| blob | 787e9c8938ba333ef63f9c498172b278df8d7ceb |
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Filesystem-level keyring for fscrypt
4 *
5 * Copyright 2019 Google LLC
6 */
8 /*
9 * This file implements management of fscrypt master keys in the
10 * filesystem-level keyring, including the ioctls:
11 *
12 * - FS_IOC_ADD_ENCRYPTION_KEY
13 * - FS_IOC_REMOVE_ENCRYPTION_KEY
14 * - FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS
15 * - FS_IOC_GET_ENCRYPTION_KEY_STATUS
16 *
17 * See the "User API" section of Documentation/filesystems/fscrypt.rst for more
18 * information about these ioctls.
19 */
21 #include <linux/unaligned.h>
22 #include <crypto/skcipher.h>
23 #include <linux/key-type.h>
24 #include <linux/random.h>
25 #include <linux/once.h>
26 #include <linux/seq_file.h>
30 /* The master encryption keys for a filesystem (->s_master_keys) */
32 /*
33 * Lock that protects ->key_hashtable. It does *not* protect the
34 * fscrypt_master_key structs themselves.
35 */
36 spinlock_t lock;
38 /* Hash table that maps fscrypt_key_specifier to fscrypt_master_key */
40 };
43 {
46 }
50 {
53 }
56 {
59 /*
60 * The master key secret and any embedded subkeys should have already
61 * been wiped when the last active reference to the fscrypt_master_key
62 * struct was dropped; doing it here would be unnecessarily late.
63 * Nevertheless, use kfree_sensitive() in case anything was missed.
64 */
66 }
69 {
72 /*
73 * No structural references left, so free ->mk_users, and also free the
74 * fscrypt_master_key struct itself after an RCU grace period ensures
75 * that concurrent keyring lookups can no longer find it.
76 */
79 /* Clear the keyring so the quota gets released right away. */
83 }
85 }
89 {
94 /*
95 * No active references left, so complete the full removal of this
96 * fscrypt_master_key struct by removing it from the keyring and
97 * destroying any subkeys embedded in it.
98 */
106 /*
107 * ->mk_active_refs == 0 implies that ->mk_present is false and
108 * ->mk_decrypted_inodes is empty.
109 */
120 }
125 /* Drop the structural ref associated with the active refs. */
127 }
129 /*
130 * This transitions the key state from present to incompletely removed, and then
131 * potentially to absent (depending on whether inodes remain).
132 */
135 {
139 }
142 {
146 }
150 {
151 /*
152 * We just charge FSCRYPT_MAX_KEY_SIZE bytes to the user's key quota for
153 * each key, regardless of the exact key size. The amount of memory
154 * actually used is greater than the size of the raw key anyway.
155 */
157 }
160 {
162 }
164 /*
165 * Type of key in ->mk_users. Each key of this type represents a particular
166 * user who has added a particular master key.
167 *
168 * Note that the name of this key type really should be something like
169 * ".fscrypt-user" instead of simply ".fscrypt". But the shorter name is chosen
170 * mainly for simplicity of presentation in /proc/keys when read by a non-root
171 * user. And it is expected to be rare that a key is actually added by multiple
172 * users, since users should keep their encryption keys confidential.
173 */
178 };
180 #define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \
184 #define FSCRYPT_MK_USER_DESCRIPTION_SIZE \
190 {
193 }
198 {
202 }
204 /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */
206 {
216 /*
217 * Pairs with the smp_load_acquire() in fscrypt_find_master_key().
218 * I.e., here we publish ->s_master_keys with a RELEASE barrier so that
219 * concurrent tasks can ACQUIRE it.
220 */
223 }
225 /*
226 * Release all encryption keys that have been added to the filesystem, along
227 * with the keyring that contains them.
228 *
229 * This is called at unmount time, after all potentially-encrypted inodes have
230 * been evicted. The filesystem's underlying block device(s) are still
231 * available at this time; this is important because after user file accesses
232 * have been allowed, this function may need to evict keys from the keyslots of
233 * an inline crypto engine, which requires the block device(s).
234 */
236 {
249 /*
250 * Since all potentially-encrypted inodes were already
251 * evicted, every key remaining in the keyring should
252 * have an empty inode list, and should only still be in
253 * the keyring due to the single active ref associated
254 * with ->mk_present. There should be no structural
255 * refs beyond the one associated with the active ref.
256 */
261 }
262 }
265 }
270 {
271 /*
272 * Since key specifiers should be "random" values, it is sufficient to
273 * use a trivial hash function that just takes the first several bits of
274 * the key specifier.
275 */
279 }
281 /*
282 * Find the specified master key struct in ->s_master_keys and take a structural
283 * ref to it. The structural ref guarantees that the key struct continues to
284 * exist, but it does *not* guarantee that ->s_master_keys continues to contain
285 * the key struct. The structural ref needs to be dropped by
286 * fscrypt_put_master_key(). Returns NULL if the key struct is not found.
287 */
291 {
296 /*
297 * Pairs with the smp_store_release() in allocate_filesystem_keyring().
298 * I.e., another task can publish ->s_master_keys concurrently,
299 * executing a RELEASE barrier. We need to use smp_load_acquire() here
300 * to safely ACQUIRE the memory the other task published.
301 */
312 FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
318 }
323 FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER &&
329 }
331 }
333 out:
336 }
339 {
354 }
356 /*
357 * Find the current user's "key" in the master key's ->mk_users.
358 * Returns ERR_PTR(-ENOKEY) if not found.
359 */
361 {
363 key_ref_t keyref;
367 /*
368 * We need to mark the keyring reference as "possessed" so that we
369 * acquire permission to search it, via the KEY_POS_SEARCH permission.
370 */
378 }
380 }
382 /*
383 * Give the current user a "key" in ->mk_users. This charges the user's quota
384 * and marks the master key as added by the current user, so that it cannot be
385 * removed by another user with the key. Either ->mk_sem must be held for
386 * write, or the master key must be still undergoing initialization.
387 */
389 {
404 }
406 /*
407 * Remove the current user's "key" from ->mk_users.
408 * ->mk_sem must be held for write.
409 *
410 * Returns 0 if removed, -ENOKEY if not found, or another -errno code.
411 */
413 {
423 }
425 /*
426 * Allocate a new fscrypt_master_key, transfer the given secret over to it, and
427 * insert it into sb->s_master_keys.
428 */
432 {
455 }
467 out_put:
470 }
472 #define KEY_DEAD 1
476 {
479 /*
480 * If the current user is already in ->mk_users, then there's nothing to
481 * do. Otherwise, we need to add the user to ->mk_users. (Neither is
482 * applicable for v1 policy keys, which have NULL ->mk_users.)
483 */
492 }
496 }
498 /* If the key is incompletely removed, make it present again. */
501 /*
502 * Raced with the last active ref being dropped, so the
503 * key has become, or is about to become, "absent".
504 * Therefore, we need to allocate a new key struct.
505 */
507 }
510 }
513 }
518 {
527 /* Didn't find the key in ->s_master_keys. Add it. */
532 /*
533 * Found the key in ->s_master_keys. Add the user to ->mk_users
534 * if needed, and make the key "present" again if possible.
535 */
540 /*
541 * We found a key struct, but it's already been fully
542 * removed. Ignore the old struct and add a new one.
543 * fscrypt_add_key_mutex means we don't need to worry
544 * about concurrent adds.
545 */
547 }
549 }
552 }
557 {
566 /*
567 * Now that the HKDF context is initialized, the raw key is no
568 * longer needed.
569 */
572 /* Calculate the key identifier */
576 FSCRYPT_KEY_IDENTIFIER_SIZE);
579 }
581 }
584 {
604 }
608 {
610 }
614 {
621 }
622 }
625 {
627 }
636 };
638 /*
639 * Retrieve the raw key from the Linux keyring key specified by 'key_id', and
640 * store it into 'secret'.
641 *
642 * The key must be of type "fscrypt-provisioning" and must have the field
643 * fscrypt_provisioning_key_payload::type set to 'type', indicating that it's
644 * only usable with fscrypt with the particular KDF version identified by
645 * 'type'. We don't use the "logon" key type because there's no way to
646 * completely restrict the use of such keys; they can be used by any kernel API
647 * that accepts "logon" keys and doesn't require a specific service prefix.
648 *
649 * The ability to specify the key via Linux keyring key is intended for cases
650 * where userspace needs to re-add keys after the filesystem is unmounted and
651 * re-mounted. Most users should just provide the raw key directly instead.
652 */
655 {
656 key_ref_t ref;
670 /* Don't allow fscrypt v1 keys to be used as v2 keys and vice versa. */
679 bad_key:
681 out_put:
684 }
686 /*
687 * Add a master encryption key to the filesystem, causing all files which were
688 * encrypted with it to appear "unlocked" (decrypted) when accessed.
689 *
690 * When adding a key for use by v1 encryption policies, this ioctl is
691 * privileged, and userspace must provide the 'key_descriptor'.
692 *
693 * When adding a key for use by v2+ encryption policies, this ioctl is
694 * unprivileged. This is needed, in general, to allow non-root users to use
695 * encryption without encountering the visibility problems of process-subscribed
696 * keyrings and the inability to properly remove keys. This works by having
697 * each key identified by its cryptographically secure hash --- the
698 * 'key_identifier'. The cryptographic hash ensures that a malicious user
699 * cannot add the wrong key for a given identifier. Furthermore, each added key
700 * is charged to the appropriate user's quota for the keyrings service, which
701 * prevents a malicious user from adding too many keys. Finally, we forbid a
702 * user from removing a key while other users have added it too, which prevents
703 * a user who knows another user's key from causing a denial-of-service by
704 * removing it at an inopportune time. (We tolerate that a user who knows a key
705 * can prevent other users from removing it.)
706 *
707 * For more details, see the "FS_IOC_ADD_ENCRYPTION_KEY" section of
708 * Documentation/filesystems/fscrypt.rst.
709 */
711 {
727 /*
728 * Only root can add keys that are identified by an arbitrary descriptor
729 * rather than by a cryptographic hash --- since otherwise a malicious
730 * user could add the wrong key.
731 */
751 }
757 /* Return the key identifier to userspace, if applicable */
761 FSCRYPT_KEY_IDENTIFIER_SIZE))
764 out_wipe_secret:
767 }
770 static void
772 {
780 }
784 {
795 FSCRYPT_KEY_IDENTIFIER_SIZE);
796 out:
799 }
801 /**
802 * fscrypt_add_test_dummy_key() - add the test dummy encryption key
803 * @sb: the filesystem instance to add the key to
804 * @key_spec: the key specifier of the test dummy encryption key
805 *
806 * Add the key for the test_dummy_encryption mount option to the filesystem. To
807 * prevent misuse of this mount option, a per-boot random key is used instead of
808 * a hardcoded one. This makes it so that any encrypted files created using
809 * this option won't be accessible after a reboot.
810 *
811 * Return: 0 on success, -errno on failure
812 */
815 {
823 }
825 /*
826 * Verify that the current user has added a master key with the given identifier
827 * (returns -ENOKEY if not). This is needed to prevent a user from encrypting
828 * their files using some other user's key which they don't actually know.
829 * Cryptographically this isn't much of a problem, but the semantics of this
830 * would be a bit weird, so it's best to just forbid it.
831 *
832 * The system administrator (CAP_FOWNER) can override this, which should be
833 * enough for any use cases where encryption policies are being set using keys
834 * that were chosen ahead of time but aren't available at the moment.
835 *
836 * Note that the key may have already removed by the time this returns, but
837 * that's okay; we just care whether the key was there at some point.
838 *
839 * Return: 0 if the key is added, -ENOKEY if it isn't, or another -errno code
840 */
843 {
856 }
864 }
867 out:
871 }
873 /*
874 * Try to evict the inode's dentries from the dentry cache. If the inode is a
875 * directory, then it can have at most one dentry; however, that dentry may be
876 * pinned by child dentries, so first try to evict the children too.
877 */
879 {
887 }
888 }
890 }
893 {
906 }
916 }
920 }
924 {
933 busy_count++;
938 }
940 {
941 /* select an example file to show for debugging purposes */
947 }
950 /* If the inode is currently being created, ino may still be 0. */
958 ino_str);
960 }
964 {
968 /*
969 * An inode can't be evicted while it is dirty or has dirty pages.
970 * Thus, we first have to clean the inodes in ->mk_decrypted_inodes.
971 *
972 * Just do it the easy way: call sync_filesystem(). It's overkill, but
973 * it works, and it's more important to minimize the amount of caches we
974 * drop than the amount of data we sync. Also, unprivileged users can
975 * already call sync_filesystem() via sys_syncfs() or sys_sync().
