Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
0adda907 | 2 | /* |
0b81d077 | 3 | * key management facility for FS encryption support. |
0adda907 JK |
4 | * |
5 | * Copyright (C) 2015, Google, Inc. | |
6 | * | |
0b81d077 | 7 | * This contains encryption key functions. |
0adda907 JK |
8 | * |
9 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
10 | */ | |
0b81d077 | 11 | |
0adda907 | 12 | #include <keys/user-type.h> |
0adda907 | 13 | #include <linux/scatterlist.h> |
b7e7cf7a DW |
14 | #include <linux/ratelimit.h> |
15 | #include <crypto/aes.h> | |
16 | #include <crypto/sha.h> | |
3325bea5 | 17 | #include "fscrypt_private.h" |
0adda907 | 18 | |
b7e7cf7a DW |
19 | static struct crypto_shash *essiv_hash_tfm; |
20 | ||
0adda907 JK |
21 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) |
22 | { | |
0b81d077 | 23 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
24 | |
25 | if (rc == -EINPROGRESS) | |
26 | return; | |
27 | ||
28 | ecr->res = rc; | |
29 | complete(&ecr->completion); | |
30 | } | |
31 | ||
32 | /** | |
0b81d077 | 33 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 34 | * @deriving_key: Encryption key used for derivation. |
0adda907 | 35 | * @source_key: Source key to which to apply derivation. |
b7e7cf7a | 36 | * @derived_raw_key: Derived raw key. |
0adda907 JK |
37 | * |
38 | * Return: Zero on success; non-zero otherwise. | |
39 | */ | |
0b81d077 | 40 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
b7e7cf7a DW |
41 | const struct fscrypt_key *source_key, |
42 | u8 derived_raw_key[FS_MAX_KEY_SIZE]) | |
0adda907 JK |
43 | { |
44 | int res = 0; | |
d407574e | 45 | struct skcipher_request *req = NULL; |
0b81d077 | 46 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 47 | struct scatterlist src_sg, dst_sg; |
d407574e | 48 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
49 | |
50 | if (IS_ERR(tfm)) { | |
51 | res = PTR_ERR(tfm); | |
52 | tfm = NULL; | |
53 | goto out; | |
54 | } | |
d407574e LT |
55 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
56 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
57 | if (!req) { |
58 | res = -ENOMEM; | |
59 | goto out; | |
60 | } | |
d407574e | 61 | skcipher_request_set_callback(req, |
0adda907 JK |
62 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
63 | derive_crypt_complete, &ecr); | |
d407574e | 64 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 65 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
66 | if (res < 0) |
67 | goto out; | |
68 | ||
b7e7cf7a DW |
69 | sg_init_one(&src_sg, source_key->raw, source_key->size); |
70 | sg_init_one(&dst_sg, derived_raw_key, source_key->size); | |
71 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, | |
72 | NULL); | |
d407574e | 73 | res = crypto_skcipher_encrypt(req); |
0adda907 | 74 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
75 | wait_for_completion(&ecr.completion); |
76 | res = ecr.res; | |
77 | } | |
78 | out: | |
d407574e LT |
79 | skcipher_request_free(req); |
80 | crypto_free_skcipher(tfm); | |
0adda907 JK |
81 | return res; |
82 | } | |
83 | ||
b5a7aef1 JK |
84 | static int validate_user_key(struct fscrypt_info *crypt_info, |
85 | struct fscrypt_context *ctx, u8 *raw_key, | |
b7e7cf7a | 86 | const char *prefix, int min_keysize) |
b5a7aef1 | 87 | { |
a5d431ef | 88 | char *description; |
b5a7aef1 JK |
89 | struct key *keyring_key; |
90 | struct fscrypt_key *master_key; | |
91 | const struct user_key_payload *ukp; | |
b5a7aef1 JK |
92 | int res; |
93 | ||
a5d431ef EB |
94 | description = kasprintf(GFP_NOFS, "%s%*phN", prefix, |
95 | FS_KEY_DESCRIPTOR_SIZE, | |
96 | ctx->master_key_descriptor); | |
97 | if (!description) | |
b5a7aef1 JK |
98 | return -ENOMEM; |
99 | ||
a5d431ef EB |
100 | keyring_key = request_key(&key_type_logon, description, NULL); |
101 | kfree(description); | |
b5a7aef1 JK |
102 | if (IS_ERR(keyring_key)) |
103 | return PTR_ERR(keyring_key); | |
1b53cf98 | 104 | down_read(&keyring_key->sem); |
b5a7aef1 JK |
105 | |
106 | if (keyring_key->type != &key_type_logon) { | |
107 | printk_once(KERN_WARNING | |
108 | "%s: key type must be logon\n", __func__); | |
109 | res = -ENOKEY; | |
110 | goto out; | |
111 | } | |
0837e49a | 112 | ukp = user_key_payload_locked(keyring_key); |
d60b5b78 EB |
113 | if (!ukp) { |
114 | /* key was revoked before we acquired its semaphore */ | |
115 | res = -EKEYREVOKED; | |
116 | goto out; | |
117 | } | |
b5a7aef1 JK |
118 | if (ukp->datalen != sizeof(struct fscrypt_key)) { |
119 | res = -EINVAL; | |
b5a7aef1 JK |
120 | goto out; |
121 | } | |
122 | master_key = (struct fscrypt_key *)ukp->data; | |
123 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
124 | ||
b7e7cf7a DW |
125 | if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE |
126 | || master_key->size % AES_BLOCK_SIZE != 0) { | |
b5a7aef1 JK |
127 | printk_once(KERN_WARNING |
128 | "%s: key size incorrect: %d\n", | |
129 | __func__, master_key->size); | |
130 | res = -ENOKEY; | |
b5a7aef1 JK |
131 | goto out; |
132 | } | |
b7e7cf7a | 133 | res = derive_key_aes(ctx->nonce, master_key, raw_key); |
b5a7aef1 | 134 | out: |
1b53cf98 | 135 | up_read(&keyring_key->sem); |
b5a7aef1 JK |
136 | key_put(keyring_key); |
137 | return res; | |
138 | } | |
139 | ||
b7e7cf7a DW |
140 | static const struct { |
141 | const char *cipher_str; | |
142 | int keysize; | |
143 | } available_modes[] = { | |
144 | [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)", | |
145 | FS_AES_256_XTS_KEY_SIZE }, | |
146 | [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))", | |
147 | FS_AES_256_CTS_KEY_SIZE }, | |
148 | [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)", | |
149 | FS_AES_128_CBC_KEY_SIZE }, | |
150 | [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))", | |
151 | FS_AES_128_CTS_KEY_SIZE }, | |
152 | }; | |
153 | ||
8f39850d EB |
154 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, |
155 | const char **cipher_str_ret, int *keysize_ret) | |
156 | { | |
b7e7cf7a DW |
157 | u32 mode; |
158 | ||
159 | if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { | |
160 | pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n", | |
161 | inode->i_ino, | |
162 | ci->ci_data_mode, ci->ci_filename_mode); | |
163 | return -EINVAL; | |
8f39850d EB |
164 | } |
165 | ||
b7e7cf7a DW |
166 | if (S_ISREG(inode->i_mode)) { |
167 | mode = ci->ci_data_mode; | |
168 | } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
169 | mode = ci->ci_filename_mode; | |
170 | } else { | |
171 | WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", | |
172 | inode->i_ino, (inode->i_mode & S_IFMT)); | |
173 | return -EINVAL; | |
8f39850d EB |
174 | } |
175 | ||
b7e7cf7a DW |
176 | *cipher_str_ret = available_modes[mode].cipher_str; |
177 | *keysize_ret = available_modes[mode].keysize; | |
178 | return 0; | |
8f39850d EB |
179 | } |
180 | ||
0b81d077 | 181 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 182 | { |
0adda907 JK |
183 | if (!ci) |
184 | return; | |
185 | ||
d407574e | 186 | crypto_free_skcipher(ci->ci_ctfm); |
b7e7cf7a | 187 | crypto_free_cipher(ci->ci_essiv_tfm); |
0b81d077 | 188 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
189 | } |
190 | ||
b7e7cf7a DW |
191 | static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) |
192 | { | |
193 | struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm); | |
194 | ||
195 | /* init hash transform on demand */ | |
196 | if (unlikely(!tfm)) { | |
197 | struct crypto_shash *prev_tfm; | |
198 | ||
199 | tfm = crypto_alloc_shash("sha256", 0, 0); | |
200 | if (IS_ERR(tfm)) { | |
201 | pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n", | |
202 | PTR_ERR(tfm)); | |
203 | return PTR_ERR(tfm); | |
204 | } | |
205 | prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); | |
206 | if (prev_tfm) { | |
207 | crypto_free_shash(tfm); | |
208 | tfm = prev_tfm; | |
209 | } | |
210 | } | |
211 | ||
212 | { | |
213 | SHASH_DESC_ON_STACK(desc, tfm); | |
214 | desc->tfm = tfm; | |
215 | desc->flags = 0; | |
216 | ||
217 | return crypto_shash_digest(desc, key, keysize, salt); | |
218 | } | |
219 | } | |
220 | ||
221 | static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key, | |
222 | int keysize) | |
223 | { | |
224 | int err; | |
225 | struct crypto_cipher *essiv_tfm; | |
226 | u8 salt[SHA256_DIGEST_SIZE]; | |
227 | ||
228 | essiv_tfm = crypto_alloc_cipher("aes", 0, 0); | |
229 | if (IS_ERR(essiv_tfm)) | |
230 | return PTR_ERR(essiv_tfm); | |
231 | ||
232 | ci->ci_essiv_tfm = essiv_tfm; | |
233 | ||
234 | err = derive_essiv_salt(raw_key, keysize, salt); | |
235 | if (err) | |
236 | goto out; | |
237 | ||
238 | /* | |
239 | * Using SHA256 to derive the salt/key will result in AES-256 being | |
240 | * used for IV generation. File contents encryption will still use the | |
241 | * configured keysize (AES-128) nevertheless. | |
242 | */ | |
243 | err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt)); | |
244 | if (err) | |
245 | goto out; | |
246 | ||
247 | out: | |
248 | memzero_explicit(salt, sizeof(salt)); | |
249 | return err; | |
250 | } | |
251 | ||
252 | void __exit fscrypt_essiv_cleanup(void) | |
253 | { | |
254 | crypto_free_shash(essiv_hash_tfm); | |
255 | } | |
256 | ||
1b53cf98 | 257 | int fscrypt_get_encryption_info(struct inode *inode) |
0adda907 | 258 | { |
0b81d077 | 259 | struct fscrypt_info *crypt_info; |
0b81d077 | 260 | struct fscrypt_context ctx; |
d407574e | 261 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 262 | const char *cipher_str; |
8f39850d | 263 | int keysize; |
a6e08912 | 264 | u8 *raw_key = NULL; |
0adda907 JK |
265 | int res; |
266 | ||
1b53cf98 EB |
267 | if (inode->i_crypt_info) |
268 | return 0; | |
269 | ||
f32d7ac2 | 270 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); |
cfc4d971 JK |
271 | if (res) |
272 | return res; | |
0b81d077 | 273 | |
0b81d077 JK |
274 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
275 | if (res < 0) { | |
5bbdcbbb TT |
276 | if (!fscrypt_dummy_context_enabled(inode) || |
277 | inode->i_sb->s_cop->is_encrypted(inode)) | |
0b81d077 | 278 | return res; |
5bbdcbbb TT |
279 | /* Fake up a context for an unencrypted directory */ |
280 | memset(&ctx, 0, sizeof(ctx)); | |
8f39850d | 281 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; |
0b81d077 JK |
282 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; |
283 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
5bbdcbbb | 284 | memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE); |
0b81d077 | 285 | } else if (res != sizeof(ctx)) { |
0adda907 | 286 | return -EINVAL; |
0b81d077 | 287 | } |
8f39850d EB |
288 | |
289 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
290 | return -EINVAL; | |
291 | ||
292 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
293 | return -EINVAL; | |
