2 * This contains encryption functions for per-file encryption.
4 * Copyright (C) 2015, Google, Inc.
5 * Copyright (C) 2015, Motorola Mobility
7 * Written by Michael Halcrow, 2014.
9 * Filename encryption additions
10 * Uday Savagaonkar, 2014
11 * Encryption policy handling additions
12 * Ildar Muslukhov, 2014
13 * Add fscrypt_pullback_bio_page()
16 * This has not yet undergone a rigorous security audit.
18 * The usage of AES-XTS should conform to recommendations in NIST
19 * Special Publication 800-38E and IEEE P1619/D16.
22 #include <linux/pagemap.h>
23 #include <linux/mempool.h>
24 #include <linux/module.h>
25 #include <linux/scatterlist.h>
26 #include <linux/ratelimit.h>
27 #include <linux/bio.h>
28 #include <linux/dcache.h>
29 #include <linux/namei.h>
30 #include <linux/fscrypto.h>
32 static unsigned int num_prealloc_crypto_pages
= 32;
33 static unsigned int num_prealloc_crypto_ctxs
= 128;
35 module_param(num_prealloc_crypto_pages
, uint
, 0444);
36 MODULE_PARM_DESC(num_prealloc_crypto_pages
,
37 "Number of crypto pages to preallocate");
38 module_param(num_prealloc_crypto_ctxs
, uint
, 0444);
39 MODULE_PARM_DESC(num_prealloc_crypto_ctxs
,
40 "Number of crypto contexts to preallocate");
42 static mempool_t
*fscrypt_bounce_page_pool
= NULL
;
44 static LIST_HEAD(fscrypt_free_ctxs
);
45 static DEFINE_SPINLOCK(fscrypt_ctx_lock
);
47 static struct workqueue_struct
*fscrypt_read_workqueue
;
48 static DEFINE_MUTEX(fscrypt_init_mutex
);
50 static struct kmem_cache
*fscrypt_ctx_cachep
;
51 struct kmem_cache
*fscrypt_info_cachep
;
54 * fscrypt_release_ctx() - Releases an encryption context
55 * @ctx: The encryption context to release.
57 * If the encryption context was allocated from the pre-allocated pool, returns
58 * it to that pool. Else, frees it.
60 * If there's a bounce page in the context, this frees that.
62 void fscrypt_release_ctx(struct fscrypt_ctx
*ctx
)
66 if (ctx
->flags
& FS_WRITE_PATH_FL
&& ctx
->w
.bounce_page
) {
67 mempool_free(ctx
->w
.bounce_page
, fscrypt_bounce_page_pool
);
68 ctx
->w
.bounce_page
= NULL
;
70 ctx
->w
.control_page
= NULL
;
71 if (ctx
->flags
& FS_CTX_REQUIRES_FREE_ENCRYPT_FL
) {
72 kmem_cache_free(fscrypt_ctx_cachep
, ctx
);
74 spin_lock_irqsave(&fscrypt_ctx_lock
, flags
);
75 list_add(&ctx
->free_list
, &fscrypt_free_ctxs
);
76 spin_unlock_irqrestore(&fscrypt_ctx_lock
, flags
);
79 EXPORT_SYMBOL(fscrypt_release_ctx
);
82 * fscrypt_get_ctx() - Gets an encryption context
83 * @inode: The inode for which we are doing the crypto
84 * @gfp_flags: The gfp flag for memory allocation
86 * Allocates and initializes an encryption context.
88 * Return: An allocated and initialized encryption context on success; error
89 * value or NULL otherwise.
91 struct fscrypt_ctx
*fscrypt_get_ctx(struct inode
*inode
, gfp_t gfp_flags
)
93 struct fscrypt_ctx
*ctx
= NULL
;
94 struct fscrypt_info
*ci
= inode
->i_crypt_info
;
98 return ERR_PTR(-ENOKEY
);
101 * We first try getting the ctx from a free list because in
102 * the common case the ctx will have an allocated and
103 * initialized crypto tfm, so it's probably a worthwhile
104 * optimization. For the bounce page, we first try getting it
105 * from the kernel allocator because that's just about as fast
106 * as getting it from a list and because a cache of free pages
107 * should generally be a "last resort" option for a filesystem
108 * to be able to do its job.
110 spin_lock_irqsave(&fscrypt_ctx_lock
, flags
);
111 ctx
= list_first_entry_or_null(&fscrypt_free_ctxs
,
112 struct fscrypt_ctx
, free_list
);
114 list_del(&ctx
->free_list
);
115 spin_unlock_irqrestore(&fscrypt_ctx_lock
, flags
);
117 ctx
= kmem_cache_zalloc(fscrypt_ctx_cachep
, gfp_flags
);
119 return ERR_PTR(-ENOMEM
);
120 ctx
->flags
|= FS_CTX_REQUIRES_FREE_ENCRYPT_FL
;
122 ctx
->flags
&= ~FS_CTX_REQUIRES_FREE_ENCRYPT_FL
;
124 ctx
->flags
&= ~FS_WRITE_PATH_FL
;
127 EXPORT_SYMBOL(fscrypt_get_ctx
);
130 * page_crypt_complete() - completion callback for page crypto
131 * @req: The asynchronous cipher request context
132 * @res: The result of the cipher operation
134 static void page_crypt_complete(struct crypto_async_request
*req
, int res
)
136 struct fscrypt_completion_result
*ecr
= req
->data
;
138 if (res
== -EINPROGRESS
)
141 complete(&ecr
->completion
);
147 } fscrypt_direction_t
;
149 static int do_page_crypto(struct inode
*inode
,
150 fscrypt_direction_t rw
, pgoff_t index
,
151 struct page
*src_page
, struct page
*dest_page
,
154 u8 xts_tweak
[FS_XTS_TWEAK_SIZE
];
155 struct skcipher_request
*req
= NULL
;
156 DECLARE_FS_COMPLETION_RESULT(ecr
);
157 struct scatterlist dst
, src
;
158 struct fscrypt_info
*ci
= inode
->i_crypt_info
;
159 struct crypto_skcipher
*tfm
= ci
->ci_ctfm
;
162 req
= skcipher_request_alloc(tfm
, gfp_flags
);
164 printk_ratelimited(KERN_ERR
165 "%s: crypto_request_alloc() failed\n",
170 skcipher_request_set_callback(
171 req
, CRYPTO_TFM_REQ_MAY_BACKLOG
| CRYPTO_TFM_REQ_MAY_SLEEP
,
172 page_crypt_complete
, &ecr
);
174 BUILD_BUG_ON(FS_XTS_TWEAK_SIZE
< sizeof(index
));
175 memcpy(xts_tweak
, &index
, sizeof(index
));
176 memset(&xts_tweak
[sizeof(index
)], 0,
177 FS_XTS_TWEAK_SIZE
- sizeof(index
));
179 sg_init_table(&dst
, 1);
180 sg_set_page(&dst
, dest_page
, PAGE_SIZE
, 0);
181 sg_init_table(&src
, 1);
182 sg_set_page(&src
, src_page
, PAGE_SIZE
, 0);
183 skcipher_request_set_crypt(req
, &src
, &dst
, PAGE_SIZE
,
185 if (rw
== FS_DECRYPT
)
186 res
= crypto_skcipher_decrypt(req
);
188 res
= crypto_skcipher_encrypt(req
);
189 if (res
== -EINPROGRESS
|| res
== -EBUSY
) {
190 BUG_ON(req
->base
.data
!= &ecr
);
191 wait_for_completion(&ecr
.completion
);
194 skcipher_request_free(req
);
196 printk_ratelimited(KERN_ERR
197 "%s: crypto_skcipher_encrypt() returned %d\n",
204 static struct page
*alloc_bounce_page(struct fscrypt_ctx
*ctx
, gfp_t gfp_flags
)
206 ctx
->w
.bounce_page
= mempool_alloc(fscrypt_bounce_page_pool
, gfp_flags
);
207 if (ctx
->w
.bounce_page
== NULL
)
208 return ERR_PTR(-ENOMEM
);
209 ctx
->flags
|= FS_WRITE_PATH_FL
;
210 return ctx
->w
.bounce_page
;
214 * fscypt_encrypt_page() - Encrypts a page
215 * @inode: The inode for which the encryption should take place
216 * @plaintext_page: The page to encrypt. Must be locked.
217 * @gfp_flags: The gfp flag for memory allocation
219 * Allocates a ciphertext page and encrypts plaintext_page into it using the ctx
220 * encryption context.
222 * Called on the page write path. The caller must call
223 * fscrypt_restore_control_page() on the returned ciphertext page to
224 * release the bounce buffer and the encryption context.
226 * Return: An allocated page with the encrypted content on success. Else, an
227 * error value or NULL.
229 struct page
*fscrypt_encrypt_page(struct inode
*inode
,
230 struct page
*plaintext_page
, gfp_t gfp_flags
)
232 struct fscrypt_ctx
*ctx
;
233 struct page
*ciphertext_page
= NULL
;
236 BUG_ON(!PageLocked(plaintext_page
));
238 ctx
= fscrypt_get_ctx(inode
, gfp_flags
);
240 return (struct page
*)ctx
;
242 /* The encryption operation will require a bounce page. */
243 ciphertext_page
= alloc_bounce_page(ctx
, gfp_flags
);
244 if (IS_ERR(ciphertext_page
))
247 ctx
->w
.control_page
= plaintext_page
;
248 err
= do_page_crypto(inode
, FS_ENCRYPT
, plaintext_page
->index
,
249 plaintext_page
, ciphertext_page
,
252 ciphertext_page
= ERR_PTR(err
);
255 SetPagePrivate(ciphertext_page
);
256 set_page_private(ciphertext_page
, (unsigned long)ctx
);
257 lock_page(ciphertext_page
);
258 return ciphertext_page
;
261 fscrypt_release_ctx(ctx
);
262 return ciphertext_page
;
264 EXPORT_SYMBOL(fscrypt_encrypt_page
);
267 * f2crypt_decrypt_page() - Decrypts a page in-place
268 * @page: The page to decrypt. Must be locked.
270 * Decrypts page in-place using the ctx encryption context.
272 * Called from the read completion callback.
274 * Return: Zero on success, non-zero otherwise.
276 int fscrypt_decrypt_page(struct page
*page
)
278 BUG_ON(!PageLocked(page
));
280 return do_page_crypto(page
->mapping
->host
,
281 FS_DECRYPT
, page
->index
, page
, page
, GFP_NOFS
);
283 EXPORT_SYMBOL(fscrypt_decrypt_page
);
285 int fscrypt_zeroout_range(struct inode
*inode
, pgoff_t lblk
,
286 sector_t pblk
, unsigned int len
)
288 struct fscrypt_ctx
*ctx
;
289 struct page
*ciphertext_page
= NULL
;
293 BUG_ON(inode
->i_sb
->s_blocksize
!= PAGE_SIZE
);
295 ctx
= fscrypt_get_ctx(inode
, GFP_NOFS
);
299 ciphertext_page
= alloc_bounce_page(ctx
, GFP_NOWAIT
);
300 if (IS_ERR(ciphertext_page
)) {
301 err
= PTR_ERR(ciphertext_page
);
306 err
= do_page_crypto(inode
, FS_ENCRYPT
, lblk
,
307 ZERO_PAGE(0), ciphertext_page
,
312 bio
= bio_alloc(GFP_NOWAIT
, 1);
317 bio
->bi_bdev
= inode
->i_sb
->s_bdev
;
318 bio
->bi_iter
.bi_sector
=
319 pblk
<< (inode
->i_sb
->s_blocksize_bits
- 9);
320 bio_set_op_attrs(bio
, REQ_OP_WRITE
, 0);
321 ret
= bio_add_page(bio
, ciphertext_page
,
322 inode
->i_sb
->s_blocksize
, 0);
323 if (ret
!= inode
->i_sb
->s_blocksize
) {
324 /* should never happen! */
330 err
= submit_bio_wait(bio
);
331 if ((err
== 0) && bio
->bi_error
)
341 fscrypt_release_ctx(ctx
);
344 EXPORT_SYMBOL(fscrypt_zeroout_range
);
347 * Validate dentries for encrypted directories to make sure we aren't
348 * potentially caching stale data after a key has been added or
351 static int fscrypt_d_revalidate(struct dentry
*dentry
, unsigned int flags
)
354 struct fscrypt_info
*ci
;
355 int dir_has_key
, cached_with_key
;
357 if (flags
& LOOKUP_RCU
)
360 dir
= dget_parent(dentry
);
361 if (!d_inode(dir
)->i_sb
->s_cop
->is_encrypted(d_inode(dir
))) {
366 ci
= d_inode(dir
)->i_crypt_info
;
367 if (ci
&& ci
->ci_keyring_key
&&
368 (ci
->ci_keyring_key
->flags
& ((1 << KEY_FLAG_INVALIDATED
) |
369 (1 << KEY_FLAG_REVOKED
) |
370 (1 << KEY_FLAG_DEAD
))))
373 /* this should eventually be an flag in d_flags */
374 spin_lock(&dentry
->d_lock
);
375 cached_with_key
= dentry
->d_flags
& DCACHE_ENCRYPTED_WITH_KEY
;
376 spin_unlock(&dentry
->d_lock
);
377 dir_has_key
= (ci
!= NULL
);
381 * If the dentry was cached without the key, and it is a
382 * negative dentry, it might be a valid name. We can't check
383 * if the key has since been made available due to locking
384 * reasons, so we fail the validation so ext4_lookup() can do
387 * We also fail the validation if the dentry was created with
388 * the key present, but we no longer have the key, or vice versa.
390 if ((!cached_with_key
&& d_is_negative(dentry
)) ||
391 (!cached_with_key
&& dir_has_key
) ||
392 (cached_with_key
&& !dir_has_key
))
397 const struct dentry_operations fscrypt_d_ops
= {
398 .d_revalidate
= fscrypt_d_revalidate
,
400 EXPORT_SYMBOL(fscrypt_d_ops
);
403 * Call fscrypt_decrypt_page on every single page, reusing the encryption
406 static void completion_pages(struct work_struct
*work
)
408 struct fscrypt_ctx
*ctx
=
409 container_of(work
, struct fscrypt_ctx
, r
.work
);
410 struct bio
*bio
= ctx
->r
.bio
;
414 bio_for_each_segment_all(bv
, bio
, i
) {
415 struct page
*page
= bv
->bv_page
;
416 int ret
= fscrypt_decrypt_page(page
);
422 SetPageUptodate(page
);
426 fscrypt_release_ctx(ctx
);
430 void fscrypt_decrypt_bio_pages(struct fscrypt_ctx
*ctx
, struct bio
*bio
)
432 INIT_WORK(&ctx
->r
.work
, completion_pages
);
434 queue_work(fscrypt_read_workqueue
, &ctx
->r
.work
);
436 EXPORT_SYMBOL(fscrypt_decrypt_bio_pages
);
438 void fscrypt_pullback_bio_page(struct page
**page
, bool restore
)
440 struct fscrypt_ctx
*ctx
;
441 struct page
*bounce_page
;
443 /* The bounce data pages are unmapped. */
444 if ((*page
)->mapping
)
447 /* The bounce data page is unmapped. */
449 ctx
= (struct fscrypt_ctx
*)page_private(bounce_page
);
451 /* restore control page */
452 *page
= ctx
->w
.control_page
;
455 fscrypt_restore_control_page(bounce_page
);
457 EXPORT_SYMBOL(fscrypt_pullback_bio_page
);
459 void fscrypt_restore_control_page(struct page
*page
)
461 struct fscrypt_ctx
*ctx
;
463 ctx
= (struct fscrypt_ctx
*)page_private(page
);
464 set_page_private(page
, (unsigned long)NULL
);
465 ClearPagePrivate(page
);
467 fscrypt_release_ctx(ctx
);
469 EXPORT_SYMBOL(fscrypt_restore_control_page
);
471 static void fscrypt_destroy(void)
473 struct fscrypt_ctx
*pos
, *n
;
475 list_for_each_entry_safe(pos
, n
, &fscrypt_free_ctxs
, free_list
)
476 kmem_cache_free(fscrypt_ctx_cachep
, pos
);
477 INIT_LIST_HEAD(&fscrypt_free_ctxs
);
478 mempool_destroy(fscrypt_bounce_page_pool
);
479 fscrypt_bounce_page_pool
= NULL
;
483 * fscrypt_initialize() - allocate major buffers for fs encryption.
485 * We only call this when we start accessing encrypted files, since it
486 * results in memory getting allocated that wouldn't otherwise be used.
488 * Return: Zero on success, non-zero otherwise.
490 int fscrypt_initialize(void)
492 int i
, res
= -ENOMEM
;
494 if (fscrypt_bounce_page_pool
)
497 mutex_lock(&fscrypt_init_mutex
);
498 if (fscrypt_bounce_page_pool
)
499 goto already_initialized
;
501 for (i
= 0; i
< num_prealloc_crypto_ctxs
; i
++) {
502 struct fscrypt_ctx
*ctx
;
504 ctx
= kmem_cache_zalloc(fscrypt_ctx_cachep
, GFP_NOFS
);
507 list_add(&ctx
->free_list
, &fscrypt_free_ctxs
);
510 fscrypt_bounce_page_pool
=
511 mempool_create_page_pool(num_prealloc_crypto_pages
, 0);
512 if (!fscrypt_bounce_page_pool
)
516 mutex_unlock(&fscrypt_init_mutex
);
520 mutex_unlock(&fscrypt_init_mutex
);
523 EXPORT_SYMBOL(fscrypt_initialize
);
526 * fscrypt_init() - Set up for fs encryption.
528 static int __init
fscrypt_init(void)
530 fscrypt_read_workqueue
= alloc_workqueue("fscrypt_read_queue",
532 if (!fscrypt_read_workqueue
)
535 fscrypt_ctx_cachep
= KMEM_CACHE(fscrypt_ctx
, SLAB_RECLAIM_ACCOUNT
);
536 if (!fscrypt_ctx_cachep
)
537 goto fail_free_queue
;
539 fscrypt_info_cachep
= KMEM_CACHE(fscrypt_info
, SLAB_RECLAIM_ACCOUNT
);
540 if (!fscrypt_info_cachep
)
546 kmem_cache_destroy(fscrypt_ctx_cachep
);
548 destroy_workqueue(fscrypt_read_workqueue
);
552 module_init(fscrypt_init
)
555 * fscrypt_exit() - Shutdown the fs encryption system
557 static void __exit
fscrypt_exit(void)
561 if (fscrypt_read_workqueue
)
562 destroy_workqueue(fscrypt_read_workqueue
);
563 kmem_cache_destroy(fscrypt_ctx_cachep
);
564 kmem_cache_destroy(fscrypt_info_cachep
);
566 module_exit(fscrypt_exit
);
568 MODULE_LICENSE("GPL");