Commit | Line | Data |
---|---|---|
0adda907 | 1 | /* |
0b81d077 | 2 | * key management facility for FS encryption support. |
0adda907 JK |
3 | * |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
0b81d077 | 6 | * This contains encryption key functions. |
0adda907 JK |
7 | * |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
0b81d077 | 10 | |
0adda907 JK |
11 | #include <keys/encrypted-type.h> |
12 | #include <keys/user-type.h> | |
13 | #include <linux/random.h> | |
14 | #include <linux/scatterlist.h> | |
15 | #include <uapi/linux/keyctl.h> | |
0b81d077 | 16 | #include <linux/fscrypto.h> |
0adda907 JK |
17 | |
18 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) | |
19 | { | |
0b81d077 | 20 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
21 | |
22 | if (rc == -EINPROGRESS) | |
23 | return; | |
24 | ||
25 | ecr->res = rc; | |
26 | complete(&ecr->completion); | |
27 | } | |
28 | ||
29 | /** | |
0b81d077 | 30 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 31 | * @deriving_key: Encryption key used for derivation. |
0adda907 JK |
32 | * @source_key: Source key to which to apply derivation. |
33 | * @derived_key: Derived key. | |
34 | * | |
35 | * Return: Zero on success; non-zero otherwise. | |
36 | */ | |
0b81d077 JK |
37 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
38 | u8 source_key[FS_AES_256_XTS_KEY_SIZE], | |
39 | u8 derived_key[FS_AES_256_XTS_KEY_SIZE]) | |
0adda907 JK |
40 | { |
41 | int res = 0; | |
d407574e | 42 | struct skcipher_request *req = NULL; |
0b81d077 | 43 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 44 | struct scatterlist src_sg, dst_sg; |
d407574e | 45 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
46 | |
47 | if (IS_ERR(tfm)) { | |
48 | res = PTR_ERR(tfm); | |
49 | tfm = NULL; | |
50 | goto out; | |
51 | } | |
d407574e LT |
52 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
53 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
54 | if (!req) { |
55 | res = -ENOMEM; | |
56 | goto out; | |
57 | } | |
d407574e | 58 | skcipher_request_set_callback(req, |
0adda907 JK |
59 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
60 | derive_crypt_complete, &ecr); | |
d407574e | 61 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 62 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
63 | if (res < 0) |
64 | goto out; | |
65 | ||
0b81d077 JK |
66 | sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE); |
67 | sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE); | |
d407574e | 68 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, |
0b81d077 | 69 | FS_AES_256_XTS_KEY_SIZE, NULL); |
d407574e | 70 | res = crypto_skcipher_encrypt(req); |
0adda907 | 71 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
72 | wait_for_completion(&ecr.completion); |
73 | res = ecr.res; | |
74 | } | |
75 | out: | |
d407574e LT |
76 | skcipher_request_free(req); |
77 | crypto_free_skcipher(tfm); | |
0adda907 JK |
78 | return res; |
79 | } | |
80 | ||
0b81d077 | 81 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 82 | { |
0adda907 JK |
83 | if (!ci) |
84 | return; | |
85 | ||
d407574e LT |
86 | key_put(ci->ci_keyring_key); |
87 | crypto_free_skcipher(ci->ci_ctfm); | |
0b81d077 | 88 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
89 | } |
90 | ||
0b81d077 | 91 | int get_crypt_info(struct inode *inode) |
0adda907 | 92 | { |
0b81d077 JK |
93 | struct fscrypt_info *crypt_info; |
94 | u8 full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE + | |
95 | (FS_KEY_DESCRIPTOR_SIZE * 2) + 1]; | |
0adda907 | 96 | struct key *keyring_key = NULL; |
0b81d077 JK |
97 | struct fscrypt_key *master_key; |
98 | struct fscrypt_context ctx; | |
146aa8b1 | 99 | const struct user_key_payload *ukp; |
d407574e | 100 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 101 | const char *cipher_str; |
0b81d077 JK |
102 | u8 raw_key[FS_MAX_KEY_SIZE]; |
103 | u8 mode; | |
0adda907 JK |
104 | int res; |
105 | ||
0b81d077 | 106 | res = fscrypt_initialize(); |
cfc4d971 JK |
107 | if (res) |
108 | return res; | |
0b81d077 JK |
109 | |
110 | if (!inode->i_sb->s_cop->get_context) | |
111 | return -EOPNOTSUPP; | |
26bf3dc7 | 112 | retry: |
0b81d077 | 113 | crypt_info = ACCESS_ONCE(inode->i_crypt_info); |
26bf3dc7 JK |
114 | if (crypt_info) { |
115 | if (!crypt_info->ci_keyring_key || | |
116 | key_validate(crypt_info->ci_keyring_key) == 0) | |
0adda907 | 117 | return 0; |
0b81d077 | 118 | fscrypt_put_encryption_info(inode, crypt_info); |
26bf3dc7 | 119 | goto retry; |
0adda907 JK |
120 | } |
121 | ||
0b81d077 JK |
122 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
123 | if (res < 0) { | |
124 | if (!fscrypt_dummy_context_enabled(inode)) | |
125 | return res; | |
126 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; | |
127 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
128 | ctx.flags = 0; | |
129 | } else if (res != sizeof(ctx)) { | |
0adda907 | 130 | return -EINVAL; |
0b81d077 | 131 | } |
0adda907 JK |
132 | res = 0; |
133 | ||
0b81d077 | 134 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
135 | if (!crypt_info) |
136 | return -ENOMEM; | |
137 | ||
138 | crypt_info->ci_flags = ctx.flags; | |
139 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
140 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
141 | crypt_info->ci_ctfm = NULL; | |
26bf3dc7 | 142 | crypt_info->ci_keyring_key = NULL; |
0adda907 JK |
143 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, |
144 | sizeof(crypt_info->ci_master_key)); | |
145 | if (S_ISREG(inode->i_mode)) | |
26bf3dc7 | 146 | mode = crypt_info->ci_data_mode; |
0adda907 | 147 | else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) |
26bf3dc7 | 148 | mode = crypt_info->ci_filename_mode; |
640778fb | 149 | else |
0adda907 | 150 | BUG(); |
640778fb | 151 | |
26bf3dc7 | 152 | switch (mode) { |
0b81d077 | 153 | case FS_ENCRYPTION_MODE_AES_256_XTS: |
26bf3dc7 JK |
154 | cipher_str = "xts(aes)"; |
155 | break; | |
0b81d077 | 156 | case FS_ENCRYPTION_MODE_AES_256_CTS: |
26bf3dc7 JK |
157 | cipher_str = "cts(cbc(aes))"; |
158 | break; | |
159 | default: | |
160 | printk_once(KERN_WARNING | |
0b81d077 JK |
161 | "%s: unsupported key mode %d (ino %u)\n", |
162 | __func__, mode, (unsigned) inode->i_ino); | |
26bf3dc7 JK |
163 | res = -ENOKEY; |
164 | goto out; | |
165 | } | |
0b81d077 JK |
166 | if (fscrypt_dummy_context_enabled(inode)) { |
167 | memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE); | |
168 | goto got_key; | |
169 | } | |
170 | memcpy(full_key_descriptor, FS_KEY_DESC_PREFIX, | |
171 | FS_KEY_DESC_PREFIX_SIZE); | |
172 | sprintf(full_key_descriptor + FS_KEY_DESC_PREFIX_SIZE, | |
173 | "%*phN", FS_KEY_DESCRIPTOR_SIZE, | |
0adda907 | 174 | ctx.master_key_descriptor); |
0b81d077 JK |
175 | full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE + |
176 | (2 * FS_KEY_DESCRIPTOR_SIZE)] = '\0'; | |
0adda907 JK |
177 | keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL); |
178 | if (IS_ERR(keyring_key)) { | |
179 | res = PTR_ERR(keyring_key); | |
180 | keyring_key = NULL; | |
181 | goto out; | |
182 | } | |
26bf3dc7 | 183 | crypt_info->ci_keyring_key = keyring_key; |
66aa3e12 | 184 | if (keyring_key->type != &key_type_logon) { |
0b81d077 JK |
185 | printk_once(KERN_WARNING |
186 | "%s: key type must be logon\n", __func__); | |
66aa3e12 JK |
187 | res = -ENOKEY; |
188 | goto out; | |
189 | } | |
745e8490 | 190 | down_read(&keyring_key->sem); |
146aa8b1 | 191 | ukp = user_key_payload(keyring_key); |
0b81d077 | 192 | if (ukp->datalen != sizeof(struct fscrypt_key)) { |
0adda907 | 193 | res = -EINVAL; |
745e8490 | 194 | up_read(&keyring_key->sem); |
0adda907 JK |
195 | goto out; |
196 | } | |
0b81d077 JK |
197 | master_key = (struct fscrypt_key *)ukp->data; |
198 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
199 | ||
200 | if (master_key->size != FS_AES_256_XTS_KEY_SIZE) { | |
66aa3e12 | 201 | printk_once(KERN_WARNING |
0b81d077 JK |
202 | "%s: key size incorrect: %d\n", |
203 | __func__, master_key->size); | |
66aa3e12 | 204 | res = -ENOKEY; |
745e8490 | 205 | up_read(&keyring_key->sem); |
66aa3e12 JK |
206 | goto out; |
207 | } | |
0b81d077 | 208 | res = derive_key_aes(ctx.nonce, master_key->raw, raw_key); |
745e8490 | 209 | up_read(&keyring_key->sem); |
26bf3dc7 JK |
210 | if (res) |
211 | goto out; | |
0b81d077 | 212 | got_key: |
d407574e | 213 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
214 | if (!ctfm || IS_ERR(ctfm)) { |
215 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
216 | printk(KERN_DEBUG | |
217 | "%s: error %d (inode %u) allocating crypto tfm\n", | |
218 | __func__, res, (unsigned) inode->i_ino); | |
219 | goto out; | |
0adda907 | 220 | } |
26bf3dc7 | 221 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
222 | crypto_skcipher_clear_flags(ctfm, ~0); |
223 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
224 | res = crypto_skcipher_setkey(ctfm, raw_key, fscrypt_key_size(mode)); | |
26bf3dc7 JK |
225 | if (res) |
226 | goto out; | |
227 | ||
228 | memzero_explicit(raw_key, sizeof(raw_key)); | |
0b81d077 JK |
229 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) { |
230 | put_crypt_info(crypt_info); | |
26bf3dc7 JK |
231 | goto retry; |
232 | } | |
233 | return 0; | |
234 | ||
235 | out: | |
0b81d077 | 236 | if (res == -ENOKEY) |
26bf3dc7 | 237 | res = 0; |
0b81d077 | 238 | put_crypt_info(crypt_info); |
26bf3dc7 | 239 | memzero_explicit(raw_key, sizeof(raw_key)); |
0adda907 JK |
240 | return res; |
241 | } | |
242 | ||
0b81d077 | 243 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 244 | { |
0b81d077 JK |
245 | struct fscrypt_info *prev; |
246 | ||
247 | if (ci == NULL) | |
248 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
249 | if (ci == NULL) | |
250 | return; | |
0adda907 | 251 | |
0b81d077 JK |
252 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
253 | if (prev != ci) | |
254 | return; | |
255 | ||
256 | put_crypt_info(ci); | |
257 | } | |
258 | EXPORT_SYMBOL(fscrypt_put_encryption_info); | |
259 | ||
260 | int fscrypt_get_encryption_info(struct inode *inode) | |
261 | { | |
262 | struct fscrypt_info *ci = inode->i_crypt_info; | |
263 | ||
264 | if (!ci || | |
265 | (ci->ci_keyring_key && | |
266 | (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) | | |
267 | (1 << KEY_FLAG_REVOKED) | | |
268 | (1 << KEY_FLAG_DEAD))))) | |
269 | return get_crypt_info(inode); | |
270 | return 0; | |
0adda907 | 271 | } |
0b81d077 | 272 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |