1 // SPDX-License-Identifier: GPL-2.0 2 #include "bcachefs.h" 3 #include "checksum.h" 4 #include "errcode.h" 5 #include "super.h" 6 #include "super-io.h" 7 8 #include <linux/crc32c.h> 9 #include <linux/crypto.h> 10 #include <linux/xxhash.h> 11 #include <linux/key.h> 12 #include <linux/random.h> 13 #include <linux/scatterlist.h> 14 #include <crypto/algapi.h> 15 #include <crypto/chacha.h> 16 #include <crypto/hash.h> 17 #include <crypto/poly1305.h> 18 #include <crypto/skcipher.h> 19 #include <keys/user-type.h> 20 21 /* 22 * bch2_checksum state is an abstraction of the checksum state calculated over different pages. 23 * it features page merging without having the checksum algorithm lose its state. 24 * for native checksum aglorithms (like crc), a default seed value will do. 25 * for hash-like algorithms, a state needs to be stored 26 */ 27 28 struct bch2_checksum_state { 29 union { 30 u64 seed; 31 struct xxh64_state h64state; 32 }; 33 unsigned int type; 34 }; 35 36 static void bch2_checksum_init(struct bch2_checksum_state *state) 37 { 38 switch (state->type) { 39 case BCH_CSUM_none: 40 case BCH_CSUM_crc32c: 41 case BCH_CSUM_crc64: 42 state->seed = 0; 43 break; 44 case BCH_CSUM_crc32c_nonzero: 45 state->seed = U32_MAX; 46 break; 47 case BCH_CSUM_crc64_nonzero: 48 state->seed = U64_MAX; 49 break; 50 case BCH_CSUM_xxhash: 51 xxh64_reset(&state->h64state, 0); 52 break; 53 default: 54 BUG(); 55 } 56 } 57 58 static u64 bch2_checksum_final(const struct bch2_checksum_state *state) 59 { 60 switch (state->type) { 61 case BCH_CSUM_none: 62 case BCH_CSUM_crc32c: 63 case BCH_CSUM_crc64: 64 return state->seed; 65 case BCH_CSUM_crc32c_nonzero: 66 return state->seed ^ U32_MAX; 67 case BCH_CSUM_crc64_nonzero: 68 return state->seed ^ U64_MAX; 69 case BCH_CSUM_xxhash: 70 return xxh64_digest(&state->h64state); 71 default: 72 BUG(); 73 } 74 } 75 76 static void bch2_checksum_update(struct bch2_checksum_state *state, const void *data, size_t len) 77 { 78 switch (state->type) { 79 case BCH_CSUM_none: 80 return; 81 case BCH_CSUM_crc32c_nonzero: 82 case BCH_CSUM_crc32c: 83 state->seed = crc32c(state->seed, data, len); 84 break; 85 case BCH_CSUM_crc64_nonzero: 86 case BCH_CSUM_crc64: 87 state->seed = crc64_be(state->seed, data, len); 88 break; 89 case BCH_CSUM_xxhash: 90 xxh64_update(&state->h64state, data, len); 91 break; 92 default: 93 BUG(); 94 } 95 } 96 97 static inline int do_encrypt_sg(struct crypto_sync_skcipher *tfm, 98 struct nonce nonce, 99 struct scatterlist *sg, size_t len) 100 { 101 SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm); 102 int ret; 103 104 skcipher_request_set_sync_tfm(req, tfm); 105 skcipher_request_set_callback(req, 0, NULL, NULL); 106 skcipher_request_set_crypt(req, sg, sg, len, nonce.d); 107 108 ret = crypto_skcipher_encrypt(req); 109 if (ret) 110 pr_err("got error %i from crypto_skcipher_encrypt()", ret); 111 112 return ret; 113 } 114 115 static inline int do_encrypt(struct crypto_sync_skcipher *tfm, 116 