Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
0adda907 | 2 | /* |
3ec4f2a6 | 3 | * Key setup facility for FS encryption support. |
0adda907 JK |
4 | * |
5 | * Copyright (C) 2015, Google, Inc. | |
6 | * | |
3ec4f2a6 EB |
7 | * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar. |
8 | * Heavily modified since then. | |
0adda907 | 9 | */ |
0b81d077 | 10 | |
b7e7cf7a DW |
11 | #include <crypto/aes.h> |
12 | #include <crypto/sha.h> | |
a575784c | 13 | #include <crypto/skcipher.h> |
0109ce76 EB |
14 | #include <linux/key.h> |
15 | ||
3325bea5 | 16 | #include "fscrypt_private.h" |
0adda907 | 17 | |
b7e7cf7a DW |
18 | static struct crypto_shash *essiv_hash_tfm; |
19 | ||
8094c3ce | 20 | static struct fscrypt_mode available_modes[] = { |
3b6df59b | 21 | [FSCRYPT_MODE_AES_256_XTS] = { |
e1cc40e5 EB |
22 | .friendly_name = "AES-256-XTS", |
23 | .cipher_str = "xts(aes)", | |
24 | .keysize = 64, | |
8094c3ce | 25 | .ivsize = 16, |
e1cc40e5 | 26 | }, |
3b6df59b | 27 | [FSCRYPT_MODE_AES_256_CTS] = { |
e1cc40e5 EB |
28 | .friendly_name = "AES-256-CTS-CBC", |
29 | .cipher_str = "cts(cbc(aes))", | |
30 | .keysize = 32, | |
8094c3ce | 31 | .ivsize = 16, |
e1cc40e5 | 32 | }, |
3b6df59b | 33 | [FSCRYPT_MODE_AES_128_CBC] = { |
e1cc40e5 EB |
34 | .friendly_name = "AES-128-CBC", |
35 | .cipher_str = "cbc(aes)", | |
36 | .keysize = 16, | |
8094c3ce EB |
37 | .ivsize = 16, |
38 | .needs_essiv = true, | |
e1cc40e5 | 39 | }, |
3b6df59b | 40 | [FSCRYPT_MODE_AES_128_CTS] = { |
e1cc40e5 EB |
41 | .friendly_name = "AES-128-CTS-CBC", |
42 | .cipher_str = "cts(cbc(aes))", | |
43 | .keysize = 16, | |
8094c3ce EB |
44 | .ivsize = 16, |
45 | }, | |
3b6df59b | 46 | [FSCRYPT_MODE_ADIANTUM] = { |
8094c3ce EB |
47 | .friendly_name = "Adiantum", |
48 | .cipher_str = "adiantum(xchacha12,aes)", | |
49 | .keysize = 32, | |
50 | .ivsize = 32, | |
e1cc40e5 | 51 | }, |
b7e7cf7a DW |
52 | }; |
53 | ||
e1cc40e5 | 54 | static struct fscrypt_mode * |
5dae460c EB |
55 | select_encryption_mode(const union fscrypt_policy *policy, |
56 | const struct inode *inode) | |
8f39850d | 57 | { |
e1cc40e5 | 58 | if (S_ISREG(inode->i_mode)) |
5dae460c | 59 | return &available_modes[fscrypt_policy_contents_mode(policy)]; |
e1cc40e5 EB |
60 | |
61 | if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) | |
5dae460c | 62 | return &available_modes[fscrypt_policy_fnames_mode(policy)]; |
8f39850d | 63 | |
e1cc40e5 EB |
64 | WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", |
65 | inode->i_ino, (inode->i_mode & S_IFMT)); | |
66 | return ERR_PTR(-EINVAL); | |
8f39850d EB |
67 | } |
68 | ||
3ec4f2a6 | 69 | /* Create a symmetric cipher object for the given encryption mode and key */ |
0109ce76 EB |
70 | struct crypto_skcipher *fscrypt_allocate_skcipher(struct fscrypt_mode *mode, |
71 | const u8 *raw_key, | |
72 | const struct inode *inode) | |
8094c3ce EB |
73 | { |
74 | struct crypto_skcipher *tfm; | |
75 | int err; | |
76 | ||
77 | tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); | |
78 | if (IS_ERR(tfm)) { | |
29a98c1c | 79 | if (PTR_ERR(tfm) == -ENOENT) { |
a4d14e91 EB |
80 | fscrypt_warn(inode, |
81 | "Missing crypto API support for %s (API name: \"%s\")", | |
82 | mode->friendly_name, mode->cipher_str); | |
29a98c1c EB |
83 | return ERR_PTR(-ENOPKG); |
84 | } | |
85 | fscrypt_err(inode, "Error allocating '%s' transform: %ld", | |
86 | mode->cipher_str, PTR_ERR(tfm)); | |
8094c3ce EB |
87 | return tfm; |
88 | } | |
89 | if (unlikely(!mode->logged_impl_name)) { | |
90 | /* | |
91 | * fscrypt performance can vary greatly depending on which | |
92 | * crypto algorithm implementation is used. Help people debug | |
93 | * performance problems by logging the ->cra_driver_name the | |
94 | * first time a mode is used. Note that multiple threads can | |
95 | * race here, but it doesn't really matter. | |
96 | */ | |
97 | mode->logged_impl_name = true; | |
98 | pr_info("fscrypt: %s using implementation \"%s\"\n", | |
99 | mode->friendly_name, | |
100 | crypto_skcipher_alg(tfm)->base.cra_driver_name); | |
101 | } | |
231baecd | 102 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
8094c3ce EB |
103 | err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize); |
104 | if (err) | |
105 | goto err_free_tfm; | |
106 | ||
107 | return tfm; | |
108 | ||
109 | err_free_tfm: | |
110 | crypto_free_skcipher(tfm); | |
111 | return ERR_PTR(err); | |
112 | } | |
113 | ||
b7e7cf7a DW |
114 | static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) |
115 | { | |
116 | struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm); | |
117 | ||
118 | /* init hash transform on demand */ | |
119 | if (unlikely(!tfm)) { | |
120 | struct crypto_shash *prev_tfm; | |
121 | ||
122 | tfm = crypto_alloc_shash("sha256", 0, 0); | |
123 | if (IS_ERR(tfm)) { | |
29a98c1c | 124 | if (PTR_ERR(tfm) == -ENOENT) { |
a4d14e91 EB |
125 | fscrypt_warn(NULL, |
126 | "Missing crypto API support for SHA-256"); | |
29a98c1c EB |
127 | return -ENOPKG; |
128 | } | |
129 | fscrypt_err(NULL, | |
130 | "Error allocating SHA-256 transform: %ld", | |
131 | PTR_ERR(tfm)); | |
b7e7cf7a DW |
132 | return PTR_ERR(tfm); |
133 | } | |
134 | prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); | |
135 | if (prev_tfm) { | |
136 | crypto_free_shash(tfm); | |
137 | tfm = prev_tfm; | |
138 | } | |
139 | } | |
140 | ||
141 | { | |
142 | SHASH_DESC_ON_STACK(desc, tfm); | |
143 | desc->tfm = tfm; | |
b7e7cf7a DW |
144 | |
145 | return crypto_shash_digest(desc, key, keysize, salt); | |
146 | } | |
147 | } | |
148 | ||
149 | static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key, | |
150 | int keysize) | |
151 | { | |
152 | int err; | |
153 | struct crypto_cipher *essiv_tfm; | |
154 | u8 salt[SHA256_DIGEST_SIZE]; | |
155 | ||
3ec4f2a6 EB |
156 | if (WARN_ON(ci->ci_mode->ivsize != AES_BLOCK_SIZE)) |
157 | return -EINVAL; | |
158 | ||
b7e7cf7a DW |
159 | essiv_tfm = crypto_alloc_cipher("aes", 0, 0); |
160 | if (IS_ERR(essiv_tfm)) | |
161 | return PTR_ERR(essiv_tfm); | |
162 | ||
163 | ci->ci_essiv_tfm = essiv_tfm; | |
164 | ||
165 | err = derive_essiv_salt(raw_key, keysize, salt); | |
166 | if (err) | |
167 | goto out; | |
168 | ||
169 | /* | |
170 | * Using SHA256 to derive the salt/key will result in AES-256 being | |
171 | * used for IV generation. File contents encryption will still use the | |
172 | * configured keysize (AES-128) nevertheless. | |
173 | */ | |
174 | err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt)); | |
175 | if (err) | |
176 | goto out; | |
177 | ||
178 | out: | |
179 | memzero_explicit(salt, sizeof(salt)); | |
180 | return err; | |
181 | } | |
182 | ||
3ec4f2a6 | 183 | /* Given the per-file key, set up the file's crypto transform object(s) */ |
0109ce76 | 184 | int fscrypt_set_derived_key(struct fscrypt_info *ci, const u8 *derived_key) |
8094c3ce | 185 | { |
3ec4f2a6 | 186 | struct fscrypt_mode *mode = ci->ci_mode; |
8094c3ce EB |
187 | struct crypto_skcipher *ctfm; |
188 | int err; | |
189 | ||
3ec4f2a6 EB |
190 | ctfm = fscrypt_allocate_skcipher(mode, derived_key, ci->ci_inode); |
191 | if (IS_ERR(ctfm)) | |
192 | return PTR_ERR(ctfm); | |
193 | ||
8094c3ce EB |
194 | ci->ci_ctfm = ctfm; |
195 | ||
196 | if (mode->needs_essiv) { | |
3ec4f2a6 | 197 | err = init_essiv_generator(ci, derived_key, mode->keysize); |
8094c3ce | 198 | if (err) { |
3ec4f2a6 | 199 | fscrypt_warn(ci->ci_inode, |
886da8b3 EB |
200 | "Error initializing ESSIV generator: %d", |
201 | err); | |
8094c3ce EB |
202 | return err; |
203 | } | |
204 | } | |
205 | return 0; | |
206 | } | |
207 | ||
5dae460c EB |
208 | static int setup_per_mode_key(struct fscrypt_info *ci, |
209 | struct fscrypt_master_key *mk) | |
210 | { | |
211 | struct fscrypt_mode *mode = ci->ci_mode; | |
212 | u8 mode_num = mode - available_modes; | |
213 | struct crypto_skcipher *tfm, *prev_tfm; | |
214 | u8 mode_key[FSCRYPT_MAX_KEY_SIZE]; | |
215 | int err; | |
216 | ||
217 | if (WARN_ON(mode_num >= ARRAY_SIZE(mk->mk_mode_keys))) | |
218 | return -EINVAL; | |
219 | ||
220 | /* pairs with cmpxchg() below */ | |
221 | tfm = READ_ONCE(mk->mk_mode_keys[mode_num]); | |
222 | if (likely(tfm != NULL)) | |
223 | goto done; | |
224 | ||
225 | BUILD_BUG_ON(sizeof(mode_num) != 1); | |
226 | err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, | |
227 | HKDF_CONTEXT_PER_MODE_KEY, | |
228 | &mode_num, sizeof(mode_num), | |
229 | mode_key, mode->keysize); | |
230 | if (err) | |
231 | return err; | |
232 | tfm = fscrypt_allocate_skcipher(mode, mode_key, ci->ci_inode); | |
233 | memzero_explicit(mode_key, mode->keysize); | |
234 | if (IS_ERR(tfm)) | |
235 | return PTR_ERR(tfm); | |
236 | ||
237 | /* pairs with READ_ONCE() above */ | |
238 | prev_tfm = cmpxchg(&mk->mk_mode_keys[mode_num], NULL, tfm); | |
239 | if (prev_tfm != NULL) { | |
240 | crypto_free_skcipher(tfm); | |
241 | tfm = prev_tfm; | |
242 | } | |
243 | done: | |
244 | ci->ci_ctfm = tfm; | |
245 | return 0; | |
246 | } | |
247 | ||
248 | static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci, | |
249 | struct fscrypt_master_key *mk) | |
250 | { | |
251 | u8 derived_key[FSCRYPT_MAX_KEY_SIZE]; | |
252 | int err; | |
253 | ||
254 | if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { | |
255 | /* | |
256 | * DIRECT_KEY: instead of deriving per-file keys, the per-file | |
257 | * nonce will be included in all the IVs. But unlike v1 | |
258 | * policies, for v2 policies in this case we don't encrypt with | |
259 | * the master key directly but rather derive a per-mode key. | |
260 | * This ensures that the master key is consistently used only | |
261 | * for HKDF, avoiding key reuse issues. | |
262 | */ | |
263 | if (!fscrypt_mode_supports_direct_key(ci->ci_mode)) { | |
264 | fscrypt_warn(ci->ci_inode, | |
265 | "Direct key flag not allowed with %s", | |
266 | ci->ci_mode->friendly_name); | |
267 | return -EINVAL; | |
268 | } | |
269 | return setup_per_mode_key(ci, mk); | |
270 | } | |
271 | ||
272 | err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, | |
273 | HKDF_CONTEXT_PER_FILE_KEY, | |
274 | ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE, | |
275 | derived_key, ci->ci_mode->keysize); | |
276 | if (err) | |
277 | return err; | |
278 | ||
279 | err = fscrypt_set_derived_key(ci, derived_key); | |
280 | memzero_explicit(derived_key, ci->ci_mode->keysize); | |
281 | return err; | |
282 | } | |
283 | ||
3ec4f2a6 EB |
284 | /* |
285 | * Find the master key, then set up the inode's actual encryption key. | |
b1c0ec35 EB |
286 | * |
287 | * If the master key is found in the filesystem-level keyring, then the | |
288 | * corresponding 'struct key' is returned in *master_key_ret with | |
23c688b5 EB |
289 | * ->mk_secret_sem read-locked. This is needed to ensure that only one task |
290 | * links the fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race | |
291 | * to create an fscrypt_info for the same inode), and to synchronize the master | |
292 | * key being removed with a new inode starting to use it. | |
3ec4f2a6 | 293 | */ |
b1c0ec35 EB |
294 | static int setup_file_encryption_key(struct fscrypt_info *ci, |
295 | struct key **master_key_ret) | |
3ec4f2a6 | 296 | { |
22d94f49 EB |
297 | struct key *key; |
298 | struct fscrypt_master_key *mk = NULL; | |
299 | struct fscrypt_key_specifier mk_spec; | |
300 | int err; | |
301 | ||
5dae460c EB |
302 | switch (ci->ci_policy.version) { |
303 | case FSCRYPT_POLICY_V1: | |
304 | mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; | |
305 | memcpy(mk_spec.u.descriptor, | |
306 | ci->ci_policy.v1.master_key_descriptor, | |
307 | FSCRYPT_KEY_DESCRIPTOR_SIZE); | |
308 | break; | |
309 | case FSCRYPT_POLICY_V2: | |
310 | mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; | |
311 | memcpy(mk_spec.u.identifier, | |
312 | ci->ci_policy.v2.master_key_identifier, | |
313 | FSCRYPT_KEY_IDENTIFIER_SIZE); | |
314 | break; | |
315 | default: | |
316 | WARN_ON(1); | |
317 | return -EINVAL; | |
318 | } | |
22d94f49 EB |
319 | |
320 | key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); | |
321 | if (IS_ERR(key)) { | |
5dae460c EB |
322 | if (key != ERR_PTR(-ENOKEY) || |
323 | ci->ci_policy.version != FSCRYPT_POLICY_V1) | |
22d94f49 EB |
324 | return PTR_ERR(key); |
325 | ||
5dae460c EB |
326 | /* |
327 | * As a legacy fallback for v1 policies, search for the key in | |
328 | * the current task's subscribed keyrings too. Don't move this | |
329 | * to before the search of ->s_master_keys, since users | |
330 | * shouldn't be able to override filesystem-level keys. | |
331 | */ | |
22d94f49 EB |
332 | return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci); |
333 | } | |
334 | ||
335 | mk = key->payload.data[0]; | |
23c688b5 | 336 | down_read(&mk->mk_secret_sem); |
b1c0ec35 EB |
337 | |
338 | /* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */ | |
339 | if (!is_master_key_secret_present(&mk->mk_secret)) { | |
340 | err = -ENOKEY; | |
341 | goto out_release_key; | |
342 | } | |
22d94f49 | 343 | |
5dae460c EB |
