Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fscrypt: clarify what is meant by a per-file key

Now that there's sometimes a second type of per-file key (the dirhash
key), clarify some function names, macros, and documentation that
specifically deal with per-file *encryption* keys.

Link: https://lore.kernel.org/r/20200120223201.241390-4-ebiggers@kernel.org
Reviewed-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>

+37 -36
+12 -12
Documentation/filesystems/fscrypt.rst
··· 234 234 entropy from the master key. HKDF is also standardized and widely 235 235 used by other software, whereas the AES-128-ECB based KDF is ad-hoc. 236 236 237 - Per-file keys 238 - ------------- 237 + Per-file encryption keys 238 + ------------------------ 239 239 240 240 Since each master key can protect many files, it is necessary to 241 241 "tweak" the encryption of each file so that the same plaintext in two ··· 268 268 Therefore, to improve performance and save memory, for Adiantum a 269 269 "direct key" configuration is supported. When the user has enabled 270 270 this by setting FSCRYPT_POLICY_FLAG_DIRECT_KEY in the fscrypt policy, 271 - per-file keys are not used. Instead, whenever any data (contents or 272 - filenames) is encrypted, the file's 16-byte nonce is included in the 273 - IV. Moreover: 271 + per-file encryption keys are not used. Instead, whenever any data 272 + (contents or filenames) is encrypted, the file's 16-byte nonce is 273 + included in the IV. Moreover: 274 274 275 275 - For v1 encryption policies, the encryption is done directly with the 276 276 master key. Because of this, users **must not** use the same master ··· 335 335 Adiantum is a (primarily) stream cipher-based mode that is fast even 336 336 on CPUs without dedicated crypto instructions. It's also a true 337 337 wide-block mode, unlike XTS. It can also eliminate the need to derive 338 - per-file keys. However, it depends on the security of two primitives, 339 - XChaCha12 and AES-256, rather than just one. See the paper 340 - "Adiantum: length-preserving encryption for entry-level processors" 341 - (https://eprint.iacr.org/2018/720.pdf) for more details. To use 342 - Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast 338 + per-file encryption keys. However, it depends on the security of two 339 + primitives, XChaCha12 and AES-256, rather than just one. 
See the 340 + paper "Adiantum: length-preserving encryption for entry-level 341 + processors" (https://eprint.iacr.org/2018/720.pdf) for more details. 342 + To use Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast 343 343 implementations of ChaCha and NHPoly1305 should be enabled, e.g. 344 344 CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM. 345 345 ··· 1149 1149 policy structs (see `Setting an encryption policy`_), except that the 1150 1150 context structs also contain a nonce. The nonce is randomly generated 1151 1151 by the kernel and is used as KDF input or as a tweak to cause 1152 - different files to be encrypted differently; see `Per-file keys`_ and 1153 - `DIRECT_KEY policies`_. 1152 + different files to be encrypted differently; see `Per-file encryption 1153 + keys`_ and `DIRECT_KEY policies`_. 1154 1154 1155 1155 Data path changes 1156 1156 -----------------
+3 -3
fs/crypto/fscrypt_private.h
··· 269 269 * output doesn't reveal another. 270 270 */ 271 271 #define HKDF_CONTEXT_KEY_IDENTIFIER 1 272 - #define HKDF_CONTEXT_PER_FILE_KEY 2 272 + #define HKDF_CONTEXT_PER_FILE_ENC_KEY 2 273 273 #define HKDF_CONTEXT_DIRECT_KEY 3 274 274 #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY 4 275 275 #define HKDF_CONTEXT_DIRHASH_KEY 5 ··· 441 441 fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, 442 442 const struct inode *inode); 443 443 444 - extern int fscrypt_set_derived_key(struct fscrypt_info *ci, 445 - const u8 *derived_key); 444 + extern int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, 445 + const u8 *raw_key); 446 446 447 447 extern int fscrypt_derive_dirhash_key(struct fscrypt_info *ci, 448 448 const struct fscrypt_master_key *mk);
+20 -19
fs/crypto/keysetup.c
··· 107 107 return ERR_PTR(err); 108 108 } 109 109 110 - /* Given the per-file key, set up the file's crypto transform object */ 111 - int fscrypt_set_derived_key(struct fscrypt_info *ci, const u8 *derived_key) 110 + /* Given a per-file encryption key, set up the file's crypto transform object */ 111 + int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key) 112 112 { 113 113 struct crypto_skcipher *tfm; 114 114 115 - tfm = fscrypt_allocate_skcipher(ci->ci_mode, derived_key, ci->ci_inode); 115 + tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode); 116 116 if (IS_ERR(tfm)) 117 117 return PTR_ERR(tfm); 118 118 ··· 121 121 return 0; 122 122 } 123 123 124 - static int setup_per_mode_key(struct fscrypt_info *ci, 125 - struct fscrypt_master_key *mk, 126 - struct crypto_skcipher **tfms, 127 - u8 hkdf_context, bool include_fs_uuid) 124 + static int setup_per_mode_enc_key(struct fscrypt_info *ci, 125 + struct fscrypt_master_key *mk, 126 + struct crypto_skcipher **tfms, 127 + u8 hkdf_context, bool include_fs_uuid) 128 128 { 129 129 const struct inode *inode = ci->ci_inode; 130 130 const struct super_block *sb = inode->i_sb; ··· 196 196 197 197 if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { 198 198 /* 199 - * DIRECT_KEY: instead of deriving per-file keys, the per-file 200 - * nonce will be included in all the IVs. But unlike v1 201 - * policies, for v2 policies in this case we don't encrypt with 202 - * the master key directly but rather derive a per-mode key. 203 - * This ensures that the master key is consistently used only 204 - * for HKDF, avoiding key reuse issues. 199 + * DIRECT_KEY: instead of deriving per-file encryption keys, the 200 + * per-file nonce will be included in all the IVs. But unlike 201 + * v1 policies, for v2 policies in this case we don't encrypt 202 + * with the master key directly but rather derive a per-mode 203 + * encryption key. 
This ensures that the master key is 204 + * consistently used only for HKDF, avoiding key reuse issues. 205 205 */ 206 - err = setup_per_mode_key(ci, mk, mk->mk_direct_tfms, 207 - HKDF_CONTEXT_DIRECT_KEY, false); 206 + err = setup_per_mode_enc_key(ci, mk, mk->mk_direct_tfms, 207 + HKDF_CONTEXT_DIRECT_KEY, false); 208 208 } else if (ci->ci_policy.v2.flags & 209 209 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) { 210 210 /* ··· 213 213 * the IVs. This format is optimized for use with inline 214 214 * encryption hardware compliant with the UFS or eMMC standards. 215 215 */ 216 - err = setup_per_mode_key(ci, mk, mk->mk_iv_ino_lblk_64_tfms, 217 - HKDF_CONTEXT_IV_INO_LBLK_64_KEY, true); 216 + err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_64_tfms, 217 + HKDF_CONTEXT_IV_INO_LBLK_64_KEY, 218 + true); 218 219 } else { 219 220 u8 derived_key[FSCRYPT_MAX_KEY_SIZE]; 220 221 221 222 err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 222 - HKDF_CONTEXT_PER_FILE_KEY, 223 + HKDF_CONTEXT_PER_FILE_ENC_KEY, 223 224 ci->ci_nonce, 224 225 FS_KEY_DERIVATION_NONCE_SIZE, 225 226 derived_key, ci->ci_mode->keysize); 226 227 if (err) 227 228 return err; 228 229 229 - err = fscrypt_set_derived_key(ci, derived_key); 230 + err = fscrypt_set_per_file_enc_key(ci, derived_key); 230 231 memzero_explicit(derived_key, ci->ci_mode->keysize); 231 232 } 232 233 if (err)
+2 -2
fs/crypto/keysetup_v1.c
··· 9 9 * This file implements compatibility functions for the original encryption 10 10 * policy version ("v1"), including: 11 11 * 12 - * - Deriving per-file keys using the AES-128-ECB based KDF 12 + * - Deriving per-file encryption keys using the AES-128-ECB based KDF 13 13 * (rather than the new method of using HKDF-SHA512) 14 14 * 15 15 * - Retrieving fscrypt master keys from process-subscribed keyrings ··· 283 283 if (err) 284 284 goto out; 285 285 286 - err = fscrypt_set_derived_key(ci, derived_key); 286 + err = fscrypt_set_per_file_enc_key(ci, derived_key); 287 287 out: 288 288 kzfree(derived_key); 289 289 return err;
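
Review bot: the section retitle in Documentation/filesystems/fscrypt.rst (old lines 237-238) changes the RST target name, and the visible hunks update only the one reference near line 1152. Any other `Per-file keys`_ reference left in the documentation would become an unresolved target, so grep for the old title before this goes in. The updated reference is also wrapped between "encryption" and "keys"; keeping the whole backquoted name on one line would keep it greppable.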
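
Review bot: missing documentation on the HKDF_CONTEXT_* block in fs/crypto/fscrypt_private.h (line 272): the comment above the defines should state that the numeric values are fixed once assigned. The rename to HKDF_CONTEXT_PER_FILE_ENC_KEY is safe only because the value stays 2; this constant is passed to fscrypt_hkdf_expand() in keysetup.c, so a renumbering during a later cleanup would change every derived per-file encryption key. A one-line "values must never change" note next to the defines would make that explicit.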
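
Review bot: the prototype at fs/crypto/fscrypt_private.h lines 444-445 also renames the parameter from derived_key to raw_key, which the commit message does not mention, and both callers shown (keysetup.c and keysetup_v1.c) still pass a buffer named derived_key. Please either note the parameter rename in the changelog or keep the names aligned. While here, a short comment on the declaration saying the caller keeps ownership of raw_key and must wipe it would document what the callers already do (memzero_explicit() in keysetup.c, kzfree() in keysetup_v1.c).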
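
Review bot: in the final else branch of the fs/crypto/keysetup.c hunk (new lines 220-231), the early "return err" after fscrypt_hkdf_expand() skips memzero_explicit(derived_key, ...), so the on-stack buffer is left unwiped on that path even though the failed expand may have written part of it. Since these lines are being touched anyway, consider calling fscrypt_set_per_file_enc_key() only when err is 0 and running the memzero_explicit() unconditionally, letting the existing "if (err)" check after the branch handle the return.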