[v4,05/21] fscrypt: direct key policies for extent-based encryption

Commit Message

Sweet Tea Dorminy Oct. 24, 2022, 11:13 p.m. UTC

For inode-based direct key encryption policies, the inode provides a
nonce, and the encryption IV is generated by concatenating the nonce and
the offset into the inode. For extent-based direct key policies,
however, we would like to use 16-byte nonces in combination with various
AES modes with 16-byte IVs. Additionally, since contents and filenames
are encrypted with different context items in this case, we don't need
to require the encryption modes match in the two cases.

This change allows extent-based encryption to use 16-byte IVs with
direct key policies, and allows a mismatch of modes (under the usual
compatible modes constraints).

Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
---
 fs/crypto/crypto.c          | 15 +++++++++++++--
 fs/crypto/fscrypt_private.h |  4 +---
 fs/crypto/policy.c          |  4 ++++
 3 files changed, 18 insertions(+), 5 deletions(-)

Patch

diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 08b495dc5c0c..144a3a59ce51 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -93,8 +93,19 @@  void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
 		ret = fscrypt_get_extent_context(inode, lblk_num, &ctx,
 						 &extent_offset, NULL);
 		WARN_ON_ONCE(ret);
-		memcpy(iv->raw, ctx.v1.iv.raw, sizeof(*iv));
-		iv->lblk_num += cpu_to_le64(extent_offset);
+		if (ci->ci_mode->ivsize < offsetofend(union fscrypt_iv, nonce)) {
+			/*
+			 *  We need a 16 byte IV, but our nonce is 16 bytes.
+			 *  Copy to the start of the buffer and add the extent
+			 *  offset manually.
+			 */
+			memcpy(iv->raw, ctx.v1.nonce, FSCRYPT_FILE_NONCE_SIZE);
+			iv->lblk_num = cpu_to_le64(extent_offset +
+						   le64_to_cpu(iv->lblk_num));
+			return;
+		}
+		memcpy(iv->nonce, ctx.v1.nonce, FSCRYPT_FILE_NONCE_SIZE);
+		iv->lblk_num = cpu_to_le64(extent_offset);
 		return;
 	}
 
diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
index 9c4cae2580de..bb2a18c83e56 100644
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -292,7 +292,6 @@  union fscrypt_iv {
 	__le64 dun[FSCRYPT_MAX_IV_SIZE / sizeof(__le64)];
 };
 
-
 /*
  * fscrypt_extent_context - the encryption context for an extent
  *
@@ -304,7 +303,7 @@  union fscrypt_iv {
  */
 struct fscrypt_extent_context_v1 {
 	u8 version;
-	union fscrypt_iv iv;
+	u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
 } __packed;
 
 union fscrypt_extent_context {
@@ -312,7 +311,6 @@  union fscrypt_extent_context {
 	struct fscrypt_extent_context_v1 v1;
 };
 
-
 void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
 			 const struct fscrypt_info *ci);
 
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index 4a86b80e7c0b..15653933f19e 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -91,6 +91,10 @@  static bool supported_direct_key_modes(const struct inode *inode,
 {
 	const struct fscrypt_mode *mode;
 
+	/* Extent-based encryption allows any mixed mode and IV size */
+	if (inode->i_sb->s_cop->get_extent_context)
+		return true;
+
 	if (contents_mode != filenames_mode) {
 		fscrypt_warn(inode,
 			     "Direct key flag not allowed with different contents and filenames modes");