode *); 185}; 186 187static inline bool fscrypt_dummy_context_enabled(struct inode *inode) 188{ 189 if (inode->i_sb->s_cop->dummy_context && 190 inode->i_sb->s_cop->dummy_context(inode)) 191 return true; 192 return false; 193} 194 195static inline bool fscrypt_valid_contents_enc_mode(u32 mode) 196{ 197 return (mode == FS_ENCRYPTION_MODE_AES_256_XTS); 198} 199 200static inline bool fscrypt_valid_filenames_enc_mode(u32 mode) 201{ 202 return (mode == FS_ENCRYPTION_MODE_AES_256_CTS); 203} 204 205static inline u32 fscrypt_validate_encryption_key_size(u32 mode, u32 size) 206{ 207 if (size == fscrypt_key_size(mode)) 208 return size; 209 return 0; 210} 211 212static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) 213{ 214 if (str->len == 1 && str->name[0] == '.') 215 return true; 216 217 if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') 218 return true; 219 220 return false; 221} 222 223static inline struct page *fscrypt_control_page(struct page *page) 224{ 225#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 226 return ((struct fscrypt_ctx *)page_private(page))->w.control_page; 227#else 228 WARN_ON_ONCE(1); 229 return ERR_PTR(-EINVAL); 230#endif 231} 232 233static inline int fscrypt_has_encryption_key(struct inode *inode) 234{ 235#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 236 return (inode->i_crypt_info != NULL); 237#else 238 return 0; 239#endif 240} 241 242static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry) 243{ 244#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 245 spin_lock(&dentry->d_lock); 246 dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY; 247 spin_unlock(&dentry->d_lock); 248#endif 249} 250 251#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 252extern const struct dentry_operations fscrypt_d_ops; 253#endif 254 255static inline void fscrypt_set_d_op(struct dentry *dentry) 256{ 257#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 258 d_set_d_op(dentry, &fscrypt_d_ops); 259#endif 260} 261 262#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 263/* crypto.c */ 264extern struct kmem_cache *fscrypt_info_cachep; 265int fscrypt_initialize(void); 266 267extern struct fscrypt_ctx *fscrypt_get_ctx(struct inode *, gfp_t); 268extern void fscrypt_release_ctx(struct fscrypt_ctx *); 269extern struct page *fscrypt_encrypt_page(struct inode *, struct page *, gfp_t); 270extern int fscrypt_decrypt_page(struct page *); 271extern void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *, struct bio *); 272extern void fscrypt_pullback_bio_page(struct page **, bool); 273extern void fscrypt_restore_control_page(struct page *); 274extern int fscrypt_zeroout_range(struct inode *, pgoff_t, sector_t, 275 unsigned int); 276/* policy.c */ 277extern int fscrypt_process_policy(struct inode *, 278 const struct fscrypt_policy *); 279extern int fscrypt_get_policy(struct inode *, struct fscrypt_policy *); 280extern int fscrypt_has_permitted_context(struct inode *, struct inode *); 281extern int fscrypt_inherit_context(struct inode *, struct inode *, 282 void *, bool); 283/* keyinfo.c */ 284extern int get_crypt_info(struct inode *); 285extern int fscrypt_get_encryption_info(struct inode *); 286extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *); 287 288/* fname.c */ 289extern int fscrypt_setup_filename(struct inode *, const struct qstr *, 290 int lookup, struct fscrypt_name *); 291extern void fscrypt_free_filename(struct fscrypt_name *); 292extern u32 fscrypt_fname_encrypted_size(struct inode *, u32); 293extern int fscrypt_fname_alloc_buffer(struct inode *, u32, 294 struct fscrypt_str *); 295extern void fscrypt_fname_free_buffer(struct fscrypt_str *); 296extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32, 297 const struct fscrypt_str *, struct fscrypt_str *); 298extern int fscrypt_fname_usr_to_disk(struct inode *, const struct qstr *, 299 struct fscrypt_str *); 300#endif 301 302/* crypto.c */ 303static inline struct fscrypt_ctx *fscrypt_notsupp_get_ctx(struct inode *i, 304 gfp_t f) 305{ 306 return ERR_PTR(-EOPNOTSUPP); 307} 308 309static inline void fscrypt_notsupp_release_ctx(struct fscrypt_ctx *c) 310{ 311 return; 312} 313 314static inline struct page *fscrypt_notsupp_encrypt_page(struct inode *i, 315 struct page *p, gfp_t f) 316{ 317 return ERR_PTR(-EOPNOTSUPP); 318} 319 320static inline int fscrypt_notsupp_decrypt_page(struct page *p) 321{ 322 return -EOPNOTSUPP; 323} 324 325static inline void fscrypt_notsupp_decrypt_bio_pages(struct fscrypt_ctx *c, 326 struct bio *b) 327{ 328 return; 329} 330 331static inline void fscrypt_notsupp_pullback_bio_page(struct page **p, bool b) 332{ 333 return; 334} 335 336static inline void fscrypt_notsupp_restore_control_page(struct page *p) 337{ 338 return; 339} 340 341static inline int fscrypt_notsupp_zeroout_range(struct inode *i, pgoff_t p, 342 sector_t s, unsigned int f) 343{ 344 return -EOPNOTSUPP; 345} 346 347/* policy.c */ 348static inline int fscrypt_notsupp_process_policy(struct inode *i, 349 const struct fscrypt_policy *p) 350{ 351 return -EOPNOTSUPP; 352} 353 354static inline int fscrypt_notsupp_get_policy(struct inode *i, 355 struct fscrypt_policy *p) 356{ 357 return -EOPNOTSUPP; 358} 359 360static inline int fscrypt_notsupp_has_permitted_context(struct inode *p, 361 struct inode *i) 362{ 363 return 0; 364} 365 366static inline int fscrypt_notsupp_inherit_context(struct inode *p, 367 struct inode *i, void *v, bool b) 368{ 369 return -EOPNOTSUPP; 370} 371 372/* keyinfo.c */ 373static inline int fscrypt_notsupp_get_encryption_info(struct inode *i) 374{ 375 return -EOPNOTSUPP; 376} 377 378static inline void fscrypt_notsupp_put_encryption_info(struct inode *i, 379 struct fscrypt_info *f) 380{ 381 return; 382} 383 384 /* fname.c */ 385static inline int fscrypt_notsupp_setup_filename(struct inode *dir, 386 const struct qstr *iname, 387 int lookup, struct fscrypt_name *fname) 388{ 389 if (dir->i_sb->s_cop->is_encrypted(dir)) 390 return -EOPNOTSUPP; 391 392 memset(fname, 0, sizeof(struct fscrypt_name)); 393 fname->usr_fname = iname; 394 fname->disk_name.name = (unsigned char *)iname->name; 395 fname->disk_name.len = iname->len; 396 return 0; 397} 398 399static inline void fscrypt_notsupp_free_filename(struct fscrypt_name *fname) 400{ 401 return; 402} 403 404static inline u32 fscrypt_notsupp_fname_encrypted_size(struct inode *i, u32 s) 405{ 406 /* never happens */ 407 WARN_ON(1); 408 return 0; 409} 410 411static inline int fscrypt_notsupp_fname_alloc_buffer(struct inode *inode, 412 u32 ilen, struct fscrypt_str *crypto_str) 413{ 414 return -EOPNOTSUPP; 415} 416 417static inline void fscrypt_notsupp_fname_free_buffer(struct fscrypt_str *c) 418{ 419 return; 420} 421 422static inline int fscrypt_notsupp_fname_disk_to_usr(struct inode *inode, 423 u32 hash, u32 minor_hash, 424 const struct fscrypt_str *iname, 425 struct fscrypt_str *oname) 426{ 427 return -EOPNOTSUPP; 428} 429 430static inline int fscrypt_notsupp_fname_usr_to_disk(struct inode *inode, 431 const struct qstr *iname, 432 struct fscrypt_str *oname) 433{ 434 return -EOPNOTSUPP; 435} 436#endif /* _LINUX_FSCRYPTO_H */