Commit c1f4cfdb authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt

Pull fscrypt updates from Eric Biggers:
 "Some cleanups for fs/crypto/:

   - Split up the misleadingly-named FS_CRYPTO_BLOCK_SIZE constant.

   - Consistently report the encryption implementation that is being
     used.

   - Add helper functions for the test_dummy_encryption mount option
     that work properly with the new mount API. ext4 and f2fs will use
     these"

* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt:
  fscrypt: add new helper functions for test_dummy_encryption
  fscrypt: factor out fscrypt_policy_to_key_spec()
  fscrypt: log when starting to use inline encryption
  fscrypt: split up FS_CRYPTO_BLOCK_SIZE
parents ac2ab990 218d921b
...@@ -113,7 +113,7 @@ int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw, ...@@ -113,7 +113,7 @@ int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw,
if (WARN_ON_ONCE(len <= 0)) if (WARN_ON_ONCE(len <= 0))
return -EINVAL; return -EINVAL;
if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0)) if (WARN_ON_ONCE(len % FSCRYPT_CONTENTS_ALIGNMENT != 0))
return -EINVAL; return -EINVAL;
fscrypt_generate_iv(&iv, lblk_num, ci); fscrypt_generate_iv(&iv, lblk_num, ci);
...@@ -213,8 +213,8 @@ EXPORT_SYMBOL(fscrypt_encrypt_pagecache_blocks); ...@@ -213,8 +213,8 @@ EXPORT_SYMBOL(fscrypt_encrypt_pagecache_blocks);
* fscrypt_encrypt_block_inplace() - Encrypt a filesystem block in-place * fscrypt_encrypt_block_inplace() - Encrypt a filesystem block in-place
* @inode: The inode to which this block belongs * @inode: The inode to which this block belongs
* @page: The page containing the block to encrypt * @page: The page containing the block to encrypt
* @len: Size of block to encrypt. Doesn't need to be a multiple of the * @len: Size of block to encrypt. This must be a multiple of
* fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE. * FSCRYPT_CONTENTS_ALIGNMENT.
* @offs: Byte offset within @page at which the block to encrypt begins * @offs: Byte offset within @page at which the block to encrypt begins
* @lblk_num: Filesystem logical block number of the block, i.e. the 0-based * @lblk_num: Filesystem logical block number of the block, i.e. the 0-based
* number of the block within the file * number of the block within the file
...@@ -283,8 +283,8 @@ EXPORT_SYMBOL(fscrypt_decrypt_pagecache_blocks); ...@@ -283,8 +283,8 @@ EXPORT_SYMBOL(fscrypt_decrypt_pagecache_blocks);
* fscrypt_decrypt_block_inplace() - Decrypt a filesystem block in-place * fscrypt_decrypt_block_inplace() - Decrypt a filesystem block in-place
* @inode: The inode to which this block belongs * @inode: The inode to which this block belongs
* @page: The page containing the block to decrypt * @page: The page containing the block to decrypt
* @len: Size of block to decrypt. Doesn't need to be a multiple of the * @len: Size of block to decrypt. This must be a multiple of
* fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE. * FSCRYPT_CONTENTS_ALIGNMENT.
* @offs: Byte offset within @page at which the block to decrypt begins * @offs: Byte offset within @page at which the block to decrypt begins
* @lblk_num: Filesystem logical block number of the block, i.e. the 0-based * @lblk_num: Filesystem logical block number of the block, i.e. the 0-based
* number of the block within the file * number of the block within the file
......
...@@ -18,6 +18,13 @@ ...@@ -18,6 +18,13 @@
#include <crypto/skcipher.h> #include <crypto/skcipher.h>
#include "fscrypt_private.h" #include "fscrypt_private.h"
/*
* The minimum message length (input and output length), in bytes, for all
* filenames encryption modes. Filenames shorter than this will be zero-padded
* before being encrypted.
