Gitiles
Code Review Sign In
192.168.1.100 / T108 / e958203796650e3959a43708d67534bf36f4c83b / . / marvell / linux / fs / crypto / inline_crypt.c
blob: 5817a04eabb122cdc84a48f648fc12fc6a0066f4 [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame^]1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Inline encryption support for fscrypt
4 *
5 * Copyright 2019 Google LLC
6 */
7
8/*
9 * With "inline encryption", the block layer handles the decryption/encryption
10 * as part of the bio, instead of the filesystem doing the crypto itself via
11 * crypto API. See Documentation/block/inline-encryption.rst. fscrypt still
12 * provides the key and IV to use.
13 */
14
15#include <linux/blk-crypto.h>
16#include <linux/blkdev.h>
17#include <linux/buffer_head.h>
18#include <linux/keyslot-manager.h>
19#include <linux/sched/mm.h>
20#include <linux/uio.h>
21
22#include "fscrypt_private.h"
23
24struct fscrypt_blk_crypto_key {
25 struct blk_crypto_key base;
26 int num_devs;
27 struct request_queue *devs[];
28};
29
30static int fscrypt_get_num_devices(struct super_block *sb)
31{
32 if (sb->s_cop->get_num_devices)
33 return sb->s_cop->get_num_devices(sb);
34 return 1;
35}
36
37static void fscrypt_get_devices(struct super_block *sb, int num_devs,
38 struct request_queue **devs)
39{
40 if (num_devs == 1)
41 devs[0] = bdev_get_queue(sb->s_bdev);
42 else
43 sb->s_cop->get_devices(sb, devs);
44}
45
46static unsigned int fscrypt_get_dun_bytes(const struct fscrypt_info *ci)
47{
48 struct super_block *sb = ci->ci_inode->i_sb;
49 unsigned int flags = fscrypt_policy_flags(&ci->ci_policy);
50 int ino_bits = 64, lblk_bits = 64;
51
52 if (flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY)
53 return offsetofend(union fscrypt_iv, nonce);
54
55 if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64)
56 return sizeof(__le64);
57
58 if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)
59 return sizeof(__le32);
60
61 /* Default case: IVs are just the file logical block number */
62 if (sb->s_cop->get_ino_and_lblk_bits)
63 sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits);
64 return DIV_ROUND_UP(lblk_bits, 8);
65}
66
67/* Enable inline encryption for this file if supported. */
68int fscrypt_select_encryption_impl(struct fscrypt_info *ci,
69 bool is_hw_wrapped_key)
70{
71 const struct inode *inode = ci->ci_inode;
72 struct super_block *sb = inode->i_sb;
73 struct blk_crypto_config crypto_cfg;
74 int num_devs;
75 struct request_queue **devs;
76 int i;
77
78 /* The file must need contents encryption, not filenames encryption */
79 if (!S_ISREG(inode->i_mode))
80 return 0;
81
82 /* The crypto mode must have a blk-crypto counterpart */
83 if (ci->ci_mode->blk_crypto_mode == BLK_ENCRYPTION_MODE_INVALID)
84 return 0;
85
86 /* The filesystem must be mounted with -o inlinecrypt */
87 if (!(sb->s_flags & SB_INLINECRYPT))
88 return 0;
89
90 /*
91 * When a page contains multiple logically contiguous filesystem blocks,
92 * some filesystem code only calls fscrypt_mergeable_bio() for the first
93 * block in the page. This is fine for most of fscrypt's IV generation
94 * strategies, where contiguous blocks imply contiguous IVs. But it
95 * doesn't work with IV_INO_LBLK_32. For now, simply exclude
96 * IV_INO_LBLK_32 with blocksize != PAGE_SIZE from inline encryption.
97 */
98 if ((fscrypt_policy_flags(&ci->ci_policy) &
99 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) &&
100 sb->s_blocksize != PAGE_SIZE)
101 return 0;
102
103 /*
104 * On all the filesystem's devices, blk-crypto must support the crypto
105 * configuration that the file would use.
106 */
107 crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode;
108 crypto_cfg.data_unit_size = sb->s_blocksize;
109 crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci);
110 crypto_cfg.is_hw_wrapped = is_hw_wrapped_key;
111 num_devs = fscrypt_get_num_devices(sb);
112 devs = kmalloc_array(num_devs, sizeof(*devs), GFP_KERNEL);
113 if (!devs)
114 return -ENOMEM;
115 fscrypt_get_devices(sb, num_devs, devs);
116
117 for (i = 0; i < num_devs; i++) {
118 if (!blk_crypto_config_supported(devs[i], &crypto_cfg))
119 goto out_free_devs;
120 }
121
122 ci->ci_inlinecrypt = true;
123out_free_devs:
124 kfree(devs);
125
126 return 0;
127}
128
129int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key,
130 const u8 *raw_key,
131 unsigned int raw_key_size,
132 bool is_hw_wrapped,
133 const struct fscrypt_info *ci)
134{
135 const struct inode *inode = ci->ci_inode;
136 struct super_block *sb = inode->i_sb;
137 enum blk_crypto_mode_num crypto_mode = ci->ci_mode->blk_crypto_mode;
138 int num_devs = fscrypt_get_num_devices(sb);
139 int queue_refs = 0;
140 struct fscrypt_blk_crypto_key *blk_key;
141 int err;
142 int i;
143
144 blk_key = kzalloc(struct_size(blk_key, devs, num_devs), GFP_KERNEL);
145 if (!blk_key)
146 return -ENOMEM;
147
148 blk_key->num_devs = num_devs;
149 fscrypt_get_devices(sb, num_devs, blk_key->devs);
150
151 BUILD_BUG_ON(FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE >
152 BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE);
153
154 err = blk_crypto_init_key(&blk_key->base, raw_key, raw_key_size,
155 is_hw_wrapped, crypto_mode,
156 fscrypt_get_dun_bytes(ci), sb->s_blocksize);
157 if (err) {
158 fscrypt_err(inode, "error %d initializing blk-crypto key", err);
159 goto fail;
160 }
161
162 /*
163 * We have to start using blk-crypto on all the filesystem's devices.
164 * We also have to save all the request_queue's for later so that the
165 * key can be evicted from them. This is needed because some keys
166 * aren't destroyed until after the filesystem was already unmounted
167 * (namely, the per-mode keys in struct fscrypt_master_key).
168 */
169 for (i = 0; i < num_devs; i++) {
170 if (!blk_get_queue(blk_key->devs[i])) {
171 fscrypt_err(inode, "couldn't get request_queue");
172 err = -EAGAIN;
173 goto fail;
174 }
175 queue_refs++;
176
177 err = blk_crypto_start_using_key(&blk_key->base,
178 blk_key->devs[i]);
179 if (err) {
180 fscrypt_err(inode,
181 "error %d starting to use blk-crypto", err);
182 goto fail;
183 }
184 }
185 /*
186 * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
187 * I.e., here we publish ->blk_key with a RELEASE barrier so that
188 * concurrent tasks can ACQUIRE it. Note that this concurrency is only
189 * possible for per-mode keys, not for per-file keys.
190 */
191 smp_store_release(&prep_key->blk_key, blk_key);
192 return 0;
193
194fail:
195 for (i = 0; i < queue_refs; i++)
196 blk_put_queue(blk_key->devs[i]);
197 kzfree(blk_key);
198 return err;
199}
200
201void fscrypt_destroy_inline_crypt_key(struct fscrypt_prepared_key *prep_key)
202{
203 struct fscrypt_blk_crypto_key *blk_key = prep_key->blk_key;
204 int i;
205
206 if (blk_key) {
207 for (i = 0; i < blk_key->num_devs; i++) {
208 blk_crypto_evict_key(blk_key->devs[i], &blk_key->base);
209 blk_put_queue(blk_key->devs[i]);
210 }
211 kzfree(blk_key);
212 }
213}
214
215int fscrypt_derive_raw_secret(struct super_block *sb,
216 const u8 *wrapped_key,
217 unsigned int wrapped_key_size,
218 u8 *raw_secret, unsigned int raw_secret_size)
219{
220 struct request_queue *q;
221
222 q = bdev_get_queue(sb->s_bdev);
223 if (!q->ksm)
224 return -EOPNOTSUPP;
225
226 return blk_ksm_derive_raw_secret(q->ksm, wrapped_key, wrapped_key_size,
227 raw_secret, raw_secret_size);
228}
229
230bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode)
231{
232 return inode->i_crypt_info->ci_inlinecrypt;
233}
234EXPORT_SYMBOL_GPL(__fscrypt_inode_uses_inline_crypto);
235
236static void fscrypt_generate_dun(const struct fscrypt_info *ci, u64 lblk_num,
237 u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE])
238{
239 union fscrypt_iv iv;
240 int i;
241
242 fscrypt_generate_iv(&iv, lblk_num, ci);
243
244 BUILD_BUG_ON(FSCRYPT_MAX_IV_SIZE > BLK_CRYPTO_MAX_IV_SIZE);
245 memset(dun, 0, BLK_CRYPTO_MAX_IV_SIZE);
246 for (i = 0; i < ci->ci_mode->ivsize/sizeof(dun[0]); i++)
247 dun[i] = le64_to_cpu(iv.dun[i]);
248}
249
250/**
251 * fscrypt_set_bio_crypt_ctx() - prepare a file contents bio for inline crypto
252 * @bio: a bio which will eventually be submitted to the file
253 * @inode: the file's inode
254 * @first_lblk: the first file logical block number in the I/O
255 * @gfp_mask: memory allocation flags - these must be a waiting mask so that
256 * bio_crypt_set_ctx can't fail.
257 *
258 * If the contents of the file should be encrypted (or decrypted) with inline
259 * encryption, then assign the appropriate encryption context to the bio.
260 *
261 * Normally the bio should be newly allocated (i.e. no pages added yet), as
262 * otherwise fscrypt_mergeable_bio() won't work as intended.
263 *
264 * The encryption context will be freed automatically when the bio is freed.
265 *
266 * This function also handles setting bi_skip_dm_default_key when needed.
267 */
268void fscrypt_set_bio_crypt_ctx(struct bio *bio, const struct inode *inode,
269 u64 first_lblk, gfp_t gfp_mask)
270{
271 const struct fscrypt_info *ci;
272 u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
273
274 if (fscrypt_inode_should_skip_dm_default_key(inode))
275 bio_set_skip_dm_default_key(bio);
276
277 if (!fscrypt_inode_uses_inline_crypto(inode))
278 return;
279 ci = inode->i_crypt_info;
280
281 fscrypt_generate_dun(ci, first_lblk, dun);
282 bio_crypt_set_ctx(bio, &ci->ci_enc_key.blk_key->base, dun, gfp_mask);
283}
284EXPORT_SYMBOL_GPL(fscrypt_set_bio_crypt_ctx);
285
286/* Extract the inode and logical block number from a buffer_head. */
287static bool bh_get_inode_and_lblk_num(const struct buffer_head *bh,
288 const struct inode **inode_ret,
289 u64 *lblk_num_ret)
290{
291 struct page *page = bh->b_page;
292 const struct address_space *mapping;
293 const struct inode *inode;
294
295 /*
296 * The ext4 journal (jbd2) can submit a buffer_head it directly created
297 * for a non-pagecache page. fscrypt doesn't care about these.
298 */
299 mapping = page_mapping(page);
300 if (!mapping)
301 return false;
302 inode = mapping->host;
303
304 *inode_ret = inode;
305 *lblk_num_ret = ((u64)page->index << (PAGE_SHIFT - inode->i_blkbits)) +
306 (bh_offset(bh) >> inode->i_blkbits);
307 return true;
308}
309
310/**
311 * fscrypt_set_bio_crypt_ctx_bh() - prepare a file contents bio for inline
312 * crypto
313 * @bio: a bio which will eventually be submitted to the file
314 * @first_bh: the first buffer_head for which I/O will be submitted
315 * @gfp_mask: memory allocation flags
316 *
317 * Same as fscrypt_set_bio_crypt_ctx(), except this takes a buffer_head instead
318 * of an inode and block number directly.
319 */
320void fscrypt_set_bio_crypt_ctx_bh(struct bio *bio,
321 const struct buffer_head *first_bh,
322 gfp_t gfp_mask)
323{
324 const struct inode *inode;
325 u64 first_lblk;
326
327 if (bh_get_inode_and_lblk_num(first_bh, &inode, &first_lblk))
328 fscrypt_set_bio_crypt_ctx(bio, inode, first_lblk, gfp_mask);
329}
330EXPORT_SYMBOL_GPL(fscrypt_set_bio_crypt_ctx_bh);
331
332/**
333 * fscrypt_mergeable_bio() - test whether data can be added to a bio
334 * @bio: the bio being built up
335 * @inode: the inode for the next part of the I/O
336 * @next_lblk: the next file logical block number in the I/O
337 *
338 * When building a bio which may contain data which should undergo inline
339 * encryption (or decryption) via fscrypt, filesystems should call this function
340 * to ensure that the resulting bio contains only contiguous data unit numbers.
341 * This will return false if the next part of the I/O cannot be merged with the
342 * bio because either the encryption key would be different or the encryption
343 * data unit numbers would be discontiguous.
344 *
345 * fscrypt_set_bio_crypt_ctx() must have already been called on the bio.
346 *
347 * This function also returns false if the next part of the I/O would need to
348 * have a different value for the bi_skip_dm_default_key flag.
349 *
350 * Return: true iff the I/O is mergeable
351 */
352bool fscrypt_mergeable_bio(struct bio *bio, const struct inode *inode,
353 u64 next_lblk)
354{
355 const struct bio_crypt_ctx *bc = bio->bi_crypt_context;
356 u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
357
358 if (!!bc != fscrypt_inode_uses_inline_crypto(inode))
359 return false;
360 if (bio_should_skip_dm_default_key(bio) !=
361 fscrypt_inode_should_skip_dm_default_key(inode))
362 return false;
363 if (!bc)
364 return true;
365
366 /*
367 * Comparing the key pointers is good enough, as all I/O for each key
368 * uses the same pointer. I.e., there's currently no need to support
369 * merging requests where the keys are the same but the pointers differ.
