1feed8258SEric Biggers // SPDX-License-Identifier: GPL-2.0 2feed8258SEric Biggers /* 3feed8258SEric Biggers * Key setup facility for FS encryption support. 4feed8258SEric Biggers * 5feed8258SEric Biggers * Copyright (C) 2015, Google, Inc. 6feed8258SEric Biggers * 7feed8258SEric Biggers * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar. 8feed8258SEric Biggers * Heavily modified since then. 9feed8258SEric Biggers */ 10feed8258SEric Biggers 11feed8258SEric Biggers #include <crypto/skcipher.h> 12feed8258SEric Biggers #include <linux/key.h> 13feed8258SEric Biggers 14feed8258SEric Biggers #include "fscrypt_private.h" 15feed8258SEric Biggers 16feed8258SEric Biggers static struct fscrypt_mode available_modes[] = { 17feed8258SEric Biggers [FSCRYPT_MODE_AES_256_XTS] = { 18feed8258SEric Biggers .friendly_name = "AES-256-XTS", 19feed8258SEric Biggers .cipher_str = "xts(aes)", 20feed8258SEric Biggers .keysize = 64, 21feed8258SEric Biggers .ivsize = 16, 22feed8258SEric Biggers }, 23feed8258SEric Biggers [FSCRYPT_MODE_AES_256_CTS] = { 24feed8258SEric Biggers .friendly_name = "AES-256-CTS-CBC", 25feed8258SEric Biggers .cipher_str = "cts(cbc(aes))", 26feed8258SEric Biggers .keysize = 32, 27feed8258SEric Biggers .ivsize = 16, 28feed8258SEric Biggers }, 29feed8258SEric Biggers [FSCRYPT_MODE_AES_128_CBC] = { 304006d799SEric Biggers .friendly_name = "AES-128-CBC-ESSIV", 314006d799SEric Biggers .cipher_str = "essiv(cbc(aes),sha256)", 32feed8258SEric Biggers .keysize = 16, 33feed8258SEric Biggers .ivsize = 16, 34feed8258SEric Biggers }, 35feed8258SEric Biggers [FSCRYPT_MODE_AES_128_CTS] = { 36feed8258SEric Biggers .friendly_name = "AES-128-CTS-CBC", 37feed8258SEric Biggers .cipher_str = "cts(cbc(aes))", 38feed8258SEric Biggers .keysize = 16, 39feed8258SEric Biggers .ivsize = 16, 40feed8258SEric Biggers }, 41feed8258SEric Biggers [FSCRYPT_MODE_ADIANTUM] = { 42feed8258SEric Biggers .friendly_name = "Adiantum", 43feed8258SEric Biggers .cipher_str = "adiantum(xchacha12,aes)", 44feed8258SEric Biggers .keysize = 32, 45feed8258SEric Biggers .ivsize = 32, 46feed8258SEric Biggers }, 47feed8258SEric Biggers }; 48feed8258SEric Biggers 49feed8258SEric Biggers static struct fscrypt_mode * 505dae460cSEric Biggers select_encryption_mode(const union fscrypt_policy *policy, 515dae460cSEric Biggers const struct inode *inode) 52feed8258SEric Biggers { 53feed8258SEric Biggers if (S_ISREG(inode->i_mode)) 545dae460cSEric Biggers return &available_modes[fscrypt_policy_contents_mode(policy)]; 55feed8258SEric Biggers 56feed8258SEric Biggers if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) 575dae460cSEric Biggers return &available_modes[fscrypt_policy_fnames_mode(policy)]; 58feed8258SEric Biggers 59feed8258SEric Biggers WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", 60feed8258SEric Biggers inode->i_ino, (inode->i_mode & S_IFMT)); 61feed8258SEric Biggers return ERR_PTR(-EINVAL); 62feed8258SEric Biggers } 63feed8258SEric Biggers 64feed8258SEric Biggers /* Create a symmetric cipher object for the given encryption mode and key */ 65feed8258SEric Biggers struct crypto_skcipher *fscrypt_allocate_skcipher(struct fscrypt_mode *mode, 66feed8258SEric Biggers const u8 *raw_key, 67feed8258SEric Biggers const struct inode *inode) 68feed8258SEric Biggers { 69feed8258SEric Biggers struct crypto_skcipher *tfm; 70feed8258SEric Biggers int err; 71feed8258SEric Biggers 72feed8258SEric Biggers tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); 73feed8258SEric Biggers if (IS_ERR(tfm)) { 74feed8258SEric Biggers if (PTR_ERR(tfm) == -ENOENT) { 75feed8258SEric Biggers fscrypt_warn(inode, 76feed8258SEric Biggers "Missing crypto API support for %s (API name: \"%s\")", 77feed8258SEric Biggers mode->friendly_name, mode->cipher_str); 78feed8258SEric Biggers return ERR_PTR(-ENOPKG); 79feed8258SEric Biggers } 80feed8258SEric Biggers fscrypt_err(inode, "Error allocating '%s' transform: %ld", 81feed8258SEric Biggers mode->cipher_str, PTR_ERR(tfm)); 82feed8258SEric Biggers return tfm; 83feed8258SEric Biggers } 84ff73c2c0SEric Biggers if (!xchg(&mode->logged_impl_name, 1)) { 85feed8258SEric Biggers /* 86feed8258SEric Biggers * fscrypt performance can vary greatly depending on which 87feed8258SEric Biggers * crypto algorithm implementation is used. Help people debug 88feed8258SEric Biggers * performance problems by logging the ->cra_driver_name the 89ff73c2c0SEric Biggers * first time a mode is used. 90feed8258SEric Biggers */ 91feed8258SEric Biggers pr_info("fscrypt: %s using implementation \"%s\"\n", 92feed8258SEric Biggers mode->friendly_name, 93feed8258SEric Biggers crypto_skcipher_alg(tfm)->base.cra_driver_name); 94feed8258SEric Biggers } 95feed8258SEric Biggers crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); 96feed8258SEric Biggers err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize); 97feed8258SEric Biggers if (err) 98feed8258SEric Biggers goto err_free_tfm; 99feed8258SEric Biggers 100feed8258SEric Biggers return tfm; 101feed8258SEric Biggers 102feed8258SEric Biggers err_free_tfm: 103feed8258SEric Biggers crypto_free_skcipher(tfm); 104feed8258SEric Biggers return ERR_PTR(err); 105feed8258SEric Biggers } 106feed8258SEric Biggers 1074006d799SEric Biggers /* Given the per-file key, set up the file's crypto transform object */ 108feed8258SEric Biggers int fscrypt_set_derived_key(struct fscrypt_info *ci, const u8 *derived_key) 109feed8258SEric Biggers { 1104006d799SEric Biggers struct crypto_skcipher *tfm; 111feed8258SEric Biggers 1124006d799SEric Biggers tfm = fscrypt_allocate_skcipher(ci->ci_mode, derived_key, ci->ci_inode); 1134006d799SEric Biggers if (IS_ERR(tfm)) 1144006d799SEric Biggers return PTR_ERR(tfm); 115feed8258SEric Biggers 1164006d799SEric Biggers ci->ci_ctfm = tfm; 117b103fb76SEric Biggers ci->ci_owns_key = true; 118feed8258SEric Biggers return 0; 119feed8258SEric Biggers } 120feed8258SEric Biggers 1215dae460cSEric Biggers static int setup_per_mode_key(struct fscrypt_info *ci, 122b103fb76SEric Biggers struct fscrypt_master_key *mk, 123b103fb76SEric Biggers struct crypto_skcipher **tfms, 124b103fb76SEric Biggers u8 hkdf_context, bool include_fs_uuid) 1255dae460cSEric Biggers { 126b103fb76SEric Biggers const struct inode *inode = ci->ci_inode; 127b103fb76SEric Biggers const struct super_block *sb = inode->i_sb; 1285dae460cSEric Biggers struct fscrypt_mode *mode = ci->ci_mode; 1295dae460cSEric Biggers u8 mode_num = mode - available_modes; 1305dae460cSEric Biggers struct crypto_skcipher *tfm, *prev_tfm; 1315dae460cSEric Biggers u8 mode_key[FSCRYPT_MAX_KEY_SIZE]; 132b103fb76SEric Biggers u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)]; 133b103fb76SEric Biggers unsigned int hkdf_infolen = 0; 1345dae460cSEric Biggers int err; 1355dae460cSEric Biggers 136b103fb76SEric Biggers if (WARN_ON(mode_num > __FSCRYPT_MODE_MAX)) 1375dae460cSEric Biggers return -EINVAL; 1385dae460cSEric Biggers 1395dae460cSEric Biggers /* pairs with cmpxchg() below */ 140b103fb76SEric Biggers tfm = READ_ONCE(tfms[mode_num]); 1415dae460cSEric Biggers if (likely(tfm != NULL)) 1425dae460cSEric Biggers goto done; 1435dae460cSEric Biggers 1445dae460cSEric Biggers BUILD_BUG_ON(sizeof(mode_num) != 1); 145b103fb76SEric Biggers BUILD_BUG_ON(sizeof(sb->s_uuid) != 16); 146b103fb76SEric Biggers BUILD_BUG_ON(sizeof(hkdf_info) != 17); 147b103fb76SEric Biggers hkdf_info[hkdf_infolen++] = mode_num; 148b103fb76SEric Biggers if (include_fs_uuid) { 149b103fb76SEric Biggers memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid, 150b103fb76SEric Biggers sizeof(sb->s_uuid)); 151b103fb76SEric Biggers hkdf_infolen += sizeof(sb->s_uuid); 152b103fb76SEric Biggers } 1535dae460cSEric Biggers err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 154b103fb76SEric Biggers hkdf_context, hkdf_info, hkdf_infolen, 1555dae460cSEric Biggers mode_key, mode->keysize); 1565dae460cSEric Biggers if (err) 1575dae460cSEric Biggers return err; 158b103fb76SEric Biggers tfm = fscrypt_allocate_skcipher(mode, mode_key, inode); 1595dae460cSEric Biggers memzero_explicit(mode_key, mode->keysize); 1605dae460cSEric Biggers if (IS_ERR(tfm)) 1615dae460cSEric Biggers return PTR_ERR(tfm); 1625dae460cSEric Biggers 1635dae460cSEric Biggers /* pairs with READ_ONCE() above */ 164b103fb76SEric Biggers prev_tfm = cmpxchg(&tfms[mode_num], NULL, tfm); 1655dae460cSEric Biggers if (prev_tfm != NULL) { 1665dae460cSEric Biggers crypto_free_skcipher(tfm); 1675dae460cSEric Biggers tfm = prev_tfm; 1685dae460cSEric Biggers } 1695dae460cSEric Biggers done: 1705dae460cSEric Biggers ci->ci_ctfm = tfm; 1715dae460cSEric Biggers return 0; 1725dae460cSEric Biggers } 1735dae460cSEric Biggers 1745dae460cSEric Biggers static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci, 1755dae460cSEric Biggers struct fscrypt_master_key *mk) 1765dae460cSEric Biggers { 1775dae460cSEric Biggers u8 derived_key[FSCRYPT_MAX_KEY_SIZE]; 1785dae460cSEric Biggers int err; 1795dae460cSEric Biggers 1805dae460cSEric Biggers if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { 1815dae460cSEric Biggers /* 1825dae460cSEric Biggers * DIRECT_KEY: instead of deriving per-file keys, the per-file 1835dae460cSEric Biggers * nonce will be included in all the IVs. But unlike v1 1845dae460cSEric Biggers * policies, for v2 policies in this case we don't encrypt with 1855dae460cSEric Biggers * the master key directly but rather derive a per-mode key. 1865dae460cSEric Biggers * This ensures that the master key is consistently used only 1875dae460cSEric Biggers * for HKDF, avoiding key reuse issues. 1885dae460cSEric Biggers */ 1895dae460cSEric Biggers if (!fscrypt_mode_supports_direct_key(ci->ci_mode)) { 1905dae460cSEric Biggers fscrypt_warn(ci->ci_inode, 1915dae460cSEric Biggers "Direct key flag not allowed with %s", 1925dae460cSEric Biggers ci->ci_mode->friendly_name); 1935dae460cSEric Biggers return -EINVAL; 1945dae460cSEric Biggers } 195b103fb76SEric Biggers return setup_per_mode_key(ci, mk, mk->mk_direct_tfms, 196b103fb76SEric Biggers HKDF_CONTEXT_DIRECT_KEY, false); 197b103fb76SEric Biggers } else if (ci->ci_policy.v2.flags & 198b103fb76SEric Biggers FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) { 199b103fb76SEric Biggers /* 200b103fb76SEric Biggers * IV_INO_LBLK_64: encryption keys are derived from (master_key, 201b103fb76SEric Biggers * mode_num, filesystem_uuid), and inode number is included in 202b103fb76SEric Biggers * the IVs. This format is optimized for use with inline 203b103fb76SEric Biggers * encryption hardware compliant with the UFS or eMMC standards. 204b103fb76SEric Biggers */ 205b103fb76SEric Biggers return setup_per_mode_key(ci, mk, mk->mk_iv_ino_lblk_64_tfms, 206b103fb76SEric Biggers HKDF_CONTEXT_IV_INO_LBLK_64_KEY, 207b103fb76SEric Biggers true); 2085dae460cSEric Biggers } 2095dae460cSEric Biggers 2105dae460cSEric Biggers err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 2115dae460cSEric Biggers HKDF_CONTEXT_PER_FILE_KEY, 2125dae460cSEric Biggers ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE, 2135dae460cSEric Biggers derived_key, ci->ci_mode->keysize); 2145dae460cSEric Biggers if (err) 2155dae460cSEric Biggers return err; 2165dae460cSEric Biggers 2175dae460cSEric Biggers err = fscrypt_set_derived_key(ci, derived_key); 2185dae460cSEric Biggers memzero_explicit(derived_key, ci->ci_mode->keysize); 2195dae460cSEric Biggers return err; 2205dae460cSEric Biggers } 2215dae460cSEric Biggers 222feed8258SEric Biggers /* 223feed8258SEric Biggers * Find the master key, then set up the inode's actual encryption key. 224b1c0ec35SEric Biggers * 225b1c0ec35SEric Biggers * If the master key is found in the filesystem-level keyring, then the 226b1c0ec35SEric Biggers * corresponding 'struct key' is returned in *master_key_ret with 22723c688b5SEric Biggers * ->mk_secret_sem read-locked. This is needed to ensure that only one task 22823c688b5SEric Biggers * links the fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race 22923c688b5SEric Biggers * to create an fscrypt_info for the same inode), and to synchronize the master 23023c688b5SEric Biggers * key being removed with a new inode starting to use it. 231feed8258SEric Biggers */ 232b1c0ec35SEric Biggers static int setup_file_encryption_key(struct fscrypt_info *ci, 233b1c0ec35SEric Biggers struct key **master_key_ret) 234feed8258SEric Biggers { 23522d94f49SEric Biggers struct key *key; 23622d94f49SEric Biggers struct fscrypt_master_key *mk = NULL; 23722d94f49SEric Biggers struct fscrypt_key_specifier mk_spec; 23822d94f49SEric Biggers int err; 23922d94f49SEric Biggers 2405dae460cSEric Biggers switch (ci->ci_policy.version) { 2415dae460cSEric Biggers case FSCRYPT_POLICY_V1: 24222d94f49SEric Biggers mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 2435dae460cSEric Biggers memcpy(mk_spec.u.descriptor, 2445dae460cSEric Biggers ci->ci_policy.v1.master_key_descriptor, 24522d94f49SEric Biggers FSCRYPT_KEY_DESCRIPTOR_SIZE); 2465dae460cSEric Biggers break; 2475dae460cSEric Biggers case FSCRYPT_POLICY_V2: 2485dae460cSEric Biggers mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 2495dae460cSEric Biggers memcpy(mk_spec.u.identifier, 2505dae460cSEric Biggers ci->ci_policy.v2.master_key_identifier, 2515dae460cSEric Biggers FSCRYPT_KEY_IDENTIFIER_SIZE); 2525dae460cSEric Biggers break; 2535dae460cSEric Biggers default: 2545dae460cSEric Biggers WARN_ON(1); 2555dae460cSEric Biggers return -EINVAL; 2565dae460cSEric Biggers } 25722d94f49SEric Biggers 25822d94f49SEric Biggers key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); 25922d94f49SEric Biggers if (IS_ERR(key)) { 2605dae460cSEric Biggers if (key != ERR_PTR(-ENOKEY) || 2615dae460cSEric Biggers ci->ci_policy.version != FSCRYPT_POLICY_V1) 26222d94f49SEric Biggers return PTR_ERR(key); 26322d94f49SEric Biggers 2645dae460cSEric Biggers /* 2655dae460cSEric Biggers * As a legacy fallback for v1 policies, search for the key in 2665dae460cSEric Biggers * the current task's subscribed keyrings too. Don't move this 2675dae460cSEric Biggers * to before the search of ->s_master_keys, since users 2685dae460cSEric Biggers * shouldn't be able to override filesystem-level keys. 2695dae460cSEric Biggers */ 270feed8258SEric Biggers return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci); 271feed8258SEric Biggers } 272feed8258SEric Biggers 27322d94f49SEric Biggers mk = key->payload.data[0]; 27423c688b5SEric Biggers down_read(&mk->mk_secret_sem); 275b1c0ec35SEric Biggers 276b1c0ec35SEric Biggers /* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */ 277b1c0ec35SEric Biggers if (!is_master_key_secret_present(&mk->mk_secret)) { 278b1c0ec35SEric Biggers err = -ENOKEY; 279b1c0ec35SEric Biggers goto out_release_key; 280b1c0ec35SEric Biggers } 28122d94f49SEric Biggers 2825dae460cSEric Biggers /* 2835dae460cSEric Biggers * Require that the master key be at least as long as the derived key. 2845dae460cSEric Biggers * Otherwise, the derived key cannot possibly contain as much entropy as 2855dae460cSEric Biggers * that required by the encryption mode it will be used for. For v1 2865dae460cSEric Biggers * policies it's also required for the KDF to work at all. 2875dae460cSEric Biggers */ 28822d94f49SEric Biggers if (mk->mk_secret.size < ci->ci_mode->keysize) { 28922d94f49SEric Biggers fscrypt_warn(NULL, 29022d94f49SEric Biggers "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", 29122d94f49SEric Biggers master_key_spec_type(&mk_spec), 29222d94f49SEric Biggers master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u, 29322d94f49SEric Biggers mk->mk_secret.size, ci->ci_mode->keysize); 29422d94f49SEric Biggers err = -ENOKEY; 29522d94f49SEric Biggers goto out_release_key; 29622d94f49SEric Biggers } 29722d94f49SEric Biggers 2985dae460cSEric Biggers switch (ci->ci_policy.version) { 2995dae460cSEric Biggers case FSCRYPT_POLICY_V1: 30022d94f49SEric Biggers err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw); 3015dae460cSEric Biggers break; 3025dae460cSEric Biggers case FSCRYPT_POLICY_V2: 3035dae460cSEric Biggers err = fscrypt_setup_v2_file_key(ci, mk); 3045dae460cSEric Biggers break; 3055dae460cSEric Biggers default: 3065dae460cSEric Biggers WARN_ON(1); 3075dae460cSEric Biggers err = -EINVAL; 3085dae460cSEric Biggers break; 3095dae460cSEric Biggers } 310b1c0ec35SEric Biggers if (err) 311b1c0ec35SEric Biggers goto out_release_key; 312b1c0ec35SEric Biggers 313b1c0ec35SEric Biggers *master_key_ret = key; 314b1c0ec35SEric Biggers return 0; 31522d94f49SEric Biggers 31622d94f49SEric Biggers out_release_key: 31723c688b5SEric Biggers up_read(&mk->mk_secret_sem); 31822d94f49SEric Biggers key_put(key); 31922d94f49SEric Biggers return err; 32022d94f49SEric Biggers } 32122d94f49SEric Biggers 322feed8258SEric Biggers static void put_crypt_info(struct fscrypt_info *ci) 323feed8258SEric Biggers { 324b1c0ec35SEric Biggers struct key *key; 325b1c0ec35SEric Biggers 326feed8258SEric Biggers if (!ci) 327feed8258SEric Biggers return; 328feed8258SEric Biggers 3294006d799SEric Biggers if (ci->ci_direct_key) 330feed8258SEric Biggers fscrypt_put_direct_key(ci->ci_direct_key); 331b103fb76SEric Biggers else if (ci->ci_owns_key) 332feed8258SEric Biggers crypto_free_skcipher(ci->ci_ctfm); 333b1c0ec35SEric Biggers 334b1c0ec35SEric Biggers key = ci->ci_master_key; 335b1c0ec35SEric Biggers if (key) { 336b1c0ec35SEric Biggers struct fscrypt_master_key *mk = key->payload.data[0]; 337b1c0ec35SEric Biggers 338b1c0ec35SEric Biggers /* 339b1c0ec35SEric Biggers * Remove this inode from the list of inodes that were unlocked 340b1c0ec35SEric Biggers * with the master key. 341b1c0ec35SEric Biggers * 342b1c0ec35SEric Biggers * In addition, if we're removing the last inode from a key that 343b1c0ec35SEric Biggers * already had its secret removed, invalidate the key so that it 344b1c0ec35SEric Biggers * gets removed from ->s_master_keys. 345b1c0ec35SEric Biggers */ 346b1c0ec35SEric Biggers spin_lock(&mk->mk_decrypted_inodes_lock); 347b1c0ec35SEric Biggers list_del(&ci->ci_master_key_link); 348b1c0ec35SEric Biggers spin_unlock(&mk->mk_decrypted_inodes_lock); 349b1c0ec35SEric Biggers if (refcount_dec_and_test(&mk->mk_refcount)) 350b1c0ec35SEric Biggers key_invalidate(key); 351b1c0ec35SEric Biggers key_put(key); 352b1c0ec35SEric Biggers } 3536f99756dSEric Biggers memzero_explicit(ci, sizeof(*ci)); 354feed8258SEric Biggers kmem_cache_free(fscrypt_info_cachep, ci); 355feed8258SEric Biggers } 356feed8258SEric Biggers 357feed8258SEric Biggers int fscrypt_get_encryption_info(struct inode *inode) 358feed8258SEric Biggers { 359feed8258SEric Biggers struct fscrypt_info *crypt_info; 3605dae460cSEric Biggers union fscrypt_context ctx; 361feed8258SEric Biggers struct fscrypt_mode *mode; 362b1c0ec35SEric Biggers struct key *master_key = NULL; 363feed8258SEric Biggers int res; 364feed8258SEric Biggers 365feed8258SEric Biggers if (fscrypt_has_encryption_key(inode)) 366feed8258SEric Biggers return 0; 367feed8258SEric Biggers 368feed8258SEric Biggers res = fscrypt_initialize(inode->i_sb->s_cop->flags); 369feed8258SEric Biggers if (res) 370feed8258SEric Biggers return res; 371feed8258SEric Biggers 372feed8258SEric Biggers res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 373feed8258SEric Biggers if (res < 0) { 374feed8258SEric Biggers if (!fscrypt_dummy_context_enabled(inode) || 375feed8258SEric Biggers IS_ENCRYPTED(inode)) { 376feed8258SEric Biggers fscrypt_warn(inode, 377feed8258SEric Biggers "Error %d getting encryption context", 378feed8258SEric Biggers res); 379feed8258SEric Biggers return res; 380feed8258SEric Biggers } 381feed8258SEric Biggers /* Fake up a context for an unencrypted directory */ 382feed8258SEric Biggers memset(&ctx, 0, sizeof(ctx)); 3835dae460cSEric Biggers ctx.version = FSCRYPT_CONTEXT_V1; 3845dae460cSEric Biggers ctx.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 3855dae460cSEric Biggers ctx.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 3865dae460cSEric Biggers memset(ctx.v1.master_key_descriptor, 0x42, 387feed8258SEric Biggers FSCRYPT_KEY_DESCRIPTOR_SIZE); 3885dae460cSEric Biggers res = sizeof(ctx.v1); 389feed8258SEric Biggers } 390feed8258SEric Biggers 391feed8258SEric Biggers crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS); 392feed8258SEric Biggers if (!crypt_info) 393feed8258SEric Biggers return -ENOMEM; 394feed8258SEric Biggers 395feed8258SEric Biggers crypt_info->ci_inode = inode; 396feed8258SEric Biggers 3975dae460cSEric Biggers res = fscrypt_policy_from_context(&crypt_info->ci_policy, &ctx, res); 3985dae460cSEric Biggers if (res) { 3995dae460cSEric Biggers fscrypt_warn(inode, 4005dae460cSEric Biggers "Unrecognized or corrupt encryption context"); 4015dae460cSEric Biggers goto out; 4025dae460cSEric Biggers } 403feed8258SEric Biggers 4045dae460cSEric Biggers switch (ctx.version) { 4055dae460cSEric Biggers case FSCRYPT_CONTEXT_V1: 4065dae460cSEric Biggers memcpy(crypt_info->ci_nonce, ctx.v1.nonce, 4075dae460cSEric Biggers FS_KEY_DERIVATION_NONCE_SIZE); 4085dae460cSEric Biggers break; 4095dae460cSEric Biggers case FSCRYPT_CONTEXT_V2: 4105dae460cSEric Biggers memcpy(crypt_info->ci_nonce, ctx.v2.nonce, 4115dae460cSEric Biggers FS_KEY_DERIVATION_NONCE_SIZE); 4125dae460cSEric Biggers break; 4135dae460cSEric Biggers default: 4145dae460cSEric Biggers WARN_ON(1); 4155dae460cSEric Biggers res = -EINVAL; 4165dae460cSEric Biggers goto out; 4175dae460cSEric Biggers } 4185dae460cSEric Biggers 4195dae460cSEric Biggers if (!fscrypt_supported_policy(&crypt_info->ci_policy, inode)) { 4205dae460cSEric Biggers res = -EINVAL; 4215dae460cSEric Biggers goto out; 4225dae460cSEric Biggers } 4235dae460cSEric Biggers 4245dae460cSEric Biggers mode = select_encryption_mode(&crypt_info->ci_policy, inode); 425feed8258SEric Biggers if (IS_ERR(mode)) { 426feed8258SEric Biggers res = PTR_ERR(mode); 427feed8258SEric Biggers goto out; 428feed8258SEric Biggers } 429feed8258SEric Biggers WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE); 430feed8258SEric Biggers crypt_info->ci_mode = mode; 431feed8258SEric Biggers 432b1c0ec35SEric Biggers res = setup_file_encryption_key(crypt_info, &master_key); 433feed8258SEric Biggers if (res) 434feed8258SEric Biggers goto out; 435feed8258SEric Biggers 436b1c0ec35SEric Biggers if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) { 437b1c0ec35SEric Biggers if (master_key) { 438b1c0ec35SEric Biggers struct fscrypt_master_key *mk = 439b1c0ec35SEric Biggers master_key->payload.data[0]; 440b1c0ec35SEric Biggers 441b1c0ec35SEric Biggers refcount_inc(&mk->mk_refcount); 442b1c0ec35SEric Biggers crypt_info->ci_master_key = key_get(master_key); 443b1c0ec35SEric Biggers spin_lock(&mk->mk_decrypted_inodes_lock); 444b1c0ec35SEric Biggers list_add(&crypt_info->ci_master_key_link, 445b1c0ec35SEric Biggers &mk->mk_decrypted_inodes); 446b1c0ec35SEric Biggers spin_unlock(&mk->mk_decrypted_inodes_lock); 447b1c0ec35SEric Biggers } 448feed8258SEric Biggers crypt_info = NULL; 449b1c0ec35SEric Biggers } 450b1c0ec35SEric Biggers res = 0; 451feed8258SEric Biggers out: 452b1c0ec35SEric Biggers if (master_key) { 45323c688b5SEric Biggers struct fscrypt_master_key *mk = master_key->payload.data[0]; 45423c688b5SEric Biggers 45523c688b5SEric Biggers up_read(&mk->mk_secret_sem); 456b1c0ec35SEric Biggers key_put(master_key); 457b1c0ec35SEric Biggers } 458feed8258SEric Biggers if (res == -ENOKEY) 459feed8258SEric Biggers res = 0; 460feed8258SEric Biggers put_crypt_info(crypt_info); 461feed8258SEric Biggers return res; 462feed8258SEric Biggers } 463feed8258SEric Biggers EXPORT_SYMBOL(fscrypt_get_encryption_info); 464feed8258SEric Biggers 465feed8258SEric Biggers /** 466feed8258SEric Biggers * fscrypt_put_encryption_info - free most of an inode's fscrypt data 467feed8258SEric Biggers * 468feed8258SEric Biggers * Free the inode's fscrypt_info. Filesystems must call this when the inode is 469feed8258SEric Biggers * being evicted. An RCU grace period need not have elapsed yet. 470feed8258SEric Biggers */ 471feed8258SEric Biggers void fscrypt_put_encryption_info(struct inode *inode) 472feed8258SEric Biggers { 473feed8258SEric Biggers put_crypt_info(inode->i_crypt_info); 474feed8258SEric Biggers inode->i_crypt_info = NULL; 475feed8258SEric Biggers } 476feed8258SEric Biggers EXPORT_SYMBOL(fscrypt_put_encryption_info); 477feed8258SEric Biggers 478feed8258SEric Biggers /** 479feed8258SEric Biggers * fscrypt_free_inode - free an inode's fscrypt data requiring RCU delay 480feed8258SEric Biggers * 481feed8258SEric Biggers * Free the inode's cached decrypted symlink target, if any. Filesystems must 482feed8258SEric Biggers * call this after an RCU grace period, just before they free the inode. 483feed8258SEric Biggers */ 484feed8258SEric Biggers void fscrypt_free_inode(struct inode *inode) 485feed8258SEric Biggers { 486feed8258SEric Biggers if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) { 487feed8258SEric Biggers kfree(inode->i_link); 488feed8258SEric Biggers inode->i_link = NULL; 489feed8258SEric Biggers } 490feed8258SEric Biggers } 491feed8258SEric Biggers EXPORT_SYMBOL(fscrypt_free_inode); 492b1c0ec35SEric Biggers 493b1c0ec35SEric Biggers /** 494b1c0ec35SEric Biggers * fscrypt_drop_inode - check whether the inode's master key has been removed 495b1c0ec35SEric Biggers * 496b1c0ec35SEric Biggers * Filesystems supporting fscrypt must call this from their ->drop_inode() 497b1c0ec35SEric Biggers * method so that encrypted inodes are evicted as soon as they're no longer in 498b1c0ec35SEric Biggers * use and their master key has been removed. 499b1c0ec35SEric Biggers * 500b1c0ec35SEric Biggers * Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0 501b1c0ec35SEric Biggers */ 502b1c0ec35SEric Biggers int fscrypt_drop_inode(struct inode *inode) 503b1c0ec35SEric Biggers { 504b1c0ec35SEric Biggers const struct fscrypt_info *ci = READ_ONCE(inode->i_crypt_info); 505b1c0ec35SEric Biggers const struct fscrypt_master_key *mk; 506b1c0ec35SEric Biggers 507b1c0ec35SEric Biggers /* 508b1c0ec35SEric Biggers * If ci is NULL, then the inode doesn't have an encryption key set up 509b1c0ec35SEric Biggers * so it's irrelevant. If ci_master_key is NULL, then the master key 510b1c0ec35SEric Biggers * was provided via the legacy mechanism of the process-subscribed 511b1c0ec35SEric Biggers * keyrings, so we don't know whether it's been removed or not. 512b1c0ec35SEric Biggers */ 513b1c0ec35SEric Biggers if (!ci || !ci->ci_master_key) 514b1c0ec35SEric Biggers return 0; 515b1c0ec35SEric Biggers mk = ci->ci_master_key->payload.data[0]; 516b1c0ec35SEric Biggers 517b1c0ec35SEric Biggers /* 51823c688b5SEric Biggers * Note: since we aren't holding ->mk_secret_sem, the result here can 519b1c0ec35SEric Biggers * immediately become outdated. But there's no correctness problem with 520b1c0ec35SEric Biggers * unnecessarily evicting. Nor is there a correctness problem with not 521b1c0ec35SEric Biggers * evicting while iput() is racing with the key being removed, since 522b1c0ec35SEric Biggers * then the thread removing the key will either evict the inode itself 523b1c0ec35SEric Biggers * or will correctly detect that it wasn't evicted due to the race. 524b1c0ec35SEric Biggers */ 525b1c0ec35SEric Biggers return !is_master_key_secret_present(&mk->mk_secret); 526b1c0ec35SEric Biggers } 527b1c0ec35SEric Biggers EXPORT_SYMBOL_GPL(fscrypt_drop_inode); 528