// SPDX-License-Identifier: GPL-2.0-only
/*
 * This contains encryption functions for per-file encryption.
 *
 * Copyright (C) 2015, Google, Inc.
 * Copyright (C) 2015, Motorola Mobility
 *
 * Written by Michael Halcrow, 2014.
 *
 * Filename encryption additions
 *	Uday Savagaonkar, 2014
 * Encryption policy handling additions
 *	Ildar Muslukhov, 2014
 * Add fscrypt_pullback_bio_page()
 *	Jaegeuk Kim, 2015.
 *
 * This has not yet undergone a rigorous security audit.
 *
 * The usage of AES-XTS should conform to recommendations in NIST
 * Special Publication 800-38E and IEEE P1619/D16.
 */

#include <linux/pagemap.h>
#include <linux/mempool.h>
#include <linux/module.h>
#include <linux/scatterlist.h>
#include <linux/ratelimit.h>
#include <linux/dcache.h>
#include <linux/namei.h>
#include <crypto/aes.h>
#include <crypto/skcipher.h>
#include "fscrypt_private.h"

static unsigned int num_prealloc_crypto_pages = 32;
static unsigned int num_prealloc_crypto_ctxs = 128;

module_param(num_prealloc_crypto_pages, uint, 0444);
MODULE_PARM_DESC(num_prealloc_crypto_pages,
		"Number of crypto pages to preallocate");
module_param(num_prealloc_crypto_ctxs, uint, 0444);
MODULE_PARM_DESC(num_prealloc_crypto_ctxs,
		"Number of crypto contexts to preallocate");

static mempool_t *fscrypt_bounce_page_pool = NULL;

static LIST_HEAD(fscrypt_free_ctxs);
static DEFINE_SPINLOCK(fscrypt_ctx_lock);

static struct workqueue_struct *fscrypt_read_workqueue;
static DEFINE_MUTEX(fscrypt_init_mutex);

static struct kmem_cache *fscrypt_ctx_cachep;
struct kmem_cache *fscrypt_info_cachep;

void fscrypt_enqueue_decrypt_work(struct work_struct *work)
{
	queue_work(fscrypt_read_workqueue, work);
}
EXPORT_SYMBOL(fscrypt_enqueue_decrypt_work);

/**
 * fscrypt_release_ctx() - Release a decryption context
 * @ctx: The decryption context to release.
 *
 * If the decryption context was allocated from the pre-allocated pool, return
 * it to that pool.  Else, free it.
 */
void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
{
	unsigned long flags;

	if (ctx->flags & FS_CTX_REQUIRES_FREE_ENCRYPT_FL) {
		kmem_cache_free(fscrypt_ctx_cachep, ctx);
	} else {
		spin_lock_irqsave(&fscrypt_ctx_lock, flags);
		list_add(&ctx->free_list, &fscrypt_free_ctxs);
		spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
	}
}
EXPORT_SYMBOL(fscrypt_release_ctx);

/**
 * fscrypt_get_ctx() - Get a decryption context
 * @gfp_flags: The gfp flags for memory allocation
 *
 * Allocate and initialize a decryption context.
 *
 * Return: A new decryption context on success; an ERR_PTR() otherwise.
 */
struct fscrypt_ctx *fscrypt_get_ctx(gfp_t gfp_flags)
{
	struct fscrypt_ctx *ctx;
	unsigned long flags;

	/*
	 * First try getting a ctx from the free list so that we don't have to
	 * call into the slab allocator.
	 */
	spin_lock_irqsave(&fscrypt_ctx_lock, flags);
	ctx = list_first_entry_or_null(&fscrypt_free_ctxs,
					struct fscrypt_ctx, free_list);
	if (ctx)
		list_del(&ctx->free_list);
	spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
	if (!ctx) {
		ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, gfp_flags);
		if (!ctx)
			return ERR_PTR(-ENOMEM);
		ctx->flags |= FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
	} else {
		ctx->flags &= ~FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
	}
	return ctx;
}
EXPORT_SYMBOL(fscrypt_get_ctx);
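
/*
 * Illustrative sketch (editor's assumption, not part of the original file):
 * a caller in a read path would typically pair fscrypt_get_ctx() with
 * fscrypt_release_ctx(), e.g.:
 *
 *	struct fscrypt_ctx *ctx = fscrypt_get_ctx(GFP_NOFS);
 *
 *	if (IS_ERR(ctx))
 *		return PTR_ERR(ctx);
 *	... stash @ctx in the bio or work item and use it, then ...
 *	fscrypt_release_ctx(ctx);
 */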

struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags)
{
	return mempool_alloc(fscrypt_bounce_page_pool, gfp_flags);
}

/**
 * fscrypt_free_bounce_page() - free a ciphertext bounce page
 * @bounce_page: the bounce page to free, or NULL
 *
 * Free a bounce page that was allocated by fscrypt_encrypt_pagecache_blocks(),
 * or by fscrypt_alloc_bounce_page() directly.
 */
void fscrypt_free_bounce_page(struct page *bounce_page)
{
	if (!bounce_page)
		return;
	set_page_private(bounce_page, (unsigned long)NULL);
	ClearPagePrivate(bounce_page);
	mempool_free(bounce_page, fscrypt_bounce_page_pool);
}
EXPORT_SYMBOL(fscrypt_free_bounce_page);

void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
			 const struct fscrypt_info *ci)
{
	memset(iv, 0, ci->ci_mode->ivsize);
	iv->lblk_num = cpu_to_le64(lblk_num);

	if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY)
		memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);

	if (ci->ci_essiv_tfm != NULL)
		crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw);
}

/* Encrypt or decrypt a single filesystem block of file contents */
int fscrypt_crypt_block(const struct inode *inode, fscrypt_direction_t rw,
			u64 lblk_num, struct page *src_page,
			struct page *dest_page, unsigned int len,
			unsigned int offs, gfp_t gfp_flags)
{
	union fscrypt_iv iv;
	struct skcipher_request *req = NULL;
	DECLARE_CRYPTO_WAIT(wait);
	struct scatterlist dst, src;
	struct fscrypt_info *ci = inode->i_crypt_info;
	struct crypto_skcipher *tfm = ci->ci_ctfm;
	int res = 0;

	if (WARN_ON_ONCE(len <= 0))
		return -EINVAL;
	if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0))
		return -EINVAL;

	fscrypt_generate_iv(&iv, lblk_num, ci);

	req = skcipher_request_alloc(tfm, gfp_flags);
	if (!req)
		return -ENOMEM;

	skcipher_request_set_callback(
		req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
		crypto_req_done, &wait);

	sg_init_table(&dst, 1);
	sg_set_page(&dst, dest_page, len, offs);
	sg_init_table(&src, 1);
	sg_set_page(&src, src_page, len, offs);
	skcipher_request_set_crypt(req, &src, &dst, len, &iv);
	if (rw == FS_DECRYPT)
		res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
	else
		res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
	skcipher_request_free(req);
	if (res) {
		fscrypt_err(inode->i_sb,
			    "%scryption failed for inode %lu, block %llu: %d",
			    (rw == FS_DECRYPT ? "de" : "en"),
			    inode->i_ino, lblk_num, res);
		return res;
	}
	return 0;
}
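
/*
 * Illustrative sketch (editor's assumption, not from this file): a filesystem
 * that manages its own bounce pages (FS_CFLG_OWN_PAGES) could encrypt a single
 * fs block directly with fscrypt_crypt_block(), e.g. for a 4096-byte block at
 * offset 0 of a page:
 *
 *	err = fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num,
 *				  plaintext_page, ciphertext_page,
 *				  4096, 0, GFP_NOFS);
 *	if (err)
 *		return err;
 */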

/**
 * fscrypt_encrypt_pagecache_blocks() - Encrypt filesystem blocks from a pagecache page
 * @page:      The locked pagecache page containing the block(s) to encrypt
 * @len:       Total size of the block(s) to encrypt.  Must be a nonzero
 *		multiple of the filesystem's block size.
 * @offs:      Byte offset within @page of the first block to encrypt.  Must be
 *		a multiple of the filesystem's block size.
 * @gfp_flags: Memory allocation flags
 *
 * A new bounce page is allocated, and the specified block(s) are encrypted into
 * it.  In the bounce page, the ciphertext block(s) will be located at the same
 * offsets at which the plaintext block(s) were located in the source page; any
 * other parts of the bounce page will be left uninitialized.  However, normally
 * blocksize == PAGE_SIZE and the whole page is encrypted at once.
 *
 * This is for use by the filesystem's ->writepages() method.
 *
 * Return: the new encrypted bounce page on success; an ERR_PTR() on failure
 */
struct page *fscrypt_encrypt_pagecache_blocks(struct page *page,
					      unsigned int len,
					      unsigned int offs,
					      gfp_t gfp_flags)
{
	const struct inode *inode = page->mapping->host;
	const unsigned int blockbits = inode->i_blkbits;
	const unsigned int blocksize = 1 << blockbits;
	struct page *ciphertext_page;
	u64 lblk_num = ((u64)page->index << (PAGE_SHIFT - blockbits)) +
		       (offs >> blockbits);
	unsigned int i;
	int err;

	if (WARN_ON_ONCE(!PageLocked(page)))
		return ERR_PTR(-EINVAL);

	if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize)))
		return ERR_PTR(-EINVAL);

	ciphertext_page = fscrypt_alloc_bounce_page(gfp_flags);
	if (!ciphertext_page)
		return ERR_PTR(-ENOMEM);

	for (i = offs; i < offs + len; i += blocksize, lblk_num++) {
		err = fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num,
					  page, ciphertext_page,
					  blocksize, i, gfp_flags);
		if (err) {
			fscrypt_free_bounce_page(ciphertext_page);
			return ERR_PTR(err);
		}
	}
	SetPagePrivate(ciphertext_page);
	set_page_private(ciphertext_page, (unsigned long)page);
	return ciphertext_page;
}
EXPORT_SYMBOL(fscrypt_encrypt_pagecache_blocks);

/**
 * fscrypt_encrypt_block_inplace() - Encrypt a filesystem block in-place
 * @inode:     The inode to which this block belongs
 * @page:      The page containing the block to encrypt
 * @len:       Size of block to encrypt.  Doesn't need to be a multiple of the
 *		fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE.
 * @offs:      Byte offset within @page at which the block to encrypt begins
 * @lblk_num:  Filesystem logical block number of the block, i.e. the 0-based
 *		number of the block within the file
 * @gfp_flags: Memory allocation flags
 *
 * Encrypt a possibly-compressed filesystem block that is located in an
 * arbitrary page, not necessarily in the original pagecache page.  The @inode
 * and @lblk_num must be specified, as they can't be determined from @page.
 *
 * Return: 0 on success; -errno on failure
 */
int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page,
				  unsigned int len, unsigned int offs,
				  u64 lblk_num, gfp_t gfp_flags)
{
	return fscrypt_crypt_block(inode, FS_ENCRYPT, lblk_num, page, page,
				   len, offs, gfp_flags);
}
EXPORT_SYMBOL(fscrypt_encrypt_block_inplace);
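
/*
 * Illustrative sketch (editor's assumption, not from this file): a
 * filesystem's ->writepages() path would typically encrypt the whole page and
 * submit the returned bounce page in place of the pagecache page:
 *
 *	bounce_page = fscrypt_encrypt_pagecache_blocks(page, PAGE_SIZE, 0,
 *						       GFP_NOFS);
 *	if (IS_ERR(bounce_page))
 *		return PTR_ERR(bounce_page);
 *	... add @bounce_page to the bio instead of @page ...
 *	... then, in the write-completion handler: ...
 *	fscrypt_free_bounce_page(bounce_page);
 */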

/**
 * fscrypt_decrypt_pagecache_blocks() - Decrypt filesystem blocks in a pagecache page
 * @page:      The locked pagecache page containing the block(s) to decrypt
 * @len:       Total size of the block(s) to decrypt.  Must be a nonzero
 *		multiple of the filesystem's block size.
 * @offs:      Byte offset within @page of the first block to decrypt.  Must be
 *		a multiple of the filesystem's block size.
 *
 * The specified block(s) are decrypted in-place within the pagecache page,
 * which must still be locked and not uptodate.  Normally, blocksize ==
 * PAGE_SIZE and the whole page is decrypted at once.
 *
 * This is for use by the filesystem's ->readpages() method.
 *
 * Return: 0 on success; -errno on failure
 */
int fscrypt_decrypt_pagecache_blocks(struct page *page, unsigned int len,
				     unsigned int offs)
{
	const struct inode *inode = page->mapping->host;
	const unsigned int blockbits = inode->i_blkbits;
	const unsigned int blocksize = 1 << blockbits;
	u64 lblk_num = ((u64)page->index << (PAGE_SHIFT - blockbits)) +
		       (offs >> blockbits);
	unsigned int i;
	int err;

	if (WARN_ON_ONCE(!PageLocked(page)))
		return -EINVAL;

	if (WARN_ON_ONCE(len <= 0 || !IS_ALIGNED(len | offs, blocksize)))
		return -EINVAL;

	for (i = offs; i < offs + len; i += blocksize, lblk_num++) {
		err = fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page,
					  page, blocksize, i, GFP_NOFS);
		if (err)
			return err;
	}
	return 0;
}
EXPORT_SYMBOL(fscrypt_decrypt_pagecache_blocks);

/**
 * fscrypt_decrypt_block_inplace() - Decrypt a filesystem block in-place
 * @inode:     The inode to which this block belongs
 * @page:      The page containing the block to decrypt
 * @len:       Size of block to decrypt.  Doesn't need to be a multiple of the
 *		fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE.
 * @offs:      Byte offset within @page at which the block to decrypt begins
 * @lblk_num:  Filesystem logical block number of the block, i.e. the 0-based
 *		number of the block within the file
 *
 * Decrypt a possibly-compressed filesystem block that is located in an
 * arbitrary page, not necessarily in the original pagecache page.  The @inode
 * and @lblk_num must be specified, as they can't be determined from @page.
 *
 * Return: 0 on success; -errno on failure
 */
int fscrypt_decrypt_block_inplace(const struct inode *inode, struct page *page,
				  unsigned int len, unsigned int offs,
				  u64 lblk_num)
{
	return fscrypt_crypt_block(inode, FS_DECRYPT, lblk_num, page, page,
				   len, offs, GFP_NOFS);
}
EXPORT_SYMBOL(fscrypt_decrypt_block_inplace);
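
/*
 * Illustrative sketch (editor's assumption, not from this file): a
 * read-completion work item would typically decrypt each pagecache page
 * in-place before marking it uptodate:
 *
 *	err = fscrypt_decrypt_pagecache_blocks(page, PAGE_SIZE, 0);
 *	if (!err)
 *		SetPageUptodate(page);
 *	unlock_page(page);
 */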

/*
 * Validate dentries in encrypted directories to make sure we aren't
 * potentially caching stale dentries after a key has been added.
 */
static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
{
	struct dentry *dir;
	int err;
	int valid;

	/*
	 * Plaintext names are always valid, since fscrypt doesn't support
	 * reverting to ciphertext names without evicting the directory's inode
	 * -- which implies eviction of the dentries in the directory.
	 */
	if (!(dentry->d_flags & DCACHE_ENCRYPTED_NAME))
		return 1;

	/*
	 * Ciphertext name; valid if the directory's key is still unavailable.
	 *
	 * Although fscrypt forbids rename() on ciphertext names, we still must
	 * use dget_parent() here rather than use ->d_parent directly.  That's
	 * because a corrupted fs image may contain directory hard links, which
	 * the VFS handles by moving the directory's dentry tree in the dcache
	 * each time ->lookup() finds the directory and it already has a dentry
	 * elsewhere.  Thus ->d_parent can be changing, and we must safely grab
	 * a reference to some ->d_parent to prevent it from being freed.
	 */
	if (flags & LOOKUP_RCU)
		return -ECHILD;

	dir = dget_parent(dentry);
	err = fscrypt_get_encryption_info(d_inode(dir));
	valid = !fscrypt_has_encryption_key(d_inode(dir));
	dput(dir);

	if (err < 0)
		return err;

	return valid;
}

const struct dentry_operations fscrypt_d_ops = {
	.d_revalidate = fscrypt_d_revalidate,
};

static void fscrypt_destroy(void)
{
	struct fscrypt_ctx *pos, *n;

	list_for_each_entry_safe(pos, n, &fscrypt_free_ctxs, free_list)
		kmem_cache_free(fscrypt_ctx_cachep, pos);
	INIT_LIST_HEAD(&fscrypt_free_ctxs);
	mempool_destroy(fscrypt_bounce_page_pool);
	fscrypt_bounce_page_pool = NULL;
}

/**
 * fscrypt_initialize() - allocate major buffers for fs encryption.
 * @cop_flags: fscrypt operations flags
 *
 * We only call this when we start accessing encrypted files, since it
 * results in memory getting allocated that wouldn't otherwise be used.
 *
 * Return: 0 on success; -errno on failure
 */
int fscrypt_initialize(unsigned int cop_flags)
{
	int i, res = -ENOMEM;

	/* No need to allocate a bounce page pool if this FS won't use it. */
	if (cop_flags & FS_CFLG_OWN_PAGES)
		return 0;

	mutex_lock(&fscrypt_init_mutex);
	if (fscrypt_bounce_page_pool)
		goto already_initialized;

	for (i = 0; i < num_prealloc_crypto_ctxs; i++) {
		struct fscrypt_ctx *ctx;

		ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, GFP_NOFS);
		if (!ctx)
			goto fail;
		list_add(&ctx->free_list, &fscrypt_free_ctxs);
	}

	fscrypt_bounce_page_pool =
		mempool_create_page_pool(num_prealloc_crypto_pages, 0);
	if (!fscrypt_bounce_page_pool)
		goto fail;

already_initialized:
	mutex_unlock(&fscrypt_init_mutex);
	return 0;
fail:
	fscrypt_destroy();
	mutex_unlock(&fscrypt_init_mutex);
	return res;
}

void fscrypt_msg(struct super_block *sb, const char *level,
		 const char *fmt, ...)
{
	static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
				      DEFAULT_RATELIMIT_BURST);
	struct va_format vaf;
	va_list args;

	if (!__ratelimit(&rs))
		return;

	va_start(args, fmt);
	vaf.fmt = fmt;
	vaf.va = &args;
	if (sb)
		printk("%sfscrypt (%s): %pV\n", level, sb->s_id, &vaf);
	else
		printk("%sfscrypt: %pV\n", level, &vaf);
	va_end(args);
}
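
/*
 * Illustrative note (editor's assumption, not from this file): callers
 * normally reach fscrypt_msg() through level-specific wrapper macros such as
 * fscrypt_err(), as used in fscrypt_crypt_block() above, e.g. with a
 * hypothetical message:
 *
 *	fscrypt_err(inode->i_sb, "unsupported encryption mode %d", mode);
 */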

/**
 * fscrypt_init() - Set up for fs encryption.
 */
static int __init fscrypt_init(void)
{
	/*
	 * Use an unbound workqueue to allow bios to be decrypted in parallel
	 * even when they happen to complete on the same CPU.  This sacrifices
	 * locality, but it's worthwhile since decryption is CPU-intensive.
	 *
	 * Also use a high-priority workqueue to prioritize decryption work,
	 * which blocks reads from completing, over regular application tasks.
	 */
	fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
						 WQ_UNBOUND | WQ_HIGHPRI,
						 num_online_cpus());
	if (!fscrypt_read_workqueue)
		goto fail;

	fscrypt_ctx_cachep = KMEM_CACHE(fscrypt_ctx, SLAB_RECLAIM_ACCOUNT);
	if (!fscrypt_ctx_cachep)
		goto fail_free_queue;

	fscrypt_info_cachep = KMEM_CACHE(fscrypt_info, SLAB_RECLAIM_ACCOUNT);
	if (!fscrypt_info_cachep)
		goto fail_free_ctx;

	return 0;

fail_free_ctx:
	kmem_cache_destroy(fscrypt_ctx_cachep);
fail_free_queue:
	destroy_workqueue(fscrypt_read_workqueue);
fail:
	return -ENOMEM;
}
module_init(fscrypt_init)

/**
 * fscrypt_exit() - Shutdown the fs encryption system
 */
static void __exit fscrypt_exit(void)
{
	fscrypt_destroy();

	if (fscrypt_read_workqueue)
		destroy_workqueue(fscrypt_read_workqueue);
	kmem_cache_destroy(fscrypt_ctx_cachep);
	kmem_cache_destroy(fscrypt_info_cachep);

	fscrypt_essiv_cleanup();
}
module_exit(fscrypt_exit);

MODULE_LICENSE("GPL");