struct nonce nonce, 117 void *buf, size_t len) 118 { 119 if (!is_vmalloc_addr(buf)) { 120 struct scatterlist sg; 121 122 sg_init_table(&sg, 1); 123 sg_set_page(&sg, 124 is_vmalloc_addr(buf) 125 ? vmalloc_to_page(buf) 126 : virt_to_page(buf), 127 len, offset_in_page(buf)); 128 return do_encrypt_sg(tfm, nonce, &sg, len); 129 } else { 130 unsigned pages = buf_pages(buf, len); 131 struct scatterlist *sg; 132 size_t orig_len = len; 133 int ret, i; 134 135 sg = kmalloc_array(pages, sizeof(*sg), GFP_KERNEL); 136 if (!sg) 137 return -BCH_ERR_ENOMEM_do_encrypt; 138 139 sg_init_table(sg, pages); 140 141 for (i = 0; i < pages; i++) { 142 unsigned offset = offset_in_page(buf); 143 unsigned pg_len = min_t(size_t, len, PAGE_SIZE - offset); 144 145 sg_set_page(sg + i, vmalloc_to_page(buf), pg_len, offset); 146 buf += pg_len; 147 len -= pg_len; 148 } 149 150 ret = do_encrypt_sg(tfm, nonce, sg, orig_len); 151 kfree(sg); 152 return ret; 153 } 154 } 155 156 int bch2_chacha_encrypt_key(struct bch_key *key, struct nonce nonce, 157 void *buf, size_t len) 158 { 159 struct crypto_sync_skcipher *chacha20 = 160 crypto_alloc_sync_skcipher("chacha20", 0, 0); 161 int ret; 162 163 ret = PTR_ERR_OR_ZERO(chacha20); 164 if (ret) { 165 pr_err("error requesting chacha20 cipher: %s", bch2_err_str(ret)); 166 return ret; 167 } 168 169 ret = crypto_skcipher_setkey(&chacha20->base, 170 (void *) key, sizeof(*key)); 171 if (ret) { 172 pr_err("error from crypto_skcipher_setkey(): %s", bch2_err_str(ret)); 173 goto err; 174 } 175 176 ret = do_encrypt(chacha20, nonce, buf, len); 177 err: 178 crypto_free_sync_skcipher(chacha20); 179 return ret; 180 } 181 182 static int gen_poly_key(struct bch_fs *c, struct shash_desc *desc, 183 struct nonce nonce) 184 { 185 u8 key[POLY1305_KEY_SIZE]; 186 int ret; 187 188 nonce.d[3] ^= BCH_NONCE_POLY; 189 190 memset(key, 0, sizeof(key)); 191 ret = do_encrypt(c->chacha20, nonce, key, sizeof(key)); 192 if (ret) 193 return ret; 194 195 desc->tfm = c->poly1305; 196 crypto_shash_init(desc); 197 crypto_shash_update(desc, key, sizeof(key)); 198 return 0; 199 } 200 201 struct bch_csum bch2_checksum(struct bch_fs *c, unsigned type, 202 struct nonce nonce, const void *data, size_t len) 203 { 204 switch (type) { 205 case BCH_CSUM_none: 206 case BCH_CSUM_crc32c_nonzero: 207 case BCH_CSUM_crc64_nonzero: 208 case BCH_CSUM_crc32c: 209 case BCH_CSUM_xxhash: 210 case BCH_CSUM_crc64: { 211 struct bch2_checksum_state state; 212 213 state.type = type; 214 215 bch2_checksum_init(&state); 216 bch2_checksum_update(&state, data, len); 217 218 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) }; 219 } 220 221 case BCH_CSUM_chacha20_poly1305_80: 222 case BCH_CSUM_chacha20_poly1305_128: { 223 SHASH_DESC_ON_STACK(desc, c->poly1305); 224 u8 digest[POLY1305_DIGEST_SIZE]; 225 struct bch_csum ret = { 0 }; 226 227 gen_poly_key(c, desc, nonce); 228 229 crypto_shash_update(desc, data, len); 230 crypto_shash_final(desc, digest); 231 232 memcpy(&ret, digest, bch_crc_bytes[type]); 