Commit | Line | Data |
---|---|---|
b2441318 | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
3325bea5 TT |
2 | /* |
3 | * fscrypt_private.h | |
4 | * | |
5 | * Copyright (C) 2015, Google, Inc. | |
6 | * | |
3ec4f2a6 EB |
7 | * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar. |
8 | * Heavily modified since then. | |
3325bea5 TT |
9 | */ |
10 | ||
11 | #ifndef _FSCRYPT_PRIVATE_H | |
12 | #define _FSCRYPT_PRIVATE_H | |
13 | ||
734f0d24 | 14 | #include <linux/fscrypt.h> |
b7e7cf7a | 15 | #include <crypto/hash.h> |
3325bea5 | 16 | |
22d94f49 EB |
17 | #define CONST_STRLEN(str) (sizeof(str) - 1) |
18 | ||
11b8818e | 19 | #define FS_KEY_DERIVATION_NONCE_SIZE 16 |
cc4e0df0 | 20 | |
22d94f49 EB |
21 | #define FSCRYPT_MIN_KEY_SIZE 16 |
22 | ||
5dae460c EB |
23 | #define FSCRYPT_CONTEXT_V1 1 |
24 | #define FSCRYPT_CONTEXT_V2 2 | |
25 | ||
26 | struct fscrypt_context_v1 { | |
27 | u8 version; /* FSCRYPT_CONTEXT_V1 */ | |
cc4e0df0 TT |
28 | u8 contents_encryption_mode; |
29 | u8 filenames_encryption_mode; | |
30 | u8 flags; | |
3b6df59b | 31 | u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; |
cc4e0df0 | 32 | u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; |
5dae460c | 33 | }; |
cc4e0df0 | 34 | |
5dae460c EB |
35 | struct fscrypt_context_v2 { |
36 | u8 version; /* FSCRYPT_CONTEXT_V2 */ | |
37 | u8 contents_encryption_mode; | |
38 | u8 filenames_encryption_mode; | |
39 | u8 flags; | |
40 | u8 __reserved[4]; | |
41 | u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; | |
42 | u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; | |
43 | }; | |
44 | ||
45 | /** | |
46 | * fscrypt_context - the encryption context of an inode | |
47 | * | |
48 | * This is the on-disk equivalent of an fscrypt_policy, stored alongside each | |
49 | * encrypted file usually in a hidden extended attribute. It contains the | |
50 | * fields from the fscrypt_policy, in order to identify the encryption algorithm | |
51 | * and key with which the file is encrypted. It also contains a nonce that was | |
52 | * randomly generated by fscrypt itself; this is used as KDF input or as a tweak | |
53 | * to cause different files to be encrypted differently. | |
54 | */ | |
55 | union fscrypt_context { | |
56 | u8 version; | |
57 | struct fscrypt_context_v1 v1; | |
58 | struct fscrypt_context_v2 v2; | |
59 | }; | |
60 | ||
61 | /* | |
62 | * Return the size expected for the given fscrypt_context based on its version | |
63 | * number, or 0 if the context version is unrecognized. | |
64 | */ | |
65 | static inline int fscrypt_context_size(const union fscrypt_context *ctx) | |
66 | { | |
67 | switch (ctx->version) { | |
68 | case FSCRYPT_CONTEXT_V1: | |
69 | BUILD_BUG_ON(sizeof(ctx->v1) != 28); | |
70 | return sizeof(ctx->v1); | |
71 | case FSCRYPT_CONTEXT_V2: | |
72 | BUILD_BUG_ON(sizeof(ctx->v2) != 40); | |
73 | return sizeof(ctx->v2); | |
74 | } | |
75 | return 0; | |
76 | } | |
77 | ||
78 | #undef fscrypt_policy | |
79 | union fscrypt_policy { | |
80 | u8 version; | |
81 | struct fscrypt_policy_v1 v1; | |
82 | struct fscrypt_policy_v2 v2; | |
83 | }; | |
84 | ||
85 | /* | |
86 | * Return the size expected for the given fscrypt_policy based on its version | |
87 | * number, or 0 if the policy version is unrecognized. | |
88 | */ | |
89 | static inline int fscrypt_policy_size(const union fscrypt_policy *policy) | |
90 | { | |
91 | switch (policy->version) { | |
92 | case FSCRYPT_POLICY_V1: | |
93 | return sizeof(policy->v1); | |
94 | case FSCRYPT_POLICY_V2: | |
95 | return sizeof(policy->v2); | |
96 | } | |
97 | return 0; | |
98 | } | |
99 | ||
100 | /* Return the contents encryption mode of a valid encryption policy */ | |
101 | static inline u8 | |
102 | fscrypt_policy_contents_mode(const union fscrypt_policy *policy) | |
103 | { | |
104 | switch (policy->version) { | |
105 | case FSCRYPT_POLICY_V1: | |
106 | return policy->v1.contents_encryption_mode; | |
107 | case FSCRYPT_POLICY_V2: | |
108 | return policy->v2.contents_encryption_mode; | |
109 | } | |
110 | BUG(); | |
111 | } | |
112 | ||
113 | /* Return the filenames encryption mode of a valid encryption policy */ | |
114 | static inline u8 | |
115 | fscrypt_policy_fnames_mode(const union fscrypt_policy *policy) | |
116 | { | |
117 | switch (policy->version) { | |
118 | case FSCRYPT_POLICY_V1: | |
119 | return policy->v1.filenames_encryption_mode; | |
120 | case FSCRYPT_POLICY_V2: | |
121 | return policy->v2.filenames_encryption_mode; | |
122 | } | |
123 | BUG(); | |
124 | } | |
125 | ||
126 | /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */ | |
127 | static inline u8 | |
128 | fscrypt_policy_flags(const union fscrypt_policy *policy) | |
129 | { | |
130 | switch (policy->version) { | |
131 | case FSCRYPT_POLICY_V1: | |
132 | return policy->v1.flags; | |
133 | case FSCRYPT_POLICY_V2: | |
134 | return policy->v2.flags; | |
135 | } | |
136 | BUG(); | |
137 | } | |
138 | ||
139 | static inline bool | |
140 | fscrypt_is_direct_key_policy(const union fscrypt_policy *policy) | |
141 | { | |
142 | return fscrypt_policy_flags(policy) & FSCRYPT_POLICY_FLAG_DIRECT_KEY; | |
143 | } | |
cc4e0df0 | 144 | |
0eaab5b1 EB |
145 | /** |
146 | * For encrypted symlinks, the ciphertext length is stored at the beginning | |
147 | * of the string in little-endian format. | |
148 | */ | |
149 | struct fscrypt_symlink_data { | |
150 | __le16 len; | |
151 | char encrypted_path[1]; | |
152 | } __packed; | |
153 | ||
cc4e0df0 | 154 | /* |
8094c3ce EB |
155 | * fscrypt_info - the "encryption key" for an inode |
156 | * | |
157 | * When an encrypted file's key is made available, an instance of this struct is | |
158 | * allocated and stored in ->i_crypt_info. Once created, it remains until the | |
159 | * inode is evicted. | |
cc4e0df0 TT |
160 | */ |
161 | struct fscrypt_info { | |
8094c3ce EB |
162 | |
163 | /* The actual crypto transform used for encryption and decryption */ | |
164 | struct crypto_skcipher *ci_ctfm; | |
165 | ||
b103fb76 EB |
166 | /* True if the key should be freed when this fscrypt_info is freed */ |
167 | bool ci_owns_key; | |
168 | ||
8094c3ce | 169 | /* |
5dae460c EB |
170 | * Encryption mode used for this inode. It corresponds to either the |
171 | * contents or filenames encryption mode, depending on the inode type. | |
8094c3ce EB |
172 | */ |
173 | struct fscrypt_mode *ci_mode; | |
174 | ||
59dc6a8e EB |
175 | /* Back-pointer to the inode */ |
176 | struct inode *ci_inode; | |
177 | ||
b1c0ec35 EB |
178 | /* |
179 | * The master key with which this inode was unlocked (decrypted). This | |
180 | * will be NULL if the master key was found in a process-subscribed | |
181 | * keyring rather than in the filesystem-level keyring. | |
182 | */ | |
183 | struct key *ci_master_key; | |
184 | ||
185 | /* | |
186 | * Link in list of inodes that were unlocked with the master key. | |
187 | * Only used when ->ci_master_key is set. | |
188 | */ | |
189 | struct list_head ci_master_key_link; | |
190 | ||
8094c3ce | 191 | /* |
a828daab EB |
192 | * If non-NULL, then encryption is done using the master key directly |
193 | * and ci_ctfm will equal ci_direct_key->dk_ctfm. | |
8094c3ce | 194 | */ |
a828daab | 195 | struct fscrypt_direct_key *ci_direct_key; |
8094c3ce | 196 | |
5dae460c EB |
197 | /* The encryption policy used by this inode */ |
198 | union fscrypt_policy ci_policy; | |
199 | ||
200 | /* This inode's nonce, copied from the fscrypt_context */ | |
8094c3ce | 201 | u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE]; |
cc4e0df0 TT |
202 | }; |
203 | ||
58ae7468 RW |
204 | typedef enum { |
205 | FS_DECRYPT = 0, | |
206 | FS_ENCRYPT, | |
207 | } fscrypt_direction_t; | |
208 | ||
bb8179e5 EB |
209 | static inline bool fscrypt_valid_enc_modes(u32 contents_mode, |
210 | u32 filenames_mode) | |
211 | { | |
3b6df59b EB |
212 | if (contents_mode == FSCRYPT_MODE_AES_128_CBC && |
213 | filenames_mode == FSCRYPT_MODE_AES_128_CTS) | |
bb8179e5 EB |
214 | return true; |
215 | ||
3b6df59b EB |
216 | if (contents_mode == FSCRYPT_MODE_AES_256_XTS && |
217 | filenames_mode == FSCRYPT_MODE_AES_256_CTS) | |
bb8179e5 EB |
218 | return true; |
219 | ||
3b6df59b EB |
220 | if (contents_mode == FSCRYPT_MODE_ADIANTUM && |
221 | filenames_mode == FSCRYPT_MODE_ADIANTUM) | |
8094c3ce EB |
222 | return true; |
223 | ||
bb8179e5 EB |
224 | return false; |
225 | } | |
226 | ||
b98701df | 227 | /* crypto.c */ |
e4de782a | 228 | extern struct kmem_cache *fscrypt_info_cachep; |
58ae7468 | 229 | extern int fscrypt_initialize(unsigned int cop_flags); |
f47fcbb2 EB |
230 | extern int fscrypt_crypt_block(const struct inode *inode, |
231 | fscrypt_direction_t rw, u64 lblk_num, | |
232 | struct page *src_page, struct page *dest_page, | |
233 | unsigned int len, unsigned int offs, | |
234 | gfp_t gfp_flags); | |
d2d0727b | 235 | extern struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags); |
54222025 | 236 | extern const struct dentry_operations fscrypt_d_ops; |
b98701df | 237 | |
544d08fd | 238 | extern void __printf(3, 4) __cold |
886da8b3 | 239 | fscrypt_msg(const struct inode *inode, const char *level, const char *fmt, ...); |
544d08fd | 240 | |
886da8b3 EB |
241 | #define fscrypt_warn(inode, fmt, ...) \ |
242 | fscrypt_msg((inode), KERN_WARNING, fmt, ##__VA_ARGS__) | |
243 | #define fscrypt_err(inode, fmt, ...) \ | |
244 | fscrypt_msg((inode), KERN_ERR, fmt, ##__VA_ARGS__) | |
544d08fd | 245 | |
8094c3ce EB |
246 | #define FSCRYPT_MAX_IV_SIZE 32 |
247 | ||
248 | union fscrypt_iv { | |
249 | struct { | |
250 | /* logical block number within the file */ | |
251 | __le64 lblk_num; | |
252 | ||
253 | /* per-file nonce; only set in DIRECT_KEY mode */ | |
254 | u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; | |
255 | }; | |
256 | u8 raw[FSCRYPT_MAX_IV_SIZE]; | |
257 | }; | |
258 | ||
259 | void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, | |
260 | const struct fscrypt_info *ci); | |
261 | ||
76e81d6d | 262 | /* fname.c */ |
50c961de EB |
263 | extern int fname_encrypt(struct inode *inode, const struct qstr *iname, |
264 | u8 *out, unsigned int olen); | |
b9db0b4a EB |
265 | extern bool fscrypt_fname_encrypted_size(const struct inode *inode, |
266 | u32 orig_len, u32 max_len, | |
267 | u32 *encrypted_len_ret); | |
76e81d6d | 268 | |
c1144c9b EB |
269 | /* hkdf.c */ |
270 | ||
271 | struct fscrypt_hkdf { | |
272 | struct crypto_shash *hmac_tfm; | |
273 | }; | |
274 | ||
275 | extern int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, | |
276 | unsigned int master_key_size); | |
277 | ||
5dae460c EB |
278 | /* |
279 | * The list of contexts in which fscrypt uses HKDF. These values are used as | |
280 | * the first byte of the HKDF application-specific info string to guarantee that | |
281 | * info strings are never repeated between contexts. This ensures that all HKDF | |
282 | * outputs are unique and cryptographically isolated, i.e. knowledge of one | |
283 | * output doesn't reveal another. | |
284 | */ | |
285 | #define HKDF_CONTEXT_KEY_IDENTIFIER 1 | |
286 | #define HKDF_CONTEXT_PER_FILE_KEY 2 | |
b103fb76 EB |
287 | #define HKDF_CONTEXT_DIRECT_KEY 3 |
288 | #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY 4 | |
5dae460c | 289 | |
c1144c9b EB |
290 | extern int fscrypt_hkdf_expand(struct fscrypt_hkdf *hkdf, u8 context, |
291 | const u8 *info, unsigned int infolen, | |
292 | u8 *okm, unsigned int okmlen); | |
293 | ||
294 | extern void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf); | |
295 | ||
22d94f49 EB |
296 | /* keyring.c */ |
297 | ||
298 | /* | |
299 | * fscrypt_master_key_secret - secret key material of an in-use master key | |
300 | */ | |
301 | struct fscrypt_master_key_secret { | |
302 | ||
5dae460c EB |
303 | /* |
304 | * For v2 policy keys: HKDF context keyed by this master key. | |
305 | * For v1 policy keys: not set (hkdf.hmac_tfm == NULL). | |
306 | */ | |
307 | struct fscrypt_hkdf hkdf; | |
308 | ||
309 | /* Size of the raw key in bytes. Set even if ->raw isn't set. */ | |
22d94f49 EB |
310 | u32 size; |
311 | ||
5dae460c | 312 | /* For v1 policy keys: the raw key. Wiped for v2 policy keys. */ |
22d94f49 EB |
313 | u8 raw[FSCRYPT_MAX_KEY_SIZE]; |
314 | ||
315 | } __randomize_layout; | |
316 | ||
317 | /* | |
318 | * fscrypt_master_key - an in-use master key | |
319 | * | |
320 | * This represents a master encryption key which has been added to the | |
321 | * filesystem and can be used to "unlock" the encrypted files which were | |
322 | * encrypted with it. | |
323 | */ | |
324 | struct fscrypt_master_key { | |
325 | ||
b1c0ec35 EB |
326 | /* |
327 | * The secret key material. After FS_IOC_REMOVE_ENCRYPTION_KEY is | |
328 | * executed, this is wiped and no new inodes can be unlocked with this | |
329 | * key; however, there may still be inodes in ->mk_decrypted_inodes | |
330 | * which could not be evicted. As long as some inodes still remain, | |
331 | * FS_IOC_REMOVE_ENCRYPTION_KEY can be retried, or | |
332 | * FS_IOC_ADD_ENCRYPTION_KEY can add the secret again. | |
333 | * | |
23c688b5 EB |
334 | * Locking: protected by key->sem (outer) and mk_secret_sem (inner). |
335 | * The reason for two locks is that key->sem also protects modifying | |
336 | * mk_users, which ranks it above the semaphore for the keyring key | |
337 | * type, which is in turn above page faults (via keyring_read). But | |
338 | * sometimes filesystems call fscrypt_get_encryption_info() from within | |
339 | * a transaction, which ranks it below page faults. So we need a | |
340 | * separate lock which protects mk_secret but not also mk_users. | |
b1c0ec35 | 341 | */ |
22d94f49 | 342 | struct fscrypt_master_key_secret mk_secret; |
23c688b5 | 343 | struct rw_semaphore mk_secret_sem; |
22d94f49 | 344 | |
5dae460c EB |
345 | /* |
346 | * For v1 policy keys: an arbitrary key descriptor which was assigned by | |
347 | * userspace (->descriptor). | |
348 | * | |
349 | * For v2 policy keys: a cryptographic hash of this key (->identifier). | |
350 | */ | |
22d94f49 EB |
351 | struct fscrypt_key_specifier mk_spec; |
352 | ||
23c688b5 EB |
353 | /* |
354 | * Keyring which contains a key of type 'key_type_fscrypt_user' for each | |
355 | * user who has added this key. Normally each key will be added by just | |
356 | * one user, but it's possible that multiple users share a key, and in | |
357 | * that case we need to keep track of those users so that one user can't | |
358 | * remove the key before the others want it removed too. | |
359 | * | |
360 | * This is NULL for v1 policy keys; those can only be added by root. | |
361 | * | |
362 | * Locking: in addition to this keyrings own semaphore, this is | |
363 | * protected by the master key's key->sem, so we can do atomic | |
364 | * search+insert. It can also be searched without taking any locks, but | |
365 | * in that case the returned key may have already been removed. | |
366 | */ | |
367 | struct key *mk_users; | |
368 | ||
b1c0ec35 EB |
369 | /* |
370 | * Length of ->mk_decrypted_inodes, plus one if mk_secret is present. | |
371 | * Once this goes to 0, the master key is removed from ->s_master_keys. | |
372 | * The 'struct fscrypt_master_key' will continue to live as long as the | |
373 | * 'struct key' whose payload it is, but we won't let this reference | |
374 | * count rise again. | |
375 | */ | |
376 | refcount_t mk_refcount; | |
377 | ||
378 | /* | |
379 | * List of inodes that were unlocked using this key. This allows the | |
380 | * inodes to be evicted efficiently if the key is removed. | |
381 | */ | |
382 | struct list_head mk_decrypted_inodes; | |
383 | spinlock_t mk_decrypted_inodes_lock; | |
384 | ||
b103fb76 EB |
385 | /* Crypto API transforms for DIRECT_KEY policies, allocated on-demand */ |
386 | struct crypto_skcipher *mk_direct_tfms[__FSCRYPT_MODE_MAX + 1]; | |
387 | ||
388 | /* | |
389 | * Crypto API transforms for filesystem-layer implementation of | |
390 | * IV_INO_LBLK_64 policies, allocated on-demand. | |
391 | */ | |
392 | struct crypto_skcipher *mk_iv_ino_lblk_64_tfms[__FSCRYPT_MODE_MAX + 1]; | |
5dae460c | 393 | |
22d94f49 EB |
394 | } __randomize_layout; |
395 | ||
b1c0ec35 EB |
396 | static inline bool |
397 | is_master_key_secret_present(const struct fscrypt_master_key_secret *secret) | |
398 | { | |
399 | /* | |
400 | * The READ_ONCE() is only necessary for fscrypt_drop_inode() and | |
401 | * fscrypt_key_describe(). These run in atomic context, so they can't | |
23c688b5 EB |
402 | * take ->mk_secret_sem and thus 'secret' can change concurrently which |
403 | * would be a data race. But they only need to know whether the secret | |
404 | * *was* present at the time of check, so READ_ONCE() suffices. | |
b1c0ec35 EB |
405 | */ |
406 | return READ_ONCE(secret->size) != 0; | |
407 | } | |
408 | ||
22d94f49 EB |
409 | static inline const char *master_key_spec_type( |
410 | const struct fscrypt_key_specifier *spec) | |
411 | { | |
412 | switch (spec->type) { | |
413 | case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: | |
414 | return "descriptor"; | |
5dae460c EB |
415 | case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: |
416 | return "identifier"; | |
22d94f49 EB |
417 | } |
418 | return "[unknown]"; | |
419 | } | |
420 | ||
421 | static inline int master_key_spec_len(const struct fscrypt_key_specifier *spec) | |
422 | { | |
423 | switch (spec->type) { | |
424 | case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: | |
425 | return FSCRYPT_KEY_DESCRIPTOR_SIZE; | |
5dae460c EB |
426 | case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: |
427 | return FSCRYPT_KEY_IDENTIFIER_SIZE; | |
22d94f49 EB |
428 | } |
429 | return 0; | |
430 | } | |
431 | ||
432 | extern struct key * | |
433 | fscrypt_find_master_key(struct super_block *sb, | |
434 | const struct fscrypt_key_specifier *mk_spec); | |
435 | ||
5ab7189a EB |
436 | extern int fscrypt_verify_key_added(struct super_block *sb, |
437 | const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]); | |
438 | ||
22d94f49 EB |
439 | extern int __init fscrypt_init_keyring(void); |
440 | ||
feed8258 | 441 | /* keysetup.c */ |
8094c3ce EB |
442 | |
443 | struct fscrypt_mode { | |
444 | const char *friendly_name; | |
445 | const char *cipher_str; | |
446 | int keysize; | |
447 | int ivsize; | |
ff73c2c0 | 448 | int logged_impl_name; |
8094c3ce EB |
449 | }; |
450 | ||
3ec4f2a6 EB |
451 | static inline bool |
452 | fscrypt_mode_supports_direct_key(const struct fscrypt_mode *mode) | |
453 | { | |
454 | return mode->ivsize >= offsetofend(union fscrypt_iv, nonce); | |
455 | } | |
456 | ||
0109ce76 EB |
457 | extern struct crypto_skcipher * |
458 | fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, | |
459 | const struct inode *inode); | |
460 | ||
461 | extern int fscrypt_set_derived_key(struct fscrypt_info *ci, | |
462 | const u8 *derived_key); | |
463 | ||
464 | /* keysetup_v1.c */ | |
465 | ||
466 | extern void fscrypt_put_direct_key(struct fscrypt_direct_key *dk); | |
467 | ||
468 | extern int fscrypt_setup_v1_file_key(struct fscrypt_info *ci, | |
469 | const u8 *raw_master_key); | |
470 | ||
471 | extern int fscrypt_setup_v1_file_key_via_subscribed_keyrings( | |
472 | struct fscrypt_info *ci); | |
5dae460c EB |
473 | /* policy.c */ |
474 | ||
475 | extern bool fscrypt_policies_equal(const union fscrypt_policy *policy1, | |
476 | const union fscrypt_policy *policy2); | |
477 | extern bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, | |
478 | const struct inode *inode); | |
479 | extern int fscrypt_policy_from_context(union fscrypt_policy *policy_u, | |
480 | const union fscrypt_context *ctx_u, | |
481 | int ctx_size); | |
0109ce76 | 482 | |
3325bea5 | 483 | #endif /* _FSCRYPT_PRIVATE_H */ |