^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Key setup for v1 encryption policies
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright 2015, 2019 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * This file implements compatibility functions for the original encryption
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * policy version ("v1"), including:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * - Deriving per-file encryption keys using the AES-128-ECB based KDF
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * (rather than the new method of using HKDF-SHA512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * - Retrieving fscrypt master keys from process-subscribed keyrings
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * (rather than the new method of using a filesystem-level keyring)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * - Handling policies with the DIRECT_KEY flag set using a master key table
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * (rather than the new method of implementing DIRECT_KEY with per-mode keys
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * managed alongside the master keys in the filesystem-level keyring)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #include <crypto/algapi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) #include <crypto/skcipher.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) #include <keys/user-type.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #include <linux/hashtable.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) #include <linux/scatterlist.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) #include "fscrypt_private.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) /* Table of keys referenced by DIRECT_KEY policies */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) static DEFINE_HASHTABLE(fscrypt_direct_keys, 6); /* 6 bits = 64 buckets */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) static DEFINE_SPINLOCK(fscrypt_direct_keys_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * v1 key derivation function. This generates the derived key by encrypting the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) * master key with AES-128-ECB using the nonce as the AES key. This provides a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * unique derived key with sufficient entropy for each inode. However, it's
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * nonstandard, non-extensible, doesn't evenly distribute the entropy from the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) * master key, and is trivially reversible: an attacker who compromises a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) * derived key can "decrypt" it to get back to the master key, then derive any
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) * other key. For all new code, use HKDF instead.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) * The master key must be at least as long as the derived key. If the master
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) * key is longer, then only the first 'derived_keysize' bytes are used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) static int derive_key_aes(const u8 *master_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) const u8 nonce[FSCRYPT_FILE_NONCE_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) u8 *derived_key, unsigned int derived_keysize)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) int res = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) struct skcipher_request *req = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) DECLARE_CRYPTO_WAIT(wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) struct scatterlist src_sg, dst_sg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) if (IS_ERR(tfm)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) res = PTR_ERR(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) tfm = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) req = skcipher_request_alloc(tfm, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) if (!req) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) res = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) skcipher_request_set_callback(req,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) crypto_req_done, &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) res = crypto_skcipher_setkey(tfm, nonce, FSCRYPT_FILE_NONCE_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) if (res < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) sg_init_one(&src_sg, master_key, derived_keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) sg_init_one(&dst_sg, derived_key, derived_keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) skcipher_request_free(req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) crypto_free_skcipher(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) return res;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) * Search the current task's subscribed keyrings for a "logon" key with
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) * description prefix:descriptor, and if found acquire a read lock on it and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) * return a pointer to its validated payload in *payload_ret.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) static struct key *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) find_and_lock_process_key(const char *prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) const u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) unsigned int min_keysize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) const struct fscrypt_key **payload_ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) char *description;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) const struct user_key_payload *ukp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) const struct fscrypt_key *payload;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) description = kasprintf(GFP_KERNEL, "%s%*phN", prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) FSCRYPT_KEY_DESCRIPTOR_SIZE, descriptor);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) if (!description)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) return ERR_PTR(-ENOMEM);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) key = request_key(&key_type_logon, description, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) kfree(description);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) if (IS_ERR(key))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) return key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) down_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) ukp = user_key_payload_locked(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) if (!ukp) /* was the key revoked before we acquired its semaphore? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) goto invalid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) payload = (const struct fscrypt_key *)ukp->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) if (ukp->datalen != sizeof(struct fscrypt_key) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) payload->size < 1 || payload->size > FSCRYPT_MAX_KEY_SIZE) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) fscrypt_warn(NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) "key with description '%s' has invalid payload",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) key->description);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) goto invalid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) if (payload->size < min_keysize) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) fscrypt_warn(NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) "key with description '%s' is too short (got %u bytes, need %u+ bytes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) key->description, payload->size, min_keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) goto invalid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) *payload_ret = payload;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) return key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) invalid:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) return ERR_PTR(-ENOKEY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) /* Master key referenced by DIRECT_KEY policy */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) struct fscrypt_direct_key {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) struct hlist_node dk_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) refcount_t dk_refcount;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) const struct fscrypt_mode *dk_mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) struct fscrypt_prepared_key dk_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) u8 dk_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) u8 dk_raw[FSCRYPT_MAX_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) static void free_direct_key(struct fscrypt_direct_key *dk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) if (dk) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) fscrypt_destroy_prepared_key(&dk->dk_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) kfree_sensitive(dk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) void fscrypt_put_direct_key(struct fscrypt_direct_key *dk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) if (!refcount_dec_and_lock(&dk->dk_refcount, &fscrypt_direct_keys_lock))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) hash_del(&dk->dk_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) spin_unlock(&fscrypt_direct_keys_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) free_direct_key(dk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) * Find/insert the given key into the fscrypt_direct_keys table. If found, it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) * is returned with elevated refcount, and 'to_insert' is freed if non-NULL. If
