1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * fscrypt.h: declarations for per-file encryption 4 * 5 * Filesystems that implement per-file encryption include this header 6 * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem 7 * is being built with encryption support or not. 8 * 9 * Copyright (C) 2015, Google, Inc. 10 * 11 * Written by Michael Halcrow, 2015. 12 * Modified by Jaegeuk Kim, 2015. 13 */ 14 #ifndef _LINUX_FSCRYPT_H 15 #define _LINUX_FSCRYPT_H 16 17 #include <linux/key.h> 18 #include <linux/fs.h> 19 #include <linux/mm.h> 20 #include <linux/bio.h> 21 #include <linux/dcache.h> 22 #include <crypto/skcipher.h> 23 #include <uapi/linux/fs.h> 24 25 #define FS_CRYPTO_BLOCK_SIZE 16 26 27 struct fscrypt_info; 28 29 struct fscrypt_ctx { 30 union { 31 struct { 32 struct page *bounce_page; /* Ciphertext page */ 33 struct page *control_page; /* Original page */ 34 } w; 35 struct { 36 struct bio *bio; 37 struct work_struct work; 38 } r; 39 struct list_head free_list; /* Free list */ 40 }; 41 u8 flags; /* Flags */ 42 }; 43 44 /** 45 * For encrypted symlinks, the ciphertext length is stored at the beginning 46 * of the string in little-endian format. 47 */ 48 struct fscrypt_symlink_data { 49 __le16 len; 50 char encrypted_path[1]; 51 } __packed; 52 53 struct fscrypt_str { 54 unsigned char *name; 55 u32 len; 56 }; 57 58 struct fscrypt_name { 59 const struct qstr *usr_fname; 60 struct fscrypt_str disk_name; 61 u32 hash; 62 u32 minor_hash; 63 struct fscrypt_str crypto_buf; 64 }; 65 66 #define FSTR_INIT(n, l) { .name = n, .len = l } 67 #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) 68 #define fname_name(p) ((p)->disk_name.name) 69 #define fname_len(p) ((p)->disk_name.len) 70 71 /* 72 * fscrypt superblock flags 73 */ 74 #define FS_CFLG_OWN_PAGES (1U << 1) 75 76 /* 77 * crypto opertions for filesystems 78 */ 79 struct fscrypt_operations { 80 unsigned int flags; 81 const char *key_prefix; 82 int (*get_context)(struct inode *, void *, size_t); 83 int (*set_context)(struct inode *, const void *, size_t, void *); 84 bool (*dummy_context)(struct inode *); 85 bool (*empty_dir)(struct inode *); 86 unsigned (*max_namelen)(struct inode *); 87 }; 88 89 /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ 90 #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 91 92 static inline bool fscrypt_dummy_context_enabled(struct inode *inode) 93 { 94 if (inode->i_sb->s_cop->dummy_context && 95 inode->i_sb->s_cop->dummy_context(inode)) 96 return true; 97 return false; 98 } 99 100 static inline bool fscrypt_valid_enc_modes(u32 contents_mode, 101 u32 filenames_mode) 102 { 103 if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC && 104 filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS) 105 return true; 106 107 if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS && 108 filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) 109 return true; 110 111 return false; 112 } 113 114 static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) 115 { 116 if (str->len == 1 && str->name[0] == '.') 117 return true; 118 119 if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') 120 return true; 121 122 return false; 123 } 124 125 #if __FS_HAS_ENCRYPTION 126 127 static inline struct page *fscrypt_control_page(struct page *page) 128 { 129 return ((struct fscrypt_ctx *)page_private(page))->w.control_page; 130 } 131 132 static inline bool fscrypt_has_encryption_key(const struct inode *inode) 133 { 134 return (inode->i_crypt_info != NULL); 135 } 136 137 #include <linux/fscrypt_supp.h> 138 139 #else /* !__FS_HAS_ENCRYPTION */ 140 141 static inline struct page *fscrypt_control_page(struct page *page) 142 { 143 WARN_ON_ONCE(1); 144 return ERR_PTR(-EINVAL); 145 } 146 147 static inline bool fscrypt_has_encryption_key(const struct inode *inode) 148 { 149 return 0; 150 } 151 152 #include <linux/fscrypt_notsupp.h> 153 #endif /* __FS_HAS_ENCRYPTION */ 154 155 /** 156 * fscrypt_require_key - require an inode's encryption key 157 * @inode: the inode we need the key for 158 * 159 * If the inode is encrypted, set up its encryption key if not already done. 160 * Then require that the key be present and return -ENOKEY otherwise. 161 * 162 * No locks are needed, and the key will live as long as the struct inode --- so 163 * it won't go away from under you. 164 * 165 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code 166 * if a problem occurred while setting up the encryption key. 167 */ 168 static inline int fscrypt_require_key(struct inode *inode) 169 { 170 if (IS_ENCRYPTED(inode)) { 171 int err = fscrypt_get_encryption_info(inode); 172 173 if (err) 174 return err; 175 if (!fscrypt_has_encryption_key(inode)) 176 return -ENOKEY; 177 } 178 return 0; 179 } 180 181 /** 182 * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory 183 * @old_dentry: an existing dentry for the inode being linked 184 * @dir: the target directory 185 * @dentry: negative dentry for the target filename 186 * 187 * A new link can only be added to an encrypted directory if the directory's 188 * encryption key is available --- since otherwise we'd have no way to encrypt 189 * the filename. Therefore, we first set up the directory's encryption key (if 190 * not already done) and return an error if it's unavailable. 191 * 192 * We also verify that the link will not violate the constraint that all files 193 * in an encrypted directory tree use the same encryption policy. 194 * 195 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, 196 * -EPERM if the link would result in an inconsistent encryption policy, or 197 * another -errno code. 198 */ 199 static inline int fscrypt_prepare_link(struct dentry *old_dentry, 200 struct inode *dir, 201 struct dentry *dentry) 202 { 203 if (IS_ENCRYPTED(dir)) 204 return __fscrypt_prepare_link(d_inode(old_dentry), dir); 205 return 0; 206 } 207 208 /** 209 * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories 210 * @old_dir: source directory 211 * @old_dentry: dentry for source file 212 * @new_dir: target directory 213 * @new_dentry: dentry for target location (may be negative unless exchanging) 214 * @flags: rename flags (we care at least about %RENAME_EXCHANGE) 215 * 216 * Prepare for ->rename() where the source and/or target directories may be 217 * encrypted. A new link can only be added to an encrypted directory if the 218 * directory's encryption key is available --- since otherwise we'd have no way 219 * to encrypt the filename. A rename to an existing name, on the other hand, 220 * *is* cryptographically possible without the key. However, we take the more 221 * conservative approach and just forbid all no-key renames. 222 * 223 * We also verify that the rename will not violate the constraint that all files 224 * in an encrypted directory tree use the same encryption policy. 225 * 226 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the 227 * rename would cause inconsistent encryption policies, or another -errno code. 228 */ 229 static inline int fscrypt_prepare_rename(struct inode *old_dir, 230 struct dentry *old_dentry, 231 struct inode *new_dir, 232 struct dentry *new_dentry, 233 unsigned int flags) 234 { 235 if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) 236 return __fscrypt_prepare_rename(old_dir, old_dentry, 237 new_dir, new_dentry, flags); 238 return 0; 239 } 240 241 /** 242 * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory 243 * @dir: directory being searched 244 * @dentry: filename being looked up 245 * @flags: lookup flags 246 * 247 * Prepare for ->lookup() in a directory which may be encrypted. Lookups can be 248 * done with or without the directory's encryption key; without the key, 249 * filenames are presented in encrypted form. Therefore, we'll try to set up 250 * the directory's encryption key, but even without it the lookup can continue. 251 * 252 * To allow invalidating stale dentries if the directory's encryption key is 253 * added later, we also install a custom ->d_revalidate() method and use the 254 * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a 255 * plaintext name (flag set) or a ciphertext name (flag cleared). 256 * 257 * Return: 0 on success, -errno if a problem occurred while setting up the 258 * encryption key 259 */ 260 static inline int fscrypt_prepare_lookup(struct inode *dir, 261 struct dentry *dentry, 262 unsigned int flags) 263 { 264 if (IS_ENCRYPTED(dir)) 265 return __fscrypt_prepare_lookup(dir, dentry); 266 return 0; 267 } 268 269 /** 270 * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes 271 * @dentry: dentry through which the inode is being changed 272 * @attr: attributes to change 273 * 274 * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, 275 * most attribute changes are allowed even without the encryption key. However, 276 * without the encryption key we do have to forbid truncates. This is needed 277 * because the size being truncated to may not be a multiple of the filesystem 278 * block size, and in that case we'd have to decrypt the final block, zero the 279 * portion past i_size, and re-encrypt it. (We *could* allow truncating to a 280 * filesystem block boundary, but it's simpler to just forbid all truncates --- 281 * and we already forbid all other contents modifications without the key.) 282 * 283 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code 284 * if a problem occurred while setting up the encryption key. 285 */ 286 static inline int fscrypt_prepare_setattr(struct dentry *dentry, 287 struct iattr *attr) 288 { 289 if (attr->ia_valid & ATTR_SIZE) 290 return fscrypt_require_key(d_inode(dentry)); 291 return 0; 292 } 293 294 #endif /* _LINUX_FSCRYPT_H */ 295