+1 -4

fs/crypto/Kconfig

reviewed

··· 2 2 config FS_ENCRYPTION 3 3 bool "FS Encryption (Per-file encryption)" 4 4 select CRYPTO 5 5 - select CRYPTO_HASH 6 6 - select CRYPTO_HKDF 7 5 select CRYPTO_SKCIPHER 8 6 select CRYPTO_LIB_SHA256 7 7 + select CRYPTO_LIB_SHA512 9 8 select KEYS 10 9 help 11 10 Enable encryption of files and directories. This ··· 31 32 select CRYPTO_CBC 32 33 select CRYPTO_CTS 33 34 select CRYPTO_ECB 34 34 - select CRYPTO_HMAC 35 35 - select CRYPTO_SHA512 36 35 select CRYPTO_XTS 37 36 38 37 config FS_ENCRYPTION_INLINE_CRYPT

+1 -1

fs/crypto/bio.c

reviewed

··· 148 148 */ 149 149 for (i = 0; i < nr_pages; i++) { 150 150 pages[i] = fscrypt_alloc_bounce_page(i == 0 ? GFP_NOFS : 151 151 - GFP_NOWAIT | __GFP_NOWARN); 151 151 + GFP_NOWAIT); 152 152 if (!pages[i]) 153 153 break; 154 154 }

-1

fs/crypto/fname.c

reviewed

··· 11 11 * This has not yet undergone a rigorous security audit. 12 12 */ 13 13 14 14 - #include <crypto/hash.h> 15 14 #include <crypto/sha2.h> 16 15 #include <crypto/skcipher.h> 17 16 #include <linux/export.h>

+10 -16

fs/crypto/fscrypt_private.h

reviewed

··· 11 11 #ifndef _FSCRYPT_PRIVATE_H 12 12 #define _FSCRYPT_PRIVATE_H 13 13 14 14 + #include <crypto/sha2.h> 14 15 #include <linux/fscrypt.h> 15 16 #include <linux/minmax.h> 16 17 #include <linux/siphash.h> 17 17 - #include <crypto/hash.h> 18 18 #include <linux/blk-crypto.h> 19 19 20 20 #define CONST_STRLEN(str) (sizeof(str) - 1) ··· 381 381 u32 *encrypted_len_ret); 382 382 383 383 /* hkdf.c */ 384 384 - struct fscrypt_hkdf { 385 385 - struct crypto_shash *hmac_tfm; 386 386 - }; 387 387 - 388 388 - int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, 389 389 - unsigned int master_key_size); 384 384 + void fscrypt_init_hkdf(struct hmac_sha512_key *hkdf, const u8 *master_key, 385 385 + unsigned int master_key_size); 390 386 391 387 /* 392 388 * The list of contexts in which fscrypt uses HKDF. These values are used as ··· 401 405 #define HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY \ 402 406 8 /* info=<empty> */ 403 407 404 404 - int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, 405 405 - const u8 *info, unsigned int infolen, 406 406 - u8 *okm, unsigned int okmlen); 407 407 - 408 408 - void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf); 408 408 + void fscrypt_hkdf_expand(const struct hmac_sha512_key *hkdf, u8 context, 409 409 + const u8 *info, unsigned int infolen, 410 410 + u8 *okm, unsigned int okmlen); 409 411 410 412 /* inline_crypt.c */ 411 413 #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT ··· 511 517 * ->is_hw_wrapped=false, or by the "software secret" that hardware 512 518 * derived from this master key if ->is_hw_wrapped=true. 513 519 */ 514 514 - struct fscrypt_hkdf hkdf; 520 520 + struct hmac_sha512_key hkdf; 515 521 516 522 /* 517 523 * True if this key is a hardware-wrapped key; false if this key is a ··· 690 696 fscrypt_find_master_key(struct super_block *sb, 691 697 const struct fscrypt_key_specifier *mk_spec); 692 698 693 693 - int fscrypt_get_test_dummy_key_identifier( 699 699 + void fscrypt_get_test_dummy_key_identifier( 694 700 u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]); 695 701 696 702 int fscrypt_add_test_dummy_key(struct super_block *sb, ··· 726 732 int fscrypt_set_per_file_enc_key(struct fscrypt_inode_info *ci, 727 733 const u8 *raw_key); 728 734 729 729 - int fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci, 730 730 - const struct fscrypt_master_key *mk); 735 735 + void fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci, 736 736 + const struct fscrypt_master_key *mk); 731 737 732 738 void fscrypt_hash_inode_number(struct fscrypt_inode_info *ci, 733 739 const struct fscrypt_master_key *mk);

+38 -67

fs/crypto/hkdf.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 /* 3 3 + * Implementation of HKDF ("HMAC-based Extract-and-Expand Key Derivation 4 4 + * Function"), aka RFC 5869. See also the original paper (Krawczyk 2010): 5 5 + * "Cryptographic Extraction and Key Derivation: The HKDF Scheme". 6 6 + * 3 7 * This is used to derive keys from the fscrypt master keys (or from the 4 8 * "software secrets" which hardware derives from the fscrypt master keys, in 5 9 * the case that the fscrypt master keys are hardware-wrapped keys). 6 10 * 7 11 * Copyright 2019 Google LLC 8 12 */ 9 9 - 10 10 - #include <crypto/hash.h> 11 11 - #include <crypto/hkdf.h> 12 12 - #include <crypto/sha2.h> 13 13 14 14 #include "fscrypt_private.h" 15 15 ··· 24 24 * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of 25 25 * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two. 26 26 */ 27 27 - #define HKDF_HMAC_ALG "hmac(sha512)" 28 27 #define HKDF_HASHLEN SHA512_DIGEST_SIZE 29 28 30 29 /* ··· 43 44 */ 44 45 45 46 /* 46 46 - * Compute HKDF-Extract using the given master key as the input keying material, 47 47 - * and prepare an HMAC transform object keyed by the resulting pseudorandom key. 48 48 - * 49 49 - * Afterwards, the keyed HMAC transform object can be used for HKDF-Expand many 50 50 - * times without having to recompute HKDF-Extract each time. 47 47 + * Compute HKDF-Extract using 'master_key' as the input keying material, and 48 48 + * prepare the resulting HMAC key in 'hkdf'. Afterwards, 'hkdf' can be used for 49 49 + * HKDF-Expand many times without having to recompute HKDF-Extract each time. 51 50 */ 52 52 - int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, 53 53 - unsigned int master_key_size) 51 51 + void fscrypt_init_hkdf(struct hmac_sha512_key *hkdf, const u8 *master_key, 52 52 + unsigned int master_key_size) 54 53 { 55 55 - struct crypto_shash *hmac_tfm; 56 54 static const u8 default_salt[HKDF_HASHLEN]; 57 55 u8 prk[HKDF_HASHLEN]; 58 58 - int err; 59 56 60 60 - hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK); 61 61 - if (IS_ERR(hmac_tfm)) { 62 62 - fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld", 63 63 - PTR_ERR(hmac_tfm)); 64 64 - return PTR_ERR(hmac_tfm); 65 65 - } 66 66 - 67 67 - if (WARN_ON_ONCE(crypto_shash_digestsize(hmac_tfm) != sizeof(prk))) { 68 68 - err = -EINVAL; 69 69 - goto err_free_tfm; 70 70 - } 71 71 - 72 72 - err = hkdf_extract(hmac_tfm, master_key, master_key_size, 73 73 - default_salt, HKDF_HASHLEN, prk); 74 74 - if (err) 75 75 - goto err_free_tfm; 76 76 - 77 77 - err = crypto_shash_setkey(hmac_tfm, prk, sizeof(prk)); 78 78 - if (err) 79 79 - goto err_free_tfm; 80 80 - 81 81 - hkdf->hmac_tfm = hmac_tfm; 82 82 - goto out; 83 83 - 84 84 - err_free_tfm: 85 85 - crypto_free_shash(hmac_tfm); 86 86 - out: 57 57 + hmac_sha512_usingrawkey(default_salt, sizeof(default_salt), 58 58 + master_key, master_key_size, prk); 59 59 + hmac_sha512_preparekey(hkdf, prk, sizeof(prk)); 87 60 memzero_explicit(prk, sizeof(prk)); 88 88 - return err; 89 61 } 90 62 91 63 /* 92 92 - * HKDF-Expand (RFC 5869 section 2.3). This expands the pseudorandom key, which 93 93 - * was already keyed into 'hkdf->hmac_tfm' by fscrypt_init_hkdf(), into 'okmlen' 64 64 + * HKDF-Expand (RFC 5869 section 2.3). Expand the HMAC key 'hkdf' into 'okmlen' 94 65 * bytes of output keying material parameterized by the application-specific 95 66 * 'info' of length 'infolen' bytes, prefixed by "fscrypt\0" and the 'context' 96 67 * byte. This is thread-safe and may be called by multiple threads in parallel. ··· 69 100 * adds to its application-specific info strings to guarantee that it doesn't 70 101 * accidentally repeat an info string when using HKDF for different purposes.) 71 102 */ 72 72 - int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, 73 73 - const u8 *info, unsigned int infolen, 74 74 - u8 *okm, unsigned int okmlen) 103 103 + void fscrypt_hkdf_expand(const struct hmac_sha512_key *hkdf, u8 context, 104 104 + const u8 *info, unsigned int infolen, 105 105 + u8 *okm, unsigned int okmlen) 75 106 { 76 76 - SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm); 77 77 - u8 *full_info; 78 78 - int err; 107 107 + struct hmac_sha512_ctx ctx; 108 108 + u8 counter = 1; 109 109 + u8 tmp[HKDF_HASHLEN]; 79 110 80 80 - full_info = kzalloc(infolen + 9, GFP_KERNEL); 81 81 - if (!full_info) 82 82 - return -ENOMEM; 83 83 - desc->tfm = hkdf->hmac_tfm; 111 111 + WARN_ON_ONCE(okmlen > 255 * HKDF_HASHLEN); 84 112 85 85 - memcpy(full_info, "fscrypt\0", 8); 86 86 - full_info[8] = context; 87 87 - memcpy(full_info + 9, info, infolen); 88 88 - 89 89 - err = hkdf_expand(hkdf->hmac_tfm, full_info, infolen + 9, 90 90 - okm, okmlen); 91 91 - kfree_sensitive(full_info); 92 92 - return err; 93 93 - } 94 94 - 95 95 - void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf) 96 96 - { 97 97 - crypto_free_shash(hkdf->hmac_tfm); 113 113 + for (unsigned int i = 0; i < okmlen; i += HKDF_HASHLEN) { 114 114 + hmac_sha512_init(&ctx, hkdf); 115 115 + if (i != 0) 116 116 + hmac_sha512_update(&ctx, &okm[i - HKDF_HASHLEN], 117 117 + HKDF_HASHLEN); 118 118 + hmac_sha512_update(&ctx, "fscrypt\0", 8); 119 119 + hmac_sha512_update(&ctx, &context, 1); 120 120 + hmac_sha512_update(&ctx, info, infolen); 121 121 + hmac_sha512_update(&ctx, &counter, 1); 122 122 + if (okmlen - i < HKDF_HASHLEN) { 123 123 + hmac_sha512_final(&ctx, tmp); 124 124 + memcpy(&okm[i], tmp, okmlen - i); 125 125 + memzero_explicit(tmp, sizeof(tmp)); 126 126 + } else { 127 127 + hmac_sha512_final(&ctx, &okm[i]); 128 128 + } 129 129 + counter++; 130 130 + } 98 131 }

+1 -1

fs/crypto/hooks.c

reviewed

··· 205 205 mk = ci->ci_master_key; 206 206 down_read(&mk->mk_sem); 207 207 if (mk->mk_present) 208 208 - err = fscrypt_derive_dirhash_key(ci, mk); 208 208 + fscrypt_derive_dirhash_key(ci, mk); 209 209 else 210 210 err = -ENOKEY; 211 211 up_read(&mk->mk_sem);

+9 -21

fs/crypto/keyring.c

reviewed

··· 42 42 43 43 static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret) 44 44 { 45 45 - fscrypt_destroy_hkdf(&secret->hkdf); 46 45 memzero_explicit(secret, sizeof(*secret)); 47 46 } 48 47 ··· 586 587 keyid_kdf_ctx = 587 588 HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY; 588 589 } 589 589 - err = fscrypt_init_hkdf(&secret->hkdf, kdf_key, kdf_key_size); 590 590 + fscrypt_init_hkdf(&secret->hkdf, kdf_key, kdf_key_size); 590 591 /* 591 592 * Now that the KDF context is initialized, the raw KDF key is 592 593 * no longer needed. 593 594 */ 594 595 memzero_explicit(kdf_key, kdf_key_size); 595 595 - if (err) 596 596 - return err; 597 596 598 597 /* Calculate the key identifier */ 599 599 - err = fscrypt_hkdf_expand(&secret->hkdf, keyid_kdf_ctx, NULL, 0, 600 600 - key_spec->u.identifier, 601 601 - FSCRYPT_KEY_IDENTIFIER_SIZE); 602 602 - if (err) 603 603 - return err; 598 598 + fscrypt_hkdf_expand(&secret->hkdf, keyid_kdf_ctx, NULL, 0, 599 599 + key_spec->u.identifier, 600 600 + FSCRYPT_KEY_IDENTIFIER_SIZE); 604 601 } 605 602 return do_add_master_key(sb, secret, key_spec); 606 603 } ··· 830 835 memcpy(secret->bytes, test_key, sizeof(test_key)); 831 836 } 832 837 833 833 - int fscrypt_get_test_dummy_key_identifier( 838 838 + void fscrypt_get_test_dummy_key_identifier( 834 839 u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) 835 840 { 836 841 struct fscrypt_master_key_secret secret; 837 837 - int err; 838 842 839 843 fscrypt_get_test_dummy_secret(&secret); 840 840 - 841 841 - err = fscrypt_init_hkdf(&secret.hkdf, secret.bytes, secret.size); 842 842 - if (err) 843 843 - goto out; 844 844 - err = fscrypt_hkdf_expand(&secret.hkdf, 845 845 - HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY, 846 846 - NULL, 0, key_identifier, 847 847 - FSCRYPT_KEY_IDENTIFIER_SIZE); 848 848 - out: 844 844 + fscrypt_init_hkdf(&secret.hkdf, secret.bytes, secret.size); 845 845 + fscrypt_hkdf_expand(&secret.hkdf, 846 846 + HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY, NULL, 0, 847 847 + key_identifier, FSCRYPT_KEY_IDENTIFIER_SIZE); 849 848 wipe_master_key_secret(&secret); 850 850 - return err; 851 849 } 852 850 853 851 /**

+20 -45

fs/crypto/keysetup.c

reviewed

··· 253 253 sizeof(sb->s_uuid)); 254 254 hkdf_infolen += sizeof(sb->s_uuid); 255 255 } 256 256 - err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 257 257 - hkdf_context, hkdf_info, hkdf_infolen, 258 258 - mode_key, mode->keysize); 259 259 - if (err) 260 260 - goto out_unlock; 256 256 + fscrypt_hkdf_expand(&mk->mk_secret.hkdf, hkdf_context, hkdf_info, 257 257 + hkdf_infolen, mode_key, mode->keysize); 261 258 err = fscrypt_prepare_key(prep_key, mode_key, ci); 262 259 memzero_explicit(mode_key, mode->keysize); 263 260 if (err) ··· 275 278 * as a pair of 64-bit words. Therefore, on big endian CPUs we have to do an 276 279 * endianness swap in order to get the same results as on little endian CPUs. 277 280 */ 278 278 - static int fscrypt_derive_siphash_key(const struct fscrypt_master_key *mk, 279 279 - u8 context, const u8 *info, 280 280 - unsigned int infolen, siphash_key_t *key) 281 281 + static void fscrypt_derive_siphash_key(const struct fscrypt_master_key *mk, 282 282 + u8 context, const u8 *info, 283 283 + unsigned int infolen, siphash_key_t *key) 281 284 { 282 282 - int err; 283 283 - 284 284 - err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, context, info, infolen, 285 285 - (u8 *)key, sizeof(*key)); 286 286 - if (err) 287 287 - return err; 288 288 - 285 285 + fscrypt_hkdf_expand(&mk->mk_secret.hkdf, context, info, infolen, 286 286 + (u8 *)key, sizeof(*key)); 289 287 BUILD_BUG_ON(sizeof(*key) != 16); 290 288 BUILD_BUG_ON(ARRAY_SIZE(key->key) != 2); 291 289 le64_to_cpus(&key->key[0]); 292 290 le64_to_cpus(&key->key[1]); 293 293 - return 0; 294 291 } 295 292 296 296 - int fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci, 297 297 - const struct fscrypt_master_key *mk) 293 293 + void fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci, 294 294 + const struct fscrypt_master_key *mk) 298 295 { 299 299 - int err; 300 300 - 301 301 - err = fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_DIRHASH_KEY, 302 302 - ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE, 303 303 - &ci->ci_dirhash_key); 304 304 - if (err) 305 305 - return err; 296 296 + fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_DIRHASH_KEY, 297 297 + ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE, 298 298 + &ci->ci_dirhash_key); 306 299 ci->ci_dirhash_key_initialized = true; 307 307 - return 0; 308 300 } 309 301 310 302 void fscrypt_hash_inode_number(struct fscrypt_inode_info *ci, ··· 324 338 if (mk->mk_ino_hash_key_initialized) 325 339 goto unlock; 326 340 327 327 - err = fscrypt_derive_siphash_key(mk, 328 328 - HKDF_CONTEXT_INODE_HASH_KEY, 329 329 - NULL, 0, &mk->mk_ino_hash_key); 330 330 - if (err) 331 331 - goto unlock; 341 341 + fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_INODE_HASH_KEY, 342 342 + NULL, 0, &mk->mk_ino_hash_key); 332 343 /* pairs with smp_load_acquire() above */ 333 344 smp_store_release(&mk->mk_ino_hash_key_initialized, true); 334 345 unlock: 335 346 mutex_unlock(&fscrypt_mode_key_setup_mutex); 336 336 - if (err) 337 337 - return err; 338 347 } 339 348 340 349 /* ··· 383 402 } else { 384 403 u8 derived_key[FSCRYPT_MAX_RAW_KEY_SIZE]; 385 404 386 386 - err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 387 387 - HKDF_CONTEXT_PER_FILE_ENC_KEY, 388 388 - ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE, 389 389 - derived_key, ci->ci_mode->keysize); 390 390 - if (err) 391 391 - return err; 392 392 - 405 405 + fscrypt_hkdf_expand(&mk->mk_secret.hkdf, 406 406 + HKDF_CONTEXT_PER_FILE_ENC_KEY, 407 407 + ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE, 408 408 + derived_key, ci->ci_mode->keysize); 393 409 err = fscrypt_set_per_file_enc_key(ci, derived_key); 394 410 memzero_explicit(derived_key, ci->ci_mode->keysize); 395 411 } ··· 394 416 return err; 395 417 396 418 /* Derive a secret dirhash key for directories that need it. */ 397 397 - if (need_dirhash_key) { 398 398 - err = fscrypt_derive_dirhash_key(ci, mk); 399 399 - if (err) 400 400 - return err; 401 401 - } 419 419 + if (need_dirhash_key) 420 420 + fscrypt_derive_dirhash_key(ci, mk); 402 421 403 422 return 0; 404 423 }

+1 -3

fs/crypto/policy.c

reviewed

··· 827 827 policy->version = FSCRYPT_POLICY_V2; 828 828 policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 829 829 policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 830 830 - err = fscrypt_get_test_dummy_key_identifier( 830 830 + fscrypt_get_test_dummy_key_identifier( 831 831 policy->v2.master_key_identifier); 832 832 - if (err) 833 833 - goto out; 834 832 } else { 835 833 err = -EINVAL; 836 834 goto out;