Lines Matching +full:crypto +full:- +full:rst
1 // SPDX-License-Identifier: GPL-2.0
7 * DOC: blk-crypto profiles
9 * 'struct blk_crypto_profile' contains all generic inline encryption-related
11 * as the way that drivers for inline encryption hardware expose their crypto
14 * construct a crypto profile, then associate it with the disk's request_queue.
17 * these keyslots in a device-independent way, using the driver-provided
22 * For more information, see Documentation/block/inline-encryption.rst.
25 #define pr_fmt(fmt) "blk-crypto: " fmt
27 #include <linux/blk-crypto-profile.h>
34 #include <linux/blk-integrity.h>
35 #include "blk-crypto-internal.h"
48 * Calling into the driver requires profile->lock held and the device in blk_crypto_hw_enter()
50 * and release profile->lock via blk_crypto_reprogram_all_keys(). in blk_crypto_hw_enter()
52 if (profile->dev) in blk_crypto_hw_enter()
53 pm_runtime_get_sync(profile->dev); in blk_crypto_hw_enter()
54 down_write(&profile->lock); in blk_crypto_hw_enter()
59 up_write(&profile->lock); in blk_crypto_hw_exit()
60 if (profile->dev) in blk_crypto_hw_exit()
61 pm_runtime_put_sync(profile->dev); in blk_crypto_hw_exit()
65 * blk_crypto_profile_init() - Initialize a blk_crypto_profile
84 * profile->lock of an underlying device can nest inside profile->lock in blk_crypto_profile_init()
85 * of a device-mapper device, so use a dynamic lock class to avoid in blk_crypto_profile_init()
86 * false-positive lockdep reports. in blk_crypto_profile_init()
88 lockdep_register_key(&profile->lockdep_key); in blk_crypto_profile_init()
89 __init_rwsem(&profile->lock, "&profile->lock", &profile->lockdep_key); in blk_crypto_profile_init()
96 profile->slots = kvcalloc(num_slots, sizeof(profile->slots[0]), in blk_crypto_profile_init()
98 if (!profile->slots) in blk_crypto_profile_init()
101 profile->num_slots = num_slots; in blk_crypto_profile_init()
103 init_waitqueue_head(&profile->idle_slots_wait_queue); in blk_crypto_profile_init()
104 INIT_LIST_HEAD(&profile->idle_slots); in blk_crypto_profile_init()
107 profile->slots[slot].profile = profile; in blk_crypto_profile_init()
108 list_add_tail(&profile->slots[slot].idle_slot_node, in blk_crypto_profile_init()
109 &profile->idle_slots); in blk_crypto_profile_init()
112 spin_lock_init(&profile->idle_slots_lock); in blk_crypto_profile_init()
122 profile->log_slot_ht_size = ilog2(slot_hashtable_size); in blk_crypto_profile_init()
123 profile->slot_hashtable = in blk_crypto_profile_init()
125 sizeof(profile->slot_hashtable[0]), GFP_KERNEL); in blk_crypto_profile_init()
126 if (!profile->slot_hashtable) in blk_crypto_profile_init()
129 INIT_HLIST_HEAD(&profile->slot_hashtable[i]); in blk_crypto_profile_init()
135 return -ENOMEM; in blk_crypto_profile_init()
145 * devm_blk_crypto_profile_init() - Resource-managed blk_crypto_profile_init()
174 return &profile->slot_hashtable[ in blk_crypto_hash_bucket_for_key()
175 hash_ptr(key, profile->log_slot_ht_size)]; in blk_crypto_hash_bucket_for_key()
181 struct blk_crypto_profile *profile = slot->profile; in blk_crypto_remove_slot_from_lru_list()
184 spin_lock_irqsave(&profile->idle_slots_lock, flags); in blk_crypto_remove_slot_from_lru_list()
185 list_del(&slot->idle_slot_node); in blk_crypto_remove_slot_from_lru_list()
186 spin_unlock_irqrestore(&profile->idle_slots_lock, flags); in blk_crypto_remove_slot_from_lru_list()
198 if (slotp->key == key) in blk_crypto_find_keyslot()
213 if (atomic_inc_return(&slot->slot_refs) == 1) { in blk_crypto_find_and_grab_keyslot()
221 * blk_crypto_keyslot_index() - Get the index of a keyslot
224 * Return: the 0-based index of the keyslot within the device's keyslots.
228 return slot - slot->profile->slots; in blk_crypto_keyslot_index()
233 * blk_crypto_get_keyslot() - Get a keyslot for a key, if needed.
234 * @profile: the crypto profile of the device the key will be used on
244 * Context: Process context. Takes and releases profile->lock.
262 if (profile->num_slots == 0) in blk_crypto_get_keyslot()
265 down_read(&profile->lock); in blk_crypto_get_keyslot()
267 up_read(&profile->lock); in blk_crypto_get_keyslot()
283 if (!list_empty(&profile->idle_slots)) in blk_crypto_get_keyslot()
287 wait_event(profile->idle_slots_wait_queue, in blk_crypto_get_keyslot()
288 !list_empty(&profile->idle_slots)); in blk_crypto_get_keyslot()
291 slot = list_first_entry(&profile->idle_slots, struct blk_crypto_keyslot, in blk_crypto_get_keyslot()
295 err = profile->ll_ops.keyslot_program(profile, key, slot_idx); in blk_crypto_get_keyslot()
297 wake_up(&profile->idle_slots_wait_queue); in blk_crypto_get_keyslot()
303 if (slot->key) in blk_crypto_get_keyslot()
304 hlist_del(&slot->hash_node); in blk_crypto_get_keyslot()
305 slot->key = key; in blk_crypto_get_keyslot()
306 hlist_add_head(&slot->hash_node, in blk_crypto_get_keyslot()
309 atomic_set(&slot->slot_refs, 1); in blk_crypto_get_keyslot()
320 * blk_crypto_put_keyslot() - Release a reference to a keyslot
327 struct blk_crypto_profile *profile = slot->profile; in blk_crypto_put_keyslot()
330 if (atomic_dec_and_lock_irqsave(&slot->slot_refs, in blk_crypto_put_keyslot()
331 &profile->idle_slots_lock, flags)) { in blk_crypto_put_keyslot()
332 list_add_tail(&slot->idle_slot_node, &profile->idle_slots); in blk_crypto_put_keyslot()
333 spin_unlock_irqrestore(&profile->idle_slots_lock, flags); in blk_crypto_put_keyslot()
334 wake_up(&profile->idle_slots_wait_queue); in blk_crypto_put_keyslot()
339 * __blk_crypto_cfg_supported() - Check whether the given crypto profile
340 * supports the given crypto configuration.
341 * @profile: the crypto profile to check
342 * @cfg: the crypto configuration to check for
351 if (!(profile->modes_supported[cfg->crypto_mode] & cfg->data_unit_size)) in __blk_crypto_cfg_supported()
353 if (profile->max_dun_bytes_supported < cfg->dun_bytes) in __blk_crypto_cfg_supported()
355 if (!(profile->key_types_supported & cfg->key_type)) in __blk_crypto_cfg_supported()
362 * device that can be either a real device or the blk-crypto-fallback "device".
371 if (profile->num_slots == 0) { in __blk_crypto_evict_key()
372 if (profile->ll_ops.keyslot_evict) { in __blk_crypto_evict_key()
374 err = profile->ll_ops.keyslot_evict(profile, key, -1); in __blk_crypto_evict_key()
392 if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) { in __blk_crypto_evict_key()
394 err = -EBUSY; in __blk_crypto_evict_key()
397 err = profile->ll_ops.keyslot_evict(profile, key, in __blk_crypto_evict_key()
402 * table and clear slot->key even on error. in __blk_crypto_evict_key()
404 hlist_del(&slot->hash_node); in __blk_crypto_evict_key()
405 slot->key = NULL; in __blk_crypto_evict_key()
412 * blk_crypto_reprogram_all_keys() - Re-program all keyslots.
413 * @profile: The crypto profile
415 * Re-program all keyslots that are supposed to have a key programmed. This is
418 * Context: Process context. Takes and releases profile->lock.
424 if (profile->num_slots == 0) in blk_crypto_reprogram_all_keys()
428 down_write(&profile->lock); in blk_crypto_reprogram_all_keys()
429 for (slot = 0; slot < profile->num_slots; slot++) { in blk_crypto_reprogram_all_keys()
430 const struct blk_crypto_key *key = profile->slots[slot].key; in blk_crypto_reprogram_all_keys()
436 err = profile->ll_ops.keyslot_program(profile, key, slot); in blk_crypto_reprogram_all_keys()
439 up_write(&profile->lock); in blk_crypto_reprogram_all_keys()
447 lockdep_unregister_key(&profile->lockdep_key); in blk_crypto_profile_destroy()
448 kvfree(profile->slot_hashtable); in blk_crypto_profile_destroy()
449 kvfree_sensitive(profile->slots, in blk_crypto_profile_destroy()
450 sizeof(profile->slots[0]) * profile->num_slots); in blk_crypto_profile_destroy()
462 q->crypto_profile = profile; in blk_crypto_register()
468 * blk_crypto_derive_sw_secret() - Derive software secret from wrapped key
469 * @bdev: a block device that supports hardware-wrapped keys
470 * @eph_key: a hardware-wrapped key in ephemerally-wrapped form
474 * Given a hardware-wrapped key in ephemerally-wrapped form (the same form that
480 * Return: 0 on success, -EOPNOTSUPP if the block device doesn't support
481 * hardware-wrapped keys, -EBADMSG if the key isn't a valid
482 * ephemerally-wrapped key, or another -errno code.
489 bdev_get_queue(bdev)->crypto_profile; in blk_crypto_derive_sw_secret()
493 return -EOPNOTSUPP; in blk_crypto_derive_sw_secret()
494 if (!(profile->key_types_supported & BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)) in blk_crypto_derive_sw_secret()
495 return -EOPNOTSUPP; in blk_crypto_derive_sw_secret()
496 if (!profile->ll_ops.derive_sw_secret) in blk_crypto_derive_sw_secret()
497 return -EOPNOTSUPP; in blk_crypto_derive_sw_secret()
499 err = profile->ll_ops.derive_sw_secret(profile, eph_key, eph_key_size, in blk_crypto_derive_sw_secret()
513 return -EOPNOTSUPP; in blk_crypto_import_key()
514 if (!(profile->key_types_supported & BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)) in blk_crypto_import_key()
515 return -EOPNOTSUPP; in blk_crypto_import_key()
516 if (!profile->ll_ops.import_key) in blk_crypto_import_key()
517 return -EOPNOTSUPP; in blk_crypto_import_key()
519 ret = profile->ll_ops.import_key(profile, raw_key, raw_key_size, in blk_crypto_import_key()
532 return -EOPNOTSUPP; in blk_crypto_generate_key()
533 if (!(profile->key_types_supported & BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)) in blk_crypto_generate_key()
534 return -EOPNOTSUPP; in blk_crypto_generate_key()
535 if (!profile->ll_ops.generate_key) in blk_crypto_generate_key()
536 return -EOPNOTSUPP; in blk_crypto_generate_key()
538 ret = profile->ll_ops.generate_key(profile, lt_key); in blk_crypto_generate_key()
551 return -EOPNOTSUPP; in blk_crypto_prepare_key()
552 if (!(profile->key_types_supported & BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)) in blk_crypto_prepare_key()
553 return -EOPNOTSUPP; in blk_crypto_prepare_key()
554 if (!profile->ll_ops.prepare_key) in blk_crypto_prepare_key()
555 return -EOPNOTSUPP; in blk_crypto_prepare_key()
557 ret = profile->ll_ops.prepare_key(profile, lt_key, lt_key_size, in blk_crypto_prepare_key()
565 * blk_crypto_intersect_capabilities() - restrict supported crypto capabilities
567 * @parent: the crypto profile for the parent device
568 * @child: the crypto profile for the child device, or NULL
570 * This clears all crypto capabilities in @parent that aren't set in @child. If
573 * Only use this when setting up the crypto profile for a layered device, before
582 parent->max_dun_bytes_supported = in blk_crypto_intersect_capabilities()
583 min(parent->max_dun_bytes_supported, in blk_crypto_intersect_capabilities()
584 child->max_dun_bytes_supported); in blk_crypto_intersect_capabilities()
585 for (i = 0; i < ARRAY_SIZE(child->modes_supported); i++) in blk_crypto_intersect_capabilities()
586 parent->modes_supported[i] &= child->modes_supported[i]; in blk_crypto_intersect_capabilities()
587 parent->key_types_supported &= child->key_types_supported; in blk_crypto_intersect_capabilities()
589 parent->max_dun_bytes_supported = 0; in blk_crypto_intersect_capabilities()
590 memset(parent->modes_supported, 0, in blk_crypto_intersect_capabilities()
591 sizeof(parent->modes_supported)); in blk_crypto_intersect_capabilities()
592 parent->key_types_supported = 0; in blk_crypto_intersect_capabilities()
598 * blk_crypto_has_capabilities() - Check whether @target supports at least all
599 * the crypto capabilities that @reference does.
603 * Return: %true if @target supports all the crypto capabilities of @reference.
616 for (i = 0; i < ARRAY_SIZE(target->modes_supported); i++) { in blk_crypto_has_capabilities()
617 if (reference->modes_supported[i] & ~target->modes_supported[i]) in blk_crypto_has_capabilities()
621 if (reference->max_dun_bytes_supported > in blk_crypto_has_capabilities()
622 target->max_dun_bytes_supported) in blk_crypto_has_capabilities()
625 if (reference->key_types_supported & ~target->key_types_supported) in blk_crypto_has_capabilities()
633 * blk_crypto_update_capabilities() - Update the capabilities of a crypto
634 * profile to match those of another crypto
636 * @dst: The crypto profile whose capabilities to update.
637 * @src: The crypto profile whose capabilities this function will update @dst's
640 * Blk-crypto requires that crypto capabilities that were
643 * shrink its advertised crypto capabilities without any explicit
645 * synchronization, @src must support all the crypto capabilities that
648 * Note also that as long as the crypto capabilities are being expanded, the
650 * for blk-crypto to see stale values - they only cause blk-crypto to
651 * believe that a crypto capability isn't supported when it actually is (which
652 * might result in blk-crypto-fallback being used if available, or the bio being
658 memcpy(dst->modes_supported, src->modes_supported, in blk_crypto_update_capabilities()
659 sizeof(dst->modes_supported)); in blk_crypto_update_capabilities()
661 dst->max_dun_bytes_supported = src->max_dun_bytes_supported; in blk_crypto_update_capabilities()
662 dst->key_types_supported = src->key_types_supported; in blk_crypto_update_capabilities()