Commit | Line | Data |
---|---|---|
0adda907 | 1 | /* |
0b81d077 | 2 | * key management facility for FS encryption support. |
0adda907 JK |
3 | * |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
0b81d077 | 6 | * This contains encryption key functions. |
0adda907 JK |
7 | * |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
0b81d077 | 10 | |
0adda907 | 11 | #include <keys/user-type.h> |
0adda907 | 12 | #include <linux/scatterlist.h> |
3325bea5 | 13 | #include "fscrypt_private.h" |
0adda907 JK |
14 | |
15 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) | |
16 | { | |
0b81d077 | 17 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
18 | |
19 | if (rc == -EINPROGRESS) | |
20 | return; | |
21 | ||
22 | ecr->res = rc; | |
23 | complete(&ecr->completion); | |
24 | } | |
25 | ||
26 | /** | |
0b81d077 | 27 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 28 | * @deriving_key: Encryption key used for derivation. |
0adda907 JK |
29 | * @source_key: Source key to which to apply derivation. |
30 | * @derived_key: Derived key. | |
31 | * | |
32 | * Return: Zero on success; non-zero otherwise. | |
33 | */ | |
0b81d077 JK |
34 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
35 | u8 source_key[FS_AES_256_XTS_KEY_SIZE], | |
36 | u8 derived_key[FS_AES_256_XTS_KEY_SIZE]) | |
0adda907 JK |
37 | { |
38 | int res = 0; | |
d407574e | 39 | struct skcipher_request *req = NULL; |
0b81d077 | 40 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 41 | struct scatterlist src_sg, dst_sg; |
d407574e | 42 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
43 | |
44 | if (IS_ERR(tfm)) { | |
45 | res = PTR_ERR(tfm); | |
46 | tfm = NULL; | |
47 | goto out; | |
48 | } | |
d407574e LT |
49 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
50 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
51 | if (!req) { |
52 | res = -ENOMEM; | |
53 | goto out; | |
54 | } | |
d407574e | 55 | skcipher_request_set_callback(req, |
0adda907 JK |
56 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
57 | derive_crypt_complete, &ecr); | |
d407574e | 58 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 59 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
60 | if (res < 0) |
61 | goto out; | |
62 | ||
0b81d077 JK |
63 | sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE); |
64 | sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE); | |
d407574e | 65 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, |
0b81d077 | 66 | FS_AES_256_XTS_KEY_SIZE, NULL); |
d407574e | 67 | res = crypto_skcipher_encrypt(req); |
0adda907 | 68 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
69 | wait_for_completion(&ecr.completion); |
70 | res = ecr.res; | |
71 | } | |
72 | out: | |
d407574e LT |
73 | skcipher_request_free(req); |
74 | crypto_free_skcipher(tfm); | |
0adda907 JK |
75 | return res; |
76 | } | |
77 | ||
b5a7aef1 JK |
78 | static int validate_user_key(struct fscrypt_info *crypt_info, |
79 | struct fscrypt_context *ctx, u8 *raw_key, | |
a5d431ef | 80 | const char *prefix) |
b5a7aef1 | 81 | { |
a5d431ef | 82 | char *description; |
b5a7aef1 JK |
83 | struct key *keyring_key; |
84 | struct fscrypt_key *master_key; | |
85 | const struct user_key_payload *ukp; | |
b5a7aef1 JK |
86 | int res; |
87 | ||
a5d431ef EB |
88 | description = kasprintf(GFP_NOFS, "%s%*phN", prefix, |
89 | FS_KEY_DESCRIPTOR_SIZE, | |
90 | ctx->master_key_descriptor); | |
91 | if (!description) | |
b5a7aef1 JK |
92 | return -ENOMEM; |
93 | ||
a5d431ef EB |
94 | keyring_key = request_key(&key_type_logon, description, NULL); |
95 | kfree(description); | |
