| blob | 9aae851409e55ffecedb9d9b2a7ac656acd25439 |
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * fscrypt_private.h
4 *
5 * Copyright (C) 2015, Google, Inc.
6 *
7 * Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
8 * Heavily modified since then.
9 */
11 #ifndef _FSCRYPT_PRIVATE_H
12 #define _FSCRYPT_PRIVATE_H
14 #include <linux/fscrypt.h>
15 #include <linux/siphash.h>
16 #include <crypto/hash.h>
18 #define CONST_STRLEN(str) (sizeof(str) - 1)
20 #define FS_KEY_DERIVATION_NONCE_SIZE 16
22 #define FSCRYPT_MIN_KEY_SIZE 16
24 #define FSCRYPT_CONTEXT_V1 1
25 #define FSCRYPT_CONTEXT_V2 2
29 u8 contents_encryption_mode;
30 u8 filenames_encryption_mode;
31 u8 flags;
34 };
38 u8 contents_encryption_mode;
39 u8 filenames_encryption_mode;
40 u8 flags;
44 };
46 /**
47 * fscrypt_context - the encryption context of an inode
48 *
49 * This is the on-disk equivalent of an fscrypt_policy, stored alongside each
50 * encrypted file usually in a hidden extended attribute. It contains the
51 * fields from the fscrypt_policy, in order to identify the encryption algorithm
52 * and key with which the file is encrypted. It also contains a nonce that was
53 * randomly generated by fscrypt itself; this is used as KDF input or as a tweak
54 * to cause different files to be encrypted differently.
55 */
57 u8 version;
60 };
62 /*
63 * Return the size expected for the given fscrypt_context based on its version
64 * number, or 0 if the context version is unrecognized.
65 */
67 {
75 }
77 }
79 #undef fscrypt_policy
81 u8 version;
84 };
86 /*
87 * Return the size expected for the given fscrypt_policy based on its version
88 * number, or 0 if the policy version is unrecognized.
89 */
91 {
97 }
99 }
101 /* Return the contents encryption mode of a valid encryption policy */
104 {
110 }
112 }
114 /* Return the filenames encryption mode of a valid encryption policy */
117 {
123 }
125 }
127 /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
130 {
136 }
138 }
140 /**
141 * For encrypted symlinks, the ciphertext length is stored at the beginning
142 * of the string in little-endian format.
143 */
145 __le16 len;
149 /*
150 * fscrypt_info - the "encryption key" for an inode
151 *
152 * When an encrypted file's key is made available, an instance of this struct is
153 * allocated and stored in ->i_crypt_info. Once created, it remains until the
154 * inode is evicted.
155 */
158 /* The actual crypto transform used for encryption and decryption */
161 /* True if the key should be freed when this fscrypt_info is freed */
164 /*
165 * Encryption mode used for this inode. It corresponds to either the
166 * contents or filenames encryption mode, depending on the inode type.
167 */
170 /* Back-pointer to the inode */
173 /*
174 * The master key with which this inode was unlocked (decrypted). This
175 * will be NULL if the master key was found in a process-subscribed
176 * keyring rather than in the filesystem-level keyring.
177 */
180 /*
181 * Link in list of inodes that were unlocked with the master key.
182 * Only used when ->ci_master_key is set.
183 */
186 /*
187 * If non-NULL, then encryption is done using the master key directly
188 * and ci_ctfm will equal ci_direct_key->dk_ctfm.
189 */
192 /*
193 * This inode's hash key for filenames. This is a 128-bit SipHash-2-4
194 * key. This is only set for directories that use a keyed dirhash over
195 * the plaintext filenames -- currently just casefolded directories.
196 */
197 siphash_key_t ci_dirhash_key;
200 /* The encryption policy used by this inode */
203 /* This inode's nonce, copied from the fscrypt_context */
205 };
209 FS_ENCRYPT,
212 /* crypto.c */
219 gfp_t gfp_flags);
225 #define fscrypt_warn(inode, fmt, ...) \
226 fscrypt_msg((inode), KERN_WARNING, fmt, ##__VA_ARGS__)
227 #define fscrypt_err(inode, fmt, ...) \
228 fscrypt_msg((inode), KERN_ERR, fmt, ##__VA_ARGS__)
230 #define FSCRYPT_MAX_IV_SIZE 32
234 /* logical block number within the file */
235 __le64 lblk_num;
237 /* per-file nonce; only set in DIRECT_KEY mode */
239 };
241 };
246 /* fname.c */
255 /* hkdf.c */
259 };
264 /*
265 * The list of contexts in which fscrypt uses HKDF. These values are used as
266 * the first byte of the HKDF application-specific info string to guarantee that
267 * info strings are never repeated between contexts. This ensures that all HKDF
268 * outputs are unique and cryptographically isolated, i.e. knowledge of one
269 * output doesn't reveal another.
270 */
271 #define HKDF_CONTEXT_KEY_IDENTIFIER 1
272 #define HKDF_CONTEXT_PER_FILE_ENC_KEY 2
273 #define HKDF_CONTEXT_DIRECT_KEY 3
274 #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY 4
275 #define HKDF_CONTEXT_DIRHASH_KEY 5
283 /* keyring.c */
285 /*
286 * fscrypt_master_key_secret - secret key material of an in-use master key
287 */
290 /*
291 * For v2 policy keys: HKDF context keyed by this master key.
292 * For v1 policy keys: not set (hkdf.hmac_tfm == NULL).
293 */
296 /* Size of the raw key in bytes. Set even if ->raw isn't set. */
297 u32 size;
299 /* For v1 policy keys: the raw key. Wiped for v2 policy keys. */
304 /*
305 * fscrypt_master_key - an in-use master key
306 *
307 * This represents a master encryption key which has been added to the
308 * filesystem and can be used to "unlock" the encrypted files which were
309 * encrypted with it.
310 */
313 /*
314 * The secret key material. After FS_IOC_REMOVE_ENCRYPTION_KEY is
315 * executed, this is wiped and no new inodes can be unlocked with this
316 * key; however, there may still be inodes in ->mk_decrypted_inodes
317 * which could not be evicted. As long as some inodes still remain,
318 * FS_IOC_REMOVE_ENCRYPTION_KEY can be retried, or
319 * FS_IOC_ADD_ENCRYPTION_KEY can add the secret again.
320 *
321 * Locking: protected by key->sem (outer) and mk_secret_sem (inner).
322 * The reason for two locks is that key->sem also protects modifying
323 * mk_users, which ranks it above the semaphore for the keyring key
324 * type, which is in turn above page faults (via keyring_read). But
325 * sometimes filesystems call fscrypt_get_encryption_info() from within
326 * a transaction, which ranks it below page faults. So we need a
327 * separate lock which protects mk_secret but not also mk_users.
328 */
332 /*
333 * For v1 policy keys: an arbitrary key descriptor which was assigned by
334 * userspace (->descriptor).
335 *
336 * For v2 policy keys: a cryptographic hash of this key (->identifier).
337 */
340 /*
341 * Keyring which contains a key of type 'key_type_fscrypt_user' for each
342 * user who has added this key. Normally each key will be added by just
343 * one user, but it's possible that multiple users share a key, and in
344 * that case we need to keep track of those users so that one user can't
345 * remove the key before the others want it removed too.
346 *
347 * This is NULL for v1 policy keys; those can only be added by root.
348 *
349 * Locking: in addition to this keyrings own semaphore, this is
350 * protected by the master key's key->sem, so we can do atomic
351 * search+insert. It can also be searched without taking any locks, but
352 * in that case the returned key may have already been removed.
353 */
356 /*
357 * Length of ->mk_decrypted_inodes, plus one if mk_secret is present.
358 * Once this goes to 0, the master key is removed from ->s_master_keys.
359 * The 'struct fscrypt_master_key' will continue to live as long as the
360 * 'struct key' whose payload it is, but we won't let this reference
361 * count rise again.
362 */
363 refcount_t mk_refcount;
365 /*
366 * List of inodes that were unlocked using this key. This allows the
367 * inodes to be evicted efficiently if the key is removed.
368 */
370 spinlock_t mk_decrypted_inodes_lock;
372 /* Crypto API transforms for DIRECT_KEY policies, allocated on-demand */
375 /*
376 * Crypto API transforms for filesystem-layer implementation of
377 * IV_INO_LBLK_64 policies, allocated on-demand.
378 */
385 {
386 /*
387 * The READ_ONCE() is only necessary for fscrypt_drop_inode() and
388 * fscrypt_key_describe(). These run in atomic context, so they can't
389 * take ->mk_secret_sem and thus 'secret' can change concurrently which
390 * would be a data race. But they only need to know whether the secret
391 * *was* present at the time of check, so READ_ONCE() suffices.
392 */
394 }
398 {
404 }
406 }
409 {
415 }
417 }
428 /* keysetup.c */
436 };
450 /* keysetup_v1.c */
459 /* policy.c */