xref: /linux/fs/crypto/crypto.c (revision fd639726bf15fca8ee1a00dce8e0096d0ad9bd18)
1 /*
2  * This contains encryption functions for per-file encryption.
3  *
4  * Copyright (C) 2015, Google, Inc.
5  * Copyright (C) 2015, Motorola Mobility
6  *
7  * Written by Michael Halcrow, 2014.
8  *
9  * Filename encryption additions
10  *	Uday Savagaonkar, 2014
11  * Encryption policy handling additions
12  *	Ildar Muslukhov, 2014
13  * Add fscrypt_pullback_bio_page()
14  *	Jaegeuk Kim, 2015.
15  *
16  * This has not yet undergone a rigorous security audit.
17  *
18  * The usage of AES-XTS should conform to recommendations in NIST
19  * Special Publication 800-38E and IEEE P1619/D16.
20  */
21 
22 #include <linux/pagemap.h>
23 #include <linux/mempool.h>
24 #include <linux/module.h>
25 #include <linux/scatterlist.h>
26 #include <linux/ratelimit.h>
27 #include <linux/dcache.h>
28 #include <linux/namei.h>
29 #include <crypto/aes.h>
30 #include "fscrypt_private.h"
31 
32 static unsigned int num_prealloc_crypto_pages = 32;
33 static unsigned int num_prealloc_crypto_ctxs = 128;
34 
35 module_param(num_prealloc_crypto_pages, uint, 0444);
36 MODULE_PARM_DESC(num_prealloc_crypto_pages,
37 		"Number of crypto pages to preallocate");
38 module_param(num_prealloc_crypto_ctxs, uint, 0444);
39 MODULE_PARM_DESC(num_prealloc_crypto_ctxs,
40 		"Number of crypto contexts to preallocate");
41 
42 static mempool_t *fscrypt_bounce_page_pool = NULL;
43 
44 static LIST_HEAD(fscrypt_free_ctxs);
45 static DEFINE_SPINLOCK(fscrypt_ctx_lock);
46 
47 struct workqueue_struct *fscrypt_read_workqueue;
48 static DEFINE_MUTEX(fscrypt_init_mutex);
49 
50 static struct kmem_cache *fscrypt_ctx_cachep;
51 struct kmem_cache *fscrypt_info_cachep;
52 
53 /**
54  * fscrypt_release_ctx() - Releases an encryption context
55  * @ctx: The encryption context to release.
56  *
57  * If the encryption context was allocated from the pre-allocated pool, returns
58  * it to that pool. Else, frees it.
59  *
60  * If there's a bounce page in the context, this frees that.
61  */
62 void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
63 {
64 	unsigned long flags;
65 
66 	if (ctx->flags & FS_CTX_HAS_BOUNCE_BUFFER_FL && ctx->w.bounce_page) {
67 		mempool_free(ctx->w.bounce_page, fscrypt_bounce_page_pool);
68 		ctx->w.bounce_page = NULL;
69 	}
70 	ctx->w.control_page = NULL;
71 	if (ctx->flags & FS_CTX_REQUIRES_FREE_ENCRYPT_FL) {
72 		kmem_cache_free(fscrypt_ctx_cachep, ctx);
73 	} else {
74 		spin_lock_irqsave(&fscrypt_ctx_lock, flags);
75 		list_add(&ctx->free_list, &fscrypt_free_ctxs);
76 		spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
77 	}
78 }
79 EXPORT_SYMBOL(fscrypt_release_ctx);
80 
81 /**
82  * fscrypt_get_ctx() - Gets an encryption context
83  * @inode:       The inode for which we are doing the crypto
84  * @gfp_flags:   The gfp flag for memory allocation
85  *
86  * Allocates and initializes an encryption context.
87  *
88  * Return: An allocated and initialized encryption context on success; error
89  * value or NULL otherwise.
90  */
91 struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *inode, gfp_t gfp_flags)
92 {
93 	struct fscrypt_ctx *ctx = NULL;
94 	struct fscrypt_info *ci = inode->i_crypt_info;
95 	unsigned long flags;
96 
97 	if (ci == NULL)
98 		return ERR_PTR(-ENOKEY);
99 
100 	/*
101 	 * We first try getting the ctx from a free list because in
102 	 * the common case the ctx will have an allocated and
103 	 * initialized crypto tfm, so it's probably a worthwhile
104 	 * optimization. For the bounce page, we first try getting it
105 	 * from the kernel allocator because that's just about as fast
106 	 * as getting it from a list and because a cache of free pages
107 	 * should generally be a "last resort" option for a filesystem
108 	 * to be able to do its job.
109 	 */
110 	spin_lock_irqsave(&fscrypt_ctx_lock, flags);
111 	ctx = list_first_entry_or_null(&fscrypt_free_ctxs,
112 					struct fscrypt_ctx, free_list);
113 	if (ctx)
114 		list_del(&ctx->free_list);
115 	spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
116 	if (!ctx) {
117 		ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, gfp_flags);
118 		if (!ctx)
119 			return ERR_PTR(-ENOMEM);
120 		ctx->flags |= FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
121 	} else {
122 		ctx->flags &= ~FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
123 	}
124 	ctx->flags &= ~FS_CTX_HAS_BOUNCE_BUFFER_FL;
125 	return ctx;
126 }
127 EXPORT_SYMBOL(fscrypt_get_ctx);
128 
129 int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
130 			   u64 lblk_num, struct page *src_page,
131 			   struct page *dest_page, unsigned int len,
132 			   unsigned int offs, gfp_t gfp_flags)
133 {
134 	struct {
135 		__le64 index;
136 		u8 padding[FS_IV_SIZE - sizeof(__le64)];
137 	} iv;
138 	struct skcipher_request *req = NULL;
139 	DECLARE_CRYPTO_WAIT(wait);
140 	struct scatterlist dst, src;
141 	struct fscrypt_info *ci = inode->i_crypt_info;
142 	struct crypto_skcipher *tfm = ci->ci_ctfm;
143 	int res = 0;
144 
145 	BUG_ON(len == 0);
146 
147 	BUILD_BUG_ON(sizeof(iv) != FS_IV_SIZE);
148 	BUILD_BUG_ON(AES_BLOCK_SIZE != FS_IV_SIZE);
149 	iv.index = cpu_to_le64(lblk_num);
150 	memset(iv.padding, 0, sizeof(iv.padding));
151 
152 	if (ci->ci_essiv_tfm != NULL) {
153 		crypto_cipher_encrypt_one(ci->ci_essiv_tfm, (u8 *)&iv,
154 					  (u8 *)&iv);
155 	}
156 
157 	req = skcipher_request_alloc(tfm, gfp_flags);
158 	if (!req) {
159 		printk_ratelimited(KERN_ERR
160 				"%s: crypto_request_alloc() failed\n",
161 				__func__);
162 		return -ENOMEM;
163 	}
164 
165 	skcipher_request_set_callback(
166 		req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
167 		crypto_req_done, &wait);
168 
169 	sg_init_table(&dst, 1);
170 	sg_set_page(&dst, dest_page, len, offs);
171 	sg_init_table(&src, 1);
172 	sg_set_page(&src, src_page, len, offs);
173 	skcipher_request_set_crypt(req, &src, &dst, len, &iv);
174 	if (rw == FS_DECRYPT)
175 		res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
176 	else
177 		res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
178 	skcipher_request_free(req);
179 	if (res) {
180 		printk_ratelimited(KERN_ERR
181 			"%s: crypto_skcipher_encrypt() returned %d\n",
182 			__func__, res);
183 		return res;
184 	}
185 	return 0;
186 }
187 
188 struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx,
189 				       gfp_t gfp_flags)
190 {
191 	ctx->w.bounce_page = mempool_alloc(fscrypt_bounce_page_pool, gfp_flags);
192 	if (ctx->w.bounce_page == NULL)
193 		return ERR_PTR(-ENOMEM);
194 	ctx->flags |= FS_CTX_HAS_BOUNCE_BUFFER_FL;
195 	return ctx->w.bounce_page;
196 }
197 
198 /**
199  * fscypt_encrypt_page() - Encrypts a page
200  * @inode:     The inode for which the encryption should take place
201  * @page:      The page to encrypt. Must be locked for bounce-page
202  *             encryption.
203  * @len:       Length of data to encrypt in @page and encrypted
204  *             data in returned page.
205  * @offs:      Offset of data within @page and returned
206  *             page holding encrypted data.
207  * @lblk_num:  Logical block number. This must be unique for multiple
208  *             calls with same inode, except when overwriting
209  *             previously written data.
210  * @gfp_flags: The gfp flag for memory allocation
211  *
212  * Encrypts @page using the ctx encryption context. Performs encryption
213  * either in-place or into a newly allocated bounce page.
214  * Called on the page write path.
215  *
216  * Bounce page allocation is the default.
217  * In this case, the contents of @page are encrypted and stored in an
218  * allocated bounce page. @page has to be locked and the caller must call
219  * fscrypt_restore_control_page() on the returned ciphertext page to
220  * release the bounce buffer and the encryption context.
