1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Large capacity key type 3 * 4 * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 5 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. 6 * Written by David Howells (dhowells@redhat.com) 7 */ 8 9 #define pr_fmt(fmt) "big_key: "fmt 10 #include <linux/init.h> 11 #include <linux/seq_file.h> 12 #include <linux/file.h> 13 #include <linux/shmem_fs.h> 14 #include <linux/err.h> 15 #include <linux/scatterlist.h> 16 #include <linux/random.h> 17 #include <linux/vmalloc.h> 18 #include <keys/user-type.h> 19 #include <keys/big_key-type.h> 20 #include <crypto/aead.h> 21 #include <crypto/gcm.h> 22 23 struct big_key_buf { 24 unsigned int nr_pages; 25 void *virt; 26 struct scatterlist *sg; 27 struct page *pages[]; 28 }; 29 30 /* 31 * Layout of key payload words. 32 */ 33 enum { 34 big_key_data, 35 big_key_path, 36 big_key_path_2nd_part, 37 big_key_len, 38 }; 39 40 /* 41 * Crypto operation with big_key data 42 */ 43 enum big_key_op { 44 BIG_KEY_ENC, 45 BIG_KEY_DEC, 46 }; 47 48 /* 49 * If the data is under this limit, there's no point creating a shm file to 50 * hold it as the permanently resident metadata for the shmem fs will be at 51 * least as large as the data. 52 */ 53 #define BIG_KEY_FILE_THRESHOLD (sizeof(struct inode) + sizeof(struct dentry)) 54 55 /* 56 * Key size for big_key data encryption 57 */ 58 #define ENC_KEY_SIZE 32 59 60 /* 61 * Authentication tag length 62 */ 63 #define ENC_AUTHTAG_SIZE 16 64 65 /* 66 * big_key defined keys take an arbitrary string as the description and an 67 * arbitrary blob of data as the payload 68 */ 69 struct key_type key_type_big_key = { 70 .name = "big_key", 71 .preparse = big_key_preparse, 72 .free_preparse = big_key_free_preparse, 73 .instantiate = generic_key_instantiate, 74 .revoke = big_key_revoke, 75 .destroy = big_key_destroy, 76 .describe = big_key_describe, 77 .read = big_key_read, 78 /* no ->update(); don't add it without changing big_key_crypt() nonce */ 79 }; 80 81 /* 82 * Crypto names for big_key data authenticated encryption 83 */ 84 static const char big_key_alg_name[] = "gcm(aes)"; 85 #define BIG_KEY_IV_SIZE GCM_AES_IV_SIZE 86 87 /* 88 * Crypto algorithms for big_key data authenticated encryption 89 */ 90 static struct crypto_aead *big_key_aead; 91 92 /* 93 * Since changing the key affects the entire object, we need a mutex. 94 */ 95 static DEFINE_MUTEX(big_key_aead_lock); 96 97 /* 98 * Encrypt/decrypt big_key data 99 */ 100 static int big_key_crypt(enum big_key_op op, struct big_key_buf *buf, size_t datalen, u8 *key) 101 { 102 int ret; 103 struct aead_request *aead_req; 104 /* We always use a zero nonce. The reason we can get away with this is 105 * because we're using a different randomly generated key for every 106 * different encryption. Notably, too, key_type_big_key doesn't define 107 * an .update function, so there's no chance we'll wind up reusing the 108 * key to encrypt updated data. Simply put: one key, one encryption. 109 */ 110 u8 zero_nonce[BIG_KEY_IV_SIZE]; 111 112 aead_req = aead_request_alloc(big_key_aead, GFP_KERNEL); 113 if (!aead_req) 114 return -ENOMEM; 115 116 memset(zero_nonce, 0, sizeof(zero_nonce)); 117 aead_request_set_crypt(aead_req, buf->sg, buf->sg, datalen, zero_nonce); 118 aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); 119 aead_request_set_ad(aead_req, 0); 120 121 mutex_lock(&big_key_aead_lock); 122 if (crypto_aead_setkey(big_key_aead, key, ENC_KEY_SIZE)) { 123 ret = -EAGAIN; 124 goto error; 125 } 126 if (op == BIG_KEY_ENC) 127 ret = crypto_aead_encrypt(aead_req); 128 else 129 ret = crypto_aead_decrypt(aead_req); 130 error: 131 mutex_unlock(&big_key_aead_lock); 132 aead_request_free(aead_req); 133 return ret; 134 } 135 136 /* 137 * Free up the buffer. 138 */ 139 static void big_key_free_buffer(struct big_key_buf *buf) 140 { 141 unsigned int i; 142 143 if (buf->virt) { 144 memset(buf->virt, 0, buf->nr_pages * PAGE_SIZE); 145 vunmap(buf->virt); 146 } 147 148 for (i = 0; i < buf->nr_pages; i++) 149 if (buf->pages[i]) 150 __free_page(buf->pages[i]); 151 152 kfree(buf); 153 } 154 155 /* 156 * Allocate a buffer consisting of a set of pages with a virtual mapping 157 * applied over them. 158 */ 159 static void *big_key_alloc_buffer(size_t len) 160 { 161 struct big_key_buf *buf; 162 unsigned int npg = (len + PAGE_SIZE - 1) >> PAGE_SHIFT; 163 unsigned int i, l; 164 165 buf = kzalloc(sizeof(struct big_key_buf) + 166 sizeof(struct page) * npg + 167 sizeof(struct scatterlist) * npg, 168 GFP_KERNEL); 169 if (!buf) 170 return NULL; 171 172 buf->nr_pages = npg; 173 buf->sg = (void *)(buf->pages + npg); 174 sg_init_table(buf->sg, npg); 175 176 for (i = 0; i < buf->nr_pages; i++) { 177 buf->pages[i] = alloc_page(GFP_KERNEL); 178 if (!buf->pages[i]) 179 goto nomem; 180 181 l = min_t(size_t, len, PAGE_SIZE); 182 sg_set_page(&buf->sg[i], buf->pages[i], l, 0); 183 len -= l; 184 } 185 186 buf->virt = vmap(buf->pages, buf->nr_pages, VM_MAP, PAGE_KERNEL); 187 if (!buf->virt) 188 goto nomem; 189 190 return buf; 191 192 nomem: 193 big_key_free_buffer(buf); 194 return NULL; 195 } 196 197 /* 198 * Preparse a big key 199 */ 200 int big_key_preparse(struct key_preparsed_payload *prep) 201 { 202 struct big_key_buf *buf; 203 struct path *path = (struct path *)&prep->payload.data[big_key_path]; 204 struct file *file; 205 u8 *enckey; 206 ssize_t written; 207 size_t datalen = prep->datalen, enclen = datalen + ENC_AUTHTAG_SIZE; 208 int ret; 209 210 if (datalen <= 0 || datalen > 1024 * 1024 || !prep->data) 211 return -EINVAL; 212 213 /* Set an arbitrary quota */ 214 prep->quotalen = 16; 215 216 prep->payload.data[big_key_len] = (void *)(unsigned long)datalen; 217 218 if (datalen > BIG_KEY_FILE_THRESHOLD) { 219 /* Create a shmem file to store the data in. This will permit the data 220 * to be swapped out if needed. 221 * 222 * File content is stored encrypted with randomly generated key. 223 */ 224 loff_t pos = 0; 225 226 buf = big_key_alloc_buffer(enclen); 227 if (!buf) 228 return -ENOMEM; 229 memcpy(buf->virt, prep->data, datalen); 230 231 /* generate random key */ 232 enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL); 233 if (!enckey) { 234 ret = -ENOMEM; 235 goto error; 236 } 237 ret = get_random_bytes_wait(enckey, ENC_KEY_SIZE); 238 if (unlikely(ret)) 239 goto err_enckey; 240 241 /* encrypt aligned data */ 242 ret = big_key_crypt(BIG_KEY_ENC, buf, datalen, enckey); 243 if (ret) 244 goto err_enckey; 245 246 /* save aligned data to file */ 247 file = shmem_kernel_file_setup("", enclen, 0); 248 if (IS_ERR(file)) { 249 ret = PTR_ERR(file); 250 goto err_enckey; 251 } 252 253 written = kernel_write(file, buf->virt, enclen, &pos); 254 if (written != enclen) { 255 ret = written; 256 if (written >= 0) 257 ret = -ENOMEM; 258 goto err_fput; 259 } 260 261 /* Pin the mount and dentry to the key so that we can open it again 262 * later 263 */ 264 prep->payload.data[big_key_data] = enckey; 265 *path = file->f_path; 266 path_get(path); 267 fput(file); 268 big_key_free_buffer(buf); 269 } else { 270 /* Just store the data in a buffer */ 271 void *data = kmalloc(datalen, GFP_KERNEL); 272 273 if (!data) 274 return -ENOMEM; 275 276 prep->payload.data[big_key_data] = data; 277 memcpy(data, prep->data, prep->datalen); 278 } 279 return 0; 280 281 err_fput: 282 fput(file); 283 err_enckey: 284 kzfree(enckey); 285 error: 286 big_key_free_buffer(buf); 287 return ret; 288 } 289 290 /* 291 * Clear preparsement. 292 */ 293 void big_key_free_preparse(struct key_preparsed_payload *prep) 294 { 295 if (prep->datalen > BIG_KEY_FILE_THRESHOLD) { 296 struct path *path = (struct path *)&prep->payload.data[big_key_path]; 297 298 path_put(path); 299 } 300 kzfree(prep->payload.data[big_key_data]); 301 } 302 303 /* 304 * dispose of the links from a revoked keyring 305 * - called with the key sem write-locked 306 */ 307 void big_key_revoke(struct key *key) 308 { 309 struct path *path = (struct path *)&key->payload.data[big_key_path]; 310 311 /* clear the quota */ 312 key_payload_reserve(key, 0); 313 if (key_is_positive(key) && 314 (size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD) 315 vfs_truncate(path, 0); 316 } 317 318 /* 319 * dispose of the data dangling from the corpse of a big_key key 320 */ 321 void big_key_destroy(struct key *key) 322 { 323 size_t datalen = (size_t)key->payload.data[big_key_len]; 324 325 if (datalen > BIG_KEY_FILE_THRESHOLD) { 326 struct path *path = (struct path *)&key->payload.data[big_key_path]; 327 328 path_put(path); 329 path->mnt = NULL; 330 path->dentry = NULL; 331 } 332 kzfree(key->payload.data[big_key_data]); 333 key->payload.data[big_key_data] = NULL; 334 } 335 336 /* 337 * describe the big_key key 338 */ 339 void big_key_describe(const struct key *key, struct seq_file *m) 340 { 341 size_t datalen = (size_t)key->payload.data[big_key_len]; 342 343 seq_puts(m, key->description); 344 345 if (key_is_positive(key)) 346 seq_printf(m, ": %zu [%s]", 347 datalen, 348 datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff"); 349 } 350 351 /* 352 * read the key data 353 * - the key's semaphore is read-locked 354 */ 355 long big_key_read(const struct key *key, char *buffer, size_t buflen) 356 { 357 size_t datalen = (size_t)key->payload.data[big_key_len]; 358 long ret; 359 360 if (!buffer || buflen < datalen) 361 return datalen; 362 363 if (datalen > BIG_KEY_FILE_THRESHOLD) { 364 struct big_key_buf *buf; 365 struct path *path = (struct path *)&key->payload.data[big_key_path]; 366 struct file *file; 367 u8 *enckey = (u8 *)key->payload.data[big_key_data]; 368 size_t enclen = datalen + ENC_AUTHTAG_SIZE; 369 loff_t pos = 0; 370 371 buf = big_key_alloc_buffer(enclen); 372 if (!buf) 373 return -ENOMEM; 374 375 file = dentry_open(path, O_RDONLY, current_cred()); 376 if (IS_ERR(file)) { 377 ret = PTR_ERR(file); 378 goto error; 379 } 380 381 /* read file to kernel and decrypt */ 382 ret = kernel_read(file, buf->virt, enclen, &pos); 383 if (ret >= 0 && ret != enclen) { 384 ret = -EIO; 385 goto err_fput; 386 } 387 388 ret = big_key_crypt(BIG_KEY_DEC, buf, enclen, enckey); 389 if (ret) 390 goto err_fput; 391 392 ret = datalen; 393 394 /* copy out decrypted data */ 395 memcpy(buffer, buf->virt, datalen); 396 397 err_fput: 398 fput(file); 399 error: 400 big_key_free_buffer(buf); 401 } else { 402 ret = datalen; 403 memcpy(buffer, key->payload.data[big_key_data], datalen); 404 } 405 406 return ret; 407 } 408 409 /* 410 * Register key type 411 */ 412 static int __init big_key_init(void) 413 { 414 int ret; 415 416 /* init block cipher */ 417 big_key_aead = crypto_alloc_aead(big_key_alg_name, 0, CRYPTO_ALG_ASYNC); 418 if (IS_ERR(big_key_aead)) { 419 ret = PTR_ERR(big_key_aead); 420 pr_err("Can't alloc crypto: %d\n", ret); 421 return ret; 422 } 423 424 if (unlikely(crypto_aead_ivsize(big_key_aead) != BIG_KEY_IV_SIZE)) { 425 WARN(1, "big key algorithm changed?"); 426 ret = -EINVAL; 427 goto free_aead; 428 } 429 430 ret = crypto_aead_setauthsize(big_key_aead, ENC_AUTHTAG_SIZE); 431 if (ret < 0) { 432 pr_err("Can't set crypto auth tag len: %d\n", ret); 433 goto free_aead; 434 } 435 436 ret = register_key_type(&key_type_big_key); 437 if (ret < 0) { 438 pr_err("Can't register type: %d\n", ret); 439 goto free_aead; 440 } 441 442 return 0; 443 444 free_aead: 445 crypto_free_aead(big_key_aead); 446 return ret; 447 } 448 449 late_initcall(big_key_init); 450