^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Filesystem-level keyring for fscrypt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright 2019 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * This file implements management of fscrypt master keys in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * filesystem-level keyring, including the ioctls:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * - FS_IOC_ADD_ENCRYPTION_KEY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * - FS_IOC_REMOVE_ENCRYPTION_KEY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * - FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * - FS_IOC_GET_ENCRYPTION_KEY_STATUS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * See the "User API" section of Documentation/filesystems/fscrypt.rst for more
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * information about these ioctls.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include <crypto/skcipher.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #include <linux/key-type.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #include <linux/random.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) #include <linux/seq_file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #include "fscrypt_private.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27)
/*
 * Scrub a master key secret in place.
 *
 * The HKDF context is torn down first (it is part of the secret and would be
 * lost if we zeroed first), then the whole struct, including any raw key
 * material it holds, is cleared with memzero_explicit() so the compiler cannot
 * discard the store as dead.  After this returns, *secret holds no key bytes.
 */
static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret)
{
	fscrypt_destroy_hkdf(&secret->hkdf);
	memzero_explicit(secret, sizeof(*secret));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)
/*
 * Transfer a secret from @src to @dst, leaving exactly one live copy.
 *
 * The HKDF context is copied along with the key bytes (no teardown here, so
 * ownership of it simply moves to @dst).  @src is then wiped with
 * memzero_explicit() so the caller's buffer does not keep a second copy of
 * the key material around.
 */
static void move_master_key_secret(struct fscrypt_master_key_secret *dst,
				   struct fscrypt_master_key_secret *src)
{
	memcpy(dst, src, sizeof(*dst));
	memzero_explicit(src, sizeof(*src));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
/* Destroy the three cached per-mode keys derived from @mk for mode index @mode. */
static void destroy_mode_prepared_keys(struct fscrypt_master_key *mk,
				       size_t mode)
{
	fscrypt_destroy_prepared_key(&mk->mk_direct_keys[mode]);
	fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_64_keys[mode]);
	fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_32_keys[mode]);
}

/*
 * Release a master key and everything derived from it.
 *
 * The secret is scrubbed first, then every cached per-mode key (direct,
 * IV_INO_LBLK_64 and IV_INO_LBLK_32 variants) is destroyed, then the
 * ->mk_users keyring reference is dropped (it is NULL for keys that never
 * got one, e.g. on the allocation error path, which key_put() tolerates),
 * and finally the struct itself is zeroed and freed with kfree_sensitive()
 * so no derived key material is left behind in freed slab memory.
 */
static void free_master_key(struct fscrypt_master_key *mk)
{
	size_t mode;

	wipe_master_key_secret(&mk->mk_secret);

	/* Mode indices run 0..FSCRYPT_MODE_MAX inclusive, hence '<='. */
	for (mode = 0; mode <= FSCRYPT_MODE_MAX; mode++)
		destroy_mode_prepared_keys(mk, mode);

	key_put(mk->mk_users);
	kfree_sensitive(mk);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56)
/*
 * Sanity-check a key specifier supplied by userspace.
 *
 * A nonzero ->__reserved field is rejected so that future ABI extensions are
 * not silently accepted by kernels that do not understand them.  A ->type for
 * which master_key_spec_len() yields 0 (presumably an unrecognized one) is
 * rejected as well.
 */
static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec)
{
	return spec->__reserved == 0 && master_key_spec_len(spec) != 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)
/*
 * ->instantiate for key_type_fscrypt.
 *
 * Adopt the 'struct fscrypt_master_key' passed as prep->data as the key's
 * payload.  Nothing is copied: add_new_master_key() hands over its allocation,
 * and from here on the key owns it until fscrypt_key_destroy() frees it.
 */
static int fscrypt_key_instantiate(struct key *key,
				   struct key_preparsed_payload *prep)
{
	key->payload.data[0] = (struct fscrypt_master_key *)prep->data;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
/*
 * ->destroy for key_type_fscrypt: scrub and free the master key payload
 * attached by fscrypt_key_instantiate().
 */
static void fscrypt_key_destroy(struct key *key)
{
	free_master_key(key->payload.data[0]);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
/*
 * ->describe for key_type_fscrypt (what shows up in /proc/keys).
 *
 * Only the description (the hex-encoded key specifier) and a presence marker
 * are emitted; no key material is ever written to the seq_file.
 */
static void fscrypt_key_describe(const struct key *key, struct seq_file *m)
{
	const struct fscrypt_master_key *mk;

	seq_puts(m, key->description);

	/* A key that is not positive has no payload worth inspecting. */
	if (!key_is_positive(key))
		return;

	mk = key->payload.data[0];
	if (!is_master_key_secret_present(&mk->mk_secret))
		seq_puts(m, ": secret removed");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) * Type of key in ->s_master_keys. Each key of this type represents a master
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) * key which has been added to the filesystem. Its payload is a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) * 'struct fscrypt_master_key'. The "." prefix in the key type name prevents
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) * users from adding keys of this type via the keyrings syscalls rather than via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) * the intended method of FS_IOC_ADD_ENCRYPTION_KEY.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) */
static struct key_type key_type_fscrypt = {
	/* The leading "." keeps add_key()/keyctl from creating this type. */
	.name			= "._fscrypt",
	.instantiate		= fscrypt_key_instantiate,
	.destroy		= fscrypt_key_destroy,
	.describe		= fscrypt_key_describe,
	/*
	 * Deliberately no ->read: the master key secret in the payload must not
	 * be exportable to userspace through the keyrings API.
	 */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)
/*
 * ->instantiate for key_type_fscrypt_user.
 *
 * These keys carry no payload (see add_master_key_user()); their purpose is to
 * record which user added a master key and to charge that user's key quota,
 * so the kernel memory a user can tie up by adding keys stays bounded.
 */
static int fscrypt_user_key_instantiate(struct key *key,
					struct key_preparsed_payload *prep)
{
	/*
	 * We just charge FSCRYPT_MAX_KEY_SIZE bytes to the user's key quota for
	 * each key, regardless of the exact key size. The amount of memory
	 * actually used is greater than the size of the raw key anyway.
	 */
	return key_payload_reserve(key, FSCRYPT_MAX_KEY_SIZE);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)
/*
 * ->describe for key_type_fscrypt_user: the description ("<hex id>.uid.<uid>")
 * is all there is to show, since these keys have no payload.
 */
static void fscrypt_user_key_describe(const struct key *key, struct seq_file *m)
{
	seq_puts(m, key->description);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) * Type of key in ->mk_users. Each key of this type represents a particular
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) * user who has added a particular master key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) * Note that the name of this key type really should be something like
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) * ".fscrypt-user" instead of simply ".fscrypt". But the shorter name is chosen
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) * mainly for simplicity of presentation in /proc/keys when read by a non-root
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) * user. And it is expected to be rare that a key is actually added by multiple
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) * users, since users should keep their encryption keys confidential.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) */
static struct key_type key_type_fscrypt_user = {
	/* "." prefix: not creatable from userspace via add_key()/keyctl. */
	.name			= ".fscrypt",
	.instantiate		= fscrypt_user_key_instantiate,
	.describe		= fscrypt_user_key_describe,
	/* No ->destroy needed: there is no payload to release. */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) /* Search ->s_master_keys or ->mk_users */
/*
 * Look up the key of @type named @description directly in @keyring
 * (->s_master_keys or ->mk_users).
 *
 * Return: the key with a reference held (the caller must key_put() it), or an
 * ERR_PTR.  "No such key" (-EAGAIN from keyring_search()) and "matched a key
 * that was just invalidated" (-EKEYREVOKED) are both folded into -ENOKEY so
 * callers only have one not-found code to test.
 */
static struct key *search_fscrypt_keyring(struct key *keyring,
					  struct key_type *type,
					  const char *description)
{
	key_ref_t ref;

	/*
	 * Search via a "possessed" reference.  These keyrings are root-owned,
	 * so possession is what grants KEY_POS_SEARCH to the calling task.
	 * The trailing 'false' is the recurse flag: only @keyring itself is
	 * searched, not any keyrings linked into it.
	 */
	ref = keyring_search(make_key_ref(keyring, true), type, description,
			     false);
	if (!IS_ERR(ref))
		return key_ref_to_ptr(ref);

	switch (PTR_ERR(ref)) {
	case -EAGAIN:		/* not found */
	case -EKEYREVOKED:	/* recently invalidated */
		return ERR_PTR(-ENOKEY);
	default:
		return ERR_CAST(ref);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154)
/*
 * "fscrypt-" + sb->s_id.  sizeof_field() counts the whole s_id array, so this
 * covers the terminating NUL provided s_id is itself NUL-terminated.
 */
#define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \
	(CONST_STRLEN("fscrypt-") + sizeof_field(struct super_block, s_id))

/*
 * A key specifier rendered as hex: two characters per byte, sized for the
 * longest specifier (FSCRYPT_KEY_IDENTIFIER_SIZE bytes), plus NUL.
 */
#define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1)

/* "fscrypt-<hex identifier>-users" plus NUL. */
#define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \
	(CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \
	 CONST_STRLEN("-users") + 1)

/*
 * "<hex identifier>.uid.<uid>" plus NUL.  The 10 is the maximum number of
 * decimal digits of the 32-bit uid printed with "%u".
 */
#define FSCRYPT_MK_USER_DESCRIPTION_SIZE \
	(2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)
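/*
 * Build the description of a filesystem's ->s_master_keys keyring:
 * "fscrypt-<sb->s_id>".
 *
 * @description: buffer of FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE bytes
 * @sb: superblock whose s_id names the filesystem
 *
 * The buffer is sized so that any NUL-terminated s_id fits exactly, but s_id
 * is filled in by filesystem and mount code outside this file, so the write is
 * bounded to the buffer's declared size rather than trusting that invariant.
 * The result is always NUL-terminated; an over-long s_id would merely be
 * truncated, and the description is only used to name the keyring (lookups go
 * through the sb->s_master_keys pointer, not this string).
 */
static void format_fs_keyring_description(
			char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE],
			const struct super_block *sb)
{
	snprintf(description, FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE,
		 "fscrypt-%s", sb->s_id);
}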
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173)
/*
 * Render a key specifier as the description of its master key in
 * ->s_master_keys: the raw specifier bytes as hex, with no type prefix.
 *
 * @description: buffer of FSCRYPT_MK_DESCRIPTION_SIZE bytes
 * @mk_spec: the specifier; master_key_spec_len() gives how many bytes of
 *	     ->u are significant for its type
 */
static void format_mk_description(
			char description[FSCRYPT_MK_DESCRIPTION_SIZE],
			const struct fscrypt_key_specifier *mk_spec)
{
	const u8 *raw = (const u8 *)&mk_spec->u;
	int raw_len = master_key_spec_len(mk_spec);

	/* "%*phN": raw_len bytes as hex digits, no separators. */
	sprintf(description, "%*phN", raw_len, raw);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181)
/*
 * Build the description of a master key's ->mk_users keyring:
 * "fscrypt-<hex identifier>-users".
 *
 * @description: buffer of FSCRYPT_MK_USERS_DESCRIPTION_SIZE bytes
 * @mk_identifier: the key's FSCRYPT_KEY_IDENTIFIER_SIZE-byte identifier
 */
static void format_mk_users_keyring_description(
			char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE],
			const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
	const int id_len = FSCRYPT_KEY_IDENTIFIER_SIZE;

	sprintf(description, "fscrypt-%*phN-users", id_len, mk_identifier);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189)
/*
 * Build the description of the current user's entry in a master key's
 * ->mk_users keyring: "<hex identifier>.uid.<uid>".
 *
 * @description: buffer of FSCRYPT_MK_USER_DESCRIPTION_SIZE bytes
 * @mk_identifier: the key's FSCRYPT_KEY_IDENTIFIER_SIZE-byte identifier
 *
 * The uid is the caller's *filesystem* uid (the identity used for filesystem
 * permission checks), taken as its raw kuid value via __kuid_val(), so the
 * entry is tied to who is performing the ioctl right now.
 */
static void format_mk_user_description(
			char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE],
			const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
	const unsigned int uid = __kuid_val(current_fsuid());

	sprintf(description, "%*phN.uid.%u", FSCRYPT_KEY_IDENTIFIER_SIZE,
		mk_identifier, uid);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */
/*
 * Create the per-filesystem master key keyring, ->s_master_keys, on first use.
 *
 * Must be called with fscrypt_add_key_mutex held (see do_add_master_key()),
 * which is what makes the "already exists" check below race-free against
 * other adders.  Readers that do not take the mutex go through the
 * smp_load_acquire() in fscrypt_find_master_key().
 *
 * Return: 0 on success (including when the keyring already existed), or a
 * negative errno from keyring_alloc().
 */
static int allocate_filesystem_keyring(struct super_block *sb)
{
	char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE];
	struct key *keyring;

	if (sb->s_master_keys)
		return 0;

	format_fs_keyring_description(description, sb);
	/*
	 * Owned by root; the KEY_USR_* bits therefore apply to root only.
	 * Unprivileged tasks never operate on this keyring directly: in-kernel
	 * lookups use a possessed reference (KEY_POS_SEARCH) instead.
	 * KEY_ALLOC_NOT_IN_QUOTA: the keyring is not charged to any user; the
	 * per-user cost of adding keys is charged via ->mk_users entries.
	 */
	keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
				current_cred(), KEY_POS_SEARCH |
				  KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW,
				KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
	if (IS_ERR(keyring))
		return PTR_ERR(keyring);

	/*
	 * Pairs with the smp_load_acquire() in fscrypt_find_master_key().
	 * I.e., here we publish ->s_master_keys with a RELEASE barrier so that
	 * concurrent tasks can ACQUIRE it.
	 */
	smp_store_release(&sb->s_master_keys, keyring);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224)
/*
 * Drop the filesystem's reference to its master key keyring.
 *
 * Nothing is scrubbed here directly: each master key is wiped and freed by
 * free_master_key() via the key type's ->destroy hook once its last reference
 * goes away.  key_put() tolerates a NULL ->s_master_keys (a filesystem on
 * which no key was ever added).
 *
 * NOTE(review): the plain store of NULL has no barrier pairing with the
 * smp_load_acquire() in fscrypt_find_master_key(); this presumably relies on
 * no lookups being possible once the superblock is being torn down — confirm
 * against the caller.
 */
void fscrypt_sb_free(struct super_block *sb)
{
	key_put(sb->s_master_keys);
	sb->s_master_keys = NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) * Find the specified master key in ->s_master_keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) * Returns ERR_PTR(-ENOKEY) if not found.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) */
/*
 * Find the specified master key in ->s_master_keys.
 *
 * @sb: the filesystem whose keyring to search
 * @mk_spec: the key specifier (descriptor or identifier) to look for
 *
 * Return: the key with a reference held (caller must key_put() it), or
 * ERR_PTR(-ENOKEY) if not found (or if the keyring was never created), or
 * another ERR_PTR from keyring_search().  No ownership check is done here:
 * any caller can locate any master key; per-user restrictions live in
 * ->mk_users, not in the lookup.
 */
struct key *fscrypt_find_master_key(struct super_block *sb,
				    const struct fscrypt_key_specifier *mk_spec)
{
	struct key *keyring;
	char description[FSCRYPT_MK_DESCRIPTION_SIZE];

	/*
	 * Pairs with the smp_store_release() in allocate_filesystem_keyring().
	 * I.e., another task can publish ->s_master_keys concurrently,
	 * executing a RELEASE barrier. We need to use smp_load_acquire() here
	 * to safely ACQUIRE the memory the other task published.
	 */
	keyring = smp_load_acquire(&sb->s_master_keys);
	if (keyring == NULL)
		return ERR_PTR(-ENOKEY); /* No keyring yet, so no keys yet. */

	format_mk_description(description, mk_spec);
	return search_fscrypt_keyring(keyring, &key_type_fscrypt, description);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254)
/*
 * Create the ->mk_users keyring for a master key: the set of per-user marker
 * keys recording which users have added it.  Only done for identifier-type
 * keys (see add_new_master_key()); descriptor-type keys leave ->mk_users NULL.
 *
 * The keyring is root-owned and not charged to any quota (the entries linked
 * into it are what get charged, to the adding user).  In-kernel lookups reach
 * it through a possessed reference, so KEY_POS_SEARCH is the permission that
 * matters for unprivileged callers.
 *
 * Return: 0 on success or a negative errno from keyring_alloc().
 */
static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk)
{
	char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE];
	struct key *keyring;

	format_mk_users_keyring_description(description,
					    mk->mk_spec.u.identifier);
	keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
				current_cred(), KEY_POS_SEARCH |
				  KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW,
				KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
	if (IS_ERR(keyring))
		return PTR_ERR(keyring);

	mk->mk_users = keyring;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) * Find the current user's "key" in the master key's ->mk_users.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) * Returns ERR_PTR(-ENOKEY) if not found.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) */
/*
 * Find the current user's "key" in the master key's ->mk_users.
 *
 * The lookup is keyed on the caller's fsuid (embedded in the description by
 * format_mk_user_description()), so the answer depends on who is asking.
 * @mk must have a non-NULL ->mk_users, i.e. be an identifier-type key.
 *
 * Return: the entry with a reference held (caller must key_put() it), or
 * ERR_PTR(-ENOKEY) if not found.
 */
static struct key *find_master_key_user(struct fscrypt_master_key *mk)
{
	char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE];

	format_mk_user_description(description, mk->mk_spec.u.identifier);
	return search_fscrypt_keyring(mk->mk_users, &key_type_fscrypt_user,
				      description);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) * Give the current user a "key" in ->mk_users. This charges the user's quota
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) * and marks the master key as added by the current user, so that it cannot be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) * removed by another user with the key. Either the master key's key->sem must
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) * be held for write, or the master key must be still undergoing initialization.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) */
/*
 * Give the current user a "key" in ->mk_users. This charges the user's quota
 * and marks the master key as added by the current user, so that it cannot be
 * removed by another user with the key. Either the master key's key->sem must
 * be held for write, or the master key must be still undergoing initialization.
 *
 * Return: 0 on success, or a negative errno from key_alloc() or
 * key_instantiate_and_link() (e.g. the user's key quota being exhausted).
 */
static int add_master_key_user(struct fscrypt_master_key *mk)
{
	char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE];
	struct key *mk_user;
	int err;

	format_mk_user_description(description, mk->mk_spec.u.identifier);
	/*
	 * Owned by the calling user (fsuid/gid), with flags 0 rather than
	 * KEY_ALLOC_NOT_IN_QUOTA: unlike the root-owned keyrings, this key
	 * counts against the user's quota (the charge itself is made in
	 * fscrypt_user_key_instantiate()).  KEY_USR_VIEW lets the owner see
	 * the entry; KEY_POS_SEARCH is what in-kernel possessed searches use.
	 */
	mk_user = key_alloc(&key_type_fscrypt_user, description,
			    current_fsuid(), current_gid(), current_cred(),
			    KEY_POS_SEARCH | KEY_USR_VIEW, 0, NULL);
	if (IS_ERR(mk_user))
		return PTR_ERR(mk_user);

	/* No payload (NULL, 0): the entry's existence is the information. */
	err = key_instantiate_and_link(mk_user, NULL, 0, mk->mk_users, NULL);
	/* Drop our local reference; on success the keyring's link keeps it alive. */
	key_put(mk_user);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) * Remove the current user's "key" from ->mk_users.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) * The master key's key->sem must be held for write.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) * Returns 0 if removed, -ENOKEY if not found, or another -errno code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) */
/*
 * Remove the current user's "key" from ->mk_users.
 * The master key's key->sem must be held for write.
 *
 * Only the caller's own entry (looked up by fsuid) can be removed this way;
 * removing other users' entries is a separate, privileged operation.
 *
 * Returns 0 if removed, -ENOKEY if not found, or another -errno code.
 */
static int remove_master_key_user(struct fscrypt_master_key *mk)
{
	struct key *mk_user;
	int err;

	mk_user = find_master_key_user(mk);
	if (IS_ERR(mk_user))
		return PTR_ERR(mk_user);
	err = key_unlink(mk->mk_users, mk_user);
	/* Drop the reference taken by the search, whether or not unlink worked. */
	key_put(mk_user);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) * Allocate a new fscrypt_master_key which contains the given secret, set it as
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) * the payload of a new 'struct key' of type fscrypt, and link the 'struct key'
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) * into the given keyring. Synchronized by fscrypt_add_key_mutex.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) */
/*
 * Allocate a new fscrypt_master_key which contains the given secret, set it as
 * the payload of a new 'struct key' of type fscrypt, and link the 'struct key'
 * into the given keyring. Synchronized by fscrypt_add_key_mutex.
 *
 * @secret: the master key secret; it is *consumed* (moved into the new key
 *	    and the caller's copy wiped) whether or not this function succeeds
 * @mk_spec: the key specifier, which becomes the key's description
 * @keyring: ->s_master_keys of the filesystem
 *
 * On any failure the partially built master key, including the moved-in
 * secret, is scrubbed and freed via free_master_key().
 *
 * Return: 0 on success or a negative errno.
 */
static int add_new_master_key(struct fscrypt_master_key_secret *secret,
			      const struct fscrypt_key_specifier *mk_spec,
			      struct key *keyring)
{
	struct fscrypt_master_key *mk;
	char description[FSCRYPT_MK_DESCRIPTION_SIZE];
	struct key *key;
	int err;

	mk = kzalloc(sizeof(*mk), GFP_KERNEL);
	if (!mk)
		return -ENOMEM;

	mk->mk_spec = *mk_spec;

	/* From here on the secret lives in mk; *secret has been zeroed. */
	move_master_key_secret(&mk->mk_secret, secret);

	refcount_set(&mk->mk_refcount, 1); /* secret is present */
	INIT_LIST_HEAD(&mk->mk_decrypted_inodes);
	spin_lock_init(&mk->mk_decrypted_inodes_lock);

	/*
	 * Only identifier-type keys track their adders: the identifier is tied
	 * to the secret, so unprivileged users may add them and each adder is
	 * recorded (and quota-charged) in ->mk_users.  Descriptor-type keys
	 * keep ->mk_users NULL.
	 */
	if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
		err = allocate_master_key_users_keyring(mk);
		if (err)
			goto out_free_mk;
		err = add_master_key_user(mk);
		if (err)
			goto out_free_mk;
	}

	/*
	 * Note that we don't charge this key to anyone's quota, since when
	 * ->mk_users is in use those keys are charged instead, and otherwise
	 * (when ->mk_users isn't in use) only root can add these keys.
	 */
	format_mk_description(description, mk_spec);
	/* Root-owned, so the KEY_USR_* bits only ever apply to root. */
	key = key_alloc(&key_type_fscrypt, description,
			GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
			KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW,
			KEY_ALLOC_NOT_IN_QUOTA, NULL);
	if (IS_ERR(key)) {
		err = PTR_ERR(key);
		goto out_free_mk;
	}
	/*
	 * On success the key now owns mk (fscrypt_key_instantiate()) and the
	 * keyring's link keeps the key alive after we drop our reference.  On
	 * failure mk was never attached as the payload, so it is still ours to
	 * free below (NOTE(review): this assumes key_instantiate_and_link()
	 * cannot fail after instantiating the key — per the keyrings API the
	 * link is prepared first; confirm if that API changes).
	 */
	err = key_instantiate_and_link(key, mk, sizeof(*mk), keyring, NULL);
	key_put(key);
	if (err)
		goto out_free_mk;

	return 0;

out_free_mk:
	free_master_key(mk);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389)
/*
 * Positive return value of add_existing_master_key(), distinct from 0 and from
 * any -errno: the master key's refcount had already dropped to zero, so the
 * key is being torn down and the caller must not use it.
 */
#define KEY_DEAD 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391)
/*
 * Handle FS_IOC_ADD_ENCRYPTION_KEY for a master key that already exists in
 * ->s_master_keys: re-install its secret if it had been removed, and record
 * the current user in ->mk_users if not already there.
 *
 * @mk: the existing master key; its key->sem must be held for write
 * @secret: the newly supplied secret, consumed (moved and wiped) only when it
 *	    is actually re-added, i.e. when the existing secret was absent
 *
 * Nothing here compares @secret against the secret that was there before.
 * For identifier-type keys this is fine because the identifier is derived
 * from the secret by the caller (not visible in this file), so a matching
 * description implies the same secret.  For descriptor-type keys the
 * description is chosen freely, so re-adding relies on the ADD path being
 * restricted to root for those keys (see the note in add_new_master_key()).
 *
 * Return: 0 on success, KEY_DEAD if ->mk_refcount was already zero (the key
 * is being destroyed; the caller should retry), or a negative errno.
 */
static int add_existing_master_key(struct fscrypt_master_key *mk,
				   struct fscrypt_master_key_secret *secret)
{
	struct key *mk_user;
	bool rekey;
	int err;

	/*
	 * If the current user is already in ->mk_users, then there's nothing to
	 * do. (Not applicable for v1 policy keys, which have NULL ->mk_users.)
	 */
	if (mk->mk_users) {
		mk_user = find_master_key_user(mk);
		if (mk_user != ERR_PTR(-ENOKEY)) {
			if (IS_ERR(mk_user))
				return PTR_ERR(mk_user);
			key_put(mk_user);
			return 0;
		}
	}

	/*
	 * If we'll be re-adding ->mk_secret, try to take the reference.
	 * refcount_inc_not_zero() failing means the refcount is already 0 and
	 * the key is on its way out; report KEY_DEAD rather than resurrect it.
	 */
	rekey = !is_master_key_secret_present(&mk->mk_secret);
	if (rekey && !refcount_inc_not_zero(&mk->mk_refcount))
		return KEY_DEAD;

	/* Add the current user to ->mk_users, if applicable. */
	if (mk->mk_users) {
		err = add_master_key_user(mk);
		if (err) {
			/*
			 * Undo the reference taken above; if that was the last
			 * one the key is now dead, which takes precedence over
			 * the original error.
			 */
			if (rekey && refcount_dec_and_test(&mk->mk_refcount))
				return KEY_DEAD;
			return err;
		}
	}

	/* Re-add the secret if needed. */
	if (rekey)
		move_master_key_secret(&mk->mk_secret, secret);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433)
/*
 * Add 'secret' to filesystem 'sb' under the key specifier 'mk_spec'.
 *
 * If ->s_master_keys doesn't hold a key for 'mk_spec' yet, the keyring is
 * allocated if needed and a new master key is created.  Otherwise the
 * existing key is updated: its secret is re-added if it had been removed,
 * and the calling user is recorded on it (see add_existing_master_key()).
 * A key reported as KEY_DEAD is invalidated and the lookup is retried, so
 * a key in the middle of being removed never blocks a fresh add.
 *
 * Return: 0 on success, or a negative errno.
 */
static int do_add_master_key(struct super_block *sb,
			     struct fscrypt_master_key_secret *secret,
			     const struct fscrypt_key_specifier *mk_spec)
{
	static DEFINE_MUTEX(fscrypt_add_key_mutex);
	int err;

	mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */
	for (;;) {
		struct key *key = fscrypt_find_master_key(sb, mk_spec);

		if (IS_ERR(key)) {
			err = PTR_ERR(key);
			if (err == -ENOKEY) {
				/* Not in ->s_master_keys yet: create it. */
				err = allocate_filesystem_keyring(sb);
				if (!err)
					err = add_new_master_key(secret, mk_spec,
								 sb->s_master_keys);
			}
			break;
		}

		/* Found it: re-add the secret and/or the user as needed. */
		down_write(&key->sem);
		err = add_existing_master_key(key->payload.data[0], secret);
		up_write(&key->sem);
		if (err != KEY_DEAD) {
			key_put(key);
			break;
		}
		/* Key being removed or needs to be removed: drop it, retry. */
		key_invalidate(key);
		key_put(key);
	}
	mutex_unlock(&fscrypt_add_key_mutex);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) /* Size of software "secret" derived from hardware-wrapped key */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) #define RAW_SECRET_SIZE 32
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477)
/*
 * For a key specified by identifier: initialize secret->hkdf from the raw
 * key and derive the key identifier into key_spec->u.identifier.  For a
 * hardware-wrapped key the HKDF input is the software secret derived from
 * the wrapped key (via fscrypt_derive_raw_secret()), not the wrapped blob.
 *
 * Whatever buffer held the HKDF input key is wiped once the HKDF context
 * has been initialized.
 *
 * Return: 0 on success, or a negative errno.
 */
static int prepare_identifier_key(struct super_block *sb,
				  struct fscrypt_master_key_secret *secret,
				  struct fscrypt_key_specifier *key_spec)
{
	u8 _kdf_key[RAW_SECRET_SIZE];
	u8 *kdf_key;
	unsigned int kdf_key_size;
	int err;

	if (secret->is_hw_wrapped) {
		kdf_key = _kdf_key;
		kdf_key_size = RAW_SECRET_SIZE;
		err = fscrypt_derive_raw_secret(sb, secret->raw, secret->size,
						kdf_key, kdf_key_size);
		if (err)
			return err;
	} else {
		kdf_key = secret->raw;
		kdf_key_size = secret->size;
	}

	err = fscrypt_init_hkdf(&secret->hkdf, kdf_key, kdf_key_size);
	/* The HKDF context now holds what's needed; the raw key isn't. */
	memzero_explicit(kdf_key, kdf_key_size);
	if (err)
		return err;

	/* The identifier is derived from the key, never chosen by the caller. */
	return fscrypt_hkdf_expand(&secret->hkdf, HKDF_CONTEXT_KEY_IDENTIFIER,
				   NULL, 0, key_spec->u.identifier,
				   FSCRYPT_KEY_IDENTIFIER_SIZE);
}

/*
 * Add a master key to the filesystem.  Identifier-specified keys first have
 * their HKDF context and identifier computed; descriptor-specified keys are
 * added as-is.
 *
 * Return: 0 on success, or a negative errno.
 */
static int add_master_key(struct super_block *sb,
			  struct fscrypt_master_key_secret *secret,
			  struct fscrypt_key_specifier *key_spec)
{
	if (key_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
		int err = prepare_identifier_key(sb, secret, key_spec);

		if (err)
			return err;
	}
	return do_add_master_key(sb, secret, key_spec);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517)
/*
 * Validate and copy the payload of a new "fscrypt-provisioning" key.
 *
 * The payload is a struct fscrypt_provisioning_key_payload header followed
 * by the raw key bytes.  The total length is bounded before any header field
 * is read, so the header is always fully present.  Hardware-wrapped keys may
 * be longer than FSCRYPT_MAX_KEY_SIZE, hence the upper bound is
 * FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE.
 *
 * Return: 0 on success, -EINVAL for a malformed payload, -ENOMEM on
 *	   allocation failure.
 */
static int fscrypt_provisioning_key_preparse(struct key_preparsed_payload *prep)
{
	const struct fscrypt_provisioning_key_payload *payload = prep->data;
	const size_t hdr_len = sizeof(*payload);
	void *copy;

	BUILD_BUG_ON(FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE < FSCRYPT_MAX_KEY_SIZE);

	/* Length first: nothing in 'payload' is touched until this passes. */
	if (prep->datalen < hdr_len + FSCRYPT_MIN_KEY_SIZE ||
	    prep->datalen > hdr_len + FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE)
		return -EINVAL;

	/* Only the key specifier types fscrypt knows are accepted. */
	switch (payload->type) {
	case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
	case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
		break;
	default:
		return -EINVAL;
	}

	/* Reserved bits must be zero so they can be given a meaning later. */
	if (payload->__reserved)
		return -EINVAL;

	copy = kmemdup(payload, prep->datalen, GFP_KERNEL);
	prep->payload.data[0] = copy;
	if (!copy)
		return -ENOMEM;

	prep->quotalen = prep->datalen;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542)
/* Release the payload copy made by preparse, wiping it since it holds key bytes. */
static void fscrypt_provisioning_key_free_preparse(
					struct key_preparsed_payload *prep)
{
	void *payload = prep->payload.data[0];

	kfree_sensitive(payload);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548)
/*
 * Describe a "fscrypt-provisioning" key for /proc/keys: the description,
 * plus the payload length and key specifier type once instantiated.  The
 * key bytes themselves are never printed.
 */
static void fscrypt_provisioning_key_describe(const struct key *key,
					      struct seq_file *m)
{
	const struct fscrypt_provisioning_key_payload *payload;

	seq_puts(m, key->description);
	if (!key_is_positive(key))
		return;

	payload = key->payload.data[0];
	seq_printf(m, ": %u [%u]", key->datalen, payload->type);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560)
/* Destroy the key's payload, wiping it since it holds key bytes. */
static void fscrypt_provisioning_key_destroy(struct key *key)
{
	void *payload = key->payload.data[0];

	kfree_sensitive(payload);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565)
/*
 * Key type for holding a raw fscrypt master key in the Linux keyring so that
 * userspace can later pass it by ID to FS_IOC_ADD_ENCRYPTION_KEY (see
 * get_keyring_key()).  Both free_preparse and destroy wipe the payload
 * with kfree_sensitive().
 */
static struct key_type key_type_fscrypt_provisioning = {
	.name		= "fscrypt-provisioning",
	.instantiate	= generic_key_instantiate,
	.preparse	= fscrypt_provisioning_key_preparse,
	.free_preparse	= fscrypt_provisioning_key_free_preparse,
	.destroy	= fscrypt_provisioning_key_destroy,
	.describe	= fscrypt_provisioning_key_describe,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574)
/*
 * Fetch the raw key held by the Linux keyring key 'key_id' into 'secret'.
 *
 * Two checks gate the use of the key.  It must be of type
 * "fscrypt-provisioning": the "logon" type is deliberately not accepted,
 * because a logon key can be consumed by any kernel API that takes logon
 * keys without requiring a service prefix, so its use couldn't be confined
 * to fscrypt.  And its fscrypt_provisioning_key_payload::type must equal
 * 'type', which ties the key to one KDF version: a v1 key can't be used as
 * a v2 key or vice versa.
 *
 * Specifying the key via the keyring exists for userspace that must re-add
 * keys after an unmount/remount cycle; most users should pass the raw key
 * directly instead.
 *
 * Return: 0 on success, -EKEYREJECTED if the key is of the wrong type, or
 *	   the error from lookup_user_key().
 */
static int get_keyring_key(u32 key_id, u32 type,
			   struct fscrypt_master_key_secret *secret)
{
	key_ref_t ref;
	struct key *key;
	const struct fscrypt_provisioning_key_payload *payload;
	int err = -EKEYREJECTED;

	ref = lookup_user_key(key_id, 0, KEY_NEED_SEARCH);
	if (IS_ERR(ref))
		return PTR_ERR(ref);
	key = key_ref_to_ptr(ref);

	/* The payload is only interpreted once the key type is confirmed. */
	if (key->type == &key_type_fscrypt_provisioning) {
		payload = key->payload.data[0];

		/* Don't allow fscrypt v1 keys to be used as v2 keys and vice versa. */
		if (payload->type == type) {
			/*
			 * datalen was bounded by preparse to at most
			 * FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE key bytes; secret->raw
			 * is presumably sized for that (confirm in the struct).
			 */
			secret->size = key->datalen - sizeof(*payload);
			memcpy(secret->raw, payload->raw, secret->size);
			err = 0;
		}
	}

	key_ref_put(ref);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622)
/*
 * FS_IOC_ADD_ENCRYPTION_KEY: add a master encryption key to the filesystem,
 * so that all files encrypted with it appear "unlocked" (decrypted) when
 * accessed.
 *
 * For v1 encryption policies the caller supplies an arbitrary
 * 'key_descriptor', so the ioctl is privileged (CAP_SYS_ADMIN): otherwise a
 * malicious user could bind the wrong key to a descriptor.
 *
 * For v2+ encryption policies the ioctl is unprivileged, which in general is
 * what lets non-root users use encryption without the visibility problems of
 * process-subscribed keyrings and the inability to properly remove keys.
 * This is safe because each key is identified by its cryptographically
 * secure hash, the 'key_identifier', so a malicious user can't add the wrong
 * key for a given identifier; each added key is charged to the adding user's
 * keyrings-service quota, so one user can't add too many; and a user may not
 * remove a key while other users have added it too, so someone who knows
 * another user's key can't cause a denial of service by removing it at an
 * inopportune time.  (That a user who knows a key can keep others from
 * removing it is tolerated.)
 *
 * The key bytes come either inline in the argument or from a
 * "fscrypt-provisioning" keyring key named by 'key_id' (see
 * get_keyring_key()).  With __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED, allowed only
 * for identifier-specified keys, the bytes are a hardware-wrapped key and
 * may exceed FSCRYPT_MAX_KEY_SIZE.
 *
 * For more details, see the "FS_IOC_ADD_ENCRYPTION_KEY" section of
 * Documentation/filesystems/fscrypt.rst.
 *
 * Return: 0 on success; -EFAULT, -EINVAL, -EACCES or another -errno on
 *	   failure.  The in-kernel copy of the secret is wiped on every path
 *	   that reached it.
 */
int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg)
{
	struct super_block *sb = file_inode(filp)->i_sb;
	struct fscrypt_add_key_arg __user *user_arg = _uarg;
	struct fscrypt_add_key_arg karg;
	struct fscrypt_master_key_secret mk_secret;
	unsigned int max_raw_size;
	int err;

	if (copy_from_user(&karg, user_arg, sizeof(karg)))
		return -EFAULT;

	if (!valid_key_spec(&karg.key_spec))
		return -EINVAL;

	/* Reserved bytes must be zero so they can be given a meaning later. */
	if (memchr_inv(karg.__reserved, 0, sizeof(karg.__reserved)))
		return -EINVAL;

	/*
	 * A descriptor isn't bound to the key's contents by a hash, so only
	 * root may add a key by descriptor; anyone else could add the wrong
	 * key.
	 */
	if (karg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
	    !capable(CAP_SYS_ADMIN))
		return -EACCES;

	/* Explicitly zeroed; wipe_master_key_secret() clears it on exit. */
	memset(&mk_secret, 0, sizeof(mk_secret));

	if (karg.__flags != 0) {
		if (karg.__flags & ~__FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED)
			return -EINVAL;
		/* Hardware-wrapped keys are only supported with identifiers. */
		if (karg.key_spec.type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER)
			return -EINVAL;
		mk_secret.is_hw_wrapped = true;
	}

	if (karg.key_id == 0) {
		/* Inline key: bound the size before copying a single byte. */
		max_raw_size = mk_secret.is_hw_wrapped ?
			FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE : FSCRYPT_MAX_KEY_SIZE;
		if (karg.raw_size < FSCRYPT_MIN_KEY_SIZE ||
		    karg.raw_size > max_raw_size)
			return -EINVAL;
		mk_secret.size = karg.raw_size;
		err = -EFAULT;
		if (copy_from_user(mk_secret.raw, user_arg->raw, mk_secret.size))
			goto out_wipe_secret;
	} else {
		/* Keyring key: an inline key must not be given as well. */
		if (karg.raw_size != 0)
			return -EINVAL;
		err = get_keyring_key(karg.key_id, karg.key_spec.type,
				      &mk_secret);
		if (err)
			goto out_wipe_secret;
		/*
		 * Keyring keys may be as long as a hardware-wrapped key, so
		 * a key that isn't wrapped still has to respect the normal
		 * maximum here.
		 */
		err = -EINVAL;
		if (!mk_secret.is_hw_wrapped &&
		    mk_secret.size > FSCRYPT_MAX_KEY_SIZE)
			goto out_wipe_secret;
	}

	err = add_master_key(sb, &mk_secret, &karg.key_spec);
	if (err)
		goto out_wipe_secret;

	/* For identifier keys, hand the derived identifier back to userspace. */
	err = 0;
	if (karg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER &&
	    copy_to_user(user_arg->key_spec.u.identifier,
			 karg.key_spec.u.identifier,
			 FSCRYPT_KEY_IDENTIFIER_SIZE))
		err = -EFAULT;
out_wipe_secret:
	wipe_master_key_secret(&mk_secret);
	return err;
}
EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720)
/*
 * Add the key for '-o test_dummy_encryption' to the filesystem keyring.
 *
 * The key is random and drawn once per boot, so that the option can't be
 * misused to install key material of the caller's choosing.
 *
 * Return: 0 on success, or a negative errno from add_master_key().
 */
int fscrypt_add_test_dummy_key(struct super_block *sb,
			       struct fscrypt_key_specifier *key_spec)
{
	static u8 test_key[FSCRYPT_MAX_KEY_SIZE];
	struct fscrypt_master_key_secret secret;
	int err;

	/* First call fills test_key; later calls keep the same bytes. */
	get_random_once(test_key, FSCRYPT_MAX_KEY_SIZE);

	memset(&secret, 0, sizeof(secret));
	memcpy(secret.raw, test_key, FSCRYPT_MAX_KEY_SIZE);
	secret.size = FSCRYPT_MAX_KEY_SIZE;

	err = add_master_key(sb, &secret, key_spec);
	/* Wiped whether or not the add succeeded. */
	wipe_master_key_secret(&secret);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743)
/*
 * Check whether the current user is recorded as having added master key
 * 'key'.  Return: 0 if so, else the error from find_master_key_user()
 * (-ENOKEY when the user hasn't added it).
 */
static int master_key_added_by_current_user(struct key *key)
{
	struct fscrypt_master_key *mk = key->payload.data[0];
	struct key *mk_user = find_master_key_user(mk);

	if (IS_ERR(mk_user))
		return PTR_ERR(mk_user);
	key_put(mk_user);
	return 0;
}

/*
 * Verify that the current user has added a master key with the given
 * identifier (-ENOKEY if not).  This keeps a user from encrypting their
 * files with some other user's key that they don't actually know: not much
 * of a cryptographic problem, but the semantics would be odd, so it's
 * simply forbidden.
 *
 * The system administrator (CAP_FOWNER) can override this, which should
 * cover setting encryption policies with keys chosen ahead of time but not
 * available at the moment.
 *
 * The key may already have been removed again by the time this returns;
 * that's fine, what matters is that it was there at some point.
 *
 * Return: 0 if the key is added, -ENOKEY if it isn't, or another -errno code
 */
int fscrypt_verify_key_added(struct super_block *sb,
			     const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
	struct fscrypt_key_specifier mk_spec;
	struct key *key;
	int err;

	mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
	memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);

	key = fscrypt_find_master_key(sb, &mk_spec);
	if (IS_ERR(key)) {
		err = PTR_ERR(key);
	} else {
		err = master_key_added_by_current_user(key);
		key_put(key);
	}

	/* CAP_FOWNER overrides a missing key, but not any other error. */
	if (err == -ENOKEY && capable(CAP_FOWNER))
		err = 0;
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790)
/*
 * Try to evict the inode's dentries from the dentry cache.  A directory has
 * at most one dentry, but it may be pinned by child dentries, so for a
 * directory the children are shrunk first.
 */
static void shrink_dcache_inode(struct inode *inode)
{
	struct dentry *dir_dentry = S_ISDIR(inode->i_mode) ?
				    d_find_any_alias(inode) : NULL;

	if (dir_dentry) {
		shrink_dcache_parent(dir_dentry);
		dput(dir_dentry);
	}
	d_prune_aliases(inode);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809)
/*
 * Shrink the dentry cache for every inode on mk->mk_decrypted_inodes.
 *
 * The list lock can't be held across shrink_dcache_inode(), so each inode
 * is pinned with __iget() before the lock is dropped and released with
 * iput() one iteration later, after the lock has been retaken.
 */
static void evict_dentries_for_decrypted_inodes(struct fscrypt_master_key *mk)
{
	struct fscrypt_info *ci;
	struct inode *inode;
	struct inode *toput_inode = NULL;	/* inode from the previous iteration */

	spin_lock(&mk->mk_decrypted_inodes_lock);

	list_for_each_entry(ci, &mk->mk_decrypted_inodes, ci_master_key_link) {
		inode = ci->ci_inode;
		spin_lock(&inode->i_lock);
		/* Skip inodes that are still being set up or already going away. */
		if (inode->i_state & (I_FREEING | I_WILL_FREE | I_NEW)) {
			spin_unlock(&inode->i_lock);
			continue;
		}
		/* Pin the inode before dropping the list lock. */
		__iget(inode);
		spin_unlock(&inode->i_lock);
		spin_unlock(&mk->mk_decrypted_inodes_lock);

		shrink_dcache_inode(inode);
		/*
		 * Release the previous inode only now, so the list position is
		 * always anchored by a pinned inode while the lock is dropped.
		 * NOTE(review): iteration resumes from 'ci' after the lock is
		 * retaken; this presumably relies on the pinned inode keeping
		 * its fscrypt_info linked - confirm against the unlink path.
		 */
		iput(toput_inode);
		toput_inode = inode;

		spin_lock(&mk->mk_decrypted_inodes_lock);
	}

	spin_unlock(&mk->mk_decrypted_inodes_lock);
	iput(toput_inode);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 839)
/*
 * Report whether any inodes are still using master key 'mk' after its
 * removal.  If so, a warning naming the filesystem, the count, the key
 * specifier and (when known) one example inode number is logged.
 *
 * Return: 0 if no inode is busy, -EBUSY otherwise.
 */
static int check_for_busy_inodes(struct super_block *sb,
				 struct fscrypt_master_key *mk)
{
	struct fscrypt_info *ci;
	size_t busy_count = 0;
	unsigned long ino = 0;
	char ino_str[50] = "";

	/*
	 * Count the inodes still on the list, remembering the first one as an
	 * example for the warning; both are read under the list lock.
	 */
	spin_lock(&mk->mk_decrypted_inodes_lock);
	list_for_each_entry(ci, &mk->mk_decrypted_inodes, ci_master_key_link) {
		if (busy_count++ == 0)
			ino = ci->ci_inode->i_ino;
	}
	spin_unlock(&mk->mk_decrypted_inodes_lock);

	if (busy_count == 0)
		return 0;

	/* An inode still being created may not have an ino yet (0). */
	if (ino != 0)
		snprintf(ino_str, sizeof(ino_str), ", including ino %lu", ino);

	fscrypt_warn(NULL,
		     "%s: %zu inode(s) still busy after removing key with %s %*phN%s",
		     sb->s_id, busy_count, master_key_spec_type(&mk->mk_spec),
		     master_key_spec_len(&mk->mk_spec), (u8 *)&mk->mk_spec.u,
		     ino_str);
	return -EBUSY;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 879)
/*
 * Try to evict every cached inode that was unlocked with @mk, after its
 * secret has already been wiped.
 *
 * Returns the sync_filesystem() error if there was one, otherwise the result
 * of check_for_busy_inodes(): 0 when everything was evicted, -EBUSY when
 * some inodes remain in use.
 */
static int try_to_lock_encrypted_files(struct super_block *sb,
				       struct fscrypt_master_key *mk)
{
	int sync_err;
	int busy_err;

	/*
	 * Dirty inodes, or inodes with dirty pages, cannot be evicted, so the
	 * inodes on ->mk_decrypted_inodes must be cleaned first.  A whole
	 * sync_filesystem() is heavier than necessary, but it is simple and
	 * dropping too little cache matters more than syncing too much.  An
	 * unprivileged caller can already trigger the same sync through
	 * sys_syncfs() or sys_sync().
	 */
	down_read(&sb->s_umount);
	sync_err = sync_filesystem(sb);
	up_read(&sb->s_umount);

	/*
	 * Even when the sync failed, evict whatever can be evicted.  Inodes
	 * are pinned by their dentries; shrink_dcache_sb() would do the job
	 * but is too heavy-handed to expose to unprivileged users, so each
	 * inode's alias list is walked and its dentries dropped one by one.
	 */
	evict_dentries_for_decrypted_inodes(mk);

	/*
	 * The eviction above also iput()s every inode on the list.  Inodes
	 * whose last reference went away were evicted because
	 * fscrypt_drop_inode() noticed the key removal and told the VFS to
	 * drop them.  All that remains is to report what could not be evicted.
	 */
	busy_err = check_for_busy_inodes(sb, mk);

	/* A sync failure takes precedence over a busy-inode report. */
	if (sync_err)
		return sync_err;
	return busy_err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 919)
/*
 * Try to remove an fscrypt master encryption key.
 *
 * FS_IOC_REMOVE_ENCRYPTION_KEY (all_users=false) removes the current user's
 * claim to the key, then removes the key itself if no other users have claims.
 * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS (all_users=true) always removes the
 * key itself.
 *
 * To "remove the key itself", first we wipe the actual master key secret, so
 * that no more inodes can be unlocked with it. Then we try to evict all cached
 * inodes that had been unlocked with the key.
 *
 * If all inodes were evicted, then we unlink the fscrypt_master_key from the
 * keyring. Otherwise it remains in the keyring in the "incompletely removed"
 * state (without the actual secret key) where it tracks the list of remaining
 * inodes. Userspace can execute the ioctl again later to retry eviction, or
 * alternatively can re-add the secret key again.
 *
 * For more details, see the "Removing keys" section of
 * Documentation/filesystems/fscrypt.rst.
 *
 * @filp: an open file on the filesystem whose keyring is affected; the key is
 *	  looked up in file_inode(filp)->i_sb, not by any path the caller names
 * @_uarg: userspace pointer to a struct fscrypt_remove_key_arg; its
 *	   ->removal_status_flags field is written back on success
 * @all_users: true for the _ALL_USERS variant; the capability check for that
 *	       variant is done by the caller (fscrypt_ioctl_remove_key_all_users())
 *
 * Return: 0 once something was done (a claim removed, the secret wiped, or
 * eviction retried), with the outcome reported through the status flags; a
 * negative errno if the argument was malformed, the caller lacks the needed
 * capability, the key was not found, or writing the flags back failed.
 */
static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
{
	struct super_block *sb = file_inode(filp)->i_sb;
	struct fscrypt_remove_key_arg __user *uarg = _uarg;
	struct fscrypt_remove_key_arg arg;
	struct key *key;
	struct fscrypt_master_key *mk;
	u32 status_flags = 0;	/* FSCRYPT_KEY_REMOVAL_STATUS_FLAG_* for userspace */
	int err;
	bool dead;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	/* Validate the untrusted argument before it reaches the keyring. */
	if (!valid_key_spec(&arg.key_spec))
		return -EINVAL;

	/* Reserved bytes must be zero; reject rather than silently ignore them. */
	if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved)))
		return -EINVAL;

	/*
	 * Only root can add and remove keys that are identified by an arbitrary
	 * descriptor rather than by a cryptographic hash.
	 */
	if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
	    !capable(CAP_SYS_ADMIN))
		return -EACCES;

	/* Find the key being removed.  On success we hold a reference on it. */
	key = fscrypt_find_master_key(sb, &arg.key_spec);
	if (IS_ERR(key))
		return PTR_ERR(key);
	mk = key->payload.data[0];

	/*
	 * ->sem serialises this removal against other operations on the same
	 * key (fscrypt_ioctl_get_key_status() takes it for read).  It is held
	 * while the claims are updated and the secret is wiped, and released
	 * before the possibly slow sync/eviction below.
	 */
	down_write(&key->sem);

	/* If relevant, remove current user's (or all users) claim to the key */
	if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) {
		if (all_users)
			err = keyring_clear(mk->mk_users);
		else
			err = remove_master_key_user(mk);
		if (err) {
			up_write(&key->sem);
			goto out_put_key;
		}
		if (mk->mk_users->keys.nr_leaves_on_tree != 0) {
			/*
			 * Other users have still added the key too. We removed
			 * the current user's claim to the key, but we still
			 * can't remove the key itself.
			 */
			status_flags |=
				FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS;
			err = 0;
			up_write(&key->sem);
			goto out_put_key;
		}
	}

	/*
	 * No user claims remaining. Go ahead and wipe the secret.  A present
	 * secret accounts for one reference on mk, so dropping it may be the
	 * last one; "dead" then means no inode references the key either.
	 */
	dead = false;
	if (is_master_key_secret_present(&mk->mk_secret)) {
		wipe_master_key_secret(&mk->mk_secret);
		dead = refcount_dec_and_test(&mk->mk_refcount);
	}
	up_write(&key->sem);
	if (dead) {
		/*
		 * No inodes reference the key, and we wiped the secret, so the
		 * key object is free to be removed from the keyring.
		 */
		key_invalidate(key);
		err = 0;
	} else {
		/* Some inodes still reference this key; try to evict them. */
		err = try_to_lock_encrypted_files(sb, mk);
		if (err == -EBUSY) {
			/* Not an error to the caller: reported as a flag instead. */
			status_flags |=
				FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY;
			err = 0;
		}
	}
	/*
	 * We return 0 if we successfully did something: removed a claim to the
	 * key, wiped the secret, or tried locking the files again. Users need
	 * to check the informational status flags if they care whether the key
	 * has been fully removed including all files locked.
	 */
out_put_key:
	/* Every path reaching here has set err and already released ->sem. */
	key_put(key);
	if (err == 0)
		err = put_user(status_flags, &uarg->removal_status_flags);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1036)
/*
 * FS_IOC_REMOVE_ENCRYPTION_KEY: remove the calling user's claim to a key and,
 * if no claims remain, the key itself.  No extra privilege is required here;
 * the descriptor-type restriction is enforced inside do_remove_key().
 */
int fscrypt_ioctl_remove_key(struct file *filp, void __user *uarg)
{
	const bool all_users = false;

	return do_remove_key(filp, uarg, all_users);
}
EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1042)
/*
 * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS: remove a key regardless of which
 * users added it.  Because this discards other users' claims, it is limited to
 * CAP_SYS_ADMIN; unprivileged callers get -EACCES before anything is looked up.
 */
int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *uarg)
{
	if (capable(CAP_SYS_ADMIN))
		return do_remove_key(filp, uarg, true);

	return -EACCES;
}
EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key_all_users);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1050)
/*
 * FS_IOC_GET_ENCRYPTION_KEY_STATUS: report the state of a master key.
 *
 * ->status tells userspace whether the key is absent, present, or
 * "incompletely removed" (the secret is gone but files unlocked with it are
 * still in use).  Exposing this directly saves applications from probing the
 * state by opening a regular file, which cannot distinguish the incompletely
 * removed case from absent or present.
 *
 * For keys that track per-user claims, ->status_flags and ->user_count
 * additionally say whether the current user, other users, or both have added
 * the key.  Most applications never need this, since normally only one user
 * knows a given key; it matters when a secret is shared and an application
 * wants to decide whether adding its own claim (perhaps after prompting for a
 * passphrase) is needed to keep others from removing the key.
 *
 * For more details, see the "FS_IOC_GET_ENCRYPTION_KEY_STATUS" section of
 * Documentation/filesystems/fscrypt.rst.
 *
 * Return: 0 with the argument written back, or a negative errno.  A key that
 * simply is not in the keyring is reported as FSCRYPT_KEY_STATUS_ABSENT,
 * not as an error.
 */
int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg)
{
	struct super_block *sb = file_inode(filp)->i_sb;
	struct fscrypt_get_key_status_arg arg;
	struct fscrypt_master_key *mk;
	struct key *key;
	int ret;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	/* Malformed specs and non-zero reserved bytes are both rejected. */
	if (!valid_key_spec(&arg.key_spec) ||
	    memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved)))
		return -EINVAL;

	/*
	 * Clear every output field before filling in the result, so nothing
	 * from the caller's buffer is echoed back unchanged.
	 */
	memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved));
	arg.user_count = 0;
	arg.status_flags = 0;

	key = fscrypt_find_master_key(sb, &arg.key_spec);
	if (key == ERR_PTR(-ENOKEY)) {
		/* Not in the keyring at all: a status, not a failure. */
		arg.status = FSCRYPT_KEY_STATUS_ABSENT;
		ret = 0;
		goto copy_out;
	}
	if (IS_ERR(key))
		return PTR_ERR(key);

	mk = key->payload.data[0];
	down_read(&key->sem);

	if (!is_master_key_secret_present(&mk->mk_secret)) {
		/* Secret wiped, but inodes still reference the key. */
		arg.status = FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED;
		ret = 0;
		goto release;
	}

	arg.status = FSCRYPT_KEY_STATUS_PRESENT;
	ret = 0;
	if (mk->mk_users) {
		struct key *self_claim;

		arg.user_count = mk->mk_users->keys.nr_leaves_on_tree;
		self_claim = find_master_key_user(mk);
		if (IS_ERR(self_claim)) {
			/* ENOKEY only means this user never added the key. */
			if (self_claim != ERR_PTR(-ENOKEY))
				ret = PTR_ERR(self_claim);
		} else {
			arg.status_flags |=
				FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF;
			key_put(self_claim);
		}
	}

release:
	up_read(&key->sem);
	key_put(key);
copy_out:
	/* Only a fully populated result is handed back to userspace. */
	if (!ret && copy_to_user(uarg, &arg, sizeof(arg)))
		ret = -EFAULT;
	return ret;
}
EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_key_status);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1137)
/*
 * Register the three key types used by the filesystem-level keyring.
 *
 * Registration is all-or-nothing: if a later register_key_type() fails, the
 * types registered before it are unregistered again (in reverse order) and
 * the error is returned, so no partially initialised state is left behind.
 */
int __init fscrypt_init_keyring(void)
{
	int err;

	err = register_key_type(&key_type_fscrypt);
	if (err)
		return err;

	err = register_key_type(&key_type_fscrypt_user);
	if (err) {
		unregister_key_type(&key_type_fscrypt);
		return err;
	}

	err = register_key_type(&key_type_fscrypt_provisioning);
	if (err) {
		unregister_key_type(&key_type_fscrypt_user);
		unregister_key_type(&key_type_fscrypt);
		return err;
	}

	return 0;
}