tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
fscrypt: remove filesystem specific build config option
In order to have a common code base for fscrypt "post read" processing
for all filesystems which support encryption, this commit removes
filesystem specific build config option (e.g. CONFIG_EXT4_FS_ENCRYPTION)
and replaces it with a build option (i.e. CONFIG_FS_ENCRYPTION) whose
value affects all the filesystems making use of fscrypt.
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
authored by
Chandan Rajendra
and committed by
Theodore Ts'o
643fa961
62230e0d
+460
-535
+2
-2
Documentation/filesystems/fscrypt.rst
+2
-2
Documentation/filesystems/fscrypt.rst
···
343
343
- ``ENOTEMPTY``: the file is unencrypted and is a nonempty directory
344
344
- ``ENOTTY``: this type of filesystem does not implement encryption
345
345
- ``EOPNOTSUPP``: the kernel was not configured with encryption
346
-
support for this filesystem, or the filesystem superblock has not
346
+
support for filesystems, or the filesystem superblock has not
347
347
had encryption enabled on it. (For example, to use encryption on an
348
-
ext4 filesystem, CONFIG_EXT4_ENCRYPTION must be enabled in the
348
+
ext4 filesystem, CONFIG_FS_ENCRYPTION must be enabled in the
349
349
kernel config, and the superblock must have had the "encrypt"
350
350
feature flag enabled using ``tune2fs -O encrypt`` or ``mkfs.ext4 -O
351
351
encrypt``.)
+1
-1
arch/mips/configs/generic_defconfig
+1
-1
arch/mips/configs/generic_defconfig
+1
-1
arch/nds32/configs/defconfig
+1
-1
arch/nds32/configs/defconfig
+1
-1
arch/s390/configs/debug_defconfig
+1
-1
arch/s390/configs/debug_defconfig
···
500
500
CONFIG_EXT4_FS=y
501
501
CONFIG_EXT4_FS_POSIX_ACL=y
502
502
CONFIG_EXT4_FS_SECURITY=y
503
-
CONFIG_EXT4_ENCRYPTION=y
504
503
CONFIG_JBD2_DEBUG=y
505
504
CONFIG_JFS_FS=m
506
505
CONFIG_JFS_POSIX_ACL=y
···
519
520
CONFIG_NILFS2_FS=m
520
521
CONFIG_FS_DAX=y
521
522
CONFIG_EXPORTFS_BLOCK_OPS=y
523
+
CONFIG_FS_ENCRYPTION=y
522
524
CONFIG_FANOTIFY=y
523
525
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
524
526
CONFIG_QUOTA_NETLINK_INTERFACE=y
+1
-1
arch/s390/configs/performance_defconfig
+1
-1
arch/s390/configs/performance_defconfig
···
497
497
CONFIG_EXT4_FS=y
498
498
CONFIG_EXT4_FS_POSIX_ACL=y
499
499
CONFIG_EXT4_FS_SECURITY=y
500
-
CONFIG_EXT4_ENCRYPTION=y
501
500
CONFIG_JBD2_DEBUG=y
502
501
CONFIG_JFS_FS=m
503
502
CONFIG_JFS_POSIX_ACL=y
···
514
515
CONFIG_NILFS2_FS=m
515
516
CONFIG_FS_DAX=y
516
517
CONFIG_EXPORTFS_BLOCK_OPS=y
518
+
CONFIG_FS_ENCRYPTION=y
517
519
CONFIG_FANOTIFY=y
518
520
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
519
521
CONFIG_QUOTA_NETLINK_INTERFACE=y
+3
-2
fs/crypto/Kconfig
+3
-2
fs/crypto/Kconfig
···
1
1
config FS_ENCRYPTION
2
-
tristate "FS Encryption (Per-file encryption)"
2
+
bool "FS Encryption (Per-file encryption)"
3
3
select CRYPTO
4
4
select CRYPTO_AES
5
5
select CRYPTO_CBC
···
12
12
Enable encryption of files and directories. This
13
13
feature is similar to ecryptfs, but it is more memory
14
14
efficient since it avoids caching the encrypted and
15
-
decrypted pages in the page cache.
15
+
decrypted pages in the page cache. Currently Ext4,
16
+
F2FS and UBIFS make use of this feature.
-1
fs/crypto/fscrypt_private.h
-1
fs/crypto/fscrypt_private.h
-15
fs/ext4/Kconfig
-15
fs/ext4/Kconfig
···
96
96
If you are not using a security module that requires using
97
97
extended attributes for file security labels, say N.
98
98
99
-
config EXT4_ENCRYPTION
100
-
bool "Ext4 Encryption"
101
-
depends on EXT4_FS
102
-
select FS_ENCRYPTION
103
-
help
104
-
Enable encryption of ext4 files and directories. This
105
-
feature is similar to ecryptfs, but it is more memory
106
-
efficient since it avoids caching the encrypted and
107
-
decrypted pages in the page cache.
108
-
109
-
config EXT4_FS_ENCRYPTION
110
-
bool
111
-
default y
112
-
depends on EXT4_ENCRYPTION
113
-
114
99
config EXT4_DEBUG
115
100
bool "EXT4 debugging support"
116
101
depends on EXT4_FS
-2
fs/ext4/dir.c
-2
fs/ext4/dir.c
+3
-4
fs/ext4/ext4.h
+3
-4
fs/ext4/ext4.h
···
40
40
#include <linux/compat.h>
41
41
#endif
42
42
43
-
#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_EXT4_FS_ENCRYPTION)
44
43
#include <linux/fscrypt.h>
45
44
46
45
#include <linux/compiler.h>
···
1325
1326
#define EXT4_MF_FS_ABORTED 0x0002 /* Fatal error detected */
1326
1327
#define EXT4_MF_TEST_DUMMY_ENCRYPTION 0x0004
1327
1328
1328
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1329
+
#ifdef CONFIG_FS_ENCRYPTION
1329
1330
#define DUMMY_ENCRYPTION_ENABLED(sbi) (unlikely((sbi)->s_mount_flags & \
1330
1331
EXT4_MF_TEST_DUMMY_ENCRYPTION))
1331
1332
#else
···
2050
2051
const struct qstr *usr_fname;
2051
2052
struct fscrypt_str disk_name;
2052
2053
struct dx_hash_info hinfo;
2053
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
2054
+
#ifdef CONFIG_FS_ENCRYPTION
2054
2055
struct fscrypt_str crypto_buf;
2055
2056
#endif
2056
2057
};
···
2278
2279
struct ext4_group_desc *gdp);
2279
2280
ext4_fsblk_t ext4_inode_to_goal_block(struct inode *);
2280
2281
2281
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
2282
+
#ifdef CONFIG_FS_ENCRYPTION
2282
2283
static inline int ext4_fname_setup_filename(struct inode *dir,
2283
2284
const struct qstr *iname,
2284
2285
int lookup, struct ext4_filename *fname)
+4
-4
fs/ext4/inode.c
+4
-4
fs/ext4/inode.c
···
1150
1150
return ret;
1151
1151
}
1152
1152
1153
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1153
+
#ifdef CONFIG_FS_ENCRYPTION
1154
1154
static int ext4_block_write_begin(struct page *page, loff_t pos, unsigned len,
1155
1155
get_block_t *get_block)
1156
1156
{
···
1302
1302
/* In case writeback began while the page was unlocked */
1303
1303
wait_for_stable_page(page);
1304
1304
1305
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1305
+
#ifdef CONFIG_FS_ENCRYPTION
1306
1306
if (ext4_should_dioread_nolock(inode))
1307
1307
ret = ext4_block_write_begin(page, pos, len,
1308
1308
ext4_get_block_unwritten);
···
3104
3104
/* In case writeback began while the page was unlocked */
3105
3105
wait_for_stable_page(page);
3106
3106
3107
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
3107
+
#ifdef CONFIG_FS_ENCRYPTION
3108
3108
ret = ext4_block_write_begin(page, pos, len,
3109
3109
ext4_da_get_block_prep);
3110
3110
#else
···
3879
3879
loff_t offset = iocb->ki_pos;
3880
3880
ssize_t ret;
3881
3881
3882
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
3882
+
#ifdef CONFIG_FS_ENCRYPTION
3883
3883
if (IS_ENCRYPTED(inode) && S_ISREG(inode->i_mode))
3884
3884
return 0;
3885
3885
#endif
+2
-2
fs/ext4/ioctl.c
+2
-2
fs/ext4/ioctl.c
···
210
210
return err;
211
211
}
212
212
213
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
213
+
#ifdef CONFIG_FS_ENCRYPTION
214
214
static int uuid_is_zero(__u8 u[16])
215
215
{
216
216
int i;
···
978
978
return fscrypt_ioctl_set_policy(filp, (const void __user *)arg);
979
979
980
980
case EXT4_IOC_GET_ENCRYPTION_PWSALT: {
981
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
981
+
#ifdef CONFIG_FS_ENCRYPTION
982
982
int err, err2;
983
983
struct ext4_sb_info *sbi = EXT4_SB(sb);
984
984
handle_t *handle;
+5
-5
fs/ext4/namei.c
+5
-5
fs/ext4/namei.c
···
612
612
{
613
613
if (show_names)
614
614
{
615
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
615
+
#ifdef CONFIG_FS_ENCRYPTION
616
616
int len;
617
617
char *name;
618
618
struct fscrypt_str fname_crypto_str =
···
984
984
top = (struct ext4_dir_entry_2 *) ((char *) de +
985
985
dir->i_sb->s_blocksize -
986
986
EXT4_DIR_REC_LEN(0));
987
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
987
+
#ifdef CONFIG_FS_ENCRYPTION
988
988
/* Check if the directory is encrypted */
989
989
if (IS_ENCRYPTED(dir)) {
990
990
err = fscrypt_get_encryption_info(dir);
···
1047
1047
}
1048
1048
errout:
1049
1049
brelse(bh);
1050
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1050
+
#ifdef CONFIG_FS_ENCRYPTION
1051
1051
fscrypt_fname_free_buffer(&fname_crypto_str);
1052
1052
#endif
1053
1053
return count;
···
1267
1267
1268
1268
f.usr_fname = fname->usr_fname;
1269
1269
f.disk_name = fname->disk_name;
1270
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1270
+
#ifdef CONFIG_FS_ENCRYPTION
1271
1271
f.crypto_buf = fname->crypto_buf;
1272
1272
#endif
1273
1273
return fscrypt_match_name(&f, de->name, de->name_len);
···
1498
1498
ext4_lblk_t block;
1499
1499
int retval;
1500
1500
1501
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1501
+
#ifdef CONFIG_FS_ENCRYPTION
1502
1502
*res_dir = NULL;
1503
1503
#endif
1504
1504
frame = dx_probe(fname, dir, NULL, frames);
+3
-3
fs/ext4/page-io.c
+3
-3
fs/ext4/page-io.c
···
66
66
67
67
bio_for_each_segment_all(bvec, bio, i) {
68
68
struct page *page = bvec->bv_page;
69
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
69
+
#ifdef CONFIG_FS_ENCRYPTION
70
70
struct page *data_page = NULL;
71
71
#endif
72
72
struct buffer_head *bh, *head;
···
78
78
if (!page)
79
79
continue;
80
80
81
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
81
+
#ifdef CONFIG_FS_ENCRYPTION
82
82
if (!page->mapping) {
83
83
/* The bounce data pages are unmapped. */
84
84
data_page = page;
···
111
111
bit_spin_unlock(BH_Uptodate_Lock, &head->b_state);
112
112
local_irq_restore(flags);
113
113
if (!under_io) {
114
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
114
+
#ifdef CONFIG_FS_ENCRYPTION
115
115
if (data_page)
116
116
fscrypt_restore_control_page(data_page);
117
117
#endif
+1
-1
fs/ext4/readpage.c
+1
-1
fs/ext4/readpage.c
+3
-3
fs/ext4/super.c
+3
-3
fs/ext4/super.c
···
1232
1232
return try_to_free_buffers(page);
1233
1233
}
1234
1234
1235
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1235
+
#ifdef CONFIG_FS_ENCRYPTION
1236
1236
static int ext4_get_context(struct inode *inode, void *ctx, size_t len)
1237
1237
{
1238
1238
return ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
···
1922
1922
*journal_ioprio =
1923
1923
IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, arg);
1924
1924
} else if (token == Opt_test_dummy_encryption) {
1925
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
1925
+
#ifdef CONFIG_FS_ENCRYPTION
1926
1926
sbi->s_mount_flags |= EXT4_MF_TEST_DUMMY_ENCRYPTION;
1927
1927
ext4_msg(sb, KERN_WARNING,
1928
1928
"Test dummy encryption mode enabled");
···
4167
4167
sb->s_op = &ext4_sops;
4168
4168
sb->s_export_op = &ext4_export_ops;
4169
4169
sb->s_xattr = ext4_xattr_handlers;
4170
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
4170
+
#ifdef CONFIG_FS_ENCRYPTION
4171
4171
sb->s_cop = &ext4_cryptops;
4172
4172
#endif
4173
4173
#ifdef CONFIG_QUOTA
+2
-2
fs/ext4/sysfs.c
+2
-2
fs/ext4/sysfs.c
···
224
224
EXT4_ATTR_FEATURE(lazy_itable_init);
225
225
EXT4_ATTR_FEATURE(batched_discard);
226
226
EXT4_ATTR_FEATURE(meta_bg_resize);
227
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
227
+
#ifdef CONFIG_FS_ENCRYPTION
228
228
EXT4_ATTR_FEATURE(encryption);
229
229
#endif
230
230
EXT4_ATTR_FEATURE(metadata_csum_seed);
···
233
233
ATTR_LIST(lazy_itable_init),
234
234
ATTR_LIST(batched_discard),
235
235
ATTR_LIST(meta_bg_resize),
236
-
#ifdef CONFIG_EXT4_FS_ENCRYPTION
236
+
#ifdef CONFIG_FS_ENCRYPTION
237
237
ATTR_LIST(encryption),
238
238
#endif
239
239
ATTR_LIST(metadata_csum_seed),
+1
-11
fs/f2fs/Kconfig
+1
-11
fs/f2fs/Kconfig
···
3
3
depends on BLOCK
4
4
select CRYPTO
5
5
select CRYPTO_CRC32
6
+
select F2FS_FS_XATTR if FS_ENCRYPTION
6
7
help
7
8
F2FS is based on Log-structured File System (LFS), which supports
8
9
versatile "flash-friendly" features. The design has been focused on
···
70
69
Enables BUG_ONs which check the filesystem consistency in runtime.
71
70
72
71
If you want to improve the performance, say N.
73
-
74
-
config F2FS_FS_ENCRYPTION
75
-
bool "F2FS Encryption"
76
-
depends on F2FS_FS
77
-
depends on F2FS_FS_XATTR
78
-
select FS_ENCRYPTION
79
-
help
80
-
Enable encryption of f2fs files and directories. This
81
-
feature is similar to ecryptfs, but it is more memory
82
-
efficient since it avoids caching the encrypted and
83
-
decrypted pages in the page cache.
84
72
85
73
config F2FS_IO_TRACE
86
74
bool "F2FS IO tracer"
+3
-4
fs/f2fs/f2fs.h
+3
-4
fs/f2fs/f2fs.h
···
24
24
#include <linux/quotaops.h>
25
25
#include <crypto/hash.h>
26
26
27
-
#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_F2FS_FS_ENCRYPTION)
28
27
#include <linux/fscrypt.h>
29
28
30
29
#ifdef CONFIG_F2FS_CHECK_FS
···
1136
1137
FSYNC_MODE_NOBARRIER, /* fsync behaves nobarrier based on posix */
1137
1138
};
1138
1139
1139
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
1140
+
#ifdef CONFIG_FS_ENCRYPTION
1140
1141
#define DUMMY_ENCRYPTION_ENABLED(sbi) \
1141
1142
(unlikely(F2FS_OPTION(sbi).test_dummy_encryption))
1142
1143
#else
···
3469
3470
3470
3471
static inline void f2fs_set_encrypted_inode(struct inode *inode)
3471
3472
{
3472
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
3473
+
#ifdef CONFIG_FS_ENCRYPTION
3473
3474
file_set_encrypt(inode);
3474
3475
f2fs_set_inode_flags(inode);
3475
3476
#endif
···
3548
3549
3549
3550
static inline bool f2fs_may_encrypt(struct inode *inode)
3550
3551
{
3551
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
3552
+
#ifdef CONFIG_FS_ENCRYPTION
3552
3553
umode_t mode = inode->i_mode;
3553
3554
3554
3555
return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode));
+4
-4
fs/f2fs/super.c
+4
-4
fs/f2fs/super.c
···
757
757
kvfree(name);
758
758
break;
759
759
case Opt_test_dummy_encryption:
760
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
760
+
#ifdef CONFIG_FS_ENCRYPTION
761
761
if (!f2fs_sb_has_encrypt(sbi)) {
762
762
f2fs_msg(sb, KERN_ERR, "Encrypt feature is off");
763
763
return -EINVAL;
···
1390
1390
seq_printf(seq, ",whint_mode=%s", "user-based");
1391
1391
else if (F2FS_OPTION(sbi).whint_mode == WHINT_MODE_FS)
1392
1392
seq_printf(seq, ",whint_mode=%s", "fs-based");
1393
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
1393
+
#ifdef CONFIG_FS_ENCRYPTION
1394
1394
if (F2FS_OPTION(sbi).test_dummy_encryption)
1395
1395
seq_puts(seq, ",test_dummy_encryption");
1396
1396
#endif
···
2154
2154
.remount_fs = f2fs_remount,
2155
2155
};
2156
2156
2157
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
2157
+
#ifdef CONFIG_FS_ENCRYPTION
2158
2158
static int f2fs_get_context(struct inode *inode, void *ctx, size_t len)
2159
2159
{
2160
2160
return f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
···
3116
3116
#endif
3117
3117
3118
3118
sb->s_op = &f2fs_sops;
3119
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
3119
+
#ifdef CONFIG_FS_ENCRYPTION
3120
3120
sb->s_cop = &f2fs_cryptops;
3121
3121
#endif
3122
3122
sb->s_xattr = f2fs_xattr_handlers;
+2
-2
fs/f2fs/sysfs.c
+2
-2
fs/f2fs/sysfs.c
···
431
431
F2FS_GENERAL_RO_ATTR(features);
432
432
F2FS_GENERAL_RO_ATTR(current_reserved_blocks);
433
433
434
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
434
+
#ifdef CONFIG_FS_ENCRYPTION
435
435
F2FS_FEATURE_RO_ATTR(encryption, FEAT_CRYPTO);
436
436
#endif
437
437
#ifdef CONFIG_BLK_DEV_ZONED
···
492
492
};
493
493
494
494
static struct attribute *f2fs_feat_attrs[] = {
495
-
#ifdef CONFIG_F2FS_FS_ENCRYPTION
495
+
#ifdef CONFIG_FS_ENCRYPTION
496
496
ATTR_LIST(encryption),
497
497
#endif
498
498
#ifdef CONFIG_BLK_DEV_ZONED
+1
-11
fs/ubifs/Kconfig
+1
-11
fs/ubifs/Kconfig
···
8
8
select CRYPTO_LZO if UBIFS_FS_LZO
9
9
select CRYPTO_DEFLATE if UBIFS_FS_ZLIB
10
10
select CRYPTO_HASH_INFO
11
+
select UBIFS_FS_XATTR if FS_ENCRYPTION
11
12
depends on MTD_UBI
12
13
help
13
14
UBIFS is a file system for flash devices which works on top of UBI.
···
60
59
the kernel or by users (see the attr(5) manual page).
61
60
62
61
If unsure, say Y.
63
-
64
-
config UBIFS_FS_ENCRYPTION
65
-
bool "UBIFS Encryption"
66
-
depends on UBIFS_FS_XATTR && BLOCK
67
-
select FS_ENCRYPTION
68
-
default n
69
-
help
70
-
Enable encryption of UBIFS files and directories. This
71
-
feature is similar to ecryptfs, but it is more memory
72
-
efficient since it avoids caching the encrypted and
73
-
decrypted pages in the page cache.
74
62
75
63
config UBIFS_FS_SECURITY
76
64
bool "UBIFS Security Labels"
+1
-1
fs/ubifs/Makefile
+1
-1
fs/ubifs/Makefile
···
6
6
ubifs-y += budget.o find.o tnc_commit.o compress.o lpt.o lprops.o
7
7
ubifs-y += recovery.o ioctl.o lpt_commit.o tnc_misc.o debug.o
8
8
ubifs-y += misc.o
9
-
ubifs-$(CONFIG_UBIFS_FS_ENCRYPTION) += crypto.o
9
+
ubifs-$(CONFIG_FS_ENCRYPTION) += crypto.o
10
10
ubifs-$(CONFIG_UBIFS_FS_XATTR) += xattr.o
11
11
ubifs-$(CONFIG_UBIFS_FS_AUTHENTICATION) += auth.o
+2
-2
fs/ubifs/ioctl.c
+2
-2
fs/ubifs/ioctl.c
···
185
185
return err;
186
186
}
187
187
case FS_IOC_SET_ENCRYPTION_POLICY: {
188
-
#ifdef CONFIG_UBIFS_FS_ENCRYPTION
188
+
#ifdef CONFIG_FS_ENCRYPTION
189
189
struct ubifs_info *c = inode->i_sb->s_fs_info;
190
190
191
191
err = ubifs_enable_encryption(c);
···
198
198
#endif
199
199
}
200
200
case FS_IOC_GET_ENCRYPTION_POLICY: {
201
-
#ifdef CONFIG_UBIFS_FS_ENCRYPTION
201
+
#ifdef CONFIG_FS_ENCRYPTION
202
202
return fscrypt_ioctl_get_policy(file, (void __user *)arg);
203
203
#else
204
204
return -EOPNOTSUPP;
+1
-1
fs/ubifs/sb.c
+1
-1
fs/ubifs/sb.c
+1
-1
fs/ubifs/super.c
+1
-1
fs/ubifs/super.c
+2
-3
fs/ubifs/ubifs.h
+2
-3
fs/ubifs/ubifs.h
···
43
43
#include <crypto/hash.h>
44
44
#include <crypto/algapi.h>
45
45
46
-
#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_UBIFS_FS_ENCRYPTION)
47
46
#include <linux/fscrypt.h>
48
47
49
48
#include "ubifs-media.h"
···
141
142
*/
142
143
#define WORST_COMPR_FACTOR 2
143
144
144
-
#ifdef CONFIG_UBIFS_FS_ENCRYPTION
145
+
#ifdef CONFIG_FS_ENCRYPTION
145
146
#define UBIFS_CIPHER_BLOCK_SIZE FS_CRYPTO_BLOCK_SIZE
146
147
#else
147
148
#define UBIFS_CIPHER_BLOCK_SIZE 0
···
2071
2072
#include "misc.h"
2072
2073
#include "key.h"
2073
2074
2074
-
#ifndef CONFIG_UBIFS_FS_ENCRYPTION
2075
+
#ifndef CONFIG_FS_ENCRYPTION
2075
2076
static inline int ubifs_encrypt(const struct inode *inode,
2076
2077
struct ubifs_data_node *dn,
2077
2078
unsigned int in_len, unsigned int *out_len,
+2
-2
include/linux/fs.h
+2
-2
include/linux/fs.h
···
698
698
struct fsnotify_mark_connector __rcu *i_fsnotify_marks;
699
699
#endif
700
700
701
-
#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
701
+
#ifdef CONFIG_FS_ENCRYPTION
702
702
struct fscrypt_info *i_crypt_info;
703
703
#endif
704
704
···
1403
1403
void *s_security;
1404
1404
#endif
1405
1405
const struct xattr_handler **s_xattr;
1406
-
#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
1406
+
#ifdef CONFIG_FS_ENCRYPTION
1407
1407
const struct fscrypt_operations *s_cop;
1408
1408
#endif
1409
1409
struct hlist_bl_head s_roots; /* alternate root dentries for NFS */
+408
-8
include/linux/fscrypt.h
+408
-8
include/linux/fscrypt.h
···
2
2
/*
3
3
* fscrypt.h: declarations for per-file encryption
4
4
*
5
-
* Filesystems that implement per-file encryption include this header
6
-
* file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
7
-
* is being built with encryption support or not.
5
+
* Filesystems that implement per-file encryption must include this header
6
+
* file.
8
7
*
9
8
* Copyright (C) 2015, Google, Inc.
10
9
*
···
14
15
#define _LINUX_FSCRYPT_H
15
16
16
17
#include <linux/fs.h>
18
+
#include <linux/mm.h>
19
+
#include <linux/slab.h>
17
20
18
21
#define FS_CRYPTO_BLOCK_SIZE 16
19
22
···
43
42
/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
44
43
#define FSCRYPT_SET_CONTEXT_MAX_SIZE 28
45
44
46
-
#if __FS_HAS_ENCRYPTION
47
-
#include <linux/fscrypt_supp.h>
48
-
#else
49
-
#include <linux/fscrypt_notsupp.h>
50
-
#endif
45
+
#ifdef CONFIG_FS_ENCRYPTION
46
+
/*
47
+
* fscrypt superblock flags
48
+
*/
49
+
#define FS_CFLG_OWN_PAGES (1U << 1)
50
+
51
+
/*
52
+
* crypto operations for filesystems
53
+
*/
54
+
struct fscrypt_operations {
55
+
unsigned int flags;
56
+
const char *key_prefix;
57
+
int (*get_context)(struct inode *, void *, size_t);
58
+
int (*set_context)(struct inode *, const void *, size_t, void *);
59
+
bool (*dummy_context)(struct inode *);
60
+
bool (*empty_dir)(struct inode *);
61
+
unsigned int max_namelen;
62
+
};
63
+
64
+
struct fscrypt_ctx {
65
+
union {
66
+
struct {
67
+
struct page *bounce_page; /* Ciphertext page */
68
+
struct page *control_page; /* Original page */
69
+
} w;
70
+
struct {
71
+
struct bio *bio;
72
+
struct work_struct work;
73
+
} r;
74
+
struct list_head free_list; /* Free list */
75
+
};
76
+
u8 flags; /* Flags */
77
+
};
78
+
79
+
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
80
+
{
81
+
return (inode->i_crypt_info != NULL);
82
+
}
83
+
84
+
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
85
+
{
86
+
return inode->i_sb->s_cop->dummy_context &&
87
+
inode->i_sb->s_cop->dummy_context(inode);
88
+
}
89
+
90
+
/* crypto.c */
91
+
extern void fscrypt_enqueue_decrypt_work(struct work_struct *);
92
+
extern struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *, gfp_t);
93
+
extern void fscrypt_release_ctx(struct fscrypt_ctx *);
94
+
extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *,
95
+
unsigned int, unsigned int,
96
+
u64, gfp_t);
97
+
extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int,
98
+
unsigned int, u64);
99
+
100
+
static inline struct page *fscrypt_control_page(struct page *page)
101
+
{
102
+
return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
103
+
}
104
+
105
+
extern void fscrypt_restore_control_page(struct page *);
106
+
107
+
/* policy.c */
108
+
extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
109
+
extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
110
+
extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
111
+
extern int fscrypt_inherit_context(struct inode *, struct inode *,
112
+
void *, bool);
113
+
/* keyinfo.c */
114
+
extern int fscrypt_get_encryption_info(struct inode *);
115
+
extern void fscrypt_put_encryption_info(struct inode *);
116
+
117
+
/* fname.c */
118
+
extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
119
+
int lookup, struct fscrypt_name *);
120
+
121
+
static inline void fscrypt_free_filename(struct fscrypt_name *fname)
122
+
{
123
+
kfree(fname->crypto_buf.name);
124
+
}
125
+
126
+
extern int fscrypt_fname_alloc_buffer(const struct inode *, u32,
127
+
struct fscrypt_str *);
128
+
extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
129
+
extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
130
+
const struct fscrypt_str *, struct fscrypt_str *);
131
+
132
+
#define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE 32
133
+
134
+
/* Extracts the second-to-last ciphertext block; see explanation below */
135
+
#define FSCRYPT_FNAME_DIGEST(name, len) \
136
+
((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \
137
+
FS_CRYPTO_BLOCK_SIZE))
138
+
139
+
#define FSCRYPT_FNAME_DIGEST_SIZE FS_CRYPTO_BLOCK_SIZE
140
+
141
+
/**
142
+
* fscrypt_digested_name - alternate identifier for an on-disk filename
143
+
*
144
+
* When userspace lists an encrypted directory without access to the key,
145
+
* filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
146
+
* bytes are shown in this abbreviated form (base64-encoded) rather than as the
147
+
* full ciphertext (base64-encoded). This is necessary to allow supporting
148
+
* filenames up to NAME_MAX bytes, since base64 encoding expands the length.
149
+
*
150
+
* To make it possible for filesystems to still find the correct directory entry
151
+
* despite not knowing the full on-disk name, we encode any filesystem-specific
152
+
* 'hash' and/or 'minor_hash' which the filesystem may need for its lookups,
153
+
* followed by the second-to-last ciphertext block of the filename. Due to the
154
+
* use of the CBC-CTS encryption mode, the second-to-last ciphertext block
155
+
* depends on the full plaintext. (Note that ciphertext stealing causes the
156
+
* last two blocks to appear "flipped".) This makes accidental collisions very
157
+
* unlikely: just a 1 in 2^128 chance for two filenames to collide even if they
158
+
* share the same filesystem-specific hashes.
159
+
*
160
+
* However, this scheme isn't immune to intentional collisions, which can be
161
+
* created by anyone able to create arbitrary plaintext filenames and view them
162
+
* without the key. Making the "digest" be a real cryptographic hash like
163
+
* SHA-256 over the full ciphertext would prevent this, although it would be
164
+
* less efficient and harder to implement, especially since the filesystem would
165
+
* need to calculate it for each directory entry examined during a search.
166
+
*/
167
+
struct fscrypt_digested_name {
168
+
u32 hash;
169
+
u32 minor_hash;
170
+
u8 digest[FSCRYPT_FNAME_DIGEST_SIZE];
171
+
};
172
+
173
+
/**
174
+
* fscrypt_match_name() - test whether the given name matches a directory entry
175
+
* @fname: the name being searched for
176
+
* @de_name: the name from the directory entry
177
+
* @de_name_len: the length of @de_name in bytes
178
+
*
179
+
* Normally @fname->disk_name will be set, and in that case we simply compare
180
+
* that to the name stored in the directory entry. The only exception is that
181
+
* if we don't have the key for an encrypted directory and a filename in it is
182
+
* very long, then we won't have the full disk_name and we'll instead need to
183
+
* match against the fscrypt_digested_name.
184
+
*
185
+
* Return: %true if the name matches, otherwise %false.
186
+
*/
187
+
static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
188
+
const u8 *de_name, u32 de_name_len)
189
+
{
190
+
if (unlikely(!fname->disk_name.name)) {
191
+
const struct fscrypt_digested_name *n =
192
+
(const void *)fname->crypto_buf.name;
193
+
if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_'))
194
+
return false;
195
+
if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)
196
+
return false;
197
+
return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len),
198
+
n->digest, FSCRYPT_FNAME_DIGEST_SIZE);
199
+
}
200
+
201
+
if (de_name_len != fname->disk_name.len)
202
+
return false;
203
+
return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
204
+
}
205
+
206
+
/* bio.c */
207
+
extern void fscrypt_decrypt_bio(struct bio *);
208
+
extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
209
+
struct bio *bio);
210
+
extern void fscrypt_pullback_bio_page(struct page **, bool);
211
+
extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
212
+
unsigned int);
213
+
214
+
/* hooks.c */
215
+
extern int fscrypt_file_open(struct inode *inode, struct file *filp);
216
+
extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
217
+
extern int __fscrypt_prepare_rename(struct inode *old_dir,
218
+
struct dentry *old_dentry,
219
+
struct inode *new_dir,
220
+
struct dentry *new_dentry,
221
+
unsigned int flags);
222
+
extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry);
223
+
extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
224
+
unsigned int max_len,
225
+
struct fscrypt_str *disk_link);
226
+
extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
227
+
unsigned int len,
228
+
struct fscrypt_str *disk_link);
229
+
extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
230
+
unsigned int max_size,
231
+
struct delayed_call *done);
232
+
#else /* !CONFIG_FS_ENCRYPTION */
233
+
234
+
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
235
+
{
236
+
return false;
237
+
}
238
+
239
+
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
240
+
{
241
+
return false;
242
+
}
243
+
244
+
/* crypto.c */
245
+
static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work)
246
+
{
247
+
}
248
+
249
+
static inline struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *inode,
250
+
gfp_t gfp_flags)
251
+
{
252
+
return ERR_PTR(-EOPNOTSUPP);
253
+
}
254
+
255
+
static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
256
+
{
257
+
return;
258
+
}
259
+
260
+
static inline struct page *fscrypt_encrypt_page(const struct inode *inode,
261
+
struct page *page,
262
+
unsigned int len,
263
+
unsigned int offs,
264
+
u64 lblk_num, gfp_t gfp_flags)
265
+
{
266
+
return ERR_PTR(-EOPNOTSUPP);
267
+
}
268
+
269
+
static inline int fscrypt_decrypt_page(const struct inode *inode,
270
+
struct page *page,
271
+
unsigned int len, unsigned int offs,
272
+
u64 lblk_num)
273
+
{
274
+
return -EOPNOTSUPP;
275
+
}
276
+
277
+
static inline struct page *fscrypt_control_page(struct page *page)
278
+
{
279
+
WARN_ON_ONCE(1);
280
+
return ERR_PTR(-EINVAL);
281
+
}
282
+
283
+
static inline void fscrypt_restore_control_page(struct page *page)
284
+
{
285
+
return;
286
+
}
287
+
288
+
/* policy.c */
289
+
static inline int fscrypt_ioctl_set_policy(struct file *filp,
290
+
const void __user *arg)
291
+
{
292
+
return -EOPNOTSUPP;
293
+
}
294
+
295
+
static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
296
+
{
297
+
return -EOPNOTSUPP;
298
+
}
299
+
300
+
static inline int fscrypt_has_permitted_context(struct inode *parent,
301
+
struct inode *child)
302
+
{
303
+
return 0;
304
+
}
305
+
306
+
static inline int fscrypt_inherit_context(struct inode *parent,
307
+
struct inode *child,
308
+
void *fs_data, bool preload)
309
+
{
310
+
return -EOPNOTSUPP;
311
+
}
312
+
313
+
/* keyinfo.c */
314
+
static inline int fscrypt_get_encryption_info(struct inode *inode)
315
+
{
316
+
return -EOPNOTSUPP;
317
+
}
318
+
319
+
static inline void fscrypt_put_encryption_info(struct inode *inode)
320
+
{
321
+
return;
322
+
}
323
+
324
+
/* fname.c */
325
+
static inline int fscrypt_setup_filename(struct inode *dir,
326
+
const struct qstr *iname,
327
+
int lookup, struct fscrypt_name *fname)
328
+
{
329
+
if (IS_ENCRYPTED(dir))
330
+
return -EOPNOTSUPP;
331
+
332
+
memset(fname, 0, sizeof(struct fscrypt_name));
333
+
fname->usr_fname = iname;
334
+
fname->disk_name.name = (unsigned char *)iname->name;
335
+
fname->disk_name.len = iname->len;
336
+
return 0;
337
+
}
338
+
339
+
static inline void fscrypt_free_filename(struct fscrypt_name *fname)
340
+
{
341
+
return;
342
+
}
343
+
344
+
static inline int fscrypt_fname_alloc_buffer(const struct inode *inode,
345
+
u32 max_encrypted_len,
346
+
struct fscrypt_str *crypto_str)
347
+
{
348
+
return -EOPNOTSUPP;
349
+
}
350
+
351
+
static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
352
+
{
353
+
return;
354
+
}
355
+
356
+
static inline int fscrypt_fname_disk_to_usr(struct inode *inode,
357
+
u32 hash, u32 minor_hash,
358
+
const struct fscrypt_str *iname,
359
+
struct fscrypt_str *oname)
360
+
{
361
+
return -EOPNOTSUPP;
362
+
}
363
+
364
+
static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
365
+
const u8 *de_name, u32 de_name_len)
366
+
{
367
+
/* Encryption support disabled; use standard comparison */
368
+
if (de_name_len != fname->disk_name.len)
369
+
return false;
370
+
return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
371
+
}
372
+
373
+
/* bio.c */
374
+
static inline void fscrypt_decrypt_bio(struct bio *bio)
375
+
{
376
+
}
377
+
378
+
static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
379
+
struct bio *bio)
380
+
{
381
+
}
382
+
383
+
static inline void fscrypt_pullback_bio_page(struct page **page, bool restore)
384
+
{
385
+
return;
386
+
}
387
+
388
+
static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
389
+
sector_t pblk, unsigned int len)
390
+
{
391
+
return -EOPNOTSUPP;
392
+
}
393
+
394
+
/* hooks.c */
395
+
396
+
static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
397
+
{
398
+
if (IS_ENCRYPTED(inode))
399
+
return -EOPNOTSUPP;
400
+
return 0;
401
+
}
402
+
403
+
static inline int __fscrypt_prepare_link(struct inode *inode,
404
+
struct inode *dir)
405
+
{
406
+
return -EOPNOTSUPP;
407
+
}
408
+
409
+
static inline int __fscrypt_prepare_rename(struct inode *old_dir,
410
+
struct dentry *old_dentry,
411
+
struct inode *new_dir,
412
+
struct dentry *new_dentry,
413
+
unsigned int flags)
414
+
{
415
+
return -EOPNOTSUPP;
416
+
}
417
+
418
+
static inline int __fscrypt_prepare_lookup(struct inode *dir,
419
+
struct dentry *dentry)
420
+
{
421
+
return -EOPNOTSUPP;
422
+
}
423
+
424
+
static inline int __fscrypt_prepare_symlink(struct inode *dir,
425
+
unsigned int len,
426
+
unsigned int max_len,
427
+
struct fscrypt_str *disk_link)
428
+
{
429
+
return -EOPNOTSUPP;
430
+
}
431
+
432
+
433
+
static inline int __fscrypt_encrypt_symlink(struct inode *inode,
434
+
const char *target,
435
+
unsigned int len,
436
+
struct fscrypt_str *disk_link)
437
+
{
438
+
return -EOPNOTSUPP;
439
+
}
440
+
441
+
static inline const char *fscrypt_get_symlink(struct inode *inode,
442
+
const void *caddr,
443
+
unsigned int max_size,
444
+
struct delayed_call *done)
445
+
{
446
+
return ERR_PTR(-EOPNOTSUPP);
447
+
}
448
+
#endif /* !CONFIG_FS_ENCRYPTION */
51
449
52
450
/**
53
451
* fscrypt_require_key - require an inode's encryption key
-231
include/linux/fscrypt_notsupp.h
-231
include/linux/fscrypt_notsupp.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0 */
2
-
/*
3
-
* fscrypt_notsupp.h
4
-
*
5
-
* This stubs out the fscrypt functions for filesystems configured without
6
-
* encryption support.
7
-
*
8
-
* Do not include this file directly. Use fscrypt.h instead!
9
-
*/
10
-
#ifndef _LINUX_FSCRYPT_H
11
-
#error "Incorrect include of linux/fscrypt_notsupp.h!"
12
-
#endif
13
-
14
-
#ifndef _LINUX_FSCRYPT_NOTSUPP_H
15
-
#define _LINUX_FSCRYPT_NOTSUPP_H
16
-
17
-
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
18
-
{
19
-
return false;
20
-
}
21
-
22
-
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
23
-
{
24
-
return false;
25
-
}
26
-
27
-
/* crypto.c */
28
-
static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work)
29
-
{
30
-
}
31
-
32
-
static inline struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *inode,
33
-
gfp_t gfp_flags)
34
-
{
35
-
return ERR_PTR(-EOPNOTSUPP);
36
-
}
37
-
38
-
static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
39
-
{
40
-
return;
41
-
}
42
-
43
-
static inline struct page *fscrypt_encrypt_page(const struct inode *inode,
44
-
struct page *page,
45
-
unsigned int len,
46
-
unsigned int offs,
47
-
u64 lblk_num, gfp_t gfp_flags)
48
-
{
49
-
return ERR_PTR(-EOPNOTSUPP);
50
-
}
51
-
52
-
static inline int fscrypt_decrypt_page(const struct inode *inode,
53
-
struct page *page,
54
-
unsigned int len, unsigned int offs,
55
-
u64 lblk_num)
56
-
{
57
-
return -EOPNOTSUPP;
58
-
}
59
-
60
-
static inline struct page *fscrypt_control_page(struct page *page)
61
-
{
62
-
WARN_ON_ONCE(1);
63
-
return ERR_PTR(-EINVAL);
64
-
}
65
-
66
-
static inline void fscrypt_restore_control_page(struct page *page)
67
-
{
68
-
return;
69
-
}
70
-
71
-
/* policy.c */
72
-
static inline int fscrypt_ioctl_set_policy(struct file *filp,
73
-
const void __user *arg)
74
-
{
75
-
return -EOPNOTSUPP;
76
-
}
77
-
78
-
static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
79
-
{
80
-
return -EOPNOTSUPP;
81
-
}
82
-
83
-
static inline int fscrypt_has_permitted_context(struct inode *parent,
84
-
struct inode *child)
85
-
{
86
-
return 0;
87
-
}
88
-
89
-
static inline int fscrypt_inherit_context(struct inode *parent,
90
-
struct inode *child,
91
-
void *fs_data, bool preload)
92
-
{
93
-
return -EOPNOTSUPP;
94
-
}
95
-
96
-
/* keyinfo.c */
97
-
static inline int fscrypt_get_encryption_info(struct inode *inode)
98
-
{
99
-
return -EOPNOTSUPP;
100
-
}
101
-
102
-
static inline void fscrypt_put_encryption_info(struct inode *inode)
103
-
{
104
-
return;
105
-
}
106
-
107
-
/* fname.c */
108
-
static inline int fscrypt_setup_filename(struct inode *dir,
109
-
const struct qstr *iname,
110
-
int lookup, struct fscrypt_name *fname)
111
-
{
112
-
if (IS_ENCRYPTED(dir))
113
-
return -EOPNOTSUPP;
114
-
115
-
memset(fname, 0, sizeof(struct fscrypt_name));
116
-
fname->usr_fname = iname;
117
-
fname->disk_name.name = (unsigned char *)iname->name;
118
-
fname->disk_name.len = iname->len;
119
-
return 0;
120
-
}
121
-
122
-
static inline void fscrypt_free_filename(struct fscrypt_name *fname)
123
-
{
124
-
return;
125
-
}
126
-
127
-
static inline int fscrypt_fname_alloc_buffer(const struct inode *inode,
128
-
u32 max_encrypted_len,
129
-
struct fscrypt_str *crypto_str)
130
-
{
131
-
return -EOPNOTSUPP;
132
-
}
133
-
134
-
static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
135
-
{
136
-
return;
137
-
}
138
-
139
-
static inline int fscrypt_fname_disk_to_usr(struct inode *inode,
140
-
u32 hash, u32 minor_hash,
141
-
const struct fscrypt_str *iname,
142
-
struct fscrypt_str *oname)
143
-
{
144
-
return -EOPNOTSUPP;
145
-
}
146
-
147
-
static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
148
-
const u8 *de_name, u32 de_name_len)
149
-
{
150
-
/* Encryption support disabled; use standard comparison */
151
-
if (de_name_len != fname->disk_name.len)
152
-
return false;
153
-
return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
154
-
}
155
-
156
-
/* bio.c */
157
-
static inline void fscrypt_decrypt_bio(struct bio *bio)
158
-
{
159
-
}
160
-
161
-
static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
162
-
struct bio *bio)
163
-
{
164
-
}
165
-
166
-
static inline void fscrypt_pullback_bio_page(struct page **page, bool restore)
167
-
{
168
-
return;
169
-
}
170
-
171
-
static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
172
-
sector_t pblk, unsigned int len)
173
-
{
174
-
return -EOPNOTSUPP;
175
-
}
176
-
177
-
/* hooks.c */
178
-
179
-
static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
180
-
{
181
-
if (IS_ENCRYPTED(inode))
182
-
return -EOPNOTSUPP;
183
-
return 0;
184
-
}
185
-
186
-
static inline int __fscrypt_prepare_link(struct inode *inode,
187
-
struct inode *dir)
188
-
{
189
-
return -EOPNOTSUPP;
190
-
}
191
-
192
-
static inline int __fscrypt_prepare_rename(struct inode *old_dir,
193
-
struct dentry *old_dentry,
194
-
struct inode *new_dir,
195
-
struct dentry *new_dentry,
196
-
unsigned int flags)
197
-
{
198
-
return -EOPNOTSUPP;
199
-
}
200
-
201
-
static inline int __fscrypt_prepare_lookup(struct inode *dir,
202
-
struct dentry *dentry)
203
-
{
204
-
return -EOPNOTSUPP;
205
-
}
206
-
207
-
static inline int __fscrypt_prepare_symlink(struct inode *dir,
208
-
unsigned int len,
209
-
unsigned int max_len,
210
-
struct fscrypt_str *disk_link)
211
-
{
212
-
return -EOPNOTSUPP;
213
-
}
214
-
215
-
static inline int __fscrypt_encrypt_symlink(struct inode *inode,
216
-
const char *target,
217
-
unsigned int len,
218
-
struct fscrypt_str *disk_link)
219
-
{
220
-
return -EOPNOTSUPP;
221
-
}
222
-
223
-
static inline const char *fscrypt_get_symlink(struct inode *inode,
224
-
const void *caddr,
225
-
unsigned int max_size,
226
-
struct delayed_call *done)
227
-
{
228
-
return ERR_PTR(-EOPNOTSUPP);
229
-
}
230
-
231
-
#endif /* _LINUX_FSCRYPT_NOTSUPP_H */
-204
include/linux/fscrypt_supp.h
-204
include/linux/fscrypt_supp.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0 */
2
-
/*
3
-
* fscrypt_supp.h
4
-
*
5
-
* Do not include this file directly. Use fscrypt.h instead!
6
-
*/
7
-
#ifndef _LINUX_FSCRYPT_H
8
-
#error "Incorrect include of linux/fscrypt_supp.h!"
9
-
#endif
10
-
11
-
#ifndef _LINUX_FSCRYPT_SUPP_H
12
-
#define _LINUX_FSCRYPT_SUPP_H
13
-
14
-
#include <linux/mm.h>
15
-
#include <linux/slab.h>
16
-
17
-
/*
18
-
* fscrypt superblock flags
19
-
*/
20
-
#define FS_CFLG_OWN_PAGES (1U << 1)
21
-
22
-
/*
23
-
* crypto operations for filesystems
24
-
*/
25
-
struct fscrypt_operations {
26
-
unsigned int flags;
27
-
const char *key_prefix;
28
-
int (*get_context)(struct inode *, void *, size_t);
29
-
int (*set_context)(struct inode *, const void *, size_t, void *);
30
-
bool (*dummy_context)(struct inode *);
31
-
bool (*empty_dir)(struct inode *);
32
-
unsigned int max_namelen;
33
-
};
34
-
35
-
struct fscrypt_ctx {
36
-
union {
37
-
struct {
38
-
struct page *bounce_page; /* Ciphertext page */
39
-
struct page *control_page; /* Original page */
40
-
} w;
41
-
struct {
42
-
struct bio *bio;
43
-
struct work_struct work;
44
-
} r;
45
-
struct list_head free_list; /* Free list */
46
-
};
47
-
u8 flags; /* Flags */
48
-
};
49
-
50
-
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
51
-
{
52
-
return (inode->i_crypt_info != NULL);
53
-
}
54
-
55
-
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
56
-
{
57
-
return inode->i_sb->s_cop->dummy_context &&
58
-
inode->i_sb->s_cop->dummy_context(inode);
59
-
}
60
-
61
-
/* crypto.c */
62
-
extern void fscrypt_enqueue_decrypt_work(struct work_struct *);
63
-
extern struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *, gfp_t);
64
-
extern void fscrypt_release_ctx(struct fscrypt_ctx *);
65
-
extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *,
66
-
unsigned int, unsigned int,
67
-
u64, gfp_t);
68
-
extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int,
69
-
unsigned int, u64);
70
-
71
-
static inline struct page *fscrypt_control_page(struct page *page)
72
-
{
73
-
return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
74
-
}
75
-
76
-
extern void fscrypt_restore_control_page(struct page *);
77
-
78
-
/* policy.c */
79
-
extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
80
-
extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
81
-
extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
82
-
extern int fscrypt_inherit_context(struct inode *, struct inode *,
83
-
void *, bool);
84
-
/* keyinfo.c */
85
-
extern int fscrypt_get_encryption_info(struct inode *);
86
-
extern void fscrypt_put_encryption_info(struct inode *);
87
-
88
-
/* fname.c */
89
-
extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
90
-
int lookup, struct fscrypt_name *);
91
-
92
-
static inline void fscrypt_free_filename(struct fscrypt_name *fname)
93
-
{
94
-
kfree(fname->crypto_buf.name);
95
-
}
96
-
97
-
extern int fscrypt_fname_alloc_buffer(const struct inode *, u32,
98
-
struct fscrypt_str *);
99
-
extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
100
-
extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
101
-
const struct fscrypt_str *, struct fscrypt_str *);
102
-
103
-
#define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE 32
104
-
105
-
/* Extracts the second-to-last ciphertext block; see explanation below */
106
-
#define FSCRYPT_FNAME_DIGEST(name, len) \
107
-
((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \
108
-
FS_CRYPTO_BLOCK_SIZE))
109
-
110
-
#define FSCRYPT_FNAME_DIGEST_SIZE FS_CRYPTO_BLOCK_SIZE
111
-
112
-
/**
113
-
* fscrypt_digested_name - alternate identifier for an on-disk filename
114
-
*
115
-
* When userspace lists an encrypted directory without access to the key,
116
-
* filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
117
-
* bytes are shown in this abbreviated form (base64-encoded) rather than as the
118
-
* full ciphertext (base64-encoded). This is necessary to allow supporting
119
-
* filenames up to NAME_MAX bytes, since base64 encoding expands the length.
120
-
*
121
-
* To make it possible for filesystems to still find the correct directory entry
122
-
* despite not knowing the full on-disk name, we encode any filesystem-specific
123
-
* 'hash' and/or 'minor_hash' which the filesystem may need for its lookups,
124
-
* followed by the second-to-last ciphertext block of the filename. Due to the
125
-
* use of the CBC-CTS encryption mode, the second-to-last ciphertext block
126
-
* depends on the full plaintext. (Note that ciphertext stealing causes the
127
-
* last two blocks to appear "flipped".) This makes accidental collisions very
128
-
* unlikely: just a 1 in 2^128 chance for two filenames to collide even if they
129
-
* share the same filesystem-specific hashes.
130
-
*
131
-
* However, this scheme isn't immune to intentional collisions, which can be
132
-
* created by anyone able to create arbitrary plaintext filenames and view them
133
-
* without the key. Making the "digest" be a real cryptographic hash like
134
-
* SHA-256 over the full ciphertext would prevent this, although it would be
135
-
* less efficient and harder to implement, especially since the filesystem would
136
-
* need to calculate it for each directory entry examined during a search.
137
-
*/
138
-
struct fscrypt_digested_name {
139
-
u32 hash;
140
-
u32 minor_hash;
141
-
u8 digest[FSCRYPT_FNAME_DIGEST_SIZE];
142
-
};
143
-
144
-
/**
145
-
* fscrypt_match_name() - test whether the given name matches a directory entry
146
-
* @fname: the name being searched for
147
-
* @de_name: the name from the directory entry
148
-
* @de_name_len: the length of @de_name in bytes
149
-
*
150
-
* Normally @fname->disk_name will be set, and in that case we simply compare
151
-
* that to the name stored in the directory entry. The only exception is that
152
-
* if we don't have the key for an encrypted directory and a filename in it is
153
-
* very long, then we won't have the full disk_name and we'll instead need to
154
-
* match against the fscrypt_digested_name.
155
-
*
156
-
* Return: %true if the name matches, otherwise %false.
157
-
*/
158
-
static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
159
-
const u8 *de_name, u32 de_name_len)
160
-
{
161
-
if (unlikely(!fname->disk_name.name)) {
162
-
const struct fscrypt_digested_name *n =
163
-
(const void *)fname->crypto_buf.name;
164
-
if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_'))
165
-
return false;
166
-
if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)
167
-
return false;
168
-
return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len),
169
-
n->digest, FSCRYPT_FNAME_DIGEST_SIZE);
170
-
}
171
-
172
-
if (de_name_len != fname->disk_name.len)
173
-
return false;
174
-
return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
175
-
}
176
-
177
-
/* bio.c */
178
-
extern void fscrypt_decrypt_bio(struct bio *);
179
-
extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
180
-
struct bio *bio);
181
-
extern void fscrypt_pullback_bio_page(struct page **, bool);
182
-
extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
183
-
unsigned int);
184
-
185
-
/* hooks.c */
186
-
extern int fscrypt_file_open(struct inode *inode, struct file *filp);
187
-
extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
188
-
extern int __fscrypt_prepare_rename(struct inode *old_dir,
189
-
struct dentry *old_dentry,
190
-
struct inode *new_dir,
191
-
struct dentry *new_dentry,
192
-
unsigned int flags);
193
-
extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry);
194
-
extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
195
-
unsigned int max_len,
196
-
struct fscrypt_str *disk_link);
197
-
extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
198
-
unsigned int len,
199
-
struct fscrypt_str *disk_link);
200
-
extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
201
-
unsigned int max_size,
202
-
struct delayed_call *done);
203
-
204
-
#endif /* _LINUX_FSCRYPT_SUPP_H */