// SPDX-License-Identifier: GPL-2.0 /* * Copyright 2019 Google LLC */ /* * Refer to Documentation/block/inline-encryption.rst for detailed explanation. */ #define pr_fmt(fmt) "blk-crypto-fallback: " fmt #include #include #include #include #include #include #include #include #include #include "blk-cgroup.h" #include "blk-crypto-internal.h" static unsigned int num_prealloc_bounce_pg = BIO_MAX_VECS; module_param(num_prealloc_bounce_pg, uint, 0); MODULE_PARM_DESC(num_prealloc_bounce_pg, "Number of preallocated bounce pages for the blk-crypto crypto API fallback"); static unsigned int blk_crypto_num_keyslots = 100; module_param_named(num_keyslots, blk_crypto_num_keyslots, uint, 0); MODULE_PARM_DESC(num_keyslots, "Number of keyslots for the blk-crypto crypto API fallback"); static unsigned int num_prealloc_fallback_crypt_ctxs = 128; module_param(num_prealloc_fallback_crypt_ctxs, uint, 0); MODULE_PARM_DESC(num_prealloc_crypt_fallback_ctxs, "Number of preallocated bio fallback crypto contexts for blk-crypto to use during crypto API fallback"); struct bio_fallback_crypt_ctx { struct bio_crypt_ctx crypt_ctx; /* * Copy of the bvec_iter when this bio was submitted. * We only want to en/decrypt the part of the bio as described by the * bvec_iter upon submission because bio might be split before being * resubmitted */ struct bvec_iter crypt_iter; union { struct { struct work_struct work; struct bio *bio; }; struct { void *bi_private_orig; bio_end_io_t *bi_end_io_orig; }; }; }; static struct kmem_cache *bio_fallback_crypt_ctx_cache; static mempool_t *bio_fallback_crypt_ctx_pool; /* * Allocating a crypto tfm during I/O can deadlock, so we have to preallocate * all of a mode's tfms when that mode starts being used. Since each mode may * need all the keyslots at some point, each mode needs its own tfm for each * keyslot; thus, a keyslot may contain tfms for multiple modes. However, to * match the behavior of real inline encryption hardware (which only supports a * single encryption context per keyslot), we only allow one tfm per keyslot to * be used at a time - the rest of the unused tfms have their keys cleared. */ static DEFINE_MUTEX(tfms_init_lock); static bool tfms_inited[BLK_ENCRYPTION_MODE_MAX]; static struct blk_crypto_fallback_keyslot { enum blk_crypto_mode_num crypto_mode; struct crypto_sync_skcipher *tfms[BLK_ENCRYPTION_MODE_MAX]; } *blk_crypto_keyslots; static struct blk_crypto_profile *blk_crypto_fallback_profile; static struct workqueue_struct *blk_crypto_wq; static mempool_t *blk_crypto_bounce_page_pool; static struct bio_set enc_bio_set; /* * This is the key we set when evicting a keyslot. This *should* be the all 0's * key, but AES-XTS rejects that key, so we use some random bytes instead. */ static u8 blank_key[BLK_CRYPTO_MAX_RAW_KEY_SIZE]; static void blk_crypto_fallback_evict_keyslot(unsigned int slot) { struct blk_crypto_fallback_keyslot *slotp = &blk_crypto_keyslots[slot]; enum blk_crypto_mode_num crypto_mode = slotp->crypto_mode; int err; WARN_ON(slotp->crypto_mode == BLK_ENCRYPTION_MODE_INVALID); /* Clear the key in the skcipher */ err = crypto_sync_skcipher_setkey(slotp->tfms[crypto_mode], blank_key, blk_crypto_modes[crypto_mode].keysize); WARN_ON(err); slotp->crypto_mode = BLK_ENCRYPTION_MODE_INVALID; } static int blk_crypto_fallback_keyslot_program(struct blk_crypto_profile *profile, const struct blk_crypto_key *key, unsigned int slot) { struct blk_crypto_fallback_keyslot *slotp = &blk_crypto_keyslots[slot]; const enum blk_crypto_mode_num crypto_mode = key->crypto_cfg.crypto_mode; int err; if (crypto_mode != slotp->crypto_mode && slotp->crypto_mode != BLK_ENCRYPTION_MODE_INVALID) blk_crypto_fallback_evict_keyslot(slot); slotp->crypto_mode = crypto_mode; err = crypto_sync_skcipher_setkey(slotp->tfms[crypto_mode], key->bytes, key->size); if (err) { blk_crypto_fallback_evict_keyslot(slot); return err; } return 0; } static int blk_crypto_fallback_keyslot_evict(struct blk_crypto_profile *profile, const struct blk_crypto_key *key, unsigned int slot) { blk_crypto_fallback_evict_keyslot(slot); return 0; } static const struct blk_crypto_ll_ops blk_crypto_fallback_ll_ops = { .keyslot_program = blk_crypto_fallback_keyslot_program, .keyslot_evict = blk_crypto_fallback_keyslot_evict, }; static void blk_crypto_fallback_encrypt_endio(struct bio *enc_bio) { struct bio *src_bio = enc_bio->bi_private; struct page **pages = (struct page **)enc_bio->bi_io_vec; struct bio_vec *bv; unsigned int i; /* * Use the same trick as the alloc side to avoid the need for an extra * pages array. */ bio_for_each_bvec_all(bv, enc_bio, i) pages[i] = bv->bv_page; i = mempool_free_bulk(blk_crypto_bounce_page_pool, (void **)pages, enc_bio->bi_vcnt); if (i < enc_bio->bi_vcnt) release_pages(pages + i, enc_bio->bi_vcnt - i); if (enc_bio->bi_status) cmpxchg(&src_bio->bi_status, 0, enc_bio->bi_status); bio_put(enc_bio); bio_endio(src_bio); } #define PAGE_PTRS_PER_BVEC (sizeof(struct bio_vec) / sizeof(struct page *)) static struct bio *blk_crypto_alloc_enc_bio(struct bio *bio_src, unsigned int nr_segs, struct page ***pages_ret) { unsigned int memflags = memalloc_noio_save(); unsigned int nr_allocated; struct page **pages; struct bio *bio; bio = bio_alloc_bioset(bio_src->bi_bdev, nr_segs, bio_src->bi_opf, GFP_NOIO, &enc_bio_set); if (bio_flagged(bio_src, BIO_REMAPPED)) bio_set_flag(bio, BIO_REMAPPED); bio->bi_private = bio_src; bio->bi_end_io = blk_crypto_fallback_encrypt_endio; bio->bi_ioprio = bio_src->bi_ioprio; bio->bi_write_hint = bio_src->bi_write_hint; bio->bi_write_stream = bio_src->bi_write_stream; bio->bi_iter.bi_sector = bio_src->bi_iter.bi_sector; bio_clone_blkg_association(bio, bio_src); /* * Move page array up in the allocated memory for the bio vecs as far as * possible so that we can start filling biovecs from the beginning * without overwriting the temporary page array. */ static_assert(PAGE_PTRS_PER_BVEC > 1); pages = (struct page **)bio->bi_io_vec; pages += nr_segs * (PAGE_PTRS_PER_BVEC - 1); /* * Try a bulk allocation first. This could leave random pages in the * array unallocated, but we'll fix that up later in mempool_alloc_bulk. * * Note: alloc_pages_bulk needs the array to be zeroed, as it assumes * any non-zero slot already contains a valid allocation. */ memset(pages, 0, sizeof(struct page *) * nr_segs); nr_allocated = alloc_pages_bulk(GFP_KERNEL, nr_segs, pages); if (nr_allocated < nr_segs) mempool_alloc_bulk(blk_crypto_bounce_page_pool, (void **)pages, nr_segs, nr_allocated); memalloc_noio_restore(memflags); *pages_ret = pages; return bio; } static struct crypto_sync_skcipher * blk_crypto_fallback_tfm(struct blk_crypto_keyslot *slot) { const struct blk_crypto_fallback_keyslot *slotp = &blk_crypto_keyslots[blk_crypto_keyslot_index(slot)]; return slotp->tfms[slotp->crypto_mode]; } union blk_crypto_iv { __le64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE]; u8 bytes[BLK_CRYPTO_MAX_IV_SIZE]; }; static void blk_crypto_dun_to_iv(const u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE], union blk_crypto_iv *iv) { int i; for (i = 0; i < BLK_CRYPTO_DUN_ARRAY_SIZE; i++) iv->dun[i] = cpu_to_le64(dun[i]); } static void __blk_crypto_fallback_encrypt_bio(struct bio *src_bio, struct crypto_sync_skcipher *tfm) { struct bio_crypt_ctx *bc = src_bio->bi_crypt_context; int data_unit_size = bc->bc_key->crypto_cfg.data_unit_size; SYNC_SKCIPHER_REQUEST_ON_STACK(ciph_req, tfm); u64 curr_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]; struct scatterlist src, dst; union blk_crypto_iv iv; unsigned int nr_enc_pages, enc_idx; struct page **enc_pages; struct bio *enc_bio; unsigned int i; skcipher_request_set_callback(ciph_req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); memcpy(curr_dun, bc->bc_dun, sizeof(curr_dun)); sg_init_table(&src, 1); sg_init_table(&dst, 1); skcipher_request_set_crypt(ciph_req, &src, &dst, data_unit_size, iv.bytes); /* * Encrypt each page in the source bio. Because the source bio could * have bio_vecs that span more than a single page, but the encrypted * bios are limited to a single page per bio_vec, this can generate * more than a single encrypted bio per source bio. */ new_bio: nr_enc_pages = min(bio_segments(src_bio), BIO_MAX_VECS); enc_bio = blk_crypto_alloc_enc_bio(src_bio, nr_enc_pages, &enc_pages); enc_idx = 0; for (;;) { struct bio_vec src_bv = bio_iter_iovec(src_bio, src_bio->bi_iter); struct page *enc_page = enc_pages[enc_idx]; if (!IS_ALIGNED(src_bv.bv_len | src_bv.bv_offset, data_unit_size)) { enc_bio->bi_status = BLK_STS_INVAL; goto out_free_enc_bio; } __bio_add_page(enc_bio, enc_page, src_bv.bv_len, src_bv.bv_offset); sg_set_page(&src, src_bv.bv_page, data_unit_size, src_bv.bv_offset); sg_set_page(&dst, enc_page, data_unit_size, src_bv.bv_offset); /* * Increment the index now that the encrypted page is added to * the bio. This is important for the error unwind path. */ enc_idx++; /* * Encrypt each data unit in this page. */ for (i = 0; i < src_bv.bv_len; i += data_unit_size) { blk_crypto_dun_to_iv(curr_dun, &iv); if (crypto_skcipher_encrypt(ciph_req)) { enc_bio->bi_status = BLK_STS_IOERR; goto out_free_enc_bio; } bio_crypt_dun_increment(curr_dun, 1); src.offset += data_unit_size; dst.offset += data_unit_size; } bio_advance_iter_single(src_bio, &src_bio->bi_iter, src_bv.bv_len); if (!src_bio->bi_iter.bi_size) break; if (enc_idx == nr_enc_pages) { /* * For each additional encrypted bio submitted, * increment the source bio's remaining count. Each * encrypted bio's completion handler calls bio_endio on * the source bio, so this keeps the source bio from * completing until the last encrypted bio does. */ bio_inc_remaining(src_bio); submit_bio(enc_bio); goto new_bio; } } submit_bio(enc_bio); return; out_free_enc_bio: /* * Add the remaining pages to the bio so that the normal completion path * in blk_crypto_fallback_encrypt_endio frees them. The exact data * layout does not matter for that, so don't bother iterating the source * bio. */ for (; enc_idx < nr_enc_pages; enc_idx++) __bio_add_page(enc_bio, enc_pages[enc_idx], PAGE_SIZE, 0); bio_endio(enc_bio); } /* * The crypto API fallback's encryption routine. * * Allocate one or more bios for encryption, encrypt the input bio using the * crypto API, and submit the encrypted bios. Sets bio->bi_status and * completes the source bio on error */ static void blk_crypto_fallback_encrypt_bio(struct bio *src_bio) { struct bio_crypt_ctx *bc = src_bio->bi_crypt_context; struct blk_crypto_keyslot *slot; blk_status_t status; status = blk_crypto_get_keyslot(blk_crypto_fallback_profile, bc->bc_key, &slot); if (status != BLK_STS_OK) { src_bio->bi_status = status; bio_endio(src_bio); return; } __blk_crypto_fallback_encrypt_bio(src_bio, blk_crypto_fallback_tfm(slot)); blk_crypto_put_keyslot(slot); } static blk_status_t __blk_crypto_fallback_decrypt_bio(struct bio *bio, struct bio_crypt_ctx *bc, struct bvec_iter iter, struct crypto_sync_skcipher *tfm) { SYNC_SKCIPHER_REQUEST_ON_STACK(ciph_req, tfm); u64 curr_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]; union blk_crypto_iv iv; struct scatterlist sg; struct bio_vec bv; const int data_unit_size = bc->bc_key->crypto_cfg.data_unit_size; unsigned int i; skcipher_request_set_callback(ciph_req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); memcpy(curr_dun, bc->bc_dun, sizeof(curr_dun)); sg_init_table(&sg, 1); skcipher_request_set_crypt(ciph_req, &sg, &sg, data_unit_size, iv.bytes); /* Decrypt each segment in the bio */ __bio_for_each_segment(bv, bio, iter, iter) { struct page *page = bv.bv_page; if (!IS_ALIGNED(bv.bv_len | bv.bv_offset, data_unit_size)) return BLK_STS_INVAL; sg_set_page(&sg, page, data_unit_size, bv.bv_offset); /* Decrypt each data unit in the segment */ for (i = 0; i < bv.bv_len; i += data_unit_size) { blk_crypto_dun_to_iv(curr_dun, &iv); if (crypto_skcipher_decrypt(ciph_req)) return BLK_STS_IOERR; bio_crypt_dun_increment(curr_dun, 1); sg.offset += data_unit_size; } } return BLK_STS_OK; } /* * The crypto API fallback's main decryption routine. * * Decrypts input bio in place, and calls bio_endio on the bio. */ static void blk_crypto_fallback_decrypt_bio(struct work_struct *work) { struct bio_fallback_crypt_ctx *f_ctx = container_of(work, struct bio_fallback_crypt_ctx, work); struct bio *bio = f_ctx->bio; struct bio_crypt_ctx *bc = &f_ctx->crypt_ctx; struct blk_crypto_keyslot *slot; blk_status_t status; status = blk_crypto_get_keyslot(blk_crypto_fallback_profile, bc->bc_key, &slot); if (status == BLK_STS_OK) { status = __blk_crypto_fallback_decrypt_bio(bio, bc, f_ctx->crypt_iter, blk_crypto_fallback_tfm(slot)); blk_crypto_put_keyslot(slot); } mempool_free(f_ctx, bio_fallback_crypt_ctx_pool); bio->bi_status = status; bio_endio(bio); } /** * blk_crypto_fallback_decrypt_endio - queue bio for fallback decryption * * @bio: the bio to queue * * Restore bi_private and bi_end_io, and queue the bio for decryption into a * workqueue, since this function will be called from an atomic context. */ static void blk_crypto_fallback_decrypt_endio(struct bio *bio) { struct bio_fallback_crypt_ctx *f_ctx = bio->bi_private; bio->bi_private = f_ctx->bi_private_orig; bio->bi_end_io = f_ctx->bi_end_io_orig; /* If there was an IO error, don't queue for decrypt. */ if (bio->bi_status) { mempool_free(f_ctx, bio_fallback_crypt_ctx_pool); bio_endio(bio); return; } INIT_WORK(&f_ctx->work, blk_crypto_fallback_decrypt_bio); f_ctx->bio = bio; queue_work(blk_crypto_wq, &f_ctx->work); } /** * blk_crypto_fallback_bio_prep - Prepare a bio to use fallback en/decryption * @bio: bio to prepare * * If bio is doing a WRITE operation, allocate one or more bios to contain the * encrypted payload and submit them. * * For a READ operation, mark the bio for decryption by using bi_private and * bi_end_io. * * In either case, this function will make the submitted bio(s) look like * regular bios (i.e. as if no encryption context was ever specified) for the * purposes of the rest of the stack except for blk-integrity (blk-integrity and * blk-crypto are not currently supported together). * * Return: true if @bio should be submitted to the driver by the caller, else * false. Sets bio->bi_status, calls bio_endio and returns false on error. */ bool blk_crypto_fallback_bio_prep(struct bio *bio) { struct bio_crypt_ctx *bc = bio->bi_crypt_context; struct bio_fallback_crypt_ctx *f_ctx; if (WARN_ON_ONCE(!tfms_inited[bc->bc_key->crypto_cfg.crypto_mode])) { /* User didn't call blk_crypto_start_using_key() first */ bio_io_error(bio); return false; } if (!__blk_crypto_cfg_supported(blk_crypto_fallback_profile, &bc->bc_key->crypto_cfg)) { bio->bi_status = BLK_STS_NOTSUPP; bio_endio(bio); return false; } if (bio_data_dir(bio) == WRITE) { blk_crypto_fallback_encrypt_bio(bio); return false; } /* * bio READ case: Set up a f_ctx in the bio's bi_private and set the * bi_end_io appropriately to trigger decryption when the bio is ended. */ f_ctx = mempool_alloc(bio_fallback_crypt_ctx_pool, GFP_NOIO); f_ctx->crypt_ctx = *bc; f_ctx->crypt_iter = bio->bi_iter; f_ctx->bi_private_orig = bio->bi_private; f_ctx->bi_end_io_orig = bio->bi_end_io; bio->bi_private = (void *)f_ctx; bio->bi_end_io = blk_crypto_fallback_decrypt_endio; bio_crypt_free_ctx(bio); return true; } int blk_crypto_fallback_evict_key(const struct blk_crypto_key *key) { return __blk_crypto_evict_key(blk_crypto_fallback_profile, key); } static bool blk_crypto_fallback_inited; static int blk_crypto_fallback_init(void) { int i; int err; if (blk_crypto_fallback_inited) return 0; get_random_bytes(blank_key, sizeof(blank_key)); err = bioset_init(&enc_bio_set, 64, 0, BIOSET_NEED_BVECS); if (err) goto out; /* Dynamic allocation is needed because of lockdep_register_key(). */ blk_crypto_fallback_profile = kzalloc_obj(*blk_crypto_fallback_profile); if (!blk_crypto_fallback_profile) { err = -ENOMEM; goto fail_free_bioset; } err = blk_crypto_profile_init(blk_crypto_fallback_profile, blk_crypto_num_keyslots); if (err) goto fail_free_profile; err = -ENOMEM; blk_crypto_fallback_profile->ll_ops = blk_crypto_fallback_ll_ops; blk_crypto_fallback_profile->max_dun_bytes_supported = BLK_CRYPTO_MAX_IV_SIZE; blk_crypto_fallback_profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; /* All blk-crypto modes have a crypto API fallback. */ for (i = 0; i < BLK_ENCRYPTION_MODE_MAX; i++) blk_crypto_fallback_profile->modes_supported[i] = 0xFFFFFFFF; blk_crypto_fallback_profile->modes_supported[BLK_ENCRYPTION_MODE_INVALID] = 0; blk_crypto_wq = alloc_workqueue("blk_crypto_wq", WQ_UNBOUND | WQ_HIGHPRI | WQ_MEM_RECLAIM, num_online_cpus()); if (!blk_crypto_wq) goto fail_destroy_profile; blk_crypto_keyslots = kzalloc_objs(blk_crypto_keyslots[0], blk_crypto_num_keyslots); if (!blk_crypto_keyslots) goto fail_free_wq; blk_crypto_bounce_page_pool = mempool_create_page_pool(num_prealloc_bounce_pg, 0); if (!blk_crypto_bounce_page_pool) goto fail_free_keyslots; bio_fallback_crypt_ctx_cache = KMEM_CACHE(bio_fallback_crypt_ctx, 0); if (!bio_fallback_crypt_ctx_cache) goto fail_free_bounce_page_pool; bio_fallback_crypt_ctx_pool = mempool_create_slab_pool(num_prealloc_fallback_crypt_ctxs, bio_fallback_crypt_ctx_cache); if (!bio_fallback_crypt_ctx_pool) goto fail_free_crypt_ctx_cache; blk_crypto_fallback_inited = true; return 0; fail_free_crypt_ctx_cache: kmem_cache_destroy(bio_fallback_crypt_ctx_cache); fail_free_bounce_page_pool: mempool_destroy(blk_crypto_bounce_page_pool); fail_free_keyslots: kfree(blk_crypto_keyslots); fail_free_wq: destroy_workqueue(blk_crypto_wq); fail_destroy_profile: blk_crypto_profile_destroy(blk_crypto_fallback_profile); fail_free_profile: kfree(blk_crypto_fallback_profile); fail_free_bioset: bioset_exit(&enc_bio_set); out: return err; } /* * Prepare blk-crypto-fallback for the specified crypto mode. * Returns -ENOPKG if the needed crypto API support is missing. */ int blk_crypto_fallback_start_using_mode(enum blk_crypto_mode_num mode_num) { const char *cipher_str = blk_crypto_modes[mode_num].cipher_str; struct blk_crypto_fallback_keyslot *slotp; unsigned int i; int err = 0; /* * Fast path * Ensure that updates to blk_crypto_keyslots[i].tfms[mode_num] * for each i are visible before we try to access them. */ if (likely(smp_load_acquire(&tfms_inited[mode_num]))) return 0; mutex_lock(&tfms_init_lock); if (tfms_inited[mode_num]) goto out; err = blk_crypto_fallback_init(); if (err) goto out; for (i = 0; i < blk_crypto_num_keyslots; i++) { slotp = &blk_crypto_keyslots[i]; slotp->tfms[mode_num] = crypto_alloc_sync_skcipher(cipher_str, 0, 0); if (IS_ERR(slotp->tfms[mode_num])) { err = PTR_ERR(slotp->tfms[mode_num]); if (err == -ENOENT) { pr_warn_once("Missing crypto API support for \"%s\"\n", cipher_str); err = -ENOPKG; } slotp->tfms[mode_num] = NULL; goto out_free_tfms; } crypto_sync_skcipher_set_flags(slotp->tfms[mode_num], CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); } /* * Ensure that updates to blk_crypto_keyslots[i].tfms[mode_num] * for each i are visible before we set tfms_inited[mode_num]. */ smp_store_release(&tfms_inited[mode_num], true); goto out; out_free_tfms: for (i = 0; i < blk_crypto_num_keyslots; i++) { slotp = &blk_crypto_keyslots[i]; crypto_free_sync_skcipher(slotp->tfms[mode_num]); slotp->tfms[mode_num] = NULL; } out: mutex_unlock(&tfms_init_lock); return err; }