1 // SPDX-License-Identifier: GPL-2.0 2 #include "bcachefs.h" 3 #include "checksum.h" 4 #include "errcode.h" 5 #include "super.h" 6 #include "super-io.h" 7 8 #include <linux/crc32c.h> 9 #include <linux/crypto.h> 10 #include <linux/xxhash.h> 11 #include <linux/key.h> 12 #include <linux/random.h> 13 #include <linux/ratelimit.h> 14 #include <linux/scatterlist.h> 15 #include <crypto/algapi.h> 16 #include <crypto/chacha.h> 17 #include <crypto/hash.h> 18 #include <crypto/poly1305.h> 19 #include <crypto/skcipher.h> 20 #include <keys/user-type.h> 21 22 /* 23 * bch2_checksum state is an abstraction of the checksum state calculated over different pages. 24 * it features page merging without having the checksum algorithm lose its state. 25 * for native checksum aglorithms (like crc), a default seed value will do. 26 * for hash-like algorithms, a state needs to be stored 27 */ 28 29 struct bch2_checksum_state { 30 union { 31 u64 seed; 32 struct xxh64_state h64state; 33 }; 34 unsigned int type; 35 }; 36 37 static void bch2_checksum_init(struct bch2_checksum_state *state) 38 { 39 switch (state->type) { 40 case BCH_CSUM_none: 41 case BCH_CSUM_crc32c: 42 case BCH_CSUM_crc64: 43 state->seed = 0; 44 break; 45 case BCH_CSUM_crc32c_nonzero: 46 state->seed = U32_MAX; 47 break; 48 case BCH_CSUM_crc64_nonzero: 49 state->seed = U64_MAX; 50 break; 51 case BCH_CSUM_xxhash: 52 xxh64_reset(&state->h64state, 0); 53 break; 54 default: 55 BUG(); 56 } 57 } 58 59 static u64 bch2_checksum_final(const struct bch2_checksum_state *state) 60 { 61 switch (state->type) { 62 case BCH_CSUM_none: 63 case BCH_CSUM_crc32c: 64 case BCH_CSUM_crc64: 65 return state->seed; 66 case BCH_CSUM_crc32c_nonzero: 67 return state->seed ^ U32_MAX; 68 case BCH_CSUM_crc64_nonzero: 69 return state->seed ^ U64_MAX; 70 case BCH_CSUM_xxhash: 71 return xxh64_digest(&state->h64state); 72 default: 73 BUG(); 74 } 75 } 76 77 static void bch2_checksum_update(struct bch2_checksum_state *state, const void *data, size_t len) 78 { 79 switch (state->type) { 80 case BCH_CSUM_none: 81 return; 82 case BCH_CSUM_crc32c_nonzero: 83 case BCH_CSUM_crc32c: 84 state->seed = crc32c(state->seed, data, len); 85 break; 86 case BCH_CSUM_crc64_nonzero: 87 case BCH_CSUM_crc64: 88 state->seed = crc64_be(state->seed, data, len); 89 break; 90 case BCH_CSUM_xxhash: 91 xxh64_update(&state->h64state, data, len); 92 break; 93 default: 94 BUG(); 95 } 96 } 97 98 static inline int do_encrypt_sg(struct crypto_sync_skcipher *tfm, 99 struct nonce nonce, 100 struct scatterlist *sg, size_t len) 101 { 102 SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm); 103 104 skcipher_request_set_sync_tfm(req, tfm); 105 skcipher_request_set_callback(req, 0, NULL, NULL); 106 skcipher_request_set_crypt(req, sg, sg, len, nonce.d); 107 108 int ret = crypto_skcipher_encrypt(req); 109 if (ret) 110 pr_err("got error %i from crypto_skcipher_encrypt()", ret); 111 112 return ret; 113 } 114 115 static inline int do_encrypt(struct crypto_sync_skcipher *tfm, 116 struct nonce nonce, 117 void *buf, size_t len) 118 { 119 if (!is_vmalloc_addr(buf)) { 120 struct scatterlist sg = {}; 121 122 sg_mark_end(&sg); 123 sg_set_page(&sg, virt_to_page(buf), len, offset_in_page(buf)); 124 return do_encrypt_sg(tfm, nonce, &sg, len); 125 } else { 126 DARRAY_PREALLOCATED(struct scatterlist, 4) sgl; 127 size_t sgl_len = 0; 128 int ret; 129 130 darray_init(&sgl); 131 132 while (len) { 133 unsigned offset = offset_in_page(buf); 134 struct scatterlist sg = { 135 .page_link = (unsigned long) vmalloc_to_page(buf), 136 .offset = offset, 137 .length = min(len, PAGE_SIZE - offset), 138 }; 139 140 if (darray_push(&sgl, sg)) { 141 sg_mark_end(&darray_last(sgl)); 142 ret = do_encrypt_sg(tfm, nonce, sgl.data, sgl_len); 143 if (ret) 144 goto err; 145 146 nonce = nonce_add(nonce, sgl_len); 147 sgl_len = 0; 148 sgl.nr = 0; 149 BUG_ON(darray_push(&sgl, sg)); 150 } 151 152 buf += sg.length; 153 len -= sg.length; 154 sgl_len += sg.length; 155 } 156 157 sg_mark_end(&darray_last(sgl)); 158 ret = do_encrypt_sg(tfm, nonce, sgl.data, sgl_len); 159 err: 160 darray_exit(&sgl); 161 return ret; 162 } 163 } 164 165 int bch2_chacha_encrypt_key(struct bch_key *key, struct nonce nonce, 166 void *buf, size_t len) 167 { 168 struct crypto_sync_skcipher *chacha20 = 169 crypto_alloc_sync_skcipher("chacha20", 0, 0); 170 int ret; 171 172 ret = PTR_ERR_OR_ZERO(chacha20); 173 if (ret) { 174 pr_err("error requesting chacha20 cipher: %s", bch2_err_str(ret)); 175 return ret; 176 } 177 178 ret = crypto_skcipher_setkey(&chacha20->base, 179 (void *) key, sizeof(*key)); 180 if (ret) { 181 pr_err("error from crypto_skcipher_setkey(): %s", bch2_err_str(ret)); 182 goto err; 183 } 184 185 ret = do_encrypt(chacha20, nonce, buf, len); 186 err: 187 crypto_free_sync_skcipher(chacha20); 188 return ret; 189 } 190 191 static int gen_poly_key(struct bch_fs *c, struct shash_desc *desc, 192 struct nonce nonce) 193 { 194 u8 key[POLY1305_KEY_SIZE]; 195 int ret; 196 197 nonce.d[3] ^= BCH_NONCE_POLY; 198 199 memset(key, 0, sizeof(key)); 200 ret = do_encrypt(c->chacha20, nonce, key, sizeof(key)); 201 if (ret) 202 return ret; 203 204 desc->tfm = c->poly1305; 205 crypto_shash_init(desc); 206 crypto_shash_update(desc, key, sizeof(key)); 207 return 0; 208 } 209 210 struct bch_csum bch2_checksum(struct bch_fs *c, unsigned type, 211 struct nonce nonce, const void *data, size_t len) 212 { 213 switch (type) { 214 case BCH_CSUM_none: 215 case BCH_CSUM_crc32c_nonzero: 216 case BCH_CSUM_crc64_nonzero: 217 case BCH_CSUM_crc32c: 218 case BCH_CSUM_xxhash: 219 case BCH_CSUM_crc64: { 220 struct bch2_checksum_state state; 221 222 state.type = type; 223 224 bch2_checksum_init(&state); 225 bch2_checksum_update(&state, data, len); 226 227 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) }; 228 } 229 230 case BCH_CSUM_chacha20_poly1305_80: 231 case BCH_CSUM_chacha20_poly1305_128: { 232 SHASH_DESC_ON_STACK(desc, c->poly1305); 233 u8 digest[POLY1305_DIGEST_SIZE]; 234 struct bch_csum ret = { 0 }; 235 236 gen_poly_key(c, desc, nonce); 237 238 crypto_shash_update(desc, data, len); 239 crypto_shash_final(desc, digest); 240 241 memcpy(&ret, digest, bch_crc_bytes[type]); 242 return ret; 243 } 244 default: 245 return (struct bch_csum) {}; 246 } 247 } 248 249 int bch2_encrypt(struct bch_fs *c, unsigned type, 250 struct nonce nonce, void *data, size_t len) 251 { 252 if (!bch2_csum_type_is_encryption(type)) 253 return 0; 254 255 return do_encrypt(c->chacha20, nonce, data, len); 256 } 257 258 static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type, 259 struct nonce nonce, struct bio *bio, 260 struct bvec_iter *iter) 261 { 262 struct bio_vec bv; 263 264 switch (type) { 265 case BCH_CSUM_none: 266 return (struct bch_csum) { 0 }; 267 case BCH_CSUM_crc32c_nonzero: 268 case BCH_CSUM_crc64_nonzero: 269 case BCH_CSUM_crc32c: 270 case BCH_CSUM_xxhash: 271 case BCH_CSUM_crc64: { 272 struct bch2_checksum_state state; 273 274 state.type = type; 275 bch2_checksum_init(&state); 276 277 #ifdef CONFIG_HIGHMEM 278 __bio_for_each_segment(bv, bio, *iter, *iter) { 279 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset; 280 281 bch2_checksum_update(&state, p, bv.bv_len); 282 kunmap_local(p); 283 } 284 #else 285 __bio_for_each_bvec(bv, bio, *iter, *iter) 286 bch2_checksum_update(&state, page_address(bv.bv_page) + bv.bv_offset, 287 bv.bv_len); 288 #endif 289 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) }; 290 } 291 292 case BCH_CSUM_chacha20_poly1305_80: 293 case BCH_CSUM_chacha20_poly1305_128: { 294 SHASH_DESC_ON_STACK(desc, c->poly1305); 295 u8 digest[POLY1305_DIGEST_SIZE]; 296 struct bch_csum ret = { 0 }; 297 298 gen_poly_key(c, desc, nonce); 299 300 #ifdef CONFIG_HIGHMEM 301 __bio_for_each_segment(bv, bio, *iter, *iter) { 302 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset; 303 304 crypto_shash_update(desc, p, bv.bv_len); 305 kunmap_local(p); 306 } 307 #else 308 __bio_for_each_bvec(bv, bio, *iter, *iter) 309 crypto_shash_update(desc, 310 page_address(bv.bv_page) + bv.bv_offset, 311 bv.bv_len); 312 #endif 313 crypto_shash_final(desc, digest); 314 315 memcpy(&ret, digest, bch_crc_bytes[type]); 316 return ret; 317 } 318 default: 319 return (struct bch_csum) {}; 320 } 321 } 322 323 struct bch_csum bch2_checksum_bio(struct bch_fs *c, unsigned type, 324 struct nonce nonce, struct bio *bio) 325 { 326 struct bvec_iter iter = bio->bi_iter; 327 328 return __bch2_checksum_bio(c, type, nonce, bio, &iter); 329 } 330 331 int __bch2_encrypt_bio(struct bch_fs *c, unsigned type, 332 struct nonce nonce, struct bio *bio) 333 { 334 struct bio_vec bv; 335 struct bvec_iter iter; 336 DARRAY_PREALLOCATED(struct scatterlist, 4) sgl; 337 size_t sgl_len = 0; 338 int ret = 0; 339 340 if (!bch2_csum_type_is_encryption(type)) 341 return 0; 342 343 darray_init(&sgl); 344 345 bio_for_each_segment(bv, bio, iter) { 346 struct scatterlist sg = { 347 .page_link = (unsigned long) bv.bv_page, 348 .offset = bv.bv_offset, 349 .length = bv.bv_len, 350 }; 351 352 if (darray_push(&sgl, sg)) { 353 sg_mark_end(&darray_last(sgl)); 354 ret = do_encrypt_sg(c->chacha20, nonce, sgl.data, sgl_len); 355 if (ret) 356 goto err; 357 358 nonce = nonce_add(nonce, sgl_len); 359 sgl_len = 0; 360 sgl.nr = 0; 361 362 BUG_ON(darray_push(&sgl, sg)); 363 } 364 365 sgl_len += sg.length; 366 } 367 368 sg_mark_end(&darray_last(sgl)); 369 ret = do_encrypt_sg(c->chacha20, nonce, sgl.data, sgl_len); 370 err: 371 darray_exit(&sgl); 372 return ret; 373 } 374 375 struct bch_csum bch2_checksum_merge(unsigned type, struct bch_csum a, 376 struct bch_csum b, size_t b_len) 377 { 378 struct bch2_checksum_state state; 379 380 state.type = type; 381 bch2_checksum_init(&state); 382 state.seed = le64_to_cpu(a.lo); 383 384 BUG_ON(!bch2_checksum_mergeable(type)); 385 386 while (b_len) { 387 unsigned page_len = min_t(unsigned, b_len, PAGE_SIZE); 388 389 bch2_checksum_update(&state, 390 page_address(ZERO_PAGE(0)), page_len); 391 b_len -= page_len; 392 } 393 a.lo = cpu_to_le64(bch2_checksum_final(&state)); 394 a.lo ^= b.lo; 395 a.hi ^= b.hi; 396 return a; 397 } 398 399 int bch2_rechecksum_bio(struct bch_fs *c, struct bio *bio, 400 struct bversion version, 401 struct bch_extent_crc_unpacked crc_old, 402 struct bch_extent_crc_unpacked *crc_a, 403 struct bch_extent_crc_unpacked *crc_b, 404 unsigned len_a, unsigned len_b, 405 unsigned new_csum_type) 406 { 407 struct bvec_iter iter = bio->bi_iter; 408 struct nonce nonce = extent_nonce(version, crc_old); 409 struct bch_csum merged = { 0 }; 410 struct crc_split { 411 struct bch_extent_crc_unpacked *crc; 412 unsigned len; 413 unsigned csum_type; 414 struct bch_csum csum; 415 } splits[3] = { 416 { crc_a, len_a, new_csum_type, { 0 }}, 417 { crc_b, len_b, new_csum_type, { 0 } }, 418 { NULL, bio_sectors(bio) - len_a - len_b, new_csum_type, { 0 } }, 419 }, *i; 420 bool mergeable = crc_old.csum_type == new_csum_type && 421 bch2_checksum_mergeable(new_csum_type); 422 unsigned crc_nonce = crc_old.nonce; 423 424 BUG_ON(len_a + len_b > bio_sectors(bio)); 425 BUG_ON(crc_old.uncompressed_size != bio_sectors(bio)); 426 BUG_ON(crc_is_compressed(crc_old)); 427 BUG_ON(bch2_csum_type_is_encryption(crc_old.csum_type) != 428 bch2_csum_type_is_encryption(new_csum_type)); 429 430 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) { 431 iter.bi_size = i->len << 9; 432 if (mergeable || i->crc) 433 i->csum = __bch2_checksum_bio(c, i->csum_type, 434 nonce, bio, &iter); 435 else 436 bio_advance_iter(bio, &iter, i->len << 9); 437 nonce = nonce_add(nonce, i->len << 9); 438 } 439 440 if (mergeable) 441 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) 442 merged = bch2_checksum_merge(new_csum_type, merged, 443 i->csum, i->len << 9); 444 else 445 merged = bch2_checksum_bio(c, crc_old.csum_type, 446 extent_nonce(version, crc_old), bio); 447 448 if (bch2_crc_cmp(merged, crc_old.csum) && !c->opts.no_data_io) { 449 struct printbuf buf = PRINTBUF; 450 prt_printf(&buf, "checksum error in %s() (memory corruption or bug?)\n" 451 " expected %0llx:%0llx got %0llx:%0llx (old type ", 452 __func__, 453 crc_old.csum.hi, 454 crc_old.csum.lo, 455 merged.hi, 456 merged.lo); 457 bch2_prt_csum_type(&buf, crc_old.csum_type); 458 prt_str(&buf, " new type "); 459 bch2_prt_csum_type(&buf, new_csum_type); 460 prt_str(&buf, ")"); 461 WARN_RATELIMIT(1, "%s", buf.buf); 462 printbuf_exit(&buf); 463 return -EIO; 464 } 465 466 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) { 467 if (i->crc) 468 *i->crc = (struct bch_extent_crc_unpacked) { 469 .csum_type = i->csum_type, 470 .compression_type = crc_old.compression_type, 471 .compressed_size = i->len, 472 .uncompressed_size = i->len, 473 .offset = 0, 474 .live_size = i->len, 475 .nonce = crc_nonce, 476 .csum = i->csum, 477 }; 478 479 if (bch2_csum_type_is_encryption(new_csum_type)) 480 crc_nonce += i->len; 481 } 482 483 return 0; 484 } 485 486 /* BCH_SB_FIELD_crypt: */ 487 488 static int bch2_sb_crypt_validate(struct bch_sb *sb, struct bch_sb_field *f, 489 enum bch_validate_flags flags, struct printbuf *err) 490 { 491 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt); 492 493 if (vstruct_bytes(&crypt->field) < sizeof(*crypt)) { 494 prt_printf(err, "wrong size (got %zu should be %zu)", 495 vstruct_bytes(&crypt->field), sizeof(*crypt)); 496 return -BCH_ERR_invalid_sb_crypt; 497 } 498 499 if (BCH_CRYPT_KDF_TYPE(crypt)) { 500 prt_printf(err, "bad kdf type %llu", BCH_CRYPT_KDF_TYPE(crypt)); 501 return -BCH_ERR_invalid_sb_crypt; 502 } 503 504 return 0; 505 } 506 507 static void bch2_sb_crypt_to_text(struct printbuf *out, struct bch_sb *sb, 508 struct bch_sb_field *f) 509 { 510 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt); 511 512 prt_printf(out, "KFD: %llu\n", BCH_CRYPT_KDF_TYPE(crypt)); 513 prt_printf(out, "scrypt n: %llu\n", BCH_KDF_SCRYPT_N(crypt)); 514 prt_printf(out, "scrypt r: %llu\n", BCH_KDF_SCRYPT_R(crypt)); 515 prt_printf(out, "scrypt p: %llu\n", BCH_KDF_SCRYPT_P(crypt)); 516 } 517 518 const struct bch_sb_field_ops bch_sb_field_ops_crypt = { 519 .validate = bch2_sb_crypt_validate, 520 .to_text = bch2_sb_crypt_to_text, 521 }; 522 523 #ifdef __KERNEL__ 524 static int __bch2_request_key(char *key_description, struct bch_key *key) 525 { 526 struct key *keyring_key; 527 const struct user_key_payload *ukp; 528 int ret; 529 530 keyring_key = request_key(&key_type_user, key_description, NULL); 531 if (IS_ERR(keyring_key)) 532 return PTR_ERR(keyring_key); 533 534 down_read(&keyring_key->sem); 535 ukp = dereference_key_locked(keyring_key); 536 if (ukp->datalen == sizeof(*key)) { 537 memcpy(key, ukp->data, ukp->datalen); 538 ret = 0; 539 } else { 540 ret = -EINVAL; 541 } 542 up_read(&keyring_key->sem); 543 key_put(keyring_key); 544 545 return ret; 546 } 547 #else 548 #include <keyutils.h> 549 550 static int __bch2_request_key(char *key_description, struct bch_key *key) 551 { 552 key_serial_t key_id; 553 554 key_id = request_key("user", key_description, NULL, 555 KEY_SPEC_SESSION_KEYRING); 556 if (key_id >= 0) 557 goto got_key; 558 559 key_id = request_key("user", key_description, NULL, 560 KEY_SPEC_USER_KEYRING); 561 if (key_id >= 0) 562 goto got_key; 563 564 key_id = request_key("user", key_description, NULL, 565 KEY_SPEC_USER_SESSION_KEYRING); 566 if (key_id >= 0) 567 goto got_key; 568 569 return -errno; 570 got_key: 571 572 if (keyctl_read(key_id, (void *) key, sizeof(*key)) != sizeof(*key)) 573 return -1; 574 575 return 0; 576 } 577 578 #include "crypto.h" 579 #endif 580 581 int bch2_request_key(struct bch_sb *sb, struct bch_key *key) 582 { 583 struct printbuf key_description = PRINTBUF; 584 int ret; 585 586 prt_printf(&key_description, "bcachefs:"); 587 pr_uuid(&key_description, sb->user_uuid.b); 588 589 ret = __bch2_request_key(key_description.buf, key); 590 printbuf_exit(&key_description); 591 592 #ifndef __KERNEL__ 593 if (ret) { 594 char *passphrase = read_passphrase("Enter passphrase: "); 595 struct bch_encrypted_key sb_key; 596 597 bch2_passphrase_check(sb, passphrase, 598 key, &sb_key); 599 ret = 0; 600 } 601 #endif 602 603 /* stash with memfd, pass memfd fd to mount */ 604 605 return ret; 606 } 607 608 #ifndef __KERNEL__ 609 int bch2_revoke_key(struct bch_sb *sb) 610 { 611 key_serial_t key_id; 612 struct printbuf key_description = PRINTBUF; 613 614 prt_printf(&key_description, "bcachefs:"); 615 pr_uuid(&key_description, sb->user_uuid.b); 616 617 key_id = request_key("user", key_description.buf, NULL, KEY_SPEC_USER_KEYRING); 618 printbuf_exit(&key_description); 619 if (key_id < 0) 620 return errno; 621 622 keyctl_revoke(key_id); 623 624 return 0; 625 } 626 #endif 627 628 int bch2_decrypt_sb_key(struct bch_fs *c, 629 struct bch_sb_field_crypt *crypt, 630 struct bch_key *key) 631 { 632 struct bch_encrypted_key sb_key = crypt->key; 633 struct bch_key user_key; 634 int ret = 0; 635 636 /* is key encrypted? */ 637 if (!bch2_key_is_encrypted(&sb_key)) 638 goto out; 639 640 ret = bch2_request_key(c->disk_sb.sb, &user_key); 641 if (ret) { 642 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret)); 643 goto err; 644 } 645 646 /* decrypt real key: */ 647 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c), 648 &sb_key, sizeof(sb_key)); 649 if (ret) 650 goto err; 651 652 if (bch2_key_is_encrypted(&sb_key)) { 653 bch_err(c, "incorrect encryption key"); 654 ret = -EINVAL; 655 goto err; 656 } 657 out: 658 *key = sb_key.key; 659 err: 660 memzero_explicit(&sb_key, sizeof(sb_key)); 661 memzero_explicit(&user_key, sizeof(user_key)); 662 return ret; 663 } 664 665 static int bch2_alloc_ciphers(struct bch_fs *c) 666 { 667 if (c->chacha20) 668 return 0; 669 670 struct crypto_sync_skcipher *chacha20 = crypto_alloc_sync_skcipher("chacha20", 0, 0); 671 int ret = PTR_ERR_OR_ZERO(chacha20); 672 if (ret) { 673 bch_err(c, "error requesting chacha20 module: %s", bch2_err_str(ret)); 674 return ret; 675 } 676 677 struct crypto_shash *poly1305 = crypto_alloc_shash("poly1305", 0, 0); 678 ret = PTR_ERR_OR_ZERO(poly1305); 679 if (ret) { 680 bch_err(c, "error requesting poly1305 module: %s", bch2_err_str(ret)); 681 crypto_free_sync_skcipher(chacha20); 682 return ret; 683 } 684 685 c->chacha20 = chacha20; 686 c->poly1305 = poly1305; 687 return 0; 688 } 689 690 int bch2_disable_encryption(struct bch_fs *c) 691 { 692 struct bch_sb_field_crypt *crypt; 693 struct bch_key key; 694 int ret = -EINVAL; 695 696 mutex_lock(&c->sb_lock); 697 698 crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); 699 if (!crypt) 700 goto out; 701 702 /* is key encrypted? */ 703 ret = 0; 704 if (bch2_key_is_encrypted(&crypt->key)) 705 goto out; 706 707 ret = bch2_decrypt_sb_key(c, crypt, &key); 708 if (ret) 709 goto out; 710 711 crypt->key.magic = cpu_to_le64(BCH_KEY_MAGIC); 712 crypt->key.key = key; 713 714 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 0); 715 bch2_write_super(c); 716 out: 717 mutex_unlock(&c->sb_lock); 718 719 return ret; 720 } 721 722 int bch2_enable_encryption(struct bch_fs *c, bool keyed) 723 { 724 struct bch_encrypted_key key; 725 struct bch_key user_key; 726 struct bch_sb_field_crypt *crypt; 727 int ret = -EINVAL; 728 729 mutex_lock(&c->sb_lock); 730 731 /* Do we already have an encryption key? */ 732 if (bch2_sb_field_get(c->disk_sb.sb, crypt)) 733 goto err; 734 735 ret = bch2_alloc_ciphers(c); 736 if (ret) 737 goto err; 738 739 key.magic = cpu_to_le64(BCH_KEY_MAGIC); 740 get_random_bytes(&key.key, sizeof(key.key)); 741 742 if (keyed) { 743 ret = bch2_request_key(c->disk_sb.sb, &user_key); 744 if (ret) { 745 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret)); 746 goto err; 747 } 748 749 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c), 750 &key, sizeof(key)); 751 if (ret) 752 goto err; 753 } 754 755 ret = crypto_skcipher_setkey(&c->chacha20->base, 756 (void *) &key.key, sizeof(key.key)); 757 if (ret) 758 goto err; 759 760 crypt = bch2_sb_field_resize(&c->disk_sb, crypt, 761 sizeof(*crypt) / sizeof(u64)); 762 if (!crypt) { 763 ret = -BCH_ERR_ENOSPC_sb_crypt; 764 goto err; 765 } 766 767 crypt->key = key; 768 769 /* write superblock */ 770 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 1); 771 bch2_write_super(c); 772 err: 773 mutex_unlock(&c->sb_lock); 774 memzero_explicit(&user_key, sizeof(user_key)); 775 memzero_explicit(&key, sizeof(key)); 776 return ret; 777 } 778 779 void bch2_fs_encryption_exit(struct bch_fs *c) 780 { 781 if (c->poly1305) 782 crypto_free_shash(c->poly1305); 783 if (c->chacha20) 784 crypto_free_sync_skcipher(c->chacha20); 785 if (c->sha256) 786 crypto_free_shash(c->sha256); 787 } 788 789 int bch2_fs_encryption_init(struct bch_fs *c) 790 { 791 struct bch_sb_field_crypt *crypt; 792 struct bch_key key; 793 int ret = 0; 794 795 c->sha256 = crypto_alloc_shash("sha256", 0, 0); 796 ret = PTR_ERR_OR_ZERO(c->sha256); 797 if (ret) { 798 c->sha256 = NULL; 799 bch_err(c, "error requesting sha256 module: %s", bch2_err_str(ret)); 800 goto out; 801 } 802 803 crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); 804 if (!crypt) 805 goto out; 806 807 ret = bch2_alloc_ciphers(c); 808 if (ret) 809 goto out; 810 811 ret = bch2_decrypt_sb_key(c, crypt, &key); 812 if (ret) 813 goto out; 814 815 ret = crypto_skcipher_setkey(&c->chacha20->base, 816 (void *) &key.key, sizeof(key.key)); 817 if (ret) 818 goto out; 819 out: 820 memzero_explicit(&key, sizeof(key)); 821 return ret; 822 } 823