| blob | b132509f33b589060ba81dafa207ecebeeaf8fc6 |
1 ext4: add EXT4 encryption facilities
3 From: Mike Halcrow <mhalcrow@google.com>
5 On encrypt, we will re-assign the buffer_heads to point to a bounce
6 page rather than the control_page (which is the original page to write
7 that contains the plaintext). The block I/O occurs against the bounce
8 page. On write completion, we re-assign the buffer_heads to the
9 original plaintext page.
11 On decrypt, we will attach a read completion callback to the bio
12 struct. This read completion will decrypt the read contents in-place
13 prior to setting the page up-to-date.
15 The current encryption mode, AES-256-XTS, represents the first of
16 several encryption modes on the roadmap. Future in-plan modes are
17 HMAC-SHA1 (integrity only), AES-256-XTS+RANDOM_TWEAK+HMAC-SHA1, and
18 AES-256-GCM.
20 Signed-off-by: Michael Halcrow <mhalcrow@google.com>
21 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
22 ---
23 fs/ext4/Makefile | 9 +-
24 fs/ext4/crypto.c | 1135 +++++++++++++++++++++++++++++++++++++++++++++++++
25 fs/ext4/ext4.h | 25 ++
26 fs/ext4/ext4_crypto.h | 175 ++++++++
27 fs/ext4/super.c | 38 +-
28 fs/ext4/xattr.h | 1 +
29 6 files changed, 1377 insertions(+), 6 deletions(-)
30 create mode 100644 fs/ext4/crypto.c
31 create mode 100644 fs/ext4/ext4_crypto.h
33 diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile
34 index 0310fec..de4de1c 100644
35 --- a/fs/ext4/Makefile
36 +++ b/fs/ext4/Makefile
37 @@ -4,10 +4,11 @@
39 obj-$(CONFIG_EXT4_FS) += ext4.o
41 -ext4-y := balloc.o bitmap.o dir.o file.o fsync.o ialloc.o inode.o page-io.o \
42 - ioctl.o namei.o super.o symlink.o hash.o resize.o extents.o \
43 - ext4_jbd2.o migrate.o mballoc.o block_validity.o move_extent.o \
44 - mmp.o indirect.o extents_status.o xattr.o xattr_user.o \
45 +ext4-y := balloc.o bitmap.o crypto.o dir.o file.o fsync.o ialloc.o \
46 + inode.o page-io.o ioctl.o namei.o super.o symlink.o \
47 + hash.o resize.o extents.o ext4_jbd2.o migrate.o \
48 + mballoc.o block_validity.o move_extent.o mmp.o \
49 + indirect.o extents_status.o xattr.o xattr_user.o \
50 xattr_trusted.o inline.o
52 ext4-$(CONFIG_EXT4_FS_POSIX_ACL) += acl.o
53 diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c
54 new file mode 100644
55 index 0000000..ead3111
56 --- /dev/null
57 +++ b/fs/ext4/crypto.c
58 @@ -0,0 +1,1135 @@
59 +/*
60 + * linux/fs/ext4/crypto.c
61 + *
62 + * This contains encryption functions for ext4
63 + *
64 + * Written by Michael Halcrow, 2014.
65 + *
66 + * This has not yet undergone a rigorous security audit.
67 + *
68 + * The usage of AES-XTS should conform to recommendations in NIST
69 + * Special Publication 800-38E. The usage of AES-GCM should conform to
70 + * the recommendations in NIST Special Publication 800-38D. Further
71 + * guidance for block-oriented storage is in IEEE P1619/D16. The key
72 + * derivation code implements an HKDF (see RFC 5869).
73 + */
74 +
75 +#include <crypto/hash.h>
76 +#include <crypto/sha.h>
77 +#include <keys/user-type.h>
78 +#include <keys/encrypted-type.h>
79 +#include <linux/crypto.h>
80 +#include <linux/gfp.h>
81 +#include <linux/kernel.h>
82 +#include <linux/key.h>
83 +#include <linux/list.h>
84 +#include <linux/mempool.h>
85 +#include <linux/random.h>
86 +#include <linux/scatterlist.h>
87 +#include <linux/spinlock_types.h>
88 +
89 +#include "ext4.h"
90 +#include "xattr.h"
91 +
92 +/* Encryption added and removed here! (L: */
93 +
94 +mempool_t *ext4_bounce_page_pool = NULL;
95 +
96 +LIST_HEAD(ext4_free_crypto_ctxs);
97 +DEFINE_SPINLOCK(ext4_crypto_ctx_lock);
98 +
99 +/* TODO(mhalcrow): Remove for release */
100 +atomic_t ext4_dbg_pages = ATOMIC_INIT(0);
101 +atomic_t ext4_dbg_ctxs = ATOMIC_INIT(0);
102 +
103 +/**
104 + * ext4_release_crypto_ctx() - Releases an encryption context
105 + * @ctx: The encryption context to release.
106 + *
107 + * If the encryption context was allocated from the pre-allocated
108 + * pool, returns it to that pool. Else, frees it.
109 + *
110 + * If there's a bounce page in the context, this frees that.
111 + */
112 +void ext4_release_crypto_ctx(struct ext4_crypto_ctx *ctx)
113 +{
114 + unsigned long flags;
115 +
116 + atomic_dec(&ctx->dbg_refcnt);
117 + if (ctx->bounce_page) {
118 + if (ctx->flags & EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL) {
119 + __free_page(ctx->bounce_page);
120 + atomic_dec(&ext4_dbg_pages);
121 + } else {
122 + mempool_free(ctx->bounce_page, ext4_bounce_page_pool);
123 + }
124 + ctx->bounce_page = NULL;
125 + }
126 + ctx->control_page = NULL;
127 + if (ctx->flags & EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL) {
128 + if (ctx->tfm)
129 + crypto_free_tfm(ctx->tfm);
130 + kfree(ctx);
131 + atomic_dec(&ext4_dbg_ctxs);
132 + } else {
133 + spin_lock_irqsave(&ext4_crypto_ctx_lock, flags);
134 + list_add(&ctx->free_list, &ext4_free_crypto_ctxs);
135 + spin_unlock_irqrestore(&ext4_crypto_ctx_lock, flags);
136 + }
137 +}
138 +
139 +/**
140 + * ext4_alloc_and_init_crypto_ctx() - Allocates and inits an encryption context
141 + * @mask: The allocation mask.
142 + *
143 + * Return: An allocated and initialized encryption context on
144 + * success. An error value or NULL otherwise.
145 + */
146 +static struct ext4_crypto_ctx *ext4_alloc_and_init_crypto_ctx(u32 mask)
147 +{
148 + struct ext4_crypto_ctx *ctx = kzalloc(sizeof(struct ext4_crypto_ctx),
149 + mask);
150 +
151 + if (!ctx)
152 + return ERR_PTR(-ENOMEM);
153 + atomic_inc(&ext4_dbg_ctxs);
154 + return ctx;
155 +}
156 +
157 +/**
158 + * ext4_get_crypto_ctx() - Gets an encryption context
159 + * @with_page: If true, allocates and attaches a bounce page.
160 + * @key: The encryption key for the context.
161 + *
162 + * Allocates and initializes an encryption context.
163 + *
164 + * Return: An allocated and initialized encryption context on success;
165 + * error value or NULL otherwise.
166 + */
167 +struct ext4_crypto_ctx *ext4_get_crypto_ctx(
168 + bool with_page, const struct ext4_encryption_key *key)
169 +{
170 + struct ext4_crypto_ctx *ctx = NULL;
171 + int res = 0;
172 + unsigned long flags;
173 +
174 + /* We first try getting the ctx from a free list because in
175 + * the common case the ctx will have an allocated and
176 + * initialized crypto tfm, so it's probably a worthwhile
177 + * optimization. For the bounce page, we first try getting it
178 + * from the kernel allocator because that's just about as fast
179 + * as getting it from a list and because a cache of free pages
180 + * should generally be a "last resort" option for a filesystem
181 + * to be able to do its job. */
182 + spin_lock_irqsave(&ext4_crypto_ctx_lock, flags);
183 + ctx = list_first_entry_or_null(&ext4_free_crypto_ctxs,
184 + struct ext4_crypto_ctx, free_list);
185 + if (ctx)
186 + list_del(&ctx->free_list);
187 + spin_unlock_irqrestore(&ext4_crypto_ctx_lock, flags);
188 + if (!ctx) {
189 + ctx = ext4_alloc_and_init_crypto_ctx(GFP_NOFS);
190 + if (IS_ERR(ctx)) {
191 + res = PTR_ERR(ctx);
192 + goto out;
193 + }
194 + ctx->flags |= EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL;
195 + } else {
196 + ctx->flags &= ~EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL;
197 + }
198 + atomic_set(&ctx->dbg_refcnt, 0);
199 +
200 + /* Allocate a new Crypto API context if we don't already have
201 + * one or if it isn't the right mode. */
202 + BUG_ON(key->mode == EXT4_ENCRYPTION_MODE_INVALID);
203 + if (ctx->tfm && (ctx->mode != key->mode)) {
204 + crypto_free_tfm(ctx->tfm);
205 + ctx->tfm = NULL;
206 + ctx->mode = EXT4_ENCRYPTION_MODE_INVALID;
207 + }
208 + if (!ctx->tfm) {
209 + switch (key->mode) {
210 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
211 + ctx->tfm = crypto_ablkcipher_tfm(
212 + crypto_alloc_ablkcipher("xts(aes)", 0, 0));
213 + break;
214 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
215 + /* TODO(mhalcrow): AEAD w/ gcm(aes);
216 + * crypto_aead_setauthsize() */
217 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
218 + /* TODO(mhalcrow): AHASH w/ hmac(sha1) */
219 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
220 + ctx->tfm = ERR_PTR(-ENOTSUPP);
221 + break;
222 + default:
223 + BUG();
224 + }
225 + if (IS_ERR_OR_NULL(ctx->tfm)) {
226 + res = PTR_ERR(ctx->tfm);
227 + ctx->tfm = NULL;
228 + goto out;
229 + }
230 + ctx->mode = key->mode;
231 + }
232 + BUG_ON(key->size != ext4_encryption_key_size(key->mode));
233 +
234 + /* There shouldn't be a bounce page attached to the crypto
235 + * context at this point. */
236 + BUG_ON(ctx->bounce_page);
237 + if (!with_page)
238 + goto out;
239 +
240 + /* The encryption operation will require a bounce page. */
241 + ctx->bounce_page = alloc_page(GFP_NOFS);
242 + if (!ctx->bounce_page) {
243 + /* This is a potential bottleneck, but at least we'll
244 + * have forward progress. */
245 + ctx->bounce_page = mempool_alloc(ext4_bounce_page_pool,
246 + GFP_NOFS);
247 + if (WARN_ON_ONCE(!ctx->bounce_page)) {
248 + ctx->bounce_page = mempool_alloc(ext4_bounce_page_pool,
249 + GFP_NOFS | __GFP_WAIT);
250 + }
251 + ctx->flags &= ~EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL;
252 + } else {
253 + atomic_inc(&ext4_dbg_pages);
254 + ctx->flags |= EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL;
255 + }
256 +out:
257 + if (res) {
258 + if (!IS_ERR_OR_NULL(ctx))
259 + ext4_release_crypto_ctx(ctx);
260 + ctx = ERR_PTR(res);
261 + }
262 + return ctx;
263 +}
264 +
265 +struct workqueue_struct *mpage_read_workqueue;
266 +
267 +/**
268 + * ext4_delete_crypto_ctxs() - Deletes/frees all encryption contexts
269 + */
270 +static void ext4_delete_crypto_ctxs(void)
271 +{
272 + struct ext4_crypto_ctx *pos, *n;
273 +
274 + list_for_each_entry_safe(pos, n, &ext4_free_crypto_ctxs, free_list) {
275 + if (pos->bounce_page) {
276 + if (pos->flags &
277 + EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL) {
278 + __free_page(pos->bounce_page);
279 + } else {
280 + mempool_free(pos->bounce_page,
281 + ext4_bounce_page_pool);
282 + }
283 + }
284 + if (pos->tfm)
285 + crypto_free_tfm(pos->tfm);
286 + kfree(pos);
287 + }
288 +}
289 +
290 +/**
291 + * ext4_allocate_crypto_ctxs() - Allocates a pool of encryption contexts
292 + * @num_to_allocate: The number of encryption contexts to allocate.
293 + *
294 + * Return: Zero on success, non-zero otherwise.
295 + */
296 +static int __init ext4_allocate_crypto_ctxs(size_t num_to_allocate)
297 +{
298 + struct ext4_crypto_ctx *ctx = NULL;
299 +
300 + while (num_to_allocate > 0) {
301 + ctx = ext4_alloc_and_init_crypto_ctx(GFP_KERNEL);
302 + if (IS_ERR(ctx))
303 + break;
304 + list_add(&ctx->free_list, &ext4_free_crypto_ctxs);
305 + num_to_allocate--;
306 + }
307 + if (IS_ERR(ctx))
308 + ext4_delete_crypto_ctxs();
309 + return PTR_ERR_OR_ZERO(ctx);
310 +}
311 +
312 +/**
313 + * ext4_delete_crypto() - Frees all allocated encryption objects
314 + */
315 +void ext4_delete_crypto(void)
316 +{
317 + ext4_delete_crypto_ctxs();
318 + mempool_destroy(ext4_bounce_page_pool);
319 + destroy_workqueue(mpage_read_workqueue);
320 +}
321 +
322 +/**
323 + * ext4_allocate_crypto() - Allocates encryption objects for later use
324 + * @num_crypto_pages: The number of bounce pages to allocate for encryption.
325 + * @num_crypto_ctxs: The number of encryption contexts to allocate.
326 + *
327 + * Return: Zero on success, non-zero otherwise.
328 + */
329 +int __init ext4_allocate_crypto(size_t num_crypto_pages, size_t num_crypto_ctxs)
330 +{
331 + int res = 0;
332 +
333 + mpage_read_workqueue = alloc_workqueue("ext4_crypto", WQ_HIGHPRI, 0);
334 + if (!mpage_read_workqueue) {
335 + res = -ENOMEM;
336 + goto fail;
337 + }
338 + res = ext4_allocate_crypto_ctxs(num_crypto_ctxs);
339 + if (res)
340 + goto fail;
341 + ext4_bounce_page_pool = mempool_create_page_pool(num_crypto_pages, 0);
342 + if (!ext4_bounce_page_pool)
343 + goto fail;
344 + return 0;
345 +fail:
346 + ext4_delete_crypto();
347 + return res;
348 +}
349 +
350 +/**
351 + * ext4_xts_tweak_for_page() - Generates an XTS tweak for a page
352 + * @xts_tweak: Buffer into which this writes the XTS tweak.
353 + * @page: The page for which this generates a tweak.
354 + *
355 + * Generates an XTS tweak value for the given page.
356 + */
357 +static void ext4_xts_tweak_for_page(u8 xts_tweak[EXT4_XTS_TWEAK_SIZE],
358 + const struct page *page)
359 +{
360 + /* Only do this for XTS tweak values. For other modes (CBC,
361 + * GCM, etc.), you most like will need to do something
362 + * different. */
363 + BUILD_BUG_ON(EXT4_XTS_TWEAK_SIZE < sizeof(page->index));
364 + memcpy(xts_tweak, &page->index, sizeof(page->index));
365 + memset(&xts_tweak[sizeof(page->index)], 0,
366 + EXT4_XTS_TWEAK_SIZE - sizeof(page->index));
367 +}
368 +
369 +/**
370 + * set_bh_to_page() - Re-assigns the pages for a set of buffer heads
371 + * @head: The head of the buffer list to reassign.
372 + * @page: The page to which to re-assign the buffer heads.
373 + */
374 +void set_bh_to_page(struct buffer_head *head, struct page *page)
375 +{
376 + struct buffer_head *bh = head;
377 +
378 + do {
379 + set_bh_page(bh, page, bh_offset(bh));
380 + if (PageDirty(page))
381 + set_buffer_dirty(bh);
382 + if (!bh->b_this_page)
383 + bh->b_this_page = head;
384 + } while ((bh = bh->b_this_page) != head);
385 +}
386 +
387 +struct ext4_crypt_result {
388 + struct completion completion;
389 + int res;
390 +};
391 +
392 +static void ext4_crypt_complete(struct crypto_async_request *req, int res)
393 +{
394 + struct ext4_crypt_result *ecr = req->data;
395 +
396 + if (res == -EINPROGRESS)
397 + return;
398 + ecr->res = res;
399 + complete(&ecr->completion);
400 +}
401 +
402 +/**
403 + * ext4_prep_pages_for_write() - Prepare pages for write
404 + * @ciphertext_page: Ciphertext page that will actually be written.
405 + * @plaintext_page: Plaintext page that acts as a control page.
406 + * @ctx: Encryption context for the pages.
407 + */
408 +static void ext4_prep_pages_for_write(struct page *ciphertext_page,
409 + struct page *plaintext_page,
410 + struct ext4_crypto_ctx *ctx)
411 +{
412 + SetPageDirty(ciphertext_page);
413 + SetPagePrivate(ciphertext_page);
414 + ctx->control_page = plaintext_page;
415 + set_page_private(ciphertext_page, (unsigned long)ctx);
416 + set_bh_to_page(page_buffers(plaintext_page), ciphertext_page);
417 +}
418 +
419 +/**
420 + * ext4_xts_encrypt() - Encrypts a page using AES-256-XTS
421 + * @ctx: The encryption context.
422 + * @plaintext_page: The page to encrypt. Must be locked.
423 + *
424 + * Allocates a ciphertext page and encrypts plaintext_page into it
425 + * using the ctx encryption context. Uses AES-256-XTS.
426 + *
427 + * Called on the page write path.
428 + *
429 + * Return: An allocated page with the encrypted content on
430 + * success. Else, an error value or NULL.
431 + */
432 +struct page *ext4_xts_encrypt(struct ext4_crypto_ctx *ctx,
433 + struct page *plaintext_page)
434 +{
435 + struct page *ciphertext_page = ctx->bounce_page;
436 + u8 xts_tweak[EXT4_XTS_TWEAK_SIZE];
437 + struct ablkcipher_request *req = NULL;
438 + struct ext4_crypt_result ecr;
439 + struct scatterlist dst, src;
440 + struct ext4_inode_info *ei = EXT4_I(plaintext_page->mapping->host);
441 + struct crypto_ablkcipher *atfm = __crypto_ablkcipher_cast(ctx->tfm);
442 + int res = 0;
443 +
444 + BUG_ON(!ciphertext_page);
445 + BUG_ON(!ctx->tfm);
446 + BUG_ON(ei->i_encryption_key.mode != EXT4_ENCRYPTION_MODE_AES_256_XTS);
447 + crypto_ablkcipher_clear_flags(atfm, ~0);
448 + crypto_tfm_set_flags(ctx->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
449 +
450 + /* Since in AES-256-XTS mode we only perform one cryptographic
451 + * operation on each block and there are no constraints about
452 + * how many blocks a single key can encrypt, we directly use
453 + * the inode master key */
454 + res = crypto_ablkcipher_setkey(atfm, ei->i_encryption_key.raw,
455 + ei->i_encryption_key.size);
456 + req = ablkcipher_request_alloc(atfm, GFP_NOFS);
457 + if (!req) {
458 + printk_ratelimited(KERN_ERR
459 + "%s: crypto_request_alloc() failed\n",
460 + __func__);
461 + ciphertext_page = ERR_PTR(-ENOMEM);
462 + goto out;
463 + }
464 + ablkcipher_request_set_callback(
465 + req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
466 + ext4_crypt_complete, &ecr);
467 + ext4_xts_tweak_for_page(xts_tweak, plaintext_page);
468 + sg_init_table(&dst, 1);
469 + sg_set_page(&dst, ciphertext_page, PAGE_CACHE_SIZE, 0);
470 + sg_init_table(&src, 1);
471 + sg_set_page(&src, plaintext_page, PAGE_CACHE_SIZE, 0);
472 + ablkcipher_request_set_crypt(req, &src, &dst, PAGE_CACHE_SIZE,
473 + xts_tweak);
474 + res = crypto_ablkcipher_encrypt(req);
475 + if (res == -EINPROGRESS || res == -EBUSY) {
476 + BUG_ON(req->base.data != &ecr);
477 + wait_for_completion(&ecr.completion);
478 + res = ecr.res;
479 + }
480 + ablkcipher_request_free(req);
481 + if (res) {
482 + printk_ratelimited(KERN_ERR "%s: crypto_ablkcipher_encrypt() returned %d\n",
483 + __func__, res);
484 + ciphertext_page = ERR_PTR(res);
485 + goto out;
486 + }
487 +out:
488 + return ciphertext_page;
489 +}
490 +
491 +/**
492 + * ext4_encrypt() - Encrypts a page
493 + * @ctx: The encryption context.
494 + * @plaintext_page: The page to encrypt. Must be locked.
495 + *
496 + * Allocates a ciphertext page and encrypts plaintext_page into it
497 + * using the ctx encryption context.
498 + *
499 + * Called on the page write path.
500 + *
501 + * Return: An allocated page with the encrypted content on
502 + * success. Else, an error value or NULL.
503 + */
504 +struct page *ext4_encrypt(struct ext4_crypto_ctx *ctx,
505 + struct page *plaintext_page)
506 +{
507 + struct page *ciphertext_page = NULL;
508 +
509 + BUG_ON(!PageLocked(plaintext_page));
510 + switch (ctx->mode) {
511 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
512 + ciphertext_page = ext4_xts_encrypt(ctx, plaintext_page);
513 + break;
514 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
515 + /* TODO(mhalcrow): We'll need buffers for the
516 + * generated IV and/or auth tag for this mode and the
517 + * ones below */
518 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
519 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
520 + ciphertext_page = ERR_PTR(-ENOTSUPP);
521 + break;
522 + default:
523 + BUG();
524 + }
525 + if (!IS_ERR_OR_NULL(ciphertext_page))
526 + ext4_prep_pages_for_write(ciphertext_page, plaintext_page, ctx);
527 + return ciphertext_page;
528 +}
529 +
530 +/**
531 + * ext4_xts_decrypt() - Decrypts a page using AES-256-XTS
532 + * @ctx: The encryption context.
533 + * @page: The page to decrypt. Must be locked.
534 + *
535 + * Return: Zero on success, non-zero otherwise.
536 + */
537 +int ext4_xts_decrypt(struct ext4_crypto_ctx *ctx, struct page *page)
538 +{
539 + u8 xts_tweak[EXT4_XTS_TWEAK_SIZE];
540 + struct ablkcipher_request *req = NULL;
541 + struct ext4_crypt_result ecr;
542 + struct scatterlist sg;
543 + struct ext4_inode_info *ei = EXT4_I(page->mapping->host);
544 + struct crypto_ablkcipher *atfm = __crypto_ablkcipher_cast(ctx->tfm);
545 + int res = 0;
546 +
547 + BUG_ON(!ctx->tfm);
548 + BUG_ON(ei->i_encryption_key.mode != EXT4_ENCRYPTION_MODE_AES_256_XTS);
549 + crypto_ablkcipher_clear_flags(atfm, ~0);
550 + crypto_tfm_set_flags(ctx->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
551 +
552 + /* Since in AES-256-XTS mode we only perform one cryptographic
553 + * operation on each block and there are no constraints about
554 + * how many blocks a single key can encrypt, we directly use
555 + * the inode master key */
556 + res = crypto_ablkcipher_setkey(atfm, ei->i_encryption_key.raw,
557 + ei->i_encryption_key.size);
558 + req = ablkcipher_request_alloc(atfm, GFP_NOFS);
559 + if (!req) {
560 + res = -ENOMEM;
561 + goto out;
562 + }
563 + ablkcipher_request_set_callback(
564 + req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
565 + ext4_crypt_complete, &ecr);
566 + ext4_xts_tweak_for_page(xts_tweak, page);
567 + sg_init_table(&sg, 1);
568 + sg_set_page(&sg, page, PAGE_CACHE_SIZE, 0);
569 + ablkcipher_request_set_crypt(req, &sg, &sg, PAGE_CACHE_SIZE, xts_tweak);
570 + res = crypto_ablkcipher_decrypt(req);
571 + if (res == -EINPROGRESS || res == -EBUSY) {
572 + BUG_ON(req->base.data != &ecr);
573 + wait_for_completion(&ecr.completion);
574 + res = ecr.res;
575 + }
576 + ablkcipher_request_free(req);
577 +out:
578 + if (res)
579 + printk_ratelimited(KERN_ERR "%s: res = [%d]\n", __func__, res);
580 + return res;
581 +}
582 +
583 +/**
584 + * ext4_decrypt() - Decrypts a page in-place
585 + * @ctx: The encryption context.
586 + * @page: The page to decrypt. Must be locked.
587 + *
588 + * Decrypts page in-place using the ctx encryption context.
589 + *
590 + * Called from the read completion callback.
591 + *
592 + * Return: Zero on success, non-zero otherwise.
593 + */
594 +int ext4_decrypt(struct ext4_crypto_ctx *ctx, struct page *page)
595 +{
596 + int res = 0;
597 +
598 + BUG_ON(!PageLocked(page));
599 + switch (ctx->mode) {
600 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
601 + res = ext4_xts_decrypt(ctx, page);
602 + break;
603 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
604 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
605 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
606 + res = -ENOTSUPP;
607 + break;
608 + default:
609 + BUG();
610 + }
611 + return res;
612 +}
613 +
614 +/**
615 + * ext4_get_wrapping_key_from_keyring() - Gets a wrapping key from the keyring
616 + * @wrapping_key: Buffer into which this writes the wrapping key.
617 + * @sig: The signature for the wrapping key.
618 + *
619 + * Return: Zero on success, non-zero otherwise.
620 + */
621 +static int ext4_get_wrapping_key_from_keyring(
622 + char wrapping_key[EXT4_MAX_KEY_SIZE],
623 + const char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE])
624 +{
625 + struct key *create_key;
626 + struct encrypted_key_payload *payload;
627 + struct ecryptfs_auth_tok *auth_tok;
628 +
629 + create_key = request_key(&key_type_user, sig, NULL);
630 + if (WARN_ON_ONCE(IS_ERR(create_key)))
631 + return -ENOENT;
632 + payload = (struct encrypted_key_payload *)create_key->payload.data;
633 + if (WARN_ON_ONCE(create_key->datalen !=
634 + sizeof(struct ecryptfs_auth_tok))) {
635 + return -EINVAL;
636 + }
637 + auth_tok = (struct ecryptfs_auth_tok *)(&(payload)->payload_data);
638 + if (WARN_ON_ONCE(!(auth_tok->token.password.flags &
639 + ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET))) {
640 + return -EINVAL;
641 + }
642 + BUILD_BUG_ON(EXT4_MAX_KEY_SIZE < EXT4_AES_256_XTS_KEY_SIZE);
643 + BUILD_BUG_ON(ECRYPTFS_MAX_KEY_BYTES < EXT4_AES_256_XTS_KEY_SIZE);
644 + memcpy(wrapping_key,
645 + auth_tok->token.password.session_key_encryption_key,
646 + EXT4_AES_256_XTS_KEY_SIZE);
647 + return 0;
648 +}
649 +
650 +/**
651 + * ext4_wrapping_key_sig_for_parent_dir() - Gets the key signature for
652 + * the parent directory
653 + * @sig: Buffer into which this writes the wrapping key signature.
654 + *
655 + * Return: Zero on success, non-zero otherwise.
656 + */
657 +static int ext4_wrapping_key_sig_for_parent_dir(
658 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE])
659 +{
660 + /* TODO(mhalcrow): Here's where we can check for wrapping key
661 + * specifier in parent directory xattr. */
662 + return -ENOTSUPP;
663 +}
664 +
665 +/**
666 + * ext4_get_wrapping_key() - Gets the wrapping key from the user session keyring
667 + * @wrapping_key: Buffer into which this writes the wrapping key.
668 + * @sig: Buffer into which this writes the wrapping key signature.
669 + * @inode: The inode for the wrapping key.
670 + *
671 + * Return: Zero on success, non-zero otherwise.
672 + */
673 +static int ext4_get_wrapping_key(
674 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE],
675 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE],
676 + const struct inode *inode)
677 +{
678 + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
679 + int res = ext4_wrapping_key_sig_for_parent_dir(sig);
680 +
681 + if (res) {
682 + BUILD_BUG_ON(ECRYPTFS_SIG_SIZE_HEX + 1 !=
683 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE);
684 + memcpy(sig,
685 + sbi->s_default_encryption_wrapper_desc.wrapping_key_sig,
686 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE);
687 + }
688 + BUG_ON(sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE - 1] != '\0');
689 + res = ext4_get_wrapping_key_from_keyring(wrapping_key, sig);
690 + return res;
691 +}
692 +
693 +/**
694 + * ext4_validate_encryption_mode() - Validate the encryption key mode
695 + * @mode: The key mode to validate.
696 + *
697 + * Return: The validated key mode. EXT4_ENCRYPTION_MODE_INVALID if
698 + * invalid.
699 + */
700 +static uint32_t ext4_validate_encryption_mode(uint32_t mode)
701 +{
702 + switch (mode) {
703 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
704 + return mode;
705 + default:
706 + break;
707 + }
708 + return EXT4_ENCRYPTION_MODE_INVALID;
709 +}
710 +
711 +/**
712 + * ext4_validate_encryption_key_size() - Validate the encryption key size
713 + * @mode: The key mode.
714 + * @size: The key size to validate.
715 + *
716 + * Return: The validated key size for @mode. Zero if invalid.
717 + */
718 +static uint32_t ext4_validate_encryption_key_size(uint32_t mode, uint32_t size)
719 +{
720 + if (size == ext4_encryption_key_size(mode))
721 + return size;
722 + return 0;
723 +}
724 +
725 +struct ext4_hmac_result {
726 + struct completion completion;
727 + int res;
728 +} ext4_hmac_result;
729 +
730 +/**
731 + * ext4_hmac_complete() - Completion for async HMAC
732 + * @req: The async request.
733 + * @res: The result of the HMAC operation.
734 + */
735 +static void ext4_hmac_complete(struct crypto_async_request *req, int res)
736 +{
737 + struct ext4_hmac_result *ehr = req->data;
738 +
739 + if (res == -EINPROGRESS)
740 + return;
741 + ehr->res = res;
742 + complete(&ehr->completion);
743 +}
744 +
745 +/**
746 + * ext4_hmac_derive_key() - Generate an HMAC
747 + * @derivation: If true, derive a key. Else, generate an integrity HMAC.
748 + * @key: The HMAC key.
749 + * @key_size: The size of @key.
750 + * @src: The data to HMAC.
751 + * @src_size: The size of @src.
752 + * @dst: The target buffer for the generated HMAC.
753 + * @dst_size: The size of @dst.
754 + *
755 + * Return: Zero on success, non-zero otherwise.
756 + */
757 +static int ext4_hmac(bool derivation, const char *key, size_t key_size,
758 + const char *src, size_t src_size, char *dst,
759 + size_t dst_size)
760 +{
761 + struct scatterlist sg;
762 + struct ahash_request *req = NULL;
763 + struct ext4_hmac_result ehr;
764 + char hmac[SHA512_DIGEST_SIZE];
765 + struct crypto_ahash *tfm = crypto_alloc_ahash(derivation ?
766 + "hmac(sha512)" :
767 + "hmac(sha1)", 0, 0);
768 + int res = 0;
769 +
770 + BUG_ON(dst_size > SHA512_DIGEST_SIZE);
771 + if (IS_ERR(tfm))
772 + return PTR_ERR(tfm);
773 + req = ahash_request_alloc(tfm, GFP_NOFS);
774 + if (!req) {
775 + res = -ENOMEM;
776 + goto out;
777 + }
778 + ahash_request_set_callback(req,
779 + (CRYPTO_TFM_REQ_MAY_BACKLOG |
780 + CRYPTO_TFM_REQ_MAY_SLEEP),
781 + ext4_hmac_complete, &ehr);
782 +
783 + res = crypto_ahash_setkey(tfm, key, key_size);
784 + if (res)
785 + goto out;
786 + sg_init_one(&sg, src, src_size);
787 + ahash_request_set_crypt(req, &sg, hmac, src_size);
788 + init_completion(&ehr.completion);
789 + res = crypto_ahash_digest(req);
790 + if (res == -EINPROGRESS || res == -EBUSY) {
791 + BUG_ON(req->base.data != &ehr);
792 + wait_for_completion(&ehr.completion);
793 + res = ehr.res;
794 + }
795 + if (res)
796 + goto out;
797 + memcpy(dst, hmac, dst_size);
798 +out:
799 + crypto_free_ahash(tfm);
800 + if (req)
801 + ahash_request_free(req);
802 + return res;
803 +}
804 +
805 +/**
806 + * ext4_hmac_derive_key() - Generate an HMAC for an key derivation (HKDF)
807 + * @key: The master key.
808 + * @key_size: The size of @key.
809 + * @src: The derivation data.
810 + * @src_size: The size of @src.
811 + * @dst: The target buffer for the derived key.
812 + * @dst_size: The size of @dst.
813 + *
814 + * Return: Zero on success, non-zero otherwise.
815 + */
816 +static int ext4_hmac_derive_key(const char *key, size_t key_size,
817 + const char *src, size_t src_size, char *dst,
818 + size_t dst_size)
819 +{
820 + return ext4_hmac(true, key, key_size, src, src_size, dst, dst_size);
821 +}
822 +
823 +/**
824 + * ext4_hmac_integrity() - Generate an HMAC for an integrity measurement
825 + * @key: The HMAC key.
826 + * @key_size: The size of @key.
827 + * @src: The data to generate the HMAC over.
828 + * @src_size: The size of @src.
829 + * @dst: The target buffer for the HMAC.
830 + * @dst_size: The size of @dst.
831 + *
832 + * Return: Zero on success, non-zero otherwise.
833 + */
834 +static int ext4_hmac_integrity(const char *key, size_t key_size,
835 + const char *src, size_t src_size, char *dst,
836 + size_t dst_size)
837 +{
838 + return ext4_hmac(false, key, key_size, src, src_size, dst, dst_size);
839 +}
840 +
841 +/**
842 + * ext4_crypt_wrapper_virt() - Encrypt a key
843 + * @enc_key: The wrapping key.
844 + * @iv: The initialization vector for the key encryption.
845 + * @src_virt: The source key object to wrap.
846 + * @dst_virt: The buffer for the wrapped key object.
847 + * @size: The size of the key object (identical for wrapped or unwrapped).
848 + * @enc: If 0, decrypt. Else, encrypt.
849 + *
850 + * Uses the wrapped key to unwrap the encryption key.
851 + *
852 + * Return: Zero on success, non-zero otherwise.
853 + */
854 +static int ext4_crypt_wrapper_virt(const char *enc_key, const char *iv,
855 + const char *src_virt, char *dst_virt,
856 + size_t size, bool enc)
857 +{
858 + struct scatterlist dst, src;
859 + struct blkcipher_desc desc = {
860 + .flags = CRYPTO_TFM_REQ_MAY_SLEEP
861 + };
862 + int res = 0;
863 +
864 + desc.tfm = crypto_alloc_blkcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
865 + if (IS_ERR(desc.tfm))
866 + return PTR_ERR(desc.tfm);
867 + if (!desc.tfm)
868 + return -ENOMEM;
869 + crypto_blkcipher_set_flags(desc.tfm, CRYPTO_TFM_REQ_WEAK_KEY);
870 + sg_init_one(&dst, dst_virt, size);
871 + sg_init_one(&src, src_virt, size);
872 + crypto_blkcipher_set_iv(desc.tfm, iv, EXT4_WRAPPING_IV_SIZE);
873 + res = crypto_blkcipher_setkey(desc.tfm, enc_key,
874 + EXT4_AES_256_CTR_KEY_SIZE);
875 + if (res)
876 + goto out;
877 + if (enc)
878 + res = crypto_blkcipher_encrypt(&desc, &dst, &src, size);
879 + else
880 + res = crypto_blkcipher_decrypt(&desc, &dst, &src, size);
881 +out:
882 + crypto_free_blkcipher(desc.tfm);
883 + return res;
884 +}
885 +
886 +/**
887 + * ext4_unwrap_key() - Unwraps the encryption key for the inode
888 + * @wrapped_key_packet: The wrapped encryption key packet.
889 + * @wrapped_key_packet_size: The wrapped encryption key packet size.
890 + * @key: The encryption key to fill in with unwrapped data.
891 + *
892 + * Uses the wrapped key to unwrap the encryption key.
893 + *
894 + * Return: Zero on success, non-zero otherwise.
895 + */
896 +static int ext4_unwrap_key(const char *wrapped_key_packet,
897 + size_t wrapped_key_packet_size,
898 + struct ext4_encryption_key *key)
899 +{
900 + struct ext4_wrapped_key_packet *packet =
901 + (struct ext4_wrapped_key_packet *)wrapped_key_packet;
902 + uint32_t packet_size = ntohl(*(uint32_t *)packet->size);
903 + struct ext4_encryption_key_packet key_packet;
904 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE];
905 + char enc_key[EXT4_AES_256_CTR_KEY_SIZE];
906 + char int_key[EXT4_HMAC_KEY_SIZE];
907 + char hmac[EXT4_HMAC_SIZE];
908 + char hmac_invalid = 0;
909 + int i;
910 + int res = 0;
911 +
912 + if (wrapped_key_packet_size < sizeof(packet_size))
913 + return -EINVAL;
914 + BUILD_BUG_ON(sizeof(struct ext4_wrapped_key_packet) !=
915 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
916 + if (packet_size != sizeof(struct ext4_wrapped_key_packet))
917 + return -EINVAL;
918 + if (wrapped_key_packet_size != packet_size)
919 + return -EINVAL;
920 + if (packet->type != EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0)
921 + return -EINVAL;
922 + if (packet->sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE - 1] != '\0')
923 + return -EINVAL;
924 + res = ext4_get_wrapping_key_from_keyring(wrapping_key, packet->sig);
925 + if (res)
926 + return res;
927 +
928 + /* Always validate the HMAC as soon as we get the key to do so */
929 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_INT_DERIVATION_TWEAK;
930 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
931 + packet->nonce,
932 + EXT4_DERIVATION_TWEAK_NONCE_SIZE, int_key,
933 + EXT4_HMAC_KEY_SIZE);
934 + if (res)
935 + goto out;
936 + res = ext4_hmac_integrity(int_key, EXT4_HMAC_KEY_SIZE,
937 + wrapped_key_packet,
938 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE -
939 + EXT4_HMAC_SIZE), hmac, EXT4_HMAC_SIZE);
940 + memset(int_key, 0, EXT4_HMAC_KEY_SIZE);
941 + for (i = 0; i < EXT4_HMAC_SIZE; ++i)
942 + hmac_invalid |= (packet->hmac[i] ^ hmac[i]);
943 + if (hmac_invalid) {
944 + printk_ratelimited(KERN_ERR "%s: Security advisory: Wrapped key HMAC check failed\n",
945 + __func__);
946 + res = -EINVAL;
947 + goto out;
948 + }
949 +
950 + /* The HMAC validated. Decrypt the key packet. */
951 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_ENC_DERIVATION_TWEAK;
952 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
953 + packet->nonce,
954 + EXT4_DERIVATION_TWEAK_NONCE_SIZE, enc_key,
955 + EXT4_AES_256_CTR_KEY_SIZE);
956 + if (res)
957 + goto out;
958 + res = ext4_crypt_wrapper_virt(enc_key, packet->iv,
959 + packet->wrapped_key_packet,
960 + (char *)&key_packet,
961 + EXT4_V0_SERIALIZED_KEY_SIZE, false);
962 + memset(enc_key, 0, EXT4_AES_256_CTR_KEY_SIZE);
963 + if (res)
964 + goto out;
965 + key->mode = ext4_validate_encryption_mode(
966 + ntohl(*((uint32_t *)key_packet.mode)));
967 + if (key->mode == EXT4_ENCRYPTION_MODE_INVALID) {
968 + res = -EINVAL;
969 + goto out;
970 + }
971 + memcpy(key->raw, key_packet.raw, EXT4_MAX_KEY_SIZE);
972 + memset(key_packet.raw, 0, EXT4_MAX_KEY_SIZE);
973 + key->size = ext4_validate_encryption_key_size(
974 + key->mode, ntohl(*((uint32_t *)key_packet.size)));
975 + if (!key->size) {
976 + res = -EINVAL;
977 + goto out;
978 + }
979 +out:
980 + if (res)
981 + key->mode = EXT4_ENCRYPTION_MODE_INVALID;
982 + memset(wrapping_key, 0, EXT4_AES_256_XTS_KEY_SIZE);
983 + return res;
984 +}
985 +
986 +/**
987 + * ext4_wrap_key() - Wraps the encryption key for the inode
988 + * @wrapped_crypto_key: The buffer into which this writes the wrapped key.
989 + * @key_packet_size: The size of the packet.
990 + * @key: The encryption key.
991 + * @inode: The inode for the encryption key.
992 + *
993 + * Generates a wrapped key packet from an encryption key and a
994 + * wrapping key for an inode.
995 + *
996 + * Return: Zero on success, non-zero otherwise.
997 + */
998 +static int ext4_wrap_key(char *wrapped_key_packet, size_t *key_packet_size,
999 + const struct ext4_encryption_key *key,
1000 + const struct inode *inode)
1001 +{
1002 + struct ext4_wrapped_key_packet *packet =
1003 + (struct ext4_wrapped_key_packet *)wrapped_key_packet;
1004 + struct ext4_encryption_key_packet key_packet;
1005 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE];
1006 + char enc_key[EXT4_AES_256_CTR_KEY_SIZE];
1007 + char int_key[EXT4_HMAC_KEY_SIZE];
1008 + int res = 0;
1009 +
1010 + BUILD_BUG_ON(sizeof(struct ext4_wrapped_key_packet) !=
1011 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1012 + if (!wrapped_key_packet) {
1013 + *key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1014 + return 0;
1015 + }
1016 + res = ext4_get_wrapping_key(wrapping_key, packet->sig, inode);
1017 + if (res)
1018 + return res;
1019 + BUG_ON(*key_packet_size != EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1020 +
1021 + /* Size, type, nonce, and IV */
1022 + *((uint32_t *)packet->size) =
1023 + htonl(EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1024 + packet->type = EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0;
1025 + get_random_bytes(packet->nonce, EXT4_NONCE_SIZE);
1026 + get_random_bytes(packet->iv, EXT4_WRAPPING_IV_SIZE);
1027 +
1028 + /* Derive the wrapping encryption key from the wrapping key */
1029 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_ENC_DERIVATION_TWEAK;
1030 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
1031 + packet->nonce,
1032 + EXT4_DERIVATION_TWEAK_NONCE_SIZE,
1033 + enc_key, EXT4_AES_256_CTR_KEY_SIZE);
1034 + if (res)
1035 + goto out;
1036 +
1037 + /* Wrap the data key with the wrapping encryption key */
1038 + *((uint32_t *)key_packet.mode) = htonl(key->mode);
1039 + memcpy(key_packet.raw, key->raw, EXT4_MAX_KEY_SIZE);
1040 + *((uint32_t *)key_packet.size) = htonl(key->size);
1041 + BUILD_BUG_ON(sizeof(struct ext4_encryption_key_packet) !=
1042 + EXT4_V0_SERIALIZED_KEY_SIZE);
1043 + res = ext4_crypt_wrapper_virt(enc_key, packet->iv, (char *)&key_packet,
1044 + (char *)&packet->wrapped_key_packet,
1045 + EXT4_V0_SERIALIZED_KEY_SIZE, true);
1046 + memset(enc_key, 0, EXT4_AES_256_CTR_KEY_SIZE);
1047 + memset(key_packet.raw, 0, EXT4_MAX_KEY_SIZE);
1048 + if (res)
1049 + goto out;
1050 +
1051 + /* Calculate the HMAC over the entire packet (except, of
1052 + * course, the HMAC buffer at the end) */
1053 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_INT_DERIVATION_TWEAK;
1054 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
1055 + packet->nonce,
1056 + EXT4_DERIVATION_TWEAK_NONCE_SIZE,
1057 + int_key, EXT4_HMAC_KEY_SIZE);
1058 + if (res)
1059 + goto out;
1060 + BUILD_BUG_ON(EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE < EXT4_HMAC_SIZE);
1061 + res = ext4_hmac_integrity(int_key, EXT4_HMAC_KEY_SIZE,
1062 + wrapped_key_packet,
1063 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE -
1064 + EXT4_HMAC_SIZE), packet->hmac,
1065 + EXT4_HMAC_SIZE);
1066 + packet->nonce[EXT4_NONCE_SIZE] = 0; /* to catch decryption bugs */
1067 + memset(int_key, 0, EXT4_HMAC_KEY_SIZE);
1068 +out:
1069 + memset(wrapping_key, 0, EXT4_AES_256_XTS_KEY_SIZE);
1070 + return res;
1071 +}
1072 +
1073 +/**
1074 + * ext4_generate_encryption_key() - Generates an encryption key
1075 + * @dentry: The dentry containing the encryption key this will set.
1076 + */
1077 +static void ext4_generate_encryption_key(const struct dentry *dentry)
1078 +{
1079 + struct ext4_inode_info *ei = EXT4_I(dentry->d_inode);
1080 + struct ext4_sb_info *sbi = EXT4_SB(dentry->d_sb);
1081 + struct ext4_encryption_key *key = &ei->i_encryption_key;
1082 +
1083 + key->mode = sbi->s_default_encryption_mode;
1084 + key->size = ext4_encryption_key_size(key->mode);
1085 + BUG_ON(!key->size);
1086 + get_random_bytes(key->raw, key->size);
1087 +}
1088 +
1089 +/**
1090 + * ext4_set_crypto_key() - Generates and sets the encryption key for the inode
1091 + * @dentry: The dentry for the encryption key.
1092 + *
1093 + * Generates the encryption key for the inode. Generates and writes
1094 + * the encryption metadata for the inode.
1095 + *
1096 + * Return: Zero on success, non-zero otherwise.
1097 + */
1098 +int ext4_set_crypto_key(struct dentry *dentry)
1099 +{
1100 + char root_packet[EXT4_PACKET_SET_V0_MAX_SIZE];
1101 + char *wrapped_key_packet = &root_packet[EXT4_PACKET_HEADER_SIZE];
1102 + size_t wrapped_key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1103 + size_t root_packet_size = (EXT4_PACKET_HEADER_SIZE +
1104 + wrapped_key_packet_size);
1105 + struct inode *inode = dentry->d_inode;
1106 + struct ext4_inode_info *ei = EXT4_I(inode);
1107 + int res = 0;
1108 +
1109 +try_again:
1110 + ext4_generate_encryption_key(dentry);
1111 + res = ext4_wrap_key(wrapped_key_packet, &wrapped_key_packet_size,
1112 + &ei->i_encryption_key, inode);
1113 + if (res)
1114 + goto out;
1115 + root_packet[0] = EXT4_PACKET_SET_VERSION_V0;
1116 + BUILD_BUG_ON(EXT4_PACKET_SET_V0_MAX_SIZE !=
1117 + (EXT4_PACKET_HEADER_SIZE +
1118 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE));
1119 + BUG_ON(sizeof(root_packet) != root_packet_size);
1120 + res = ext4_xattr_set(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA, "",
1121 + root_packet, root_packet_size, 0);
1122 +out:
1123 + if (res) {
1124 + if (res == -EINTR)
1125 + goto try_again;
1126 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1127 + printk_ratelimited(KERN_ERR "%s: res = [%d]\n", __func__, res);
1128 + }
1129 + return res;
1130 +}
1131 +
1132 +/**
1133 + * ext4_get_root_packet() - Reads the root packet
1134 + * @inode: The inode containing the root packet.
1135 + * @root_packet: The root packet.
1136 + * @root_packet_size: The size of the root packet. Set by this if
1137 + * root_packet == NULL.
1138 + *
1139 + * Return: Zero on success, non-zero otherwise.
1140 + */
1141 +static int ext4_get_root_packet(struct inode *inode, char *root_packet,
1142 + size_t *root_packet_size)
1143 +{
1144 + int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA,
1145 + "", NULL, 0);
1146 + if (res < 0)
1147 + return res;
1148 + if (!root_packet) {
1149 + *root_packet_size = res;
1150 + return 0;
1151 + }
1152 + if (res != *root_packet_size)
1153 + return -ENODATA;
1154 + res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA, "",
1155 + root_packet, res);
1156 + if (root_packet[0] != EXT4_PACKET_SET_VERSION_V0) {
1157 + printk_ratelimited(KERN_ERR "%s: Expected root packet version [%d]; got [%d]\n",
1158 + __func__, EXT4_PACKET_SET_VERSION_V0,
1159 + root_packet[0]);
1160 + return -EINVAL;
1161 + }
1162 + return 0;
1163 +}
1164 +
1165 +/**
1166 + * ext4_get_crypto_key() - Gets the encryption key for the inode
1167 + * @file: The file for the encryption key.
1168 + *
1169 + * Return: Zero on success, non-zero otherwise.
1170 + */
1171 +int ext4_get_crypto_key(const struct file *file)
1172 +{
1173 + char root_packet[EXT4_PACKET_SET_V0_MAX_SIZE];
1174 + char *wrapped_key_packet = &root_packet[EXT4_PACKET_HEADER_SIZE];
1175 + size_t wrapped_key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1176 + size_t root_packet_size = (EXT4_PACKET_HEADER_SIZE +
1177 + wrapped_key_packet_size);
1178 + struct inode *inode = file->f_mapping->host;
1179 + struct ext4_inode_info *ei = EXT4_I(inode);
1180 + int res = ext4_get_root_packet(inode, root_packet, &root_packet_size);
1181 +
1182 + if (res)
1183 + goto out;
1184 + res = ext4_unwrap_key(wrapped_key_packet,
1185 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE,
1186 + &ei->i_encryption_key);
1187 + if (res)
1188 + goto out;
1189 +out:
1190 + if (res)
1191 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1192 + return res;
1193 +}
1194 diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
1195 index 7cc5a0e..ef89b61 100644
1196 --- a/fs/ext4/ext4.h
1197 +++ b/fs/ext4/ext4.h
1198 @@ -32,6 +32,7 @@
1199 #include <linux/ratelimit.h>
1200 #include <crypto/hash.h>
1201 #include <linux/falloc.h>
1202 +#include <linux/ecryptfs.h>
1203 #ifdef __KERNEL__
1204 #include <linux/compat.h>
1205 #endif
1206 @@ -809,6 +810,8 @@ do { \
1208 #endif /* defined(__KERNEL__) || defined(__linux__) */
1210 +#include "ext4_crypto.h"
1211 +
1212 #include "extents_status.h"
1214 /*
1215 @@ -943,6 +946,10 @@ struct ext4_inode_info {
1217 /* Precomputed uuid+inum+igen checksum for seeding inode checksums */
1218 __u32 i_csum_seed;
1219 +
1220 + /* Encryption params */
1221 + struct ext4_encryption_key i_encryption_key;
1222 + struct ext4_encryption_wrapper_desc i_encryption_wrapper_desc;
1223 };
1225 /*
1226 @@ -1340,6 +1347,10 @@ struct ext4_sb_info {
1227 struct ratelimit_state s_err_ratelimit_state;
1228 struct ratelimit_state s_warning_ratelimit_state;
1229 struct ratelimit_state s_msg_ratelimit_state;
1230 +
1231 + /* Encryption */
1232 + uint32_t s_default_encryption_mode;
1233 + struct ext4_encryption_wrapper_desc s_default_encryption_wrapper_desc;
1234 };
1236 static inline struct ext4_sb_info *EXT4_SB(struct super_block *sb)
1237 @@ -2783,6 +2794,20 @@ static inline void set_bitmap_uptodate(struct buffer_head *bh)
1238 set_bit(BH_BITMAP_UPTODATE, &(bh)->b_state);
1239 }
1241 +/* crypto.c */
1242 +extern struct workqueue_struct *mpage_read_workqueue;
1243 +int ext4_allocate_crypto(size_t num_crypto_pages, size_t num_crypto_ctxs);
1244 +void ext4_delete_crypto(void);
1245 +struct ext4_crypto_ctx *ext4_get_crypto_ctx(
1246 + bool with_page, const struct ext4_encryption_key *key);
1247 +void ext4_release_crypto_ctx(struct ext4_crypto_ctx *ctx);
1248 +void set_bh_to_page(struct buffer_head *head, struct page *page);
1249 +struct page *ext4_encrypt(struct ext4_crypto_ctx *ctx,
1250 + struct page *plaintext_page);
1251 +int ext4_decrypt(struct ext4_crypto_ctx *ctx, struct page *page);
1252 +int ext4_get_crypto_key(const struct file *file);
1253 +int ext4_set_crypto_key(struct dentry *dentry);
1254 +
1255 /*
1256 * Disable DIO read nolock optimization, so new dioreaders will be forced
1257 * to grab i_mutex
1258 diff --git a/fs/ext4/ext4_crypto.h b/fs/ext4/ext4_crypto.h
1259 new file mode 100644
1260 index 0000000..8eaf273
1261 --- /dev/null
1262 +++ b/fs/ext4/ext4_crypto.h
1263 @@ -0,0 +1,175 @@
1264 +/*
1265 + * linux/fs/ext4/ext4_crypto.h
1266 + *
1267 + * This contains encryption header content for ext4
1268 + *
1269 + * Written by Michael Halcrow, 2014.
1270 + */
1271 +
1272 +#ifndef _EXT4_CRYPTO_H
1273 +#define _EXT4_CRYPTO_H
1274 +
1275 +/* Encryption parameters */
1276 +#define EXT4_AES_256_XTS_KEY_SIZE 64
1277 +#define EXT4_XTS_TWEAK_SIZE 16
1278 +#define EXT4_AES_256_CTR_KEY_SIZE 32
1279 +#define EXT4_AES_256_ECB_KEY_SIZE 32
1280 +#define EXT4_HMAC_KEY_SIZE 12
1281 +#define EXT4_HMAC_SIZE 12
1282 +#define EXT4_NONCE_SIZE 12
1283 +#define EXT4_DERIVATION_TWEAK_SIZE 1
1284 +#define EXT4_DERIVATION_TWEAK_NONCE_SIZE (EXT4_NONCE_SIZE + \
1285 + EXT4_DERIVATION_TWEAK_SIZE)
1286 +#define EXT4_WRAPPING_ENC_DERIVATION_TWEAK 'e'
1287 +#define EXT4_WRAPPING_INT_DERIVATION_TWEAK 'i'
1288 +#define EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE \
1289 + (EXT4_AES_256_XTS_KEY_SIZE + EXT4_HMAC_KEY_SIZE)
1290 +#define EXT4_AES_256_GCM_KEY_SIZE 32
1291 +#define EXT4_AES_256_GCM_AUTH_SIZE 16
1292 +#define EXT4_GCM_ASSOC_DATA_SIZE sizeof(pgoff_t)
1293 +#define EXT4_PAGE_REGION_INDEX_SHIFT 16 /* 2**16-sized regions */
1294 +#define EXT4_MAX_KEY_SIZE EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE
1295 +#define EXT4_MAX_IV_SIZE AES_BLOCK_SIZE
1296 +#define EXT4_MAX_AUTH_SIZE EXT4_AES_256_GCM_AUTH_SIZE
1297 +
1298 +/* The metadata directory is only necessary only for the sibling file
1299 + * directory under the mount root, which will be replaced by per-block
1300 + * metadata when it's ready. */
1301 +#define EXT4_METADATA_DIRECTORY_NAME ".ext4_crypt_data"
1302 +#define EXT4_METADATA_DIRECTORY_NAME_SIZE 16
1303 +
1304 +/**
1305 + * Packet format:
1306 + * 4 bytes: Size of packet (inclusive of these 4 bytes)
1307 + * 1 byte: Packet type/version
1308 + * Variable bytes: Packet content (may contain nested packets)
1309 + *
1310 + * Packets may be nested. The top-level packet is the "packet set".
1311 + */
1312 +#define EXT4_PACKET_SET_VERSION_V0 ((char)0x00)
1313 +#define EXT4_PACKET_SET_VERSION_SIZE 1
1314 +#define EXT4_PACKET_SIZE_SIZE 4
1315 +#define EXT4_PACKET_TYPE_SIZE 1
1316 +#define EXT4_PACKET_HEADER_SIZE (EXT4_PACKET_SIZE_SIZE + EXT4_PACKET_TYPE_SIZE)
1317 +
1318 +/**
1319 + * Wrapped key packet format:
1320 + * 4 bytes: Size of packet (inclusive of these 4 bytes)
1321 + * 1 byte: Packet type/version (0x00)
1322 + * 17 bytes: NULL-terminated wrapping key signature (printable)
1323 + * 13 bytes: Derivation nonce (last byte ignored)
1324 + * 16 bytes: IV
1325 + * Variable bytes: Serialized key, AES-256-CTR encrypted
1326 + * 12 bytes: HMAC-SHA1(everything preceding)
1327 + */
1328 +#define EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0 ((char)0x00)
1329 +#define EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE (ECRYPTFS_SIG_SIZE_HEX + 1)
1330 +#define EXT4_WRAPPING_IV_SIZE 16
1331 +
1332 +/* These #defines may seem redundant to the sizeof the structs below
1333 + * them. Since naively changing the structs can result in nasty bugs
1334 + * that might have security implications, we use the explict sizes
1335 + * together with BUILD_BUG_ON() to help avoid mistakes. */
1336 +#define EXT4_V0_SERIALIZED_KEY_SIZE (sizeof(uint32_t) + \
1337 + EXT4_MAX_KEY_SIZE + \
1338 + sizeof(uint32_t))
1339 +#define EXT4_WRAPPED_KEY_PACKET_V0_SIZE ( \
1340 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE + \
1341 + EXT4_DERIVATION_TWEAK_NONCE_SIZE + \
1342 + EXT4_WRAPPING_IV_SIZE + \
1343 + EXT4_V0_SERIALIZED_KEY_SIZE + \
1344 + EXT4_HMAC_SIZE)
1345 +
1346 +#define EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE ((uint32_t)( \
1347 + EXT4_PACKET_HEADER_SIZE + \
1348 + EXT4_WRAPPED_KEY_PACKET_V0_SIZE))
1349 +
1350 +/* V0 supports only one key in a fixed xattr space. If/when compelling
1351 + * requirements come along, future versions may be able to use
1352 + * (non-xattr) metadata storage to store an arbitrary number of
1353 + * wrapped keys. In the meantime, we won't spend the code complexity
1354 + * budget on supporting multiple wrapped keys. */
1355 +#define EXT4_PACKET_SET_V0_MAX_WRAPPED_KEYS 1
1356 +#define EXT4_PACKET_SET_V0_MAX_SIZE ((uint32_t)( \
1357 + EXT4_PACKET_HEADER_SIZE + \
1358 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE * \
1359 + EXT4_PACKET_SET_V0_MAX_WRAPPED_KEYS)))
1360 +
1361 +/* Don't change this without also changing the packet type. Serialized
1362 + * packets are cast directly into this struct. */
1363 +struct ext4_encryption_key_packet {
1364 + char mode[sizeof(uint32_t)]; /* Network byte order */
1365 + char raw[EXT4_MAX_KEY_SIZE];
1366 + char size[sizeof(uint32_t)]; /* Network byte order */
1367 +} __attribute__((__packed__));
1368 +
1369 +/**
1370 + * If you change the existing modes (order or type), you'll need to
1371 + * change the packet type too.
1372 + */
1373 +enum ext4_encryption_mode {
1374 + EXT4_ENCRYPTION_MODE_INVALID = 0,
1375 + EXT4_ENCRYPTION_MODE_AES_256_XTS,
1376 + EXT4_ENCRYPTION_MODE_AES_256_GCM,
1377 + EXT4_ENCRYPTION_MODE_HMAC_SHA1,
1378 + EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1,
1379 +};
1380 +
1381 +struct ext4_encryption_key {
1382 + uint32_t mode;
1383 + char raw[EXT4_MAX_KEY_SIZE];
1384 + uint32_t size;
1385 +};
1386 +
1387 +/* Don't change this without also changing the packet type. Serialized
1388 + * packets are cast directly into this struct. */
1389 +struct ext4_wrapped_key_packet {
1390 + char size[sizeof(uint32_t)]; /* Network byte order */
1391 + char type;
1392 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE];
1393 + char nonce[EXT4_DERIVATION_TWEAK_NONCE_SIZE];
1394 + char iv[EXT4_WRAPPING_IV_SIZE];
1395 + char wrapped_key_packet[sizeof(struct ext4_encryption_key_packet)];
1396 + char hmac[EXT4_HMAC_SIZE];
1397 +} __attribute__((__packed__));
1398 +
1399 +struct ext4_encryption_wrapper_desc {
1400 + char wrapping_key_sig[ECRYPTFS_SIG_SIZE_HEX + 1];
1401 +};
1402 +
1403 +#define EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001
1404 +#define EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL 0x00000002
1405 +
1406 +struct ext4_crypto_ctx {
1407 + struct crypto_tfm *tfm; /* Crypto API context */
1408 + struct page *bounce_page; /* Ciphertext page on write path */
1409 + struct page *control_page; /* Original page on write path */
1410 + struct bio *bio; /* The bio for this context */
1411 + struct work_struct work; /* Work queue for read complete path */
1412 + struct list_head free_list; /* Free list */
1413 + int flags; /* Flags */
1414 + enum ext4_encryption_mode mode; /* Encryption mode for tfm */
1415 + atomic_t dbg_refcnt; /* TODO(mhalcrow): Remove for release */
1416 +};
1417 +
1418 +static inline int ext4_encryption_key_size(enum ext4_encryption_mode mode)
1419 +{
1420 + switch (mode) {
1421 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
1422 + return EXT4_AES_256_XTS_KEY_SIZE;
1423 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
1424 + return EXT4_AES_256_GCM_KEY_SIZE;
1425 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
1426 + return EXT4_HMAC_KEY_SIZE;
1427 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
1428 + return EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE;
1429 + default:
1430 + BUG();
1431 + }
1432 + return 0;
1433 +}
1434 +
1435 +extern atomic_t ext4_dbg_pages; /* TODO(mhalcrow): Remove for release */
1436 +extern atomic_t ext4_dbg_ctxs; /* TODO(mhalcrow): Remove for release */
1437 +
1438 +#endif /* _EXT4_CRYPTO_H */
1439 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1440 index 6df7bc6..a0355a0 100644
1441 --- a/fs/ext4/super.c
1442 +++ b/fs/ext4/super.c
1443 @@ -904,6 +904,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb)
1444 atomic_set(&ei->i_ioend_count, 0);
1445 atomic_set(&ei->i_unwritten, 0);
1446 INIT_WORK(&ei->i_rsv_conversion_work, ext4_end_io_rsv_work);
1447 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1449 return &ei->vfs_inode;
1450 }
1451 @@ -1168,7 +1169,7 @@ enum {
1452 Opt_inode_readahead_blks, Opt_journal_ioprio,
1453 Opt_dioread_nolock, Opt_dioread_lock,
1454 Opt_discard, Opt_nodiscard, Opt_init_itable, Opt_noinit_itable,
1455 - Opt_max_dir_size_kb,
1456 + Opt_max_dir_size_kb, Opt_encrypt_key_sig,
1457 };
1459 static const match_table_t tokens = {
1460 @@ -1244,6 +1245,7 @@ static const match_table_t tokens = {
1461 {Opt_init_itable, "init_itable"},
1462 {Opt_noinit_itable, "noinit_itable"},
1463 {Opt_max_dir_size_kb, "max_dir_size_kb=%u"},
1464 + {Opt_encrypt_key_sig, "encrypt_key_sig=%s"},
1465 {Opt_removed, "check=none"}, /* mount option from ext2/3 */
1466 {Opt_removed, "nocheck"}, /* mount option from ext2/3 */
1467 {Opt_removed, "reservation"}, /* mount option from ext2/3 */
1468 @@ -1442,6 +1444,7 @@ static const struct mount_opts {
1469 {Opt_jqfmt_vfsv0, QFMT_VFS_V0, MOPT_QFMT},
1470 {Opt_jqfmt_vfsv1, QFMT_VFS_V1, MOPT_QFMT},
1471 {Opt_max_dir_size_kb, 0, MOPT_GTE0},
1472 + {Opt_encrypt_key_sig, 0, MOPT_STRING},
1473 {Opt_err, 0, 0}
1474 };
1476 @@ -1543,6 +1546,28 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token,
1477 sbi->s_li_wait_mult = arg;
1478 } else if (token == Opt_max_dir_size_kb) {
1479 sbi->s_max_dir_size_kb = arg;
1480 + } else if (token == Opt_encrypt_key_sig) {
1481 + char *encrypt_key_sig;
1482 +
1483 + encrypt_key_sig = match_strdup(&args[0]);
1484 + if (!encrypt_key_sig) {
1485 + ext4_msg(sb, KERN_ERR,
1486 + "error: could not dup encryption key sig string");
1487 + return -1;
1488 + }
1489 + if (strlen(encrypt_key_sig) != ECRYPTFS_SIG_SIZE_HEX) {
1490 + ext4_msg(sb, KERN_ERR,
1491 + "error: encryption key sig string must be length %d",
1492 + ECRYPTFS_SIG_SIZE_HEX);
1493 + return -1;
1494 + }
1495 + sbi->s_default_encryption_mode =
1496 + EXT4_ENCRYPTION_MODE_AES_256_XTS;
1497 + memcpy(sbi->s_default_encryption_wrapper_desc.wrapping_key_sig,
1498 + encrypt_key_sig,
1499 + ECRYPTFS_SIG_SIZE_HEX);
1500 + sbi->s_default_encryption_wrapper_desc.wrapping_key_sig[
1501 + ECRYPTFS_SIG_SIZE_HEX] = '\0';
1502 } else if (token == Opt_stripe) {
1503 sbi->s_stripe = arg;
1504 } else if (token == Opt_resuid) {
1505 @@ -5517,6 +5542,8 @@ struct mutex ext4__aio_mutex[EXT4_WQ_HASH_SZ];
1506 static int __init ext4_init_fs(void)
1507 {
1508 int i, err;
1509 + static size_t num_prealloc_crypto_pages = 32;
1510 + static size_t num_prealloc_crypto_ctxs = 128;
1512 ext4_li_info = NULL;
1513 mutex_init(&ext4_li_mtx);
1514 @@ -5529,10 +5556,15 @@ static int __init ext4_init_fs(void)
1515 init_waitqueue_head(&ext4__ioend_wq[i]);
1516 }
1518 - err = ext4_init_es();
1519 + err = ext4_allocate_crypto(num_prealloc_crypto_pages,
1520 + num_prealloc_crypto_ctxs);
1521 if (err)
1522 return err;
1524 + err = ext4_init_es();
1525 + if (err)
1526 + goto out8;
1527 +
1528 err = ext4_init_pageio();
1529 if (err)
1530 goto out7;
1531 @@ -5585,6 +5617,8 @@ out6:
1532 ext4_exit_pageio();
1533 out7:
1534 ext4_exit_es();
1535 +out8:
1536 + ext4_delete_crypto();
1538 return err;
1539 }
1540 diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
1541 index 29bedf5..29d47c7 100644
1542 --- a/fs/ext4/xattr.h
1543 +++ b/fs/ext4/xattr.h
1544 @@ -23,6 +23,7 @@
1545 #define EXT4_XATTR_INDEX_SECURITY 6
1546 #define EXT4_XATTR_INDEX_SYSTEM 7
1547 #define EXT4_XATTR_INDEX_RICHACL 8
1548 +#define EXT4_XATTR_INDEX_ENCRYPTION_METADATA 9
1550 struct ext4_xattr_header {
1551 __le32 h_magic; /* magic number for identification */
1552 --
1553 2.1.0.rc2.206.gedb03e5