tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fscrypt: add inline encryption support

Add support for inline encryption to fs/crypto/. With "inline
encryption", the block layer handles the decryption/encryption as part
of the bio, instead of the filesystem doing the crypto itself via
Linux's crypto API. This model is needed in order to take advantage of
the inline encryption hardware present on most modern mobile SoCs.

To use inline encryption, the filesystem needs to be mounted with
'-o inlinecrypt'. Blk-crypto will then be used instead of the traditional
filesystem-layer crypto whenever possible to encrypt the contents
of any encrypted files in that filesystem. Fscrypt still provides the key
and IV to use, and the actual ciphertext on-disk is still the same;
therefore it's testable using the existing fscrypt ciphertext verification
tests.

Note that since blk-crypto has a fallback to Linux's crypto API, and
also supports all the encryption modes currently supported by fscrypt,
this feature is usable and testable even without actual inline
encryption hardware.

Per-filesystem changes will be needed to set encryption contexts when
submitting bios and to implement the 'inlinecrypt' mount option. This
patch just adds the common code.

Signed-off-by: Satya Tangirala <satyat@google.com>
Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20200702015607.1215430-3-satyat@google.com
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>

authored by

Satya Tangirala and committed by
Eric Biggers 5fee3609 457e7a13

+674 -48
+3
Documentation/filesystems/fscrypt.rst
··· 1255 1255 <https://github.com/tytso/xfstests-bld/blob/master/Documentation/kvm-quickstart.md>`_:: 1256 1256 1257 1257 kvm-xfstests -c ext4,f2fs -g encrypt 1258 + kvm-xfstests -c ext4,f2fs -g encrypt -m inlinecrypt 1258 1259 1259 1260 UBIFS encryption can also be tested this way, but it should be done in 1260 1261 a separate command, and it takes some time for kvm-xfstests to set up ··· 1277 1276 kvm-xfstests, use the "encrypt" filesystem configuration:: 1278 1277 1279 1278 kvm-xfstests -c ext4/encrypt,f2fs/encrypt -g auto 1279 + kvm-xfstests -c ext4/encrypt,f2fs/encrypt -g auto -m inlinecrypt 1280 1280 1281 1281 Because this runs many more tests than "-g encrypt" does, it takes 1282 1282 much longer to run; so also consider using `gce-xfstests ··· 1285 1283 instead of kvm-xfstests:: 1286 1284 1287 1285 gce-xfstests -c ext4/encrypt,f2fs/encrypt -g auto 1286 + gce-xfstests -c ext4/encrypt,f2fs/encrypt -g auto -m inlinecrypt
+6
fs/crypto/Kconfig
··· 24 24 select CRYPTO_SHA256 25 25 select CRYPTO_SHA512 26 26 select CRYPTO_XTS 27 + 28 + config FS_ENCRYPTION_INLINE_CRYPT 29 + bool "Enable fscrypt to use inline crypto" 30 + depends on FS_ENCRYPTION && BLK_INLINE_ENCRYPTION 31 + help 32 + Enable fscrypt to use inline encryption hardware if available.
+1
fs/crypto/Makefile
··· 11 11 policy.o 12 12 13 13 fscrypto-$(CONFIG_BLOCK) += bio.o 14 + fscrypto-$(CONFIG_FS_ENCRYPTION_INLINE_CRYPT) += inline_crypt.o
+51
fs/crypto/bio.c
··· 41 41 } 42 42 EXPORT_SYMBOL(fscrypt_decrypt_bio); 43 43 44 + static int fscrypt_zeroout_range_inline_crypt(const struct inode *inode, 45 + pgoff_t lblk, sector_t pblk, 46 + unsigned int len) 47 + { 48 + const unsigned int blockbits = inode->i_blkbits; 49 + const unsigned int blocks_per_page = 1 << (PAGE_SHIFT - blockbits); 50 + struct bio *bio; 51 + int ret, err = 0; 52 + int num_pages = 0; 53 + 54 + /* This always succeeds since __GFP_DIRECT_RECLAIM is set. */ 55 + bio = bio_alloc(GFP_NOFS, BIO_MAX_PAGES); 56 + 57 + while (len) { 58 + unsigned int blocks_this_page = min(len, blocks_per_page); 59 + unsigned int bytes_this_page = blocks_this_page << blockbits; 60 + 61 + if (num_pages == 0) { 62 + fscrypt_set_bio_crypt_ctx(bio, inode, lblk, GFP_NOFS); 63 + bio_set_dev(bio, inode->i_sb->s_bdev); 64 + bio->bi_iter.bi_sector = 65 + pblk << (blockbits - SECTOR_SHIFT); 66 + bio_set_op_attrs(bio, REQ_OP_WRITE, 0); 67 + } 68 + ret = bio_add_page(bio, ZERO_PAGE(0), bytes_this_page, 0); 69 + if (WARN_ON(ret != bytes_this_page)) { 70 + err = -EIO; 71 + goto out; 72 + } 73 + num_pages++; 74 + len -= blocks_this_page; 75 + lblk += blocks_this_page; 76 + pblk += blocks_this_page; 77 + if (num_pages == BIO_MAX_PAGES || !len || 78 + !fscrypt_mergeable_bio(bio, inode, lblk)) { 79 + err = submit_bio_wait(bio); 80 + if (err) 81 + goto out; 82 + bio_reset(bio); 83 + num_pages = 0; 84 + } 85 + } 86 + out: 87 + bio_put(bio); 88 + return err; 89 + } 90 + 44 91 /** 45 92 * fscrypt_zeroout_range() - zero out a range of blocks in an encrypted file 46 93 * @inode: the file's inode ··· 121 74 122 75 if (len == 0) 123 76 return 0; 77 + 78 + if (fscrypt_inode_uses_inline_crypto(inode)) 79 + return fscrypt_zeroout_range_inline_crypt(inode, lblk, pblk, 80 + len); 124 81 125 82 BUILD_BUG_ON(ARRAY_SIZE(pages) > BIO_MAX_PAGES); 126 83 nr_pages = min_t(unsigned int, ARRAY_SIZE(pages),
