Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux
Pull fscrypt updates from Eric Biggers:
"Simplify how fscrypt uses the crypto API, resulting in some
significant performance improvements:
- Drop the incomplete and problematic support for asynchronous
algorithms. These drivers are bug-prone, and it turns out they are
actually much slower than the CPU-based code as well.
- Allocate crypto requests on the stack instead of the heap. This
improves encryption and decryption performance, especially for
filenames. This also eliminates a point of failure during I/O"
* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
ceph: Remove gfp_t argument from ceph_fscrypt_encrypt_*()
fscrypt: Remove gfp_t argument from fscrypt_encrypt_block_inplace()
fscrypt: Remove gfp_t argument from fscrypt_crypt_data_unit()
fscrypt: Switch to sync_skcipher and on-stack requests
fscrypt: Drop FORBID_WEAK_KEYS flag for AES-ECB
fscrypt: Don't use asynchronous CryptoAPI algorithms
fscrypt: Don't use problematic non-inline crypto engines
fscrypt: Drop obsolete recommendation to enable optimized SHA-512
fscrypt: Explicitly include <linux/export.h>
+145
-181
+15
-30
Documentation/filesystems/fscrypt.rst
+15
-30
Documentation/filesystems/fscrypt.rst
···
147
147
were wiped. To partially solve this, you can add init_on_free=1 to
148
148
your kernel command line. However, this has a performance cost.
149
149
150
-
- Secret keys might still exist in CPU registers, in crypto
151
-
accelerator hardware (if used by the crypto API to implement any of
152
-
the algorithms), or in other places not explicitly considered here.
150
+
- Secret keys might still exist in CPU registers or in other places
151
+
not explicitly considered here.
153
152
154
153
Full system compromise
155
154
~~~~~~~~~~~~~~~~~~~~~~
···
405
406
acceleration is unavailable. For more information about Adiantum, see
406
407
`the Adiantum paper <https://eprint.iacr.org/2018/720.pdf>`_.
407
408
408
-
The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair exists only to support
409
-
systems whose only form of AES acceleration is an off-CPU crypto
410
-
accelerator such as CAAM or CESA that does not support XTS.
409
+
The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair was added to try to
410
+
provide a more efficient option for systems that lack AES instructions
411
+
in the CPU but do have a non-inline crypto engine such as CAAM or CESA
412
+
that supports AES-CBC (and not AES-XTS). This is deprecated. It has
413
+
been shown that just doing AES on the CPU is actually faster.
414
+
Moreover, Adiantum is faster still and is recommended on such systems.
411
415
412
416
The remaining mode pairs are the "national pride ciphers":
413
417
···
469
467
- CONFIG_CRYPTO_SHA256 or another SHA-256 implementation
470
468
- Recommended:
471
469
- AES-CBC acceleration
472
-
473
-
fscrypt also uses HMAC-SHA512 for key derivation, so enabling SHA-512
474
-
acceleration is recommended:
475
-
476
-
- SHA-512
477
-
- Recommended:
478
-
- arm64: CONFIG_CRYPTO_SHA512_ARM64_CE
479
-
- x86: CONFIG_CRYPTO_SHA512_SSSE3
480
470
481
471
Contents encryption
482
472
-------------------
···
1320
1326
Inline encryption support
1321
1327
=========================
1322
1328
1323
-
By default, fscrypt uses the kernel crypto API for all cryptographic
1324
-
operations (other than HKDF, which fscrypt partially implements
1325
-
itself). The kernel crypto API supports hardware crypto accelerators,
1326
-
but only ones that work in the traditional way where all inputs and
1327
-
outputs (e.g. plaintexts and ciphertexts) are in memory. fscrypt can
1328
-
take advantage of such hardware, but the traditional acceleration
1329
-
model isn't particularly efficient and fscrypt hasn't been optimized
1330
-
for it.
1331
-
1332
-
Instead, many newer systems (especially mobile SoCs) have *inline
1333
-
encryption hardware* that can encrypt/decrypt data while it is on its
1334
-
way to/from the storage device. Linux supports inline encryption
1335
-
through a set of extensions to the block layer called *blk-crypto*.
1336
-
blk-crypto allows filesystems to attach encryption contexts to bios
1337
-
(I/O requests) to specify how the data will be encrypted or decrypted
1338
-
in-line. For more information about blk-crypto, see
1329
+
Many newer systems (especially mobile SoCs) have *inline encryption
1330
+
hardware* that can encrypt/decrypt data while it is on its way to/from
1331
+
the storage device. Linux supports inline encryption through a set of
1332
+
extensions to the block layer called *blk-crypto*. blk-crypto allows
1333
+
filesystems to attach encryption contexts to bios (I/O requests) to
1334
+
specify how the data will be encrypted or decrypted in-line. For more
1335
+
information about blk-crypto, see
1339
1336
:ref:`Documentation/block/inline-encryption.rst <inline_encryption>`.
1340
1337
1341
1338
On supported filesystems (currently ext4 and f2fs), fscrypt can use
+5
-8
fs/ceph/crypto.c
+5
-8
fs/ceph/crypto.c
···
488
488
489
489
int ceph_fscrypt_encrypt_block_inplace(const struct inode *inode,
490
490
struct page *page, unsigned int len,
491
-
unsigned int offs, u64 lblk_num,
492
-
gfp_t gfp_flags)
491
+
unsigned int offs, u64 lblk_num)
493
492
{
494
493
struct ceph_client *cl = ceph_inode_to_client(inode);
495
494
496
495
doutc(cl, "%p %llx.%llx len %u offs %u blk %llu\n", inode,
497
496
ceph_vinop(inode), len, offs, lblk_num);
498
-
return fscrypt_encrypt_block_inplace(inode, page, len, offs, lblk_num,
499
-
gfp_flags);
497
+
return fscrypt_encrypt_block_inplace(inode, page, len, offs, lblk_num);
500
498
}
501
499
502
500
/**
···
612
614
* @page: pointer to page array
613
615
* @off: offset into the file that the data starts
614
616
* @len: max length to encrypt
615
-
* @gfp: gfp flags to use for allocation
616
617
*
617
-
* Decrypt an array of cleartext pages and return the amount of
618
+
* Encrypt an array of cleartext pages and return the amount of
618
619
* data encrypted. Any data in the page prior to the start of the
619
620
* first complete block in the read is ignored. Any incomplete
620
621
* crypto blocks at the end of the array are ignored.
···
621
624
* Returns the length of the encrypted data or a negative errno.
622
625
*/
623
626
int ceph_fscrypt_encrypt_pages(struct inode *inode, struct page **page, u64 off,
624
-
int len, gfp_t gfp)
627
+
int len)
625
628
{
626
629
int i, num_blocks;
627
630
u64 baseblk = off >> CEPH_FSCRYPT_BLOCK_SHIFT;
···
642
645
643
646
fret = ceph_fscrypt_encrypt_block_inplace(inode, page[pgidx],
644
647
CEPH_FSCRYPT_BLOCK_SIZE, pgoffs,
645
-
baseblk + i, gfp);
648
+
baseblk + i);
646
649
if (fret < 0) {
647
650
if (ret == 0)
648
651
ret = fret;
+4
-6
fs/ceph/crypto.h
+4
-6
fs/ceph/crypto.h
···
152
152
unsigned int offs, u64 lblk_num);
153
153
int ceph_fscrypt_encrypt_block_inplace(const struct inode *inode,
154
154
struct page *page, unsigned int len,
155
-
unsigned int offs, u64 lblk_num,
156
-
gfp_t gfp_flags);
155
+
unsigned int offs, u64 lblk_num);
157
156
int ceph_fscrypt_decrypt_pages(struct inode *inode, struct page **page,
158
157
u64 off, int len);
159
158
int ceph_fscrypt_decrypt_extents(struct inode *inode, struct page **page,
160
159
u64 off, struct ceph_sparse_extent *map,
161
160
u32 ext_cnt);
162
161
int ceph_fscrypt_encrypt_pages(struct inode *inode, struct page **page, u64 off,
163
-
int len, gfp_t gfp);
162
+
int len);
164
163
165
164
static inline struct page *ceph_fscrypt_pagecache_page(struct page *page)
166
165
{
···
235
236
236
237
static inline int ceph_fscrypt_encrypt_block_inplace(const struct inode *inode,
237
238
struct page *page, unsigned int len,
238
-
unsigned int offs, u64 lblk_num,
239
-
gfp_t gfp_flags)
239
+
unsigned int offs, u64 lblk_num)
240
240
{
241
241
return 0;
242
242
}
···
257
259
258
260
static inline int ceph_fscrypt_encrypt_pages(struct inode *inode,
259
261
struct page **page, u64 off,
260
-
int len, gfp_t gfp)
262
+
int len)
261
263
{
262
264
return 0;
263
265
}
+1
-2
fs/ceph/file.c
+1
-2
fs/ceph/file.c
···
1992
1992
1993
1993
if (IS_ENCRYPTED(inode)) {
1994
1994
ret = ceph_fscrypt_encrypt_pages(inode, pages,
1995
-
write_pos, write_len,
1996
-
GFP_KERNEL);
1995
+
write_pos, write_len);
1997
1996
if (ret < 0) {
1998
1997
doutc(cl, "encryption failed with %d\n", ret);
1999
1998
ceph_release_page_vector(pages, num_pages);
+1
-2
fs/ceph/inode.c
+1
-2
fs/ceph/inode.c
+5
-4
fs/crypto/bio.c
+5
-4
fs/crypto/bio.c
···
7
7
* Copyright (C) 2015, Motorola Mobility
8
8
*/
9
9
10
-
#include <linux/pagemap.h>
11
-
#include <linux/module.h>
12
10
#include <linux/bio.h>
11
+
#include <linux/export.h>
12
+
#include <linux/module.h>
13
13
#include <linux/namei.h>
14
+
#include <linux/pagemap.h>
15
+
14
16
#include "fscrypt_private.h"
15
17
16
18
/**
···
167
165
do {
168
166
err = fscrypt_crypt_data_unit(ci, FS_ENCRYPT, du_index,
169
167
ZERO_PAGE(0), pages[i],
170
-
du_size, offset,
171
-
GFP_NOFS);
168
+
du_size, offset);
172
169
if (err)
173
170
goto out;
174
171
du_index++;
+20
-32
fs/crypto/crypto.c
+20
-32
fs/crypto/crypto.c
···
20
20
* Special Publication 800-38E and IEEE P1619/D16.
21
21
*/
22
22
23
-
#include <linux/pagemap.h>
23
+
#include <crypto/skcipher.h>
24
+
#include <linux/export.h>
24
25
#include <linux/mempool.h>
25
26
#include <linux/module.h>
26
-
#include <linux/scatterlist.h>
27
+
#include <linux/pagemap.h>
27
28
#include <linux/ratelimit.h>
28
-
#include <crypto/skcipher.h>
29
+
#include <linux/scatterlist.h>
30
+
29
31
#include "fscrypt_private.h"
30
32
31
33
static unsigned int num_prealloc_crypto_pages = 32;
···
110
108
int fscrypt_crypt_data_unit(const struct fscrypt_inode_info *ci,
111
109
fscrypt_direction_t rw, u64 index,
112
110
struct page *src_page, struct page *dest_page,
113
-
unsigned int len, unsigned int offs,
114
-
gfp_t gfp_flags)
111
+
unsigned int len, unsigned int offs)
115
112
{
113
+
struct crypto_sync_skcipher *tfm = ci->ci_enc_key.tfm;
114
+
SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
116
115
union fscrypt_iv iv;
117
-
struct skcipher_request *req = NULL;
118
-
DECLARE_CRYPTO_WAIT(wait);
119
116
struct scatterlist dst, src;
120
-
struct crypto_skcipher *tfm = ci->ci_enc_key.tfm;
121
-
int res = 0;
117
+
int err;
122
118
123
119
if (WARN_ON_ONCE(len <= 0))
124
120
return -EINVAL;
···
125
125
126
126
fscrypt_generate_iv(&iv, index, ci);
127
127
128
-
req = skcipher_request_alloc(tfm, gfp_flags);
129
-
if (!req)
130
-
return -ENOMEM;
131
-
132
128
skcipher_request_set_callback(
133
129
req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
134
-
crypto_req_done, &wait);
135
-
130
+
NULL, NULL);
136
131
sg_init_table(&dst, 1);
137
132
sg_set_page(&dst, dest_page, len, offs);
138
133
sg_init_table(&src, 1);
139
134
sg_set_page(&src, src_page, len, offs);
140
135
skcipher_request_set_crypt(req, &src, &dst, len, &iv);
141
136
if (rw == FS_DECRYPT)
142
-
res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
137
+
err = crypto_skcipher_decrypt(req);
143
138
else
144
-
res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
145
-
skcipher_request_free(req);
146
-
if (res) {
139
+
err = crypto_skcipher_encrypt(req);
140
+
if (err)
147
141
fscrypt_err(ci->ci_inode,
148
142
"%scryption failed for data unit %llu: %d",
149
-
(rw == FS_DECRYPT ? "De" : "En"), index, res);
150
-
return res;
151
-
}
152
-
return 0;
143
+
(rw == FS_DECRYPT ? "De" : "En"), index, err);
144
+
return err;
153
145
}
154
146
155
147
/**
···
196
204
for (i = offs; i < offs + len; i += du_size, index++) {
197
205
err = fscrypt_crypt_data_unit(ci, FS_ENCRYPT, index,
198
206
&folio->page, ciphertext_page,
199
-
du_size, i, gfp_flags);
207
+
du_size, i);
200
208
if (err) {
201
209
fscrypt_free_bounce_page(ciphertext_page);
202
210
return ERR_PTR(err);
···
217
225
* @offs: Byte offset within @page at which the block to encrypt begins
218
226
* @lblk_num: Filesystem logical block number of the block, i.e. the 0-based
219
227
* number of the block within the file
220
-
* @gfp_flags: Memory allocation flags
221
228
*
222
229
* Encrypt a possibly-compressed filesystem block that is located in an
223
230
* arbitrary page, not necessarily in the original pagecache page. The @inode
···
228
237
*/
229
238
int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page,
230
239
unsigned int len, unsigned int offs,
231
-
u64 lblk_num, gfp_t gfp_flags)
240
+
u64 lblk_num)
232
241
{
233
242
if (WARN_ON_ONCE(inode->i_sb->s_cop->supports_subblock_data_units))
234
243
return -EOPNOTSUPP;
235
244
return fscrypt_crypt_data_unit(inode->i_crypt_info, FS_ENCRYPT,
236
-
lblk_num, page, page, len, offs,
237
-
gfp_flags);
245
+
lblk_num, page, page, len, offs);
238
246
}
239
247
EXPORT_SYMBOL(fscrypt_encrypt_block_inplace);
240
248
···
273
283
struct page *page = folio_page(folio, i >> PAGE_SHIFT);
274
284
275
285
err = fscrypt_crypt_data_unit(ci, FS_DECRYPT, index, page,
276
-
page, du_size, i & ~PAGE_MASK,
277
-
GFP_NOFS);
286
+
page, du_size, i & ~PAGE_MASK);
278
287
if (err)
279
288
return err;
280
289
}
···
306
317
if (WARN_ON_ONCE(inode->i_sb->s_cop->supports_subblock_data_units))
307
318
return -EOPNOTSUPP;
308
319
return fscrypt_crypt_data_unit(inode->i_crypt_info, FS_DECRYPT,
309
-
lblk_num, page, page, len, offs,
310
-
GFP_NOFS);
320
+
lblk_num, page, page, len, offs);
311
321
}
312
322
EXPORT_SYMBOL(fscrypt_decrypt_block_inplace);
313
323
+25
-44
fs/crypto/fname.c
+25
-44
fs/crypto/fname.c
···
11
11
* This has not yet undergone a rigorous security audit.
12
12
*/
13
13
14
-
#include <linux/namei.h>
15
-
#include <linux/scatterlist.h>
16
14
#include <crypto/hash.h>
17
15
#include <crypto/sha2.h>
18
16
#include <crypto/skcipher.h>
17
+
#include <linux/export.h>
18
+
#include <linux/namei.h>
19
+
#include <linux/scatterlist.h>
20
+
19
21
#include "fscrypt_private.h"
20
22
21
23
/*
···
94
92
int fscrypt_fname_encrypt(const struct inode *inode, const struct qstr *iname,
95
93
u8 *out, unsigned int olen)
96
94
{
97
-
struct skcipher_request *req = NULL;
98
-
DECLARE_CRYPTO_WAIT(wait);
99
95
const struct fscrypt_inode_info *ci = inode->i_crypt_info;
100
-
struct crypto_skcipher *tfm = ci->ci_enc_key.tfm;
96
+
struct crypto_sync_skcipher *tfm = ci->ci_enc_key.tfm;
97
+
SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
101
98
union fscrypt_iv iv;
102
99
struct scatterlist sg;
103
-
int res;
100
+
int err;
104
101
105
102
/*
106
103
* Copy the filename to the output buffer for encrypting in-place and
···
110
109
memcpy(out, iname->name, iname->len);
111
110
memset(out + iname->len, 0, olen - iname->len);
112
111
113
-
/* Initialize the IV */
114
112
fscrypt_generate_iv(&iv, 0, ci);
115
113
116
-
/* Set up the encryption request */
117
-
req = skcipher_request_alloc(tfm, GFP_NOFS);
118
-
if (!req)
119
-
return -ENOMEM;
120
-
skcipher_request_set_callback(req,
121
-
CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
122
-
crypto_req_done, &wait);
114
+
skcipher_request_set_callback(
115
+
req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
116
+
NULL, NULL);
123
117
sg_init_one(&sg, out, olen);
124
118
skcipher_request_set_crypt(req, &sg, &sg, olen, &iv);
125
-
126
-
/* Do the encryption */
127
-
res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
128
-
skcipher_request_free(req);
129
-
if (res < 0) {
130
-
fscrypt_err(inode, "Filename encryption failed: %d", res);
131
-
return res;
132
-
}
133
-
134
-
return 0;
119
+
err = crypto_skcipher_encrypt(req);
120
+
if (err)
121
+
fscrypt_err(inode, "Filename encryption failed: %d", err);
122
+
return err;
135
123
}
136
124
EXPORT_SYMBOL_GPL(fscrypt_fname_encrypt);
137
125
···
138
148
const struct fscrypt_str *iname,
139
149
struct fscrypt_str *oname)
140
150
{
141
-
struct skcipher_request *req = NULL;
142
-
DECLARE_CRYPTO_WAIT(wait);
143
-
struct scatterlist src_sg, dst_sg;
144
151
const struct fscrypt_inode_info *ci = inode->i_crypt_info;
145
-
struct crypto_skcipher *tfm = ci->ci_enc_key.tfm;
152
+
struct crypto_sync_skcipher *tfm = ci->ci_enc_key.tfm;
153
+
SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
146
154
union fscrypt_iv iv;
147
-
int res;
155
+
struct scatterlist src_sg, dst_sg;
156
+
int err;
148
157
149
-
/* Allocate request */
150
-
req = skcipher_request_alloc(tfm, GFP_NOFS);
151
-
if (!req)
152
-
return -ENOMEM;
153
-
skcipher_request_set_callback(req,
154
-
CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
155
-
crypto_req_done, &wait);
156
-
157
-
/* Initialize IV */
158
158
fscrypt_generate_iv(&iv, 0, ci);
159
159
160
-
/* Create decryption request */
160
+
skcipher_request_set_callback(
161
+
req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
162
+
NULL, NULL);
161
163
sg_init_one(&src_sg, iname->name, iname->len);
162
164
sg_init_one(&dst_sg, oname->name, oname->len);
163
165
skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, &iv);
164
-
res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
165
-
skcipher_request_free(req);
166
-
if (res < 0) {
167
-
fscrypt_err(inode, "Filename decryption failed: %d", res);
168
-
return res;
166
+
err = crypto_skcipher_decrypt(req);
167
+
if (err) {
168
+
fscrypt_err(inode, "Filename decryption failed: %d", err);
169
+
return err;
169
170
}
170
171
171
172
oname->len = strnlen(oname->name, iname->len);
+20
-3
fs/crypto/fscrypt_private.h
+20
-3
fs/crypto/fscrypt_private.h
···
45
45
*/
46
46
#undef FSCRYPT_MAX_KEY_SIZE
47
47
48
+
/*
49
+
* This mask is passed as the third argument to the crypto_alloc_*() functions
50
+
* to prevent fscrypt from using the Crypto API drivers for non-inline crypto
51
+
* engines. Those drivers have been problematic for fscrypt. fscrypt users
52
+
* have reported hangs and even incorrect en/decryption with these drivers.
53
+
* Since going to the driver, off CPU, and back again is really slow, such
54
+
* drivers can be over 50 times slower than the CPU-based code for fscrypt's
55
+
* workload. Even on platforms that lack AES instructions on the CPU, using the
56
+
* offloads has been shown to be slower, even staying with AES. (Of course,
57
+
* Adiantum is faster still, and is the recommended option on such platforms...)
58
+
*
59
+
* Note that fscrypt also supports inline crypto engines. Those don't use the
60
+
* Crypto API and work much better than the old-style (non-inline) engines.
61
+
*/
62
+
#define FSCRYPT_CRYPTOAPI_MASK \
63
+
(CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY | \
64
+
CRYPTO_ALG_KERN_DRIVER_ONLY)
65
+
48
66
#define FSCRYPT_CONTEXT_V1 1
49
67
#define FSCRYPT_CONTEXT_V2 2
50
68
···
239
221
* Normally only one of the fields will be non-NULL.
240
222
*/
241
223
struct fscrypt_prepared_key {
242
-
struct crypto_skcipher *tfm;
224
+
struct crypto_sync_skcipher *tfm;
243
225
#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
244
226
struct blk_crypto_key *blk_key;
245
227
#endif
···
337
319
int fscrypt_crypt_data_unit(const struct fscrypt_inode_info *ci,
338
320
fscrypt_direction_t rw, u64 index,
339
321
struct page *src_page, struct page *dest_page,
340
-
unsigned int len, unsigned int offs,
341
-
gfp_t gfp_flags);
322
+
unsigned int len, unsigned int offs);
342
323
struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags);
343
324
344
325
void __printf(3, 4) __cold
+2
-2
fs/crypto/hkdf.c
+2
-2
fs/crypto/hkdf.c
···
8
8
*/
9
9
10
10
#include <crypto/hash.h>
11
-
#include <crypto/sha2.h>
12
11
#include <crypto/hkdf.h>
12
+
#include <crypto/sha2.h>
13
13
14
14
#include "fscrypt_private.h"
15
15
···
58
58
u8 prk[HKDF_HASHLEN];
59
59
int err;
60
60
61
-
hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0);
61
+
hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK);
62
62
if (IS_ERR(hmac_tfm)) {
63
63
fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
64
64
PTR_ERR(hmac_tfm));
+2
fs/crypto/hooks.c
+2
fs/crypto/hooks.c
+1
fs/crypto/inline_crypt.c
+1
fs/crypto/inline_crypt.c
+3
-2
fs/crypto/keyring.c
+3
-2
fs/crypto/keyring.c
···
18
18
* information about these ioctls.
19
19
*/
20
20
21
-
#include <linux/unaligned.h>
22
21
#include <crypto/skcipher.h>
22
+
#include <linux/export.h>
23
23
#include <linux/key-type.h>
24
-
#include <linux/random.h>
25
24
#include <linux/once.h>
25
+
#include <linux/random.h>
26
26
#include <linux/seq_file.h>
27
+
#include <linux/unaligned.h>
27
28
28
29
#include "fscrypt_private.h"
29
30
+13
-10
fs/crypto/keysetup.c
+13
-10
fs/crypto/keysetup.c
···
9
9
*/
10
10
11
11
#include <crypto/skcipher.h>
12
+
#include <linux/export.h>
12
13
#include <linux/random.h>
13
14
14
15
#include "fscrypt_private.h"
···
97
96
}
98
97
99
98
/* Create a symmetric cipher object for the given encryption mode and key */
100
-
static struct crypto_skcipher *
99
+
static struct crypto_sync_skcipher *
101
100
fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key,
102
101
const struct inode *inode)
103
102
{
104
-
struct crypto_skcipher *tfm;
103
+
struct crypto_sync_skcipher *tfm;
105
104
int err;
106
105
107
-
tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
106
+
tfm = crypto_alloc_sync_skcipher(mode->cipher_str, 0,
107
+
FSCRYPT_CRYPTOAPI_MASK);
108
108
if (IS_ERR(tfm)) {
109
109
if (PTR_ERR(tfm) == -ENOENT) {
110
110
fscrypt_warn(inode,
···
125
123
* first time a mode is used.
126
124
*/
127
125
pr_info("fscrypt: %s using implementation \"%s\"\n",
128
-
mode->friendly_name, crypto_skcipher_driver_name(tfm));
126
+
mode->friendly_name,
127
+
crypto_skcipher_driver_name(&tfm->base));
129
128
}
130
-
if (WARN_ON_ONCE(crypto_skcipher_ivsize(tfm) != mode->ivsize)) {
129
+
if (WARN_ON_ONCE(crypto_sync_skcipher_ivsize(tfm) != mode->ivsize)) {
131
130
err = -EINVAL;
132
131
goto err_free_tfm;
133
132
}
134
-
crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
135
-
err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize);
133
+
crypto_sync_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
134
+
err = crypto_sync_skcipher_setkey(tfm, raw_key, mode->keysize);
136
135
if (err)
137
136
goto err_free_tfm;
138
137
139
138
return tfm;
140
139
141
140
err_free_tfm:
142
-
crypto_free_skcipher(tfm);
141
+
crypto_free_sync_skcipher(tfm);
143
142
return ERR_PTR(err);
144
143
}
145
144
···
153
150
int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key,
154
151
const u8 *raw_key, const struct fscrypt_inode_info *ci)
155
152
{
156
-
struct crypto_skcipher *tfm;
153
+
struct crypto_sync_skcipher *tfm;
157
154
158
155
if (fscrypt_using_inline_encryption(ci))
159
156
return fscrypt_prepare_inline_crypt_key(prep_key, raw_key,
···
177
174
void fscrypt_destroy_prepared_key(struct super_block *sb,
178
175
struct fscrypt_prepared_key *prep_key)
179
176
{
180
-
crypto_free_skcipher(prep_key->tfm);
177
+
crypto_free_sync_skcipher(prep_key->tfm);
181
178
fscrypt_destroy_inline_crypt_key(sb, prep_key);
182
179
memzero_explicit(prep_key, sizeof(*prep_key));
183
180
}
+22
-31
fs/crypto/keysetup_v1.c
+22
-31
fs/crypto/keysetup_v1.c
···
48
48
const u8 nonce[FSCRYPT_FILE_NONCE_SIZE],
49
49
u8 *derived_key, unsigned int derived_keysize)
50
50
{
51
-
int res = 0;
52
-
struct skcipher_request *req = NULL;
53
-
DECLARE_CRYPTO_WAIT(wait);
54
-
struct scatterlist src_sg, dst_sg;
55
-
struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
51
+
struct crypto_sync_skcipher *tfm;
52
+
int err;
56
53
57
-
if (IS_ERR(tfm)) {
58
-
res = PTR_ERR(tfm);
59
-
tfm = NULL;
60
-
goto out;
61
-
}
62
-
crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
63
-
req = skcipher_request_alloc(tfm, GFP_KERNEL);
64
-
if (!req) {
65
-
res = -ENOMEM;
66
-
goto out;
67
-
}
68
-
skcipher_request_set_callback(req,
69
-
CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
70
-
crypto_req_done, &wait);
71
-
res = crypto_skcipher_setkey(tfm, nonce, FSCRYPT_FILE_NONCE_SIZE);
72
-
if (res < 0)
73
-
goto out;
54
+
tfm = crypto_alloc_sync_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK);
55
+
if (IS_ERR(tfm))
56
+
return PTR_ERR(tfm);
74
57
75
-
sg_init_one(&src_sg, master_key, derived_keysize);
76
-
sg_init_one(&dst_sg, derived_key, derived_keysize);
77
-
skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize,
78
-
NULL);
79
-
res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
80
-
out:
81
-
skcipher_request_free(req);
82
-
crypto_free_skcipher(tfm);
83
-
return res;
58
+
err = crypto_sync_skcipher_setkey(tfm, nonce, FSCRYPT_FILE_NONCE_SIZE);
59
+
if (err == 0) {
60
+
SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
61
+
struct scatterlist src_sg, dst_sg;
62
+
63
+
skcipher_request_set_callback(req,
64
+
CRYPTO_TFM_REQ_MAY_BACKLOG |
65
+
CRYPTO_TFM_REQ_MAY_SLEEP,
66
+
NULL, NULL);
67
+
sg_init_one(&src_sg, master_key, derived_keysize);
68
+
sg_init_one(&dst_sg, derived_key, derived_keysize);
69
+
skcipher_request_set_crypt(req, &src_sg, &dst_sg,
70
+
derived_keysize, NULL);
71
+
err = crypto_skcipher_encrypt(req);
72
+
}
73
+
crypto_free_sync_skcipher(tfm);
74
+
return err;
84
75
}
85
76
86
77
/*
+3
-1
fs/crypto/policy.c
+3
-1
fs/crypto/policy.c
···
10
10
* Modified by Eric Biggers, 2019 for v2 policy support.
11
11
*/
12
12
13
+
#include <linux/export.h>
13
14
#include <linux/fs_context.h>
15
+
#include <linux/mount.h>
14
16
#include <linux/random.h>
15
17
#include <linux/seq_file.h>
16
18
#include <linux/string.h>
17
-
#include <linux/mount.h>
19
+
18
20
#include "fscrypt_private.h"
19
21
20
22
/**
+1
-1
fs/ubifs/crypto.c
+1
-1
fs/ubifs/crypto.c
···
51
51
memset(p + in_len, 0, pad_len - in_len);
52
52
53
53
err = fscrypt_encrypt_block_inplace(inode, virt_to_page(p), pad_len,
54
-
offset_in_page(p), block, GFP_NOFS);
54
+
offset_in_page(p), block);
55
55
if (err) {
56
56
ubifs_err(c, "fscrypt_encrypt_block_inplace() failed: %d", err);
57
57
return err;
+2
-3
include/linux/fscrypt.h
+2
-3
include/linux/fscrypt.h
···
314
314
size_t len, size_t offs, gfp_t gfp_flags);
315
315
int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page,
316
316
unsigned int len, unsigned int offs,
317
-
u64 lblk_num, gfp_t gfp_flags);
317
+
u64 lblk_num);
318
318
319
319
int fscrypt_decrypt_pagecache_blocks(struct folio *folio, size_t len,
320
320
size_t offs);
···
487
487
static inline int fscrypt_encrypt_block_inplace(const struct inode *inode,
488
488
struct page *page,
489
489
unsigned int len,
490
-
unsigned int offs, u64 lblk_num,
491
-
gfp_t gfp_flags)
490
+
unsigned int offs, u64 lblk_num)
492
491
{
493
492
return -EOPNOTSUPP;
494
493
}