1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Filesystem-level keyring for fscrypt 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 /* 9 * This file implements management of fscrypt master keys in the 10 * filesystem-level keyring, including the ioctls: 11 * 12 * - FS_IOC_ADD_ENCRYPTION_KEY 13 * - FS_IOC_REMOVE_ENCRYPTION_KEY 14 * - FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS 15 * - FS_IOC_GET_ENCRYPTION_KEY_STATUS 16 * 17 * See the "User API" section of Documentation/filesystems/fscrypt.rst for more 18 * information about these ioctls. 19 */ 20 21 #include <crypto/skcipher.h> 22 #include <linux/key-type.h> 23 #include <linux/seq_file.h> 24 25 #include "fscrypt_private.h" 26 27 static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret) 28 { 29 fscrypt_destroy_hkdf(&secret->hkdf); 30 memzero_explicit(secret, sizeof(*secret)); 31 } 32 33 static void move_master_key_secret(struct fscrypt_master_key_secret *dst, 34 struct fscrypt_master_key_secret *src) 35 { 36 memcpy(dst, src, sizeof(*dst)); 37 memzero_explicit(src, sizeof(*src)); 38 } 39 40 static void free_master_key(struct fscrypt_master_key *mk) 41 { 42 size_t i; 43 44 wipe_master_key_secret(&mk->mk_secret); 45 46 for (i = 0; i <= __FSCRYPT_MODE_MAX; i++) { 47 crypto_free_skcipher(mk->mk_direct_tfms[i]); 48 crypto_free_skcipher(mk->mk_iv_ino_lblk_64_tfms[i]); 49 } 50 51 key_put(mk->mk_users); 52 kzfree(mk); 53 } 54 55 static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec) 56 { 57 if (spec->__reserved) 58 return false; 59 return master_key_spec_len(spec) != 0; 60 } 61 62 static int fscrypt_key_instantiate(struct key *key, 63 struct key_preparsed_payload *prep) 64 { 65 key->payload.data[0] = (struct fscrypt_master_key *)prep->data; 66 return 0; 67 } 68 69 static void fscrypt_key_destroy(struct key *key) 70 { 71 free_master_key(key->payload.data[0]); 72 } 73 74 static void fscrypt_key_describe(const struct key *key, struct seq_file *m) 75 { 76 seq_puts(m, key->description); 77 78 if (key_is_positive(key)) { 79 const struct fscrypt_master_key *mk = key->payload.data[0]; 80 81 if (!is_master_key_secret_present(&mk->mk_secret)) 82 seq_puts(m, ": secret removed"); 83 } 84 } 85 86 /* 87 * Type of key in ->s_master_keys. Each key of this type represents a master 88 * key which has been added to the filesystem. Its payload is a 89 * 'struct fscrypt_master_key'. The "." prefix in the key type name prevents 90 * users from adding keys of this type via the keyrings syscalls rather than via 91 * the intended method of FS_IOC_ADD_ENCRYPTION_KEY. 92 */ 93 static struct key_type key_type_fscrypt = { 94 .name = "._fscrypt", 95 .instantiate = fscrypt_key_instantiate, 96 .destroy = fscrypt_key_destroy, 97 .describe = fscrypt_key_describe, 98 }; 99 100 static int fscrypt_user_key_instantiate(struct key *key, 101 struct key_preparsed_payload *prep) 102 { 103 /* 104 * We just charge FSCRYPT_MAX_KEY_SIZE bytes to the user's key quota for 105 * each key, regardless of the exact key size. The amount of memory 106 * actually used is greater than the size of the raw key anyway. 107 */ 108 return key_payload_reserve(key, FSCRYPT_MAX_KEY_SIZE); 109 } 110 111 static void fscrypt_user_key_describe(const struct key *key, struct seq_file *m) 112 { 113 seq_puts(m, key->description); 114 } 115 116 /* 117 * Type of key in ->mk_users. Each key of this type represents a particular 118 * user who has added a particular master key. 119 * 120 * Note that the name of this key type really should be something like 121 * ".fscrypt-user" instead of simply ".fscrypt". But the shorter name is chosen 122 * mainly for simplicity of presentation in /proc/keys when read by a non-root 123 * user. And it is expected to be rare that a key is actually added by multiple 124 * users, since users should keep their encryption keys confidential. 125 */ 126 static struct key_type key_type_fscrypt_user = { 127 .name = ".fscrypt", 128 .instantiate = fscrypt_user_key_instantiate, 129 .describe = fscrypt_user_key_describe, 130 }; 131 132 /* Search ->s_master_keys or ->mk_users */ 133 static struct key *search_fscrypt_keyring(struct key *keyring, 134 struct key_type *type, 135 const char *description) 136 { 137 /* 138 * We need to mark the keyring reference as "possessed" so that we 139 * acquire permission to search it, via the KEY_POS_SEARCH permission. 140 */ 141 key_ref_t keyref = make_key_ref(keyring, true /* possessed */); 142 143 keyref = keyring_search(keyref, type, description, false); 144 if (IS_ERR(keyref)) { 145 if (PTR_ERR(keyref) == -EAGAIN || /* not found */ 146 PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */ 147 keyref = ERR_PTR(-ENOKEY); 148 return ERR_CAST(keyref); 149 } 150 return key_ref_to_ptr(keyref); 151 } 152 153 #define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \ 154 (CONST_STRLEN("fscrypt-") + sizeof_field(struct super_block, s_id)) 155 156 #define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1) 157 158 #define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \ 159 (CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \ 160 CONST_STRLEN("-users") + 1) 161 162 #define FSCRYPT_MK_USER_DESCRIPTION_SIZE \ 163 (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1) 164 165 static void format_fs_keyring_description( 166 char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE], 167 const struct super_block *sb) 168 { 169 sprintf(description, "fscrypt-%s", sb->s_id); 170 } 171 172 static void format_mk_description( 173 char description[FSCRYPT_MK_DESCRIPTION_SIZE], 174 const struct fscrypt_key_specifier *mk_spec) 175 { 176 sprintf(description, "%*phN", 177 master_key_spec_len(mk_spec), (u8 *)&mk_spec->u); 178 } 179 180 static void format_mk_users_keyring_description( 181 char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE], 182 const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) 183 { 184 sprintf(description, "fscrypt-%*phN-users", 185 FSCRYPT_KEY_IDENTIFIER_SIZE, mk_identifier); 186 } 187 188 static void format_mk_user_description( 189 char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE], 190 const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) 191 { 192 193 sprintf(description, "%*phN.uid.%u", FSCRYPT_KEY_IDENTIFIER_SIZE, 194 mk_identifier, __kuid_val(current_fsuid())); 195 } 196 197 /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */ 198 static int allocate_filesystem_keyring(struct super_block *sb) 199 { 200 char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE]; 201 struct key *keyring; 202 203 if (sb->s_master_keys) 204 return 0; 205 206 format_fs_keyring_description(description, sb); 207 keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, 208 current_cred(), KEY_POS_SEARCH | 209 KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, 210 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); 211 if (IS_ERR(keyring)) 212 return PTR_ERR(keyring); 213 214 /* Pairs with READ_ONCE() in fscrypt_find_master_key() */ 215 smp_store_release(&sb->s_master_keys, keyring); 216 return 0; 217 } 218 219 void fscrypt_sb_free(struct super_block *sb) 220 { 221 key_put(sb->s_master_keys); 222 sb->s_master_keys = NULL; 223 } 224 225 /* 226 * Find the specified master key in ->s_master_keys. 227 * Returns ERR_PTR(-ENOKEY) if not found. 228 */ 229 struct key *fscrypt_find_master_key(struct super_block *sb, 230 const struct fscrypt_key_specifier *mk_spec) 231 { 232 struct key *keyring; 233 char description[FSCRYPT_MK_DESCRIPTION_SIZE]; 234 235 /* pairs with smp_store_release() in allocate_filesystem_keyring() */ 236 keyring = READ_ONCE(sb->s_master_keys); 237 if (keyring == NULL) 238 return ERR_PTR(-ENOKEY); /* No keyring yet, so no keys yet. */ 239 240 format_mk_description(description, mk_spec); 241 return search_fscrypt_keyring(keyring, &key_type_fscrypt, description); 242 } 243 244 static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk) 245 { 246 char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE]; 247 struct key *keyring; 248 249 format_mk_users_keyring_description(description, 250 mk->mk_spec.u.identifier); 251 keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, 252 current_cred(), KEY_POS_SEARCH | 253 KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, 254 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); 255 if (IS_ERR(keyring)) 256 return PTR_ERR(keyring); 257 258 mk->mk_users = keyring; 259 return 0; 260 } 261 262 /* 263 * Find the current user's "key" in the master key's ->mk_users. 264 * Returns ERR_PTR(-ENOKEY) if not found. 265 */ 266 static struct key *find_master_key_user(struct fscrypt_master_key *mk) 267 { 268 char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE]; 269 270 format_mk_user_description(description, mk->mk_spec.u.identifier); 271 return search_fscrypt_keyring(mk->mk_users, &key_type_fscrypt_user, 272 description); 273 } 274 275 /* 276 * Give the current user a "key" in ->mk_users. This charges the user's quota 277 * and marks the master key as added by the current user, so that it cannot be 278 * removed by another user with the key. Either the master key's key->sem must 279 * be held for write, or the master key must be still undergoing initialization. 280 */ 281 static int add_master_key_user(struct fscrypt_master_key *mk) 282 { 283 char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE]; 284 struct key *mk_user; 285 int err; 286 287 format_mk_user_description(description, mk->mk_spec.u.identifier); 288 mk_user = key_alloc(&key_type_fscrypt_user, description, 289 current_fsuid(), current_gid(), current_cred(), 290 KEY_POS_SEARCH | KEY_USR_VIEW, 0, NULL); 291 if (IS_ERR(mk_user)) 292 return PTR_ERR(mk_user); 293 294 err = key_instantiate_and_link(mk_user, NULL, 0, mk->mk_users, NULL); 295 key_put(mk_user); 296 return err; 297 } 298 299 /* 300 * Remove the current user's "key" from ->mk_users. 301 * The master key's key->sem must be held for write. 302 * 303 * Returns 0 if removed, -ENOKEY if not found, or another -errno code. 304 */ 305 static int remove_master_key_user(struct fscrypt_master_key *mk) 306 { 307 struct key *mk_user; 308 int err; 309 310 mk_user = find_master_key_user(mk); 311 if (IS_ERR(mk_user)) 312 return PTR_ERR(mk_user); 313 err = key_unlink(mk->mk_users, mk_user); 314 key_put(mk_user); 315 return err; 316 } 317 318 /* 319 * Allocate a new fscrypt_master_key which contains the given secret, set it as 320 * the payload of a new 'struct key' of type fscrypt, and link the 'struct key' 321 * into the given keyring. Synchronized by fscrypt_add_key_mutex. 322 */ 323 static int add_new_master_key(struct fscrypt_master_key_secret *secret, 324 const struct fscrypt_key_specifier *mk_spec, 325 struct key *keyring) 326 { 327 struct fscrypt_master_key *mk; 328 char description[FSCRYPT_MK_DESCRIPTION_SIZE]; 329 struct key *key; 330 int err; 331 332 mk = kzalloc(sizeof(*mk), GFP_KERNEL); 333 if (!mk) 334 return -ENOMEM; 335 336 mk->mk_spec = *mk_spec; 337 338 move_master_key_secret(&mk->mk_secret, secret); 339 init_rwsem(&mk->mk_secret_sem); 340 341 refcount_set(&mk->mk_refcount, 1); /* secret is present */ 342 INIT_LIST_HEAD(&mk->mk_decrypted_inodes); 343 spin_lock_init(&mk->mk_decrypted_inodes_lock); 344 345 if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) { 346 err = allocate_master_key_users_keyring(mk); 347 if (err) 348 goto out_free_mk; 349 err = add_master_key_user(mk); 350 if (err) 351 goto out_free_mk; 352 } 353 354 /* 355 * Note that we don't charge this key to anyone's quota, since when 356 * ->mk_users is in use those keys are charged instead, and otherwise 357 * (when ->mk_users isn't in use) only root can add these keys. 358 */ 359 format_mk_description(description, mk_spec); 360 key = key_alloc(&key_type_fscrypt, description, 361 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), 362 KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW, 363 KEY_ALLOC_NOT_IN_QUOTA, NULL); 364 if (IS_ERR(key)) { 365 err = PTR_ERR(key); 366 goto out_free_mk; 367 } 368 err = key_instantiate_and_link(key, mk, sizeof(*mk), keyring, NULL); 369 key_put(key); 370 if (err) 371 goto out_free_mk; 372 373 return 0; 374 375 out_free_mk: 376 free_master_key(mk); 377 return err; 378 } 379 380 #define KEY_DEAD 1 381 382 static int add_existing_master_key(struct fscrypt_master_key *mk, 383 struct fscrypt_master_key_secret *secret) 384 { 385 struct key *mk_user; 386 bool rekey; 387 int err; 388 389 /* 390 * If the current user is already in ->mk_users, then there's nothing to 391 * do. (Not applicable for v1 policy keys, which have NULL ->mk_users.) 392 */ 393 if (mk->mk_users) { 394 mk_user = find_master_key_user(mk); 395 if (mk_user != ERR_PTR(-ENOKEY)) { 396 if (IS_ERR(mk_user)) 397 return PTR_ERR(mk_user); 398 key_put(mk_user); 399 return 0; 400 } 401 } 402 403 /* If we'll be re-adding ->mk_secret, try to take the reference. */ 404 rekey = !is_master_key_secret_present(&mk->mk_secret); 405 if (rekey && !refcount_inc_not_zero(&mk->mk_refcount)) 406 return KEY_DEAD; 407 408 /* Add the current user to ->mk_users, if applicable. */ 409 if (mk->mk_users) { 410 err = add_master_key_user(mk); 411 if (err) { 412 if (rekey && refcount_dec_and_test(&mk->mk_refcount)) 413 return KEY_DEAD; 414 return err; 415 } 416 } 417 418 /* Re-add the secret if needed. */ 419 if (rekey) { 420 down_write(&mk->mk_secret_sem); 421 move_master_key_secret(&mk->mk_secret, secret); 422 up_write(&mk->mk_secret_sem); 423 } 424 return 0; 425 } 426 427 static int add_master_key(struct super_block *sb, 428 struct fscrypt_master_key_secret *secret, 429 const struct fscrypt_key_specifier *mk_spec) 430 { 431 static DEFINE_MUTEX(fscrypt_add_key_mutex); 432 struct key *key; 433 int err; 434 435 mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */ 436 retry: 437 key = fscrypt_find_master_key(sb, mk_spec); 438 if (IS_ERR(key)) { 439 err = PTR_ERR(key); 440 if (err != -ENOKEY) 441 goto out_unlock; 442 /* Didn't find the key in ->s_master_keys. Add it. */ 443 err = allocate_filesystem_keyring(sb); 444 if (err) 445 goto out_unlock; 446 err = add_new_master_key(secret, mk_spec, sb->s_master_keys); 447 } else { 448 /* 449 * Found the key in ->s_master_keys. Re-add the secret if 450 * needed, and add the user to ->mk_users if needed. 451 */ 452 down_write(&key->sem); 453 err = add_existing_master_key(key->payload.data[0], secret); 454 up_write(&key->sem); 455 if (err == KEY_DEAD) { 456 /* Key being removed or needs to be removed */ 457 key_invalidate(key); 458 key_put(key); 459 goto retry; 460 } 461 key_put(key); 462 } 463 out_unlock: 464 mutex_unlock(&fscrypt_add_key_mutex); 465 return err; 466 } 467 468 static int fscrypt_provisioning_key_preparse(struct key_preparsed_payload *prep) 469 { 470 const struct fscrypt_provisioning_key_payload *payload = prep->data; 471 472 if (prep->datalen < sizeof(*payload) + FSCRYPT_MIN_KEY_SIZE || 473 prep->datalen > sizeof(*payload) + FSCRYPT_MAX_KEY_SIZE) 474 return -EINVAL; 475 476 if (payload->type != FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR && 477 payload->type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) 478 return -EINVAL; 479 480 if (payload->__reserved) 481 return -EINVAL; 482 483 prep->payload.data[0] = kmemdup(payload, prep->datalen, GFP_KERNEL); 484 if (!prep->payload.data[0]) 485 return -ENOMEM; 486 487 prep->quotalen = prep->datalen; 488 return 0; 489 } 490 491 static void fscrypt_provisioning_key_free_preparse( 492 struct key_preparsed_payload *prep) 493 { 494 kzfree(prep->payload.data[0]); 495 } 496 497 static void fscrypt_provisioning_key_describe(const struct key *key, 498 struct seq_file *m) 499 { 500 seq_puts(m, key->description); 501 if (key_is_positive(key)) { 502 const struct fscrypt_provisioning_key_payload *payload = 503 key->payload.data[0]; 504 505 seq_printf(m, ": %u [%u]", key->datalen, payload->type); 506 } 507 } 508 509 static void fscrypt_provisioning_key_destroy(struct key *key) 510 { 511 kzfree(key->payload.data[0]); 512 } 513 514 static struct key_type key_type_fscrypt_provisioning = { 515 .name = "fscrypt-provisioning", 516 .preparse = fscrypt_provisioning_key_preparse, 517 .free_preparse = fscrypt_provisioning_key_free_preparse, 518 .instantiate = generic_key_instantiate, 519 .describe = fscrypt_provisioning_key_describe, 520 .destroy = fscrypt_provisioning_key_destroy, 521 }; 522 523 /* 524 * Retrieve the raw key from the Linux keyring key specified by 'key_id', and 525 * store it into 'secret'. 526 * 527 * The key must be of type "fscrypt-provisioning" and must have the field 528 * fscrypt_provisioning_key_payload::type set to 'type', indicating that it's 529 * only usable with fscrypt with the particular KDF version identified by 530 * 'type'. We don't use the "logon" key type because there's no way to 531 * completely restrict the use of such keys; they can be used by any kernel API 532 * that accepts "logon" keys and doesn't require a specific service prefix. 533 * 534 * The ability to specify the key via Linux keyring key is intended for cases 535 * where userspace needs to re-add keys after the filesystem is unmounted and 536 * re-mounted. Most users should just provide the raw key directly instead. 537 */ 538 static int get_keyring_key(u32 key_id, u32 type, 539 struct fscrypt_master_key_secret *secret) 540 { 541 key_ref_t ref; 542 struct key *key; 543 const struct fscrypt_provisioning_key_payload *payload; 544 int err; 545 546 ref = lookup_user_key(key_id, 0, KEY_NEED_SEARCH); 547 if (IS_ERR(ref)) 548 return PTR_ERR(ref); 549 key = key_ref_to_ptr(ref); 550 551 if (key->type != &key_type_fscrypt_provisioning) 552 goto bad_key; 553 payload = key->payload.data[0]; 554 555 /* Don't allow fscrypt v1 keys to be used as v2 keys and vice versa. */ 556 if (payload->type != type) 557 goto bad_key; 558 559 secret->size = key->datalen - sizeof(*payload); 560 memcpy(secret->raw, payload->raw, secret->size); 561 err = 0; 562 goto out_put; 563 564 bad_key: 565 err = -EKEYREJECTED; 566 out_put: 567 key_ref_put(ref); 568 return err; 569 } 570 571 /* 572 * Add a master encryption key to the filesystem, causing all files which were 573 * encrypted with it to appear "unlocked" (decrypted) when accessed. 574 * 575 * When adding a key for use by v1 encryption policies, this ioctl is 576 * privileged, and userspace must provide the 'key_descriptor'. 577 * 578 * When adding a key for use by v2+ encryption policies, this ioctl is 579 * unprivileged. This is needed, in general, to allow non-root users to use 580 * encryption without encountering the visibility problems of process-subscribed 581 * keyrings and the inability to properly remove keys. This works by having 582 * each key identified by its cryptographically secure hash --- the 583 * 'key_identifier'. The cryptographic hash ensures that a malicious user 584 * cannot add the wrong key for a given identifier. Furthermore, each added key 585 * is charged to the appropriate user's quota for the keyrings service, which 586 * prevents a malicious user from adding too many keys. Finally, we forbid a 587 * user from removing a key while other users have added it too, which prevents 588 * a user who knows another user's key from causing a denial-of-service by 589 * removing it at an inopportune time. (We tolerate that a user who knows a key 590 * can prevent other users from removing it.) 591 * 592 * For more details, see the "FS_IOC_ADD_ENCRYPTION_KEY" section of 593 * Documentation/filesystems/fscrypt.rst. 594 */ 595 int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg) 596 { 597 struct super_block *sb = file_inode(filp)->i_sb; 598 struct fscrypt_add_key_arg __user *uarg = _uarg; 599 struct fscrypt_add_key_arg arg; 600 struct fscrypt_master_key_secret secret; 601 int err; 602 603 if (copy_from_user(&arg, uarg, sizeof(arg))) 604 return -EFAULT; 605 606 if (!valid_key_spec(&arg.key_spec)) 607 return -EINVAL; 608 609 if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) 610 return -EINVAL; 611 612 memset(&secret, 0, sizeof(secret)); 613 if (arg.key_id) { 614 if (arg.raw_size != 0) 615 return -EINVAL; 616 err = get_keyring_key(arg.key_id, arg.key_spec.type, &secret); 617 if (err) 618 goto out_wipe_secret; 619 } else { 620 if (arg.raw_size < FSCRYPT_MIN_KEY_SIZE || 621 arg.raw_size > FSCRYPT_MAX_KEY_SIZE) 622 return -EINVAL; 623 secret.size = arg.raw_size; 624 err = -EFAULT; 625 if (copy_from_user(secret.raw, uarg->raw, secret.size)) 626 goto out_wipe_secret; 627 } 628 629 switch (arg.key_spec.type) { 630 case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: 631 /* 632 * Only root can add keys that are identified by an arbitrary 633 * descriptor rather than by a cryptographic hash --- since 634 * otherwise a malicious user could add the wrong key. 635 */ 636 err = -EACCES; 637 if (!capable(CAP_SYS_ADMIN)) 638 goto out_wipe_secret; 639 break; 640 case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: 641 err = fscrypt_init_hkdf(&secret.hkdf, secret.raw, secret.size); 642 if (err) 643 goto out_wipe_secret; 644 645 /* 646 * Now that the HKDF context is initialized, the raw key is no 647 * longer needed. 648 */ 649 memzero_explicit(secret.raw, secret.size); 650 651 /* Calculate the key identifier and return it to userspace. */ 652 err = fscrypt_hkdf_expand(&secret.hkdf, 653 HKDF_CONTEXT_KEY_IDENTIFIER, 654 NULL, 0, arg.key_spec.u.identifier, 655 FSCRYPT_KEY_IDENTIFIER_SIZE); 656 if (err) 657 goto out_wipe_secret; 658 err = -EFAULT; 659 if (copy_to_user(uarg->key_spec.u.identifier, 660 arg.key_spec.u.identifier, 661 FSCRYPT_KEY_IDENTIFIER_SIZE)) 662 goto out_wipe_secret; 663 break; 664 default: 665 WARN_ON(1); 666 err = -EINVAL; 667 goto out_wipe_secret; 668 } 669 670 err = add_master_key(sb, &secret, &arg.key_spec); 671 out_wipe_secret: 672 wipe_master_key_secret(&secret); 673 return err; 674 } 675 EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key); 676 677 /* 678 * Verify that the current user has added a master key with the given identifier 679 * (returns -ENOKEY if not). This is needed to prevent a user from encrypting 680 * their files using some other user's key which they don't actually know. 681 * Cryptographically this isn't much of a problem, but the semantics of this 682 * would be a bit weird, so it's best to just forbid it. 683 * 684 * The system administrator (CAP_FOWNER) can override this, which should be 685 * enough for any use cases where encryption policies are being set using keys 686 * that were chosen ahead of time but aren't available at the moment. 