fscrypt: v2 encryption policy support · tjh.dev/kernel@5dae460

+1 -1

fs/crypto/crypto.c

··· 141 141 memset(iv, 0, ci->ci_mode->ivsize); 142 142 iv->lblk_num = cpu_to_le64(lblk_num); 143 143 144 - if (ci->ci_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) 144 + if (fscrypt_is_direct_key_policy(&ci->ci_policy)) 145 145 memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE); 146 146 147 147 if (ci->ci_essiv_tfm != NULL)

+2 -1

fs/crypto/fname.c

··· 181 181 bool fscrypt_fname_encrypted_size(const struct inode *inode, u32 orig_len, 182 182 u32 max_len, u32 *encrypted_len_ret) 183 183 { 184 - int padding = 4 << (inode->i_crypt_info->ci_flags & 184 + const struct fscrypt_info *ci = inode->i_crypt_info; 185 + int padding = 4 << (fscrypt_policy_flags(&ci->ci_policy) & 185 186 FSCRYPT_POLICY_FLAGS_PAD_MASK); 186 187 u32 encrypted_len; 187 188

+162 -25

fs/crypto/fscrypt_private.h

··· 20 20 21 21 #define FSCRYPT_MIN_KEY_SIZE 16 22 22 23 - /** 24 - * Encryption context for inode 25 - * 26 - * Protector format: 27 - * 1 byte: Protector format (1 = this version) 28 - * 1 byte: File contents encryption mode 29 - * 1 byte: File names encryption mode 30 - * 1 byte: Flags 31 - * 8 bytes: Master Key descriptor 32 - * 16 bytes: Encryption Key derivation nonce 33 - */ 34 - struct fscrypt_context { 35 - u8 format; 23 + #define FSCRYPT_CONTEXT_V1 1 24 + #define FSCRYPT_CONTEXT_V2 2 25 + 26 + struct fscrypt_context_v1 { 27 + u8 version; /* FSCRYPT_CONTEXT_V1 */ 36 28 u8 contents_encryption_mode; 37 29 u8 filenames_encryption_mode; 38 30 u8 flags; 39 31 u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 40 32 u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 41 - } __packed; 33 + }; 42 34 43 - #define FS_ENCRYPTION_CONTEXT_FORMAT_V1 1 35 + struct fscrypt_context_v2 { 36 + u8 version; /* FSCRYPT_CONTEXT_V2 */ 37 + u8 contents_encryption_mode; 38 + u8 filenames_encryption_mode; 39 + u8 flags; 40 + u8 __reserved[4]; 41 + u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 42 + u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 43 + }; 44 + 45 + /** 46 + * fscrypt_context - the encryption context of an inode 47 + * 48 + * This is the on-disk equivalent of an fscrypt_policy, stored alongside each 49 + * encrypted file usually in a hidden extended attribute. It contains the 50 + * fields from the fscrypt_policy, in order to identify the encryption algorithm 51 + * and key with which the file is encrypted. It also contains a nonce that was 52 + * randomly generated by fscrypt itself; this is used as KDF input or as a tweak 53 + * to cause different files to be encrypted differently. 54 + */ 55 + union fscrypt_context { 56 + u8 version; 57 + struct fscrypt_context_v1 v1; 58 + struct fscrypt_context_v2 v2; 59 + }; 60 + 61 + /* 62 + * Return the size expected for the given fscrypt_context based on its version 63 + * number, or 0 if the context version is unrecognized. 64 + */ 65 + static inline int fscrypt_context_size(const union fscrypt_context *ctx) 66 + { 67 + switch (ctx->version) { 68 + case FSCRYPT_CONTEXT_V1: 69 + BUILD_BUG_ON(sizeof(ctx->v1) != 28); 70 + return sizeof(ctx->v1); 71 + case FSCRYPT_CONTEXT_V2: 72 + BUILD_BUG_ON(sizeof(ctx->v2) != 40); 73 + return sizeof(ctx->v2); 74 + } 75 + return 0; 76 + } 77 + 78 + #undef fscrypt_policy 79 + union fscrypt_policy { 80 + u8 version; 81 + struct fscrypt_policy_v1 v1; 82 + struct fscrypt_policy_v2 v2; 83 + }; 84 + 85 + /* 86 + * Return the size expected for the given fscrypt_policy based on its version 87 + * number, or 0 if the policy version is unrecognized. 88 + */ 89 + static inline int fscrypt_policy_size(const union fscrypt_policy *policy) 90 + { 91 + switch (policy->version) { 92 + case FSCRYPT_POLICY_V1: 93 + return sizeof(policy->v1); 94 + case FSCRYPT_POLICY_V2: 95 + return sizeof(policy->v2); 96 + } 97 + return 0; 98 + } 99 + 100 + /* Return the contents encryption mode of a valid encryption policy */ 101 + static inline u8 102 + fscrypt_policy_contents_mode(const union fscrypt_policy *policy) 103 + { 104 + switch (policy->version) { 105 + case FSCRYPT_POLICY_V1: 106 + return policy->v1.contents_encryption_mode; 107 + case FSCRYPT_POLICY_V2: 108 + return policy->v2.contents_encryption_mode; 109 + } 110 + BUG(); 111 + } 112 + 113 + /* Return the filenames encryption mode of a valid encryption policy */ 114 + static inline u8 115 + fscrypt_policy_fnames_mode(const union fscrypt_policy *policy) 116 + { 117 + switch (policy->version) { 118 + case FSCRYPT_POLICY_V1: 119 + return policy->v1.filenames_encryption_mode; 120 + case FSCRYPT_POLICY_V2: 121 + return policy->v2.filenames_encryption_mode; 122 + } 123 + BUG(); 124 + } 125 + 126 + /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */ 127 + static inline u8 128 + fscrypt_policy_flags(const union fscrypt_policy *policy) 129 + { 130 + switch (policy->version) { 131 + case FSCRYPT_POLICY_V1: 132 + return policy->v1.flags; 133 + case FSCRYPT_POLICY_V2: 134 + return policy->v2.flags; 135 + } 136 + BUG(); 137 + } 138 + 139 + static inline bool 140 + fscrypt_is_direct_key_policy(const union fscrypt_policy *policy) 141 + { 142 + return fscrypt_policy_flags(policy) & FSCRYPT_POLICY_FLAG_DIRECT_KEY; 143 + } 44 144 45 145 /** 46 146 * For encrypted symlinks, the ciphertext length is stored at the beginning ··· 170 70 struct crypto_cipher *ci_essiv_tfm; 171 71 172 72 /* 173 - * Encryption mode used for this inode. It corresponds to either 174 - * ci_data_mode or ci_filename_mode, depending on the inode type. 73 + * Encryption mode used for this inode. It corresponds to either the 74 + * contents or filenames encryption mode, depending on the inode type. 175 75 */ 176 76 struct fscrypt_mode *ci_mode; 177 77 ··· 197 97 */ 198 98 struct fscrypt_direct_key *ci_direct_key; 199 99 200 - /* fields from the fscrypt_context */ 201 - u8 ci_data_mode; 202 - u8 ci_filename_mode; 203 - u8 ci_flags; 204 - u8 ci_master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 100 + /* The encryption policy used by this inode */ 101 + union fscrypt_policy ci_policy; 102 + 103 + /* This inode's nonce, copied from the fscrypt_context */ 205 104 u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 206 105 }; 207 106 ··· 280 181 extern int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, 281 182 unsigned int master_key_size); 282 183 184 + /* 185 + * The list of contexts in which fscrypt uses HKDF. These values are used as 186 + * the first byte of the HKDF application-specific info string to guarantee that 187 + * info strings are never repeated between contexts. This ensures that all HKDF 188 + * outputs are unique and cryptographically isolated, i.e. knowledge of one 189 + * output doesn't reveal another. 190 + */ 191 + #define HKDF_CONTEXT_KEY_IDENTIFIER 1 192 + #define HKDF_CONTEXT_PER_FILE_KEY 2 193 + #define HKDF_CONTEXT_PER_MODE_KEY 3 194 + 283 195 extern int fscrypt_hkdf_expand(struct fscrypt_hkdf *hkdf, u8 context, 284 196 const u8 *info, unsigned int infolen, 285 197 u8 *okm, unsigned int okmlen); ··· 304 194 */ 305 195 struct fscrypt_master_key_secret { 306 196 307 - /* Size of the raw key in bytes */ 197 + /* 198 + * For v2 policy keys: HKDF context keyed by this master key. 199 + * For v1 policy keys: not set (hkdf.hmac_tfm == NULL). 200 + */ 201 + struct fscrypt_hkdf hkdf; 202 + 203 + /* Size of the raw key in bytes. Set even if ->raw isn't set. */ 308 204 u32 size; 309 205 310 - /* The raw key */ 206 + /* For v1 policy keys: the raw key. Wiped for v2 policy keys. */ 311 207 u8 raw[FSCRYPT_MAX_KEY_SIZE]; 312 208 313 209 } __randomize_layout; ··· 339 223 */ 340 224 struct fscrypt_master_key_secret mk_secret; 341 225 342 - /* Arbitrary key descriptor which was assigned by userspace */ 226 + /* 227 + * For v1 policy keys: an arbitrary key descriptor which was assigned by 228 + * userspace (->descriptor). 229 + * 230 + * For v2 policy keys: a cryptographic hash of this key (->identifier). 231 + */ 343 232 struct fscrypt_key_specifier mk_spec; 344 233 345 234 /* ··· 362 241 */ 363 242 struct list_head mk_decrypted_inodes; 364 243 spinlock_t mk_decrypted_inodes_lock; 244 + 245 + /* Per-mode tfms for DIRECT_KEY policies, allocated on-demand */ 246 + struct crypto_skcipher *mk_mode_keys[__FSCRYPT_MODE_MAX + 1]; 365 247 366 248 } __randomize_layout; 367 249 ··· 387 263 switch (spec->type) { 388 264 case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: 389 265 return "descriptor"; 266 + case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: 267 + return "identifier"; 390 268 } 391 269 return "[unknown]"; 392 270 } ··· 398 272 switch (spec->type) { 399 273 case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: 400 274 return FSCRYPT_KEY_DESCRIPTOR_SIZE; 275 + case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: 276 + return FSCRYPT_KEY_IDENTIFIER_SIZE; 401 277 } 402 278 return 0; 403 279 } ··· 443 315 444 316 extern int fscrypt_setup_v1_file_key_via_subscribed_keyrings( 445 317 struct fscrypt_info *ci); 318 + /* policy.c */ 319 + 320 + extern bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 321 + const union fscrypt_policy *policy2); 322 + extern bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 323 + const struct inode *inode); 324 + extern int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 325 + const union fscrypt_context *ctx_u, 326 + int ctx_size); 446 327 447 328 #endif /* _FSCRYPT_PRIVATE_H */

+34 -1

fs/crypto/keyring.c

··· 17 17 * information about these ioctls. 18 18 */ 19 19 20 + #include <crypto/skcipher.h> 20 21 #include <linux/key-type.h> 21 22 #include <linux/seq_file.h> 22 23 ··· 25 24 26 25 static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret) 27 26 { 27 + fscrypt_destroy_hkdf(&secret->hkdf); 28 28 memzero_explicit(secret, sizeof(*secret)); 29 29 } 30 30 ··· 38 36 39 37 static void free_master_key(struct fscrypt_master_key *mk) 40 38 { 39 + size_t i; 40 + 41 41 wipe_master_key_secret(&mk->mk_secret); 42 + 43 + for (i = 0; i < ARRAY_SIZE(mk->mk_mode_keys); i++) 44 + crypto_free_skcipher(mk->mk_mode_keys[i]); 45 + 42 46 kzfree(mk); 43 47 } 44 48 ··· 117 109 #define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \ 118 110 (CONST_STRLEN("fscrypt-") + FIELD_SIZEOF(struct super_block, s_id)) 119 111 120 - #define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_DESCRIPTOR_SIZE + 1) 112 + #define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1) 121 113 122 114 static void format_fs_keyring_description( 123 115 char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE], ··· 321 313 err = -EACCES; 322 314 if (!capable(CAP_SYS_ADMIN)) 323 315 goto out_wipe_secret; 316 + 317 + if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) { 318 + err = fscrypt_init_hkdf(&secret.hkdf, secret.raw, secret.size); 319 + if (err) 320 + goto out_wipe_secret; 321 + 322 + /* 323 + * Now that the HKDF context is initialized, the raw key is no 324 + * longer needed. 325 + */ 326 + memzero_explicit(secret.raw, secret.size); 327 + 328 + /* Calculate the key identifier and return it to userspace. */ 329 + err = fscrypt_hkdf_expand(&secret.hkdf, 330 + HKDF_CONTEXT_KEY_IDENTIFIER, 331 + NULL, 0, arg.key_spec.u.identifier, 332 + FSCRYPT_KEY_IDENTIFIER_SIZE); 333 + if (err) 334 + goto out_wipe_secret; 335 + err = -EFAULT; 336 + if (copy_to_user(uarg->key_spec.u.identifier, 337 + arg.key_spec.u.identifier, 338 + FSCRYPT_KEY_IDENTIFIER_SIZE)) 339 + goto out_wipe_secret; 340 + } 324 341 325 342 err = add_master_key(sb, &secret, &arg.key_spec); 326 343 out_wipe_secret:

+158 -44

fs/crypto/keysetup.c

··· 52 52 }; 53 53 54 54 static struct fscrypt_mode * 55 - select_encryption_mode(const struct fscrypt_info *ci, const struct inode *inode) 55 + select_encryption_mode(const union fscrypt_policy *policy, 56 + const struct inode *inode) 56 57 { 57 - if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { 58 - fscrypt_warn(inode, 59 - "Unsupported encryption modes (contents mode %d, filenames mode %d)", 60 - ci->ci_data_mode, ci->ci_filename_mode); 61 - return ERR_PTR(-EINVAL); 62 - } 63 - 64 58 if (S_ISREG(inode->i_mode)) 65 - return &available_modes[ci->ci_data_mode]; 59 + return &available_modes[fscrypt_policy_contents_mode(policy)]; 66 60 67 61 if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) 68 - return &available_modes[ci->ci_filename_mode]; 62 + return &available_modes[fscrypt_policy_fnames_mode(policy)]; 69 63 70 64 WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", 71 65 inode->i_ino, (inode->i_mode & S_IFMT)); ··· 205 211 return 0; 206 212 } 207 213 214 + static int setup_per_mode_key(struct fscrypt_info *ci, 215 + struct fscrypt_master_key *mk) 216 + { 217 + struct fscrypt_mode *mode = ci->ci_mode; 218 + u8 mode_num = mode - available_modes; 219 + struct crypto_skcipher *tfm, *prev_tfm; 220 + u8 mode_key[FSCRYPT_MAX_KEY_SIZE]; 221 + int err; 222 + 223 + if (WARN_ON(mode_num >= ARRAY_SIZE(mk->mk_mode_keys))) 224 + return -EINVAL; 225 + 226 + /* pairs with cmpxchg() below */ 227 + tfm = READ_ONCE(mk->mk_mode_keys[mode_num]); 228 + if (likely(tfm != NULL)) 229 + goto done; 230 + 231 + BUILD_BUG_ON(sizeof(mode_num) != 1); 232 + err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 233 + HKDF_CONTEXT_PER_MODE_KEY, 234 + &mode_num, sizeof(mode_num), 235 + mode_key, mode->keysize); 236 + if (err) 237 + return err; 238 + tfm = fscrypt_allocate_skcipher(mode, mode_key, ci->ci_inode); 239 + memzero_explicit(mode_key, mode->keysize); 240 + if (IS_ERR(tfm)) 241 + return PTR_ERR(tfm); 242 + 243 + /* pairs with READ_ONCE() above */ 244 + prev_tfm = cmpxchg(&mk->mk_mode_keys[mode_num], NULL, tfm); 245 + if (prev_tfm != NULL) { 246 + crypto_free_skcipher(tfm); 247 + tfm = prev_tfm; 248 + } 249 + done: 250 + ci->ci_ctfm = tfm; 251 + return 0; 252 + } 253 + 254 + static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci, 255 + struct fscrypt_master_key *mk) 256 + { 257 + u8 derived_key[FSCRYPT_MAX_KEY_SIZE]; 258 + int err; 259 + 260 + if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { 261 + /* 262 + * DIRECT_KEY: instead of deriving per-file keys, the per-file 263 + * nonce will be included in all the IVs. But unlike v1 264 + * policies, for v2 policies in this case we don't encrypt with 265 + * the master key directly but rather derive a per-mode key. 266 + * This ensures that the master key is consistently used only 267 + * for HKDF, avoiding key reuse issues. 268 + */ 269 + if (!fscrypt_mode_supports_direct_key(ci->ci_mode)) { 270 + fscrypt_warn(ci->ci_inode, 271 + "Direct key flag not allowed with %s", 272 + ci->ci_mode->friendly_name); 273 + return -EINVAL; 274 + } 275 + return setup_per_mode_key(ci, mk); 276 + } 277 + 278 + err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 279 + HKDF_CONTEXT_PER_FILE_KEY, 280 + ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE, 281 + derived_key, ci->ci_mode->keysize); 282 + if (err) 283 + return err; 284 + 285 + err = fscrypt_set_derived_key(ci, derived_key); 286 + memzero_explicit(derived_key, ci->ci_mode->keysize); 287 + return err; 288 + } 289 + 208 290 /* 209 291 * Find the master key, then set up the inode's actual encryption key. 210 292 * ··· 299 229 struct fscrypt_key_specifier mk_spec; 300 230 int err; 301 231 302 - mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 303 - memcpy(mk_spec.u.descriptor, ci->ci_master_key_descriptor, 304 - FSCRYPT_KEY_DESCRIPTOR_SIZE); 232 + switch (ci->ci_policy.version) { 233 + case FSCRYPT_POLICY_V1: 234 + mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 235 + memcpy(mk_spec.u.descriptor, 236 + ci->ci_policy.v1.master_key_descriptor, 237 + FSCRYPT_KEY_DESCRIPTOR_SIZE); 238 + break; 239 + case FSCRYPT_POLICY_V2: 240 + mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 241 + memcpy(mk_spec.u.identifier, 242 + ci->ci_policy.v2.master_key_identifier, 243 + FSCRYPT_KEY_IDENTIFIER_SIZE); 244 + break; 245 + default: 246 + WARN_ON(1); 247 + return -EINVAL; 248 + } 305 249 306 250 key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); 307 251 if (IS_ERR(key)) { 308 - if (key != ERR_PTR(-ENOKEY)) 252 + if (key != ERR_PTR(-ENOKEY) || 253 + ci->ci_policy.version != FSCRYPT_POLICY_V1) 309 254 return PTR_ERR(key); 310 255 256 + /* 257 + * As a legacy fallback for v1 policies, search for the key in 258 + * the current task's subscribed keyrings too. Don't move this 259 + * to before the search of ->s_master_keys, since users 260 + * shouldn't be able to override filesystem-level keys. 261 + */ 311 262 return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci); 312 263 } 313 264 ··· 341 250 goto out_release_key; 342 251 } 343 252 253 + /* 254 + * Require that the master key be at least as long as the derived key. 255 + * Otherwise, the derived key cannot possibly contain as much entropy as 256 + * that required by the encryption mode it will be used for. For v1 257 + * policies it's also required for the KDF to work at all. 258 + */ 344 259 if (mk->mk_secret.size < ci->ci_mode->keysize) { 345 260 fscrypt_warn(NULL, 346 261 "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", ··· 357 260 goto out_release_key; 358 261 } 359 262 360 - err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw); 263 + switch (ci->ci_policy.version) { 264 + case FSCRYPT_POLICY_V1: 265 + err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw); 266 + break; 267 + case FSCRYPT_POLICY_V2: 268 + err = fscrypt_setup_v2_file_key(ci, mk); 269 + break; 270 + default: 271 + WARN_ON(1); 272 + err = -EINVAL; 273 + break; 274 + } 361 275 if (err) 362 276 goto out_release_key; 363 277 ··· 390 282 391 283 if (ci->ci_direct_key) { 392 284 fscrypt_put_direct_key(ci->ci_direct_key); 393 - } else { 285 + } else if ((ci->ci_ctfm != NULL || ci->ci_essiv_tfm != NULL) && 286 + !fscrypt_is_direct_key_policy(&ci->ci_policy)) { 394 287 crypto_free_skcipher(ci->ci_ctfm); 395 288 crypto_free_cipher(ci->ci_essiv_tfm); 396 289 } ··· 421 312 int fscrypt_get_encryption_info(struct inode *inode) 422 313 { 423 314 struct fscrypt_info *crypt_info; 424 - struct fscrypt_context ctx; 315 + union fscrypt_context ctx; 425 316 struct fscrypt_mode *mode; 426 317 struct key *master_key = NULL; 427 318 int res; ··· 444 335 } 445 336 /* Fake up a context for an unencrypted directory */ 446 337 memset(&ctx, 0, sizeof(ctx)); 447 - ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; 448 - ctx.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 449 - ctx.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 450 - memset(ctx.master_key_descriptor, 0x42, 338 + ctx.version = FSCRYPT_CONTEXT_V1; 339 + ctx.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 340 + ctx.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 341 + memset(ctx.v1.master_key_descriptor, 0x42, 451 342 FSCRYPT_KEY_DESCRIPTOR_SIZE); 452 - } else if (res != sizeof(ctx)) { 453 - fscrypt_warn(inode, 454 - "Unknown encryption context size (%d bytes)", res); 455 - return -EINVAL; 456 - } 457 - 458 - if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) { 459 - fscrypt_warn(inode, "Unknown encryption context version (%d)", 460 - ctx.format); 461 - return -EINVAL; 462 - } 463 - 464 - if (ctx.flags & ~FSCRYPT_POLICY_FLAGS_VALID) { 465 - fscrypt_warn(inode, "Unknown encryption context flags (0x%02x)", 466 - ctx.flags); 467 - return -EINVAL; 343 + res = sizeof(ctx.v1); 468 344 } 469 345 470 346 crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS); ··· 458 364 459 365 crypt_info->ci_inode = inode; 460 366 461 - crypt_info->ci_flags = ctx.flags; 462 - crypt_info->ci_data_mode = ctx.contents_encryption_mode; 463 - crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; 464 - memcpy(crypt_info->ci_master_key_descriptor, ctx.master_key_descriptor, 465 - FSCRYPT_KEY_DESCRIPTOR_SIZE); 466 - memcpy(crypt_info->ci_nonce, ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE); 367 + res = fscrypt_policy_from_context(&crypt_info->ci_policy, &ctx, res); 368 + if (res) { 369 + fscrypt_warn(inode, 370 + "Unrecognized or corrupt encryption context"); 371 + goto out; 372 + } 467 373 468 - mode = select_encryption_mode(crypt_info, inode); 374 + switch (ctx.version) { 375 + case FSCRYPT_CONTEXT_V1: 376 + memcpy(crypt_info->ci_nonce, ctx.v1.nonce, 377 + FS_KEY_DERIVATION_NONCE_SIZE); 378 + break; 379 + case FSCRYPT_CONTEXT_V2: 380 + memcpy(crypt_info->ci_nonce, ctx.v2.nonce, 381 + FS_KEY_DERIVATION_NONCE_SIZE); 382 + break; 383 + default: 384 + WARN_ON(1); 385 + res = -EINVAL; 386 + goto out; 387 + } 388 + 389 + if (!fscrypt_supported_policy(&crypt_info->ci_policy, inode)) { 390 + res = -EINVAL; 391 + goto out; 392 + } 393 + 394 + mode = select_encryption_mode(&crypt_info->ci_policy, inode); 469 395 if (IS_ERR(mode)) { 470 396 res = PTR_ERR(mode); 471 397 goto out;

+10 -8

fs/crypto/keysetup_v1.c

··· 189 189 */ 190 190 191 191 BUILD_BUG_ON(sizeof(hash_key) > FSCRYPT_KEY_DESCRIPTOR_SIZE); 192 - memcpy(&hash_key, ci->ci_master_key_descriptor, sizeof(hash_key)); 192 + memcpy(&hash_key, ci->ci_policy.v1.master_key_descriptor, 193 + sizeof(hash_key)); 193 194 194 195 spin_lock(&fscrypt_direct_keys_lock); 195 196 hash_for_each_possible(fscrypt_direct_keys, dk, dk_node, hash_key) { 196 - if (memcmp(ci->ci_master_key_descriptor, dk->dk_descriptor, 197 - FSCRYPT_KEY_DESCRIPTOR_SIZE) != 0) 197 + if (memcmp(ci->ci_policy.v1.master_key_descriptor, 198 + dk->dk_descriptor, FSCRYPT_KEY_DESCRIPTOR_SIZE) != 0) 198 199 continue; 199 200 if (ci->ci_mode != dk->dk_mode) 200 201 continue; ··· 238 237 dk->dk_ctfm = NULL; 239 238 goto err_free_dk; 240 239 } 241 - memcpy(dk->dk_descriptor, ci->ci_master_key_descriptor, 240 + memcpy(dk->dk_descriptor, ci->ci_policy.v1.master_key_descriptor, 242 241 FSCRYPT_KEY_DESCRIPTOR_SIZE); 243 242 memcpy(dk->dk_raw, raw_key, ci->ci_mode->keysize); 244 243 ··· 263 262 return -EINVAL; 264 263 } 265 264 266 - if (ci->ci_data_mode != ci->ci_filename_mode) { 265 + if (ci->ci_policy.v1.contents_encryption_mode != 266 + ci->ci_policy.v1.filenames_encryption_mode) { 267 267 fscrypt_warn(ci->ci_inode, 268 268 "Direct key mode not allowed with different contents and filenames modes"); 269 269 return -EINVAL; ··· 310 308 311 309 int fscrypt_setup_v1_file_key(struct fscrypt_info *ci, const u8 *raw_master_key) 312 310 { 313 - if (ci->ci_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) 311 + if (ci->ci_policy.v1.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) 314 312 return setup_v1_file_key_direct(ci, raw_master_key); 315 313 else 316 314 return setup_v1_file_key_derived(ci, raw_master_key); ··· 323 321 int err; 324 322 325 323 key = find_and_lock_process_key(FSCRYPT_KEY_DESC_PREFIX, 326 - ci->ci_master_key_descriptor, 324 + ci->ci_policy.v1.master_key_descriptor, 327 325 ci->ci_mode->keysize, &payload); 328 326 if (key == ERR_PTR(-ENOKEY) && ci->ci_inode->i_sb->s_cop->key_prefix) { 329 327 key = find_and_lock_process_key(ci->ci_inode->i_sb->s_cop->key_prefix, 330 - ci->ci_master_key_descriptor, 328 + ci->ci_policy.v1.master_key_descriptor, 331 329 ci->ci_mode->keysize, &payload); 332 330 } 333 331 if (IS_ERR(key))