221  *
222  * In-place encryption is used by setting the FS_CFLG_OWN_PAGES flag in
223  * fscrypt_operations. Here, the input-page is returned with its content
224  * encrypted.
225  *
226  * Return: A page with the encrypted content on success. Else, an
227  * error value or NULL.
228  */
229 struct page *fscrypt_encrypt_page(const struct inode *inode,
230 				struct page *page,
231 				unsigned int len,
232 				unsigned int offs,
233 				u64 lblk_num, gfp_t gfp_flags)
234 
235 {
236 	struct fscrypt_ctx *ctx;
237 	struct page *ciphertext_page = page;
238 	int err;
239 
240 	BUG_ON(len % FS_CRYPTO_BLOCK_SIZE != 0);
241 
242 	if (inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES) {
243 		/* with inplace-encryption we just encrypt the page */
244 		err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num, page,
245 					     ciphertext_page, len, offs,
246 					     gfp_flags);
247 		if (err)
248 			return ERR_PTR(err);
249 
250 		return ciphertext_page;
251 	}
252 
253 	BUG_ON(!PageLocked(page));
254 
255 	ctx = fscrypt_get_ctx(inode, gfp_flags);
256 	if (IS_ERR(ctx))
257 		return (struct page *)ctx;
258 
259 	/* The encryption operation will require a bounce page. */
260 	ciphertext_page = fscrypt_alloc_bounce_page(ctx, gfp_flags);
261 	if (IS_ERR(ciphertext_page))
262 		goto errout;
263 
264 	ctx->w.control_page = page;
265 	err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num,
266 				     page, ciphertext_page, len, offs,
267 				     gfp_flags);
268 	if (err) {
269 		ciphertext_page = ERR_PTR(err);
270 		goto errout;
271 	}
272 	SetPagePrivate(ciphertext_page);
273 	set_page_private(ciphertext_page, (unsigned long)ctx);
274 	lock_page(ciphertext_page);
275 	return ciphertext_page;
276 
277 errout:
278 	fscrypt_release_ctx(ctx);
279 	return ciphertext_page;
280 }
281 EXPORT_SYMBOL(fscrypt_encrypt_page);
282 
283 /**
284  * fscrypt_decrypt_page() - Decrypts a page in-place
285  * @inode:     The corresponding inode for the page to decrypt.
286  * @page:      The page to decrypt. Must be locked in case
287  *             it is a writeback page (FS_CFLG_OWN_PAGES unset).
288  * @len:       Number of bytes in @page to be decrypted.
289  * @offs:      Start of data in @page.
290  * @lblk_num:  Logical block number.
291  *
292  * Decrypts page in-place using the ctx encryption context.
293  *
294  * Called from the read completion callback.
295  *
296  * Return: Zero on success, non-zero otherwise.
297  */
298 int fscrypt_decrypt_page(const struct inode *inode, struct page *page,
299 			unsigned int len, unsigned int offs, u64 lblk_num)
300 {
301 	if (!(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES))
302 		BUG_ON(!PageLocked(page));
303 
304 	return fscrypt_do_page_crypto(inode, FS_DECRYPT, lblk_num, page, page,
305 				      len, offs, GFP_NOFS);
306 }
307 EXPORT_SYMBOL(fscrypt_decrypt_page);
308 
309 /*
310  * Validate dentries for encrypted directories to make sure we aren't
311  * potentially caching stale data after a key has been added or
312  * removed.
313  */
314 static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
315 {
316 	struct dentry *dir;
317 	int dir_has_key, cached_with_key;
318 
319 	if (flags & LOOKUP_RCU)
320 		return -ECHILD;
321 
322 	dir = dget_parent(dentry);
323 	if (!IS_ENCRYPTED(d_inode(dir))) {
324 		dput(dir);
325 		return 0;
326 	}
327 
328 	/* this should eventually be an flag in d_flags */
329 	spin_lock(&dentry->d_lock);
330 	cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
331 	spin_unlock(&dentry->d_lock);
332 	dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
333 	dput(dir);
334 
335 	/*
336 	 * If the dentry was cached without the key, and it is a
337 	 * negative dentry, it might be a valid name.  We can't check
338 	 * if the key has since been made available due to locking
339 	 * reasons, so we fail the validation so ext4_lookup() can do
340 	 * this check.
341 	 *
342 	 * We also fail the validation if the dentry was created with
343 	 * the key present, but we no longer have the key, or vice versa.
344 	 */
345 	if ((!cached_with_key && d_is_negative(dentry)) ||
346 			(!cached_with_key && dir_has_key) ||
347 			(cached_with_key && !dir_has_key))
348 		return 0;
349 	return 1;
350 }
351 
352 const struct dentry_operations fscrypt_d_ops = {
353 	.d_revalidate = fscrypt_d_revalidate,
354 };
355 EXPORT_SYMBOL(fscrypt_d_ops);
356 
357 void fscrypt_restore_control_page(struct page *page)
358 {
359 	struct fscrypt_ctx *ctx;
360 
361 	ctx = (struct fscrypt_ctx *)page_private(page);
362 	set_page_private(page, (unsigned long)NULL);
363 	ClearPagePrivate(page);
364 	unlock_page(page);
365 	fscrypt_release_ctx(ctx);
366 }
367 EXPORT_SYMBOL(fscrypt_restore_control_page);
368 
369 static void fscrypt_destroy(void)
370 {
371 	struct fscrypt_ctx *pos, *n;
372 
373 	list_for_each_entry_safe(pos, n, &fscrypt_free_ctxs, free_list)
374 		kmem_cache_free(fscrypt_ctx_cachep, pos);
375 	INIT_LIST_HEAD(&fscrypt_free_ctxs);
376 	mempool_destroy(fscrypt_bounce_page_pool);
377 	fscrypt_bounce_page_pool = NULL;
378 }
379 
380 /**
381  * fscrypt_initialize() - allocate major buffers for fs encryption.
382  * @cop_flags:  fscrypt operations flags
383  *
384  * We only call this when we start accessing encrypted files, since it
385  * results in memory getting allocated that wouldn't otherwise be used.
386  *
387  * Return: Zero on success, non-zero otherwise.
388  */
389 int fscrypt_initialize(unsigned int cop_flags)
390 {
391 	int i, res = -ENOMEM;
392 
393 	/* No need to allocate a bounce page pool if this FS won't use it. */
394 	if (cop_flags & FS_CFLG_OWN_PAGES)
395 		return 0;
396 
397 	mutex_lock(&fscrypt_init_mutex);
398 	if (fscrypt_bounce_page_pool)
399 		goto already_initialized;
400 
401 	for (i = 0; i < num_prealloc_crypto_ctxs; i++) {
402 		struct fscrypt_ctx *ctx;
403 
404 		ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, GFP_NOFS);
405 		if (!ctx)
406 			goto fail;
407 		list_add(&ctx->free_list, &fscrypt_free_ctxs);
408 	}
409 
410 	fscrypt_bounce_page_pool =
411 		mempool_create_page_pool(num_prealloc_crypto_pages, 0);
412 	if (!fscrypt_bounce_page_pool)
413 		goto fail;
414 
415 already_initialized:
416 	mutex_unlock(&fscrypt_init_mutex);
417 	return 0;
418 fail:
419 	fscrypt_destroy();
420 	mutex_unlock(&fscrypt_init_mutex);
421 	return res;
422 }
423 
424 /**
425  * fscrypt_init() - Set up for fs encryption.
426  */
427 static int __init fscrypt_init(void)
428 {
429 	fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
430 							WQ_HIGHPRI, 0);
431 	if (!fscrypt_read_workqueue)
432 		goto fail;
433 
434 	fscrypt_ctx_cachep = KMEM_CACHE(fscrypt_ctx, SLAB_RECLAIM_ACCOUNT);
435 	if (!fscrypt_ctx_cachep)
436 		goto fail_free_queue;
437 
438 	fscrypt_info_cachep = KMEM_CACHE(fscrypt_info, SLAB_RECLAIM_ACCOUNT);
439 	if (!fscrypt_info_cachep)
440 		goto fail_free_ctx;
441 
442 	return 0;
443 
444 fail_free_ctx:
445 	kmem_cache_destroy(fscrypt_ctx_cachep);
446 fail_free_queue:
447 	destroy_workqueue(fscrypt_read_workqueue);
448 fail:
449 	return -ENOMEM;
450 }
451 module_init(fscrypt_init)
452 
453 /**
454  * fscrypt_exit() - Shutdown the fs encryption system
455  */
456 static void __exit fscrypt_exit(void)
457 {
458 	fscrypt_destroy();
459 
460 	if (fscrypt_read_workqueue)
461 		destroy_workqueue(fscrypt_read_workqueue);
462 	kmem_cache_destroy(fscrypt_ctx_cachep);
463 	kmem_cache_destroy(fscrypt_info_cachep);
464 
465 	fscrypt_essiv_cleanup();
466 }
467 module_exit(fscrypt_exit);
468 
469 MODULE_LICENSE("GPL");
470