Gitiles
Code Review Sign In
192.168.1.100 / T800 / ae7cf9c1566c697c2ba616a120c7ff3e90d20dfd / . / src / kernel / linux / v4.19 / fs / crypto / crypto.c
blob: 41b4fe15b4b6c4d983b81c7d5f497c21f58731be [file] [log] [blame]
xjb04a4022021-11-25 15:01:52 +0800[diff] [blame]1/*
2 * This contains encryption functions for per-file encryption.
3 *
4 * Copyright (C) 2015, Google, Inc.
5 * Copyright (C) 2015, Motorola Mobility
6 *
7 * Written by Michael Halcrow, 2014.
8 *
9 * Filename encryption additions
10 * Uday Savagaonkar, 2014
11 * Encryption policy handling additions
12 * Ildar Muslukhov, 2014
13 * Add fscrypt_pullback_bio_page()
14 * Jaegeuk Kim, 2015.
15 *
16 * This has not yet undergone a rigorous security audit.
17 *
18 * The usage of AES-XTS should conform to recommendations in NIST
19 * Special Publication 800-38E and IEEE P1619/D16.
20 */
21
22#include <linux/pagemap.h>
23#include <linux/mempool.h>
24#include <linux/module.h>
25#include <linux/scatterlist.h>
26#include <linux/ratelimit.h>
27#include <linux/dcache.h>
28#include <linux/namei.h>
29#include <crypto/skcipher.h>
30#include "fscrypt_private.h"
31
32static unsigned int num_prealloc_crypto_pages = 32;
33
34module_param(num_prealloc_crypto_pages, uint, 0444);
35MODULE_PARM_DESC(num_prealloc_crypto_pages,
36 "Number of crypto pages to preallocate");
37
38static mempool_t *fscrypt_bounce_page_pool = NULL;
39
40static struct workqueue_struct *fscrypt_read_workqueue;
41static DEFINE_MUTEX(fscrypt_init_mutex);
42
43struct kmem_cache *fscrypt_info_cachep;
44
45void fscrypt_enqueue_decrypt_work(struct work_struct *work)
46{
47 queue_work(fscrypt_read_workqueue, work);
48}
49EXPORT_SYMBOL(fscrypt_enqueue_decrypt_work);
50
51struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags)
52{
53 return mempool_alloc(fscrypt_bounce_page_pool, gfp_flags);
54}
55
56/**
57 * fscrypt_free_bounce_page() - free a ciphertext bounce page
58 *
59 * Free a bounce page that was allocated by fscrypt_encrypt_pagecache_blocks(),
60 * or by fscrypt_alloc_bounce_page() directly.
61 */
62void fscrypt_free_bounce_page(struct page *bounce_page)
63{
64 if (!bounce_page)
65 return;
66 set_page_private(bounce_page, (unsigned long)NULL);
67 ClearPagePrivate(bounce_page);
68 mempool_free(bounce_page, fscrypt_bounce_page_pool);
69}
70EXPORT_SYMBOL(fscrypt_free_bounce_page);
71
72void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
73 const struct fscrypt_info *ci)
74{
75 u8 flags = fscrypt_policy_flags(&ci->ci_policy);
76
77 memset(iv, 0, ci->ci_mode->ivsize);
78
79 if (flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
80 WARN_ON_ONCE((u32)lblk_num != lblk_num);
81 lblk_num |= (u64)ci->ci_inode->i_ino << 32;
82 } else if (flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
83 memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);
84 }
85 iv->lblk_num = cpu_to_le64(lblk_num);
86}
87
88/* Encrypt or decrypt a single filesystem block of file contents */
89int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw,
90 u64 lblk_num, struct page *src_page,
91 struct page *dest_page, unsigned int len,
92 unsigned int offs, gfp_t gfp_flags)
93{
94 union fscrypt_iv iv;
95 struct skcipher_request *req = NULL;
96 DECLARE_CRYPTO_WAIT(wait);
97 struct scatterlist dst, src;
98 struct fscrypt_info *ci = inode->i_crypt_info;
99 struct crypto_skcipher *tfm = ci->ci_key.tfm;
100 int res = 0;
101
102 if (WARN_ON_ONCE(len <= 0))
103 return -EINVAL;
104 if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0))
105 return -EINVAL;
106
107 fscrypt_generate_iv(&iv, lblk_num, ci);
108
109 req = skcipher_request_alloc(tfm, gfp_flags);
110 if (!req)
111 return -ENOMEM;
112
113 skcipher_request_set_callback(
114 req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
115 crypto_req_done, &wait);
116
117 sg_init_table(&dst, 1);
118 sg_set_page(&dst, dest_page, len, offs);
119 sg_init_table(&src, 1);
120 sg_set_page(&src, src_page, len, offs);
121 skcipher_request_set_crypt(req, &src, &dst, len, &iv);
122 if (rw == FS_DECRYPT)
123 res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
124 else
125 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
126 skcipher_request_free(req);
127 if (res) {
128 fscrypt_err(inode, "%scryption failed for block %llu: %d",
129 (rw == FS_DECRYPT ? "De" : "En"), lblk_num, res);
130 return res;
131 }
132 return 0;
133}
134
135/**
136 * fscrypt_encrypt_pagecache_blocks() - Encrypt filesystem blocks from a pagecache page
137 * @page: The locked pagecache page containing the block(s) to encrypt
138 * @len: Total size of the block(s) to encrypt. Must be a nonzero
139 * multiple of the filesystem's block size.
140 * @offs: Byte offset within @page of the first block to encrypt. Must be
141 * a multiple of the filesystem's block size.
142 * @gfp_flags: Memory allocation flags
143 *
144 * A new bounce page is allocated, and the specified block(s) are encrypted into
145 * it. In the bounce page, the ciphertext block(s) will be located at the same
146 * offsets at which the plaintext block(s) were located in the source page; any
147 * other parts of the bounce page will be left uninitialized. However, normally
148 * blocksize == PAGE_SIZE and the whole page is encrypted at once.
149 *
150 * This is for use by the filesystem's ->writepages() method.
151 *
152 * Return: the new encrypted bounce page on success; an ERR_PTR() on failure
153 */
154struct page *fscrypt_encrypt_pagecache_blocks(struct page *page,
155 unsigned int len,
156 unsigned int offs,
157 gfp_t gfp_flags)
158
159{
160 const struct inode *inode = page->mapping->host;
161 const unsigned int blockbits = inode->i_blkbits;
162 const unsigned int blocksize = 1 << blockbits;
163 struct page *ciphertext_page;
164 u64 lblk_num = ((u64)page->index << (PAGE_SHIFT - blockbits)) +
165 (offs >> blockbits);
166 unsigned int i;
167 int err;
168
169 if (WARN_ON_ONCE(!PageLocked(page)))
170 return ERR_PTR(-EINVAL);
171
172 if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize)))
173 return ERR_PTR(-EINVAL);
174
175 ciphertext_page = fscrypt_alloc_bounce_page(gfp_flags);
176 if (!ciphertext_page)
177 return ERR_PTR(-ENOMEM);
178
179 for (i = offs; i < offs + len; i += blocksize, lblk_num++) {
180 err = fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num,
181 page, ciphertext_page,
182 blocksize, i, gfp_flags);
183 if (err) {
184 fscrypt_free_bounce_page(ciphertext_page);
185 return ERR_PTR(err);
186 }
187 }
188 SetPagePrivate(ciphertext_page);
189 set_page_private(ciphertext_page, (unsigned long)page);
190 return ciphertext_page;
191}
192EXPORT_SYMBOL(fscrypt_encrypt_pagecache_blocks);
193
194/**
195 * fscrypt_encrypt_block_inplace() - Encrypt a filesystem block in-place
196 * @inode: The inode to which this block belongs
197 * @page: The page containing the block to encrypt
198 * @len: Size of block to encrypt. Doesn't need to be a multiple of the
199 * fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE.
200 * @offs: Byte offset within @page at which the block to encrypt begins
201 * @lblk_num: Filesystem logical block number of the block, i.e. the 0-based
202 * number of the block within the file
203 * @gfp_flags: Memory allocation flags
204 *
205 * Encrypt a possibly-compressed filesystem block that is located in an
206 * arbitrary page, not necessarily in the original pagecache page. The @inode
207 * and @lblk_num must be specified, as they can't be determined from @page.
208 *
209 * Return: 0 on success; -errno on failure
210 */
211int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page,
212 unsigned int len, unsigned int offs,
213 u64 lblk_num, gfp_t gfp_flags)
214{
215 return fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num, page, page,
216 len, offs, gfp_flags);
217}
218EXPORT_SYMBOL(fscrypt_encrypt_block_inplace);
219
220/**
221 * fscrypt_decrypt_pagecache_blocks() - Decrypt filesystem blocks in a pagecache page
222 * @page: The locked pagecache page containing the block(s) to decrypt
223 * @len: Total size of the block(s) to decrypt. Must be a nonzero
224 * multiple of the filesystem's block size.
225 * @offs: Byte offset within @page of the first block to decrypt. Must be
226 * a multiple of the filesystem's block size.
227 *
228 * The specified block(s) are decrypted in-place within the pagecache page,
229 * which must still be locked and not uptodate. Normally, blocksize ==
230 * PAGE_SIZE and the whole page is decrypted at once.
231 *
232 * This is for use by the filesystem's ->readpages() method.
233 *
234 * Return: 0 on success; -errno on failure
235 */
236int fscrypt_decrypt_pagecache_blocks(struct page *page, unsigned int len,
237 unsigned int offs)
238{
239 const struct inode *inode = page->mapping->host;
240 const unsigned int blockbits = inode->i_blkbits;
241 const unsigned int blocksize = 1 << blockbits;
242 u64 lblk_num = ((u64)page->index << (PAGE_SHIFT - blockbits)) +
243 (offs >> blockbits);
244 unsigned int i;
245 int err;
246
247 if (WARN_ON_ONCE(!PageLocked(page)))
248 return -EINVAL;
249
250 if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize)))
251 return -EINVAL;
252
253 for (i = offs; i < offs + len; i += blocksize, lblk_num++) {
254 err = fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page,
255 page, blocksize, i, GFP_NOFS);
256 if (err)
257 return err;
258 }
259 return 0;
260}
261EXPORT_SYMBOL(fscrypt_decrypt_pagecache_blocks);
262
263/**
264 * fscrypt_decrypt_block_inplace() - Decrypt a filesystem block in-place
265 * @inode: The inode to which this block belongs
266 * @page: The page containing the block to decrypt
267 * @len: Size of block to decrypt. Doesn't need to be a multiple of the
268 * fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE.
269 * @offs: Byte offset within @page at which the block to decrypt begins
270 * @lblk_num: Filesystem logical block number of the block, i.e. the 0-based
271 * number of the block within the file
272 *
273 * Decrypt a possibly-compressed filesystem block that is located in an
274 * arbitrary page, not necessarily in the original pagecache page. The @inode
275 * and @lblk_num must be specified, as they can't be determined from @page.
276 *
277 * Return: 0 on success; -errno on failure
278 */
279int fscrypt_decrypt_block_inplace(const struct inode *inode, struct page *page,
280 unsigned int len, unsigned int offs,
281 u64 lblk_num)
282{
283 return fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page, page,
284 len, offs, GFP_NOFS);
285}
286EXPORT_SYMBOL(fscrypt_decrypt_block_inplace);
287
288/*
289 * Validate dentries in encrypted directories to make sure we aren't potentially
290 * caching stale dentries after a key has been added.
291 */
292static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
293{
294 struct dentry *dir;
295 int err;
296 int valid;
297
298 /*
299 * Plaintext names are always valid, since fscrypt doesn't support
300 * reverting to ciphertext names without evicting the directory's inode
301 * -- which implies eviction of the dentries in the directory.
302 */
303 if (!(dentry->d_flags & DCACHE_ENCRYPTED_NAME))
304 return 1;
305
306 /*
307 * Ciphertext name; valid if the directory's key is still unavailable.
308 *
309 * Although fscrypt forbids rename() on ciphertext names, we still must
310 * use dget_parent() here rather than use ->d_parent directly. That's
311 * because a corrupted fs image may contain directory hard links, which
312 * the VFS handles by moving the directory's dentry tree in the dcache
313 * each time ->lookup() finds the directory and it already has a dentry
314 * elsewhere. Thus ->d_parent can be changing, and we must safely grab
315 * a reference to some ->d_parent to prevent it from being freed.
316 */
317
318 if (flags & LOOKUP_RCU)
319 return -ECHILD;
320
321 dir = dget_parent(dentry);
322 err = fscrypt_get_encryption_info(d_inode(dir));
323 valid = !fscrypt_has_encryption_key(d_inode(dir));
324 dput(dir);
325
326 if (err < 0)
327 return err;
328
329 return valid;
330}
331
332const struct dentry_operations fscrypt_d_ops = {
333 .d_revalidate = fscrypt_d_revalidate,
334};
335
336/**
337 * fscrypt_initialize() - allocate major buffers for fs encryption.
338 * @cop_flags: fscrypt operations flags
339 *
340 * We only call this when we start accessing encrypted files, since it
341 * results in memory getting allocated that wouldn't otherwise be used.
342 *
343 * Return: 0 on success; -errno on failure
344 */
345int fscrypt_initialize(unsigned int cop_flags)
346{
347 int err = 0;
348
349 /* No need to allocate a bounce page pool if this FS won't use it. */
350 if (cop_flags & FS_CFLG_OWN_PAGES)
351 return 0;
352
353 mutex_lock(&fscrypt_init_mutex);
354 if (fscrypt_bounce_page_pool)
355 goto out_unlock;
356
357 err = -ENOMEM;
358 fscrypt_bounce_page_pool =
359 mempool_create_page_pool(num_prealloc_crypto_pages, 0);
360 if (!fscrypt_bounce_page_pool)
361 goto out_unlock;
362
363 err = 0;
364out_unlock:
365 mutex_unlock(&fscrypt_init_mutex);
366 return err;
367}
368
369void fscrypt_msg(const struct inode *inode, const char *level,
370 const char *fmt, ...)
371{
372 static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
373 DEFAULT_RATELIMIT_BURST);
374 struct va_format vaf;
375 va_list args;
376
377 if (!__ratelimit(&rs))
378 return;
379
380 va_start(args, fmt);
381 vaf.fmt = fmt;
382 vaf.va = &args;
383 if (inode)
384 printk("%sfscrypt (%s, inode %lu): %pV\n",
385 level, inode->i_sb->s_id, inode->i_ino, &vaf);
386 else
387 printk("%sfscrypt: %pV\n", level, &vaf);
388 va_end(args);
389}
390
391/**
392 * fscrypt_init() - Set up for fs encryption.
393 */
394static int __init fscrypt_init(void)
395{
396 int err = -ENOMEM;
397
398 /*
399 * Use an unbound workqueue to allow bios to be decrypted in parallel
400 * even when they happen to complete on the same CPU. This sacrifices
401 * locality, but it's worthwhile since decryption is CPU-intensive.
402 *
403 * Also use a high-priority workqueue to prioritize decryption work,
404 * which blocks reads from completing, over regular application tasks.
405 */
406 fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
407 WQ_UNBOUND | WQ_HIGHPRI,
408 num_online_cpus());
409 if (!fscrypt_read_workqueue)
410 goto fail;
411
412 fscrypt_info_cachep = KMEM_CACHE(fscrypt_info, SLAB_RECLAIM_ACCOUNT);
413 if (!fscrypt_info_cachep)
414 goto fail_free_queue;
415
416 err = fscrypt_init_keyring();
417 if (err)
418 goto fail_free_info;
419
420 return 0;
421
422fail_free_info:
423 kmem_cache_destroy(fscrypt_info_cachep);
424fail_free_queue:
425 destroy_workqueue(fscrypt_read_workqueue);
426fail:
427 return err;
428}
429late_initcall(fscrypt_init)