[linux-2.6-block.git] / fs / crypto / keysetup.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Key setup facility for FS encryption support.
 *
 * Copyright (C) 2015, Google, Inc.
 *
 * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
 * Heavily modified since then.
 */

#include <crypto/aes.h>
#include <crypto/sha.h>
#include <crypto/skcipher.h>
#include <linux/key.h>

#include "fscrypt_private.h"

static struct crypto_shash *essiv_hash_tfm;

static struct fscrypt_mode available_modes[] = {
	[FSCRYPT_MODE_AES_256_XTS] = {
		.friendly_name = "AES-256-XTS",
		.cipher_str = "xts(aes)",
		.keysize = 64,
		.ivsize = 16,
	},
	[FSCRYPT_MODE_AES_256_CTS] = {
		.friendly_name = "AES-256-CTS-CBC",
		.cipher_str = "cts(cbc(aes))",
		.keysize = 32,
		.ivsize = 16,
	},
	[FSCRYPT_MODE_AES_128_CBC] = {
		.friendly_name = "AES-128-CBC",
		.cipher_str = "cbc(aes)",
		.keysize = 16,
		.ivsize = 16,
		.needs_essiv = true,
	},
	[FSCRYPT_MODE_AES_128_CTS] = {
		.friendly_name = "AES-128-CTS-CBC",
		.cipher_str = "cts(cbc(aes))",
		.keysize = 16,
		.ivsize = 16,
	},
	[FSCRYPT_MODE_ADIANTUM] = {
		.friendly_name = "Adiantum",
		.cipher_str = "adiantum(xchacha12,aes)",
		.keysize = 32,
		.ivsize = 32,
	},
};

static struct fscrypt_mode *
select_encryption_mode(const union fscrypt_policy *policy,
		       const struct inode *inode)
{
	if (S_ISREG(inode->i_mode))
		return &available_modes[fscrypt_policy_contents_mode(policy)];

	if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
		return &available_modes[fscrypt_policy_fnames_mode(policy)];

	WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
		  inode->i_ino, (inode->i_mode & S_IFMT));
	return ERR_PTR(-EINVAL);
}

/* Create a symmetric cipher object for the given encryption mode and key */
struct crypto_skcipher *fscrypt_allocate_skcipher(struct fscrypt_mode *mode,
						  const u8 *raw_key,
						  const struct inode *inode)
{
	struct crypto_skcipher *tfm;
	int err;

	tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
	if (IS_ERR(tfm)) {
		if (PTR_ERR(tfm) == -ENOENT) {
			fscrypt_warn(inode,
				     "Missing crypto API support for %s (API name: \"%s\")",
				     mode->friendly_name, mode->cipher_str);
			return ERR_PTR(-ENOPKG);
		}
		fscrypt_err(inode, "Error allocating '%s' transform: %ld",
			    mode->cipher_str, PTR_ERR(tfm));
		return tfm;
	}
	if (unlikely(!mode->logged_impl_name)) {
		/*
		 * fscrypt performance can vary greatly depending on which
		 * crypto algorithm implementation is used.  Help people debug
		 * performance problems by logging the ->cra_driver_name the
		 * first time a mode is used.  Note that multiple threads can
		 * race here, but it doesn't really matter.
		 */
		mode->logged_impl_name = true;
		pr_info("fscrypt: %s using implementation \"%s\"\n",
			mode->friendly_name,
			crypto_skcipher_alg(tfm)->base.cra_driver_name);
	}
	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
	err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize);
	if (err)
		goto err_free_tfm;

	return tfm;

err_free_tfm:
	crypto_free_skcipher(tfm);
	return ERR_PTR(err);
}

static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt)
{
	struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm);

	/* init hash transform on demand */
	if (unlikely(!tfm)) {
		struct crypto_shash *prev_tfm;

		tfm = crypto_alloc_shash("sha256", 0, 0);
		if (IS_ERR(tfm)) {
			if (PTR_ERR(tfm) == -ENOENT) {
				fscrypt_warn(NULL,
					     "Missing crypto API support for SHA-256");
				return -ENOPKG;
			}
			fscrypt_err(NULL,
				    "Error allocating SHA-256 transform: %ld",
				    PTR_ERR(tfm));
			return PTR_ERR(tfm);
		}
		prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
		if (prev_tfm) {
			crypto_free_shash(tfm);
			tfm = prev_tfm;
		}
	}

	{
		SHASH_DESC_ON_STACK(desc, tfm);
		desc->tfm = tfm;

		return crypto_shash_digest(desc, key, keysize, salt);
	}
}

static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key,
				int keysize)
{
	int err;
	struct crypto_cipher *essiv_tfm;
	u8 salt[SHA256_DIGEST_SIZE];

	if (WARN_ON(ci->ci_mode->ivsize != AES_BLOCK_SIZE))
		return -EINVAL;

	essiv_tfm = crypto_alloc_cipher("aes", 0, 0);
	if (IS_ERR(essiv_tfm))
		return PTR_ERR(essiv_tfm);

	ci->ci_essiv_tfm = essiv_tfm;

	err = derive_essiv_salt(raw_key, keysize, salt);
	if (err)
		goto out;

