aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/ecryptfs.h113
1 files changed, 113 insertions, 0 deletions
diff --git a/include/linux/ecryptfs.h b/include/linux/ecryptfs.h
new file mode 100644
index 000000000000..2224a8c0cb64
--- /dev/null
+++ b/include/linux/ecryptfs.h
@@ -0,0 +1,113 @@
1#ifndef _LINUX_ECRYPTFS_H
2#define _LINUX_ECRYPTFS_H
3
4/* Version verification for shared data structures w/ userspace */
5#define ECRYPTFS_VERSION_MAJOR 0x00
6#define ECRYPTFS_VERSION_MINOR 0x04
7#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
8/* These flags indicate which features are supported by the kernel
9 * module; userspace tools such as the mount helper read
10 * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
11 * how to behave. */
12#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
13#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
14#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
15#define ECRYPTFS_VERSIONING_POLICY 0x00000008
16#define ECRYPTFS_VERSIONING_XATTR 0x00000010
17#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
18#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
19#define ECRYPTFS_VERSIONING_HMAC 0x00000080
20#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
21#define ECRYPTFS_VERSIONING_GCM 0x00000200
22#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
23 | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
24 | ECRYPTFS_VERSIONING_PUBKEY \
25 | ECRYPTFS_VERSIONING_XATTR \
26 | ECRYPTFS_VERSIONING_MULTKEY \
27 | ECRYPTFS_VERSIONING_DEVMISC \
28 | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
29#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
30#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
31#define ECRYPTFS_SALT_SIZE 8
32#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
33/* The original signature size is only for what is stored on disk; all
34 * in-memory representations are expanded hex, so it better adapted to
35 * be passed around or referenced on the command line */
36#define ECRYPTFS_SIG_SIZE 8
37#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
38#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
39#define ECRYPTFS_MAX_KEY_BYTES 64
40#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
41#define ECRYPTFS_FILE_VERSION 0x03
42#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
43
44#define RFC2440_CIPHER_DES3_EDE 0x02
45#define RFC2440_CIPHER_CAST_5 0x03
46#define RFC2440_CIPHER_BLOWFISH 0x04
47#define RFC2440_CIPHER_AES_128 0x07
48#define RFC2440_CIPHER_AES_192 0x08
49#define RFC2440_CIPHER_AES_256 0x09
50#define RFC2440_CIPHER_TWOFISH 0x0a
51#define RFC2440_CIPHER_CAST_6 0x0b
52
53#define RFC2440_CIPHER_RSA 0x01
54
55/**
56 * For convenience, we may need to pass around the encrypted session
57 * key between kernel and userspace because the authentication token
58 * may not be extractable. For example, the TPM may not release the
59 * private key, instead requiring the encrypted data and returning the
60 * decrypted data.
61 */
62struct ecryptfs_session_key {
63#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
64#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
65#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
66#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
67 u32 flags;
68 u32 encrypted_key_size;
69 u32 decrypted_key_size;
70 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
71 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
72};
73
74struct ecryptfs_password {
75 u32 password_bytes;
76 s32 hash_algo;
77 u32 hash_iterations;
78 u32 session_key_encryption_key_bytes;
79#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
80#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
81 u32 flags;
82 /* Iterated-hash concatenation of salt and passphrase */
83 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
84 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
85 /* Always in expanded hex */
86 u8 salt[ECRYPTFS_SALT_SIZE];
87};
88
89enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
90
91struct ecryptfs_private_key {
92 u32 key_size;
93 u32 data_len;
94 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
95 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
96 u8 data[];
97};
98
99/* May be a password or a private key */
100struct ecryptfs_auth_tok {
101 u16 version; /* 8-bit major and 8-bit minor */
102 u16 token_type;
103#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
104 u32 flags;
105 struct ecryptfs_session_key session_key;
106 u8 reserved[32];
107 union {
108 struct ecryptfs_password password;
109 struct ecryptfs_private_key private_key;
110 } token;
111} __attribute__ ((packed));
112
113#endif /* _LINUX_ECRYPTFS_H */