diff mbox series

[v7,2/7] fs: crypto: invoke crypto API for ESSIV handling

Message ID 20190702164815.6341-3-ard.biesheuvel@linaro.org
State Superseded
Headers show
Series crypto: switch to crypto API for ESSIV generation | expand

Commit Message

Ard Biesheuvel July 2, 2019, 4:48 p.m. UTC
Instead of open coding the calculations for ESSIV handling, use a
ESSIV skcipher which does all of this under the hood.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 fs/crypto/Kconfig           |  1 +
 fs/crypto/crypto.c          |  5 --
 fs/crypto/fscrypt_private.h |  9 --
 fs/crypto/keyinfo.c         | 95 +-------------------
 4 files changed, 5 insertions(+), 105 deletions(-)

Comments

Eric Biggers July 2, 2019, 9:55 p.m. UTC | #1
Hi Ard,

On Tue, Jul 02, 2019 at 06:48:10PM +0200, Ard Biesheuvel wrote:
> Instead of open coding the calculations for ESSIV handling, use a
> ESSIV skcipher which does all of this under the hood.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  fs/crypto/Kconfig           |  1 +
>  fs/crypto/crypto.c          |  5 --
>  fs/crypto/fscrypt_private.h |  9 --
>  fs/crypto/keyinfo.c         | 95 +-------------------
>  4 files changed, 5 insertions(+), 105 deletions(-)
> 
> diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
> index 24ed99e2eca0..b0292da8613c 100644
> --- a/fs/crypto/Kconfig
> +++ b/fs/crypto/Kconfig
> @@ -5,6 +5,7 @@ config FS_ENCRYPTION
>  	select CRYPTO_AES
>  	select CRYPTO_CBC
>  	select CRYPTO_ECB
> +	select CRYPTO_ESSIV
>  	select CRYPTO_XTS
>  	select CRYPTO_CTS
>  	select CRYPTO_SHA256
> diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
> index 335a362ee446..c53ce262a06c 100644
> --- a/fs/crypto/crypto.c
> +++ b/fs/crypto/crypto.c
> @@ -136,9 +136,6 @@ void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
>  
>  	if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY)
>  		memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);
> -
> -	if (ci->ci_essiv_tfm != NULL)
> -		crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw);
>  }
>  
>  int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
> @@ -492,8 +489,6 @@ static void __exit fscrypt_exit(void)
>  		destroy_workqueue(fscrypt_read_workqueue);
>  	kmem_cache_destroy(fscrypt_ctx_cachep);
>  	kmem_cache_destroy(fscrypt_info_cachep);
> -
> -	fscrypt_essiv_cleanup();
>  }
>  module_exit(fscrypt_exit);
>  
> diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
> index 7da276159593..59d0cba9cfb9 100644
> --- a/fs/crypto/fscrypt_private.h
> +++ b/fs/crypto/fscrypt_private.h
> @@ -61,12 +61,6 @@ struct fscrypt_info {
>  	/* The actual crypto transform used for encryption and decryption */
>  	struct crypto_skcipher *ci_ctfm;
>  
> -	/*
> -	 * Cipher for ESSIV IV generation.  Only set for CBC contents
> -	 * encryption, otherwise is NULL.
> -	 */
> -	struct crypto_cipher *ci_essiv_tfm;
> -
>  	/*
>  	 * Encryption mode used for this inode.  It corresponds to either
>  	 * ci_data_mode or ci_filename_mode, depending on the inode type.
> @@ -166,9 +160,6 @@ struct fscrypt_mode {
>  	int keysize;
>  	int ivsize;
>  	bool logged_impl_name;
> -	bool needs_essiv;
>  };
>  
> -extern void __exit fscrypt_essiv_cleanup(void);
> -
>  #endif /* _FSCRYPT_PRIVATE_H */
> diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
> index dcd91a3fbe49..f39667d4316a 100644
> --- a/fs/crypto/keyinfo.c
> +++ b/fs/crypto/keyinfo.c
> @@ -13,14 +13,10 @@
>  #include <linux/hashtable.h>
>  #include <linux/scatterlist.h>
>  #include <linux/ratelimit.h>
> -#include <crypto/aes.h>
>  #include <crypto/algapi.h>
> -#include <crypto/sha.h>
>  #include <crypto/skcipher.h>
>  #include "fscrypt_private.h"
>  
> -static struct crypto_shash *essiv_hash_tfm;
> -
>  /* Table of keys referenced by FS_POLICY_FLAG_DIRECT_KEY policies */
>  static DEFINE_HASHTABLE(fscrypt_master_keys, 6); /* 6 bits = 64 buckets */
>  static DEFINE_SPINLOCK(fscrypt_master_keys_lock);
> @@ -144,10 +140,9 @@ static struct fscrypt_mode available_modes[] = {
>  	},
>  	[FS_ENCRYPTION_MODE_AES_128_CBC] = {
>  		.friendly_name = "AES-128-CBC",
> -		.cipher_str = "cbc(aes)",
> +		.cipher_str = "essiv(cbc(aes),aes,sha256)",
>  		.keysize = 16,
> -		.ivsize = 16,
> -		.needs_essiv = true,
> +		.ivsize = 8,

As I said before, this needs to be kept as .ivsize = 16.

This bug actually causes the generic/549 test to fail.

Otherwise this patch looks good.  FYI: to avoid conflicts with planned fscrypt
work I'd prefer to take this patch through the fscrypt.git tree after the ESSIV
template is merged, rather than have Herbert take it through cryptodev.  (Unless
he's going to apply this whole series for v5.3, in which case I'm fine with him
taking the fscrypt patch too, though it seems too late for that.)

Thanks!

- Eric
Ard Biesheuvel July 2, 2019, 10:06 p.m. UTC | #2
On Tue, 2 Jul 2019 at 23:55, Eric Biggers <ebiggers@kernel.org> wrote:
>
> Hi Ard,
>
> On Tue, Jul 02, 2019 at 06:48:10PM +0200, Ard Biesheuvel wrote:
> > Instead of open coding the calculations for ESSIV handling, use a
> > ESSIV skcipher which does all of this under the hood.
> >
> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > ---
> >  fs/crypto/Kconfig           |  1 +
> >  fs/crypto/crypto.c          |  5 --
> >  fs/crypto/fscrypt_private.h |  9 --
> >  fs/crypto/keyinfo.c         | 95 +-------------------
> >  4 files changed, 5 insertions(+), 105 deletions(-)
> >
> > diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
> > index 24ed99e2eca0..b0292da8613c 100644
> > --- a/fs/crypto/Kconfig
> > +++ b/fs/crypto/Kconfig
> > @@ -5,6 +5,7 @@ config FS_ENCRYPTION
> >       select CRYPTO_AES
> >       select CRYPTO_CBC
> >       select CRYPTO_ECB
> > +     select CRYPTO_ESSIV
> >       select CRYPTO_XTS
> >       select CRYPTO_CTS
> >       select CRYPTO_SHA256
> > diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
> > index 335a362ee446..c53ce262a06c 100644
> > --- a/fs/crypto/crypto.c
> > +++ b/fs/crypto/crypto.c
> > @@ -136,9 +136,6 @@ void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
> >
> >       if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY)
> >               memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);
> > -
> > -     if (ci->ci_essiv_tfm != NULL)
> > -             crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw);
> >  }
> >
> >  int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
> > @@ -492,8 +489,6 @@ static void __exit fscrypt_exit(void)
> >               destroy_workqueue(fscrypt_read_workqueue);
> >       kmem_cache_destroy(fscrypt_ctx_cachep);
> >       kmem_cache_destroy(fscrypt_info_cachep);
> > -
> > -     fscrypt_essiv_cleanup();
> >  }
> >  module_exit(fscrypt_exit);
> >
> > diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
> > index 7da276159593..59d0cba9cfb9 100644
> > --- a/fs/crypto/fscrypt_private.h
> > +++ b/fs/crypto/fscrypt_private.h
> > @@ -61,12 +61,6 @@ struct fscrypt_info {
> >       /* The actual crypto transform used for encryption and decryption */
> >       struct crypto_skcipher *ci_ctfm;
> >
> > -     /*
> > -      * Cipher for ESSIV IV generation.  Only set for CBC contents
> > -      * encryption, otherwise is NULL.
> > -      */
> > -     struct crypto_cipher *ci_essiv_tfm;
> > -
> >       /*
> >        * Encryption mode used for this inode.  It corresponds to either
> >        * ci_data_mode or ci_filename_mode, depending on the inode type.
> > @@ -166,9 +160,6 @@ struct fscrypt_mode {
> >       int keysize;
> >       int ivsize;
> >       bool logged_impl_name;
> > -     bool needs_essiv;
> >  };
> >
> > -extern void __exit fscrypt_essiv_cleanup(void);
> > -
> >  #endif /* _FSCRYPT_PRIVATE_H */
> > diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
> > index dcd91a3fbe49..f39667d4316a 100644
> > --- a/fs/crypto/keyinfo.c
> > +++ b/fs/crypto/keyinfo.c
> > @@ -13,14 +13,10 @@
> >  #include <linux/hashtable.h>
> >  #include <linux/scatterlist.h>
> >  #include <linux/ratelimit.h>
> > -#include <crypto/aes.h>
> >  #include <crypto/algapi.h>
> > -#include <crypto/sha.h>
> >  #include <crypto/skcipher.h>
> >  #include "fscrypt_private.h"
> >
> > -static struct crypto_shash *essiv_hash_tfm;
> > -
> >  /* Table of keys referenced by FS_POLICY_FLAG_DIRECT_KEY policies */
> >  static DEFINE_HASHTABLE(fscrypt_master_keys, 6); /* 6 bits = 64 buckets */
> >  static DEFINE_SPINLOCK(fscrypt_master_keys_lock);
> > @@ -144,10 +140,9 @@ static struct fscrypt_mode available_modes[] = {
> >       },
> >       [FS_ENCRYPTION_MODE_AES_128_CBC] = {
> >               .friendly_name = "AES-128-CBC",
> > -             .cipher_str = "cbc(aes)",
> > +             .cipher_str = "essiv(cbc(aes),aes,sha256)",
> >               .keysize = 16,
> > -             .ivsize = 16,
> > -             .needs_essiv = true,
> > +             .ivsize = 8,
>
> As I said before, this needs to be kept as .ivsize = 16.
>
> This bug actually causes the generic/549 test to fail.
>

Ugh, yes, I intended to fix that. Apologies for the sloppiness, I have
been trying to wrap this up in time for my holidays, but the end
result is quite the opposite :-)

> Otherwise this patch looks good.  FYI: to avoid conflicts with planned fscrypt
> work I'd prefer to take this patch through the fscrypt.git tree after the ESSIV
> template is merged, rather than have Herbert take it through cryptodev.  (Unless
> he's going to apply this whole series for v5.3, in which case I'm fine with him
> taking the fscrypt patch too, though it seems too late for that.)
>

I agree that the fscrypt and dm-crypt changes should not be merged for v5.3

I know that Herbert typically prefers not to take any new code without
any of its users, but perhaps we can make an exception in this case,
and merge patches #1, #5, #6 and #7 now (which is mostly risk free
since no code uses essiv yet, and patch #5 is a straight-forward
refactor) and take the fscrypt and dm-crypt patches through their
respective trees for the next cycle.
Ard Biesheuvel July 3, 2019, 6:23 p.m. UTC | #3
On Wed, 3 Jul 2019 at 00:06, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> On Tue, 2 Jul 2019 at 23:55, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > Hi Ard,
> >
> > On Tue, Jul 02, 2019 at 06:48:10PM +0200, Ard Biesheuvel wrote:
> > > Instead of open coding the calculations for ESSIV handling, use a
> > > ESSIV skcipher which does all of this under the hood.
> > >
> > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > > ---
> > >  fs/crypto/Kconfig           |  1 +
> > >  fs/crypto/crypto.c          |  5 --
> > >  fs/crypto/fscrypt_private.h |  9 --
> > >  fs/crypto/keyinfo.c         | 95 +-------------------
> > >  4 files changed, 5 insertions(+), 105 deletions(-)
> > >
> > > diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
> > > index 24ed99e2eca0..b0292da8613c 100644
> > > --- a/fs/crypto/Kconfig
> > > +++ b/fs/crypto/Kconfig
> > > @@ -5,6 +5,7 @@ config FS_ENCRYPTION
> > >       select CRYPTO_AES
> > >       select CRYPTO_CBC
> > >       select CRYPTO_ECB
> > > +     select CRYPTO_ESSIV
> > >       select CRYPTO_XTS
> > >       select CRYPTO_CTS
> > >       select CRYPTO_SHA256
> > > diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
> > > index 335a362ee446..c53ce262a06c 100644
> > > --- a/fs/crypto/crypto.c
> > > +++ b/fs/crypto/crypto.c
> > > @@ -136,9 +136,6 @@ void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
> > >
> > >       if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY)
> > >               memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);
> > > -
> > > -     if (ci->ci_essiv_tfm != NULL)
> > > -             crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw);
> > >  }
> > >
> > >  int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
> > > @@ -492,8 +489,6 @@ static void __exit fscrypt_exit(void)
> > >               destroy_workqueue(fscrypt_read_workqueue);
> > >       kmem_cache_destroy(fscrypt_ctx_cachep);
> > >       kmem_cache_destroy(fscrypt_info_cachep);
> > > -
> > > -     fscrypt_essiv_cleanup();
> > >  }
> > >  module_exit(fscrypt_exit);
> > >
> > > diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
> > > index 7da276159593..59d0cba9cfb9 100644
> > > --- a/fs/crypto/fscrypt_private.h
> > > +++ b/fs/crypto/fscrypt_private.h
> > > @@ -61,12 +61,6 @@ struct fscrypt_info {
> > >       /* The actual crypto transform used for encryption and decryption */
> > >       struct crypto_skcipher *ci_ctfm;
> > >
> > > -     /*
> > > -      * Cipher for ESSIV IV generation.  Only set for CBC contents
> > > -      * encryption, otherwise is NULL.
> > > -      */
> > > -     struct crypto_cipher *ci_essiv_tfm;
> > > -
> > >       /*
> > >        * Encryption mode used for this inode.  It corresponds to either
> > >        * ci_data_mode or ci_filename_mode, depending on the inode type.
> > > @@ -166,9 +160,6 @@ struct fscrypt_mode {
> > >       int keysize;
> > >       int ivsize;
> > >       bool logged_impl_name;
> > > -     bool needs_essiv;
> > >  };
> > >
> > > -extern void __exit fscrypt_essiv_cleanup(void);
> > > -
> > >  #endif /* _FSCRYPT_PRIVATE_H */
> > > diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
> > > index dcd91a3fbe49..f39667d4316a 100644
> > > --- a/fs/crypto/keyinfo.c
> > > +++ b/fs/crypto/keyinfo.c
> > > @@ -13,14 +13,10 @@
> > >  #include <linux/hashtable.h>
> > >  #include <linux/scatterlist.h>
> > >  #include <linux/ratelimit.h>
> > > -#include <crypto/aes.h>
> > >  #include <crypto/algapi.h>
> > > -#include <crypto/sha.h>
> > >  #include <crypto/skcipher.h>
> > >  #include "fscrypt_private.h"
> > >
> > > -static struct crypto_shash *essiv_hash_tfm;
> > > -
> > >  /* Table of keys referenced by FS_POLICY_FLAG_DIRECT_KEY policies */
> > >  static DEFINE_HASHTABLE(fscrypt_master_keys, 6); /* 6 bits = 64 buckets */
> > >  static DEFINE_SPINLOCK(fscrypt_master_keys_lock);
> > > @@ -144,10 +140,9 @@ static struct fscrypt_mode available_modes[] = {
> > >       },
> > >       [FS_ENCRYPTION_MODE_AES_128_CBC] = {
> > >               .friendly_name = "AES-128-CBC",
> > > -             .cipher_str = "cbc(aes)",
> > > +             .cipher_str = "essiv(cbc(aes),aes,sha256)",
> > >               .keysize = 16,
> > > -             .ivsize = 16,
> > > -             .needs_essiv = true,
> > > +             .ivsize = 8,
> >
> > As I said before, this needs to be kept as .ivsize = 16.
> >
> > This bug actually causes the generic/549 test to fail.
> >
>
> Ugh, yes, I intended to fix that. Apologies for the sloppiness, I have
> been trying to wrap this up in time for my holidays, but the end
> result is quite the opposite :-)
>
> > Otherwise this patch looks good.  FYI: to avoid conflicts with planned fscrypt
> > work I'd prefer to take this patch through the fscrypt.git tree after the ESSIV
> > template is merged, rather than have Herbert take it through cryptodev.  (Unless
> > he's going to apply this whole series for v5.3, in which case I'm fine with him
> > taking the fscrypt patch too, though it seems too late for that.)
> >
>
> I agree that the fscrypt and dm-crypt changes should not be merged for v5.3
>
> I know that Herbert typically prefers not to take any new code without
> any of its users, but perhaps we can make an exception in this case,
> and merge patches #1, #5, #6 and #7 now (which is mostly risk free
> since no code uses essiv yet, and patch #5 is a straight-forward
> refactor) and take the fscrypt and dm-crypt patches through their
> respective trees for the next cycle.

Actually, #7 no longer applies cleanly to cryptodev, so I am going to
respin in any case, and finally fix the ivsize change.
diff mbox series

Patch

diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
index 24ed99e2eca0..b0292da8613c 100644
--- a/fs/crypto/Kconfig
+++ b/fs/crypto/Kconfig
@@ -5,6 +5,7 @@  config FS_ENCRYPTION
 	select CRYPTO_AES
 	select CRYPTO_CBC
 	select CRYPTO_ECB
+	select CRYPTO_ESSIV
 	select CRYPTO_XTS
 	select CRYPTO_CTS
 	select CRYPTO_SHA256
diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 335a362ee446..c53ce262a06c 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -136,9 +136,6 @@  void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
 
 	if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY)
 		memcpy(iv->nonce, ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE);
-
-	if (ci->ci_essiv_tfm != NULL)
-		crypto_cipher_encrypt_one(ci->ci_essiv_tfm, iv->raw, iv->raw);
 }
 
 int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
@@ -492,8 +489,6 @@  static void __exit fscrypt_exit(void)
 		destroy_workqueue(fscrypt_read_workqueue);
 	kmem_cache_destroy(fscrypt_ctx_cachep);
 	kmem_cache_destroy(fscrypt_info_cachep);
-
-	fscrypt_essiv_cleanup();
 }
 module_exit(fscrypt_exit);
 
diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
index 7da276159593..59d0cba9cfb9 100644
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -61,12 +61,6 @@  struct fscrypt_info {
 	/* The actual crypto transform used for encryption and decryption */
 	struct crypto_skcipher *ci_ctfm;
 
-	/*
-	 * Cipher for ESSIV IV generation.  Only set for CBC contents
-	 * encryption, otherwise is NULL.
-	 */
-	struct crypto_cipher *ci_essiv_tfm;
-
 	/*
 	 * Encryption mode used for this inode.  It corresponds to either
 	 * ci_data_mode or ci_filename_mode, depending on the inode type.
@@ -166,9 +160,6 @@  struct fscrypt_mode {
 	int keysize;
 	int ivsize;
 	bool logged_impl_name;
-	bool needs_essiv;
 };
 
-extern void __exit fscrypt_essiv_cleanup(void);
-
 #endif /* _FSCRYPT_PRIVATE_H */
diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index dcd91a3fbe49..f39667d4316a 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -13,14 +13,10 @@ 
 #include <linux/hashtable.h>
 #include <linux/scatterlist.h>
 #include <linux/ratelimit.h>
-#include <crypto/aes.h>
 #include <crypto/algapi.h>
-#include <crypto/sha.h>
 #include <crypto/skcipher.h>
 #include "fscrypt_private.h"
 
-static struct crypto_shash *essiv_hash_tfm;
-
 /* Table of keys referenced by FS_POLICY_FLAG_DIRECT_KEY policies */
 static DEFINE_HASHTABLE(fscrypt_master_keys, 6); /* 6 bits = 64 buckets */
 static DEFINE_SPINLOCK(fscrypt_master_keys_lock);
@@ -144,10 +140,9 @@  static struct fscrypt_mode available_modes[] = {
 	},
 	[FS_ENCRYPTION_MODE_AES_128_CBC] = {
 		.friendly_name = "AES-128-CBC",
-		.cipher_str = "cbc(aes)",
+		.cipher_str = "essiv(cbc(aes),aes,sha256)",
 		.keysize = 16,
-		.ivsize = 16,
-		.needs_essiv = true,
+		.ivsize = 8,
 	},
 	[FS_ENCRYPTION_MODE_AES_128_CTS] = {
 		.friendly_name = "AES-128-CTS-CBC",
@@ -377,72 +372,6 @@  fscrypt_get_master_key(const struct fscrypt_info *ci, struct fscrypt_mode *mode,
 	return ERR_PTR(err);
 }
 
-static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt)
-{
-	struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm);
-
-	/* init hash transform on demand */
-	if (unlikely(!tfm)) {
-		struct crypto_shash *prev_tfm;
-
-		tfm = crypto_alloc_shash("sha256", 0, 0);
-		if (IS_ERR(tfm)) {
-			fscrypt_warn(NULL,
-				     "error allocating SHA-256 transform: %ld",
-				     PTR_ERR(tfm));
-			return PTR_ERR(tfm);
-		}
-		prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
-		if (prev_tfm) {
-			crypto_free_shash(tfm);
-			tfm = prev_tfm;
-		}
-	}
-
-	{
-		SHASH_DESC_ON_STACK(desc, tfm);
-		desc->tfm = tfm;
-
-		return crypto_shash_digest(desc, key, keysize, salt);
-	}
-}
-
-static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key,
-				int keysize)
-{
-	int err;
-	struct crypto_cipher *essiv_tfm;
-	u8 salt[SHA256_DIGEST_SIZE];
-
-	essiv_tfm = crypto_alloc_cipher("aes", 0, 0);
-	if (IS_ERR(essiv_tfm))
-		return PTR_ERR(essiv_tfm);
-
-	ci->ci_essiv_tfm = essiv_tfm;
-
-	err = derive_essiv_salt(raw_key, keysize, salt);
-	if (err)
-		goto out;
-
-	/*
-	 * Using SHA256 to derive the salt/key will result in AES-256 being
-	 * used for IV generation. File contents encryption will still use the
-	 * configured keysize (AES-128) nevertheless.
-	 */
-	err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt));
-	if (err)
-		goto out;
-
-out:
-	memzero_explicit(salt, sizeof(salt));
-	return err;
-}
-
-void __exit fscrypt_essiv_cleanup(void)
-{
-	crypto_free_shash(essiv_hash_tfm);
-}
-
 /*
  * Given the encryption mode and key (normally the derived key, but for
  * FS_POLICY_FLAG_DIRECT_KEY mode it's the master key), set up the inode's
@@ -454,7 +383,6 @@  static int setup_crypto_transform(struct fscrypt_info *ci,
 {
 	struct fscrypt_master_key *mk;
 	struct crypto_skcipher *ctfm;
-	int err;
 
 	if (ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY) {
 		mk = fscrypt_get_master_key(ci, mode, raw_key, inode);
@@ -470,19 +398,6 @@  static int setup_crypto_transform(struct fscrypt_info *ci,
 	ci->ci_master_key = mk;
 	ci->ci_ctfm = ctfm;
 
-	if (mode->needs_essiv) {
-		/* ESSIV implies 16-byte IVs which implies !DIRECT_KEY */
-		WARN_ON(mode->ivsize != AES_BLOCK_SIZE);
-		WARN_ON(ci->ci_flags & FS_POLICY_FLAG_DIRECT_KEY);
-
-		err = init_essiv_generator(ci, raw_key, mode->keysize);
-		if (err) {
-			fscrypt_warn(inode->i_sb,
-				     "error initializing ESSIV generator for inode %lu: %d",
-				     inode->i_ino, err);
-			return err;
-		}
-	}
 	return 0;
 }
 
@@ -491,12 +406,10 @@  static void put_crypt_info(struct fscrypt_info *ci)
 	if (!ci)
 		return;
 
-	if (ci->ci_master_key) {
+	if (ci->ci_master_key)
 		put_master_key(ci->ci_master_key);
-	} else {
+	else
 		crypto_free_skcipher(ci->ci_ctfm);
-		crypto_free_cipher(ci->ci_essiv_tfm);
-	}
 	kmem_cache_free(fscrypt_info_cachep, ci);
 }