4b08356a76
fscrypt currently only supports AES encryption. However, many low-end mobile devices have older CPUs that don't have AES instructions, e.g. the ARMv8 Cryptography Extensions. Currently, user data on such devices is not encrypted at rest because AES is too slow, even when the NEON bit-sliced implementation of AES is used. Unfortunately, it is infeasible to encrypt these devices at all when AES is the only option. Therefore, this patch updates fscrypt to support the Speck block cipher, which was recently added to the crypto API. The C implementation of Speck is not especially fast, but Speck can be implemented very efficiently with general-purpose vector instructions, e.g. ARM NEON. For example, on an ARMv7 processor, we measured the NEON-accelerated Speck128/256-XTS at 69 MB/s for both encryption and decryption, while AES-256-XTS with the NEON bit-sliced implementation was only 22 MB/s encryption and 19 MB/s decryption. There are multiple variants of Speck. This patch only adds support for Speck128/256, which is the variant with a 128-bit block size and 256-bit key size -- the same as AES-256. This is believed to be the most secure variant of Speck, and it's only about 6% slower than Speck128/128. Speck64/128 would be at least 20% faster because it has 20% rounds, and it can be even faster on CPUs that can't efficiently do the 64-bit operations needed for Speck128. However, Speck64's 64-bit block size is not preferred security-wise. ARM NEON also supports the needed 64-bit operations even on 32-bit CPUs, resulting in Speck128 being fast enough for our targeted use cases so far. The chosen modes of operation are XTS for contents and CTS-CBC for filenames. These are the same modes of operation that fscrypt defaults to for AES. Note that as with the other fscrypt modes, Speck will not be used unless userspace chooses to use it. Nor are any of the existing modes (which are all AES-based) being removed, of course. We intentionally don't make CONFIG_FS_ENCRYPTION select CONFIG_CRYPTO_SPECK, so people will have to enable Speck support themselves if they need it. This is because we shouldn't bloat the FS_ENCRYPTION dependencies with every new cipher, especially ones that aren't recommended for most users. Moreover, CRYPTO_SPECK is just the generic implementation, which won't be fast enough for many users; in practice, they'll need to enable CRYPTO_SPECK_NEON to get acceptable performance. More details about our choice of Speck can be found in our patches that added Speck to the crypto API, and the follow-on discussion threads. We're planning a publication that explains the choice in more detail. But briefly, we can't use ChaCha20 as we previously proposed, since it would be insecure to use a stream cipher in this context, with potential IV reuse during writes on f2fs and/or on wear-leveling flash storage. We also evaluated many other lightweight and/or ARX-based block ciphers such as Chaskey-LTS, RC5, LEA, CHAM, Threefish, RC6, NOEKEON, SPARX, and XTEA. However, all had disadvantages vs. Speck, such as insufficient performance with NEON, much less published cryptanalysis, or an insufficient security level. Various design choices in Speck make it perform better with NEON than competing ciphers while still having a security margin similar to AES, and in the case of Speck128 also the same available security levels. Unfortunately, Speck does have some political baggage attached -- it's an NSA designed cipher, and was rejected from an ISO standard (though for context, as far as I know none of the above-mentioned alternatives are ISO standards either). Nevertheless, we believe it is a good solution to the problem from a technical perspective. Certain algorithms constructed from ChaCha or the ChaCha permutation, such as MEM (Masked Even-Mansour) or HPolyC, may also meet our performance requirements. However, these are new constructions that need more time to receive the cryptographic review and acceptance needed to be confident in their security. HPolyC hasn't been published yet, and we are concerned that MEM makes stronger assumptions about the underlying permutation than the ChaCha stream cipher does. In contrast, the XTS mode of operation is relatively well accepted, and Speck has over 70 cryptanalysis papers. Of course, these ChaCha-based algorithms can still be added later if they become ready. The best known attack on Speck128/256 is a differential cryptanalysis attack on 25 of 34 rounds with 2^253 time complexity and 2^125 chosen plaintexts, i.e. only marginally faster than brute force. There is no known attack on the full 34 rounds. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> (cherry-picked from commit 12d28f79558f2e987c5f3817f89e1ccc0f11a7b5 https://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt.git master) (dropped Documentation/filesystems/fscrypt.rst change) (fixed merge conflict in fs/crypto/keyinfo.c) (also ported change to fs/ext4/, which isn't using fs/crypto/ in this kernel version) Change-Id: I62c632044dfd06a2c5b74c2fb058f9c3b8af0add Signed-off-by: Eric Biggers <ebiggers@google.com>
263 lines
9.7 KiB
C
263 lines
9.7 KiB
C
#ifndef _UAPI_LINUX_FS_H
|
|
#define _UAPI_LINUX_FS_H
|
|
|
|
/*
|
|
* This file has definitions for some important file table
|
|
* structures etc.
|
|
*/
|
|
|
|
#include <linux/limits.h>
|
|
#include <linux/ioctl.h>
|
|
#include <linux/types.h>
|
|
|
|
/*
|
|
* It's silly to have NR_OPEN bigger than NR_FILE, but you can change
|
|
* the file limit at runtime and only root can increase the per-process
|
|
* nr_file rlimit, so it's safe to set up a ridiculously high absolute
|
|
* upper limit on files-per-process.
|
|
*
|
|
* Some programs (notably those using select()) may have to be
|
|
* recompiled to take full advantage of the new limits..
|
|
*/
|
|
|
|
/* Fixed constants first: */
|
|
#undef NR_OPEN
|
|
#define INR_OPEN_CUR 1024 /* Initial setting for nfile rlimits */
|
|
#define INR_OPEN_MAX 4096 /* Hard limit for nfile rlimits */
|
|
|
|
#define BLOCK_SIZE_BITS 10
|
|
#define BLOCK_SIZE (1<<BLOCK_SIZE_BITS)
|
|
|
|
#define SEEK_SET 0 /* seek relative to beginning of file */
|
|
#define SEEK_CUR 1 /* seek relative to current file position */
|
|
#define SEEK_END 2 /* seek relative to end of file */
|
|
#define SEEK_DATA 3 /* seek to the next data */
|
|
#define SEEK_HOLE 4 /* seek to the next hole */
|
|
#define SEEK_MAX SEEK_HOLE
|
|
|
|
#define RENAME_NOREPLACE (1 << 0) /* Don't overwrite target */
|
|
#define RENAME_EXCHANGE (1 << 1) /* Exchange source and dest */
|
|
#define RENAME_WHITEOUT (1 << 2) /* Whiteout source */
|
|
|
|
struct fstrim_range {
|
|
__u64 start;
|
|
__u64 len;
|
|
__u64 minlen;
|
|
};
|
|
|
|
/* And dynamically-tunable limits and defaults: */
|
|
struct files_stat_struct {
|
|
unsigned long nr_files; /* read only */
|
|
unsigned long nr_free_files; /* read only */
|
|
unsigned long max_files; /* tunable */
|
|
};
|
|
|
|
struct inodes_stat_t {
|
|
long nr_inodes;
|
|
long nr_unused;
|
|
long dummy[5]; /* padding for sysctl ABI compatibility */
|
|
};
|
|
|
|
|
|
#define NR_FILE 8192 /* this can well be larger on a larger system */
|
|
|
|
|
|
/*
|
|
* These are the fs-independent mount-flags: up to 32 flags are supported
|
|
*/
|
|
#define MS_RDONLY 1 /* Mount read-only */
|
|
#define MS_NOSUID 2 /* Ignore suid and sgid bits */
|
|
#define MS_NODEV 4 /* Disallow access to device special files */
|
|
#define MS_NOEXEC 8 /* Disallow program execution */
|
|
#define MS_SYNCHRONOUS 16 /* Writes are synced at once */
|
|
#define MS_REMOUNT 32 /* Alter flags of a mounted FS */
|
|
#define MS_MANDLOCK 64 /* Allow mandatory locks on an FS */
|
|
#define MS_DIRSYNC 128 /* Directory modifications are synchronous */
|
|
#define MS_NOATIME 1024 /* Do not update access times. */
|
|
#define MS_NODIRATIME 2048 /* Do not update directory access times */
|
|
#define MS_BIND 4096
|
|
#define MS_MOVE 8192
|
|
#define MS_REC 16384
|
|
#define MS_VERBOSE 32768 /* War is peace. Verbosity is silence.
|
|
MS_VERBOSE is deprecated. */
|
|
#define MS_SILENT 32768
|
|
#define MS_POSIXACL (1<<16) /* VFS does not apply the umask */
|
|
#define MS_UNBINDABLE (1<<17) /* change to unbindable */
|
|
#define MS_PRIVATE (1<<18) /* change to private */
|
|
#define MS_SLAVE (1<<19) /* change to slave */
|
|
#define MS_SHARED (1<<20) /* change to shared */
|
|
#define MS_RELATIME (1<<21) /* Update atime relative to mtime/ctime. */
|
|
#define MS_KERNMOUNT (1<<22) /* this is a kern_mount call */
|
|
#define MS_I_VERSION (1<<23) /* Update inode I_version field */
|
|
#define MS_STRICTATIME (1<<24) /* Always perform atime updates */
|
|
#define MS_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */
|
|
|
|
/* These sb flags are internal to the kernel */
|
|
#define MS_NOSEC (1<<28)
|
|
#define MS_BORN (1<<29)
|
|
#define MS_ACTIVE (1<<30)
|
|
#define MS_NOUSER (1<<31)
|
|
|
|
/*
|
|
* Superblock flags that can be altered by MS_REMOUNT
|
|
*/
|
|
#define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_I_VERSION|\
|
|
MS_LAZYTIME)
|
|
|
|
/*
|
|
* Old magic mount flag and mask
|
|
*/
|
|
#define MS_MGC_VAL 0xC0ED0000
|
|
#define MS_MGC_MSK 0xffff0000
|
|
|
|
/* the read-only stuff doesn't really belong here, but any other place is
|
|
probably as bad and I don't want to create yet another include file. */
|
|
|
|
#define BLKROSET _IO(0x12,93) /* set device read-only (0 = read-write) */
|
|
#define BLKROGET _IO(0x12,94) /* get read-only status (0 = read_write) */
|
|
#define BLKRRPART _IO(0x12,95) /* re-read partition table */
|
|
#define BLKGETSIZE _IO(0x12,96) /* return device size /512 (long *arg) */
|
|
#define BLKFLSBUF _IO(0x12,97) /* flush buffer cache */
|
|
#define BLKRASET _IO(0x12,98) /* set read ahead for block device */
|
|
#define BLKRAGET _IO(0x12,99) /* get current read ahead setting */
|
|
#define BLKFRASET _IO(0x12,100)/* set filesystem (mm/filemap.c) read-ahead */
|
|
#define BLKFRAGET _IO(0x12,101)/* get filesystem (mm/filemap.c) read-ahead */
|
|
#define BLKSECTSET _IO(0x12,102)/* set max sectors per request (ll_rw_blk.c) */
|
|
#define BLKSECTGET _IO(0x12,103)/* get max sectors per request (ll_rw_blk.c) */
|
|
#define BLKSSZGET _IO(0x12,104)/* get block device sector size */
|
|
#if 0
|
|
#define BLKPG _IO(0x12,105)/* See blkpg.h */
|
|
|
|
/* Some people are morons. Do not use sizeof! */
|
|
|
|
#define BLKELVGET _IOR(0x12,106,size_t)/* elevator get */
|
|
#define BLKELVSET _IOW(0x12,107,size_t)/* elevator set */
|
|
/* This was here just to show that the number is taken -
|
|
probably all these _IO(0x12,*) ioctls should be moved to blkpg.h. */
|
|
#endif
|
|
/* A jump here: 108-111 have been used for various private purposes. */
|
|
#define BLKBSZGET _IOR(0x12,112,size_t)
|
|
#define BLKBSZSET _IOW(0x12,113,size_t)
|
|
#define BLKGETSIZE64 _IOR(0x12,114,size_t) /* return device size in bytes (u64 *arg) */
|
|
#define BLKTRACESETUP _IOWR(0x12,115,struct blk_user_trace_setup)
|
|
#define BLKTRACESTART _IO(0x12,116)
|
|
#define BLKTRACESTOP _IO(0x12,117)
|
|
#define BLKTRACETEARDOWN _IO(0x12,118)
|
|
#define BLKDISCARD _IO(0x12,119)
|
|
#define BLKIOMIN _IO(0x12,120)
|
|
#define BLKIOOPT _IO(0x12,121)
|
|
#define BLKALIGNOFF _IO(0x12,122)
|
|
#define BLKPBSZGET _IO(0x12,123)
|
|
#define BLKDISCARDZEROES _IO(0x12,124)
|
|
#define BLKSECDISCARD _IO(0x12,125)
|
|
#define BLKROTATIONAL _IO(0x12,126)
|
|
#define BLKZEROOUT _IO(0x12,127)
|
|
|
|
#define BMAP_IOCTL 1 /* obsolete - kept for compatibility */
|
|
#define FIBMAP _IO(0x00,1) /* bmap access */
|
|
#define FIGETBSZ _IO(0x00,2) /* get the block size used for bmap */
|
|
#define FIFREEZE _IOWR('X', 119, int) /* Freeze */
|
|
#define FITHAW _IOWR('X', 120, int) /* Thaw */
|
|
#define FITRIM _IOWR('X', 121, struct fstrim_range) /* Trim */
|
|
|
|
#define FIDTRIM _IOWR('f', 128, struct fstrim_range) /* Deep discard trim */
|
|
|
|
#define FS_IOC_GETFLAGS _IOR('f', 1, long)
|
|
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
|
|
#define FS_IOC_GETVERSION _IOR('v', 1, long)
|
|
#define FS_IOC_SETVERSION _IOW('v', 2, long)
|
|
#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)
|
|
#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
|
|
#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
|
|
#define FS_IOC32_GETVERSION _IOR('v', 1, int)
|
|
#define FS_IOC32_SETVERSION _IOW('v', 2, int)
|
|
|
|
/*
|
|
* File system encryption support
|
|
*/
|
|
/* Policy provided via an ioctl on the topmost directory */
|
|
#define FS_KEY_DESCRIPTOR_SIZE 8
|
|
|
|
#define FS_POLICY_FLAGS_PAD_4 0x00
|
|
#define FS_POLICY_FLAGS_PAD_8 0x01
|
|
#define FS_POLICY_FLAGS_PAD_16 0x02
|
|
#define FS_POLICY_FLAGS_PAD_32 0x03
|
|
#define FS_POLICY_FLAGS_PAD_MASK 0x03
|
|
#define FS_POLICY_FLAGS_VALID 0x03
|
|
|
|
/* Encryption algorithms */
|
|
#define FS_ENCRYPTION_MODE_INVALID 0
|
|
#define FS_ENCRYPTION_MODE_AES_256_XTS 1
|
|
#define FS_ENCRYPTION_MODE_AES_256_GCM 2
|
|
#define FS_ENCRYPTION_MODE_AES_256_CBC 3
|
|
#define FS_ENCRYPTION_MODE_AES_256_CTS 4
|
|
#define FS_ENCRYPTION_MODE_AES_128_CBC 5
|
|
#define FS_ENCRYPTION_MODE_AES_128_CTS 6
|
|
#define FS_ENCRYPTION_MODE_SPECK128_256_XTS 7
|
|
#define FS_ENCRYPTION_MODE_SPECK128_256_CTS 8
|
|
|
|
|
|
struct fscrypt_policy {
|
|
__u8 version;
|
|
__u8 contents_encryption_mode;
|
|
__u8 filenames_encryption_mode;
|
|
__u8 flags;
|
|
__u8 master_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
|
|
} __packed;
|
|
|
|
#define FS_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct fscrypt_policy)
|
|
#define FS_IOC_GET_ENCRYPTION_PWSALT _IOW('f', 20, __u8[16])
|
|
#define FS_IOC_GET_ENCRYPTION_POLICY _IOW('f', 21, struct fscrypt_policy)
|
|
|
|
/* Parameters for passing an encryption key into the kernel keyring */
|
|
#define FS_KEY_DESC_PREFIX "fscrypt:"
|
|
#define FS_KEY_DESC_PREFIX_SIZE 8
|
|
|
|
/* Structure that userspace passes to the kernel keyring */
|
|
#define FS_MAX_KEY_SIZE 64
|
|
|
|
struct fscrypt_key {
|
|
__u32 mode;
|
|
__u8 raw[FS_MAX_KEY_SIZE];
|
|
__u32 size;
|
|
};
|
|
|
|
/*
|
|
* Inode flags (FS_IOC_GETFLAGS / FS_IOC_SETFLAGS)
|
|
*/
|
|
#define FS_SECRM_FL 0x00000001 /* Secure deletion */
|
|
#define FS_UNRM_FL 0x00000002 /* Undelete */
|
|
#define FS_COMPR_FL 0x00000004 /* Compress file */
|
|
#define FS_SYNC_FL 0x00000008 /* Synchronous updates */
|
|
#define FS_IMMUTABLE_FL 0x00000010 /* Immutable file */
|
|
#define FS_APPEND_FL 0x00000020 /* writes to file may only append */
|
|
#define FS_NODUMP_FL 0x00000040 /* do not dump file */
|
|
#define FS_NOATIME_FL 0x00000080 /* do not update atime */
|
|
/* Reserved for compression usage... */
|
|
#define FS_DIRTY_FL 0x00000100
|
|
#define FS_COMPRBLK_FL 0x00000200 /* One or more compressed clusters */
|
|
#define FS_NOCOMP_FL 0x00000400 /* Don't compress */
|
|
#define FS_ECOMPR_FL 0x00000800 /* Compression error */
|
|
/* End compression flags --- maybe not all used */
|
|
#define FS_BTREE_FL 0x00001000 /* btree format dir */
|
|
#define FS_INDEX_FL 0x00001000 /* hash-indexed directory */
|
|
#define FS_IMAGIC_FL 0x00002000 /* AFS directory */
|
|
#define FS_JOURNAL_DATA_FL 0x00004000 /* Reserved for ext3 */
|
|
#define FS_NOTAIL_FL 0x00008000 /* file tail should not be merged */
|
|
#define FS_DIRSYNC_FL 0x00010000 /* dirsync behaviour (directories only) */
|
|
#define FS_TOPDIR_FL 0x00020000 /* Top of directory hierarchies*/
|
|
#define FS_EXTENT_FL 0x00080000 /* Extents */
|
|
#define FS_DIRECTIO_FL 0x00100000 /* Use direct i/o */
|
|
#define FS_NOCOW_FL 0x00800000 /* Do not cow file */
|
|
#define FS_PROJINHERIT_FL 0x20000000 /* Create with parents projid */
|
|
#define FS_RESERVED_FL 0x80000000 /* reserved for ext2 lib */
|
|
|
|
#define FS_FL_USER_VISIBLE 0x0003DFFF /* User visible flags */
|
|
#define FS_FL_USER_MODIFIABLE 0x000380FF /* User modifiable flags */
|
|
|
|
|
|
#define SYNC_FILE_RANGE_WAIT_BEFORE 1
|
|
#define SYNC_FILE_RANGE_WRITE 2
|
|
#define SYNC_FILE_RANGE_WAIT_AFTER 4
|
|
|
|
#endif /* _UAPI_LINUX_FS_H */
|