4b08356a76
fscrypt currently only supports AES encryption. However, many low-end mobile devices have older CPUs that don't have AES instructions, e.g. the ARMv8 Cryptography Extensions. Currently, user data on such devices is not encrypted at rest because AES is too slow, even when the NEON bit-sliced implementation of AES is used. Unfortunately, it is infeasible to encrypt these devices at all when AES is the only option. Therefore, this patch updates fscrypt to support the Speck block cipher, which was recently added to the crypto API. The C implementation of Speck is not especially fast, but Speck can be implemented very efficiently with general-purpose vector instructions, e.g. ARM NEON. For example, on an ARMv7 processor, we measured the NEON-accelerated Speck128/256-XTS at 69 MB/s for both encryption and decryption, while AES-256-XTS with the NEON bit-sliced implementation was only 22 MB/s encryption and 19 MB/s decryption. There are multiple variants of Speck. This patch only adds support for Speck128/256, which is the variant with a 128-bit block size and 256-bit key size -- the same as AES-256. This is believed to be the most secure variant of Speck, and it's only about 6% slower than Speck128/128. Speck64/128 would be at least 20% faster because it has 20% rounds, and it can be even faster on CPUs that can't efficiently do the 64-bit operations needed for Speck128. However, Speck64's 64-bit block size is not preferred security-wise. ARM NEON also supports the needed 64-bit operations even on 32-bit CPUs, resulting in Speck128 being fast enough for our targeted use cases so far. The chosen modes of operation are XTS for contents and CTS-CBC for filenames. These are the same modes of operation that fscrypt defaults to for AES. Note that as with the other fscrypt modes, Speck will not be used unless userspace chooses to use it. Nor are any of the existing modes (which are all AES-based) being removed, of course. We intentionally don't make CONFIG_FS_ENCRYPTION select CONFIG_CRYPTO_SPECK, so people will have to enable Speck support themselves if they need it. This is because we shouldn't bloat the FS_ENCRYPTION dependencies with every new cipher, especially ones that aren't recommended for most users. Moreover, CRYPTO_SPECK is just the generic implementation, which won't be fast enough for many users; in practice, they'll need to enable CRYPTO_SPECK_NEON to get acceptable performance. More details about our choice of Speck can be found in our patches that added Speck to the crypto API, and the follow-on discussion threads. We're planning a publication that explains the choice in more detail. But briefly, we can't use ChaCha20 as we previously proposed, since it would be insecure to use a stream cipher in this context, with potential IV reuse during writes on f2fs and/or on wear-leveling flash storage. We also evaluated many other lightweight and/or ARX-based block ciphers such as Chaskey-LTS, RC5, LEA, CHAM, Threefish, RC6, NOEKEON, SPARX, and XTEA. However, all had disadvantages vs. Speck, such as insufficient performance with NEON, much less published cryptanalysis, or an insufficient security level. Various design choices in Speck make it perform better with NEON than competing ciphers while still having a security margin similar to AES, and in the case of Speck128 also the same available security levels. Unfortunately, Speck does have some political baggage attached -- it's an NSA designed cipher, and was rejected from an ISO standard (though for context, as far as I know none of the above-mentioned alternatives are ISO standards either). Nevertheless, we believe it is a good solution to the problem from a technical perspective. Certain algorithms constructed from ChaCha or the ChaCha permutation, such as MEM (Masked Even-Mansour) or HPolyC, may also meet our performance requirements. However, these are new constructions that need more time to receive the cryptographic review and acceptance needed to be confident in their security. HPolyC hasn't been published yet, and we are concerned that MEM makes stronger assumptions about the underlying permutation than the ChaCha stream cipher does. In contrast, the XTS mode of operation is relatively well accepted, and Speck has over 70 cryptanalysis papers. Of course, these ChaCha-based algorithms can still be added later if they become ready. The best known attack on Speck128/256 is a differential cryptanalysis attack on 25 of 34 rounds with 2^253 time complexity and 2^125 chosen plaintexts, i.e. only marginally faster than brute force. There is no known attack on the full 34 rounds. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> (cherry-picked from commit 12d28f79558f2e987c5f3817f89e1ccc0f11a7b5 https://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt.git master) (dropped Documentation/filesystems/fscrypt.rst change) (fixed merge conflict in fs/crypto/keyinfo.c) (also ported change to fs/ext4/, which isn't using fs/crypto/ in this kernel version) Change-Id: I62c632044dfd06a2c5b74c2fb058f9c3b8af0add Signed-off-by: Eric Biggers <ebiggers@google.com>
264 lines
8 KiB
C
264 lines
8 KiB
C
/*
|
|
* linux/fs/ext4/crypto_policy.c
|
|
*
|
|
* Copyright (C) 2015, Google, Inc.
|
|
*
|
|
* This contains encryption policy functions for ext4
|
|
*
|
|
* Written by Michael Halcrow, 2015.
|
|
*/
|
|
|
|
#include <linux/random.h>
|
|
#include <linux/string.h>
|
|
#include <linux/types.h>
|
|
|
|
#include "ext4_jbd2.h"
|
|
#include "ext4.h"
|
|
#include "xattr.h"
|
|
|
|
static int ext4_inode_has_encryption_context(struct inode *inode)
|
|
{
|
|
int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, NULL, 0);
|
|
return (res > 0);
|
|
}
|
|
|
|
/*
|
|
* check whether the policy is consistent with the encryption context
|
|
* for the inode
|
|
*/
|
|
static int ext4_is_encryption_context_consistent_with_policy(
|
|
struct inode *inode, const struct ext4_encryption_policy *policy)
|
|
{
|
|
struct ext4_encryption_context ctx;
|
|
int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
|
|
sizeof(ctx));
|
|
if (res != sizeof(ctx))
|
|
return 0;
|
|
return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
|
|
EXT4_KEY_DESCRIPTOR_SIZE) == 0 &&
|
|
(ctx.flags ==
|
|
policy->flags) &&
|
|
(ctx.contents_encryption_mode ==
|
|
policy->contents_encryption_mode) &&
|
|
(ctx.filenames_encryption_mode ==
|
|
policy->filenames_encryption_mode));
|
|
}
|
|
|
|
static int ext4_create_encryption_context_from_policy(
|
|
struct inode *inode, const struct ext4_encryption_policy *policy)
|
|
{
|
|
struct ext4_encryption_context ctx;
|
|
handle_t *handle;
|
|
int res, res2;
|
|
|
|
res = ext4_convert_inline_data(inode);
|
|
if (res)
|
|
return res;
|
|
|
|
ctx.format = EXT4_ENCRYPTION_CONTEXT_FORMAT_V1;
|
|
memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
|
|
EXT4_KEY_DESCRIPTOR_SIZE);
|
|
if (!ext4_valid_enc_modes(policy->contents_encryption_mode,
|
|
policy->filenames_encryption_mode)) {
|
|
printk(KERN_WARNING
|
|
"%s: Invalid encryption modes (contents %d, filenames %d)\n",
|
|
__func__, policy->contents_encryption_mode,
|
|
policy->filenames_encryption_mode);
|
|
return -EINVAL;
|
|
}
|
|
if (policy->flags & ~EXT4_POLICY_FLAGS_VALID)
|
|
return -EINVAL;
|
|
ctx.contents_encryption_mode = policy->contents_encryption_mode;
|
|
ctx.filenames_encryption_mode = policy->filenames_encryption_mode;
|
|
ctx.flags = policy->flags;
|
|
BUILD_BUG_ON(sizeof(ctx.nonce) != EXT4_KEY_DERIVATION_NONCE_SIZE);
|
|
get_random_bytes(ctx.nonce, EXT4_KEY_DERIVATION_NONCE_SIZE);
|
|
|
|
handle = ext4_journal_start(inode, EXT4_HT_MISC,
|
|
ext4_jbd2_credits_xattr(inode));
|
|
if (IS_ERR(handle))
|
|
return PTR_ERR(handle);
|
|
res = ext4_xattr_set(inode, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
|
|
sizeof(ctx), 0);
|
|
if (!res) {
|
|
ext4_set_inode_flag(inode, EXT4_INODE_ENCRYPT);
|
|
res = ext4_mark_inode_dirty(handle, inode);
|
|
if (res)
|
|
EXT4_ERROR_INODE(inode, "Failed to mark inode dirty");
|
|
}
|
|
res2 = ext4_journal_stop(handle);
|
|
if (!res)
|
|
res = res2;
|
|
return res;
|
|
}
|
|
|
|
int ext4_process_policy(const struct ext4_encryption_policy *policy,
|
|
struct inode *inode)
|
|
{
|
|
if (!inode_owner_or_capable(inode))
|
|
return -EACCES;
|
|
|
|
if (policy->version != 0)
|
|
return -EINVAL;
|
|
|
|
if (!ext4_inode_has_encryption_context(inode)) {
|
|
if (!S_ISDIR(inode->i_mode))
|
|
return -EINVAL;
|
|
if (!ext4_empty_dir(inode))
|
|
return -ENOTEMPTY;
|
|
return ext4_create_encryption_context_from_policy(inode,
|
|
policy);
|
|
}
|
|
|
|
if (ext4_is_encryption_context_consistent_with_policy(inode, policy))
|
|
return 0;
|
|
|
|
printk(KERN_WARNING "%s: Policy inconsistent with encryption context\n",
|
|
__func__);
|
|
return -EINVAL;
|
|
}
|
|
|
|
int ext4_get_policy(struct inode *inode, struct ext4_encryption_policy *policy)
|
|
{
|
|
struct ext4_encryption_context ctx;
|
|
|
|
int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
|
|
&ctx, sizeof(ctx));
|
|
if (res != sizeof(ctx))
|
|
return -ENOENT;
|
|
if (ctx.format != EXT4_ENCRYPTION_CONTEXT_FORMAT_V1)
|
|
return -EINVAL;
|
|
policy->version = 0;
|
|
policy->contents_encryption_mode = ctx.contents_encryption_mode;
|
|
policy->filenames_encryption_mode = ctx.filenames_encryption_mode;
|
|
policy->flags = ctx.flags;
|
|
memcpy(&policy->master_key_descriptor, ctx.master_key_descriptor,
|
|
EXT4_KEY_DESCRIPTOR_SIZE);
|
|
return 0;
|
|
}
|
|
|
|
int ext4_is_child_context_consistent_with_parent(struct inode *parent,
|
|
struct inode *child)
|
|
{
|
|
const struct ext4_crypt_info *parent_ci, *child_ci;
|
|
struct ext4_encryption_context parent_ctx, child_ctx;
|
|
int res;
|
|
|
|
/* No restrictions on file types which are never encrypted */
|
|
if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
|
|
!S_ISLNK(child->i_mode))
|
|
return 1;
|
|
|
|
/* No restrictions if the parent directory is unencrypted */
|
|
if (!ext4_encrypted_inode(parent))
|
|
return 1;
|
|
|
|
/* Encrypted directories must not contain unencrypted files */
|
|
if (!ext4_encrypted_inode(child))
|
|
return 0;
|
|
|
|
/*
|
|
* Both parent and child are encrypted, so verify they use the same
|
|
* encryption policy. Compare the fscrypt_info structs if the keys are
|
|
* available, otherwise retrieve and compare the fscrypt_contexts.
|
|
*
|
|
* Note that the fscrypt_context retrieval will be required frequently
|
|
* when accessing an encrypted directory tree without the key.
|
|
* Performance-wise this is not a big deal because we already don't
|
|
* really optimize for file access without the key (to the extent that
|
|
* such access is even possible), given that any attempted access
|
|
* already causes a fscrypt_context retrieval and keyring search.
|
|
*
|
|
* In any case, if an unexpected error occurs, fall back to "forbidden".
|
|
*/
|
|
|
|
res = ext4_get_encryption_info(parent);
|
|
if (res)
|
|
return 0;
|
|
res = ext4_get_encryption_info(child);
|
|
if (res)
|
|
return 0;
|
|
parent_ci = EXT4_I(parent)->i_crypt_info;
|
|
child_ci = EXT4_I(child)->i_crypt_info;
|
|
if (parent_ci && child_ci) {
|
|
return memcmp(parent_ci->ci_master_key, child_ci->ci_master_key,
|
|
EXT4_KEY_DESCRIPTOR_SIZE) == 0 &&
|
|
(parent_ci->ci_data_mode == child_ci->ci_data_mode) &&
|
|
(parent_ci->ci_filename_mode ==
|
|
child_ci->ci_filename_mode) &&
|
|
(parent_ci->ci_flags == child_ci->ci_flags);
|
|
}
|
|
|
|
res = ext4_xattr_get(parent, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
|
|
&parent_ctx, sizeof(parent_ctx));
|
|
if (res != sizeof(parent_ctx))
|
|
return 0;
|
|
|
|
res = ext4_xattr_get(child, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
|
|
&child_ctx, sizeof(child_ctx));
|
|
if (res != sizeof(child_ctx))
|
|
return 0;
|
|
|
|
return memcmp(parent_ctx.master_key_descriptor,
|
|
child_ctx.master_key_descriptor,
|
|
EXT4_KEY_DESCRIPTOR_SIZE) == 0 &&
|
|
(parent_ctx.contents_encryption_mode ==
|
|
child_ctx.contents_encryption_mode) &&
|
|
(parent_ctx.filenames_encryption_mode ==
|
|
child_ctx.filenames_encryption_mode) &&
|
|
(parent_ctx.flags == child_ctx.flags);
|
|
}
|
|
|
|
/**
|
|
* ext4_inherit_context() - Sets a child context from its parent
|
|
* @parent: Parent inode from which the context is inherited.
|
|
* @child: Child inode that inherits the context from @parent.
|
|
*
|
|
* Return: Zero on success, non-zero otherwise
|
|
*/
|
|
int ext4_inherit_context(struct inode *parent, struct inode *child)
|
|
{
|
|
struct ext4_encryption_context ctx;
|
|
struct ext4_crypt_info *ci;
|
|
int res;
|
|
|
|
res = ext4_get_encryption_info(parent);
|
|
if (res < 0)
|
|
return res;
|
|
ci = EXT4_I(parent)->i_crypt_info;
|
|
if (ci == NULL)
|
|
return -ENOKEY;
|
|
|
|
ctx.format = EXT4_ENCRYPTION_CONTEXT_FORMAT_V1;
|
|
if (DUMMY_ENCRYPTION_ENABLED(EXT4_SB(parent->i_sb))) {
|
|
ctx.contents_encryption_mode = EXT4_ENCRYPTION_MODE_AES_256_XTS;
|
|
ctx.filenames_encryption_mode =
|
|
EXT4_ENCRYPTION_MODE_AES_256_CTS;
|
|
ctx.flags = 0;
|
|
memset(ctx.master_key_descriptor, 0x42,
|
|
EXT4_KEY_DESCRIPTOR_SIZE);
|
|
res = 0;
|
|
} else {
|
|
ctx.contents_encryption_mode = ci->ci_data_mode;
|
|
ctx.filenames_encryption_mode = ci->ci_filename_mode;
|
|
ctx.flags = ci->ci_flags;
|
|
memcpy(ctx.master_key_descriptor, ci->ci_master_key,
|
|
EXT4_KEY_DESCRIPTOR_SIZE);
|
|
}
|
|
get_random_bytes(ctx.nonce, EXT4_KEY_DERIVATION_NONCE_SIZE);
|
|
res = ext4_xattr_set(child, EXT4_XATTR_INDEX_ENCRYPTION,
|
|
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, &ctx,
|
|
sizeof(ctx), 0);
|
|
if (!res) {
|
|
ext4_set_inode_flag(child, EXT4_INODE_ENCRYPT);
|
|
ext4_clear_inode_state(child, EXT4_STATE_MAY_INLINE_DATA);
|
|
res = ext4_get_encryption_info(child);
|
|
}
|
|
return res;
|
|
}
|