xref: /linux/fs/crypto/fscrypt_private.h (revision 6fdcba32711044c35c0e1b094cbd8f3f0b4472c9)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * fscrypt_private.h
4  *
5  * Copyright (C) 2015, Google, Inc.
6  *
7  * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
8  * Heavily modified since then.
9  */
10 
11 #ifndef _FSCRYPT_PRIVATE_H
12 #define _FSCRYPT_PRIVATE_H
13 
14 #include <linux/fscrypt.h>
15 #include <crypto/hash.h>
16 
17 #define CONST_STRLEN(str)	(sizeof(str) - 1)
18 
19 #define FS_KEY_DERIVATION_NONCE_SIZE	16
20 
21 #define FSCRYPT_MIN_KEY_SIZE		16
22 
23 #define FSCRYPT_CONTEXT_V1	1
24 #define FSCRYPT_CONTEXT_V2	2
25 
26 struct fscrypt_context_v1 {
27 	u8 version; /* FSCRYPT_CONTEXT_V1 */
28 	u8 contents_encryption_mode;
29 	u8 filenames_encryption_mode;
30 	u8 flags;
31 	u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
32 	u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
33 };
34 
35 struct fscrypt_context_v2 {
36 	u8 version; /* FSCRYPT_CONTEXT_V2 */
37 	u8 contents_encryption_mode;
38 	u8 filenames_encryption_mode;
39 	u8 flags;
40 	u8 __reserved[4];
41 	u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
42 	u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
43 };
44 
45 /**
46  * fscrypt_context - the encryption context of an inode
47  *
48  * This is the on-disk equivalent of an fscrypt_policy, stored alongside each
49  * encrypted file usually in a hidden extended attribute.  It contains the
50  * fields from the fscrypt_policy, in order to identify the encryption algorithm
51  * and key with which the file is encrypted.  It also contains a nonce that was
52  * randomly generated by fscrypt itself; this is used as KDF input or as a tweak
53  * to cause different files to be encrypted differently.
54  */
55 union fscrypt_context {
56 	u8 version;
57 	struct fscrypt_context_v1 v1;
58 	struct fscrypt_context_v2 v2;
59 };
60 
61 /*
62  * Return the size expected for the given fscrypt_context based on its version
63  * number, or 0 if the context version is unrecognized.
64  */
65 static inline int fscrypt_context_size(const union fscrypt_context *ctx)
66 {
67 	switch (ctx->version) {
68 	case FSCRYPT_CONTEXT_V1:
69 		BUILD_BUG_ON(sizeof(ctx->v1) != 28);
70 		return sizeof(ctx->v1);
71 	case FSCRYPT_CONTEXT_V2:
72 		BUILD_BUG_ON(sizeof(ctx->v2) != 40);
73 		return sizeof(ctx->v2);
74 	}
75 	return 0;
76 }
77 
78 #undef fscrypt_policy
79 union fscrypt_policy {
80 	u8 version;
81 	struct fscrypt_policy_v1 v1;
82 	struct fscrypt_policy_v2 v2;
83 };
84 
85 /*
86  * Return the size expected for the given fscrypt_policy based on its version
87  * number, or 0 if the policy version is unrecognized.
88  */
89 static inline int fscrypt_policy_size(const union fscrypt_policy *policy)
90 {
91 	switch (policy->version) {
92 	case FSCRYPT_POLICY_V1:
93 		return sizeof(policy->v1);
94 	case FSCRYPT_POLICY_V2:
95 		return sizeof(policy->v2);
96 	}
97 	return 0;
98 }
99 
100 /* Return the contents encryption mode of a valid encryption policy */
101 static inline u8
102 fscrypt_policy_contents_mode(const union fscrypt_policy *policy)
103 {
104 	switch (policy->version) {
105 	case FSCRYPT_POLICY_V1:
106 		return policy->v1.contents_encryption_mode;
107 	case FSCRYPT_POLICY_V2:
108 		return policy->v2.contents_encryption_mode;
109 	}
110 	BUG();
111 }
112 
113 /* Return the filenames encryption mode of a valid encryption policy */
114 static inline u8
115 fscrypt_policy_fnames_mode(const union fscrypt_policy *policy)
116 {
117 	switch (policy->version) {
118 	case FSCRYPT_POLICY_V1:
119 		return policy->v1.filenames_encryption_mode;
120 	case FSCRYPT_POLICY_V2:
121 		return policy->v2.filenames_encryption_mode;
122 	}
123 	BUG();
124 }
125 
126 /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
127 static inline u8
128 fscrypt_policy_flags(const union fscrypt_policy *policy)
129 {
130 	switch (policy->version) {
131 	case FSCRYPT_POLICY_V1:
132 		return policy->v1.flags;
133 	case FSCRYPT_POLICY_V2:
134 		return policy->v2.flags;
135 	}
136 	BUG();
137 }
138 
139 static inline bool
140 fscrypt_is_direct_key_policy(const union fscrypt_policy *policy)
141 {
142 	return fscrypt_policy_flags(policy) & FSCRYPT_POLICY_FLAG_DIRECT_KEY;
143 }
144 
145 /**
146  * For encrypted symlinks, the ciphertext length is stored at the beginning
147  * of the string in little-endian format.
148  */
149 struct fscrypt_symlink_data {
150 	__le16 len;
151 	char encrypted_path[1];
152 } __packed;
153 
154 /*
155  * fscrypt_info - the "encryption key" for an inode
156  *
157  * When an encrypted file's key is made available, an instance of this struct is
158  * allocated and stored in ->i_crypt_info.  Once created, it remains until the
159  * inode is evicted.
160  */
161 struct fscrypt_info {
162 
163 	/* The actual crypto transform used for encryption and decryption */
164 	struct crypto_skcipher *ci_ctfm;
165 
166 	/* True if the key should be freed when this fscrypt_info is freed */
167 	bool ci_owns_key;
168 
169 	/*
170 	 * Encryption mode used for this inode.  It corresponds to either the
171 	 * contents or filenames encryption mode, depending on the inode type.
172 	 */
173 	struct fscrypt_mode *ci_mode;
174 
175 	/* Back-pointer to the inode */
176 	struct inode *ci_inode;
177 
178 	/*
179 	 * The master key with which this inode was unlocked (decrypted).  This
180 	 * will be NULL if the master key was found in a process-subscribed
181 	 * keyring rather than in the filesystem-level keyring.
182 	 */
183 	struct key *ci_master_key;
184 
185 	/*
186 	 * Link in list of inodes that were unlocked with the master key.
187 	 * Only used when ->ci_master_key is set.
188 	 */
189 	struct list_head ci_master_key_link;
190 
191 	/*
192 	 * If non-NULL, then encryption is done using the master key directly
193 	 * and ci_ctfm will equal ci_direct_key->dk_ctfm.
194 	 */
195 	struct fscrypt_direct_key *ci_direct_key;
196 
197 	/* The encryption policy used by this inode */
198 	union fscrypt_policy ci_policy;
199 
200 	/* This inode's nonce, copied from the fscrypt_context */
201 	u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE];
202 };
203 
204 typedef enum {
205 	FS_DECRYPT = 0,
206 	FS_ENCRYPT,
207 } fscrypt_direction_t;
208 
209 static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
210 					   u32 filenames_mode)
211 {
212 	if (contents_mode == FSCRYPT_MODE_AES_128_CBC &&
213 	    filenames_mode == FSCRYPT_MODE_AES_128_CTS)
214 		return true;
215 
216 	if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
217 	    filenames_mode == FSCRYPT_MODE_AES_256_CTS)
218 		return true;
219 
220 	if (contents_mode == FSCRYPT_MODE_ADIANTUM &&
221 	    filenames_mode == FSCRYPT_MODE_ADIANTUM)
222 		return true;
223 
224 	return false;
225 }
226 
227 /* crypto.c */
228 extern struct kmem_cache *fscrypt_info_cachep;
229 extern int fscrypt_initialize(unsigned int cop_flags);
230 extern int fscrypt_crypt_block(const struct inode *inode,
231 			       fscrypt_direction_t rw, u64 lblk_num,
232 			       struct page *src_page, struct page *dest_page,
233 			       unsigned int len, unsigned int offs,
234 			       gfp_t gfp_flags);
235 extern struct page *fscrypt_alloc_bounce_page(gfp_t gfp_flags);
236 extern const struct dentry_operations fscrypt_d_ops;
237 
238 extern void __printf(3, 4) __cold
239 fscrypt_msg(const struct inode *inode, const char *level, const char *fmt, ...);
240 
241 #define fscrypt_warn(inode, fmt, ...)		\
242 	fscrypt_msg((inode), KERN_WARNING, fmt, ##__VA_ARGS__)
243 #define fscrypt_err(inode, fmt, ...)		\
244 	fscrypt_msg((inode), KERN_ERR, fmt, ##__VA_ARGS__)
245 
246 #define FSCRYPT_MAX_IV_SIZE	32
247 
248 union fscrypt_iv {
249 	struct {
250 		/* logical block number within the file */
251 		__le64 lblk_num;
252 
253 		/* per-file nonce; only set in DIRECT_KEY mode */
254 		u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
255 	};
256 	u8 raw[FSCRYPT_MAX_IV_SIZE];
257 };
258 
259 void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
260 			 const struct fscrypt_info *ci);
261 
262 /* fname.c */
263 extern int fname_encrypt(struct inode *inode, const struct qstr *iname,
264 			 u8 *out, unsigned int olen);
265 extern bool fscrypt_fname_encrypted_size(const struct inode *inode,
266 					 u32 orig_len, u32 max_len,
267 					 u32 *encrypted_len_ret);
268 
269 /* hkdf.c */
270 
271 struct fscrypt_hkdf {
272 	struct crypto_shash *hmac_tfm;
273 };
274 
275 extern int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key,
276 			     unsigned int master_key_size);
277 
278 /*
279  * The list of contexts in which fscrypt uses HKDF.  These values are used as
280  * the first byte of the HKDF application-specific info string to guarantee that
281  * info strings are never repeated between contexts.  This ensures that all HKDF
282  * outputs are unique and cryptographically isolated, i.e. knowledge of one
283  * output doesn't reveal another.
284  */
285 #define HKDF_CONTEXT_KEY_IDENTIFIER	1
286 #define HKDF_CONTEXT_PER_FILE_KEY	2
287 #define HKDF_CONTEXT_DIRECT_KEY		3
288 #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY	4
289 
290 extern int fscrypt_hkdf_expand(struct fscrypt_hkdf *hkdf, u8 context,
291 			       const u8 *info, unsigned int infolen,
292 			       u8 *okm, unsigned int okmlen);
293 
294 extern void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf);
295 
296 /* keyring.c */
297 
298 /*
299  * fscrypt_master_key_secret - secret key material of an in-use master key
300  */
301 struct fscrypt_master_key_secret {
302 
303 	/*
304 	 * For v2 policy keys: HKDF context keyed by this master key.
305 	 * For v1 policy keys: not set (hkdf.hmac_tfm == NULL).
306 	 */
307 	struct fscrypt_hkdf	hkdf;
308 
309 	/* Size of the raw key in bytes.  Set even if ->raw isn't set. */
310 	u32			size;
311 
312 	/* For v1 policy keys: the raw key.  Wiped for v2 policy keys. */
313 	u8			raw[FSCRYPT_MAX_KEY_SIZE];
314 
315 } __randomize_layout;
316 
317 /*
318  * fscrypt_master_key - an in-use master key
319  *
320  * This represents a master encryption key which has been added to the
321  * filesystem and can be used to "unlock" the encrypted files which were
322  * encrypted with it.
323  */
324 struct fscrypt_master_key {
325 
326 	/*
327 	 * The secret key material.  After FS_IOC_REMOVE_ENCRYPTION_KEY is
328 	 * executed, this is wiped and no new inodes can be unlocked with this
329 	 * key; however, there may still be inodes in ->mk_decrypted_inodes
330 	 * which could not be evicted.  As long as some inodes still remain,
331 	 * FS_IOC_REMOVE_ENCRYPTION_KEY can be retried, or
332 	 * FS_IOC_ADD_ENCRYPTION_KEY can add the secret again.
333 	 *
334 	 * Locking: protected by key->sem (outer) and mk_secret_sem (inner).
335 	 * The reason for two locks is that key->sem also protects modifying
336 	 * mk_users, which ranks it above the semaphore for the keyring key
337 	 * type, which is in turn above page faults (via keyring_read).  But
338 	 * sometimes filesystems call fscrypt_get_encryption_info() from within
339 	 * a transaction, which ranks it below page faults.  So we need a
340 	 * separate lock which protects mk_secret but not also mk_users.
341 	 */
342 	struct fscrypt_master_key_secret	mk_secret;
343 	struct rw_semaphore			mk_secret_sem;
344 
345 	/*
346 	 * For v1 policy keys: an arbitrary key descriptor which was assigned by
347 	 * userspace (->descriptor).
348 	 *
349 	 * For v2 policy keys: a cryptographic hash of this key (->identifier).
350 	 */
351 	struct fscrypt_key_specifier		mk_spec;
352 
353 	/*
354 	 * Keyring which contains a key of type 'key_type_fscrypt_user' for each
355 	 * user who has added this key.  Normally each key will be added by just
356 	 * one user, but it's possible that multiple users share a key, and in
357 	 * that case we need to keep track of those users so that one user can't
358 	 * remove the key before the others want it removed too.
359 	 *
360 	 * This is NULL for v1 policy keys; those can only be added by root.
