1 ext4: add EXT4 encryption facilities
3 From: Mike Halcrow <mhalcrow@google.com>
5 On encrypt, we will re-assign the buffer_heads to point to a bounce
6 page rather than the control_page (which is the original page to write
7 that contains the plaintext). The block I/O occurs against the bounce
8 page. On write completion, we re-assign the buffer_heads to the
9 original plaintext page.
11 On decrypt, we will attach a read completion callback to the bio
12 struct. This read completion will decrypt the read contents in-place
13 prior to setting the page up-to-date.
15 The current encryption mode, AES-256-XTS, represents the first of
16 several encryption modes on the roadmap. Future in-plan modes are
17 HMAC-SHA1 (integrity only), AES-256-XTS+RANDOM_TWEAK+HMAC-SHA1, and
20 Signed-off-by: Michael Halcrow <mhalcrow@google.com>
21 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
23 fs/ext4/Makefile | 9 +-
24 fs/ext4/crypto.c | 1135 +++++++++++++++++++++++++++++++++++++++++++++++++
25 fs/ext4/ext4.h | 25 ++
26 fs/ext4/ext4_crypto.h | 175 ++++++++
27 fs/ext4/super.c | 38 +-
29 6 files changed, 1377 insertions(+), 6 deletions(-)
30 create mode 100644 fs/ext4/crypto.c
31 create mode 100644 fs/ext4/ext4_crypto.h
33 diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile
34 index 0310fec..de4de1c 100644
35 --- a/fs/ext4/Makefile
36 +++ b/fs/ext4/Makefile
39 obj-$(CONFIG_EXT4_FS) += ext4.o
41 -ext4-y := balloc.o bitmap.o dir.o file.o fsync.o ialloc.o inode.o page-io.o \
42 - ioctl.o namei.o super.o symlink.o hash.o resize.o extents.o \
43 - ext4_jbd2.o migrate.o mballoc.o block_validity.o move_extent.o \
44 - mmp.o indirect.o extents_status.o xattr.o xattr_user.o \
45 +ext4-y := balloc.o bitmap.o crypto.o dir.o file.o fsync.o ialloc.o \
46 + inode.o page-io.o ioctl.o namei.o super.o symlink.o \
47 + hash.o resize.o extents.o ext4_jbd2.o migrate.o \
48 + mballoc.o block_validity.o move_extent.o mmp.o \
49 + indirect.o extents_status.o xattr.o xattr_user.o \
50 xattr_trusted.o inline.o
52 ext4-$(CONFIG_EXT4_FS_POSIX_ACL) += acl.o
53 diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c
55 index 0000000..ead3111
57 +++ b/fs/ext4/crypto.c
60 + * linux/fs/ext4/crypto.c
62 + * This contains encryption functions for ext4
64 + * Written by Michael Halcrow, 2014.
66 + * This has not yet undergone a rigorous security audit.
68 + * The usage of AES-XTS should conform to recommendations in NIST
69 + * Special Publication 800-38E. The usage of AES-GCM should conform to
70 + * the recommendations in NIST Special Publication 800-38D. Further
71 + * guidance for block-oriented storage is in IEEE P1619/D16. The key
72 + * derivation code implements an HKDF (see RFC 5869).
75 +#include <crypto/hash.h>
76 +#include <crypto/sha.h>
77 +#include <keys/user-type.h>
78 +#include <keys/encrypted-type.h>
79 +#include <linux/crypto.h>
80 +#include <linux/gfp.h>
81 +#include <linux/kernel.h>
82 +#include <linux/key.h>
83 +#include <linux/list.h>
84 +#include <linux/mempool.h>
85 +#include <linux/random.h>
86 +#include <linux/scatterlist.h>
87 +#include <linux/spinlock_types.h>
92 +/* Encryption added and removed here! (L: */
94 +mempool_t *ext4_bounce_page_pool = NULL;
96 +LIST_HEAD(ext4_free_crypto_ctxs);
97 +DEFINE_SPINLOCK(ext4_crypto_ctx_lock);
99 +/* TODO(mhalcrow): Remove for release */
100 +atomic_t ext4_dbg_pages = ATOMIC_INIT(0);
101 +atomic_t ext4_dbg_ctxs = ATOMIC_INIT(0);
104 + * ext4_release_crypto_ctx() - Releases an encryption context
105 + * @ctx: The encryption context to release.
107 + * If the encryption context was allocated from the pre-allocated
108 + * pool, returns it to that pool. Else, frees it.
110 + * If there's a bounce page in the context, this frees that.
112 +void ext4_release_crypto_ctx(struct ext4_crypto_ctx *ctx)
114 + unsigned long flags;
116 + atomic_dec(&ctx->dbg_refcnt);
117 + if (ctx->bounce_page) {
118 + if (ctx->flags & EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL) {
119 + __free_page(ctx->bounce_page);
120 + atomic_dec(&ext4_dbg_pages);
122 + mempool_free(ctx->bounce_page, ext4_bounce_page_pool);
124 + ctx->bounce_page = NULL;
126 + ctx->control_page = NULL;
127 + if (ctx->flags & EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL) {
129 + crypto_free_tfm(ctx->tfm);
131 + atomic_dec(&ext4_dbg_ctxs);
133 + spin_lock_irqsave(&ext4_crypto_ctx_lock, flags);
134 + list_add(&ctx->free_list, &ext4_free_crypto_ctxs);
135 + spin_unlock_irqrestore(&ext4_crypto_ctx_lock, flags);
140 + * ext4_alloc_and_init_crypto_ctx() - Allocates and inits an encryption context
141 + * @mask: The allocation mask.
143 + * Return: An allocated and initialized encryption context on
144 + * success. An error value or NULL otherwise.
146 +static struct ext4_crypto_ctx *ext4_alloc_and_init_crypto_ctx(u32 mask)
148 + struct ext4_crypto_ctx *ctx = kzalloc(sizeof(struct ext4_crypto_ctx),
152 + return ERR_PTR(-ENOMEM);
153 + atomic_inc(&ext4_dbg_ctxs);
158 + * ext4_get_crypto_ctx() - Gets an encryption context
159 + * @with_page: If true, allocates and attaches a bounce page.
160 + * @key: The encryption key for the context.
162 + * Allocates and initializes an encryption context.
164 + * Return: An allocated and initialized encryption context on success;
165 + * error value or NULL otherwise.