+1 -1
fs/crypto/crypto.c
··· 100 100 DECLARE_CRYPTO_WAIT(wait); 101 101 struct scatterlist dst, src; 102 102 struct fscrypt_info *ci = inode->i_crypt_info; 103 - struct crypto_skcipher *tfm = ci->ci_ctfm; 103 + struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; 104 104 int res = 0; 105 105 106 106 if (WARN_ON_ONCE(len <= 0))
+2 -2
fs/crypto/fname.c
··· 115 115 struct skcipher_request *req = NULL; 116 116 DECLARE_CRYPTO_WAIT(wait); 117 117 const struct fscrypt_info *ci = inode->i_crypt_info; 118 - struct crypto_skcipher *tfm = ci->ci_ctfm; 118 + struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; 119 119 union fscrypt_iv iv; 120 120 struct scatterlist sg; 121 121 int res; ··· 171 171 DECLARE_CRYPTO_WAIT(wait); 172 172 struct scatterlist src_sg, dst_sg; 173 173 const struct fscrypt_info *ci = inode->i_crypt_info; 174 - struct crypto_skcipher *tfm = ci->ci_ctfm; 174 + struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; 175 175 union fscrypt_iv iv; 176 176 int res; 177 177
+105 -10
fs/crypto/fscrypt_private.h
··· 14 14 #include <linux/fscrypt.h> 15 15 #include <linux/siphash.h> 16 16 #include <crypto/hash.h> 17 + #include <linux/blk-crypto.h> 17 18 18 19 #define CONST_STRLEN(str) (sizeof(str) - 1) 19 20 ··· 167 166 char encrypted_path[1]; 168 167 } __packed; 169 168 169 + /** 170 + * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption 171 + * @tfm: crypto API transform object 172 + * @blk_key: key for blk-crypto 173 + * 174 + * Normally only one of the fields will be non-NULL. 175 + */ 176 + struct fscrypt_prepared_key { 177 + struct crypto_skcipher *tfm; 178 + #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT 179 + struct fscrypt_blk_crypto_key *blk_key; 180 + #endif 181 + }; 182 + 170 183 /* 171 184 * fscrypt_info - the "encryption key" for an inode 172 185 * ··· 190 175 */ 191 176 struct fscrypt_info { 192 177 193 - /* The actual crypto transform used for encryption and decryption */ 194 - struct crypto_skcipher *ci_ctfm; 178 + /* The key in a form prepared for actual encryption/decryption */ 179 + struct fscrypt_prepared_key ci_enc_key; 195 180 196 - /* True if the key should be freed when this fscrypt_info is freed */ 181 + /* True if ci_enc_key should be freed when this fscrypt_info is freed */ 197 182 bool ci_owns_key; 183 + 184 + #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT 185 + /* 186 + * True if this inode will use inline encryption (blk-crypto) instead of 187 + * the traditional filesystem-layer encryption. 188 + */ 189 + bool ci_inlinecrypt; 190 + #endif 198 191 199 192 /* 200 193 * Encryption mode used for this inode. It corresponds to either the ··· 228 205 229 206 /* 230 207 * If non-NULL, then encryption is done using the master key directly 231 - * and ci_ctfm will equal ci_direct_key->dk_ctfm. 208 + * and ci_enc_key will equal ci_direct_key->dk_key. 232 209 */ 233 210 struct fscrypt_direct_key *ci_direct_key; 234 211 ··· 283 260 u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 284 261 }; 285 262 u8 raw[FSCRYPT_MAX_IV_SIZE]; 263 + __le64 dun[FSCRYPT_MAX_IV_SIZE / sizeof(__le64)]; 286 264 }; 287 265 288 266 void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, ··· 325 301 u8 *okm, unsigned int okmlen); 326 302 327 303 void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf); 304 + 305 + /* inline_crypt.c */ 306 + #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT 307 + int fscrypt_select_encryption_impl(struct fscrypt_info *ci); 308 + 309 + static inline bool 310 + fscrypt_using_inline_encryption(const struct fscrypt_info *ci) 311 + { 312 + return ci->ci_inlinecrypt; 313 + } 314 + 315 + int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 316 + const u8 *raw_key, 317 + const struct fscrypt_info *ci); 318 + 319 + void fscrypt_destroy_inline_crypt_key(struct fscrypt_prepared_key *prep_key); 320 + 321 + /* 322 + * Check whether the crypto transform or blk-crypto key has been allocated in 323 + * @prep_key, depending on which encryption implementation the file will use. 324 + */ 325 + static inline bool 326 + fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key, 327 + const struct fscrypt_info *ci) 328 + { 329 + /* 330 + * The READ_ONCE() here pairs with the smp_store_release() in 331 + * fscrypt_prepare_key(). (This only matters for the per-mode keys, 332 + * which are shared by multiple inodes.) 333 + */ 334 + if (fscrypt_using_inline_encryption(ci)) 335 + return READ_ONCE(prep_key->blk_key) != NULL; 336 + return READ_ONCE(prep_key->tfm) != NULL; 337 + } 338 + 339 + #else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */ 340 + 341 + static inline int fscrypt_select_encryption_impl(struct fscrypt_info *ci) 342 + { 343 + return 0; 344 + } 345 + 346 + static inline bool 347 + fscrypt_using_inline_encryption(const struct fscrypt_info *ci) 348 + { 349 + return false; 350 + } 351 + 352 + static inline int 353 + fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 354 + const u8 *raw_key, 355 + const struct fscrypt_info *ci) 356 + { 357 + WARN_ON(1); 358 + return -EOPNOTSUPP; 359 + } 360 + 361 + static inline void 362 + fscrypt_destroy_inline_crypt_key(struct fscrypt_prepared_key *prep_key) 363 + { 364 + } 365 + 366 + static inline bool 367 + fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key, 368 + const struct fscrypt_info *ci) 369 + { 370 + return READ_ONCE(prep_key->tfm) != NULL; 371 + } 372 + #endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */ 328 373 329 374 /* keyring.c */ 330 375 ··· 488 395 * Per-mode encryption keys for the various types of encryption policies 489 396 * that use them. Allocated and derived on-demand. 490 397 */ 491 - struct crypto_skcipher *mk_direct_keys[__FSCRYPT_MODE_MAX + 1]; 492 - struct crypto_skcipher *mk_iv_ino_lblk_64_keys[__FSCRYPT_MODE_MAX + 1]; 493 - struct crypto_skcipher *mk_iv_ino_lblk_32_keys[__FSCRYPT_MODE_MAX + 1]; 398 + struct fscrypt_prepared_key mk_direct_keys[__FSCRYPT_MODE_MAX + 1]; 399 + struct fscrypt_prepared_key mk_iv_ino_lblk_64_keys[__FSCRYPT_MODE_MAX + 1]; 400 + struct fscrypt_prepared_key mk_iv_ino_lblk_32_keys[__FSCRYPT_MODE_MAX + 1]; 494 401 495 402 /* Hash key for inode numbers. Initialized only when needed. */ 496 403 siphash_key_t mk_ino_hash_key; ··· 554 461 int keysize; 555 462 int ivsize; 556 463 int logged_impl_name; 464 + enum blk_crypto_mode_num blk_crypto_mode; 557 465 }; 558 466 559 467 extern struct fscrypt_mode fscrypt_modes[]; 560 468 561 - struct crypto_skcipher *fscrypt_allocate_skcipher(struct fscrypt_mode *mode, 562 - const u8 *raw_key, 563 - const struct inode *inode); 469 + int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key, 470 + const u8 *raw_key, const struct fscrypt_info *ci); 471 + 472 + void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key); 564 473 565 474 int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key); 566 475
+364
fs/crypto/inline_crypt.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Inline encryption support for fscrypt 4 + * 5 + * Copyright 2019 Google LLC 6 + */ 7 + 8 + /* 9 + * With "inline encryption", the block layer handles the decryption/encryption 10 + * as part of the bio, instead of the filesystem doing the crypto itself via 11 + * crypto API. See Documentation/block/inline-encryption.rst. fscrypt still 12 + * provides the key and IV to use. 13 + */ 14 + 15 + #include <linux/blk-crypto.h> 16 + #include <linux/blkdev.h> 17 + #include <linux/buffer_head.h> 18 + #include <linux/sched/mm.h> 19 + 20 + #include "fscrypt_private.h" 21 + 22 + struct fscrypt_blk_crypto_key { 23 + struct blk_crypto_key base; 24 + int num_devs; 25 + struct request_queue *devs[]; 26 + }; 27 + 28 + static int fscrypt_get_num_devices(struct super_block *sb) 29 + { 30 + if (sb->s_cop->get_num_devices) 31 + return sb->s_cop->get_num_devices(sb); 32 + return 1; 33 + } 34 + 35 + static void fscrypt_get_devices(struct super_block *sb, int num_devs, 36 + struct request_queue **devs) 37 + { 38 + if (num_devs == 1) 39 + devs[0] = bdev_get_queue(sb->s_bdev); 40 + else 41 + sb->s_cop->get_devices(sb, devs); 42 + } 43 + 44 + static unsigned int fscrypt_get_dun_bytes(const struct fscrypt_info *ci) 45 + { 46 + struct super_block *sb = ci->ci_inode->i_sb; 47 + unsigned int flags = fscrypt_policy_flags(&ci->ci_policy); 48 + int ino_bits = 64, lblk_bits = 64; 49 + 50 + if (flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) 