tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / fscrypto.h
at v4.8 11 kB view raw
1/* 2 * General per-file encryption definition 3 * 4 * Copyright (C) 2015, Google, Inc. 5 * 6 * Written by Michael Halcrow, 2015. 7 * Modified by Jaegeuk Kim, 2015. 8 */ 9 10#ifndef _LINUX_FSCRYPTO_H 11#define _LINUX_FSCRYPTO_H 12 13#include <linux/key.h> 14#include <linux/fs.h> 15#include <linux/mm.h> 16#include <linux/bio.h> 17#include <linux/dcache.h> 18#include <crypto/skcipher.h> 19#include <uapi/linux/fs.h> 20 21#define FS_KEY_DERIVATION_NONCE_SIZE 16 22#define FS_ENCRYPTION_CONTEXT_FORMAT_V1 1 23 24#define FS_POLICY_FLAGS_PAD_4 0x00 25#define FS_POLICY_FLAGS_PAD_8 0x01 26#define FS_POLICY_FLAGS_PAD_16 0x02 27#define FS_POLICY_FLAGS_PAD_32 0x03 28#define FS_POLICY_FLAGS_PAD_MASK 0x03 29#define FS_POLICY_FLAGS_VALID 0x03 30 31/* Encryption algorithms */ 32#define FS_ENCRYPTION_MODE_INVALID 0 33#define FS_ENCRYPTION_MODE_AES_256_XTS 1 34#define FS_ENCRYPTION_MODE_AES_256_GCM 2 35#define FS_ENCRYPTION_MODE_AES_256_CBC 3 36#define FS_ENCRYPTION_MODE_AES_256_CTS 4 37 38/** 39 * Encryption context for inode 40 * 41 * Protector format: 42 * 1 byte: Protector format (1 = this version) 43 * 1 byte: File contents encryption mode 44 * 1 byte: File names encryption mode 45 * 1 byte: Flags 46 * 8 bytes: Master Key descriptor 47 * 16 bytes: Encryption Key derivation nonce 48 */ 49struct fscrypt_context { 50 u8 format; 51 u8 contents_encryption_mode; 52 u8 filenames_encryption_mode; 53 u8 flags; 54 u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE]; 55 u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 56} __packed; 57 58/* Encryption parameters */ 59#define FS_XTS_TWEAK_SIZE 16 60#define FS_AES_128_ECB_KEY_SIZE 16 61#define FS_AES_256_GCM_KEY_SIZE 32 62#define FS_AES_256_CBC_KEY_SIZE 32 63#define FS_AES_256_CTS_KEY_SIZE 32 64#define FS_AES_256_XTS_KEY_SIZE 64 65#define FS_MAX_KEY_SIZE 64 66 67#define FS_KEY_DESC_PREFIX "fscrypt:" 68#define FS_KEY_DESC_PREFIX_SIZE 8 69 70/* This is passed in from userspace into the kernel keyring */ 71struct fscrypt_key { 72 u32 mode; 73 u8 raw[FS_MAX_KEY_SIZE]; 74 u32 size; 75} __packed; 76 77struct fscrypt_info { 78 u8 ci_data_mode; 79 u8 ci_filename_mode; 80 u8 ci_flags; 81 struct crypto_skcipher *ci_ctfm; 82 struct key *ci_keyring_key; 83 u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE]; 84}; 85 86#define FS_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001 87#define FS_WRITE_PATH_FL 0x00000002 88 89struct fscrypt_ctx { 90 union { 91 struct { 92 struct page *bounce_page; /* Ciphertext page */ 93 struct page *control_page; /* Original page */ 94 } w; 95 struct { 96 struct bio *bio; 97 struct work_struct work; 98 } r; 99 struct list_head free_list; /* Free list */ 100 }; 101 u8 flags; /* Flags */ 102 u8 mode; /* Encryption mode for tfm */ 103}; 104 105struct fscrypt_completion_result { 106 struct completion completion; 107 int res; 108}; 109 110#define DECLARE_FS_COMPLETION_RESULT(ecr) \ 111 struct fscrypt_completion_result ecr = { \ 112 COMPLETION_INITIALIZER((ecr).completion), 0 } 113 114static inline int fscrypt_key_size(int mode) 115{ 116 switch (mode) { 117 case FS_ENCRYPTION_MODE_AES_256_XTS: 118 return FS_AES_256_XTS_KEY_SIZE; 119 case FS_ENCRYPTION_MODE_AES_256_GCM: 120 return FS_AES_256_GCM_KEY_SIZE; 121 case FS_ENCRYPTION_MODE_AES_256_CBC: 122 return FS_AES_256_CBC_KEY_SIZE; 123 case FS_ENCRYPTION_MODE_AES_256_CTS: 124 return FS_AES_256_CTS_KEY_SIZE; 125 default: 126 BUG(); 127 } 128 return 0; 129} 130 131#define FS_FNAME_NUM_SCATTER_ENTRIES 4 132#define FS_CRYPTO_BLOCK_SIZE 16 133#define FS_FNAME_CRYPTO_DIGEST_SIZE 32 134 135/** 136 * For encrypted symlinks, the ciphertext length is stored at the beginning 137 * of the string in little-endian format. 138 */ 139struct fscrypt_symlink_data { 140 __le16 len; 141 char encrypted_path[1]; 142} __packed; 143 144/** 145 * This function is used to calculate the disk space required to 146 * store a filename of length l in encrypted symlink format. 147 */ 148static inline u32 fscrypt_symlink_data_len(u32 l) 149{ 150 if (l < FS_CRYPTO_BLOCK_SIZE) 151 l = FS_CRYPTO_BLOCK_SIZE; 152 return (l + sizeof(struct fscrypt_symlink_data) - 1); 153} 154 155struct fscrypt_str { 156 unsigned char *name; 157 u32 len; 158}; 159 160struct fscrypt_name { 161 const struct qstr *usr_fname; 162 struct fscrypt_str disk_name; 163 u32 hash; 164 u32 minor_hash; 165 struct fscrypt_str crypto_buf; 166}; 167 168#define FSTR_INIT(n, l) { .name = n, .len = l } 169#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) 170#define fname_name(p) ((p)->disk_name.name) 171#define fname_len(p) ((p)->disk_name.len) 172 173/* 174 * crypto opertions for filesystems 175 */ 176struct fscrypt_operations { 177 int (*get_context)(struct inode *, void *, size_t); 178 int (*key_prefix)(struct inode *, u8 **); 179 int (*prepare_context)(struct inode *); 180 int (*set_context)(struct inode *, const void *, size_t, void *); 181 int (*dummy_context)(struct inode *); 182 bool (*is_encrypted)(struct inode *); 183 bool (*empty_dir)(struct inode *); 184 unsigned (*max_namelen)(struct inode *); 185}; 186 187static inline bool fscrypt_dummy_context_enabled(struct inode *inode) 188{ 189 if (inode->i_sb->s_cop->dummy_context && 190 inode->i_sb->s_cop->dummy_context(inode)) 191 return true; 192 return false; 193} 194 195static inline bool fscrypt_valid_contents_enc_mode(u32 mode) 196{ 197 return (mode == FS_ENCRYPTION_MODE_AES_256_XTS); 198} 199 200static inline bool fscrypt_valid_filenames_enc_mode(u32 mode) 201{ 202 return (mode == FS_ENCRYPTION_MODE_AES_256_CTS); 203} 204 205static inline u32 fscrypt_validate_encryption_key_size(u32 mode, u32 size) 206{ 207 if (size == fscrypt_key_size(mode)) 208 return size; 209 return 0; 210} 211 212static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) 213{ 214 if (str->len == 1 && str->name[0] == '.') 215 return true; 216 217 if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') 218 return true; 219 220 return false; 221} 222 223static inline struct page *fscrypt_control_page(struct page *page) 224{ 225#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 226 return ((struct fscrypt_ctx *)page_private(page))->w.control_page; 227#else 228 WARN_ON_ONCE(1); 229 return ERR_PTR(-EINVAL); 230#endif 231} 232 233static inline int fscrypt_has_encryption_key(struct inode *inode) 234{ 235#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 236 return (inode->i_crypt_info != NULL); 237#else 238 return 0; 239#endif 240} 241 242static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry) 243{ 244#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 245 spin_lock(&dentry->d_lock); 246 dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY; 247 spin_unlock(&dentry->d_lock); 248#endif 249} 250 251#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 252extern const struct dentry_operations fscrypt_d_ops; 253#endif 254 255static inline void fscrypt_set_d_op(struct dentry *dentry) 256{ 257#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 258 d_set_d_op(dentry, &fscrypt_d_ops); 259#endif 260} 261 262#if IS_ENABLED(CONFIG_FS_ENCRYPTION) 263/* crypto.c */ 264extern struct kmem_cache *fscrypt_info_cachep; 265int fscrypt_initialize(void); 266 267extern struct fscrypt_ctx *fscrypt_get_ctx(struct inode *, gfp_t); 268extern void fscrypt_release_ctx(struct fscrypt_ctx *); 269extern struct page *fscrypt_encrypt_page(struct inode *, struct page *, gfp_t); 270extern int fscrypt_decrypt_page(struct page *); 271extern void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *, struct bio *); 272extern void fscrypt_pullback_bio_page(struct page **, bool); 273extern void fscrypt_restore_control_page(struct page *); 274extern int fscrypt_zeroout_range(struct inode *, pgoff_t, sector_t, 275 unsigned int); 276/* policy.c */ 277extern int fscrypt_process_policy(struct file *, const struct fscrypt_policy *); 278extern int fscrypt_get_policy(struct inode *, struct fscrypt_policy *); 279extern int fscrypt_has_permitted_context(struct inode *, struct inode *); 280extern int fscrypt_inherit_context(struct inode *, struct inode *, 281 void *, bool); 282/* keyinfo.c */ 283extern int get_crypt_info(struct inode *); 284extern int fscrypt_get_encryption_info(struct inode *); 285extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *); 286 287/* fname.c */ 288extern int fscrypt_setup_filename(struct inode *, const struct qstr *, 289 int lookup, struct fscrypt_name *); 290extern void fscrypt_free_filename(struct fscrypt_name *); 291extern u32 fscrypt_fname_encrypted_size(struct inode *, u32); 292extern int fscrypt_fname_alloc_buffer(struct inode *, u32, 293 struct fscrypt_str *); 294extern void fscrypt_fname_free_buffer(struct fscrypt_str *); 295extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32, 296 const struct fscrypt_str *, struct fscrypt_str *); 297extern int fscrypt_fname_usr_to_disk(struct inode *, const struct qstr *, 298 struct fscrypt_str *); 299#endif 300 301/* crypto.c */ 302static inline struct fscrypt_ctx *fscrypt_notsupp_get_ctx(struct inode *i, 303 gfp_t f) 304{ 305 return ERR_PTR(-EOPNOTSUPP); 306} 307 308static inline void fscrypt_notsupp_release_ctx(struct fscrypt_ctx *c) 309{ 310 return; 311} 312 313static inline struct page *fscrypt_notsupp_encrypt_page(struct inode *i, 314 struct page *p, gfp_t f) 315{ 316 return ERR_PTR(-EOPNOTSUPP); 317} 318 319static inline int fscrypt_notsupp_decrypt_page(struct page *p) 320{ 321 return -EOPNOTSUPP; 322} 323 324static inline void fscrypt_notsupp_decrypt_bio_pages(struct fscrypt_ctx *c, 325 struct bio *b) 326{ 327 return; 328} 329 330static inline void fscrypt_notsupp_pullback_bio_page(struct page **p, bool b) 331{ 332 return; 333} 334 335static inline void fscrypt_notsupp_restore_control_page(struct page *p) 336{ 337 return; 338} 339 340static inline int fscrypt_notsupp_zeroout_range(struct inode *i, pgoff_t p, 341 sector_t s, unsigned int f) 342{ 343 return -EOPNOTSUPP; 344} 345 346/* policy.c */ 347static inline int fscrypt_notsupp_process_policy(struct file *f, 348 const struct fscrypt_policy *p) 349{ 350 return -EOPNOTSUPP; 351} 352 353static inline int fscrypt_notsupp_get_policy(struct inode *i, 354 struct fscrypt_policy *p) 355{ 356 return -EOPNOTSUPP; 357} 358 359static inline int fscrypt_notsupp_has_permitted_context(struct inode *p, 360 struct inode *i) 361{ 362 return 0; 363} 364 365static inline int fscrypt_notsupp_inherit_context(struct inode *p, 366 struct inode *i, void *v, bool b) 367{ 368 return -EOPNOTSUPP; 369} 370 371/* keyinfo.c */ 372static inline int fscrypt_notsupp_get_encryption_info(struct inode *i) 373{ 374 return -EOPNOTSUPP; 375} 376 377static inline void fscrypt_notsupp_put_encryption_info(struct inode *i, 378 struct fscrypt_info *f) 379{ 380 return; 381} 382 383 /* fname.c */ 384static inline int fscrypt_notsupp_setup_filename(struct inode *dir, 385 const struct qstr *iname, 386 int lookup, struct fscrypt_name *fname) 387{ 388 if (dir->i_sb->s_cop->is_encrypted(dir)) 389 return -EOPNOTSUPP; 390 391 memset(fname, 0, sizeof(struct fscrypt_name)); 392 fname->usr_fname = iname; 393 fname->disk_name.name = (unsigned char *)iname->name; 394 fname->disk_name.len = iname->len; 395 return 0; 396} 397 398static inline void fscrypt_notsupp_free_filename(struct fscrypt_name *fname) 399{ 400 return; 401} 402 403static inline u32 fscrypt_notsupp_fname_encrypted_size(struct inode *i, u32 s) 404{ 405 /* never happens */ 406 WARN_ON(1); 407 return 0; 408} 409 410static inline int fscrypt_notsupp_fname_alloc_buffer(struct inode *inode, 411 u32 ilen, struct fscrypt_str *crypto_str) 412{ 413 return -EOPNOTSUPP; 414} 415 416static inline void fscrypt_notsupp_fname_free_buffer(struct fscrypt_str *c) 417{ 418 return; 419} 420 421static inline int fscrypt_notsupp_fname_disk_to_usr(struct inode *inode, 422 u32 hash, u32 minor_hash, 423 const struct fscrypt_str *iname, 424 struct fscrypt_str *oname) 425{ 426 return -EOPNOTSUPP; 427} 428 429static inline int fscrypt_notsupp_fname_usr_to_disk(struct inode *inode, 430 const struct qstr *iname, 431 struct fscrypt_str *oname) 432{ 433 return -EOPNOTSUPP; 434} 435#endif /* _LINUX_FSCRYPTO_H */