	/*
	 * Using SHA256 to derive the salt/key will result in AES-256 being
	 * used for IV generation. File contents encryption will still use the
	 * configured keysize (AES-128) nevertheless.
	 */
	err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt));
	if (err)
		goto out;

out:
	memzero_explicit(salt, sizeof(salt));
	return err;
}

/* Given the per-file key, set up the file's crypto transform object(s) */
int fscrypt_set_derived_key(struct fscrypt_info *ci, const u8 *derived_key)
{
	struct fscrypt_mode *mode = ci->ci_mode;
	struct crypto_skcipher *ctfm;
	int err;

	ctfm = fscrypt_allocate_skcipher(mode, derived_key, ci->ci_inode);
	if (IS_ERR(ctfm))
		return PTR_ERR(ctfm);

	ci->ci_ctfm = ctfm;

	if (mode->needs_essiv) {
		err = init_essiv_generator(ci, derived_key, mode->keysize);
		if (err) {
			fscrypt_warn(ci->ci_inode,
				     "Error initializing ESSIV generator: %d",
				     err);
			return err;
		}
	}
	return 0;
}

static int setup_per_mode_key(struct fscrypt_info *ci,
			      struct fscrypt_master_key *mk)
{
	struct fscrypt_mode *mode = ci->ci_mode;
	u8 mode_num = mode - available_modes;
	struct crypto_skcipher *tfm, *prev_tfm;
	u8 mode_key[FSCRYPT_MAX_KEY_SIZE];
	int err;

	if (WARN_ON(mode_num >= ARRAY_SIZE(mk->mk_mode_keys)))
		return -EINVAL;

	/* pairs with cmpxchg() below */
	tfm = READ_ONCE(mk->mk_mode_keys[mode_num]);
	if (likely(tfm != NULL))
		goto done;

	BUILD_BUG_ON(sizeof(mode_num) != 1);
	err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
				  HKDF_CONTEXT_PER_MODE_KEY,
				  &mode_num, sizeof(mode_num),
				  mode_key, mode->keysize);
	if (err)
		return err;
	tfm = fscrypt_allocate_skcipher(mode, mode_key, ci->ci_inode);
	memzero_explicit(mode_key, mode->keysize);
	if (IS_ERR(tfm))
		return PTR_ERR(tfm);

	/* pairs with READ_ONCE() above */
	prev_tfm = cmpxchg(&mk->mk_mode_keys[mode_num], NULL, tfm);
	if (prev_tfm != NULL) {
		crypto_free_skcipher(tfm);
		tfm = prev_tfm;
	}
done:
	ci->ci_ctfm = tfm;
	return 0;
}

static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,
				     struct fscrypt_master_key *mk)
{
	u8 derived_key[FSCRYPT_MAX_KEY_SIZE];
	int err;

	if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
		/*
		 * DIRECT_KEY: instead of deriving per-file keys, the per-file
		 * nonce will be included in all the IVs.  But unlike v1
		 * policies, for v2 policies in this case we don't encrypt with
		 * the master key directly but rather derive a per-mode key.
		 * This ensures that the master key is consistently used only
		 * for HKDF, avoiding key reuse issues.
		 */
		if (!fscrypt_mode_supports_direct_key(ci->ci_mode)) {
			fscrypt_warn(ci->ci_inode,
				     "Direct key flag not allowed with %s",
				     ci->ci_mode->friendly_name);
			return -EINVAL;
		}
		return setup_per_mode_key(ci, mk);
	}

	err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
				  HKDF_CONTEXT_PER_FILE_KEY,
				  ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE,
				  derived_key, ci->ci_mode->keysize);
	if (err)
		return err;

	err = fscrypt_set_derived_key(ci, derived_key);
	memzero_explicit(derived_key, ci->ci_mode->keysize);
	return err;
}

/*
 * Find the master key, then set up the inode's actual encryption key.
 *
 * If the master key is found in the filesystem-level keyring, then the
 * corresponding 'struct key' is returned in *master_key_ret with
 * ->mk_secret_sem read-locked.  This is needed to ensure that only one task
 * links the fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race
 * to create an fscrypt_info for the same inode), and to synchronize the master
 * key being removed with a new inode starting to use it.
 */
static int setup_file_encryption_key(struct fscrypt_info *ci,
				     struct key **master_key_ret)
{
	struct key *key;
	struct fscrypt_master_key *mk = NULL;
	struct fscrypt_key_specifier mk_spec;
	int err;

	switch (ci->ci_policy.version) {
	case FSCRYPT_POLICY_V1:
		mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
		memcpy(mk_spec.u.descriptor,
		       ci->ci_policy.v1.master_key_descriptor,
		       FSCRYPT_KEY_DESCRIPTOR_SIZE);
		break;
	case FSCRYPT_POLICY_V2:
		mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
		memcpy(mk_spec.u.identifier,
		       ci->ci_policy.v2.master_key_identifier,
		       FSCRYPT_KEY_IDENTIFIER_SIZE);
		break;
	default:
		WARN_ON(1);
		return -EINVAL;
	}

	key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
	if (IS_ERR(key)) {
		if (key != ERR_PTR(-ENOKEY) ||
		    ci->ci_policy.version != FSCRYPT_POLICY_V1)
			return PTR_ERR(key);

		/*
		 * As a legacy fallback for v1 policies, search for the key in
		 * the current task's subscribed keyrings too.  Don't move this
		 * to before the search of ->s_master_keys, since users
		 * shouldn't be able to override filesystem-level keys.
		 */
		return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci);
	}

	mk = key->payload.data[0];
	down_read(&mk->mk_secret_sem);

	/* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */
	if (!is_master_key_secret_present(&mk->mk_secret)) {
		err = -ENOKEY;
		goto out_release_key;
	}

	/*
	 * Require that the master key be at least as long as the derived key.
	 * Otherwise, the derived key cannot possibly contain as much entropy as
	 * that required by the encryption mode it will be used for.  For v1
	 * policies it's also required for the KDF to work at all.
	 */
	if (mk->mk_secret.size < ci->ci_mode->keysize) {
		fscrypt_warn(NULL,
			     "key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
			     master_key_spec_type(&mk_spec),
			     master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u,
			     mk->mk_secret.size, ci->ci_mode->keysize);
		err = -ENOKEY;
		goto out_release_key;
	}

	switch (ci->ci_policy.version) {
	case FSCRYPT_POLICY_V1:
		err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw);
		break;
	case FSCRYPT_POLICY_V2:
		err = fscrypt_setup_v2_file_key(ci, mk);
		break;
	default:
		WARN_ON(1);
		err = -EINVAL;
		break;
	}
	if (err)
		goto out_release_key;

	*master_key_ret = key;
	return 0;

out_release_key:
	up_read(&mk->mk_secret_sem);
	key_put(key);
	return err;
}

static void put_crypt_info(struct fscrypt_info *ci)
{
	struct key *key;

	if (!ci)
		return;

	if (ci->ci_direct_key) {
		fscrypt_put_direct_key(ci->ci_direct_key);
	} else if ((ci->ci_ctfm != NULL || ci->ci_essiv_tfm != NULL) &&
		   !fscrypt_is_direct_key_policy(&ci->ci_policy)) {
		crypto_free_skcipher(ci->ci_ctfm);
		crypto_free_cipher(ci->ci_essiv_tfm);
	}

	key = ci->ci_master_key;
	if (key) {
		struct fscrypt_master_key *mk = key->payload.data[0];

		/*
		 * Remove this inode from the list of inodes that were unlocked
		 * with the master key.
		 *
		 * In addition, if we're removing the last inode from a key that
		 * already had its secret removed, invalidate the key so that it
		 * gets removed from ->s_master_keys.
		 */
		spin_lock(&mk->mk_decrypted_inodes_lock);
		list_del(&ci->ci_master_key_link);
		spin_unlock(&mk->mk_decrypted_inodes_lock);
		if (refcount_dec_and_test(&mk->mk_refcount))
			key_invalidate(key);
		key_put(key);
	}
	kmem_cache_free(fscrypt_info_cachep, ci);
}

int fscrypt_get_encryption_info(struct inode *inode)
{
	struct fscrypt_info *crypt_info;
	union fscrypt_context ctx;
	struct fscrypt_mode *mode;
	struct key *master_key = NULL;
	int res;

	if (fscrypt_has_encryption_key(inode))
		return 0;

	res = fscrypt_initialize(inode->i_sb->s_cop->flags);
	if (res)
		return res;

	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	if (res < 0) {
		if (!fscrypt_dummy_context_enabled(inode) ||
		    IS_ENCRYPTED(inode)) {
			fscrypt_warn(inode,
				     "Error %d getting encryption context",
				     res);
			return res;
		}
		/* Fake up a context for an unencrypted directory */
		memset(&ctx, 0, sizeof(ctx));
		ctx.version = FSCRYPT_CONTEXT_V1;
		ctx.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
		ctx.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
		memset(ctx.v1.master_key_descriptor, 0x42,
		       FSCRYPT_KEY_DESCRIPTOR_SIZE);
		res = sizeof(ctx.v1);
	}

	crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS);
	if (!crypt_info)
		return -ENOMEM;

	crypt_info->ci_inode = inode;

	res = fscrypt_policy_from_context(&crypt_info->ci_policy, &ctx, res);
	if (res) {
		fscrypt_warn(inode,
			     "Unrecognized or corrupt encryption context");
		goto out;
	}

	switch (ctx.version) {
	case FSCRYPT_CONTEXT_V1:
		memcpy(crypt_info->ci_nonce, ctx.v1.nonce,
		       FS_KEY_DERIVATION_NONCE_SIZE);
		break;
	case FSCRYPT_CONTEXT_V2:
		memcpy(crypt_info->ci_nonce, ctx.v2.nonce,
		       FS_KEY_DERIVATION_NONCE_SIZE);
		break;
	default:
		WARN_ON(1);
		res = -EINVAL;
		goto out;
	}

	if (!fscrypt_supported_policy(&crypt_info->ci_policy, inode)) {
		res = -EINVAL;
		goto out;
	}

	mode = select_encryption_mode(&crypt_info->ci_policy, inode);
	if (IS_ERR(mode)) {
		res = PTR_ERR(mode);
		goto out;
	}
	WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE);
	crypt_info->ci_mode = mode;

	res = setup_file_encryption_key(crypt_info, &master_key);
	if (res)
		goto out;

	if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) {
		if (master_key) {
			struct fscrypt_master_key *mk =
				master_key->payload.data[0];

			refcount_inc(&mk->mk_refcount);
			crypt_info->ci_master_key = key_get(master_key);
			spin_lock(&mk->mk_decrypted_inodes_lock);
			list_add(&crypt_info->ci_master_key_link,
				 &mk->mk_decrypted_inodes);
			spin_unlock(&mk->mk_decrypted_inodes_lock);
		}
		crypt_info = NULL;
	}
	res = 0;
out:
	if (master_key) {
		struct fscrypt_master_key *mk = master_key->payload.data[0];

		up_read(&mk->mk_secret_sem);
		key_put(master_key);
	}
	if (res == -ENOKEY)
		res = 0;
	put_crypt_info(crypt_info);
	return res;
}
EXPORT_SYMBOL(fscrypt_get_encryption_info);

/**
 * fscrypt_put_encryption_info - free most of an inode's fscrypt data
 *
 * Free the inode's fscrypt_info.  Filesystems must call this when the inode is
 * being evicted.  An RCU grace period need not have elapsed yet.
 */
void fscrypt_put_encryption_info(struct inode *inode)
{
	put_crypt_info(inode->i_crypt_info);
	inode->i_crypt_info = NULL;
}
EXPORT_SYMBOL(fscrypt_put_encryption_info);

/**
 * fscrypt_free_inode - free an inode's fscrypt data requiring RCU delay
 *
 * Free the inode's cached decrypted symlink target, if any.  Filesystems must
 * call this after an RCU grace period, just before they free the inode.
 */
void fscrypt_free_inode(struct inode *inode)
{
	if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) {
		kfree(inode->i_link);
		inode->i_link = NULL;
	}
}
EXPORT_SYMBOL(fscrypt_free_inode);

/**
 * fscrypt_drop_inode - check whether the inode's master key has been removed
 *
 * Filesystems supporting fscrypt must call this from their ->drop_inode()
 * method so that encrypted inodes are evicted as soon as they're no longer in
 * use and their master key has been removed.
 *
 * Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0
 */
int fscrypt_drop_inode(struct inode *inode)
{
	const struct fscrypt_info *ci = READ_ONCE(inode->i_crypt_info);
	const struct fscrypt_master_key *mk;

	/*
	 * If ci is NULL, then the inode doesn't have an encryption key set up
	 * so it's irrelevant.  If ci_master_key is NULL, then the master key
	 * was provided via the legacy mechanism of the process-subscribed
	 * keyrings, so we don't know whether it's been removed or not.
	 */
	if (!ci || !ci->ci_master_key)
		return 0;
	mk = ci->ci_master_key->payload.data[0];

	/*
	 * Note: since we aren't holding ->mk_secret_sem, the result here can
	 * immediately become outdated.  But there's no correctness problem with
	 * unnecessarily evicting.  Nor is there a correctness problem with not
	 * evicting while iput() is racing with the key being removed, since
	 * then the thread removing the key will either evict the inode itself
	 * or will correctly detect that it wasn't evicted due to the race.
	 */
	return !is_master_key_secret_present(&mk->mk_secret);
}
EXPORT_SYMBOL_GPL(fscrypt_drop_inode);
Commit	Line	Data
b2441318	1	// SPDX-License-Identifier: GPL-2.0
0adda907	2	/*
3ec4f2a6	3	* Key setup facility for FS encryption support.
0adda907 JK	4	*
	5	* Copyright (C) 2015, Google, Inc.
	6	*
3ec4f2a6 EB	7	* Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
3ec4f2a6 EB	8	* Heavily modified since then.
0adda907	9	*/
0b81d077	10
b7e7cf7a DW	11	#include <crypto/aes.h>
b7e7cf7a DW	12	#include <crypto/sha.h>
a575784c	13	#include <crypto/skcipher.h>
0109ce76 EB	14	#include <linux/key.h>
0109ce76 EB	15
3325bea5	16	#include "fscrypt_private.h"
0adda907	17
b7e7cf7a DW	18	static struct crypto_shash *essiv_hash_tfm;
b7e7cf7a DW	19
8094c3ce	20	static struct fscrypt_mode available_modes[] = {
3b6df59b	21	[FSCRYPT_MODE_AES_256_XTS] = {
e1cc40e5 EB	22	.friendly_name = "AES-256-XTS",
	23	.cipher_str = "xts(aes)",
	24	.keysize = 64,
8094c3ce	25	.ivsize = 16,
e1cc40e5	26	},
3b6df59b	27	[FSCRYPT_MODE_AES_256_CTS] = {
e1cc40e5 EB	28	.friendly_name = "AES-256-CTS-CBC",
	29	.cipher_str = "cts(cbc(aes))",
	30	.keysize = 32,
8094c3ce	31	.ivsize = 16,
e1cc40e5	32	},
3b6df59b	33	[FSCRYPT_MODE_AES_128_CBC] = {
e1cc40e5 EB	34	.friendly_name = "AES-128-CBC",
	35	.cipher_str = "cbc(aes)",
	36	.keysize = 16,
8094c3ce EB	37	.ivsize = 16,
8094c3ce EB	38	.needs_essiv = true,
e1cc40e5	39	},
3b6df59b	40	[FSCRYPT_MODE_AES_128_CTS] = {
e1cc40e5 EB	41	.friendly_name = "AES-128-CTS-CBC",
	42	.cipher_str = "cts(cbc(aes))",
	43	.keysize = 16,
8094c3ce EB	44	.ivsize = 16,
8094c3ce EB	45	},
3b6df59b	46	[FSCRYPT_MODE_ADIANTUM] = {
8094c3ce EB	47	.friendly_name = "Adiantum",
	48	.cipher_str = "adiantum(xchacha12,aes)",
	49	.keysize = 32,
	50	.ivsize = 32,
e1cc40e5	51	},
b7e7cf7a DW	52	};
b7e7cf7a DW	53
e1cc40e5	54	static struct fscrypt_mode *
5dae460c EB	55	select_encryption_mode(const union fscrypt_policy *policy,
5dae460c EB	56	const struct inode *inode)
8f39850d	57	{
e1cc40e5	58	if (S_ISREG(inode->i_mode))
5dae460c	59	return &available_modes[fscrypt_policy_contents_mode(policy)];
e1cc40e5 EB	60
e1cc40e5 EB	61	if (S_ISDIR(inode->i_mode) \|\| S_ISLNK(inode->i_mode))
5dae460c	62	return &available_modes[fscrypt_policy_fnames_mode(policy)];
8f39850d	63
e1cc40e5 EB	64	WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
	65	inode->i_ino, (inode->i_mode & S_IFMT));
	66	return ERR_PTR(-EINVAL);
8f39850d EB	67	}
8f39850d EB	68
3ec4f2a6	69	/* Create a symmetric cipher object for the given encryption mode and key */
0109ce76 EB	70	struct crypto_skcipher fscrypt_allocate_skcipher(struct fscrypt_mode mode,
	71	const u8 *raw_key,
	72	const struct inode *inode)
8094c3ce EB	73	{
	74	struct crypto_skcipher *tfm;
	75	int err;
	76
	77	tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
	78	if (IS_ERR(tfm)) {
29a98c1c	79	if (PTR_ERR(tfm) == -ENOENT) {
a4d14e91 EB	80	fscrypt_warn(inode,
	81	"Missing crypto API support for %s (API name: \"%s\")",
	82	mode->friendly_name, mode->cipher_str);
29a98c1c EB	83	return ERR_PTR(-ENOPKG);
	84	}
	85	fscrypt_err(inode, "Error allocating '%s' transform: %ld",
	86	mode->cipher_str, PTR_ERR(tfm));
8094c3ce EB	87	return tfm;
	88	}
	89	if (unlikely(!mode->logged_impl_name)) {
	90	/*
	91	* fscrypt performance can vary greatly depending on which
	92	* crypto algorithm implementation is used. Help people debug
	93	* performance problems by logging the ->cra_driver_name the
	94	* first time a mode is used. Note that multiple threads can
	95	* race here, but it doesn't really matter.
	96	*/
	97	mode->logged_impl_name = true;
	98	pr_info("fscrypt: %s using implementation \"%s\"\n",
	99	mode->friendly_name,
	100	crypto_skcipher_alg(tfm)->base.cra_driver_name);
	101	}
231baecd	102	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
8094c3ce EB	103	err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize);
	104	if (err)
	105	goto err_free_tfm;
	106
	107	return tfm;
	108
	109	err_free_tfm:
	110	crypto_free_skcipher(tfm);
	111	return ERR_PTR(err);
	112	}
	113
b7e7cf7a DW	114	static int derive_essiv_salt(const u8 key, int keysize, u8 salt)
	115	{
	116	struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm);
	117
	118	/* init hash transform on demand */
	119	if (unlikely(!tfm)) {
	120	struct crypto_shash *prev_tfm;
	121
	122	tfm = crypto_alloc_shash("sha256", 0, 0);
	123	if (IS_ERR(tfm)) {
29a98c1c	124	if (PTR_ERR(tfm) == -ENOENT) {
a4d14e91 EB	125	fscrypt_warn(NULL,
a4d14e91 EB	126	"Missing crypto API support for SHA-256");
29a98c1c EB	127	return -ENOPKG;
	128	}
	129	fscrypt_err(NULL,
	130	"Error allocating SHA-256 transform: %ld",
	131	PTR_ERR(tfm));
b7e7cf7a DW	132	return PTR_ERR(tfm);
	133	}
	134	prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
	135	if (prev_tfm) {
	136	crypto_free_shash(tfm);
	137	tfm = prev_tfm;
	138	}
	139	}
	140
	141	{
	142	SHASH_DESC_ON_STACK(desc, tfm);
	143	desc->tfm = tfm;
b7e7cf7a DW	144
	145	return crypto_shash_digest(desc, key, keysize, salt);
	146	}
	147	}
	148
	149	static int init_essiv_generator(struct fscrypt_info ci, const u8 raw_key,
	150	int keysize)
	151	{
	152	int err;
	153	struct crypto_cipher *essiv_tfm;
	154	u8 salt[SHA256_DIGEST_SIZE];
	155
3ec4f2a6 EB	156	if (WARN_ON(ci->ci_mode->ivsize != AES_BLOCK_SIZE))
	157	return -EINVAL;
	158
b7e7cf7a DW	159	essiv_tfm = crypto_alloc_cipher("aes", 0, 0);
	160	if (IS_ERR(essiv_tfm))
	161	return PTR_ERR(essiv_tfm);
	162
	163	ci->ci_essiv_tfm = essiv_tfm;
	164
	165	err = derive_essiv_salt(raw_key, keysize, salt);
	166	if (err)
	167	goto out;
	168
	169	/*
	170	* Using SHA256 to derive the salt/key will result in AES-256 being
	171	* used for IV generation. File contents encryption will still use the
	172	* configured keysize (AES-128) nevertheless.
	173	*/
	174	err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt));
	175	if (err)
	176	goto out;
	177
	178	out:
	179	memzero_explicit(salt, sizeof(salt));
	180	return err;
	181	}
	182
3ec4f2a6	183	/* Given the per-file key, set up the file's crypto transform object(s) */
0109ce76	184	int fscrypt_set_derived_key(struct fscrypt_info ci, const u8 derived_key)
8094c3ce	185	{
3ec4f2a6	186	struct fscrypt_mode *mode = ci->ci_mode;
8094c3ce EB	187	struct crypto_skcipher *ctfm;
	188	int err;
	189
3ec4f2a6 EB	190	ctfm = fscrypt_allocate_skcipher(mode, derived_key, ci->ci_inode);
	191	if (IS_ERR(ctfm))
	192	return PTR_ERR(ctfm);
	193
8094c3ce EB	194	ci->ci_ctfm = ctfm;
	195
	196	if (mode->needs_essiv) {
3ec4f2a6	197	err = init_essiv_generator(ci, derived_key, mode->keysize);
8094c3ce	198	if (err) {
3ec4f2a6	199	fscrypt_warn(ci->ci_inode,
886da8b3 EB	200	"Error initializing ESSIV generator: %d",
886da8b3 EB	201	err);
8094c3ce EB	202	return err;
	203	}
	204	}
	205	return 0;
	206	}
	207
5dae460c EB	208	static int setup_per_mode_key(struct fscrypt_info *ci,
	209	struct fscrypt_master_key *mk)
	210	{
	211	struct fscrypt_mode *mode = ci->ci_mode;
	212	u8 mode_num = mode - available_modes;
	213	struct crypto_skcipher tfm, prev_tfm;
	214	u8 mode_key[FSCRYPT_MAX_KEY_SIZE];
	215	int err;
	216
	217	if (WARN_ON(mode_num >= ARRAY_SIZE(mk->mk_mode_keys)))
	218	return -EINVAL;
	219
	220	/* pairs with cmpxchg() below */
	221	tfm = READ_ONCE(mk->mk_mode_keys[mode_num]);
	222	if (likely(tfm != NULL))
	223	goto done;
	224
	225	BUILD_BUG_ON(sizeof(mode_num) != 1);
	226	err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
	227	HKDF_CONTEXT_PER_MODE_KEY,
	228	&mode_num, sizeof(mode_num),
	229	mode_key, mode->keysize);
	230	if (err)
	231	return err;
	232	tfm = fscrypt_allocate_skcipher(mode, mode_key, ci->ci_inode);
	233	memzero_explicit(mode_key, mode->keysize);
	234	if (IS_ERR(tfm))
	235	return PTR_ERR(tfm);
	236
	237	/* pairs with READ_ONCE() above */
	238	prev_tfm = cmpxchg(&mk->mk_mode_keys[mode_num], NULL, tfm);
	239	if (prev_tfm != NULL) {
	240	crypto_free_skcipher(tfm);
	241	tfm = prev_tfm;
	242	}
	243	done:
	244	ci->ci_ctfm = tfm;
	245	return 0;
	246	}
	247
	248	static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,
	249	struct fscrypt_master_key *mk)
	250	{
	251	u8 derived_key[FSCRYPT_MAX_KEY_SIZE];
	252	int err;
	253
	254	if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
	255	/*
	256	* DIRECT_KEY: instead of deriving per-file keys, the per-file
	257	* nonce will be included in all the IVs. But unlike v1
	258	* policies, for v2 policies in this case we don't encrypt with
	259	* the master key directly but rather derive a per-mode key.
	260	* This ensures that the master key is consistently used only
	261	* for HKDF, avoiding key reuse issues.
	262	*/
	263	if (!fscrypt_mode_supports_direct_key(ci->ci_mode)) {
	264	fscrypt_warn(ci->ci_inode,
	265	"Direct key flag not allowed with %s",
	266	ci->ci_mode->friendly_name);
	267	return -EINVAL;
	268	}
	269	return setup_per_mode_key(ci, mk);
	270	}
	271
272	err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
273	HKDF_CONTEXT_PER_FILE_KEY,
274	ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE,
275	derived_key, ci->ci_mode->keysize);
276	if (err)
277	return err;
278
279	err = fscrypt_set_derived_key(ci, derived_key);
280	memzero_explicit(derived_key, ci->ci_mode->keysize);
281	return err;
282	}
283
3ec4f2a6 EB	284	/*
3ec4f2a6 EB	285	* Find the master key, then set up the inode's actual encryption key.
b1c0ec35 EB	286	*
	287	* If the master key is found in the filesystem-level keyring, then the
	288	* corresponding 'struct key' is returned in *master_key_ret with
23c688b5 EB	289	* ->mk_secret_sem read-locked. This is needed to ensure that only one task
	290	* links the fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race
	291	* to create an fscrypt_info for the same inode), and to synchronize the master
	292	* key being removed with a new inode starting to use it.
3ec4f2a6	293	*/
b1c0ec35 EB	294	static int setup_file_encryption_key(struct fscrypt_info *ci,
b1c0ec35 EB	295	struct key **master_key_ret)
