^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Key setup facility for FS encryption support.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright (C) 2015, Google, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Heavily modified since then.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <crypto/skcipher.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/key.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/random.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include "fscrypt_private.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) struct fscrypt_mode fscrypt_modes[] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) [FSCRYPT_MODE_AES_256_XTS] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) .friendly_name = "AES-256-XTS",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) .cipher_str = "xts(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) .keysize = 64,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) .security_strength = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) .ivsize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) [FSCRYPT_MODE_AES_256_CTS] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) .friendly_name = "AES-256-CTS-CBC",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) .cipher_str = "cts(cbc(aes))",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) .keysize = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) .security_strength = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) .ivsize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) [FSCRYPT_MODE_AES_128_CBC] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) .friendly_name = "AES-128-CBC-ESSIV",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) .cipher_str = "essiv(cbc(aes),sha256)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) .keysize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) .security_strength = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) .ivsize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) [FSCRYPT_MODE_AES_128_CTS] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) .friendly_name = "AES-128-CTS-CBC",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) .cipher_str = "cts(cbc(aes))",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) .keysize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) .security_strength = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) .ivsize = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) [FSCRYPT_MODE_ADIANTUM] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) .friendly_name = "Adiantum",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) .cipher_str = "adiantum(xchacha12,aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) .keysize = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) .security_strength = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) .ivsize = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) .blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) static DEFINE_MUTEX(fscrypt_mode_key_setup_mutex);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) static struct fscrypt_mode *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) select_encryption_mode(const union fscrypt_policy *policy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) const struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) BUILD_BUG_ON(ARRAY_SIZE(fscrypt_modes) != FSCRYPT_MODE_MAX + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) if (S_ISREG(inode->i_mode))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) return &fscrypt_modes[fscrypt_policy_contents_mode(policy)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) return &fscrypt_modes[fscrypt_policy_fnames_mode(policy)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) inode->i_ino, (inode->i_mode & S_IFMT));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) return ERR_PTR(-EINVAL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) /* Create a symmetric cipher object for the given encryption mode and key */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) static struct crypto_skcipher *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) const struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) struct crypto_skcipher *tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) if (IS_ERR(tfm)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) if (PTR_ERR(tfm) == -ENOENT) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) fscrypt_warn(inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) "Missing crypto API support for %s (API name: \"%s\")",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) mode->friendly_name, mode->cipher_str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) return ERR_PTR(-ENOPKG);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) fscrypt_err(inode, "Error allocating '%s' transform: %ld",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) mode->cipher_str, PTR_ERR(tfm));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) return tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) if (!xchg(&mode->logged_impl_name, 1)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) * fscrypt performance can vary greatly depending on which
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) * crypto algorithm implementation is used. Help people debug
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) * performance problems by logging the ->cra_driver_name the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) * first time a mode is used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) pr_info("fscrypt: %s using implementation \"%s\"\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) mode->friendly_name, crypto_skcipher_driver_name(tfm));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) if (WARN_ON(crypto_skcipher_ivsize(tfm) != mode->ivsize)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) goto err_free_tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) goto err_free_tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) return tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) err_free_tfm:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) crypto_free_skcipher(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) return ERR_PTR(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) * Prepare the crypto transform object or blk-crypto key in @prep_key, given the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) * raw key, encryption mode, and flag indicating which encryption implementation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) * (fs-layer or blk-crypto) will be used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) const u8 *raw_key, unsigned int raw_key_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) bool is_hw_wrapped, const struct fscrypt_info *ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) struct crypto_skcipher *tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) if (fscrypt_using_inline_encryption(ci))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) return fscrypt_prepare_inline_crypt_key(prep_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) raw_key, raw_key_size, is_hw_wrapped, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) if (WARN_ON(is_hw_wrapped || raw_key_size != ci->ci_mode->keysize))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) if (IS_ERR(tfm))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) return PTR_ERR(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) * I.e., here we publish ->tfm with a RELEASE barrier so that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) * concurrent tasks can ACQUIRE it. Note that this concurrency is only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) * possible for per-mode keys, not for per-file keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) smp_store_release(&prep_key->tfm, tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) /* Destroy a crypto transform object and/or blk-crypto key. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) crypto_free_skcipher(prep_key->tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) fscrypt_destroy_inline_crypt_key(prep_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) /* Given a per-file encryption key, set up the file's crypto transform object */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) ci->ci_owns_key = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) return fscrypt_prepare_key(&ci->ci_enc_key, raw_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) ci->ci_mode->keysize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) false /*is_hw_wrapped*/, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) static int setup_per_mode_enc_key(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) struct fscrypt_master_key *mk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) struct fscrypt_prepared_key *keys,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) u8 hkdf_context, bool include_fs_uuid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) const struct inode *inode = ci->ci_inode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) const struct super_block *sb = inode->i_sb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) struct fscrypt_mode *mode = ci->ci_mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) const u8 mode_num = mode - fscrypt_modes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) struct fscrypt_prepared_key *prep_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) u8 mode_key[FSCRYPT_MAX_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) unsigned int hkdf_infolen = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) if (WARN_ON(mode_num > FSCRYPT_MODE_MAX))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) prep_key = &keys[mode_num];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) if (fscrypt_is_key_prepared(prep_key, ci)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) ci->ci_enc_key = *prep_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) mutex_lock(&fscrypt_mode_key_setup_mutex);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) if (fscrypt_is_key_prepared(prep_key, ci))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) goto done_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) if (mk->mk_secret.is_hw_wrapped && S_ISREG(inode->i_mode)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) if (!fscrypt_using_inline_encryption(ci)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) fscrypt_warn(ci->ci_inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) "Hardware-wrapped keys require inline encryption (-o inlinecrypt)");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) for (i = 0; i <= FSCRYPT_MODE_MAX; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) if (fscrypt_is_key_prepared(&keys[i], ci)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) fscrypt_warn(ci->ci_inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) "Each hardware-wrapped key can only be used with one encryption mode");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) err = fscrypt_prepare_key(prep_key, mk->mk_secret.raw,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) mk->mk_secret.size, true, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) BUILD_BUG_ON(sizeof(mode_num) != 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) BUILD_BUG_ON(sizeof(sb->s_uuid) != 16);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) BUILD_BUG_ON(sizeof(hkdf_info) != 17);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) hkdf_info[hkdf_infolen++] = mode_num;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) if (include_fs_uuid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) sizeof(sb->s_uuid));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) hkdf_infolen += sizeof(sb->s_uuid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) hkdf_context, hkdf_info, hkdf_infolen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) mode_key, mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) err = fscrypt_prepare_key(prep_key, mode_key, mode->keysize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) false /*is_hw_wrapped*/, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) memzero_explicit(mode_key, mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) done_unlock:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) ci->ci_enc_key = *prep_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) err = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) out_unlock:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) mutex_unlock(&fscrypt_mode_key_setup_mutex);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) * Derive a SipHash key from the given fscrypt master key and the given
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) * application-specific information string.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) * Note that the KDF produces a byte array, but the SipHash APIs expect the key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) * as a pair of 64-bit words. Therefore, on big endian CPUs we have to do an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) * endianness swap in order to get the same results as on little endian CPUs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) static int fscrypt_derive_siphash_key(const struct fscrypt_master_key *mk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) u8 context, const u8 *info,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) unsigned int infolen, siphash_key_t *key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, context, info, infolen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) (u8 *)key, sizeof(*key));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) BUILD_BUG_ON(sizeof(*key) != 16);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) BUILD_BUG_ON(ARRAY_SIZE(key->key) != 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) le64_to_cpus(&key->key[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) le64_to_cpus(&key->key[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) int fscrypt_derive_dirhash_key(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) const struct fscrypt_master_key *mk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) err = fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_DIRHASH_KEY,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) &ci->ci_dirhash_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) ci->ci_dirhash_key_initialized = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) void fscrypt_hash_inode_number(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) const struct fscrypt_master_key *mk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) WARN_ON(ci->ci_inode->i_ino == 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) WARN_ON(!mk->mk_ino_hash_key_initialized);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) &mk->mk_ino_hash_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) static int fscrypt_setup_iv_ino_lblk_32_key(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) struct fscrypt_master_key *mk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_32_keys,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) HKDF_CONTEXT_IV_INO_LBLK_32_KEY, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) /* pairs with smp_store_release() below */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) if (!smp_load_acquire(&mk->mk_ino_hash_key_initialized)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) mutex_lock(&fscrypt_mode_key_setup_mutex);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) if (mk->mk_ino_hash_key_initialized)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) goto unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) err = fscrypt_derive_siphash_key(mk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) HKDF_CONTEXT_INODE_HASH_KEY,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) NULL, 0, &mk->mk_ino_hash_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) goto unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) /* pairs with smp_load_acquire() above */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) smp_store_release(&mk->mk_ino_hash_key_initialized, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) unlock:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) mutex_unlock(&fscrypt_mode_key_setup_mutex);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) * New inodes may not have an inode number assigned yet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) * Hashing their inode number is delayed until later.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) if (ci->ci_inode->i_ino)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) fscrypt_hash_inode_number(ci, mk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) struct fscrypt_master_key *mk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) bool need_dirhash_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) if (mk->mk_secret.is_hw_wrapped &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) !(ci->ci_policy.v2.flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) fscrypt_warn(ci->ci_inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) "Hardware-wrapped keys are only supported with IV_INO_LBLK policies");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) * DIRECT_KEY: instead of deriving per-file encryption keys, the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) * per-file nonce will be included in all the IVs. But unlike
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) * v1 policies, for v2 policies in this case we don't encrypt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) * with the master key directly but rather derive a per-mode
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) * encryption key. This ensures that the master key is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) * consistently used only for HKDF, avoiding key reuse issues.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) err = setup_per_mode_enc_key(ci, mk, mk->mk_direct_keys,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) HKDF_CONTEXT_DIRECT_KEY, false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) } else if (ci->ci_policy.v2.flags &
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) * IV_INO_LBLK_64: encryption keys are derived from (master_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) * mode_num, filesystem_uuid), and inode number is included in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) * the IVs. This format is optimized for use with inline
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) * encryption hardware compliant with the UFS standard.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_64_keys,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) HKDF_CONTEXT_IV_INO_LBLK_64_KEY,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) } else if (ci->ci_policy.v2.flags &
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) err = fscrypt_setup_iv_ino_lblk_32_key(ci, mk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) u8 derived_key[FSCRYPT_MAX_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) HKDF_CONTEXT_PER_FILE_ENC_KEY,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) derived_key, ci->ci_mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) err = fscrypt_set_per_file_enc_key(ci, derived_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) memzero_explicit(derived_key, ci->ci_mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) /* Derive a secret dirhash key for directories that need it. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) if (need_dirhash_key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) err = fscrypt_derive_dirhash_key(ci, mk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) * Check whether the size of the given master key (@mk) is appropriate for the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) * encryption settings which a particular file will use (@ci).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) * If the file uses a v1 encryption policy, then the master key must be at least
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) * as long as the derived key, as this is a requirement of the v1 KDF.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) * Otherwise, the KDF can accept any size key, so we enforce a slightly looser
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) * requirement: we require that the size of the master key be at least the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) * maximum security strength of any algorithm whose key will be derived from it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) * (but in practice we only need to consider @ci->ci_mode, since any other
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) * possible subkeys such as DIRHASH and INODE_HASH will never increase the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) * required key size over @ci->ci_mode). This allows AES-256-XTS keys to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) * derived from a 256-bit master key, which is cryptographically sufficient,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) * rather than requiring a 512-bit master key which is unnecessarily long. (We
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) * still allow 512-bit master keys if the user chooses to use them, though.)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) const struct fscrypt_info *ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) unsigned int min_keysize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) if (ci->ci_policy.version == FSCRYPT_POLICY_V1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) min_keysize = ci->ci_mode->keysize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) min_keysize = ci->ci_mode->security_strength;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) if (mk->mk_secret.size < min_keysize) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) fscrypt_warn(NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) "key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) master_key_spec_type(&mk->mk_spec),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) master_key_spec_len(&mk->mk_spec),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) (u8 *)&mk->mk_spec.u,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) mk->mk_secret.size, min_keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) * Find the master key, then set up the inode's actual encryption key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) * If the master key is found in the filesystem-level keyring, then the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) * corresponding 'struct key' is returned in *master_key_ret with its semaphore
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) * read-locked. This is needed to ensure that only one task links the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) * fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race to create
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) * an fscrypt_info for the same inode), and to synchronize the master key being
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) * removed with a new inode starting to use it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) static int setup_file_encryption_key(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) bool need_dirhash_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) struct key **master_key_ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) struct fscrypt_master_key *mk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) struct fscrypt_key_specifier mk_spec;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) switch (ci->ci_policy.version) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) case FSCRYPT_POLICY_V1:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) memcpy(mk_spec.u.descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) FSCRYPT_KEY_DESCRIPTOR_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) case FSCRYPT_POLICY_V2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) memcpy(mk_spec.u.identifier,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) ci->ci_policy.v2.master_key_identifier,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) FSCRYPT_KEY_IDENTIFIER_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) WARN_ON(1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) if (IS_ERR(key)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) if (key != ERR_PTR(-ENOKEY) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) ci->ci_policy.version != FSCRYPT_POLICY_V1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) return PTR_ERR(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) err = fscrypt_select_encryption_impl(ci, false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) * As a legacy fallback for v1 policies, search for the key in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) * the current task's subscribed keyrings too. Don't move this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) * to before the search of ->s_master_keys, since users
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) * shouldn't be able to override filesystem-level keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) mk = key->payload.data[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) down_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) /* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) if (!is_master_key_secret_present(&mk->mk_secret)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) err = -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) goto out_release_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) if (!fscrypt_valid_master_key_size(mk, ci)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) err = -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) goto out_release_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) err = fscrypt_select_encryption_impl(ci, mk->mk_secret.is_hw_wrapped);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515) goto out_release_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) switch (ci->ci_policy.version) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) case FSCRYPT_POLICY_V1:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) case FSCRYPT_POLICY_V2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) err = fscrypt_setup_v2_file_key(ci, mk, need_dirhash_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) WARN_ON(1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) goto out_release_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) *master_key_ret = key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) out_release_key:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) static void put_crypt_info(struct fscrypt_info *ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) if (!ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) if (ci->ci_direct_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) fscrypt_put_direct_key(ci->ci_direct_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) else if (ci->ci_owns_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) fscrypt_destroy_prepared_key(&ci->ci_enc_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) key = ci->ci_master_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) if (key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) struct fscrypt_master_key *mk = key->payload.data[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) * Remove this inode from the list of inodes that were unlocked
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) * with the master key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) * In addition, if we're removing the last inode from a key that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) * already had its secret removed, invalidate the key so that it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) * gets removed from ->s_master_keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) spin_lock(&mk->mk_decrypted_inodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) list_del(&ci->ci_master_key_link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) spin_unlock(&mk->mk_decrypted_inodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) if (refcount_dec_and_test(&mk->mk_refcount))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) key_invalidate(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) memzero_explicit(ci, sizeof(*ci));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) kmem_cache_free(fscrypt_info_cachep, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) static int
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) fscrypt_setup_encryption_info(struct inode *inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) const union fscrypt_policy *policy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) const u8 nonce[FSCRYPT_FILE_NONCE_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) bool need_dirhash_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) struct fscrypt_info *crypt_info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) struct fscrypt_mode *mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) struct key *master_key = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) int res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) res = fscrypt_initialize(inode->i_sb->s_cop->flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) if (res)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) if (!crypt_info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) crypt_info->ci_inode = inode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) crypt_info->ci_policy = *policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) memcpy(crypt_info->ci_nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) mode = select_encryption_mode(&crypt_info->ci_policy, inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) if (IS_ERR(mode)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) res = PTR_ERR(mode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) crypt_info->ci_mode = mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) res = setup_file_encryption_key(crypt_info, need_dirhash_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) &master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) if (res)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) * For existing inodes, multiple tasks may race to set ->i_crypt_info.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) * So use cmpxchg_release(). This pairs with the smp_load_acquire() in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) * fscrypt_get_info(). I.e., here we publish ->i_crypt_info with a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) * RELEASE barrier so that other tasks can ACQUIRE it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) * We won the race and set ->i_crypt_info to our crypt_info.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) * Now link it into the master key's inode list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) if (master_key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) struct fscrypt_master_key *mk =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) master_key->payload.data[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) refcount_inc(&mk->mk_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) crypt_info->ci_master_key = key_get(master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629) spin_lock(&mk->mk_decrypted_inodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) list_add(&crypt_info->ci_master_key_link,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) &mk->mk_decrypted_inodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) spin_unlock(&mk->mk_decrypted_inodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) crypt_info = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) res = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) if (master_key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639) up_read(&master_key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) key_put(master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) put_crypt_info(crypt_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647) * fscrypt_get_encryption_info() - set up an inode's encryption key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) * @inode: the inode to set up the key for. Must be encrypted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) * @allow_unsupported: if %true, treat an unsupported encryption policy (or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650) * unrecognized encryption context) the same way as the key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) * being unavailable, instead of returning an error. Use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) * %false unless the operation being performed is needed in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) * order for files (or directories) to be deleted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) * Set up ->i_crypt_info, if it hasn't already been done.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) * Note: unless ->i_crypt_info is already set, this isn't %GFP_NOFS-safe. So
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) * generally this shouldn't be called from within a filesystem transaction.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) * Return: 0 if ->i_crypt_info was set or was already set, *or* if the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661) * encryption key is unavailable. (Use fscrypt_has_encryption_key() to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) * distinguish these cases.) Also can return another -errno code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) int fscrypt_get_encryption_info(struct inode *inode, bool allow_unsupported)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) int res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667) union fscrypt_context ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) union fscrypt_policy policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670) if (fscrypt_has_encryption_key(inode))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) if (res < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) if (res == -ERANGE && allow_unsupported)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) fscrypt_warn(inode, "Error %d getting encryption context", res);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) res = fscrypt_policy_from_context(&policy, &ctx, res);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) if (res) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) if (allow_unsupported)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) fscrypt_warn(inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686) "Unrecognized or corrupt encryption context");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) if (!fscrypt_supported_policy(&policy, inode)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) if (allow_unsupported)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) res = fscrypt_setup_encryption_info(inode, &policy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) fscrypt_context_nonce(&ctx),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) IS_CASEFOLDED(inode) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) S_ISDIR(inode->i_mode));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) if (res == -ENOPKG && allow_unsupported) /* Algorithm unavailable? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) res = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703) if (res == -ENOKEY)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) res = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) * fscrypt_prepare_new_inode() - prepare to create a new inode in a directory
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710) * @dir: a possibly-encrypted directory
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) * @inode: the new inode. ->i_mode must be set already.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) * ->i_ino doesn't need to be set yet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713) * @encrypt_ret: (output) set to %true if the new inode will be encrypted
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) * If the directory is encrypted, set up its ->i_crypt_info in preparation for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) * encrypting the name of the new file. Also, if the new inode will be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) * encrypted, set up its ->i_crypt_info and set *encrypt_ret=true.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719) * This isn't %GFP_NOFS-safe, and therefore it should be called before starting
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) * any filesystem transaction to create the inode. For this reason, ->i_ino
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) * isn't required to be set yet, as the filesystem may not have set it yet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) * This doesn't persist the new inode's encryption context. That still needs to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) * be done later by calling fscrypt_set_context().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) * Return: 0 on success, -ENOKEY if the encryption key is missing, or another
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) * -errno code
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729) int fscrypt_prepare_new_inode(struct inode *dir, struct inode *inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) bool *encrypt_ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732) const union fscrypt_policy *policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) policy = fscrypt_policy_to_inherit(dir);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) if (policy == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738) if (IS_ERR(policy))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) return PTR_ERR(policy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) if (WARN_ON_ONCE(inode->i_mode == 0))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745) * Only regular files, directories, and symlinks are encrypted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) * Special files like device nodes and named pipes aren't.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748) if (!S_ISREG(inode->i_mode) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) !S_ISDIR(inode->i_mode) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) !S_ISLNK(inode->i_mode))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) *encrypt_ret = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) get_random_bytes(nonce, FSCRYPT_FILE_NONCE_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) return fscrypt_setup_encryption_info(inode, policy, nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) IS_CASEFOLDED(dir) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) S_ISDIR(inode->i_mode));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) EXPORT_SYMBOL_GPL(fscrypt_prepare_new_inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) * fscrypt_put_encryption_info() - free most of an inode's fscrypt data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) * @inode: an inode being evicted
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) * Free the inode's fscrypt_info. Filesystems must call this when the inode is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767) * being evicted. An RCU grace period need not have elapsed yet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769) void fscrypt_put_encryption_info(struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771) put_crypt_info(inode->i_crypt_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) inode->i_crypt_info = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) EXPORT_SYMBOL(fscrypt_put_encryption_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777) * fscrypt_free_inode() - free an inode's fscrypt data requiring RCU delay
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) * @inode: an inode being freed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) * Free the inode's cached decrypted symlink target, if any. Filesystems must
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) * call this after an RCU grace period, just before they free the inode.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783) void fscrypt_free_inode(struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785) if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) kfree(inode->i_link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) inode->i_link = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) EXPORT_SYMBOL(fscrypt_free_inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793) * fscrypt_drop_inode() - check whether the inode's master key has been removed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794) * @inode: an inode being considered for eviction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796) * Filesystems supporting fscrypt must call this from their ->drop_inode()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) * method so that encrypted inodes are evicted as soon as they're no longer in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) * use and their master key has been removed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800) * Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) int fscrypt_drop_inode(struct inode *inode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804) const struct fscrypt_info *ci = fscrypt_get_info(inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) const struct fscrypt_master_key *mk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) * If ci is NULL, then the inode doesn't have an encryption key set up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809) * so it's irrelevant. If ci_master_key is NULL, then the master key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810) * was provided via the legacy mechanism of the process-subscribed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) * keyrings, so we don't know whether it's been removed or not.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) if (!ci || !ci->ci_master_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) mk = ci->ci_master_key->payload.data[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) * With proper, non-racy use of FS_IOC_REMOVE_ENCRYPTION_KEY, all inodes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) * protected by the key were cleaned by sync_filesystem(). But if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) * userspace is still using the files, inodes can be dirtied between
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) * then and now. We mustn't lose any writes, so skip dirty inodes here.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823) if (inode->i_state & I_DIRTY_ALL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827) * Note: since we aren't holding the key semaphore, the result here can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828) * immediately become outdated. But there's no correctness problem with
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 829) * unnecessarily evicting. Nor is there a correctness problem with not
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830) * evicting while iput() is racing with the key being removed, since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 831) * then the thread removing the key will either evict the inode itself
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832) * or will correctly detect that it wasn't evicted due to the race.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 833) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 834) return !is_master_key_secret_present(&mk->mk_secret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 835) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 836) EXPORT_SYMBOL_GPL(fscrypt_drop_inode);
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags