1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright 2019 Google LLC 4 */ 5 6 /* 7 * Refer to Documentation/block/inline-encryption.rst for detailed explanation. 8 */ 9 10 #define pr_fmt(fmt) "blk-crypto: " fmt 11 12 #include <linux/bio.h> 13 #include <linux/blkdev.h> 14 #include <linux/blk-crypto-profile.h> 15 #include <linux/module.h> 16 #include <linux/ratelimit.h> 17 #include <linux/slab.h> 18 19 #include "blk-crypto-internal.h" 20 21 const struct blk_crypto_mode blk_crypto_modes[] = { 22 [BLK_ENCRYPTION_MODE_AES_256_XTS] = { 23 .name = "AES-256-XTS", 24 .cipher_str = "xts(aes)", 25 .keysize = 64, 26 .security_strength = 32, 27 .ivsize = 16, 28 }, 29 [BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV] = { 30 .name = "AES-128-CBC-ESSIV", 31 .cipher_str = "essiv(cbc(aes),sha256)", 32 .keysize = 16, 33 .security_strength = 16, 34 .ivsize = 16, 35 }, 36 [BLK_ENCRYPTION_MODE_ADIANTUM] = { 37 .name = "Adiantum", 38 .cipher_str = "adiantum(xchacha12,aes)", 39 .keysize = 32, 40 .security_strength = 32, 41 .ivsize = 32, 42 }, 43 [BLK_ENCRYPTION_MODE_SM4_XTS] = { 44 .name = "SM4-XTS", 45 .cipher_str = "xts(sm4)", 46 .keysize = 32, 47 .security_strength = 16, 48 .ivsize = 16, 49 }, 50 }; 51 52 /* 53 * This number needs to be at least (the number of threads doing IO 54 * concurrently) * (maximum recursive depth of a bio), so that we don't 55 * deadlock on crypt_ctx allocations. The default is chosen to be the same 56 * as the default number of post read contexts in both EXT4 and F2FS. 57 */ 58 static int num_prealloc_crypt_ctxs = 128; 59 60 module_param(num_prealloc_crypt_ctxs, int, 0444); 61 MODULE_PARM_DESC(num_prealloc_crypt_ctxs, 62 "Number of bio crypto contexts to preallocate"); 63 64 static struct kmem_cache *bio_crypt_ctx_cache; 65 static mempool_t *bio_crypt_ctx_pool; 66 67 static int __init bio_crypt_ctx_init(void) 68 { 69 size_t i; 70 71 bio_crypt_ctx_cache = KMEM_CACHE(bio_crypt_ctx, 0); 72 if (!bio_crypt_ctx_cache) 73 goto out_no_mem; 74 75 bio_crypt_ctx_pool = mempool_create_slab_pool(num_prealloc_crypt_ctxs, 76 bio_crypt_ctx_cache); 77 if (!bio_crypt_ctx_pool) 78 goto out_no_mem; 79 80 /* This is assumed in various places. */ 81 BUILD_BUG_ON(BLK_ENCRYPTION_MODE_INVALID != 0); 82 83 /* 84 * Validate the crypto mode properties. This ideally would be done with 85 * static assertions, but boot-time checks are the next best thing. 86 */ 87 for (i = 0; i < BLK_ENCRYPTION_MODE_MAX; i++) { 88 BUG_ON(blk_crypto_modes[i].keysize > 89 BLK_CRYPTO_MAX_RAW_KEY_SIZE); 90 BUG_ON(blk_crypto_modes[i].security_strength > 91 blk_crypto_modes[i].keysize); 92 BUG_ON(blk_crypto_modes[i].ivsize > BLK_CRYPTO_MAX_IV_SIZE); 93 } 94 95 return 0; 96 out_no_mem: 97 panic("Failed to allocate mem for bio crypt ctxs\n"); 98 } 99 subsys_initcall(bio_crypt_ctx_init); 100 101 void bio_crypt_set_ctx(struct bio *bio, const struct blk_crypto_key *key, 102 const u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE], gfp_t gfp_mask) 103 { 104 struct bio_crypt_ctx *bc; 105 106 /* 107 * The caller must use a gfp_mask that contains __GFP_DIRECT_RECLAIM so 108 * that the mempool_alloc() can't fail. 109 */ 110 WARN_ON_ONCE(!(gfp_mask & __GFP_DIRECT_RECLAIM)); 111 112 bc = mempool_alloc(bio_crypt_ctx_pool, gfp_mask); 113 114 bc->bc_key = key; 115 memcpy(bc->bc_dun, dun, sizeof(bc->bc_dun)); 116 117 bio->bi_crypt_context = bc; 118 } 119 120 void __bio_crypt_free_ctx(struct bio *bio) 121 { 122 mempool_free(bio->bi_crypt_context, bio_crypt_ctx_pool); 123 bio->bi_crypt_context = NULL; 124 } 125 126 int __bio_crypt_clone(struct bio *dst, struct bio *src, gfp_t gfp_mask) 127 { 128 dst->bi_crypt_context = mempool_alloc(bio_crypt_ctx_pool, gfp_mask); 129 if (!dst->bi_crypt_context) 130 return -ENOMEM; 131 *dst->bi_crypt_context = *src->bi_crypt_context; 132 return 0; 133 } 134 135 /* Increments @dun by @inc, treating @dun as a multi-limb integer. */ 136 void bio_crypt_dun_increment(u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE], 137 unsigned int inc) 138 { 139 int i; 140 141 for (i = 0; inc && i < BLK_CRYPTO_DUN_ARRAY_SIZE; i++) { 142 dun[i] += inc; 143 /* 144 * If the addition in this limb overflowed, then we need to 145 * carry 1 into the next limb. Else the carry is 0. 146 */ 147 if (dun[i] < inc) 148 inc = 1; 149 else 150 inc = 0; 151 } 152 } 153 154 void __bio_crypt_advance(struct bio *bio, unsigned int bytes) 155 { 156 struct bio_crypt_ctx *bc = bio->bi_crypt_context; 157 158 bio_crypt_dun_increment(bc->bc_dun, 159 bytes >> bc->bc_key->data_unit_size_bits); 160 } 161 162 /* 163 * Returns true if @bc->bc_dun plus @bytes converted to data units is equal to 164 * @next_dun, treating the DUNs as multi-limb integers. 165 */ 166 bool bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx *bc, 167 unsigned int bytes, 168 const u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]) 169 { 170 int i; 171 unsigned int carry = bytes >> bc->bc_key->data_unit_size_bits; 172 173 for (i = 0; i < BLK_CRYPTO_DUN_ARRAY_SIZE; i++) { 174 if (bc->bc_dun[i] + carry != next_dun[i]) 175 return false; 176 /* 177 * If the addition in this limb overflowed, then we need to 178 * carry 1 into the next limb. Else the carry is 0. 179 */ 180 if ((bc->bc_dun[i] + carry) < carry) 181 carry = 1; 182 else 183 carry = 0; 184 } 185 186 /* If the DUN wrapped through 0, don't treat it as contiguous. */ 187 return carry == 0; 188 } 189 190 /* 191 * Checks that two bio crypt contexts are compatible - i.e. that 192 * they are mergeable except for data_unit_num continuity. 193 */ 194 static bool bio_crypt_ctx_compatible(struct bio_crypt_ctx *bc1, 195 struct bio_crypt_ctx *bc2) 196 { 197 if (!bc1) 198 return !bc2; 199 200 return bc2 && bc1->bc_key == bc2->bc_key; 201 } 202 203 bool bio_crypt_rq_ctx_compatible(struct request *rq, struct bio *bio) 204 { 205 return bio_crypt_ctx_compatible(rq->crypt_ctx, bio->bi_crypt_context); 206 } 207 208 /* 209 * Checks that two bio crypt contexts are compatible, and also 210 * that their data_unit_nums are continuous (and can hence be merged) 211 * in the order @bc1 followed by @bc2. 212 */ 213 bool bio_crypt_ctx_mergeable(struct bio_crypt_ctx *bc1, unsigned int bc1_bytes, 214 struct bio_crypt_ctx *bc2) 215 { 216 if (!bio_crypt_ctx_compatible(bc1, bc2)) 217 return false; 218 219 return !bc1 || bio_crypt_dun_is_contiguous(bc1, bc1_bytes, bc2->bc_dun); 220 } 221 222 blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq) 223 { 224 return blk_crypto_get_keyslot(rq->q->crypto_profile, 225 rq->crypt_ctx->bc_key, 226 &rq->crypt_keyslot); 227 } 228 229 void __blk_crypto_rq_put_keyslot(struct request *rq) 230 { 231 blk_crypto_put_keyslot(rq->crypt_keyslot); 232 rq->crypt_keyslot = NULL; 233 } 234 235 void __blk_crypto_free_request(struct request *rq) 236 { 237 /* The keyslot, if one was needed, should have been released earlier. */ 238 if (WARN_ON_ONCE(rq->crypt_keyslot)) 239 __blk_crypto_rq_put_keyslot(rq); 240 241 mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool); 242 rq->crypt_ctx = NULL; 243 } 244 245 /* 246 * Process a bio with a crypto context. Returns true if the caller should 247 * submit the passed in bio, false if the bio is consumed. 248 * 249 * See the kerneldoc comment for blk_crypto_submit_bio for further details. 250 */ 251 bool __blk_crypto_submit_bio(struct bio *bio) 252 { 253 const struct blk_crypto_key *bc_key = bio->bi_crypt_context->bc_key; 254 struct block_device *bdev = bio->bi_bdev; 255 256 /* Error if bio has no data. */ 257 if (WARN_ON_ONCE(!bio_has_data(bio))) { 258 bio_io_error(bio); 259 return false; 260 } 261 262 /* 263 * If the device does not natively support the encryption context, try to use 264 * the fallback if available. 265 */ 266 if (!blk_crypto_config_supported_natively(bdev, &bc_key->crypto_cfg)) { 267 if (!IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK)) { 268 pr_warn_once("%pg: crypto API fallback disabled; failing request.\n", 269 bdev); 270 bio_endio_status(bio, BLK_STS_NOTSUPP); 271 return false; 272 } 273 return blk_crypto_fallback_bio_prep(bio); 274 } 275 276 return true; 277 } 278 EXPORT_SYMBOL_GPL(__blk_crypto_submit_bio); 279 280 int __blk_crypto_rq_bio_prep(struct request *rq, struct bio *bio, 281 gfp_t gfp_mask) 282 { 283 if (!rq->crypt_ctx) { 284 rq->crypt_ctx = mempool_alloc(bio_crypt_ctx_pool, gfp_mask); 285 if (!rq->crypt_ctx) 286 return -ENOMEM; 287 } 288 *rq->crypt_ctx = *bio->bi_crypt_context; 289 return 0; 290 } 291 292 /** 293 * blk_crypto_init_key() - Prepare a key for use with blk-crypto 294 * @blk_key: Pointer to the blk_crypto_key to initialize. 295 * @key_bytes: the bytes of the key 296 * @key_size: size of the key in bytes 297 * @key_type: type of the key -- either raw or hardware-wrapped 298 * @crypto_mode: identifier for the encryption algorithm to use 299 * @dun_bytes: number of bytes that will be used to specify the DUN when this 300 * key is used 301 * @data_unit_size: the data unit size to use for en/decryption 302 * 303 * Return: 0 on success, -errno on failure. The caller is responsible for 304 * zeroizing both blk_key and key_bytes when done with them. 305 */ 306 int blk_crypto_init_key(struct blk_crypto_key *blk_key, 307 const u8 *key_bytes, size_t key_size, 308 enum blk_crypto_key_type key_type, 309 enum blk_crypto_mode_num crypto_mode, 310 unsigned int dun_bytes, 311 unsigned int data_unit_size) 312 { 313 const struct blk_crypto_mode *mode; 314 315 memset(blk_key, 0, sizeof(*blk_key)); 316 317 if (crypto_mode >= ARRAY_SIZE(blk_crypto_modes)) 318 return -EINVAL; 319 320 mode = &blk_crypto_modes[crypto_mode]; 321 switch (key_type) { 322 case BLK_CRYPTO_KEY_TYPE_RAW: 323 if (key_size != mode->keysize) 324 return -EINVAL; 325 break; 326 case BLK_CRYPTO_KEY_TYPE_HW_WRAPPED: 327 if (key_size < mode->security_strength || 328 key_size > BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE) 329 return -EINVAL; 330 break; 331 default: 332 return -EINVAL; 333 } 334 335 if (dun_bytes == 0 || dun_bytes > mode->ivsize) 336 return -EINVAL; 337 338 if (!is_power_of_2(data_unit_size)) 339 return -EINVAL; 340 341 blk_key->crypto_cfg.crypto_mode = crypto_mode; 342 blk_key->crypto_cfg.dun_bytes = dun_bytes; 343 blk_key->crypto_cfg.data_unit_size = data_unit_size; 344 blk_key->crypto_cfg.key_type = key_type; 345 blk_key->data_unit_size_bits = ilog2(data_unit_size); 346 blk_key->size = key_size; 347 memcpy(blk_key->bytes, key_bytes, key_size); 348 349 return 0; 350 } 351 352 bool blk_crypto_config_supported_natively(struct block_device *bdev, 353 const struct blk_crypto_config *cfg) 354 { 355 return __blk_crypto_cfg_supported(bdev_get_queue(bdev)->crypto_profile, 356 cfg); 357 } 358 359 /* 360 * Check if bios with @cfg can be en/decrypted by blk-crypto (i.e. either the 361 * block_device it's submitted to supports inline crypto, or the 362 * blk-crypto-fallback is enabled and supports the cfg). 363 */ 364 bool blk_crypto_config_supported(struct block_device *bdev, 365 const struct blk_crypto_config *cfg) 366 { 367 if (IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) && 368 cfg->key_type == BLK_CRYPTO_KEY_TYPE_RAW) 369 return true; 370 return blk_crypto_config_supported_natively(bdev, cfg); 371 } 372 373 /** 374 * blk_crypto_start_using_key() - Start using a blk_crypto_key on a device 375 * @bdev: block device to operate on 376 * @key: A key to use on the device 377 * 378 * Upper layers must call this function to ensure that either the hardware 379 * supports the key's crypto settings, or the crypto API fallback has transforms 380 * for the needed mode allocated and ready to go. This function may allocate 381 * an skcipher, and *should not* be called from the data path, since that might 382 * cause a deadlock 383 * 384 * Return: 0 on success; -EOPNOTSUPP if the key is wrapped but the hardware does 385 * not support wrapped keys; -ENOPKG if the key is a raw key but the 386 * hardware does not support raw keys and blk-crypto-fallback is either 387 * disabled or the needed algorithm is disabled in the crypto API; or 388 * another -errno code if something else went wrong. 389 */ 390 int blk_crypto_start_using_key(struct block_device *bdev, 391 const struct blk_crypto_key *key) 392 { 393 if (blk_crypto_config_supported_natively(bdev, &key->crypto_cfg)) 394 return 0; 395 if (key->crypto_cfg.key_type != BLK_CRYPTO_KEY_TYPE_RAW) { 396 pr_warn_ratelimited("%pg: no support for wrapped keys\n", bdev); 397 return -EOPNOTSUPP; 398 } 399 return blk_crypto_fallback_start_using_mode(key->crypto_cfg.crypto_mode); 400 } 401 402 /** 403 * blk_crypto_evict_key() - Evict a blk_crypto_key from a block_device 404 * @bdev: a block_device on which I/O using the key may have been done 405 * @key: the key to evict 406 * 407 * For a given block_device, this function removes the given blk_crypto_key from 408 * the keyslot management structures and evicts it from any underlying hardware 409 * keyslot(s) or blk-crypto-fallback keyslot it may have been programmed into. 410 * 411 * Upper layers must call this before freeing the blk_crypto_key. It must be 412 * called for every block_device the key may have been used on. The key must no 413 * longer be in use by any I/O when this function is called. 414 * 415 * Context: May sleep. 416 */ 417 void blk_crypto_evict_key(struct block_device *bdev, 418 const struct blk_crypto_key *key) 419 { 420 struct request_queue *q = bdev_get_queue(bdev); 421 int err; 422 423 if (blk_crypto_config_supported_natively(bdev, &key->crypto_cfg)) 424 err = __blk_crypto_evict_key(q->crypto_profile, key); 425 else 426 err = blk_crypto_fallback_evict_key(key); 427 /* 428 * An error can only occur here if the key failed to be evicted from a 429 * keyslot (due to a hardware or driver issue) or is allegedly still in 430 * use by I/O (due to a kernel bug). Even in these cases, the key is 431 * still unlinked from the keyslot management structures, and the caller 432 * is allowed and expected to free it right away. There's nothing 433 * callers can do to handle errors, so just log them and return void. 434 */ 435 if (err) 436 pr_warn_ratelimited("%pg: error %d evicting key\n", bdev, err); 437 } 438 EXPORT_SYMBOL_GPL(blk_crypto_evict_key); 439 440 static int blk_crypto_ioctl_import_key(struct blk_crypto_profile *profile, 441 void __user *argp) 442 { 443 struct blk_crypto_import_key_arg arg; 444 u8 raw_key[BLK_CRYPTO_MAX_RAW_KEY_SIZE]; 445 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]; 446 int ret; 447 448 if (copy_from_user(&arg, argp, sizeof(arg))) 449 return -EFAULT; 450 451 if (memchr_inv(arg.reserved, 0, sizeof(arg.reserved))) 452 return -EINVAL; 453 454 if (arg.raw_key_size < 16 || arg.raw_key_size > sizeof(raw_key)) 455 return -EINVAL; 456 457 if (copy_from_user(raw_key, u64_to_user_ptr(arg.raw_key_ptr), 458 arg.raw_key_size)) { 459 ret = -EFAULT; 460 goto out; 461 } 462 ret = blk_crypto_import_key(profile, raw_key, arg.raw_key_size, lt_key); 463 if (ret < 0) 464 goto out; 465 if (ret > arg.lt_key_size) { 466 ret = -EOVERFLOW; 467 goto out; 468 } 469 arg.lt_key_size = ret; 470 if (copy_to_user(u64_to_user_ptr(arg.lt_key_ptr), lt_key, 471 arg.lt_key_size) || 472 copy_to_user(argp, &arg, sizeof(arg))) { 473 ret = -EFAULT; 474 goto out; 475 } 476 ret = 0; 477 478 out: 479 memzero_explicit(raw_key, sizeof(raw_key)); 480 memzero_explicit(lt_key, sizeof(lt_key)); 481 return ret; 482 } 483 484 static int blk_crypto_ioctl_generate_key(struct blk_crypto_profile *profile, 485 void __user *argp) 486 { 487 struct blk_crypto_generate_key_arg arg; 488 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]; 489 int ret; 490 491 if (copy_from_user(&arg, argp, sizeof(arg))) 492 return -EFAULT; 493 494 if (memchr_inv(arg.reserved, 0, sizeof(arg.reserved))) 495 return -EINVAL; 496 497 ret = blk_crypto_generate_key(profile, lt_key); 498 if (ret < 0) 499 goto out; 500 if (ret > arg.lt_key_size) { 501 ret = -EOVERFLOW; 502 goto out; 503 } 504 arg.lt_key_size = ret; 505 if (copy_to_user(u64_to_user_ptr(arg.lt_key_ptr), lt_key, 506 arg.lt_key_size) || 507 copy_to_user(argp, &arg, sizeof(arg))) { 508 ret = -EFAULT; 509 goto out; 510 } 511 ret = 0; 512 513 out: 514 memzero_explicit(lt_key, sizeof(lt_key)); 515 return ret; 516 } 517 518 static int blk_crypto_ioctl_prepare_key(struct blk_crypto_profile *profile, 519 void __user *argp) 520 { 521 struct blk_crypto_prepare_key_arg arg; 522 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]; 523 u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]; 524 int ret; 525 526 if (copy_from_user(&arg, argp, sizeof(arg))) 527 return -EFAULT; 528 529 if (memchr_inv(arg.reserved, 0, sizeof(arg.reserved))) 530 return -EINVAL; 531 532 if (arg.lt_key_size > sizeof(lt_key)) 533 return -EINVAL; 534 535 if (copy_from_user(lt_key, u64_to_user_ptr(arg.lt_key_ptr), 536 arg.lt_key_size)) { 537 ret = -EFAULT; 538 goto out; 539 } 540 ret = blk_crypto_prepare_key(profile, lt_key, arg.lt_key_size, eph_key); 541 if (ret < 0) 542 goto out; 543 if (ret > arg.eph_key_size) { 544 ret = -EOVERFLOW; 545 goto out; 546 } 547 arg.eph_key_size = ret; 548 if (copy_to_user(u64_to_user_ptr(arg.eph_key_ptr), eph_key, 549 arg.eph_key_size) || 550 copy_to_user(argp, &arg, sizeof(arg))) { 551 ret = -EFAULT; 552 goto out; 553 } 554 ret = 0; 555 556 out: 557 memzero_explicit(lt_key, sizeof(lt_key)); 558 memzero_explicit(eph_key, sizeof(eph_key)); 559 return ret; 560 } 561 562 int blk_crypto_ioctl(struct block_device *bdev, unsigned int cmd, 563 void __user *argp) 564 { 565 struct blk_crypto_profile *profile = 566 bdev_get_queue(bdev)->crypto_profile; 567 568 if (!profile) 569 return -EOPNOTSUPP; 570 571 switch (cmd) { 572 case BLKCRYPTOIMPORTKEY: 573 return blk_crypto_ioctl_import_key(profile, argp); 574 case BLKCRYPTOGENERATEKEY: 575 return blk_crypto_ioctl_generate_key(profile, argp); 576 case BLKCRYPTOPREPAREKEY: 577 return blk_crypto_ioctl_prepare_key(profile, argp); 578 default: 579 return -ENOTTY; 580 } 581 } 582