Merge tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt

Pull fscrypt updates from Ted Ts'o:
 "Add bunch of cleanups, and add support for the Speck128/256
  algorithms.

  Yes, Speck is contrversial, but the intention is to use them only for
  the lowest end Android devices, where the alternative *really* is no
  encryption at all for data stored at rest"

* tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt:
  fscrypt: log the crypto algorithm implementations
  fscrypt: add Speck128/256 support
  fscrypt: only derive the needed portion of the key
  fscrypt: separate key lookup from key derivation
  fscrypt: use a common logging function
  fscrypt: remove internal key size constants
  fscrypt: remove unnecessary check for non-logon key type
  fscrypt: make fscrypt_operations.max_namelen an integer
  fscrypt: drop empty name check from fname_decrypt()
  fscrypt: drop max_namelen check from fname_decrypt()
  fscrypt: don't special-case EOPNOTSUPP from fscrypt_get_encryption_info()
  fscrypt: don't clear flags on crypto transform
  fscrypt: remove stale comment from fscrypt_d_revalidate()
  fscrypt: remove error messages for skcipher_request_alloc() failure
  fscrypt: remove unnecessary NULL check when allocating skcipher
  fscrypt: clean up after fscrypt_prepare_lookup() conversions
  fs, fscrypt: only define ->s_cop when FS_ENCRYPTION is enabled
  fscrypt: use unbound workqueue for decryption

13 files changed, 248 insertions, 213 deletions

diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
index cfbc18f0d9c9..48b424de85bb 100644
--- a/Documentation/filesystems/fscrypt.rst
+++ b/Documentation/filesystems/fscrypt.rst
@@ -191,11 +191,21 @@ Currently, the following pairs of encryption modes are supported:
 
 - AES-256-XTS for contents and AES-256-CTS-CBC for filenames
 - AES-128-CBC for contents and AES-128-CTS-CBC for filenames
+- Speck128/256-XTS for contents and Speck128/256-CTS-CBC for filenames
 
 It is strongly recommended to use AES-256-XTS for contents encryption.
 AES-128-CBC was added only for low-powered embedded devices with
 crypto accelerators such as CAAM or CESA that do not support XTS.
 
+Similarly, Speck128/256 support was only added for older or low-end
+CPUs which cannot do AES fast enough -- especially ARM CPUs which have
+NEON instructions but not the Cryptography Extensions -- and for which
+it would not otherwise be feasible to use encryption at all.  It is
+not recommended to use Speck on CPUs that have AES instructions.
+Speck support is only available if it has been enabled in the crypto
+API via CONFIG_CRYPTO_SPECK.  Also, on ARM platforms, to get
+acceptable performance CONFIG_CRYPTO_SPECK_NEON must be enabled.
+
 New encryption modes can be added relatively easily, without changes
 to individual filesystems.  However, authenticated encryption (AE)
 modes are not currently supported because of the difficulty of dealing
diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index ce654526c0fb..243a269e6c5f 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -156,12 +156,8 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
         }
 
         req = skcipher_request_alloc(tfm, gfp_flags);
-        if (!req) {
-                printk_ratelimited(KERN_ERR
-                                "%s: crypto_request_alloc() failed\n",
-                                __func__);
+        if (!req)
                 return -ENOMEM;
-        }
 
         skcipher_request_set_callback(
                 req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
@@ -178,9 +174,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
                 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
         skcipher_request_free(req);
         if (res) {
-                printk_ratelimited(KERN_ERR
-                        "%s: crypto_skcipher_encrypt() returned %d\n",
-                        __func__, res);
+                fscrypt_err(inode->i_sb,
+                            "%scryption failed for inode %lu, block %llu: %d",
+                            (rw == FS_DECRYPT ? "de" : "en"),
+                            inode->i_ino, lblk_num, res);
                 return res;
         }
         return 0;
@@ -326,7 +323,6 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
                 return 0;
         }
 
-        /* this should eventually be an flag in d_flags */
         spin_lock(&dentry->d_lock);
         cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
         spin_unlock(&dentry->d_lock);
@@ -353,7 +349,6 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
 const struct dentry_operations fscrypt_d_ops = {
         .d_revalidate = fscrypt_d_revalidate,
 };
-EXPORT_SYMBOL(fscrypt_d_ops);
 
 void fscrypt_restore_control_page(struct page *page)
 {
@@ -422,13 +417,43 @@ fail:
         return res;
 }
 
+void fscrypt_msg(struct super_block *sb, const char *level,
+                 const char *fmt, ...)
+{
+        static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
+                                      DEFAULT_RATELIMIT_BURST);
+        struct va_format vaf;
+        va_list args;
+
+        if (!__ratelimit(&rs))
+                return;
+
+        va_start(args, fmt);
+        vaf.fmt = fmt;
+        vaf.va = &args;
+        if (sb)
+                printk("%sfscrypt (%s): %pV\n", level, sb->s_id, &vaf);
+        else
+                printk("%sfscrypt: %pV\n", level, &vaf);
+        va_end(args);
+}
+
 /**
  * fscrypt_init() - Set up for fs encryption.
  */
 static int __init fscrypt_init(void)
 {
+        /*
+         * Use an unbound workqueue to allow bios to be decrypted in parallel
+         * even when they happen to complete on the same CPU.  This sacrifices
+         * locality, but it's worthwhile since decryption is CPU-intensive.
+         *
+         * Also use a high-priority workqueue to prioritize decryption work,
+         * which blocks reads from completing, over regular application tasks.
+         */
         fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
-                                                        WQ_HIGHPRI, 0);
+                                                 WQ_UNBOUND | WQ_HIGHPRI,
+                                                 num_online_cpus());
         if (!fscrypt_read_workqueue)
                 goto fail;
 
diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
index e33f3d3c5ade..d7a0f682ca12 100644
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -59,11 +59,8 @@ int fname_encrypt(struct inode *inode, const struct qstr *iname,
 
         /* Set up the encryption request */
         req = skcipher_request_alloc(tfm, GFP_NOFS);
-        if (!req) {
-                printk_ratelimited(KERN_ERR
-                        "%s: skcipher_request_alloc() failed\n", __func__);
+        if (!req)
                 return -ENOMEM;
-        }
         skcipher_request_set_callback(req,
                         CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
                         crypto_req_done, &wait);
@@ -74,8 +71,9 @@ int fname_encrypt(struct inode *inode, const struct qstr *iname,
         res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
         skcipher_request_free(req);
         if (res < 0) {
-                printk_ratelimited(KERN_ERR
-                                "%s: Error (error code %d)\n", __func__, res);
+                fscrypt_err(inode->i_sb,
+                            "Filename encryption failed for inode %lu: %d",
+                            inode->i_ino, res);
                 return res;
         }
 
@@ -96,23 +94,14 @@ static int fname_decrypt(struct inode *inode,
         struct skcipher_request *req = NULL;
         DECLARE_CRYPTO_WAIT(wait);
         struct scatterlist src_sg, dst_sg;
-        struct fscrypt_info *ci = inode->i_crypt_info;
-        struct crypto_skcipher *tfm = ci->ci_ctfm;
+        struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm;
         int res = 0;
         char iv[FS_CRYPTO_BLOCK_SIZE];
-        unsigned lim;
-
-        lim = inode->i_sb->s_cop->max_namelen(inode);
-        if (iname->len <= 0 || iname->len > lim)
-                return -EIO;
 
         /* Allocate request */
         req = skcipher_request_alloc(tfm, GFP_NOFS);
-        if (!req) {
-                printk_ratelimited(KERN_ERR
-                        "%s: crypto_request_alloc() failed\n",  __func__);
+        if (!req)
                 return -ENOMEM;
-        }
         skcipher_request_set_callback(req,
                 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
                 crypto_req_done, &wait);
@@ -127,8 +116,9 @@ static int fname_decrypt(struct inode *inode,
         res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
         skcipher_request_free(req);
         if (res < 0) {
-                printk_ratelimited(KERN_ERR
-                                "%s: Error (error code %d)\n", __func__, res);
+                fscrypt_err(inode->i_sb,
+                            "Filename decryption failed for inode %lu: %d",
+                            inode->i_ino, res);
                 return res;
         }
 
@@ -341,12 +331,12 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
                 return 0;
         }
         ret = fscrypt_get_encryption_info(dir);
-        if (ret && ret != -EOPNOTSUPP)
+        if (ret)
                 return ret;
 
         if (dir->i_crypt_info) {
                 if (!fscrypt_fname_encrypted_size(dir, iname->len,
-                                                  dir->i_sb->s_cop->max_namelen(dir),
+                                                  dir->i_sb->s_cop->max_namelen,
                                                   &fname->crypto_buf.len))
                         return -ENAMETOOLONG;
                 fname->crypto_buf.name = kmalloc(fname->crypto_buf.len,
diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
index ad6722bae8b7..37562394c5de 100644
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -18,15 +18,7 @@
 
 /* Encryption parameters */
 #define FS_IV_SIZE                      16
-#define FS_AES_128_ECB_KEY_SIZE         16
-#define FS_AES_128_CBC_KEY_SIZE         16
-#define FS_AES_128_CTS_KEY_SIZE         16
-#define FS_AES_256_GCM_KEY_SIZE         32
-#define FS_AES_256_CBC_KEY_SIZE         32
-#define FS_AES_256_CTS_KEY_SIZE         32
-#define FS_AES_256_XTS_KEY_SIZE         64
-
-#define FS_KEY_DERIVATION_NONCE_SIZE            16
+#define FS_KEY_DERIVATION_NONCE_SIZE    16
 
 /**
  * Encryption context for inode
@@ -91,6 +83,10 @@ static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
             filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
                 return true;
 
+        if (contents_mode == FS_ENCRYPTION_MODE_SPECK128_256_XTS &&
+            filenames_mode == FS_ENCRYPTION_MODE_SPECK128_256_CTS)
+                return true;
+
         return false;
 }
 
@@ -106,6 +102,15 @@ extern int fscrypt_do_page_crypto(const struct inode *inode,
                                   gfp_t gfp_flags);
 extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx,
                                               gfp_t gfp_flags);
+extern const struct dentry_operations fscrypt_d_ops;
+
+extern void __printf(3, 4) __cold
+fscrypt_msg(struct super_block *sb, const char *level, const char *fmt, ...);
+
+#define fscrypt_warn(sb, fmt, ...)              \
+        fscrypt_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__)
+#define fscrypt_err(sb, fmt, ...)               \
+        fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__)
 
 /* fname.c */
 extern int fname_encrypt(struct inode *inode, const struct qstr *iname,
diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
index bec06490fb13..926e5df20ec3 100644
--- a/fs/crypto/hooks.c
+++ b/fs/crypto/hooks.c
@@ -39,8 +39,9 @@ int fscrypt_file_open(struct inode *inode, struct file *filp)
         dir = dget_parent(file_dentry(filp));
         if (IS_ENCRYPTED(d_inode(dir)) &&
             !fscrypt_has_permitted_context(d_inode(dir), inode)) {
-                pr_warn_ratelimited("fscrypt: inconsistent encryption contexts: %lu/%lu",
-                                    d_inode(dir)->i_ino, inode->i_ino);
+                fscrypt_warn(inode->i_sb,
+                             "inconsistent encryption contexts: %lu/%lu",
+                             d_inode(dir)->i_ino, inode->i_ino);
                 err = -EPERM;
         }
         dput(dir);
diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 05f5ee1f0705..e997ca51192f 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -19,17 +19,16 @@
 
 static struct crypto_shash *essiv_hash_tfm;
 
