forked from Minki/linux
643fa9612b
In order to have a common code base for fscrypt "post read" processing for all filesystems which support encryption, this commit removes filesystem specific build config option (e.g. CONFIG_EXT4_FS_ENCRYPTION) and replaces it with a build option (i.e. CONFIG_FS_ENCRYPTION) whose value affects all the filesystems making use of fscrypt. Reviewed-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com>
175 lines
4.5 KiB
C
175 lines
4.5 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* fscrypt_private.h
|
|
*
|
|
* Copyright (C) 2015, Google, Inc.
|
|
*
|
|
* This contains encryption key functions.
|
|
*
|
|
* Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
|
|
*/
|
|
|
|
#ifndef _FSCRYPT_PRIVATE_H
|
|
#define _FSCRYPT_PRIVATE_H
|
|
|
|
#include <linux/fscrypt.h>
|
|
#include <crypto/hash.h>
|
|
|
|
/* Encryption parameters */
|
|
#define FS_KEY_DERIVATION_NONCE_SIZE 16
|
|
|
|
/**
|
|
* Encryption context for inode
|
|
*
|
|
* Protector format:
|
|
* 1 byte: Protector format (1 = this version)
|
|
* 1 byte: File contents encryption mode
|
|
* 1 byte: File names encryption mode
|
|
* 1 byte: Flags
|
|
* 8 bytes: Master Key descriptor
|
|
* 16 bytes: Encryption Key derivation nonce
|
|
*/
|
|
struct fscrypt_context {
|
|
u8 format;
|
|
u8 contents_encryption_mode;
|
|
u8 filenames_encryption_mode;
|
|
u8 flags;
|
|
u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
|
|
u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
} __packed;
|
|
|
|
#define FS_ENCRYPTION_CONTEXT_FORMAT_V1 1
|
|
|
|
/**
|
|
* For encrypted symlinks, the ciphertext length is stored at the beginning
|
|
* of the string in little-endian format.
|
|
*/
|
|
struct fscrypt_symlink_data {
|
|
__le16 len;
|
|
char encrypted_path[1];
|
|
} __packed;
|
|
|
|
/*
|
|
* fscrypt_info - the "encryption key" for an inode
|
|
*
|
|
* When an encrypted file's key is made available, an instance of this struct is
|
|
* allocated and stored in ->i_crypt_info. Once created, it remains until the
|
|
* inode is evicted.
|
|
*/
|
|
struct fscrypt_info {
|
|
|
|
/* The actual crypto transform used for encryption and decryption */
|
|
struct crypto_skcipher *ci_ctfm;
|
|
|
|
/*
|
|
* Cipher for ESSIV IV generation. Only set for CBC contents
|
|
* encryption, otherwise is NULL.
|
|
*/
|
|
struct crypto_cipher *ci_essiv_tfm;
|
|
|
|
/*
|
|
* Encryption mode used for this inode. It corresponds to either
|
|
* ci_data_mode or ci_filename_mode, depending on the inode type.
|
|
*/
|
|
struct fscrypt_mode *ci_mode;
|
|
|
|
/*
|
|
* If non-NULL, then this inode uses a master key directly rather than a
|
|
* derived key, and ci_ctfm will equal ci_master_key->mk_ctfm.
|
|
* Otherwise, this inode uses a derived key.
|
|
*/
|
|
struct fscrypt_master_key *ci_master_key;
|
|
|
|
/* fields from the fscrypt_context */
|
|
u8 ci_data_mode;
|
|
u8 ci_filename_mode;
|
|
u8 ci_flags;
|
|
u8 ci_master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
|
|
u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
};
|
|
|
|
typedef enum {
|
|
FS_DECRYPT = 0,
|
|
FS_ENCRYPT,
|
|
} fscrypt_direction_t;
|
|
|
|
#define FS_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001
|
|
#define FS_CTX_HAS_BOUNCE_BUFFER_FL 0x00000002
|
|
|
|
static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
|
|
u32 filenames_mode)
|
|
{
|
|
if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS)
|
|
return true;
|
|
|
|
if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
|
|
return true;
|
|
|
|
if (contents_mode == FS_ENCRYPTION_MODE_ADIANTUM &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_ADIANTUM)
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
|
|
/* crypto.c */
|
|
extern struct kmem_cache *fscrypt_info_cachep;
|
|
extern int fscrypt_initialize(unsigned int cop_flags);
|
|
extern int fscrypt_do_page_crypto(const struct inode *inode,
|
|
fscrypt_direction_t rw, u64 lblk_num,
|
|
struct page *src_page,
|
|
struct page *dest_page,
|
|
unsigned int len, unsigned int offs,
|
|
gfp_t gfp_flags);
|
|
extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx,
|
|
gfp_t gfp_flags);
|
|
extern const struct dentry_operations fscrypt_d_ops;
|
|
|
|
extern void __printf(3, 4) __cold
|
|
fscrypt_msg(struct super_block *sb, const char *level, const char *fmt, ...);
|
|
|
|
#define fscrypt_warn(sb, fmt, ...) \
|
|
fscrypt_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__)
|
|
#define fscrypt_err(sb, fmt, ...) \
|
|
fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__)
|
|
|
|
#define FSCRYPT_MAX_IV_SIZE 32
|
|
|
|
union fscrypt_iv {
|
|
struct {
|
|
/* logical block number within the file */
|
|
__le64 lblk_num;
|
|
|
|
/* per-file nonce; only set in DIRECT_KEY mode */
|
|
u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
};
|
|
u8 raw[FSCRYPT_MAX_IV_SIZE];
|
|
};
|
|
|
|
void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
|
|
const struct fscrypt_info *ci);
|
|
|
|
/* fname.c */
|
|
extern int fname_encrypt(struct inode *inode, const struct qstr *iname,
|
|
u8 *out, unsigned int olen);
|
|
extern bool fscrypt_fname_encrypted_size(const struct inode *inode,
|
|
u32 orig_len, u32 max_len,
|
|
u32 *encrypted_len_ret);
|
|
|
|
/* keyinfo.c */
|
|
|
|
struct fscrypt_mode {
|
|
const char *friendly_name;
|
|
const char *cipher_str;
|
|
int keysize;
|
|
int ivsize;
|
|
bool logged_impl_name;
|
|
bool needs_essiv;
|
|
};
|
|
|
|
extern void __exit fscrypt_essiv_cleanup(void);
|
|
|
|
#endif /* _FSCRYPT_PRIVATE_H */
|