Merge tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt

+10

Documentation/filesystems/fscrypt.rst

··· 191 191 192 192 - AES-256-XTS for contents and AES-256-CTS-CBC for filenames 193 193 - AES-128-CBC for contents and AES-128-CTS-CBC for filenames 194 + - Speck128/256-XTS for contents and Speck128/256-CTS-CBC for filenames 194 195 195 196 It is strongly recommended to use AES-256-XTS for contents encryption. 196 197 AES-128-CBC was added only for low-powered embedded devices with 197 198 crypto accelerators such as CAAM or CESA that do not support XTS. 199 + 200 + Similarly, Speck128/256 support was only added for older or low-end 201 + CPUs which cannot do AES fast enough -- especially ARM CPUs which have 202 + NEON instructions but not the Cryptography Extensions -- and for which 203 + it would not otherwise be feasible to use encryption at all. It is 204 + not recommended to use Speck on CPUs that have AES instructions. 205 + Speck support is only available if it has been enabled in the crypto 206 + API via CONFIG_CRYPTO_SPECK. Also, on ARM platforms, to get 207 + acceptable performance CONFIG_CRYPTO_SPECK_NEON must be enabled. 198 208 199 209 New encryption modes can be added relatively easily, without changes 200 210 to individual filesystems. However, authenticated encryption (AE)

+36 -11

fs/crypto/crypto.c

··· 156 156 } 157 157 158 158 req = skcipher_request_alloc(tfm, gfp_flags); 159 - if (!req) { 160 - printk_ratelimited(KERN_ERR 161 - "%s: crypto_request_alloc() failed\n", 162 - __func__); 159 + if (!req) 163 160 return -ENOMEM; 164 - } 165 161 166 162 skcipher_request_set_callback( 167 163 req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, ··· 174 178 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 175 179 skcipher_request_free(req); 176 180 if (res) { 177 - printk_ratelimited(KERN_ERR 178 - "%s: crypto_skcipher_encrypt() returned %d\n", 179 - __func__, res); 181 + fscrypt_err(inode->i_sb, 182 + "%scryption failed for inode %lu, block %llu: %d", 183 + (rw == FS_DECRYPT ? "de" : "en"), 184 + inode->i_ino, lblk_num, res); 180 185 return res; 181 186 } 182 187 return 0; ··· 323 326 return 0; 324 327 } 325 328 326 - /* this should eventually be an flag in d_flags */ 327 329 spin_lock(&dentry->d_lock); 328 330 cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY; 329 331 spin_unlock(&dentry->d_lock); ··· 349 353 const struct dentry_operations fscrypt_d_ops = { 350 354 .d_revalidate = fscrypt_d_revalidate, 351 355 }; 352 - EXPORT_SYMBOL(fscrypt_d_ops); 353 356 354 357 void fscrypt_restore_control_page(struct page *page) 355 358 { ··· 417 422 return res; 418 423 } 419 424 425 + void fscrypt_msg(struct super_block *sb, const char *level, 426 + const char *fmt, ...) 427 + { 428 + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, 429 + DEFAULT_RATELIMIT_BURST); 430 + struct va_format vaf; 431 + va_list args; 432 + 433 + if (!__ratelimit(&rs)) 434 + return; 435 + 436 + va_start(args, fmt); 437 + vaf.fmt = fmt; 438 + vaf.va = &args; 439 + if (sb) 440 + printk("%sfscrypt (%s): %pV\n", level, sb->s_id, &vaf); 441 + else 442 + printk("%sfscrypt: %pV\n", level, &vaf); 443 + va_end(args); 444 + } 445 + 420 446 /** 421 447 * fscrypt_init() - Set up for fs encryption. 422 448 */ 423 449 static int __init fscrypt_init(void) 424 450 { 451 + /* 452 + * Use an unbound workqueue to allow bios to be decrypted in parallel 453 + * even when they happen to complete on the same CPU. This sacrifices 454 + * locality, but it's worthwhile since decryption is CPU-intensive. 455 + * 456 + * Also use a high-priority workqueue to prioritize decryption work, 457 + * which blocks reads from completing, over regular application tasks. 458 + */ 425 459 fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue", 426 - WQ_HIGHPRI, 0); 460 + WQ_UNBOUND | WQ_HIGHPRI, 461 + num_online_cpus()); 427 462 if (!fscrypt_read_workqueue) 428 463 goto fail; 429 464

+11 -21

fs/crypto/fname.c

··· 59 59 60 60 /* Set up the encryption request */ 61 61 req = skcipher_request_alloc(tfm, GFP_NOFS); 62 - if (!req) { 63 - printk_ratelimited(KERN_ERR 64 - "%s: skcipher_request_alloc() failed\n", __func__); 62 + if (!req) 65 63 return -ENOMEM; 66 - } 67 64 skcipher_request_set_callback(req, 68 65 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 69 66 crypto_req_done, &wait); ··· 71 74 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 72 75 skcipher_request_free(req); 73 76 if (res < 0) { 74 - printk_ratelimited(KERN_ERR 75 - "%s: Error (error code %d)\n", __func__, res); 77 + fscrypt_err(inode->i_sb, 78 + "Filename encryption failed for inode %lu: %d", 79 + inode->i_ino, res); 76 80 return res; 77 81 } 78 82 ··· 94 96 struct skcipher_request *req = NULL; 95 97 DECLARE_CRYPTO_WAIT(wait); 96 98 struct scatterlist src_sg, dst_sg; 97 - struct fscrypt_info *ci = inode->i_crypt_info; 98 - struct crypto_skcipher *tfm = ci->ci_ctfm; 99 + struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm; 99 100 int res = 0; 100 101 char iv[FS_CRYPTO_BLOCK_SIZE]; 101 - unsigned lim; 102 - 103 - lim = inode->i_sb->s_cop->max_namelen(inode); 104 - if (iname->len <= 0 || iname->len > lim) 105 - return -EIO; 106 102 107 103 /* Allocate request */ 108 104 req = skcipher_request_alloc(tfm, GFP_NOFS); 109 - if (!req) { 110 - printk_ratelimited(KERN_ERR 111 - "%s: crypto_request_alloc() failed\n", __func__); 105 + if (!req) 112 106 return -ENOMEM; 113 - } 114 107 skcipher_request_set_callback(req, 115 108 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 116 109 crypto_req_done, &wait); ··· 116 127 res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait); 117 128 skcipher_request_free(req); 118 129 if (res < 0) { 119 - printk_ratelimited(KERN_ERR 120 - "%s: Error (error code %d)\n", __func__, res); 130 + fscrypt_err(inode->i_sb, 131 + "Filename decryption failed for inode %lu: %d", 132 + inode->i_ino, res); 121 133 return res; 122 134 } 123 135 ··· 331 341 return 0; 332 342 } 333 343 ret = fscrypt_get_encryption_info(dir); 334 - if (ret && ret != -EOPNOTSUPP) 344 + if (ret) 335 345 return ret; 336 346 337 347 if (dir->i_crypt_info) { 338 348 if (!fscrypt_fname_encrypted_size(dir, iname->len, 339 - dir->i_sb->s_cop->max_namelen(dir), 349 + dir->i_sb->s_cop->max_namelen, 340 350 &fname->crypto_buf.len)) 341 351 return -ENAMETOOLONG; 342 352 fname->crypto_buf.name = kmalloc(fname->crypto_buf.len,

+14 -9

fs/crypto/fscrypt_private.h

··· 18 18 19 19 /* Encryption parameters */ 20 20 #define FS_IV_SIZE 16 21 - #define FS_AES_128_ECB_KEY_SIZE 16 22 - #define FS_AES_128_CBC_KEY_SIZE 16 23 - #define FS_AES_128_CTS_KEY_SIZE 16 24 - #define FS_AES_256_GCM_KEY_SIZE 32 25 - #define FS_AES_256_CBC_KEY_SIZE 32 26 - #define FS_AES_256_CTS_KEY_SIZE 32 27 - #define FS_AES_256_XTS_KEY_SIZE 64 28 - 29 - #define FS_KEY_DERIVATION_NONCE_SIZE 16 21 + #define FS_KEY_DERIVATION_NONCE_SIZE 16 30 22 31 23 /** 32 24 * Encryption context for inode ··· 83 91 filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) 84 92 return true; 85 93 94 + if (contents_mode == FS_ENCRYPTION_MODE_SPECK128_256_XTS && 95 + filenames_mode == FS_ENCRYPTION_MODE_SPECK128_256_CTS) 96 + return true; 97 + 86 98 return false; 87 99 } 88 100 ··· 102 106 gfp_t gfp_flags); 103 107 extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx, 104 108 gfp_t gfp_flags); 109 + extern const struct dentry_operations fscrypt_d_ops; 110 + 111 + extern void __printf(3, 4) __cold 112 + fscrypt_msg(struct super_block *sb, const char *level, const char *fmt, ...); 113 + 114 + #define fscrypt_warn(sb, fmt, ...) \ 115 + fscrypt_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__) 116 + #define fscrypt_err(sb, fmt, ...) \ 117 + fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__) 105 118 106 119 /* fname.c */ 107 120 extern int fname_encrypt(struct inode *inode, const struct qstr *iname,

