@@ -13,6 +13,17 @@
#include "fscrypt_private.h"
+#define MAX_MODE_KEY_HKDF_INFO_SIZE 17
+
+/*
+ * Constant defining the various policy flags which require a non-default key
+ * policy.
+ */
+#define FSCRYPT_POLICY_FLAGS_KEY_MASK \
+ (FSCRYPT_POLICY_FLAG_DIRECT_KEY \
+ | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 \
+ | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)
+
struct fscrypt_mode fscrypt_modes[] = {
[FSCRYPT_MODE_AES_256_XTS] = {
.friendly_name = "AES-256-XTS",
@@ -184,20 +195,83 @@ int fscrypt_set_per_file_enc_key(struct fscrypt_info *ci, const u8 *raw_key)
return fscrypt_prepare_key(&ci->ci_enc_key, raw_key, ci);
}
+static struct fscrypt_prepared_key *
+mk_prepared_key_for_mode_policy(struct fscrypt_master_key *mk,
+ union fscrypt_policy *policy,
+ struct fscrypt_mode *mode)
+{
+ const u8 mode_num = mode - fscrypt_modes;
+
+ switch (policy->v2.flags & FSCRYPT_POLICY_FLAGS_KEY_MASK) {
+ case FSCRYPT_POLICY_FLAG_DIRECT_KEY:
+ return &mk->mk_direct_keys[mode_num];
+ case FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64:
+ return &mk->mk_iv_ino_lblk_64_keys[mode_num];
+ case FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32:
+ return &mk->mk_iv_ino_lblk_32_keys[mode_num];
+ default:
+ return ERR_PTR(-EINVAL);
+ }
+}
+
+static size_t
+fill_hkdf_info_for_mode_key(const struct fscrypt_info *ci,
+ u8 hkdf_info[MAX_MODE_KEY_HKDF_INFO_SIZE])
+{
+ const u8 mode_num = ci->ci_mode - fscrypt_modes;
+ const struct super_block *sb = ci->ci_inode->i_sb;
+ u8 hkdf_infolen = 0;
+
+ hkdf_info[hkdf_infolen++] = mode_num;
+ if (!(ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
+ memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
+ sizeof(sb->s_uuid));
+ hkdf_infolen += sizeof(sb->s_uuid);
+ }
+ return hkdf_infolen;
+}
+
static int setup_new_mode_prepared_key(struct fscrypt_master_key *mk,
struct fscrypt_prepared_key *prep_key,
- const struct fscrypt_info *ci,
- u8 hkdf_context, bool include_fs_uuid)
+ const struct fscrypt_info *ci)
{
const struct inode *inode = ci->ci_inode;
const struct super_block *sb = inode->i_sb;
+ unsigned int policy_flags = fscrypt_policy_flags(&ci->ci_policy);
struct fscrypt_mode *mode = ci->ci_mode;
const u8 mode_num = mode - fscrypt_modes;
u8 mode_key[FSCRYPT_MAX_KEY_SIZE];
u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)];
unsigned int hkdf_infolen = 0;
+ u8 hkdf_context = 0;
int err = 0;
+ switch (policy_flags & FSCRYPT_POLICY_FLAGS_KEY_MASK) {
+ case FSCRYPT_POLICY_FLAG_DIRECT_KEY:
+ hkdf_context = HKDF_CONTEXT_DIRECT_KEY;
+ break;
+ case FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64:
+ hkdf_context = HKDF_CONTEXT_IV_INO_LBLK_64_KEY;
+ break;
+ case FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32:
+ hkdf_context = HKDF_CONTEXT_IV_INO_LBLK_32_KEY;
+ break;
+ }
+
+ /*
+ * For DIRECT_KEY policies: instead of deriving per-file encryption
+ * keys, the per-file nonce will be included in all the IVs. But
+ * unlike v1 policies, for v2 policies in this case we don't encrypt
+ * with the master key directly but rather derive a per-mode encryption
+ * key. This ensures that the master key is consistently used only for
+ * HKDF, avoiding key reuse issues.
+ *
+ * For IV_INO_LBLK policies: encryption keys are derived from
+ * (master_key, mode_num, filesystem_uuid), and inode number is
+ * included in the IVs. This format is optimized for use with inline
+ * encryption hardware compliant with the UFS standard.
+ */
+
mutex_lock(&fscrypt_mode_key_setup_mutex);
if (fscrypt_is_key_prepared(prep_key, ci))
@@ -205,13 +279,9 @@ static int setup_new_mode_prepared_key(struct fscrypt_master_key *mk,
BUILD_BUG_ON(sizeof(mode_num) != 1);
BUILD_BUG_ON(sizeof(sb->s_uuid) != 16);
- BUILD_BUG_ON(sizeof(hkdf_info) != 17);
- hkdf_info[hkdf_infolen++] = mode_num;
- if (include_fs_uuid) {
- memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
- sizeof(sb->s_uuid));
- hkdf_infolen += sizeof(sb->s_uuid);
- }
+ BUILD_BUG_ON(sizeof(hkdf_info) != MAX_MODE_KEY_HKDF_INFO_SIZE);
+ hkdf_infolen = fill_hkdf_info_for_mode_key(ci, hkdf_info);
+
err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
hkdf_context, hkdf_info, hkdf_infolen,
mode_key, mode->keysize);
@@ -225,10 +295,8 @@ static int setup_new_mode_prepared_key(struct fscrypt_master_key *mk,
return err;
}
-static int find_mode_prepared_key(struct fscrypt_info *ci,
- struct fscrypt_master_key *mk,
- struct fscrypt_prepared_key *keys,
- u8 hkdf_context, bool include_fs_uuid)
+static int setup_mode_prepared_key(struct fscrypt_info *ci,
+ struct fscrypt_master_key *mk)
{
struct fscrypt_mode *mode = ci->ci_mode;
const u8 mode_num = mode - fscrypt_modes;
@@ -238,13 +306,15 @@ static int find_mode_prepared_key(struct fscrypt_info *ci,
if (WARN_ON_ONCE(mode_num > FSCRYPT_MODE_MAX))
return -EINVAL;
- prep_key = &keys[mode_num];
+ prep_key = mk_prepared_key_for_mode_policy(mk, &ci->ci_policy, mode);
+ if (IS_ERR(prep_key))
+ return PTR_ERR(prep_key);
+
if (fscrypt_is_key_prepared(prep_key, ci)) {
ci->ci_enc_key = *prep_key;
return 0;
}
- err = setup_new_mode_prepared_key(mk, prep_key, ci, hkdf_context,
- include_fs_uuid);
+ err = setup_new_mode_prepared_key(mk, prep_key, ci);
if (err)
return err;
@@ -333,33 +403,8 @@ static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,
{
int err;
- if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
- /*
- * DIRECT_KEY: instead of deriving per-file encryption keys, the
- * per-file nonce will be included in all the IVs. But unlike
- * v1 policies, for v2 policies in this case we don't encrypt
- * with the master key directly but rather derive a per-mode
- * encryption key. This ensures that the master key is
- * consistently used only for HKDF, avoiding key reuse issues.
- */
- err = find_mode_prepared_key(ci, mk, mk->mk_direct_keys,
- HKDF_CONTEXT_DIRECT_KEY, false);
- } else if (ci->ci_policy.v2.flags &
- FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
- /*
- * IV_INO_LBLK_64: encryption keys are derived from (master_key,
- * mode_num, filesystem_uuid), and inode number is included in
- * the IVs. This format is optimized for use with inline
- * encryption hardware compliant with the UFS standard.
- */
- err = find_mode_prepared_key(ci, mk, mk->mk_iv_ino_lblk_64_keys,
- HKDF_CONTEXT_IV_INO_LBLK_64_KEY,
- true);
- } else if (ci->ci_policy.v2.flags &
- FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
- err = find_mode_prepared_key(ci, mk, mk->mk_iv_ino_lblk_32_keys,
- HKDF_CONTEXT_IV_INO_LBLK_32_KEY,
- true);
+ if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAGS_KEY_MASK) {
+ err = setup_mode_prepared_key(ci, mk);
} else {
u8 derived_key[FSCRYPT_MAX_KEY_SIZE];
Currently, fscrypt_setup_v2_file_key() has a set of ifs which encode various information about how to set up a new mode key if necessary for a shared-key policy (DIRECT or IV_INO_LBLK_*). This is somewhat awkward -- this information is only needed at the point that we need to setup a new key, which is not the common case; the setup details are recorded as function parameters relatively far from where they're actually used; and at the point we use the parameters, we can derive the information equally well. So this moves mode and policy checking as deep into the callstack as possible. mk_prepared_key_for_mode_policy() deals with the array lookup within a master key. And fill_hkdf_info_for mode_key() deals with filling in the hkdf info as necessary for a particular policy. These seem a little clearer in broad strokes, emphasizing the similarities between the policies, but it does spread out the information on how the key is derived for a particular policy more. Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me> --- fs/crypto/keysetup.c | 131 +++++++++++++++++++++++++++++-------------- 1 file changed, 88 insertions(+), 43 deletions(-)