1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Copyright 2019 Google LLC
4 */
5
6 #ifndef __LINUX_BLK_CRYPTO_H
7 #define __LINUX_BLK_CRYPTO_H
8
9 #include <linux/minmax.h>
10 #include <linux/types.h>
11 #include <uapi/linux/blk-crypto.h>
12
13 enum blk_crypto_mode_num {
14 BLK_ENCRYPTION_MODE_INVALID,
15 BLK_ENCRYPTION_MODE_AES_256_XTS,
16 BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
17 BLK_ENCRYPTION_MODE_ADIANTUM,
18 BLK_ENCRYPTION_MODE_SM4_XTS,
19 BLK_ENCRYPTION_MODE_MAX,
20 };
21
22 /*
23 * Supported types of keys. Must be bitflags due to their use in
24 * blk_crypto_profile::key_types_supported.
25 */
26 enum blk_crypto_key_type {
27 /*
28 * Raw keys (i.e. "software keys"). These keys are simply kept in raw,
29 * plaintext form in kernel memory.
30 */
31 BLK_CRYPTO_KEY_TYPE_RAW = 0x1,
32
33 /*
34 * Hardware-wrapped keys. These keys are only present in kernel memory
35 * in ephemerally-wrapped form, and they can only be unwrapped by
36 * dedicated hardware. For details, see the "Hardware-wrapped keys"
37 * section of Documentation/block/inline-encryption.rst.
38 */
39 BLK_CRYPTO_KEY_TYPE_HW_WRAPPED = 0x2,
40 };
41
42 /*
43 * Currently the maximum raw key size is 64 bytes, as that is the key size of
44 * BLK_ENCRYPTION_MODE_AES_256_XTS which takes the longest key.
45 *
46 * The maximum hardware-wrapped key size depends on the hardware's key wrapping
47 * algorithm, which is a hardware implementation detail, so it isn't precisely
48 * specified. But currently 128 bytes is plenty in practice. Implementations
49 * are recommended to wrap a 32-byte key for the hardware KDF with AES-256-GCM,
50 * which should result in a size closer to 64 bytes than 128.
51 *
52 * Both of these values can trivially be increased if ever needed.
53 */
54 #define BLK_CRYPTO_MAX_RAW_KEY_SIZE 64
55 #define BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE 128
56
57 #define BLK_CRYPTO_MAX_ANY_KEY_SIZE \
58 MAX(BLK_CRYPTO_MAX_RAW_KEY_SIZE, BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE)
59
60 /*
61 * Size of the "software secret" which can be derived from a hardware-wrapped
62 * key. This is currently always 32 bytes. Note, the choice of 32 bytes
63 * assumes that the software secret is only used directly for algorithms that
64 * don't require more than a 256-bit key to get the desired security strength.
65 * If it were to be used e.g. directly as an AES-256-XTS key, then this would
66 * need to be increased (which is possible if hardware supports it, but care
67 * would need to be taken to avoid breaking users who need exactly 32 bytes).
68 */
69 #define BLK_CRYPTO_SW_SECRET_SIZE 32
70
71 /**
72 * struct blk_crypto_config - an inline encryption key's crypto configuration
73 * @crypto_mode: encryption algorithm this key is for
74 * @data_unit_size: the data unit size for all encryption/decryptions with this
75 * key. This is the size in bytes of each individual plaintext and
76 * ciphertext. This is always a power of 2. It might be e.g. the
77 * filesystem block size or the disk sector size.
78 * @dun_bytes: the maximum number of bytes of DUN used when using this key
79 * @key_type: the type of this key -- either raw or hardware-wrapped
80 */
81 struct blk_crypto_config {
82 enum blk_crypto_mode_num crypto_mode;
83 unsigned int data_unit_size;
84 unsigned int dun_bytes;
85 enum blk_crypto_key_type key_type;
86 };
87
88 /**
89 * struct blk_crypto_key - an inline encryption key
90 * @crypto_cfg: the crypto mode, data unit size, key type, and other
91 * characteristics of this key and how it will be used
92 * @data_unit_size_bits: log2 of data_unit_size
93 * @size: size of this key in bytes. The size of a raw key is fixed for a given
94 * crypto mode, but the size of a hardware-wrapped key can vary.
95 * @bytes: the bytes of this key. Only the first @size bytes are significant.
96 *
97 * A blk_crypto_key is immutable once created, and many bios can reference it at
98 * the same time. It must not be freed until all bios using it have completed
99 * and it has been evicted from all devices on which it may have been used.
100 */
101 struct blk_crypto_key {
102 struct blk_crypto_config crypto_cfg;
103 unsigned int data_unit_size_bits;
104 unsigned int size;
105 u8 bytes[BLK_CRYPTO_MAX_ANY_KEY_SIZE];
106 };
107
108 #define BLK_CRYPTO_MAX_IV_SIZE 32
109 #define BLK_CRYPTO_DUN_ARRAY_SIZE (BLK_CRYPTO_MAX_IV_SIZE / sizeof(u64))
110
111 /**
112 * struct bio_crypt_ctx - an inline encryption context
113 * @bc_key: the key, algorithm, and data unit size to use
114 * @bc_dun: the data unit number (starting IV) to use
115 *
116 * A bio_crypt_ctx specifies that the contents of the bio will be encrypted (for
117 * write requests) or decrypted (for read requests) inline by the storage device
118 * or controller, or by the crypto API fallback.
119 */
120 struct bio_crypt_ctx {
121 const struct blk_crypto_key *bc_key;
122 u64 bc_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
123 };
124
125 #include <linux/blk_types.h>
126 #include <linux/blkdev.h>
127
128 #ifdef CONFIG_BLK_INLINE_ENCRYPTION
129
bio_has_crypt_ctx(struct bio * bio)130 static inline bool bio_has_crypt_ctx(struct bio *bio)
131 {
132 return bio->bi_crypt_context;
133 }
134
135 void bio_crypt_set_ctx(struct bio *bio, const struct blk_crypto_key *key,
136 const u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],
137 gfp_t gfp_mask);
138
139 bool bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx *bc,
140 unsigned int bytes,
141 const u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]);
142
143 int blk_crypto_init_key(struct blk_crypto_key *blk_key,
144 const u8 *key_bytes, size_t key_size,
145 enum blk_crypto_key_type key_type,
146 enum blk_crypto_mode_num crypto_mode,
147 unsigned int dun_bytes,
148 unsigned int data_unit_size);
149
150 int blk_crypto_start_using_key(struct block_device *bdev,
151 const struct blk_crypto_key *key);
152
153 void blk_crypto_evict_key(struct block_device *bdev,
154 const struct blk_crypto_key *key);
155
156 bool blk_crypto_config_supported_natively(struct block_device *bdev,
157 const struct blk_crypto_config *cfg);
158 bool blk_crypto_config_supported(struct block_device *bdev,
159 const struct blk_crypto_config *cfg);
160
161 int blk_crypto_derive_sw_secret(struct block_device *bdev,
162 const u8 *eph_key, size_t eph_key_size,
163 u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
164
165 #else /* CONFIG_BLK_INLINE_ENCRYPTION */
166
bio_has_crypt_ctx(struct bio * bio)167 static inline bool bio_has_crypt_ctx(struct bio *bio)
168 {
169 return false;
170 }
171
172 #endif /* CONFIG_BLK_INLINE_ENCRYPTION */
173
174 int __bio_crypt_clone(struct bio *dst, struct bio *src, gfp_t gfp_mask);
175 /**
176 * bio_crypt_clone - clone bio encryption context
177 * @dst: destination bio
178 * @src: source bio
179 * @gfp_mask: memory allocation flags
180 *
181 * If @src has an encryption context, clone it to @dst.
182 *
183 * Return: 0 on success, -ENOMEM if out of memory. -ENOMEM is only possible if
184 * @gfp_mask doesn't include %__GFP_DIRECT_RECLAIM.
185 */
bio_crypt_clone(struct bio * dst,struct bio * src,gfp_t gfp_mask)186 static inline int bio_crypt_clone(struct bio *dst, struct bio *src,
187 gfp_t gfp_mask)
188 {
189 if (bio_has_crypt_ctx(src))
190 return __bio_crypt_clone(dst, src, gfp_mask);
191 return 0;
192 }
193
194 #endif /* __LINUX_BLK_CRYPTO_H */
195