8094c3ceb2
Add support for the Adiantum encryption mode to fscrypt. Adiantum is a
tweakable, length-preserving encryption mode with security provably
reducible to that of XChaCha12 and AES-256, subject to a security bound.
It's also a true wide-block mode, unlike XTS. See the paper
"Adiantum: length-preserving encryption for entry-level processors"
(https://eprint.iacr.org/2018/720.pdf) for more details. Also see
commit 059c2a4d8e ("crypto: adiantum - add Adiantum support").
On sufficiently long messages, Adiantum's bottlenecks are XChaCha12 and
the NH hash function. These algorithms are fast even on processors
without dedicated crypto instructions. Adiantum makes it feasible to
enable storage encryption on low-end mobile devices that lack AES
instructions; currently such devices are unencrypted. On ARM Cortex-A7,
on 4096-byte messages Adiantum encryption is about 4 times faster than
AES-256-XTS encryption; decryption is about 5 times faster.
In fscrypt, Adiantum is suitable for encrypting both file contents and
names. With filenames, it fixes a known weakness: when two filenames in
a directory share a common prefix of >= 16 bytes, with CTS-CBC their
encrypted filenames share a common prefix too, leaking information.
Adiantum does not have this problem.
Since Adiantum also accepts long tweaks (IVs), it's also safe to use the
master key directly for Adiantum encryption rather than deriving
per-file keys, provided that the per-file nonce is included in the IVs
and the master key isn't used for any other encryption mode. This
configuration saves memory and improves performance. A new fscrypt
policy flag is added to allow users to opt-in to this configuration.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
176 lines
4.5 KiB
C
176 lines
4.5 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* fscrypt_private.h
|
|
*
|
|
* Copyright (C) 2015, Google, Inc.
|
|
*
|
|
* This contains encryption key functions.
|
|
*
|
|
* Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
|
|
*/
|
|
|
|
#ifndef _FSCRYPT_PRIVATE_H
|
|
#define _FSCRYPT_PRIVATE_H
|
|
|
|
#define __FS_HAS_ENCRYPTION 1
|
|
#include <linux/fscrypt.h>
|
|
#include <crypto/hash.h>
|
|
|
|
/* Encryption parameters */
|
|
#define FS_KEY_DERIVATION_NONCE_SIZE 16
|
|
|
|
/**
|
|
* Encryption context for inode
|
|
*
|
|
* Protector format:
|
|
* 1 byte: Protector format (1 = this version)
|
|
* 1 byte: File contents encryption mode
|
|
* 1 byte: File names encryption mode
|
|
* 1 byte: Flags
|
|
* 8 bytes: Master Key descriptor
|
|
* 16 bytes: Encryption Key derivation nonce
|
|
*/
|
|
struct fscrypt_context {
|
|
u8 format;
|
|
u8 contents_encryption_mode;
|
|
u8 filenames_encryption_mode;
|
|
u8 flags;
|
|
u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
|
|
u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
} __packed;
|
|
|
|
#define FS_ENCRYPTION_CONTEXT_FORMAT_V1 1
|
|
|
|
/**
|
|
* For encrypted symlinks, the ciphertext length is stored at the beginning
|
|
* of the string in little-endian format.
|
|
*/
|
|
struct fscrypt_symlink_data {
|
|
__le16 len;
|
|
char encrypted_path[1];
|
|
} __packed;
|
|
|
|
/*
|
|
* fscrypt_info - the "encryption key" for an inode
|
|
*
|
|
* When an encrypted file's key is made available, an instance of this struct is
|
|
* allocated and stored in ->i_crypt_info. Once created, it remains until the
|
|
* inode is evicted.
|
|
*/
|
|
struct fscrypt_info {
|
|
|
|
/* The actual crypto transform used for encryption and decryption */
|
|
struct crypto_skcipher *ci_ctfm;
|
|
|
|
/*
|
|
* Cipher for ESSIV IV generation. Only set for CBC contents
|
|
* encryption, otherwise is NULL.
|
|
*/
|
|
struct crypto_cipher *ci_essiv_tfm;
|
|
|
|
/*
|
|
* Encryption mode used for this inode. It corresponds to either
|
|
* ci_data_mode or ci_filename_mode, depending on the inode type.
|
|
*/
|
|
struct fscrypt_mode *ci_mode;
|
|
|
|
/*
|
|
* If non-NULL, then this inode uses a master key directly rather than a
|
|
* derived key, and ci_ctfm will equal ci_master_key->mk_ctfm.
|
|
* Otherwise, this inode uses a derived key.
|
|
*/
|
|
struct fscrypt_master_key *ci_master_key;
|
|
|
|
/* fields from the fscrypt_context */
|
|
u8 ci_data_mode;
|
|
u8 ci_filename_mode;
|
|
u8 ci_flags;
|
|
u8 ci_master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
|
|
u8 ci_nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
};
|
|
|
|
typedef enum {
|
|
FS_DECRYPT = 0,
|
|
FS_ENCRYPT,
|
|
} fscrypt_direction_t;
|
|
|
|
#define FS_CTX_REQUIRES_FREE_ENCRYPT_FL 0x00000001
|
|
#define FS_CTX_HAS_BOUNCE_BUFFER_FL 0x00000002
|
|
|
|
static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
|
|
u32 filenames_mode)
|
|
{
|
|
if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS)
|
|
return true;
|
|
|
|
if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
|
|
return true;
|
|
|
|
if (contents_mode == FS_ENCRYPTION_MODE_ADIANTUM &&
|
|
filenames_mode == FS_ENCRYPTION_MODE_ADIANTUM)
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
|
|
/* crypto.c */
|
|
extern struct kmem_cache *fscrypt_info_cachep;
|
|
extern int fscrypt_initialize(unsigned int cop_flags);
|
|
extern int fscrypt_do_page_crypto(const struct inode *inode,
|
|
fscrypt_direction_t rw, u64 lblk_num,
|
|
struct page *src_page,
|
|
struct page *dest_page,
|
|
unsigned int len, unsigned int offs,
|
|
gfp_t gfp_flags);
|
|
extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx,
|
|
gfp_t gfp_flags);
|
|
extern const struct dentry_operations fscrypt_d_ops;
|
|
|
|
extern void __printf(3, 4) __cold
|
|
fscrypt_msg(struct super_block *sb, const char *level, const char *fmt, ...);
|
|
|
|
#define fscrypt_warn(sb, fmt, ...) \
|
|
fscrypt_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__)
|
|
#define fscrypt_err(sb, fmt, ...) \
|
|
fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__)
|
|
|
|
#define FSCRYPT_MAX_IV_SIZE 32
|
|
|
|
union fscrypt_iv {
|
|
struct {
|
|
/* logical block number within the file */
|
|
__le64 lblk_num;
|
|
|
|
/* per-file nonce; only set in DIRECT_KEY mode */
|
|
u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];
|
|
};
|
|
u8 raw[FSCRYPT_MAX_IV_SIZE];
|
|
};
|
|
|
|
void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
|
|
const struct fscrypt_info *ci);
|
|
|
|
/* fname.c */
|
|
extern int fname_encrypt(struct inode *inode, const struct qstr *iname,
|
|
u8 *out, unsigned int olen);
|
|
extern bool fscrypt_fname_encrypted_size(const struct inode *inode,
|
|
u32 orig_len, u32 max_len,
|
|
u32 *encrypted_len_ret);
|
|
|
|
/* keyinfo.c */
|
|
|
|
struct fscrypt_mode {
|
|
const char *friendly_name;
|
|
const char *cipher_str;
|
|
int keysize;
|
|
int ivsize;
|
|
bool logged_impl_name;
|
|
bool needs_essiv;
|
|
};
|
|
|
|
extern void __exit fscrypt_essiv_cleanup(void);
|
|
|
|
#endif /* _FSCRYPT_PRIVATE_H */
|