370 */
371 if (bc->bc_key != &inode->i_crypt_info->ci_enc_key.blk_key->base)
372 return false;
373
374 fscrypt_generate_dun(inode->i_crypt_info, next_lblk, next_dun);
375 return bio_crypt_dun_is_contiguous(bc, bio->bi_iter.bi_size, next_dun);
376}
377EXPORT_SYMBOL_GPL(fscrypt_mergeable_bio);
378
379/**
380 * fscrypt_mergeable_bio_bh() - test whether data can be added to a bio
381 * @bio: the bio being built up
382 * @next_bh: the next buffer_head for which I/O will be submitted
383 *
384 * Same as fscrypt_mergeable_bio(), except this takes a buffer_head instead of
385 * an inode and block number directly.
386 *
387 * Return: true iff the I/O is mergeable
388 */
389bool fscrypt_mergeable_bio_bh(struct bio *bio,
390 const struct buffer_head *next_bh)
391{
392 const struct inode *inode;
393 u64 next_lblk;
394
395 if (!bh_get_inode_and_lblk_num(next_bh, &inode, &next_lblk))
396 return !bio->bi_crypt_context &&
397 !bio_should_skip_dm_default_key(bio);
398
399 return fscrypt_mergeable_bio(bio, inode, next_lblk);
400}
401EXPORT_SYMBOL_GPL(fscrypt_mergeable_bio_bh);
402
403/**
404 * fscrypt_dio_supported() - check whether a direct I/O request is unsupported
405 * due to encryption constraints
406 * @iocb: the file and position the I/O is targeting
407 * @iter: the I/O data segment(s)
408 *
409 * Return: true if direct I/O is supported
410 */
411bool fscrypt_dio_supported(struct kiocb *iocb, struct iov_iter *iter)
412{
413 const struct inode *inode = file_inode(iocb->ki_filp);
414 const unsigned int blocksize = i_blocksize(inode);
415
416 /* If the file is unencrypted, no veto from us. */
417 if (!fscrypt_needs_contents_encryption(inode))
418 return true;
419
420 /* We only support direct I/O with inline crypto, not fs-layer crypto */
421 if (!fscrypt_inode_uses_inline_crypto(inode))
422 return false;
423
424 /*
425 * Since the granularity of encryption is filesystem blocks, the I/O
426 * must be block aligned -- not just disk sector aligned.
427 */
428 if (!IS_ALIGNED(iocb->ki_pos | iov_iter_alignment(iter), blocksize))
429 return false;
430
431 return true;
432}
433EXPORT_SYMBOL_GPL(fscrypt_dio_supported);
434
435/**
436 * fscrypt_limit_io_blocks() - limit I/O blocks to avoid discontiguous DUNs
437 * @inode: the file on which I/O is being done
438 * @lblk: the block at which the I/O is being started from
439 * @nr_blocks: the number of blocks we want to submit starting at @pos
440 *
441 * Determine the limit to the number of blocks that can be submitted in the bio
442 * targeting @pos without causing a data unit number (DUN) discontinuity.
443 *
444 * This is normally just @nr_blocks, as normally the DUNs just increment along
445 * with the logical blocks. (Or the file is not encrypted.)
446 *
447 * In rare cases, fscrypt can be using an IV generation method that allows the
448 * DUN to wrap around within logically continuous blocks, and that wraparound
449 * will occur. If this happens, a value less than @nr_blocks will be returned
450 * so that the wraparound doesn't occur in the middle of the bio.
451 *
452 * Return: the actual number of blocks that can be submitted
453 */
454u64 fscrypt_limit_io_blocks(const struct inode *inode, u64 lblk, u64 nr_blocks)
455{
456 const struct fscrypt_info *ci = inode->i_crypt_info;
457 u32 dun;
458
459 if (!fscrypt_inode_uses_inline_crypto(inode))
460 return nr_blocks;
461
462 if (nr_blocks <= 1)
463 return nr_blocks;
464
465 if (!(fscrypt_policy_flags(&ci->ci_policy) &
466 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32))
467 return nr_blocks;
468
469 /* With IV_INO_LBLK_32, the DUN can wrap around from U32_MAX to 0. */
470
471 dun = ci->ci_hashed_ino + lblk;
472
473 return min_t(u64, nr_blocks, (u64)U32_MAX + 1 - dun);
474}