3ec4f2a6	296	{
22d94f49 EB	297	struct key *key;
	298	struct fscrypt_master_key *mk = NULL;
	299	struct fscrypt_key_specifier mk_spec;
	300	int err;
	301
5dae460c EB	302	switch (ci->ci_policy.version) {
	303	case FSCRYPT_POLICY_V1:
	304	mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
	305	memcpy(mk_spec.u.descriptor,
	306	ci->ci_policy.v1.master_key_descriptor,
	307	FSCRYPT_KEY_DESCRIPTOR_SIZE);
	308	break;
	309	case FSCRYPT_POLICY_V2:
	310	mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
	311	memcpy(mk_spec.u.identifier,
	312	ci->ci_policy.v2.master_key_identifier,
	313	FSCRYPT_KEY_IDENTIFIER_SIZE);
	314	break;
	315	default:
	316	WARN_ON(1);
	317	return -EINVAL;
	318	}
22d94f49 EB	319
	320	key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
	321	if (IS_ERR(key)) {
5dae460c EB	322	if (key != ERR_PTR(-ENOKEY) \|\|
5dae460c EB	323	ci->ci_policy.version != FSCRYPT_POLICY_V1)
22d94f49 EB	324	return PTR_ERR(key);
22d94f49 EB	325
5dae460c EB	326	/*
	327	* As a legacy fallback for v1 policies, search for the key in
	328	* the current task's subscribed keyrings too. Don't move this
	329	* to before the search of ->s_master_keys, since users
	330	* shouldn't be able to override filesystem-level keys.
	331	*/
22d94f49 EB	332	return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci);
	333	}
	334
	335	mk = key->payload.data[0];
23c688b5	336	down_read(&mk->mk_secret_sem);
b1c0ec35 EB	337
	338	/* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */
	339	if (!is_master_key_secret_present(&mk->mk_secret)) {
	340	err = -ENOKEY;
	341	goto out_release_key;
	342	}
22d94f49	343
5dae460c EB	344	/*
	345	* Require that the master key be at least as long as the derived key.
	346	* Otherwise, the derived key cannot possibly contain as much entropy as
	347	* that required by the encryption mode it will be used for. For v1
	348	* policies it's also required for the KDF to work at all.
	349	*/
22d94f49 EB	350	if (mk->mk_secret.size < ci->ci_mode->keysize) {
	351	fscrypt_warn(NULL,
	352	"key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
	353	master_key_spec_type(&mk_spec),
	354	master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u,
	355	mk->mk_secret.size, ci->ci_mode->keysize);
	356	err = -ENOKEY;
	357	goto out_release_key;
	358	}
	359
5dae460c EB	360	switch (ci->ci_policy.version) {
	361	case FSCRYPT_POLICY_V1:
	362	err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw);
	363	break;
	364	case FSCRYPT_POLICY_V2:
	365	err = fscrypt_setup_v2_file_key(ci, mk);
	366	break;
	367	default:
	368	WARN_ON(1);
	369	err = -EINVAL;
	370	break;
	371	}
b1c0ec35 EB	372	if (err)
	373	goto out_release_key;
	374
	375	*master_key_ret = key;
	376	return 0;
22d94f49 EB	377
22d94f49 EB	378	out_release_key:
23c688b5	379	up_read(&mk->mk_secret_sem);
22d94f49 EB	380	key_put(key);
22d94f49 EB	381	return err;
3ec4f2a6 EB	382	}
3ec4f2a6 EB	383
8094c3ce EB	384	static void put_crypt_info(struct fscrypt_info *ci)
8094c3ce EB	385	{
b1c0ec35 EB	386	struct key *key;
b1c0ec35 EB	387
8094c3ce EB	388	if (!ci)
	389	return;
	390
a828daab	391	if (ci->ci_direct_key) {
0109ce76	392	fscrypt_put_direct_key(ci->ci_direct_key);
5dae460c EB	393	} else if ((ci->ci_ctfm != NULL \|\| ci->ci_essiv_tfm != NULL) &&
5dae460c EB	394	!fscrypt_is_direct_key_policy(&ci->ci_policy)) {
8094c3ce EB	395	crypto_free_skcipher(ci->ci_ctfm);
	396	crypto_free_cipher(ci->ci_essiv_tfm);
	397	}
b1c0ec35 EB	398
	399	key = ci->ci_master_key;
	400	if (key) {
	401	struct fscrypt_master_key *mk = key->payload.data[0];
	402
	403	/*
	404	* Remove this inode from the list of inodes that were unlocked
	405	* with the master key.
	406	*
	407	* In addition, if we're removing the last inode from a key that
	408	* already had its secret removed, invalidate the key so that it
	409	* gets removed from ->s_master_keys.
	410	*/
	411	spin_lock(&mk->mk_decrypted_inodes_lock);
	412	list_del(&ci->ci_master_key_link);
	413	spin_unlock(&mk->mk_decrypted_inodes_lock);
	414	if (refcount_dec_and_test(&mk->mk_refcount))
	415	key_invalidate(key);
	416	key_put(key);
	417	}
8094c3ce EB	418	kmem_cache_free(fscrypt_info_cachep, ci);
	419	}
	420
1b53cf98	421	int fscrypt_get_encryption_info(struct inode *inode)
0adda907	422	{
0b81d077	423	struct fscrypt_info *crypt_info;
5dae460c	424	union fscrypt_context ctx;
e1cc40e5	425	struct fscrypt_mode *mode;
b1c0ec35	426	struct key *master_key = NULL;
0adda907 JK	427	int res;
0adda907 JK	428
e37a784d	429	if (fscrypt_has_encryption_key(inode))
1b53cf98 EB	430	return 0;
1b53cf98 EB	431
f32d7ac2	432	res = fscrypt_initialize(inode->i_sb->s_cop->flags);
cfc4d971 JK	433	if (res)
cfc4d971 JK	434	return res;
0b81d077	435
0b81d077 JK	436	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
0b81d077 JK	437	if (res < 0) {
5bbdcbbb	438	if (!fscrypt_dummy_context_enabled(inode) \|\|
63f668f0 EB	439	IS_ENCRYPTED(inode)) {
	440	fscrypt_warn(inode,
	441	"Error %d getting encryption context",
	442	res);
0b81d077	443	return res;
63f668f0	444	}
5bbdcbbb TT	445	/* Fake up a context for an unencrypted directory */
5bbdcbbb TT	446	memset(&ctx, 0, sizeof(ctx));
5dae460c EB	447	ctx.version = FSCRYPT_CONTEXT_V1;
	448	ctx.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
	449	ctx.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
	450	memset(ctx.v1.master_key_descriptor, 0x42,
3b6df59b	451	FSCRYPT_KEY_DESCRIPTOR_SIZE);
5dae460c	452	res = sizeof(ctx.v1);
63f668f0	453	}
0adda907	454
8094c3ce	455	crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS);
0adda907 JK	456	if (!crypt_info)
	457	return -ENOMEM;
	458
59dc6a8e EB	459	crypt_info->ci_inode = inode;
59dc6a8e EB	460
5dae460c EB	461	res = fscrypt_policy_from_context(&crypt_info->ci_policy, &ctx, res);
	462	if (res) {
	463	fscrypt_warn(inode,
	464	"Unrecognized or corrupt encryption context");
	465	goto out;
	466	}
	467
	468	switch (ctx.version) {
	469	case FSCRYPT_CONTEXT_V1:
	470	memcpy(crypt_info->ci_nonce, ctx.v1.nonce,
	471	FS_KEY_DERIVATION_NONCE_SIZE);
	472	break;
	473	case FSCRYPT_CONTEXT_V2:
	474	memcpy(crypt_info->ci_nonce, ctx.v2.nonce,
	475	FS_KEY_DERIVATION_NONCE_SIZE);
	476	break;
	477	default:
	478	WARN_ON(1);
	479	res = -EINVAL;
	480	goto out;
	481	}
	482
	483	if (!fscrypt_supported_policy(&crypt_info->ci_policy, inode)) {
	484	res = -EINVAL;
	485	goto out;
	486	}
640778fb	487
5dae460c	488	mode = select_encryption_mode(&crypt_info->ci_policy, inode);
e1cc40e5 EB	489	if (IS_ERR(mode)) {
e1cc40e5 EB	490	res = PTR_ERR(mode);
26bf3dc7	491	goto out;
e1cc40e5	492	}
8094c3ce EB	493	WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE);
8094c3ce EB	494	crypt_info->ci_mode = mode;
8f39850d	495
b1c0ec35	496	res = setup_file_encryption_key(crypt_info, &master_key);
26bf3dc7 JK	497	if (res)
	498	goto out;
	499
b1c0ec35 EB	500	if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) {
	501	if (master_key) {
	502	struct fscrypt_master_key *mk =
	503	master_key->payload.data[0];
	504
	505	refcount_inc(&mk->mk_refcount);
	506	crypt_info->ci_master_key = key_get(master_key);
	507	spin_lock(&mk->mk_decrypted_inodes_lock);
	508	list_add(&crypt_info->ci_master_key_link,
	509	&mk->mk_decrypted_inodes);
	510	spin_unlock(&mk->mk_decrypted_inodes_lock);
	511	}
1b53cf98	512	crypt_info = NULL;
b1c0ec35 EB	513	}
b1c0ec35 EB	514	res = 0;
26bf3dc7	515	out:
b1c0ec35	516	if (master_key) {
23c688b5 EB	517	struct fscrypt_master_key *mk = master_key->payload.data[0];
	518
	519	up_read(&mk->mk_secret_sem);
b1c0ec35 EB	520	key_put(master_key);
b1c0ec35 EB	521	}
0b81d077	522	if (res == -ENOKEY)
26bf3dc7	523	res = 0;
0b81d077	524	put_crypt_info(crypt_info);
0adda907 JK	525	return res;
0adda907 JK	526	}
1b53cf98	527	EXPORT_SYMBOL(fscrypt_get_encryption_info);
0adda907	528
2c58d548 EB	529	/**
	530	* fscrypt_put_encryption_info - free most of an inode's fscrypt data
	531	*
	532	* Free the inode's fscrypt_info. Filesystems must call this when the inode is
	533	* being evicted. An RCU grace period need not have elapsed yet.
	534	*/
3d204e24	535	void fscrypt_put_encryption_info(struct inode *inode)
0adda907	536	{
3d204e24 EB	537	put_crypt_info(inode->i_crypt_info);
3d204e24 EB	538	inode->i_crypt_info = NULL;
0b81d077 JK	539	}
0b81d077 JK	540	EXPORT_SYMBOL(fscrypt_put_encryption_info);
2c58d548 EB	541
	542	/**
	543	* fscrypt_free_inode - free an inode's fscrypt data requiring RCU delay
	544	*
	545	* Free the inode's cached decrypted symlink target, if any. Filesystems must
	546	* call this after an RCU grace period, just before they free the inode.
	547	*/
	548	void fscrypt_free_inode(struct inode *inode)
	549	{
	550	if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) {
	551	kfree(inode->i_link);
	552	inode->i_link = NULL;
	553	}
	554	}
	555	EXPORT_SYMBOL(fscrypt_free_inode);
b1c0ec35 EB	556
	557	/**
	558	* fscrypt_drop_inode - check whether the inode's master key has been removed
	559	*
	560	* Filesystems supporting fscrypt must call this from their ->drop_inode()
	561	* method so that encrypted inodes are evicted as soon as they're no longer in
	562	* use and their master key has been removed.
	563	*
	564	* Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0
	565	*/
	566	int fscrypt_drop_inode(struct inode *inode)
	567	{
	568	const struct fscrypt_info *ci = READ_ONCE(inode->i_crypt_info);
	569	const struct fscrypt_master_key *mk;
	570
	571	/*
	572	* If ci is NULL, then the inode doesn't have an encryption key set up
	573	* so it's irrelevant. If ci_master_key is NULL, then the master key
	574	* was provided via the legacy mechanism of the process-subscribed
	575	* keyrings, so we don't know whether it's been removed or not.
	576	*/
	577	if (!ci \|\| !ci->ci_master_key)
	578	return 0;
	579	mk = ci->ci_master_key->payload.data[0];
	580
	581	/*
23c688b5	582	* Note: since we aren't holding ->mk_secret_sem, the result here can
b1c0ec35 EB	583	* immediately become outdated. But there's no correctness problem with
	584	* unnecessarily evicting. Nor is there a correctness problem with not
	585	* evicting while iput() is racing with the key being removed, since
	586	* then the thread removing the key will either evict the inode itself
	587	* or will correctly detect that it wasn't evicted due to the race.
	588	*/
	589	return !is_master_key_secret_present(&mk->mk_secret);
	590	}
	591	EXPORT_SYMBOL_GPL(fscrypt_drop_inode);