687 * 688 * Note that the key may have already removed by the time this returns, but 689 * that's okay; we just care whether the key was there at some point. 690 * 691 * Return: 0 if the key is added, -ENOKEY if it isn't, or another -errno code 692 */ 693 int fscrypt_verify_key_added(struct super_block *sb, 694 const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) 695 { 696 struct fscrypt_key_specifier mk_spec; 697 struct key *key, *mk_user; 698 struct fscrypt_master_key *mk; 699 int err; 700 701 mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 702 memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE); 703 704 key = fscrypt_find_master_key(sb, &mk_spec); 705 if (IS_ERR(key)) { 706 err = PTR_ERR(key); 707 goto out; 708 } 709 mk = key->payload.data[0]; 710 mk_user = find_master_key_user(mk); 711 if (IS_ERR(mk_user)) { 712 err = PTR_ERR(mk_user); 713 } else { 714 key_put(mk_user); 715 err = 0; 716 } 717 key_put(key); 718 out: 719 if (err == -ENOKEY && capable(CAP_FOWNER)) 720 err = 0; 721 return err; 722 } 723 724 /* 725 * Try to evict the inode's dentries from the dentry cache. If the inode is a 726 * directory, then it can have at most one dentry; however, that dentry may be 727 * pinned by child dentries, so first try to evict the children too. 728 */ 729 static void shrink_dcache_inode(struct inode *inode) 730 { 731 struct dentry *dentry; 732 733 if (S_ISDIR(inode->i_mode)) { 734 dentry = d_find_any_alias(inode); 735 if (dentry) { 736 shrink_dcache_parent(dentry); 737 dput(dentry); 738 } 739 } 740 d_prune_aliases(inode); 741 } 742 743 static void evict_dentries_for_decrypted_inodes(struct fscrypt_master_key *mk) 744 { 745 struct fscrypt_info *ci; 746 struct inode *inode; 747 struct inode *toput_inode = NULL; 748 749 spin_lock(&mk->mk_decrypted_inodes_lock); 750 751 list_for_each_entry(ci, &mk->mk_decrypted_inodes, ci_master_key_link) { 752 inode = ci->ci_inode; 753 spin_lock(&inode->i_lock); 754 if (inode->i_state & (I_FREEING | I_WILL_FREE | I_NEW)) { 755 spin_unlock(&inode->i_lock); 756 continue; 757 } 758 __iget(inode); 759 spin_unlock(&inode->i_lock); 760 spin_unlock(&mk->mk_decrypted_inodes_lock); 761 762 shrink_dcache_inode(inode); 763 iput(toput_inode); 764 toput_inode = inode; 765 766 spin_lock(&mk->mk_decrypted_inodes_lock); 767 } 768 769 spin_unlock(&mk->mk_decrypted_inodes_lock); 770 iput(toput_inode); 771 } 772 773 static int check_for_busy_inodes(struct super_block *sb, 774 struct fscrypt_master_key *mk) 775 { 776 struct list_head *pos; 777 size_t busy_count = 0; 778 unsigned long ino; 779 780 spin_lock(&mk->mk_decrypted_inodes_lock); 781 782 list_for_each(pos, &mk->mk_decrypted_inodes) 783 busy_count++; 784 785 if (busy_count == 0) { 786 spin_unlock(&mk->mk_decrypted_inodes_lock); 787 return 0; 788 } 789 790 { 791 /* select an example file to show for debugging purposes */ 792 struct inode *inode = 793 list_first_entry(&mk->mk_decrypted_inodes, 794 struct fscrypt_info, 795 ci_master_key_link)->ci_inode; 796 ino = inode->i_ino; 797 } 798 spin_unlock(&mk->mk_decrypted_inodes_lock); 799 800 fscrypt_warn(NULL, 801 "%s: %zu inode(s) still busy after removing key with %s %*phN, including ino %lu", 802 sb->s_id, busy_count, master_key_spec_type(&mk->mk_spec), 803 master_key_spec_len(&mk->mk_spec), (u8 *)&mk->mk_spec.u, 804 ino); 805 return -EBUSY; 806 } 807 808 static int try_to_lock_encrypted_files(struct super_block *sb, 809 struct fscrypt_master_key *mk) 810 { 811 int err1; 812 int err2; 813 814 /* 815 * An inode can't be evicted while it is dirty or has dirty pages. 816 * Thus, we first have to clean the inodes in ->mk_decrypted_inodes. 817 * 818 * Just do it the easy way: call sync_filesystem(). It's overkill, but 819 * it works, and it's more important to minimize the amount of caches we 820 * drop than the amount of data we sync. Also, unprivileged users can 821 * already call sync_filesystem() via sys_syncfs() or sys_sync(). 822 */ 823 down_read(&sb->s_umount); 824 err1 = sync_filesystem(sb); 825 up_read(&sb->s_umount); 826 /* If a sync error occurs, still try to evict as much as possible. */ 827 828 /* 829 * Inodes are pinned by their dentries, so we have to evict their 830 * dentries. shrink_dcache_sb() would suffice, but would be overkill 831 * and inappropriate for use by unprivileged users. So instead go 832 * through the inodes' alias lists and try to evict each dentry. 