0adda907 | 294 | |
0b81d077 | 295 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
296 | if (!crypt_info) |
297 | return -ENOMEM; | |
298 | ||
299 | crypt_info->ci_flags = ctx.flags; | |
300 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
301 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
302 | crypt_info->ci_ctfm = NULL; | |
b7e7cf7a | 303 | crypt_info->ci_essiv_tfm = NULL; |
0adda907 JK |
304 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, |
305 | sizeof(crypt_info->ci_master_key)); | |
640778fb | 306 | |
8f39850d EB |
307 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); |
308 | if (res) | |
26bf3dc7 | 309 | goto out; |
8f39850d | 310 | |
a6e08912 EB |
311 | /* |
312 | * This cannot be a stack buffer because it is passed to the scatterlist | |
313 | * crypto API as part of key derivation. | |
314 | */ | |
315 | res = -ENOMEM; | |
316 | raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); | |
317 | if (!raw_key) | |
318 | goto out; | |
319 | ||
b7e7cf7a DW |
320 | res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, |
321 | keysize); | |
b5a7aef1 | 322 | if (res && inode->i_sb->s_cop->key_prefix) { |
a5d431ef | 323 | int res2 = validate_user_key(crypt_info, &ctx, raw_key, |
b7e7cf7a DW |
324 | inode->i_sb->s_cop->key_prefix, |
325 | keysize); | |
b5a7aef1 JK |
326 | if (res2) { |
327 | if (res2 == -ENOKEY) | |
328 | res = -ENOKEY; | |
329 | goto out; | |
330 | } | |
331 | } else if (res) { | |
66aa3e12 JK |
332 | goto out; |
333 | } | |
d407574e | 334 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
335 | if (!ctfm || IS_ERR(ctfm)) { |
336 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
b7e7cf7a DW |
337 | pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n", |
338 | __func__, res, inode->i_ino); | |
26bf3dc7 | 339 | goto out; |
0adda907 | 340 | } |
26bf3dc7 | 341 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
342 | crypto_skcipher_clear_flags(ctfm, ~0); |
343 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
b7e7cf7a DW |
344 | /* |
345 | * if the provided key is longer than keysize, we use the first | |
346 | * keysize bytes of the derived key only | |
347 | */ | |
8f39850d | 348 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); |
26bf3dc7 JK |
349 | if (res) |
350 | goto out; | |
351 | ||
b7e7cf7a DW |
352 | if (S_ISREG(inode->i_mode) && |
353 | crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { | |
354 | res = init_essiv_generator(crypt_info, raw_key, keysize); | |
355 | if (res) { | |
356 | pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", | |
357 | __func__, res, inode->i_ino); | |
358 | goto out; | |
359 | } | |
360 | } | |
1b53cf98 EB |
361 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) |
362 | crypt_info = NULL; | |
26bf3dc7 | 363 | out: |
0b81d077 | 364 | if (res == -ENOKEY) |
26bf3dc7 | 365 | res = 0; |
0b81d077 | 366 | put_crypt_info(crypt_info); |
a6e08912 | 367 | kzfree(raw_key); |
0adda907 JK |
368 | return res; |
369 | } | |
1b53cf98 | 370 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |
0adda907 | 371 | |
0b81d077 | 372 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 373 | { |
0b81d077 JK |
374 | struct fscrypt_info *prev; |
375 | ||
376 | if (ci == NULL) | |
377 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
378 | if (ci == NULL) | |
379 | return; | |
0adda907 | 380 | |
0b81d077 JK |
381 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
382 | if (prev != ci) | |
383 | return; | |
384 | ||
385 | put_crypt_info(ci); | |
386 | } | |
387 | EXPORT_SYMBOL(fscrypt_put_encryption_info); |