+319 -107

fs/crypto/policy.c

··· 5 5 * Copyright (C) 2015, Google, Inc. 6 6 * Copyright (C) 2015, Motorola Mobility. 7 7 * 8 - * Written by Michael Halcrow, 2015. 8 + * Originally written by Michael Halcrow, 2015. 9 9 * Modified by Jaegeuk Kim, 2015. 10 + * Modified by Eric Biggers, 2019 for v2 policy support. 10 11 */ 11 12 12 13 #include <linux/random.h> ··· 15 14 #include <linux/mount.h> 16 15 #include "fscrypt_private.h" 17 16 18 - /* 19 - * check whether an encryption policy is consistent with an encryption context 17 + /** 18 + * fscrypt_policies_equal - check whether two encryption policies are the same 19 + * 20 + * Return: %true if equal, else %false 20 21 */ 21 - static bool is_encryption_context_consistent_with_policy( 22 - const struct fscrypt_context *ctx, 23 - const struct fscrypt_policy *policy) 22 + bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 23 + const union fscrypt_policy *policy2) 24 24 { 25 - return memcmp(ctx->master_key_descriptor, policy->master_key_descriptor, 26 - FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 && 27 - (ctx->flags == policy->flags) && 28 - (ctx->contents_encryption_mode == 29 - policy->contents_encryption_mode) && 30 - (ctx->filenames_encryption_mode == 31 - policy->filenames_encryption_mode); 25 + if (policy1->version != policy2->version) 26 + return false; 27 + 28 + return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); 32 29 } 33 30 34 - static int create_encryption_context_from_policy(struct inode *inode, 35 - const struct fscrypt_policy *policy) 31 + /** 32 + * fscrypt_supported_policy - check whether an encryption policy is supported 33 + * 34 + * Given an encryption policy, check whether all its encryption modes and other 35 + * settings are supported by this kernel. (But we don't currently don't check 36 + * for crypto API support here, so attempting to use an algorithm not configured 37 + * into the crypto API will still fail later.) 38 + * 39 + * Return: %true if supported, else %false 40 + */ 41 + bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 42 + const struct inode *inode) 36 43 { 37 - struct fscrypt_context ctx; 44 + switch (policy_u->version) { 45 + case FSCRYPT_POLICY_V1: { 46 + const struct fscrypt_policy_v1 *policy = &policy_u->v1; 38 47 39 - ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; 40 - memcpy(ctx.master_key_descriptor, policy->master_key_descriptor, 41 - FSCRYPT_KEY_DESCRIPTOR_SIZE); 48 + if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, 49 + policy->filenames_encryption_mode)) { 50 + fscrypt_warn(inode, 51 + "Unsupported encryption modes (contents %d, filenames %d)", 52 + policy->contents_encryption_mode, 53 + policy->filenames_encryption_mode); 54 + return false; 55 + } 42 56 43 - if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, 44 - policy->filenames_encryption_mode)) 57 + if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { 58 + fscrypt_warn(inode, 59 + "Unsupported encryption flags (0x%02x)", 60 + policy->flags); 61 + return false; 62 + } 63 + 64 + return true; 65 + } 66 + case FSCRYPT_POLICY_V2: { 67 + const struct fscrypt_policy_v2 *policy = &policy_u->v2; 68 + 69 + if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, 70 + policy->filenames_encryption_mode)) { 71 + fscrypt_warn(inode, 72 + "Unsupported encryption modes (contents %d, filenames %d)", 73 + policy->contents_encryption_mode, 74 + policy->filenames_encryption_mode); 75 + return false; 76 + } 77 + 78 + if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { 79 + fscrypt_warn(inode, 80 + "Unsupported encryption flags (0x%02x)", 81 + policy->flags); 82 + return false; 83 + } 84 + 85 + if (memchr_inv(policy->__reserved, 0, 86 + sizeof(policy->__reserved))) { 87 + fscrypt_warn(inode, 88 + "Reserved bits set in encryption policy"); 89 + return false; 90 + } 91 + 92 + return true; 93 + } 94 + } 95 + return false; 96 + } 97 + 98 + /** 99 + * fscrypt_new_context_from_policy - create a new fscrypt_context from a policy 100 + * 101 + * Create an fscrypt_context for an inode that is being assigned the given 102 + * encryption policy. A new nonce is randomly generated. 103 + * 104 + * Return: the size of the new context in bytes. 105 + */ 106 + static int fscrypt_new_context_from_policy(union fscrypt_context *ctx_u, 107 + const union fscrypt_policy *policy_u) 108 + { 109 + memset(ctx_u, 0, sizeof(*ctx_u)); 110 + 111 + switch (policy_u->version) { 112 + case FSCRYPT_POLICY_V1: { 113 + const struct fscrypt_policy_v1 *policy = &policy_u->v1; 114 + struct fscrypt_context_v1 *ctx = &ctx_u->v1; 115 + 116 + ctx->version = FSCRYPT_CONTEXT_V1; 117 + ctx->contents_encryption_mode = 118 + policy->contents_encryption_mode; 119 + ctx->filenames_encryption_mode = 120 + policy->filenames_encryption_mode; 121 + ctx->flags = policy->flags; 122 + memcpy(ctx->master_key_descriptor, 123 + policy->master_key_descriptor, 124 + sizeof(ctx->master_key_descriptor)); 125 + get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); 126 + return sizeof(*ctx); 127 + } 128 + case FSCRYPT_POLICY_V2: { 129 + const struct fscrypt_policy_v2 *policy = &policy_u->v2; 130 + struct fscrypt_context_v2 *ctx = &ctx_u->v2; 131 + 132 + ctx->version = FSCRYPT_CONTEXT_V2; 133 + ctx->contents_encryption_mode = 134 + policy->contents_encryption_mode; 135 + ctx->filenames_encryption_mode = 136 + policy->filenames_encryption_mode; 137 + ctx->flags = policy->flags; 138 + memcpy(ctx->master_key_identifier, 139 + policy->master_key_identifier, 140 + sizeof(ctx->master_key_identifier)); 141 + get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); 142 + return sizeof(*ctx); 143 + } 144 + } 145 + BUG(); 146 + } 147 + 148 + /** 149 + * fscrypt_policy_from_context - convert an fscrypt_context to an fscrypt_policy 150 + * 151 + * Given an fscrypt_context, build the corresponding fscrypt_policy. 152 + * 153 + * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized 154 + * version number or size. 155 + * 156 + * This does *not* validate the settings within the policy itself, e.g. the 157 + * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. 158 + */ 159 + int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 160 + const union fscrypt_context *ctx_u, 161 + int ctx_size) 162 + { 163 + memset(policy_u, 0, sizeof(*policy_u)); 164 + 165 + if (ctx_size <= 0 || ctx_size != fscrypt_context_size(ctx_u)) 45 166 return -EINVAL; 46 167 47 - if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) 168 + switch (ctx_u->version) { 169 + case FSCRYPT_CONTEXT_V1: { 170 + const struct fscrypt_context_v1 *ctx = &ctx_u->v1; 171 + struct fscrypt_policy_v1 *policy = &policy_u->v1; 172 + 173 + policy->version = FSCRYPT_POLICY_V1; 174 + policy->contents_encryption_mode = 175 + ctx->contents_encryption_mode; 176 + policy->filenames_encryption_mode = 177 + ctx->filenames_encryption_mode; 178 + policy->flags = ctx->flags; 179 + memcpy(policy->master_key_descriptor, 180 + ctx->master_key_descriptor, 181 + sizeof(policy->master_key_descriptor)); 182 + return 0; 183 + } 184 + case FSCRYPT_CONTEXT_V2: { 185 + const struct fscrypt_context_v2 *ctx = &ctx_u->v2; 186 + struct fscrypt_policy_v2 *policy = &policy_u->v2; 187 + 188 + policy->version = FSCRYPT_POLICY_V2; 189 + policy->contents_encryption_mode = 190 + ctx->contents_encryption_mode; 191 + policy->filenames_encryption_mode = 192 + ctx->filenames_encryption_mode; 193 + policy->flags = ctx->flags; 194 + memcpy(policy->__reserved, ctx->__reserved, 195 + sizeof(policy->__reserved)); 196 + memcpy(policy->master_key_identifier, 197 + ctx->master_key_identifier, 198 + sizeof(policy->master_key_identifier)); 199 + return 0; 200 + } 201 + } 202 + /* unreachable */ 203 + return -EINVAL; 204 + } 205 + 206 + /* Retrieve an inode's encryption policy */ 207 + static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) 208 + { 209 + const struct fscrypt_info *ci; 210 + union fscrypt_context ctx; 211 + int ret; 212 + 213 + ci = READ_ONCE(inode->i_crypt_info); 214 + if (ci) { 215 + /* key available, use the cached policy */ 216 + *policy = ci->ci_policy; 217 + return 0; 218 + } 219 + 220 + if (!IS_ENCRYPTED(inode)) 221 + return -ENODATA; 222 + 223 + ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 224 + if (ret < 0) 225 + return (ret == -ERANGE) ? -EINVAL : ret; 226 + 227 + return fscrypt_policy_from_context(policy, &ctx, ret); 228 + } 229 + 230 + static int set_encryption_policy(struct inode *inode, 231 + const union fscrypt_policy *policy) 232 + { 233 + union fscrypt_context ctx; 234 + int ctxsize; 235 + 236 + if (!fscrypt_supported_policy(policy, inode)) 48 237 return -EINVAL; 49 238 50 - ctx.contents_encryption_mode = policy->contents_encryption_mode; 51 - ctx.filenames_encryption_mode = policy->filenames_encryption_mode; 52 - ctx.flags = policy->flags; 53 - BUILD_BUG_ON(sizeof(ctx.nonce) != FS_KEY_DERIVATION_NONCE_SIZE); 54 - get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE); 239 + if (policy->version == FSCRYPT_POLICY_V1) { 240 + /* 241 + * The original encryption policy version provided no way of 242 + * verifying that the correct master key was supplied, which was 243 + * insecure in scenarios where multiple users have access to the 244 + * same encrypted files (even just read-only access). The new 245 + * encryption policy version fixes this and also implies use of 246 + * an improved key derivation function and allows non-root users 247 + * to securely remove keys. So as long as compatibility with 248 + * old kernels isn't required, it is recommended to use the new 249 + * policy version for all new encrypted directories. 250 + */ 251 + pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", 252 + current->comm, current->pid); 253 + } 55 254 56 - return inode->i_sb->s_cop->set_context(inode, &ctx, sizeof(ctx), NULL); 255 + ctxsize = fscrypt_new_context_from_policy(&ctx, policy); 256 + 257 + return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); 57 258 } 58 259 59 260 int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) 60 261 { 61 - struct fscrypt_policy policy; 262 + union fscrypt_policy policy; 263 + union fscrypt_policy existing_policy; 62 264 struct inode *inode = file_inode(filp); 265 + u8 version; 266 + int size; 63 267 int ret; 64 - struct fscrypt_context ctx; 65 268 66 - if (copy_from_user(&policy, arg, sizeof(policy))) 269 + if (get_user(policy.version, (const u8 __user *)arg)) 67 270 return -EFAULT; 271 + 272 + size = fscrypt_policy_size(&policy); 273 + if (size <= 0) 274 + return -EINVAL; 275 + 276 + /* 277 + * We should just copy the remaining 'size - 1' bytes here, but a 278 + * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to 279 + * think that size can be 0 here (despite the check above!) *and* that 280 + * it's a compile-time constant. Thus it would think copy_from_user() 281 + * is passed compile-time constant ULONG_MAX, causing the compile-time 282 + * buffer overflow check to fail, breaking the build. This only occurred 283 + * when building an i386 kernel with -Os and branch profiling enabled. 284 + * 285 + * Work around it by just copying the first byte again... 286 + */ 287 + version = policy.version; 288 + if (copy_from_user(&policy, arg, size)) 289 + return -EFAULT; 290 + policy.version = version; 68 291 69 292 if (!inode_owner_or_capable(inode)) 70 293 return -EACCES; 71 - 72 - if (policy.version != 0) 73 - return -EINVAL; 74 294 75 295 ret = mnt_want_write_file(filp); 76 296 if (ret) ··· 299 77 300 78 inode_lock(inode); 301 79 302 - ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 80 + ret = fscrypt_get_policy(inode, &existing_policy); 303 81 if (ret == -ENODATA) { 304 82 if (!S_ISDIR(inode->i_mode)) 305 83 ret = -ENOTDIR; ··· 308 86 else if (!inode->i_sb->s_cop->empty_dir(inode)) 309 87 ret = -ENOTEMPTY; 310 88 else 311 - ret = create_encryption_context_from_policy(inode, 312 - &policy); 313 - } else if (ret == sizeof(ctx) && 314 - is_encryption_context_consistent_with_policy(&ctx, 315 - &policy)) { 316 - /* The file already uses the same encryption policy. */ 317 - ret = 0; 318 - } else if (ret >= 0 || ret == -ERANGE) { 89 + ret = set_encryption_policy(inode, &policy); 90 + } else if (ret == -EINVAL || 91 + (ret == 0 && !fscrypt_policies_equal(&policy, 92 + &existing_policy))) { 319 93 /* The file already uses a different encryption policy. */ 320 94 ret = -EEXIST; 321 95 } ··· 323 105 } 324 106 EXPORT_SYMBOL(fscrypt_ioctl_set_policy); 325 107 108 + /* Original ioctl version; can only get the original policy version */ 326 109 int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 327 110 { 328 - struct inode *inode = file_inode(filp); 329 - struct fscrypt_context ctx; 330 - struct fscrypt_policy policy; 331 - int res; 111 + union fscrypt_policy policy; 112 + int err; 332 113 333 - if (!IS_ENCRYPTED(inode)) 334 - return -ENODATA; 114 + err = fscrypt_get_policy(file_inode(filp), &policy); 115 + if (err) 116 + return err; 335 117 336 - res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 337 - if (res < 0 && res != -ERANGE) 338 - return res; 339 - if (res != sizeof(ctx)) 340 - return -EINVAL; 341 - if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) 118 + if (policy.version != FSCRYPT_POLICY_V1) 342 119 return -EINVAL; 343 120 344 - policy.version = 0; 345 - policy.contents_encryption_mode = ctx.contents_encryption_mode; 346 - policy.filenames_encryption_mode = ctx.filenames_encryption_mode; 347 - policy.flags = ctx.flags; 348 - memcpy(policy.master_key_descriptor, ctx.master_key_descriptor, 349 - FSCRYPT_KEY_DESCRIPTOR_SIZE); 350 - 351 - if (copy_to_user(arg, &policy, sizeof(policy))) 121 + if (copy_to_user(arg, &policy, sizeof(policy.v1))) 352 122 return -EFAULT; 353 123 return 0; 354 124 } 355 125 EXPORT_SYMBOL(fscrypt_ioctl_get_policy); 126 + 127 + /* Extended ioctl version; can get policies of any version */ 128 + int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) 129 + { 130 + struct fscrypt_get_policy_ex_arg arg; 131 + union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; 132 + size_t policy_size; 133 + int err; 134 + 135 + /* arg is policy_size, then policy */ 136 + BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); 137 + BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != 138 + offsetof(typeof(arg), policy)); 139 + BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); 140 + 141 + err = fscrypt_get_policy(file_inode(filp), policy); 142 + if (err) 143 + return err; 144 + policy_size = fscrypt_policy_size(policy); 145 + 146 + if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) 147 + return -EFAULT; 148 + 149 + if (policy_size > arg.policy_size) 150 + return -EOVERFLOW; 151 + arg.policy_size = policy_size; 152 + 153 + if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) 154 + return -EFAULT; 155 + return 0; 156 + } 157 + EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); 356 158 357 159 /** 358 160 * fscrypt_has_permitted_context() - is a file's encryption policy permitted ··· 395 157 */ 396 158 int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) 397 159 { 398 - const struct fscrypt_operations *cops = parent->i_sb->s_cop; 399 - const struct fscrypt_info *parent_ci, *child_ci; 400 - struct fscrypt_context parent_ctx, child_ctx; 401 - int res; 160 + union fscrypt_policy parent_policy, child_policy; 161 + int err; 402 162 403 163 /* No restrictions on file types which are never encrypted */ 404 164 if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && ··· 426 190 * In any case, if an unexpected error occurs, fall back to "forbidden". 427 191 */ 428 192 429 - res = fscrypt_get_encryption_info(parent); 430 - if (res) 193 + err = fscrypt_get_encryption_info(parent); 194 + if (err) 431 195 return 0; 432 - res = fscrypt_get_encryption_info(child); 433 - if (res) 434 - return 0; 435 - parent_ci = READ_ONCE(parent->i_crypt_info); 436 - child_ci = READ_ONCE(child->i_crypt_info); 437 - 438 - if (parent_ci && child_ci) { 439 - return memcmp(parent_ci->ci_master_key_descriptor, 440 - child_ci->ci_master_key_descriptor, 441 - FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 && 442 - (parent_ci->ci_data_mode == child_ci->ci_data_mode) && 443 - (parent_ci->ci_filename_mode == 444 - child_ci->ci_filename_mode) && 445 - (parent_ci->ci_flags == child_ci->ci_flags); 446 - } 447 - 448 - res = cops->get_context(parent, &parent_ctx, sizeof(parent_ctx)); 449 - if (res != sizeof(parent_ctx)) 196 + err = fscrypt_get_encryption_info(child); 197 + if (err) 450 198 return 0; 451 199 452 - res = cops->get_context(child, &child_ctx, sizeof(child_ctx)); 453 - if (res != sizeof(child_ctx)) 200 + err = fscrypt_get_policy(parent, &parent_policy); 201 + if (err) 454 202 return 0; 455 203 456 - return memcmp(parent_ctx.master_key_descriptor, 457 - child_ctx.master_key_descriptor, 458 - FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 && 459 - (parent_ctx.contents_encryption_mode == 460 - child_ctx.contents_encryption_mode) && 461 - (parent_ctx.filenames_encryption_mode == 462 - child_ctx.filenames_encryption_mode) && 463 - (parent_ctx.flags == child_ctx.flags); 204 + err = fscrypt_get_policy(child, &child_policy); 205 + if (err) 206 + return 0; 207 + 208 + return fscrypt_policies_equal(&parent_policy, &child_policy); 464 209 } 465 210 EXPORT_SYMBOL(fscrypt_has_permitted_context); 466 211 ··· 457 240 int fscrypt_inherit_context(struct inode *parent, struct inode *child, 458 241 void *fs_data, bool preload) 459 242 { 460 - struct fscrypt_context ctx; 243 + union fscrypt_context ctx; 244 + int ctxsize; 461 245 struct fscrypt_info *ci; 462 246 int res; 463 247 ··· 470 252 if (ci == NULL) 471 253 return -ENOKEY; 472 254 473 - ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; 474 - ctx.contents_encryption_mode = ci->ci_data_mode; 475 - ctx.filenames_encryption_mode = ci->ci_filename_mode; 476 - ctx.flags = ci->ci_flags; 477 - memcpy(ctx.master_key_descriptor, ci->ci_master_key_descriptor, 478 - FSCRYPT_KEY_DESCRIPTOR_SIZE); 479 - get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE); 255 + ctxsize = fscrypt_new_context_from_policy(&ctx, &ci->ci_policy); 256 + 480 257 BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); 481 - res = parent->i_sb->s_cop->set_context(child, &ctx, 482 - sizeof(ctx), fs_data); 258 + res = parent->i_sb->s_cop->set_context(child, &ctx, ctxsize, fs_data); 483 259 if (res) 484 260 return res; 485 261 return preload ? fscrypt_get_encryption_info(child): 0;

+8 -1

include/linux/fscrypt.h

··· 43 43 #define fname_len(p) ((p)->disk_name.len) 44 44 45 45 /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ 46 - #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 46 + #define FSCRYPT_SET_CONTEXT_MAX_SIZE 40 47 47 48 48 #ifdef CONFIG_FS_ENCRYPTION 49 49 /* ··· 135 135 /* policy.c */ 136 136 extern int fscrypt_ioctl_set_policy(struct file *, const void __user *); 137 137 extern int fscrypt_ioctl_get_policy(struct file *, void __user *); 138 + extern int fscrypt_ioctl_get_policy_ex(struct file *, void __user *); 138 139 extern int fscrypt_has_permitted_context(struct inode *, struct inode *); 139 140 extern int fscrypt_inherit_context(struct inode *, struct inode *, 140 141 void *, bool); ··· 358 357 } 359 358 360 359 static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 360 + { 361 + return -EOPNOTSUPP; 362 + } 363 + 364 + static inline int fscrypt_ioctl_get_policy_ex(struct file *filp, 365 + void __user *arg) 361 366 { 362 367 return -EOPNOTSUPP; 363 368 }

+49 -8

include/uapi/linux/fscrypt.h

··· 10 10 11 11 #include <linux/types.h> 12 12 13 - #define FSCRYPT_KEY_DESCRIPTOR_SIZE 8 14 - 15 13 /* Encryption policy flags */ 16 14 #define FSCRYPT_POLICY_FLAGS_PAD_4 0x00 17 15 #define FSCRYPT_POLICY_FLAGS_PAD_8 0x01 18 16 #define FSCRYPT_POLICY_FLAGS_PAD_16 0x02 19 17 #define FSCRYPT_POLICY_FLAGS_PAD_32 0x03 20 18 #define FSCRYPT_POLICY_FLAGS_PAD_MASK 0x03 21 - #define FSCRYPT_POLICY_FLAG_DIRECT_KEY 0x04 /* use master key directly */ 19 + #define FSCRYPT_POLICY_FLAG_DIRECT_KEY 0x04 22 20 #define FSCRYPT_POLICY_FLAGS_VALID 0x07 23 21 24 22 /* Encryption algorithms */ ··· 25 27 #define FSCRYPT_MODE_AES_128_CBC 5 26 28 #define FSCRYPT_MODE_AES_128_CTS 6 27 29 #define FSCRYPT_MODE_ADIANTUM 9 30 + #define __FSCRYPT_MODE_MAX 9 28 31 29 - struct fscrypt_policy { 32 + /* 33 + * Legacy policy version; ad-hoc KDF and no key verification. 34 + * For new encrypted directories, use fscrypt_policy_v2 instead. 35 + * 36 + * Careful: the .version field for this is actually 0, not 1. 37 + */ 38 + #define FSCRYPT_POLICY_V1 0 39 + #define FSCRYPT_KEY_DESCRIPTOR_SIZE 8 40 + struct fscrypt_policy_v1 { 30 41 __u8 version; 31 42 __u8 contents_encryption_mode; 32 43 __u8 filenames_encryption_mode; 33 44 __u8 flags; 34 45 __u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 35 46 }; 47 + #define fscrypt_policy fscrypt_policy_v1 36 48 37 49 /* 38 50 * Process-subscribed "logon" key description prefix and payload format. ··· 58 50 }; 59 51 60 52 /* 61 - * Keys are specified by an arbitrary 8-byte key "descriptor", 62 - * matching fscrypt_policy::master_key_descriptor. 53 + * New policy version with HKDF and key verification (recommended). 54 + */ 55 + #define FSCRYPT_POLICY_V2 2 56 + #define FSCRYPT_KEY_IDENTIFIER_SIZE 16 57 + struct fscrypt_policy_v2 { 58 + __u8 version; 59 + __u8 contents_encryption_mode; 60 + __u8 filenames_encryption_mode; 61 + __u8 flags; 62 + __u8 __reserved[4]; 63 + __u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 64 + }; 65 + 66 + /* Struct passed to FS_IOC_GET_ENCRYPTION_POLICY_EX */ 67 + struct fscrypt_get_policy_ex_arg { 68 + __u64 policy_size; /* input/output */ 69 + union { 70 + __u8 version; 71 + struct fscrypt_policy_v1 v1; 72 + struct fscrypt_policy_v2 v2; 73 + } policy; /* output */ 74 + }; 75 + 76 + /* 77 + * v1 policy keys are specified by an arbitrary 8-byte key "descriptor", 78 + * matching fscrypt_policy_v1::master_key_descriptor. 63 79 */ 64 80 #define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR 1 65 81 66 82 /* 67 - * Specifies a key. This doesn't contain the actual key itself; this is just 68 - * the "name" of the key. 83 + * v2 policy keys are specified by a 16-byte key "identifier" which the kernel 84 + * calculates as a cryptographic hash of the key itself, 85 + * matching fscrypt_policy_v2::master_key_identifier. 86 + */ 87 + #define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER 2 88 + 89 + /* 90 + * Specifies a key, either for v1 or v2 policies. This doesn't contain the 91 + * actual key itself; this is just the "name" of the key. 69 92 */ 70 93 struct fscrypt_key_specifier { 71 94 __u32 type; /* one of FSCRYPT_KEY_SPEC_TYPE_* */ ··· 104 65 union { 105 66 __u8 __reserved[32]; /* reserve some extra space */ 106 67 __u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 68 + __u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; 107 69 } u; 108 70 }; 109 71 ··· 141 101 #define FS_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct fscrypt_policy) 142 102 #define FS_IOC_GET_ENCRYPTION_PWSALT _IOW('f', 20, __u8[16]) 143 103 #define FS_IOC_GET_ENCRYPTION_POLICY _IOW('f', 21, struct fscrypt_policy) 104 + #define FS_IOC_GET_ENCRYPTION_POLICY_EX _IOWR('f', 22, __u8[9]) /* size + version */ 144 105 #define FS_IOC_ADD_ENCRYPTION_KEY _IOWR('f', 23, struct fscrypt_add_key_arg) 145 106 #define FS_IOC_REMOVE_ENCRYPTION_KEY _IOWR('f', 24, struct fscrypt_remove_key_arg) 146 107 #define FS_IOC_GET_ENCRYPTION_KEY_STATUS _IOWR('f', 26, struct fscrypt_get_key_status_arg)