233 return ret; 234 } 235 default: 236 BUG(); 237 } 238 } 239 240 int bch2_encrypt(struct bch_fs *c, unsigned type, 241 struct nonce nonce, void *data, size_t len) 242 { 243 if (!bch2_csum_type_is_encryption(type)) 244 return 0; 245 246 return do_encrypt(c->chacha20, nonce, data, len); 247 } 248 249 static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type, 250 struct nonce nonce, struct bio *bio, 251 struct bvec_iter *iter) 252 { 253 struct bio_vec bv; 254 255 switch (type) { 256 case BCH_CSUM_none: 257 return (struct bch_csum) { 0 }; 258 case BCH_CSUM_crc32c_nonzero: 259 case BCH_CSUM_crc64_nonzero: 260 case BCH_CSUM_crc32c: 261 case BCH_CSUM_xxhash: 262 case BCH_CSUM_crc64: { 263 struct bch2_checksum_state state; 264 265 state.type = type; 266 bch2_checksum_init(&state); 267 268 #ifdef CONFIG_HIGHMEM 269 __bio_for_each_segment(bv, bio, *iter, *iter) { 270 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset; 271 272 bch2_checksum_update(&state, p, bv.bv_len); 273 kunmap_local(p); 274 } 275 #else 276 __bio_for_each_bvec(bv, bio, *iter, *iter) 277 bch2_checksum_update(&state, page_address(bv.bv_page) + bv.bv_offset, 278 bv.bv_len); 279 #endif 280 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) }; 281 } 282 283 case BCH_CSUM_chacha20_poly1305_80: 284 case BCH_CSUM_chacha20_poly1305_128: { 285 SHASH_DESC_ON_STACK(desc, c->poly1305); 286 u8 digest[POLY1305_DIGEST_SIZE]; 287 struct bch_csum ret = { 0 }; 288 289 gen_poly_key(c, desc, nonce); 290 291 #ifdef CONFIG_HIGHMEM 292 __bio_for_each_segment(bv, bio, *iter, *iter) { 293 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset; 294 295 crypto_shash_update(desc, p, bv.bv_len); 296 kunmap_local(p); 297 } 298 #else 299 __bio_for_each_bvec(bv, bio, *iter, *iter) 300 crypto_shash_update(desc, 301 page_address(bv.bv_page) + bv.bv_offset, 302 bv.bv_len); 303 #endif 304 crypto_shash_final(desc, digest); 305 306 memcpy(&ret, digest, bch_crc_bytes[type]); 307 return ret; 308 } 309 default: 310 BUG(); 311 } 312 } 313 314 struct bch_csum bch2_checksum_bio(struct bch_fs *c, unsigned type, 315 struct nonce nonce, struct bio *bio) 316 { 317 struct bvec_iter iter = bio->bi_iter; 318 319 return __bch2_checksum_bio(c, type, nonce, bio, &iter); 320 } 321 322 int __bch2_encrypt_bio(struct bch_fs *c, unsigned type, 323 struct nonce nonce, struct bio *bio) 324 { 325 struct bio_vec bv; 326 struct bvec_iter iter; 327 struct scatterlist sgl[16], *sg = sgl; 328 size_t bytes = 0; 329 int ret = 0; 330 331 if (!bch2_csum_type_is_encryption(type)) 332 return 0; 333 334 sg_init_table(sgl, ARRAY_SIZE(sgl)); 335 336 bio_for_each_segment(bv, bio, iter) { 337 if (sg == sgl + ARRAY_SIZE(sgl)) { 338 sg_mark_end(sg - 1); 339 340 ret = do_encrypt_sg(c->chacha20, nonce, sgl, bytes); 341 if (ret) 342 return ret; 343 344 nonce = nonce_add(nonce, bytes); 345 bytes = 0; 346 347 sg_init_table(sgl, ARRAY_SIZE(sgl)); 348 sg = sgl; 349 } 350 351 sg_set_page(sg++, bv.bv_page, bv.bv_len, bv.bv_offset); 352 bytes += bv.bv_len; 353 } 354 355 sg_mark_end(sg - 1); 356 return do_encrypt_sg(c->chacha20, nonce, sgl, bytes); 357 } 358 359 struct bch_csum bch2_checksum_merge(unsigned type, struct bch_csum a, 360 struct bch_csum b, size_t b_len) 361 { 362 struct bch2_checksum_state state; 363 364 state.type = type; 365 bch2_checksum_init(&state); 366 state.seed = le64_to_cpu(a.lo); 367 368 BUG_ON(!bch2_checksum_mergeable(type)); 369 370 while (b_len) { 371 unsigned page_len = min_t(unsigned, b_len, PAGE_SIZE); 372 373 bch2_checksum_update(&state, 374 page_address(ZERO_PAGE(0)), page_len); 375 b_len -= page_len; 376 } 377 a.lo = cpu_to_le64(bch2_checksum_final(&state)); 378 a.lo ^= b.lo; 379 a.hi ^= b.hi; 380 return a; 381 } 382 383 int bch2_rechecksum_bio(struct bch_fs *c, struct bio *bio, 384 struct bversion version, 385 struct bch_extent_crc_unpacked crc_old, 386 struct bch_extent_crc_unpacked *crc_a, 387 struct bch_extent_crc_unpacked *crc_b, 388 unsigned len_a, unsigned len_b, 389 unsigned new_csum_type) 390 { 391 struct bvec_iter iter = bio->bi_iter; 392 struct nonce nonce = extent_nonce(version, crc_old); 393 struct bch_csum merged = { 0 }; 394 struct crc_split { 395 struct bch_extent_crc_unpacked *crc; 396 unsigned len; 397 unsigned csum_type; 398 struct bch_csum csum; 399 } splits[3] = { 400 { crc_a, len_a, new_csum_type, { 0 }}, 401 { crc_b, len_b, new_csum_type, { 0 } }, 402 { NULL, bio_sectors(bio) - len_a - len_b, new_csum_type, { 0 } }, 403 }, *i; 404 bool mergeable = crc_old.csum_type == new_csum_type && 405 bch2_checksum_mergeable(new_csum_type); 406 unsigned crc_nonce = crc_old.nonce; 407 408 BUG_ON(len_a + len_b > bio_sectors(bio)); 409 BUG_ON(crc_old.uncompressed_size != bio_sectors(bio)); 410 BUG_ON(crc_is_compressed(crc_old)); 411 BUG_ON(bch2_csum_type_is_encryption(crc_old.csum_type) != 412 bch2_csum_type_is_encryption(new_csum_type)); 413 414 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) { 415 iter.bi_size = i->len << 9; 416 if (mergeable || i->crc) 417 i->csum = __bch2_checksum_bio(c, i->csum_type, 418 nonce, bio, &iter); 419 else 420 bio_advance_iter(bio, &iter, i->len << 9); 421 nonce = nonce_add(nonce, i->len << 9); 422 } 423 424 if (mergeable) 425 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) 426 merged = bch2_checksum_merge(new_csum_type, merged, 427 i->csum, i->len << 9); 428 else 429 merged = bch2_checksum_bio(c, crc_old.csum_type, 430 extent_nonce(version, crc_old), bio); 431 432 if (bch2_crc_cmp(merged, crc_old.csum) && !c->opts.no_data_io) { 433 struct printbuf buf = PRINTBUF; 434 prt_printf(&buf, "checksum error in %s() (memory corruption or bug?)\n" 435 "expected %0llx:%0llx got %0llx:%0llx (old type ", 436 __func__, 437 crc_old.csum.hi, 438 crc_old.csum.lo, 439 merged.hi, 440 merged.lo); 441 bch2_prt_csum_type(&buf, crc_old.csum_type); 442 prt_str(&buf, " new type "); 443 bch2_prt_csum_type(&buf, new_csum_type); 444 prt_str(&buf, ")"); 445 bch_err(c, "%s", buf.buf); 446 printbuf_exit(&buf); 447 return -EIO; 448 } 449 450 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) { 451 if (i->crc) 452 *i->crc = (struct bch_extent_crc_unpacked) { 453 .csum_type = i->csum_type, 454 .compression_type = crc_old.compression_type, 455 .compressed_size = i->len, 456 .uncompressed_size = i->len, 457 .offset = 0, 458 .live_size = i->len, 459 .nonce = crc_nonce, 460 .csum = i->csum, 461 }; 462 463 if (bch2_csum_type_is_encryption(new_csum_type)) 464 crc_nonce += i->len; 465 } 466 467 return 0; 468 } 469 470 /* BCH_SB_FIELD_crypt: */ 471 472 static int bch2_sb_crypt_validate(struct bch_sb *sb, struct bch_sb_field *f, 473 enum bch_validate_flags flags, struct printbuf *err) 474 { 475 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt); 476 477 if (vstruct_bytes(&crypt->field) < sizeof(*crypt)) { 478 prt_printf(err, "wrong size (got %zu should be %zu)", 479 vstruct_bytes(&crypt->field), sizeof(*crypt)); 480 return -BCH_ERR_invalid_sb_crypt; 481 } 482 483 if (BCH_CRYPT_KDF_TYPE(crypt)) { 484 prt_printf(err, "bad kdf type %llu", BCH_CRYPT_KDF_TYPE(crypt)); 485 return -BCH_ERR_invalid_sb_crypt; 486 } 487 488 return 0; 489 } 490 491 static void bch2_sb_crypt_to_text(struct printbuf *out, struct bch_sb *sb, 492 struct bch_sb_field *f) 493 { 494 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt); 495 496 prt_printf(out, "KFD: %llu\n", BCH_CRYPT_KDF_TYPE(crypt)); 497 prt_printf(out, "scrypt n: %llu\n", BCH_KDF_SCRYPT_N(crypt)); 498 prt_printf(out, "scrypt r: %llu\n", BCH_KDF_SCRYPT_R(crypt)); 499 prt_printf(out, "scrypt p: %llu\n", BCH_KDF_SCRYPT_P(crypt)); 500 } 501 502 const struct bch_sb_field_ops bch_sb_field_ops_crypt = { 503 .validate = bch2_sb_crypt_validate, 504 .to_text = bch2_sb_crypt_to_text, 505 }; 506 507 #ifdef __KERNEL__ 508 static int __bch2_request_key(char *key_description, struct bch_key *key) 509 { 510 struct key *keyring_key; 511 const struct user_key_payload *ukp; 512 int ret; 513 514 keyring_key = request_key(&key_type_user, key_description, NULL); 515 if (IS_ERR(keyring_key)) 516 return PTR_ERR(keyring_key); 517 518 down_read(&keyring_key->sem); 519 ukp = dereference_key_locked(keyring_key); 520 if (ukp->datalen == sizeof(*key)) { 521 memcpy(key, ukp->data, ukp->datalen); 522 ret = 0; 523 } else { 524 ret = -EINVAL; 525 } 526 up_read(&keyring_key->sem); 527 key_put(keyring_key); 528 529 return ret; 530 } 531 #else 532 #include <keyutils.h> 533 534 static int __bch2_request_key(char *key_description, struct bch_key *key) 535 { 536 key_serial_t key_id; 537 538 key_id = request_key("user", key_description, NULL, 539 KEY_SPEC_SESSION_KEYRING); 540 if (key_id >= 0) 541 goto got_key; 542 543 key_id = request_key("user", key_description, NULL, 544 KEY_SPEC_USER_KEYRING); 545 if (key_id >= 0) 546 goto got_key; 547 548 key_id = request_key("user", key_description, NULL, 549 KEY_SPEC_USER_SESSION_KEYRING); 550 if (key_id >= 0) 551 goto got_key; 552 553 return -errno; 554 got_key: 555 556 if (keyctl_read(key_id, (void *) key, sizeof(*key)) != sizeof(*key)) 557 return -1; 558 559 return 0; 560 } 561 562 #include "crypto.h" 563 #endif 564 565 int bch2_request_key(struct bch_sb *sb, struct bch_key *key) 566 { 567 struct printbuf key_description = PRINTBUF; 568 int ret; 569 570 prt_printf(&key_description, "bcachefs:"); 571 pr_uuid(&key_description, sb->user_uuid.b); 572 573 ret = __bch2_request_key(key_description.buf, key); 574 printbuf_exit(&key_description); 575 576 #ifndef __KERNEL__ 577 if (ret) { 578 char *passphrase = read_passphrase("Enter passphrase: "); 579 struct bch_encrypted_key sb_key; 580 581 bch2_passphrase_check(sb, passphrase, 582 key, &sb_key); 583 ret = 0; 584 } 585 #endif 586 587 /* stash with memfd, pass memfd fd to mount */ 588 589 return ret; 590 } 591 592 #ifndef __KERNEL__ 593 int bch2_revoke_key(struct bch_sb *sb) 594 { 595 key_serial_t key_id; 596 struct printbuf key_description = PRINTBUF; 597 598 prt_printf(&key_description, "bcachefs:"); 599 pr_uuid(&key_description, sb->user_uuid.b); 600 601 key_id = request_key("user", key_description.buf, NULL, KEY_SPEC_USER_KEYRING); 602 printbuf_exit(&key_description); 603 if (key_id < 0) 604 return errno; 605 606 keyctl_revoke(key_id); 607 608 return 0; 609 } 610 #endif 611 612 int bch2_decrypt_sb_key(struct bch_fs *c, 613 struct bch_sb_field_crypt *crypt, 614 struct bch_key *key) 615 { 616 struct bch_encrypted_key sb_key = crypt->key; 617 struct bch_key user_key; 618 int ret = 0; 619 620 /* is key encrypted? */ 621 if (!bch2_key_is_encrypted(&sb_key)) 622 goto out; 623 624 ret = bch2_request_key(c->disk_sb.sb, &user_key); 625 if (ret) { 626 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret)); 627 goto err; 628 } 629 630 /* decrypt real key: */ 631 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c), 632 &sb_key, sizeof(sb_key)); 633 if (ret) 634 goto err; 635 636 if (bch2_key_is_encrypted(&sb_key)) { 637 bch_err(c, "incorrect encryption key"); 638 ret = -EINVAL; 639 goto err; 640 } 641 out: 642 *key = sb_key.key; 643 err: 644 memzero_explicit(&sb_key, sizeof(sb_key)); 645 memzero_explicit(&user_key, sizeof(user_key)); 646 return ret; 647 } 648 649 static int bch2_alloc_ciphers(struct bch_fs *c) 650 { 651 int ret; 652 653 if (!c->chacha20) 654 c->chacha20 = crypto_alloc_sync_skcipher("chacha20", 0, 0); 655 ret = PTR_ERR_OR_ZERO(c->chacha20); 656 657 if (ret) { 658 bch_err(c, "error requesting chacha20 module: %s", bch2_err_str(ret)); 659 return ret; 660 } 661 662 if (!c->poly1305) 663 c->poly1305 = crypto_alloc_shash("poly1305", 0, 0); 664 ret = PTR_ERR_OR_ZERO(c->poly1305); 665 666 if (ret) { 667 bch_err(c, "error requesting poly1305 module: %s", bch2_err_str(ret)); 668 return ret; 669 } 670 671 return 0; 672 } 673 674 int bch2_disable_encryption(struct bch_fs *c) 675 { 676 struct bch_sb_field_crypt *crypt; 677 struct bch_key key; 678 int ret = -EINVAL; 679 680 mutex_lock(&c->sb_lock); 681 682 crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); 683 if (!crypt) 684 goto out; 685 686 /* is key encrypted? */ 687 ret = 0; 688 if (bch2_key_is_encrypted(&crypt->key)) 689 goto out; 690 691 ret = bch2_decrypt_sb_key(c, crypt, &key); 692 if (ret) 693 goto out; 694 695 crypt->key.magic = cpu_to_le64(BCH_KEY_MAGIC); 696 crypt->key.key = key; 697 698 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 0); 699 bch2_write_super(c); 700 out: 701 mutex_unlock(&c->sb_lock); 702 703 return ret; 704 } 705 706 int bch2_enable_encryption(struct bch_fs *c, bool keyed) 707 { 708 struct bch_encrypted_key key; 709 struct bch_key user_key; 710 struct bch_sb_field_crypt *crypt; 711 int ret = -EINVAL; 712 713 mutex_lock(&c->sb_lock); 714 715 /* Do we already have an encryption key? */ 716 if (bch2_sb_field_get(c->disk_sb.sb, crypt)) 717 goto err; 718 719 ret = bch2_alloc_ciphers(c); 720 if (ret) 721 goto err; 722 723 key.magic = cpu_to_le64(BCH_KEY_MAGIC); 724 get_random_bytes(&key.key, sizeof(key.key)); 725 726 if (keyed) { 727 ret = bch2_request_key(c->disk_sb.sb, &user_key); 728 if (ret) { 729 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret)); 730 goto err; 731 } 732 733 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c), 734 &key, sizeof(key)); 735 if (ret) 736 goto err; 737 } 738 739 ret = crypto_skcipher_setkey(&c->chacha20->base, 740 (void *) &key.key, sizeof(key.key)); 741 if (ret) 742 goto err; 743 744 crypt = bch2_sb_field_resize(&c->disk_sb, crypt, 745 sizeof(*crypt) / sizeof(u64)); 746 if (!crypt) { 747 ret = -BCH_ERR_ENOSPC_sb_crypt; 748 goto err; 749 } 750 751 crypt->key = key; 752 753 /* write superblock */ 754 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 1); 755 bch2_write_super(c); 756 err: 757 mutex_unlock(&c->sb_lock); 758 memzero_explicit(&user_key, sizeof(user_key)); 759 memzero_explicit(&key, sizeof(key)); 760 return ret; 761 } 762 763 void bch2_fs_encryption_exit(struct bch_fs *c) 764 { 765 if (!IS_ERR_OR_NULL(c->poly1305)) 766 crypto_free_shash(c->poly1305); 767 if (!IS_ERR_OR_NULL(c->chacha20)) 768 crypto_free_sync_skcipher(c->chacha20); 769 if (!IS_ERR_OR_NULL(c->sha256)) 770 crypto_free_shash(c->sha256); 771 } 772 773 int bch2_fs_encryption_init(struct bch_fs *c) 774 { 775 struct bch_sb_field_crypt *crypt; 776 struct bch_key key; 777 int ret = 0; 778 779 c->sha256 = crypto_alloc_shash("sha256", 0, 0); 780 ret = PTR_ERR_OR_ZERO(c->sha256); 781 if (ret) { 782 bch_err(c, "error requesting sha256 module: %s", bch2_err_str(ret)); 783 goto out; 784 } 785 786 crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); 787 if (!crypt) 788 goto out; 789 790 ret = bch2_alloc_ciphers(c); 791 if (ret) 792 goto out; 793 794 ret = bch2_decrypt_sb_key(c, crypt, &key); 795 if (ret) 796 goto out; 797 798 ret = crypto_skcipher_setkey(&c->chacha20->base, 799 (void *) &key.key, sizeof(key.key)); 800 if (ret) 801 goto out; 802 out: 803 memzero_explicit(&key, sizeof(key)); 804 return ret; 805 } 806