1 // SPDX-License-Identifier: GPL-2.0
7 #include <linux/crc32c.h>
8 #include <linux/crypto.h>
9 #include <linux/xxhash.h>
10 #include <linux/key.h>
11 #include <linux/random.h>
12 #include <linux/scatterlist.h>
13 #include <crypto/algapi.h>
14 #include <crypto/chacha.h>
15 #include <crypto/hash.h>
16 #include <crypto/poly1305.h>
17 #include <crypto/skcipher.h>
18 #include <keys/user-type.h>
21 * bch2_checksum state is an abstraction of the checksum state calculated over different pages.
22 * it features page merging without having the checksum algorithm lose its state.
23 * for native checksum aglorithms (like crc), a default seed value will do.
24 * for hash-like algorithms, a state needs to be stored
27 struct bch2_checksum_state {
30 struct xxh64_state h64state;
35 static void bch2_checksum_init(struct bch2_checksum_state *state)
37 switch (state->type) {
43 case BCH_CSUM_crc32c_nonzero:
44 state->seed = U32_MAX;
46 case BCH_CSUM_crc64_nonzero:
47 state->seed = U64_MAX;
50 xxh64_reset(&state->h64state, 0);
57 static u64 bch2_checksum_final(const struct bch2_checksum_state *state)
59 switch (state->type) {
64 case BCH_CSUM_crc32c_nonzero:
65 return state->seed ^ U32_MAX;
66 case BCH_CSUM_crc64_nonzero:
67 return state->seed ^ U64_MAX;
69 return xxh64_digest(&state->h64state);
75 static void bch2_checksum_update(struct bch2_checksum_state *state, const void *data, size_t len)
77 switch (state->type) {
80 case BCH_CSUM_crc32c_nonzero:
82 state->seed = crc32c(state->seed, data, len);
84 case BCH_CSUM_crc64_nonzero:
86 state->seed = crc64_be(state->seed, data, len);
89 xxh64_update(&state->h64state, data, len);
96 static inline int do_encrypt_sg(struct crypto_sync_skcipher *tfm,
98 struct scatterlist *sg, size_t len)
100 SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
103 skcipher_request_set_sync_tfm(req, tfm);
104 skcipher_request_set_crypt(req, sg, sg, len, nonce.d);
106 ret = crypto_skcipher_encrypt(req);
108 pr_err("got error %i from crypto_skcipher_encrypt()", ret);
113 static inline int do_encrypt(struct crypto_sync_skcipher *tfm,
115 void *buf, size_t len)
117 struct scatterlist sg;
119 sg_init_one(&sg, buf, len);
120 return do_encrypt_sg(tfm, nonce, &sg, len);
123 int bch2_chacha_encrypt_key(struct bch_key *key, struct nonce nonce,
124 void *buf, size_t len)
126 struct crypto_sync_skcipher *chacha20 =
127 crypto_alloc_sync_skcipher("chacha20", 0, 0);
131 pr_err("error requesting chacha20 module: %li", PTR_ERR(chacha20));
132 return PTR_ERR(chacha20);
135 ret = crypto_skcipher_setkey(&chacha20->base,
136 (void *) key, sizeof(*key));
138 pr_err("crypto_skcipher_setkey() error: %i", ret);
142 ret = do_encrypt(chacha20, nonce, buf, len);
144 crypto_free_sync_skcipher(chacha20);
148 static int gen_poly_key(struct bch_fs *c, struct shash_desc *desc,
151 u8 key[POLY1305_KEY_SIZE];
154 nonce.d[3] ^= BCH_NONCE_POLY;
156 memset(key, 0, sizeof(key));
157 ret = do_encrypt(c->chacha20, nonce, key, sizeof(key));
161 desc->tfm = c->poly1305;
162 crypto_shash_init(desc);
163 crypto_shash_update(desc, key, sizeof(key));
167 struct bch_csum bch2_checksum(struct bch_fs *c, unsigned type,
168 struct nonce nonce, const void *data, size_t len)
172 case BCH_CSUM_crc32c_nonzero:
173 case BCH_CSUM_crc64_nonzero:
174 case BCH_CSUM_crc32c:
175 case BCH_CSUM_xxhash:
176 case BCH_CSUM_crc64: {
177 struct bch2_checksum_state state;
181 bch2_checksum_init(&state);
182 bch2_checksum_update(&state, data, len);
184 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
187 case BCH_CSUM_chacha20_poly1305_80:
188 case BCH_CSUM_chacha20_poly1305_128: {
189 SHASH_DESC_ON_STACK(desc, c->poly1305);
190 u8 digest[POLY1305_DIGEST_SIZE];
191 struct bch_csum ret = { 0 };
193 gen_poly_key(c, desc, nonce);
195 crypto_shash_update(desc, data, len);
196 crypto_shash_final(desc, digest);
198 memcpy(&ret, digest, bch_crc_bytes[type]);
206 int bch2_encrypt(struct bch_fs *c, unsigned type,
207 struct nonce nonce, void *data, size_t len)
209 if (!bch2_csum_type_is_encryption(type))
212 return do_encrypt(c->chacha20, nonce, data, len);
215 static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type,
216 struct nonce nonce, struct bio *bio,
217 struct bvec_iter *iter)
223 return (struct bch_csum) { 0 };
224 case BCH_CSUM_crc32c_nonzero:
225 case BCH_CSUM_crc64_nonzero:
226 case BCH_CSUM_crc32c:
227 case BCH_CSUM_xxhash:
228 case BCH_CSUM_crc64: {
229 struct bch2_checksum_state state;
232 bch2_checksum_init(&state);
234 #ifdef CONFIG_HIGHMEM
235 __bio_for_each_segment(bv, bio, *iter, *iter) {
236 void *p = kmap_atomic(bv.bv_page) + bv.bv_offset;
237 bch2_checksum_update(&state, p, bv.bv_len);
241 __bio_for_each_bvec(bv, bio, *iter, *iter)
242 bch2_checksum_update(&state, page_address(bv.bv_page) + bv.bv_offset,
245 return (struct bch_csum) { .lo = cpu_to_le64(bch2_checksum_final(&state)) };
248 case BCH_CSUM_chacha20_poly1305_80:
249 case BCH_CSUM_chacha20_poly1305_128: {
250 SHASH_DESC_ON_STACK(desc, c->poly1305);
251 u8 digest[POLY1305_DIGEST_SIZE];
252 struct bch_csum ret = { 0 };
254 gen_poly_key(c, desc, nonce);
256 #ifdef CONFIG_HIGHMEM
257 __bio_for_each_segment(bv, bio, *iter, *iter) {
258 void *p = kmap_atomic(bv.bv_page) + bv.bv_offset;
260 crypto_shash_update(desc, p, bv.bv_len);
264 __bio_for_each_bvec(bv, bio, *iter, *iter)
265 crypto_shash_update(desc,
266 page_address(bv.bv_page) + bv.bv_offset,
269 crypto_shash_final(desc, digest);
271 memcpy(&ret, digest, bch_crc_bytes[type]);
279 struct bch_csum bch2_checksum_bio(struct bch_fs *c, unsigned type,
280 struct nonce nonce, struct bio *bio)
282 struct bvec_iter iter = bio->bi_iter;
284 return __bch2_checksum_bio(c, type, nonce, bio, &iter);
287 int bch2_encrypt_bio(struct bch_fs *c, unsigned type,
288 struct nonce nonce, struct bio *bio)
291 struct bvec_iter iter;
292 struct scatterlist sgl[16], *sg = sgl;
296 if (!bch2_csum_type_is_encryption(type))
299 sg_init_table(sgl, ARRAY_SIZE(sgl));
301 bio_for_each_segment(bv, bio, iter) {
302 if (sg == sgl + ARRAY_SIZE(sgl)) {
305 ret = do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
309 nonce = nonce_add(nonce, bytes);
312 sg_init_table(sgl, ARRAY_SIZE(sgl));
316 sg_set_page(sg++, bv.bv_page, bv.bv_len, bv.bv_offset);
321 return do_encrypt_sg(c->chacha20, nonce, sgl, bytes);
324 struct bch_csum bch2_checksum_merge(unsigned type, struct bch_csum a,
325 struct bch_csum b, size_t b_len)
327 struct bch2_checksum_state state;
330 bch2_checksum_init(&state);
333 BUG_ON(!bch2_checksum_mergeable(type));
336 unsigned b = min_t(unsigned, b_len, PAGE_SIZE);
338 bch2_checksum_update(&state,
339 page_address(ZERO_PAGE(0)), b);
342 a.lo = bch2_checksum_final(&state);
348 int bch2_rechecksum_bio(struct bch_fs *c, struct bio *bio,
349 struct bversion version,
350 struct bch_extent_crc_unpacked crc_old,
351 struct bch_extent_crc_unpacked *crc_a,
352 struct bch_extent_crc_unpacked *crc_b,
353 unsigned len_a, unsigned len_b,
354 unsigned new_csum_type)
356 struct bvec_iter iter = bio->bi_iter;
357 struct nonce nonce = extent_nonce(version, crc_old);
358 struct bch_csum merged = { 0 };
360 struct bch_extent_crc_unpacked *crc;
363 struct bch_csum csum;
365 { crc_a, len_a, new_csum_type },
366 { crc_b, len_b, new_csum_type },
367 { NULL, bio_sectors(bio) - len_a - len_b, new_csum_type },
369 bool mergeable = crc_old.csum_type == new_csum_type &&
370 bch2_checksum_mergeable(new_csum_type);
371 unsigned crc_nonce = crc_old.nonce;
373 BUG_ON(len_a + len_b > bio_sectors(bio));
374 BUG_ON(crc_old.uncompressed_size != bio_sectors(bio));
375 BUG_ON(crc_is_compressed(crc_old));
376 BUG_ON(bch2_csum_type_is_encryption(crc_old.csum_type) !=
377 bch2_csum_type_is_encryption(new_csum_type));
379 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
380 iter.bi_size = i->len << 9;
381 if (mergeable || i->crc)
382 i->csum = __bch2_checksum_bio(c, i->csum_type,
385 bio_advance_iter(bio, &iter, i->len << 9);
386 nonce = nonce_add(nonce, i->len << 9);
390 for (i = splits; i < splits + ARRAY_SIZE(splits); i++)
391 merged = bch2_checksum_merge(new_csum_type, merged,
392 i->csum, i->len << 9);
394 merged = bch2_checksum_bio(c, crc_old.csum_type,
395 extent_nonce(version, crc_old), bio);
397 if (bch2_crc_cmp(merged, crc_old.csum))
400 for (i = splits; i < splits + ARRAY_SIZE(splits); i++) {
402 *i->crc = (struct bch_extent_crc_unpacked) {
403 .csum_type = i->csum_type,
404 .compression_type = crc_old.compression_type,
405 .compressed_size = i->len,
406 .uncompressed_size = i->len,
413 if (bch2_csum_type_is_encryption(new_csum_type))
421 static int __bch2_request_key(char *key_description, struct bch_key *key)
423 struct key *keyring_key;
424 const struct user_key_payload *ukp;
427 keyring_key = request_key(&key_type_logon, key_description, NULL);
428 if (IS_ERR(keyring_key))
429 return PTR_ERR(keyring_key);
431 down_read(&keyring_key->sem);
432 ukp = dereference_key_locked(keyring_key);
433 if (ukp->datalen == sizeof(*key)) {
434 memcpy(key, ukp->data, ukp->datalen);
439 up_read(&keyring_key->sem);
440 key_put(keyring_key);
445 #include <keyutils.h>
447 static int __bch2_request_key(char *key_description, struct bch_key *key)
451 key_id = request_key("user", key_description, NULL,
452 KEY_SPEC_USER_KEYRING);
456 if (keyctl_read(key_id, (void *) key, sizeof(*key)) != sizeof(*key))
463 int bch2_request_key(struct bch_sb *sb, struct bch_key *key)
465 char key_description[60];
468 uuid_unparse_lower(sb->user_uuid.b, uuid);
469 sprintf(key_description, "bcachefs:%s", uuid);
471 return __bch2_request_key(key_description, key);
474 int bch2_decrypt_sb_key(struct bch_fs *c,
475 struct bch_sb_field_crypt *crypt,
478 struct bch_encrypted_key sb_key = crypt->key;
479 struct bch_key user_key;
482 /* is key encrypted? */
483 if (!bch2_key_is_encrypted(&sb_key))
486 ret = bch2_request_key(c->disk_sb.sb, &user_key);
488 bch_err(c, "error requesting encryption key: %i", ret);
492 /* decrypt real key: */
493 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
494 &sb_key, sizeof(sb_key));
498 if (bch2_key_is_encrypted(&sb_key)) {
499 bch_err(c, "incorrect encryption key");
506 memzero_explicit(&sb_key, sizeof(sb_key));
507 memzero_explicit(&user_key, sizeof(user_key));
511 static int bch2_alloc_ciphers(struct bch_fs *c)
514 c->chacha20 = crypto_alloc_sync_skcipher("chacha20", 0, 0);
515 if (IS_ERR(c->chacha20)) {
516 bch_err(c, "error requesting chacha20 module: %li",
517 PTR_ERR(c->chacha20));
518 return PTR_ERR(c->chacha20);
522 c->poly1305 = crypto_alloc_shash("poly1305", 0, 0);
523 if (IS_ERR(c->poly1305)) {
524 bch_err(c, "error requesting poly1305 module: %li",
525 PTR_ERR(c->poly1305));
526 return PTR_ERR(c->poly1305);
532 int bch2_disable_encryption(struct bch_fs *c)
534 struct bch_sb_field_crypt *crypt;
538 mutex_lock(&c->sb_lock);
540 crypt = bch2_sb_get_crypt(c->disk_sb.sb);
544 /* is key encrypted? */
546 if (bch2_key_is_encrypted(&crypt->key))
549 ret = bch2_decrypt_sb_key(c, crypt, &key);
553 crypt->key.magic = BCH_KEY_MAGIC;
554 crypt->key.key = key;
556 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 0);
559 mutex_unlock(&c->sb_lock);
564 int bch2_enable_encryption(struct bch_fs *c, bool keyed)
566 struct bch_encrypted_key key;
567 struct bch_key user_key;
568 struct bch_sb_field_crypt *crypt;
571 mutex_lock(&c->sb_lock);
573 /* Do we already have an encryption key? */
574 if (bch2_sb_get_crypt(c->disk_sb.sb))
577 ret = bch2_alloc_ciphers(c);
581 key.magic = BCH_KEY_MAGIC;
582 get_random_bytes(&key.key, sizeof(key.key));
585 ret = bch2_request_key(c->disk_sb.sb, &user_key);
587 bch_err(c, "error requesting encryption key: %i", ret);
591 ret = bch2_chacha_encrypt_key(&user_key, bch2_sb_key_nonce(c),
597 ret = crypto_skcipher_setkey(&c->chacha20->base,
598 (void *) &key.key, sizeof(key.key));
602 crypt = bch2_sb_resize_crypt(&c->disk_sb, sizeof(*crypt) / sizeof(u64));
604 ret = -ENOMEM; /* XXX this technically could be -ENOSPC */
610 /* write superblock */
611 SET_BCH_SB_ENCRYPTION_TYPE(c->disk_sb.sb, 1);
614 mutex_unlock(&c->sb_lock);
615 memzero_explicit(&user_key, sizeof(user_key));
616 memzero_explicit(&key, sizeof(key));
620 void bch2_fs_encryption_exit(struct bch_fs *c)
622 if (!IS_ERR_OR_NULL(c->poly1305))
623 crypto_free_shash(c->poly1305);
624 if (!IS_ERR_OR_NULL(c->chacha20))
625 crypto_free_sync_skcipher(c->chacha20);
626 if (!IS_ERR_OR_NULL(c->sha256))
627 crypto_free_shash(c->sha256);
630 int bch2_fs_encryption_init(struct bch_fs *c)
632 struct bch_sb_field_crypt *crypt;
636 pr_verbose_init(c->opts, "");
638 c->sha256 = crypto_alloc_shash("sha256", 0, 0);
639 if (IS_ERR(c->sha256)) {
640 bch_err(c, "error requesting sha256 module");
641 ret = PTR_ERR(c->sha256);
645 crypt = bch2_sb_get_crypt(c->disk_sb.sb);
649 ret = bch2_alloc_ciphers(c);
653 ret = bch2_decrypt_sb_key(c, crypt, &key);
657 ret = crypto_skcipher_setkey(&c->chacha20->base,
658 (void *) &key.key, sizeof(key.key));
662 memzero_explicit(&key, sizeof(key));
663 pr_verbose_init(c->opts, "ret %i", ret);