Message ID | 20190726224141.14044-15-ebiggers@kernel.org (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Series | fscrypt: key management improvements | expand |
On 07/26, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Wire up the new ioctls for adding and removing fscrypt keys to/from the > filesystem, and the new ioctl for retrieving v2 encryption policies. > > FS_IOC_REMOVE_ENCRYPTION_KEY also required making f2fs_drop_inode() call > fscrypt_drop_inode(). > > For more details see Documentation/filesystems/fscrypt.rst and the > fscrypt patches that added the implementation of these ioctls. > > Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Jaegeuk Kim <jaegeuk@kernel.org> Thanks, > --- > fs/f2fs/file.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ > fs/f2fs/super.c | 2 ++ > 2 files changed, 48 insertions(+) > > diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c > index f8d46df8fa9ee..d81dda290b829 100644 > --- a/fs/f2fs/file.c > +++ b/fs/f2fs/file.c 
> @@ -2184,6 +2184,40 @@ static int f2fs_ioc_get_encryption_pwsalt(struct file *filp, unsigned long arg) > return err; > } > > +static int f2fs_ioc_get_encryption_policy_ex(struct file *filp, > + unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_get_policy_ex(filp, (void __user *)arg); > +} > + > +static int f2fs_ioc_add_encryption_key(struct file *filp, unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_add_key(filp, (void __user *)arg); > +} > + > +static int f2fs_ioc_remove_encryption_key(struct file *filp, unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_remove_key(filp, (const void __user *)arg); > +} > + > +static int f2fs_ioc_get_encryption_key_status(struct file *filp, > + unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_get_key_status(filp, (void __user *)arg); > +} > + > static int f2fs_ioc_gc(struct file *filp, unsigned long arg) > { > struct inode *inode = file_inode(filp); > @@ -3109,6 +3143,14 @@ long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) > return f2fs_ioc_get_encryption_policy(filp, arg); > case F2FS_IOC_GET_ENCRYPTION_PWSALT: > return f2fs_ioc_get_encryption_pwsalt(filp, arg); > + case FS_IOC_GET_ENCRYPTION_POLICY_EX: > + return f2fs_ioc_get_encryption_policy_ex(filp, arg); > + case FS_IOC_ADD_ENCRYPTION_KEY: > + return f2fs_ioc_add_encryption_key(filp, arg); > + case FS_IOC_REMOVE_ENCRYPTION_KEY: > + return f2fs_ioc_remove_encryption_key(filp, arg); > + case FS_IOC_GET_ENCRYPTION_KEY_STATUS: > + return f2fs_ioc_get_encryption_key_status(filp, arg); > case F2FS_IOC_GARBAGE_COLLECT: > return f2fs_ioc_gc(filp, arg); > case F2FS_IOC_GARBAGE_COLLECT_RANGE: 
> @@ -3236,6 +3278,10 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > case F2FS_IOC_SET_ENCRYPTION_POLICY: > case F2FS_IOC_GET_ENCRYPTION_PWSALT: > case F2FS_IOC_GET_ENCRYPTION_POLICY: > + case FS_IOC_GET_ENCRYPTION_POLICY_EX: > + case FS_IOC_ADD_ENCRYPTION_KEY: > + case FS_IOC_REMOVE_ENCRYPTION_KEY: > + case FS_IOC_GET_ENCRYPTION_KEY_STATUS: > case F2FS_IOC_GARBAGE_COLLECT: > case F2FS_IOC_GARBAGE_COLLECT_RANGE: > case F2FS_IOC_WRITE_CHECKPOINT: > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index 6de6cda440315..f5fae8d511a20 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -913,6 +913,8 @@ static int f2fs_drop_inode(struct inode *inode) > return 0; > } > ret = generic_drop_inode(inode); > + if (!ret) > + ret = fscrypt_drop_inode(inode); > trace_f2fs_drop_inode(inode, ret); > return ret; > } > -- > 2.22.0
Hi Eric, On 2019/7/27 6:41, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Wire up the new ioctls for adding and removing fscrypt keys to/from the > filesystem, and the new ioctl for retrieving v2 encryption policies. > > FS_IOC_REMOVE_ENCRYPTION_KEY also required making f2fs_drop_inode() call > fscrypt_drop_inode(). > > For more details see Documentation/filesystems/fscrypt.rst and the > fscrypt patches that added the implementation of these ioctls. > > Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Chao Yu <yuchao0@huawei.com> BTW, do you think it needs to make xxfs_has_support_encrypt() function be a common interface defined in struct fscrypt_operations, as I see all fscrypt_ioctl_*() needs to check with it, tho such cleanup is minor... Thanks, > --- > fs/f2fs/file.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ > fs/f2fs/super.c | 2 ++ > 2 files changed, 48 insertions(+) > > diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c > index f8d46df8fa9ee..d81dda290b829 100644 > --- a/fs/f2fs/file.c > +++ b/fs/f2fs/file.c 
> @@ -2184,6 +2184,40 @@ static int f2fs_ioc_get_encryption_pwsalt(struct file *filp, unsigned long arg) > return err; > } > > +static int f2fs_ioc_get_encryption_policy_ex(struct file *filp, > + unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_get_policy_ex(filp, (void __user *)arg); > +} > + > +static int f2fs_ioc_add_encryption_key(struct file *filp, unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_add_key(filp, (void __user *)arg); > +} > + > +static int f2fs_ioc_remove_encryption_key(struct file *filp, unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_remove_key(filp, (const void __user *)arg); > +} > + > +static int f2fs_ioc_get_encryption_key_status(struct file *filp, > + unsigned long arg) > +{ > + if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp)))) > + return -EOPNOTSUPP; > + > + return fscrypt_ioctl_get_key_status(filp, (void __user *)arg); > +} > + > static int f2fs_ioc_gc(struct file *filp, unsigned long arg) > { > struct inode *inode = file_inode(filp); > @@ -3109,6 +3143,14 @@ long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) > return f2fs_ioc_get_encryption_policy(filp, arg); > case F2FS_IOC_GET_ENCRYPTION_PWSALT: > return f2fs_ioc_get_encryption_pwsalt(filp, arg); > + case FS_IOC_GET_ENCRYPTION_POLICY_EX: > + return f2fs_ioc_get_encryption_policy_ex(filp, arg); > + case FS_IOC_ADD_ENCRYPTION_KEY: > + return f2fs_ioc_add_encryption_key(filp, arg); > + case FS_IOC_REMOVE_ENCRYPTION_KEY: > + return f2fs_ioc_remove_encryption_key(filp, arg); > + case FS_IOC_GET_ENCRYPTION_KEY_STATUS: > + return f2fs_ioc_get_encryption_key_status(filp, arg); > case F2FS_IOC_GARBAGE_COLLECT: > return f2fs_ioc_gc(filp, arg); > case F2FS_IOC_GARBAGE_COLLECT_RANGE: 
> @@ -3236,6 +3278,10 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > case F2FS_IOC_SET_ENCRYPTION_POLICY: > case F2FS_IOC_GET_ENCRYPTION_PWSALT: > case F2FS_IOC_GET_ENCRYPTION_POLICY: > + case FS_IOC_GET_ENCRYPTION_POLICY_EX: > + case FS_IOC_ADD_ENCRYPTION_KEY: > + case FS_IOC_REMOVE_ENCRYPTION_KEY: > + case FS_IOC_GET_ENCRYPTION_KEY_STATUS: > case F2FS_IOC_GARBAGE_COLLECT: > case F2FS_IOC_GARBAGE_COLLECT_RANGE: > case F2FS_IOC_WRITE_CHECKPOINT: > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index 6de6cda440315..f5fae8d511a20 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -913,6 +913,8 @@ static int f2fs_drop_inode(struct inode *inode) > return 0; > } > ret = generic_drop_inode(inode); > + if (!ret) > + ret = fscrypt_drop_inode(inode); > trace_f2fs_drop_inode(inode, ret); > return ret; > } >
On Fri, Aug 02, 2019 at 04:10:15PM +0800, Chao Yu wrote: > Hi Eric, > > On 2019/7/27 6:41, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Wire up the new ioctls for adding and removing fscrypt keys to/from the > > filesystem, and the new ioctl for retrieving v2 encryption policies. > > > > FS_IOC_REMOVE_ENCRYPTION_KEY also required making f2fs_drop_inode() call > > fscrypt_drop_inode(). > > > > For more details see Documentation/filesystems/fscrypt.rst and the > > fscrypt patches that added the implementation of these ioctls. > > > > Signed-off-by: Eric Biggers <ebiggers@google.com> > > Reviewed-by: Chao Yu <yuchao0@huawei.com> > > BTW, do you think it needs to make xxfs_has_support_encrypt() function be a > common interface defined in struct fscrypt_operations, as I see all > fscrypt_ioctl_*() needs to check with it, tho such cleanup is minor... > Maybe. It would work nicely for ext4 and f2fs, but ubifs does things differently since it automatically enables the encryption feature if needed. So we'd have to make the callback optional. In any case, I think this should be separate from this patchset. - Eric
On 2019-8-3 1:31, Eric Biggers wrote: > On Fri, Aug 02, 2019 at 04:10:15PM +0800, Chao Yu wrote: >> Hi Eric, >> >> On 2019/7/27 6:41, Eric Biggers wrote: >>> From: Eric Biggers <ebiggers@google.com> >>> >>> Wire up the new ioctls for adding and removing fscrypt keys to/from the >>> filesystem, and the new ioctl for retrieving v2 encryption policies. >>> >>> FS_IOC_REMOVE_ENCRYPTION_KEY also required making f2fs_drop_inode() call >>> fscrypt_drop_inode(). >>> >>> For more details see Documentation/filesystems/fscrypt.rst and the >>> fscrypt patches that added the implementation of these ioctls. >>> >>> Signed-off-by: Eric Biggers <ebiggers@google.com> >> >> Reviewed-by: Chao Yu <yuchao0@huawei.com> >> >> BTW, do you think it needs to make xxfs_has_support_encrypt() function be a >> common interface defined in struct fscrypt_operations, as I see all >> fscrypt_ioctl_*() needs to check with it, tho such cleanup is minor... >> > > Maybe. It would work nicely for ext4 and f2fs, but ubifs does things > differently since it automatically enables the encryption feature if needed. > So we'd have to make the callback optional. Correct, ubifs can leave the callback as NULL function pointer. > > In any case, I think this should be separate from this patchset. Yup, it can be done in a separated patch if need. Thanks, > > - Eric > > > _______________________________________________ > Linux-f2fs-devel mailing list > Linux-f2fs-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel >
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index f8d46df8fa9ee..d81dda290b829 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2184,6 +2184,40 @@ static int f2fs_ioc_get_encryption_pwsalt(struct file *filp, unsigned long arg)
 return err;
 }
 
+static int f2fs_ioc_get_encryption_policy_ex(struct file *filp,
+ unsigned long arg)
+{
+ if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp))))
+ return -EOPNOTSUPP;
+
+ return fscrypt_ioctl_get_policy_ex(filp, (void __user *)arg);
+}
+
+static int f2fs_ioc_add_encryption_key(struct file *filp, unsigned long arg)
+{
+ if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp))))
+ return -EOPNOTSUPP;
+
+ return fscrypt_ioctl_add_key(filp, (void __user *)arg);
+}
+
+static int f2fs_ioc_remove_encryption_key(struct file *filp, unsigned long arg)
+{
+ if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp))))
+ return -EOPNOTSUPP;
+
+ return fscrypt_ioctl_remove_key(filp, (const void __user *)arg);
+}
+
+static int f2fs_ioc_get_encryption_key_status(struct file *filp,
+ unsigned long arg)
+{
+ if (!f2fs_sb_has_encrypt(F2FS_I_SB(file_inode(filp))))
+ return -EOPNOTSUPP;
+
+ return fscrypt_ioctl_get_key_status(filp, (void __user *)arg);
+}
+
 static int f2fs_ioc_gc(struct file *filp, unsigned long arg)
 {
 struct inode *inode = file_inode(filp);
@@ -3109,6 +3143,14 @@ long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 return f2fs_ioc_get_encryption_policy(filp, arg);
 case F2FS_IOC_GET_ENCRYPTION_PWSALT:
 return f2fs_ioc_get_encryption_pwsalt(filp, arg);
+ case FS_IOC_GET_ENCRYPTION_POLICY_EX:
+ return f2fs_ioc_get_encryption_policy_ex(filp, arg);
+ case FS_IOC_ADD_ENCRYPTION_KEY:
+ return f2fs_ioc_add_encryption_key(filp, arg);
+ case FS_IOC_REMOVE_ENCRYPTION_KEY:
+ return f2fs_ioc_remove_encryption_key(filp, arg);
+ case FS_IOC_GET_ENCRYPTION_KEY_STATUS:
+ return f2fs_ioc_get_encryption_key_status(filp, arg);
 case F2FS_IOC_GARBAGE_COLLECT:
 return f2fs_ioc_gc(filp, arg);
 case F2FS_IOC_GARBAGE_COLLECT_RANGE:
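Review bot: None of the four new wrappers says where the caller's right to add or remove a key is checked; the only test visible in `f2fs_ioc_add_encryption_key()` and `f2fs_ioc_remove_encryption_key()` is the superblock feature flag, after which the raw `arg` is cast to a `__user` pointer and handed on. Presumably the permission checks and the copy-in and validation of the user buffer live in the `fscrypt_ioctl_*()` helpers, which this patch does not show, so that should be confirmed against the fscrypt patches in the series. I would add a comment above the first wrapper, e.g. `/* Only the encrypt feature flag is checked here; permission checks and validation of the user buffer are done by the fscrypt_ioctl_*() helpers. */`, so that someone auditing the f2fs ioctl surface knows where to look.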
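Review bot: The four new case labels in `f2fs_ioctl()` use the generic `FS_IOC_*` names while the neighbouring encryption cases in the same switch use `F2FS_IOC_*` names (for example `F2FS_IOC_GET_ENCRYPTION_PWSALT`), so a search for the `F2FS_IOC_` prefix no longer finds every encryption ioctl that f2fs accepts. The same mix appears in the `f2fs_compat_ioctl()` hunk. If the generic names are intended, a one-line comment above the first new case, such as `/* newer fscrypt ioctls are dispatched by their generic FS_IOC_* names */`, would record that. The switch begins and ends outside the hunk.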
@@ -3236,6 +3278,10 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 case F2FS_IOC_SET_ENCRYPTION_POLICY:
 case F2FS_IOC_GET_ENCRYPTION_PWSALT:
 case F2FS_IOC_GET_ENCRYPTION_POLICY:
+ case FS_IOC_GET_ENCRYPTION_POLICY_EX:
+ case FS_IOC_ADD_ENCRYPTION_KEY:
+ case FS_IOC_REMOVE_ENCRYPTION_KEY:
+ case FS_IOC_GET_ENCRYPTION_KEY_STATUS:
 case F2FS_IOC_GARBAGE_COLLECT:
 case F2FS_IOC_GARBAGE_COLLECT_RANGE:
 case F2FS_IOC_WRITE_CHECKPOINT:
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 6de6cda440315..f5fae8d511a20 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -913,6 +913,8 @@ static int f2fs_drop_inode(struct inode *inode)
 return 0;
 }
 ret = generic_drop_inode(inode);
+ if (!ret)
+ ret = fscrypt_drop_inode(inode);
 trace_f2fs_drop_inode(inode, ret);
 return ret;
 }
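Review bot: The four commands are added to the compat pass-through list in `f2fs_compat_ioctl()` with nothing said about whether their argument structures have the same layout for 32-bit and 64-bit callers; each appears to take a pointer to a structure, judging by the `(void __user *)arg` casts in the new wrappers. What the shared case body does with `arg` is outside the hunk, so confirm that it converts the pointer for compat callers and that none of the structures contains a member whose size or alignment differs between the two ABIs. Once verified, a short comment such as `/* fscrypt argument structs have the same layout for 32-bit and 64-bit userspace */` would document the assumption.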
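Review bot: The added call in `f2fs_drop_inode()` has no comment explaining why the function now consults fscrypt, and the `return 0;` visible at the top of the hunk leaves the function before the new check is reached. The commit message ties the change to FS_IOC_REMOVE_ENCRYPTION_KEY, presumably so that inodes whose key has been removed are evicted rather than kept cached; if so, confirm that the early-return path, whose condition is outside the hunk, cannot keep such an inode alive. I would add `/* also drop inodes whose encryption key has been removed */` above `if (!ret)`.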