aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
Diffstat (limited to 'fs')
-rw-r--r--fs/Kconfig2
-rw-r--r--fs/Makefile1
-rw-r--r--fs/crypto/Kconfig18
-rw-r--r--fs/crypto/Makefile3
-rw-r--r--fs/crypto/crypto.c556
-rw-r--r--fs/crypto/fname.c (renamed from fs/f2fs/crypto_fname.c)245
-rw-r--r--fs/crypto/keyinfo.c (renamed from fs/f2fs/crypto_key.c)189
-rw-r--r--fs/crypto/policy.c229
-rw-r--r--fs/f2fs/Kconfig10
-rw-r--r--fs/f2fs/Makefile2
-rw-r--r--fs/f2fs/crypto.c473
-rw-r--r--fs/f2fs/crypto_policy.c210
-rw-r--r--fs/f2fs/data.c31
-rw-r--r--fs/f2fs/dir.c44
-rw-r--r--fs/f2fs/f2fs.h172
-rw-r--r--fs/f2fs/f2fs_crypto.h151
-rw-r--r--fs/f2fs/file.c38
-rw-r--r--fs/f2fs/inline.c4
-rw-r--r--fs/f2fs/inode.c5
-rw-r--r--fs/f2fs/namei.c56
-rw-r--r--fs/f2fs/super.c55
21 files changed, 1172 insertions, 1322 deletions
diff --git a/fs/Kconfig b/fs/Kconfig
index 9adee0d7536e..9d757673bf40 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -84,6 +84,8 @@ config MANDATORY_FILE_LOCKING
84 84
85 To the best of my knowledge this is dead code that no one cares about. 85 To the best of my knowledge this is dead code that no one cares about.
86 86
87source "fs/crypto/Kconfig"
88
87source "fs/notify/Kconfig" 89source "fs/notify/Kconfig"
88 90
89source "fs/quota/Kconfig" 91source "fs/quota/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 79f522575cba..252c96898a43 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -30,6 +30,7 @@ obj-$(CONFIG_EVENTFD) += eventfd.o
30obj-$(CONFIG_USERFAULTFD) += userfaultfd.o 30obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
31obj-$(CONFIG_AIO) += aio.o 31obj-$(CONFIG_AIO) += aio.o
32obj-$(CONFIG_FS_DAX) += dax.o 32obj-$(CONFIG_FS_DAX) += dax.o
33obj-$(CONFIG_FS_ENCRYPTION) += crypto/
33obj-$(CONFIG_FILE_LOCKING) += locks.o 34obj-$(CONFIG_FILE_LOCKING) += locks.o
34obj-$(CONFIG_COMPAT) += compat.o compat_ioctl.o 35obj-$(CONFIG_COMPAT) += compat.o compat_ioctl.o
35obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o 36obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o
diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
new file mode 100644
index 000000000000..92348faf9865
--- /dev/null
+++ b/fs/crypto/Kconfig
@@ -0,0 +1,18 @@
1config FS_ENCRYPTION
2 tristate "FS Encryption (Per-file encryption)"
3 depends on BLOCK
4 select CRYPTO
5 select CRYPTO_AES
6 select CRYPTO_CBC
7 select CRYPTO_ECB
8 select CRYPTO_XTS
9 select CRYPTO_CTS
10 select CRYPTO_CTR
11 select CRYPTO_SHA256
12 select KEYS
13 select ENCRYPTED_KEYS
14 help
15 Enable encryption of files and directories. This
16 feature is similar to ecryptfs, but it is more memory
17 efficient since it avoids caching the encrypted and
18 decrypted pages in the page cache.
diff --git a/fs/crypto/Makefile b/fs/crypto/Makefile
new file mode 100644
index 000000000000..f17684c48739
--- /dev/null
+++ b/fs/crypto/Makefile
@@ -0,0 +1,3 @@
1obj-$(CONFIG_FS_ENCRYPTION) += fscrypto.o
2
3fscrypto-y := crypto.o fname.o policy.o keyinfo.o
diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
new file mode 100644
index 000000000000..d45c33157e2b
--- /dev/null
+++ b/fs/crypto/crypto.c
@@ -0,0 +1,556 @@
1/*
2 * This contains encryption functions for per-file encryption.
3 *
4 * Copyright (C) 2015, Google, Inc.
5 * Copyright (C) 2015, Motorola Mobility
6 *
7 * Written by Michael Halcrow, 2014.
8 *
9 * Filename encryption additions
10 * Uday Savagaonkar, 2014
11 * Encryption policy handling additions
12 * Ildar Muslukhov, 2014
13 * Add fscrypt_pullback_bio_page()
14 * Jaegeuk Kim, 2015.
15 *
16 * This has not yet undergone a rigorous security audit.
17 *
18 * The usage of AES-XTS should conform to recommendations in NIST
19 * Special Publication 800-38E and IEEE P1619/D16.
20 */
21
22#include <linux/crypto.h>
23#include <linux/ecryptfs.h>
24#include <linux/pagemap.h>
25#include <linux/mempool.h>
26#include <linux/module.h>
27#include <linux/scatterlist.h>
28#include <linux/ratelimit.h>
29#include <linux/bio.h>
30#include <linux/dcache.h>
31#include <linux/fscrypto.h>
32
33static unsigned int num_prealloc_crypto_pages = 32;
34static unsigned int num_prealloc_crypto_ctxs = 128;
35
36module_param(num_prealloc_crypto_pages, uint, 0444);
37MODULE_PARM_DESC(num_prealloc_crypto_pages,
38 "Number of crypto pages to preallocate");
39module_param(num_prealloc_crypto_ctxs, uint, 0444);
40MODULE_PARM_DESC(num_prealloc_crypto_ctxs,
41 "Number of crypto contexts to preallocate");
42
43static mempool_t *fscrypt_bounce_page_pool = NULL;
44
45static LIST_HEAD(fscrypt_free_ctxs);
46static DEFINE_SPINLOCK(fscrypt_ctx_lock);
47
48static struct workqueue_struct *fscrypt_read_workqueue;
49static DEFINE_MUTEX(fscrypt_init_mutex);
50
51static struct kmem_cache *fscrypt_ctx_cachep;
52struct kmem_cache *fscrypt_info_cachep;
53
54/**
55 * fscrypt_release_ctx() - Releases an encryption context
56 * @ctx: The encryption context to release.
57 *
58 * If the encryption context was allocated from the pre-allocated pool, returns
59 * it to that pool. Else, frees it.
60 *
61 * If there's a bounce page in the context, this frees that.
62 */
63void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
64{
65 unsigned long flags;
66
67 if (ctx->flags & FS_WRITE_PATH_FL && ctx->w.bounce_page) {
68 mempool_free(ctx->w.bounce_page, fscrypt_bounce_page_pool);
69 ctx->w.bounce_page = NULL;
70 }
71 ctx->w.control_page = NULL;
72 if (ctx->flags & FS_CTX_REQUIRES_FREE_ENCRYPT_FL) {
73 kmem_cache_free(fscrypt_ctx_cachep, ctx);
74 } else {
75 spin_lock_irqsave(&fscrypt_ctx_lock, flags);
76 list_add(&ctx->free_list, &fscrypt_free_ctxs);
77 spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
78 }
79}
80EXPORT_SYMBOL(fscrypt_release_ctx);
81
82/**
83 * fscrypt_get_ctx() - Gets an encryption context
84 * @inode: The inode for which we are doing the crypto
85 *
86 * Allocates and initializes an encryption context.
87 *
88 * Return: An allocated and initialized encryption context on success; error
89 * value or NULL otherwise.
90 */
91struct fscrypt_ctx *fscrypt_get_ctx(struct inode *inode)
92{
93 struct fscrypt_ctx *ctx = NULL;
94 struct fscrypt_info *ci = inode->i_crypt_info;
95 unsigned long flags;
96
97 if (ci == NULL)
98 return ERR_PTR(-ENOKEY);
99
100 /*
101 * We first try getting the ctx from a free list because in
102 * the common case the ctx will have an allocated and
103 * initialized crypto tfm, so it's probably a worthwhile
104 * optimization. For the bounce page, we first try getting it
105 * from the kernel allocator because that's just about as fast
106 * as getting it from a list and because a cache of free pages
107 * should generally be a "last resort" option for a filesystem
108 * to be able to do its job.
109 */
110 spin_lock_irqsave(&fscrypt_ctx_lock, flags);
111 ctx = list_first_entry_or_null(&fscrypt_free_ctxs,
112 struct fscrypt_ctx, free_list);
113 if (ctx)
114 list_del(&ctx->free_list);
115 spin_unlock_irqrestore(&fscrypt_ctx_lock, flags);
116 if (!ctx) {
117 ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, GFP_NOFS);
118 if (!ctx)
119 return ERR_PTR(-ENOMEM);
120 ctx->flags |= FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
121 } else {
122 ctx->flags &= ~FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
123 }
124 ctx->flags &= ~FS_WRITE_PATH_FL;
125 return ctx;
126}
127EXPORT_SYMBOL(fscrypt_get_ctx);
128
129/**
130 * fscrypt_complete() - The completion callback for page encryption
131 * @req: The asynchronous encryption request context
132 * @res: The result of the encryption operation
133 */
134static void fscrypt_complete(struct crypto_async_request *req, int res)
135{
136 struct fscrypt_completion_result *ecr = req->data;
137
138 if (res == -EINPROGRESS)
139 return;
140 ecr->res = res;
141 complete(&ecr->completion);
142}
143
144typedef enum {
145 FS_DECRYPT = 0,
146 FS_ENCRYPT,
147} fscrypt_direction_t;
148
149static int do_page_crypto(struct inode *inode,
150 fscrypt_direction_t rw, pgoff_t index,
151 struct page *src_page, struct page *dest_page)
152{
153 u8 xts_tweak[FS_XTS_TWEAK_SIZE];
154 struct ablkcipher_request *req = NULL;
155 DECLARE_FS_COMPLETION_RESULT(ecr);
156 struct scatterlist dst, src;
157 struct fscrypt_info *ci = inode->i_crypt_info;
158 struct crypto_ablkcipher *tfm = ci->ci_ctfm;
159 int res = 0;
160
161 req = ablkcipher_request_alloc(tfm, GFP_NOFS);
162 if (!req) {
163 printk_ratelimited(KERN_ERR
164 "%s: crypto_request_alloc() failed\n",
165 __func__);
166 return -ENOMEM;
167 }
168
169 ablkcipher_request_set_callback(
170 req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
171 fscrypt_complete, &ecr);
172
173 BUILD_BUG_ON(FS_XTS_TWEAK_SIZE < sizeof(index));
174 memcpy(xts_tweak, &inode->i_ino, sizeof(index));
175 memset(&xts_tweak[sizeof(index)], 0,
176 FS_XTS_TWEAK_SIZE - sizeof(index));
177
178 sg_init_table(&dst, 1);
179 sg_set_page(&dst, dest_page, PAGE_CACHE_SIZE, 0);
180 sg_init_table(&src, 1);
181 sg_set_page(&src, src_page, PAGE_CACHE_SIZE, 0);
182 ablkcipher_request_set_crypt(req, &src, &dst, PAGE_CACHE_SIZE,
183 xts_tweak);
184 if (rw == FS_DECRYPT)
185 res = crypto_ablkcipher_decrypt(req);
186 else
187 res = crypto_ablkcipher_encrypt(req);
188 if (res == -EINPROGRESS || res == -EBUSY) {
189 BUG_ON(req->base.data != &ecr);
190 wait_for_completion(&ecr.completion);
191 res = ecr.res;
192 }
193 ablkcipher_request_free(req);
194 if (res) {
195 printk_ratelimited(KERN_ERR
196 "%s: crypto_ablkcipher_encrypt() returned %d\n",
197 __func__, res);
198 return res;
199 }
200 return 0;
201}
202
203static struct page *alloc_bounce_page(struct fscrypt_ctx *ctx)
204{
205 ctx->w.bounce_page = mempool_alloc(fscrypt_bounce_page_pool,
206 GFP_NOWAIT);
207 if (ctx->w.bounce_page == NULL)
208 return ERR_PTR(-ENOMEM);
209 ctx->flags |= FS_WRITE_PATH_FL;
210 return ctx->w.bounce_page;
211}
212
213/**
214 * fscypt_encrypt_page() - Encrypts a page
215 * @inode: The inode for which the encryption should take place
216 * @plaintext_page: The page to encrypt. Must be locked.
217 *
218 * Allocates a ciphertext page and encrypts plaintext_page into it using the ctx
219 * encryption context.
220 *
221 * Called on the page write path. The caller must call
222 * fscrypt_restore_control_page() on the returned ciphertext page to
223 * release the bounce buffer and the encryption context.
224 *
225 * Return: An allocated page with the encrypted content on success. Else, an
226 * error value or NULL.
227 */
228struct page *fscrypt_encrypt_page(struct inode *inode,
229 struct page *plaintext_page)
230{
231 struct fscrypt_ctx *ctx;
232 struct page *ciphertext_page = NULL;
233 int err;
234
235 BUG_ON(!PageLocked(plaintext_page));
236
237 ctx = fscrypt_get_ctx(inode);
238 if (IS_ERR(ctx))
239 return (struct page *)ctx;
240
241 /* The encryption operation will require a bounce page. */
242 ciphertext_page = alloc_bounce_page(ctx);
243 if (IS_ERR(ciphertext_page))
244 goto errout;
245
246 ctx->w.control_page = plaintext_page;
247 err = do_page_crypto(inode, FS_ENCRYPT, plaintext_page->index,
248 plaintext_page, ciphertext_page);
249 if (err) {
250 ciphertext_page = ERR_PTR(err);
251 goto errout;
252 }
253 SetPagePrivate(ciphertext_page);
254 set_page_private(ciphertext_page, (unsigned long)ctx);
255 lock_page(ciphertext_page);
256 return ciphertext_page;
257
258errout:
259 fscrypt_release_ctx(ctx);
260 return ciphertext_page;
261}
262EXPORT_SYMBOL(fscrypt_encrypt_page);
263
264/**
265 * f2crypt_decrypt_page() - Decrypts a page in-place
266 * @page: The page to decrypt. Must be locked.
267 *
268 * Decrypts page in-place using the ctx encryption context.
269 *
270 * Called from the read completion callback.
271 *
272 * Return: Zero on success, non-zero otherwise.
273 */
274int fscrypt_decrypt_page(struct page *page)
275{
276 BUG_ON(!PageLocked(page));
277
278 return do_page_crypto(page->mapping->host,
279 FS_DECRYPT, page->index, page, page);
280}
281EXPORT_SYMBOL(fscrypt_decrypt_page);
282
283int fscrypt_zeroout_range(struct inode *inode, pgoff_t lblk,
284 sector_t pblk, unsigned int len)
285{
286 struct fscrypt_ctx *ctx;
287 struct page *ciphertext_page = NULL;
288 struct bio *bio;
289 int ret, err = 0;
290
291 BUG_ON(inode->i_sb->s_blocksize != PAGE_CACHE_SIZE);
292
293 ctx = fscrypt_get_ctx(inode);
294 if (IS_ERR(ctx))
295 return PTR_ERR(ctx);
296
297 ciphertext_page = alloc_bounce_page(ctx);
298 if (IS_ERR(ciphertext_page)) {
299 err = PTR_ERR(ciphertext_page);
300 goto errout;
301 }
302
303 while (len--) {
304 err = do_page_crypto(inode, FS_ENCRYPT, lblk,
305 ZERO_PAGE(0), ciphertext_page);
306 if (err)
307 goto errout;
308
309 bio = bio_alloc(GFP_KERNEL, 1);
310 if (!bio) {
311 err = -ENOMEM;
312 goto errout;
313 }
314 bio->bi_bdev = inode->i_sb->s_bdev;
315 bio->bi_iter.bi_sector =
316 pblk << (inode->i_sb->s_blocksize_bits - 9);
317 ret = bio_add_page(bio, ciphertext_page,
318 inode->i_sb->s_blocksize, 0);
319 if (ret != inode->i_sb->s_blocksize) {
320 /* should never happen! */
321 WARN_ON(1);
322 bio_put(bio);
323 err = -EIO;
324 goto errout;
325 }
326 err = submit_bio_wait(WRITE, bio);
327 if ((err == 0) && bio->bi_error)
328 err = -EIO;
329 bio_put(bio);
330 if (err)
331 goto errout;
332 lblk++;
333 pblk++;
334 }
335 err = 0;
336errout:
337 fscrypt_release_ctx(ctx);
338 return err;
339}
340EXPORT_SYMBOL(fscrypt_zeroout_range);
341
342/*
343 * Validate dentries for encrypted directories to make sure we aren't
344 * potentially caching stale data after a key has been added or
345 * removed.
346 */
347static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
348{
349 struct inode *dir = d_inode(dentry->d_parent);
350 struct fscrypt_info *ci = dir->i_crypt_info;
351 int dir_has_key, cached_with_key;
352
353 if (!dir->i_sb->s_cop->is_encrypted(dir))
354 return 0;
355
356 if (ci && ci->ci_keyring_key &&
357 (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
358 (1 << KEY_FLAG_REVOKED) |
359 (1 << KEY_FLAG_DEAD))))
360 ci = NULL;
361
362 /* this should eventually be an flag in d_flags */
363 spin_lock(&dentry->d_lock);
364 cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
365 spin_unlock(&dentry->d_lock);
366 dir_has_key = (ci != NULL);
367
368 /*
369 * If the dentry was cached without the key, and it is a
370 * negative dentry, it might be a valid name. We can't check
371 * if the key has since been made available due to locking
372 * reasons, so we fail the validation so ext4_lookup() can do
373 * this check.
374 *
375 * We also fail the validation if the dentry was created with
376 * the key present, but we no longer have the key, or vice versa.
377 */
378 if ((!cached_with_key && d_is_negative(dentry)) ||
379 (!cached_with_key && dir_has_key) ||
380 (cached_with_key && !dir_has_key))
381 return 0;
382 return 1;
383}
384
385const struct dentry_operations fscrypt_d_ops = {
386 .d_revalidate = fscrypt_d_revalidate,
387};
388EXPORT_SYMBOL(fscrypt_d_ops);
389
390/*
391 * Call fscrypt_decrypt_page on every single page, reusing the encryption
392 * context.
393 */
394static void completion_pages(struct work_struct *work)
395{
396 struct fscrypt_ctx *ctx =
397 container_of(work, struct fscrypt_ctx, r.work);
398 struct bio *bio = ctx->r.bio;
399 struct bio_vec *bv;
400 int i;
401
402 bio_for_each_segment_all(bv, bio, i) {
403 struct page *page = bv->bv_page;
404 int ret = fscrypt_decrypt_page(page);
405
406 if (ret) {
407 WARN_ON_ONCE(1);
408 SetPageError(page);
409 } else {
410 SetPageUptodate(page);
411 }
412 unlock_page(page);
413 }
414 fscrypt_release_ctx(ctx);
415 bio_put(bio);
416}
417
418void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *ctx, struct bio *bio)
419{
420 INIT_WORK(&ctx->r.work, completion_pages);
421 ctx->r.bio = bio;
422 queue_work(fscrypt_read_workqueue, &ctx->r.work);
423}
424EXPORT_SYMBOL(fscrypt_decrypt_bio_pages);
425
426void fscrypt_pullback_bio_page(struct page **page, bool restore)
427{
428 struct fscrypt_ctx *ctx;
429 struct page *bounce_page;
430
431 /* The bounce data pages are unmapped. */
432 if ((*page)->mapping)
433 return;
434
435 /* The bounce data page is unmapped. */
436 bounce_page = *page;
437 ctx = (struct fscrypt_ctx *)page_private(bounce_page);
438
439 /* restore control page */
440 *page = ctx->w.control_page;
441
442 if (restore)
443 fscrypt_restore_control_page(bounce_page);
444}
445EXPORT_SYMBOL(fscrypt_pullback_bio_page);
446
447void fscrypt_restore_control_page(struct page *page)
448{
449 struct fscrypt_ctx *ctx;
450
451 ctx = (struct fscrypt_ctx *)page_private(page);
452 set_page_private(page, (unsigned long)NULL);
453 ClearPagePrivate(page);
454 unlock_page(page);
455 fscrypt_release_ctx(ctx);
456}
457EXPORT_SYMBOL(fscrypt_restore_control_page);
458
459static void fscrypt_destroy(void)
460{
461 struct fscrypt_ctx *pos, *n;
462
463 list_for_each_entry_safe(pos, n, &fscrypt_free_ctxs, free_list)
464 kmem_cache_free(fscrypt_ctx_cachep, pos);
465 INIT_LIST_HEAD(&fscrypt_free_ctxs);
466 mempool_destroy(fscrypt_bounce_page_pool);
467 fscrypt_bounce_page_pool = NULL;
468}
469
470/**
471 * fscrypt_initialize() - allocate major buffers for fs encryption.
