fscrypt: improve documentation for inline encryption

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Currently the fscrypt inline encryption support is documented in the
"Implementation details" section, and it doesn't go into much detail.
It's really more than just an "implementation detail" though, as there
is a user-facing mount option. Also, hardware-wrapped key support (an
upcoming feature) will depend on inline encryption and will affect the
on-disk format; by definition that's not just an implementation detail.

Therefore, move this documentation into its own section and expand it.

Link: https://lore.kernel.org/r/20210916174928.65529-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>

Eric Biggers 4 years ago abb861fa f262ca7d

+58 -17

2 changed files

expand all

Documentation

block

inline-encryption.rst

filesystems

fscrypt.rst

Documentation/block/inline-encryption.rst

··· 1 1 .. SPDX-License-Identifier: GPL-2.0 2 2 3 + .. _inline_encryption: 4 + 3 5 ================= 4 6 Inline Encryption 5 7 =================

+56 -17

Documentation/filesystems/fscrypt.rst

··· 77 77 78 78 fscrypt is only resistant to side-channel attacks, such as timing or 79 79 electromagnetic attacks, to the extent that the underlying Linux 80 - Cryptographic API algorithms are. If a vulnerable algorithm is used, 81 - such as a table-based implementation of AES, it may be possible for an 82 - attacker to mount a side channel attack against the online system. 83 - Side channel attacks may also be mounted against applications 84 - consuming decrypted data. 80 + Cryptographic API algorithms or inline encryption hardware are. If a 81 + vulnerable algorithm is used, such as a table-based implementation of 82 + AES, it may be possible for an attacker to mount a side channel attack 83 + against the online system. Side channel attacks may also be mounted 84 + against applications consuming decrypted data. 85 85 86 86 Unauthorized file access 87 87 ~~~~~~~~~~~~~~~~~~~~~~~~ ··· 1135 1135 that systems implementing a form of "verified boot" take advantage of 1136 1136 this by validating all top-level encryption policies prior to access. 1137 1137 1138 + Inline encryption support 1139 + ========================= 1140 + 1141 + By default, fscrypt uses the kernel crypto API for all cryptographic 1142 + operations (other than HKDF, which fscrypt partially implements 1143 + itself). The kernel crypto API supports hardware crypto accelerators, 1144 + but only ones that work in the traditional way where all inputs and 1145 + outputs (e.g. plaintexts and ciphertexts) are in memory. fscrypt can 1146 + take advantage of such hardware, but the traditional acceleration 1147 + model isn't particularly efficient and fscrypt hasn't been optimized 1148 + for it. 1149 + 1150 + Instead, many newer systems (especially mobile SoCs) have *inline 1151 + encryption hardware* that can encrypt/decrypt data while it is on its 1152 + way to/from the storage device. Linux supports inline encryption 1153 + through a set of extensions to the block layer called *blk-crypto*. 1154 + blk-crypto allows filesystems to attach encryption contexts to bios 1155 + (I/O requests) to specify how the data will be encrypted or decrypted 1156 + in-line. For more information about blk-crypto, see 1157 + :ref:`Documentation/block/inline-encryption.rst <inline_encryption>`. 1158 + 1159 + On supported filesystems (currently ext4 and f2fs), fscrypt can use 1160 + blk-crypto instead of the kernel crypto API to encrypt/decrypt file 1161 + contents. To enable this, set CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y in 1162 + the kernel configuration, and specify the "inlinecrypt" mount option 1163 + when mounting the filesystem. 1164 + 1165 + Note that the "inlinecrypt" mount option just specifies to use inline 1166 + encryption when possible; it doesn't force its use. fscrypt will 1167 + still fall back to using the kernel crypto API on files where the 1168 + inline encryption hardware doesn't have the needed crypto capabilities 1169 + (e.g. support for the needed encryption algorithm and data unit size) 1170 + and where blk-crypto-fallback is unusable. (For blk-crypto-fallback 1171 + to be usable, it must be enabled in the kernel configuration with 1172 + CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y.) 1173 + 1174 + Currently fscrypt always uses the filesystem block size (which is 1175 + usually 4096 bytes) as the data unit size. Therefore, it can only use 1176 + inline encryption hardware that supports that data unit size. 1177 + 1178 + Inline encryption doesn't affect the ciphertext or other aspects of 1179 + the on-disk format, so users may freely switch back and forth between 1180 + using "inlinecrypt" and not using "inlinecrypt". 1181 + 1138 1182 Implementation details 1139 1183 ====================== 1140 1184 ··· 1228 1184 Data path changes 1229 1185 ----------------- 1230 1186 1187 + When inline encryption is used, filesystems just need to associate 1188 + encryption contexts with bios to specify how the block layer or the 1189 + inline encryption hardware will encrypt/decrypt the file contents. 1190 + 1191 + When inline encryption isn't used, filesystems must encrypt/decrypt 1192 + the file contents themselves, as described below: 1193 + 1231 1194 For the read path (->readpage()) of regular files, filesystems can 1232 1195 read the ciphertext into the page cache and decrypt it in-place. The 1233 1196 page lock must be held until decryption has finished, to prevent the ··· 1247 1196 buffer. Some filesystems, such as UBIFS, already use temporary 1248 1197 buffers regardless of encryption. Other filesystems, such as ext4 and 1249 1198 F2FS, have to allocate bounce pages specially for encryption. 1250 - 1251 - Fscrypt is also able to use inline encryption hardware instead of the 1252 - kernel crypto API for en/decryption of file contents. When possible, 1253 - and if directed to do so (by specifying the 'inlinecrypt' mount option 1254 - for an ext4/F2FS filesystem), it adds encryption contexts to bios and 1255 - uses blk-crypto to perform the en/decryption instead of making use of 1256 - the above read/write path changes. Of course, even if directed to 1257 - make use of inline encryption, fscrypt will only be able to do so if 1258 - either hardware inline encryption support is available for the 1259 - selected encryption algorithm or CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK 1260 - is selected. If neither is the case, fscrypt will fall back to using 1261 - the above mentioned read/write path changes for en/decryption. 1262 1199 1263 1200 Filename hashing and encoding 1264 1201 -----------------------------