-/**
- * derive_key_aes() - Derive a key using AES-128-ECB
- * @deriving_key: Encryption key used for derivation.
- * @source_key:   Source key to which to apply derivation.
- * @derived_raw_key:  Derived raw key.
+/*
+ * Key derivation function.  This generates the derived key by encrypting the
+ * master key with AES-128-ECB using the inode's nonce as the AES key.
  *
- * Return: Zero on success; non-zero otherwise.
+ * The master key must be at least as long as the derived key.  If the master
+ * key is longer, then only the first 'derived_keysize' bytes are used.
  */
-static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
-                                const struct fscrypt_key *source_key,
-                                u8 derived_raw_key[FS_MAX_KEY_SIZE])
+static int derive_key_aes(const u8 *master_key,
+                          const struct fscrypt_context *ctx,
+                          u8 *derived_key, unsigned int derived_keysize)
 {
         int res = 0;
         struct skcipher_request *req = NULL;
@@ -51,14 +50,13 @@ static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
         skcipher_request_set_callback(req,
                         CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
                         crypto_req_done, &wait);
-        res = crypto_skcipher_setkey(tfm, deriving_key,
-                                        FS_AES_128_ECB_KEY_SIZE);
+        res = crypto_skcipher_setkey(tfm, ctx->nonce, sizeof(ctx->nonce));
         if (res < 0)
                 goto out;
 
-        sg_init_one(&src_sg, source_key->raw, source_key->size);
-        sg_init_one(&dst_sg, derived_raw_key, source_key->size);
-        skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size,
+        sg_init_one(&src_sg, master_key, derived_keysize);
+        sg_init_one(&dst_sg, derived_key, derived_keysize);
+        skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize,
                                    NULL);
         res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
 out:
@@ -67,101 +65,147 @@ out:
         return res;
 }
 
-static int validate_user_key(struct fscrypt_info *crypt_info,
-                        struct fscrypt_context *ctx, u8 *raw_key,
-                        const char *prefix, int min_keysize)
+/*
+ * Search the current task's subscribed keyrings for a "logon" key with
+ * description prefix:descriptor, and if found acquire a read lock on it and
+ * return a pointer to its validated payload in *payload_ret.
+ */
+static struct key *
+find_and_lock_process_key(const char *prefix,
+                          const u8 descriptor[FS_KEY_DESCRIPTOR_SIZE],
+                          unsigned int min_keysize,
+                          const struct fscrypt_key **payload_ret)
 {
         char *description;
-        struct key *keyring_key;
-        struct fscrypt_key *master_key;
+        struct key *key;
         const struct user_key_payload *ukp;
-        int res;
+        const struct fscrypt_key *payload;
 
         description = kasprintf(GFP_NOFS, "%s%*phN", prefix,
-                                FS_KEY_DESCRIPTOR_SIZE,
-                                ctx->master_key_descriptor);
+                                FS_KEY_DESCRIPTOR_SIZE, descriptor);
         if (!description)
-                return -ENOMEM;
+                return ERR_PTR(-ENOMEM);
 
-        keyring_key = request_key(&key_type_logon, description, NULL);
+        key = request_key(&key_type_logon, description, NULL);
         kfree(description);
-        if (IS_ERR(keyring_key))
-                return PTR_ERR(keyring_key);
-        down_read(&keyring_key->sem);
-
-        if (keyring_key->type != &key_type_logon) {
-                printk_once(KERN_WARNING
-                                "%s: key type must be logon\n", __func__);
-                res = -ENOKEY;
-                goto out;
-        }
-        ukp = user_key_payload_locked(keyring_key);
-        if (!ukp) {
-                /* key was revoked before we acquired its semaphore */
-                res = -EKEYREVOKED;
-                goto out;
+        if (IS_ERR(key))
+                return key;
+
+        down_read(&key->sem);
+        ukp = user_key_payload_locked(key);
+
+        if (!ukp) /* was the key revoked before we acquired its semaphore? */
+                goto invalid;
+
+        payload = (const struct fscrypt_key *)ukp->data;
+
+        if (ukp->datalen != sizeof(struct fscrypt_key) ||
+            payload->size < 1 || payload->size > FS_MAX_KEY_SIZE) {
+                fscrypt_warn(NULL,
+                             "key with description '%s' has invalid payload",
+                             key->description);
+                goto invalid;
         }
-        if (ukp->datalen != sizeof(struct fscrypt_key)) {
-                res = -EINVAL;
-                goto out;
+
+        if (payload->size < min_keysize) {
+                fscrypt_warn(NULL,
+                             "key with description '%s' is too short (got %u bytes, need %u+ bytes)",
+                             key->description, payload->size, min_keysize);
+                goto invalid;
         }
-        master_key = (struct fscrypt_key *)ukp->data;
-        BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);
-
-        if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE
-            || master_key->size % AES_BLOCK_SIZE != 0) {
-                printk_once(KERN_WARNING
-                                "%s: key size incorrect: %d\n",
-                                __func__, master_key->size);
-                res = -ENOKEY;
-                goto out;
+
+        *payload_ret = payload;
+        return key;
+
+invalid:
+        up_read(&key->sem);
+        key_put(key);
+        return ERR_PTR(-ENOKEY);
+}
+
+/* Find the master key, then derive the inode's actual encryption key */
+static int find_and_derive_key(const struct inode *inode,
+                               const struct fscrypt_context *ctx,
+                               u8 *derived_key, unsigned int derived_keysize)
+{
+        struct key *key;
+        const struct fscrypt_key *payload;
+        int err;
+
+        key = find_and_lock_process_key(FS_KEY_DESC_PREFIX,
+                                        ctx->master_key_descriptor,
+                                        derived_keysize, &payload);
+        if (key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) {
+                key = find_and_lock_process_key(inode->i_sb->s_cop->key_prefix,
+                                                ctx->master_key_descriptor,
+                                                derived_keysize, &payload);
         }
-        res = derive_key_aes(ctx->nonce, master_key, raw_key);
-out:
-        up_read(&keyring_key->sem);
-        key_put(keyring_key);
-        return res;
+        if (IS_ERR(key))
+                return PTR_ERR(key);
+        err = derive_key_aes(payload->raw, ctx, derived_key, derived_keysize);
+        up_read(&key->sem);
+        key_put(key);
+        return err;
 }
 
-static const struct {
+static struct fscrypt_mode {
+        const char *friendly_name;
         const char *cipher_str;
         int keysize;
+        bool logged_impl_name;
 } available_modes[] = {
-        [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)",
-                                             FS_AES_256_XTS_KEY_SIZE },
-        [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))",
-                                             FS_AES_256_CTS_KEY_SIZE },
-        [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)",
-                                             FS_AES_128_CBC_KEY_SIZE },
-        [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))",
-                                             FS_AES_128_CTS_KEY_SIZE },
+        [FS_ENCRYPTION_MODE_AES_256_XTS] = {
+                .friendly_name = "AES-256-XTS",
+                .cipher_str = "xts(aes)",
+                .keysize = 64,
+        },
+        [FS_ENCRYPTION_MODE_AES_256_CTS] = {
+                .friendly_name = "AES-256-CTS-CBC",
+                .cipher_str = "cts(cbc(aes))",
+                .keysize = 32,
+        },
+        [FS_ENCRYPTION_MODE_AES_128_CBC] = {
+                .friendly_name = "AES-128-CBC",
+                .cipher_str = "cbc(aes)",
+                .keysize = 16,
+        },
+        [FS_ENCRYPTION_MODE_AES_128_CTS] = {
+                .friendly_name = "AES-128-CTS-CBC",
+                .cipher_str = "cts(cbc(aes))",
+                .keysize = 16,
+        },
+        [FS_ENCRYPTION_MODE_SPECK128_256_XTS] = {
+                .friendly_name = "Speck128/256-XTS",
+                .cipher_str = "xts(speck128)",
+                .keysize = 64,
+        },
+        [FS_ENCRYPTION_MODE_SPECK128_256_CTS] = {
+                .friendly_name = "Speck128/256-CTS-CBC",
+                .cipher_str = "cts(cbc(speck128))",
+                .keysize = 32,
+        },
 };
 
-static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode,
-                                 const char **cipher_str_ret, int *keysize_ret)
+static struct fscrypt_mode *
+select_encryption_mode(const struct fscrypt_info *ci, const struct inode *inode)
 {
-        u32 mode;
-
         if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) {
-                pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n",
-                                    inode->i_ino,
-                                    ci->ci_data_mode, ci->ci_filename_mode);
-                return -EINVAL;
+                fscrypt_warn(inode->i_sb,
+                             "inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)",
+                             inode->i_ino, ci->ci_data_mode,
+                             ci->ci_filename_mode);
+                return ERR_PTR(-EINVAL);
         }
 
-        if (S_ISREG(inode->i_mode)) {
-                mode = ci->ci_data_mode;
-        } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) {
-                mode = ci->ci_filename_mode;
-        } else {
-                WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
-                          inode->i_ino, (inode->i_mode & S_IFMT));
-                return -EINVAL;
-        }
+        if (S_ISREG(inode->i_mode))
+                return &available_modes[ci->ci_data_mode];
+
+        if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
+                return &available_modes[ci->ci_filename_mode];
 
-        *cipher_str_ret = available_modes[mode].cipher_str;
-        *keysize_ret = available_modes[mode].keysize;
-        return 0;
+        WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
+                  inode->i_ino, (inode->i_mode & S_IFMT));
+        return ERR_PTR(-EINVAL);
 }
 
 static void put_crypt_info(struct fscrypt_info *ci)
@@ -184,8 +228,9 @@ static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt)
 
                 tfm = crypto_alloc_shash("sha256", 0, 0);
                 if (IS_ERR(tfm)) {
-                        pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n",
-                                            PTR_ERR(tfm));
+                        fscrypt_warn(NULL,
+                                     "error allocating SHA-256 transform: %ld",
+                                     PTR_ERR(tfm));
                         return PTR_ERR(tfm);
                 }
                 prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
@@ -245,8 +290,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
         struct fscrypt_info *crypt_info;
         struct fscrypt_context ctx;
         struct crypto_skcipher *ctfm;
-        const char *cipher_str;
-        int keysize;
+        struct fscrypt_mode *mode;
         u8 *raw_key = NULL;
         int res;
 
@@ -290,57 +334,59 @@ int fscrypt_get_encryption_info(struct inode *inode)
         memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
                                 sizeof(crypt_info->ci_master_key));
 
-        res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize);
-        if (res)
+        mode = select_encryption_mode(crypt_info, inode);
+        if (IS_ERR(mode)) {
+                res = PTR_ERR(mode);
                 goto out;
+        }
 
         /*
          * This cannot be a stack buffer because it is passed to the scatterlist
          * crypto API as part of key derivation.
          */
         res = -ENOMEM;
-        raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS);
+        raw_key = kmalloc(mode->keysize, GFP_NOFS);
         if (!raw_key)
                 goto out;
 