472 *
473 * We only call this when we start accessing encrypted files, since it
474 * results in memory getting allocated that wouldn't otherwise be used.
475 *
476 * Return: Zero on success, non-zero otherwise.
477 */
478int fscrypt_initialize(void)
479{
480 int i, res = -ENOMEM;
481
482 if (fscrypt_bounce_page_pool)
483 return 0;
484
485 mutex_lock(&fscrypt_init_mutex);
486 if (fscrypt_bounce_page_pool)
487 goto already_initialized;
488
489 for (i = 0; i < num_prealloc_crypto_ctxs; i++) {
490 struct fscrypt_ctx *ctx;
491
492 ctx = kmem_cache_zalloc(fscrypt_ctx_cachep, GFP_NOFS);
493 if (!ctx)
494 goto fail;
495 list_add(&ctx->free_list, &fscrypt_free_ctxs);
496 }
497
498 fscrypt_bounce_page_pool =
499 mempool_create_page_pool(num_prealloc_crypto_pages, 0);
500 if (!fscrypt_bounce_page_pool)
501 goto fail;
502
503already_initialized:
504 mutex_unlock(&fscrypt_init_mutex);
505 return 0;
506fail:
507 fscrypt_destroy();
508 mutex_unlock(&fscrypt_init_mutex);
509 return res;
510}
511EXPORT_SYMBOL(fscrypt_initialize);
512
513/**
514 * fscrypt_init() - Set up for fs encryption.
515 */
516static int __init fscrypt_init(void)
517{
518 fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
519 WQ_HIGHPRI, 0);
520 if (!fscrypt_read_workqueue)
521 goto fail;
522
523 fscrypt_ctx_cachep = KMEM_CACHE(fscrypt_ctx, SLAB_RECLAIM_ACCOUNT);
524 if (!fscrypt_ctx_cachep)
525 goto fail_free_queue;
526
527 fscrypt_info_cachep = KMEM_CACHE(fscrypt_info, SLAB_RECLAIM_ACCOUNT);
528 if (!fscrypt_info_cachep)
529 goto fail_free_ctx;
530
531 return 0;
532
533fail_free_ctx:
534 kmem_cache_destroy(fscrypt_ctx_cachep);
535fail_free_queue:
536 destroy_workqueue(fscrypt_read_workqueue);
537fail:
538 return -ENOMEM;
539}
540module_init(fscrypt_init)
541
542/**
543 * fscrypt_exit() - Shutdown the fs encryption system
544 */
545static void __exit fscrypt_exit(void)
546{
547 fscrypt_destroy();
548
549 if (fscrypt_read_workqueue)
550 destroy_workqueue(fscrypt_read_workqueue);
551 kmem_cache_destroy(fscrypt_ctx_cachep);
552 kmem_cache_destroy(fscrypt_info_cachep);
553}
554module_exit(fscrypt_exit);
555
556MODULE_LICENSE("GPL");
diff --git a/fs/f2fs/crypto_fname.c b/fs/crypto/fname.c
index 6dfdc978fe45..5e4ddeeba267 100644
--- a/fs/f2fs/crypto_fname.c
+++ b/fs/crypto/fname.c
@@ -1,46 +1,35 @@
1/* 1/*
2 * linux/fs/f2fs/crypto_fname.c 2 * This contains functions for filename crypto management
3 *
4 * Copied from linux/fs/ext4/crypto.c
5 * 3 *
6 * Copyright (C) 2015, Google, Inc. 4 * Copyright (C) 2015, Google, Inc.
7 * Copyright (C) 2015, Motorola Mobility 5 * Copyright (C) 2015, Motorola Mobility
8 * 6 *
9 * This contains functions for filename crypto management in f2fs
10 *
11 * Written by Uday Savagaonkar, 2014. 7 * Written by Uday Savagaonkar, 2014.
12 * 8 * Modified by Jaegeuk Kim, 2015.
13 * Adjust f2fs dentry structure
14 * Jaegeuk Kim, 2015.
15 * 9 *
16 * This has not yet undergone a rigorous security audit. 10 * This has not yet undergone a rigorous security audit.
17 */ 11 */
12
18#include <crypto/hash.h> 13#include <crypto/hash.h>
19#include <crypto/sha.h> 14#include <crypto/sha.h>
20#include <keys/encrypted-type.h> 15#include <keys/encrypted-type.h>
21#include <keys/user-type.h> 16#include <keys/user-type.h>
22#include <linux/crypto.h> 17#include <linux/crypto.h>
23#include <linux/gfp.h>
24#include <linux/kernel.h>
25#include <linux/key.h>
26#include <linux/list.h>
27#include <linux/mempool.h>
28#include <linux/random.h>
29#include <linux/scatterlist.h> 18#include <linux/scatterlist.h>
30#include <linux/spinlock_types.h>
31#include <linux/f2fs_fs.h>
32#include <linux/ratelimit.h> 19#include <linux/ratelimit.h>
20#include <linux/fscrypto.h>
33 21
34#include "f2fs.h" 22static u32 size_round_up(size_t size, size_t blksize)
35#include "f2fs_crypto.h" 23{
36#include "xattr.h" 24 return ((size + blksize - 1) / blksize) * blksize;
25}
37 26
38/** 27/**
39 * f2fs_dir_crypt_complete() - 28 * dir_crypt_complete() -
40 */ 29 */
41static void f2fs_dir_crypt_complete(struct crypto_async_request *req, int res) 30static void dir_crypt_complete(struct crypto_async_request *req, int res)
42{ 31{
43 struct f2fs_completion_result *ecr = req->data; 32 struct fscrypt_completion_result *ecr = req->data;
44 33
45 if (res == -EINPROGRESS) 34 if (res == -EINPROGRESS)
46 return; 35 return;
@@ -48,45 +37,35 @@ static void f2fs_dir_crypt_complete(struct crypto_async_request *req, int res)
48 complete(&ecr->completion); 37 complete(&ecr->completion);
49} 38}
50 39
51bool f2fs_valid_filenames_enc_mode(uint32_t mode)
52{
53 return (mode == F2FS_ENCRYPTION_MODE_AES_256_CTS);
54}
55
56static unsigned max_name_len(struct inode *inode)
57{
58 return S_ISLNK(inode->i_mode) ? inode->i_sb->s_blocksize :
59 F2FS_NAME_LEN;
60}
61
62/** 40/**
63 * f2fs_fname_encrypt() - 41 * fname_encrypt() -
64 * 42 *
65 * This function encrypts the input filename, and returns the length of the 43 * This function encrypts the input filename, and returns the length of the
66 * ciphertext. Errors are returned as negative numbers. We trust the caller to 44 * ciphertext. Errors are returned as negative numbers. We trust the caller to
67 * allocate sufficient memory to oname string. 45 * allocate sufficient memory to oname string.
68 */ 46 */
69static int f2fs_fname_encrypt(struct inode *inode, 47static int fname_encrypt(struct inode *inode,
70 const struct qstr *iname, struct f2fs_str *oname) 48 const struct qstr *iname, struct fscrypt_str *oname)
71{ 49{
72 u32 ciphertext_len; 50 u32 ciphertext_len;
73 struct ablkcipher_request *req = NULL; 51 struct ablkcipher_request *req = NULL;
74 DECLARE_F2FS_COMPLETION_RESULT(ecr); 52 DECLARE_FS_COMPLETION_RESULT(ecr);
75 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info; 53 struct fscrypt_info *ci = inode->i_crypt_info;
76 struct crypto_ablkcipher *tfm = ci->ci_ctfm; 54 struct crypto_ablkcipher *tfm = ci->ci_ctfm;
77 int res = 0; 55 int res = 0;
78 char iv[F2FS_CRYPTO_BLOCK_SIZE]; 56 char iv[FS_CRYPTO_BLOCK_SIZE];
79 struct scatterlist src_sg, dst_sg; 57 struct scatterlist src_sg, dst_sg;
80 int padding = 4 << (ci->ci_flags & F2FS_POLICY_FLAGS_PAD_MASK); 58 int padding = 4 << (ci->ci_flags & FS_POLICY_FLAGS_PAD_MASK);
81 char *workbuf, buf[32], *alloc_buf = NULL; 59 char *workbuf, buf[32], *alloc_buf = NULL;
82 unsigned lim = max_name_len(inode); 60 unsigned lim;
83 61
62 lim = inode->i_sb->s_cop->max_namelen(inode);
84 if (iname->len <= 0 || iname->len > lim) 63 if (iname->len <= 0 || iname->len > lim)
85 return -EIO; 64 return -EIO;
86 65
87 ciphertext_len = (iname->len < F2FS_CRYPTO_BLOCK_SIZE) ? 66 ciphertext_len = (iname->len < FS_CRYPTO_BLOCK_SIZE) ?
88 F2FS_CRYPTO_BLOCK_SIZE : iname->len; 67 FS_CRYPTO_BLOCK_SIZE : iname->len;
89 ciphertext_len = f2fs_fname_crypto_round_up(ciphertext_len, padding); 68 ciphertext_len = size_round_up(ciphertext_len, padding);
90 ciphertext_len = (ciphertext_len > lim) ? lim : ciphertext_len; 69 ciphertext_len = (ciphertext_len > lim) ? lim : ciphertext_len;
91 70
92 if (ciphertext_len <= sizeof(buf)) { 71 if (ciphertext_len <= sizeof(buf)) {
@@ -108,7 +87,7 @@ static int f2fs_fname_encrypt(struct inode *inode,
108 } 87 }
109 ablkcipher_request_set_callback(req, 88 ablkcipher_request_set_callback(req,
110 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 89 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
111 f2fs_dir_crypt_complete, &ecr); 90 dir_crypt_complete, &ecr);
112 91
113 /* Copy the input */ 92 /* Copy the input */
114 memcpy(workbuf, iname->name, iname->len); 93 memcpy(workbuf, iname->name, iname->len);
@@ -116,7 +95,7 @@ static int f2fs_fname_encrypt(struct inode *inode,
116 memset(workbuf + iname->len, 0, ciphertext_len - iname->len); 95 memset(workbuf + iname->len, 0, ciphertext_len - iname->len);
117 96
118 /* Initialize IV */ 97 /* Initialize IV */
119 memset(iv, 0, F2FS_CRYPTO_BLOCK_SIZE); 98 memset(iv, 0, FS_CRYPTO_BLOCK_SIZE);
120 99
121 /* Create encryption request */ 100 /* Create encryption request */
122 sg_init_one(&src_sg, workbuf, ciphertext_len); 101 sg_init_one(&src_sg, workbuf, ciphertext_len);
@@ -129,33 +108,35 @@ static int f2fs_fname_encrypt(struct inode *inode,
129 } 108 }
130 kfree(alloc_buf); 109 kfree(alloc_buf);
131 ablkcipher_request_free(req); 110 ablkcipher_request_free(req);
132 if (res < 0) { 111 if (res < 0)
133 printk_ratelimited(KERN_ERR 112 printk_ratelimited(KERN_ERR
134 "%s: Error (error code %d)\n", __func__, res); 113 "%s: Error (error code %d)\n", __func__, res);
135 } 114
136 oname->len = ciphertext_len; 115 oname->len = ciphertext_len;
137 return res; 116 return res;
138} 117}
139 118
140/* 119/*
141 * f2fs_fname_decrypt() 120 * fname_decrypt()
142 * This function decrypts the input filename, and returns 121 * This function decrypts the input filename, and returns
143 * the length of the plaintext. 122 * the length of the plaintext.
144 * Errors are returned as negative numbers. 123 * Errors are returned as negative numbers.
145 * We trust the caller to allocate sufficient memory to oname string. 124 * We trust the caller to allocate sufficient memory to oname string.
146 */ 125 */
147static int f2fs_fname_decrypt(struct inode *inode, 126static int fname_decrypt(struct inode *inode,
148 const struct f2fs_str *iname, struct f2fs_str *oname) 127 const struct fscrypt_str *iname,
128 struct fscrypt_str *oname)
149{ 129{
150 struct ablkcipher_request *req = NULL; 130 struct ablkcipher_request *req = NULL;
151 DECLARE_F2FS_COMPLETION_RESULT(ecr); 131 DECLARE_FS_COMPLETION_RESULT(ecr);
152 struct scatterlist src_sg, dst_sg; 132 struct scatterlist src_sg, dst_sg;
153 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info; 133 struct fscrypt_info *ci = inode->i_crypt_info;
154 struct crypto_ablkcipher *tfm = ci->ci_ctfm; 134 struct crypto_ablkcipher *tfm = ci->ci_ctfm;
155 int res = 0; 135 int res = 0;
156 char iv[F2FS_CRYPTO_BLOCK_SIZE]; 136 char iv[FS_CRYPTO_BLOCK_SIZE];
157 unsigned lim = max_name_len(inode); 137 unsigned lim;
158 138
139 lim = inode->i_sb->s_cop->max_namelen(inode);
159 if (iname->len <= 0 || iname->len > lim) 140 if (iname->len <= 0 || iname->len > lim)
160 return -EIO; 141 return -EIO;
161 142
@@ -168,10 +149,10 @@ static int f2fs_fname_decrypt(struct inode *inode,
168 } 149 }
169 ablkcipher_request_set_callback(req, 150 ablkcipher_request_set_callback(req,
170 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 151 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
171 f2fs_dir_crypt_complete, &ecr); 152 dir_crypt_complete, &ecr);
172 153
173 /* Initialize IV */ 154 /* Initialize IV */
174 memset(iv, 0, F2FS_CRYPTO_BLOCK_SIZE); 155 memset(iv, 0, FS_CRYPTO_BLOCK_SIZE);
175 156
176 /* Create decryption request */ 157 /* Create decryption request */
177 sg_init_one(&src_sg, iname->name, iname->len); 158 sg_init_one(&src_sg, iname->name, iname->len);
@@ -185,8 +166,7 @@ static int f2fs_fname_decrypt(struct inode *inode,
185 ablkcipher_request_free(req); 166 ablkcipher_request_free(req);
186 if (res < 0) { 167 if (res < 0) {
187 printk_ratelimited(KERN_ERR 168 printk_ratelimited(KERN_ERR
188 "%s: Error in f2fs_fname_decrypt (error code %d)\n", 169 "%s: Error (error code %d)\n", __func__, res);
189 __func__, res);
190 return res; 170 return res;
191 } 171 }
192 172
@@ -198,7 +178,7 @@ static const char *lookup_table =
198 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"; 178 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,";
199 179
200/** 180/**
201 * f2fs_fname_encode_digest() - 181 * digest_encode() -
202 * 182 *
203 * Encodes the input digest using characters from the set [a-zA-Z0-9_+]. 183 * Encodes the input digest using characters from the set [a-zA-Z0-9_+].
204 * The encoded string is roughly 4/3 times the size of the input string. 184 * The encoded string is roughly 4/3 times the size of the input string.
@@ -247,156 +227,152 @@ static int digest_decode(const char *src, int len, char *dst)
247 return cp - dst; 227 return cp - dst;
248} 228}
249 229
250/** 230u32 fscrypt_fname_encrypted_size(struct inode *inode, u32 ilen)
251 * f2fs_fname_crypto_round_up() -
252 *
253 * Return: The next multiple of block size
254 */
255u32 f2fs_fname_crypto_round_up(u32 size, u32 blksize)
256{
257 return ((size + blksize - 1) / blksize) * blksize;
258}
259
260unsigned f2fs_fname_encrypted_size(struct inode *inode, u32 ilen)
261{ 231{
262 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info;
263 int padding = 32; 232 int padding = 32;
233 struct fscrypt_info *ci = inode->i_crypt_info;
264 234
265 if (ci) 235 if (ci)
266 padding = 4 << (ci->ci_flags & F2FS_POLICY_FLAGS_PAD_MASK); 236 padding = 4 << (ci->ci_flags & FS_POLICY_FLAGS_PAD_MASK);
267 if (ilen < F2FS_CRYPTO_BLOCK_SIZE) 237 if (ilen < FS_CRYPTO_BLOCK_SIZE)
268 ilen = F2FS_CRYPTO_BLOCK_SIZE; 238 ilen = FS_CRYPTO_BLOCK_SIZE;
269 return f2fs_fname_crypto_round_up(ilen, padding); 239 return size_round_up(ilen, padding);
270} 240}
241EXPORT_SYMBOL(fscrypt_fname_encrypted_size);
271 242
272/** 243/**
273 * f2fs_fname_crypto_alloc_obuff() - 244 * fscrypt_fname_crypto_alloc_obuff() -
274 * 245 *
275 * Allocates an output buffer that is sufficient for the crypto operation 246 * Allocates an output buffer that is sufficient for the crypto operation
276 * specified by the context and the direction. 247 * specified by the context and the direction.
277 */ 248 */
278int f2fs_fname_crypto_alloc_buffer(struct inode *inode, 249int fscrypt_fname_alloc_buffer(struct inode *inode,
279 u32 ilen, struct f2fs_str *crypto_str) 250 u32 ilen, struct fscrypt_str *crypto_str)
280{ 251{
281 unsigned int olen = f2fs_fname_encrypted_size(inode, ilen); 252 unsigned int olen = fscrypt_fname_encrypted_size(inode, ilen);
282 253
283 crypto_str->len = olen; 254 crypto_str->len = olen;
284 if (olen < F2FS_FNAME_CRYPTO_DIGEST_SIZE * 2) 255 if (olen < FS_FNAME_CRYPTO_DIGEST_SIZE * 2)
285 olen = F2FS_FNAME_CRYPTO_DIGEST_SIZE * 2; 256 olen = FS_FNAME_CRYPTO_DIGEST_SIZE * 2;
286 /* Allocated buffer can hold one more character to null-terminate the 257 /*
287 * string */ 258 * Allocated buffer can hold one more character to null-terminate the
259 * string
260 */
288 crypto_str->name = kmalloc(olen + 1, GFP_NOFS); 261 crypto_str->name = kmalloc(olen + 1, GFP_NOFS);
289 if (!(crypto_str->name)) 262 if (!(crypto_str->name))
290 return -ENOMEM; 263 return -ENOMEM;
291 return 0; 264 return 0;
292} 265}
266EXPORT_SYMBOL(fscrypt_fname_alloc_buffer);
293 267
294/** 268/**
295 * f2fs_fname_crypto_free_buffer() - 269 * fscrypt_fname_crypto_free_buffer() -
296 * 270 *
297 * Frees the buffer allocated for crypto operation. 271 * Frees the buffer allocated for crypto operation.
