On Wed, Aug 21, 2019 at 12:57:13AM -0700, Satya Tangirala wrote:
> Introduce fscrypt_set_bio_crypt_ctx for filesystems to call to set up
> encryption contexts in bios, and fscrypt_evict_crypt_key to evict
> the encryption context associated with an inode.
>
> Inline encryption is controlled by a policy flag in the fscrypt_info
> in the inode, and filesystems may check if an inode should use inline
> encryption by calling fscrypt_inode_is_inline_crypted. Files can be marked
> as inline encrypted from userspace by appropriately modifying the flags
> (OR-ing FS_POLICY_FLAGS_INLINE_ENCRYPTION to it) in the fscrypt_policy
> passed to fscrypt_ioctl_set_policy.
>
> To test inline encryption with the fscrypt dummy context, add
> ctx.flags |= FS_POLICY_FLAGS_INLINE_ENCRYPTION
> when setting up the dummy context in fs/crypto/keyinfo.c.
INLINE_ENCRYPTION => INLINE_CRYPT_OPTIMIZED.
(Code was updated, but the commit message was not.)
> diff --git a/fs/crypto/bio.c b/fs/crypto/bio.c
> index 82da2510721f..d3c3f63ec109 100644
> --- a/fs/crypto/bio.c
> +++ b/fs/crypto/bio.c
[...]
> +#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
> +enum blk_crypto_mode_num
> +get_blk_crypto_mode_for_fscryptalg(u8 fscrypt_alg)
> +{
> + switch (fscrypt_alg) {
> + case FS_ENCRYPTION_MODE_AES_256_XTS:
> + return BLK_ENCRYPTION_MODE_AES_256_XTS;
> + default: return BLK_ENCRYPTION_MODE_INVALID;
> + }
> +}
This function isn't static, so it needs the "fscrypt_" prefix.
How about: fscrypt_mode_to_block_mode(u8 fscrypt_mode);
> +int fscrypt_set_bio_crypt_ctx(struct bio *bio,
> + const struct inode *inode,
> + u64 data_unit_num,
> + gfp_t gfp_mask)
> +{
> + struct fscrypt_info *ci = inode->i_crypt_info;
> + int err;
> + enum blk_crypto_mode_num blk_crypto_mode;
> +
> +
> + /* If inode is not inline encrypted, nothing to do. */
> + if (!fscrypt_inode_is_inline_crypted(inode))
> + return 0;
> +
> + blk_crypto_mode = get_blk_crypto_mode_for_fscryptalg(ci->ci_data_mode);
> + if (blk_crypto_mode == BLK_ENCRYPTION_MODE_INVALID)
> + return -EINVAL;
> +
> + err = bio_crypt_set_ctx(bio, ci->ci_master_key->mk_raw,
> + blk_crypto_mode,
> + data_unit_num,
> + inode->i_blkbits,
> + gfp_mask);
> + if (err)
> + return err;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL(fscrypt_set_bio_crypt_ctx);
The end can shortened to: return bio_crypt_set_ctx(...)
> +int fscrypt_evict_crypt_key(struct inode *inode)
> +{
> + struct request_queue *q;
> + struct fscrypt_info *ci;
> +
> + if (!inode)
> + return 0;
> +
> + q = inode->i_sb->s_bdev->bd_queue;
> + ci = inode->i_crypt_info;
> +
> + if (!q || !q->ksm || !ci ||
> + !fscrypt_inode_is_inline_crypted(inode)) {
> + return 0;
> + }
> +
> + return keyslot_manager_evict_key(q->ksm,
> + ci->ci_master_key->mk_raw,
> + get_blk_crypto_mode_for_fscryptalg(
> + ci->ci_data_mode),
> + 1 << inode->i_blkbits);
> +}
> +EXPORT_SYMBOL(fscrypt_evict_crypt_key);
This is really evicting a master key that may be shared by many inodes... So it
doesn't make sense to pass a specific inode here. Shouldn't it pass the struct
fscrypt_master_key itself?
Also, this function needs kerneldoc.
> +
> +bool fscrypt_inode_crypt_mergeable(const struct inode *inode_1,
> + const struct inode *inode_2)
> +{
> + struct fscrypt_info *ci_1, *ci_2;
> + bool enc_1 = !inode_1 || fscrypt_inode_is_inline_crypted(inode_1);
> + bool enc_2 = !inode_2 || fscrypt_inode_is_inline_crypted(inode_2);
> +
> + if (enc_1 != enc_2)
> + return false;
> +
> + if (!enc_1)
> + return true;
> +
> + if (inode_1 == inode_2)
> + return true;
> +
> + ci_1 = inode_1->i_crypt_info;
> + ci_2 = inode_2->i_crypt_info;
> +
> + return ci_1->ci_data_mode == ci_2->ci_data_mode &&
> + crypto_memneq(ci_1->ci_master_key->mk_raw,
> + ci_2->ci_master_key->mk_raw,
> + ci_1->ci_master_key->mk_mode->keysize) == 0;
> +}
> +EXPORT_SYMBOL(fscrypt_inode_crypt_mergeable);
Needs kerneldoc.
> diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
> index 207ebed918c1..989cf12217df 100644
> --- a/fs/crypto/keyinfo.c
> +++ b/fs/crypto/keyinfo.c
[...]
> - if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL)
> + if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) {
> crypt_info = NULL;
> + if (!flags_inline_crypted(ctx.flags, inode))
> + goto out;
> + blk_crypto_mode = get_blk_crypto_mode_for_fscryptalg(
> + inode->i_crypt_info->ci_mode - available_modes);
> +
> + if (keyslot_manager_rq_crypto_mode_supported(
> + inode->i_sb->s_bdev->bd_queue,
> + blk_crypto_mode,
> + (1 << inode->i_blkbits))) {
> + goto out;
> + }
> +
> + blk_crypto_mode_alloc_ciphers(blk_crypto_mode);
> + }
As soon as ->i_crypt_info is set by the cmpxchg_release(), another thread can
start I/O to the file. So it's too late to call blk_crypto_mode_alloc_ciphers()
here; it needs to happen before the cmpxchg_release().
Also, shouldn't keyslot_manager_rq_crypto_mode_supported() and
blk_crypto_mode_alloc_ciphers() be combined into a single function like
blk_crypto_start_using_mode()? The fact that it may have to pre-allocate the
crypto transforms is an implementation detail, not something that users of the
block layer should care about, it seems...
> diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
> index bd8f207a2fb6..6db1c7c5009d 100644
> --- a/include/linux/fscrypt.h
> +++ b/include/linux/fscrypt.h
> @@ -61,6 +61,7 @@ struct fscrypt_operations {
> bool (*dummy_context)(struct inode *);
> bool (*empty_dir)(struct inode *);
> unsigned int max_namelen;
> + bool inline_crypt_supp;
> };
>
> /* Decryption work */
> @@ -141,6 +142,23 @@ extern int fscrypt_inherit_context(struct inode *,
> struct inode *,
> extern int fscrypt_get_encryption_info(struct inode *);
> extern void fscrypt_put_encryption_info(struct inode *);
> extern void fscrypt_free_inode(struct inode *);
> +extern bool fscrypt_needs_fs_layer_crypto(const struct inode *inode);
> +
> +#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
> +extern bool fscrypt_inode_is_inline_crypted(const struct inode *inode);
> +extern bool fscrypt_inode_crypt_mergeable(const struct inode *inode_1,
> + const struct inode *inode_2);
> +#else
> +static inline bool fscrypt_inode_is_inline_crypted(const struct inode *inode)
> +{
> + return false;
> +}
> +static inline bool fscrypt_inode_crypt_mergeable(const struct inode *inode_1,
> + const struct inode *inode_2)
> +{
> + return true;
> +}
> +#endif /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
Please try to put all the declarations in the right place. E.g.
fscrypt_inode_crypt_mergeable() is in the /* keyinfo.c */ part of
this header, but it's actually defined in fs/crypto/bio.c.
>
> /* fname.c */
> extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
> @@ -237,6 +255,29 @@ extern void fscrypt_enqueue_decrypt_bio(struct
> fscrypt_ctx *ctx,
> struct bio *bio);
> extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
> unsigned int);
> +#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
> +extern int fscrypt_set_bio_crypt_ctx(struct bio *bio,
> + const struct inode *inode,
> + u64 data_unit_num,
> + gfp_t gfp_mask);
> +extern void fscrypt_unset_bio_crypt_ctx(struct bio *bio);
> +extern int fscrypt_evict_crypt_key(struct inode *inode);
> +#else
> +static inline int fscrypt_set_bio_crypt_ctx(struct bio *bio,
> + const struct inode *inode,
> + u64 data_unit_num,
> + gfp_t gfp_mask)
> +{
> + return 0;
> +}
> +
> +static inline void fscrypt_unset_bio_crypt_ctx(struct bio *bio) { }
> +
> +static inline int fscrypt_evict_crypt_key(struct inode *inode)
> +{
> + return 0;
> +}
> +#endif
fscrypt_evict_crypt_key() is only called by fs/crypto/ itself, so why is it
being exported to filesystems?
> diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
> index 59c71fa8c553..dea16d0f9d2e 100644
> --- a/include/uapi/linux/fs.h
> +++ b/include/uapi/linux/fs.h
> @@ -224,7 +224,8 @@ struct fsxattr {
> #define FS_POLICY_FLAGS_PAD_32 0x03
> #define FS_POLICY_FLAGS_PAD_MASK 0x03
> #define FS_POLICY_FLAG_DIRECT_KEY 0x04 /* use master key directly */
> -#define FS_POLICY_FLAGS_VALID 0x07
> +#define FS_POLICY_FLAGS_INLINE_CRYPT_OPTIMIZED 0x08
Should be "FLAG" instead of "FLAGS" since it's a single flag, not a mask or
multi-bit field. See FS_POLICY_FLAG_DIRECT_KEY.
- Eric