361 	 *
362 	 * Locking: in addition to this keyrings own semaphore, this is
363 	 * protected by the master key's key->sem, so we can do atomic
364 	 * search+insert.  It can also be searched without taking any locks, but
365 	 * in that case the returned key may have already been removed.
366 	 */
367 	struct key		*mk_users;
368 
369 	/*
370 	 * Length of ->mk_decrypted_inodes, plus one if mk_secret is present.
371 	 * Once this goes to 0, the master key is removed from ->s_master_keys.
372 	 * The 'struct fscrypt_master_key' will continue to live as long as the
373 	 * 'struct key' whose payload it is, but we won't let this reference
374 	 * count rise again.
375 	 */
376 	refcount_t		mk_refcount;
377 
378 	/*
379 	 * List of inodes that were unlocked using this key.  This allows the
380 	 * inodes to be evicted efficiently if the key is removed.
381 	 */
382 	struct list_head	mk_decrypted_inodes;
383 	spinlock_t		mk_decrypted_inodes_lock;
384 
385 	/* Crypto API transforms for DIRECT_KEY policies, allocated on-demand */
386 	struct crypto_skcipher	*mk_direct_tfms[__FSCRYPT_MODE_MAX + 1];
387 
388 	/*
389 	 * Crypto API transforms for filesystem-layer implementation of
390 	 * IV_INO_LBLK_64 policies, allocated on-demand.
391 	 */
392 	struct crypto_skcipher	*mk_iv_ino_lblk_64_tfms[__FSCRYPT_MODE_MAX + 1];
393 
394 } __randomize_layout;
395 
396 static inline bool
397 is_master_key_secret_present(const struct fscrypt_master_key_secret *secret)
398 {
399 	/*
400 	 * The READ_ONCE() is only necessary for fscrypt_drop_inode() and
401 	 * fscrypt_key_describe().  These run in atomic context, so they can't
402 	 * take ->mk_secret_sem and thus 'secret' can change concurrently which
403 	 * would be a data race.  But they only need to know whether the secret
404 	 * *was* present at the time of check, so READ_ONCE() suffices.
405 	 */
406 	return READ_ONCE(secret->size) != 0;
407 }
408 
409 static inline const char *master_key_spec_type(
410 				const struct fscrypt_key_specifier *spec)
411 {
412 	switch (spec->type) {
413 	case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
414 		return "descriptor";
415 	case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
416 		return "identifier";
417 	}
418 	return "[unknown]";
419 }
420 
421 static inline int master_key_spec_len(const struct fscrypt_key_specifier *spec)
422 {
423 	switch (spec->type) {
424 	case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
425 		return FSCRYPT_KEY_DESCRIPTOR_SIZE;
426 	case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
427 		return FSCRYPT_KEY_IDENTIFIER_SIZE;
428 	}
429 	return 0;
430 }
431 
432 extern struct key *
433 fscrypt_find_master_key(struct super_block *sb,
434 			const struct fscrypt_key_specifier *mk_spec);
435 
436 extern int fscrypt_verify_key_added(struct super_block *sb,
437 				    const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]);
438 
439 extern int __init fscrypt_init_keyring(void);
440 
441 /* keysetup.c */
442 
443 struct fscrypt_mode {
444 	const char *friendly_name;
445 	const char *cipher_str;
446 	int keysize;
447 	int ivsize;
448 	int logged_impl_name;
449 };
450 
451 static inline bool
452 fscrypt_mode_supports_direct_key(const struct fscrypt_mode *mode)
453 {
454 	return mode->ivsize >= offsetofend(union fscrypt_iv, nonce);
455 }
456 
457 extern struct crypto_skcipher *
458 fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key,
459 			  const struct inode *inode);
460 
461 extern int fscrypt_set_derived_key(struct fscrypt_info *ci,
462 				   const u8 *derived_key);
463 
464 /* keysetup_v1.c */
465 
466 extern void fscrypt_put_direct_key(struct fscrypt_direct_key *dk);
467 
468 extern int fscrypt_setup_v1_file_key(struct fscrypt_info *ci,
469 				     const u8 *raw_master_key);
470 
471 extern int fscrypt_setup_v1_file_key_via_subscribed_keyrings(
472 					struct fscrypt_info *ci);
473 /* policy.c */
474 
475 extern bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
476 				   const union fscrypt_policy *policy2);
477 extern bool fscrypt_supported_policy(const union fscrypt_policy *policy_u,
478 				     const struct inode *inode);
479 extern int fscrypt_policy_from_context(union fscrypt_policy *policy_u,
480 				       const union fscrypt_context *ctx_u,
481 				       int ctx_size);
482 
483 #endif /* _FSCRYPT_PRIVATE_H */
484