344 | /* |
345 | * Require that the master key be at least as long as the derived key. | |
346 | * Otherwise, the derived key cannot possibly contain as much entropy as | |
347 | * that required by the encryption mode it will be used for. For v1 | |
348 | * policies it's also required for the KDF to work at all. | |
349 | */ | |
22d94f49 EB |
350 | if (mk->mk_secret.size < ci->ci_mode->keysize) { |
351 | fscrypt_warn(NULL, | |
352 | "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", | |
353 | master_key_spec_type(&mk_spec), | |
354 | master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u, | |
355 | mk->mk_secret.size, ci->ci_mode->keysize); | |
356 | err = -ENOKEY; | |
357 | goto out_release_key; | |
358 | } | |
359 | ||
5dae460c EB |
360 | switch (ci->ci_policy.version) { |
361 | case FSCRYPT_POLICY_V1: | |
362 | err = fscrypt_setup_v1_file_key(ci, mk->mk_secret.raw); | |
363 | break; | |
364 | case FSCRYPT_POLICY_V2: | |
365 | err = fscrypt_setup_v2_file_key(ci, mk); | |
366 | break; | |
367 | default: | |
368 | WARN_ON(1); | |
369 | err = -EINVAL; | |
370 | break; | |
371 | } | |
b1c0ec35 EB |
372 | if (err) |
373 | goto out_release_key; | |
374 | ||
375 | *master_key_ret = key; | |
376 | return 0; | |
22d94f49 EB |
377 | |
378 | out_release_key: | |
23c688b5 | 379 | up_read(&mk->mk_secret_sem); |
22d94f49 EB |
380 | key_put(key); |
381 | return err; | |
3ec4f2a6 EB |
382 | } |
383 | ||
8094c3ce EB |
384 | static void put_crypt_info(struct fscrypt_info *ci) |
385 | { | |
b1c0ec35 EB |
386 | struct key *key; |
387 | ||
8094c3ce EB |
388 | if (!ci) |
389 | return; | |
390 | ||
a828daab | 391 | if (ci->ci_direct_key) { |
0109ce76 | 392 | fscrypt_put_direct_key(ci->ci_direct_key); |
5dae460c EB |
393 | } else if ((ci->ci_ctfm != NULL || ci->ci_essiv_tfm != NULL) && |
394 | !fscrypt_is_direct_key_policy(&ci->ci_policy)) { | |
8094c3ce EB |
395 | crypto_free_skcipher(ci->ci_ctfm); |
396 | crypto_free_cipher(ci->ci_essiv_tfm); | |
397 | } | |
b1c0ec35 EB |
398 | |
399 | key = ci->ci_master_key; | |
400 | if (key) { | |
401 | struct fscrypt_master_key *mk = key->payload.data[0]; | |
402 | ||
403 | /* | |
404 | * Remove this inode from the list of inodes that were unlocked | |
405 | * with the master key. | |
406 | * | |
407 | * In addition, if we're removing the last inode from a key that | |
408 | * already had its secret removed, invalidate the key so that it | |
409 | * gets removed from ->s_master_keys. | |
410 | */ | |
411 | spin_lock(&mk->mk_decrypted_inodes_lock); | |
412 | list_del(&ci->ci_master_key_link); | |
413 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
414 | if (refcount_dec_and_test(&mk->mk_refcount)) | |
415 | key_invalidate(key); | |
416 | key_put(key); | |
417 | } | |
8094c3ce EB |
418 | kmem_cache_free(fscrypt_info_cachep, ci); |
419 | } | |
420 | ||
1b53cf98 | 421 | int fscrypt_get_encryption_info(struct inode *inode) |
0adda907 | 422 | { |
0b81d077 | 423 | struct fscrypt_info *crypt_info; |
5dae460c | 424 | union fscrypt_context ctx; |
e1cc40e5 | 425 | struct fscrypt_mode *mode; |
b1c0ec35 | 426 | struct key *master_key = NULL; |
0adda907 JK |
427 | int res; |
428 | ||
e37a784d | 429 | if (fscrypt_has_encryption_key(inode)) |
1b53cf98 EB |
430 | return 0; |
431 | ||
f32d7ac2 | 432 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); |
cfc4d971 JK |
433 | if (res) |
434 | return res; | |
0b81d077 | 435 | |
0b81d077 JK |
436 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
437 | if (res < 0) { | |
5bbdcbbb | 438 | if (!fscrypt_dummy_context_enabled(inode) || |
63f668f0 EB |
439 | IS_ENCRYPTED(inode)) { |
440 | fscrypt_warn(inode, | |
441 | "Error %d getting encryption context", | |
442 | res); | |
0b81d077 | 443 | return res; |
63f668f0 | 444 | } |
5bbdcbbb TT |
445 | /* Fake up a context for an unencrypted directory */ |
446 | memset(&ctx, 0, sizeof(ctx)); | |
5dae460c EB |
447 | ctx.version = FSCRYPT_CONTEXT_V1; |
448 | ctx.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; | |
449 | ctx.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; | |
450 | memset(ctx.v1.master_key_descriptor, 0x42, | |
3b6df59b | 451 | FSCRYPT_KEY_DESCRIPTOR_SIZE); |
5dae460c | 452 | res = sizeof(ctx.v1); |
63f668f0 | 453 | } |
0adda907 | 454 | |
8094c3ce | 455 | crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
456 | if (!crypt_info) |
457 | return -ENOMEM; | |
458 | ||
59dc6a8e EB |
459 | crypt_info->ci_inode = inode; |
460 | ||
5dae460c EB |
461 | res = fscrypt_policy_from_context(&crypt_info->ci_policy, &ctx, res); |
462 | if (res) { | |
463 | fscrypt_warn(inode, | |
464 | "Unrecognized or corrupt encryption context"); | |
465 | goto out; | |
466 | } | |
467 | ||
468 | switch (ctx.version) { | |
469 | case FSCRYPT_CONTEXT_V1: | |
470 | memcpy(crypt_info->ci_nonce, ctx.v1.nonce, | |
471 | FS_KEY_DERIVATION_NONCE_SIZE); | |
472 | break; | |
473 | case FSCRYPT_CONTEXT_V2: | |
474 | memcpy(crypt_info->ci_nonce, ctx.v2.nonce, | |
475 | FS_KEY_DERIVATION_NONCE_SIZE); | |
476 | break; | |
477 | default: | |
478 | WARN_ON(1); | |
479 | res = -EINVAL; | |
480 | goto out; | |
481 | } | |
482 | ||
483 | if (!fscrypt_supported_policy(&crypt_info->ci_policy, inode)) { | |
484 | res = -EINVAL; | |
485 | goto out; | |
486 | } | |
640778fb | 487 | |
5dae460c | 488 | mode = select_encryption_mode(&crypt_info->ci_policy, inode); |
e1cc40e5 EB |
489 | if (IS_ERR(mode)) { |
490 | res = PTR_ERR(mode); | |
26bf3dc7 | 491 | goto out; |
e1cc40e5 | 492 | } |
8094c3ce EB |
493 | WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE); |
494 | crypt_info->ci_mode = mode; | |
8f39850d | 495 | |
b1c0ec35 | 496 | res = setup_file_encryption_key(crypt_info, &master_key); |
26bf3dc7 JK |
497 | if (res) |
498 | goto out; | |
499 | ||
b1c0ec35 EB |
500 | if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) { |
501 | if (master_key) { | |
502 | struct fscrypt_master_key *mk = | |
503 | master_key->payload.data[0]; | |
504 | ||
505 | refcount_inc(&mk->mk_refcount); | |
506 | crypt_info->ci_master_key = key_get(master_key); | |
507 | spin_lock(&mk->mk_decrypted_inodes_lock); | |
508 | list_add(&crypt_info->ci_master_key_link, | |
509 | &mk->mk_decrypted_inodes); | |
510 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
511 | } | |
1b53cf98 | 512 | crypt_info = NULL; |
b1c0ec35 EB |
513 | } |
514 | res = 0; | |
26bf3dc7 | 515 | out: |
b1c0ec35 | 516 | if (master_key) { |
23c688b5 EB |
517 | struct fscrypt_master_key *mk = master_key->payload.data[0]; |
