Commit | Line | Data |
---|---|---|
0adda907 | 1 | /* |
0b81d077 | 2 | * key management facility for FS encryption support. |
0adda907 JK |
3 | * |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
0b81d077 | 6 | * This contains encryption key functions. |
0adda907 JK |
7 | * |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
0b81d077 | 10 | |
0adda907 | 11 | #include <keys/user-type.h> |
0adda907 | 12 | #include <linux/scatterlist.h> |
0b81d077 | 13 | #include <linux/fscrypto.h> |
0adda907 JK |
14 | |
15 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) | |
16 | { | |
0b81d077 | 17 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
18 | |
19 | if (rc == -EINPROGRESS) | |
20 | return; | |
21 | ||
22 | ecr->res = rc; | |
23 | complete(&ecr->completion); | |
24 | } | |
25 | ||
26 | /** | |
0b81d077 | 27 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 28 | * @deriving_key: Encryption key used for derivation. |
0adda907 JK |
29 | * @source_key: Source key to which to apply derivation. |
30 | * @derived_key: Derived key. | |
31 | * | |
32 | * Return: Zero on success; non-zero otherwise. | |
33 | */ | |
0b81d077 JK |
34 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
35 | u8 source_key[FS_AES_256_XTS_KEY_SIZE], | |
36 | u8 derived_key[FS_AES_256_XTS_KEY_SIZE]) | |
0adda907 JK |
37 | { |
38 | int res = 0; | |
d407574e | 39 | struct skcipher_request *req = NULL; |
0b81d077 | 40 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 41 | struct scatterlist src_sg, dst_sg; |
d407574e | 42 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
43 | |
44 | if (IS_ERR(tfm)) { | |
45 | res = PTR_ERR(tfm); | |
46 | tfm = NULL; | |
47 | goto out; | |
48 | } | |
d407574e LT |
49 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
50 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
51 | if (!req) { |
52 | res = -ENOMEM; | |
53 | goto out; | |
54 | } | |
d407574e | 55 | skcipher_request_set_callback(req, |
0adda907 JK |
56 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
57 | derive_crypt_complete, &ecr); | |
d407574e | 58 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 59 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
60 | if (res < 0) |
61 | goto out; | |
62 | ||
0b81d077 JK |
63 | sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE); |
64 | sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE); | |
d407574e | 65 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, |
0b81d077 | 66 | FS_AES_256_XTS_KEY_SIZE, NULL); |
d407574e | 67 | res = crypto_skcipher_encrypt(req); |
0adda907 | 68 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
69 | wait_for_completion(&ecr.completion); |
70 | res = ecr.res; | |
71 | } | |
72 | out: | |
d407574e LT |
73 | skcipher_request_free(req); |
74 | crypto_free_skcipher(tfm); | |
0adda907 JK |
75 | return res; |
76 | } | |
77 | ||
b5a7aef1 JK |
78 | static int validate_user_key(struct fscrypt_info *crypt_info, |
79 | struct fscrypt_context *ctx, u8 *raw_key, | |
80 | u8 *prefix, int prefix_size) | |
81 | { | |
82 | u8 *full_key_descriptor; | |
83 | struct key *keyring_key; | |
84 | struct fscrypt_key *master_key; | |
85 | const struct user_key_payload *ukp; | |
86 | int full_key_len = prefix_size + (FS_KEY_DESCRIPTOR_SIZE * 2) + 1; | |
87 | int res; | |
88 | ||
89 | full_key_descriptor = kmalloc(full_key_len, GFP_NOFS); | |
90 | if (!full_key_descriptor) | |
91 | return -ENOMEM; | |
92 | ||
93 | memcpy(full_key_descriptor, prefix, prefix_size); | |
94 | sprintf(full_key_descriptor + prefix_size, | |
95 | "%*phN", FS_KEY_DESCRIPTOR_SIZE, | |
96 | ctx->master_key_descriptor); | |
97 | full_key_descriptor[full_key_len - 1] = '\0'; | |
98 | keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL); | |
99 | kfree(full_key_descriptor); | |
100 | if (IS_ERR(keyring_key)) | |
101 | return PTR_ERR(keyring_key); | |
102 | ||
103 | if (keyring_key->type != &key_type_logon) { | |
104 | printk_once(KERN_WARNING | |
