xref: /linux/fs/bcachefs/checksum.c (revision ad30469a841b50dbb541df4d6971d891f703c297)
1 // SPDX-License-Identifier: GPL-2.0
2 #include "bcachefs.h"
3 #include "checksum.h"
4 #include "errcode.h"
5 #include "super.h"
6 #include "super-io.h"
7 
8 #include <linux/crc32c.h>
9 #include <linux/crypto.h>
10 #include <linux/xxhash.h>
11 #include <linux/key.h>
12 #include <linux/random.h>
13 #include <linux/scatterlist.h>
14 #include <crypto/algapi.h>
15 #include <crypto/chacha.h>
16 #include <crypto/hash.h>
17 #include <crypto/poly1305.h>
18 #include <crypto/skcipher.h>
19 #include <keys/user-type.h>
20 
21 /*
22  * bch2_checksum state is an abstraction of the checksum state calculated over different pages.
23  * it features page merging without having the checksum algorithm lose its state.
24  * for native checksum aglorithms (like crc), a default seed value will do.
25  * for hash-like algorithms, a state needs to be stored
26  */
27 
28 struct bch2_checksum_state {
29 	union {
30 		u64 seed;
31 		struct xxh64_state h64state;
32 	};
33 	unsigned int type;
34 };
35 
36 static void bch2_checksum_init(struct bch2_checksum_state *state)
37 {
38 	switch (state->type) {
39 	case BCH_CSUM_none:
40 	case BCH_CSUM_crc32c:
41 	case BCH_CSUM_crc64:
42 		state->seed = 0;
43 		break;
44 	case BCH_CSUM_crc32c_nonzero:
45 		state->seed = U32_MAX;
46 		break;
47 	case BCH_CSUM_crc64_nonzero:
48 		state->seed = U64_MAX;
49 		break;
50 	case BCH_CSUM_xxhash:
51 		xxh64_reset(&state->h64state, 0);
52 		break;
53 	default:
54 		BUG();
55 	}
56 }
57 
58 static u64 bch2_checksum_final(const struct bch2_checksum_state *state)
59 {
60 	switch (state->type) {
61 	case BCH_CSUM_none:
62 	case BCH_CSUM_crc32c:
63 	case BCH_CSUM_crc64:
64 		return state->seed;
65 	case BCH_CSUM_crc32c_nonzero:
66 		return state->seed ^ U32_MAX;
67 	case BCH_CSUM_crc64_nonzero:
68 		return state->seed ^ U64_MAX;
69 	case BCH_CSUM_xxhash:
70 		return xxh64_digest(&state->h64state);
71 	default:
72 		BUG();
73 	}
74 }
75 
76 static void bch2_checksum_update(struct bch2_checksum_state *state, const void *data, size_t len)
77 {
78 	switch (state->type) {
79 	case BCH_CSUM_none:
80 		return;
81 	case BCH_CSUM_crc32c_nonzero:
82 	case BCH_CSUM_crc32c:
83 		state->seed = crc32c(state->seed, data, len);
84 		break;
85 	case BCH_CSUM_crc64_nonzero:
86 	case BCH_CSUM_crc64:
87 		state->seed = crc64_be(state->seed, data, len);
88 		break;
89 	case BCH_CSUM_xxhash:
90 		xxh64_update(&state->h64state, data, len);
91 		break;
92 	default:
93 		BUG();
94 	}
95 }
96 
97 static inline int do_encrypt_sg(struct crypto_sync_skcipher *tfm,
98 				struct nonce nonce,
99 				struct scatterlist *sg, size_t len)
100 {
101 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
102 	int ret;
103 
104 	skcipher_request_set_sync_tfm(req, tfm);
105 	skcipher_request_set_crypt(req, sg, sg, len, nonce.d);
106 
107 	ret = crypto_skcipher_encrypt(req);
108 	if (ret)
109 		pr_err("got error %i from crypto_skcipher_encrypt()", ret);
110 
111 	return ret;
112 }
113 
114 static inline int do_encrypt(struct crypto_sync_skcipher *tfm,
115 			      struct nonce nonce,
