mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-17 02:15:57 +00:00
fscrypt updates for 6.9
Fix flakiness in a test by releasing the quota synchronously when a key is removed, and other minor cleanups. -----BEGIN PGP SIGNATURE----- iIoEABYIADIWIQSacvsUNc7UX4ntmEPzXCl4vpKOKwUCZe/STxQcZWJpZ2dlcnNA Z29vZ2xlLmNvbQAKCRDzXCl4vpKOKyVAAQCJQr5l3fU+rm1FVpuVg8q/pbPdi5wJ N31pYFvY3AehtQEArdPNtBbXW3V7i9OL6CDmesuNtGr3Il5KRV1h89yyYgY= =RGab -----END PGP SIGNATURE----- Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux Pull fscrypt updates from Eric Biggers: "Fix flakiness in a test by releasing the quota synchronously when a key is removed, and other minor cleanups" * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux: fscrypt: shrink the size of struct fscrypt_inode_info slightly fscrypt: write CBC-CTS instead of CTS-CBC fscrypt: clear keyring before calling key_put() fscrypt: explicitly require that inode->i_blkbits be set
This commit is contained in:
commit
3bf95d567d
@ -338,11 +338,14 @@ Supported modes
|
|||||||
|
|
||||||
Currently, the following pairs of encryption modes are supported:
|
Currently, the following pairs of encryption modes are supported:
|
||||||
|
|
||||||
- AES-256-XTS for contents and AES-256-CTS-CBC for filenames
|
- AES-256-XTS for contents and AES-256-CBC-CTS for filenames
|
||||||
- AES-256-XTS for contents and AES-256-HCTR2 for filenames
|
- AES-256-XTS for contents and AES-256-HCTR2 for filenames
|
||||||
- Adiantum for both contents and filenames
|
- Adiantum for both contents and filenames
|
||||||
- AES-128-CBC-ESSIV for contents and AES-128-CTS-CBC for filenames
|
- AES-128-CBC-ESSIV for contents and AES-128-CBC-CTS for filenames
|
||||||
- SM4-XTS for contents and SM4-CTS-CBC for filenames
|
- SM4-XTS for contents and SM4-CBC-CTS for filenames
|
||||||
|
|
||||||
|
Note: in the API, "CBC" means CBC-ESSIV, and "CTS" means CBC-CTS.
|
||||||
|
So, for example, FSCRYPT_MODE_AES_256_CTS means AES-256-CBC-CTS.
|
||||||
|
|
||||||
Authenticated encryption modes are not currently supported because of
|
Authenticated encryption modes are not currently supported because of
|
||||||
the difficulty of dealing with ciphertext expansion. Therefore,
|
the difficulty of dealing with ciphertext expansion. Therefore,
|
||||||
@ -351,11 +354,11 @@ contents encryption uses a block cipher in `XTS mode
|
|||||||
`CBC-ESSIV mode
|
`CBC-ESSIV mode
|
||||||
<https://en.wikipedia.org/wiki/Disk_encryption_theory#Encrypted_salt-sector_initialization_vector_(ESSIV)>`_,
|
<https://en.wikipedia.org/wiki/Disk_encryption_theory#Encrypted_salt-sector_initialization_vector_(ESSIV)>`_,
|
||||||
or a wide-block cipher. Filenames encryption uses a
|
or a wide-block cipher. Filenames encryption uses a
|
||||||
block cipher in `CTS-CBC mode
|
block cipher in `CBC-CTS mode
|
||||||
<https://en.wikipedia.org/wiki/Ciphertext_stealing>`_ or a wide-block
|
<https://en.wikipedia.org/wiki/Ciphertext_stealing>`_ or a wide-block
|
||||||
cipher.
|
cipher.
|
||||||
|
|
||||||
The (AES-256-XTS, AES-256-CTS-CBC) pair is the recommended default.
|
The (AES-256-XTS, AES-256-CBC-CTS) pair is the recommended default.
|
||||||
It is also the only option that is *guaranteed* to always be supported
|
It is also the only option that is *guaranteed* to always be supported
|
||||||
if the kernel supports fscrypt at all; see `Kernel config options`_.
|
if the kernel supports fscrypt at all; see `Kernel config options`_.
|
||||||
|
|
||||||
@ -364,7 +367,7 @@ upgrades the filenames encryption to use a wide-block cipher. (A
|
|||||||
*wide-block cipher*, also called a tweakable super-pseudorandom
|
*wide-block cipher*, also called a tweakable super-pseudorandom
|
||||||
permutation, has the property that changing one bit scrambles the
|
permutation, has the property that changing one bit scrambles the
|
||||||
entire result.) As described in `Filenames encryption`_, a wide-block
|
entire result.) As described in `Filenames encryption`_, a wide-block
|
||||||
cipher is the ideal mode for the problem domain, though CTS-CBC is the
|
cipher is the ideal mode for the problem domain, though CBC-CTS is the
|
||||||
"least bad" choice among the alternatives. For more information about
|
"least bad" choice among the alternatives. For more information about
|
||||||
HCTR2, see `the HCTR2 paper <https://eprint.iacr.org/2021/1441.pdf>`_.
|
HCTR2, see `the HCTR2 paper <https://eprint.iacr.org/2021/1441.pdf>`_.
|
||||||
|
|
||||||
@ -375,13 +378,13 @@ the work is done by XChaCha12, which is much faster than AES when AES
|
|||||||
acceleration is unavailable. For more information about Adiantum, see
|
acceleration is unavailable. For more information about Adiantum, see
|
||||||
`the Adiantum paper <https://eprint.iacr.org/2018/720.pdf>`_.
|
`the Adiantum paper <https://eprint.iacr.org/2018/720.pdf>`_.
|
||||||
|
|
||||||
The (AES-128-CBC-ESSIV, AES-128-CTS-CBC) pair exists only to support
|
The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair exists only to support
|
||||||
systems whose only form of AES acceleration is an off-CPU crypto
|
systems whose only form of AES acceleration is an off-CPU crypto
|
||||||
accelerator such as CAAM or CESA that does not support XTS.
|
accelerator such as CAAM or CESA that does not support XTS.
|
||||||
|
|
||||||
The remaining mode pairs are the "national pride ciphers":
|
The remaining mode pairs are the "national pride ciphers":
|
||||||
|
|
||||||
- (SM4-XTS, SM4-CTS-CBC)
|
- (SM4-XTS, SM4-CBC-CTS)
|
||||||
|
|
||||||
Generally speaking, these ciphers aren't "bad" per se, but they
|
Generally speaking, these ciphers aren't "bad" per se, but they
|
||||||
receive limited security review compared to the usual choices such as
|
receive limited security review compared to the usual choices such as
|
||||||
@ -393,7 +396,7 @@ Kernel config options
|
|||||||
|
|
||||||
Enabling fscrypt support (CONFIG_FS_ENCRYPTION) automatically pulls in
|
Enabling fscrypt support (CONFIG_FS_ENCRYPTION) automatically pulls in
|
||||||
only the basic support from the crypto API needed to use AES-256-XTS
|
only the basic support from the crypto API needed to use AES-256-XTS
|
||||||
and AES-256-CTS-CBC encryption. For optimal performance, it is
|
and AES-256-CBC-CTS encryption. For optimal performance, it is
|
||||||
strongly recommended to also enable any available platform-specific
|
strongly recommended to also enable any available platform-specific
|
||||||
kconfig options that provide acceleration for the algorithm(s) you
|
kconfig options that provide acceleration for the algorithm(s) you
|
||||||
wish to use. Support for any "non-default" encryption modes typically
|
wish to use. Support for any "non-default" encryption modes typically
|
||||||
@ -407,7 +410,7 @@ kernel crypto API (see `Inline encryption support`_); in that case,
|
|||||||
the file contents mode doesn't need to supported in the kernel crypto
|
the file contents mode doesn't need to supported in the kernel crypto
|
||||||
API, but the filenames mode still does.
|
API, but the filenames mode still does.
|
||||||
|
|
||||||
- AES-256-XTS and AES-256-CTS-CBC
|
- AES-256-XTS and AES-256-CBC-CTS
|
||||||
- Recommended:
|
- Recommended:
|
||||||
- arm64: CONFIG_CRYPTO_AES_ARM64_CE_BLK
|
- arm64: CONFIG_CRYPTO_AES_ARM64_CE_BLK
|
||||||
- x86: CONFIG_CRYPTO_AES_NI_INTEL
|
- x86: CONFIG_CRYPTO_AES_NI_INTEL
|
||||||
@ -433,7 +436,7 @@ API, but the filenames mode still does.
|
|||||||
- x86: CONFIG_CRYPTO_NHPOLY1305_SSE2
|
- x86: CONFIG_CRYPTO_NHPOLY1305_SSE2
|
||||||
- x86: CONFIG_CRYPTO_NHPOLY1305_AVX2
|
- x86: CONFIG_CRYPTO_NHPOLY1305_AVX2
|
||||||
|
|
||||||
- AES-128-CBC-ESSIV and AES-128-CTS-CBC:
|
- AES-128-CBC-ESSIV and AES-128-CBC-CTS:
|
||||||
- Mandatory:
|
- Mandatory:
|
||||||
- CONFIG_CRYPTO_ESSIV
|
- CONFIG_CRYPTO_ESSIV
|
||||||
- CONFIG_CRYPTO_SHA256 or another SHA-256 implementation
|
- CONFIG_CRYPTO_SHA256 or another SHA-256 implementation
|
||||||
@ -521,7 +524,7 @@ alternatively has the file's nonce (for `DIRECT_KEY policies`_) or
|
|||||||
inode number (for `IV_INO_LBLK_64 policies`_) included in the IVs.
|
inode number (for `IV_INO_LBLK_64 policies`_) included in the IVs.
|
||||||
Thus, IV reuse is limited to within a single directory.
|
Thus, IV reuse is limited to within a single directory.
|
||||||
|
|
||||||
With CTS-CBC, the IV reuse means that when the plaintext filenames share a
|
With CBC-CTS, the IV reuse means that when the plaintext filenames share a
|
||||||
common prefix at least as long as the cipher block size (16 bytes for AES), the
|
common prefix at least as long as the cipher block size (16 bytes for AES), the
|
||||||
corresponding encrypted filenames will also share a common prefix. This is
|
corresponding encrypted filenames will also share a common prefix. This is
|
||||||
undesirable. Adiantum and HCTR2 do not have this weakness, as they are
|
undesirable. Adiantum and HCTR2 do not have this weakness, as they are
|
||||||
|
@ -222,16 +222,19 @@ struct fscrypt_inode_info {
|
|||||||
struct fscrypt_prepared_key ci_enc_key;
|
struct fscrypt_prepared_key ci_enc_key;
|
||||||
|
|
||||||
/* True if ci_enc_key should be freed when this struct is freed */
|
/* True if ci_enc_key should be freed when this struct is freed */
|
||||||
bool ci_owns_key;
|
u8 ci_owns_key : 1;
|
||||||
|
|
||||||
#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
|
#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
|
||||||
/*
|
/*
|
||||||
* True if this inode will use inline encryption (blk-crypto) instead of
|
* True if this inode will use inline encryption (blk-crypto) instead of
|
||||||
* the traditional filesystem-layer encryption.
|
* the traditional filesystem-layer encryption.
|
||||||
*/
|
*/
|
||||||
bool ci_inlinecrypt;
|
u8 ci_inlinecrypt : 1;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* True if ci_dirhash_key is initialized */
|
||||||
|
u8 ci_dirhash_key_initialized : 1;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* log2 of the data unit size (granularity of contents encryption) of
|
* log2 of the data unit size (granularity of contents encryption) of
|
||||||
* this file. This is computable from ci_policy and ci_inode but is
|
* this file. This is computable from ci_policy and ci_inode but is
|
||||||
@ -242,6 +245,9 @@ struct fscrypt_inode_info {
|
|||||||
/* Cached value: log2 of number of data units per FS block */
|
/* Cached value: log2 of number of data units per FS block */
|
||||||
u8 ci_data_units_per_block_bits;
|
u8 ci_data_units_per_block_bits;
|
||||||
|
|
||||||
|
/* Hashed inode number. Only set for IV_INO_LBLK_32 */
|
||||||
|
u32 ci_hashed_ino;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Encryption mode used for this inode. It corresponds to either the
|
* Encryption mode used for this inode. It corresponds to either the
|
||||||
* contents or filenames encryption mode, depending on the inode type.
|
* contents or filenames encryption mode, depending on the inode type.
|
||||||
@ -276,16 +282,12 @@ struct fscrypt_inode_info {
|
|||||||
* the plaintext filenames -- currently just casefolded directories.
|
* the plaintext filenames -- currently just casefolded directories.
|
||||||
*/
|
*/
|
||||||
siphash_key_t ci_dirhash_key;
|
siphash_key_t ci_dirhash_key;
|
||||||
bool ci_dirhash_key_initialized;
|
|
||||||
|
|
||||||
/* The encryption policy used by this inode */
|
/* The encryption policy used by this inode */
|
||||||
union fscrypt_policy ci_policy;
|
union fscrypt_policy ci_policy;
|
||||||
|
|
||||||
/* This inode's nonce, copied from the fscrypt_context */
|
/* This inode's nonce, copied from the fscrypt_context */
|
||||||
u8 ci_nonce[FSCRYPT_FILE_NONCE_SIZE];
|
u8 ci_nonce[FSCRYPT_FILE_NONCE_SIZE];
|
||||||
|
|
||||||
/* Hashed inode number. Only set for IV_INO_LBLK_32 */
|
|
||||||
u32 ci_hashed_ino;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef enum {
|
typedef enum {
|
||||||
|
@ -74,8 +74,12 @@ void fscrypt_put_master_key(struct fscrypt_master_key *mk)
|
|||||||
* that concurrent keyring lookups can no longer find it.
|
* that concurrent keyring lookups can no longer find it.
|
||||||
*/
|
*/
|
||||||
WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 0);
|
WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 0);
|
||||||
key_put(mk->mk_users);
|
if (mk->mk_users) {
|
||||||
mk->mk_users = NULL;
|
/* Clear the keyring so the quota gets released right away. */
|
||||||
|
keyring_clear(mk->mk_users);
|
||||||
|
key_put(mk->mk_users);
|
||||||
|
mk->mk_users = NULL;
|
||||||
|
}
|
||||||
call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);
|
call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ struct fscrypt_mode fscrypt_modes[] = {
|
|||||||
.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,
|
.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,
|
||||||
},
|
},
|
||||||
[FSCRYPT_MODE_AES_256_CTS] = {
|
[FSCRYPT_MODE_AES_256_CTS] = {
|
||||||
.friendly_name = "AES-256-CTS-CBC",
|
.friendly_name = "AES-256-CBC-CTS",
|
||||||
.cipher_str = "cts(cbc(aes))",
|
.cipher_str = "cts(cbc(aes))",
|
||||||
.keysize = 32,
|
.keysize = 32,
|
||||||
.security_strength = 32,
|
.security_strength = 32,
|
||||||
@ -38,7 +38,7 @@ struct fscrypt_mode fscrypt_modes[] = {
|
|||||||
.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
|
.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
|
||||||
},
|
},
|
||||||
[FSCRYPT_MODE_AES_128_CTS] = {
|
[FSCRYPT_MODE_AES_128_CTS] = {
|
||||||
.friendly_name = "AES-128-CTS-CBC",
|
.friendly_name = "AES-128-CBC-CTS",
|
||||||
.cipher_str = "cts(cbc(aes))",
|
.cipher_str = "cts(cbc(aes))",
|
||||||
.keysize = 16,
|
.keysize = 16,
|
||||||
.security_strength = 16,
|
.security_strength = 16,
|
||||||
@ -53,7 +53,7 @@ struct fscrypt_mode fscrypt_modes[] = {
|
|||||||
.blk_crypto_mode = BLK_ENCRYPTION_MODE_SM4_XTS,
|
.blk_crypto_mode = BLK_ENCRYPTION_MODE_SM4_XTS,
|
||||||
},
|
},
|
||||||
[FSCRYPT_MODE_SM4_CTS] = {
|
[FSCRYPT_MODE_SM4_CTS] = {
|
||||||
.friendly_name = "SM4-CTS-CBC",
|
.friendly_name = "SM4-CBC-CTS",
|
||||||
.cipher_str = "cts(cbc(sm4))",
|
.cipher_str = "cts(cbc(sm4))",
|
||||||
.keysize = 16,
|
.keysize = 16,
|
||||||
.security_strength = 16,
|
.security_strength = 16,
|
||||||
@ -687,7 +687,7 @@ int fscrypt_get_encryption_info(struct inode *inode, bool allow_unsupported)
|
|||||||
/**
|
/**
|
||||||
* fscrypt_prepare_new_inode() - prepare to create a new inode in a directory
|
* fscrypt_prepare_new_inode() - prepare to create a new inode in a directory
|
||||||
* @dir: a possibly-encrypted directory
|
* @dir: a possibly-encrypted directory
|
||||||
* @inode: the new inode. ->i_mode must be set already.
|
* @inode: the new inode. ->i_mode and ->i_blkbits must be set already.
|
||||||
* ->i_ino doesn't need to be set yet.
|
* ->i_ino doesn't need to be set yet.
|
||||||
* @encrypt_ret: (output) set to %true if the new inode will be encrypted
|
* @encrypt_ret: (output) set to %true if the new inode will be encrypted
|
||||||
*
|
*
|
||||||
@ -717,6 +717,9 @@ int fscrypt_prepare_new_inode(struct inode *dir, struct inode *inode,
|
|||||||
if (IS_ERR(policy))
|
if (IS_ERR(policy))
|
||||||
return PTR_ERR(policy);
|
return PTR_ERR(policy);
|
||||||
|
|
||||||
|
if (WARN_ON_ONCE(inode->i_blkbits == 0))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
if (WARN_ON_ONCE(inode->i_mode == 0))
|
if (WARN_ON_ONCE(inode->i_mode == 0))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user