fscrypt currently only supports AES encryption. However, many low-end
mobile devices have older CPUs that don't have AES instructions, e.g.
the ARMv8 Cryptography Extensions. Currently, user data on such devices
is not encrypted at rest because AES is too slow, even when the NEON
bit-sliced implementation of AES is used. Unfortunately, it is
infeasible to encrypt these devices at all when AES is the only option.
Therefore, this patch updates fscrypt to support the Speck block cipher,
which was recently added to the crypto API. The C implementation of
Speck is not especially fast, but Speck can be implemented very
efficiently with general-purpose vector instructions, e.g. ARM NEON.
For example, on an ARMv7 processor, we measured the NEON-accelerated
Speck128/256-XTS at 69 MB/s for both encryption and decryption, while
AES-256-XTS with the NEON bit-sliced implementation was only 22 MB/s
encryption and 19 MB/s decryption.
There are multiple variants of Speck. This patch only adds support for
Speck128/256, which is the variant with a 128-bit block size and 256-bit
key size -- the same as AES-256. This is believed to be the most secure
variant of Speck, and it's only about 6% slower than Speck128/128.
Speck64/128 would be at least 20% faster because it has 20% rounds, and
it can be even faster on CPUs that can't efficiently do the 64-bit
operations needed for Speck128. However, Speck64's 64-bit block size is
not preferred security-wise. ARM NEON also supports the needed 64-bit
operations even on 32-bit CPUs, resulting in Speck128 being fast enough
for our targeted use cases so far.
The chosen modes of operation are XTS for contents and CTS-CBC for
filenames. These are the same modes of operation that fscrypt defaults
to for AES. Note that as with the other fscrypt modes, Speck will not
be used unless userspace chooses to use it. Nor are any of the existing
modes (which are all AES-based) being removed, of course.
We intentionally don't make CONFIG_FS_ENCRYPTION select
CONFIG_CRYPTO_SPECK, so people will have to enable Speck support
themselves if they need it. This is because we shouldn't bloat the
FS_ENCRYPTION dependencies with every new cipher, especially ones that
aren't recommended for most users. Moreover, CRYPTO_SPECK is just the
generic implementation, which won't be fast enough for many users; in
practice, they'll need to enable CRYPTO_SPECK_NEON to get acceptable
performance.
More details about our choice of Speck can be found in our patches that
added Speck to the crypto API, and the follow-on discussion threads.
We're planning a publication that explains the choice in more detail.
But briefly, we can't use ChaCha20 as we previously proposed, since it
would be insecure to use a stream cipher in this context, with potential
IV reuse during writes on f2fs and/or on wear-leveling flash storage.
We also evaluated many other lightweight and/or ARX-based block ciphers
such as Chaskey-LTS, RC5, LEA, CHAM, Threefish, RC6, NOEKEON, SPARX, and
XTEA. However, all had disadvantages vs. Speck, such as insufficient
performance with NEON, much less published cryptanalysis, or an
insufficient security level. Various design choices in Speck make it
perform better with NEON than competing ciphers while still having a
security margin similar to AES, and in the case of Speck128 also the
same available security levels. Unfortunately, Speck does have some
political baggage attached -- it's an NSA designed cipher, and was
rejected from an ISO standard (though for context, as far as I know none
of the above-mentioned alternatives are ISO standards either).
Nevertheless, we believe it is a good solution to the problem from a
technical perspective.
Certain algorithms constructed from ChaCha or the ChaCha permutation,
such as MEM (Masked Even-Mansour) or HPolyC, may also meet our
performance requirements. However, these are new constructions that
need more time to receive the cryptographic review and acceptance needed
to be confident in their security. HPolyC hasn't been published yet,
and we are concerned that MEM makes stronger assumptions about the
underlying permutation than the ChaCha stream cipher does. In contrast,
the XTS mode of operation is relatively well accepted, and Speck has
over 70 cryptanalysis papers. Of course, these ChaCha-based algorithms
can still be added later if they become ready.
The best known attack on Speck128/256 is a differential cryptanalysis
attack on 25 of 34 rounds with 2^253 time complexity and 2^125 chosen
plaintexts, i.e. only marginally faster than brute force. There is no
known attack on the full 34 rounds.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry-picked from commit 12d28f79558f2e987c5f3817f89e1ccc0f11a7b5
https://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt.git master)
(dropped Documentation/filesystems/fscrypt.rst change)
(fixed merge conflict in fs/crypto/keyinfo.c)
(also ported change to fs/ext4/, which isn't using fs/crypto/ in this
kernel version)
Change-Id: I62c632044dfd06a2c5b74c2fb058f9c3b8af0add
Signed-off-by: Eric Biggers <ebiggers@google.com>
Cherry-pick from origin/upstream-f2fs-stable-linux-4.4.y:
13890bed20 ("fscrypt: allow synchronous bio decryption")
Currently, fscrypt provides fscrypt_decrypt_bio_pages() which decrypts a
bio's pages asynchronously, then unlocks them afterwards. But, this
assumes that decryption is the last "postprocessing step" for the bio,
so it's incompatible with additional postprocessing steps such as
authenticity verification after decryption.
Therefore, rename the existing fscrypt_decrypt_bio_pages() to
fscrypt_enqueue_decrypt_bio(). Then, add fscrypt_decrypt_bio() which
decrypts the pages in the bio synchronously without unlocking the pages,
nor setting them Uptodate; and add fscrypt_enqueue_decrypt_work(), which
enqueues work on the fscrypt_read_workqueue. The new functions will be
used by filesystems that support both fscrypt and fs-verity.
Change-Id: I99f1c7bfb79381f6e4abf2b1f418776b19bd8e08
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Pull f2fs update from Jaegeuk Kim:
"In this round, we've mainly focused on performance tuning and critical
bug fixes occurred in low-end devices. Sheng Yong introduced
lost_found feature to keep missing files during recovery instead of
thrashing them. We're preparing coming fsverity implementation. And,
we've got more features to communicate with users for better
performance. In low-end devices, some memory-related issues were
fixed, and subtle race condtions and corner cases were addressed as
well.
Enhancements:
- large nat bitmaps for more free node ids
- add three block allocation policies to pass down write hints given by user
- expose extension list to user and introduce hot file extension
- tune small devices seamlessly for low-end devices
- set readdir_ra by default
- give more resources under gc_urgent mode regarding to discard and cleaning
- introduce fsync_mode to enforce posix or not
- nowait aio support
- add lost_found feature to keep dangling inodes
- reserve bits for future fsverity feature
- add test_dummy_encryption for FBE
Bug fixes:
- don't use highmem for dentry pages
- align memory boundary for bitops
- truncate preallocated blocks in write errors
- guarantee i_times on fsync call
- clear CP_TRIMMED_FLAG correctly
- prevent node chain loop during recovery
- avoid data race between atomic write and background cleaning
- avoid unnecessary selinux violation warnings on resgid option
- GFP_NOFS to avoid deadlock in quota and read paths
- fix f2fs_skip_inode_update to allow i_size recovery
In addition to the above, there are several minor bug fixes and clean-ups"
Cherry-pick from origin/upstream-f2fs-stable-linux-4.4.y:
42bf67fc54 f2fs: remain written times to update inode during fsync
6cb5aa02bf f2fs: make assignment of t->dentry_bitmap more readable
a8d07f1f9c f2fs: truncate preallocated blocks in error case
86444d6006 f2fs: fix a wrong condition in f2fs_skip_inode_update
db2188a687 f2fs: reserve bits for fs-verity
ee2e74b3f0 f2fs: Add a segment type check in inplace write
0192e0a450 f2fs: no need to initialize zero value for GFP_F2FS_ZERO
49338842e9 f2fs: don't track new nat entry in nat set
d6a69d5e65 f2fs: clean up with F2FS_BLK_ALIGN
2c8834a7a2 f2fs: check blkaddr more accuratly before issue a bio
6ab573a9d9 f2fs: Set GF_NOFS in read_cache_page_gfp while doing f2fs_quota_read
7419dcb8be f2fs: introduce a new mount option test_dummy_encryption
9321e22c03 f2fs: introduce F2FS_FEATURE_LOST_FOUND feature
8a57196158 f2fs: release locks before return in f2fs_ioc_gc_range()
739ace131c f2fs: align memory boundary for bitops
4c55abe4f8 f2fs: remove unneeded set_cold_node()
30654507e0 f2fs: add nowait aio support
d909e94106 f2fs: wrap all options with f2fs_sb_info.mount_opt
5738be52b3 f2fs: Don't overwrite all types of node to keep node chain
0bdeb167c8 f2fs: introduce mount option for fsync mode
6bc490f0ee f2fs: fix to restore old mount option in ->remount_fs
0c9c3e0344 f2fs: wrap sb_rdonly with f2fs_readonly
6c6611223a f2fs: avoid selinux denial on CAP_SYS_RESOURCE
076a6f32fe f2fs: support hot file extension
58edcdbca6 f2fs: fix to avoid race in between atomic write and background GC
1e0aeb0af9 f2fs: do gc in greedy mode for whole range if gc_urgent mode is set
10b2d001d6 f2fs: issue discard aggressively in the gc_urgent mode
a5052f32b9 f2fs: set readdir_ra by default
1aa536a624 f2fs: add auto tuning for small devices
0ffdffc8f1 f2fs: add mount option for segment allocation policy
b798298912 f2fs: don't stop GC if GC is contended
766d232169 f2fs: expose extension_list sysfs entry
98b329de50 f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range
4d409fa334 f2fs: introduce sb_lock to make encrypt pwsalt update exclusive
1f6bac14c1 f2fs: remove redundant initialization of pointer 'p'
946aefc754 f2fs: flush cp pack except cp pack 2 page at first
e5081a52ac f2fs: clean up f2fs_sb_has_xxx functions
a292477154 f2fs: remove redundant check of page type when submit bio
190e64a819 f2fs: fix to handle looped node chain during recovery
889d980876 f2fs: handle quota for orphan inodes
92b12bb1a2 f2fs: support passing down write hints to block layer with F2FS policy
22fa74c2b0 f2fs: support passing down write hints given by users to block layer
180900373e f2fs: fix to clear CP_TRIMMED_FLAG
0671fae134 f2fs: support large nat bitmap
eceb943d5d f2fs: fix to check extent cache in f2fs_drop_extent_tree
2e2a339c98 f2fs: restrict inline_xattr_size configuration
41dda11641 f2fs: fix heap mode to reset it back
39575737bb f2fs: fix potential corruption in area before F2FS_SUPER_OFFSET
7e0e7995ee fscrypt: fix build with pre-4.6 gcc versions
31d3279a4f fscrypt: fix up fscrypt_fname_encrypted_size() for internal use
82bec88856 fscrypt: define fscrypt_fname_alloc_buffer() to be for presented names
168a907828 fscrypt: calculate NUL-padding length in one place only
042ae9f4cf fscrypt: move fscrypt_symlink_data to fscrypt_private.h
f9550c24c2 fscrypt: remove fscrypt_fname_usr_to_disk()
7ac4756a24 f2fs: switch to fscrypt_get_symlink()
6b76f58e24 f2fs: switch to fscrypt ->symlink() helper functions
fd457d2c4e fscrypt: new helper function - fscrypt_get_symlink()
a1cdacb7ae fscrypt: new helper functions for ->symlink()
7f43602f4d fscrypt: trim down fscrypt.h includes
d9cadc11bd fscrypt: move fscrypt_is_dot_dotdot() to fs/crypto/fname.c
e6fe930580 fscrypt: move fscrypt_valid_enc_modes() to fscrypt_private.h
efefa434f4 fscrypt: move fscrypt_operations declaration to fscrypt_supp.h
7ed178bc8a fscrypt: split fscrypt_dummy_context_enabled() into supp/notsupp versions
3f16e09dad fscrypt: move fscrypt_ctx declaration to fscrypt_supp.h
8216a0b51a fscrypt: move fscrypt_info_cachep declaration to fscrypt_private.h
dfe0b3b1b6 fscrypt: move fscrypt_control_page() to supp/notsupp headers
3a2c791778 fscrypt: move fscrypt_has_encryption_key() to supp/notsupp headers
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Cherry-picked from origin/upstream-f2fs-stable-linux-4.4.y:
ba1ade7101 fscrypt: resolve some cherry-pick bugs
9e32f17d24 fscrypt: move to generic async completion
4ecacbed6e crypto: introduce crypto wait for async op
42d89da82b fscrypt: lock mutex before checking for bounce page pool
2286508d17 fscrypt: new helper function - fscrypt_prepare_setattr()
5cbdd42ad2 fscrypt: new helper function - fscrypt_prepare_lookup()
a31feba5c1 fscrypt: new helper function - fscrypt_prepare_rename()
95efafb623 fscrypt: new helper function - fscrypt_prepare_link()
2b4b4f98dd fscrypt: new helper function - fscrypt_file_open()
8c815f381c fscrypt: new helper function - fscrypt_require_key()
272e435025 fscrypt: remove unneeded empty fscrypt_operations structs
1034eeec51 fscrypt: remove ->is_encrypted()
32c0d3ae9d fscrypt: switch from ->is_encrypted() to IS_ENCRYPTED()
a4781dd1f1 fs, fscrypt: add an S_ENCRYPTED inode flag
ff0a3dbc93 fscrypt: clean up include file mess
bc4a61c60b fscrypt: fix dereference of NULL user_key_payload
a53dc7e005 fscrypt: make ->dummy_context() return bool
Change-Id: I461d742adc7b77177df91429a1fd9c8624a698d6
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
This is cherry-picked from upstrea-f2fs-stable-linux-4.4.y.
Changes include:
commit c7fd9e2b4a ("f2fs: hurry up to issue discard after io interruption")
commit 603dde3965 ("f2fs: fix to show correct discard_granularity in sysfs")
...
commit 565f0225f9 ("f2fs: factor out discard command info into discard_cmd_control")
commit c4cc29d19e ("f2fs: remove batched discard in f2fs_trim_fs")
Change-Id: Icd8a85ac0c19a8aa25cd2591a12b4e9b85bdf1c5
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
commit d117b9acaeada0b243f31e0fe83e111fcc9a6644 upstream.
Merge tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"A security fix (so a maliciously corrupted file system image won't
panic the kernel) and some fixes for CONFIG_VMAP_STACK"
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Eric Biggers
Jaegeuk Kim
Jaegeuk Kim