298 */ 272 */
299void f2fs_fname_crypto_free_buffer(struct f2fs_str *crypto_str) 273void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
300{ 274{
301 if (!crypto_str) 275 if (!crypto_str)
302 return; 276 return;
303 kfree(crypto_str->name); 277 kfree(crypto_str->name);
304 crypto_str->name = NULL; 278 crypto_str->name = NULL;
305} 279}
280EXPORT_SYMBOL(fscrypt_fname_free_buffer);
306 281
307/** 282/**
308 * f2fs_fname_disk_to_usr() - converts a filename from disk space to user space 283 * fscrypt_fname_disk_to_usr() - converts a filename from disk space to user
284 * space
309 */ 285 */
310int f2fs_fname_disk_to_usr(struct inode *inode, 286int fscrypt_fname_disk_to_usr(struct inode *inode,
311 f2fs_hash_t *hash, 287 u32 hash, u32 minor_hash,
312 const struct f2fs_str *iname, 288 const struct fscrypt_str *iname,
313 struct f2fs_str *oname) 289 struct fscrypt_str *oname)
314{ 290{
315 const struct qstr qname = FSTR_TO_QSTR(iname); 291 const struct qstr qname = FSTR_TO_QSTR(iname);
316 char buf[24]; 292 char buf[24];
317 int ret; 293 int ret;
318 294
319 if (is_dot_dotdot(&qname)) { 295 if (fscrypt_is_dot_dotdot(&qname)) {
320 oname->name[0] = '.'; 296 oname->name[0] = '.';
321 oname->name[iname->len - 1] = '.'; 297 oname->name[iname->len - 1] = '.';
322 oname->len = iname->len; 298 oname->len = iname->len;
323 return oname->len; 299 return oname->len;
324 } 300 }
325 if (iname->len < F2FS_CRYPTO_BLOCK_SIZE) { 301
326 printk("encrypted inode too small"); 302 if (iname->len < FS_CRYPTO_BLOCK_SIZE)
327 return -EUCLEAN; 303 return -EUCLEAN;
328 }
329 if (F2FS_I(inode)->i_crypt_info)
330 return f2fs_fname_decrypt(inode, iname, oname);
331 304
332 if (iname->len <= F2FS_FNAME_CRYPTO_DIGEST_SIZE) { 305 if (inode->i_crypt_info)
306 return fname_decrypt(inode, iname, oname);
307
308 if (iname->len <= FS_FNAME_CRYPTO_DIGEST_SIZE) {
333 ret = digest_encode(iname->name, iname->len, oname->name); 309 ret = digest_encode(iname->name, iname->len, oname->name);
334 oname->len = ret; 310 oname->len = ret;
335 return ret; 311 return ret;
336 } 312 }
337 if (hash) { 313 if (hash) {
338 memcpy(buf, hash, 4); 314 memcpy(buf, &hash, 4);
339 memset(buf + 4, 0, 4); 315 memcpy(buf + 4, &minor_hash, 4);
340 } else 316 } else {
341 memset(buf, 0, 8); 317 memset(buf, 0, 8);
318 }
342 memcpy(buf + 8, iname->name + iname->len - 16, 16); 319 memcpy(buf + 8, iname->name + iname->len - 16, 16);
343 oname->name[0] = '_'; 320 oname->name[0] = '_';
344 ret = digest_encode(buf, 24, oname->name + 1); 321 ret = digest_encode(buf, 24, oname->name + 1);
345 oname->len = ret + 1; 322 oname->len = ret + 1;
346 return ret + 1; 323 return ret + 1;
347} 324}
325EXPORT_SYMBOL(fscrypt_fname_disk_to_usr);
348 326
349/** 327/**
350 * f2fs_fname_usr_to_disk() - converts a filename from user space to disk space 328 * fscrypt_fname_usr_to_disk() - converts a filename from user space to disk
329 * space
351 */ 330 */
352int f2fs_fname_usr_to_disk(struct inode *inode, 331int fscrypt_fname_usr_to_disk(struct inode *inode,
353 const struct qstr *iname, 332 const struct qstr *iname,
354 struct f2fs_str *oname) 333 struct fscrypt_str *oname)
355{ 334{
356 int res; 335 if (fscrypt_is_dot_dotdot(iname)) {
357 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info;
358
359 if (is_dot_dotdot(iname)) {
360 oname->name[0] = '.'; 336 oname->name[0] = '.';
361 oname->name[iname->len - 1] = '.'; 337 oname->name[iname->len - 1] = '.';
362 oname->len = iname->len; 338 oname->len = iname->len;
363 return oname->len; 339 return oname->len;
364 } 340 }
365 341 if (inode->i_crypt_info)
366 if (ci) { 342 return fname_encrypt(inode, iname, oname);
367 res = f2fs_fname_encrypt(inode, iname, oname); 343 /*
368 return res; 344 * Without a proper key, a user is not allowed to modify the filenames
369 }
370 /* Without a proper key, a user is not allowed to modify the filenames
371 * in a directory. Consequently, a user space name cannot be mapped to 345 * in a directory. Consequently, a user space name cannot be mapped to
372 * a disk-space name */ 346 * a disk-space name
347 */
373 return -EACCES; 348 return -EACCES;
374} 349}
350EXPORT_SYMBOL(fscrypt_fname_usr_to_disk);
375 351
376int f2fs_fname_setup_filename(struct inode *dir, const struct qstr *iname, 352int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
377 int lookup, struct f2fs_filename *fname) 353 int lookup, struct fscrypt_name *fname)
378{ 354{
379 struct f2fs_crypt_info *ci;
380 int ret = 0, bigname = 0; 355 int ret = 0, bigname = 0;
381 356
382 memset(fname, 0, sizeof(struct f2fs_filename)); 357 memset(fname, 0, sizeof(struct fscrypt_name));
383 fname->usr_fname = iname; 358 fname->usr_fname = iname;
384 359
385 if (!f2fs_encrypted_inode(dir) || is_dot_dotdot(iname)) { 360 if (!dir->i_sb->s_cop->is_encrypted(dir) ||
361 fscrypt_is_dot_dotdot(iname)) {
386 fname->disk_name.name = (unsigned char *)iname->name; 362 fname->disk_name.name = (unsigned char *)iname->name;
387 fname->disk_name.len = iname->len; 363 fname->disk_name.len = iname->len;
388 return 0; 364 return 0;
389 } 365 }
390 ret = f2fs_get_encryption_info(dir); 366 ret = get_crypt_info(dir);
391 if (ret) 367 if (ret && ret != -EOPNOTSUPP)
392 return ret; 368 return ret;
393 ci = F2FS_I(dir)->i_crypt_info; 369
394 if (ci) { 370 if (dir->i_crypt_info) {
395 ret = f2fs_fname_crypto_alloc_buffer(dir, iname->len, 371 ret = fscrypt_fname_alloc_buffer(dir, iname->len,
396 &fname->crypto_buf); 372 &fname->crypto_buf);
397 if (ret < 0) 373 if (ret < 0)
398 return ret; 374 return ret;
399 ret = f2fs_fname_encrypt(dir, iname, &fname->crypto_buf); 375 ret = fname_encrypt(dir, iname, &fname->crypto_buf);
400 if (ret < 0) 376 if (ret < 0)
401 goto errout; 377 goto errout;
402 fname->disk_name.name = fname->crypto_buf.name; 378 fname->disk_name.name = fname->crypto_buf.name;
@@ -406,18 +382,19 @@ int f2fs_fname_setup_filename(struct inode *dir, const struct qstr *iname,
406 if (!lookup) 382 if (!lookup)
407 return -EACCES; 383 return -EACCES;
408 384
409 /* We don't have the key and we are doing a lookup; decode the 385 /*
386 * We don't have the key and we are doing a lookup; decode the
410 * user-supplied name 387 * user-supplied name
411 */ 388 */
412 if (iname->name[0] == '_') 389 if (iname->name[0] == '_')
413 bigname = 1; 390 bigname = 1;
414 if ((bigname && (iname->len != 33)) || 391 if ((bigname && (iname->len != 33)) || (!bigname && (iname->len > 43)))
415 (!bigname && (iname->len > 43)))
416 return -ENOENT; 392 return -ENOENT;
417 393
418 fname->crypto_buf.name = kmalloc(32, GFP_KERNEL); 394 fname->crypto_buf.name = kmalloc(32, GFP_KERNEL);
419 if (fname->crypto_buf.name == NULL) 395 if (fname->crypto_buf.name == NULL)
420 return -ENOMEM; 396 return -ENOMEM;
397
421 ret = digest_decode(iname->name + bigname, iname->len - bigname, 398 ret = digest_decode(iname->name + bigname, iname->len - bigname,
422 fname->crypto_buf.name); 399 fname->crypto_buf.name);
423 if (ret < 0) { 400 if (ret < 0) {
@@ -427,20 +404,24 @@ int f2fs_fname_setup_filename(struct inode *dir, const struct qstr *iname,
427 fname->crypto_buf.len = ret; 404 fname->crypto_buf.len = ret;
428 if (bigname) { 405 if (bigname) {
429 memcpy(&fname->hash, fname->crypto_buf.name, 4); 406 memcpy(&fname->hash, fname->crypto_buf.name, 4);
407 memcpy(&fname->minor_hash, fname->crypto_buf.name + 4, 4);
430 } else { 408 } else {
431 fname->disk_name.name = fname->crypto_buf.name; 409 fname->disk_name.name = fname->crypto_buf.name;
432 fname->disk_name.len = fname->crypto_buf.len; 410 fname->disk_name.len = fname->crypto_buf.len;
433 } 411 }
434 return 0; 412 return 0;
413
435errout: 414errout:
436 f2fs_fname_crypto_free_buffer(&fname->crypto_buf); 415 fscrypt_fname_free_buffer(&fname->crypto_buf);
437 return ret; 416 return ret;
438} 417}
418EXPORT_SYMBOL(fscrypt_setup_filename);
439 419
440void f2fs_fname_free_filename(struct f2fs_filename *fname) 420void fscrypt_free_filename(struct fscrypt_name *fname)
441{ 421{
442 kfree(fname->crypto_buf.name); 422 kfree(fname->crypto_buf.name);
443 fname->crypto_buf.name = NULL; 423 fname->crypto_buf.name = NULL;
444 fname->usr_fname = NULL; 424 fname->usr_fname = NULL;
445 fname->disk_name.name = NULL; 425 fname->disk_name.name = NULL;
446} 426}
427EXPORT_SYMBOL(fscrypt_free_filename);
diff --git a/fs/f2fs/crypto_key.c b/fs/crypto/keyinfo.c
index 9094fca692fb..cb618425b73c 100644
--- a/fs/f2fs/crypto_key.c
+++ b/fs/crypto/keyinfo.c
@@ -1,28 +1,24 @@
1/* 1/*
2 * linux/fs/f2fs/crypto_key.c 2 * key management facility for FS encryption support.
3 *
4 * Copied from linux/fs/f2fs/crypto_key.c
5 * 3 *
6 * Copyright (C) 2015, Google, Inc. 4 * Copyright (C) 2015, Google, Inc.
7 * 5 *
8 * This contains encryption key functions for f2fs 6 * This contains encryption key functions.
9 * 7 *
10 * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. 8 * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
11 */ 9 */
10
12#include <keys/encrypted-type.h> 11#include <keys/encrypted-type.h>
13#include <keys/user-type.h> 12#include <keys/user-type.h>
14#include <linux/random.h> 13#include <linux/random.h>
15#include <linux/scatterlist.h> 14#include <linux/scatterlist.h>
16#include <uapi/linux/keyctl.h> 15#include <uapi/linux/keyctl.h>
17#include <crypto/hash.h> 16#include <crypto/hash.h>
18#include <linux/f2fs_fs.h> 17#include <linux/fscrypto.h>
19
20#include "f2fs.h"
21#include "xattr.h"
22 18
23static void derive_crypt_complete(struct crypto_async_request *req, int rc) 19static void derive_crypt_complete(struct crypto_async_request *req, int rc)
24{ 20{
25 struct f2fs_completion_result *ecr = req->data; 21 struct fscrypt_completion_result *ecr = req->data;
26 22
27 if (rc == -EINPROGRESS) 23 if (rc == -EINPROGRESS)
28 return; 24 return;
@@ -32,20 +28,20 @@ static void derive_crypt_complete(struct crypto_async_request *req, int rc)
32} 28}
33 29
34/** 30/**
35 * f2fs_derive_key_aes() - Derive a key using AES-128-ECB 31 * derive_key_aes() - Derive a key using AES-128-ECB
36 * @deriving_key: Encryption key used for derivation. 32 * @deriving_key: Encryption key used for derivation.
37 * @source_key: Source key to which to apply derivation. 33 * @source_key: Source key to which to apply derivation.
38 * @derived_key: Derived key. 34 * @derived_key: Derived key.
39 * 35 *
40 * Return: Zero on success; non-zero otherwise. 36 * Return: Zero on success; non-zero otherwise.
41 */ 37 */
42static int f2fs_derive_key_aes(char deriving_key[F2FS_AES_128_ECB_KEY_SIZE], 38static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
43 char source_key[F2FS_AES_256_XTS_KEY_SIZE], 39 u8 source_key[FS_AES_256_XTS_KEY_SIZE],
44 char derived_key[F2FS_AES_256_XTS_KEY_SIZE]) 40 u8 derived_key[FS_AES_256_XTS_KEY_SIZE])
45{ 41{
46 int res = 0; 42 int res = 0;
47 struct ablkcipher_request *req = NULL; 43 struct ablkcipher_request *req = NULL;
48 DECLARE_F2FS_COMPLETION_RESULT(ecr); 44 DECLARE_FS_COMPLETION_RESULT(ecr);
49 struct scatterlist src_sg, dst_sg; 45 struct scatterlist src_sg, dst_sg;
50 struct crypto_ablkcipher *tfm = crypto_alloc_ablkcipher("ecb(aes)", 0, 46 struct crypto_ablkcipher *tfm = crypto_alloc_ablkcipher("ecb(aes)", 0,
51 0); 47 0);
@@ -65,14 +61,14 @@ static int f2fs_derive_key_aes(char deriving_key[F2FS_AES_128_ECB_KEY_SIZE],
65 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 61 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
66 derive_crypt_complete, &ecr); 62 derive_crypt_complete, &ecr);
67 res = crypto_ablkcipher_setkey(tfm, deriving_key, 63 res = crypto_ablkcipher_setkey(tfm, deriving_key,
68 F2FS_AES_128_ECB_KEY_SIZE); 64 FS_AES_128_ECB_KEY_SIZE);
69 if (res < 0) 65 if (res < 0)
70 goto out; 66 goto out;
71 67
72 sg_init_one(&src_sg, source_key, F2FS_AES_256_XTS_KEY_SIZE); 68 sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE);
73 sg_init_one(&dst_sg, derived_key, F2FS_AES_256_XTS_KEY_SIZE); 69 sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE);
74 ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, 70 ablkcipher_request_set_crypt(req, &src_sg, &dst_sg,
75 F2FS_AES_256_XTS_KEY_SIZE, NULL); 71 FS_AES_256_XTS_KEY_SIZE, NULL);
76 res = crypto_ablkcipher_encrypt(req); 72 res = crypto_ablkcipher_encrypt(req);
77 if (res == -EINPROGRESS || res == -EBUSY) { 73 if (res == -EINPROGRESS || res == -EBUSY) {
78 wait_for_completion(&ecr.completion); 74 wait_for_completion(&ecr.completion);
@@ -86,71 +82,61 @@ out:
86 return res; 82 return res;
87} 83}
88 84
89static void f2fs_free_crypt_info(struct f2fs_crypt_info *ci) 85static void put_crypt_info(struct fscrypt_info *ci)
90{ 86{
91 if (!ci) 87 if (!ci)
92 return; 88 return;
93 89
94 key_put(ci->ci_keyring_key); 90 if (ci->ci_keyring_key)
91 key_put(ci->ci_keyring_key);
95 crypto_free_ablkcipher(ci->ci_ctfm); 92 crypto_free_ablkcipher(ci->ci_ctfm);
96 kmem_cache_free(f2fs_crypt_info_cachep, ci); 93 kmem_cache_free(fscrypt_info_cachep, ci);
97}
98
99void f2fs_free_encryption_info(struct inode *inode, struct f2fs_crypt_info *ci)
100{
101 struct f2fs_inode_info *fi = F2FS_I(inode);
102 struct f2fs_crypt_info *prev;
103
104 if (ci == NULL)
105 ci = ACCESS_ONCE(fi->i_crypt_info);
106 if (ci == NULL)
107 return;
108 prev = cmpxchg(&fi->i_crypt_info, ci, NULL);
109 if (prev != ci)
110 return;
111
112 f2fs_free_crypt_info(ci);
113} 94}
114 95
115int _f2fs_get_encryption_info(struct inode *inode) 96int get_crypt_info(struct inode *inode)
116{ 97{
117 struct f2fs_inode_info *fi = F2FS_I(inode); 98 struct fscrypt_info *crypt_info;
118 struct f2fs_crypt_info *crypt_info; 99 u8 full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
119 char full_key_descriptor[F2FS_KEY_DESC_PREFIX_SIZE + 100 (FS_KEY_DESCRIPTOR_SIZE * 2) + 1];
120 (F2FS_KEY_DESCRIPTOR_SIZE * 2) + 1];
121 struct key *keyring_key = NULL; 101 struct key *keyring_key = NULL;
122 struct f2fs_encryption_key *master_key; 102 struct fscrypt_key *master_key;
123 struct f2fs_encryption_context ctx; 103 struct fscrypt_context ctx;
124 const struct user_key_payload *ukp; 104 const struct user_key_payload *ukp;
125 struct crypto_ablkcipher *ctfm; 105 struct crypto_ablkcipher *ctfm;
126 const char *cipher_str; 106 const char *cipher_str;
127 char raw_key[F2FS_MAX_KEY_SIZE]; 107 u8 raw_key[FS_MAX_KEY_SIZE];
128 char mode; 108 u8 mode;
129 int res; 109 int res;
130 110
131 res = f2fs_crypto_initialize(); 111 res = fscrypt_initialize();
132 if (res) 112 if (res)
133 return res; 113 return res;
114
115 if (!inode->i_sb->s_cop->get_context)
116 return -EOPNOTSUPP;
134retry: 117retry:
135 crypt_info = ACCESS_ONCE(fi->i_crypt_info); 118 crypt_info = ACCESS_ONCE(inode->i_crypt_info);
136 if (crypt_info) { 119 if (crypt_info) {
137 if (!crypt_info->ci_keyring_key || 120 if (!crypt_info->ci_keyring_key ||
138 key_validate(crypt_info->ci_keyring_key) == 0) 121 key_validate(crypt_info->ci_keyring_key) == 0)
139 return 0; 122 return 0;
140 f2fs_free_encryption_info(inode, crypt_info); 123 fscrypt_put_encryption_info(inode, crypt_info);
141 goto retry; 124 goto retry;
142 } 125 }
143 126
144 res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION, 127 res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
145 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT, 128 if (res < 0) {
146 &ctx, sizeof(ctx), NULL); 129 if (!fscrypt_dummy_context_enabled(inode))
147 if (res < 0) 130 return res;
148 return res; 131 ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
149 else if (res != sizeof(ctx)) 132 ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
133 ctx.flags = 0;
134 } else if (res != sizeof(ctx)) {
150 return -EINVAL; 135 return -EINVAL;
136 }
151 res = 0; 137 res = 0;
152 138
153 crypt_info = kmem_cache_alloc(f2fs_crypt_info_cachep, GFP_NOFS); 139 crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS);
154 if (!crypt_info) 140 if (!crypt_info)
155 return -ENOMEM; 141 return -ENOMEM;
156 142
@@ -169,27 +155,30 @@ retry:
169 BUG(); 155 BUG();
170 156
171 switch (mode) { 157 switch (mode) {
172 case F2FS_ENCRYPTION_MODE_AES_256_XTS: 158 case FS_ENCRYPTION_MODE_AES_256_XTS:
173 cipher_str = "xts(aes)"; 159 cipher_str = "xts(aes)";
174 break; 160 break;
175 case F2FS_ENCRYPTION_MODE_AES_256_CTS: 161 case FS_ENCRYPTION_MODE_AES_256_CTS:
176 cipher_str = "cts(cbc(aes))"; 162 cipher_str = "cts(cbc(aes))";
177 break; 163 break;
178 default: 164 default:
179 printk_once(KERN_WARNING 165 printk_once(KERN_WARNING
180 "f2fs: unsupported key mode %d (ino %u)\n", 166 "%s: unsupported key mode %d (ino %u)\n",
181 mode, (unsigned) inode->i_ino); 167 __func__, mode, (unsigned) inode->i_ino);
182 res = -ENOKEY; 168 res = -ENOKEY;
183 goto out; 169 goto out;
184 } 170 }
185 171 if (fscrypt_dummy_context_enabled(inode)) {
186 memcpy(full_key_descriptor, F2FS_KEY_DESC_PREFIX, 172 memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE);
187 F2FS_KEY_DESC_PREFIX_SIZE); 173 goto got_key;
188 sprintf(full_key_descriptor + F2FS_KEY_DESC_PREFIX_SIZE, 174 }
189 "%*phN", F2FS_KEY_DESCRIPTOR_SIZE, 175 memcpy(full_key_descriptor, FS_KEY_DESC_PREFIX,
176 FS_KEY_DESC_PREFIX_SIZE);
177 sprintf(full_key_descriptor + FS_KEY_DESC_PREFIX_SIZE,
178 "%*phN", FS_KEY_DESCRIPTOR_SIZE,
190 ctx.master_key_descriptor); 179 ctx.master_key_descriptor);
191 full_key_descriptor[F2FS_KEY_DESC_PREFIX_SIZE + 180 full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
192 (2 * F2FS_KEY_DESCRIPTOR_SIZE)] = '\0'; 181 (2 * FS_KEY_DESCRIPTOR_SIZE)] = '\0';
193 keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL); 182 keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL);
194 if (IS_ERR(keyring_key)) { 183 if (IS_ERR(keyring_key)) {
195 res = PTR_ERR(keyring_key); 184 res = PTR_ERR(keyring_key);
@@ -198,34 +187,34 @@ retry:
198 } 187 }
199 crypt_info->ci_keyring_key = keyring_key; 188 crypt_info->ci_keyring_key = keyring_key;
200 if (keyring_key->type != &key_type_logon) { 189 if (keyring_key->type != &key_type_logon) {
201 printk_once(KERN_WARNING "f2fs: key type must be logon\n"); 190 printk_once(KERN_WARNING
191 "%s: key type must be logon\n", __func__);
202 res = -ENOKEY; 192 res = -ENOKEY;
203 goto out; 193 goto out;
204 } 194 }
205 down_read(&keyring_key->sem); 195 down_read(&keyring_key->sem);
206 ukp = user_key_payload(keyring_key); 196 ukp = user_key_payload(keyring_key);
207 if (ukp->datalen != sizeof(struct f2fs_encryption_key)) { 197 if (ukp->datalen != sizeof(struct fscrypt_key)) {
208 res = -EINVAL; 198 res = -EINVAL;
209 up_read(&keyring_key->sem); 199 up_read(&keyring_key->sem);
210 goto out; 200 goto out;
211 } 201 }
212 master_key = (struct f2fs_encryption_key *)ukp->data; 202 master_key = (struct fscrypt_key *)ukp->data;
213 BUILD_BUG_ON(F2FS_AES_128_ECB_KEY_SIZE != 203 BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);
214 F2FS_KEY_DERIVATION_NONCE_SIZE); 204
215 if (master_key->size != F2FS_AES_256_XTS_KEY_SIZE) { 205 if (master_key->size != FS_AES_256_XTS_KEY_SIZE) {
216 printk_once(KERN_WARNING 206 printk_once(KERN_WARNING
217 "f2fs: key size incorrect: %d\n", 207 "%s: key size incorrect: %d\n",
218 master_key->size); 208 __func__, master_key->size);
219 res = -ENOKEY; 209 res = -ENOKEY;
220 up_read(&keyring_key->sem); 210 up_read(&keyring_key->sem);
221 goto out; 211 goto out;
222 } 212 }
223 res = f2fs_derive_key_aes(ctx.nonce, master_key->raw, 213 res = derive_key_aes(ctx.nonce, master_key->raw, raw_key);
224 raw_key);
225 up_read(&keyring_key->sem); 214 up_read(&keyring_key->sem);
226 if (res) 215 if (res)
227 goto out; 216 goto out;
228 217got_key:
229 ctfm = crypto_alloc_ablkcipher(cipher_str, 0, 0); 218 ctfm = crypto_alloc_ablkcipher(cipher_str, 0, 0);
230 if (!ctfm || IS_ERR(ctfm)) { 219 if (!ctfm || IS_ERR(ctfm)) {
231 res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; 220 res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
@@ -237,31 +226,53 @@ retry:
237 crypt_info->ci_ctfm = ctfm; 226 crypt_info->ci_ctfm = ctfm;
238 crypto_ablkcipher_clear_flags(ctfm, ~0); 227 crypto_ablkcipher_clear_flags(ctfm, ~0);
239 crypto_tfm_set_flags(crypto_ablkcipher_tfm(ctfm), 228 crypto_tfm_set_flags(crypto_ablkcipher_tfm(ctfm),
240 CRYPTO_TFM_REQ_WEAK_KEY); 229 CRYPTO_TFM_REQ_WEAK_KEY);
241 res = crypto_ablkcipher_setkey(ctfm, raw_key, 230 res = crypto_ablkcipher_setkey(ctfm, raw_key, fscrypt_key_size(mode));
242 f2fs_encryption_key_size(mode));
243 if (res) 231 if (res)
244 goto out; 232 goto out;
245 233
246 memzero_explicit(raw_key, sizeof(raw_key)); 234 memzero_explicit(raw_key, sizeof(raw_key));
247 if (cmpxchg(&fi->i_crypt_info, NULL, crypt_info) != NULL) { 235 if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
248 f2fs_free_crypt_info(crypt_info); 236 put_crypt_info(crypt_info);
249 goto retry; 237 goto retry;
250 } 238 }
251 return 0; 239 return 0;
252 240
253out: 241out:
254 if (res == -ENOKEY && !S_ISREG(inode->i_mode)) 242 if (res == -ENOKEY)
255 res = 0; 243 res = 0;
256 244 put_crypt_info(crypt_info);
257 f2fs_free_crypt_info(crypt_info);
258 memzero_explicit(raw_key, sizeof(raw_key)); 245 memzero_explicit(raw_key, sizeof(raw_key));
259 return res; 246 return res;
260} 247}
261 248
262int f2fs_has_encryption_key(struct inode *inode) 249void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
263{ 250{
264 struct f2fs_inode_info *fi = F2FS_I(inode); 251 struct fscrypt_info *prev;
252
253 if (ci == NULL)
254 ci = ACCESS_ONCE(inode->i_crypt_info);
255 if (ci == NULL)
256 return;
265 257
266 return (fi->i_crypt_info != NULL); 258 prev = cmpxchg(&inode->i_crypt_info, ci, NULL);
259 if (prev != ci)
260 return;
261
262 put_crypt_info(ci);
263}
264EXPORT_SYMBOL(fscrypt_put_encryption_info);
265
266int fscrypt_get_encryption_info(struct inode *inode)
267{
268 struct fscrypt_info *ci = inode->i_crypt_info;
269
270 if (!ci ||
271 (ci->ci_keyring_key &&
272 (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
273 (1 << KEY_FLAG_REVOKED) |
274 (1 << KEY_FLAG_DEAD)))))
275 return get_crypt_info(inode);
276 return 0;
267} 277}
278EXPORT_SYMBOL(fscrypt_get_encryption_info);
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
new file mode 100644
index 000000000000..0f9961eede1e
--- /dev/null
+++ b/fs/crypto/policy.c
@@ -0,0 +1,229 @@
1/*
2 * Encryption policy functions for per-file encryption support.
3 *
4 * Copyright (C) 2015, Google, Inc.
5 * Copyright (C) 2015, Motorola Mobility.
6 *
7 * Written by Michael Halcrow, 2015.
8 * Modified by Jaegeuk Kim, 2015.
9 */
10
11#include <linux/random.h>
12#include <linux/string.h>
13#include <linux/fscrypto.h>
14
15static int inode_has_encryption_context(struct inode *inode)
16{
17 if (!inode->i_sb->s_cop->get_context)
18 return 0;
19 return (inode->i_sb->s_cop->get_context(inode, NULL, 0L) > 0);
20}
21
22/*
23 * check whether the policy is consistent with the encryption context
24 * for the inode
25 */
26static int is_encryption_context_consistent_with_policy(struct inode *inode,
27 const struct fscrypt_policy *policy)
28{
29 struct fscrypt_context ctx;
30 int res;
31
32 if (!inode->i_sb->s_cop->get_context)
33 return 0;
34
35 res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
36 if (res != sizeof(ctx))
37 return 0;
38
39 return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
40 FS_KEY_DESCRIPTOR_SIZE) == 0 &&
41 (ctx.flags == policy->flags) &&
42 (ctx.contents_encryption_mode ==
43 policy->contents_encryption_mode) &&
44 (ctx.filenames_encryption_mode ==
45 policy->filenames_encryption_mode));
46}
47
48static int create_encryption_context_from_policy(struct inode *inode,
49 const struct fscrypt_policy *policy)
50{
51 struct fscrypt_context ctx;
52 int res;
53
54 if (!inode->i_sb->s_cop->set_context)
55 return -EOPNOTSUPP;
56
57 if (inode->i_sb->s_cop->prepare_context) {
58 res = inode->i_sb->s_cop->prepare_context(inode);
59 if (res)
60 return res;
61 }
62
63 ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
64 memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
65 FS_KEY_DESCRIPTOR_SIZE);
66
67 if (!fscrypt_valid_contents_enc_mode(
68 policy->contents_encryption_mode)) {
69 printk(KERN_WARNING
70 "%s: Invalid contents encryption mode %d\n", __func__,
71 policy->contents_encryption_mode);
72 return -EINVAL;
73 }
74
75 if (!fscrypt_valid_filenames_enc_mode(
76 policy->filenames_encryption_mode)) {
77 printk(KERN_WARNING
78 "%s: Invalid filenames encryption mode %d\n", __func__,
79 policy->filenames_encryption_mode);
80 return -EINVAL;
81 }
82
83 if (policy->flags & ~FS_POLICY_FLAGS_VALID)
84 return -EINVAL;
85
86 ctx.contents_encryption_mode = policy->contents_encryption_mode;
87 ctx.filenames_encryption_mode = policy->filenames_encryption_mode;
88 ctx.flags = policy->flags;
89 BUILD_BUG_ON(sizeof(ctx.nonce) != FS_KEY_DERIVATION_NONCE_SIZE);
90 get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
91
92 return inode->i_sb->s_cop->set_context(inode, &ctx, sizeof(ctx), NULL);
93}
94
95int fscrypt_process_policy(struct inode *inode,
96 const struct fscrypt_policy *policy)
97{
98 if (policy->version != 0)
99 return -EINVAL;
100
101 if (!inode_has_encryption_context(inode)) {
102 if (!inode->i_sb->s_cop->empty_dir)
103 return -EOPNOTSUPP;
104 if (!inode->i_sb->s_cop->empty_dir(inode))
105 return -ENOTEMPTY;
106 return create_encryption_context_from_policy(inode, policy);
107 }
108
109 if (is_encryption_context_consistent_with_policy(inode, policy))
110 return 0;
111
112 printk(KERN_WARNING "%s: Policy inconsistent with encryption context\n",
113 __func__);
114 return -EINVAL;
115}
116EXPORT_SYMBOL(fscrypt_process_policy);
117
118int fscrypt_get_policy(struct inode *inode, struct fscrypt_policy *policy)
119{
120 struct fscrypt_context ctx;
121 int res;
122
123 if (!inode->i_sb->s_cop->get_context ||
124 !inode->i_sb->s_cop->is_encrypted(inode))
125 return -ENODATA;
126
127 res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
128 if (res != sizeof(ctx))
129 return -ENODATA;
130 if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1)
131 return -EINVAL;
132
133 policy->version = 0;
134 policy->contents_encryption_mode = ctx.contents_encryption_mode;
135 policy->filenames_encryption_mode = ctx.filenames_encryption_mode;
136 policy->flags = ctx.flags;
137 memcpy(&policy->master_key_descriptor, ctx.master_key_descriptor,
138 FS_KEY_DESCRIPTOR_SIZE);
139 return 0;
140}
141EXPORT_SYMBOL(fscrypt_get_policy);
142
143int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
144{
145 struct fscrypt_info *parent_ci, *child_ci;
146 int res;
147
148 if ((parent == NULL) || (child == NULL)) {
149 printk(KERN_ERR "parent %p child %p\n", parent, child);
150 BUG_ON(1);
151 }
152
153 /* no restrictions if the parent directory is not encrypted */
154 if (!parent->i_sb->s_cop->is_encrypted(parent))
155 return 1;
156 /* if the child directory is not encrypted, this is always a problem */
157 if (!parent->i_sb->s_cop->is_encrypted(child))
158 return 0;
159 res = fscrypt_get_encryption_info(parent);
160 if (res)
161 return 0;
162 res = fscrypt_get_encryption_info(child);
163 if (res)
164 return 0;
165 parent_ci = parent->i_crypt_info;
166 child_ci = child->i_crypt_info;
167 if (!parent_ci && !child_ci)
168 return 1;
169 if (!parent_ci || !child_ci)
170 return 0;
171
172 return (memcmp(parent_ci->ci_master_key,
173 child_ci->ci_master_key,
174 FS_KEY_DESCRIPTOR_SIZE) == 0 &&
175 (parent_ci->ci_data_mode == child_ci->ci_data_mode) &&
176 (parent_ci->ci_filename_mode == child_ci->ci_filename_mode) &&
177 (parent_ci->ci_flags == child_ci->ci_flags));
178}
179EXPORT_SYMBOL(fscrypt_has_permitted_context);
180
181/**
182 * fscrypt_inherit_context() - Sets a child context from its parent
183 * @parent: Parent inode from which the context is inherited.
184 * @child: Child inode that inherits the context from @parent.
185 * @fs_data: private data given by FS.
186 * @preload: preload child i_crypt_info
187 *
188 * Return: Zero on success, non-zero otherwise
189 */
190int fscrypt_inherit_context(struct inode *parent, struct inode *child,
191 void *fs_data, bool preload)
192{
193 struct fscrypt_context ctx;
194 struct fscrypt_info *ci;
195 int res;
196
197 if (!parent->i_sb->s_cop->set_context)
198 return -EOPNOTSUPP;
199
200 res = fscrypt_get_encryption_info(parent);
201 if (res < 0)
202 return res;
203
204 ci = parent->i_crypt_info;
205 if (ci == NULL)
206 return -ENOKEY;
207
208 ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
209 if (fscrypt_dummy_context_enabled(parent)) {
210 ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
211 ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
212 ctx.flags = 0;
213 memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE);
214 res = 0;
215 } else {
216 ctx.contents_encryption_mode = ci->ci_data_mode;
217 ctx.filenames_encryption_mode = ci->ci_filename_mode;
218 ctx.flags = ci->ci_flags;
219 memcpy(ctx.master_key_descriptor, ci->ci_master_key,
220 FS_KEY_DESCRIPTOR_SIZE);
221 }
222 get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
223 res = parent->i_sb->s_cop->set_context(child, &ctx,
224 sizeof(ctx), fs_data);
225 if (res)
226 return res;
227 return preload ? fscrypt_get_encryption_info(child): 0;
228}
229EXPORT_SYMBOL(fscrypt_inherit_context);
diff --git a/fs/f2fs/Kconfig b/fs/f2fs/Kconfig
index b0a9dc929f88..402792bae503 100644
--- a/fs/f2fs/Kconfig
+++ b/fs/f2fs/Kconfig
@@ -76,15 +76,7 @@ config F2FS_FS_ENCRYPTION
76 bool "F2FS Encryption" 76 bool "F2FS Encryption"
77 depends on F2FS_FS 77 depends on F2FS_FS
78 depends on F2FS_FS_XATTR 78 depends on F2FS_FS_XATTR
79 select CRYPTO_AES 79 select FS_ENCRYPTION
80 select CRYPTO_CBC
81 select CRYPTO_ECB
82 select CRYPTO_XTS
83 select CRYPTO_CTS
84 select CRYPTO_CTR
85 select CRYPTO_SHA256
86 select KEYS
87 select ENCRYPTED_KEYS
88 help 80 help
89 Enable encryption of f2fs files and directories. This 81 Enable encryption of f2fs files and directories. This
90 feature is similar to ecryptfs, but it is more memory 82 feature is similar to ecryptfs, but it is more memory
diff --git a/fs/f2fs/Makefile b/fs/f2fs/Makefile
index 08e101ed914c..ca949ea7c02f 100644
--- a/fs/f2fs/Makefile
+++ b/fs/f2fs/Makefile
@@ -7,5 +7,3 @@ f2fs-$(CONFIG_F2FS_STAT_FS) += debug.o
7f2fs-$(CONFIG_F2FS_FS_XATTR) += xattr.o 7f2fs-$(CONFIG_F2FS_FS_XATTR) += xattr.o
8f2fs-$(CONFIG_F2FS_FS_POSIX_ACL) += acl.o 8f2fs-$(CONFIG_F2FS_FS_POSIX_ACL) += acl.o
9f2fs-$(CONFIG_F2FS_IO_TRACE) += trace.o 9f2fs-$(CONFIG_F2FS_IO_TRACE) += trace.o
10f2fs-$(CONFIG_F2FS_FS_ENCRYPTION) += crypto_policy.o crypto.o \
11 crypto_key.o crypto_fname.o
diff --git a/fs/f2fs/crypto.c b/fs/f2fs/crypto.c
deleted file mode 100644
index 3ef37868d0c7..000000000000
--- a/fs/f2fs/crypto.c
+++ /dev/null
@@ -1,473 +0,0 @@
1/*
2 * linux/fs/f2fs/crypto.c
3 *
4 * Copied from linux/fs/ext4/crypto.c
5 *
6 * Copyright (C) 2015, Google, Inc.
7 * Copyright (C) 2015, Motorola Mobility
8 *
9 * This contains encryption functions for f2fs
10 *
11 * Written by Michael Halcrow, 2014.
12 *
13 * Filename encryption additions
14 * Uday Savagaonkar, 2014
15 * Encryption policy handling additions
16 * Ildar Muslukhov, 2014
17 * Remove ext4_encrypted_zeroout(),
18 * add f2fs_restore_and_release_control_page()
19 * Jaegeuk Kim, 2015.
20 *
21 * This has not yet undergone a rigorous security audit.
22 *
23 * The usage of AES-XTS should conform to recommendations in NIST
24 * Special Publication 800-38E and IEEE P1619/D16.
25 */
26#include <crypto/hash.h>
27#include <crypto/sha.h>
28#include <keys/user-type.h>
29#include <keys/encrypted-type.h>
30#include <linux/crypto.h>
31#include <linux/ecryptfs.h>
32#include <linux/gfp.h>
33#include <linux/kernel.h>
34#include <linux/key.h>
35#include <linux/list.h>
36#include <linux/mempool.h>
37#include <linux/module.h>
38#include <linux/mutex.h>
39#include <linux/random.h>
40#include <linux/scatterlist.h>
41#include <linux/spinlock_types.h>
42#include <linux/f2fs_fs.h>
43#include <linux/ratelimit.h>
44#include <linux/bio.h>
45
46#include "f2fs.h"
47#include "xattr.h"
48
49/* Encryption added and removed here! (L: */
50
51static unsigned int num_prealloc_crypto_pages = 32;
52static unsigned int num_prealloc_crypto_ctxs = 128;
53
54module_param(num_prealloc_crypto_pages, uint, 0444);
55MODULE_PARM_DESC(num_prealloc_crypto_pages,
56 "Number of crypto pages to preallocate");
57module_param(num_prealloc_crypto_ctxs, uint, 0444);
58MODULE_PARM_DESC(num_prealloc_crypto_ctxs,
59 "Number of crypto contexts to preallocate");
60
61static mempool_t *f2fs_bounce_page_pool;
62
63static LIST_HEAD(f2fs_free_crypto_ctxs);
64static DEFINE_SPINLOCK(f2fs_crypto_ctx_lock);
65
66static struct workqueue_struct *f2fs_read_workqueue;
67static DEFINE_MUTEX(crypto_init);
68
69static struct kmem_cache *f2fs_crypto_ctx_cachep;
70struct kmem_cache *f2fs_crypt_info_cachep;
71
72/**
73 * f2fs_release_crypto_ctx() - Releases an encryption context
74 * @ctx: The encryption context to release.
75 *
76 * If the encryption context was allocated from the pre-allocated pool, returns
77 * it to that pool. Else, frees it.
78 *
79 * If there's a bounce page in the context, this frees that.
80 */
81void f2fs_release_crypto_ctx(struct f2fs_crypto_ctx *ctx)
82{
83 unsigned long flags;
84
85 if (ctx->flags & F2FS_WRITE_PATH_FL && ctx->w.bounce_page) {
86 mempool_free(ctx->w.bounce_page, f2fs_bounce_page_pool);
87 ctx->w.bounce_page = NULL;
88 }
89 ctx->w.control_page = NULL;
90 if (ctx->flags & F2FS_CTX_REQUIRES_FREE_ENCRYPT_FL) {
91 kmem_cache_free(f2fs_crypto_ctx_cachep, ctx);
92 } else {
93 spin_lock_irqsave(&f2fs_crypto_ctx_lock, flags);
94 list_add(&ctx->free_list, &f2fs_free_crypto_ctxs);
95 spin_unlock_irqrestore(&f2fs_crypto_ctx_lock, flags);
96 }
97}
98
99/**
100 * f2fs_get_crypto_ctx() - Gets an encryption context
101 * @inode: The inode for which we are doing the crypto
102 *
103 * Allocates and initializes an encryption context.
104 *
105 * Return: An allocated and initialized encryption context on success; error
106 * value or NULL otherwise.
107 */
108struct f2fs_crypto_ctx *f2fs_get_crypto_ctx(struct inode *inode)
109{
110 struct f2fs_crypto_ctx *ctx = NULL;
111 unsigned long flags;
112 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info;
113
114 if (ci == NULL)
115 return ERR_PTR(-ENOKEY);
116
117 /*
118 * We first try getting the ctx from a free list because in
119 * the common case the ctx will have an allocated and
120 * initialized crypto tfm, so it's probably a worthwhile
121 * optimization. For the bounce page, we first try getting it
122 * from the kernel allocator because that's just about as fast
123 * as getting it from a list and because a cache of free pages
124 * should generally be a "last resort" option for a filesystem
125 * to be able to do its job.
126 */
127 spin_lock_irqsave(&f2fs_crypto_ctx_lock, flags);
128 ctx = list_first_entry_or_null(&f2fs_free_crypto_ctxs,
129 struct f2fs_crypto_ctx, free_list);
130 if (ctx)
131 list_del(&ctx->free_list);
132 spin_unlock_irqrestore(&f2fs_crypto_ctx_lock, flags);
133 if (!ctx) {
134 ctx = kmem_cache_zalloc(f2fs_crypto_ctx_cachep, GFP_NOFS);
135 if (!ctx)
136 return ERR_PTR(-ENOMEM);
137 ctx->flags |= F2FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
138 } else {
139 ctx->flags &= ~F2FS_CTX_REQUIRES_FREE_ENCRYPT_FL;
140 }
141 ctx->flags &= ~F2FS_WRITE_PATH_FL;
142 return ctx;
143}
144
145/*
146 * Call f2fs_decrypt on every single page, reusing the encryption
147 * context.
148 */
149static void completion_pages(struct work_struct *work)
150{
151 struct f2fs_crypto_ctx *ctx =
152 container_of(work, struct f2fs_crypto_ctx, r.work);
153 struct bio *bio = ctx->r.bio;
154 struct bio_vec *bv;
155 int i;
156
157 bio_for_each_segment_all(bv, bio, i) {
158 struct page *page = bv->bv_page;
159 int ret = f2fs_decrypt(page);
160
161 if (ret) {
162 WARN_ON_ONCE(1);
163 SetPageError(page);
164 } else
165 SetPageUptodate(page);
166 unlock_page(page);
167 }
168 f2fs_release_crypto_ctx(ctx);
169 bio_put(bio);
170}
171
172void f2fs_end_io_crypto_work(struct f2fs_crypto_ctx *ctx, struct bio *bio)
173{
174 INIT_WORK(&ctx->r.work, completion_pages);
175 ctx->r.bio = bio;
176 queue_work(f2fs_read_workqueue, &ctx->r.work);
177}
178
179static void f2fs_crypto_destroy(void)
180{
181 struct f2fs_crypto_ctx *pos, *n;
182
183 list_for_each_entry_safe(pos, n, &f2fs_free_crypto_ctxs, free_list)
184 kmem_cache_free(f2fs_crypto_ctx_cachep, pos);
185 INIT_LIST_HEAD(&f2fs_free_crypto_ctxs);
186 if (f2fs_bounce_page_pool)
187 mempool_destroy(f2fs_bounce_page_pool);
188 f2fs_bounce_page_pool = NULL;
189}
190
191/**
192 * f2fs_crypto_initialize() - Set up for f2fs encryption.
193 *
194 * We only call this when we start accessing encrypted files, since it
195 * results in memory getting allocated that wouldn't otherwise be used.
196 *
197 * Return: Zero on success, non-zero otherwise.
198 */
199int f2fs_crypto_initialize(void)
200{
201 int i, res = -ENOMEM;
202
203 if (f2fs_bounce_page_pool)
204 return 0;
205
206 mutex_lock(&crypto_init);
207 if (f2fs_bounce_page_pool)
208 goto already_initialized;
209
210 for (i = 0; i < num_prealloc_crypto_ctxs; i++) {
211 struct f2fs_crypto_ctx *ctx;
212
213 ctx = kmem_cache_zalloc(f2fs_crypto_ctx_cachep, GFP_KERNEL);
214 if (!ctx)
215 goto fail;
216 list_add(&ctx->free_list, &f2fs_free_crypto_ctxs);
217 }
218
219 /* must be allocated at the last step to avoid race condition above */
220 f2fs_bounce_page_pool =
221 mempool_create_page_pool(num_prealloc_crypto_pages, 0);
222 if (!f2fs_bounce_page_pool)
223 goto fail;
224
225already_initialized:
226 mutex_unlock(&crypto_init);
227 return 0;
228fail:
229 f2fs_crypto_destroy();
230 mutex_unlock(&crypto_init);
231 return res;
232}
233
234/**
235 * f2fs_exit_crypto() - Shutdown the f2fs encryption system
236 */
237void f2fs_exit_crypto(void)
238{
239 f2fs_crypto_destroy();
240
241 if (f2fs_read_workqueue)
242 destroy_workqueue(f2fs_read_workqueue);
243 if (f2fs_crypto_ctx_cachep)
244 kmem_cache_destroy(f2fs_crypto_ctx_cachep);
245 if (f2fs_crypt_info_cachep)
246 kmem_cache_destroy(f2fs_crypt_info_cachep);
247}
248
249int __init f2fs_init_crypto(void)
250{
251 int res = -ENOMEM;
252
253 f2fs_read_workqueue = alloc_workqueue("f2fs_crypto", WQ_HIGHPRI, 0);
254 if (!f2fs_read_workqueue)
255 goto fail;
256
257 f2fs_crypto_ctx_cachep = KMEM_CACHE(f2fs_crypto_ctx,
258 SLAB_RECLAIM_ACCOUNT);
259 if (!f2fs_crypto_ctx_cachep)
260 goto fail;
261
262 f2fs_crypt_info_cachep = KMEM_CACHE(f2fs_crypt_info,
263 SLAB_RECLAIM_ACCOUNT);
264 if (!f2fs_crypt_info_cachep)
265 goto fail;
266
267 return 0;
268fail:
269 f2fs_exit_crypto();
270 return res;
271}
272
273void f2fs_restore_and_release_control_page(struct page **page)
274{
275 struct f2fs_crypto_ctx *ctx;
276 struct page *bounce_page;
277
278 /* The bounce data pages are unmapped. */
279 if ((*page)->mapping)
280 return;
281
282 /* The bounce data page is unmapped. */
283 bounce_page = *page;
284 ctx = (struct f2fs_crypto_ctx *)page_private(bounce_page);
285
286 /* restore control page */
287 *page = ctx->w.control_page;
288
289 f2fs_restore_control_page(bounce_page);
290}
291
292void f2fs_restore_control_page(struct page *data_page)
293{
294 struct f2fs_crypto_ctx *ctx =
295 (struct f2fs_crypto_ctx *)page_private(data_page);
296
297 set_page_private(data_page, (unsigned long)NULL);
298 ClearPagePrivate(data_page);
299 unlock_page(data_page);
300 f2fs_release_crypto_ctx(ctx);
301}
302
303/**
304 * f2fs_crypt_complete() - The completion callback for page encryption
305 * @req: The asynchronous encryption request context
306 * @res: The result of the encryption operation
307 */
308static void f2fs_crypt_complete(struct crypto_async_request *req, int res)
309{
310 struct f2fs_completion_result *ecr = req->data;
311
312 if (res == -EINPROGRESS)
313 return;
314 ecr->res = res;
315 complete(&ecr->completion);
316}
317
318typedef enum {
319 F2FS_DECRYPT = 0,
320 F2FS_ENCRYPT,
321} f2fs_direction_t;
322
323static int f2fs_page_crypto(struct inode *inode,
324 f2fs_direction_t rw,
325 pgoff_t index,
326 struct page *src_page,
327 struct page *dest_page)
328{
329 u8 xts_tweak[F2FS_XTS_TWEAK_SIZE];
330 struct ablkcipher_request *req = NULL;
331 DECLARE_F2FS_COMPLETION_RESULT(ecr);
332 struct scatterlist dst, src;
333 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info;
334 struct crypto_ablkcipher *tfm = ci->ci_ctfm;
335 int res = 0;
336
337 req = ablkcipher_request_alloc(tfm, GFP_NOFS);
338 if (!req) {
339 printk_ratelimited(KERN_ERR
340 "%s: crypto_request_alloc() failed\n",
341 __func__);
342 return -ENOMEM;
343 }
344 ablkcipher_request_set_callback(
345 req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
346 f2fs_crypt_complete, &ecr);
347
348 BUILD_BUG_ON(F2FS_XTS_TWEAK_SIZE < sizeof(index));
349 memcpy(xts_tweak, &index, sizeof(index));
350 memset(&xts_tweak[sizeof(index)], 0,
351 F2FS_XTS_TWEAK_SIZE - sizeof(index));
352
353 sg_init_table(&dst, 1);
354 sg_set_page(&dst, dest_page, PAGE_CACHE_SIZE, 0);
355 sg_init_table(&src, 1);
356 sg_set_page(&src, src_page, PAGE_CACHE_SIZE, 0);
357 ablkcipher_request_set_crypt(req, &src, &dst, PAGE_CACHE_SIZE,
358 xts_tweak);
359 if (rw == F2FS_DECRYPT)
360 res = crypto_ablkcipher_decrypt(req);
361 else
362 res = crypto_ablkcipher_encrypt(req);
363 if (res == -EINPROGRESS || res == -EBUSY) {
364 wait_for_completion(&ecr.completion);
365 res = ecr.res;
366 }
367 ablkcipher_request_free(req);
368 if (res) {
369 printk_ratelimited(KERN_ERR
370 "%s: crypto_ablkcipher_encrypt() returned %d\n",
371 __func__, res);
372 return res;
373 }
374 return 0;
375}
376
377static struct page *alloc_bounce_page(struct f2fs_crypto_ctx *ctx)
378{
379 ctx->w.bounce_page = mempool_alloc(f2fs_bounce_page_pool, GFP_NOWAIT);
380 if (ctx->w.bounce_page == NULL)
381 return ERR_PTR(-ENOMEM);
382 ctx->flags |= F2FS_WRITE_PATH_FL;
383 return ctx->w.bounce_page;
384}
385
386/**
387 * f2fs_encrypt() - Encrypts a page
388 * @inode: The inode for which the encryption should take place
389 * @plaintext_page: The page to encrypt. Must be locked.
390 *
391 * Allocates a ciphertext page and encrypts plaintext_page into it using the ctx
392 * encryption context.
393 *
394 * Called on the page write path. The caller must call
395 * f2fs_restore_control_page() on the returned ciphertext page to
396 * release the bounce buffer and the encryption context.
397 *
398 * Return: An allocated page with the encrypted content on success. Else, an
399 * error value or NULL.
400 */
401struct page *f2fs_encrypt(struct inode *inode,
402 struct page *plaintext_page)
403{
404 struct f2fs_crypto_ctx *ctx;
405 struct page *ciphertext_page = NULL;
406 int err;
407
408 BUG_ON(!PageLocked(plaintext_page));
409
410 ctx = f2fs_get_crypto_ctx(inode);
411 if (IS_ERR(ctx))
412 return (struct page *)ctx;
413
414 /* The encryption operation will require a bounce page. */
415 ciphertext_page = alloc_bounce_page(ctx);
416 if (IS_ERR(ciphertext_page))
417 goto err_out;
418
419 ctx->w.control_page = plaintext_page;
420 err = f2fs_page_crypto(inode, F2FS_ENCRYPT, plaintext_page->index,
421 plaintext_page, ciphertext_page);
422 if (err) {
423 ciphertext_page = ERR_PTR(err);
424 goto err_out;
425 }
426
427 SetPagePrivate(ciphertext_page);
428 set_page_private(ciphertext_page, (unsigned long)ctx);
429 lock_page(ciphertext_page);
430 return ciphertext_page;
431
432err_out:
433 f2fs_release_crypto_ctx(ctx);
434 return ciphertext_page;
435}
436
437/**
438 * f2fs_decrypt() - Decrypts a page in-place
439 * @ctx: The encryption context.
440 * @page: The page to decrypt. Must be locked.
441 *
442 * Decrypts page in-place using the ctx encryption context.
443 *
444 * Called from the read completion callback.
445 *
446 * Return: Zero on success, non-zero otherwise.
447 */
448int f2fs_decrypt(struct page *page)
449{
450 BUG_ON(!PageLocked(page));
451
452 return f2fs_page_crypto(page->mapping->host,
453 F2FS_DECRYPT, page->index, page, page);
454}
455
456bool f2fs_valid_contents_enc_mode(uint32_t mode)
457{
458 return (mode == F2FS_ENCRYPTION_MODE_AES_256_XTS);
459}
460
461/**
462 * f2fs_validate_encryption_key_size() - Validate the encryption key size
463 * @mode: The key mode.
464 * @size: The key size to validate.
465 *
466 * Return: The validated key size for @mode. Zero if invalid.
467 */
468uint32_t f2fs_validate_encryption_key_size(uint32_t mode, uint32_t size)
469{
470 if (size == f2fs_encryption_key_size(mode))
471 return size;
472 return 0;
473}
diff --git a/fs/f2fs/crypto_policy.c b/fs/f2fs/crypto_policy.c
deleted file mode 100644
index 596f02490f27..000000000000
--- a/fs/f2fs/crypto_policy.c
+++ /dev/null
@@ -1,210 +0,0 @@
1/*
2 * copied from linux/fs/ext4/crypto_policy.c
3 *
4 * Copyright (C) 2015, Google, Inc.
5 * Copyright (C) 2015, Motorola Mobility.
6 *
7 * This contains encryption policy functions for f2fs with some modifications
8 * to support f2fs-specific xattr APIs.
9 *
10 * Written by Michael Halcrow, 2015.
11 * Modified by Jaegeuk Kim, 2015.
12 */
13#include <linux/random.h>
14#include <linux/string.h>
15#include <linux/types.h>
16#include <linux/f2fs_fs.h>
17
18#include "f2fs.h"
19#include "xattr.h"
20
21static int f2fs_inode_has_encryption_context(struct inode *inode)
22{
23 int res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
24 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT, NULL, 0, NULL);
25 return (res > 0);
26}
27
28/*
29 * check whether the policy is consistent with the encryption context
30 * for the inode
31 */
32static int f2fs_is_encryption_context_consistent_with_policy(
33 struct inode *inode, const struct f2fs_encryption_policy *policy)
34{
35 struct f2fs_encryption_context ctx;
36 int res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
37 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
38 sizeof(ctx), NULL);
39
40 if (res != sizeof(ctx))
41 return 0;
42
43 return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
44 F2FS_KEY_DESCRIPTOR_SIZE) == 0 &&
45 (ctx.flags == policy->flags) &&
46 (ctx.contents_encryption_mode ==
47 policy->contents_encryption_mode) &&
48 (ctx.filenames_encryption_mode ==
49 policy->filenames_encryption_mode));
50}
51
52static int f2fs_create_encryption_context_from_policy(
53 struct inode *inode, const struct f2fs_encryption_policy *policy)
54{
55 struct f2fs_encryption_context ctx;
56
57 ctx.format = F2FS_ENCRYPTION_CONTEXT_FORMAT_V1;
58 memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
59 F2FS_KEY_DESCRIPTOR_SIZE);
60
61 if (!f2fs_valid_contents_enc_mode(policy->contents_encryption_mode)) {
62 printk(KERN_WARNING
63 "%s: Invalid contents encryption mode %d\n", __func__,
64 policy->contents_encryption_mode);
65 return -EINVAL;
66 }
67
68 if (!f2fs_valid_filenames_enc_mode(policy->filenames_encryption_mode)) {
69 printk(KERN_WARNING
70 "%s: Invalid filenames encryption mode %d\n", __func__,
71 policy->filenames_encryption_mode);
72 return -EINVAL;
73 }
74
75 if (policy->flags & ~F2FS_POLICY_FLAGS_VALID)
76 return -EINVAL;
77
78 ctx.contents_encryption_mode = policy->contents_encryption_mode;
79 ctx.filenames_encryption_mode = policy->filenames_encryption_mode;
80 ctx.flags = policy->flags;
81 BUILD_BUG_ON(sizeof(ctx.nonce) != F2FS_KEY_DERIVATION_NONCE_SIZE);
82 get_random_bytes(ctx.nonce, F2FS_KEY_DERIVATION_NONCE_SIZE);
83
84 return f2fs_setxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
85 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
86 sizeof(ctx), NULL, XATTR_CREATE);
87}
88
89int f2fs_process_policy(const struct f2fs_encryption_policy *policy,
90 struct inode *inode)
91{
92 if (policy->version != 0)
93 return -EINVAL;
94
95 if (!S_ISDIR(inode->i_mode))
96 return -EINVAL;
97
98 if (!f2fs_inode_has_encryption_context(inode)) {
99 if (!f2fs_empty_dir(inode))
100 return -ENOTEMPTY;
101 return f2fs_create_encryption_context_from_policy(inode,
102 policy);
103 }
104
105 if (f2fs_is_encryption_context_consistent_with_policy(inode, policy))
106 return 0;
107
108 printk(KERN_WARNING "%s: Policy inconsistent with encryption context\n",
109 __func__);
110 return -EINVAL;
111}
112
113int f2fs_get_policy(struct inode *inode, struct f2fs_encryption_policy *policy)
114{
115 struct f2fs_encryption_context ctx;
116 int res;
117
118 if (!f2fs_encrypted_inode(inode))
119 return -ENODATA;
120
121 res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
122 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT,
123 &ctx, sizeof(ctx), NULL);
124 if (res != sizeof(ctx))
125 return -ENODATA;
126 if (ctx.format != F2FS_ENCRYPTION_CONTEXT_FORMAT_V1)
127 return -EINVAL;
128
129 policy->version = 0;
130 policy->contents_encryption_mode = ctx.contents_encryption_mode;
131 policy->filenames_encryption_mode = ctx.filenames_encryption_mode;
132 policy->flags = ctx.flags;
133 memcpy(&policy->master_key_descriptor, ctx.master_key_descriptor,
134 F2FS_KEY_DESCRIPTOR_SIZE);
135 return 0;
136}
137
138int f2fs_is_child_context_consistent_with_parent(struct inode *parent,
139 struct inode *child)
140{
141 struct f2fs_crypt_info *parent_ci, *child_ci;
142 int res;
143
144 if ((parent == NULL) || (child == NULL)) {
145 pr_err("parent %p child %p\n", parent, child);
146 BUG_ON(1);
147 }
148
149 /* no restrictions if the parent directory is not encrypted */
150 if (!f2fs_encrypted_inode(parent))
151 return 1;
152 /* if the child directory is not encrypted, this is always a problem */
153 if (!f2fs_encrypted_inode(child))
154 return 0;
155 res = f2fs_get_encryption_info(parent);
156 if (res)
157 return 0;
158 res = f2fs_get_encryption_info(child);
159 if (res)
160 return 0;
161 parent_ci = F2FS_I(parent)->i_crypt_info;
162 child_ci = F2FS_I(child)->i_crypt_info;
163 if (!parent_ci && !child_ci)
164 return 1;
165 if (!parent_ci || !child_ci)
166 return 0;
167
168 return (memcmp(parent_ci->ci_master_key,
169 child_ci->ci_master_key,
170 F2FS_KEY_DESCRIPTOR_SIZE) == 0 &&
171 (parent_ci->ci_data_mode == child_ci->ci_data_mode) &&
172 (parent_ci->ci_filename_mode == child_ci->ci_filename_mode) &&
173 (parent_ci->ci_flags == child_ci->ci_flags));
174}
175
176/**
177 * f2fs_inherit_context() - Sets a child context from its parent
178 * @parent: Parent inode from which the context is inherited.
179 * @child: Child inode that inherits the context from @parent.
180 *
181 * Return: Zero on success, non-zero otherwise
182 */
183int f2fs_inherit_context(struct inode *parent, struct inode *child,
184 struct page *ipage)
185{
186 struct f2fs_encryption_context ctx;
187 struct f2fs_crypt_info *ci;
188 int res;
189
190 res = f2fs_get_encryption_info(parent);
191 if (res < 0)
192 return res;
193
194 ci = F2FS_I(parent)->i_crypt_info;
195 if (ci == NULL)
196 return -ENOKEY;
197
198 ctx.format = F2FS_ENCRYPTION_CONTEXT_FORMAT_V1;
199
200 ctx.contents_encryption_mode = ci->ci_data_mode;
201 ctx.filenames_encryption_mode = ci->ci_filename_mode;
202 ctx.flags = ci->ci_flags;
203 memcpy(ctx.master_key_descriptor, ci->ci_master_key,
204 F2FS_KEY_DESCRIPTOR_SIZE);
205
206 get_random_bytes(ctx.nonce, F2FS_KEY_DERIVATION_NONCE_SIZE);
207 return f2fs_setxattr(child, F2FS_XATTR_INDEX_ENCRYPTION,
208 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
209 sizeof(ctx), ipage, XATTR_CREATE);
210}
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 9643d88a01af..e5c762b37239 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -34,9 +34,9 @@ static void f2fs_read_end_io(struct bio *bio)
34 34
35 if (f2fs_bio_encrypted(bio)) { 35 if (f2fs_bio_encrypted(bio)) {
36 if (bio->bi_error) { 36 if (bio->bi_error) {
37 f2fs_release_crypto_ctx(bio->bi_private); 37 fscrypt_release_ctx(bio->bi_private);
38 } else { 38 } else {
39 f2fs_end_io_crypto_work(bio->bi_private, bio); 39 fscrypt_decrypt_bio_pages(bio->bi_private, bio);
40 return; 40 return;
41 } 41 }
42 } 42 }
@@ -64,7 +64,7 @@ static void f2fs_write_end_io(struct bio *bio)
64 bio_for_each_segment_all(bvec, bio, i) { 64 bio_for_each_segment_all(bvec, bio, i) {
65 struct page *page = bvec->bv_page; 65 struct page *page = bvec->bv_page;
66 66
67 f2fs_restore_and_release_control_page(&page); 67 fscrypt_pullback_bio_page(&page, true);
68 68
69 if (unlikely(bio->bi_error)) { 69 if (unlikely(bio->bi_error)) {
70 set_bit(AS_EIO, &page->mapping->flags); 70 set_bit(AS_EIO, &page->mapping->flags);
@@ -129,16 +129,10 @@ static bool __has_merged_page(struct f2fs_bio_info *io, struct inode *inode,
129 129
130 bio_for_each_segment_all(bvec, io->bio, i) { 130 bio_for_each_segment_all(bvec, io->bio, i) {
131 131
132 if (bvec->bv_page->mapping) { 132 if (bvec->bv_page->mapping)
133 target = bvec->bv_page; 133 target = bvec->bv_page;
134 } else { 134 else
135 struct f2fs_crypto_ctx *ctx; 135 target = fscrypt_control_page(bvec->bv_page);
136
137 /* encrypted page */
138 ctx = (struct f2fs_crypto_ctx *)page_private(
139 bvec->bv_page);
140 target = ctx->w.control_page;
141 }
142 136
143 if (inode && inode == target->mapping->host) 137 if (inode && inode == target->mapping->host)
144 return true; 138 return true;
@@ -220,7 +214,8 @@ void f2fs_flush_merged_bios(struct f2fs_sb_info *sbi)
220int f2fs_submit_page_bio(struct f2fs_io_info *fio) 214int f2fs_submit_page_bio(struct f2fs_io_info *fio)
221{ 215{
222 struct bio *bio; 216 struct bio *bio;
223 struct page *page = fio->encrypted_page ? fio->encrypted_page : fio->page; 217 struct page *page = fio->encrypted_page ?
218 fio->encrypted_page : fio->page;
224 219
225 trace_f2fs_submit_page_bio(page, fio); 220 trace_f2fs_submit_page_bio(page, fio);
226 f2fs_trace_ios(fio, 0); 221 f2fs_trace_ios(fio, 0);
@@ -992,12 +987,12 @@ submit_and_realloc:
992 bio = NULL; 987 bio = NULL;
993 } 988 }
994 if (bio == NULL) { 989 if (bio == NULL) {
995 struct f2fs_crypto_ctx *ctx = NULL; 990 struct fscrypt_ctx *ctx = NULL;
996 991
997 if (f2fs_encrypted_inode(inode) && 992 if (f2fs_encrypted_inode(inode) &&
998 S_ISREG(inode->i_mode)) { 993 S_ISREG(inode->i_mode)) {
999 994
1000 ctx = f2fs_get_crypto_ctx(inode); 995 ctx = fscrypt_get_ctx(inode);
1001 if (IS_ERR(ctx)) 996 if (IS_ERR(ctx))
1002 goto set_error_page; 997 goto set_error_page;
1003 998
@@ -1010,7 +1005,7 @@ submit_and_realloc:
1010 min_t(int, nr_pages, BIO_MAX_PAGES)); 1005 min_t(int, nr_pages, BIO_MAX_PAGES));
1011 if (!bio) { 1006 if (!bio) {
1012 if (ctx) 1007 if (ctx)
1013 f2fs_release_crypto_ctx(ctx); 1008 fscrypt_release_ctx(ctx);
1014 goto set_error_page; 1009 goto set_error_page;
1015 } 1010 }
1016 bio->bi_bdev = bdev; 1011 bio->bi_bdev = bdev;
@@ -1102,7 +1097,7 @@ int do_write_data_page(struct f2fs_io_info *fio)
1102 f2fs_wait_on_encrypted_page_writeback(F2FS_I_SB(inode), 1097 f2fs_wait_on_encrypted_page_writeback(F2FS_I_SB(inode),
1103 fio->old_blkaddr); 1098 fio->old_blkaddr);
1104 1099
1105 fio->encrypted_page = f2fs_encrypt(inode, fio->page); 1100 fio->encrypted_page = fscrypt_encrypt_page(inode, fio->page);
1106 if (IS_ERR(fio->encrypted_page)) { 1101 if (IS_ERR(fio->encrypted_page)) {
1107 err = PTR_ERR(fio->encrypted_page); 1102 err = PTR_ERR(fio->encrypted_page);
1108 goto out_writepage; 1103 goto out_writepage;
@@ -1608,7 +1603,7 @@ repeat:
1608 1603
1609 /* avoid symlink page */ 1604 /* avoid symlink page */
1610 if (f2fs_encrypted_inode(inode) && S_ISREG(inode->i_mode)) { 1605 if (f2fs_encrypted_inode(inode) && S_ISREG(inode->i_mode)) {
1611 err = f2fs_decrypt(page); 1606 err = fscrypt_decrypt_page(page);
1612 if (err) 1607 if (err)
1613 goto fail; 1608 goto fail;
1614 } 1609 }
diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 8f09da0552ac..f82e28b121a8 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -77,7 +77,7 @@ static unsigned long dir_block_index(unsigned int level,
77} 77}
78 78
79static struct f2fs_dir_entry *find_in_block(struct page *dentry_page, 79static struct f2fs_dir_entry *find_in_block(struct page *dentry_page,
80 struct f2fs_filename *fname, 80 struct fscrypt_name *fname,
81 f2fs_hash_t namehash, 81 f2fs_hash_t namehash,
82 int *max_slots, 82 int *max_slots,
83 struct page **res_page) 83 struct page **res_page)
@@ -103,15 +103,15 @@ static struct f2fs_dir_entry *find_in_block(struct page *dentry_page,
103 return de; 103 return de;
104} 104}
105 105
106struct f2fs_dir_entry *find_target_dentry(struct f2fs_filename *fname, 106struct f2fs_dir_entry *find_target_dentry(struct fscrypt_name *fname,
107 f2fs_hash_t namehash, int *max_slots, 107 f2fs_hash_t namehash, int *max_slots,
108 struct f2fs_dentry_ptr *d) 108 struct f2fs_dentry_ptr *d)
109{ 109{
110 struct f2fs_dir_entry *de; 110 struct f2fs_dir_entry *de;
111 unsigned long bit_pos = 0; 111 unsigned long bit_pos = 0;
112 int max_len = 0; 112 int max_len = 0;
113 struct f2fs_str de_name = FSTR_INIT(NULL, 0); 113 struct fscrypt_str de_name = FSTR_INIT(NULL, 0);
114 struct f2fs_str *name = &fname->disk_name; 114 struct fscrypt_str *name = &fname->disk_name;
115 115
116 if (max_slots) 116 if (max_slots)
117 *max_slots = 0; 117 *max_slots = 0;
@@ -157,7 +157,7 @@ found:
157 157
158static struct f2fs_dir_entry *find_in_level(struct inode *dir, 158static struct f2fs_dir_entry *find_in_level(struct inode *dir,
159 unsigned int level, 159 unsigned int level,
160 struct f2fs_filename *fname, 160 struct fscrypt_name *fname,
161 struct page **res_page) 161 struct page **res_page)
162{ 162{
163 struct qstr name = FSTR_TO_QSTR(&fname->disk_name); 163 struct qstr name = FSTR_TO_QSTR(&fname->disk_name);
@@ -218,12 +218,12 @@ struct f2fs_dir_entry *f2fs_find_entry(struct inode *dir,
218 struct f2fs_dir_entry *de = NULL; 218 struct f2fs_dir_entry *de = NULL;
219 unsigned int max_depth; 219 unsigned int max_depth;
220 unsigned int level; 220 unsigned int level;
221 struct f2fs_filename fname; 221 struct fscrypt_name fname;
222 int err; 222 int err;
223 223
224 *res_page = NULL; 224 *res_page = NULL;
225 225
226 err = f2fs_fname_setup_filename(dir, child, 1, &fname); 226 err = fscrypt_setup_filename(dir, child, 1, &fname);
227 if (err) 227 if (err)
228 return NULL; 228 return NULL;
229 229
@@ -251,7 +251,7 @@ struct f2fs_dir_entry *f2fs_find_entry(struct inode *dir,
251 break; 251 break;
252 } 252 }
253out: 253out:
254 f2fs_fname_free_filename(&fname); 254 fscrypt_free_filename(&fname);
255 return de; 255 return de;
256} 256}
257 257
@@ -413,7 +413,7 @@ struct page *init_inode_metadata(struct inode *inode, struct inode *dir,
413 goto put_error; 413 goto put_error;
414 414
415 if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode)) { 415 if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode)) {
416 err = f2fs_inherit_context(dir, inode, page); 416 err = fscrypt_inherit_context(dir, inode, page, false);
417 if (err) 417 if (err)
418 goto put_error; 418 goto put_error;
419 } 419 }
@@ -536,11 +536,11 @@ int __f2fs_add_link(struct inode *dir, const struct qstr *name,
536 struct f2fs_dentry_block *dentry_blk = NULL; 536 struct f2fs_dentry_block *dentry_blk = NULL;
537 struct f2fs_dentry_ptr d; 537 struct f2fs_dentry_ptr d;
538 struct page *page = NULL; 538 struct page *page = NULL;
539 struct f2fs_filename fname; 539 struct fscrypt_name fname;
540 struct qstr new_name; 540 struct qstr new_name;
541 int slots, err; 541 int slots, err;
542 542
543 err = f2fs_fname_setup_filename(dir, name, 0, &fname); 543 err = fscrypt_setup_filename(dir, name, 0, &fname);
544 if (err) 544 if (err)
545 return err; 545 return err;
546 546
@@ -639,7 +639,7 @@ fail:
639 kunmap(dentry_page); 639 kunmap(dentry_page);
640 f2fs_put_page(dentry_page, 1); 640 f2fs_put_page(dentry_page, 1);
641out: 641out:
642 f2fs_fname_free_filename(&fname); 642 fscrypt_free_filename(&fname);
643 f2fs_update_time(F2FS_I_SB(dir), REQ_TIME); 643 f2fs_update_time(F2FS_I_SB(dir), REQ_TIME);
644 return err; 644 return err;
645} 645}
@@ -781,12 +781,12 @@ bool f2fs_empty_dir(struct inode *dir)
781} 781}
782 782
783bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, 783bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
784 unsigned int start_pos, struct f2fs_str *fstr) 784 unsigned int start_pos, struct fscrypt_str *fstr)
785{ 785{
786 unsigned char d_type = DT_UNKNOWN; 786 unsigned char d_type = DT_UNKNOWN;
787 unsigned int bit_pos; 787 unsigned int bit_pos;
788 struct f2fs_dir_entry *de = NULL; 788 struct f2fs_dir_entry *de = NULL;
789 struct f2fs_str de_name = FSTR_INIT(NULL, 0); 789 struct fscrypt_str de_name = FSTR_INIT(NULL, 0);
790 790
791 bit_pos = ((unsigned long)ctx->pos % d->max); 791 bit_pos = ((unsigned long)ctx->pos % d->max);
792 792
@@ -820,8 +820,9 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
820 820
821 memcpy(de_name.name, d->filename[bit_pos], de_name.len); 821 memcpy(de_name.name, d->filename[bit_pos], de_name.len);
822 822
823 ret = f2fs_fname_disk_to_usr(d->inode, &de->hash_code, 823 ret = fscrypt_fname_disk_to_usr(d->inode,
824 &de_name, fstr); 824 (u32)de->hash_code, 0,
825 &de_name, fstr);
825 kfree(de_name.name); 826 kfree(de_name.name);
826 if (ret < 0) 827 if (ret < 0)
827 return true; 828 return true;
@@ -849,16 +850,15 @@ static int f2fs_readdir(struct file *file, struct dir_context *ctx)
849 struct file_ra_state *ra = &file->f_ra; 850 struct file_ra_state *ra = &file->f_ra;
850 unsigned int n = ((unsigned long)ctx->pos / NR_DENTRY_IN_BLOCK); 851 unsigned int n = ((unsigned long)ctx->pos / NR_DENTRY_IN_BLOCK);
851 struct f2fs_dentry_ptr d; 852 struct f2fs_dentry_ptr d;
852 struct f2fs_str fstr = FSTR_INIT(NULL, 0); 853 struct fscrypt_str fstr = FSTR_INIT(NULL, 0);
853 int err = 0; 854 int err = 0;
854 855
855 if (f2fs_encrypted_inode(inode)) { 856 if (f2fs_encrypted_inode(inode)) {
856 err = f2fs_get_encryption_info(inode); 857 err = fscrypt_get_encryption_info(inode);
857 if (err) 858 if (err)
858 return err; 859 return err;
859 860
860 err = f2fs_fname_crypto_alloc_buffer(inode, F2FS_NAME_LEN, 861 err = fscrypt_fname_alloc_buffer(inode, F2FS_NAME_LEN, &fstr);
861 &fstr);
862 if (err < 0) 862 if (err < 0)
863 return err; 863 return err;
864 } 864 }
@@ -898,14 +898,14 @@ static int f2fs_readdir(struct file *file, struct dir_context *ctx)
898 f2fs_put_page(dentry_page, 1); 898 f2fs_put_page(dentry_page, 1);
899 } 899 }
900out: 900out:
901 f2fs_fname_crypto_free_buffer(&fstr); 901 fscrypt_fname_free_buffer(&fstr);
902 return err; 902 return err;
903} 903}
904 904
905static int f2fs_dir_open(struct inode *inode, struct file *filp) 905static int f2fs_dir_open(struct inode *inode, struct file *filp)
906{ 906{
907 if (f2fs_encrypted_inode(inode)) 907 if (f2fs_encrypted_inode(inode))
908 return f2fs_get_encryption_info(inode) ? -EACCES : 0; 908 return fscrypt_get_encryption_info(inode) ? -EACCES : 0;
909 return 0; 909 return 0;
910} 910}
911 911
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index ffd03363989b..6447e9002807 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -22,6 +22,7 @@
22#include <linux/vmalloc.h> 22#include <linux/vmalloc.h>
23#include <linux/bio.h> 23#include <linux/bio.h>
24#include <linux/blkdev.h> 24#include <linux/blkdev.h>
25#include <linux/fscrypto.h>
25 26
26#ifdef CONFIG_F2FS_CHECK_FS 27#ifdef CONFIG_F2FS_CHECK_FS
27#define f2fs_bug_on(sbi, condition) BUG_ON(condition) 28#define f2fs_bug_on(sbi, condition) BUG_ON(condition)
@@ -231,12 +232,9 @@ static inline bool __has_cursum_space(struct f2fs_journal *journal,
231#define F2FS_IOC_WRITE_CHECKPOINT _IO(F2FS_IOCTL_MAGIC, 7) 232#define F2FS_IOC_WRITE_CHECKPOINT _IO(F2FS_IOCTL_MAGIC, 7)
232#define F2FS_IOC_DEFRAGMENT _IO(F2FS_IOCTL_MAGIC, 8) 233#define F2FS_IOC_DEFRAGMENT _IO(F2FS_IOCTL_MAGIC, 8)
233 234
234#define F2FS_IOC_SET_ENCRYPTION_POLICY \ 235#define F2FS_IOC_SET_ENCRYPTION_POLICY FS_IOC_SET_ENCRYPTION_POLICY
235 _IOR('f', 19, struct f2fs_encryption_policy) 236#define F2FS_IOC_GET_ENCRYPTION_POLICY FS_IOC_GET_ENCRYPTION_POLICY
236#define F2FS_IOC_GET_ENCRYPTION_PWSALT \ 237#define F2FS_IOC_GET_ENCRYPTION_PWSALT FS_IOC_GET_ENCRYPTION_PWSALT
237 _IOW('f', 20, __u8[16])
238#define F2FS_IOC_GET_ENCRYPTION_POLICY \
239 _IOW('f', 21, struct f2fs_encryption_policy)
240 238
241/* 239/*
242 * should be same as XFS_IOC_GOINGDOWN. 240 * should be same as XFS_IOC_GOINGDOWN.
@@ -266,25 +264,6 @@ struct f2fs_defragment {
266 * For INODE and NODE manager 264 * For INODE and NODE manager
267 */ 265 */
268/* for directory operations */ 266/* for directory operations */
269struct f2fs_str {
270 unsigned char *name;
271 u32 len;
272};
273
274struct f2fs_filename {
275 const struct qstr *usr_fname;
276 struct f2fs_str disk_name;
277 f2fs_hash_t hash;
278#ifdef CONFIG_F2FS_FS_ENCRYPTION
279 struct f2fs_str crypto_buf;
280#endif
281};
282
283#define FSTR_INIT(n, l) { .name = n, .len = l }
284#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len)
285#define fname_name(p) ((p)->disk_name.name)
286#define fname_len(p) ((p)->disk_name.len)
287
288struct f2fs_dentry_ptr { 267struct f2fs_dentry_ptr {
289 struct inode *inode; 268 struct inode *inode;
290 const void *bitmap; 269 const void *bitmap;
@@ -412,15 +391,6 @@ struct f2fs_map_blocks {
412#define file_enc_name(inode) is_file(inode, FADVISE_ENC_NAME_BIT) 391#define file_enc_name(inode) is_file(inode, FADVISE_ENC_NAME_BIT)
413#define file_set_enc_name(inode) set_file(inode, FADVISE_ENC_NAME_BIT) 392#define file_set_enc_name(inode) set_file(inode, FADVISE_ENC_NAME_BIT)
414 393
415/* Encryption algorithms */
416#define F2FS_ENCRYPTION_MODE_INVALID 0
417#define F2FS_ENCRYPTION_MODE_AES_256_XTS 1
418#define F2FS_ENCRYPTION_MODE_AES_256_GCM 2
419#define F2FS_ENCRYPTION_MODE_AES_256_CBC 3
420#define F2FS_ENCRYPTION_MODE_AES_256_CTS 4
421
422#include "f2fs_crypto.h"
423
424#define DEF_DIR_LEVEL 0 394#define DEF_DIR_LEVEL 0
425 395
426struct f2fs_inode_info { 396struct f2fs_inode_info {
@@ -444,13 +414,7 @@ struct f2fs_inode_info {
444 struct list_head dirty_list; /* linked in global dirty list */ 414 struct list_head dirty_list; /* linked in global dirty list */
445 struct list_head inmem_pages; /* inmemory pages managed by f2fs */ 415 struct list_head inmem_pages; /* inmemory pages managed by f2fs */
446 struct mutex inmem_lock; /* lock for inmemory pages */ 416 struct mutex inmem_lock; /* lock for inmemory pages */
447
448 struct extent_tree *extent_tree; /* cached extent_tree entry */ 417 struct extent_tree *extent_tree; /* cached extent_tree entry */
449
450#ifdef CONFIG_F2FS_FS_ENCRYPTION
451 /* Encryption params */
452 struct f2fs_crypt_info *i_crypt_info;
453#endif
454}; 418};
455 419
456static inline void get_extent_info(struct extent_info *ext, 420static inline void get_extent_info(struct extent_info *ext,
@@ -1741,10 +1705,10 @@ struct dentry *f2fs_get_parent(struct dentry *child);
1741extern unsigned char f2fs_filetype_table[F2FS_FT_MAX]; 1705extern unsigned char f2fs_filetype_table[F2FS_FT_MAX];
1742void set_de_type(struct f2fs_dir_entry *, umode_t); 1706void set_de_type(struct f2fs_dir_entry *, umode_t);
1743 1707
1744struct f2fs_dir_entry *find_target_dentry(struct f2fs_filename *, 1708struct f2fs_dir_entry *find_target_dentry(struct fscrypt_name *,
1745 f2fs_hash_t, int *, struct f2fs_dentry_ptr *); 1709 f2fs_hash_t, int *, struct f2fs_dentry_ptr *);
1746bool f2fs_fill_dentries(struct dir_context *, struct f2fs_dentry_ptr *, 1710bool f2fs_fill_dentries(struct dir_context *, struct f2fs_dentry_ptr *,
1747 unsigned int, struct f2fs_str *); 1711 unsigned int, struct fscrypt_str *);
1748void do_make_empty_dir(struct inode *, struct inode *, 1712void do_make_empty_dir(struct inode *, struct inode *,
1749 struct f2fs_dentry_ptr *); 1713 struct f2fs_dentry_ptr *);
1750struct page *init_inode_metadata(struct inode *, struct inode *, 1714struct page *init_inode_metadata(struct inode *, struct inode *,
@@ -2120,7 +2084,7 @@ int f2fs_convert_inline_inode(struct inode *);
2120int f2fs_write_inline_data(struct inode *, struct page *); 2084int f2fs_write_inline_data(struct inode *, struct page *);
2121bool recover_inline_data(struct inode *, struct page *); 2085bool recover_inline_data(struct inode *, struct page *);
2122struct f2fs_dir_entry *find_in_inline_dir(struct inode *, 2086struct f2fs_dir_entry *find_in_inline_dir(struct inode *,
2123 struct f2fs_filename *, struct page **); 2087 struct fscrypt_name *, struct page **);
2124struct f2fs_dir_entry *f2fs_parent_inline_dir(struct inode *, struct page **); 2088struct f2fs_dir_entry *f2fs_parent_inline_dir(struct inode *, struct page **);
2125int make_empty_inline_dir(struct inode *inode, struct inode *, struct page *); 2089int make_empty_inline_dir(struct inode *inode, struct inode *, struct page *);
2126int f2fs_add_inline_entry(struct inode *, const struct qstr *, struct inode *, 2090int f2fs_add_inline_entry(struct inode *, const struct qstr *, struct inode *,
@@ -2129,7 +2093,7 @@ void f2fs_delete_inline_entry(struct f2fs_dir_entry *, struct page *,
2129 struct inode *, struct inode *); 2093 struct inode *, struct inode *);
2130bool f2fs_empty_inline_dir(struct inode *); 2094bool f2fs_empty_inline_dir(struct inode *);
2131int f2fs_read_inline_dir(struct file *, struct dir_context *, 2095int f2fs_read_inline_dir(struct file *, struct dir_context *,
2132 struct f2fs_str *); 2096 struct fscrypt_str *);
2133int f2fs_inline_data_fiemap(struct inode *, 2097int f2fs_inline_data_fiemap(struct inode *,
2134 struct fiemap_extent_info *, __u64, __u64); 2098 struct fiemap_extent_info *, __u64, __u64);
2135 2099
@@ -2159,13 +2123,9 @@ void destroy_extent_cache(void);
2159/* 2123/*
2160 * crypto support 2124 * crypto support
2161 */ 2125 */
2162static inline int f2fs_encrypted_inode(struct inode *inode) 2126static inline bool f2fs_encrypted_inode(struct inode *inode)
2163{ 2127{
2164#ifdef CONFIG_F2FS_FS_ENCRYPTION
2165 return file_is_encrypt(inode); 2128 return file_is_encrypt(inode);
2166#else
2167 return 0;
2168#endif
2169} 2129}
2170 2130
2171static inline void f2fs_set_encrypted_inode(struct inode *inode) 2131static inline void f2fs_set_encrypted_inode(struct inode *inode)
@@ -2177,20 +2137,12 @@ static inline void f2fs_set_encrypted_inode(struct inode *inode)
2177 2137
2178static inline bool f2fs_bio_encrypted(struct bio *bio) 2138static inline bool f2fs_bio_encrypted(struct bio *bio)
2179{ 2139{
2180#ifdef CONFIG_F2FS_FS_ENCRYPTION 2140 return bio->bi_private != NULL;
2181 return unlikely(bio->bi_private != NULL);
2182#else
2183 return false;
2184#endif
2185} 2141}
2186 2142
2187static inline int f2fs_sb_has_crypto(struct super_block *sb) 2143static inline int f2fs_sb_has_crypto(struct super_block *sb)
2188{ 2144{
2189#ifdef CONFIG_F2FS_FS_ENCRYPTION
2190 return F2FS_HAS_FEATURE(sb, F2FS_FEATURE_ENCRYPT); 2145 return F2FS_HAS_FEATURE(sb, F2FS_FEATURE_ENCRYPT);
2191#else
2192 return 0;
2193#endif
2194} 2146}
2195 2147
2196static inline bool f2fs_may_encrypt(struct inode *inode) 2148static inline bool f2fs_may_encrypt(struct inode *inode)
@@ -2204,86 +2156,28 @@ static inline bool f2fs_may_encrypt(struct inode *inode)
2204#endif 2156#endif
2205} 2157}
2206 2158
2207/* crypto_policy.c */ 2159#ifndef CONFIG_F2FS_FS_ENCRYPTION
2208int f2fs_is_child_context_consistent_with_parent(struct inode *, 2160#define fscrypt_set_d_op(i)
2209 struct inode *); 2161#define fscrypt_get_ctx fscrypt_notsupp_get_ctx
2210int f2fs_inherit_context(struct inode *, struct inode *, struct page *); 2162#define fscrypt_release_ctx fscrypt_notsupp_release_ctx
2211int f2fs_process_policy(const struct f2fs_encryption_policy *, struct inode *); 2163#define fscrypt_encrypt_page fscrypt_notsupp_encrypt_page
2212int f2fs_get_policy(struct inode *, struct f2fs_encryption_policy *); 2164#define fscrypt_decrypt_page fscrypt_notsupp_decrypt_page
2213 2165#define fscrypt_decrypt_bio_pages fscrypt_notsupp_decrypt_bio_pages
2214/* crypt.c */ 2166#define fscrypt_pullback_bio_page fscrypt_notsupp_pullback_bio_page
2215extern struct kmem_cache *f2fs_crypt_info_cachep; 2167#define fscrypt_restore_control_page fscrypt_notsupp_restore_control_page
2216bool f2fs_valid_contents_enc_mode(uint32_t); 2168#define fscrypt_zeroout_range fscrypt_notsupp_zeroout_range
2217uint32_t f2fs_validate_encryption_key_size(uint32_t, uint32_t); 2169#define fscrypt_process_policy fscrypt_notsupp_process_policy
2218struct f2fs_crypto_ctx *f2fs_get_crypto_ctx(struct inode *); 2170#define fscrypt_get_policy fscrypt_notsupp_get_policy
2219void f2fs_release_crypto_ctx(struct f2fs_crypto_ctx *); 2171#define fscrypt_has_permitted_context fscrypt_notsupp_has_permitted_context
2220struct page *f2fs_encrypt(struct inode *, struct page *); 2172#define fscrypt_inherit_context fscrypt_notsupp_inherit_context
2221int f2fs_decrypt(struct page *); 2173#define fscrypt_get_encryption_info fscrypt_notsupp_get_encryption_info
2222void f2fs_end_io_crypto_work(struct f2fs_crypto_ctx *, struct bio *); 2174#define fscrypt_put_encryption_info fscrypt_notsupp_put_encryption_info
2223 2175#define fscrypt_setup_filename fscrypt_notsupp_setup_filename
2224/* crypto_key.c */ 2176#define fscrypt_free_filename fscrypt_notsupp_free_filename
2225void f2fs_free_encryption_info(struct inode *, struct f2fs_crypt_info *); 2177#define fscrypt_fname_encrypted_size fscrypt_notsupp_fname_encrypted_size
2226int _f2fs_get_encryption_info(struct inode *inode); 2178#define fscrypt_fname_alloc_buffer fscrypt_notsupp_fname_alloc_buffer
2227 2179#define fscrypt_fname_free_buffer fscrypt_notsupp_fname_free_buffer
2228/* crypto_fname.c */ 2180#define fscrypt_fname_disk_to_usr fscrypt_notsupp_fname_disk_to_usr
2229bool f2fs_valid_filenames_enc_mode(uint32_t); 2181#define fscrypt_fname_usr_to_disk fscrypt_notsupp_fname_usr_to_disk
2230u32 f2fs_fname_crypto_round_up(u32, u32);
2231unsigned f2fs_fname_encrypted_size(struct inode *, u32);
2232int f2fs_fname_crypto_alloc_buffer(struct inode *, u32, struct f2fs_str *);
2233int f2fs_fname_disk_to_usr(struct inode *, f2fs_hash_t *,
2234 const struct f2fs_str *, struct f2fs_str *);
2235int f2fs_fname_usr_to_disk(struct inode *, const struct qstr *,
2236 struct f2fs_str *);
2237
2238#ifdef CONFIG_F2FS_FS_ENCRYPTION
2239void f2fs_restore_and_release_control_page(struct page **);
2240void f2fs_restore_control_page(struct page *);
2241
2242int __init f2fs_init_crypto(void);
2243int f2fs_crypto_initialize(void);
2244void f2fs_exit_crypto(void);
2245
2246int f2fs_has_encryption_key(struct inode *);
2247
2248static inline int f2fs_get_encryption_info(struct inode *inode)
2249{
2250 struct f2fs_crypt_info *ci = F2FS_I(inode)->i_crypt_info;
2251
2252 if (!ci ||
2253 (ci->ci_keyring_key &&
2254 (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
2255 (1 << KEY_FLAG_REVOKED) |
2256 (1 << KEY_FLAG_DEAD)))))
2257 return _f2fs_get_encryption_info(inode);
2258 return 0;
2259}
2260
2261void f2fs_fname_crypto_free_buffer(struct f2fs_str *);
2262int f2fs_fname_setup_filename(struct inode *, const struct qstr *,
2263 int lookup, struct f2fs_filename *);
2264void f2fs_fname_free_filename(struct f2fs_filename *);
2265#else
2266static inline void f2fs_restore_and_release_control_page(struct page **p) { }
2267static inline void f2fs_restore_control_page(struct page *p) { }
2268
2269static inline int __init f2fs_init_crypto(void) { return 0; }
2270static inline void f2fs_exit_crypto(void) { }
2271
2272static inline int f2fs_has_encryption_key(struct inode *i) { return 0; }
2273static inline int f2fs_get_encryption_info(struct inode *i) { return 0; }
2274static inline void f2fs_fname_crypto_free_buffer(struct f2fs_str *p) { }
2275
2276static inline int f2fs_fname_setup_filename(struct inode *dir,
2277 const struct qstr *iname,
2278 int lookup, struct f2fs_filename *fname)
2279{
2280 memset(fname, 0, sizeof(struct f2fs_filename));
2281 fname->usr_fname = iname;
2282 fname->disk_name.name = (unsigned char *)iname->name;
2283 fname->disk_name.len = iname->len;
2284 return 0;
2285}
2286
2287static inline void f2fs_fname_free_filename(struct f2fs_filename *fname) { }
2288#endif 2182#endif
2289#endif 2183#endif
diff --git a/fs/f2fs/f2fs_crypto.h b/fs/f2fs/f2fs_crypto.h
deleted file mode 100644
index c2c1c2b63b25..000000000000
--- a/fs/f2fs/f2fs_crypto.h
+++ /dev/null
@@ -1,151 +0,0 @@
1/*
2 * linux/fs/f2fs/f2fs_crypto.h
3 *
4 * Copied from linux/fs/ext4/ext4_crypto.h
5 *
6 * Copyright (C) 2015, Google, Inc.
7 *
8 * This contains encryption header content for f2fs
9 *
10 * Written by Michael Halcrow, 2015.
11 * Modified by Jaegeuk Kim, 2015.
12 */
13#ifndef _F2FS_CRYPTO_H
14#define _F2FS_CRYPTO_H
15
16#include <linux/fs.h>
17
18#define F2FS_KEY_DESCRIPTOR_SIZE 8
19
20/* Policy provided via an ioctl on the topmost directory */
21struct f2fs_encryption_policy {
22 char version;
23 char contents_encryption_mode;
24 char filenames_encryption_mode;
25 char flags;
26 char master_key_descriptor[F2FS_KEY_DESCRIPTOR_SIZE];
27} __attribute__((__packed__));
28
29#define F2FS_ENCRYPTION_CONTEXT_FORMAT_V1 1
30#define F2FS_KEY_DERIVATION_NONCE_SIZE 16
31
32#define F2FS_POLICY_FLAGS_PAD_4 0x00
33#define F2FS_POLICY_FLAGS_PAD_8 0x01
34#define F2FS_POLICY_FLAGS_PAD_16 0x02
35#define F2FS_POLICY_FLAGS_PAD_32 0x03
36#define F2FS_POLICY_FLAGS_PAD_MASK 0x03
37#define F2FS_POLICY_FLAGS_VALID 0x03
38
39/**
40 * Encryption context for inode
41 *
42 * Protector format:
43 * 1 byte: Protector format (1 = this version)
44 * 1 byte: File contents encryption mode
45 * 1 byte: File names encryption mode
46 * 1 byte: Flags
47 * 8 bytes: Master Key descriptor
48 * 16 bytes: Encryption Key derivation nonce
49 */
50struct f2fs_encryption_context {
51 char format;
52 char contents_encryption_mode;
53 char filenames_encryption_mode;
54 char flags;
55 char master_key_descriptor[F2FS_KEY_DESCRIPTOR_SIZE];
56 char nonce[F2FS_KEY_DERIVATION_NONCE_SIZE];
57} __attribute__((__packed__));
58
59/* Encryption parameters */
60#define F2FS_XTS_TWEAK_SIZE 16
61#define F2FS_AES_128_ECB_KEY_SIZE 16
62#define F2FS_AES_256_GCM_KEY_SIZE 32
63#define F2FS_AES_256_CBC_KEY_SIZE 32
64#define F2FS_AES_256_CTS_KEY_SIZE 32
65#define F2FS_AES_256_XTS_KEY_SIZE 64
66#define F2FS_MAX_KEY_SIZE 64
67
68#define F2FS_KEY_DESC_PREFIX "f2fs:"
69#define F2FS_KEY_DESC_PREFIX_SIZE 5
70
71struct f2fs_encryption_key {
72 __u32 mode;
73 char raw[F2FS_MAX_KEY_SIZE];
74 __u32 size;
75} __attribute__((__packed__));
76
77struct f2fs_crypt_info {
78 char ci_data_mode;
79 char ci_filename_mode;
80 char ci_flags;
81 struct crypto_ablkcipher *ci_ctfm;
82 struct key *ci_keyring_key;
83 char ci_master_key[F2FS_KEY_DESCRIPTOR_SIZE];
84};
85
86#define F2FS_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001
87#define F2FS_WRITE_PATH_FL 0x00000002
88
89struct f2fs_crypto_ctx {
90 union {
91 struct {
92 struct page *bounce_page; /* Ciphertext page */
93 struct page *control_page; /* Original page */
94 } w;
95 struct {
96 struct bio *bio;
97 struct work_struct work;
98 } r;
99 struct list_head free_list; /* Free list */
100 };
101 char flags; /* Flags */
102};
103
104struct f2fs_completion_result {
105 struct completion completion;
106 int res;
107};
108
109#define DECLARE_F2FS_COMPLETION_RESULT(ecr) \
110 struct f2fs_completion_result ecr = { \
111 COMPLETION_INITIALIZER((ecr).completion), 0 }
112
113static inline int f2fs_encryption_key_size(int mode)
114{
115 switch (mode) {
116 case F2FS_ENCRYPTION_MODE_AES_256_XTS:
117 return F2FS_AES_256_XTS_KEY_SIZE;
118 case F2FS_ENCRYPTION_MODE_AES_256_GCM:
119 return F2FS_AES_256_GCM_KEY_SIZE;
120 case F2FS_ENCRYPTION_MODE_AES_256_CBC:
121 return F2FS_AES_256_CBC_KEY_SIZE;
122 case F2FS_ENCRYPTION_MODE_AES_256_CTS:
123 return F2FS_AES_256_CTS_KEY_SIZE;
124 default:
125 BUG();
126 }
127 return 0;
128}
129
130#define F2FS_FNAME_NUM_SCATTER_ENTRIES 4
131#define F2FS_CRYPTO_BLOCK_SIZE 16
132#define F2FS_FNAME_CRYPTO_DIGEST_SIZE 32
133
134/**
135 * For encrypted symlinks, the ciphertext length is stored at the beginning
136 * of the string in little-endian format.
137 */
138struct f2fs_encrypted_symlink_data {
139 __le16 len;
140 char encrypted_path[1];
141} __attribute__((__packed__));
142
143/**
144 * This function is used to calculate the disk space required to
145 * store a filename of length l in encrypted symlink format.