518 | ||
519 | up_read(&mk->mk_secret_sem); | |
b1c0ec35 EB |
520 | key_put(master_key); |
521 | } | |
0b81d077 | 522 | if (res == -ENOKEY) |
26bf3dc7 | 523 | res = 0; |
0b81d077 | 524 | put_crypt_info(crypt_info); |
0adda907 JK |
525 | return res; |
526 | } | |
1b53cf98 | 527 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |
0adda907 | 528 | |
2c58d548 EB |
529 | /** |
530 | * fscrypt_put_encryption_info - free most of an inode's fscrypt data | |
531 | * | |
532 | * Free the inode's fscrypt_info. Filesystems must call this when the inode is | |
533 | * being evicted. An RCU grace period need not have elapsed yet. | |
534 | */ | |
3d204e24 | 535 | void fscrypt_put_encryption_info(struct inode *inode) |
0adda907 | 536 | { |
3d204e24 EB |
537 | put_crypt_info(inode->i_crypt_info); |
538 | inode->i_crypt_info = NULL; | |
0b81d077 JK |
539 | } |
540 | EXPORT_SYMBOL(fscrypt_put_encryption_info); | |
2c58d548 EB |
541 | |
542 | /** | |
543 | * fscrypt_free_inode - free an inode's fscrypt data requiring RCU delay | |
544 | * | |
545 | * Free the inode's cached decrypted symlink target, if any. Filesystems must | |
546 | * call this after an RCU grace period, just before they free the inode. | |
547 | */ | |
548 | void fscrypt_free_inode(struct inode *inode) | |
549 | { | |
550 | if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) { | |
551 | kfree(inode->i_link); | |
552 | inode->i_link = NULL; | |
553 | } | |
554 | } | |
555 | EXPORT_SYMBOL(fscrypt_free_inode); | |
b1c0ec35 EB |
556 | |
557 | /** | |
558 | * fscrypt_drop_inode - check whether the inode's master key has been removed | |
559 | * | |
560 | * Filesystems supporting fscrypt must call this from their ->drop_inode() | |
561 | * method so that encrypted inodes are evicted as soon as they're no longer in | |
562 | * use and their master key has been removed. | |
563 | * | |
564 | * Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0 | |
565 | */ | |
566 | int fscrypt_drop_inode(struct inode *inode) | |
567 | { | |
568 | const struct fscrypt_info *ci = READ_ONCE(inode->i_crypt_info); | |
569 | const struct fscrypt_master_key *mk; | |
570 | ||
571 | /* | |
572 | * If ci is NULL, then the inode doesn't have an encryption key set up | |
573 | * so it's irrelevant. If ci_master_key is NULL, then the master key | |
574 | * was provided via the legacy mechanism of the process-subscribed | |
575 | * keyrings, so we don't know whether it's been removed or not. | |
576 | */ | |
577 | if (!ci || !ci->ci_master_key) | |
578 | return 0; | |
579 | mk = ci->ci_master_key->payload.data[0]; | |
580 | ||
581 | /* | |
23c688b5 | 582 | * Note: since we aren't holding ->mk_secret_sem, the result here can |
b1c0ec35 EB |
583 | * immediately become outdated. But there's no correctness problem with |
584 | * unnecessarily evicting. Nor is there a correctness problem with not | |
585 | * evicting while iput() is racing with the key being removed, since | |
586 | * then the thread removing the key will either evict the inode itself | |
587 | * or will correctly detect that it wasn't evicted due to the race. | |
588 | */ | |
589 | return !is_master_key_secret_present(&mk->mk_secret); | |
590 | } | |
591 | EXPORT_SYMBOL_GPL(fscrypt_drop_inode); |