-        res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX,
-                                keysize);
-        if (res && inode->i_sb->s_cop->key_prefix) {
-                int res2 = validate_user_key(crypt_info, &ctx, raw_key,
-                                             inode->i_sb->s_cop->key_prefix,
-                                             keysize);
-                if (res2) {
-                        if (res2 == -ENOKEY)
-                                res = -ENOKEY;
-                        goto out;
-                }
-        } else if (res) {
+        res = find_and_derive_key(inode, &ctx, raw_key, mode->keysize);
+        if (res)
                 goto out;
-        }
-        ctfm = crypto_alloc_skcipher(cipher_str, 0, 0);
-        if (!ctfm || IS_ERR(ctfm)) {
-                res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
-                pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n",
-                         __func__, res, inode->i_ino);
+
+        ctfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
+        if (IS_ERR(ctfm)) {
+                res = PTR_ERR(ctfm);
+                fscrypt_warn(inode->i_sb,
+                             "error allocating '%s' transform for inode %lu: %d",
+                             mode->cipher_str, inode->i_ino, res);
                 goto out;
         }
+        if (unlikely(!mode->logged_impl_name)) {
+                /*
+                 * fscrypt performance can vary greatly depending on which
+                 * crypto algorithm implementation is used.  Help people debug
+                 * performance problems by logging the ->cra_driver_name the
+                 * first time a mode is used.  Note that multiple threads can
+                 * race here, but it doesn't really matter.
+                 */
+                mode->logged_impl_name = true;
+                pr_info("fscrypt: %s using implementation \"%s\"\n",
+                        mode->friendly_name,
+                        crypto_skcipher_alg(ctfm)->base.cra_driver_name);
+        }
         crypt_info->ci_ctfm = ctfm;
-        crypto_skcipher_clear_flags(ctfm, ~0);
         crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY);
-        /*
-         * if the provided key is longer than keysize, we use the first
-         * keysize bytes of the derived key only
-         */
-        res = crypto_skcipher_setkey(ctfm, raw_key, keysize);
+        res = crypto_skcipher_setkey(ctfm, raw_key, mode->keysize);
         if (res)
                 goto out;
 
         if (S_ISREG(inode->i_mode) &&
             crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) {
-                res = init_essiv_generator(crypt_info, raw_key, keysize);
+                res = init_essiv_generator(crypt_info, raw_key, mode->keysize);
                 if (res) {
-                        pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n",
-                                 __func__, res, inode->i_ino);
+                        fscrypt_warn(inode->i_sb,
+                                     "error initializing ESSIV generator for inode %lu: %d",
+                                     inode->i_ino, res);
                         goto out;
                 }
         }
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 7022d843c667..00fe75a71c4b 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1267,19 +1267,13 @@ static bool ext4_dummy_context(struct inode *inode)
         return DUMMY_ENCRYPTION_ENABLED(EXT4_SB(inode->i_sb));
 }
 
-static unsigned ext4_max_namelen(struct inode *inode)
-{
-        return S_ISLNK(inode->i_mode) ? inode->i_sb->s_blocksize :
-                EXT4_NAME_LEN;
-}
-
 static const struct fscrypt_operations ext4_cryptops = {
         .key_prefix             = "ext4:",
         .get_context            = ext4_get_context,
         .set_context            = ext4_set_context,
         .dummy_context          = ext4_dummy_context,
         .empty_dir              = ext4_empty_dir,
-        .max_namelen            = ext4_max_namelen,
+        .max_namelen            = EXT4_NAME_LEN,
 };
 #endif
 
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 42d564c5ccd0..970ae27f401c 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1930,19 +1930,13 @@ static bool f2fs_dummy_context(struct inode *inode)
         return DUMMY_ENCRYPTION_ENABLED(F2FS_I_SB(inode));
 }
 
-static unsigned f2fs_max_namelen(struct inode *inode)
-{
-        return S_ISLNK(inode->i_mode) ?
-                        inode->i_sb->s_blocksize : F2FS_NAME_LEN;
-}
-
 static const struct fscrypt_operations f2fs_cryptops = {
         .key_prefix     = "f2fs:",
         .get_context    = f2fs_get_context,
         .set_context    = f2fs_set_context,
         .dummy_context  = f2fs_dummy_context,
         .empty_dir      = f2fs_empty_dir,
-        .max_namelen    = f2fs_max_namelen,
+        .max_namelen    = F2FS_NAME_LEN,
 };
 #endif
 
diff --git a/fs/ubifs/crypto.c b/fs/ubifs/crypto.c
index 616a688f5d8f..55c508fe8131 100644
--- a/fs/ubifs/crypto.c
+++ b/fs/ubifs/crypto.c
@@ -24,14 +24,6 @@ static bool ubifs_crypt_empty_dir(struct inode *inode)
         return ubifs_check_dir_empty(inode) == 0;
 }
 
-static unsigned int ubifs_crypt_max_namelen(struct inode *inode)
-{
-        if (S_ISLNK(inode->i_mode))
-                return UBIFS_MAX_INO_DATA;
-        else
-                return UBIFS_MAX_NLEN;
-}
-
 int ubifs_encrypt(const struct inode *inode, struct ubifs_data_node *dn,
                   unsigned int in_len, unsigned int *out_len, int block)
 {
@@ -89,5 +81,5 @@ const struct fscrypt_operations ubifs_crypt_operations = {
         .get_context            = ubifs_crypt_get_context,
         .set_context            = ubifs_crypt_set_context,
         .empty_dir              = ubifs_crypt_empty_dir,
-        .max_namelen            = ubifs_crypt_max_namelen,
+        .max_namelen            = UBIFS_MAX_NLEN,
 };
diff --git a/include/linux/fs.h b/include/linux/fs.h
index f4b8c8dc67e3..7ef7193488b8 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1364,9 +1364,9 @@ struct super_block {
         void                    *s_security;
 #endif
         const struct xattr_handler **s_xattr;
-
+#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
         const struct fscrypt_operations *s_cop;
-
+#endif
         struct hlist_bl_head    s_roots;        /* alternate root dentries for NFS */
         struct list_head        s_mounts;       /* list of mounts; _not_ for fs use */
         struct block_device     *s_bdev;
diff --git a/include/linux/fscrypt_notsupp.h b/include/linux/fscrypt_notsupp.h
index 44b50c04bae9..25b6492de6e5 100644
--- a/include/linux/fscrypt_notsupp.h
+++ b/include/linux/fscrypt_notsupp.h
@@ -64,16 +64,6 @@ static inline void fscrypt_restore_control_page(struct page *page)
         return;
 }
 
-static inline void fscrypt_set_d_op(struct dentry *dentry)
-{
-        return;
-}
-
-static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry)
-{
-        return;
-}
-
 /* policy.c */
 static inline int fscrypt_ioctl_set_policy(struct file *filp,
                                            const void __user *arg)
diff --git a/include/linux/fscrypt_supp.h b/include/linux/fscrypt_supp.h
index 477a7a6504d2..5080cb1bec4c 100644
--- a/include/linux/fscrypt_supp.h
+++ b/include/linux/fscrypt_supp.h
@@ -29,7 +29,7 @@ struct fscrypt_operations {
         int (*set_context)(struct inode *, const void *, size_t, void *);
         bool (*dummy_context)(struct inode *);
         bool (*empty_dir)(struct inode *);
-        unsigned (*max_namelen)(struct inode *);
+        unsigned int max_namelen;
 };
 
 struct fscrypt_ctx {
@@ -74,20 +74,6 @@ static inline struct page *fscrypt_control_page(struct page *page)
 
 extern void fscrypt_restore_control_page(struct page *);
 
-extern const struct dentry_operations fscrypt_d_ops;
-
-static inline void fscrypt_set_d_op(struct dentry *dentry)
-{
-        d_set_d_op(dentry, &fscrypt_d_ops);
-}
-
-static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry)
-{
-        spin_lock(&dentry->d_lock);
-        dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY;
-        spin_unlock(&dentry->d_lock);
-}
-
 /* policy.c */
 extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
 extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
index 9d132f8f2df8..73e01918f996 100644
--- a/include/uapi/linux/fs.h
+++ b/include/uapi/linux/fs.h
@@ -279,6 +279,8 @@ struct fsxattr {
 #define FS_ENCRYPTION_MODE_AES_256_CTS          4
 #define FS_ENCRYPTION_MODE_AES_128_CBC          5
 #define FS_ENCRYPTION_MODE_AES_128_CTS          6
+#define FS_ENCRYPTION_MODE_SPECK128_256_XTS     7
+#define FS_ENCRYPTION_MODE_SPECK128_256_CTS     8
 
 struct fscrypt_policy {
         __u8 version;