105 | "%s: key type must be logon\n", __func__); | |
106 | res = -ENOKEY; | |
107 | goto out; | |
108 | } | |
109 | down_read(&keyring_key->sem); | |
110 | ukp = user_key_payload(keyring_key); | |
111 | if (ukp->datalen != sizeof(struct fscrypt_key)) { | |
112 | res = -EINVAL; | |
113 | up_read(&keyring_key->sem); | |
114 | goto out; | |
115 | } | |
116 | master_key = (struct fscrypt_key *)ukp->data; | |
117 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
118 | ||
119 | if (master_key->size != FS_AES_256_XTS_KEY_SIZE) { | |
120 | printk_once(KERN_WARNING | |
121 | "%s: key size incorrect: %d\n", | |
122 | __func__, master_key->size); | |
123 | res = -ENOKEY; | |
124 | up_read(&keyring_key->sem); | |
125 | goto out; | |
126 | } | |
127 | res = derive_key_aes(ctx->nonce, master_key->raw, raw_key); | |
128 | up_read(&keyring_key->sem); | |
129 | if (res) | |
130 | goto out; | |
131 | ||
132 | crypt_info->ci_keyring_key = keyring_key; | |
133 | return 0; | |
134 | out: | |
135 | key_put(keyring_key); | |
136 | return res; | |
137 | } | |
138 | ||
8f39850d EB |
139 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, |
140 | const char **cipher_str_ret, int *keysize_ret) | |
141 | { | |
142 | if (S_ISREG(inode->i_mode)) { | |
143 | if (ci->ci_data_mode == FS_ENCRYPTION_MODE_AES_256_XTS) { | |
144 | *cipher_str_ret = "xts(aes)"; | |
145 | *keysize_ret = FS_AES_256_XTS_KEY_SIZE; | |
146 | return 0; | |
147 | } | |
148 | pr_warn_once("fscrypto: unsupported contents encryption mode " | |
149 | "%d for inode %lu\n", | |
150 | ci->ci_data_mode, inode->i_ino); | |
151 | return -ENOKEY; | |
152 | } | |
153 | ||
154 | if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
155 | if (ci->ci_filename_mode == FS_ENCRYPTION_MODE_AES_256_CTS) { | |
156 | *cipher_str_ret = "cts(cbc(aes))"; | |
157 | *keysize_ret = FS_AES_256_CTS_KEY_SIZE; | |
158 | return 0; | |
159 | } | |
160 | pr_warn_once("fscrypto: unsupported filenames encryption mode " | |
161 | "%d for inode %lu\n", | |
162 | ci->ci_filename_mode, inode->i_ino); | |
163 | return -ENOKEY; | |
164 | } | |
165 | ||
166 | pr_warn_once("fscrypto: unsupported file type %d for inode %lu\n", | |
167 | (inode->i_mode & S_IFMT), inode->i_ino); | |
168 | return -ENOKEY; | |
169 | } | |
170 | ||
0b81d077 | 171 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 172 | { |
0adda907 JK |
173 | if (!ci) |
174 | return; | |
175 | ||
d407574e LT |
176 | key_put(ci->ci_keyring_key); |
177 | crypto_free_skcipher(ci->ci_ctfm); | |
0b81d077 | 178 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
179 | } |
180 | ||
0b81d077 | 181 | int get_crypt_info(struct inode *inode) |
0adda907 | 182 | { |
0b81d077 | 183 | struct fscrypt_info *crypt_info; |
0b81d077 | 184 | struct fscrypt_context ctx; |
d407574e | 185 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 186 | const char *cipher_str; |
8f39850d | 187 | int keysize; |
0b81d077 | 188 | u8 raw_key[FS_MAX_KEY_SIZE]; |
0adda907 JK |
189 | int res; |
190 | ||
0b81d077 | 191 | res = fscrypt_initialize(); |
cfc4d971 JK |
192 | if (res) |
193 | return res; | |
0b81d077 JK |
194 | |
195 | if (!inode->i_sb->s_cop->get_context) | |
196 | return -EOPNOTSUPP; | |
26bf3dc7 | 197 | retry: |
0b81d077 | 198 | crypt_info = ACCESS_ONCE(inode->i_crypt_info); |
26bf3dc7 JK |
199 | if (crypt_info) { |
200 | if (!crypt_info->ci_keyring_key || | |
201 | key_validate(crypt_info->ci_keyring_key) == 0) | |
0adda907 | 202 | return 0; |
0b81d077 | 203 | fscrypt_put_encryption_info(inode, crypt_info); |
26bf3dc7 | 204 | goto retry; |
0adda907 JK |
205 | } |
206 | ||
0b81d077 JK |
207 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
208 | if (res < 0) { | |
209 | if (!fscrypt_dummy_context_enabled(inode)) | |
210 | return res; | |
8f39850d | 211 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; |
0b81d077 JK |
212 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; |
213 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
214 | ctx.flags = 0; | |
215 | } else if (res != sizeof(ctx)) { | |
0adda907 | 216 | return -EINVAL; |
0b81d077 | 217 | } |
8f39850d EB |
218 | |
219 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
220 | return -EINVAL; | |
221 | ||
222 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
223 | return -EINVAL; | |
0adda907 | 224 | |
0b81d077 | 225 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
226 | if (!crypt_info) |
227 | return -ENOMEM; | |
228 | ||
229 | crypt_info->ci_flags = ctx.flags; | |
230 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
231 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
232 | crypt_info->ci_ctfm = NULL; | |
26bf3dc7 | 233 | crypt_info->ci_keyring_key = NULL; |
0adda907 JK |
234 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, |
235 | sizeof(crypt_info->ci_master_key)); | |
640778fb | 236 | |
8f39850d EB |
237 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); |
238 | if (res) | |
26bf3dc7 | 239 | goto out; |
8f39850d | 240 | |
0b81d077 JK |
241 | if (fscrypt_dummy_context_enabled(inode)) { |
242 | memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE); | |
243 | goto got_key; | |
244 | } | |
0b81d077 | 245 | |
b5a7aef1 JK |
246 | res = validate_user_key(crypt_info, &ctx, raw_key, |
247 | FS_KEY_DESC_PREFIX, FS_KEY_DESC_PREFIX_SIZE); | |
248 | if (res && inode->i_sb->s_cop->key_prefix) { | |
249 | u8 *prefix = NULL; | |
250 | int prefix_size, res2; | |
251 | ||
252 | prefix_size = inode->i_sb->s_cop->key_prefix(inode, &prefix); | |
253 | res2 = validate_user_key(crypt_info, &ctx, raw_key, | |
254 | prefix, prefix_size); | |
255 | if (res2) { | |
256 | if (res2 == -ENOKEY) | |
257 | res = -ENOKEY; | |
258 | goto out; | |
259 | } | |
260 | } else if (res) { | |
66aa3e12 JK |
261 | goto out; |
262 | } | |
0b81d077 | 263 | got_key: |
d407574e | 264 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
265 | if (!ctfm || IS_ERR(ctfm)) { |
266 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
267 | printk(KERN_DEBUG | |
268 | "%s: error %d (inode %u) allocating crypto tfm\n", | |
269 | __func__, res, (unsigned) inode->i_ino); | |
270 | goto out; | |
0adda907 | 271 | } |
26bf3dc7 | 272 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
273 | crypto_skcipher_clear_flags(ctfm, ~0); |
274 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
8f39850d | 275 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); |
26bf3dc7 JK |
276 | if (res) |
277 | goto out; | |
278 | ||
279 | memzero_explicit(raw_key, sizeof(raw_key)); | |
0b81d077 JK |
280 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) { |
281 | put_crypt_info(crypt_info); | |
26bf3dc7 JK |
282 | goto retry; |
283 | } | |
284 | return 0; | |
285 | ||
286 | out: | |
0b81d077 | 287 | if (res == -ENOKEY) |
26bf3dc7 | 288 | res = 0; |
0b81d077 | 289 | put_crypt_info(crypt_info); |
26bf3dc7 | 290 | memzero_explicit(raw_key, sizeof(raw_key)); |
0adda907 JK |
291 | return res; |
292 | } | |
293 | ||
0b81d077 | 294 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 295 | { |
0b81d077 JK |
296 | struct fscrypt_info *prev; |
297 | ||
298 | if (ci == NULL) | |
299 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
300 | if (ci == NULL) | |
301 | return; | |
0adda907 | 302 | |
0b81d077 JK |
303 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
304 | if (prev != ci) | |
305 | return; | |
306 | ||
307 | put_crypt_info(ci); | |
308 | } | |
309 | EXPORT_SYMBOL(fscrypt_put_encryption_info); | |
310 | ||
311 | int fscrypt_get_encryption_info(struct inode *inode) | |
312 | { | |
313 | struct fscrypt_info *ci = inode->i_crypt_info; | |
314 | ||
315 | if (!ci || | |
316 | (ci->ci_keyring_key && | |
317 | (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) | | |
318 | (1 << KEY_FLAG_REVOKED) | | |
319 | (1 << KEY_FLAG_DEAD))))) | |
320 | return get_crypt_info(inode); | |
321 | return 0; | |
0adda907 | 322 | } |
0b81d077 | 323 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |