include/linux/fscrypto.h at v4.9 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / include / linux / fscrypto.h
at v4.9 10 kB view raw
  1/*
  2 * General per-file encryption definition
  3 *
  4 * Copyright (C) 2015, Google, Inc.
  5 *
  6 * Written by Michael Halcrow, 2015.
  7 * Modified by Jaegeuk Kim, 2015.
  8 */
  9
 10#ifndef _LINUX_FSCRYPTO_H
 11#define _LINUX_FSCRYPTO_H
 12
 13#include <linux/key.h>
 14#include <linux/fs.h>
 15#include <linux/mm.h>
 16#include <linux/bio.h>
 17#include <linux/dcache.h>
 18#include <crypto/skcipher.h>
 19#include <uapi/linux/fs.h>
 20
 21#define FS_KEY_DERIVATION_NONCE_SIZE		16
 22#define FS_ENCRYPTION_CONTEXT_FORMAT_V1		1
 23
 24#define FS_POLICY_FLAGS_PAD_4		0x00
 25#define FS_POLICY_FLAGS_PAD_8		0x01
 26#define FS_POLICY_FLAGS_PAD_16		0x02
 27#define FS_POLICY_FLAGS_PAD_32		0x03
 28#define FS_POLICY_FLAGS_PAD_MASK	0x03
 29#define FS_POLICY_FLAGS_VALID		0x03
 30
 31/* Encryption algorithms */
 32#define FS_ENCRYPTION_MODE_INVALID		0
 33#define FS_ENCRYPTION_MODE_AES_256_XTS		1
 34#define FS_ENCRYPTION_MODE_AES_256_GCM		2
 35#define FS_ENCRYPTION_MODE_AES_256_CBC		3
 36#define FS_ENCRYPTION_MODE_AES_256_CTS		4
 37
 38/**
 39 * Encryption context for inode
 40 *
 41 * Protector format:
 42 *  1 byte: Protector format (1 = this version)
 43 *  1 byte: File contents encryption mode
 44 *  1 byte: File names encryption mode
 45 *  1 byte: Flags
 46 *  8 bytes: Master Key descriptor
 47 *  16 bytes: Encryption Key derivation nonce
 48 */
 49struct fscrypt_context {
 50	u8 format;
 51	u8 contents_encryption_mode;
 52	u8 filenames_encryption_mode;
 53	u8 flags;
 54	u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
 55	u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
 56} __packed;
 57
 58/* Encryption parameters */
 59#define FS_XTS_TWEAK_SIZE		16
 60#define FS_AES_128_ECB_KEY_SIZE		16
 61#define FS_AES_256_GCM_KEY_SIZE		32
 62#define FS_AES_256_CBC_KEY_SIZE		32
 63#define FS_AES_256_CTS_KEY_SIZE		32
 64#define FS_AES_256_XTS_KEY_SIZE		64
 65#define FS_MAX_KEY_SIZE			64
 66
 67#define FS_KEY_DESC_PREFIX		"fscrypt:"
 68#define FS_KEY_DESC_PREFIX_SIZE		8
 69
 70/* This is passed in from userspace into the kernel keyring */
 71struct fscrypt_key {
 72	u32 mode;
 73	u8 raw[FS_MAX_KEY_SIZE];
 74	u32 size;
 75} __packed;
 76
 77struct fscrypt_info {
 78	u8 ci_data_mode;
 79	u8 ci_filename_mode;
 80	u8 ci_flags;
 81	struct crypto_skcipher *ci_ctfm;
 82	struct key *ci_keyring_key;
 83	u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE];
 84};
 85
 86#define FS_CTX_REQUIRES_FREE_ENCRYPT_FL		0x00000001
 87#define FS_WRITE_PATH_FL			0x00000002
 88
 89struct fscrypt_ctx {
 90	union {
 91		struct {
 92			struct page *bounce_page;	/* Ciphertext page */
 93			struct page *control_page;	/* Original page  */
 94		} w;
 95		struct {
 96			struct bio *bio;
 97			struct work_struct work;
 98		} r;
 99		struct list_head free_list;	/* Free list */
100	};
101	u8 flags;				/* Flags */
102	u8 mode;				/* Encryption mode for tfm */
103};
104
105struct fscrypt_completion_result {
106	struct completion completion;
107	int res;
108};
109
110#define DECLARE_FS_COMPLETION_RESULT(ecr) \
111	struct fscrypt_completion_result ecr = { \
112		COMPLETION_INITIALIZER((ecr).completion), 0 }
113
114#define FS_FNAME_NUM_SCATTER_ENTRIES	4
115#define FS_CRYPTO_BLOCK_SIZE		16
116#define FS_FNAME_CRYPTO_DIGEST_SIZE	32
117
118/**
119 * For encrypted symlinks, the ciphertext length is stored at the beginning
120 * of the string in little-endian format.
121 */
122struct fscrypt_symlink_data {
123	__le16 len;
124	char encrypted_path[1];
125} __packed;
126
127/**
128 * This function is used to calculate the disk space required to
129 * store a filename of length l in encrypted symlink format.
130 */
131static inline u32 fscrypt_symlink_data_len(u32 l)
132{
133	if (l < FS_CRYPTO_BLOCK_SIZE)
134		l = FS_CRYPTO_BLOCK_SIZE;
135	return (l + sizeof(struct fscrypt_symlink_data) - 1);
136}
137
138struct fscrypt_str {
139	unsigned char *name;
140	u32 len;
141};
142
143struct fscrypt_name {
144	const struct qstr *usr_fname;
145	struct fscrypt_str disk_name;
146	u32 hash;
147	u32 minor_hash;
148	struct fscrypt_str crypto_buf;
149};
150
151#define FSTR_INIT(n, l)		{ .name = n, .len = l }
152#define FSTR_TO_QSTR(f)		QSTR_INIT((f)->name, (f)->len)
153#define fname_name(p)		((p)->disk_name.name)
154#define fname_len(p)		((p)->disk_name.len)
155
156/*
157 * crypto opertions for filesystems
158 */
159struct fscrypt_operations {
160	int (*get_context)(struct inode *, void *, size_t);
161	int (*key_prefix)(struct inode *, u8 **);
162	int (*prepare_context)(struct inode *);
163	int (*set_context)(struct inode *, const void *, size_t, void *);
164	int (*dummy_context)(struct inode *);
165	bool (*is_encrypted)(struct inode *);
166	bool (*empty_dir)(struct inode *);
167	unsigned (*max_namelen)(struct inode *);
168};
169
170static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
171{
172	if (inode->i_sb->s_cop->dummy_context &&
173				inode->i_sb->s_cop->dummy_context(inode))
174		return true;
175	return false;
176}
177
178static inline bool fscrypt_valid_contents_enc_mode(u32 mode)
179{
180	return (mode == FS_ENCRYPTION_MODE_AES_256_XTS);
181}
182
183static inline bool fscrypt_valid_filenames_enc_mode(u32 mode)
184{
185	return (mode == FS_ENCRYPTION_MODE_AES_256_CTS);
186}
187
188static inline bool fscrypt_is_dot_dotdot(const struct qstr *str)
189{
190	if (str->len == 1 && str->name[0] == '.')
191		return true;
192
193	if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.')
194		return true;
195
196	return false;
197}
198
199static inline struct page *fscrypt_control_page(struct page *page)
200{
201#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
202	return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
203#else
204	WARN_ON_ONCE(1);
205	return ERR_PTR(-EINVAL);
206#endif
207}
208
209static inline int fscrypt_has_encryption_key(struct inode *inode)
210{
211#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
212	return (inode->i_crypt_info != NULL);
213#else
214	return 0;
215#endif
216}
217
218static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry)
219{
220#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
221	spin_lock(&dentry->d_lock);
222	dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY;
223	spin_unlock(&dentry->d_lock);
224#endif
225}
226
227#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
228extern const struct dentry_operations fscrypt_d_ops;
229#endif
230
231static inline void fscrypt_set_d_op(struct dentry *dentry)
232{
233#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
234	d_set_d_op(dentry, &fscrypt_d_ops);
235#endif
236}
237
238#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
239/* crypto.c */
240extern struct kmem_cache *fscrypt_info_cachep;
241int fscrypt_initialize(void);
242
243extern struct fscrypt_ctx *fscrypt_get_ctx(struct inode *, gfp_t);
244extern void fscrypt_release_ctx(struct fscrypt_ctx *);
245extern struct page *fscrypt_encrypt_page(struct inode *, struct page *, gfp_t);
246extern int fscrypt_decrypt_page(struct page *);
247extern void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *, struct bio *);
248extern void fscrypt_pullback_bio_page(struct page **, bool);
249extern void fscrypt_restore_control_page(struct page *);
250extern int fscrypt_zeroout_range(struct inode *, pgoff_t, sector_t,
251						unsigned int);
252/* policy.c */
253extern int fscrypt_process_policy(struct file *, const struct fscrypt_policy *);
254extern int fscrypt_get_policy(struct inode *, struct fscrypt_policy *);
255extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
256extern int fscrypt_inherit_context(struct inode *, struct inode *,
257					void *, bool);
258/* keyinfo.c */
259extern int get_crypt_info(struct inode *);
260extern int fscrypt_get_encryption_info(struct inode *);
261extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *);
262
263/* fname.c */
264extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
265				int lookup, struct fscrypt_name *);
266extern void fscrypt_free_filename(struct fscrypt_name *);
267extern u32 fscrypt_fname_encrypted_size(struct inode *, u32);
268extern int fscrypt_fname_alloc_buffer(struct inode *, u32,
269				struct fscrypt_str *);
270extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
271extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
272			const struct fscrypt_str *, struct fscrypt_str *);
273extern int fscrypt_fname_usr_to_disk(struct inode *, const struct qstr *,
274			struct fscrypt_str *);
275#endif
276
277/* crypto.c */
278static inline struct fscrypt_ctx *fscrypt_notsupp_get_ctx(struct inode *i,
279							gfp_t f)
280{
281	return ERR_PTR(-EOPNOTSUPP);
282}
283
284static inline void fscrypt_notsupp_release_ctx(struct fscrypt_ctx *c)
285{
286	return;
287}
288
289static inline struct page *fscrypt_notsupp_encrypt_page(struct inode *i,
290						struct page *p, gfp_t f)
291{
292	return ERR_PTR(-EOPNOTSUPP);
293}
294
295static inline int fscrypt_notsupp_decrypt_page(struct page *p)
296{
297	return -EOPNOTSUPP;
298}
299
300static inline void fscrypt_notsupp_decrypt_bio_pages(struct fscrypt_ctx *c,
301						struct bio *b)
302{
303	return;
304}
305
306static inline void fscrypt_notsupp_pullback_bio_page(struct page **p, bool b)
307{
308	return;
309}
310
311static inline void fscrypt_notsupp_restore_control_page(struct page *p)
312{
313	return;
314}
315
316static inline int fscrypt_notsupp_zeroout_range(struct inode *i, pgoff_t p,
317					sector_t s, unsigned int f)
318{
319	return -EOPNOTSUPP;
320}
321
322/* policy.c */
323static inline int fscrypt_notsupp_process_policy(struct file *f,
324				const struct fscrypt_policy *p)
325{
326	return -EOPNOTSUPP;
327}
328
329static inline int fscrypt_notsupp_get_policy(struct inode *i,
330				struct fscrypt_policy *p)
331{
332	return -EOPNOTSUPP;
333}
334
335static inline int fscrypt_notsupp_has_permitted_context(struct inode *p,
336				struct inode *i)
337{
338	return 0;
339}
340
341static inline int fscrypt_notsupp_inherit_context(struct inode *p,
342				struct inode *i, void *v, bool b)
343{
344	return -EOPNOTSUPP;
345}
346
347/* keyinfo.c */
348static inline int fscrypt_notsupp_get_encryption_info(struct inode *i)
349{
350	return -EOPNOTSUPP;
351}
352
353static inline void fscrypt_notsupp_put_encryption_info(struct inode *i,
354					struct fscrypt_info *f)
355{
356	return;
357}
358
359 /* fname.c */
360static inline int fscrypt_notsupp_setup_filename(struct inode *dir,
361			const struct qstr *iname,
362			int lookup, struct fscrypt_name *fname)
363{
364	if (dir->i_sb->s_cop->is_encrypted(dir))
365		return -EOPNOTSUPP;
366
367	memset(fname, 0, sizeof(struct fscrypt_name));
368	fname->usr_fname = iname;
369	fname->disk_name.name = (unsigned char *)iname->name;
370	fname->disk_name.len = iname->len;
371	return 0;
372}
373
374static inline void fscrypt_notsupp_free_filename(struct fscrypt_name *fname)
375{
376	return;
377}
378
379static inline u32 fscrypt_notsupp_fname_encrypted_size(struct inode *i, u32 s)
380{
381	/* never happens */
382	WARN_ON(1);
383	return 0;
384}
385
386static inline int fscrypt_notsupp_fname_alloc_buffer(struct inode *inode,
387				u32 ilen, struct fscrypt_str *crypto_str)
388{
389	return -EOPNOTSUPP;
390}
391
392static inline void fscrypt_notsupp_fname_free_buffer(struct fscrypt_str *c)
393{
394	return;
395}
396
397static inline int fscrypt_notsupp_fname_disk_to_usr(struct inode *inode,
398			u32 hash, u32 minor_hash,
399			const struct fscrypt_str *iname,
400			struct fscrypt_str *oname)
401{
402	return -EOPNOTSUPP;
403}
404
405static inline int fscrypt_notsupp_fname_usr_to_disk(struct inode *inode,
406			const struct qstr *iname,
407			struct fscrypt_str *oname)
408{
409	return -EOPNOTSUPP;
410}
411#endif	/* _LINUX_FSCRYPTO_H */