+3 -2

fs/crypto/hooks.c

··· 39 39 dir = dget_parent(file_dentry(filp)); 40 40 if (IS_ENCRYPTED(d_inode(dir)) && 41 41 !fscrypt_has_permitted_context(d_inode(dir), inode)) { 42 - pr_warn_ratelimited("fscrypt: inconsistent encryption contexts: %lu/%lu", 43 - d_inode(dir)->i_ino, inode->i_ino); 42 + fscrypt_warn(inode->i_sb, 43 + "inconsistent encryption contexts: %lu/%lu", 44 + d_inode(dir)->i_ino, inode->i_ino); 44 45 err = -EPERM; 45 46 } 46 47 dput(dir);

+166 -120

fs/crypto/keyinfo.c

··· 19 19 20 20 static struct crypto_shash *essiv_hash_tfm; 21 21 22 - /** 23 - * derive_key_aes() - Derive a key using AES-128-ECB 24 - * @deriving_key: Encryption key used for derivation. 25 - * @source_key: Source key to which to apply derivation. 26 - * @derived_raw_key: Derived raw key. 22 + /* 23 + * Key derivation function. This generates the derived key by encrypting the 24 + * master key with AES-128-ECB using the inode's nonce as the AES key. 27 25 * 28 - * Return: Zero on success; non-zero otherwise. 26 + * The master key must be at least as long as the derived key. If the master 27 + * key is longer, then only the first 'derived_keysize' bytes are used. 29 28 */ 30 - static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], 31 - const struct fscrypt_key *source_key, 32 - u8 derived_raw_key[FS_MAX_KEY_SIZE]) 29 + static int derive_key_aes(const u8 *master_key, 30 + const struct fscrypt_context *ctx, 31 + u8 *derived_key, unsigned int derived_keysize) 33 32 { 34 33 int res = 0; 35 34 struct skcipher_request *req = NULL; ··· 50 51 skcipher_request_set_callback(req, 51 52 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 52 53 crypto_req_done, &wait); 53 - res = crypto_skcipher_setkey(tfm, deriving_key, 54 - FS_AES_128_ECB_KEY_SIZE); 54 + res = crypto_skcipher_setkey(tfm, ctx->nonce, sizeof(ctx->nonce)); 55 55 if (res < 0) 56 56 goto out; 57 57 58 - sg_init_one(&src_sg, source_key->raw, source_key->size); 59 - sg_init_one(&dst_sg, derived_raw_key, source_key->size); 60 - skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, 58 + sg_init_one(&src_sg, master_key, derived_keysize); 59 + sg_init_one(&dst_sg, derived_key, derived_keysize); 60 + skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize, 61 61 NULL); 62 62 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 63 63 out: ··· 65 67 return res; 66 68 } 67 69 68 - static int validate_user_key(struct fscrypt_info *crypt_info, 69 - struct fscrypt_context *ctx, u8 *raw_key, 70 - const char *prefix, int min_keysize) 70 + /* 71 + * Search the current task's subscribed keyrings for a "logon" key with 72 + * description prefix:descriptor, and if found acquire a read lock on it and 73 + * return a pointer to its validated payload in *payload_ret. 74 + */ 75 + static struct key * 76 + find_and_lock_process_key(const char *prefix, 77 + const u8 descriptor[FS_KEY_DESCRIPTOR_SIZE], 78 + unsigned int min_keysize, 79 + const struct fscrypt_key **payload_ret) 71 80 { 72 81 char *description; 73 - struct key *keyring_key; 74 - struct fscrypt_key *master_key; 82 + struct key *key; 75 83 const struct user_key_payload *ukp; 76 - int res; 84 + const struct fscrypt_key *payload; 77 85 78 86 description = kasprintf(GFP_NOFS, "%s%*phN", prefix, 79 - FS_KEY_DESCRIPTOR_SIZE, 80 - ctx->master_key_descriptor); 87 + FS_KEY_DESCRIPTOR_SIZE, descriptor); 81 88 if (!description) 82 - return -ENOMEM; 89 + return ERR_PTR(-ENOMEM); 83 90 84 - keyring_key = request_key(&key_type_logon, description, NULL); 91 + key = request_key(&key_type_logon, description, NULL); 85 92 kfree(description); 86 - if (IS_ERR(keyring_key)) 87 - return PTR_ERR(keyring_key); 88 - down_read(&keyring_key->sem); 93 + if (IS_ERR(key)) 94 + return key; 89 95 90 - if (keyring_key->type != &key_type_logon) { 91 - printk_once(KERN_WARNING 92 - "%s: key type must be logon\n", __func__); 93 - res = -ENOKEY; 94 - goto out; 95 - } 96 - ukp = user_key_payload_locked(keyring_key); 97 - if (!ukp) { 98 - /* key was revoked before we acquired its semaphore */ 99 - res = -EKEYREVOKED; 100 - goto out; 101 - } 102 - if (ukp->datalen != sizeof(struct fscrypt_key)) { 103 - res = -EINVAL; 104 - goto out; 105 - } 106 - master_key = (struct fscrypt_key *)ukp->data; 107 - BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); 96 + down_read(&key->sem); 97 + ukp = user_key_payload_locked(key); 108 98 109 - if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE 110 - || master_key->size % AES_BLOCK_SIZE != 0) { 111 - printk_once(KERN_WARNING 112 - "%s: key size incorrect: %d\n", 113 - __func__, master_key->size); 114 - res = -ENOKEY; 115 - goto out; 99 + if (!ukp) /* was the key revoked before we acquired its semaphore? */ 100 + goto invalid; 101 + 102 + payload = (const struct fscrypt_key *)ukp->data; 103 + 104 + if (ukp->datalen != sizeof(struct fscrypt_key) || 105 + payload->size < 1 || payload->size > FS_MAX_KEY_SIZE) { 106 + fscrypt_warn(NULL, 107 + "key with description '%s' has invalid payload", 108 + key->description); 109 + goto invalid; 116 110 } 117 - res = derive_key_aes(ctx->nonce, master_key, raw_key); 118 - out: 119 - up_read(&keyring_key->sem); 120 - key_put(keyring_key); 121 - return res; 111 + 112 + if (payload->size < min_keysize) { 113 + fscrypt_warn(NULL, 114 + "key with description '%s' is too short (got %u bytes, need %u+ bytes)", 115 + key->description, payload->size, min_keysize); 116 + goto invalid; 117 + } 118 + 119 + *payload_ret = payload; 120 + return key; 121 + 122 + invalid: 123 + up_read(&key->sem); 124 + key_put(key); 125 + return ERR_PTR(-ENOKEY); 122 126 } 123 127 124 - static const struct { 128 + /* Find the master key, then derive the inode's actual encryption key */ 129 + static int find_and_derive_key(const struct inode *inode, 130 + const struct fscrypt_context *ctx, 131 + u8 *derived_key, unsigned int derived_keysize) 132 + { 133 + struct key *key; 134 + const struct fscrypt_key *payload; 135 + int err; 136 + 137 + key = find_and_lock_process_key(FS_KEY_DESC_PREFIX, 138 + ctx->master_key_descriptor, 139 + derived_keysize, &payload); 140 + if (key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) { 141 + key = find_and_lock_process_key(inode->i_sb->s_cop->key_prefix, 142 + ctx->master_key_descriptor, 143 + derived_keysize, &payload); 144 + } 145 + if (IS_ERR(key)) 146 + return PTR_ERR(key); 147 + err = derive_key_aes(payload->raw, ctx, derived_key, derived_keysize); 148 + up_read(&key->sem); 149 + key_put(key); 150 + return err; 151 + } 152 + 153 + static struct fscrypt_mode { 154 + const char *friendly_name; 125 155 const char *cipher_str; 126 156 int keysize; 157 + bool logged_impl_name; 127 158 } available_modes[] = { 128 - [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)", 129 - FS_AES_256_XTS_KEY_SIZE }, 130 - [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))", 131 - FS_AES_256_CTS_KEY_SIZE }, 132 - [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)", 133 - FS_AES_128_CBC_KEY_SIZE }, 134 - [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))", 135 - FS_AES_128_CTS_KEY_SIZE }, 159 + [FS_ENCRYPTION_MODE_AES_256_XTS] = { 160 + .friendly_name = "AES-256-XTS", 161 + .cipher_str = "xts(aes)", 162 + .keysize = 64, 163 + }, 164 + [FS_ENCRYPTION_MODE_AES_256_CTS] = { 165 + .friendly_name = "AES-256-CTS-CBC", 166 + .cipher_str = "cts(cbc(aes))", 167 + .keysize = 32, 168 + }, 169 + [FS_ENCRYPTION_MODE_AES_128_CBC] = { 170 + .friendly_name = "AES-128-CBC", 171 + .cipher_str = "cbc(aes)", 172 + .keysize = 16, 173 + }, 174 + [FS_ENCRYPTION_MODE_AES_128_CTS] = { 175 + .friendly_name = "AES-128-CTS-CBC", 176 + .cipher_str = "cts(cbc(aes))", 177 + .keysize = 16, 178 + }, 179 + [FS_ENCRYPTION_MODE_SPECK128_256_XTS] = { 180 + .friendly_name = "Speck128/256-XTS", 181 + .cipher_str = "xts(speck128)", 182 + .keysize = 64, 183 + }, 184 + [FS_ENCRYPTION_MODE_SPECK128_256_CTS] = { 185 + .friendly_name = "Speck128/256-CTS-CBC", 186 + .cipher_str = "cts(cbc(speck128))", 187 + .keysize = 32, 188 + }, 136 189 }; 137 190 138 - static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, 139 - const char **cipher_str_ret, int *keysize_ret) 191 + static struct fscrypt_mode * 192 + select_encryption_mode(const struct fscrypt_info *ci, const struct inode *inode) 140 193 { 141 - u32 mode; 142 - 143 194 if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { 144 - pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n", 145 - inode->i_ino, 146 - ci->ci_data_mode, ci->ci_filename_mode); 147 - return -EINVAL; 195 + fscrypt_warn(inode->i_sb, 196 + "inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)", 197 + inode->i_ino, ci->ci_data_mode, 198 + ci->ci_filename_mode); 199 + return ERR_PTR(-EINVAL); 148 200 } 149 201 150 - if (S_ISREG(inode->i_mode)) { 151 - mode = ci->ci_data_mode; 152 - } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { 153 - mode = ci->ci_filename_mode; 154 - } else { 155 - WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", 156 - inode->i_ino, (inode->i_mode & S_IFMT)); 157 - return -EINVAL; 158 - } 202 + if (S_ISREG(inode->i_mode)) 203 + return &available_modes[ci->ci_data_mode]; 159 204 160 - *cipher_str_ret = available_modes[mode].cipher_str; 161 - *keysize_ret = available_modes[mode].keysize; 162 - return 0; 205 + if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) 206 + return &available_modes[ci->ci_filename_mode]; 207 + 208 + WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", 209 + inode->i_ino, (inode->i_mode & S_IFMT)); 210 + return ERR_PTR(-EINVAL); 163 211 } 164 212 165 213 static void put_crypt_info(struct fscrypt_info *ci) ··· 228 184 229 185 tfm = crypto_alloc_shash("sha256", 0, 0); 230 186 if (IS_ERR(tfm)) { 231 - pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n", 232 - PTR_ERR(tfm)); 187 + fscrypt_warn(NULL, 188 + "error allocating SHA-256 transform: %ld", 189 + PTR_ERR(tfm)); 233 190 return PTR_ERR(tfm); 234 191 } 235 192 prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); ··· 290 245 struct fscrypt_info *crypt_info; 291 246 struct fscrypt_context ctx; 292 247 struct crypto_skcipher *ctfm; 293 - const char *cipher_str; 294 - int keysize; 248 + struct fscrypt_mode *mode; 295 249 u8 *raw_key = NULL; 296 250 int res; 297 251 ··· 334 290 memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, 335 291 sizeof(crypt_info->ci_master_key)); 336 292 337 - res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); 338 - if (res) 293 + mode = select_encryption_mode(crypt_info, inode); 294 + if (IS_ERR(mode)) { 295 + res = PTR_ERR(mode); 339 296 goto out; 297 + } 340 298 341 299 /* 342 300 * This cannot be a stack buffer because it is passed to the scatterlist 343 301 * crypto API as part of key derivation. 344 302 */ 345 303 res = -ENOMEM; 346 - raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); 304 + raw_key = kmalloc(mode->keysize, GFP_NOFS); 347 305 if (!raw_key) 348 306 goto out; 349 307 350 - res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, 351 - keysize); 352 - if (res && inode->i_sb->s_cop->key_prefix) { 353 - int res2 = validate_user_key(crypt_info, &ctx, raw_key, 354 - inode->i_sb->s_cop->key_prefix, 355 - keysize); 356 - if (res2) { 357 - if (res2 == -ENOKEY) 358 - res = -ENOKEY; 359 - goto out; 360 - } 361 - } else if (res) { 308 + res = find_and_derive_key(inode, &ctx, raw_key, mode->keysize); 309 + if (res) 310 + goto out; 311 + 312 + ctfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); 313 + if (IS_ERR(ctfm)) { 314 + res = PTR_ERR(ctfm); 315 + fscrypt_warn(inode->i_sb, 316 + "error allocating '%s' transform for inode %lu: %d", 317 + mode->cipher_str, inode->i_ino, res); 362 318 goto out; 363 319 } 364 - ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); 365 - if (!ctfm || IS_ERR(ctfm)) { 366 - res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; 367 - pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n", 368 - __func__, res, inode->i_ino); 369 - goto out; 320 + if (unlikely(!mode->logged_impl_name)) { 321 + /* 322 + * fscrypt performance can vary greatly depending on which 323 + * crypto algorithm implementation is used. Help people debug 324 + * performance problems by logging the ->cra_driver_name the 325 + * first time a mode is used. Note that multiple threads can 326 + * race here, but it doesn't really matter. 327 + */ 328 + mode->logged_impl_name = true; 329 + pr_info("fscrypt: %s using implementation \"%s\"\n", 330 + mode->friendly_name, 331 + crypto_skcipher_alg(ctfm)->base.cra_driver_name); 370 332 } 371 333 crypt_info->ci_ctfm = ctfm; 372 - crypto_skcipher_clear_flags(ctfm, ~0); 373 334 crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); 374 - /* 375 - * if the provided key is longer than keysize, we use the first 376 - * keysize bytes of the derived key only 377 - */ 378 - res = crypto_skcipher_setkey(ctfm, raw_key, keysize); 335 + res = crypto_skcipher_setkey(ctfm, raw_key, mode->keysize); 379 336 if (res) 380 337 goto out; 381 338 382 339 if (S_ISREG(inode->i_mode) && 383 340 crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { 384 - res = init_essiv_generator(crypt_info, raw_key, keysize); 341 + res = init_essiv_generator(crypt_info, raw_key, mode->keysize); 385 342 if (res) { 386 - pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", 387 - __func__, res, inode->i_ino); 343 + fscrypt_warn(inode->i_sb, 344 + "error initializing ESSIV generator for inode %lu: %d", 345 + inode->i_ino, res); 388 346 goto out; 389 347 } 390 348 }