51 + return offsetofend(union fscrypt_iv, nonce); 52 + 53 + if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) 54 + return sizeof(__le64); 55 + 56 + if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) 57 + return sizeof(__le32); 58 + 59 + /* Default case: IVs are just the file logical block number */ 60 + if (sb->s_cop->get_ino_and_lblk_bits) 61 + sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits); 62 + return DIV_ROUND_UP(lblk_bits, 8); 63 + } 64 + 65 + /* Enable inline encryption for this file if supported. */ 66 + int fscrypt_select_encryption_impl(struct fscrypt_info *ci) 67 + { 68 + const struct inode *inode = ci->ci_inode; 69 + struct super_block *sb = inode->i_sb; 70 + struct blk_crypto_config crypto_cfg; 71 + int num_devs; 72 + struct request_queue **devs; 73 + int i; 74 + 75 + /* The file must need contents encryption, not filenames encryption */ 76 + if (!fscrypt_needs_contents_encryption(inode)) 77 + return 0; 78 + 79 + /* The crypto mode must have a blk-crypto counterpart */ 80 + if (ci->ci_mode->blk_crypto_mode == BLK_ENCRYPTION_MODE_INVALID) 81 + return 0; 82 + 83 + /* The filesystem must be mounted with -o inlinecrypt */ 84 + if (!(sb->s_flags & SB_INLINECRYPT)) 85 + return 0; 86 + 87 + /* 88 + * When a page contains multiple logically contiguous filesystem blocks, 89 + * some filesystem code only calls fscrypt_mergeable_bio() for the first 90 + * block in the page. This is fine for most of fscrypt's IV generation 91 + * strategies, where contiguous blocks imply contiguous IVs. But it 92 + * doesn't work with IV_INO_LBLK_32. For now, simply exclude 93 + * IV_INO_LBLK_32 with blocksize != PAGE_SIZE from inline encryption. 94 + */ 95 + if ((fscrypt_policy_flags(&ci->ci_policy) & 96 + FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) && 97 + sb->s_blocksize != PAGE_SIZE) 98 + return 0; 99 + 100 + /* 101 + * On all the filesystem's devices, blk-crypto must support the crypto 102 + * configuration that the file would use. 103 + */ 104 + crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode; 105 + crypto_cfg.data_unit_size = sb->s_blocksize; 106 + crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci); 107 + num_devs = fscrypt_get_num_devices(sb); 108 + devs = kmalloc_array(num_devs, sizeof(*devs), GFP_NOFS); 109 + if (!devs) 110 + return -ENOMEM; 111 + fscrypt_get_devices(sb, num_devs, devs); 112 + 113 + for (i = 0; i < num_devs; i++) { 114 + if (!blk_crypto_config_supported(devs[i], &crypto_cfg)) 115 + goto out_free_devs; 116 + } 117 + 118 + ci->ci_inlinecrypt = true; 119 + out_free_devs: 120 + kfree(devs); 121 + 122 + return 0; 123 + } 124 + 125 + int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 126 + const u8 *raw_key, 127 + const struct fscrypt_info *ci) 128 + { 129 + const struct inode *inode = ci->ci_inode; 130 + struct super_block *sb = inode->i_sb; 131 + enum blk_crypto_mode_num crypto_mode = ci->ci_mode->blk_crypto_mode; 132 + int num_devs = fscrypt_get_num_devices(sb); 133 + int queue_refs = 0; 134 + struct fscrypt_blk_crypto_key *blk_key; 135 + int err; 136 + int i; 137 + unsigned int flags; 138 + 139 + blk_key = kzalloc(struct_size(blk_key, devs, num_devs), GFP_NOFS); 140 + if (!blk_key) 141 + return -ENOMEM; 142 + 143 + blk_key->num_devs = num_devs; 144 + fscrypt_get_devices(sb, num_devs, blk_key->devs); 145 + 146 + err = blk_crypto_init_key(&blk_key->base, raw_key, crypto_mode, 147 + fscrypt_get_dun_bytes(ci), sb->s_blocksize); 148 + if (err) { 149 + fscrypt_err(inode, "error %d initializing blk-crypto key", err); 150 + goto fail; 151 + } 152 + 153 + /* 154 + * We have to start using blk-crypto on all the filesystem's devices. 155 + * We also have to save all the request_queue's for later so that the 156 + * key can be evicted from them. This is needed because some keys 157 + * aren't destroyed until after the filesystem was already unmounted 158 + * (namely, the per-mode keys in struct fscrypt_master_key). 159 + */ 160 + for (i = 0; i < num_devs; i++) { 161 + if (!blk_get_queue(blk_key->devs[i])) { 162 + fscrypt_err(inode, "couldn't get request_queue"); 163 + err = -EAGAIN; 164 + goto fail; 165 + } 166 + queue_refs++; 167 + 168 + flags = memalloc_nofs_save(); 169 + err = blk_crypto_start_using_key(&blk_key->base, 170 + blk_key->devs[i]); 171 + memalloc_nofs_restore(flags); 172 + if (err) { 173 + fscrypt_err(inode, 174 + "error %d starting to use blk-crypto", err); 175 + goto fail; 176 + } 177 + } 178 + /* 179 + * Pairs with READ_ONCE() in fscrypt_is_key_prepared(). (Only matters 180 + * for the per-mode keys, which are shared by multiple inodes.) 181 + */ 182 + smp_store_release(&prep_key->blk_key, blk_key); 183 + return 0; 184 + 185 + fail: 186 + for (i = 0; i < queue_refs; i++) 187 + blk_put_queue(blk_key->devs[i]); 188 + kzfree(blk_key); 189 + return err; 190 + } 191 + 192 + void fscrypt_destroy_inline_crypt_key(struct fscrypt_prepared_key *prep_key) 193 + { 194 + struct fscrypt_blk_crypto_key *blk_key = prep_key->blk_key; 195 + int i; 196 + 197 + if (blk_key) { 198 + for (i = 0; i < blk_key->num_devs; i++) { 199 + blk_crypto_evict_key(blk_key->devs[i], &blk_key->base); 200 + blk_put_queue(blk_key->devs[i]); 201 + } 202 + kzfree(blk_key); 203 + } 204 + } 205 + 206 + bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode) 207 + { 208 + return inode->i_crypt_info->ci_inlinecrypt; 209 + } 210 + EXPORT_SYMBOL_GPL(__fscrypt_inode_uses_inline_crypto); 211 + 212 + static void fscrypt_generate_dun(const struct fscrypt_info *ci, u64 lblk_num, 213 + u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE]) 214 + { 215 + union fscrypt_iv iv; 216 + int i; 217 + 218 + fscrypt_generate_iv(&iv, lblk_num, ci); 219 + 220 + BUILD_BUG_ON(FSCRYPT_MAX_IV_SIZE > BLK_CRYPTO_MAX_IV_SIZE); 221 + memset(dun, 0, BLK_CRYPTO_MAX_IV_SIZE); 222 + for (i = 0; i < ci->ci_mode->ivsize/sizeof(dun[0]); i++) 223 + dun[i] = le64_to_cpu(iv.dun[i]); 224 + } 225 + 226 + /** 227 + * fscrypt_set_bio_crypt_ctx() - prepare a file contents bio for inline crypto 228 + * @bio: a bio which will eventually be submitted to the file 229 + * @inode: the file's inode 230 + * @first_lblk: the first file logical block number in the I/O 231 + * @gfp_mask: memory allocation flags - these must be a waiting mask so that 232 + * bio_crypt_set_ctx can't fail. 233 + * 234 + * If the contents of the file should be encrypted (or decrypted) with inline 235 + * encryption, then assign the appropriate encryption context to the bio. 236 + * 237 + * Normally the bio should be newly allocated (i.e. no pages added yet), as 238 + * otherwise fscrypt_mergeable_bio() won't work as intended. 239 + * 240 + * The encryption context will be freed automatically when the bio is freed. 241 + */ 242 + void fscrypt_set_bio_crypt_ctx(struct bio *bio, const struct inode *inode, 243 + u64 first_lblk, gfp_t gfp_mask) 244 + { 245 + const struct fscrypt_info *ci = inode->i_crypt_info; 246 + u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE]; 247 + 248 + if (!fscrypt_inode_uses_inline_crypto(inode)) 249 + return; 250 + 251 + fscrypt_generate_dun(ci, first_lblk, dun); 252 + bio_crypt_set_ctx(bio, &ci->ci_enc_key.blk_key->base, dun, gfp_mask); 253 + } 254 + EXPORT_SYMBOL_GPL(fscrypt_set_bio_crypt_ctx); 255 + 256 + /* Extract the inode and logical block number from a buffer_head. */ 257 + static bool bh_get_inode_and_lblk_num(const struct buffer_head *bh, 258 + const struct inode **inode_ret, 259 + u64 *lblk_num_ret) 260 + { 261 + struct page *page = bh->b_page; 262 + const struct address_space *mapping; 263 + const struct inode *inode; 264 + 265 + /* 266 + * The ext4 journal (jbd2) can submit a buffer_head it directly created 267 + * for a non-pagecache page. fscrypt doesn't care about these. 268 + */ 269 + mapping = page_mapping(page); 270 + if (!mapping) 271 + return false; 272 + inode = mapping->host; 273 + 274 + *inode_ret = inode; 275 + *lblk_num_ret = ((u64)page->index << (PAGE_SHIFT - inode->i_blkbits)) + 276 + (bh_offset(bh) >> inode->i_blkbits); 277 + return true; 278 + } 279 + 280 + /** 281 + * fscrypt_set_bio_crypt_ctx_bh() - prepare a file contents bio for inline 282 + * crypto 283 + * @bio: a bio which will eventually be submitted to the file 284 + * @first_bh: the first buffer_head for which I/O will be submitted 285 + * @gfp_mask: memory allocation flags 286 + * 287 + * Same as fscrypt_set_bio_crypt_ctx(), except this takes a buffer_head instead 288 + * of an inode and block number directly. 289 + */ 290 + void fscrypt_set_bio_crypt_ctx_bh(struct bio *bio, 291 + const struct buffer_head *first_bh, 292 + gfp_t gfp_mask) 293 + { 294 + const struct inode *inode; 295 + u64 first_lblk; 296 + 297 + if (bh_get_inode_and_lblk_num(first_bh, &inode, &first_lblk)) 298 + fscrypt_set_bio_crypt_ctx(bio, inode, first_lblk, gfp_mask); 299 + } 300 + EXPORT_SYMBOL_GPL(fscrypt_set_bio_crypt_ctx_bh); 301 + 302 + /** 303 + * fscrypt_mergeable_bio() - test whether data can be added to a bio 304 + * @bio: the bio being built up 305 + * @inode: the inode for the next part of the I/O 306 + * @next_lblk: the next file logical block number in the I/O 307 + * 308 + * When building a bio which may contain data which should undergo inline 309 + * encryption (or decryption) via fscrypt, filesystems should call this function 310 + * to ensure that the resulting bio contains only contiguous data unit numbers. 311 + * This will return false if the next part of the I/O cannot be merged with the 312 + * bio because either the encryption key would be different or the encryption 313 + * data unit numbers would be discontiguous. 314 + * 315 + * fscrypt_set_bio_crypt_ctx() must have already been called on the bio. 316 + * 317 + * Return: true iff the I/O is mergeable 318 + */ 319 + bool fscrypt_mergeable_bio(struct bio *bio, const struct inode *inode, 320 + u64 next_lblk) 321 + { 322 + const struct bio_crypt_ctx *bc = bio->bi_crypt_context; 323 + u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]; 324 + 325 + if (!!bc != fscrypt_inode_uses_inline_crypto(inode)) 326 + return false; 327 + if (!bc) 328 + return true; 329 + 330 + /* 331 + * Comparing the key pointers is good enough, as all I/O for each key 332 + * uses the same pointer. I.e., there's currently no need to support 333 + * merging requests where the keys are the same but the pointers differ. 334 + */ 335 + if (bc->bc_key != &inode->i_crypt_info->ci_enc_key.blk_key->base) 336 + return false; 337 + 338 + fscrypt_generate_dun(inode->i_crypt_info, next_lblk, next_dun); 339 + return bio_crypt_dun_is_contiguous(bc, bio->bi_iter.bi_size, next_dun); 340 + } 341 + EXPORT_SYMBOL_GPL(fscrypt_mergeable_bio); 342 + 343 + /** 344 + * fscrypt_mergeable_bio_bh() - test whether data can be added to a bio 345 + * @bio: the bio being built up 346 + * @next_bh: the next buffer_head for which I/O will be submitted 347 + * 348 + * Same as fscrypt_mergeable_bio(), except this takes a buffer_head instead of 349 + * an inode and block number directly. 350 + * 351 + * Return: true iff the I/O is mergeable 352 + */ 353 + bool fscrypt_mergeable_bio_bh(struct bio *bio, 354 + const struct buffer_head *next_bh) 355 + { 356 + const struct inode *inode; 357 + u64 next_lblk; 358 + 359 + if (!bh_get_inode_and_lblk_num(next_bh, &inode, &next_lblk)) 360 + return !bio->bi_crypt_context; 361 + 362 + return fscrypt_mergeable_bio(bio, inode, next_lblk); 363 + } 364 + EXPORT_SYMBOL_GPL(fscrypt_mergeable_bio_bh);
+3 -3
fs/crypto/keyring.c
··· 45 45 wipe_master_key_secret(&mk->mk_secret); 46 46 47 47 for (i = 0; i <= __FSCRYPT_MODE_MAX; i++) { 48 - crypto_free_skcipher(mk->mk_direct_keys[i]); 49 - crypto_free_skcipher(mk->mk_iv_ino_lblk_64_keys[i]); 50 - crypto_free_skcipher(mk->mk_iv_ino_lblk_32_keys[i]); 48 + fscrypt_destroy_prepared_key(&mk->mk_direct_keys[i]); 49 + fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_64_keys[i]); 50 + fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_32_keys[i]); 51 51 } 52 52 53 53 key_put(mk->mk_users);
+49 -23
fs/crypto/keysetup.c
··· 19 19 .cipher_str = "xts(aes)", 20 20 .keysize = 64, 21 21 .ivsize = 16, 22 + .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS, 22 23 }, 23 24 [FSCRYPT_MODE_AES_256_CTS] = { 24 25 .friendly_name = "AES-256-CTS-CBC", ··· 32 31 .cipher_str = "essiv(cbc(aes),sha256)", 33 32 .keysize = 16, 34 33 .ivsize = 16, 34 + .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV, 35 35 }, 36 36 [FSCRYPT_MODE_AES_128_CTS] = { 37 37 .friendly_name = "AES-128-CTS-CBC", ··· 45 43 .cipher_str = "adiantum(xchacha12,aes)", 46 44 .keysize = 32, 47 45 .ivsize = 32, 46 + .blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM, 48 47 }, 49 48 }; 50 49 ··· 67 64 } 68 65 69 66 /* Create a symmetric cipher object for the given encryption mode and key */ 70 - struct crypto_skcipher *fscrypt_allocate_skcipher(struct fscrypt_mode *mode, 71 - const u8 *raw_key, 72 - const struct inode *inode) 67 + static struct crypto_skcipher * 68 + fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, 69 + const struct inode *inode) 73 70 { 74 71 struct crypto_skcipher *tfm; 75 72 int err; ··· 112 109 return ERR_PTR(err); 113 110 } 114 111 115 - /* Given a per-file encryption key, set up the file's crypto transform object */ 116 - int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key) 112 + /* 113 + * Prepare the crypto transform object or blk-crypto key in @prep_key, given the 114 + * raw key, encryption mode, and flag indicating which encryption implementation 115 + * (fs-layer or blk-crypto) will be used. 116 + */ 117 + int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key, 118 + const u8 *raw_key, const struct fscrypt_info *ci) 117 119 { 118 120 struct crypto_skcipher *tfm; 121 + 122 + if (fscrypt_using_inline_encryption(ci)) 123 + return fscrypt_prepare_inline_crypt_key(prep_key, raw_key, ci); 119 124 120 125 tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode); 121 126 if (IS_ERR(tfm)) 122 127 return PTR_ERR(tfm); 123 - 124 - ci->ci_ctfm = tfm; 125 - ci->ci_owns_key = true; 128 + /* 129 + * Pairs with READ_ONCE() in fscrypt_is_key_prepared(). (Only matters 130 + * for the per-mode keys, which are shared by multiple inodes.) 131 + */ 132 + smp_store_release(&prep_key->tfm, tfm); 126 133 return 0; 134 + } 135 + 136 + /* Destroy a crypto transform object and/or blk-crypto key. */ 137 + void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key) 138 + { 139 + crypto_free_skcipher(prep_key->tfm); 140 + fscrypt_destroy_inline_crypt_key(prep_key); 141 + } 142 + 143 + /* Given a per-file encryption key, set up the file's crypto transform object */ 144 + int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key) 145 + { 146 + ci->ci_owns_key = true; 147 + return fscrypt_prepare_key(&ci->ci_enc_key, raw_key, ci); 127 148 } 128 149 129 150 static int setup_per_mode_enc_key(struct fscrypt_info *ci, 130 151 struct fscrypt_master_key *mk, 131 - struct crypto_skcipher **tfms, 152 + struct fscrypt_prepared_key *keys, 132 153 u8 hkdf_context, bool include_fs_uuid) 133 154 { 134 155 const struct inode *inode = ci->ci_inode; 135 156 const struct super_block *sb = inode->i_sb; 136 157 struct fscrypt_mode *mode = ci->ci_mode; 137 158 const u8 mode_num = mode - fscrypt_modes; 138 - struct crypto_skcipher *tfm; 159 + struct fscrypt_prepared_key *prep_key; 139 160 u8 mode_key[FSCRYPT_MAX_KEY_SIZE]; 140 161 u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)]; 141 162 unsigned int hkdf_infolen = 0; ··· 168 141 if (WARN_ON(mode_num > __FSCRYPT_MODE_MAX)) 169 142 return -EINVAL; 170 143 171 - /* pairs with smp_store_release() below */ 172 - tfm = READ_ONCE(tfms[mode_num]); 173 - if (likely(tfm != NULL)) { 174 - ci->ci_ctfm = tfm; 144 + prep_key = &keys[mode_num]; 145 + if (fscrypt_is_key_prepared(prep_key, ci)) { 146 + ci->ci_enc_key = *prep_key; 175 147 return 0; 176 148 } 177 149 178 150 mutex_lock(&fscrypt_mode_key_setup_mutex); 179 151 180 - if (tfms[mode_num]) 152 + if (fscrypt_is_key_prepared(prep_key, ci)) 181 153 goto done_unlock; 182 154 183 155 BUILD_BUG_ON(sizeof(mode_num) != 1); ··· 193 167 mode_key, mode->keysize); 194 168 if (err) 195 169 goto out_unlock; 196 - tfm = fscrypt_allocate_skcipher(mode, mode_key, inode); 170 + err = fscrypt_prepare_key(prep_key, mode_key, ci); 197 171 memzero_explicit(mode_key, mode->keysize); 198 - if (IS_ERR(tfm)) { 199 - err = PTR_ERR(tfm); 172 + if (err) 200 173 goto out_unlock; 201 - } 202 - /* pairs with READ_ONCE() above */ 203 - smp_store_release(&tfms[mode_num], tfm); 204 174 done_unlock: 205 - ci->ci_ctfm = tfm; 175 + ci->ci_enc_key = *prep_key; 206 176 err = 0; 207 177 out_unlock: 208 178 mutex_unlock(&fscrypt_mode_key_setup_mutex); ··· 332 310 struct fscrypt_key_specifier mk_spec; 333 311 int err; 334 312 313 + err = fscrypt_select_encryption_impl(ci); 314 + if (err) 315 + return err; 316 + 335 317 switch (ci->ci_policy.version) { 336 318 case FSCRYPT_POLICY_V1: 337 319 mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; ··· 428 402 if (ci->ci_direct_key) 429 403 fscrypt_put_direct_key(ci->ci_direct_key); 430 404 else if (ci->ci_owns_key) 431 - crypto_free_skcipher(ci->ci_ctfm); 405 + fscrypt_destroy_prepared_key(&ci->ci_enc_key); 432 406 433 407 key = ci->ci_master_key; 434 408 if (key) {
+7 -9
fs/crypto/keysetup_v1.c
··· 146 146 struct hlist_node dk_node; 147 147 refcount_t dk_refcount; 148 148 const struct fscrypt_mode *dk_mode; 149 - struct crypto_skcipher *dk_ctfm; 149 + struct fscrypt_prepared_key dk_key; 150 150 u8 dk_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 151 151 u8 dk_raw[FSCRYPT_MAX_KEY_SIZE]; 152 152 }; ··· 154 154 static void free_direct_key(struct fscrypt_direct_key *dk) 155 155 { 156 156 if (dk) { 157 - crypto_free_skcipher(dk->dk_ctfm); 157 + fscrypt_destroy_prepared_key(&dk->dk_key); 158 158 kzfree(dk); 159 159 } 160 160 } ··· 199 199 continue; 200 200 if (ci->ci_mode != dk->dk_mode) 201 201 continue; 202 + if (!fscrypt_is_key_prepared(&dk->dk_key, ci)) 203 + continue; 202 204 if (crypto_memneq(raw_key, dk->dk_raw, ci->ci_mode->keysize)) 203 205 continue; 204 206 /* using existing tfm with same (descriptor, mode, raw_key) */ ··· 233 231 return ERR_PTR(-ENOMEM); 234 232 refcount_set(&dk->dk_refcount, 1); 235 233 dk->dk_mode = ci->ci_mode; 236 - dk->dk_ctfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, 237 - ci->ci_inode); 238 - if (IS_ERR(dk->dk_ctfm)) { 239 - err = PTR_ERR(dk->dk_ctfm); 240 - dk->dk_ctfm = NULL; 234 + err = fscrypt_prepare_key(&dk->dk_key, raw_key, ci); 235 + if (err) 241 236 goto err_free_dk; 242 - } 243 237 memcpy(dk->dk_descriptor, ci->ci_policy.v1.master_key_descriptor, 244 238 FSCRYPT_KEY_DESCRIPTOR_SIZE); 245 239 memcpy(dk->dk_raw, raw_key, ci->ci_mode->keysize); ··· 257 259 if (IS_ERR(dk)) 258 260 return PTR_ERR(dk); 259 261 ci->ci_direct_key = dk; 260 - ci->ci_ctfm = dk->dk_ctfm; 262 + ci->ci_enc_key = dk->dk_key; 261 263 return 0; 262 264 } 263 265
+82
include/linux/fscrypt.h
··· 69 69 bool (*has_stable_inodes)(struct super_block *sb); 70 70 void (*get_ino_and_lblk_bits)(struct super_block *sb, 71 71 int *ino_bits_ret, int *lblk_bits_ret); 72 + int (*get_num_devices)(struct super_block *sb); 73 + void (*get_devices)(struct super_block *sb, 74 + struct request_queue **devs); 72 75 }; 73 76 74 77 static inline bool fscrypt_has_encryption_key(const struct inode *inode) ··· 539 536 } 540 537 541 538 #endif /* !CONFIG_FS_ENCRYPTION */ 539 + 540 + /* inline_crypt.c */ 541 + #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT 542 + 543 + bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode); 544 + 545 + void fscrypt_set_bio_crypt_ctx(struct bio *bio, 546 + const struct inode *inode, u64 first_lblk, 547 + gfp_t gfp_mask); 548 + 549 + void fscrypt_set_bio_crypt_ctx_bh(struct bio *bio, 550 + const struct buffer_head *first_bh, 551 + gfp_t gfp_mask); 552 + 553 + bool fscrypt_mergeable_bio(struct bio *bio, const struct inode *inode, 554 + u64 next_lblk); 555 + 556 + bool fscrypt_mergeable_bio_bh(struct bio *bio, 557 + const struct buffer_head *next_bh); 558 + 559 + #else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */ 560 + 561 + static inline bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode) 562 + { 563 + return false; 564 + } 565 + 566 + static inline void fscrypt_set_bio_crypt_ctx(struct bio *bio, 567 + const struct inode *inode, 568 + u64 first_lblk, gfp_t gfp_mask) { } 569 + 570 + static inline void fscrypt_set_bio_crypt_ctx_bh( 571 + struct bio *bio, 572 + const struct buffer_head *first_bh, 573 + gfp_t gfp_mask) { } 574 + 575 + static inline bool fscrypt_mergeable_bio(struct bio *bio, 576 + const struct inode *inode, 577 + u64 next_lblk) 578 + { 579 + return true; 580 + } 581 + 582 + static inline bool fscrypt_mergeable_bio_bh(struct bio *bio, 583 + const struct buffer_head *next_bh) 584 + { 585 + return true; 586 + } 587 + #endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */ 588 + 589 + /** 590 + * fscrypt_inode_uses_inline_crypto() - test whether an inode uses inline 591 + * encryption 592 + * @inode: an inode. If encrypted, its key must be set up. 593 + * 594 + * Return: true if the inode requires file contents encryption and if the 595 + * encryption should be done in the block layer via blk-crypto rather 596 + * than in the filesystem layer. 597 + */ 598 + static inline bool fscrypt_inode_uses_inline_crypto(const struct inode *inode) 599 + { 600 + return fscrypt_needs_contents_encryption(inode) && 601 + __fscrypt_inode_uses_inline_crypto(inode); 602 + } 603 + 604 + /** 605 + * fscrypt_inode_uses_fs_layer_crypto() - test whether an inode uses fs-layer 606 + * encryption 607 + * @inode: an inode. If encrypted, its key must be set up. 608 + * 609 + * Return: true if the inode requires file contents encryption and if the 610 + * encryption should be done in the filesystem layer rather than in the 611 + * block layer via blk-crypto. 612 + */ 613 + static inline bool fscrypt_inode_uses_fs_layer_crypto(const struct inode *inode) 614 + { 615 + return fscrypt_needs_contents_encryption(inode) && 616 + !__fscrypt_inode_uses_inline_crypto(inode); 617 + } 542 618 543 619 /** 544 620 * fscrypt_require_key() - require an inode's encryption key