b5a7aef1 JK |
96 | if (IS_ERR(keyring_key)) |
97 | return PTR_ERR(keyring_key); | |
1b53cf98 | 98 | down_read(&keyring_key->sem); |
b5a7aef1 JK |
99 | |
100 | if (keyring_key->type != &key_type_logon) { | |
101 | printk_once(KERN_WARNING | |
102 | "%s: key type must be logon\n", __func__); | |
103 | res = -ENOKEY; | |
104 | goto out; | |
105 | } | |
0837e49a | 106 | ukp = user_key_payload_locked(keyring_key); |
b5a7aef1 JK |
107 | if (ukp->datalen != sizeof(struct fscrypt_key)) { |
108 | res = -EINVAL; | |
b5a7aef1 JK |
109 | goto out; |
110 | } | |
111 | master_key = (struct fscrypt_key *)ukp->data; | |
112 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
113 | ||
114 | if (master_key->size != FS_AES_256_XTS_KEY_SIZE) { | |
115 | printk_once(KERN_WARNING | |
116 | "%s: key size incorrect: %d\n", | |
117 | __func__, master_key->size); | |
118 | res = -ENOKEY; | |
b5a7aef1 JK |
119 | goto out; |
120 | } | |
121 | res = derive_key_aes(ctx->nonce, master_key->raw, raw_key); | |
b5a7aef1 | 122 | out: |
1b53cf98 | 123 | up_read(&keyring_key->sem); |
b5a7aef1 JK |
124 | key_put(keyring_key); |
125 | return res; | |
126 | } | |
127 | ||
8f39850d EB |
128 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, |
129 | const char **cipher_str_ret, int *keysize_ret) | |
130 | { | |
131 | if (S_ISREG(inode->i_mode)) { | |
132 | if (ci->ci_data_mode == FS_ENCRYPTION_MODE_AES_256_XTS) { | |
133 | *cipher_str_ret = "xts(aes)"; | |
134 | *keysize_ret = FS_AES_256_XTS_KEY_SIZE; | |
135 | return 0; | |
136 | } | |
137 | pr_warn_once("fscrypto: unsupported contents encryption mode " | |
138 | "%d for inode %lu\n", | |
139 | ci->ci_data_mode, inode->i_ino); | |
140 | return -ENOKEY; | |
141 | } | |
142 | ||
143 | if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
144 | if (ci->ci_filename_mode == FS_ENCRYPTION_MODE_AES_256_CTS) { | |
145 | *cipher_str_ret = "cts(cbc(aes))"; | |
146 | *keysize_ret = FS_AES_256_CTS_KEY_SIZE; | |
147 | return 0; | |
148 | } | |
149 | pr_warn_once("fscrypto: unsupported filenames encryption mode " | |
150 | "%d for inode %lu\n", | |
151 | ci->ci_filename_mode, inode->i_ino); | |
152 | return -ENOKEY; | |
153 | } | |
154 | ||
155 | pr_warn_once("fscrypto: unsupported file type %d for inode %lu\n", | |
156 | (inode->i_mode & S_IFMT), inode->i_ino); | |
157 | return -ENOKEY; | |
158 | } | |
159 | ||
0b81d077 | 160 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 161 | { |
0adda907 JK |
162 | if (!ci) |
163 | return; | |
164 | ||
d407574e | 165 | crypto_free_skcipher(ci->ci_ctfm); |
0b81d077 | 166 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
167 | } |
168 | ||
1b53cf98 | 169 | int fscrypt_get_encryption_info(struct inode *inode) |
0adda907 | 170 | { |
0b81d077 | 171 | struct fscrypt_info *crypt_info; |
0b81d077 | 172 | struct fscrypt_context ctx; |
d407574e | 173 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 174 | const char *cipher_str; |
8f39850d | 175 | int keysize; |
a6e08912 | 176 | u8 *raw_key = NULL; |
0adda907 JK |
177 | int res; |
178 | ||
1b53cf98 EB |
179 | if (inode->i_crypt_info) |
180 | return 0; | |
181 | ||
f32d7ac2 | 182 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); |
cfc4d971 JK |
183 | if (res) |
184 | return res; | |
0b81d077 | 185 | |
0b81d077 JK |
186 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
187 | if (res < 0) { | |
5bbdcbbb TT |
188 | if (!fscrypt_dummy_context_enabled(inode) || |
189 | inode->i_sb->s_cop->is_encrypted(inode)) | |
0b81d077 | 190 | return res; |
5bbdcbbb TT |
191 | /* Fake up a context for an unencrypted directory */ |