167 +struct ext4_crypto_ctx *ext4_get_crypto_ctx(
168 + bool with_page, const struct ext4_encryption_key *key)
170 + struct ext4_crypto_ctx *ctx = NULL;
172 + unsigned long flags;
174 + /* We first try getting the ctx from a free list because in
175 + * the common case the ctx will have an allocated and
176 + * initialized crypto tfm, so it's probably a worthwhile
177 + * optimization. For the bounce page, we first try getting it
178 + * from the kernel allocator because that's just about as fast
179 + * as getting it from a list and because a cache of free pages
180 + * should generally be a "last resort" option for a filesystem
181 + * to be able to do its job. */
182 + spin_lock_irqsave(&ext4_crypto_ctx_lock, flags);
183 + ctx = list_first_entry_or_null(&ext4_free_crypto_ctxs,
184 + struct ext4_crypto_ctx, free_list);
186 + list_del(&ctx->free_list);
187 + spin_unlock_irqrestore(&ext4_crypto_ctx_lock, flags);
189 + ctx = ext4_alloc_and_init_crypto_ctx(GFP_NOFS);
191 + res = PTR_ERR(ctx);
194 + ctx->flags |= EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL;
196 + ctx->flags &= ~EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL;
198 + atomic_set(&ctx->dbg_refcnt, 0);
200 + /* Allocate a new Crypto API context if we don't already have
201 + * one or if it isn't the right mode. */
202 + BUG_ON(key->mode == EXT4_ENCRYPTION_MODE_INVALID);
203 + if (ctx->tfm && (ctx->mode != key->mode)) {
204 + crypto_free_tfm(ctx->tfm);
206 + ctx->mode = EXT4_ENCRYPTION_MODE_INVALID;
209 + switch (key->mode) {
210 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
211 + ctx->tfm = crypto_ablkcipher_tfm(
212 + crypto_alloc_ablkcipher("xts(aes)", 0, 0));
214 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
215 + /* TODO(mhalcrow): AEAD w/ gcm(aes);
216 + * crypto_aead_setauthsize() */
217 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
218 + /* TODO(mhalcrow): AHASH w/ hmac(sha1) */
219 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
220 + ctx->tfm = ERR_PTR(-ENOTSUPP);
225 + if (IS_ERR_OR_NULL(ctx->tfm)) {
226 + res = PTR_ERR(ctx->tfm);
230 + ctx->mode = key->mode;
232 + BUG_ON(key->size != ext4_encryption_key_size(key->mode));
234 + /* There shouldn't be a bounce page attached to the crypto
235 + * context at this point. */
236 + BUG_ON(ctx->bounce_page);
240 + /* The encryption operation will require a bounce page. */
241 + ctx->bounce_page = alloc_page(GFP_NOFS);
242 + if (!ctx->bounce_page) {
243 + /* This is a potential bottleneck, but at least we'll
244 + * have forward progress. */
245 + ctx->bounce_page = mempool_alloc(ext4_bounce_page_pool,
247 + if (WARN_ON_ONCE(!ctx->bounce_page)) {
248 + ctx->bounce_page = mempool_alloc(ext4_bounce_page_pool,
249 + GFP_NOFS | __GFP_WAIT);
251 + ctx->flags &= ~EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL;
253 + atomic_inc(&ext4_dbg_pages);
254 + ctx->flags |= EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL;
258 + if (!IS_ERR_OR_NULL(ctx))
259 + ext4_release_crypto_ctx(ctx);
260 + ctx = ERR_PTR(res);
265 +struct workqueue_struct *mpage_read_workqueue;
268 + * ext4_delete_crypto_ctxs() - Deletes/frees all encryption contexts
270 +static void ext4_delete_crypto_ctxs(void)
272 + struct ext4_crypto_ctx *pos, *n;
274 + list_for_each_entry_safe(pos, n, &ext4_free_crypto_ctxs, free_list) {
275 + if (pos->bounce_page) {
277 + EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL) {
278 + __free_page(pos->bounce_page);
280 + mempool_free(pos->bounce_page,
281 + ext4_bounce_page_pool);
285 + crypto_free_tfm(pos->tfm);
291 + * ext4_allocate_crypto_ctxs() - Allocates a pool of encryption contexts
292 + * @num_to_allocate: The number of encryption contexts to allocate.
294 + * Return: Zero on success, non-zero otherwise.
296 +static int __init ext4_allocate_crypto_ctxs(size_t num_to_allocate)
298 + struct ext4_crypto_ctx *ctx = NULL;
300 + while (num_to_allocate > 0) {
301 + ctx = ext4_alloc_and_init_crypto_ctx(GFP_KERNEL);
304 + list_add(&ctx->free_list, &ext4_free_crypto_ctxs);
308 + ext4_delete_crypto_ctxs();
309 + return PTR_ERR_OR_ZERO(ctx);
313 + * ext4_delete_crypto() - Frees all allocated encryption objects
315 +void ext4_delete_crypto(void)
317 + ext4_delete_crypto_ctxs();
318 + mempool_destroy(ext4_bounce_page_pool);
319 + destroy_workqueue(mpage_read_workqueue);
323 + * ext4_allocate_crypto() - Allocates encryption objects for later use
324 + * @num_crypto_pages: The number of bounce pages to allocate for encryption.
325 + * @num_crypto_ctxs: The number of encryption contexts to allocate.
327 + * Return: Zero on success, non-zero otherwise.
329 +int __init ext4_allocate_crypto(size_t num_crypto_pages, size_t num_crypto_ctxs)
333 + mpage_read_workqueue = alloc_workqueue("ext4_crypto", WQ_HIGHPRI, 0);
334 + if (!mpage_read_workqueue) {
338 + res = ext4_allocate_crypto_ctxs(num_crypto_ctxs);
341 + ext4_bounce_page_pool = mempool_create_page_pool(num_crypto_pages, 0);
342 + if (!ext4_bounce_page_pool)
346 + ext4_delete_crypto();
351 + * ext4_xts_tweak_for_page() - Generates an XTS tweak for a page
352 + * @xts_tweak: Buffer into which this writes the XTS tweak.
353 + * @page: The page for which this generates a tweak.
355 + * Generates an XTS tweak value for the given page.
357 +static void ext4_xts_tweak_for_page(u8 xts_tweak[EXT4_XTS_TWEAK_SIZE],
358 + const struct page *page)
360 + /* Only do this for XTS tweak values. For other modes (CBC,
361 + * GCM, etc.), you most like will need to do something
363 + BUILD_BUG_ON(EXT4_XTS_TWEAK_SIZE < sizeof(page->index));
364 + memcpy(xts_tweak, &page->index, sizeof(page->index));
365 + memset(&xts_tweak[sizeof(page->index)], 0,
366 + EXT4_XTS_TWEAK_SIZE - sizeof(page->index));
370 + * set_bh_to_page() - Re-assigns the pages for a set of buffer heads
371 + * @head: The head of the buffer list to reassign.
372 + * @page: The page to which to re-assign the buffer heads.
374 +void set_bh_to_page(struct buffer_head *head, struct page *page)
376 + struct buffer_head *bh = head;
379 + set_bh_page(bh, page, bh_offset(bh));
380 + if (PageDirty(page))
381 + set_buffer_dirty(bh);
382 + if (!bh->b_this_page)
383 + bh->b_this_page = head;
384 + } while ((bh = bh->b_this_page) != head);
387 +struct ext4_crypt_result {
388 + struct completion completion;
392 +static void ext4_crypt_complete(struct crypto_async_request *req, int res)
394 + struct ext4_crypt_result *ecr = req->data;
396 + if (res == -EINPROGRESS)
399 + complete(&ecr->completion);
403 + * ext4_prep_pages_for_write() - Prepare pages for write
404 + * @ciphertext_page: Ciphertext page that will actually be written.
405 + * @plaintext_page: Plaintext page that acts as a control page.
406 + * @ctx: Encryption context for the pages.
408 +static void ext4_prep_pages_for_write(struct page *ciphertext_page,
409 + struct page *plaintext_page,
410 + struct ext4_crypto_ctx *ctx)
412 + SetPageDirty(ciphertext_page);
413 + SetPagePrivate(ciphertext_page);
414 + ctx->control_page = plaintext_page;
415 + set_page_private(ciphertext_page, (unsigned long)ctx);
416 + set_bh_to_page(page_buffers(plaintext_page), ciphertext_page);
420 + * ext4_xts_encrypt() - Encrypts a page using AES-256-XTS
421 + * @ctx: The encryption context.
422 + * @plaintext_page: The page to encrypt. Must be locked.
424 + * Allocates a ciphertext page and encrypts plaintext_page into it
425 + * using the ctx encryption context. Uses AES-256-XTS.
427 + * Called on the page write path.
429 + * Return: An allocated page with the encrypted content on
430 + * success. Else, an error value or NULL.
432 +struct page *ext4_xts_encrypt(struct ext4_crypto_ctx *ctx,
433 + struct page *plaintext_page)
435 + struct page *ciphertext_page = ctx->bounce_page;
436 + u8 xts_tweak[EXT4_XTS_TWEAK_SIZE];
437 + struct ablkcipher_request *req = NULL;
438 + struct ext4_crypt_result ecr;
439 + struct scatterlist dst, src;
440 + struct ext4_inode_info *ei = EXT4_I(plaintext_page->mapping->host);
441 + struct crypto_ablkcipher *atfm = __crypto_ablkcipher_cast(ctx->tfm);
444 + BUG_ON(!ciphertext_page);
446 + BUG_ON(ei->i_encryption_key.mode != EXT4_ENCRYPTION_MODE_AES_256_XTS);
447 + crypto_ablkcipher_clear_flags(atfm, ~0);
448 + crypto_tfm_set_flags(ctx->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
450 + /* Since in AES-256-XTS mode we only perform one cryptographic
451 + * operation on each block and there are no constraints about
452 + * how many blocks a single key can encrypt, we directly use
453 + * the inode master key */
454 + res = crypto_ablkcipher_setkey(atfm, ei->i_encryption_key.raw,
455 + ei->i_encryption_key.size);
456 + req = ablkcipher_request_alloc(atfm, GFP_NOFS);
458 + printk_ratelimited(KERN_ERR
459 + "%s: crypto_request_alloc() failed\n",
461 + ciphertext_page = ERR_PTR(-ENOMEM);
464 + ablkcipher_request_set_callback(
465 + req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
466 + ext4_crypt_complete, &ecr);
467 + ext4_xts_tweak_for_page(xts_tweak, plaintext_page);
468 + sg_init_table(&dst, 1);
469 + sg_set_page(&dst, ciphertext_page, PAGE_CACHE_SIZE, 0);
470 + sg_init_table(&src, 1);
471 + sg_set_page(&src, plaintext_page, PAGE_CACHE_SIZE, 0);
472 + ablkcipher_request_set_crypt(req, &src, &dst, PAGE_CACHE_SIZE,
474 + res = crypto_ablkcipher_encrypt(req);
475 + if (res == -EINPROGRESS || res == -EBUSY) {
476 + BUG_ON(req->base.data != &ecr);
477 + wait_for_completion(&ecr.completion);
480 + ablkcipher_request_free(req);
482 + printk_ratelimited(KERN_ERR "%s: crypto_ablkcipher_encrypt() returned %d\n",
484 + ciphertext_page = ERR_PTR(res);
488 + return ciphertext_page;
492 + * ext4_encrypt() - Encrypts a page
493 + * @ctx: The encryption context.
494 + * @plaintext_page: The page to encrypt. Must be locked.
496 + * Allocates a ciphertext page and encrypts plaintext_page into it
497 + * using the ctx encryption context.
499 + * Called on the page write path.
501 + * Return: An allocated page with the encrypted content on
502 + * success. Else, an error value or NULL.
504 +struct page *ext4_encrypt(struct ext4_crypto_ctx *ctx,
505 + struct page *plaintext_page)
507 + struct page *ciphertext_page = NULL;
509 + BUG_ON(!PageLocked(plaintext_page));
510 + switch (ctx->mode) {
511 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
512 + ciphertext_page = ext4_xts_encrypt(ctx, plaintext_page);
514 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
515 + /* TODO(mhalcrow): We'll need buffers for the
516 + * generated IV and/or auth tag for this mode and the
518 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
519 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
520 + ciphertext_page = ERR_PTR(-ENOTSUPP);
525 + if (!IS_ERR_OR_NULL(ciphertext_page))
526 + ext4_prep_pages_for_write(ciphertext_page, plaintext_page, ctx);
527 + return ciphertext_page;
531 + * ext4_xts_decrypt() - Decrypts a page using AES-256-XTS
532 + * @ctx: The encryption context.
533 + * @page: The page to decrypt. Must be locked.
535 + * Return: Zero on success, non-zero otherwise.
537 +int ext4_xts_decrypt(struct ext4_crypto_ctx *ctx, struct page *page)
539 + u8 xts_tweak[EXT4_XTS_TWEAK_SIZE];
540 + struct ablkcipher_request *req = NULL;
541 + struct ext4_crypt_result ecr;
542 + struct scatterlist sg;
543 + struct ext4_inode_info *ei = EXT4_I(page->mapping->host);
544 + struct crypto_ablkcipher *atfm = __crypto_ablkcipher_cast(ctx->tfm);
548 + BUG_ON(ei->i_encryption_key.mode != EXT4_ENCRYPTION_MODE_AES_256_XTS);
549 + crypto_ablkcipher_clear_flags(atfm, ~0);
550 + crypto_tfm_set_flags(ctx->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
552 + /* Since in AES-256-XTS mode we only perform one cryptographic
553 + * operation on each block and there are no constraints about
554 + * how many blocks a single key can encrypt, we directly use
555 + * the inode master key */
556 + res = crypto_ablkcipher_setkey(atfm, ei->i_encryption_key.raw,
557 + ei->i_encryption_key.size);
558 + req = ablkcipher_request_alloc(atfm, GFP_NOFS);
563 + ablkcipher_request_set_callback(
564 + req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
565 + ext4_crypt_complete, &ecr);
566 + ext4_xts_tweak_for_page(xts_tweak, page);
567 + sg_init_table(&sg, 1);
568 + sg_set_page(&sg, page, PAGE_CACHE_SIZE, 0);
569 + ablkcipher_request_set_crypt(req, &sg, &sg, PAGE_CACHE_SIZE, xts_tweak);
570 + res = crypto_ablkcipher_decrypt(req);
571 + if (res == -EINPROGRESS || res == -EBUSY) {
572 + BUG_ON(req->base.data != &ecr);
573 + wait_for_completion(&ecr.completion);
576 + ablkcipher_request_free(req);
579 + printk_ratelimited(KERN_ERR "%s: res = [%d]\n", __func__, res);
584 + * ext4_decrypt() - Decrypts a page in-place
585 + * @ctx: The encryption context.
586 + * @page: The page to decrypt. Must be locked.
588 + * Decrypts page in-place using the ctx encryption context.
590 + * Called from the read completion callback.
592 + * Return: Zero on success, non-zero otherwise.
594 +int ext4_decrypt(struct ext4_crypto_ctx *ctx, struct page *page)
598 + BUG_ON(!PageLocked(page));
599 + switch (ctx->mode) {
600 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
601 + res = ext4_xts_decrypt(ctx, page);
603 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
604 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
605 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
615 + * ext4_get_wrapping_key_from_keyring() - Gets a wrapping key from the keyring
616 + * @wrapping_key: Buffer into which this writes the wrapping key.
617 + * @sig: The signature for the wrapping key.
619 + * Return: Zero on success, non-zero otherwise.
621 +static int ext4_get_wrapping_key_from_keyring(
622 + char wrapping_key[EXT4_MAX_KEY_SIZE],
623 + const char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE])
625 + struct key *create_key;
626 + struct encrypted_key_payload *payload;
627 + struct ecryptfs_auth_tok *auth_tok;
629 + create_key = request_key(&key_type_user, sig, NULL);
630 + if (WARN_ON_ONCE(IS_ERR(create_key)))
632 + payload = (struct encrypted_key_payload *)create_key->payload.data;
633 + if (WARN_ON_ONCE(create_key->datalen !=
634 + sizeof(struct ecryptfs_auth_tok))) {
637 + auth_tok = (struct ecryptfs_auth_tok *)(&(payload)->payload_data);
638 + if (WARN_ON_ONCE(!(auth_tok->token.password.flags &
639 + ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET))) {
642 + BUILD_BUG_ON(EXT4_MAX_KEY_SIZE < EXT4_AES_256_XTS_KEY_SIZE);
643 + BUILD_BUG_ON(ECRYPTFS_MAX_KEY_BYTES < EXT4_AES_256_XTS_KEY_SIZE);
644 + memcpy(wrapping_key,
645 + auth_tok->token.password.session_key_encryption_key,
646 + EXT4_AES_256_XTS_KEY_SIZE);
651 + * ext4_wrapping_key_sig_for_parent_dir() - Gets the key signature for
652 + * the parent directory
653 + * @sig: Buffer into which this writes the wrapping key signature.
655 + * Return: Zero on success, non-zero otherwise.
657 +static int ext4_wrapping_key_sig_for_parent_dir(
658 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE])
660 + /* TODO(mhalcrow): Here's where we can check for wrapping key
661 + * specifier in parent directory xattr. */
666 + * ext4_get_wrapping_key() - Gets the wrapping key from the user session keyring
667 + * @wrapping_key: Buffer into which this writes the wrapping key.
668 + * @sig: Buffer into which this writes the wrapping key signature.
669 + * @inode: The inode for the wrapping key.
671 + * Return: Zero on success, non-zero otherwise.
673 +static int ext4_get_wrapping_key(
674 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE],
675 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE],
676 + const struct inode *inode)
678 + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
679 + int res = ext4_wrapping_key_sig_for_parent_dir(sig);
682 + BUILD_BUG_ON(ECRYPTFS_SIG_SIZE_HEX + 1 !=
683 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE);
685 + sbi->s_default_encryption_wrapper_desc.wrapping_key_sig,
686 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE);
688 + BUG_ON(sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE - 1] != '\0');
689 + res = ext4_get_wrapping_key_from_keyring(wrapping_key, sig);
694 + * ext4_validate_encryption_mode() - Validate the encryption key mode
695 + * @mode: The key mode to validate.
697 + * Return: The validated key mode. EXT4_ENCRYPTION_MODE_INVALID if
700 +static uint32_t ext4_validate_encryption_mode(uint32_t mode)
703 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
708 + return EXT4_ENCRYPTION_MODE_INVALID;
712 + * ext4_validate_encryption_key_size() - Validate the encryption key size
713 + * @mode: The key mode.
714 + * @size: The key size to validate.
716 + * Return: The validated key size for @mode. Zero if invalid.
718 +static uint32_t ext4_validate_encryption_key_size(uint32_t mode, uint32_t size)
720 + if (size == ext4_encryption_key_size(mode))
725 +struct ext4_hmac_result {
726 + struct completion completion;
731 + * ext4_hmac_complete() - Completion for async HMAC
732 + * @req: The async request.
733 + * @res: The result of the HMAC operation.
735 +static void ext4_hmac_complete(struct crypto_async_request *req, int res)
737 + struct ext4_hmac_result *ehr = req->data;
739 + if (res == -EINPROGRESS)
742 + complete(&ehr->completion);
746 + * ext4_hmac_derive_key() - Generate an HMAC
747 + * @derivation: If true, derive a key. Else, generate an integrity HMAC.
748 + * @key: The HMAC key.
749 + * @key_size: The size of @key.
750 + * @src: The data to HMAC.
751 + * @src_size: The size of @src.
752 + * @dst: The target buffer for the generated HMAC.
753 + * @dst_size: The size of @dst.
755 + * Return: Zero on success, non-zero otherwise.
757 +static int ext4_hmac(bool derivation, const char *key, size_t key_size,
758 + const char *src, size_t src_size, char *dst,
761 + struct scatterlist sg;
762 + struct ahash_request *req = NULL;
763 + struct ext4_hmac_result ehr;
764 + char hmac[SHA512_DIGEST_SIZE];
765 + struct crypto_ahash *tfm = crypto_alloc_ahash(derivation ?
767 + "hmac(sha1)", 0, 0);
770 + BUG_ON(dst_size > SHA512_DIGEST_SIZE);
772 + return PTR_ERR(tfm);
773 + req = ahash_request_alloc(tfm, GFP_NOFS);
778 + ahash_request_set_callback(req,
779 + (CRYPTO_TFM_REQ_MAY_BACKLOG |
780 + CRYPTO_TFM_REQ_MAY_SLEEP),
781 + ext4_hmac_complete, &ehr);
783 + res = crypto_ahash_setkey(tfm, key, key_size);
786 + sg_init_one(&sg, src, src_size);
787 + ahash_request_set_crypt(req, &sg, hmac, src_size);
788 + init_completion(&ehr.completion);
789 + res = crypto_ahash_digest(req);
790 + if (res == -EINPROGRESS || res == -EBUSY) {
791 + BUG_ON(req->base.data != &ehr);
792 + wait_for_completion(&ehr.completion);
797 + memcpy(dst, hmac, dst_size);
799 + crypto_free_ahash(tfm);
801 + ahash_request_free(req);
806 + * ext4_hmac_derive_key() - Generate an HMAC for an key derivation (HKDF)
807 + * @key: The master key.
808 + * @key_size: The size of @key.
809 + * @src: The derivation data.
810 + * @src_size: The size of @src.
811 + * @dst: The target buffer for the derived key.
812 + * @dst_size: The size of @dst.
814 + * Return: Zero on success, non-zero otherwise.
816 +static int ext4_hmac_derive_key(const char *key, size_t key_size,
817 + const char *src, size_t src_size, char *dst,
820 + return ext4_hmac(true, key, key_size, src, src_size, dst, dst_size);
824 + * ext4_hmac_integrity() - Generate an HMAC for an integrity measurement
825 + * @key: The HMAC key.
826 + * @key_size: The size of @key.
827 + * @src: The data to generate the HMAC over.
828 + * @src_size: The size of @src.
829 + * @dst: The target buffer for the HMAC.
830 + * @dst_size: The size of @dst.
832 + * Return: Zero on success, non-zero otherwise.
834 +static int ext4_hmac_integrity(const char *key, size_t key_size,
835 + const char *src, size_t src_size, char *dst,
838 + return ext4_hmac(false, key, key_size, src, src_size, dst, dst_size);
842 + * ext4_crypt_wrapper_virt() - Encrypt a key
843 + * @enc_key: The wrapping key.
844 + * @iv: The initialization vector for the key encryption.
845 + * @src_virt: The source key object to wrap.
846 + * @dst_virt: The buffer for the wrapped key object.
847 + * @size: The size of the key object (identical for wrapped or unwrapped).
848 + * @enc: If 0, decrypt. Else, encrypt.
850 + * Uses the wrapped key to unwrap the encryption key.
852 + * Return: Zero on success, non-zero otherwise.
854 +static int ext4_crypt_wrapper_virt(const char *enc_key, const char *iv,
855 + const char *src_virt, char *dst_virt,
856 + size_t size, bool enc)
858 + struct scatterlist dst, src;
859 + struct blkcipher_desc desc = {
860 + .flags = CRYPTO_TFM_REQ_MAY_SLEEP
864 + desc.tfm = crypto_alloc_blkcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
865 + if (IS_ERR(desc.tfm))
866 + return PTR_ERR(desc.tfm);
869 + crypto_blkcipher_set_flags(desc.tfm, CRYPTO_TFM_REQ_WEAK_KEY);
870 + sg_init_one(&dst, dst_virt, size);
871 + sg_init_one(&src, src_virt, size);
872 + crypto_blkcipher_set_iv(desc.tfm, iv, EXT4_WRAPPING_IV_SIZE);
873 + res = crypto_blkcipher_setkey(desc.tfm, enc_key,
874 + EXT4_AES_256_CTR_KEY_SIZE);
878 + res = crypto_blkcipher_encrypt(&desc, &dst, &src, size);
880 + res = crypto_blkcipher_decrypt(&desc, &dst, &src, size);
882 + crypto_free_blkcipher(desc.tfm);
887 + * ext4_unwrap_key() - Unwraps the encryption key for the inode
888 + * @wrapped_key_packet: The wrapped encryption key packet.
889 + * @wrapped_key_packet_size: The wrapped encryption key packet size.
890 + * @key: The encryption key to fill in with unwrapped data.
892 + * Uses the wrapped key to unwrap the encryption key.
894 + * Return: Zero on success, non-zero otherwise.
896 +static int ext4_unwrap_key(const char *wrapped_key_packet,
897 + size_t wrapped_key_packet_size,
898 + struct ext4_encryption_key *key)
900 + struct ext4_wrapped_key_packet *packet =
901 + (struct ext4_wrapped_key_packet *)wrapped_key_packet;
902 + uint32_t packet_size = ntohl(*(uint32_t *)packet->size);
903 + struct ext4_encryption_key_packet key_packet;
904 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE];
905 + char enc_key[EXT4_AES_256_CTR_KEY_SIZE];
906 + char int_key[EXT4_HMAC_KEY_SIZE];
907 + char hmac[EXT4_HMAC_SIZE];
908 + char hmac_invalid = 0;
912 + if (wrapped_key_packet_size < sizeof(packet_size))
914 + BUILD_BUG_ON(sizeof(struct ext4_wrapped_key_packet) !=
915 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
916 + if (packet_size != sizeof(struct ext4_wrapped_key_packet))
918 + if (wrapped_key_packet_size != packet_size)
920 + if (packet->type != EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0)
922 + if (packet->sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE - 1] != '\0')
924 + res = ext4_get_wrapping_key_from_keyring(wrapping_key, packet->sig);
928 + /* Always validate the HMAC as soon as we get the key to do so */
929 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_INT_DERIVATION_TWEAK;
930 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
932 + EXT4_DERIVATION_TWEAK_NONCE_SIZE, int_key,
933 + EXT4_HMAC_KEY_SIZE);
936 + res = ext4_hmac_integrity(int_key, EXT4_HMAC_KEY_SIZE,
937 + wrapped_key_packet,
938 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE -
939 + EXT4_HMAC_SIZE), hmac, EXT4_HMAC_SIZE);
940 + memset(int_key, 0, EXT4_HMAC_KEY_SIZE);
941 + for (i = 0; i < EXT4_HMAC_SIZE; ++i)
942 + hmac_invalid |= (packet->hmac[i] ^ hmac[i]);
943 + if (hmac_invalid) {
944 + printk_ratelimited(KERN_ERR "%s: Security advisory: Wrapped key HMAC check failed\n",
950 + /* The HMAC validated. Decrypt the key packet. */
951 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_ENC_DERIVATION_TWEAK;
952 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
954 + EXT4_DERIVATION_TWEAK_NONCE_SIZE, enc_key,
955 + EXT4_AES_256_CTR_KEY_SIZE);
958 + res = ext4_crypt_wrapper_virt(enc_key, packet->iv,
959 + packet->wrapped_key_packet,
960 + (char *)&key_packet,
961 + EXT4_V0_SERIALIZED_KEY_SIZE, false);
962 + memset(enc_key, 0, EXT4_AES_256_CTR_KEY_SIZE);
965 + key->mode = ext4_validate_encryption_mode(
966 + ntohl(*((uint32_t *)key_packet.mode)));
967 + if (key->mode == EXT4_ENCRYPTION_MODE_INVALID) {
971 + memcpy(key->raw, key_packet.raw, EXT4_MAX_KEY_SIZE);
972 + memset(key_packet.raw, 0, EXT4_MAX_KEY_SIZE);
973 + key->size = ext4_validate_encryption_key_size(
974 + key->mode, ntohl(*((uint32_t *)key_packet.size)));
981 + key->mode = EXT4_ENCRYPTION_MODE_INVALID;
982 + memset(wrapping_key, 0, EXT4_AES_256_XTS_KEY_SIZE);
987 + * ext4_wrap_key() - Wraps the encryption key for the inode
988 + * @wrapped_crypto_key: The buffer into which this writes the wrapped key.
989 + * @key_packet_size: The size of the packet.
990 + * @key: The encryption key.
991 + * @inode: The inode for the encryption key.
993 + * Generates a wrapped key packet from an encryption key and a
994 + * wrapping key for an inode.
996 + * Return: Zero on success, non-zero otherwise.
998 +static int ext4_wrap_key(char *wrapped_key_packet, size_t *key_packet_size,
999 + const struct ext4_encryption_key *key,
1000 + const struct inode *inode)
1002 + struct ext4_wrapped_key_packet *packet =
1003 + (struct ext4_wrapped_key_packet *)wrapped_key_packet;
1004 + struct ext4_encryption_key_packet key_packet;
1005 + char wrapping_key[EXT4_AES_256_XTS_KEY_SIZE];
1006 + char enc_key[EXT4_AES_256_CTR_KEY_SIZE];
1007 + char int_key[EXT4_HMAC_KEY_SIZE];
1010 + BUILD_BUG_ON(sizeof(struct ext4_wrapped_key_packet) !=
1011 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1012 + if (!wrapped_key_packet) {
1013 + *key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1016 + res = ext4_get_wrapping_key(wrapping_key, packet->sig, inode);
1019 + BUG_ON(*key_packet_size != EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1021 + /* Size, type, nonce, and IV */
1022 + *((uint32_t *)packet->size) =
1023 + htonl(EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE);
1024 + packet->type = EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0;
1025 + get_random_bytes(packet->nonce, EXT4_NONCE_SIZE);
1026 + get_random_bytes(packet->iv, EXT4_WRAPPING_IV_SIZE);
1028 + /* Derive the wrapping encryption key from the wrapping key */
1029 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_ENC_DERIVATION_TWEAK;
1030 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
1032 + EXT4_DERIVATION_TWEAK_NONCE_SIZE,
1033 + enc_key, EXT4_AES_256_CTR_KEY_SIZE);
1037 + /* Wrap the data key with the wrapping encryption key */
1038 + *((uint32_t *)key_packet.mode) = htonl(key->mode);
1039 + memcpy(key_packet.raw, key->raw, EXT4_MAX_KEY_SIZE);
1040 + *((uint32_t *)key_packet.size) = htonl(key->size);
1041 + BUILD_BUG_ON(sizeof(struct ext4_encryption_key_packet) !=
1042 + EXT4_V0_SERIALIZED_KEY_SIZE);
1043 + res = ext4_crypt_wrapper_virt(enc_key, packet->iv, (char *)&key_packet,
1044 + (char *)&packet->wrapped_key_packet,
1045 + EXT4_V0_SERIALIZED_KEY_SIZE, true);
1046 + memset(enc_key, 0, EXT4_AES_256_CTR_KEY_SIZE);
1047 + memset(key_packet.raw, 0, EXT4_MAX_KEY_SIZE);
1051 + /* Calculate the HMAC over the entire packet (except, of
1052 + * course, the HMAC buffer at the end) */
1053 + packet->nonce[EXT4_NONCE_SIZE] = EXT4_WRAPPING_INT_DERIVATION_TWEAK;
1054 + res = ext4_hmac_derive_key(wrapping_key, EXT4_AES_256_XTS_KEY_SIZE,
1056 + EXT4_DERIVATION_TWEAK_NONCE_SIZE,
1057 + int_key, EXT4_HMAC_KEY_SIZE);
1060 + BUILD_BUG_ON(EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE < EXT4_HMAC_SIZE);
1061 + res = ext4_hmac_integrity(int_key, EXT4_HMAC_KEY_SIZE,
1062 + wrapped_key_packet,
1063 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE -
1064 + EXT4_HMAC_SIZE), packet->hmac,
1066 + packet->nonce[EXT4_NONCE_SIZE] = 0; /* to catch decryption bugs */
1067 + memset(int_key, 0, EXT4_HMAC_KEY_SIZE);
1069 + memset(wrapping_key, 0, EXT4_AES_256_XTS_KEY_SIZE);
1074 + * ext4_generate_encryption_key() - Generates an encryption key
1075 + * @dentry: The dentry containing the encryption key this will set.
1077 +static void ext4_generate_encryption_key(const struct dentry *dentry)
1079 + struct ext4_inode_info *ei = EXT4_I(dentry->d_inode);
1080 + struct ext4_sb_info *sbi = EXT4_SB(dentry->d_sb);
1081 + struct ext4_encryption_key *key = &ei->i_encryption_key;
1083 + key->mode = sbi->s_default_encryption_mode;
1084 + key->size = ext4_encryption_key_size(key->mode);
1085 + BUG_ON(!key->size);
1086 + get_random_bytes(key->raw, key->size);
1090 + * ext4_set_crypto_key() - Generates and sets the encryption key for the inode
1091 + * @dentry: The dentry for the encryption key.
1093 + * Generates the encryption key for the inode. Generates and writes
1094 + * the encryption metadata for the inode.
1096 + * Return: Zero on success, non-zero otherwise.
1098 +int ext4_set_crypto_key(struct dentry *dentry)
1100 + char root_packet[EXT4_PACKET_SET_V0_MAX_SIZE];
1101 + char *wrapped_key_packet = &root_packet[EXT4_PACKET_HEADER_SIZE];
1102 + size_t wrapped_key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1103 + size_t root_packet_size = (EXT4_PACKET_HEADER_SIZE +
1104 + wrapped_key_packet_size);
1105 + struct inode *inode = dentry->d_inode;
1106 + struct ext4_inode_info *ei = EXT4_I(inode);
1110 + ext4_generate_encryption_key(dentry);
1111 + res = ext4_wrap_key(wrapped_key_packet, &wrapped_key_packet_size,
1112 + &ei->i_encryption_key, inode);
1115 + root_packet[0] = EXT4_PACKET_SET_VERSION_V0;
1116 + BUILD_BUG_ON(EXT4_PACKET_SET_V0_MAX_SIZE !=
1117 + (EXT4_PACKET_HEADER_SIZE +
1118 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE));
1119 + BUG_ON(sizeof(root_packet) != root_packet_size);
1120 + res = ext4_xattr_set(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA, "",
1121 + root_packet, root_packet_size, 0);
1124 + if (res == -EINTR)
1126 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1127 + printk_ratelimited(KERN_ERR "%s: res = [%d]\n", __func__, res);
1133 + * ext4_get_root_packet() - Reads the root packet
1134 + * @inode: The inode containing the root packet.
1135 + * @root_packet: The root packet.
1136 + * @root_packet_size: The size of the root packet. Set by this if
1137 + * root_packet == NULL.
1139 + * Return: Zero on success, non-zero otherwise.
1141 +static int ext4_get_root_packet(struct inode *inode, char *root_packet,
1142 + size_t *root_packet_size)
1144 + int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA,
1148 + if (!root_packet) {
1149 + *root_packet_size = res;
1152 + if (res != *root_packet_size)
1154 + res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION_METADATA, "",
1155 + root_packet, res);
1156 + if (root_packet[0] != EXT4_PACKET_SET_VERSION_V0) {
1157 + printk_ratelimited(KERN_ERR "%s: Expected root packet version [%d]; got [%d]\n",
1158 + __func__, EXT4_PACKET_SET_VERSION_V0,
1166 + * ext4_get_crypto_key() - Gets the encryption key for the inode
1167 + * @file: The file for the encryption key.
1169 + * Return: Zero on success, non-zero otherwise.
1171 +int ext4_get_crypto_key(const struct file *file)
1173 + char root_packet[EXT4_PACKET_SET_V0_MAX_SIZE];
1174 + char *wrapped_key_packet = &root_packet[EXT4_PACKET_HEADER_SIZE];
1175 + size_t wrapped_key_packet_size = EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE;
1176 + size_t root_packet_size = (EXT4_PACKET_HEADER_SIZE +
1177 + wrapped_key_packet_size);
1178 + struct inode *inode = file->f_mapping->host;
1179 + struct ext4_inode_info *ei = EXT4_I(inode);
1180 + int res = ext4_get_root_packet(inode, root_packet, &root_packet_size);
1184 + res = ext4_unwrap_key(wrapped_key_packet,
1185 + EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE,
1186 + &ei->i_encryption_key);
1191 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1194 diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
1195 index 7cc5a0e..ef89b61 100644
1196 --- a/fs/ext4/ext4.h
1197 +++ b/fs/ext4/ext4.h
1199 #include <linux/ratelimit.h>
1200 #include <crypto/hash.h>
1201 #include <linux/falloc.h>
1202 +#include <linux/ecryptfs.h>
1204 #include <linux/compat.h>
1206 @@ -809,6 +810,8 @@ do { \
1208 #endif /* defined(__KERNEL__) || defined(__linux__) */
1210 +#include "ext4_crypto.h"
1212 #include "extents_status.h"
1215 @@ -943,6 +946,10 @@ struct ext4_inode_info {
1217 /* Precomputed uuid+inum+igen checksum for seeding inode checksums */
1220 + /* Encryption params */
1221 + struct ext4_encryption_key i_encryption_key;
1222 + struct ext4_encryption_wrapper_desc i_encryption_wrapper_desc;
1226 @@ -1340,6 +1347,10 @@ struct ext4_sb_info {
1227 struct ratelimit_state s_err_ratelimit_state;
1228 struct ratelimit_state s_warning_ratelimit_state;
1229 struct ratelimit_state s_msg_ratelimit_state;
1232 + uint32_t s_default_encryption_mode;
1233 + struct ext4_encryption_wrapper_desc s_default_encryption_wrapper_desc;
1236 static inline struct ext4_sb_info *EXT4_SB(struct super_block *sb)
1237 @@ -2783,6 +2794,20 @@ static inline void set_bitmap_uptodate(struct buffer_head *bh)
1238 set_bit(BH_BITMAP_UPTODATE, &(bh)->b_state);
1242 +extern struct workqueue_struct *mpage_read_workqueue;
1243 +int ext4_allocate_crypto(size_t num_crypto_pages, size_t num_crypto_ctxs);
1244 +void ext4_delete_crypto(void);
1245 +struct ext4_crypto_ctx *ext4_get_crypto_ctx(
1246 + bool with_page, const struct ext4_encryption_key *key);
1247 +void ext4_release_crypto_ctx(struct ext4_crypto_ctx *ctx);
1248 +void set_bh_to_page(struct buffer_head *head, struct page *page);
1249 +struct page *ext4_encrypt(struct ext4_crypto_ctx *ctx,
1250 + struct page *plaintext_page);
1251 +int ext4_decrypt(struct ext4_crypto_ctx *ctx, struct page *page);
1252 +int ext4_get_crypto_key(const struct file *file);
1253 +int ext4_set_crypto_key(struct dentry *dentry);
1256 * Disable DIO read nolock optimization, so new dioreaders will be forced
1258 diff --git a/fs/ext4/ext4_crypto.h b/fs/ext4/ext4_crypto.h
1259 new file mode 100644
1260 index 0000000..8eaf273
1262 +++ b/fs/ext4/ext4_crypto.h
1265 + * linux/fs/ext4/ext4_crypto.h
1267 + * This contains encryption header content for ext4
1269 + * Written by Michael Halcrow, 2014.
1272 +#ifndef _EXT4_CRYPTO_H
1273 +#define _EXT4_CRYPTO_H
1275 +/* Encryption parameters */
1276 +#define EXT4_AES_256_XTS_KEY_SIZE 64
1277 +#define EXT4_XTS_TWEAK_SIZE 16
1278 +#define EXT4_AES_256_CTR_KEY_SIZE 32
1279 +#define EXT4_AES_256_ECB_KEY_SIZE 32
1280 +#define EXT4_HMAC_KEY_SIZE 12
1281 +#define EXT4_HMAC_SIZE 12
1282 +#define EXT4_NONCE_SIZE 12
1283 +#define EXT4_DERIVATION_TWEAK_SIZE 1
1284 +#define EXT4_DERIVATION_TWEAK_NONCE_SIZE (EXT4_NONCE_SIZE + \
1285 + EXT4_DERIVATION_TWEAK_SIZE)
1286 +#define EXT4_WRAPPING_ENC_DERIVATION_TWEAK 'e'
1287 +#define EXT4_WRAPPING_INT_DERIVATION_TWEAK 'i'
1288 +#define EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE \
1289 + (EXT4_AES_256_XTS_KEY_SIZE + EXT4_HMAC_KEY_SIZE)
1290 +#define EXT4_AES_256_GCM_KEY_SIZE 32
1291 +#define EXT4_AES_256_GCM_AUTH_SIZE 16
1292 +#define EXT4_GCM_ASSOC_DATA_SIZE sizeof(pgoff_t)
1293 +#define EXT4_PAGE_REGION_INDEX_SHIFT 16 /* 2**16-sized regions */
1294 +#define EXT4_MAX_KEY_SIZE EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE
1295 +#define EXT4_MAX_IV_SIZE AES_BLOCK_SIZE
1296 +#define EXT4_MAX_AUTH_SIZE EXT4_AES_256_GCM_AUTH_SIZE
1298 +/* The metadata directory is only necessary only for the sibling file
1299 + * directory under the mount root, which will be replaced by per-block
1300 + * metadata when it's ready. */
1301 +#define EXT4_METADATA_DIRECTORY_NAME ".ext4_crypt_data"
1302 +#define EXT4_METADATA_DIRECTORY_NAME_SIZE 16
1306 + * 4 bytes: Size of packet (inclusive of these 4 bytes)
1307 + * 1 byte: Packet type/version
1308 + * Variable bytes: Packet content (may contain nested packets)
1310 + * Packets may be nested. The top-level packet is the "packet set".
1312 +#define EXT4_PACKET_SET_VERSION_V0 ((char)0x00)
1313 +#define EXT4_PACKET_SET_VERSION_SIZE 1
1314 +#define EXT4_PACKET_SIZE_SIZE 4
1315 +#define EXT4_PACKET_TYPE_SIZE 1
1316 +#define EXT4_PACKET_HEADER_SIZE (EXT4_PACKET_SIZE_SIZE + EXT4_PACKET_TYPE_SIZE)
1319 + * Wrapped key packet format:
1320 + * 4 bytes: Size of packet (inclusive of these 4 bytes)
1321 + * 1 byte: Packet type/version (0x00)
1322 + * 17 bytes: NULL-terminated wrapping key signature (printable)
1323 + * 13 bytes: Derivation nonce (last byte ignored)
1325 + * Variable bytes: Serialized key, AES-256-CTR encrypted
1326 + * 12 bytes: HMAC-SHA1(everything preceding)
1328 +#define EXT4_KEY_PACKET_TYPE_WRAPPED_KEY_V0 ((char)0x00)
1329 +#define EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE (ECRYPTFS_SIG_SIZE_HEX + 1)
1330 +#define EXT4_WRAPPING_IV_SIZE 16
1332 +/* These #defines may seem redundant to the sizeof the structs below
1333 + * them. Since naively changing the structs can result in nasty bugs
1334 + * that might have security implications, we use the explict sizes
1335 + * together with BUILD_BUG_ON() to help avoid mistakes. */
1336 +#define EXT4_V0_SERIALIZED_KEY_SIZE (sizeof(uint32_t) + \
1337 + EXT4_MAX_KEY_SIZE + \
1339 +#define EXT4_WRAPPED_KEY_PACKET_V0_SIZE ( \
1340 + EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE + \
1341 + EXT4_DERIVATION_TWEAK_NONCE_SIZE + \
1342 + EXT4_WRAPPING_IV_SIZE + \
1343 + EXT4_V0_SERIALIZED_KEY_SIZE + \
1346 +#define EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE ((uint32_t)( \
1347 + EXT4_PACKET_HEADER_SIZE + \
1348 + EXT4_WRAPPED_KEY_PACKET_V0_SIZE))
1350 +/* V0 supports only one key in a fixed xattr space. If/when compelling
1351 + * requirements come along, future versions may be able to use
1352 + * (non-xattr) metadata storage to store an arbitrary number of
1353 + * wrapped keys. In the meantime, we won't spend the code complexity
1354 + * budget on supporting multiple wrapped keys. */
1355 +#define EXT4_PACKET_SET_V0_MAX_WRAPPED_KEYS 1
1356 +#define EXT4_PACKET_SET_V0_MAX_SIZE ((uint32_t)( \
1357 + EXT4_PACKET_HEADER_SIZE + \
1358 + (EXT4_FULL_WRAPPED_KEY_PACKET_V0_SIZE * \
1359 + EXT4_PACKET_SET_V0_MAX_WRAPPED_KEYS)))
1361 +/* Don't change this without also changing the packet type. Serialized
1362 + * packets are cast directly into this struct. */
1363 +struct ext4_encryption_key_packet {
1364 + char mode[sizeof(uint32_t)]; /* Network byte order */
1365 + char raw[EXT4_MAX_KEY_SIZE];
1366 + char size[sizeof(uint32_t)]; /* Network byte order */
1367 +} __attribute__((__packed__));
1370 + * If you change the existing modes (order or type), you'll need to
1371 + * change the packet type too.
1373 +enum ext4_encryption_mode {
1374 + EXT4_ENCRYPTION_MODE_INVALID = 0,
1375 + EXT4_ENCRYPTION_MODE_AES_256_XTS,
1376 + EXT4_ENCRYPTION_MODE_AES_256_GCM,
1377 + EXT4_ENCRYPTION_MODE_HMAC_SHA1,
1378 + EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1,
1381 +struct ext4_encryption_key {
1383 + char raw[EXT4_MAX_KEY_SIZE];
1387 +/* Don't change this without also changing the packet type. Serialized
1388 + * packets are cast directly into this struct. */
1389 +struct ext4_wrapped_key_packet {
1390 + char size[sizeof(uint32_t)]; /* Network byte order */
1392 + char sig[EXT4_WRAPPING_KEY_SIG_NULL_TERMINATED_SIZE];
1393 + char nonce[EXT4_DERIVATION_TWEAK_NONCE_SIZE];
1394 + char iv[EXT4_WRAPPING_IV_SIZE];
1395 + char wrapped_key_packet[sizeof(struct ext4_encryption_key_packet)];
1396 + char hmac[EXT4_HMAC_SIZE];
1397 +} __attribute__((__packed__));
1399 +struct ext4_encryption_wrapper_desc {
1400 + char wrapping_key_sig[ECRYPTFS_SIG_SIZE_HEX + 1];
1403 +#define EXT4_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001
1404 +#define EXT4_BOUNCE_PAGE_REQUIRES_FREE_ENCRYPT_FL 0x00000002
1406 +struct ext4_crypto_ctx {
1407 + struct crypto_tfm *tfm; /* Crypto API context */
1408 + struct page *bounce_page; /* Ciphertext page on write path */
1409 + struct page *control_page; /* Original page on write path */
1410 + struct bio *bio; /* The bio for this context */
1411 + struct work_struct work; /* Work queue for read complete path */
1412 + struct list_head free_list; /* Free list */
1413 + int flags; /* Flags */
1414 + enum ext4_encryption_mode mode; /* Encryption mode for tfm */
1415 + atomic_t dbg_refcnt; /* TODO(mhalcrow): Remove for release */
1418 +static inline int ext4_encryption_key_size(enum ext4_encryption_mode mode)
1421 + case EXT4_ENCRYPTION_MODE_AES_256_XTS:
1422 + return EXT4_AES_256_XTS_KEY_SIZE;
1423 + case EXT4_ENCRYPTION_MODE_AES_256_GCM:
1424 + return EXT4_AES_256_GCM_KEY_SIZE;
1425 + case EXT4_ENCRYPTION_MODE_HMAC_SHA1:
1426 + return EXT4_HMAC_KEY_SIZE;
1427 + case EXT4_ENCRYPTION_MODE_AES_256_XTS_RANDOM_IV_HMAC_SHA1:
1428 + return EXT4_AES_256_XTS_RANDOMIV_HMAC_SHA1_KEY_SIZE;
1435 +extern atomic_t ext4_dbg_pages; /* TODO(mhalcrow): Remove for release */
1436 +extern atomic_t ext4_dbg_ctxs; /* TODO(mhalcrow): Remove for release */
1438 +#endif /* _EXT4_CRYPTO_H */
1439 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1440 index 6df7bc6..a0355a0 100644
1441 --- a/fs/ext4/super.c
1442 +++ b/fs/ext4/super.c
1443 @@ -904,6 +904,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb)
1444 atomic_set(&ei->i_ioend_count, 0);
1445 atomic_set(&ei->i_unwritten, 0);
1446 INIT_WORK(&ei->i_rsv_conversion_work, ext4_end_io_rsv_work);
1447 + ei->i_encryption_key.mode = EXT4_ENCRYPTION_MODE_INVALID;
1449 return &ei->vfs_inode;
1451 @@ -1168,7 +1169,7 @@ enum {
1452 Opt_inode_readahead_blks, Opt_journal_ioprio,
1453 Opt_dioread_nolock, Opt_dioread_lock,
1454 Opt_discard, Opt_nodiscard, Opt_init_itable, Opt_noinit_itable,
1455 - Opt_max_dir_size_kb,
1456 + Opt_max_dir_size_kb, Opt_encrypt_key_sig,
1459 static const match_table_t tokens = {
1460 @@ -1244,6 +1245,7 @@ static const match_table_t tokens = {
1461 {Opt_init_itable, "init_itable"},
1462 {Opt_noinit_itable, "noinit_itable"},
1463 {Opt_max_dir_size_kb, "max_dir_size_kb=%u"},
1464 + {Opt_encrypt_key_sig, "encrypt_key_sig=%s"},
1465 {Opt_removed, "check=none"}, /* mount option from ext2/3 */
1466 {Opt_removed, "nocheck"}, /* mount option from ext2/3 */
1467 {Opt_removed, "reservation"}, /* mount option from ext2/3 */
1468 @@ -1442,6 +1444,7 @@ static const struct mount_opts {
1469 {Opt_jqfmt_vfsv0, QFMT_VFS_V0, MOPT_QFMT},
1470 {Opt_jqfmt_vfsv1, QFMT_VFS_V1, MOPT_QFMT},
1471 {Opt_max_dir_size_kb, 0, MOPT_GTE0},
1472 + {Opt_encrypt_key_sig, 0, MOPT_STRING},
1476 @@ -1543,6 +1546,28 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token,
1477 sbi->s_li_wait_mult = arg;
1478 } else if (token == Opt_max_dir_size_kb) {
1479 sbi->s_max_dir_size_kb = arg;
1480 + } else if (token == Opt_encrypt_key_sig) {
1481 + char *encrypt_key_sig;
1483 + encrypt_key_sig = match_strdup(&args[0]);
1484 + if (!encrypt_key_sig) {
1485 + ext4_msg(sb, KERN_ERR,
1486 + "error: could not dup encryption key sig string");
1489 + if (strlen(encrypt_key_sig) != ECRYPTFS_SIG_SIZE_HEX) {
1490 + ext4_msg(sb, KERN_ERR,
1491 + "error: encryption key sig string must be length %d",
1492 + ECRYPTFS_SIG_SIZE_HEX);
1495 + sbi->s_default_encryption_mode =
1496 + EXT4_ENCRYPTION_MODE_AES_256_XTS;
1497 + memcpy(sbi->s_default_encryption_wrapper_desc.wrapping_key_sig,
1499 + ECRYPTFS_SIG_SIZE_HEX);
1500 + sbi->s_default_encryption_wrapper_desc.wrapping_key_sig[
1501 + ECRYPTFS_SIG_SIZE_HEX] = '\0';
1502 } else if (token == Opt_stripe) {
1503 sbi->s_stripe = arg;
1504 } else if (token == Opt_resuid) {
1505 @@ -5517,6 +5542,8 @@ struct mutex ext4__aio_mutex[EXT4_WQ_HASH_SZ];
1506 static int __init ext4_init_fs(void)
1509 + static size_t num_prealloc_crypto_pages = 32;
1510 + static size_t num_prealloc_crypto_ctxs = 128;
1512 ext4_li_info = NULL;
1513 mutex_init(&ext4_li_mtx);
1514 @@ -5529,10 +5556,15 @@ static int __init ext4_init_fs(void)
1515 init_waitqueue_head(&ext4__ioend_wq[i]);
1518 - err = ext4_init_es();
1519 + err = ext4_allocate_crypto(num_prealloc_crypto_pages,
1520 + num_prealloc_crypto_ctxs);
1524 + err = ext4_init_es();
1528 err = ext4_init_pageio();
1531 @@ -5585,6 +5617,8 @@ out6:
1536 + ext4_delete_crypto();
1540 diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
1541 index 29bedf5..29d47c7 100644
1542 --- a/fs/ext4/xattr.h
1543 +++ b/fs/ext4/xattr.h
1545 #define EXT4_XATTR_INDEX_SECURITY 6
1546 #define EXT4_XATTR_INDEX_SYSTEM 7
1547 #define EXT4_XATTR_INDEX_RICHACL 8
1548 +#define EXT4_XATTR_INDEX_ENCRYPTION_METADATA 9
1550 struct ext4_xattr_header {
1551 __le32 h_magic; /* magic number for identification */
1553 2.1.0.rc2.206.gedb03e5