116 			      void *buf, size_t len)
117 {
118 	if (!is_vmalloc_addr(buf)) {
119 		struct scatterlist sg;
120 
121 		sg_init_table(&sg, 1);
122 		sg_set_page(&sg,
123 			    is_vmalloc_addr(buf)
124 			    ? vmalloc_to_page(buf)
125 			    : virt_to_page(buf),
126 			    len, offset_in_page(buf));
127 		return do_encrypt_sg(tfm, nonce, &sg, len);
128 	} else {
129 		unsigned pages = buf_pages(buf, len);
130 		struct scatterlist *sg;
131 		size_t orig_len = len;
132 		int ret, i;
133 
134 		sg = kmalloc_array(pages, sizeof(*sg), GFP_KERNEL);
135 		if (!sg)
136 			return -BCH_ERR_ENOMEM_do_encrypt;
137 
138 		sg_init_table(sg, pages);
139 
140 		for (i = 0; i < pages; i++) {
141 			unsigned offset = offset_in_page(buf);
142 			unsigned pg_len = min_t(size_t, len, PAGE_SIZE - offset);
143 
144 			sg_set_page(sg + i, vmalloc_to_page(buf), pg_len, offset);
145 			buf += pg_len;
146 			len -= pg_len;
147 		}
148 
149 		ret = do_encrypt_sg(tfm, nonce, sg, orig_len);
150 		kfree(sg);
151 		return ret;
152 	}
153 }
154 
155 int bch2_chacha_encrypt_key(struct bch_key *key, struct nonce nonce,
156 			    void *buf, size_t len)
157 {
158 	struct crypto_sync_skcipher *chacha20 =
159 		crypto_alloc_sync_skcipher("chacha20", 0, 0);
160 	int ret;
161 
162 	ret = PTR_ERR_OR_ZERO(chacha20);
163 	if (ret) {
164 		pr_err("error requesting chacha20 cipher: %s", bch2_err_str(ret));
165 		return ret;
166 	}
167 
168 	ret = crypto_skcipher_setkey(&chacha20->base,
169 				     (void *) key, sizeof(*key));
170 	if (ret) {
171 		pr_err("error from crypto_skcipher_setkey(): %s", bch2_err_str(ret));
172 		goto err;
173 	}
174 
175 	ret = do_encrypt(chacha20, nonce, buf, len);
176 err:
177 	crypto_free_sync_skcipher(chacha20);
178 	return ret;
179 }
180 
181 static int gen_poly_key(struct bch_fs *c, struct shash_desc *desc,
182 			struct nonce nonce)
183 {
184 	u8 key[POLY1305_KEY_SIZE];
185 	int ret;
186 
187 	nonce.d[3] ^= BCH_NONCE_POLY;
188 
189 	memset(key, 0, sizeof(key));
190 	ret = do_encrypt(c->chacha20, nonce, key, sizeof(key));
191 	if (ret)
192 		return ret;
193 
194 	desc->tfm = c->poly1305;
195 	crypto_shash_init(desc);
196 	crypto_shash_update(desc, key, sizeof(key));
197 	return 0;
198 }
199 
200 struct bch_csum bch2_checksum(struct bch_fs *c, unsigned type,
201 			      struct nonce nonce, const void *data, size_t len)
202 {
203 	switch (type) {
204 	case BCH_CSUM_none:
205 	case BCH_CSUM_crc32c_nonzero:
206 	case BCH_CSUM_crc64_nonzero:
207 	case BCH_CSUM_crc32c:
208 	case BCH_CSUM_xxhash:
209 	case BCH_CSUM_crc64: {
210 		struct bch2_checksum_state state;
211 
212 		state.type = type;
213 
214 		bch2_checksum_init(&state);
215 		bch2_checksum_update(&state, data, len);
216 
217 		return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
218 	}
219 
220 	case BCH_CSUM_chacha20_poly1305_80:
221 	case BCH_CSUM_chacha20_poly1305_128: {
222 		SHASH_DESC_ON_STACK(desc, c->poly1305);
223 		u8 digest[POLY1305_DIGEST_SIZE];
224 		struct bch_csum ret = { 0 };
225 
226 		gen_poly_key(c, desc, nonce);
227 
228 		crypto_shash_update(desc, data, len);
229 		crypto_shash_final(desc, digest);
230 
231 		memcpy(&ret, digest, bch_crc_bytes[type]);
232 		return ret;
233 	}
234 	default:
235 		BUG();
236 	}
237 }
238 
239 int bch2_encrypt(struct bch_fs *c, unsigned type,
240 		  struct nonce nonce, void *data, size_t len)
241 {
242 	if (!bch2_csum_type_is_encryption(type))
243 		return 0;
244 
245 	return do_encrypt(c->chacha20, nonce, data, len);
246 }
247 
248 static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type,
249 					   struct nonce nonce, struct bio *bio,
250 					   struct bvec_iter *iter)
251 {
252 	struct bio_vec bv;
253 
254 	switch (type) {
255 	case BCH_CSUM_none:
256 		return (struct bch_csum) { 0 };
257 	case BCH_CSUM_crc32c_nonzero:
258 	case BCH_CSUM_crc64_nonzero:
259 	case BCH_CSUM_crc32c:
260 	case BCH_CSUM_xxhash:
261 	case BCH_CSUM_crc64: {
262 		struct bch2_checksum_state state;
263 
264 		state.type = type;
265 		bch2_checksum_init(&state);
266 
267 #ifdef CONFIG_HIGHMEM
268 		__bio_for_each_segment(bv, bio, *iter, *iter) {
269 			void *p = kmap_local_page(bv.bv_page) + bv.bv_offset;
270 
271 			bch2_checksum_update(&state, p, bv.bv_len);
272 			kunmap_local(p);
273 		}
274 #else
275 		__bio_for_each_bvec(bv, bio, *iter, *iter)
276 			bch2_checksum_update(&state, page_address(bv.bv_page) + bv.bv_offset,
277 				bv.bv_len);
278 #endif
279 		return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
280 	}
281 
282 	case BCH_CSUM_chacha20_poly1305_80:
283 	case BCH_CSUM_chacha20_poly1305_128: {
284 		SHASH_DESC_ON_STACK(desc, c->poly1305);
285 		u8 digest[POLY1305_DIGEST_SIZE];
286 		struct bch_csum ret = { 0 };
287 
288 		gen_poly_key(c, desc, nonce);
289 
290 #ifdef CONFIG_HIGHMEM
291 		__bio_for_each_segment(bv, bio, *iter, *iter) {
292 			void *p = kmap_local_page(bv.bv_page) + bv.bv_offset;
293 
294 			crypto_shash_update(desc, p, bv.bv_len);
295 			kunmap_local(p);
296 		}
297 #else
298 		__bio_for_each_bvec(bv, bio, *iter, *iter)
299 			crypto_shash_update(desc,
300 				page_address(bv.bv_page) + bv.bv_offset,
301 				bv.bv_len);
302 #endif
303 		crypto_shash_final(desc, digest);
304 
305 		memcpy(&ret, digest, bch_crc_bytes[type]);
306 		return ret;
307 	}
308 	default:
309 		BUG();
310 	}
311 }
312 
313 struct bch_csum bch2_checksum_bio(struct bch_fs *c, unsigned type,
314 				  struct nonce nonce, struct bio *bio)
315 {
316 	struct bvec_iter iter = bio->bi_iter;
317 
318 	return __bch2_checksum_bio(c, type, nonce, bio, &iter);
319 }
320 
321 int __bch2_encrypt_bio(struct bch_fs *c, unsigned type,
322 		     struct nonce nonce, struct bio *bio)
323 {
324 	struct bio_vec bv;
325 	struct bvec_iter iter;
326 	struct scatterlist sgl[16], *sg = sgl;
327 	size_t bytes = 0;
328 	int ret = 0;
329 
330 	if (!bch2_csum_type_is_encryption(type))
331 		return 0;
332 
333 	sg_init_table(sgl, ARRAY_SIZE(sgl));
334 
335 	bio_for_each_segment(bv, bio, iter) {
336 		if (sg == sgl + ARRAY_SIZE(sgl)) {
337 			sg_mark_end(sg - 1);
338 
339 			ret = do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
340 			if (ret)
341 				return ret;
342 
343 			nonce = nonce_add(nonce, bytes);
344 			bytes = 0;
345 
346 			sg_init_table(sgl, ARRAY_SIZE(sgl));
347 			sg = sgl;
348 		}
349 
350 		sg_set_page(sg++, bv.bv_page, bv.bv_len, bv.bv_offset);
351 		bytes += bv.bv_len;
352 	}
353 
354 	sg_mark_end(sg - 1);
355 	return do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
356 }
357 
358 struct bch_csum bch2_checksum_merge(unsigned type, struct bch_csum a,
359 				    struct bch_csum b, size_t b_len)
360 {
361 	struct bch2_checksum_state state;
362 
363 	state.type = type;
364 	bch2_checksum_init(&state);
365 	state.seed = le64_to_cpu(a.lo);
366 
367 	BUG_ON(!bch2_checksum_mergeable(type));
368 
369 	while (b_len) {
370 		unsigned page_len = min_t(unsigned, b_len, PAGE_SIZE);
371 
372 		bch2_checksum_update(&state,
373 				page_address(ZERO_PAGE(0)), page_len);
374 		b_len -= page_len;
375 	}
376 	a.lo = cpu_to_le64(bch2_checksum_final(&state));
377 	a.lo ^= b.lo;
378 	a.hi ^= b.hi;
379 	return a;
380 }
381 
382 int bch2_rechecksum_bio(struct bch_fs *c, struct bio *bio,
383 			struct bversion version,
384 			struct bch_extent_crc_unpacked crc_old,
385 			struct bch_extent_crc_unpacked *crc_a,
386 			struct bch_extent_crc_unpacked *crc_b,
387 			unsigned len_a, unsigned len_b,
388 			unsigned new_csum_type)
389 {
390 	struct bvec_iter iter = bio->bi_iter;
391 	struct nonce nonce = extent_nonce(version, crc_old);
392 	struct bch_csum merged = { 0 };
393 	struct crc_split {
394 		struct bch_extent_crc_unpacked	*crc;
395 		unsigned			len;
396 		unsigned			csum_type;
397 		struct bch_csum			csum;
398 	} splits[3] = {
399 		{ crc_a, len_a, new_csum_type, { 0 }},
400 		{ crc_b, len_b, new_csum_type, { 0 } },
401 		{ NULL,	 bio_sectors(bio) - len_a - len_b, new_csum_type, { 0 } },
402 	}, *i;
403 	bool mergeable = crc_old.csum_type == new_csum_type &&
404 		bch2_checksum_mergeable(new_csum_type);
405 	unsigned crc_nonce = crc_old.nonce;
406 
407 	BUG_ON(len_a + len_b > bio_sectors(bio));
408 	BUG_ON(crc_old.uncompressed_size != bio_sectors(bio));
409 	BUG_ON(crc_is_compressed(crc_old));
410 	BUG_ON(bch2_csum_type_is_encryption(crc_old.csum_type) !=
411 	       bch2_csum_type_is_encryption(new_csum_type));
412 
413 	for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
414 		iter.bi_size = i->len << 9;
415 		if (mergeable || i->crc)
416 			i->csum = __bch2_checksum_bio(c, i->csum_type,
417 						      nonce, bio, &iter);
418 		else
419 			bio_advance_iter(bio, &iter, i->len << 9);
420 		nonce = nonce_add(nonce, i->len << 9);
421 	}
422 
423 	if (mergeable)
424 		for (i = splits; i < splits + ARRAY_SIZE(splits); i++)
425 			merged = bch2_checksum_merge(new_csum_type, merged,
426 						     i->csum, i->len << 9);
427 	else
428 		merged = bch2_checksum_bio(c, crc_old.csum_type,
429 				extent_nonce(version, crc_old), bio);
430 
431 	if (bch2_crc_cmp(merged, crc_old.csum) && !c->opts.no_data_io) {
432 		bch_err(c, "checksum error in %s() (memory corruption or bug?)\n"
433 			"expected %0llx:%0llx got %0llx:%0llx (old type %s new type %s)",
434 			__func__,
435 			crc_old.csum.hi,
436 			crc_old.csum.lo,
437 			merged.hi,
438 			merged.lo,
439 			bch2_csum_types[crc_old.csum_type],
440 			bch2_csum_types[new_csum_type]);
441 		return -EIO;
442 	}
443 
444 	for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
445 		if (i->crc)
446 			*i->crc = (struct bch_extent_crc_unpacked) {
447 				.csum_type		= i->csum_type,
448 				.compression_type	= crc_old.compression_type,
449 				.compressed_size	= i->len,
450 				.uncompressed_size	= i->len,
451 				.offset			= 0,
452 				.live_size		= i->len,
453 				.nonce			= crc_nonce,
454 				.csum			= i->csum,
455 			};
456 
457 		if (bch2_csum_type_is_encryption(new_csum_type))
458 			crc_nonce += i->len;
459 	}
460 
461 	return 0;
462 }
463 
464 /* BCH_SB_FIELD_crypt: */
465 
466 static int bch2_sb_crypt_validate(struct bch_sb *sb,
467 				  struct bch_sb_field *f,
468 				  struct printbuf *err)
469 {
470 	struct bch_sb_field_crypt *crypt = field_to_type(f, crypt);
471 
472 	if (vstruct_bytes(&crypt->field) < sizeof(*crypt)) {
473 		prt_printf(err, "wrong size (got %zu should be %zu)",
474 		       vstruct_bytes(&crypt->field), sizeof(*crypt));
475 		return -BCH_ERR_invalid_sb_crypt;
476 	}
477 
478 	if (BCH_CRYPT_KDF_TYPE(crypt)) {
479 		prt_printf(err, "bad kdf type %llu", BCH_CRYPT_KDF_TYPE(crypt));
480 		return -BCH_ERR_invalid_sb_crypt;
481 	}
482 
483 	return 0;
484 }
485 
486 static void bch2_sb_crypt_to_text(struct printbuf *out, struct bch_sb *sb,
487 				  struct bch_sb_field *f)
488 {
489 	struct bch_sb_field_crypt *crypt = field_to_type(f, crypt);
490 
491 	prt_printf(out, "KFD:               %llu", BCH_CRYPT_KDF_TYPE(crypt));
492 	prt_newline(out);
493 	prt_printf(out, "scrypt n:          %llu", BCH_KDF_SCRYPT_N(crypt));
494 	prt_newline(out);
495 	prt_printf(out, "scrypt r:          %llu", BCH_KDF_SCRYPT_R(crypt));
496 	prt_newline(out);
497 	prt_printf(out, "scrypt p:          %llu", BCH_KDF_SCRYPT_P(crypt));
498 	prt_newline(out);
499 }
500 
501 const struct bch_sb_field_ops bch_sb_field_ops_crypt = {
502 	.validate	= bch2_sb_crypt_validate,
503 	.to_text	= bch2_sb_crypt_to_text,
504 };
505 
506 #ifdef __KERNEL__
507 static int __bch2_request_key(char *key_description, struct bch_key *key)
508 {
509 	struct key *keyring_key;
510 	const struct user_key_payload *ukp;
511 	int ret;
512 
513 	keyring_key = request_key(&key_type_user, key_description, NULL);
514 	if (IS_ERR(keyring_key))
515 		return PTR_ERR(keyring_key);
516 
517 	down_read(&keyring_key->sem);
518 	ukp = dereference_key_locked(keyring_key);
519 	if (ukp->datalen == sizeof(*key)) {
520 		memcpy(key, ukp->data, ukp->datalen);
521 		ret = 0;
522 	} else {
523 		ret = -EINVAL;
524 	}
525 	up_read(&keyring_key->sem);
526 	key_put(keyring_key);
527 
528 	return ret;
529 }
530 #else
531 #include <keyutils.h>
532 
533 static int __bch2_request_key(char *key_description, struct bch_key *key)
534 {
535 	key_serial_t key_id;
536 
537 	key_id = request_key("user", key_description, NULL,
538 			     KEY_SPEC_SESSION_KEYRING);
539 	if (key_id >= 0)
540 		goto got_key;
541 
542 	key_id = request_key("user", key_description, NULL,
543 			     KEY_SPEC_USER_KEYRING);
544 	if (key_id >= 0)
545 		goto got_key;
546 
547 	key_id = request_key("user", key_description, NULL,
548 			     KEY_SPEC_USER_SESSION_KEYRING);
549 	if (key_id >= 0)
550 		goto got_key;
551 
552 	return -errno;
553 got_key:
554 
555 	if (keyctl_read(key_id, (void *) key, sizeof(*key)) != sizeof(*key))
556 		return -1;
557 
558 	return 0;
559 }
560 
561 #include "../crypto.h"
562 #endif
563 
564 int bch2_request_key(struct bch_sb *sb, struct bch_key *key)
565 {
566 	struct printbuf key_description = PRINTBUF;
567 	int ret;
568 
569 	prt_printf(&key_description, "bcachefs:");
570 	pr_uuid(&key_description, sb->user_uuid.b);
571 
572 	ret = __bch2_request_key(key_description.buf, key);
573 	printbuf_exit(&key_description);
574 
575 #ifndef __KERNEL__
576 	if (ret) {
577 		char *passphrase = read_passphrase("Enter passphrase: ");
578 		struct bch_encrypted_key sb_key;
579 
580 		bch2_passphrase_check(sb, passphrase,
581 				      key, &sb_key);
582 		ret = 0;
583 	}
584 #endif
585 
586 	/* stash with memfd, pass memfd fd to mount */
587 
588 	return ret;
589 }
590 
591 #ifndef __KERNEL__
592 int bch2_revoke_key(struct bch_sb *sb)
593 {
594 	key_serial_t key_id;
595 	struct printbuf key_description = PRINTBUF;
596 
597 	prt_printf(&key_description, "bcachefs:");
598 	pr_uuid(&key_description, sb->user_uuid.b);
599 
600 	key_id = request_key("user", key_description.buf, NULL, KEY_SPEC_USER_KEYRING);
601 	printbuf_exit(&key_description);
602 	if (key_id < 0)
603 		return errno;
604 
605 	keyctl_revoke(key_id);
606 
607 	return 0;
608 }
609 #endif
610 
611 int bch2_decrypt_sb_key(struct bch_fs *c,
612 			struct bch_sb_field_crypt *crypt,
613 			struct bch_key *key)
614 {
615 	struct bch_encrypted_key sb_key = crypt->key;
616 	struct bch_key user_key;
617 	int ret = 0;
618 
619 	/* is key encrypted? */
620 	if (!bch2_key_is_encrypted(&sb_key))
621 		goto out;
622 
623 	ret = bch2_request_key(c->disk_sb.sb, &user_key);
624 	if (ret) {
625 		bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret));
626 		goto err;
627 	}
628 
629 	/* decrypt real key: */
630 	ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
631 				      &sb_key, sizeof(sb_key));
632 	if (ret)
633 		goto err;
634 
635 	if (bch2_key_is_encrypted(&sb_key)) {
636 		bch_err(c, "incorrect encryption key");
637 		ret = -EINVAL;
638 		goto err;
639 	}
640 out:
641 	*key = sb_key.key;
642 err:
643 	memzero_explicit(&sb_key, sizeof(sb_key));
644 	memzero_explicit(&user_key, sizeof(user_key));
645 	return ret;
646 }
647 
648 static int bch2_alloc_ciphers(struct bch_fs *c)
649 {
650 	int ret;
651 
652 	if (!c->chacha20)
653 		c->chacha20 = crypto_alloc_sync_skcipher("chacha20", 0, 0);
654 	ret = PTR_ERR_OR_ZERO(c->chacha20);
655 
656 	if (ret) {
657 		bch_err(c, "error requesting chacha20 module: %s", bch2_err_str(ret));
658 		return ret;
659 	}
660 
661 	if (!c->poly1305)
662 		c->poly1305 = crypto_alloc_shash("poly1305", 0, 0);
663 	ret = PTR_ERR_OR_ZERO(c->poly1305);
664 
665 	if (ret) {
666 		bch_err(c, "error requesting poly1305 module: %s", bch2_err_str(ret));
667 		return ret;
668 	}
669 
670 	return 0;
671 }
672 
673 int bch2_disable_encryption(struct bch_fs *c)
674 {
675 	struct bch_sb_field_crypt *crypt;
676 	struct bch_key key;
677 	int ret = -EINVAL;
678 
679 	mutex_lock(&c->sb_lock);
680 
681 	crypt = bch2_sb_field_get(c->disk_sb.sb, crypt);
682 	if (!crypt)
683 		goto out;
684 
685 	/* is key encrypted? */
686 	ret = 0;
687 	if (bch2_key_is_encrypted(&crypt->key))
688 		goto out;
689 
690 	ret = bch2_decrypt_sb_key(c, crypt, &key);
691 	if (ret)
692 		goto out;
693 
694 	crypt->key.magic	= cpu_to_le64(BCH_KEY_MAGIC);
695 	crypt->key.key		= key;
696 
697 	SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 0);
698 	bch2_write_super(c);
699 out:
700 	mutex_unlock(&c->sb_lock);
701 
702 	return ret;
703 }
704 
705 int bch2_enable_encryption(struct bch_fs *c, bool keyed)
706 {
707 	struct bch_encrypted_key key;
708 	struct bch_key user_key;
709 	struct bch_sb_field_crypt *crypt;
710 	int ret = -EINVAL;
711 
712 	mutex_lock(&c->sb_lock);
713 
714 	/* Do we already have an encryption key? */
715 	if (bch2_sb_field_get(c->disk_sb.sb, crypt))
716 		goto err;
717 
718 	ret = bch2_alloc_ciphers(c);
719 	if (ret)
720 		goto err;
721 
722 	key.magic = cpu_to_le64(BCH_KEY_MAGIC);
723 	get_random_bytes(&key.key, sizeof(key.key));
724 
725 	if (keyed) {
726 		ret = bch2_request_key(c->disk_sb.sb, &user_key);
727 		if (ret) {
728 			bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret));
729 			goto err;
730 		}
731 
732 		ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
733 					      &key, sizeof(key));
734 		if (ret)
735 			goto err;
736 	}
737 
738 	ret = crypto_skcipher_setkey(&c->chacha20->base,
739 			(void *) &key.key, sizeof(key.key));
740 	if (ret)
741 		goto err;
742 
743 	crypt = bch2_sb_field_resize(&c->disk_sb, crypt,
744 				     sizeof(*crypt) / sizeof(u64));
745 	if (!crypt) {
746 		ret = -BCH_ERR_ENOSPC_sb_crypt;
747 		goto err;
748 	}
749 
750 	crypt->key = key;
751 
752 	/* write superblock */
753 	SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 1);
754 	bch2_write_super(c);
755 err:
756 	mutex_unlock(&c->sb_lock);
757 	memzero_explicit(&user_key, sizeof(user_key));
758 	memzero_explicit(&key, sizeof(key));
759 	return ret;
760 }
761 
762 void bch2_fs_encryption_exit(struct bch_fs *c)
763 {
764 	if (!IS_ERR_OR_NULL(c->poly1305))
765 		crypto_free_shash(c->poly1305);
766 	if (!IS_ERR_OR_NULL(c->chacha20))
767 		crypto_free_sync_skcipher(c->chacha20);
768 	if (!IS_ERR_OR_NULL(c->sha256))
769 		crypto_free_shash(c->sha256);
770 }
771 
772 int bch2_fs_encryption_init(struct bch_fs *c)
773 {
774 	struct bch_sb_field_crypt *crypt;
775 	struct bch_key key;
776 	int ret = 0;
777 
778 	c->sha256 = crypto_alloc_shash("sha256", 0, 0);
779 	ret = PTR_ERR_OR_ZERO(c->sha256);
780 	if (ret) {
781 		bch_err(c, "error requesting sha256 module: %s", bch2_err_str(ret));
782 		goto out;
783 	}
784 
785 	crypt = bch2_sb_field_get(c->disk_sb.sb, crypt);
786 	if (!crypt)
787 		goto out;
788 
789 	ret = bch2_alloc_ciphers(c);
790 	if (ret)
791 		goto out;
792 
793 	ret = bch2_decrypt_sb_key(c, crypt, &key);
794 	if (ret)
795 		goto out;
796 
797 	ret = crypto_skcipher_setkey(&c->chacha20->base,
798 			(void *) &key.key, sizeof(key.key));
799 	if (ret)
800 		goto out;
801 out:
802 	memzero_explicit(&key, sizeof(key));
803 	return ret;
804 }
805