833 */ 834 evict_dentries_for_decrypted_inodes(mk); 835 836 /* 837 * evict_dentries_for_decrypted_inodes() already iput() each inode in 838 * the list; any inodes for which that dropped the last reference will 839 * have been evicted due to fscrypt_drop_inode() detecting the key 840 * removal and telling the VFS to evict the inode. So to finish, we 841 * just need to check whether any inodes couldn't be evicted. 842 */ 843 err2 = check_for_busy_inodes(sb, mk); 844 845 return err1 ?: err2; 846 } 847 848 /* 849 * Try to remove an fscrypt master encryption key. 850 * 851 * FS_IOC_REMOVE_ENCRYPTION_KEY (all_users=false) removes the current user's 852 * claim to the key, then removes the key itself if no other users have claims. 853 * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS (all_users=true) always removes the 854 * key itself. 855 * 856 * To "remove the key itself", first we wipe the actual master key secret, so 857 * that no more inodes can be unlocked with it. Then we try to evict all cached 858 * inodes that had been unlocked with the key. 859 * 860 * If all inodes were evicted, then we unlink the fscrypt_master_key from the 861 * keyring. Otherwise it remains in the keyring in the "incompletely removed" 862 * state (without the actual secret key) where it tracks the list of remaining 863 * inodes. Userspace can execute the ioctl again later to retry eviction, or 864 * alternatively can re-add the secret key again. 865 * 866 * For more details, see the "Removing keys" section of 867 * Documentation/filesystems/fscrypt.rst. 868 */ 869 static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) 870 { 871 struct super_block *sb = file_inode(filp)->i_sb; 872 struct fscrypt_remove_key_arg __user *uarg = _uarg; 873 struct fscrypt_remove_key_arg arg; 874 struct key *key; 875 struct fscrypt_master_key *mk; 876 u32 status_flags = 0; 877 int err; 878 bool dead; 879 880 if (copy_from_user(&arg, uarg, sizeof(arg))) 881 return -EFAULT; 882 883 if (!valid_key_spec(&arg.key_spec)) 884 return -EINVAL; 885 886 if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) 887 return -EINVAL; 888 889 /* 890 * Only root can add and remove keys that are identified by an arbitrary 891 * descriptor rather than by a cryptographic hash. 892 */ 893 if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR && 894 !capable(CAP_SYS_ADMIN)) 895 return -EACCES; 896 897 /* Find the key being removed. */ 898 key = fscrypt_find_master_key(sb, &arg.key_spec); 899 if (IS_ERR(key)) 900 return PTR_ERR(key); 901 mk = key->payload.data[0]; 902 903 down_write(&key->sem); 904 905 /* If relevant, remove current user's (or all users) claim to the key */ 906 if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) { 907 if (all_users) 908 err = keyring_clear(mk->mk_users); 909 else 910 err = remove_master_key_user(mk); 911 if (err) { 912 up_write(&key->sem); 913 goto out_put_key; 914 } 915 if (mk->mk_users->keys.nr_leaves_on_tree != 0) { 916 /* 917 * Other users have still added the key too. We removed 918 * the current user's claim to the key, but we still 919 * can't remove the key itself. 920 */ 921 status_flags |= 922 FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS; 923 err = 0; 924 up_write(&key->sem); 925 goto out_put_key; 926 } 927 } 928 929 /* No user claims remaining. Go ahead and wipe the secret. */ 930 dead = false; 931 if (is_master_key_secret_present(&mk->mk_secret)) { 932 down_write(&mk->mk_secret_sem); 933 wipe_master_key_secret(&mk->mk_secret); 934 dead = refcount_dec_and_test(&mk->mk_refcount); 935 up_write(&mk->mk_secret_sem); 936 } 937 up_write(&key->sem); 938 if (dead) { 939 /* 940 * No inodes reference the key, and we wiped the secret, so the 941 * key object is free to be removed from the keyring. 942 */ 943 key_invalidate(key); 944 err = 0; 945 } else { 946 /* Some inodes still reference this key; try to evict them. */ 947 err = try_to_lock_encrypted_files(sb, mk); 948 if (err == -EBUSY) { 949 status_flags |= 950 FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY; 951 err = 0; 952 } 953 } 954 /* 955 * We return 0 if we successfully did something: removed a claim to the 956 * key, wiped the secret, or tried locking the files again. Users need 957 * to check the informational status flags if they care whether the key 958 * has been fully removed including all files locked. 959 */ 960 out_put_key: 961 key_put(key); 962 if (err == 0) 963 err = put_user(status_flags, &uarg->removal_status_flags); 964 return err; 965 } 966 967 int fscrypt_ioctl_remove_key(struct file *filp, void __user *uarg) 968 { 969 return do_remove_key(filp, uarg, false); 970 } 971 EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key); 972 973 int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *uarg) 974 { 975 if (!capable(CAP_SYS_ADMIN)) 976 return -EACCES; 977 return do_remove_key(filp, uarg, true); 978 } 979 EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key_all_users); 980 981 /* 982 * Retrieve the status of an fscrypt master encryption key. 983 * 984 * We set ->status to indicate whether the key is absent, present, or 985 * incompletely removed. "Incompletely removed" means that the master key 986 * secret has been removed, but some files which had been unlocked with it are 987 * still in use. This field allows applications to easily determine the state 988 * of an encrypted directory without using a hack such as trying to open a 989 * regular file in it (which can confuse the "incompletely removed" state with 990 * absent or present). 991 * 992 * In addition, for v2 policy keys we allow applications to determine, via 993 * ->status_flags and ->user_count, whether the key has been added by the 994 * current user, by other users, or by both. Most applications should not need 995 * this, since ordinarily only one user should know a given key. However, if a 996 * secret key is shared by multiple users, applications may wish to add an 997 * already-present key to prevent other users from removing it. This ioctl can 998 * be used to check whether that really is the case before the work is done to 999 * add the key --- which might e.g. require prompting the user for a passphrase. 1000 * 1001 * For more details, see the "FS_IOC_GET_ENCRYPTION_KEY_STATUS" section of 1002 * Documentation/filesystems/fscrypt.rst. 1003 */ 1004 int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg) 1005 { 1006 struct super_block *sb = file_inode(filp)->i_sb; 1007 struct fscrypt_get_key_status_arg arg; 1008 struct key *key; 1009 struct fscrypt_master_key *mk; 1010 int err; 1011 1012 if (copy_from_user(&arg, uarg, sizeof(arg))) 1013 return -EFAULT; 1014 1015 if (!valid_key_spec(&arg.key_spec)) 1016 return -EINVAL; 1017 1018 if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) 1019 return -EINVAL; 1020 1021 arg.status_flags = 0; 1022 arg.user_count = 0; 1023 memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved)); 1024 1025 key = fscrypt_find_master_key(sb, &arg.key_spec); 1026 if (IS_ERR(key)) { 1027 if (key != ERR_PTR(-ENOKEY)) 1028 return PTR_ERR(key); 1029 arg.status = FSCRYPT_KEY_STATUS_ABSENT; 1030 err = 0; 1031 goto out; 1032 } 1033 mk = key->payload.data[0]; 1034 down_read(&key->sem); 1035 1036 if (!is_master_key_secret_present(&mk->mk_secret)) { 1037 arg.status = FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED; 1038 err = 0; 1039 goto out_release_key; 1040 } 1041 1042 arg.status = FSCRYPT_KEY_STATUS_PRESENT; 1043 if (mk->mk_users) { 1044 struct key *mk_user; 1045 1046 arg.user_count = mk->mk_users->keys.nr_leaves_on_tree; 1047 mk_user = find_master_key_user(mk); 1048 if (!IS_ERR(mk_user)) { 1049 arg.status_flags |= 1050 FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF; 1051 key_put(mk_user); 1052 } else if (mk_user != ERR_PTR(-ENOKEY)) { 1053 err = PTR_ERR(mk_user); 1054 goto out_release_key; 1055 } 1056 } 1057 err = 0; 1058 out_release_key: 1059 up_read(&key->sem); 1060 key_put(key); 1061 out: 1062 if (!err && copy_to_user(uarg, &arg, sizeof(arg))) 1063 err = -EFAULT; 1064 return err; 1065 } 1066 EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_key_status); 1067 1068 int __init fscrypt_init_keyring(void) 1069 { 1070 int err; 1071 1072 err = register_key_type(&key_type_fscrypt); 1073 if (err) 1074 return err; 1075 1076 err = register_key_type(&key_type_fscrypt_user); 1077 if (err) 1078 goto err_unregister_fscrypt; 1079 1080 err = register_key_type(&key_type_fscrypt_provisioning); 1081 if (err) 1082 goto err_unregister_fscrypt_user; 1083 1084 return 0; 1085 1086 err_unregister_fscrypt_user: 1087 unregister_key_type(&key_type_fscrypt_user); 1088 err_unregister_fscrypt: 1089 unregister_key_type(&key_type_fscrypt); 1090 return err; 1091 } 1092