192 | memset(&ctx, 0, sizeof(ctx)); | |
8f39850d | 193 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; |
0b81d077 JK |
194 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; |
195 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
5bbdcbbb | 196 | memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE); |
0b81d077 | 197 | } else if (res != sizeof(ctx)) { |
0adda907 | 198 | return -EINVAL; |
0b81d077 | 199 | } |
8f39850d EB |
200 | |
201 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
202 | return -EINVAL; | |
203 | ||
204 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
205 | return -EINVAL; | |
0adda907 | 206 | |
0b81d077 | 207 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
208 | if (!crypt_info) |
209 | return -ENOMEM; | |
210 | ||
211 | crypt_info->ci_flags = ctx.flags; | |
212 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
213 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
214 | crypt_info->ci_ctfm = NULL; | |
215 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, | |
216 | sizeof(crypt_info->ci_master_key)); | |
640778fb | 217 | |
8f39850d EB |
218 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); |
219 | if (res) | |
26bf3dc7 | 220 | goto out; |
8f39850d | 221 | |
a6e08912 EB |
222 | /* |
223 | * This cannot be a stack buffer because it is passed to the scatterlist | |
224 | * crypto API as part of key derivation. | |
225 | */ | |
226 | res = -ENOMEM; | |
227 | raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); | |
228 | if (!raw_key) | |
229 | goto out; | |
230 | ||
a5d431ef | 231 | res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX); |
b5a7aef1 | 232 | if (res && inode->i_sb->s_cop->key_prefix) { |
a5d431ef EB |
233 | int res2 = validate_user_key(crypt_info, &ctx, raw_key, |
234 | inode->i_sb->s_cop->key_prefix); | |
b5a7aef1 JK |
235 | if (res2) { |
236 | if (res2 == -ENOKEY) | |
237 | res = -ENOKEY; | |
238 | goto out; | |
239 | } | |
240 | } else if (res) { | |
66aa3e12 JK |
241 | goto out; |
242 | } | |
d407574e | 243 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
244 | if (!ctfm || IS_ERR(ctfm)) { |
245 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
246 | printk(KERN_DEBUG | |
247 | "%s: error %d (inode %u) allocating crypto tfm\n", | |
248 | __func__, res, (unsigned) inode->i_ino); | |
249 | goto out; | |
0adda907 | 250 | } |
26bf3dc7 | 251 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
252 | crypto_skcipher_clear_flags(ctfm, ~0); |
253 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
8f39850d | 254 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); |
26bf3dc7 JK |
255 | if (res) |
256 | goto out; | |
257 | ||
1b53cf98 EB |
258 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) |
259 | crypt_info = NULL; | |
26bf3dc7 | 260 | out: |
0b81d077 | 261 | if (res == -ENOKEY) |
26bf3dc7 | 262 | res = 0; |
0b81d077 | 263 | put_crypt_info(crypt_info); |
a6e08912 | 264 | kzfree(raw_key); |
0adda907 JK |
265 | return res; |
266 | } | |
1b53cf98 | 267 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |
0adda907 | 268 | |
0b81d077 | 269 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 270 | { |
0b81d077 JK |
271 | struct fscrypt_info *prev; |
272 | ||
273 | if (ci == NULL) | |
274 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
275 | if (ci == NULL) | |
276 | return; | |
0adda907 | 277 | |
0b81d077 JK |
278 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
279 | if (prev != ci) | |
280 | return; | |
281 | ||
282 | put_crypt_info(ci); | |
283 | } | |
284 | EXPORT_SYMBOL(fscrypt_put_encryption_info); |