tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fscrypt: support crypto data unit size less than filesystem block size

Until now, fscrypt has always used the filesystem block size as the
granularity of file contents encryption. Two scenarios have come up
where a sub-block granularity of contents encryption would be useful:

1. Inline crypto hardware that only supports a crypto data unit size
that is less than the filesystem block size.

2. Support for direct I/O at a granularity less than the filesystem
block size, for example at the block device's logical block size in
order to match the traditional direct I/O alignment requirement.

(1) first came up with older eMMC inline crypto hardware that only
supports a crypto data unit size of 512 bytes. That specific case
ultimately went away because all systems with that hardware continued
using out of tree code and never actually upgraded to the upstream
inline crypto framework. But, now it's coming back in a new way: some
current UFS controllers only support a data unit size of 4096 bytes, and
there is a proposal to increase the filesystem block size to 16K.

(2) was discussed as a "nice to have" feature, though not essential,
when support for direct I/O on encrypted files was being upstreamed.

Still, the fact that this feature has come up several times does suggest
it would be wise to have available. Therefore, this patch implements it
by using one of the reserved bytes in fscrypt_policy_v2 to allow users
to select a sub-block data unit size. Supported data unit sizes are
powers of 2 between 512 and the filesystem block size, inclusively.
Support is implemented for both the FS-layer and inline crypto cases.

This patch focuses on the basic support for sub-block data units. Some
things are out of scope for this patch but may be addressed later:

- Supporting sub-block data units in combination with
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, in most cases. Unfortunately this
combination usually causes data unit indices to exceed 32 bits, and
thus fscrypt_supported_policy() correctly disallows it. The users who
potentially need this combination are using f2fs. To support it, f2fs
would need to provide an option to slightly reduce its max file size.

- Supporting sub-block data units in combination with
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32. This has the same problem
described above, but also it will need special code to make DUN
wraparound still happen on a FS block boundary.

- Supporting use case (2) mentioned above. The encrypted direct I/O
code will need to stop requiring and assuming FS block alignment.
This won't be hard, but it belongs in a separate patch.

- Supporting this feature on filesystems other than ext4 and f2fs.
(Filesystems declare support for it via their fscrypt_operations.)
On UBIFS, sub-block data units don't make sense because UBIFS encrypts
variable-length blocks as a result of compression. CephFS could
support it, but a bit more work would be needed to make the
fscrypt_*_block_inplace functions play nicely with sub-block data
units. I don't think there's a use case for this on CephFS anyway.

Link: https://lore.kernel.org/r/20230925055451.59499-6-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>

Eric Biggers 5b118884 7a0263dc

+282 -127
+80 -25
Documentation/filesystems/fscrypt.rst
··· 261 261 262 262 The Adiantum encryption mode (see `Encryption modes and usage`_) is 263 263 suitable for both contents and filenames encryption, and it accepts 264 - long IVs --- long enough to hold both an 8-byte logical block number 265 - and a 16-byte per-file nonce. Also, the overhead of each Adiantum key 266 - is greater than that of an AES-256-XTS key. 264 + long IVs --- long enough to hold both an 8-byte data unit index and a 265 + 16-byte per-file nonce. Also, the overhead of each Adiantum key is 266 + greater than that of an AES-256-XTS key. 267 267 268 268 Therefore, to improve performance and save memory, for Adiantum a 269 269 "direct key" configuration is supported. When the user has enabled ··· 300 300 301 301 IV_INO_LBLK_32 policies work like IV_INO_LBLK_64, except that for 302 302 IV_INO_LBLK_32, the inode number is hashed with SipHash-2-4 (where the 303 - SipHash key is derived from the master key) and added to the file 304 - logical block number mod 2^32 to produce a 32-bit IV. 303 + SipHash key is derived from the master key) and added to the file data 304 + unit index mod 2^32 to produce a 32-bit IV. 305 305 306 306 This format is optimized for use with inline encryption hardware 307 307 compliant with the eMMC v5.2 standard, which supports only 32 IV bits ··· 451 451 Contents encryption 452 452 ------------------- 453 453 454 - For file contents, each filesystem block is encrypted independently. 455 - Starting from Linux kernel 5.5, encryption of filesystems with block 456 - size less than system's page size is supported. 454 + For contents encryption, each file's contents is divided into "data 455 + units". Each data unit is encrypted independently. The IV for each 456 + data unit incorporates the zero-based index of the data unit within 457 + the file. This ensures that each data unit within a file is encrypted 458 + differently, which is essential to prevent leaking information. 457 459 458 - Each block's IV is set to the logical block number within the file as 459 - a little endian number, except that: 460 + Note: the encryption depending on the offset into the file means that 461 + operations like "collapse range" and "insert range" that rearrange the 462 + extent mapping of files are not supported on encrypted files. 460 463 461 - - With CBC mode encryption, ESSIV is also used. Specifically, each IV 462 - is encrypted with AES-256 where the AES-256 key is the SHA-256 hash 463 - of the file's data encryption key. 464 + There are two cases for the sizes of the data units: 464 465 465 - - With `DIRECT_KEY policies`_, the file's nonce is appended to the IV. 466 - Currently this is only allowed with the Adiantum encryption mode. 466 + * Fixed-size data units. This is how all filesystems other than UBIFS 467 + work. A file's data units are all the same size; the last data unit 468 + is zero-padded if needed. By default, the data unit size is equal 469 + to the filesystem block size. On some filesystems, users can select 470 + a sub-block data unit size via the ``log2_data_unit_size`` field of 471 + the encryption policy; see `FS_IOC_SET_ENCRYPTION_POLICY`_. 467 472 468 - - With `IV_INO_LBLK_64 policies`_, the logical block number is limited 469 - to 32 bits and is placed in bits 0-31 of the IV. The inode number 470 - (which is also limited to 32 bits) is placed in bits 32-63. 473 + * Variable-size data units. This is what UBIFS does. Each "UBIFS 474 + data node" is treated as a crypto data unit. Each contains variable 475 + length, possibly compressed data, zero-padded to the next 16-byte 476 + boundary. Users cannot select a sub-block data unit size on UBIFS. 471 477 472 - - With `IV_INO_LBLK_32 policies`_, the logical block number is limited 473 - to 32 bits and is placed in bits 0-31 of the IV. The inode number 474 - is then hashed and added mod 2^32. 478 + In the case of compression + encryption, the compressed data is 479 + encrypted. UBIFS compression works as described above. f2fs 480 + compression works a bit differently; it compresses a number of 481 + filesystem blocks into a smaller number of filesystem blocks. 482 + Therefore a f2fs-compressed file still uses fixed-size data units, and 483 + it is encrypted in a similar way to a file containing holes. 475 484 476 - Note that because file logical block numbers are included in the IVs, 477 - filesystems must enforce that blocks are never shifted around within 478 - encrypted files, e.g. via "collapse range" or "insert range". 485 + As mentioned in `Key hierarchy`_, the default encryption setting uses 486 + per-file keys. In this case, the IV for each data unit is simply the 487 + index of the data unit in the file. However, users can select an 488 + encryption setting that does not use per-file keys. For these, some 489 + kind of file identifier is incorporated into the IVs as follows: 490 + 491 + - With `DIRECT_KEY policies`_, the data unit index is placed in bits 492 + 0-63 of the IV, and the file's nonce is placed in bits 64-191. 493 + 494 + - With `IV_INO_LBLK_64 policies`_, the data unit index is placed in 495 + bits 0-31 of the IV, and the file's inode number is placed in bits 496 + 32-63. This setting is only allowed when data unit indices and 497 + inode numbers fit in 32 bits. 498 + 499 + - With `IV_INO_LBLK_32 policies`_, the file's inode number is hashed 500 + and added to the data unit index. The resulting value is truncated 501 + to 32 bits and placed in bits 0-31 of the IV. This setting is only 502 + allowed when data unit indices and inode numbers fit in 32 bits. 503 + 504 + The byte order of the IV is always little endian. 505 + 506 + If the user selects FSCRYPT_MODE_AES_128_CBC for the contents mode, an 507 + ESSIV layer is automatically included. In this case, before the IV is 508 + passed to AES-128-CBC, it is encrypted with AES-256 where the AES-256 509 + key is the SHA-256 hash of the file's contents encryption key. 479 510 480 511 Filenames encryption 481 512 -------------------- ··· 575 544 __u8 contents_encryption_mode; 576 545 __u8 filenames_encryption_mode; 577 546 __u8 flags; 578 - __u8 __reserved[4]; 547 + __u8 log2_data_unit_size; 548 + __u8 __reserved[3]; 579 549 __u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 580 550 }; 581 551 ··· 617 585 618 586 The DIRECT_KEY, IV_INO_LBLK_64, and IV_INO_LBLK_32 flags are 619 587 mutually exclusive. 588 + 589 + - ``log2_data_unit_size`` is the log2 of the data unit size in bytes, 590 + or 0 to select the default data unit size. The data unit size is 591 + the granularity of file contents encryption. For example, setting 592 + ``log2_data_unit_size`` to 12 causes file contents be passed to the 593 + underlying encryption algorithm (such as AES-256-XTS) in 4096-byte 594 + data units, each with its own IV. 595 + 596 + Not all filesystems support setting ``log2_data_unit_size``. ext4 597 + and f2fs support it since Linux v6.7. On filesystems that support 598 + it, the supported nonzero values are 9 through the log2 of the 599 + filesystem block size, inclusively. The default value of 0 selects 600 + the filesystem block size. 601 + 602 + The main use case for ``log2_data_unit_size`` is for selecting a 603 + data unit size smaller than the filesystem block size for 604 + compatibility with inline encryption hardware that only supports 605 + smaller data unit sizes. ``/sys/block/$disk/queue/crypto/`` may be 606 + useful for checking which data unit sizes are supported by a 607 + particular system's inline encryption hardware. 608 + 609 + Leave this field zeroed unless you are certain you need it. Using 610 + an unnecessarily small data unit size reduces performance. 620 611 621 612 - For v2 encryption policies, ``__reserved`` must be zeroed. 622 613
+22 -17
fs/crypto/bio.c
··· 111 111 int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk, 112 112 sector_t pblk, unsigned int len) 113 113 { 114 - const unsigned int blockbits = inode->i_blkbits; 115 - const unsigned int blocksize = 1 << blockbits; 116 - const unsigned int blocks_per_page_bits = PAGE_SHIFT - blockbits; 117 - const unsigned int blocks_per_page = 1 << blocks_per_page_bits; 114 + const struct fscrypt_info *ci = inode->i_crypt_info; 115 + const unsigned int du_bits = ci->ci_data_unit_bits; 116 + const unsigned int du_size = 1U << du_bits; 117 + const unsigned int du_per_page_bits = PAGE_SHIFT - du_bits; 118 + const unsigned int du_per_page = 1U << du_per_page_bits; 119 + u64 du_index = (u64)lblk << (inode->i_blkbits - du_bits); 120 + u64 du_remaining = (u64)len << (inode->i_blkbits - du_bits); 121 + sector_t sector = pblk << (inode->i_blkbits - SECTOR_SHIFT); 118 122 struct page *pages[16]; /* write up to 16 pages at a time */ 119 123 unsigned int nr_pages; 120 124 unsigned int i; ··· 134 130 len); 135 131 136 132 BUILD_BUG_ON(ARRAY_SIZE(pages) > BIO_MAX_VECS); 137 - nr_pages = min_t(unsigned int, ARRAY_SIZE(pages), 138 - (len + blocks_per_page - 1) >> blocks_per_page_bits); 133 + nr_pages = min_t(u64, ARRAY_SIZE(pages), 134 + (du_remaining + du_per_page - 1) >> du_per_page_bits); 139 135 140 136 /* 141 137 * We need at least one page for ciphertext. Allocate the first one ··· 158 154 bio = bio_alloc(inode->i_sb->s_bdev, nr_pages, REQ_OP_WRITE, GFP_NOFS); 159 155 160 156 do { 161 - bio->bi_iter.bi_sector = pblk << (blockbits - 9); 157 + bio->bi_iter.bi_sector = sector; 162 158 163 159 i = 0; 164 160 offset = 0; 165 161 do { 166 - err = fscrypt_crypt_block(inode, FS_ENCRYPT, lblk, 167 - ZERO_PAGE(0), pages[i], 168 - blocksize, offset, GFP_NOFS); 162 + err = fscrypt_crypt_data_unit(ci, FS_ENCRYPT, du_index, 163 + ZERO_PAGE(0), pages[i], 164 + du_size, offset, 165 + GFP_NOFS); 169 166 if (err) 170 167 goto out; 171 - lblk++; 172 - pblk++; 173 - len--; 174 - offset += blocksize; 175 - if (offset == PAGE_SIZE || len == 0) { 168 + du_index++; 169 + sector += 1U << (du_bits - SECTOR_SHIFT); 170 + du_remaining--; 171 + offset += du_size; 172 + if (offset == PAGE_SIZE || du_remaining == 0) { 176 173 ret = bio_add_page(bio, pages[i++], offset, 0); 177 174 if (WARN_ON_ONCE(ret != offset)) { 178 175 err = -EIO; ··· 181 176 } 182 177 offset = 0; 183 178 } 184 - } while (i != nr_pages && len != 0); 179 + } while (i != nr_pages && du_remaining != 0); 185 180 186 181 err = submit_bio_wait(bio); 187 182 if (err) 188 183 goto out; 189 184 bio_reset(bio, inode->i_sb->s_bdev, REQ_OP_WRITE); 190 - } while (len != 0); 185 + } while (du_remaining != 0); 191 186 err = 0; 192 187 out: 193 188 bio_put(bio);
+75 -64
fs/crypto/crypto.c
··· 77 77 EXPORT_SYMBOL(fscrypt_free_bounce_page); 78 78 79 79 /* 80 - * Generate the IV for the given logical block number within the given file. 81 - * For filenames encryption, lblk_num == 0. 80 + * Generate the IV for the given data unit index within the given file. 81 + * For filenames encryption, index == 0. 82 82 * 83 83 * Keep this in sync with fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() 84 84 * needs to know about any IV generation methods where the low bits of IV don't 85 - * simply contain the lblk_num (e.g., IV_INO_LBLK_32). 85 + * simply contain the data unit index (e.g., IV_INO_LBLK_32). 86 86 */ 87 - void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, 87 + void fscrypt_generate_iv(union fscrypt_iv *iv, u64 index, 88 88 const struct fscrypt_info *ci) 89 89 { 90 90 u8 flags = fscrypt_policy_flags(&ci->ci_policy); ··· 92 92 memset(iv, 0, ci->ci_mode->ivsize); 93 93 94 94 if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) { 95 - WARN_ON_ONCE(lblk_num > U32_MAX); 95 + WARN_ON_ONCE(index > U32_MAX); 96 96 WARN_ON_ONCE(ci->ci_inode->i_ino > U32_MAX); 97 - lblk_num |= (u64)ci->ci_inode->i_ino << 32; 97 + index |= (u64)ci->ci_inode->i_ino << 32; 98 98 } else if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) { 99 - WARN_ON_ONCE(lblk_num > U32_MAX); 100 - lblk_num = (u32)(ci->ci_hashed_ino + lblk_num); 99 + WARN_ON_ONCE(index > U32_MAX); 100 + index = (u32)(ci->ci_hashed_ino + index); 101 101 } else if (flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { 102 102 memcpy(iv->nonce, ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE); 103 103 } 104 - iv->lblk_num = cpu_to_le64(lblk_num); 104 + iv->index = cpu_to_le64(index); 105 105 } 106 106 107 - /* Encrypt or decrypt a single filesystem block of file contents */ 108 - int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw, 109 - u64 lblk_num, struct page *src_page, 110 - struct page *dest_page, unsigned int len, 111 - unsigned int offs, gfp_t gfp_flags) 107 + /* Encrypt or decrypt a single "data unit" of file contents. */ 108 + int fscrypt_crypt_data_unit(const struct fscrypt_info *ci, 109 + fscrypt_direction_t rw, u64 index, 110 + struct page *src_page, struct page *dest_page, 111 + unsigned int len, unsigned int offs, 112 + gfp_t gfp_flags) 112 113 { 113 114 union fscrypt_iv iv; 114 115 struct skcipher_request *req = NULL; 115 116 DECLARE_CRYPTO_WAIT(wait); 116 117 struct scatterlist dst, src; 117 - struct fscrypt_info *ci = inode->i_crypt_info; 118 118 struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; 119 119 int res = 0; 120 120 ··· 123 123 if (WARN_ON_ONCE(len % FSCRYPT_CONTENTS_ALIGNMENT != 0)) 124 124 return -EINVAL; 125 125 126 - fscrypt_generate_iv(&iv, lblk_num, ci); 126 + fscrypt_generate_iv(&iv, index, ci); 127 127 128 128 req = skcipher_request_alloc(tfm, gfp_flags); 129 129 if (!req) ··· 144 144 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 145 145 skcipher_request_free(req); 146 146 if (res) { 147 - fscrypt_err(inode, "%scryption failed for block %llu: %d", 148 - (rw == FS_DECRYPT ? "De" : "En"), lblk_num, res); 147 + fscrypt_err(ci->ci_inode, 148 + "%scryption failed for data unit %llu: %d", 149 + (rw == FS_DECRYPT ? "De" : "En"), index, res); 149 150 return res; 150 151 } 151 152 return 0; 152 153 } 153 154 154 155 /** 155 - * fscrypt_encrypt_pagecache_blocks() - Encrypt filesystem blocks from a 156 - * pagecache page 157 - * @page: The locked pagecache page containing the block(s) to encrypt 158 - * @len: Total size of the block(s) to encrypt. Must be a nonzero 159 - * multiple of the filesystem's block size. 160 - * @offs: Byte offset within @page of the first block to encrypt. Must be 161 - * a multiple of the filesystem's block size. 162 - * @gfp_flags: Memory allocation flags. See details below. 156 + * fscrypt_encrypt_pagecache_blocks() - Encrypt data from a pagecache page 157 + * @page: the locked pagecache page containing the data to encrypt 158 + * @len: size of the data to encrypt, in bytes 159 + * @offs: offset within @page of the data to encrypt, in bytes 160 + * @gfp_flags: memory allocation flags; see details below 163 161 * 164 - * A new bounce page is allocated, and the specified block(s) are encrypted into 165 - * it. In the bounce page, the ciphertext block(s) will be located at the same 166 - * offsets at which the plaintext block(s) were located in the source page; any 167 - * other parts of the bounce page will be left uninitialized. However, normally 168 - * blocksize == PAGE_SIZE and the whole page is encrypted at once. 162 + * This allocates a new bounce page and encrypts the given data into it. The 163 + * length and offset of the data must be aligned to the file's crypto data unit 164 + * size. Alignment to the filesystem block size fulfills this requirement, as 165 + * the filesystem block size is always a multiple of the data unit size. 166 + * 167 + * In the bounce page, the ciphertext data will be located at the same offset at 168 + * which the plaintext data was located in the source page. Any other parts of 169 + * the bounce page will be left uninitialized. 169 170 * 170 171 * This is for use by the filesystem's ->writepages() method. 171 172 * ··· 184 183 185 184 { 186 185 const struct inode *inode = page->mapping->host; 187 - const unsigned int blockbits = inode->i_blkbits; 188 - const unsigned int blocksize = 1 << blockbits; 186 + const struct fscrypt_info *ci = inode->i_crypt_info; 187 + const unsigned int du_bits = ci->ci_data_unit_bits; 188 + const unsigned int du_size = 1U << du_bits; 189 189 struct page *ciphertext_page; 190 - u64 lblk_num = ((u64)page->index << (PAGE_SHIFT - blockbits)) + 191 - (offs >> blockbits); 190 + u64 index = ((u64)page->index << (PAGE_SHIFT - du_bits)) + 191 + (offs >> du_bits); 192 192 unsigned int i; 193 193 int err; 194 194 195 195 if (WARN_ON_ONCE(!PageLocked(page))) 196 196 return ERR_PTR(-EINVAL); 197 197 198 - if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize))) 198 + if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, du_size))) 199 199 return ERR_PTR(-EINVAL); 200 200 201 201 ciphertext_page = fscrypt_alloc_bounce_page(gfp_flags); 202 202 if (!ciphertext_page) 203 203 return ERR_PTR(-ENOMEM); 204 204 205 - for (i = offs; i < offs + len; i += blocksize, lblk_num++) { 206 - err = fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num, 207 - page, ciphertext_page, 208 - blocksize, i, gfp_flags); 205 + for (i = offs; i < offs + len; i += du_size, index++) { 206 + err = fscrypt_crypt_data_unit(ci, FS_ENCRYPT, index, 207 + page, ciphertext_page, 208 + du_size, i, gfp_flags); 209 209 if (err) { 210 210 fscrypt_free_bounce_page(ciphertext_page); 211 211 return ERR_PTR(err); ··· 233 231 * arbitrary page, not necessarily in the original pagecache page. The @inode 234 232 * and @lblk_num must be specified, as they can't be determined from @page. 235 233 * 234 + * This is not compatible with fscrypt_operations::supports_subblock_data_units. 235 + * 236 236 * Return: 0 on success; -errno on failure 237 237 */ 238 238 int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page, 239 239 unsigned int len, unsigned int offs, 240 240 u64 lblk_num, gfp_t gfp_flags) 241 241 { 242 - return fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num, page, page, 243 - len, offs, gfp_flags); 242 + if (WARN_ON_ONCE(inode->i_sb->s_cop->supports_subblock_data_units)) 243 + return -EOPNOTSUPP; 244 + return fscrypt_crypt_data_unit(inode->i_crypt_info, FS_ENCRYPT, 245 + lblk_num, page, page, len, offs, 246 + gfp_flags); 244 247 } 245 248 EXPORT_SYMBOL(fscrypt_encrypt_block_inplace); 246 249 247 250 /** 248 - * fscrypt_decrypt_pagecache_blocks() - Decrypt filesystem blocks in a 249 - * pagecache folio 250 - * @folio: The locked pagecache folio containing the block(s) to decrypt 251 - * @len: Total size of the block(s) to decrypt. Must be a nonzero 252 - * multiple of the filesystem's block size. 253 - * @offs: Byte offset within @folio of the first block to decrypt. Must be 254 - * a multiple of the filesystem's block size. 251 + * fscrypt_decrypt_pagecache_blocks() - Decrypt data from a pagecache folio 252 + * @folio: the pagecache folio containing the data to decrypt 253 + * @len: size of the data to decrypt, in bytes 254 + * @offs: offset within @folio of the data to decrypt, in bytes 255 255 * 256 - * The specified block(s) are decrypted in-place within the pagecache folio, 257 - * which must still be locked and not uptodate. 258 - * 259 - * This is for use by the filesystem's ->readahead() method. 256 + * Decrypt data that has just been read from an encrypted file. The data must 257 + * be located in a pagecache folio that is still locked and not yet uptodate. 258 + * The length and offset of the data must be aligned to the file's crypto data 259 + * unit size. Alignment to the filesystem block size fulfills this requirement, 260 + * as the filesystem block size is always a multiple of the data unit size. 260 261 * 261 262 * Return: 0 on success; -errno on failure 262 263 */ ··· 267 262 size_t offs) 268 263 { 269 264 const struct inode *inode = folio->mapping->host; 270 - const unsigned int blockbits = inode->i_blkbits; 271 - const unsigned int blocksize = 1 << blockbits; 272 - u64 lblk_num = ((u64)folio->index << (PAGE_SHIFT - blockbits)) + 273 - (offs >> blockbits); 265 + const struct fscrypt_info *ci = inode->i_crypt_info; 266 + const unsigned int du_bits = ci->ci_data_unit_bits; 267 + const unsigned int du_size = 1U << du_bits; 268 + u64 index = ((u64)folio->index << (PAGE_SHIFT - du_bits)) + 269 + (offs >> du_bits); 274 270 size_t i; 275 271 int err; 276 272 277 273 if (WARN_ON_ONCE(!folio_test_locked(folio))) 278 274 return -EINVAL; 279 275 280 - if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize))) 276 + if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, du_size))) 281 277 return -EINVAL; 282 278 283 - for (i = offs; i < offs + len; i += blocksize, lblk_num++) { 279 + for (i = offs; i < offs + len; i += du_size, index++) { 284 280 struct page *page = folio_page(folio, i >> PAGE_SHIFT); 285 281 286 - err = fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page, 287 - page, blocksize, i & ~PAGE_MASK, 288 - GFP_NOFS); 282 + err = fscrypt_crypt_data_unit(ci, FS_DECRYPT, index, page, 283 + page, du_size, i & ~PAGE_MASK, 284 + GFP_NOFS); 289 285 if (err) 290 286 return err; 291 287 } ··· 308 302 * arbitrary page, not necessarily in the original pagecache page. The @inode 309 303 * and @lblk_num must be specified, as they can't be determined from @page. 310 304 * 305 + * This is not compatible with fscrypt_operations::supports_subblock_data_units. 306 + * 311 307 * Return: 0 on success; -errno on failure 312 308 */ 313 309 int fscrypt_decrypt_block_inplace(const struct inode *inode, struct page *page, 314 310 unsigned int len, unsigned int offs, 315 311 u64 lblk_num) 316 312 { 317 - return fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page, page, 318 - len, offs, GFP_NOFS); 313 + if (WARN_ON_ONCE(inode->i_sb->s_cop->supports_subblock_data_units)) 314 + return -EOPNOTSUPP; 315 + return fscrypt_crypt_data_unit(inode->i_crypt_info, FS_DECRYPT, 316 + lblk_num, page, page, len, offs, 317 + GFP_NOFS); 319 318 } 320 319 EXPORT_SYMBOL(fscrypt_decrypt_block_inplace); 321 320
+44 -12
fs/crypto/fscrypt_private.h
··· 47 47 u8 contents_encryption_mode; 48 48 u8 filenames_encryption_mode; 49 49 u8 flags; 50 - u8 __reserved[4]; 50 + u8 log2_data_unit_size; 51 + u8 __reserved[3]; 51 52 u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 52 53 u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; 53 54 }; ··· 166 165 BUG(); 167 166 } 168 167 168 + static inline int 169 + fscrypt_policy_v2_du_bits(const struct fscrypt_policy_v2 *policy, 170 + const struct inode *inode) 171 + { 172 + return policy->log2_data_unit_size ?: inode->i_blkbits; 173 + } 174 + 175 + static inline int 176 + fscrypt_policy_du_bits(const union fscrypt_policy *policy, 177 + const struct inode *inode) 178 + { 179 + switch (policy->version) { 180 + case FSCRYPT_POLICY_V1: 181 + return inode->i_blkbits; 182 + case FSCRYPT_POLICY_V2: 183 + return fscrypt_policy_v2_du_bits(&policy->v2, inode); 184 + } 185 + BUG(); 186 + } 187 + 169 188 /* 170 189 * For encrypted symlinks, the ciphertext length is stored at the beginning 171 190 * of the string in little-endian format. ··· 231 210 */ 232 211 bool ci_inlinecrypt; 233 212 #endif 213 + 214 + /* 215 + * log2 of the data unit size (granularity of contents encryption) of 216 + * this file. This is computable from ci_policy and ci_inode but is 217 + * cached here for efficiency. Only used for regular files. 218 + */ 219 + u8 ci_data_unit_bits; 220 + 221 + /* Cached value: log2 of number of data units per FS block */ 222 + u8 ci_data_units_per_block_bits; 234 223 235 224 /* 236 225 * Encryption mode used for this inode. It corresponds to either the ··· 296 265 /* crypto.c */ 297 266 extern struct kmem_cache *fscrypt_info_cachep; 298 267 int fscrypt_initialize(struct super_block *sb); 299 - int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw, 300 - u64 lblk_num, struct page *src_page, 301 - struct page *dest_page, unsigned int len, 302 - unsigned int offs, gfp_t gfp_flags); 268 + int fscrypt_crypt_data_unit(const struct fscrypt_info *ci, 269 + fscrypt_direction_t rw, u64 index, 270 + struct page *src_page, struct page *dest_page, 271 + unsigned int len, unsigned int offs, 272 + gfp_t gfp_flags); 303 273 struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags); 304 274 305 275 void __printf(3, 4) __cold ··· 315 283 316 284 union fscrypt_iv { 317 285 struct { 318 - /* logical block number within the file */ 319 - __le64 lblk_num; 286 + /* zero-based index of data unit within the file */ 287 + __le64 index; 320 288 321 289 /* per-file nonce; only set in DIRECT_KEY mode */ 322 290 u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; ··· 325 293 __le64 dun[FSCRYPT_MAX_IV_SIZE / sizeof(__le64)]; 326 294 }; 327 295 328 - void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, 296 + void fscrypt_generate_iv(union fscrypt_iv *iv, u64 index, 329 297 const struct fscrypt_info *ci); 330 298 331 299 /* 332 - * Return the number of bits used by the maximum file logical block number that 333 - * is possible on the given filesystem. 300 + * Return the number of bits used by the maximum file data unit index that is 301 + * possible on the given filesystem, using the given log2 data unit size. 334 302 */ 335 303 static inline int 336 - fscrypt_max_file_lblk_bits(const struct super_block *sb) 304 + fscrypt_max_file_dun_bits(const struct super_block *sb, int du_bits) 337 305 { 338 - return fls64(sb->s_maxbytes - 1) - sb->s_blocksize_bits; 306 + return fls64(sb->s_maxbytes - 1) - du_bits; 339 307 } 340 308 341 309 /* fname.c */
+9 -5
fs/crypto/inline_crypt.c
··· 43 43 { 44 44 const struct super_block *sb = ci->ci_inode->i_sb; 45 45 unsigned int flags = fscrypt_policy_flags(&ci->ci_policy); 46 + int dun_bits; 46 47 47 48 if (flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) 48 49 return offsetofend(union fscrypt_iv, nonce); ··· 54 53 if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) 55 54 return sizeof(__le32); 56 55 57 - /* Default case: IVs are just the file logical block number */ 58 - return DIV_ROUND_UP(fscrypt_max_file_lblk_bits(sb), 8); 56 + /* Default case: IVs are just the file data unit index */ 57 + dun_bits = fscrypt_max_file_dun_bits(sb, ci->ci_data_unit_bits); 58 + return DIV_ROUND_UP(dun_bits, 8); 59 59 } 60 60 61 61 /* ··· 128 126 * crypto configuration that the file would use. 129 127 */ 130 128 crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode; 131 - crypto_cfg.data_unit_size = sb->s_blocksize; 129 + crypto_cfg.data_unit_size = 1U << ci->ci_data_unit_bits; 132 130 crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci); 133 131 134 132 devs = fscrypt_get_devices(sb, &num_devs); ··· 167 165 return -ENOMEM; 168 166 169 167 err = blk_crypto_init_key(blk_key, raw_key, crypto_mode, 170 - fscrypt_get_dun_bytes(ci), sb->s_blocksize); 168 + fscrypt_get_dun_bytes(ci), 169 + 1U << ci->ci_data_unit_bits); 171 170 if (err) { 172 171 fscrypt_err(inode, "error %d initializing blk-crypto key", err); 173 172 goto fail; ··· 235 232 static void fscrypt_generate_dun(const struct fscrypt_info *ci, u64 lblk_num, 236 233 u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE]) 237 234 { 235 + u64 index = lblk_num << ci->ci_data_units_per_block_bits; 238 236 union fscrypt_iv iv; 239 237 int i; 240 238 241 - fscrypt_generate_iv(&iv, lblk_num, ci); 239 + fscrypt_generate_iv(&iv, index, ci); 242 240 243 241 BUILD_BUG_ON(FSCRYPT_MAX_IV_SIZE > BLK_CRYPTO_MAX_IV_SIZE); 244 242 memset(dun, 0, BLK_CRYPTO_MAX_IV_SIZE);
+5
fs/crypto/keysetup.c
··· 580 580 WARN_ON_ONCE(mode->ivsize > FSCRYPT_MAX_IV_SIZE); 581 581 crypt_info->ci_mode = mode; 582 582 583 + crypt_info->ci_data_unit_bits = 584 + fscrypt_policy_du_bits(&crypt_info->ci_policy, inode); 585 + crypt_info->ci_data_units_per_block_bits = 586 + inode->i_blkbits - crypt_info->ci_data_unit_bits; 587 + 583 588 res = setup_file_encryption_key(crypt_info, need_dirhash_key, &mk); 584 589 if (res) 585 590 goto out;
+31 -3
fs/crypto/policy.c
··· 165 165 } 166 166 167 167 /* 168 - * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that file logical 169 - * block numbers fit in 32 bits. 168 + * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that file data unit 169 + * indices fit in 32 bits. 170 170 */ 171 - if (fscrypt_max_file_lblk_bits(sb) > 32) { 171 + if (fscrypt_max_file_dun_bits(sb, 172 + fscrypt_policy_v2_du_bits(policy, inode)) > 32) { 172 173 fscrypt_warn(inode, 173 174 "Can't use %s policy on filesystem '%s' because its maximum file size is too large", 174 175 type, sb->s_id); ··· 242 241 fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", 243 242 policy->flags); 244 243 return false; 244 + } 245 + 246 + if (policy->log2_data_unit_size) { 247 + if (!inode->i_sb->s_cop->supports_subblock_data_units) { 248 + fscrypt_warn(inode, 249 + "Filesystem does not support configuring crypto data unit size"); 250 + return false; 251 + } 252 + if (policy->log2_data_unit_size > inode->i_blkbits || 253 + policy->log2_data_unit_size < SECTOR_SHIFT /* 9 */) { 254 + fscrypt_warn(inode, 255 + "Unsupported log2_data_unit_size in encryption policy: %d", 256 + policy->log2_data_unit_size); 257 + return false; 258 + } 259 + if (policy->log2_data_unit_size != inode->i_blkbits && 260 + (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 261 + /* 262 + * Not safe to enable yet, as we need to ensure that DUN 263 + * wraparound can only occur on a FS block boundary. 264 + */ 265 + fscrypt_warn(inode, 266 + "Sub-block data units not yet supported with IV_INO_LBLK_32"); 267 + return false; 268 + } 245 269 } 246 270 247 271 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && ··· 355 329 ctx->filenames_encryption_mode = 356 330 policy->filenames_encryption_mode; 357 331 ctx->flags = policy->flags; 332 + ctx->log2_data_unit_size = policy->log2_data_unit_size; 358 333 memcpy(ctx->master_key_identifier, 359 334 policy->master_key_identifier, 360 335 sizeof(ctx->master_key_identifier)); ··· 416 389 policy->filenames_encryption_mode = 417 390 ctx->filenames_encryption_mode; 418 391 policy->flags = ctx->flags; 392 + policy->log2_data_unit_size = ctx->log2_data_unit_size; 419 393 memcpy(policy->__reserved, ctx->__reserved, 420 394 sizeof(policy->__reserved)); 421 395 memcpy(policy->master_key_identifier,
+1
fs/ext4/crypto.c
··· 235 235 const struct fscrypt_operations ext4_cryptops = { 236 236 .needs_bounce_pages = 1, 237 237 .has_32bit_inodes = 1, 238 + .supports_subblock_data_units = 1, 238 239 .legacy_key_prefix = "ext4:", 239 240 .get_context = ext4_get_context, 240 241 .set_context = ext4_set_context,
+1
fs/f2fs/super.c
··· 3226 3226 static const struct fscrypt_operations f2fs_cryptops = { 3227 3227 .needs_bounce_pages = 1, 3228 3228 .has_32bit_inodes = 1, 3229 + .supports_subblock_data_units = 1, 3229 3230 .legacy_key_prefix = "f2fs:", 3230 3231 .get_context = f2fs_get_context, 3231 3232 .set_context = f2fs_set_context,
+12
include/linux/fscrypt.h
··· 86 86 unsigned int has_32bit_inodes : 1; 87 87 88 88 /* 89 + * If set, then fs/crypto/ will allow users to select a crypto data unit 90 + * size that is less than the filesystem block size. This is done via 91 + * the log2_data_unit_size field of the fscrypt policy. This flag is 92 + * not compatible with filesystems that encrypt variable-length blocks 93 + * (i.e. blocks that aren't all equal to filesystem's block size), for 94 + * example as a result of compression. It's also not compatible with 95 + * the fscrypt_encrypt_block_inplace() and 96 + * fscrypt_decrypt_block_inplace() functions. 97 + */ 98 + unsigned int supports_subblock_data_units : 1; 99 + 100 + /* 89 101 * This field exists only for backwards compatibility reasons and should 90 102 * only be set by the filesystems that are setting it already. It 91 103 * contains the filesystem-specific key description prefix that is
+2 -1
include/uapi/linux/fscrypt.h
··· 71 71 __u8 contents_encryption_mode; 72 72 __u8 filenames_encryption_mode; 73 73 __u8 flags; 74 - __u8 __reserved[4]; 74 + __u8 log2_data_unit_size; 75 + __u8 __reserved[3]; 75 76 __u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 76 77 }; 77 78