fscrypt_private.h 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787
  1. /* SPDX-License-Identifier: GPL-2.0 */
  2. /*
  3. * fscrypt_private.h
  4. *
  5. * Copyright (C) 2015, Google, Inc.
  6. *
  7. * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
  8. * Heavily modified since then.
  9. */
  10. #ifndef _FSCRYPT_PRIVATE_H
  11. #define _FSCRYPT_PRIVATE_H
  12. #include <crypto/sha2.h>
  13. #include <linux/fscrypt.h>
  14. #include <linux/minmax.h>
  15. #include <linux/siphash.h>
  16. #include <linux/blk-crypto.h>
  17. #define CONST_STRLEN(str) (sizeof(str) - 1)
  18. #define FSCRYPT_FILE_NONCE_SIZE 16
  19. /*
  20. * Minimum size of an fscrypt master key. Note: a longer key will be required
  21. * if ciphers with a 256-bit security strength are used. This is just the
  22. * absolute minimum, which applies when only 128-bit encryption is used.
  23. */
  24. #define FSCRYPT_MIN_KEY_SIZE 16
  25. /* Maximum size of a raw fscrypt master key */
  26. #define FSCRYPT_MAX_RAW_KEY_SIZE 64
  27. /* Maximum size of a hardware-wrapped fscrypt master key */
  28. #define FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE
  29. /* Maximum size of an fscrypt master key across both key types */
  30. #define FSCRYPT_MAX_ANY_KEY_SIZE \
  31. MAX(FSCRYPT_MAX_RAW_KEY_SIZE, FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE)
  32. /*
  33. * FSCRYPT_MAX_KEY_SIZE is defined in the UAPI header, but the addition of
  34. * hardware-wrapped keys has made it misleading as it's only for raw keys.
  35. * Don't use it in kernel code; use one of the above constants instead.
  36. */
  37. #undef FSCRYPT_MAX_KEY_SIZE
  38. /*
  39. * This mask is passed as the third argument to the crypto_alloc_*() functions
  40. * to prevent fscrypt from using the Crypto API drivers for non-inline crypto
  41. * engines. Those drivers have been problematic for fscrypt. fscrypt users
  42. * have reported hangs and even incorrect en/decryption with these drivers.
  43. * Since going to the driver, off CPU, and back again is really slow, such
  44. * drivers can be over 50 times slower than the CPU-based code for fscrypt's
  45. * workload. Even on platforms that lack AES instructions on the CPU, using the
  46. * offloads has been shown to be slower, even staying with AES. (Of course,
  47. * Adiantum is faster still, and is the recommended option on such platforms...)
  48. *
  49. * Note that fscrypt also supports inline crypto engines. Those don't use the
  50. * Crypto API and work much better than the old-style (non-inline) engines.
  51. */
  52. #define FSCRYPT_CRYPTOAPI_MASK \
  53. (CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY | \
  54. CRYPTO_ALG_KERN_DRIVER_ONLY)
  55. #define FSCRYPT_CONTEXT_V1 1
  56. #define FSCRYPT_CONTEXT_V2 2
  57. /* Keep this in sync with include/uapi/linux/fscrypt.h */
  58. #define FSCRYPT_MODE_MAX FSCRYPT_MODE_AES_256_HCTR2
  59. struct fscrypt_context_v1 {
  60. u8 version; /* FSCRYPT_CONTEXT_V1 */
  61. u8 contents_encryption_mode;
  62. u8 filenames_encryption_mode;
  63. u8 flags;
  64. u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
  65. u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
  66. };
  67. struct fscrypt_context_v2 {
  68. u8 version; /* FSCRYPT_CONTEXT_V2 */
  69. u8 contents_encryption_mode;
  70. u8 filenames_encryption_mode;
  71. u8 flags;
  72. u8 log2_data_unit_size;
  73. u8 __reserved[3];
  74. u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
  75. u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
  76. };
  77. /*
  78. * fscrypt_context - the encryption context of an inode
  79. *
  80. * This is the on-disk equivalent of an fscrypt_policy, stored alongside each
  81. * encrypted file usually in a hidden extended attribute. It contains the
  82. * fields from the fscrypt_policy, in order to identify the encryption algorithm
  83. * and key with which the file is encrypted. It also contains a nonce that was
  84. * randomly generated by fscrypt itself; this is used as KDF input or as a tweak
  85. * to cause different files to be encrypted differently.
  86. */
  87. union fscrypt_context {
  88. u8 version;
  89. struct fscrypt_context_v1 v1;
  90. struct fscrypt_context_v2 v2;
  91. };
  92. /*
  93. * Return the size expected for the given fscrypt_context based on its version
  94. * number, or 0 if the context version is unrecognized.
  95. */
  96. static inline int fscrypt_context_size(const union fscrypt_context *ctx)
  97. {
  98. switch (ctx->version) {
  99. case FSCRYPT_CONTEXT_V1:
  100. BUILD_BUG_ON(sizeof(ctx->v1) != 28);
  101. return sizeof(ctx->v1);
  102. case FSCRYPT_CONTEXT_V2:
  103. BUILD_BUG_ON(sizeof(ctx->v2) != 40);
  104. return sizeof(ctx->v2);
  105. }
  106. return 0;
  107. }
  108. /* Check whether an fscrypt_context has a recognized version number and size */
  109. static inline bool fscrypt_context_is_valid(const union fscrypt_context *ctx,
  110. int ctx_size)
  111. {
  112. return ctx_size >= 1 && ctx_size == fscrypt_context_size(ctx);
  113. }
  114. /* Retrieve the context's nonce, assuming the context was already validated */
  115. static inline const u8 *fscrypt_context_nonce(const union fscrypt_context *ctx)
  116. {
  117. switch (ctx->version) {
  118. case FSCRYPT_CONTEXT_V1:
  119. return ctx->v1.nonce;
  120. case FSCRYPT_CONTEXT_V2:
  121. return ctx->v2.nonce;
  122. }
  123. WARN_ON_ONCE(1);
  124. return NULL;
  125. }
  126. union fscrypt_policy {
  127. u8 version;
  128. struct fscrypt_policy_v1 v1;
  129. struct fscrypt_policy_v2 v2;
  130. };
  131. /*
  132. * Return the size expected for the given fscrypt_policy based on its version
  133. * number, or 0 if the policy version is unrecognized.
  134. */
  135. static inline int fscrypt_policy_size(const union fscrypt_policy *policy)
  136. {
  137. switch (policy->version) {
  138. case FSCRYPT_POLICY_V1:
  139. return sizeof(policy->v1);
  140. case FSCRYPT_POLICY_V2:
  141. return sizeof(policy->v2);
  142. }
  143. return 0;
  144. }
  145. /* Return the contents encryption mode of a valid encryption policy */
  146. static inline u8
  147. fscrypt_policy_contents_mode(const union fscrypt_policy *policy)
  148. {
  149. switch (policy->version) {
  150. case FSCRYPT_POLICY_V1:
  151. return policy->v1.contents_encryption_mode;
  152. case FSCRYPT_POLICY_V2:
  153. return policy->v2.contents_encryption_mode;
  154. }
  155. BUG();
  156. }
  157. /* Return the filenames encryption mode of a valid encryption policy */
  158. static inline u8
  159. fscrypt_policy_fnames_mode(const union fscrypt_policy *policy)
  160. {
  161. switch (policy->version) {
  162. case FSCRYPT_POLICY_V1:
  163. return policy->v1.filenames_encryption_mode;
  164. case FSCRYPT_POLICY_V2:
  165. return policy->v2.filenames_encryption_mode;
  166. }
  167. BUG();
  168. }
  169. /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
  170. static inline u8
  171. fscrypt_policy_flags(const union fscrypt_policy *policy)
  172. {
  173. switch (policy->version) {
  174. case FSCRYPT_POLICY_V1:
  175. return policy->v1.flags;
  176. case FSCRYPT_POLICY_V2:
  177. return policy->v2.flags;
  178. }
  179. BUG();
  180. }
  181. static inline int
  182. fscrypt_policy_v2_du_bits(const struct fscrypt_policy_v2 *policy,
  183. const struct inode *inode)
  184. {
  185. return policy->log2_data_unit_size ?: inode->i_blkbits;
  186. }
  187. static inline int
  188. fscrypt_policy_du_bits(const union fscrypt_policy *policy,
  189. const struct inode *inode)
  190. {
  191. switch (policy->version) {
  192. case FSCRYPT_POLICY_V1:
  193. return inode->i_blkbits;
  194. case FSCRYPT_POLICY_V2:
  195. return fscrypt_policy_v2_du_bits(&policy->v2, inode);
  196. }
  197. BUG();
  198. }
  199. /*
  200. * For encrypted symlinks, the ciphertext length is stored at the beginning
  201. * of the string in little-endian format.
