aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Halcrow <mhalcrow@google.com>2015-04-12 00:55:06 -0400
committerTheodore Ts'o <tytso@mit.edu>2015-04-12 00:55:06 -0400
commit88bd6ccdcdd638faa11e9746affc21d5f2fe2acf (patch)
tree1c86a994b5273756f6c90627af2131d8bc616481
parentb30ab0e03407d2aa2d9316cba199c757e4bfc8ad (diff)
ext4 crypto: add encryption key management facilities
Signed-off-by: Michael Halcrow <mhalcrow@google.com> Signed-off-by: Ildar Muslukhov <muslukhovi@gmail.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--fs/ext4/Makefile2
-rw-r--r--fs/ext4/crypto_key.c162
-rw-r--r--fs/ext4/ext4.h13
-rw-r--r--fs/ext4/ext4_crypto.h3
4 files changed, 179 insertions, 1 deletions
diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile
index 1b1c5619523d..4e5af21f1050 100644
--- a/fs/ext4/Makefile
+++ b/fs/ext4/Makefile
@@ -12,4 +12,4 @@ ext4-y := balloc.o bitmap.o dir.o file.o fsync.o ialloc.o inode.o page-io.o \
12 12
13ext4-$(CONFIG_EXT4_FS_POSIX_ACL) += acl.o 13ext4-$(CONFIG_EXT4_FS_POSIX_ACL) += acl.o
14ext4-$(CONFIG_EXT4_FS_SECURITY) += xattr_security.o 14ext4-$(CONFIG_EXT4_FS_SECURITY) += xattr_security.o
15ext4-$(CONFIG_EXT4_FS_ENCRYPTION) += crypto_policy.o crypto.o 15ext4-$(CONFIG_EXT4_FS_ENCRYPTION) += crypto_policy.o crypto.o crypto_key.o
diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c
new file mode 100644
index 000000000000..572bd97f58dd
--- /dev/null
+++ b/fs/ext4/crypto_key.c
@@ -0,0 +1,162 @@
1/*
2 * linux/fs/ext4/crypto_key.c
3 *
4 * Copyright (C) 2015, Google, Inc.
5 *
6 * This contains encryption key functions for ext4
7 *
8 * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
9 */
10
11#include <keys/encrypted-type.h>
12#include <keys/user-type.h>
13#include <linux/random.h>
14#include <linux/scatterlist.h>
15#include <uapi/linux/keyctl.h>
16
17#include "ext4.h"
18#include "xattr.h"
19
20static void derive_crypt_complete(struct crypto_async_request *req, int rc)
21{
22 struct ext4_completion_result *ecr = req->data;
23
24 if (rc == -EINPROGRESS)
25 return;
26
27 ecr->res = rc;
28 complete(&ecr->completion);
29}
30
31/**
32 * ext4_derive_key_aes() - Derive a key using AES-128-ECB
33 * @deriving_key: Encryption key used for derivatio.
34 * @source_key: Source key to which to apply derivation.
35 * @derived_key: Derived key.
36 *
37 * Return: Zero on success; non-zero otherwise.
38 */
39static int ext4_derive_key_aes(char deriving_key[EXT4_AES_128_ECB_KEY_SIZE],
40 char source_key[EXT4_AES_256_XTS_KEY_SIZE],
41 char derived_key[EXT4_AES_256_XTS_KEY_SIZE])
42{
43 int res = 0;
44 struct ablkcipher_request *req = NULL;
45 DECLARE_EXT4_COMPLETION_RESULT(ecr);
46 struct scatterlist src_sg, dst_sg;
47 struct crypto_ablkcipher *tfm = crypto_alloc_ablkcipher("ecb(aes)", 0,
48 0);
49
50 if (IS_ERR(tfm)) {
51 res = PTR_ERR(tfm);
52 tfm = NULL;
53 goto out;
54 }
55 crypto_ablkcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY);
56 req = ablkcipher_request_alloc(tfm, GFP_NOFS);
57 if (!req) {
58 res = -ENOMEM;
59 goto out;
60 }
61 ablkcipher_request_set_callback(req,
62 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
63 derive_crypt_complete, &ecr);
64 res = crypto_ablkcipher_setkey(tfm, deriving_key,
65 EXT4_AES_128_ECB_KEY_SIZE);
66 if (res < 0)
67 goto out;
68 sg_init_one(&src_sg, source_key, EXT4_AES_256_XTS_KEY_SIZE);
69 sg_init_one(&dst_sg, derived_key, EXT4_AES_256_XTS_KEY_SIZE);
70 ablkcipher_request_set_crypt(req, &src_sg, &dst_sg,
71 EXT4_AES_256_XTS_KEY_SIZE, NULL);
72 res = crypto_ablkcipher_encrypt(req);
73 if (res == -EINPROGRESS || res == -EBUSY) {
74 BUG_ON(req->base.data != &ecr);
75 wait_for_completion(&ecr.completion);
76 res = ecr.res;
77 }
78
79out:
80 if (req)
81 ablkcipher_request_free(req);
82 if (tfm)
83 crypto_free_ablkcipher(tfm);
84 return res;
85}
86
87/**
88 * ext4_generate_encryption_key() - generates an encryption key
89 * @inode: The inode to generate the encryption key for.
90 */
91int ext4_generate_encryption_key(struct inode *inode)
92{
93 struct ext4_inode_info *ei = EXT4_I(inode);
94 struct ext4_encryption_key *crypt_key = &ei->i_encryption_key;
95 char full_key_descriptor[EXT4_KEY_DESC_PREFIX_SIZE +
96 (EXT4_KEY_DESCRIPTOR_SIZE * 2) + 1];
97 struct key *keyring_key = NULL;
98 struct ext4_encryption_key *master_key;
99 struct ext4_encryption_context ctx;
100 struct user_key_payload *ukp;
101 int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
102 EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
103 &ctx, sizeof(ctx));
104
105 if (res != sizeof(ctx)) {
106 if (res > 0)
107 res = -EINVAL;
108 goto out;
109 }
110 res = 0;
111
112 memcpy(full_key_descriptor, EXT4_KEY_DESC_PREFIX,
113 EXT4_KEY_DESC_PREFIX_SIZE);
114 sprintf(full_key_descriptor + EXT4_KEY_DESC_PREFIX_SIZE,
115 "%*phN", EXT4_KEY_DESCRIPTOR_SIZE,
116 ctx.master_key_descriptor);
117 full_key_descriptor[EXT4_KEY_DESC_PREFIX_SIZE +
118 (2 * EXT4_KEY_DESCRIPTOR_SIZE)] = '\0';
119 keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL);
120 if (IS_ERR(keyring_key)) {
121 res = PTR_ERR(keyring_key);
122 keyring_key = NULL;
123 goto out;
124 }
125 BUG_ON(keyring_key->type != &key_type_logon);
126 ukp = ((struct user_key_payload *)keyring_key->payload.data);
127 if (ukp->datalen != sizeof(struct ext4_encryption_key)) {
128 res = -EINVAL;
129 goto out;
130 }
131 master_key = (struct ext4_encryption_key *)ukp->data;
132
133 if (S_ISREG(inode->i_mode))
134 crypt_key->mode = ctx.contents_encryption_mode;
135 else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
136 crypt_key->mode = ctx.filenames_encryption_mode;
137 else {
138 printk(KERN_ERR "ext4 crypto: Unsupported inode type.\n");
139 BUG();
140 }
141 crypt_key->size = ext4_encryption_key_size(crypt_key->mode);
142 BUG_ON(!crypt_key->size);
143 BUILD_BUG_ON(EXT4_AES_128_ECB_KEY_SIZE !=
144 EXT4_KEY_DERIVATION_NONCE_SIZE);
145 BUG_ON(master_key->size != EXT4_AES_256_XTS_KEY_SIZE);
146 BUG_ON(crypt_key->size < EXT4_AES_256_CBC_KEY_SIZE);
147 res = ext4_derive_key_aes(ctx.nonce, master_key->raw, crypt_key->raw);
148out:
149 if (keyring_key)
150 key_put(keyring_key);
151 if (res < 0)
152 crypt_key->mode = EXT4_ENCRYPTION_MODE_INVALID;
153 return res;
154}
155
156int ext4_has_encryption_key(struct inode *inode)
157{
158 struct ext4_inode_info *ei = EXT4_I(inode);
159 struct ext4_encryption_key *crypt_key = &ei->i_encryption_key;
160
161 return (crypt_key->mode != EXT4_ENCRYPTION_MODE_INVALID);
162}
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 71619ef72225..99a2d67f65b7 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2078,6 +2078,19 @@ static inline int ext4_sb_has_crypto(struct super_block *sb)
2078} 2078}
2079#endif 2079#endif
2080 2080
2081/* crypto_key.c */
2082int ext4_generate_encryption_key(struct inode *inode);
2083
2084#ifdef CONFIG_EXT4_FS_ENCRYPTION
2085int ext4_has_encryption_key(struct inode *inode);
2086#else
2087static inline int ext4_has_encryption_key(struct inode *inode)
2088{
2089 return 0;
2090}
2091#endif
2092
2093
2081/* dir.c */ 2094/* dir.c */
2082extern int __ext4_check_dir_entry(const char *, unsigned int, struct inode *, 2095extern int __ext4_check_dir_entry(const char *, unsigned int, struct inode *,
2083 struct file *, 2096 struct file *,
diff --git a/fs/ext4/ext4_crypto.h b/fs/ext4/ext4_crypto.h
index 9d5d2e56cc46..6a7c0c06b2be 100644
--- a/fs/ext4/ext4_crypto.h
+++ b/fs/ext4/ext4_crypto.h
@@ -55,6 +55,9 @@ struct ext4_encryption_context {
55#define EXT4_AES_256_XTS_KEY_SIZE 64 55#define EXT4_AES_256_XTS_KEY_SIZE 64
56#define EXT4_MAX_KEY_SIZE 64 56#define EXT4_MAX_KEY_SIZE 64
57 57
58#define EXT4_KEY_DESC_PREFIX "ext4:"
59#define EXT4_KEY_DESC_PREFIX_SIZE 5
60
58struct ext4_encryption_key { 61struct ext4_encryption_key {
59 uint32_t mode; 62 uint32_t mode;
60 char raw[EXT4_MAX_KEY_SIZE]; 63 char raw[EXT4_MAX_KEY_SIZE];