1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | #ifndef _LINUX_ECRYPTFS_H |
3 | #define _LINUX_ECRYPTFS_H |
4 | |
5 | /* Version verification for shared data structures w/ userspace */ |
6 | #define ECRYPTFS_VERSION_MAJOR 0x00 |
7 | #define ECRYPTFS_VERSION_MINOR 0x04 |
8 | #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 |
9 | /* These flags indicate which features are supported by the kernel |
10 | * module; userspace tools such as the mount helper read the feature |
11 | * bits from a sysfs handle in order to determine how to behave. */ |
12 | #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 |
13 | #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 |
14 | #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 |
15 | #define ECRYPTFS_VERSIONING_POLICY 0x00000008 |
16 | #define ECRYPTFS_VERSIONING_XATTR 0x00000010 |
17 | #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 |
18 | #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 |
19 | #define ECRYPTFS_VERSIONING_HMAC 0x00000080 |
20 | #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 |
21 | #define ECRYPTFS_VERSIONING_GCM 0x00000200 |
22 | #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 |
23 | #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH |
24 | #define ECRYPTFS_SALT_SIZE 8 |
25 | #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) |
26 | /* The original signature size is only for what is stored on disk; all |
27 | * in-memory representations are expanded hex, so it better adapted to |
28 | * be passed around or referenced on the command line */ |
29 | #define ECRYPTFS_SIG_SIZE 8 |
30 | #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) |
31 | #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX |
32 | #define ECRYPTFS_MAX_KEY_BYTES 64 |
33 | #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 |
34 | #define ECRYPTFS_FILE_VERSION 0x03 |
35 | #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 |
36 | |
37 | #define RFC2440_CIPHER_DES3_EDE 0x02 |
38 | #define RFC2440_CIPHER_CAST_5 0x03 |
39 | #define RFC2440_CIPHER_BLOWFISH 0x04 |
40 | #define RFC2440_CIPHER_AES_128 0x07 |
41 | #define RFC2440_CIPHER_AES_192 0x08 |
42 | #define RFC2440_CIPHER_AES_256 0x09 |
43 | #define RFC2440_CIPHER_TWOFISH 0x0a |
44 | #define RFC2440_CIPHER_CAST_6 0x0b |
45 | |
46 | #define RFC2440_CIPHER_RSA 0x01 |
47 | |
48 | /** |
49 | * For convenience, we may need to pass around the encrypted session |
50 | * key between kernel and userspace because the authentication token |
51 | * may not be extractable. For example, the TPM may not release the |
52 | * private key, instead requiring the encrypted data and returning the |
53 | * decrypted data. |
54 | */ |
55 | struct ecryptfs_session_key { |
56 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 |
57 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 |
58 | #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 |
59 | #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 |
60 | u32 flags; |
61 | u32 encrypted_key_size; |
62 | u32 decrypted_key_size; |
63 | u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; |
64 | u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; |
65 | }; |
66 | |
67 | struct ecryptfs_password { |
68 | u32 password_bytes; |
69 | s32 hash_algo; |
70 | u32 hash_iterations; |
71 | u32 session_key_encryption_key_bytes; |
72 | #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 |
73 | #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 |
74 | u32 flags; |
75 | /* Iterated-hash concatenation of salt and passphrase */ |
76 | u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; |
77 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; |
78 | /* Always in expanded hex */ |
79 | u8 salt[ECRYPTFS_SALT_SIZE]; |
80 | }; |
81 | |
82 | enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; |
83 | |
84 | struct ecryptfs_private_key { |
85 | u32 key_size; |
86 | u32 data_len; |
87 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; |
88 | char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; |
89 | u8 data[]; |
90 | }; |
91 | |
92 | /* May be a password or a private key */ |
93 | struct ecryptfs_auth_tok { |
94 | u16 version; /* 8-bit major and 8-bit minor */ |
95 | u16 token_type; |
96 | #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 |
97 | u32 flags; |
98 | struct ecryptfs_session_key session_key; |
99 | u8 reserved[32]; |
100 | union { |
101 | struct ecryptfs_password password; |
102 | struct ecryptfs_private_key private_key; |
103 | } token; |
104 | } __attribute__ ((packed)); |
105 | |
106 | #endif /* _LINUX_ECRYPTFS_H */ |
107 | |