  202. */
  203. struct fscrypt_symlink_data {
  204. __le16 len;
  205. char encrypted_path[];
  206. } __packed;
  207. /**
  208. * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption
  209. * @tfm: crypto API transform object
  210. * @blk_key: key for blk-crypto
  211. *
  212. * Normally only one of the fields will be non-NULL.
  213. */
  214. struct fscrypt_prepared_key {
  215. struct crypto_sync_skcipher *tfm;
  216. #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
  217. struct blk_crypto_key *blk_key;
  218. #endif
  219. };
  220. /*
  221. * fscrypt_inode_info - the "encryption key" for an inode
  222. *
  223. * When an encrypted file's key is made available, an instance of this struct is
  224. * allocated and a pointer to it is stored in the file's in-memory inode. Once
  225. * created, it remains until the inode is evicted.
  226. */
  227. struct fscrypt_inode_info {
  228. /* The key in a form prepared for actual encryption/decryption */
  229. struct fscrypt_prepared_key ci_enc_key;
  230. /* True if ci_enc_key should be freed when this struct is freed */
  231. u8 ci_owns_key : 1;
  232. #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
  233. /*
  234. * True if this inode will use inline encryption (blk-crypto) instead of
  235. * the traditional filesystem-layer encryption.
  236. */
  237. u8 ci_inlinecrypt : 1;
  238. #endif
  239. /* True if ci_dirhash_key is initialized */
  240. u8 ci_dirhash_key_initialized : 1;
  241. /*
  242. * log2 of the data unit size (granularity of contents encryption) of
  243. * this file. This is computable from ci_policy and ci_inode but is
  244. * cached here for efficiency. Only used for regular files.
  245. */
  246. u8 ci_data_unit_bits;
  247. /* Cached value: log2 of number of data units per FS block */
  248. u8 ci_data_units_per_block_bits;
  249. /* Hashed inode number. Only set for IV_INO_LBLK_32 */
  250. u32 ci_hashed_ino;
  251. /*
  252. * Encryption mode used for this inode. It corresponds to either the
  253. * contents or filenames encryption mode, depending on the inode type.
  254. */
  255. struct fscrypt_mode *ci_mode;
  256. /* Back-pointer to the inode */
  257. struct inode *ci_inode;
  258. /*
  259. * The master key with which this inode was unlocked (decrypted). This
  260. * will be NULL if the master key was found in a process-subscribed
  261. * keyring rather than in the filesystem-level keyring.
  262. */
  263. struct fscrypt_master_key *ci_master_key;
  264. /*
  265. * Link in list of inodes that were unlocked with the master key.
  266. * Only used when ->ci_master_key is set.
  267. */
  268. struct list_head ci_master_key_link;
  269. /*
  270. * If non-NULL, then encryption is done using the master key directly
  271. * and ci_enc_key will equal ci_direct_key->dk_key.
  272. */
  273. struct fscrypt_direct_key *ci_direct_key;
  274. /*
  275. * This inode's hash key for filenames. This is a 128-bit SipHash-2-4
  276. * key. This is only set for directories that use a keyed dirhash over
  277. * the plaintext filenames -- currently just casefolded directories.
  278. */
  279. siphash_key_t ci_dirhash_key;
  280. /* The encryption policy used by this inode */
  281. union fscrypt_policy ci_policy;
  282. /* This inode's nonce, copied from the fscrypt_context */
  283. u8 ci_nonce[FSCRYPT_FILE_NONCE_SIZE];
  284. };
  285. typedef enum {
  286. FS_DECRYPT = 0,
  287. FS_ENCRYPT,
  288. } fscrypt_direction_t;
  289. /* crypto.c */
  290. extern struct kmem_cache *fscrypt_inode_info_cachep;
  291. int fscrypt_initialize(struct super_block *sb);
  292. int fscrypt_crypt_data_unit(const struct fscrypt_inode_info *ci,
  293. fscrypt_direction_t rw, u64 index,
  294. struct page *src_page, struct page *dest_page,
  295. unsigned int len, unsigned int offs);
  296. struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags);
  297. void __printf(3, 4) __cold
  298. fscrypt_msg(const struct inode *inode, const char *level, const char *fmt, ...);
  299. #define fscrypt_warn(inode, fmt, ...) \
  300. fscrypt_msg((inode), KERN_WARNING, fmt, ##__VA_ARGS__)
  301. #define fscrypt_err(inode, fmt, ...) \
  302. fscrypt_msg((inode), KERN_ERR, fmt, ##__VA_ARGS__)
  303. #define FSCRYPT_MAX_IV_SIZE 32
  304. union fscrypt_iv {
  305. struct {
  306. /* zero-based index of data unit within the file */
  307. __le64 index;
  308. /* per-file nonce; only set in DIRECT_KEY mode */
  309. u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
  310. };
  311. u8 raw[FSCRYPT_MAX_IV_SIZE];
  312. __le64 dun[FSCRYPT_MAX_IV_SIZE / sizeof(__le64)];
  313. };
  314. void fscrypt_generate_iv(union fscrypt_iv *iv, u64 index,
  315. const struct fscrypt_inode_info *ci);
  316. /*
  317. * Return the number of bits used by the maximum file data unit index that is
  318. * possible on the given filesystem, using the given log2 data unit size.
  319. */
  320. static inline int
  321. fscrypt_max_file_dun_bits(const struct super_block *sb, int du_bits)
  322. {
  323. return fls64(sb->s_maxbytes - 1) - du_bits;
  324. }
  325. /* fname.c */
  326. bool __fscrypt_fname_encrypted_size(const union fscrypt_policy *policy,
  327. u32 orig_len, u32 max_len,
  328. u32 *encrypted_len_ret);
  329. /* hkdf.c */
  330. void fscrypt_init_hkdf(struct hmac_sha512_key *hkdf, const u8 *master_key,
  331. unsigned int master_key_size);
  332. /*
  333. * The list of contexts in which fscrypt uses HKDF. These values are used as
  334. * the first byte of the HKDF application-specific info string to guarantee that
  335. * info strings are never repeated between contexts. This ensures that all HKDF
  336. * outputs are unique and cryptographically isolated, i.e. knowledge of one
  337. * output doesn't reveal another.
  338. */
  339. #define HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY 1 /* info=<empty> */
  340. #define HKDF_CONTEXT_PER_FILE_ENC_KEY 2 /* info=file_nonce */
  341. #define HKDF_CONTEXT_DIRECT_KEY 3 /* info=mode_num */
  342. #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY 4 /* info=mode_num||fs_uuid */
  343. #define HKDF_CONTEXT_DIRHASH_KEY 5 /* info=file_nonce */
  344. #define HKDF_CONTEXT_IV_INO_LBLK_32_KEY 6 /* info=mode_num||fs_uuid */
  345. #define HKDF_CONTEXT_INODE_HASH_KEY 7 /* info=<empty> */
  346. #define HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY \
  347. 8 /* info=<empty> */
  348. void fscrypt_hkdf_expand(const struct hmac_sha512_key *hkdf, u8 context,
  349. const u8 *info, unsigned int infolen,
  350. u8 *okm, unsigned int okmlen);
  351. /* inline_crypt.c */
  352. #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
  353. int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci,
  354. bool is_hw_wrapped_key);
  355. static inline bool
  356. fscrypt_using_inline_encryption(const struct fscrypt_inode_info *ci)
  357. {
  358. return ci->ci_inlinecrypt;
  359. }
  360. int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key,
  361. const u8 *key_bytes, size_t key_size,
  362. bool is_hw_wrapped,
  363. const struct fscrypt_inode_info *ci);
  364. void fscrypt_destroy_inline_crypt_key(struct super_block *sb,
  365. struct fscrypt_prepared_key *prep_key);
  366. int fscrypt_derive_sw_secret(struct super_block *sb,
  367. const u8 *wrapped_key, size_t wrapped_key_size,
  368. u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
  369. /*
  370. * Check whether the crypto transform or blk-crypto key has been allocated in
  371. * @prep_key, depending on which encryption implementation the file will use.
  372. */
  373. static inline bool
  374. fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
  375. const struct fscrypt_inode_info *ci)
  376. {
  377. /*
  378. * The two smp_load_acquire()'s here pair with the smp_store_release()'s
  379. * in fscrypt_prepare_inline_crypt_key() and fscrypt_prepare_key().
  380. * I.e., in some cases (namely, if this prep_key is a per-mode
  381. * encryption key) another task can publish blk_key or tfm concurrently,
  382. * executing a RELEASE barrier. We need to use smp_load_acquire() here
  383. * to safely ACQUIRE the memory the other task published.
  384. */
  385. if (fscrypt_using_inline_encryption(ci))
  386. return smp_load_acquire(&prep_key->blk_key) != NULL;
  387. return smp_load_acquire(&prep_key->tfm) != NULL;
  388. }
  389. #else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
  390. static inline int fscrypt_select_encryption_impl(struct fscrypt_inode_info *ci,
  391. bool is_hw_wrapped_key)
  392. {
  393. return 0;
  394. }
  395. static inline bool
  396. fscrypt_using_inline_encryption(const struct fscrypt_inode_info *ci)
  397. {
  398. return false;
  399. }
  400. static inline int
  401. fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key,
  402. const u8 *key_bytes, size_t key_size,
  403. bool is_hw_wrapped,
  404. const struct fscrypt_inode_info *ci)
  405. {
  406. WARN_ON_ONCE(1);
  407. return -EOPNOTSUPP;
  408. }
  409. static inline void
  410. fscrypt_destroy_inline_crypt_key(struct super_block *sb,
  411. struct fscrypt_prepared_key *prep_key)
  412. {
  413. }
  414. static inline int
  415. fscrypt_derive_sw_secret(struct super_block *sb,
  416. const u8 *wrapped_key, size_t wrapped_key_size,
  417. u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
  418. {
  419. fscrypt_warn(NULL, "kernel doesn't support hardware-wrapped keys");
  420. return -EOPNOTSUPP;
  421. }
  422. static inline bool
  423. fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
  424. const struct fscrypt_inode_info *ci)
  425. {
  426. return smp_load_acquire(&prep_key->tfm) != NULL;
  427. }
  428. #endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
  429. /* keyring.c */
  430. /*
  431. * fscrypt_master_key_secret - secret key material of an in-use master key
  432. */
  433. struct fscrypt_master_key_secret {
  434. /*
  435. * The KDF with which subkeys of this key can be derived.
  436. *
  437. * For v1 policy keys, this isn't applicable and won't be set.
  438. * Otherwise, this KDF will be keyed by this master key if
  439. * ->is_hw_wrapped=false, or by the "software secret" that hardware
  440. * derived from this master key if ->is_hw_wrapped=true.
  441. */
  442. struct hmac_sha512_key hkdf;
  443. /*
  444. * True if this key is a hardware-wrapped key; false if this key is a
  445. * raw key (i.e. a "software key"). For v1 policy keys this will always
  446. * be false, as v1 policy support is a legacy feature which doesn't
  447. * support newer functionality such as hardware-wrapped keys.
  448. */
  449. bool is_hw_wrapped;
  450. /*
  451. * Size of the key in bytes. This remains set even if ->bytes was
  452. * zeroized due to no longer being needed. I.e. we still remember the
  453. * size of the key even if we don't need to remember the key itself.
  454. */
  455. u32 size;
  456. /*
  457. * The bytes of the key, when still needed. This can be either a raw
  458. * key or a hardware-wrapped key, as indicated by ->is_hw_wrapped. In
  459. * the case of a raw, v2 policy key, there is no need to remember the
  460. * actual key separately from ->hkdf so this field will be zeroized as
  461. * soon as ->hkdf is initialized.
  462. */
  463. u8 bytes[FSCRYPT_MAX_ANY_KEY_SIZE];
  464. } __randomize_layout;
  465. /*
  466. * fscrypt_master_key - an in-use master key
  467. *
  468. * This represents a master encryption key which has been added to the
  469. * filesystem. There are three high-level states that a key can be in:
  470. *
  471. * FSCRYPT_KEY_STATUS_PRESENT
  472. * Key is fully usable; it can be used to unlock inodes that are encrypted
  473. * with it (this includes being able to create new inodes). ->mk_present
  474. * indicates whether the key is in this state. ->mk_secret exists, the key
  475. * is in the keyring, and ->mk_active_refs > 0 due to ->mk_present.
  476. *
  477. * FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED
  478. * Removal of this key has been initiated, but some inodes that were
  479. * unlocked with it are still in-use. Like ABSENT, ->mk_secret is wiped,
  480. * and the key can no longer be used to unlock inodes. Unlike ABSENT, the
  481. * key is still in the keyring; ->mk_decrypted_inodes is nonempty; and
  482. * ->mk_active_refs > 0, being equal to the size of ->mk_decrypted_inodes.
  483. *
  484. * This state transitions to ABSENT if ->mk_decrypted_inodes becomes empty,
  485. * or to PRESENT if FS_IOC_ADD_ENCRYPTION_KEY is called again for this key.
  486. *
  487. * FSCRYPT_KEY_STATUS_ABSENT
  488. * Key is fully removed. The key is no longer in the keyring,
  489. * ->mk_decrypted_inodes is empty, ->mk_active_refs == 0, ->mk_secret is
  490. * wiped, and the key can no longer be used to unlock inodes.
  491. */
  492. struct fscrypt_master_key {
  493. /*
  494. * Link in ->s_master_keys->key_hashtable.
  495. * Only valid if ->mk_active_refs > 0.
  496. */
  497. struct hlist_node mk_node;
  498. /* Semaphore that protects ->mk_secret, ->mk_users, and ->mk_present */
  499. struct rw_semaphore mk_sem;
  500. /*
  501. * Active and structural reference counts. An active ref guarantees
  502. * that the struct continues to exist, continues to be in the keyring
  503. * ->s_master_keys, and that any embedded subkeys (e.g.
  504. * ->mk_direct_keys) that have been prepared continue to exist.
  505. * A structural ref only guarantees that the struct continues to exist.
  506. *
  507. * There is one active ref associated with ->mk_present being true, and
  508. * one active ref for each inode in ->mk_decrypted_inodes.
  509. *
  510. * There is one structural ref associated with the active refcount being
  511. * nonzero. Finding a key in the keyring also takes a structural ref,
  512. * which is then held temporarily while the key is operated on.
  513. */
  514. refcount_t mk_active_refs;
  515. refcount_t mk_struct_refs;
  516. struct rcu_head mk_rcu_head;
  517. /*
  518. * The secret key material. Wiped as soon as it is no longer needed;
  519. * for details, see the fscrypt_master_key struct comment.
  520. *
  521. * Locking: protected by ->mk_sem.
  522. */
  523. struct fscrypt_master_key_secret mk_secret;
  524. /*
  525. * For v1 policy keys: an arbitrary key descriptor which was assigned by
  526. * userspace (->descriptor).
  527. *
  528. * For v2 policy keys: a cryptographic hash of this key (->identifier).
  529. */
  530. struct fscrypt_key_specifier mk_spec;
  531. /*
  532. * Keyring which contains a key of type 'key_type_fscrypt_user' for each
  533. * user who has added this key. Normally each key will be added by just
  534. * one user, but it's possible that multiple users share a key, and in
  535. * that case we need to keep track of those users so that one user can't
  536. * remove the key before the others want it removed too.
  537. *
  538. * This is NULL for v1 policy keys; those can only be added by root.
  539. *
  540. * Locking: protected by ->mk_sem. (We don't just rely on the keyrings
  541. * subsystem semaphore ->mk_users->sem, as we need support for atomic
  542. * search+insert along with proper synchronization with other fields.)
  543. */
  544. struct key *mk_users;
  545. /*
  546. * List of inodes that were unlocked using this key. This allows the
  547. * inodes to be evicted efficiently if the key is removed.
  548. */
  549. struct list_head mk_decrypted_inodes;
  550. spinlock_t mk_decrypted_inodes_lock;
  551. /*
  552. * Per-mode encryption keys for the various types of encryption policies
  553. * that use them. Allocated and derived on-demand.
  554. */
  555. struct fscrypt_prepared_key mk_direct_keys[FSCRYPT_MODE_MAX + 1];
  556. struct fscrypt_prepared_key mk_iv_ino_lblk_64_keys[FSCRYPT_MODE_MAX + 1];
  557. struct fscrypt_prepared_key mk_iv_ino_lblk_32_keys[FSCRYPT_MODE_MAX + 1];
  558. /* Hash key for inode numbers. Initialized only when needed. */
  559. siphash_key_t mk_ino_hash_key;
  560. bool mk_ino_hash_key_initialized;
  561. /*
  562. * Whether this key is in the "present" state, i.e. fully usable. For
  563. * details, see the fscrypt_master_key struct comment.
  564. *
  565. * Locking: protected by ->mk_sem, but can be read locklessly using
  566. * READ_ONCE(). Writers must use WRITE_ONCE() when concurrent readers
  567. * are possible.
  568. */
  569. bool mk_present;
  570. } __randomize_layout;
  571. static inline const char *master_key_spec_type(
  572. const struct fscrypt_key_specifier *spec)
  573. {
  574. switch (spec->type) {
  575. case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
  576. return "descriptor";
  577. case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
  578. return "identifier";
  579. }
  580. return "[unknown]";
  581. }
  582. static inline int master_key_spec_len(const struct fscrypt_key_specifier *spec)
  583. {
  584. switch (spec->type) {
  585. case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
  586. return FSCRYPT_KEY_DESCRIPTOR_SIZE;
  587. case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
  588. return FSCRYPT_KEY_IDENTIFIER_SIZE;
  589. }
  590. return 0;
  591. }
  592. void fscrypt_put_master_key(struct fscrypt_master_key *mk);
  593. void fscrypt_put_master_key_activeref(struct super_block *sb,
  594. struct fscrypt_master_key *mk);
  595. struct fscrypt_master_key *
  596. fscrypt_find_master_key(struct super_block *sb,
  597. const struct fscrypt_key_specifier *mk_spec);
  598. void fscrypt_get_test_dummy_key_identifier(
  599. u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]);
  600. int fscrypt_add_test_dummy_key(struct super_block *sb,
  601. struct fscrypt_key_specifier *key_spec);
  602. int fscrypt_verify_key_added(struct super_block *sb,
  603. const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]);
  604. int __init fscrypt_init_keyring(void);
  605. /* keysetup.c */
  606. struct fscrypt_mode {
  607. const char *friendly_name;
  608. const char *cipher_str;
  609. int keysize; /* key size in bytes */
  610. int security_strength; /* security strength in bytes */
  611. int ivsize; /* IV size in bytes */
  612. int logged_cryptoapi_impl;
  613. int logged_blk_crypto_native;
  614. int logged_blk_crypto_fallback;
  615. enum blk_crypto_mode_num blk_crypto_mode;
  616. };
  617. extern struct fscrypt_mode fscrypt_modes[];
  618. int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key,
  619. const u8 *raw_key, const struct fscrypt_inode_info *ci);
  620. void fscrypt_destroy_prepared_key(struct super_block *sb,
  621. struct fscrypt_prepared_key *prep_key);
  622. int fscrypt_set_per_file_enc_key(struct fscrypt_inode_info *ci,
  623. const u8 *raw_key);
  624. void fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci,
  625. const struct fscrypt_master_key *mk);
  626. void fscrypt_hash_inode_number(struct fscrypt_inode_info *ci,
  627. const struct fscrypt_master_key *mk);
  628. int fscrypt_get_encryption_info(struct inode *inode, bool allow_unsupported);
  629. /**
  630. * fscrypt_require_key() - require an inode's encryption key
  631. * @inode: the inode we need the key for
  632. *
  633. * If the inode is encrypted, set up its encryption key if not already done.
  634. * Then require that the key be present and return -ENOKEY otherwise.
  635. *
  636. * No locks are needed, and the key will live as long as the struct inode --- so
  637. * it won't go away from under you.
  638. *
  639. * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
  640. * if a problem occurred while setting up the encryption key.
  641. */
  642. static inline int fscrypt_require_key(struct inode *inode)
  643. {
  644. if (IS_ENCRYPTED(inode)) {
  645. int err = fscrypt_get_encryption_info(inode, false);
  646. if (err)
  647. return err;
  648. if (!fscrypt_has_encryption_key(inode))
  649. return -ENOKEY;
  650. }
  651. return 0;
  652. }
  653. /* keysetup_v1.c */
  654. void fscrypt_put_direct_key(struct fscrypt_direct_key *dk);
  655. int fscrypt_setup_v1_file_key(struct fscrypt_inode_info *ci,
  656. const u8 *raw_master_key);
  657. int fscrypt_setup_v1_file_key_via_subscribed_keyrings(
  658. struct fscrypt_inode_info *ci);
  659. /* policy.c */
  660. bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
  661. const union fscrypt_policy *policy2);
  662. int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy,
  663. struct fscrypt_key_specifier *key_spec);
  664. const union fscrypt_policy *fscrypt_get_dummy_policy(struct super_block *sb);
  665. bool fscrypt_supported_policy(const union fscrypt_policy *policy_u,
  666. const struct inode *inode);
  667. int fscrypt_policy_from_context(union fscrypt_policy *policy_u,
  668. const union fscrypt_context *ctx_u,
  669. int ctx_size);
  670. const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir);
  671. #endif /* _FSCRYPT_PRIVATE_H */