146 */
147static inline u32 encrypted_symlink_data_len(u32 l)
148{
149 return (l + sizeof(struct f2fs_encrypted_symlink_data) - 1);
150}
151#endif /* _F2FS_CRYPTO_H */
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index ffa1ec20f963..04ab1e4fc1df 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -421,7 +421,7 @@ static int f2fs_file_mmap(struct file *file, struct vm_area_struct *vma)
421 int err; 421 int err;
422 422
423 if (f2fs_encrypted_inode(inode)) { 423 if (f2fs_encrypted_inode(inode)) {
424 err = f2fs_get_encryption_info(inode); 424 err = fscrypt_get_encryption_info(inode);
425 if (err) 425 if (err)
426 return 0; 426 return 0;
427 if (!f2fs_encrypted_inode(inode)) 427 if (!f2fs_encrypted_inode(inode))
@@ -443,10 +443,10 @@ static int f2fs_file_open(struct inode *inode, struct file *filp)
443 int ret = generic_file_open(inode, filp); 443 int ret = generic_file_open(inode, filp);
444 444
445 if (!ret && f2fs_encrypted_inode(inode)) { 445 if (!ret && f2fs_encrypted_inode(inode)) {
446 ret = f2fs_get_encryption_info(inode); 446 ret = fscrypt_get_encryption_info(inode);
447 if (ret) 447 if (ret)
448 return -EACCES; 448 return -EACCES;
449 if (!f2fs_encrypted_inode(inode)) 449 if (!fscrypt_has_encryption_key(inode))
450 return -ENOKEY; 450 return -ENOKEY;
451 } 451 }
452 return ret; 452 return ret;
@@ -526,7 +526,8 @@ static int truncate_partial_data_page(struct inode *inode, u64 from,
526truncate_out: 526truncate_out:
527 f2fs_wait_on_page_writeback(page, DATA, true); 527 f2fs_wait_on_page_writeback(page, DATA, true);
528 zero_user(page, offset, PAGE_CACHE_SIZE - offset); 528 zero_user(page, offset, PAGE_CACHE_SIZE - offset);
529 if (!cache_only || !f2fs_encrypted_inode(inode) || !S_ISREG(inode->i_mode)) 529 if (!cache_only || !f2fs_encrypted_inode(inode) ||
530 !S_ISREG(inode->i_mode))
530 set_page_dirty(page); 531 set_page_dirty(page);
531 f2fs_put_page(page, 1); 532 f2fs_put_page(page, 1);
532 return 0; 533 return 0;
@@ -674,7 +675,7 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
674 675
675 if (attr->ia_valid & ATTR_SIZE) { 676 if (attr->ia_valid & ATTR_SIZE) {
676 if (f2fs_encrypted_inode(inode) && 677 if (f2fs_encrypted_inode(inode) &&
677 f2fs_get_encryption_info(inode)) 678 fscrypt_get_encryption_info(inode))
678 return -EACCES; 679 return -EACCES;
679 680
680 if (attr->ia_size <= i_size_read(inode)) { 681 if (attr->ia_size <= i_size_read(inode)) {
@@ -1529,39 +1530,30 @@ static bool uuid_is_nonzero(__u8 u[16])
1529 1530
1530static int f2fs_ioc_set_encryption_policy(struct file *filp, unsigned long arg) 1531static int f2fs_ioc_set_encryption_policy(struct file *filp, unsigned long arg)
1531{ 1532{
1532#ifdef CONFIG_F2FS_FS_ENCRYPTION 1533 struct fscrypt_policy policy;
1533 struct f2fs_encryption_policy policy;
1534 struct inode *inode = file_inode(filp); 1534 struct inode *inode = file_inode(filp);
1535 1535
1536 if (copy_from_user(&policy, (struct f2fs_encryption_policy __user *)arg, 1536 if (copy_from_user(&policy, (struct fscrypt_policy __user *)arg,
1537 sizeof(policy))) 1537 sizeof(policy)))
1538 return -EFAULT; 1538 return -EFAULT;
1539 1539
1540 f2fs_update_time(F2FS_I_SB(inode), REQ_TIME); 1540 f2fs_update_time(F2FS_I_SB(inode), REQ_TIME);
1541 return f2fs_process_policy(&policy, inode); 1541 return fscrypt_process_policy(inode, &policy);
1542#else
1543 return -EOPNOTSUPP;
1544#endif
1545} 1542}
1546 1543
1547static int f2fs_ioc_get_encryption_policy(struct file *filp, unsigned long arg) 1544static int f2fs_ioc_get_encryption_policy(struct file *filp, unsigned long arg)
1548{ 1545{
1549#ifdef CONFIG_F2FS_FS_ENCRYPTION 1546 struct fscrypt_policy policy;
1550 struct f2fs_encryption_policy policy;
1551 struct inode *inode = file_inode(filp); 1547 struct inode *inode = file_inode(filp);
1552 int err; 1548 int err;
1553 1549
1554 err = f2fs_get_policy(inode, &policy); 1550 err = fscrypt_get_policy(inode, &policy);
1555 if (err) 1551 if (err)
1556 return err; 1552 return err;
1557 1553
1558 if (copy_to_user((struct f2fs_encryption_policy __user *)arg, &policy, 1554 if (copy_to_user((struct fscrypt_policy __user *)arg, &policy, sizeof(policy)))
1559 sizeof(policy)))
1560 return -EFAULT; 1555 return -EFAULT;
1561 return 0; 1556 return 0;
1562#else
1563 return -EOPNOTSUPP;
1564#endif
1565} 1557}
1566 1558
1567static int f2fs_ioc_get_encryption_pwsalt(struct file *filp, unsigned long arg) 1559static int f2fs_ioc_get_encryption_pwsalt(struct file *filp, unsigned long arg)
@@ -1873,8 +1865,8 @@ static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
1873 ssize_t ret; 1865 ssize_t ret;
1874 1866
1875 if (f2fs_encrypted_inode(inode) && 1867 if (f2fs_encrypted_inode(inode) &&
1876 !f2fs_has_encryption_key(inode) && 1868 !fscrypt_has_encryption_key(inode) &&
1877 f2fs_get_encryption_info(inode)) 1869 fscrypt_get_encryption_info(inode))
1878 return -EACCES; 1870 return -EACCES;
1879 1871
1880 inode_lock(inode); 1872 inode_lock(inode);
diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
index 1c00f2c718ae..358214e9f707 100644
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -277,7 +277,7 @@ process_inline:
277} 277}
278 278
279struct f2fs_dir_entry *find_in_inline_dir(struct inode *dir, 279struct f2fs_dir_entry *find_in_inline_dir(struct inode *dir,
280 struct f2fs_filename *fname, struct page **res_page) 280 struct fscrypt_name *fname, struct page **res_page)
281{ 281{
282 struct f2fs_sb_info *sbi = F2FS_SB(dir->i_sb); 282 struct f2fs_sb_info *sbi = F2FS_SB(dir->i_sb);
283 struct f2fs_inline_dentry *inline_dentry; 283 struct f2fs_inline_dentry *inline_dentry;
@@ -535,7 +535,7 @@ bool f2fs_empty_inline_dir(struct inode *dir)
535} 535}
536 536
537int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx, 537int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx,
538 struct f2fs_str *fstr) 538 struct fscrypt_str *fstr)
539{ 539{
540 struct inode *inode = file_inode(file); 540 struct inode *inode = file_inode(file);
541 struct f2fs_inline_dentry *inline_dentry = NULL; 541 struct f2fs_inline_dentry *inline_dentry = NULL;
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index d4477073dbb0..cb269c46ac25 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -389,10 +389,7 @@ no_delete:
389 } 389 }
390 } 390 }
391out_clear: 391out_clear:
392#ifdef CONFIG_F2FS_FS_ENCRYPTION 392 fscrypt_put_encryption_info(inode, NULL);
393 if (fi->i_crypt_info)
394 f2fs_free_encryption_info(inode, fi->i_crypt_info);
395#endif
396 clear_inode(inode); 393 clear_inode(inode);
397} 394}
398 395
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index b3c423a645bc..3bddd9f657e5 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -169,7 +169,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
169 int err; 169 int err;
170 170
171 if (f2fs_encrypted_inode(dir) && 171 if (f2fs_encrypted_inode(dir) &&
172 !f2fs_is_child_context_consistent_with_parent(dir, inode)) 172 !fscrypt_has_permitted_context(dir, inode))
173 return -EPERM; 173 return -EPERM;
174 174
175 f2fs_balance_fs(sbi, true); 175 f2fs_balance_fs(sbi, true);
@@ -352,20 +352,20 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
352 struct f2fs_sb_info *sbi = F2FS_I_SB(dir); 352 struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
353 struct inode *inode; 353 struct inode *inode;
354 size_t len = strlen(symname); 354 size_t len = strlen(symname);
355 struct f2fs_str disk_link = FSTR_INIT((char *)symname, len + 1); 355 struct fscrypt_str disk_link = FSTR_INIT((char *)symname, len + 1);
356 struct f2fs_encrypted_symlink_data *sd = NULL; 356 struct fscrypt_symlink_data *sd = NULL;
357 int err; 357 int err;
358 358
359 if (f2fs_encrypted_inode(dir)) { 359 if (f2fs_encrypted_inode(dir)) {
360 err = f2fs_get_encryption_info(dir); 360 err = fscrypt_get_encryption_info(dir);
361 if (err) 361 if (err)
362 return err; 362 return err;
363 363
364 if (!f2fs_encrypted_inode(dir)) 364 if (!fscrypt_has_encryption_key(dir))
365 return -EPERM; 365 return -EPERM;
366 366
367 disk_link.len = (f2fs_fname_encrypted_size(dir, len) + 367 disk_link.len = (fscrypt_fname_encrypted_size(dir, len) +
368 sizeof(struct f2fs_encrypted_symlink_data)); 368 sizeof(struct fscrypt_symlink_data));
369 } 369 }
370 370
371 if (disk_link.len > dir->i_sb->s_blocksize) 371 if (disk_link.len > dir->i_sb->s_blocksize)
@@ -393,7 +393,7 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
393 393
394 if (f2fs_encrypted_inode(inode)) { 394 if (f2fs_encrypted_inode(inode)) {
395 struct qstr istr = QSTR_INIT(symname, len); 395 struct qstr istr = QSTR_INIT(symname, len);
396 struct f2fs_str ostr; 396 struct fscrypt_str ostr;
397 397
398 sd = kzalloc(disk_link.len, GFP_NOFS); 398 sd = kzalloc(disk_link.len, GFP_NOFS);
399 if (!sd) { 399 if (!sd) {
@@ -401,18 +401,18 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
401 goto err_out; 401 goto err_out;
402 } 402 }
403 403
404 err = f2fs_get_encryption_info(inode); 404 err = fscrypt_get_encryption_info(inode);
405 if (err) 405 if (err)
406 goto err_out; 406 goto err_out;
407 407
408 if (!f2fs_encrypted_inode(inode)) { 408 if (!fscrypt_has_encryption_key(inode)) {
409 err = -EPERM; 409 err = -EPERM;
410 goto err_out; 410 goto err_out;
411 } 411 }
412 412
413 ostr.name = sd->encrypted_path; 413 ostr.name = sd->encrypted_path;
414 ostr.len = disk_link.len; 414 ostr.len = disk_link.len;
415 err = f2fs_fname_usr_to_disk(inode, &istr, &ostr); 415 err = fscrypt_fname_usr_to_disk(inode, &istr, &ostr);
416 if (err < 0) 416 if (err < 0)
417 goto err_out; 417 goto err_out;
418 418
@@ -593,7 +593,7 @@ out:
593static int f2fs_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode) 593static int f2fs_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode)
594{ 594{
595 if (f2fs_encrypted_inode(dir)) { 595 if (f2fs_encrypted_inode(dir)) {
596 int err = f2fs_get_encryption_info(dir); 596 int err = fscrypt_get_encryption_info(dir);
597 if (err) 597 if (err)
598 return err; 598 return err;
599 } 599 }
@@ -623,8 +623,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
623 int err = -ENOENT; 623 int err = -ENOENT;
624 624
625 if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && 625 if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
626 !f2fs_is_child_context_consistent_with_parent(new_dir, 626 !fscrypt_has_permitted_context(new_dir, old_inode)) {
627 old_inode)) {
628 err = -EPERM; 627 err = -EPERM;
629 goto out; 628 goto out;
630 } 629 }
@@ -804,11 +803,9 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
804 int err = -ENOENT; 803 int err = -ENOENT;
805 804
806 if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && 805 if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) &&
807 (old_dir != new_dir) && 806 (old_dir != new_dir) &&
808 (!f2fs_is_child_context_consistent_with_parent(new_dir, 807 (!fscrypt_has_permitted_context(new_dir, old_inode) ||
809 old_inode) || 808 !fscrypt_has_permitted_context(old_dir, new_inode)))
810 !f2fs_is_child_context_consistent_with_parent(old_dir,
811 new_inode)))
812 return -EPERM; 809 return -EPERM;
813 810
814 old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page); 811 old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
@@ -970,16 +967,15 @@ static int f2fs_rename2(struct inode *old_dir, struct dentry *old_dentry,
970 return f2fs_rename(old_dir, old_dentry, new_dir, new_dentry, flags); 967 return f2fs_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
971} 968}
972 969
973#ifdef CONFIG_F2FS_FS_ENCRYPTION
974static const char *f2fs_encrypted_get_link(struct dentry *dentry, 970static const char *f2fs_encrypted_get_link(struct dentry *dentry,
975 struct inode *inode, 971 struct inode *inode,
976 struct delayed_call *done) 972 struct delayed_call *done)
977{ 973{
978 struct page *cpage = NULL; 974 struct page *cpage = NULL;
979 char *caddr, *paddr = NULL; 975 char *caddr, *paddr = NULL;
980 struct f2fs_str cstr = FSTR_INIT(NULL, 0); 976 struct fscrypt_str cstr = FSTR_INIT(NULL, 0);
981 struct f2fs_str pstr = FSTR_INIT(NULL, 0); 977 struct fscrypt_str pstr = FSTR_INIT(NULL, 0);
982 struct f2fs_encrypted_symlink_data *sd; 978 struct fscrypt_symlink_data *sd;
983 loff_t size = min_t(loff_t, i_size_read(inode), PAGE_SIZE - 1); 979 loff_t size = min_t(loff_t, i_size_read(inode), PAGE_SIZE - 1);
984 u32 max_size = inode->i_sb->s_blocksize; 980 u32 max_size = inode->i_sb->s_blocksize;
985 int res; 981 int res;
@@ -987,7 +983,7 @@ static const char *f2fs_encrypted_get_link(struct dentry *dentry,
987 if (!dentry) 983 if (!dentry)
988 return ERR_PTR(-ECHILD); 984 return ERR_PTR(-ECHILD);
989 985
990 res = f2fs_get_encryption_info(inode); 986 res = fscrypt_get_encryption_info(inode);
991 if (res) 987 if (res)
992 return ERR_PTR(res); 988 return ERR_PTR(res);
993 989
@@ -998,7 +994,7 @@ static const char *f2fs_encrypted_get_link(struct dentry *dentry,
998 caddr[size] = 0; 994 caddr[size] = 0;
999 995
1000 /* Symlink is encrypted */ 996 /* Symlink is encrypted */
1001 sd = (struct f2fs_encrypted_symlink_data *)caddr; 997 sd = (struct fscrypt_symlink_data *)caddr;
1002 cstr.name = sd->encrypted_path; 998 cstr.name = sd->encrypted_path;
1003 cstr.len = le16_to_cpu(sd->len); 999 cstr.len = le16_to_cpu(sd->len);
1004 1000
@@ -1014,17 +1010,16 @@ static const char *f2fs_encrypted_get_link(struct dentry *dentry,
1014 goto errout; 1010 goto errout;
1015 } 1011 }
1016 1012
1017 if ((cstr.len + sizeof(struct f2fs_encrypted_symlink_data) - 1) > 1013 if ((cstr.len + sizeof(struct fscrypt_symlink_data) - 1) > max_size) {
1018 max_size) {
1019 /* Symlink data on the disk is corrupted */ 1014 /* Symlink data on the disk is corrupted */
1020 res = -EIO; 1015 res = -EIO;
1021 goto errout; 1016 goto errout;
1022 } 1017 }
1023 res = f2fs_fname_crypto_alloc_buffer(inode, cstr.len, &pstr); 1018 res = fscrypt_fname_alloc_buffer(inode, cstr.len, &pstr);
1024 if (res) 1019 if (res)
1025 goto errout; 1020 goto errout;
1026 1021
1027 res = f2fs_fname_disk_to_usr(inode, NULL, &cstr, &pstr); 1022 res = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr);
1028 if (res < 0) 1023 if (res < 0)
1029 goto errout; 1024 goto errout;
1030 1025
@@ -1037,7 +1032,7 @@ static const char *f2fs_encrypted_get_link(struct dentry *dentry,
1037 set_delayed_call(done, kfree_link, paddr); 1032 set_delayed_call(done, kfree_link, paddr);
1038 return paddr; 1033 return paddr;
1039errout: 1034errout:
1040 f2fs_fname_crypto_free_buffer(&pstr); 1035 fscrypt_fname_free_buffer(&pstr);
1041 page_cache_release(cpage); 1036 page_cache_release(cpage);
1042 return ERR_PTR(res); 1037 return ERR_PTR(res);
1043} 1038}
@@ -1054,7 +1049,6 @@ const struct inode_operations f2fs_encrypted_symlink_inode_operations = {
1054 .removexattr = generic_removexattr, 1049 .removexattr = generic_removexattr,
1055#endif 1050#endif
1056}; 1051};
1057#endif
1058 1052
1059const struct inode_operations f2fs_dir_inode_operations = { 1053const struct inode_operations f2fs_dir_inode_operations = {
1060 .create = f2fs_create, 1054 .create = f2fs_create,
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 579372d9291f..7b62016e66cd 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -470,10 +470,6 @@ static struct inode *f2fs_alloc_inode(struct super_block *sb)
470 470
471 /* Will be used by directory only */ 471 /* Will be used by directory only */
472 fi->i_dir_level = F2FS_SB(sb)->dir_level; 472 fi->i_dir_level = F2FS_SB(sb)->dir_level;
473
474#ifdef CONFIG_F2FS_FS_ENCRYPTION
475 fi->i_crypt_info = NULL;
476#endif
477 return &fi->vfs_inode; 473 return &fi->vfs_inode;
478} 474}
479 475
@@ -507,11 +503,7 @@ static int f2fs_drop_inode(struct inode *inode)
507 503
508 sb_end_intwrite(inode->i_sb); 504 sb_end_intwrite(inode->i_sb);
509 505
510#ifdef CONFIG_F2FS_FS_ENCRYPTION 506 fscrypt_put_encryption_info(inode, NULL);
511 if (F2FS_I(inode)->i_crypt_info)
512 f2fs_free_encryption_info(inode,
513 F2FS_I(inode)->i_crypt_info);
514#endif
515 spin_lock(&inode->i_lock); 507 spin_lock(&inode->i_lock);
516 atomic_dec(&inode->i_count); 508 atomic_dec(&inode->i_count);
517 } 509 }
@@ -891,6 +883,41 @@ static struct super_operations f2fs_sops = {
891 .remount_fs = f2fs_remount, 883 .remount_fs = f2fs_remount,
892}; 884};
893 885
886#ifdef CONFIG_F2FS_FS_ENCRYPTION
887static int f2fs_get_context(struct inode *inode, void *ctx, size_t len)
888{
889 return f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
890 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT,
891 ctx, len, NULL);
892}
893
894static int f2fs_set_context(struct inode *inode, const void *ctx, size_t len,
895 void *fs_data)
896{
897 return f2fs_setxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
898 F2FS_XATTR_NAME_ENCRYPTION_CONTEXT,
899 ctx, len, fs_data, XATTR_CREATE);
900}
901
902static unsigned f2fs_max_namelen(struct inode *inode)
903{
904 return S_ISLNK(inode->i_mode) ?
905 inode->i_sb->s_blocksize : F2FS_NAME_LEN;
906}
907
908static struct fscrypt_operations f2fs_cryptops = {
909 .get_context = f2fs_get_context,
910 .set_context = f2fs_set_context,
911 .is_encrypted = f2fs_encrypted_inode,
912 .empty_dir = f2fs_empty_dir,
913 .max_namelen = f2fs_max_namelen,
914};
915#else
916static struct fscrypt_operations f2fs_cryptops = {
917 .is_encrypted = f2fs_encrypted_inode,
918};
919#endif
920
894static struct inode *f2fs_nfs_get_inode(struct super_block *sb, 921static struct inode *f2fs_nfs_get_inode(struct super_block *sb,
895 u64 ino, u32 generation) 922 u64 ino, u32 generation)
896{ 923{
@@ -1314,6 +1341,7 @@ try_onemore:
1314 get_random_bytes(&sbi->s_next_generation, sizeof(u32)); 1341 get_random_bytes(&sbi->s_next_generation, sizeof(u32));
1315 1342
1316 sb->s_op = &f2fs_sops; 1343 sb->s_op = &f2fs_sops;
1344 sb->s_cop = &f2fs_cryptops;
1317 sb->s_xattr = f2fs_xattr_handlers; 1345 sb->s_xattr = f2fs_xattr_handlers;
1318 sb->s_export_op = &f2fs_export_ops; 1346 sb->s_export_op = &f2fs_export_ops;
1319 sb->s_magic = F2FS_SUPER_MAGIC; 1347 sb->s_magic = F2FS_SUPER_MAGIC;
@@ -1619,13 +1647,9 @@ static int __init init_f2fs_fs(void)
1619 err = -ENOMEM; 1647 err = -ENOMEM;
1620 goto free_extent_cache; 1648 goto free_extent_cache;
1621 } 1649 }
1622 err = f2fs_init_crypto();
1623 if (err)
1624 goto free_kset;
1625
1626 err = register_shrinker(&f2fs_shrinker_info); 1650 err = register_shrinker(&f2fs_shrinker_info);
1627 if (err) 1651 if (err)
1628 goto free_crypto; 1652 goto free_kset;
1629 1653
1630 err = register_filesystem(&f2fs_fs_type); 1654 err = register_filesystem(&f2fs_fs_type);
1631 if (err) 1655 if (err)
@@ -1640,8 +1664,6 @@ free_filesystem:
1640 unregister_filesystem(&f2fs_fs_type); 1664 unregister_filesystem(&f2fs_fs_type);
1641free_shrinker: 1665free_shrinker:
1642 unregister_shrinker(&f2fs_shrinker_info); 1666 unregister_shrinker(&f2fs_shrinker_info);
1643free_crypto:
1644 f2fs_exit_crypto();
1645free_kset: 1667free_kset:
1646 kset_unregister(f2fs_kset); 1668 kset_unregister(f2fs_kset);
1647free_extent_cache: 1669free_extent_cache:
@@ -1664,7 +1686,6 @@ static void __exit exit_f2fs_fs(void)
1664 f2fs_destroy_root_stats(); 1686 f2fs_destroy_root_stats();
1665 unregister_shrinker(&f2fs_shrinker_info); 1687 unregister_shrinker(&f2fs_shrinker_info);
1666 unregister_filesystem(&f2fs_fs_type); 1688 unregister_filesystem(&f2fs_fs_type);
1667 f2fs_exit_crypto();
1668 destroy_extent_cache(); 1689 destroy_extent_cache();
1669 destroy_checkpoint_caches(); 1690 destroy_checkpoint_caches();
1670 destroy_segment_manager_caches(); 1691 destroy_segment_manager_caches();
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-22 01:08:17 -0500