aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/netlink.c
diff options
context:
space:
mode:
authorMichael Halcrow <mhalcrow@us.ibm.com>2007-02-12 03:53:43 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-02-12 12:48:36 -0500
commit88b4a07e6610f4c93b08b0bb103318218db1e9f6 (patch)
tree32e2f2650bd4841ba6b2fafc724c2806219351b4 /fs/ecryptfs/netlink.c
parentb5d5dfbd59577aed72263f22e28d3eaf98e1c6e5 (diff)
[PATCH] eCryptfs: Public key transport mechanism
This is the transport code for public key functionality in eCryptfs. It manages encryption/decryption request queues with a transport mechanism. Currently, netlink is the only implemented transport. Each inode has a unique File Encryption Key (FEK). Under passphrase, a File Encryption Key Encryption Key (FEKEK) is generated from a salt/passphrase combo on mount. This FEKEK encrypts each FEK and writes it into the header of each file using the packet format specified in RFC 2440. This is all symmetric key encryption, so it can all be done via the kernel crypto API. These new patches introduce public key encryption of the FEK. There is no asymmetric key encryption support in the kernel crypto API, so eCryptfs pushes the FEK encryption and decryption out to a userspace daemon. After considering our requirements and determining the complexity of using various transport mechanisms, we settled on netlink for this communication. eCryptfs stores authentication tokens into the kernel keyring. These tokens correlate with individual keys. For passphrase mode of operation, the authentication token contains the symmetric FEKEK. For public key, the authentication token contains a PKI type and an opaque data blob managed by individual PKI modules in userspace. Each user who opens a file under an eCryptfs partition mounted in public key mode must be running a daemon. That daemon has the user's credentials and has access to all of the keys to which the user should have access. The daemon, when started, initializes the pluggable PKI modules available on the system and registers itself with the eCryptfs kernel module. Userspace utilities register public key authentication tokens into the user session keyring. These authentication tokens correlate key signatures with PKI modules and PKI blobs. The PKI blobs contain PKI-specific information necessary for the PKI module to carry out asymmetric key encryption and decryption. When the eCryptfs module parses the header of an existing file and finds a Tag 1 (Public Key) packet (see RFC 2440), it reads in the public key identifier (signature). The asymmetrically encrypted FEK is in the Tag 1 packet; eCryptfs puts together a decrypt request packet containing the signature and the encrypted FEK, then it passes it to the daemon registered for the current->euid via a netlink unicast to the PID of the daemon, which was registered at the time the daemon was started by the user. The daemon actually just makes calls to libecryptfs, which implements request packet parsing and manages PKI modules. libecryptfs grabs the public key authentication token for the given signature from the user session keyring. This auth tok tells libecryptfs which PKI module should receive the request. libecryptfs then makes a decrypt() call to the PKI module, and it passes along the PKI block from the auth tok. The PKI uses the blob to figure out how it should decrypt the data passed to it; it performs the decryption and passes the decrypted data back to libecryptfs. libecryptfs then puts together a reply packet with the decrypted FEK and passes that back to the eCryptfs module. The eCryptfs module manages these request callouts to userspace code via message context structs. The module maintains an array of message context structs and places the elements of the array on two lists: a free and an allocated list. When eCryptfs wants to make a request, it moves a msg ctx from the free list to the allocated list, sets its state to pending, and fires off the message to the user's registered daemon. When eCryptfs receives a netlink message (via the callback), it correlates the msg ctx struct in the alloc list with the data in the message itself. The msg->index contains the offset of the array of msg ctx structs. It verifies that the registered daemon PID is the same as the PID of the process that sent the message. It also validates a sequence number between the received packet and the msg ctx. Then, it copies the contents of the message (the reply packet) into the msg ctx struct, sets the state in the msg ctx to done, and wakes up the process that was sleeping while waiting for the reply. The sleeping process was whatever was performing the sys_open(). This process originally called ecryptfs_send_message(); it is now in ecryptfs_wait_for_response(). When it wakes up and sees that the msg ctx state was set to done, it returns a pointer to the message contents (the reply packet) and returns. If all went well, this packet contains the decrypted FEK, which is then copied into the crypt_stat struct, and life continues as normal. The case for creation of a new file is very similar, only instead of a decrypt request, eCryptfs sends out an encrypt request. > - We have a great clod of key mangement code in-kernel. Why is that > not suitable (or growable) for public key management? eCryptfs uses Howells' keyring to store persistent key data and PKI state information. It defers public key cryptographic transformations to userspace code. The userspace data manipulation request really is orthogonal to key management in and of itself. What eCryptfs basically needs is a secure way to communicate with a particular daemon for a particular task doing a syscall, based on the UID. Nothing running under another UID should be able to access that channel of communication. > - Is it appropriate that new infrastructure for public key > management be private to a particular fs? The messaging.c file contains a lot of code that, perhaps, could be extracted into a separate kernel service. In essence, this would be a sort of request/reply mechanism that would involve a userspace daemon. I am not aware of anything that does quite what eCryptfs does, so I was not aware of any existing tools to do just what we wanted. > What happens if one of these daemons exits without sending a quit > message? There is a stale uid<->pid association in the hash table for that user. When the user registers a new daemon, eCryptfs cleans up the old association and generates a new one. See ecryptfs_process_helo(). > - _why_ does it use netlink? Netlink provides the transport mechanism that would minimize the complexity of the implementation, given that we can have multiple daemons (one per user). I explored the possibility of using relayfs, but that would involve having to introduce control channels and a protocol for creating and tearing down channels for the daemons. We do not have to worry about any of that with netlink. Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com> Cc: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs/netlink.c')
-rw-r--r--fs/ecryptfs/netlink.c255
1 files changed, 255 insertions, 0 deletions
diff --git a/fs/ecryptfs/netlink.c b/fs/ecryptfs/netlink.c
new file mode 100644
index 000000000000..aba061d62118
--- /dev/null
+++ b/fs/ecryptfs/netlink.c
@@ -0,0 +1,255 @@
1/**
2 * eCryptfs: Linux filesystem encryption layer
3 *
4 * Copyright (C) 2004-2006 International Business Machines Corp.
5 * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com>
6 * Tyler Hicks <tyhicks@ou.edu>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License version
10 * 2 as published by the Free Software Foundation.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
20 * 02111-1307, USA.
21 */
22
23#include <net/sock.h>
24#include <linux/hash.h>
25#include <linux/random.h>
26#include "ecryptfs_kernel.h"
27
28static struct sock *ecryptfs_nl_sock;
29
30/**
31 * ecryptfs_send_netlink
32 * @data: The data to include as the payload
33 * @data_len: The byte count of the data
34 * @msg_ctx: The netlink context that will be used to handle the
35 * response message
36 * @msg_type: The type of netlink message to send
37 * @msg_flags: The flags to include in the netlink header
38 * @daemon_pid: The process id of the daemon to send the message to
39 *
40 * Sends the data to the specified daemon pid and uses the netlink
41 * context element to store the data needed for validation upon
42 * receiving the response. The data and the netlink context can be
43 * null if just sending a netlink header is sufficient. Returns zero
44 * upon sending the message; non-zero upon error.
45 */
46int ecryptfs_send_netlink(char *data, int data_len,
47 struct ecryptfs_msg_ctx *msg_ctx, u16 msg_type,
48 u16 msg_flags, pid_t daemon_pid)
49{
50 struct sk_buff *skb;
51 struct nlmsghdr *nlh;
52 struct ecryptfs_message *msg;
53 size_t payload_len;
54 int rc;
55
56 payload_len = ((data && data_len) ? (sizeof(*msg) + data_len) : 0);
57 skb = alloc_skb(NLMSG_SPACE(payload_len), GFP_KERNEL);
58 if (!skb) {
59 rc = -ENOMEM;
60 ecryptfs_printk(KERN_ERR, "Failed to allocate socket buffer\n");
61 goto out;
62 }
63 nlh = NLMSG_PUT(skb, daemon_pid, msg_ctx ? msg_ctx->counter : 0,
64 msg_type, payload_len);
65 nlh->nlmsg_flags = msg_flags;
66 if (msg_ctx && payload_len) {
67 msg = (struct ecryptfs_message *)NLMSG_DATA(nlh);
68 msg->index = msg_ctx->index;
69 msg->data_len = data_len;
70 memcpy(msg->data, data, data_len);
71 }
72 rc = netlink_unicast(ecryptfs_nl_sock, skb, daemon_pid, 0);
73 if (rc < 0) {
74 ecryptfs_printk(KERN_ERR, "Failed to send eCryptfs netlink "
75 "message; rc = [%d]\n", rc);
76 goto out;
77 }
78 rc = 0;
79 goto out;
80nlmsg_failure:
81 rc = -EMSGSIZE;
82 kfree_skb(skb);
83out:
84 return rc;
85}
86
87/**
88 * ecryptfs_process_nl_reponse
89 * @skb: The socket buffer containing the netlink message of state
90 * RESPONSE
91 *
92 * Processes a response message after sending a operation request to
93 * userspace. Attempts to assign the msg to a netlink context element
94 * at the index specified in the msg. The sk_buff and nlmsghdr must
95 * be validated before this function. Returns zero upon delivery to
96 * desired context element; non-zero upon delivery failure or error.
97 */
98static int ecryptfs_process_nl_response(struct sk_buff *skb)
99{
100 struct nlmsghdr *nlh = (struct nlmsghdr*)skb->data;
101 struct ecryptfs_message *msg = NLMSG_DATA(nlh);
102 int rc;
103
104 if (skb->len - NLMSG_HDRLEN - sizeof(*msg) != msg->data_len) {
105 rc = -EINVAL;
106 ecryptfs_printk(KERN_ERR, "Received netlink message with "
107 "incorrectly specified data length\n");
108 goto out;
109 }
110 rc = ecryptfs_process_response(msg, NETLINK_CREDS(skb)->pid,
111 nlh->nlmsg_seq);
112 if (rc)
113 printk(KERN_ERR
114 "Error processing response message; rc = [%d]\n", rc);
115out:
116 return rc;
117}
118
119/**
120 * ecryptfs_process_nl_helo
121 * @skb: The socket buffer containing the nlmsghdr in HELO state
122 *
123 * Gets uid and pid of the skb and adds the values to the daemon id
124 * hash. Returns zero after adding a new daemon id to the hash list;
125 * non-zero otherwise.
126 */
127static int ecryptfs_process_nl_helo(struct sk_buff *skb)
128{
129 int rc;
130
131 rc = ecryptfs_process_helo(ECRYPTFS_TRANSPORT_NETLINK,
132 NETLINK_CREDS(skb)->uid,
133 NETLINK_CREDS(skb)->pid);
134 if (rc)
135 printk(KERN_WARNING "Error processing HELO; rc = [%d]\n", rc);
136 return rc;
137}
138
139/**
140 * ecryptfs_process_nl_quit
141 * @skb: The socket buffer containing the nlmsghdr in QUIT state
142 *
143 * Gets uid and pid of the skb and deletes the corresponding daemon
144 * id, if it is the registered that is requesting the
145 * deletion. Returns zero after deleting the desired daemon id;
146 * non-zero otherwise.
147 */
148static int ecryptfs_process_nl_quit(struct sk_buff *skb)
149{
150 int rc;
151
152 rc = ecryptfs_process_quit(NETLINK_CREDS(skb)->uid,
153 NETLINK_CREDS(skb)->pid);
154 if (rc)
155 printk(KERN_WARNING
156 "Error processing QUIT message; rc = [%d]\n", rc);
157 return rc;
158}
159
160/**
161 * ecryptfs_receive_nl_message
162 *
163 * Callback function called by netlink system when a message arrives.
164 * If the message looks to be valid, then an attempt is made to assign
165 * it to its desired netlink context element and wake up the process
166 * that is waiting for a response.
167 */
168static void ecryptfs_receive_nl_message(struct sock *sk, int len)
169{
170 struct sk_buff *skb;
171 struct nlmsghdr *nlh;
172 int rc = 0; /* skb_recv_datagram requires this */
173
174receive:
175 skb = skb_recv_datagram(sk, 0, 0, &rc);
176 if (rc == -EINTR)
177 goto receive;
178 else if (rc < 0) {
179 ecryptfs_printk(KERN_ERR, "Error occurred while "
180 "receiving eCryptfs netlink message; "
181 "rc = [%d]\n", rc);
182 return;
183 }
184 nlh = (struct nlmsghdr *)skb->data;
185 if (!NLMSG_OK(nlh, skb->len)) {
186 ecryptfs_printk(KERN_ERR, "Received corrupt netlink "
187 "message\n");
188 goto free;
189 }
190 switch (nlh->nlmsg_type) {
191 case ECRYPTFS_NLMSG_RESPONSE:
192 if (ecryptfs_process_nl_response(skb)) {
193 ecryptfs_printk(KERN_WARNING, "Failed to "
194 "deliver netlink response to "
195 "requesting operation\n");
196 }
197 break;
198 case ECRYPTFS_NLMSG_HELO:
199 if (ecryptfs_process_nl_helo(skb)) {
200 ecryptfs_printk(KERN_WARNING, "Failed to "
201 "fulfill HELO request\n");
202 }
203 break;
204 case ECRYPTFS_NLMSG_QUIT:
205 if (ecryptfs_process_nl_quit(skb)) {
206 ecryptfs_printk(KERN_WARNING, "Failed to "
207 "fulfill QUIT request\n");
208 }
209 break;
210 default:
211 ecryptfs_printk(KERN_WARNING, "Dropping netlink "
212 "message of unrecognized type [%d]\n",
213 nlh->nlmsg_type);
214 break;
215 }
216free:
217 kfree_skb(skb);
218}
219
220/**
221 * ecryptfs_init_netlink
222 *
223 * Initializes the daemon id hash list, netlink context array, and
224 * necessary locks. Returns zero upon success; non-zero upon error.
225 */
226int ecryptfs_init_netlink(void)
227{
228 int rc;
229
230 ecryptfs_nl_sock = netlink_kernel_create(NETLINK_ECRYPTFS, 0,
231 ecryptfs_receive_nl_message,
232 THIS_MODULE);
233 if (!ecryptfs_nl_sock) {
234 rc = -EIO;
235 ecryptfs_printk(KERN_ERR, "Failed to create netlink socket\n");
236 goto out;
237 }
238 ecryptfs_nl_sock->sk_sndtimeo = ECRYPTFS_DEFAULT_SEND_TIMEOUT;
239 rc = 0;
240out:
241 return rc;
242}
243
244/**
245 * ecryptfs_release_netlink
246 *
247 * Frees all memory used by the netlink context array and releases the
248 * netlink socket.
249 */
250void ecryptfs_release_netlink(void)
251{
252 if (ecryptfs_nl_sock && ecryptfs_nl_sock->sk_socket)
253 sock_release(ecryptfs_nl_sock->sk_socket);
254 ecryptfs_nl_sock = NULL;
255}