+1 -7

fs/ext4/super.c

··· 1267 1267 return DUMMY_ENCRYPTION_ENABLED(EXT4_SB(inode->i_sb)); 1268 1268 } 1269 1269 1270 - static unsigned ext4_max_namelen(struct inode *inode) 1271 - { 1272 - return S_ISLNK(inode->i_mode) ? inode->i_sb->s_blocksize : 1273 - EXT4_NAME_LEN; 1274 - } 1275 - 1276 1270 static const struct fscrypt_operations ext4_cryptops = { 1277 1271 .key_prefix = "ext4:", 1278 1272 .get_context = ext4_get_context, 1279 1273 .set_context = ext4_set_context, 1280 1274 .dummy_context = ext4_dummy_context, 1281 1275 .empty_dir = ext4_empty_dir, 1282 - .max_namelen = ext4_max_namelen, 1276 + .max_namelen = EXT4_NAME_LEN, 1283 1277 }; 1284 1278 #endif 1285 1279

+1 -7

fs/f2fs/super.c

··· 1930 1930 return DUMMY_ENCRYPTION_ENABLED(F2FS_I_SB(inode)); 1931 1931 } 1932 1932 1933 - static unsigned f2fs_max_namelen(struct inode *inode) 1934 - { 1935 - return S_ISLNK(inode->i_mode) ? 1936 - inode->i_sb->s_blocksize : F2FS_NAME_LEN; 1937 - } 1938 - 1939 1933 static const struct fscrypt_operations f2fs_cryptops = { 1940 1934 .key_prefix = "f2fs:", 1941 1935 .get_context = f2fs_get_context, 1942 1936 .set_context = f2fs_set_context, 1943 1937 .dummy_context = f2fs_dummy_context, 1944 1938 .empty_dir = f2fs_empty_dir, 1945 - .max_namelen = f2fs_max_namelen, 1939 + .max_namelen = F2FS_NAME_LEN, 1946 1940 }; 1947 1941 #endif 1948 1942

+1 -9

fs/ubifs/crypto.c

··· 24 24 return ubifs_check_dir_empty(inode) == 0; 25 25 } 26 26 27 - static unsigned int ubifs_crypt_max_namelen(struct inode *inode) 28 - { 29 - if (S_ISLNK(inode->i_mode)) 30 - return UBIFS_MAX_INO_DATA; 31 - else 32 - return UBIFS_MAX_NLEN; 33 - } 34 - 35 27 int ubifs_encrypt(const struct inode *inode, struct ubifs_data_node *dn, 36 28 unsigned int in_len, unsigned int *out_len, int block) 37 29 { ··· 81 89 .get_context = ubifs_crypt_get_context, 82 90 .set_context = ubifs_crypt_set_context, 83 91 .empty_dir = ubifs_crypt_empty_dir, 84 - .max_namelen = ubifs_crypt_max_namelen, 92 + .max_namelen = UBIFS_MAX_NLEN, 85 93 };

+2 -2

include/linux/fs.h

··· 1364 1364 void *s_security; 1365 1365 #endif 1366 1366 const struct xattr_handler **s_xattr; 1367 - 1367 + #if IS_ENABLED(CONFIG_FS_ENCRYPTION) 1368 1368 const struct fscrypt_operations *s_cop; 1369 - 1369 + #endif 1370 1370 struct hlist_bl_head s_roots; /* alternate root dentries for NFS */ 1371 1371 struct list_head s_mounts; /* list of mounts; _not_ for fs use */ 1372 1372 struct block_device *s_bdev;

-10

include/linux/fscrypt_notsupp.h

··· 64 64 return; 65 65 } 66 66 67 - static inline void fscrypt_set_d_op(struct dentry *dentry) 68 - { 69 - return; 70 - } 71 - 72 - static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry) 73 - { 74 - return; 75 - } 76 - 77 67 /* policy.c */ 78 68 static inline int fscrypt_ioctl_set_policy(struct file *filp, 79 69 const void __user *arg)

+1 -15

include/linux/fscrypt_supp.h

··· 29 29 int (*set_context)(struct inode *, const void *, size_t, void *); 30 30 bool (*dummy_context)(struct inode *); 31 31 bool (*empty_dir)(struct inode *); 32 - unsigned (*max_namelen)(struct inode *); 32 + unsigned int max_namelen; 33 33 }; 34 34 35 35 struct fscrypt_ctx { ··· 73 73 } 74 74 75 75 extern void fscrypt_restore_control_page(struct page *); 76 - 77 - extern const struct dentry_operations fscrypt_d_ops; 78 - 79 - static inline void fscrypt_set_d_op(struct dentry *dentry) 80 - { 81 - d_set_d_op(dentry, &fscrypt_d_ops); 82 - } 83 - 84 - static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry) 85 - { 86 - spin_lock(&dentry->d_lock); 87 - dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY; 88 - spin_unlock(&dentry->d_lock); 89 - } 90 76 91 77 /* policy.c */ 92 78 extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);

+2

include/uapi/linux/fs.h

··· 279 279 #define FS_ENCRYPTION_MODE_AES_256_CTS 4 280 280 #define FS_ENCRYPTION_MODE_AES_128_CBC 5 281 281 #define FS_ENCRYPTION_MODE_AES_128_CTS 6 282 + #define FS_ENCRYPTION_MODE_SPECK128_256_XTS 7 283 + #define FS_ENCRYPTION_MODE_SPECK128_256_CTS 8 282 284 283 285 struct fscrypt_policy { 284 286 __u8 version;