*/
#define FSCRYPT_FNAME_MIN_MSG_LEN 16
/* /*
* struct fscrypt_nokey_name - identifier for directory entry when key is absent * struct fscrypt_nokey_name - identifier for directory entry when key is absent
* *
...@@ -267,7 +274,7 @@ bool fscrypt_fname_encrypted_size(const union fscrypt_policy *policy, ...@@ -267,7 +274,7 @@ bool fscrypt_fname_encrypted_size(const union fscrypt_policy *policy,
if (orig_len > max_len) if (orig_len > max_len)
return false; return false;
encrypted_len = max(orig_len, (u32)FS_CRYPTO_BLOCK_SIZE); encrypted_len = max_t(u32, orig_len, FSCRYPT_FNAME_MIN_MSG_LEN);
encrypted_len = round_up(encrypted_len, padding); encrypted_len = round_up(encrypted_len, padding);
*encrypted_len_ret = min(encrypted_len, max_len); *encrypted_len_ret = min(encrypted_len, max_len);
return true; return true;
...@@ -350,7 +357,7 @@ int fscrypt_fname_disk_to_usr(const struct inode *inode, ...@@ -350,7 +357,7 @@ int fscrypt_fname_disk_to_usr(const struct inode *inode,
return 0; return 0;
} }
if (iname->len < FS_CRYPTO_BLOCK_SIZE) if (iname->len < FSCRYPT_FNAME_MIN_MSG_LEN)
return -EUCLEAN; return -EUCLEAN;
if (fscrypt_has_encryption_key(inode)) if (fscrypt_has_encryption_key(inode))
......
...@@ -545,8 +545,8 @@ struct key * ...@@ -545,8 +545,8 @@ struct key *
fscrypt_find_master_key(struct super_block *sb, fscrypt_find_master_key(struct super_block *sb,
const struct fscrypt_key_specifier *mk_spec); const struct fscrypt_key_specifier *mk_spec);
int fscrypt_add_test_dummy_key(struct super_block *sb, int fscrypt_get_test_dummy_key_identifier(
struct fscrypt_key_specifier *key_spec); u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]);
int fscrypt_verify_key_added(struct super_block *sb, int fscrypt_verify_key_added(struct super_block *sb,
const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]); const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]);
...@@ -561,7 +561,9 @@ struct fscrypt_mode { ...@@ -561,7 +561,9 @@ struct fscrypt_mode {
int keysize; /* key size in bytes */ int keysize; /* key size in bytes */
int security_strength; /* security strength in bytes */ int security_strength; /* security strength in bytes */
int ivsize; /* IV size in bytes */ int ivsize; /* IV size in bytes */
int logged_impl_name; int logged_cryptoapi_impl;
int logged_blk_crypto_native;
int logged_blk_crypto_fallback;
enum blk_crypto_mode_num blk_crypto_mode; enum blk_crypto_mode_num blk_crypto_mode;
}; };
...@@ -621,6 +623,8 @@ int fscrypt_setup_v1_file_key_via_subscribed_keyrings(struct fscrypt_info *ci); ...@@ -621,6 +623,8 @@ int fscrypt_setup_v1_file_key_via_subscribed_keyrings(struct fscrypt_info *ci);
bool fscrypt_policies_equal(const union fscrypt_policy *policy1, bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
const union fscrypt_policy *policy2); const union fscrypt_policy *policy2);
int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy,
struct fscrypt_key_specifier *key_spec);
bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, bool fscrypt_supported_policy(const union fscrypt_policy *policy_u,
const struct inode *inode); const struct inode *inode);
int fscrypt_policy_from_context(union fscrypt_policy *policy_u, int fscrypt_policy_from_context(union fscrypt_policy *policy_u,
......
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
* provides the key and IV to use. * provides the key and IV to use.
*/ */
#include <linux/blk-crypto.h> #include <linux/blk-crypto-profile.h>
#include <linux/blkdev.h> #include <linux/blkdev.h>
#include <linux/buffer_head.h> #include <linux/buffer_head.h>
#include <linux/sched/mm.h> #include <linux/sched/mm.h>
...@@ -64,6 +64,35 @@ static unsigned int fscrypt_get_dun_bytes(const struct fscrypt_info *ci) ...@@ -64,6 +64,35 @@ static unsigned int fscrypt_get_dun_bytes(const struct fscrypt_info *ci)
return DIV_ROUND_UP(lblk_bits, 8); return DIV_ROUND_UP(lblk_bits, 8);
} }
/*
* Log a message when starting to use blk-crypto (native) or blk-crypto-fallback
* for an encryption mode for the first time. This is the blk-crypto
* counterpart to the message logged when starting to use the crypto API for the
* first time. A limitation is that these messages don't convey which specific
* filesystems or files are using each implementation. However, *usually*
* systems use just one implementation per mode, which makes these messages
* helpful for debugging problems where the "wrong" implementation is used.
*/
static void fscrypt_log_blk_crypto_impl(struct fscrypt_mode *mode,
struct request_queue **devs,
int num_devs,
const struct blk_crypto_config *cfg)
{
int i;
for (i = 0; i < num_devs; i++) {
if (!IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) ||
__blk_crypto_cfg_supported(devs[i]->crypto_profile, cfg)) {
if (!xchg(&mode->logged_blk_crypto_native, 1))
pr_info("fscrypt: %s using blk-crypto (native)\n",
mode->friendly_name);
} else if (!xchg(&mode->logged_blk_crypto_fallback, 1)) {
pr_info("fscrypt: %s using blk-crypto-fallback\n",
mode->friendly_name);
}
}
}
/* Enable inline encryption for this file if supported. */ /* Enable inline encryption for this file if supported. */
int fscrypt_select_encryption_impl(struct fscrypt_info *ci) int fscrypt_select_encryption_impl(struct fscrypt_info *ci)
{ {
...@@ -117,6 +146,8 @@ int fscrypt_select_encryption_impl(struct fscrypt_info *ci) ...@@ -117,6 +146,8 @@ int fscrypt_select_encryption_impl(struct fscrypt_info *ci)
goto out_free_devs; goto out_free_devs;
} }
fscrypt_log_blk_crypto_impl(ci->ci_mode, devs, num_devs, &crypto_cfg);
ci->ci_inlinecrypt = true; ci->ci_inlinecrypt = true;
out_free_devs: out_free_devs:
kfree(devs); kfree(devs);
......
...@@ -688,28 +688,68 @@ int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg) ...@@ -688,28 +688,68 @@ int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg)
} }
EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key); EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key);
/* static void
* Add the key for '-o test_dummy_encryption' to the filesystem keyring. fscrypt_get_test_dummy_secret(struct fscrypt_master_key_secret *secret)
*
* Use a per-boot random key to prevent people from misusing this option.
*/
int fscrypt_add_test_dummy_key(struct super_block *sb,
struct fscrypt_key_specifier *key_spec)
{ {
static u8 test_key[FSCRYPT_MAX_KEY_SIZE]; static u8 test_key[FSCRYPT_MAX_KEY_SIZE];
get_random_once(test_key, FSCRYPT_MAX_KEY_SIZE);
memset(secret, 0, sizeof(*secret));
secret->size = FSCRYPT_MAX_KEY_SIZE;
memcpy(secret->raw, test_key, FSCRYPT_MAX_KEY_SIZE);
}
int fscrypt_get_test_dummy_key_identifier(
u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
{
struct fscrypt_master_key_secret secret; struct fscrypt_master_key_secret secret;
int err; int err;
get_random_once(test_key, FSCRYPT_MAX_KEY_SIZE); fscrypt_get_test_dummy_secret(&secret);
memset(&secret, 0, sizeof(secret)); err = fscrypt_init_hkdf(&secret.hkdf, secret.raw, secret.size);
secret.size = FSCRYPT_MAX_KEY_SIZE; if (err)
memcpy(secret.raw, test_key, FSCRYPT_MAX_KEY_SIZE); goto out;
err = fscrypt_hkdf_expand(&secret.hkdf, HKDF_CONTEXT_KEY_IDENTIFIER,
NULL, 0, key_identifier,
FSCRYPT_KEY_IDENTIFIER_SIZE);
out:
wipe_master_key_secret(&secret);
return err;
}
err = add_master_key(sb, &secret, key_spec); /**
* fscrypt_add_test_dummy_key() - add the test dummy encryption key
* @sb: the filesystem instance to add the key to
* @dummy_policy: the encryption policy for test_dummy_encryption
*
* If needed, add the key for the test_dummy_encryption mount option to the
* filesystem. To prevent misuse of this mount option, a per-boot random key is
* used instead of a hardcoded one. This makes it so that any encrypted files
* created using this option won't be accessible after a reboot.
*
* Return: 0 on success, -errno on failure
*/
int fscrypt_add_test_dummy_key(struct super_block *sb,
const struct fscrypt_dummy_policy *dummy_policy)
{
const union fscrypt_policy *policy = dummy_policy->policy;
struct fscrypt_key_specifier key_spec;
struct fscrypt_master_key_secret secret;
int err;
if (!policy)
return 0;
err = fscrypt_policy_to_key_spec(policy, &key_spec);
if (err)
return err;
fscrypt_get_test_dummy_secret(&secret);
err = add_master_key(sb, &secret, &key_spec);
wipe_master_key_secret(&secret); wipe_master_key_secret(&secret);
return err; return err;
} }
EXPORT_SYMBOL_GPL(fscrypt_add_test_dummy_key);
/* /*
* Verify that the current user has added a master key with the given identifier * Verify that the current user has added a master key with the given identifier
......
...@@ -94,7 +94,7 @@ fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, ...@@ -94,7 +94,7 @@ fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key,
mode->cipher_str, PTR_ERR(tfm)); mode->cipher_str, PTR_ERR(tfm));
return tfm; return tfm;
} }
if (!xchg(&mode->logged_impl_name, 1)) { if (!xchg(&mode->logged_cryptoapi_impl, 1)) {
/* /*
* fscrypt performance can vary greatly depending on which * fscrypt performance can vary greatly depending on which
* crypto algorithm implementation is used. Help people debug * crypto algorithm implementation is used. Help people debug
...@@ -425,23 +425,9 @@ static int setup_file_encryption_key(struct fscrypt_info *ci, ...@@ -425,23 +425,9 @@ static int setup_file_encryption_key(struct fscrypt_info *ci,
if (err) if (err)
return err; return err;
switch (ci->ci_policy.version) { err = fscrypt_policy_to_key_spec(&ci->ci_policy, &mk_spec);
case FSCRYPT_POLICY_V1: if (err)
mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; return err;
memcpy(mk_spec.u.descriptor,
ci->ci_policy.v1.master_key_descriptor,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
break;
case FSCRYPT_POLICY_V2:
mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
memcpy(mk_spec.u.identifier,
ci->ci_policy.v2.master_key_identifier,
FSCRYPT_KEY_IDENTIFIER_SIZE);
break;
default:
WARN_ON(1);
return -EINVAL;
}
key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
if (IS_ERR(key)) { if (IS_ERR(key)) {
......
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
* Modified by Eric Biggers, 2019 for v2 policy support. * Modified by Eric Biggers, 2019 for v2 policy support.
*/ */
#include <linux/fs_context.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <linux/string.h> #include <linux/string.h>
...@@ -32,6 +33,26 @@ bool fscrypt_policies_equal(const union fscrypt_policy *policy1, ...@@ -32,6 +33,26 @@ bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); return !memcmp(policy1, policy2, fscrypt_policy_size(policy1));
} }
int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy,
struct fscrypt_key_specifier *key_spec)
{
switch (policy->version) {
case FSCRYPT_POLICY_V1:
key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
return 0;
case FSCRYPT_POLICY_V2:
key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
memcpy(key_spec->u.identifier, policy->v2.master_key_identifier,
FSCRYPT_KEY_IDENTIFIER_SIZE);
return 0;
default:
WARN_ON(1);
return -EINVAL;
}
}
static const union fscrypt_policy * static const union fscrypt_policy *
fscrypt_get_dummy_policy(struct super_block *sb) fscrypt_get_dummy_policy(struct super_block *sb)
{ {
...@@ -704,73 +725,45 @@ int fscrypt_set_context(struct inode *inode, void *fs_data) ...@@ -704,73 +725,45 @@ int fscrypt_set_context(struct inode *inode, void *fs_data)
EXPORT_SYMBOL_GPL(fscrypt_set_context); EXPORT_SYMBOL_GPL(fscrypt_set_context);
/** /**
* fscrypt_set_test_dummy_encryption() - handle '-o test_dummy_encryption' * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option
* @sb: the filesystem on which test_dummy_encryption is being specified * @param: the mount option
* @arg: the argument to the test_dummy_encryption option. May be NULL. * @dummy_policy: (input/output) the place to write the dummy policy that will
* @dummy_policy: the filesystem's current dummy policy (input/output, see * result from parsing the option. Zero-initialize this. If a policy is
* below) * already set here (due to test_dummy_encryption being given multiple
* * times), then this function will verify that the policies are the same.
* Handle the test_dummy_encryption mount option by creating a dummy encryption
* policy, saving it in @dummy_policy, and adding the corresponding dummy
* encryption key to the filesystem. If the @dummy_policy is already set, then
* instead validate that it matches @arg. Don't support changing it via
* remount, as that is difficult to do safely.
* *
* Return: 0 on success (dummy policy set, or the same policy is already set); * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the
* -EEXIST if a different dummy policy is already set; * argument conflicts with one already specified; or -ENOMEM.
* or another -errno value.
*/ */
int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg, int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param,
struct fscrypt_dummy_policy *dummy_policy) struct fscrypt_dummy_policy *dummy_policy)
{ {
struct fscrypt_key_specifier key_spec = { 0 }; const char *arg = "v2";
int version; union fscrypt_policy *policy;
union fscrypt_policy *policy = NULL;
int err; int err;
if (!arg) if (param->type == fs_value_is_string && *param->string)
arg = "v2"; arg = param->string;
if (!strcmp(arg, "v1")) {
version = FSCRYPT_POLICY_V1;
key_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
memset(key_spec.u.descriptor, 0x42,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
} else if (!strcmp(arg, "v2")) {
version = FSCRYPT_POLICY_V2;
key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
/* key_spec.u.identifier gets filled in when adding the key */
} else {
err = -EINVAL;
goto out;
}
policy = kzalloc(sizeof(*policy), GFP_KERNEL); policy = kzalloc(sizeof(*policy), GFP_KERNEL);
if (!policy) { if (!policy)
err = -ENOMEM; return -ENOMEM;
goto out;
}
err = fscrypt_add_test_dummy_key(sb, &key_spec);
if (err)
goto out;
policy->version = version; if (!strcmp(arg, "v1")) {
switch (policy->version) { policy->version = FSCRYPT_POLICY_V1;
case FSCRYPT_POLICY_V1:
policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
memcpy(policy->v1.master_key_descriptor, key_spec.u.descriptor, memset(policy->v1.master_key_descriptor, 0x42,
FSCRYPT_KEY_DESCRIPTOR_SIZE); FSCRYPT_KEY_DESCRIPTOR_SIZE);
break; } else if (!strcmp(arg, "v2")) {
case FSCRYPT_POLICY_V2: policy->version = FSCRYPT_POLICY_V2;
policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
memcpy(policy->v2.master_key_identifier, key_spec.u.identifier, err = fscrypt_get_test_dummy_key_identifier(
FSCRYPT_KEY_IDENTIFIER_SIZE); policy->v2.master_key_identifier);
break; if (err)
default: goto out;
WARN_ON(1); } else {
err = -EINVAL; err = -EINVAL;
goto out; goto out;
} }
...@@ -789,6 +782,37 @@ int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg, ...@@ -789,6 +782,37 @@ int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg,
kfree(policy); kfree(policy);
return err; return err;
} }
EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption);
/**
* fscrypt_dummy_policies_equal() - check whether two dummy policies are equal
* @p1: the first test dummy policy (may be unset)
* @p2: the second test dummy policy (may be unset)
*
* Return: %true if the dummy policies are both set and equal, or both unset.
*/
bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1,
const struct fscrypt_dummy_policy *p2)
{
if (!p1->policy && !p2->policy)
return true;
if (!p1->policy || !p2->policy)
return false;
return fscrypt_policies_equal(p1->policy, p2->policy);
}
EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal);
/* Deprecated, do not use */
int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg,
struct fscrypt_dummy_policy *dummy_policy)
{
struct fs_parameter param = {
.type = fs_value_is_string,
.string = arg ? (char *)arg : "",
};
return fscrypt_parse_test_dummy_encryption(&param, dummy_policy) ?:
fscrypt_add_test_dummy_key(sb, dummy_policy);
}
EXPORT_SYMBOL_GPL(fscrypt_set_test_dummy_encryption); EXPORT_SYMBOL_GPL(fscrypt_set_test_dummy_encryption);
/** /**
......
...@@ -132,7 +132,7 @@ ...@@ -132,7 +132,7 @@
#define WORST_COMPR_FACTOR 2 #define WORST_COMPR_FACTOR 2
#ifdef CONFIG_FS_ENCRYPTION #ifdef CONFIG_FS_ENCRYPTION
#define UBIFS_CIPHER_BLOCK_SIZE FS_CRYPTO_BLOCK_SIZE #define UBIFS_CIPHER_BLOCK_SIZE FSCRYPT_CONTENTS_ALIGNMENT
#else #else
#define UBIFS_CIPHER_BLOCK_SIZE 0 #define UBIFS_CIPHER_BLOCK_SIZE 0
#endif #endif
......
...@@ -18,10 +18,21 @@ ...@@ -18,10 +18,21 @@
#include <linux/slab.h> #include <linux/slab.h>
#include <uapi/linux/fscrypt.h> #include <uapi/linux/fscrypt.h>
#define FS_CRYPTO_BLOCK_SIZE 16 /*
* The lengths of all file contents blocks must be divisible by this value.
* This is needed to ensure that all contents encryption modes will work, as
* some of the supported modes don't support arbitrarily byte-aligned messages.
*
* Since the needed alignment is 16 bytes, most filesystems will meet this
* requirement naturally, as typical block sizes are powers of 2. However, if a
* filesystem can generate arbitrarily byte-aligned block lengths (e.g., via
* compression), then it will need to pad to this alignment before encryption.
*/
#define FSCRYPT_CONTENTS_ALIGNMENT 16
union fscrypt_policy; union fscrypt_policy;
struct fscrypt_info; struct fscrypt_info;
struct fs_parameter;
struct seq_file; struct seq_file;
struct fscrypt_str { struct fscrypt_str {
...@@ -279,10 +290,19 @@ struct fscrypt_dummy_policy { ...@@ -279,10 +290,19 @@ struct fscrypt_dummy_policy {
const union fscrypt_policy *policy; const union fscrypt_policy *policy;
}; };
int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param,
struct fscrypt_dummy_policy *dummy_policy);
bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1,
const struct fscrypt_dummy_policy *p2);
int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg, int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg,
struct fscrypt_dummy_policy *dummy_policy); struct fscrypt_dummy_policy *dummy_policy);
void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep, void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep,
struct super_block *sb); struct super_block *sb);
static inline bool
fscrypt_is_dummy_policy_set(const struct fscrypt_dummy_policy *dummy_policy)
{
return dummy_policy->policy != NULL;
}
static inline void static inline void
fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy) fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
{ {
...@@ -293,6 +313,8 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy) ...@@ -293,6 +313,8 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
/* keyring.c */ /* keyring.c */
void fscrypt_sb_free(struct super_block *sb); void fscrypt_sb_free(struct super_block *sb);
int fscrypt_ioctl_add_key(struct file *filp, void __user *arg); int fscrypt_ioctl_add_key(struct file *filp, void __user *arg);
int fscrypt_add_test_dummy_key(struct super_block *sb,
const struct fscrypt_dummy_policy *dummy_policy);
int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg); int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg);
int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *arg); int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *arg);
int fscrypt_ioctl_get_key_status(struct file *filp, void __user *arg); int fscrypt_ioctl_get_key_status(struct file *filp, void __user *arg);
...@@ -467,12 +489,32 @@ static inline int fscrypt_set_context(struct inode *inode, void *fs_data) ...@@ -467,12 +489,32 @@ static inline int fscrypt_set_context(struct inode *inode, void *fs_data)
struct fscrypt_dummy_policy { struct fscrypt_dummy_policy {
}; };
static inline int
fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param,
struct fscrypt_dummy_policy *dummy_policy)
{
return -EINVAL;
}
static inline bool
fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1,
const struct fscrypt_dummy_policy *p2)
{
return true;
}
static inline void fscrypt_show_test_dummy_encryption(struct seq_file *seq, static inline void fscrypt_show_test_dummy_encryption(struct seq_file *seq,
char sep, char sep,
struct super_block *sb) struct super_block *sb)
{ {
} }
static inline bool
fscrypt_is_dummy_policy_set(const struct fscrypt_dummy_policy *dummy_policy)
{
return false;
}
static inline void static inline void
fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy) fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
{ {
...@@ -488,6 +530,13 @@ static inline int fscrypt_ioctl_add_key(struct file *filp, void __user *arg) ...@@ -488,6 +530,13 @@ static inline int fscrypt_ioctl_add_key(struct file *filp, void __user *arg)
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
static inline int
fscrypt_add_test_dummy_key(struct super_block *sb,
const struct fscrypt_dummy_policy *dummy_policy)
{
return 0;
}
static inline int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg) static inline int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg)
{ {
return -EOPNOTSUPP; return -EOPNOTSUPP;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment