1 // SPDX-License-Identifier: GPL-2.0
8 #include <linux/crc32c.h>
9 #include <linux/crypto.h>
10 #include <linux/xxhash.h>
11 #include <linux/key.h>
12 #include <linux/random.h>
13 #include <linux/scatterlist.h>
14 #include <crypto/algapi.h>
15 #include <crypto/chacha.h>
16 #include <crypto/hash.h>
17 #include <crypto/poly1305.h>
18 #include <crypto/skcipher.h>
19 #include <keys/user-type.h>
22 * bch2_checksum state is an abstraction of the checksum state calculated over different pages.
23 * it features page merging without having the checksum algorithm lose its state.
24 * for native checksum aglorithms (like crc), a default seed value will do.
25 * for hash-like algorithms, a state needs to be stored
28 struct bch2_checksum_state {
31 struct xxh64_state h64state;
36 static void bch2_checksum_init(struct bch2_checksum_state *state)
38 switch (state->type) {
44 case BCH_CSUM_crc32c_nonzero:
45 state->seed = U32_MAX;
47 case BCH_CSUM_crc64_nonzero:
48 state->seed = U64_MAX;
51 xxh64_reset(&state->h64state, 0);
58 static u64 bch2_checksum_final(const struct bch2_checksum_state *state)
60 switch (state->type) {
65 case BCH_CSUM_crc32c_nonzero:
66 return state->seed ^ U32_MAX;
67 case BCH_CSUM_crc64_nonzero:
68 return state->seed ^ U64_MAX;
70 return xxh64_digest(&state->h64state);
76 static void bch2_checksum_update(struct bch2_checksum_state *state, const void *data, size_t len)
78 switch (state->type) {
81 case BCH_CSUM_crc32c_nonzero:
83 state->seed = crc32c(state->seed, data, len);
85 case BCH_CSUM_crc64_nonzero:
87 state->seed = crc64_be(state->seed, data, len);
90 xxh64_update(&state->h64state, data, len);
97 static inline int do_encrypt_sg(struct crypto_sync_skcipher *tfm,
99 struct scatterlist *sg, size_t len)
101 SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
104 skcipher_request_set_sync_tfm(req, tfm);
105 skcipher_request_set_crypt(req, sg, sg, len, nonce.d);
107 ret = crypto_skcipher_encrypt(req);
109 pr_err("got error %i from crypto_skcipher_encrypt()", ret);
114 static inline int do_encrypt(struct crypto_sync_skcipher *tfm,
116 void *buf, size_t len)
118 if (!is_vmalloc_addr(buf)) {
119 struct scatterlist sg;
121 sg_init_table(&sg, 1);
124 ? vmalloc_to_page(buf)
126 len, offset_in_page(buf));
127 return do_encrypt_sg(tfm, nonce, &sg, len);
129 unsigned pages = buf_pages(buf, len);
130 struct scatterlist *sg;
131 size_t orig_len = len;
134 sg = kmalloc_array(pages, sizeof(*sg), GFP_KERNEL);
136 return -BCH_ERR_ENOMEM_do_encrypt;
138 sg_init_table(sg, pages);
140 for (i = 0; i < pages; i++) {
141 unsigned offset = offset_in_page(buf);
142 unsigned pg_len = min(len, PAGE_SIZE - offset);
144 sg_set_page(sg + i, vmalloc_to_page(buf), pg_len, offset);
149 ret = do_encrypt_sg(tfm, nonce, sg, orig_len);
155 int bch2_chacha_encrypt_key(struct bch_key *key, struct nonce nonce,
156 void *buf, size_t len)
158 struct crypto_sync_skcipher *chacha20 =
159 crypto_alloc_sync_skcipher("chacha20", 0, 0);
163 pr_err("error requesting chacha20 module: %li", PTR_ERR(chacha20));
164 return PTR_ERR(chacha20);
167 ret = crypto_skcipher_setkey(&chacha20->base,
168 (void *) key, sizeof(*key));
170 pr_err("crypto_skcipher_setkey() error: %i", ret);
174 ret = do_encrypt(chacha20, nonce, buf, len);
176 crypto_free_sync_skcipher(chacha20);
180 static int gen_poly_key(struct bch_fs *c, struct shash_desc *desc,
183 u8 key[POLY1305_KEY_SIZE];
186 nonce.d[3] ^= BCH_NONCE_POLY;
188 memset(key, 0, sizeof(key));
189 ret = do_encrypt(c->chacha20, nonce, key, sizeof(key));
193 desc->tfm = c->poly1305;
194 crypto_shash_init(desc);
195 crypto_shash_update(desc, key, sizeof(key));
199 struct bch_csum bch2_checksum(struct bch_fs *c, unsigned type,
200 struct nonce nonce, const void *data, size_t len)
204 case BCH_CSUM_crc32c_nonzero:
205 case BCH_CSUM_crc64_nonzero:
206 case BCH_CSUM_crc32c:
207 case BCH_CSUM_xxhash:
208 case BCH_CSUM_crc64: {
209 struct bch2_checksum_state state;
213 bch2_checksum_init(&state);
214 bch2_checksum_update(&state, data, len);
216 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
219 case BCH_CSUM_chacha20_poly1305_80:
220 case BCH_CSUM_chacha20_poly1305_128: {
221 SHASH_DESC_ON_STACK(desc, c->poly1305);
222 u8 digest[POLY1305_DIGEST_SIZE];
223 struct bch_csum ret = { 0 };
225 gen_poly_key(c, desc, nonce);
227 crypto_shash_update(desc, data, len);
228 crypto_shash_final(desc, digest);
230 memcpy(&ret, digest, bch_crc_bytes[type]);
238 int bch2_encrypt(struct bch_fs *c, unsigned type,
239 struct nonce nonce, void *data, size_t len)
241 if (!bch2_csum_type_is_encryption(type))
244 return do_encrypt(c->chacha20, nonce, data, len);
247 static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type,
248 struct nonce nonce, struct bio *bio,
249 struct bvec_iter *iter)
255 return (struct bch_csum) { 0 };
256 case BCH_CSUM_crc32c_nonzero:
257 case BCH_CSUM_crc64_nonzero:
258 case BCH_CSUM_crc32c:
259 case BCH_CSUM_xxhash:
260 case BCH_CSUM_crc64: {
261 struct bch2_checksum_state state;
264 bch2_checksum_init(&state);
266 #ifdef CONFIG_HIGHMEM
267 __bio_for_each_segment(bv, bio, *iter, *iter) {
268 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset;
270 bch2_checksum_update(&state, p, bv.bv_len);
274 __bio_for_each_bvec(bv, bio, *iter, *iter)
275 bch2_checksum_update(&state, page_address(bv.bv_page) + bv.bv_offset,
278 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
281 case BCH_CSUM_chacha20_poly1305_80:
282 case BCH_CSUM_chacha20_poly1305_128: {
283 SHASH_DESC_ON_STACK(desc, c->poly1305);
284 u8 digest[POLY1305_DIGEST_SIZE];
285 struct bch_csum ret = { 0 };
287 gen_poly_key(c, desc, nonce);
289 #ifdef CONFIG_HIGHMEM
290 __bio_for_each_segment(bv, bio, *iter, *iter) {
291 void *p = kmap_local_page(bv.bv_page) + bv.bv_offset;
293 crypto_shash_update(desc, p, bv.bv_len);
297 __bio_for_each_bvec(bv, bio, *iter, *iter)
298 crypto_shash_update(desc,
299 page_address(bv.bv_page) + bv.bv_offset,
302 crypto_shash_final(desc, digest);
304 memcpy(&ret, digest, bch_crc_bytes[type]);
312 struct bch_csum bch2_checksum_bio(struct bch_fs *c, unsigned type,
313 struct nonce nonce, struct bio *bio)
315 struct bvec_iter iter = bio->bi_iter;
317 return __bch2_checksum_bio(c, type, nonce, bio, &iter);
320 int __bch2_encrypt_bio(struct bch_fs *c, unsigned type,
321 struct nonce nonce, struct bio *bio)
324 struct bvec_iter iter;
325 struct scatterlist sgl[16], *sg = sgl;
329 if (!bch2_csum_type_is_encryption(type))
332 sg_init_table(sgl, ARRAY_SIZE(sgl));
334 bio_for_each_segment(bv, bio, iter) {
335 if (sg == sgl + ARRAY_SIZE(sgl)) {
338 ret = do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
342 nonce = nonce_add(nonce, bytes);
345 sg_init_table(sgl, ARRAY_SIZE(sgl));
349 sg_set_page(sg++, bv.bv_page, bv.bv_len, bv.bv_offset);
354 return do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
357 struct bch_csum bch2_checksum_merge(unsigned type, struct bch_csum a,
358 struct bch_csum b, size_t b_len)
360 struct bch2_checksum_state state;
363 bch2_checksum_init(&state);
364 state.seed = (u64 __force) a.lo;
366 BUG_ON(!bch2_checksum_mergeable(type));
369 unsigned b = min_t(unsigned, b_len, PAGE_SIZE);
371 bch2_checksum_update(&state,
372 page_address(ZERO_PAGE(0)), b);
375 a.lo = (__le64 __force) bch2_checksum_final(&state);
381 int bch2_rechecksum_bio(struct bch_fs *c, struct bio *bio,
382 struct bversion version,
383 struct bch_extent_crc_unpacked crc_old,
384 struct bch_extent_crc_unpacked *crc_a,
385 struct bch_extent_crc_unpacked *crc_b,
386 unsigned len_a, unsigned len_b,
387 unsigned new_csum_type)
389 struct bvec_iter iter = bio->bi_iter;
390 struct nonce nonce = extent_nonce(version, crc_old);
391 struct bch_csum merged = { 0 };
393 struct bch_extent_crc_unpacked *crc;
396 struct bch_csum csum;
398 { crc_a, len_a, new_csum_type },
399 { crc_b, len_b, new_csum_type },
400 { NULL, bio_sectors(bio) - len_a - len_b, new_csum_type },
402 bool mergeable = crc_old.csum_type == new_csum_type &&
403 bch2_checksum_mergeable(new_csum_type);
404 unsigned crc_nonce = crc_old.nonce;
406 BUG_ON(len_a + len_b > bio_sectors(bio));
407 BUG_ON(crc_old.uncompressed_size != bio_sectors(bio));
408 BUG_ON(crc_is_compressed(crc_old));
409 BUG_ON(bch2_csum_type_is_encryption(crc_old.csum_type) !=
410 bch2_csum_type_is_encryption(new_csum_type));
412 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
413 iter.bi_size = i->len << 9;
414 if (mergeable || i->crc)
415 i->csum = __bch2_checksum_bio(c, i->csum_type,
418 bio_advance_iter(bio, &iter, i->len << 9);
419 nonce = nonce_add(nonce, i->len << 9);
423 for (i = splits; i < splits + ARRAY_SIZE(splits); i++)
424 merged = bch2_checksum_merge(new_csum_type, merged,
425 i->csum, i->len << 9);
427 merged = bch2_checksum_bio(c, crc_old.csum_type,
428 extent_nonce(version, crc_old), bio);
430 if (bch2_crc_cmp(merged, crc_old.csum) && !c->opts.no_data_io) {
431 bch_err(c, "checksum error in %s() (memory corruption or bug?)\n"
432 "expected %0llx:%0llx got %0llx:%0llx (old type %s new type %s)",
438 bch2_csum_types[crc_old.csum_type],
439 bch2_csum_types[new_csum_type]);
443 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
445 *i->crc = (struct bch_extent_crc_unpacked) {
446 .csum_type = i->csum_type,
447 .compression_type = crc_old.compression_type,
448 .compressed_size = i->len,
449 .uncompressed_size = i->len,
456 if (bch2_csum_type_is_encryption(new_csum_type))
463 /* BCH_SB_FIELD_crypt: */
465 static int bch2_sb_crypt_validate(struct bch_sb *sb,
466 struct bch_sb_field *f,
467 struct printbuf *err)
469 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt);
471 if (vstruct_bytes(&crypt->field) < sizeof(*crypt)) {
472 prt_printf(err, "wrong size (got %zu should be %zu)",
473 vstruct_bytes(&crypt->field), sizeof(*crypt));
474 return -BCH_ERR_invalid_sb_crypt;
477 if (BCH_CRYPT_KDF_TYPE(crypt)) {
478 prt_printf(err, "bad kdf type %llu", BCH_CRYPT_KDF_TYPE(crypt));
479 return -BCH_ERR_invalid_sb_crypt;
485 static void bch2_sb_crypt_to_text(struct printbuf *out, struct bch_sb *sb,
486 struct bch_sb_field *f)
488 struct bch_sb_field_crypt *crypt = field_to_type(f, crypt);
490 prt_printf(out, "KFD: %llu", BCH_CRYPT_KDF_TYPE(crypt));
492 prt_printf(out, "scrypt n: %llu", BCH_KDF_SCRYPT_N(crypt));
494 prt_printf(out, "scrypt r: %llu", BCH_KDF_SCRYPT_R(crypt));
496 prt_printf(out, "scrypt p: %llu", BCH_KDF_SCRYPT_P(crypt));
500 const struct bch_sb_field_ops bch_sb_field_ops_crypt = {
501 .validate = bch2_sb_crypt_validate,
502 .to_text = bch2_sb_crypt_to_text,
506 static int __bch2_request_key(char *key_description, struct bch_key *key)
508 struct key *keyring_key;
509 const struct user_key_payload *ukp;
512 keyring_key = request_key(&key_type_user, key_description, NULL);
513 if (IS_ERR(keyring_key))
514 return PTR_ERR(keyring_key);
516 down_read(&keyring_key->sem);
517 ukp = dereference_key_locked(keyring_key);
518 if (ukp->datalen == sizeof(*key)) {
519 memcpy(key, ukp->data, ukp->datalen);
524 up_read(&keyring_key->sem);
525 key_put(keyring_key);
530 #include <keyutils.h>
532 static int __bch2_request_key(char *key_description, struct bch_key *key)
536 key_id = request_key("user", key_description, NULL,
537 KEY_SPEC_USER_KEYRING);
541 if (keyctl_read(key_id, (void *) key, sizeof(*key)) != sizeof(*key))
548 int bch2_request_key(struct bch_sb *sb, struct bch_key *key)
550 struct printbuf key_description = PRINTBUF;
553 prt_printf(&key_description, "bcachefs:");
554 pr_uuid(&key_description, sb->user_uuid.b);
556 ret = __bch2_request_key(key_description.buf, key);
557 printbuf_exit(&key_description);
561 int bch2_decrypt_sb_key(struct bch_fs *c,
562 struct bch_sb_field_crypt *crypt,
565 struct bch_encrypted_key sb_key = crypt->key;
566 struct bch_key user_key;
569 /* is key encrypted? */
570 if (!bch2_key_is_encrypted(&sb_key))
573 ret = bch2_request_key(c->disk_sb.sb, &user_key);
575 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret));
579 /* decrypt real key: */
580 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
581 &sb_key, sizeof(sb_key));
585 if (bch2_key_is_encrypted(&sb_key)) {
586 bch_err(c, "incorrect encryption key");
593 memzero_explicit(&sb_key, sizeof(sb_key));
594 memzero_explicit(&user_key, sizeof(user_key));
598 static int bch2_alloc_ciphers(struct bch_fs *c)
603 c->chacha20 = crypto_alloc_sync_skcipher("chacha20", 0, 0);
604 ret = PTR_ERR_OR_ZERO(c->chacha20);
607 bch_err(c, "error requesting chacha20 module: %s", bch2_err_str(ret));
612 c->poly1305 = crypto_alloc_shash("poly1305", 0, 0);
613 ret = PTR_ERR_OR_ZERO(c->poly1305);
616 bch_err(c, "error requesting poly1305 module: %s", bch2_err_str(ret));
623 int bch2_disable_encryption(struct bch_fs *c)
625 struct bch_sb_field_crypt *crypt;
629 mutex_lock(&c->sb_lock);
631 crypt = bch2_sb_get_crypt(c->disk_sb.sb);
635 /* is key encrypted? */
637 if (bch2_key_is_encrypted(&crypt->key))
640 ret = bch2_decrypt_sb_key(c, crypt, &key);
644 crypt->key.magic = cpu_to_le64(BCH_KEY_MAGIC);
645 crypt->key.key = key;
647 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 0);
650 mutex_unlock(&c->sb_lock);
655 int bch2_enable_encryption(struct bch_fs *c, bool keyed)
657 struct bch_encrypted_key key;
658 struct bch_key user_key;
659 struct bch_sb_field_crypt *crypt;
662 mutex_lock(&c->sb_lock);
664 /* Do we already have an encryption key? */
665 if (bch2_sb_get_crypt(c->disk_sb.sb))
668 ret = bch2_alloc_ciphers(c);
672 key.magic = cpu_to_le64(BCH_KEY_MAGIC);
673 get_random_bytes(&key.key, sizeof(key.key));
676 ret = bch2_request_key(c->disk_sb.sb, &user_key);
678 bch_err(c, "error requesting encryption key: %s", bch2_err_str(ret));
682 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
688 ret = crypto_skcipher_setkey(&c->chacha20->base,
689 (void *) &key.key, sizeof(key.key));
693 crypt = bch2_sb_resize_crypt(&c->disk_sb, sizeof(*crypt) / sizeof(u64));
695 ret = -BCH_ERR_ENOSPC_sb_crypt;
701 /* write superblock */
702 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 1);
705 mutex_unlock(&c->sb_lock);
706 memzero_explicit(&user_key, sizeof(user_key));
707 memzero_explicit(&key, sizeof(key));
711 void bch2_fs_encryption_exit(struct bch_fs *c)
713 if (!IS_ERR_OR_NULL(c->poly1305))
714 crypto_free_shash(c->poly1305);
715 if (!IS_ERR_OR_NULL(c->chacha20))
716 crypto_free_sync_skcipher(c->chacha20);
717 if (!IS_ERR_OR_NULL(c->sha256))
718 crypto_free_shash(c->sha256);
721 int bch2_fs_encryption_init(struct bch_fs *c)
723 struct bch_sb_field_crypt *crypt;
727 c->sha256 = crypto_alloc_shash("sha256", 0, 0);
728 ret = PTR_ERR_OR_ZERO(c->sha256);
730 bch_err(c, "error requesting sha256 module: %s", bch2_err_str(ret));
734 crypt = bch2_sb_get_crypt(c->disk_sb.sb);
738 ret = bch2_alloc_ciphers(c);
742 ret = bch2_decrypt_sb_key(c, crypt, &key);
746 ret = crypto_skcipher_setkey(&c->chacha20->base,
747 (void *) &key.key, sizeof(key.key));
751 memzero_explicit(&key, sizeof(key));