+97 -72

Documentation/filesystems/fscrypt.rst

reviewed

··· 132 132 Per-file keys 133 133 ------------- 134 134 135 135 - Master keys are not used to encrypt file contents or names directly. 136 136 - Instead, a unique key is derived for each encrypted file, including 137 137 - each regular file, directory, and symbolic link. This has several 138 138 - advantages: 135 135 + Since each master key can protect many files, it is necessary to 136 136 + "tweak" the encryption of each file so that the same plaintext in two 137 137 + files doesn't map to the same ciphertext, or vice versa. In most 138 138 + cases, fscrypt does this by deriving per-file keys. When a new 139 139 + encrypted inode (regular file, directory, or symlink) is created, 140 140 + fscrypt randomly generates a 16-byte nonce and stores it in the 141 141 + inode's encryption xattr. Then, it uses a KDF (Key Derivation 142 142 + Function) to derive the file's key from the master key and nonce. 139 143 140 140 - - In cryptosystems, the same key material should never be used for 141 141 - different purposes. Using the master key as both an XTS key for 142 142 - contents encryption and as a CTS-CBC key for filenames encryption 143 143 - would violate this rule. 144 144 - - Per-file keys simplify the choice of IVs (Initialization Vectors) 145 145 - for contents encryption. Without per-file keys, to ensure IV 146 146 - uniqueness both the inode and logical block number would need to be 147 147 - encoded in the IVs. This would make it impossible to renumber 148 148 - inodes, which e.g. ``resize2fs`` can do when resizing an ext4 149 149 - filesystem. With per-file keys, it is sufficient to encode just the 150 150 - logical block number in the IVs. 151 151 - - Per-file keys strengthen the encryption of filenames, where IVs are 152 152 - reused out of necessity. With a unique key per directory, IV reuse 153 153 - is limited to within a single directory. 154 154 - - Per-file keys allow individual files to be securely erased simply by 155 155 - securely erasing their keys. (Not yet implemented.) 144 144 + The Adiantum encryption mode (see `Encryption modes and usage`_) is 145 145 + special, since it accepts longer IVs and is suitable for both contents 146 146 + and filenames encryption. For it, a "direct key" option is offered 147 147 + where the file's nonce is included in the IVs and the master key is 148 148 + used for encryption directly. This improves performance; however, 149 149 + users must not use the same master key for any other encryption mode. 156 150 157 157 - A KDF (Key Derivation Function) is used to derive per-file keys from 158 158 - the master key. This is done instead of wrapping a randomly-generated 159 159 - key for each file because it reduces the size of the encryption xattr, 160 160 - which for some filesystems makes the xattr more likely to fit in-line 161 161 - in the filesystem's inode table. With a KDF, only a 16-byte nonce is 162 162 - required --- long enough to make key reuse extremely unlikely. A 163 163 - wrapped key, on the other hand, would need to be up to 64 bytes --- 164 164 - the length of an AES-256-XTS key. Furthermore, currently there is no 165 165 - requirement to support unlocking a file with multiple alternative 166 166 - master keys or to support rotating master keys. Instead, the master 167 167 - keys may be wrapped in userspace, e.g. as done by the `fscrypt 168 168 - <https://github.com/google/fscrypt>`_ tool. 151 151 + Below, the KDF and design considerations are described in more detail. 169 152 170 170 - The current KDF encrypts the master key using the 16-byte nonce as an 171 171 - AES-128-ECB key. The output is used as the derived key. If the 172 172 - output is longer than needed, then it is truncated to the needed 173 173 - length. Truncation is the norm for directories and symlinks, since 174 174 - those use the CTS-CBC encryption mode which requires a key half as 175 175 - long as that required by the XTS encryption mode. 153 153 + The current KDF works by encrypting the master key with AES-128-ECB, 154 154 + using the file's nonce as the AES key. The output is used as the 155 155 + derived key. If the output is longer than needed, then it is 156 156 + truncated to the needed length. 176 157 177 158 Note: this KDF meets the primary security requirement, which is to 178 159 produce unique derived keys that preserve the entropy of the master ··· 161 180 However, it is nonstandard and has some problems such as being 162 181 reversible, so it is generally considered to be a mistake! It may be 163 182 replaced with HKDF or another more standard KDF in the future. 183 183 + 184 184 + Key derivation was chosen over key wrapping because wrapped keys would 185 185 + require larger xattrs which would be less likely to fit in-line in the 186 186 + filesystem's inode table, and there didn't appear to be any 187 187 + significant advantages to key wrapping. In particular, currently 188 188 + there is no requirement to support unlocking a file with multiple 189 189 + alternative master keys or to support rotating master keys. Instead, 190 190 + the master keys may be wrapped in userspace, e.g. as is done by the 191 191 + `fscrypt <https://github.com/google/fscrypt>`_ tool. 192 192 + 193 193 + Including the inode number in the IVs was considered. However, it was 194 194 + rejected as it would have prevented ext4 filesystems from being 195 195 + resized, and by itself still wouldn't have been sufficient to prevent 196 196 + the same key from being directly reused for both XTS and CTS-CBC. 164 197 165 198 Encryption modes and usage 166 199 ========================== ··· 186 191 187 192 - AES-256-XTS for contents and AES-256-CTS-CBC for filenames 188 193 - AES-128-CBC for contents and AES-128-CTS-CBC for filenames 194 194 + - Adiantum for both contents and filenames 189 195 190 190 - It is strongly recommended to use AES-256-XTS for contents encryption. 196 196 + If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. 197 197 + 191 198 AES-128-CBC was added only for low-powered embedded devices with 192 199 crypto accelerators such as CAAM or CESA that do not support XTS. 200 200 + 201 201 + Adiantum is a (primarily) stream cipher-based mode that is fast even 202 202 + on CPUs without dedicated crypto instructions. It's also a true 203 203 + wide-block mode, unlike XTS. It can also eliminate the need to derive 204 204 + per-file keys. However, it depends on the security of two primitives, 205 205 + XChaCha12 and AES-256, rather than just one. See the paper 206 206 + "Adiantum: length-preserving encryption for entry-level processors" 207 207 + (https://eprint.iacr.org/2018/720.pdf) for more details. To use 208 208 + Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast 209 209 + implementations of ChaCha and NHPoly1305 should be enabled, e.g. 210 210 + CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM. 193 211 194 212 New encryption modes can be added relatively easily, without changes 195 213 to individual filesystems. However, authenticated encryption (AE) 196 214 modes are not currently supported because of the difficulty of dealing 197 215 with ciphertext expansion. 198 216 217 217 + Contents encryption 218 218 + ------------------- 219 219 + 199 220 For file contents, each filesystem block is encrypted independently. 200 221 Currently, only the case where the filesystem block size is equal to 201 201 - the system's page size (usually 4096 bytes) is supported. With the 202 202 - XTS mode of operation (recommended), the logical block number within 203 203 - the file is used as the IV. With the CBC mode of operation (not 204 204 - recommended), ESSIV is used; specifically, the IV for CBC is the 205 205 - logical block number encrypted with AES-256, where the AES-256 key is 206 206 - the SHA-256 hash of the inode's data encryption key. 222 222 + the system's page size (usually 4096 bytes) is supported. 207 223 208 208 - For filenames, the full filename is encrypted at once. Because of the 209 209 - requirements to retain support for efficient directory lookups and 210 210 - filenames of up to 255 bytes, a constant initialization vector (IV) is 211 211 - used. However, each encrypted directory uses a unique key, which 212 212 - limits IV reuse to within a single directory. Note that IV reuse in 213 213 - the context of CTS-CBC encryption means that when the original 214 214 - filenames share a common prefix at least as long as the cipher block 215 215 - size (16 bytes for AES), the corresponding encrypted filenames will 216 216 - also share a common prefix. This is undesirable; it may be fixed in 217 217 - the future by switching to an encryption mode that is a strong 218 218 - pseudorandom permutation on arbitrary-length messages, e.g. the HEH 219 219 - (Hash-Encrypt-Hash) mode. 224 224 + Each block's IV is set to the logical block number within the file as 225 225 + a little endian number, except that: 220 226 221 221 - Since filenames are encrypted with the CTS-CBC mode of operation, the 222 222 - plaintext and ciphertext filenames need not be multiples of the AES 223 223 - block size, i.e. 16 bytes. However, the minimum size that can be 224 224 - encrypted is 16 bytes, so shorter filenames are NUL-padded to 16 bytes 225 225 - before being encrypted. In addition, to reduce leakage of filename 226 226 - lengths via their ciphertexts, all filenames are NUL-padded to the 227 227 - next 4, 8, 16, or 32-byte boundary (configurable). 32 is recommended 228 228 - since this provides the best confidentiality, at the cost of making 229 229 - directory entries consume slightly more space. Note that since NUL 230 230 - (``\0``) is not otherwise a valid character in filenames, the padding 231 231 - will never produce duplicate plaintexts. 227 227 + - With CBC mode encryption, ESSIV is also used. Specifically, each IV 228 228 + is encrypted with AES-256 where the AES-256 key is the SHA-256 hash 229 229 + of the file's data encryption key. 230 230 + 231 231 + - In the "direct key" configuration (FS_POLICY_FLAG_DIRECT_KEY set in 232 232 + the fscrypt_policy), the file's nonce is also appended to the IV. 233 233 + Currently this is only allowed with the Adiantum encryption mode. 234 234 + 235 235 + Filenames encryption 236 236 + -------------------- 237 237 + 238 238 + For filenames, each full filename is encrypted at once. Because of 239 239 + the requirements to retain support for efficient directory lookups and 240 240 + filenames of up to 255 bytes, the same IV is used for every filename 241 241 + in a directory. 242 242 + 243 243 + However, each encrypted directory still uses a unique key; or 244 244 + alternatively (for the "direct key" configuration) has the file's 245 245 + nonce included in the IVs. Thus, IV reuse is limited to within a 246 246 + single directory. 247 247 + 248 248 + With CTS-CBC, the IV reuse means that when the plaintext filenames 249 249 + share a common prefix at least as long as the cipher block size (16 250 250 + bytes for AES), the corresponding encrypted filenames will also share 251 251 + a common prefix. This is undesirable. Adiantum does not have this 252 252 + weakness, as it is a wide-block encryption mode. 253 253 + 254 254 + All supported filenames encryption modes accept any plaintext length 255 255 + >= 16 bytes; cipher block alignment is not required. However, 256 256 + filenames shorter than 16 bytes are NUL-padded to 16 bytes before 257 257 + being encrypted. In addition, to reduce leakage of filename lengths 258 258 + via their ciphertexts, all filenames are NUL-padded to the next 4, 8, 259 259 + 16, or 32-byte boundary (configurable). 32 is recommended since this 260 260 + provides the best confidentiality, at the cost of making directory 261 261 + entries consume slightly more space. Note that since NUL (``\0``) is 262 262 + not otherwise a valid character in filenames, the padding will never 263 263 + produce duplicate plaintexts. 232 264 233 265 Symbolic link targets are considered a type of filename and are 234 234 - encrypted in the same way as filenames in directory entries. Each 235 235 - symlink also uses a unique key; hence, the hardcoded IV is not a 236 236 - problem for symlinks. 266 266 + encrypted in the same way as filenames in directory entries, except 267 267 + that IV reuse is not a problem as each symlink has its own inode. 237 268 238 269 User API 239 270 ======== ··· 293 272 and FS_ENCRYPTION_MODE_AES_256_CTS (4) for 294 273 ``filenames_encryption_mode``. 295 274 296 296 - - ``flags`` must be set to a value from ``<linux/fs.h>`` which 275 275 + - ``flags`` must contain a value from ``<linux/fs.h>`` which 297 276 identifies the amount of NUL-padding to use when encrypting 298 277 filenames. If unsure, use FS_POLICY_FLAGS_PAD_32 (0x3). 278 278 + In addition, if the chosen encryption modes are both 279 279 + FS_ENCRYPTION_MODE_ADIANTUM, this can contain 280 280 + FS_POLICY_FLAG_DIRECT_KEY to specify that the master key should be 281 281 + used directly, without key derivation. 299 282 300 283 - ``master_key_descriptor`` specifies how to find the master key in 301 284 the keyring; see `Adding keys`_. It is up to userspace to choose a

+15 -13

fs/crypto/crypto.c

reviewed

··· 133 133 } 134 134 EXPORT_SYMBOL(fscrypt_get_ctx); 135 135 136 136 + void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, 137 137 + const struct fscrypt_info *ci) 138 138 + { 139 139 + memset(iv, 0, ci->ci_mode->ivsize); 140 140 + iv->lblk_num = cpu_to_le64(lblk_num); 141 141 + 142 142 + if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY) 143 143 + memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE); 144 144 + 145 145 + if (ci->ci_essiv_tfm != NULL) 146 146 + crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw); 147 147 + } 148 148 + 136 149 int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw, 137 150 u64 lblk_num, struct page *src_page, 138 151 struct page *dest_page, unsigned int len, 139 152 unsigned int offs, gfp_t gfp_flags) 140 153 { 141 141 - struct { 142 142 - __le64 index; 143 143 - u8 padding[FS_IV_SIZE - sizeof(__le64)]; 144 144 - } iv; 154 154 + union fscrypt_iv iv; 145 155 struct skcipher_request *req = NULL; 146 156 DECLARE_CRYPTO_WAIT(wait); 147 157 struct scatterlist dst, src; ··· 161 151 162 152 BUG_ON(len == 0); 163 153 164 164 - BUILD_BUG_ON(sizeof(iv) != FS_IV_SIZE); 165 165 - BUILD_BUG_ON(AES_BLOCK_SIZE != FS_IV_SIZE); 166 166 - iv.index = cpu_to_le64(lblk_num); 167 167 - memset(iv.padding, 0, sizeof(iv.padding)); 168 168 - 169 169 - if (ci->ci_essiv_tfm != NULL) { 170 170 - crypto_cipher_encrypt_one(ci->ci_essiv_tfm, (u8 *)&iv, 171 171 - (u8 *)&iv); 172 172 - } 154 154 + fscrypt_generate_iv(&iv, lblk_num, ci); 173 155 174 156 req = skcipher_request_alloc(tfm, gfp_flags); 175 157 if (!req)

+12 -10

fs/crypto/fname.c

reviewed

··· 40 40 { 41 41 struct skcipher_request *req = NULL; 42 42 DECLARE_CRYPTO_WAIT(wait); 43 43 - struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm; 44 44 - int res = 0; 45 45 - char iv[FS_CRYPTO_BLOCK_SIZE]; 43 43 + struct fscrypt_info *ci = inode->i_crypt_info; 44 44 + struct crypto_skcipher *tfm = ci->ci_ctfm; 45 45 + union fscrypt_iv iv; 46 46 struct scatterlist sg; 47 47 + int res; 47 48 48 49 /* 49 50 * Copy the filename to the output buffer for encrypting in-place and ··· 56 55 memset(out + iname->len, 0, olen - iname->len); 57 56 58 57 /* Initialize the IV */ 59 59 - memset(iv, 0, FS_CRYPTO_BLOCK_SIZE); 58 58 + fscrypt_generate_iv(&iv, 0, ci); 60 59 61 60 /* Set up the encryption request */ 62 61 req = skcipher_request_alloc(tfm, GFP_NOFS); ··· 66 65 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 67 66 crypto_req_done, &wait); 68 67 sg_init_one(&sg, out, olen); 69 69 - skcipher_request_set_crypt(req, &sg, &sg, olen, iv); 68 68 + skcipher_request_set_crypt(req, &sg, &sg, olen, &iv); 70 69 71 70 /* Do the encryption */ 72 71 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); ··· 95 94 struct skcipher_request *req = NULL; 96 95 DECLARE_CRYPTO_WAIT(wait); 97 96 struct scatterlist src_sg, dst_sg; 98 98 - struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm; 99 99 - int res = 0; 100 100 - char iv[FS_CRYPTO_BLOCK_SIZE]; 97 97 + struct fscrypt_info *ci = inode->i_crypt_info; 98 98 + struct crypto_skcipher *tfm = ci->ci_ctfm; 99 99 + union fscrypt_iv iv; 100 100 + int res; 101 101 102 102 /* Allocate request */ 103 103 req = skcipher_request_alloc(tfm, GFP_NOFS); ··· 109 107 crypto_req_done, &wait); 110 108 111 109 /* Initialize IV */ 112 112 - memset(iv, 0, FS_CRYPTO_BLOCK_SIZE); 110 110 + fscrypt_generate_iv(&iv, 0, ci); 113 111 114 112 /* Create decryption request */ 115 113 sg_init_one(&src_sg, iname->name, iname->len); 116 114 sg_init_one(&dst_sg, oname->name, oname->len); 117 117 - skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, iv); 115 115 + skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, &iv); 118 116 res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait); 119 117 skcipher_request_free(req); 120 118 if (res < 0) {

+61 -6

fs/crypto/fscrypt_private.h

reviewed

··· 17 17 #include <crypto/hash.h> 18 18 19 19 /* Encryption parameters */ 20 20 - #define FS_IV_SIZE 16 21 20 #define FS_KEY_DERIVATION_NONCE_SIZE 16 22 21 23 22 /** ··· 51 52 } __packed; 52 53 53 54 /* 54 54 - * A pointer to this structure is stored in the file system's in-core 55 55 - * representation of an inode. 55 55 + * fscrypt_info - the "encryption key" for an inode 56 56 + * 57 57 + * When an encrypted file's key is made available, an instance of this struct is 58 58 + * allocated and stored in ->i_crypt_info. Once created, it remains until the 59 59 + * inode is evicted. 56 60 */ 57 61 struct fscrypt_info { 62 62 + 63 63 + /* The actual crypto transform used for encryption and decryption */ 64 64 + struct crypto_skcipher *ci_ctfm; 65 65 + 66 66 + /* 67 67 + * Cipher for ESSIV IV generation. Only set for CBC contents 68 68 + * encryption, otherwise is NULL. 69 69 + */ 70 70 + struct crypto_cipher *ci_essiv_tfm; 71 71 + 72 72 + /* 73 73 + * Encryption mode used for this inode. It corresponds to either 74 74 + * ci_data_mode or ci_filename_mode, depending on the inode type. 75 75 + */ 76 76 + struct fscrypt_mode *ci_mode; 77 77 + 78 78 + /* 79 79 + * If non-NULL, then this inode uses a master key directly rather than a 80 80 + * derived key, and ci_ctfm will equal ci_master_key->mk_ctfm. 81 81 + * Otherwise, this inode uses a derived key. 82 82 + */ 83 83 + struct fscrypt_master_key *ci_master_key; 84 84 + 85 85 + /* fields from the fscrypt_context */ 58 86 u8 ci_data_mode; 59 87 u8 ci_filename_mode; 60 88 u8 ci_flags; 61 61 - struct crypto_skcipher *ci_ctfm; 62 62 - struct crypto_cipher *ci_essiv_tfm; 63 63 - u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE]; 89 89 + u8 ci_master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE]; 90 90 + u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 64 91 }; 65 92 66 93 typedef enum { ··· 106 81 107 82 if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS && 108 83 filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) 84 84 + return true; 85 85 + 86 86 + if (contents_mode == FS_ENCRYPTION_MODE_ADIANTUM && 87 87 + filenames_mode == FS_ENCRYPTION_MODE_ADIANTUM) 109 88 return true; 110 89 111 90 return false; ··· 136 107 #define fscrypt_err(sb, fmt, ...) \ 137 108 fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__) 138 109 110 110 + #define FSCRYPT_MAX_IV_SIZE 32 111 111 + 112 112 + union fscrypt_iv { 113 113 + struct { 114 114 + /* logical block number within the file */ 115 115 + __le64 lblk_num; 116 116 + 117 117 + /* per-file nonce; only set in DIRECT_KEY mode */ 118 118 + u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE]; 119 119 + }; 120 120 + u8 raw[FSCRYPT_MAX_IV_SIZE]; 121 121 + }; 122 122 + 123 123 + void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num, 124 124 + const struct fscrypt_info *ci); 125 125 + 139 126 /* fname.c */ 140 127 extern int fname_encrypt(struct inode *inode, const struct qstr *iname, 141 128 u8 *out, unsigned int olen); ··· 160 115 u32 *encrypted_len_ret); 161 116 162 117 /* keyinfo.c */ 118 118 + 119 119 + struct fscrypt_mode { 120 120 + const char *friendly_name; 121 121 + const char *cipher_str; 122 122 + int keysize; 123 123 + int ivsize; 124 124 + bool logged_impl_name; 125 125 + bool needs_essiv; 126 126 + }; 127 127 + 163 128 extern void __exit fscrypt_essiv_cleanup(void); 164 129 165 130 #endif /* _FSCRYPT_PRIVATE_H */

+273 -80

fs/crypto/keyinfo.c

reviewed

··· 10 10 */ 11 11 12 12 #include <keys/user-type.h> 13 13 + #include <linux/hashtable.h> 13 14 #include <linux/scatterlist.h> 14 15 #include <linux/ratelimit.h> 15 16 #include <crypto/aes.h> 17 17 + #include <crypto/algapi.h> 16 18 #include <crypto/sha.h> 17 19 #include <crypto/skcipher.h> 18 20 #include "fscrypt_private.h" 19 21 20 22 static struct crypto_shash *essiv_hash_tfm; 23 23 + 24 24 + /* Table of keys referenced by FS_POLICY_FLAG_DIRECT_KEY policies */ 25 25 + static DEFINE_HASHTABLE(fscrypt_master_keys, 6); /* 6 bits = 64 buckets */ 26 26 + static DEFINE_SPINLOCK(fscrypt_master_keys_lock); 21 27 22 28 /* 23 29 * Key derivation function. This generates the derived key by encrypting the ··· 129 123 return ERR_PTR(-ENOKEY); 130 124 } 131 125 132 132 - /* Find the master key, then derive the inode's actual encryption key */ 133 133 - static int find_and_derive_key(const struct inode *inode, 134 134 - const struct fscrypt_context *ctx, 135 135 - u8 *derived_key, unsigned int derived_keysize) 136 136 - { 137 137 - struct key *key; 138 138 - const struct fscrypt_key *payload; 139 139 - int err; 140 140 - 141 141 - key = find_and_lock_process_key(FS_KEY_DESC_PREFIX, 142 142 - ctx->master_key_descriptor, 143 143 - derived_keysize, &payload); 144 144 - if (key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) { 145 145 - key = find_and_lock_process_key(inode->i_sb->s_cop->key_prefix, 146 146 - ctx->master_key_descriptor, 147 147 - derived_keysize, &payload); 148 148 - } 149 149 - if (IS_ERR(key)) 150 150 - return PTR_ERR(key); 151 151 - err = derive_key_aes(payload->raw, ctx, derived_key, derived_keysize); 152 152 - up_read(&key->sem); 153 153 - key_put(key); 154 154 - return err; 155 155 - } 156 156 - 157 157 - static struct fscrypt_mode { 158 158 - const char *friendly_name; 159 159 - const char *cipher_str; 160 160 - int keysize; 161 161 - bool logged_impl_name; 162 162 - } available_modes[] = { 126 126 + static struct fscrypt_mode available_modes[] = { 163 127 [FS_ENCRYPTION_MODE_AES_256_XTS] = { 164 128 .friendly_name = "AES-256-XTS", 165 129 .cipher_str = "xts(aes)", 166 130 .keysize = 64, 131 131 + .ivsize = 16, 167 132 }, 168 133 [FS_ENCRYPTION_MODE_AES_256_CTS] = { 169 134 .friendly_name = "AES-256-CTS-CBC", 170 135 .cipher_str = "cts(cbc(aes))", 171 136 .keysize = 32, 137 137 + .ivsize = 16, 172 138 }, 173 139 [FS_ENCRYPTION_MODE_AES_128_CBC] = { 174 140 .friendly_name = "AES-128-CBC", 175 141 .cipher_str = "cbc(aes)", 176 142 .keysize = 16, 143 143 + .ivsize = 16, 144 144 + .needs_essiv = true, 177 145 }, 178 146 [FS_ENCRYPTION_MODE_AES_128_CTS] = { 179 147 .friendly_name = "AES-128-CTS-CBC", 180 148 .cipher_str = "cts(cbc(aes))", 181 149 .keysize = 16, 150 150 + .ivsize = 16, 151 151 + }, 152 152 + [FS_ENCRYPTION_MODE_ADIANTUM] = { 153 153 + .friendly_name = "Adiantum", 154 154 + .cipher_str = "adiantum(xchacha12,aes)", 155 155 + .keysize = 32, 156 156 + .ivsize = 32, 182 157 }, 183 158 }; 184 159 ··· 185 198 return ERR_PTR(-EINVAL); 186 199 } 187 200 188 188 - static void put_crypt_info(struct fscrypt_info *ci) 201 201 + /* Find the master key, then derive the inode's actual encryption key */ 202 202 + static int find_and_derive_key(const struct inode *inode, 203 203 + const struct fscrypt_context *ctx, 204 204 + u8 *derived_key, const struct fscrypt_mode *mode) 189 205 { 190 190 - if (!ci) 191 191 - return; 206 206 + struct key *key; 207 207 + const struct fscrypt_key *payload; 208 208 + int err; 192 209 193 193 - crypto_free_skcipher(ci->ci_ctfm); 194 194 - crypto_free_cipher(ci->ci_essiv_tfm); 195 195 - kmem_cache_free(fscrypt_info_cachep, ci); 210 210 + key = find_and_lock_process_key(FS_KEY_DESC_PREFIX, 211 211 + ctx->master_key_descriptor, 212 212 + mode->keysize, &payload); 213 213 + if (key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) { 214 214 + key = find_and_lock_process_key(inode->i_sb->s_cop->key_prefix, 215 215 + ctx->master_key_descriptor, 216 216 + mode->keysize, &payload); 217 217 + } 218 218 + if (IS_ERR(key)) 219 219 + return PTR_ERR(key); 220 220 + 221 221 + if (ctx->flags & FS_POLICY_FLAG_DIRECT_KEY) { 222 222 + if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { 223 223 + fscrypt_warn(inode->i_sb, 224 224 + "direct key mode not allowed with %s", 225 225 + mode->friendly_name); 226 226 + err = -EINVAL; 227 227 + } else if (ctx->contents_encryption_mode != 228 228 + ctx->filenames_encryption_mode) { 229 229 + fscrypt_warn(inode->i_sb, 230 230 + "direct key mode not allowed with different contents and filenames modes"); 231 231 + err = -EINVAL; 232 232 + } else { 233 233 + memcpy(derived_key, payload->raw, mode->keysize); 234 234 + err = 0; 235 235 + } 236 236 + } else { 237 237 + err = derive_key_aes(payload->raw, ctx, derived_key, 238 238 + mode->keysize); 239 239 + } 240 240 + up_read(&key->sem); 241 241 + key_put(key); 242 242 + return err; 243 243 + } 244 244 + 245 245 + /* Allocate and key a symmetric cipher object for the given encryption mode */ 246 246 + static struct crypto_skcipher * 247 247 + allocate_skcipher_for_mode(struct fscrypt_mode *mode, const u8 *raw_key, 248 248 + const struct inode *inode) 249 249 + { 250 250 + struct crypto_skcipher *tfm; 251 251 + int err; 252 252 + 253 253 + tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); 254 254 + if (IS_ERR(tfm)) { 255 255 + fscrypt_warn(inode->i_sb, 256 256 + "error allocating '%s' transform for inode %lu: %ld", 257 257 + mode->cipher_str, inode->i_ino, PTR_ERR(tfm)); 258 258 + return tfm; 259 259 + } 260 260 + if (unlikely(!mode->logged_impl_name)) { 261 261 + /* 262 262 + * fscrypt performance can vary greatly depending on which 263 263 + * crypto algorithm implementation is used. Help people debug 264 264 + * performance problems by logging the ->cra_driver_name the 265 265 + * first time a mode is used. Note that multiple threads can 266 266 + * race here, but it doesn't really matter. 267 267 + */ 268 268 + mode->logged_impl_name = true; 269 269 + pr_info("fscrypt: %s using implementation \"%s\"\n", 270 270 + mode->friendly_name, 271 271 + crypto_skcipher_alg(tfm)->base.cra_driver_name); 272 272 + } 273 273 + crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); 274 274 + err = crypto_skcipher_setkey(tfm, raw_key, mode->keysize); 275 275 + if (err) 276 276 + goto err_free_tfm; 277 277 + 278 278 + return tfm; 279 279 + 280 280 + err_free_tfm: 281 281 + crypto_free_skcipher(tfm); 282 282 + return ERR_PTR(err); 283 283 + } 284 284 + 285 285 + /* Master key referenced by FS_POLICY_FLAG_DIRECT_KEY policy */ 286 286 + struct fscrypt_master_key { 287 287 + struct hlist_node mk_node; 288 288 + refcount_t mk_refcount; 289 289 + const struct fscrypt_mode *mk_mode; 290 290 + struct crypto_skcipher *mk_ctfm; 291 291 + u8 mk_descriptor[FS_KEY_DESCRIPTOR_SIZE]; 292 292 + u8 mk_raw[FS_MAX_KEY_SIZE]; 293 293 + }; 294 294 + 295 295 + static void free_master_key(struct fscrypt_master_key *mk) 296 296 + { 297 297 + if (mk) { 298 298 + crypto_free_skcipher(mk->mk_ctfm); 299 299 + kzfree(mk); 300 300 + } 301 301 + } 302 302 + 303 303 + static void put_master_key(struct fscrypt_master_key *mk) 304 304 + { 305 305 + if (!refcount_dec_and_lock(&mk->mk_refcount, &fscrypt_master_keys_lock)) 306 306 + return; 307 307 + hash_del(&mk->mk_node); 308 308 + spin_unlock(&fscrypt_master_keys_lock); 309 309 + 310 310 + free_master_key(mk); 311 311 + } 312 312 + 313 313 + /* 314 314 + * Find/insert the given master key into the fscrypt_master_keys table. If 315 315 + * found, it is returned with elevated refcount, and 'to_insert' is freed if 316 316 + * non-NULL. If not found, 'to_insert' is inserted and returned if it's 317 317 + * non-NULL; otherwise NULL is returned. 318 318 + */ 319 319 + static struct fscrypt_master_key * 320 320 + find_or_insert_master_key(struct fscrypt_master_key *to_insert, 321 321 + const u8 *raw_key, const struct fscrypt_mode *mode, 322 322 + const struct fscrypt_info *ci) 323 323 + { 324 324 + unsigned long hash_key; 325 325 + struct fscrypt_master_key *mk; 326 326 + 327 327 + /* 328 328 + * Careful: to avoid potentially leaking secret key bytes via timing 329 329 + * information, we must key the hash table by descriptor rather than by 330 330 + * raw key, and use crypto_memneq() when comparing raw keys. 331 331 + */ 332 332 + 333 333 + BUILD_BUG_ON(sizeof(hash_key) > FS_KEY_DESCRIPTOR_SIZE); 334 334 + memcpy(&hash_key, ci->ci_master_key_descriptor, sizeof(hash_key)); 335 335 + 336 336 + spin_lock(&fscrypt_master_keys_lock); 337 337 + hash_for_each_possible(fscrypt_master_keys, mk, mk_node, hash_key) { 338 338 + if (memcmp(ci->ci_master_key_descriptor, mk->mk_descriptor, 339 339 + FS_KEY_DESCRIPTOR_SIZE) != 0) 340 340 + continue; 341 341 + if (mode != mk->mk_mode) 342 342 + continue; 343 343 + if (crypto_memneq(raw_key, mk->mk_raw, mode->keysize)) 344 344 + continue; 345 345 + /* using existing tfm with same (descriptor, mode, raw_key) */ 346 346 + refcount_inc(&mk->mk_refcount); 347 347 + spin_unlock(&fscrypt_master_keys_lock); 348 348 + free_master_key(to_insert); 349 349 + return mk; 350 350 + } 351 351 + if (to_insert) 352 352 + hash_add(fscrypt_master_keys, &to_insert->mk_node, hash_key); 353 353 + spin_unlock(&fscrypt_master_keys_lock); 354 354 + return to_insert; 355 355 + } 356 356 + 357 357 + /* Prepare to encrypt directly using the master key in the given mode */ 358 358 + static struct fscrypt_master_key * 359 359 + fscrypt_get_master_key(const struct fscrypt_info *ci, struct fscrypt_mode *mode, 360 360 + const u8 *raw_key, const struct inode *inode) 361 361 + { 362 362 + struct fscrypt_master_key *mk; 363 363 + int err; 364 364 + 365 365 + /* Is there already a tfm for this key? */ 366 366 + mk = find_or_insert_master_key(NULL, raw_key, mode, ci); 367 367 + if (mk) 368 368 + return mk; 369 369 + 370 370 + /* Nope, allocate one. */ 371 371 + mk = kzalloc(sizeof(*mk), GFP_NOFS); 372 372 + if (!mk) 373 373 + return ERR_PTR(-ENOMEM); 374 374 + refcount_set(&mk->mk_refcount, 1); 375 375 + mk->mk_mode = mode; 376 376 + mk->mk_ctfm = allocate_skcipher_for_mode(mode, raw_key, inode); 377 377 + if (IS_ERR(mk->mk_ctfm)) { 378 378 + err = PTR_ERR(mk->mk_ctfm); 379 379 + mk->mk_ctfm = NULL; 380 380 + goto err_free_mk; 381 381 + } 382 382 + memcpy(mk->mk_descriptor, ci->ci_master_key_descriptor, 383 383 + FS_KEY_DESCRIPTOR_SIZE); 384 384 + memcpy(mk->mk_raw, raw_key, mode->keysize); 385 385 + 386 386 + return find_or_insert_master_key(mk, raw_key, mode, ci); 387 387 + 388 388 + err_free_mk: 389 389 + free_master_key(mk); 390 390 + return ERR_PTR(err); 196 391 } 197 392 198 393 static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) ··· 444 275 crypto_free_shash(essiv_hash_tfm); 445 276 } 446 277 278 278 + /* 279 279 + * Given the encryption mode and key (normally the derived key, but for 280 280 + * FS_POLICY_FLAG_DIRECT_KEY mode it's the master key), set up the inode's 281 281 + * symmetric cipher transform object(s). 282 282 + */ 283 283 + static int setup_crypto_transform(struct fscrypt_info *ci, 284 284 + struct fscrypt_mode *mode, 285 285 + const u8 *raw_key, const struct inode *inode) 286 286 + { 287 287 + struct fscrypt_master_key *mk; 288 288 + struct crypto_skcipher *ctfm; 289 289 + int err; 290 290 + 291 291 + if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY) { 292 292 + mk = fscrypt_get_master_key(ci, mode, raw_key, inode); 293 293 + if (IS_ERR(mk)) 294 294 + return PTR_ERR(mk); 295 295 + ctfm = mk->mk_ctfm; 296 296 + } else { 297 297 + mk = NULL; 298 298 + ctfm = allocate_skcipher_for_mode(mode, raw_key, inode); 299 299 + if (IS_ERR(ctfm)) 300 300 + return PTR_ERR(ctfm); 301 301 + } 302 302 + ci->ci_master_key = mk; 303 303 + ci->ci_ctfm = ctfm; 304 304 + 305 305 + if (mode->needs_essiv) { 306 306 + /* ESSIV implies 16-byte IVs which implies !DIRECT_KEY */ 307 307 + WARN_ON(mode->ivsize != AES_BLOCK_SIZE); 308 308 + WARN_ON(ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY); 309 309 + 310 310 + err = init_essiv_generator(ci, raw_key, mode->keysize); 311 311 + if (err) { 312 312 + fscrypt_warn(inode->i_sb, 313 313 + "error initializing ESSIV generator for inode %lu: %d", 314 314 + inode->i_ino, err); 315 315 + return err; 316 316 + } 317 317 + } 318 318 + return 0; 319 319 + } 320 320 + 321 321 + static void put_crypt_info(struct fscrypt_info *ci) 322 322 + { 323 323 + if (!ci) 324 324 + return; 325 325 + 326 326 + if (ci->ci_master_key) { 327 327 + put_master_key(ci->ci_master_key); 328 328 + } else { 329 329 + crypto_free_skcipher(ci->ci_ctfm); 330 330 + crypto_free_cipher(ci->ci_essiv_tfm); 331 331 + } 332 332 + kmem_cache_free(fscrypt_info_cachep, ci); 333 333 + } 334 334 + 447 335 int fscrypt_get_encryption_info(struct inode *inode) 448 336 { 449 337 struct fscrypt_info *crypt_info; 450 338 struct fscrypt_context ctx; 451 451 - struct crypto_skcipher *ctfm; 452 339 struct fscrypt_mode *mode; 453 340 u8 *raw_key = NULL; 454 341 int res; ··· 537 312 if (ctx.flags & ~FS_POLICY_FLAGS_VALID) 538 313 return -EINVAL; 539 314 540 540 - crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); 315 315 + crypt_info = kmem_cache_zalloc(fscrypt_info_cachep, GFP_NOFS); 541 316 if (!crypt_info) 542 317 return -ENOMEM; 543 318 544 319 crypt_info->ci_flags = ctx.flags; 545 320 crypt_info->ci_data_mode = ctx.contents_encryption_mode; 546 321 crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; 547 547 - crypt_info->ci_ctfm = NULL; 548 548 - crypt_info->ci_essiv_tfm = NULL; 549 549 - memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, 550 550 - sizeof(crypt_info->ci_master_key)); 322 322 + memcpy(crypt_info->ci_master_key_descriptor, ctx.master_key_descriptor, 323 323 + FS_KEY_DESCRIPTOR_SIZE); 324 324 + memcpy(crypt_info->ci_nonce, ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE); 551 325 552 326 mode = select_encryption_mode(crypt_info, inode); 553 327 if (IS_ERR(mode)) { 554 328 res = PTR_ERR(mode); 555 329 goto out; 556 330 } 331 331 + WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE); 332 332 + crypt_info->ci_mode = mode; 557 333 558 334 /* 559 559 - * This cannot be a stack buffer because it is passed to the scatterlist 560 560 - * crypto API as part of key derivation. 335 335 + * This cannot be a stack buffer because it may be passed to the 336 336 + * scatterlist crypto API as part of key derivation. 561 337 */ 562 338 res = -ENOMEM; 563 339 raw_key = kmalloc(mode->keysize, GFP_NOFS); 564 340 if (!raw_key) 565 341 goto out; 566 342 567 567 - res = find_and_derive_key(inode, &ctx, raw_key, mode->keysize); 343 343 + res = find_and_derive_key(inode, &ctx, raw_key, mode); 568 344 if (res) 569 345 goto out; 570 346 571 571 - ctfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); 572 572 - if (IS_ERR(ctfm)) { 573 573 - res = PTR_ERR(ctfm); 574 574 - fscrypt_warn(inode->i_sb, 575 575 - "error allocating '%s' transform for inode %lu: %d", 576 576 - mode->cipher_str, inode->i_ino, res); 577 577 - goto out; 578 578 - } 579 579 - if (unlikely(!mode->logged_impl_name)) { 580 580 - /* 581 581 - * fscrypt performance can vary greatly depending on which 582 582 - * crypto algorithm implementation is used. Help people debug 583 583 - * performance problems by logging the ->cra_driver_name the 584 584 - * first time a mode is used. Note that multiple threads can 585 585 - * race here, but it doesn't really matter. 586 586 - */ 587 587 - mode->logged_impl_name = true; 588 588 - pr_info("fscrypt: %s using implementation \"%s\"\n", 589 589 - mode->friendly_name, 590 590 - crypto_skcipher_alg(ctfm)->base.cra_driver_name); 591 591 - } 592 592 - crypt_info->ci_ctfm = ctfm; 593 593 - crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); 594 594 - res = crypto_skcipher_setkey(ctfm, raw_key, mode->keysize); 347 347 + res = setup_crypto_transform(crypt_info, mode, raw_key, inode); 595 348 if (res) 596 349 goto out; 597 350 598 598 - if (S_ISREG(inode->i_mode) && 599 599 - crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { 600 600 - res = init_essiv_generator(crypt_info, raw_key, mode->keysize); 601 601 - if (res) { 602 602 - fscrypt_warn(inode->i_sb, 603 603 - "error initializing ESSIV generator for inode %lu: %d", 604 604 - inode->i_ino, res); 605 605 - goto out; 606 606 - } 607 607 - } 608 351 if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) 609 352 crypt_info = NULL; 610 353 out:

+3 -2

fs/crypto/policy.c

reviewed

··· 199 199 child_ci = child->i_crypt_info; 200 200 201 201 if (parent_ci && child_ci) { 202 202 - return memcmp(parent_ci->ci_master_key, child_ci->ci_master_key, 202 202 + return memcmp(parent_ci->ci_master_key_descriptor, 203 203 + child_ci->ci_master_key_descriptor, 203 204 FS_KEY_DESCRIPTOR_SIZE) == 0 && 204 205 (parent_ci->ci_data_mode == child_ci->ci_data_mode) && 205 206 (parent_ci->ci_filename_mode == ··· 255 254 ctx.contents_encryption_mode = ci->ci_data_mode; 256 255 ctx.filenames_encryption_mode = ci->ci_filename_mode; 257 256 ctx.flags = ci->ci_flags; 258 258 - memcpy(ctx.master_key_descriptor, ci->ci_master_key, 257 257 + memcpy(ctx.master_key_descriptor, ci->ci_master_key_descriptor, 259 258 FS_KEY_DESCRIPTOR_SIZE); 260 259 get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE); 261 260 BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);

+3 -1

include/uapi/linux/fs.h

reviewed

··· 223 223 #define FS_POLICY_FLAGS_PAD_16 0x02 224 224 #define FS_POLICY_FLAGS_PAD_32 0x03 225 225 #define FS_POLICY_FLAGS_PAD_MASK 0x03 226 226 - #define FS_POLICY_FLAGS_VALID 0x03 226 226 + #define FS_POLICY_FLAG_DIRECT_KEY 0x04 /* use master key directly */ 227 227 + #define FS_POLICY_FLAGS_VALID 0x07 227 228 228 229 /* Encryption algorithms */ 229 230 #define FS_ENCRYPTION_MODE_INVALID 0 ··· 236 235 #define FS_ENCRYPTION_MODE_AES_128_CTS 6 237 236 #define FS_ENCRYPTION_MODE_SPECK128_256_XTS 7 /* Removed, do not use. */ 238 237 #define FS_ENCRYPTION_MODE_SPECK128_256_CTS 8 /* Removed, do not use. */ 238 238 + #define FS_ENCRYPTION_MODE_ADIANTUM 9 239 239 240 240 struct fscrypt_policy { 241 241 __u8 version;