fscrypt: add support for hardware-wrapped keys

+148 -37

Documentation/filesystems/fscrypt.rst

··· 70 70 -------------- 71 71 72 72 fscrypt (and storage encryption in general) can only provide limited 73 - protection, if any at all, against online attacks. In detail: 73 + protection against online attacks. In detail: 74 74 75 75 Side-channel attacks 76 76 ~~~~~~~~~~~~~~~~~~~~ ··· 99 99 be enforced by kernel *code* and therefore would be largely redundant 100 100 with the wide variety of access control mechanisms already available.) 101 101 102 - Kernel memory compromise 103 - ~~~~~~~~~~~~~~~~~~~~~~~~ 102 + Read-only kernel memory compromise 103 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 104 104 105 - An attacker who compromises the system enough to read from arbitrary 106 - memory, e.g. by mounting a physical attack or by exploiting a kernel 107 - security vulnerability, can compromise all encryption keys that are 108 - currently in use. 105 + Unless `hardware-wrapped keys`_ are used, an attacker who gains the 106 + ability to read from arbitrary kernel memory, e.g. by mounting a 107 + physical attack or by exploiting a kernel security vulnerability, can 108 + compromise all fscrypt keys that are currently in-use. This also 109 + extends to cold boot attacks; if the system is suddenly powered off, 110 + keys the system was using may remain in memory for a short time. 109 111 110 - However, fscrypt allows encryption keys to be removed from the kernel, 111 - which may protect them from later compromise. 112 + However, if hardware-wrapped keys are used, then the fscrypt master 113 + keys and file contents encryption keys (but not other types of fscrypt 114 + subkeys such as filenames encryption keys) are protected from 115 + compromises of arbitrary kernel memory. 116 + 117 + In addition, fscrypt allows encryption keys to be removed from the 118 + kernel, which may protect them from later compromise. 112 119 113 120 In more detail, the FS_IOC_REMOVE_ENCRYPTION_KEY ioctl (or the 114 121 FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl) can wipe a master ··· 151 144 accelerator hardware (if used by the crypto API to implement any of 152 145 the algorithms), or in other places not explicitly considered here. 153 146 147 + Full system compromise 148 + ~~~~~~~~~~~~~~~~~~~~~~ 149 + 150 + An attacker who gains "root" access and/or the ability to execute 151 + arbitrary kernel code can freely exfiltrate data that is protected by 152 + any in-use fscrypt keys. Thus, usually fscrypt provides no meaningful 153 + protection in this scenario. (Data that is protected by a key that is 154 + absent throughout the entire attack remains protected, modulo the 155 + limitations of key removal mentioned above in the case where the key 156 + was removed prior to the attack.) 157 + 158 + However, if `hardware-wrapped keys`_ are used, such attackers will be 159 + unable to exfiltrate the master keys or file contents keys in a form 160 + that will be usable after the system is powered off. This may be 161 + useful if the attacker is significantly time-limited and/or 162 + bandwidth-limited, so they can only exfiltrate some data and need to 163 + rely on a later offline attack to exfiltrate the rest of it. 164 + 154 165 Limitations of v1 policies 155 166 ~~~~~~~~~~~~~~~~~~~~~~~~~~ 156 167 ··· 194 169 195 170 Key hierarchy 196 171 ============= 172 + 173 + Note: this section assumes the use of raw keys rather than 174 + hardware-wrapped keys. The use of hardware-wrapped keys modifies the 175 + key hierarchy slightly. For details, see `Hardware-wrapped keys`_. 197 176 198 177 Master Keys 199 178 ----------- ··· 861 832 struct fscrypt_key_specifier key_spec; 862 833 __u32 raw_size; 863 834 __u32 key_id; 864 - __u32 __reserved[8]; 835 + #define FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED 0x00000001 836 + __u32 flags; 837 + __u32 __reserved[7]; 865 838 __u8 raw[]; 866 839 }; 867 840 ··· 882 851 883 852 struct fscrypt_provisioning_key_payload { 884 853 __u32 type; 885 - __u32 __reserved; 854 + __u32 flags; 886 855 __u8 raw[]; 887 856 }; 888 857 ··· 910 879 Alternatively, if ``key_id`` is nonzero, this field must be 0, since 911 880 in that case the size is implied by the specified Linux keyring key. 912 881 913 - - ``key_id`` is 0 if the raw key is given directly in the ``raw`` 914 - field. Otherwise ``key_id`` is the ID of a Linux keyring key of 915 - type "fscrypt-provisioning" whose payload is 916 - struct fscrypt_provisioning_key_payload whose ``raw`` field contains 917 - the raw key and whose ``type`` field matches ``key_spec.type``. 918 - Since ``raw`` is variable-length, the total size of this key's 919 - payload must be ``sizeof(struct fscrypt_provisioning_key_payload)`` 920 - plus the raw key size. The process must have Search permission on 921 - this key. 882 + - ``key_id`` is 0 if the key is given directly in the ``raw`` field. 883 + Otherwise ``key_id`` is the ID of a Linux keyring key of type 884 + "fscrypt-provisioning" whose payload is struct 885 + fscrypt_provisioning_key_payload whose ``raw`` field contains the 886 + key, whose ``type`` field matches ``key_spec.type``, and whose 887 + ``flags`` field matches ``flags``. Since ``raw`` is 888 + variable-length, the total size of this key's payload must be 889 + ``sizeof(struct fscrypt_provisioning_key_payload)`` plus the number 890 + of key bytes. The process must have Search permission on this key. 922 891 923 - Most users should leave this 0 and specify the raw key directly. 924 - The support for specifying a Linux keyring key is intended mainly to 892 + Most users should leave this 0 and specify the key directly. The 893 + support for specifying a Linux keyring key is intended mainly to 925 894 allow re-adding keys after a filesystem is unmounted and re-mounted, 926 - without having to store the raw keys in userspace memory. 895 + without having to store the keys in userspace memory. 896 + 897 + - ``flags`` contains optional flags from ``<linux/fscrypt.h>``: 898 + 899 + - FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED: This denotes that the key is a 900 + hardware-wrapped key. See `Hardware-wrapped keys`_. This flag 901 + can't be used if FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR is used. 927 902 928 903 - ``raw`` is a variable-length field which must contain the actual 929 904 key, ``raw_size`` bytes long. Alternatively, if ``key_id`` is 930 - nonzero, then this field is unused. 905 + nonzero, then this field is unused. Note that despite being named 906 + ``raw``, if FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED is specified then it 907 + will contain a wrapped key, not a raw key. 931 908 932 909 For v2 policy keys, the kernel keeps track of which user (identified 933 910 by effective user ID) added the key, and only allows the key to be ··· 947 908 FS_IOC_ADD_ENCRYPTION_KEY may also be used to add a v2 policy key 948 909 *again*, even if it's already added by other user(s). In this case, 949 910 FS_IOC_ADD_ENCRYPTION_KEY will just install a claim to the key for the 950 - current user, rather than actually add the key again (but the raw key 951 - must still be provided, as a proof of knowledge). 911 + current user, rather than actually add the key again (but the key must 912 + still be provided, as a proof of knowledge). 952 913 953 914 FS_IOC_ADD_ENCRYPTION_KEY returns 0 if either the key or a claim to 954 915 the key was either added or already exists. ··· 957 918 958 919 - ``EACCES``: FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR was specified, but the 959 920 caller does not have the CAP_SYS_ADMIN capability in the initial 960 - user namespace; or the raw key was specified by Linux key ID but the 921 + user namespace; or the key was specified by Linux key ID but the 961 922 process lacks Search permission on the key. 923 + - ``EBADMSG``: invalid hardware-wrapped key 962 924 - ``EDQUOT``: the key quota for this user would be exceeded by adding 963 925 the key 964 926 - ``EINVAL``: invalid key size or key specifier type, or reserved bits 965 927 were set 966 - - ``EKEYREJECTED``: the raw key was specified by Linux key ID, but the 967 - key has the wrong type 968 - - ``ENOKEY``: the raw key was specified by Linux key ID, but no key 969 - exists with that ID 928 + - ``EKEYREJECTED``: the key was specified by Linux key ID, but the key 929 + has the wrong type 930 + - ``ENOKEY``: the key was specified by Linux key ID, but no key exists 931 + with that ID 970 932 - ``ENOTTY``: this type of filesystem does not implement encryption 971 933 - ``EOPNOTSUPP``: the kernel was not configured with encryption 972 934 support for this filesystem, or the filesystem superblock has not 973 - had encryption enabled on it 935 + had encryption enabled on it; or a hardware wrapped key was specified 936 + but the filesystem does not support inline encryption or the hardware 937 + does not support hardware-wrapped keys 974 938 975 939 Legacy method 976 940 ~~~~~~~~~~~~~ ··· 1036 994 These ioctls don't work on keys that were added via the legacy 1037 995 process-subscribed keyrings mechanism. 1038 996 1039 - Before using these ioctls, read the `Kernel memory compromise`_ 1040 - section for a discussion of the security goals and limitations of 1041 - these ioctls. 997 + Before using these ioctls, read the `Online attacks`_ section for a 998 + discussion of the security goals and limitations of these ioctls. 1042 999 1043 1000 FS_IOC_REMOVE_ENCRYPTION_KEY 1044 1001 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ··· 1357 1316 (e.g. support for the needed encryption algorithm and data unit size) 1358 1317 and where blk-crypto-fallback is unusable. (For blk-crypto-fallback 1359 1318 to be usable, it must be enabled in the kernel configuration with 1360 - CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y.) 1319 + CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y, and the file must be 1320 + protected by a raw key rather than a hardware-wrapped key.) 1361 1321 1362 1322 Currently fscrypt always uses the filesystem block size (which is 1363 1323 usually 4096 bytes) as the data unit size. Therefore, it can only use ··· 1366 1324 1367 1325 Inline encryption doesn't affect the ciphertext or other aspects of 1368 1326 the on-disk format, so users may freely switch back and forth between 1369 - using "inlinecrypt" and not using "inlinecrypt". 1327 + using "inlinecrypt" and not using "inlinecrypt". An exception is that 1328 + files that are protected by a hardware-wrapped key can only be 1329 + encrypted/decrypted by the inline encryption hardware and therefore 1330 + can only be accessed when the "inlinecrypt" mount option is used. For 1331 + more information about hardware-wrapped keys, see below. 1332 + 1333 + Hardware-wrapped keys 1334 + --------------------- 1335 + 1336 + fscrypt supports using *hardware-wrapped keys* when the inline 1337 + encryption hardware supports it. Such keys are only present in kernel 1338 + memory in wrapped (encrypted) form; they can only be unwrapped 1339 + (decrypted) by the inline encryption hardware and are temporally bound 1340 + to the current boot. This prevents the keys from being compromised if 1341 + kernel memory is leaked. This is done without limiting the number of 1342 + keys that can be used and while still allowing the execution of 1343 + cryptographic tasks that are tied to the same key but can't use inline 1344 + encryption hardware, e.g. filenames encryption. 1345 + 1346 + Note that hardware-wrapped keys aren't specific to fscrypt; they are a 1347 + block layer feature (part of *blk-crypto*). For more details about 1348 + hardware-wrapped keys, see the block layer documentation at 1349 + :ref:`Documentation/block/inline-encryption.rst 1350 + <hardware_wrapped_keys>`. The rest of this section just focuses on 1351 + the details of how fscrypt can use hardware-wrapped keys. 1352 + 1353 + fscrypt supports hardware-wrapped keys by allowing the fscrypt master 1354 + keys to be hardware-wrapped keys as an alternative to raw keys. To 1355 + add a hardware-wrapped key with `FS_IOC_ADD_ENCRYPTION_KEY`_, 1356 + userspace must specify FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED in the 1357 + ``flags`` field of struct fscrypt_add_key_arg and also in the 1358 + ``flags`` field of struct fscrypt_provisioning_key_payload when 1359 + applicable. The key must be in ephemerally-wrapped form, not 1360 + long-term wrapped form. 1361 + 1362 + Some limitations apply. First, files protected by a hardware-wrapped 1363 + key are tied to the system's inline encryption hardware. Therefore 1364 + they can only be accessed when the "inlinecrypt" mount option is used, 1365 + and they can't be included in portable filesystem images. Second, 1366 + currently the hardware-wrapped key support is only compatible with 1367 + `IV_INO_LBLK_64 policies`_ and `IV_INO_LBLK_32 policies`_, as it 1368 + assumes that there is just one file contents encryption key per 1369 + fscrypt master key rather than one per file. Future work may address 1370 + this limitation by passing per-file nonces down the storage stack to 1371 + allow the hardware to derive per-file keys. 1372 + 1373 + Implementation-wise, to encrypt/decrypt the contents of files that are 1374 + protected by a hardware-wrapped key, fscrypt uses blk-crypto, 1375 + attaching the hardware-wrapped key to the bio crypt contexts. As is 1376 + the case with raw keys, the block layer will program the key into a 1377 + keyslot when it isn't already in one. However, when programming a 1378 + hardware-wrapped key, the hardware doesn't program the given key 1379 + directly into a keyslot but rather unwraps it (using the hardware's 1380 + ephemeral wrapping key) and derives the inline encryption key from it. 1381 + The inline encryption key is the key that actually gets programmed 1382 + into a keyslot, and it is never exposed to software. 1383 + 1384 + However, fscrypt doesn't just do file contents encryption; it also 1385 + uses its master keys to derive filenames encryption keys, key 1386 + identifiers, and sometimes some more obscure types of subkeys such as 1387 + dirhash keys. So even with file contents encryption out of the 1388 + picture, fscrypt still needs a raw key to work with. To get such a 1389 + key from a hardware-wrapped key, fscrypt asks the inline encryption 1390 + hardware to derive a cryptographically isolated "software secret" from 1391 + the hardware-wrapped key. fscrypt uses this "software secret" to key 1392 + its KDF to derive all subkeys other than file contents keys. 1393 + 1394 + Note that this implies that the hardware-wrapped key feature only 1395 + protects the file contents encryption keys. It doesn't protect other 1396 + fscrypt subkeys such as filenames encryption keys. 1370 1397 1371 1398 Direct I/O support 1372 1399 ==================

+65 -10

fs/crypto/fscrypt_private.h

··· 12 12 #define _FSCRYPT_PRIVATE_H 13 13 14 14 #include <linux/fscrypt.h> 15 + #include <linux/minmax.h> 15 16 #include <linux/siphash.h> 16 17 #include <crypto/hash.h> 17 18 #include <linux/blk-crypto.h> ··· 27 26 * absolute minimum, which applies when only 128-bit encryption is used. 28 27 */ 29 28 #define FSCRYPT_MIN_KEY_SIZE 16 29 + 30 + /* Maximum size of a raw fscrypt master key */ 31 + #define FSCRYPT_MAX_RAW_KEY_SIZE 64 32 + 33 + /* Maximum size of a hardware-wrapped fscrypt master key */ 34 + #define FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE 35 + 36 + /* Maximum size of an fscrypt master key across both key types */ 37 + #define FSCRYPT_MAX_ANY_KEY_SIZE \ 38 + MAX(FSCRYPT_MAX_RAW_KEY_SIZE, FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE) 39 + 40 + /* 41 + * FSCRYPT_MAX_KEY_SIZE is defined in the UAPI header, but the addition of 42 + * hardware-wrapped keys has made it misleading as it's only for raw keys. 43 + * Don't use it in kernel code; use one of the above constants instead. 44 + */ 45 + #undef FSCRYPT_MAX_KEY_SIZE 30 46 31 47 #define FSCRYPT_CONTEXT_V1 1 32 48 #define FSCRYPT_CONTEXT_V2 2 ··· 378 360 * outputs are unique and cryptographically isolated, i.e. knowledge of one 379 361 * output doesn't reveal another. 380 362 */ 381 - #define HKDF_CONTEXT_KEY_IDENTIFIER 1 /* info=<empty> */ 363 + #define HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY 1 /* info=<empty> */ 382 364 #define HKDF_CONTEXT_PER_FILE_ENC_KEY 2 /* info=file_nonce */ 383 365 #define HKDF_CONTEXT_DIRECT_KEY 3 /* info=mode_num */ 384 366 #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY 4 /* info=mode_num||fs_uuid */ 385 367 #define HKDF_CONTEXT_DIRHASH_KEY 5 /* info=file_nonce */ 386 368 #define HKDF_CONTEXT_IV_INO_LBLK_32_KEY 6 /* info=mode_num||fs_uuid */ 387 369 #define HKDF_CONTEXT_INODE_HASH_KEY 7 /* info=<empty> */ 370 + #define HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY \ 371 + 8 /* info=<empty> */ 388 372 389 373 int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, 390 374 const u8 *info, unsigned int infolen, ··· 396 376 397 377 /* inline_crypt.c */ 398 378 #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT 399 - int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci); 379 + int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci, 380 + bool is_hw_wrapped_key); 400 381 401 382 static inline bool 402 383 fscrypt_using_inline_encryption(const struct fscrypt_inode_info *ci) ··· 406 385 } 407 386 408 387 int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 409 - const u8 *raw_key, 388 + const u8 *key_bytes, size_t key_size, 389 + bool is_hw_wrapped, 410 390 const struct fscrypt_inode_info *ci); 411 391 412 392 void fscrypt_destroy_inline_crypt_key(struct super_block *sb, 413 393 struct fscrypt_prepared_key *prep_key); 394 + 395 + int fscrypt_derive_sw_secret(struct super_block *sb, 396 + const u8 *wrapped_key, size_t wrapped_key_size, 397 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); 414 398 415 399 /* 416 400 * Check whether the crypto transform or blk-crypto key has been allocated in ··· 440 414 441 415 #else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */ 442 416 443 - static inline int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci) 417 + static inline int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci, 418 + bool is_hw_wrapped_key) 444 419 { 445 420 return 0; 446 421 } ··· 454 427 455 428 static inline int 456 429 fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 457 - const u8 *raw_key, 430 + const u8 *key_bytes, size_t key_size, 431 + bool is_hw_wrapped, 458 432 const struct fscrypt_inode_info *ci) 459 433 { 460 434 WARN_ON_ONCE(1); ··· 466 438 fscrypt_destroy_inline_crypt_key(struct super_block *sb, 467 439 struct fscrypt_prepared_key *prep_key) 468 440 { 441 + } 442 + 443 + static inline int 444 + fscrypt_derive_sw_secret(struct super_block *sb, 445 + const u8 *wrapped_key, size_t wrapped_key_size, 446 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) 447 + { 448 + fscrypt_warn(NULL, "kernel doesn't support hardware-wrapped keys"); 449 + return -EOPNOTSUPP; 469 450 } 470 451 471 452 static inline bool ··· 493 456 struct fscrypt_master_key_secret { 494 457 495 458 /* 496 - * For v2 policy keys: HKDF context keyed by this master key. 497 - * For v1 policy keys: not set (hkdf.hmac_tfm == NULL). 459 + * The KDF with which subkeys of this key can be derived. 460 + * 461 + * For v1 policy keys, this isn't applicable and won't be set. 462 + * Otherwise, this KDF will be keyed by this master key if 463 + * ->is_hw_wrapped=false, or by the "software secret" that hardware 464 + * derived from this master key if ->is_hw_wrapped=true. 498 465 */ 499 466 struct fscrypt_hkdf hkdf; 500 467 501 468 /* 502 - * Size of the raw key in bytes. This remains set even if ->raw was 469 + * True if this key is a hardware-wrapped key; false if this key is a 470 + * raw key (i.e. a "software key"). For v1 policy keys this will always 471 + * be false, as v1 policy support is a legacy feature which doesn't 472 + * support newer functionality such as hardware-wrapped keys. 473 + */ 474 + bool is_hw_wrapped; 475 + 476 + /* 477 + * Size of the key in bytes. This remains set even if ->bytes was 503 478 * zeroized due to no longer being needed. I.e. we still remember the 504 479 * size of the key even if we don't need to remember the key itself. 505 480 */ 506 481 u32 size; 507 482 508 - /* For v1 policy keys: the raw key. Wiped for v2 policy keys. */ 509 - u8 raw[FSCRYPT_MAX_KEY_SIZE]; 483 + /* 484 + * The bytes of the key, when still needed. This can be either a raw 485 + * key or a hardware-wrapped key, as indicated by ->is_hw_wrapped. In 486 + * the case of a raw, v2 policy key, there is no need to remember the 487 + * actual key separately from ->hkdf so this field will be zeroized as 488 + * soon as ->hkdf is initialized. 489 + */ 490 + u8 bytes[FSCRYPT_MAX_ANY_KEY_SIZE]; 510 491 511 492 } __randomize_layout; 512 493

+3 -1

fs/crypto/hkdf.c

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 /* 3 - * This is used to derive keys from the fscrypt master keys. 3 + * This is used to derive keys from the fscrypt master keys (or from the 4 + * "software secrets" which hardware derives from the fscrypt master keys, in 5 + * the case that the fscrypt master keys are hardware-wrapped keys). 4 6 * 5 7 * Copyright 2019 Google LLC 6 8 */

+38 -6

fs/crypto/inline_crypt.c

··· 89 89 } 90 90 91 91 /* Enable inline encryption for this file if supported. */ 92 - int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci) 92 + int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci, 93 + bool is_hw_wrapped_key) 93 94 { 94 95 const struct inode *inode = ci->ci_inode; 95 96 struct super_block *sb = inode->i_sb; ··· 131 130 crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode; 132 131 crypto_cfg.data_unit_size = 1U << ci->ci_data_unit_bits; 133 132 crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci); 134 - crypto_cfg.key_type = BLK_CRYPTO_KEY_TYPE_RAW; 133 + crypto_cfg.key_type = is_hw_wrapped_key ? 134 + BLK_CRYPTO_KEY_TYPE_HW_WRAPPED : BLK_CRYPTO_KEY_TYPE_RAW; 135 135 136 136 devs = fscrypt_get_devices(sb, &num_devs); 137 137 if (IS_ERR(devs)) ··· 153 151 } 154 152 155 153 int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, 156 - const u8 *raw_key, 154 + const u8 *key_bytes, size_t key_size, 155 + bool is_hw_wrapped, 157 156 const struct fscrypt_inode_info *ci) 158 157 { 159 158 const struct inode *inode = ci->ci_inode; 160 159 struct super_block *sb = inode->i_sb; 161 160 enum blk_crypto_mode_num crypto_mode = ci->ci_mode->blk_crypto_mode; 161 + enum blk_crypto_key_type key_type = is_hw_wrapped ? 162 + BLK_CRYPTO_KEY_TYPE_HW_WRAPPED : BLK_CRYPTO_KEY_TYPE_RAW; 162 163 struct blk_crypto_key *blk_key; 163 164 struct block_device **devs; 164 165 unsigned int num_devs; ··· 172 167 if (!blk_key) 173 168 return -ENOMEM; 174 169 175 - err = blk_crypto_init_key(blk_key, raw_key, ci->ci_mode->keysize, 176 - BLK_CRYPTO_KEY_TYPE_RAW, crypto_mode, 177 - fscrypt_get_dun_bytes(ci), 170 + err = blk_crypto_init_key(blk_key, key_bytes, key_size, key_type, 171 + crypto_mode, fscrypt_get_dun_bytes(ci), 178 172 1U << ci->ci_data_unit_bits); 179 173 if (err) { 180 174 fscrypt_err(inode, "error %d initializing blk-crypto key", err); ··· 230 226 kfree(devs); 231 227 } 232 228 kfree_sensitive(blk_key); 229 + } 230 + 231 + /* 232 + * Ask the inline encryption hardware to derive the software secret from a 233 + * hardware-wrapped key. Returns -EOPNOTSUPP if hardware-wrapped keys aren't 234 + * supported on this filesystem or hardware. 235 + */ 236 + int fscrypt_derive_sw_secret(struct super_block *sb, 237 + const u8 *wrapped_key, size_t wrapped_key_size, 238 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) 239 + { 240 + int err; 241 + 242 + /* The filesystem must be mounted with -o inlinecrypt. */ 243 + if (!(sb->s_flags & SB_INLINECRYPT)) { 244 + fscrypt_warn(NULL, 245 + "%s: filesystem not mounted with inlinecrypt\n", 246 + sb->s_id); 247 + return -EOPNOTSUPP; 248 + } 249 + 250 + err = blk_crypto_derive_sw_secret(sb->s_bdev, wrapped_key, 251 + wrapped_key_size, sw_secret); 252 + if (err == -EOPNOTSUPP) 253 + fscrypt_warn(NULL, 254 + "%s: block device doesn't support hardware-wrapped keys\n", 255 + sb->s_id); 256 + return err; 233 257 } 234 258 235 259 bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode)

+95 -39

fs/crypto/keyring.c

··· 149 149 struct key_preparsed_payload *prep) 150 150 { 151 151 /* 152 - * We just charge FSCRYPT_MAX_KEY_SIZE bytes to the user's key quota for 153 - * each key, regardless of the exact key size. The amount of memory 152 + * We just charge FSCRYPT_MAX_RAW_KEY_SIZE bytes to the user's key quota 153 + * for each key, regardless of the exact key size. The amount of memory 154 154 * actually used is greater than the size of the raw key anyway. 155 155 */ 156 - return key_payload_reserve(key, FSCRYPT_MAX_KEY_SIZE); 156 + return key_payload_reserve(key, FSCRYPT_MAX_RAW_KEY_SIZE); 157 157 } 158 158 159 159 static void fscrypt_user_key_describe(const struct key *key, struct seq_file *m) ··· 558 558 int err; 559 559 560 560 if (key_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) { 561 - err = fscrypt_init_hkdf(&secret->hkdf, secret->raw, 562 - secret->size); 561 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]; 562 + u8 *kdf_key = secret->bytes; 563 + unsigned int kdf_key_size = secret->size; 564 + u8 keyid_kdf_ctx = HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY; 565 + 566 + /* 567 + * For raw keys, the fscrypt master key is used directly as the 568 + * fscrypt KDF key. For hardware-wrapped keys, we have to pass 569 + * the master key to the hardware to derive the KDF key, which 570 + * is then only used to derive non-file-contents subkeys. 571 + */ 572 + if (secret->is_hw_wrapped) { 573 + err = fscrypt_derive_sw_secret(sb, secret->bytes, 574 + secret->size, sw_secret); 575 + if (err) 576 + return err; 577 + kdf_key = sw_secret; 578 + kdf_key_size = sizeof(sw_secret); 579 + /* 580 + * To avoid weird behavior if someone manages to 581 + * determine sw_secret and add it as a raw key, ensure 582 + * that hardware-wrapped keys and raw keys will have 583 + * different key identifiers by deriving their key 584 + * identifiers using different KDF contexts. 585 + */ 586 + keyid_kdf_ctx = 587 + HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY; 588 + } 589 + err = fscrypt_init_hkdf(&secret->hkdf, kdf_key, kdf_key_size); 590 + /* 591 + * Now that the KDF context is initialized, the raw KDF key is 592 + * no longer needed. 593 + */ 594 + memzero_explicit(kdf_key, kdf_key_size); 563 595 if (err) 564 596 return err; 565 597 566 - /* 567 - * Now that the HKDF context is initialized, the raw key is no 568 - * longer needed. 569 - */ 570 - memzero_explicit(secret->raw, secret->size); 571 - 572 598 /* Calculate the key identifier */ 573 - err = fscrypt_hkdf_expand(&secret->hkdf, 574 - HKDF_CONTEXT_KEY_IDENTIFIER, NULL, 0, 599 + err = fscrypt_hkdf_expand(&secret->hkdf, keyid_kdf_ctx, NULL, 0, 575 600 key_spec->u.identifier, 576 601 FSCRYPT_KEY_IDENTIFIER_SIZE); 577 602 if (err) ··· 605 580 return do_add_master_key(sb, secret, key_spec); 606 581 } 607 582 583 + /* 584 + * Validate the size of an fscrypt master key being added. Note that this is 585 + * just an initial check, as we don't know which ciphers will be used yet. 586 + * There is a stricter size check later when the key is actually used by a file. 587 + */ 588 + static inline bool fscrypt_valid_key_size(size_t size, u32 add_key_flags) 589 + { 590 + u32 max_size = (add_key_flags & FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED) ? 591 + FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE : 592 + FSCRYPT_MAX_RAW_KEY_SIZE; 593 + 594 + return size >= FSCRYPT_MIN_KEY_SIZE && size <= max_size; 595 + } 596 + 608 597 static int fscrypt_provisioning_key_preparse(struct key_preparsed_payload *prep) 609 598 { 610 599 const struct fscrypt_provisioning_key_payload *payload = prep->data; 611 600 612 - if (prep->datalen < sizeof(*payload) + FSCRYPT_MIN_KEY_SIZE || 613 - prep->datalen > sizeof(*payload) + FSCRYPT_MAX_KEY_SIZE) 601 + if (prep->datalen < sizeof(*payload)) 602 + return -EINVAL; 603 + 604 + if (!fscrypt_valid_key_size(prep->datalen - sizeof(*payload), 605 + payload->flags)) 614 606 return -EINVAL; 615 607 616 608 if (payload->type != FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR && 617 609 payload->type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) 618 610 return -EINVAL; 619 611 620 - if (payload->__reserved) 612 + if (payload->flags & ~FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED) 621 613 return -EINVAL; 622 614 623 615 prep->payload.data[0] = kmemdup(payload, prep->datalen, GFP_KERNEL); ··· 678 636 }; 679 637 680 638 /* 681 - * Retrieve the raw key from the Linux keyring key specified by 'key_id', and 682 - * store it into 'secret'. 639 + * Retrieve the key from the Linux keyring key specified by 'key_id', and store 640 + * it into 'secret'. 683 641 * 684 - * The key must be of type "fscrypt-provisioning" and must have the field 685 - * fscrypt_provisioning_key_payload::type set to 'type', indicating that it's 686 - * only usable with fscrypt with the particular KDF version identified by 687 - * 'type'. We don't use the "logon" key type because there's no way to 688 - * completely restrict the use of such keys; they can be used by any kernel API 689 - * that accepts "logon" keys and doesn't require a specific service prefix. 642 + * The key must be of type "fscrypt-provisioning" and must have the 'type' and 643 + * 'flags' field of the payload set to the given values, indicating that the key 644 + * is intended for use for the specified purpose. We don't use the "logon" key 645 + * type because there's no way to completely restrict the use of such keys; they 646 + * can be used by any kernel API that accepts "logon" keys and doesn't require a 647 + * specific service prefix. 690 648 * 691 649 * The ability to specify the key via Linux keyring key is intended for cases 692 650 * where userspace needs to re-add keys after the filesystem is unmounted and 693 - * re-mounted. Most users should just provide the raw key directly instead. 651 + * re-mounted. Most users should just provide the key directly instead. 694 652 */ 695 - static int get_keyring_key(u32 key_id, u32 type, 653 + static int get_keyring_key(u32 key_id, u32 type, u32 flags, 696 654 struct fscrypt_master_key_secret *secret) 697 655 { 698 656 key_ref_t ref; ··· 709 667 goto bad_key; 710 668 payload = key->payload.data[0]; 711 669 712 - /* Don't allow fscrypt v1 keys to be used as v2 keys and vice versa. */ 713 - if (payload->type != type) 670 + /* 671 + * Don't allow fscrypt v1 keys to be used as v2 keys and vice versa. 672 + * Similarly, don't allow hardware-wrapped keys to be used as 673 + * non-hardware-wrapped keys and vice versa. 674 + */ 675 + if (payload->type != type || payload->flags != flags) 714 676 goto bad_key; 715 677 716 678 secret->size = key->datalen - sizeof(*payload); 717 - memcpy(secret->raw, payload->raw, secret->size); 679 + memcpy(secret->bytes, payload->raw, secret->size); 718 680 err = 0; 719 681 goto out_put; 720 682 ··· 780 734 return -EACCES; 781 735 782 736 memset(&secret, 0, sizeof(secret)); 737 + 738 + if (arg.flags) { 739 + if (arg.flags & ~FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED) 740 + return -EINVAL; 741 + if (arg.key_spec.type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) 742 + return -EINVAL; 743 + secret.is_hw_wrapped = true; 744 + } 745 + 783 746 if (arg.key_id) { 784 747 if (arg.raw_size != 0) 785 748 return -EINVAL; 786 - err = get_keyring_key(arg.key_id, arg.key_spec.type, &secret); 749 + err = get_keyring_key(arg.key_id, arg.key_spec.type, arg.flags, 750 + &secret); 787 751 if (err) 788 752 goto out_wipe_secret; 789 753 } else { 790 - if (arg.raw_size < FSCRYPT_MIN_KEY_SIZE || 791 - arg.raw_size > FSCRYPT_MAX_KEY_SIZE) 754 + if (!fscrypt_valid_key_size(arg.raw_size, arg.flags)) 792 755 return -EINVAL; 793 756 secret.size = arg.raw_size; 794 757 err = -EFAULT; 795 - if (copy_from_user(secret.raw, uarg->raw, secret.size)) 758 + if (copy_from_user(secret.bytes, uarg->raw, secret.size)) 796 759 goto out_wipe_secret; 797 760 } 798 761 ··· 825 770 static void 826 771 fscrypt_get_test_dummy_secret(struct fscrypt_master_key_secret *secret) 827 772 { 828 - static u8 test_key[FSCRYPT_MAX_KEY_SIZE]; 773 + static u8 test_key[FSCRYPT_MAX_RAW_KEY_SIZE]; 829 774 830 - get_random_once(test_key, FSCRYPT_MAX_KEY_SIZE); 775 + get_random_once(test_key, sizeof(test_key)); 831 776 832 777 memset(secret, 0, sizeof(*secret)); 833 - secret->size = FSCRYPT_MAX_KEY_SIZE; 834 - memcpy(secret->raw, test_key, FSCRYPT_MAX_KEY_SIZE); 778 + secret->size = sizeof(test_key); 779 + memcpy(secret->bytes, test_key, sizeof(test_key)); 835 780 } 836 781 837 782 int fscrypt_get_test_dummy_key_identifier( ··· 842 787 843 788 fscrypt_get_test_dummy_secret(&secret); 844 789 845 - err = fscrypt_init_hkdf(&secret.hkdf, secret.raw, secret.size); 790 + err = fscrypt_init_hkdf(&secret.hkdf, secret.bytes, secret.size); 846 791 if (err) 847 792 goto out; 848 - err = fscrypt_hkdf_expand(&secret.hkdf, HKDF_CONTEXT_KEY_IDENTIFIER, 793 + err = fscrypt_hkdf_expand(&secret.hkdf, 794 + HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY, 849 795 NULL, 0, key_identifier, 850 796 FSCRYPT_KEY_IDENTIFIER_SIZE); 851 797 out:

+55 -8

fs/crypto/keysetup.c

··· 153 153 struct crypto_skcipher *tfm; 154 154 155 155 if (fscrypt_using_inline_encryption(ci)) 156 - return fscrypt_prepare_inline_crypt_key(prep_key, raw_key, ci); 156 + return fscrypt_prepare_inline_crypt_key(prep_key, raw_key, 157 + ci->ci_mode->keysize, 158 + false, ci); 157 159 158 160 tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode); 159 161 if (IS_ERR(tfm)) ··· 197 195 struct fscrypt_mode *mode = ci->ci_mode; 198 196 const u8 mode_num = mode - fscrypt_modes; 199 197 struct fscrypt_prepared_key *prep_key; 200 - u8 mode_key[FSCRYPT_MAX_KEY_SIZE]; 198 + u8 mode_key[FSCRYPT_MAX_RAW_KEY_SIZE]; 201 199 u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)]; 202 200 unsigned int hkdf_infolen = 0; 201 + bool use_hw_wrapped_key = false; 203 202 int err; 204 203 205 204 if (WARN_ON_ONCE(mode_num > FSCRYPT_MODE_MAX)) 206 205 return -EINVAL; 206 + 207 + if (mk->mk_secret.is_hw_wrapped && S_ISREG(inode->i_mode)) { 208 + /* Using a hardware-wrapped key for file contents encryption */ 209 + if (!fscrypt_using_inline_encryption(ci)) { 210 + if (sb->s_flags & SB_INLINECRYPT) 211 + fscrypt_warn(ci->ci_inode, 212 + "Hardware-wrapped key required, but no suitable inline encryption capabilities are available"); 213 + else 214 + fscrypt_warn(ci->ci_inode, 215 + "Hardware-wrapped keys require inline encryption (-o inlinecrypt)"); 216 + return -EINVAL; 217 + } 218 + use_hw_wrapped_key = true; 219 + } 207 220 208 221 prep_key = &keys[mode_num]; 209 222 if (fscrypt_is_key_prepared(prep_key, ci)) { ··· 230 213 231 214 if (fscrypt_is_key_prepared(prep_key, ci)) 232 215 goto done_unlock; 216 + 217 + if (use_hw_wrapped_key) { 218 + err = fscrypt_prepare_inline_crypt_key(prep_key, 219 + mk->mk_secret.bytes, 220 + mk->mk_secret.size, true, 221 + ci); 222 + if (err) 223 + goto out_unlock; 224 + goto done_unlock; 225 + } 233 226 234 227 BUILD_BUG_ON(sizeof(mode_num) != 1); 235 228 BUILD_BUG_ON(sizeof(sb->s_uuid) != 16); ··· 363 336 { 364 337 int err; 365 338 339 + if (mk->mk_secret.is_hw_wrapped && 340 + !(ci->ci_policy.v2.flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | 341 + FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32))) { 342 + fscrypt_warn(ci->ci_inode, 343 + "Hardware-wrapped keys are only supported with IV_INO_LBLK policies"); 344 + return -EINVAL; 345 + } 346 + 366 347 if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { 367 348 /* 368 349 * DIRECT_KEY: instead of deriving per-file encryption keys, the ··· 397 362 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) { 398 363 err = fscrypt_setup_iv_ino_lblk_32_key(ci, mk); 399 364 } else { 400 - u8 derived_key[FSCRYPT_MAX_KEY_SIZE]; 365 + u8 derived_key[FSCRYPT_MAX_RAW_KEY_SIZE]; 401 366 402 367 err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 403 368 HKDF_CONTEXT_PER_FILE_ENC_KEY, ··· 480 445 struct fscrypt_master_key *mk; 481 446 int err; 482 447 483 - err = fscrypt_select_encryption_impl(ci); 484 - if (err) 485 - return err; 486 - 487 448 err = fscrypt_policy_to_key_spec(&ci->ci_policy, &mk_spec); 488 449 if (err) 489 450 return err; ··· 507 476 if (ci->ci_policy.version != FSCRYPT_POLICY_V1) 508 477 return -ENOKEY; 509 478 479 + err = fscrypt_select_encryption_impl(ci, false); 480 + if (err) 481 + return err; 482 + 510 483 /* 511 484 * As a legacy fallback for v1 policies, search for the key in 512 485 * the current task's subscribed keyrings too. Don't move this ··· 532 497 goto out_release_key; 533 498 } 534 499 500 + err = fscrypt_select_encryption_impl(ci, mk->mk_secret.is_hw_wrapped); 501 + if (err) 502 + goto out_release_key; 503 + 535 504 switch (ci->ci_policy.version) { 536 505 case FSCRYPT_POLICY_V1: 537 - err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw); 506 + if (WARN_ON_ONCE(mk->mk_secret.is_hw_wrapped)) { 507 + /* 508 + * This should never happen, as adding a v1 policy key 509 + * that is hardware-wrapped isn't allowed. 510 + */ 511 + err = -EINVAL; 512 + goto out_release_key; 513 + } 514 + err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.bytes); 538 515 break; 539 516 case FSCRYPT_POLICY_V2: 540 517 err = fscrypt_setup_v2_file_key(ci, mk, need_dirhash_key);

+2 -2

fs/crypto/keysetup_v1.c

··· 118 118 payload = (const struct fscrypt_key *)ukp->data; 119 119 120 120 if (ukp->datalen != sizeof(struct fscrypt_key) || 121 - payload->size < 1 || payload->size > FSCRYPT_MAX_KEY_SIZE) { 121 + payload->size < 1 || payload->size > sizeof(payload->raw)) { 122 122 fscrypt_warn(NULL, 123 123 "key with description '%s' has invalid payload", 124 124 key->description); ··· 149 149 const struct fscrypt_mode *dk_mode; 150 150 struct fscrypt_prepared_key dk_key; 151 151 u8 dk_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; 152 - u8 dk_raw[FSCRYPT_MAX_KEY_SIZE]; 152 + u8 dk_raw[FSCRYPT_MAX_RAW_KEY_SIZE]; 153 153 }; 154 154 155 155 static void free_direct_key(struct fscrypt_direct_key *dk)

+4 -2

include/uapi/linux/fscrypt.h

··· 119 119 */ 120 120 struct fscrypt_provisioning_key_payload { 121 121 __u32 type; 122 - __u32 __reserved; 122 + __u32 flags; 123 123 __u8 raw[]; 124 124 }; 125 125 ··· 128 128 struct fscrypt_key_specifier key_spec; 129 129 __u32 raw_size; 130 130 __u32 key_id; 131 - __u32 __reserved[8]; 131 + #define FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED 0x00000001 132 + __u32 flags; 133 + __u32 __reserved[7]; 132 134 __u8 raw[]; 133 135 }; 134 136