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) * not found, 'to_insert' is inserted and returned if it's non-NULL; otherwise
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) * NULL is returned.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) static struct fscrypt_direct_key *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) find_or_insert_direct_key(struct fscrypt_direct_key *to_insert,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) const u8 *raw_key, const struct fscrypt_info *ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) unsigned long hash_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) struct fscrypt_direct_key *dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) * Careful: to avoid potentially leaking secret key bytes via timing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) * information, we must key the hash table by descriptor rather than by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) * raw key, and use crypto_memneq() when comparing raw keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) BUILD_BUG_ON(sizeof(hash_key) > FSCRYPT_KEY_DESCRIPTOR_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) memcpy(&hash_key, ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) sizeof(hash_key));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) spin_lock(&fscrypt_direct_keys_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) hash_for_each_possible(fscrypt_direct_keys, dk, dk_node, hash_key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) if (memcmp(ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) dk->dk_descriptor, FSCRYPT_KEY_DESCRIPTOR_SIZE) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) if (ci->ci_mode != dk->dk_mode)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) if (!fscrypt_is_key_prepared(&dk->dk_key, ci))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) if (crypto_memneq(raw_key, dk->dk_raw, ci->ci_mode->keysize))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) /* using existing tfm with same (descriptor, mode, raw_key) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) refcount_inc(&dk->dk_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) spin_unlock(&fscrypt_direct_keys_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) free_direct_key(to_insert);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) return dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) if (to_insert)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) hash_add(fscrypt_direct_keys, &to_insert->dk_node, hash_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) spin_unlock(&fscrypt_direct_keys_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) return to_insert;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) /* Prepare to encrypt directly using the master key in the given mode */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) static struct fscrypt_direct_key *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) fscrypt_get_direct_key(const struct fscrypt_info *ci, const u8 *raw_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) struct fscrypt_direct_key *dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) /* Is there already a tfm for this key? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) dk = find_or_insert_direct_key(NULL, raw_key, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) if (dk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) return dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) /* Nope, allocate one. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) dk = kzalloc(sizeof(*dk), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) if (!dk)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) return ERR_PTR(-ENOMEM);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) refcount_set(&dk->dk_refcount, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) dk->dk_mode = ci->ci_mode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) err = fscrypt_prepare_key(&dk->dk_key, raw_key, ci->ci_mode->keysize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) false /*is_hw_wrapped*/, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) goto err_free_dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) memcpy(dk->dk_descriptor, ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) FSCRYPT_KEY_DESCRIPTOR_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) memcpy(dk->dk_raw, raw_key, ci->ci_mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) return find_or_insert_direct_key(dk, raw_key, ci);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) err_free_dk:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) free_direct_key(dk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) return ERR_PTR(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) /* v1 policy, DIRECT_KEY: use the master key directly */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) static int setup_v1_file_key_direct(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) const u8 *raw_master_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) struct fscrypt_direct_key *dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) dk = fscrypt_get_direct_key(ci, raw_master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) if (IS_ERR(dk))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) return PTR_ERR(dk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) ci->ci_direct_key = dk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) ci->ci_enc_key = dk->dk_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) /* v1 policy, !DIRECT_KEY: derive the file's encryption key */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) static int setup_v1_file_key_derived(struct fscrypt_info *ci,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) const u8 *raw_master_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) u8 *derived_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) * This cannot be a stack buffer because it will be passed to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) * scatterlist crypto API during derive_key_aes().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) derived_key = kmalloc(ci->ci_mode->keysize, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) if (!derived_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) err = derive_key_aes(raw_master_key, ci->ci_nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) derived_key, ci->ci_mode->keysize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) err = fscrypt_set_per_file_enc_key(ci, derived_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) kfree_sensitive(derived_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) int fscrypt_setup_v1_file_key(struct fscrypt_info *ci, const u8 *raw_master_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) if (ci->ci_policy.v1.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) return setup_v1_file_key_direct(ci, raw_master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) return setup_v1_file_key_derived(ci, raw_master_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) int fscrypt_setup_v1_file_key_via_subscribed_keyrings(struct fscrypt_info *ci)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) const struct fscrypt_key *payload;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) key = find_and_lock_process_key(FSCRYPT_KEY_DESC_PREFIX,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) ci->ci_mode->keysize, &payload);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) if (key == ERR_PTR(-ENOKEY) && ci->ci_inode->i_sb->s_cop->key_prefix) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) key = find_and_lock_process_key(ci->ci_inode->i_sb->s_cop->key_prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) ci->ci_policy.v1.master_key_descriptor,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) ci->ci_mode->keysize, &payload);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) if (IS_ERR(key))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) return PTR_ERR(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) err = fscrypt_setup_v1_file_key(ci, payload->raw);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags