keysetup.c source code [linux/fs/crypto/keysetup.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* Key setup facility for FS encryption support.
4	*
5	* Copyright (C) 2015, Google, Inc.
6	*
7	* Originally written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar.
8	* Heavily modified since then.
9	*/
10
11	#include <crypto/skcipher.h>
12	#include <linux/random.h>
13
14	#include "fscrypt_private.h"
15
16	struct fscrypt_mode fscrypt_modes[] = {
17	[FSCRYPT_MODE_AES_256_XTS] = {
18	.friendly_name = "AES-256-XTS",
19	.cipher_str = "xts(aes)",
20	.keysize = `64`,
21	.security_strength = `32`,
22	.ivsize = `16`,
23	.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,
24	},
25	[FSCRYPT_MODE_AES_256_CTS] = {
26	.friendly_name = "AES-256-CBC-CTS",
27	.cipher_str = "cts(cbc(aes))",
28	.keysize = `32`,
29	.security_strength = `32`,
30	.ivsize = `16`,
31	},
32	[FSCRYPT_MODE_AES_128_CBC] = {
33	.friendly_name = "AES-128-CBC-ESSIV",
34	.cipher_str = "essiv(cbc(aes),sha256)",
35	.keysize = `16`,
36	.security_strength = `16`,
37	.ivsize = `16`,
38	.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
39	},
40	[FSCRYPT_MODE_AES_128_CTS] = {
41	.friendly_name = "AES-128-CBC-CTS",
42	.cipher_str = "cts(cbc(aes))",
43	.keysize = `16`,
44	.security_strength = `16`,
45	.ivsize = `16`,
46	},
47	[FSCRYPT_MODE_SM4_XTS] = {
48	.friendly_name = "SM4-XTS",
49	.cipher_str = "xts(sm4)",
50	.keysize = `32`,
51	.security_strength = `16`,
52	.ivsize = `16`,
53	.blk_crypto_mode = BLK_ENCRYPTION_MODE_SM4_XTS,
54	},
55	[FSCRYPT_MODE_SM4_CTS] = {
56	.friendly_name = "SM4-CBC-CTS",
57	.cipher_str = "cts(cbc(sm4))",
58	.keysize = `16`,
59	.security_strength = `16`,
60	.ivsize = `16`,
61	},
62	[FSCRYPT_MODE_ADIANTUM] = {
63	.friendly_name = "Adiantum",
64	.cipher_str = "adiantum(xchacha12,aes)",
65	.keysize = `32`,
66	.security_strength = `32`,
67	.ivsize = `32`,
68	.blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM,
69	},
70	[FSCRYPT_MODE_AES_256_HCTR2] = {
71	.friendly_name = "AES-256-HCTR2",
72	.cipher_str = "hctr2(aes)",
73	.keysize = `32`,
74	.security_strength = `32`,
75	.ivsize = `32`,
76	},
77	};
78
79	static DEFINE_MUTEX(fscrypt_mode_key_setup_mutex);
80
81	static struct fscrypt_mode *
82	select_encryption_mode(const union fscrypt_policy *policy,
83	const struct inode *inode)
84	{
85	BUILD_BUG_ON(ARRAY_SIZE(fscrypt_modes) != FSCRYPT_MODE_MAX + `1`);
86
87	if (S_ISREG(inode->i_mode))
88	return &fscrypt_modes[fscrypt_policy_contents_mode(policy)];
89
90	if (S_ISDIR(inode->i_mode) \|\| S_ISLNK(inode->i_mode))
91	return &fscrypt_modes[fscrypt_policy_fnames_mode(policy)];
92
93	WARN_ONCE(`1`, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
94	inode->i_ino, (inode->i_mode & S_IFMT));
95	return ERR_PTR(error: -EINVAL);
96	}
97
98	/ Create a symmetric cipher object for the given encryption mode and key /
99	static struct crypto_skcipher *
100	fscrypt_allocate_skcipher(struct fscrypt_mode mode, const* u8 *raw_key,
101	const struct inode *inode)
102	{
103	struct crypto_skcipher *tfm;
104	int err;
105
106	tfm = crypto_alloc_skcipher(alg_name: mode->cipher_str, type: `0`, mask: `0`);
107	if (IS_ERR(ptr: tfm)) {
108	if (PTR_ERR(ptr: tfm) == -ENOENT) {
109	fscrypt_warn(inode,
110	"Missing crypto API support for %s (API name: \"%s\")",
111	mode->friendly_name, mode->cipher_str);
112	return ERR_PTR(error: -ENOPKG);
113	}
114	fscrypt_err(inode, "Error allocating '%s' transform: %ld",
115	mode->cipher_str, PTR_ERR(tfm));
116	return tfm;
117	}
118	if (!xchg(&mode->logged_cryptoapi_impl, `1`)) {
119	/*
120	* fscrypt performance can vary greatly depending on which
121	* crypto algorithm implementation is used. Help people debug
122	* performance problems by logging the ->cra_driver_name the
123	* first time a mode is used.
124	*/
125	pr_info("fscrypt: %s using implementation \"%s\"\n",
126	mode->friendly_name, crypto_skcipher_driver_name(tfm));
127	}
128	if (WARN_ON_ONCE(crypto_skcipher_ivsize(tfm) != mode->ivsize)) {
129	err = -EINVAL;
130	goto err_free_tfm;
131	}
132	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
133	err = crypto_skcipher_setkey(tfm, key: raw_key, keylen: mode->keysize);
134	if (err)
135	goto err_free_tfm;
136
137	return tfm;
138
139	err_free_tfm:
140	crypto_free_skcipher(tfm);
141	return ERR_PTR(error: err);
142	}
143
144	/*
145	* Prepare the crypto transform object or blk-crypto key in @prep_key, given the
146	* raw key, encryption mode (@ci->ci_mode), flag indicating which encryption
147	* implementation (fs-layer or blk-crypto) will be used (@ci->ci_inlinecrypt),
148	* and IV generation method (@ci->ci_policy.flags).
149	*/
150	int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key,
151	const u8 raw_key, const* struct fscrypt_inode_info *ci)
152	{
153	struct crypto_skcipher *tfm;
154
155	if (fscrypt_using_inline_encryption(ci))
156	return fscrypt_prepare_inline_crypt_key(prep_key, raw_key, ci);
157
158	tfm = fscrypt_allocate_skcipher(mode: ci->ci_mode, raw_key, inode: ci->ci_inode);
159	if (IS_ERR(ptr: tfm))
160	return PTR_ERR(ptr: tfm);
161	/*
162	* Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
163	* I.e., here we publish ->tfm with a RELEASE barrier so that
164	* concurrent tasks can ACQUIRE it. Note that this concurrency is only
165	* possible for per-mode keys, not for per-file keys.
166	*/
167	smp_store_release(&prep_key->tfm, tfm);
168	return `0`;
169	}
170
171	/ Destroy a crypto transform object and/or blk-crypto key. /
172	void fscrypt_destroy_prepared_key(struct super_block *sb,
173	struct fscrypt_prepared_key *prep_key)
174	{
175	crypto_free_skcipher(tfm: prep_key->tfm);
176	fscrypt_destroy_inline_crypt_key(sb, prep_key);
177	memzero_explicit(s: prep_key, count: sizeof(*prep_key));
178	}
179
180	/ Given a per-file encryption key, set up the file's crypto transform object /
181	int fscrypt_set_per_file_enc_key(struct fscrypt_inode_info *ci,
182	const u8 *raw_key)
183	{
184	ci->ci_owns_key = true;
185	return fscrypt_prepare_key(prep_key: &ci->ci_enc_key, raw_key, ci);
186	}
187
188	static int setup_per_mode_enc_key(struct fscrypt_inode_info *ci,
189	struct fscrypt_master_key *mk,
190	struct fscrypt_prepared_key *keys,
191	u8 hkdf_context, bool include_fs_uuid)
192	{
193	const struct inode *inode = ci->ci_inode;
194	const struct super_block *sb = inode->i_sb;
195	struct fscrypt_mode *mode = ci->ci_mode;
196	const u8 mode_num = mode - fscrypt_modes;
197	struct fscrypt_prepared_key *prep_key;
198	u8 mode_key[FSCRYPT_MAX_KEY_SIZE];
199	u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)];
200	unsigned int hkdf_infolen = `0`;
201	int err;
202
203	if (WARN_ON_ONCE(mode_num > FSCRYPT_MODE_MAX))
204	return -EINVAL;
205
206	prep_key = &keys[mode_num];
207	if (fscrypt_is_key_prepared(prep_key, ci)) {
208	ci->ci_enc_key = *prep_key;
209	return `0`;
210	}
211
212	mutex_lock(&fscrypt_mode_key_setup_mutex);
213
214	if (fscrypt_is_key_prepared(prep_key, ci))
215	goto done_unlock;
216
217	BUILD_BUG_ON(sizeof(mode_num) != `1`);
218	BUILD_BUG_ON(sizeof(sb->s_uuid) != `16`);
219	BUILD_BUG_ON(sizeof(hkdf_info) != `17`);
220	hkdf_info[hkdf_infolen++] = mode_num;
221	if (include_fs_uuid) {
222	memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
223	sizeof(sb->s_uuid));
224	hkdf_infolen += sizeof(sb->s_uuid);
225	}
226	err = fscrypt_hkdf_expand(hkdf: &mk->mk_secret.hkdf,
227	context: hkdf_context, info: hkdf_info, infolen: hkdf_infolen,
228	okm: mode_key, okmlen: mode->keysize);
229	if (err)
230	goto out_unlock;
231	err = fscrypt_prepare_key(prep_key, raw_key: mode_key, ci);
232	memzero_explicit(s: mode_key, count: mode->keysize);
233	if (err)
234	goto out_unlock;
235	done_unlock:
236	ci->ci_enc_key = *prep_key;
237	err = `0`;
238	out_unlock:
239	mutex_unlock(lock: &fscrypt_mode_key_setup_mutex);
240	return err;
241	}
242
243	/*
244	* Derive a SipHash key from the given fscrypt master key and the given
245	* application-specific information string.
246	*
247	* Note that the KDF produces a byte array, but the SipHash APIs expect the key
248	* as a pair of 64-bit words. Therefore, on big endian CPUs we have to do an
249	* endianness swap in order to get the same results as on little endian CPUs.
250	*/
251	static int fscrypt_derive_siphash_key(const struct fscrypt_master_key *mk,
252	u8 context, const u8 *info,
253	unsigned int infolen, siphash_key_t *key)
254	{
255	int err;
256
257	err = fscrypt_hkdf_expand(hkdf: &mk->mk_secret.hkdf, context, info, infolen,
258	okm: (u8 )key, okmlen: sizeof(key));
259	if (err)
260	return err;
261
262	BUILD_BUG_ON(sizeof(*key) != `16`);
263	BUILD_BUG_ON(ARRAY_SIZE(key->key) != `2`);
264	le64_to_cpus(&key->key[`0`]);
265	le64_to_cpus(&key->key[`1`]);
266	return `0`;
267	}
268
269	int fscrypt_derive_dirhash_key(struct fscrypt_inode_info *ci,
270	const struct fscrypt_master_key *mk)
271	{
272	int err;
273
274	err = fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_DIRHASH_KEY,
275	info: ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
276	key: &ci->ci_dirhash_key);
277	if (err)
278	return err;
279	ci->ci_dirhash_key_initialized = true;
280	return `0`;
281	}
282
283	void fscrypt_hash_inode_number(struct fscrypt_inode_info *ci,
284	const struct fscrypt_master_key *mk)
285	{
286	WARN_ON_ONCE(ci->ci_inode->i_ino == `0`);
287	WARN_ON_ONCE(!mk->mk_ino_hash_key_initialized);
288
289	ci->ci_hashed_ino = (u32)siphash_1u64(a: ci->ci_inode->i_ino,
290	key: &mk->mk_ino_hash_key);
291	}
292
293	static int fscrypt_setup_iv_ino_lblk_32_key(struct fscrypt_inode_info *ci,
294	struct fscrypt_master_key *mk)
295	{
296	int err;
297
298	err = setup_per_mode_enc_key(ci, mk, keys: mk->mk_iv_ino_lblk_32_keys,
299	HKDF_CONTEXT_IV_INO_LBLK_32_KEY, include_fs_uuid: true);
300	if (err)
301	return err;
302
303	/ pairs with smp_store_release() below /
304	if (!smp_load_acquire(&mk->mk_ino_hash_key_initialized)) {
305
306	mutex_lock(&fscrypt_mode_key_setup_mutex);
307
308	if (mk->mk_ino_hash_key_initialized)
309	goto unlock;
310
311	err = fscrypt_derive_siphash_key(mk,
312	HKDF_CONTEXT_INODE_HASH_KEY,
313	NULL, infolen: `0`, key: &mk->mk_ino_hash_key);
314	if (err)
315	goto unlock;
316	/ pairs with smp_load_acquire() above /
317	smp_store_release(&mk->mk_ino_hash_key_initialized, true);
318	unlock:
319	mutex_unlock(lock: &fscrypt_mode_key_setup_mutex);
320	if (err)
321	return err;
322	}
323
324	/*
325	* New inodes may not have an inode number assigned yet.
326	* Hashing their inode number is delayed until later.
327	*/
328	if (ci->ci_inode->i_ino)
329	fscrypt_hash_inode_number(ci, mk);
330	return `0`;
331	}
332
333	static int fscrypt_setup_v2_file_key(struct fscrypt_inode_info *ci,
334	struct fscrypt_master_key *mk,
335	bool need_dirhash_key)
336	{
337	int err;
338
339	if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {
340	/*
341	* DIRECT_KEY: instead of deriving per-file encryption keys, the
342	* per-file nonce will be included in all the IVs. But unlike
343	* v1 policies, for v2 policies in this case we don't encrypt
344	* with the master key directly but rather derive a per-mode
345	* encryption key. This ensures that the master key is
346	* consistently used only for HKDF, avoiding key reuse issues.
347	*/
348	err = setup_per_mode_enc_key(ci, mk, keys: mk->mk_direct_keys,
349	HKDF_CONTEXT_DIRECT_KEY, include_fs_uuid: false);
350	} else if (ci->ci_policy.v2.flags &
351	FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
352	/*
353	* IV_INO_LBLK_64: encryption keys are derived from (master_key,
354	* mode_num, filesystem_uuid), and inode number is included in
355	* the IVs. This format is optimized for use with inline
356	* encryption hardware compliant with the UFS standard.
357	*/
358	err = setup_per_mode_enc_key(ci, mk, keys: mk->mk_iv_ino_lblk_64_keys,
359	HKDF_CONTEXT_IV_INO_LBLK_64_KEY,
360	include_fs_uuid: true);
361	} else if (ci->ci_policy.v2.flags &
362	FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
363	err = fscrypt_setup_iv_ino_lblk_32_key(ci, mk);
364	} else {
365	u8 derived_key[FSCRYPT_MAX_KEY_SIZE];
366
367	err = fscrypt_hkdf_expand(hkdf: &mk->mk_secret.hkdf,
368	HKDF_CONTEXT_PER_FILE_ENC_KEY,
369	info: ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
370	okm: derived_key, okmlen: ci->ci_mode->keysize);
371	if (err)
372	return err;
373
374	err = fscrypt_set_per_file_enc_key(ci, raw_key: derived_key);
375	memzero_explicit(s: derived_key, count: ci->ci_mode->keysize);
376	}
377	if (err)
378	return err;
379
380	/ Derive a secret dirhash key for directories that need it. /
381	if (need_dirhash_key) {
382	err = fscrypt_derive_dirhash_key(ci, mk);
383	if (err)
384	return err;
385	}
386
387	return `0`;
388	}
389
390	/*
391	* Check whether the size of the given master key (@mk) is appropriate for the
392	* encryption settings which a particular file will use (@ci).
393	*
394	* If the file uses a v1 encryption policy, then the master key must be at least
395	* as long as the derived key, as this is a requirement of the v1 KDF.
396	*
397	* Otherwise, the KDF can accept any size key, so we enforce a slightly looser
398	* requirement: we require that the size of the master key be at least the
399	* maximum security strength of any algorithm whose key will be derived from it
400	* (but in practice we only need to consider @ci->ci_mode, since any other
401	* possible subkeys such as DIRHASH and INODE_HASH will never increase the
402	* required key size over @ci->ci_mode). This allows AES-256-XTS keys to be
403	* derived from a 256-bit master key, which is cryptographically sufficient,
404	* rather than requiring a 512-bit master key which is unnecessarily long. (We
405	* still allow 512-bit master keys if the user chooses to use them, though.)
406	*/
407	static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk,
408	const struct fscrypt_inode_info *ci)
409	{
410	unsigned int min_keysize;
411
412	if (ci->ci_policy.version == FSCRYPT_POLICY_V1)
413	min_keysize = ci->ci_mode->keysize;
414	else
415	min_keysize = ci->ci_mode->security_strength;
416
417	if (mk->mk_secret.size < min_keysize) {
418	fscrypt_warn(NULL,
419	"key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
420	master_key_spec_type(&mk->mk_spec),
421	master_key_spec_len(&mk->mk_spec),
422	(u8 *)&mk->mk_spec.u,
423	mk->mk_secret.size, min_keysize);
424	return false;
425	}
426	return true;
427	}
428
429	/*
430	* Find the master key, then set up the inode's actual encryption key.
431	*
432	* If the master key is found in the filesystem-level keyring, then it is
433	* returned in *mk_ret with its semaphore read-locked. This is needed to ensure
434	* that only one task links the fscrypt_inode_info into ->mk_decrypted_inodes
435	* (as multiple tasks may race to create an fscrypt_inode_info for the same
436	* inode), and to synchronize the master key being removed with a new inode
437	* starting to use it.
438	*/
439	static int setup_file_encryption_key(struct fscrypt_inode_info *ci,
440	bool need_dirhash_key,
441	struct fscrypt_master_key **mk_ret)
442	{
443	struct super_block *sb = ci->ci_inode->i_sb;
444	struct fscrypt_key_specifier mk_spec;
445	struct fscrypt_master_key *mk;
446	int err;
447
448	err = fscrypt_select_encryption_impl(ci);
449	if (err)
450	return err;
451
452	err = fscrypt_policy_to_key_spec(policy: &ci->ci_policy, key_spec: &mk_spec);
453	if (err)
454	return err;
455
456	mk = fscrypt_find_master_key(sb, mk_spec: &mk_spec);
457	if (unlikely(!mk)) {
458	const union fscrypt_policy *dummy_policy =
459	fscrypt_get_dummy_policy(sb);
460
461	/*
462	* Add the test_dummy_encryption key on-demand. In principle,
463	* it should be added at mount time. Do it here instead so that
464	* the individual filesystems don't need to worry about adding
465	* this key at mount time and cleaning up on mount failure.
466	*/
467	if (dummy_policy &&
468	fscrypt_policies_equal(policy1: dummy_policy, policy2: &ci->ci_policy)) {
469	err = fscrypt_add_test_dummy_key(sb, key_spec: &mk_spec);
470	if (err)
471	return err;
472	mk = fscrypt_find_master_key(sb, mk_spec: &mk_spec);
473	}
474	}
475	if (unlikely(!mk)) {
476	if (ci->ci_policy.version != FSCRYPT_POLICY_V1)
477	return -ENOKEY;
478
479	/*
480	* As a legacy fallback for v1 policies, search for the key in
481	* the current task's subscribed keyrings too. Don't move this
482	* to before the search of ->s_master_keys, since users
483	* shouldn't be able to override filesystem-level keys.
484	*/
485	return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci);
486	}
487	down_read(sem: &mk->mk_sem);
488
489	if (!mk->mk_present) {
490	/ FS_IOC_REMOVE_ENCRYPTION_KEY has been executed on this key /
491	err = -ENOKEY;
492	goto out_release_key;
493	}
494
495	if (!fscrypt_valid_master_key_size(mk, ci)) {
496	err = -ENOKEY;
497	goto out_release_key;
498	}
499
500	switch (ci->ci_policy.version) {
501	case FSCRYPT_POLICY_V1:
502	err = fscrypt_setup_v1_file_key(ci, raw_master_key: mk->mk_secret.raw);
503	break;
504	case FSCRYPT_POLICY_V2:
505	err = fscrypt_setup_v2_file_key(ci, mk, need_dirhash_key);
506	break;
507	default:
508	WARN_ON_ONCE(`1`);
509	err = -EINVAL;
510	break;
511	}
512	if (err)
513	goto out_release_key;
514
515	*mk_ret = mk;
516	return `0`;
517
518	out_release_key:
519	up_read(sem: &mk->mk_sem);
520	fscrypt_put_master_key(mk);
521	return err;
522	}
523
524	static void put_crypt_info(struct fscrypt_inode_info *ci)
525	{
526	struct fscrypt_master_key *mk;
527
528	if (!ci)
529	return;
530
531	if (ci->ci_direct_key)
532	fscrypt_put_direct_key(dk: ci->ci_direct_key);
533	else if (ci->ci_owns_key)
534	fscrypt_destroy_prepared_key(sb: ci->ci_inode->i_sb,
535	prep_key: &ci->ci_enc_key);
536
537	mk = ci->ci_master_key;
538	if (mk) {
539	/*
540	* Remove this inode from the list of inodes that were unlocked
541	* with the master key. In addition, if we're removing the last
542	* inode from an incompletely removed key, then complete the
543	* full removal of the key.
544	*/
545	spin_lock(lock: &mk->mk_decrypted_inodes_lock);
546	list_del(entry: &ci->ci_master_key_link);
547	spin_unlock(lock: &mk->mk_decrypted_inodes_lock);
548	fscrypt_put_master_key_activeref(sb: ci->ci_inode->i_sb, mk);
549	}
550	memzero_explicit(s: ci, count: sizeof(*ci));
551	kmem_cache_free(s: fscrypt_inode_info_cachep, objp: ci);
552	}
553
554	static int
555	fscrypt_setup_encryption_info(struct inode *inode,
556	const union fscrypt_policy *policy,
557	const u8 nonce[FSCRYPT_FILE_NONCE_SIZE],
558	bool need_dirhash_key)
559	{
560	struct fscrypt_inode_info *crypt_info;
561	struct fscrypt_mode *mode;
562	struct fscrypt_master_key *mk = NULL;
563	int res;
564
565	res = fscrypt_initialize(sb: inode->i_sb);
566	if (res)
567	return res;
568
569	crypt_info = kmem_cache_zalloc(k: fscrypt_inode_info_cachep, GFP_KERNEL);
570	if (!crypt_info)
571	return -ENOMEM;
572
573	crypt_info->ci_inode = inode;
574	crypt_info->ci_policy = *policy;
575	memcpy(crypt_info->ci_nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
576
577	mode = select_encryption_mode(policy: &crypt_info->ci_policy, inode);
578	if (IS_ERR(ptr: mode)) {
579	res = PTR_ERR(ptr: mode);
580	goto out;
581	}
582	WARN_ON_ONCE(mode->ivsize > FSCRYPT_MAX_IV_SIZE);
583	crypt_info->ci_mode = mode;
584
585	crypt_info->ci_data_unit_bits =
586	fscrypt_policy_du_bits(policy: &crypt_info->ci_policy, inode);
587	crypt_info->ci_data_units_per_block_bits =
588	inode->i_blkbits - crypt_info->ci_data_unit_bits;
589
590	res = setup_file_encryption_key(ci: crypt_info, need_dirhash_key, mk_ret: &mk);
591	if (res)
592	goto out;
593
594	/*
595	* For existing inodes, multiple tasks may race to set ->i_crypt_info.
596	* So use cmpxchg_release(). This pairs with the smp_load_acquire() in
597	* fscrypt_get_inode_info(). I.e., here we publish ->i_crypt_info with
598	* a RELEASE barrier so that other tasks can ACQUIRE it.
599	*/
600	if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL) {
601	/*
602	* We won the race and set ->i_crypt_info to our crypt_info.
603	* Now link it into the master key's inode list.
604	*/
605	if (mk) {
606	crypt_info->ci_master_key = mk;
607	refcount_inc(r: &mk->mk_active_refs);
608	spin_lock(lock: &mk->mk_decrypted_inodes_lock);
609	list_add(new: &crypt_info->ci_master_key_link,
610	head: &mk->mk_decrypted_inodes);
611	spin_unlock(lock: &mk->mk_decrypted_inodes_lock);
612	}
613	crypt_info = NULL;
614	}
615	res = `0`;
616	out:
617	if (mk) {
618	up_read(sem: &mk->mk_sem);
619	fscrypt_put_master_key(mk);
620	}
621	put_crypt_info(ci: crypt_info);
622	return res;
623	}
624
625	/**
626	* fscrypt_get_encryption_info() - set up an inode's encryption key
627	* @inode: the inode to set up the key for. Must be encrypted.
628	* @allow_unsupported: if %true, treat an unsupported encryption policy (or
629	* unrecognized encryption context) the same way as the key
630	* being unavailable, instead of returning an error. Use
631	* %false unless the operation being performed is needed in
632	* order for files (or directories) to be deleted.
633	*
634	* Set up ->i_crypt_info, if it hasn't already been done.
635	*
636	* Note: unless ->i_crypt_info is already set, this isn't %GFP_NOFS-safe. So
637	* generally this shouldn't be called from within a filesystem transaction.
638	*
639	* Return: 0 if ->i_crypt_info was set or was already set, or if the
640	* encryption key is unavailable. (Use fscrypt_has_encryption_key() to
641	* distinguish these cases.) Also can return another -errno code.
642	*/
643	int fscrypt_get_encryption_info(struct inode *inode, bool allow_unsupported)
644	{
645	int res;
646	union fscrypt_context ctx;
647	union fscrypt_policy policy;
648
649	if (fscrypt_has_encryption_key(inode))
650	return `0`;
651
652	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
653	if (res < `0`) {
654	if (res == -ERANGE && allow_unsupported)
655	return `0`;
656	fscrypt_warn(inode, "Error %d getting encryption context", res);
657	return res;
658	}
659
660	res = fscrypt_policy_from_context(policy_u: &policy, ctx_u: &ctx, ctx_size: res);
661	if (res) {
662	if (allow_unsupported)
663	return `0`;
664	fscrypt_warn(inode,
665	"Unrecognized or corrupt encryption context");
666	return res;
667	}
668
669	if (!fscrypt_supported_policy(policy_u: &policy, inode)) {
670	if (allow_unsupported)
671	return `0`;
672	return -EINVAL;
673	}
674
675	res = fscrypt_setup_encryption_info(inode, policy: &policy,
676	nonce: fscrypt_context_nonce(ctx: &ctx),
677	IS_CASEFOLDED(inode) &&
678	S_ISDIR(inode->i_mode));
679
680	if (res == -ENOPKG && allow_unsupported) / Algorithm unavailable? /
681	res = `0`;
682	if (res == -ENOKEY)
683	res = `0`;
684	return res;
685	}
686
687	/**
688	* fscrypt_prepare_new_inode() - prepare to create a new inode in a directory
689	* @dir: a possibly-encrypted directory
690	* @inode: the new inode. ->i_mode and ->i_blkbits must be set already.
691	* ->i_ino doesn't need to be set yet.
692	* @encrypt_ret: (output) set to %true if the new inode will be encrypted
693	*
694	* If the directory is encrypted, set up its ->i_crypt_info in preparation for
695	* encrypting the name of the new file. Also, if the new inode will be
696	* encrypted, set up its ->i_crypt_info and set *encrypt_ret=true.
697	*
698	* This isn't %GFP_NOFS-safe, and therefore it should be called before starting
699	* any filesystem transaction to create the inode. For this reason, ->i_ino
700	* isn't required to be set yet, as the filesystem may not have set it yet.
701	*
702	* This doesn't persist the new inode's encryption context. That still needs to
703	* be done later by calling fscrypt_set_context().
704	*
705	* Return: 0 on success, -ENOKEY if the encryption key is missing, or another
706	* -errno code
707	*/
708	int fscrypt_prepare_new_inode(struct inode dir, struct* inode *inode,
709	bool *encrypt_ret)
710	{
711	const union fscrypt_policy *policy;
712	u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
713
714	policy = fscrypt_policy_to_inherit(dir);
715	if (policy == NULL)
716	return `0`;
717	if (IS_ERR(ptr: policy))
718	return PTR_ERR(ptr: policy);
719
720	if (WARN_ON_ONCE(inode->i_blkbits == `0`))
721	return -EINVAL;
722
723	if (WARN_ON_ONCE(inode->i_mode == `0`))
724	return -EINVAL;
725
726	/*
727	* Only regular files, directories, and symlinks are encrypted.
728	* Special files like device nodes and named pipes aren't.
729	*/
730	if (!S_ISREG(inode->i_mode) &&
731	!S_ISDIR(inode->i_mode) &&
732	!S_ISLNK(inode->i_mode))
733	return `0`;
734
735	*encrypt_ret = true;
736
737	get_random_bytes(buf: nonce, FSCRYPT_FILE_NONCE_SIZE);
738	return fscrypt_setup_encryption_info(inode, policy, nonce,
739	IS_CASEFOLDED(dir) &&
740	S_ISDIR(inode->i_mode));
741	}
742	EXPORT_SYMBOL_GPL(fscrypt_prepare_new_inode);
743
744	/**
745	* fscrypt_put_encryption_info() - free most of an inode's fscrypt data
746	* @inode: an inode being evicted
747	*
748	* Free the inode's fscrypt_inode_info. Filesystems must call this when the
749	* inode is being evicted. An RCU grace period need not have elapsed yet.
750	*/
751	void fscrypt_put_encryption_info(struct inode *inode)
752	{
753	put_crypt_info(ci: inode->i_crypt_info);
754	inode->i_crypt_info = NULL;
755	}
756	EXPORT_SYMBOL(fscrypt_put_encryption_info);
757
758	/**
759	* fscrypt_free_inode() - free an inode's fscrypt data requiring RCU delay
760	* @inode: an inode being freed
761	*
762	* Free the inode's cached decrypted symlink target, if any. Filesystems must
763	* call this after an RCU grace period, just before they free the inode.
764	*/
765	void fscrypt_free_inode(struct inode *inode)
766	{
767	if (IS_ENCRYPTED(inode) && S_ISLNK(inode->i_mode)) {
768	kfree(objp: inode->i_link);
769	inode->i_link = NULL;
770	}
771	}
772	EXPORT_SYMBOL(fscrypt_free_inode);
773
774	/**
775	* fscrypt_drop_inode() - check whether the inode's master key has been removed
776	* @inode: an inode being considered for eviction
777	*
778	* Filesystems supporting fscrypt must call this from their ->drop_inode()
779	* method so that encrypted inodes are evicted as soon as they're no longer in
780	* use and their master key has been removed.
781	*
782	* Return: 1 if fscrypt wants the inode to be evicted now, otherwise 0
783	*/
784	int fscrypt_drop_inode(struct inode *inode)
785	{
786	const struct fscrypt_inode_info *ci = fscrypt_get_inode_info(inode);
787
788	/*
789	* If ci is NULL, then the inode doesn't have an encryption key set up
790	* so it's irrelevant. If ci_master_key is NULL, then the master key
791	* was provided via the legacy mechanism of the process-subscribed
792	* keyrings, so we don't know whether it's been removed or not.
793	*/
794	if (!ci \|\| !ci->ci_master_key)
795	return `0`;
796
797	/*
798	* With proper, non-racy use of FS_IOC_REMOVE_ENCRYPTION_KEY, all inodes
799	* protected by the key were cleaned by sync_filesystem(). But if
800	* userspace is still using the files, inodes can be dirtied between
801	* then and now. We mustn't lose any writes, so skip dirty inodes here.
802	*/
803	if (inode->i_state & I_DIRTY_ALL)
804	return `0`;
805
806	/*
807	* We can't take ->mk_sem here, since this runs in atomic context.
808	* Therefore, ->mk_present can change concurrently, and our result may
809	* immediately become outdated. But there's no correctness problem with
810	* unnecessarily evicting. Nor is there a correctness problem with not
811	* evicting while iput() is racing with the key being removed, since
812	* then the thread removing the key will either evict the inode itself
813	* or will correctly detect that it wasn't evicted due to the race.
814	*/
815	return !READ_ONCE(ci->ci_master_key->mk_present);
816	}
817	EXPORT_SYMBOL_GPL(fscrypt_drop_inode);
818

source code of linux/fs/crypto/keysetup.c