976 */
980 /* If a sync error occurs, still try to evict as much as possible. */
982 /*
983 * Inodes are pinned by their dentries, so we have to evict their
984 * dentries. shrink_dcache_sb() would suffice, but would be overkill
985 * and inappropriate for use by unprivileged users. So instead go
986 * through the inodes' alias lists and try to evict each dentry.
987 */
990 /*
991 * evict_dentries_for_decrypted_inodes() already iput() each inode in
992 * the list; any inodes for which that dropped the last reference will
993 * have been evicted due to fscrypt_drop_inode() detecting the key
994 * removal and telling the VFS to evict the inode. So to finish, we
995 * just need to check whether any inodes couldn't be evicted.
996 */
1000 }
1002 /*
1003 * Try to remove an fscrypt master encryption key.
1004 *
1005 * FS_IOC_REMOVE_ENCRYPTION_KEY (all_users=false) removes the current user's
1006 * claim to the key, then removes the key itself if no other users have claims.
1007 * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS (all_users=true) always removes the
1008 * key itself.
1009 *
1010 * To "remove the key itself", first we transition the key to the "incompletely
1011 * removed" state, so that no more inodes can be unlocked with it. Then we try
1012 * to evict all cached inodes that had been unlocked with the key.
1013 *
1014 * If all inodes were evicted, then we unlink the fscrypt_master_key from the
1015 * keyring. Otherwise it remains in the keyring in the "incompletely removed"
1016 * state where it tracks the list of remaining inodes. Userspace can execute
1017 * the ioctl again later to retry eviction, or alternatively can re-add the key.
1018 *
1019 * For more details, see the "Removing keys" section of
1020 * Documentation/filesystems/fscrypt.rst.
1021 */
1023 {
1041 /*
1042 * Only root can add and remove keys that are identified by an arbitrary
1043 * descriptor rather than by a cryptographic hash.
1044 */
1049 /* Find the key being removed. */
1055 /* If relevant, remove current user's (or all users) claim to the key */
1059 else
1064 }
1066 /*
1067 * Other users have still added the key too. We removed
1068 * the current user's claim to the key, but we still
1069 * can't remove the key itself.
1070 */
1071 status_flags |=
1072 FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS;
1076 }
1077 }
1079 /* No user claims remaining. Initiate removal of the key. */
1084 }
1089 /* Some inodes still reference this key; try to evict them. */
1092 status_flags |=
1093 FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY;
1095 }
1096 }
1097 /*
1098 * We return 0 if we successfully did something: removed a claim to the
1099 * key, initiated removal of the key, or tried locking the files again.
1100 * Users need to check the informational status flags if they care
1101 * whether the key has been fully removed including all files locked.
1102 */
1103 out_put_key:
1108 }
1111 {
1113 }
1117 {
1121 }
1124 /*
1125 * Retrieve the status of an fscrypt master encryption key.
1126 *
1127 * We set ->status to indicate whether the key is absent, present, or
1128 * incompletely removed. (For an explanation of what these statuses mean and
1129 * how they are represented internally, see struct fscrypt_master_key.) This
1130 * field allows applications to easily determine the status of an encrypted
1131 * directory without using a hack such as trying to open a regular file in it
1132 * (which can confuse the "incompletely removed" status with absent or present).
1133 *
1134 * In addition, for v2 policy keys we allow applications to determine, via
1135 * ->status_flags and ->user_count, whether the key has been added by the
1136 * current user, by other users, or by both. Most applications should not need
1137 * this, since ordinarily only one user should know a given key. However, if a
1138 * secret key is shared by multiple users, applications may wish to add an
1139 * already-present key to prevent other users from removing it. This ioctl can
1140 * be used to check whether that really is the case before the work is done to
1141 * add the key --- which might e.g. require prompting the user for a passphrase.
1142 *
1143 * For more details, see the "FS_IOC_GET_ENCRYPTION_KEY_STATUS" section of
1144 * Documentation/filesystems/fscrypt.rst.
1145 */
1147 {
1171 }
1176 FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED :
1180 }
1190 FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF;
1195 }
1196 }
1198 out_release_key:
1201 out:
1205 }
1209 {
1222 err_unregister_fscrypt_user:
1225 }