Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux

Currently, the following pairs of encryption modes are supported:

- AES-256-XTS for contents and AES-256-CTS-CBC for filenames

- AES-256-XTS for contents and AES-256-CBC-CTS for filenames

- AES-256-XTS for contents and AES-256-HCTR2 for filenames

- Adiantum for both contents and filenames

- AES-128-CBC-ESSIV for contents and AES-128-CTS-CBC for filenames

- SM4-XTS for contents and SM4-CTS-CBC for filenames

- AES-128-CBC-ESSIV for contents and AES-128-CBC-CTS for filenames

- SM4-XTS for contents and SM4-CBC-CTS for filenames

Note: in the API, "CBC" means CBC-ESSIV, and "CTS" means CBC-CTS.

So, for example, FSCRYPT_MODE_AES_256_CTS means AES-256-CBC-CTS.

Authenticated encryption modes are not currently supported because of

the difficulty of dealing with ciphertext expansion.  Therefore,

`CBC-ESSIV mode

<https://en.wikipedia.org/wiki/Disk_encryption_theory#Encrypted_salt-sector_initialization_vector_(ESSIV)>`_,

or a wide-block cipher.  Filenames encryption uses a

block cipher in `CTS-CBC mode

block cipher in `CBC-CTS mode

<https://en.wikipedia.org/wiki/Ciphertext_stealing>`_ or a wide-block

cipher.

The (AES-256-XTS, AES-256-CTS-CBC) pair is the recommended default.

The (AES-256-XTS, AES-256-CBC-CTS) pair is the recommended default.

It is also the only option that is *guaranteed* to always be supported

if the kernel supports fscrypt at all; see `Kernel config options`_.

*wide-block cipher*, also called a tweakable super-pseudorandom

permutation, has the property that changing one bit scrambles the

entire result.)  As described in `Filenames encryption`_, a wide-block

cipher is the ideal mode for the problem domain, though CTS-CBC is the

cipher is the ideal mode for the problem domain, though CBC-CTS is the

"least bad" choice among the alternatives.  For more information about

HCTR2, see `the HCTR2 paper <https://eprint.iacr.org/2021/1441.pdf>`_.

acceleration is unavailable.  For more information about Adiantum, see

`the Adiantum paper <https://eprint.iacr.org/2018/720.pdf>`_.

The (AES-128-CBC-ESSIV, AES-128-CTS-CBC) pair exists only to support

The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair exists only to support

systems whose only form of AES acceleration is an off-CPU crypto

accelerator such as CAAM or CESA that does not support XTS.

The remaining mode pairs are the "national pride ciphers":

- (SM4-XTS, SM4-CTS-CBC)

- (SM4-XTS, SM4-CBC-CTS)

Generally speaking, these ciphers aren't "bad" per se, but they

receive limited security review compared to the usual choices such as

Enabling fscrypt support (CONFIG_FS_ENCRYPTION) automatically pulls in

only the basic support from the crypto API needed to use AES-256-XTS

and AES-256-CTS-CBC encryption.  For optimal performance, it is

and AES-256-CBC-CTS encryption.  For optimal performance, it is

strongly recommended to also enable any available platform-specific

kconfig options that provide acceleration for the algorithm(s) you

wish to use.  Support for any "non-default" encryption modes typically

the file contents mode doesn't need to supported in the kernel crypto

API, but the filenames mode still does.

- AES-256-XTS and AES-256-CTS-CBC

- AES-256-XTS and AES-256-CBC-CTS

    - Recommended:

        - arm64: CONFIG_CRYPTO_AES_ARM64_CE_BLK

        - x86: CONFIG_CRYPTO_AES_NI_INTEL

        - x86: CONFIG_CRYPTO_NHPOLY1305_SSE2

        - x86: CONFIG_CRYPTO_NHPOLY1305_AVX2

- AES-128-CBC-ESSIV and AES-128-CTS-CBC:

- AES-128-CBC-ESSIV and AES-128-CBC-CTS:

    - Mandatory:

        - CONFIG_CRYPTO_ESSIV

        - CONFIG_CRYPTO_SHA256 or another SHA-256 implementation

inode number (for `IV_INO_LBLK_64 policies`_) included in the IVs.

Thus, IV reuse is limited to within a single directory.

With CTS-CBC, the IV reuse means that when the plaintext filenames share a

With CBC-CTS, the IV reuse means that when the plaintext filenames share a

common prefix at least as long as the cipher block size (16 bytes for AES), the

corresponding encrypted filenames will also share a common prefix.  This is

undesirable.  Adiantum and HCTR2 do not have this weakness, as they are

	struct fscrypt_prepared_key ci_enc_key;

	/* True if ci_enc_key should be freed when this struct is freed */

	bool ci_owns_key;

	u8 ci_owns_key : 1;

#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT

	/*

	 * True if this inode will use inline encryption (blk-crypto) instead of

	 * the traditional filesystem-layer encryption.

	 */

	bool ci_inlinecrypt;

	u8 ci_inlinecrypt : 1;

#endif

	/* True if ci_dirhash_key is initialized */

	u8 ci_dirhash_key_initialized : 1;

	/*

	 * log2 of the data unit size (granularity of contents encryption) of

	 * this file.  This is computable from ci_policy and ci_inode but is

	/* Cached value: log2 of number of data units per FS block */

	u8 ci_data_units_per_block_bits;

	/* Hashed inode number.  Only set for IV_INO_LBLK_32 */

	u32 ci_hashed_ino;

	/*

	 * Encryption mode used for this inode.  It corresponds to either the

	 * contents or filenames encryption mode, depending on the inode type.

	 * the plaintext filenames -- currently just casefolded directories.

	 */

	siphash_key_t ci_dirhash_key;

	bool ci_dirhash_key_initialized;

	/* The encryption policy used by this inode */

	union fscrypt_policy ci_policy;

	/* This inode's nonce, copied from the fscrypt_context */

	u8 ci_nonce[FSCRYPT_FILE_NONCE_SIZE];

	/* Hashed inode number.  Only set for IV_INO_LBLK_32 */

	u32 ci_hashed_ino;

};

typedef enum {

	 * that concurrent keyring lookups can no longer find it.

	 */

	WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 0);

	if (mk->mk_users) {

		/* Clear the keyring so the quota gets released right away. */

		keyring_clear(mk->mk_users);

		key_put(mk->mk_users);

		mk->mk_users = NULL;

	}

	call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);

}

		.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,

	},

	[FSCRYPT_MODE_AES_256_CTS] = {

		.friendly_name = "AES-256-CTS-CBC",

		.friendly_name = "AES-256-CBC-CTS",

		.cipher_str = "cts(cbc(aes))",

		.keysize = 32,

		.security_strength = 32,

		.blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,

	},

	[FSCRYPT_MODE_AES_128_CTS] = {

		.friendly_name = "AES-128-CTS-CBC",

		.friendly_name = "AES-128-CBC-CTS",

		.cipher_str = "cts(cbc(aes))",

		.keysize = 16,

		.security_strength = 16,

		.blk_crypto_mode = BLK_ENCRYPTION_MODE_SM4_XTS,

	},

	[FSCRYPT_MODE_SM4_CTS] = {

		.friendly_name = "SM4-CTS-CBC",

		.friendly_name = "SM4-CBC-CTS",

		.cipher_str = "cts(cbc(sm4))",

		.keysize = 16,

		.security_strength = 16,

/**

 * fscrypt_prepare_new_inode() - prepare to create a new inode in a directory

 * @dir: a possibly-encrypted directory

 * @inode: the new inode.  ->i_mode must be set already.

 * @inode: the new inode.  ->i_mode and ->i_blkbits must be set already.

 *	   ->i_ino doesn't need to be set yet.

 * @encrypt_ret: (output) set to %true if the new inode will be encrypted

 *

	if (IS_ERR(policy))

		return PTR_ERR(policy);

	if (WARN_ON_ONCE(inode->i_blkbits == 0))

		return -EINVAL;

	if (WARN_ON_ONCE(inode->i_mode == 0))

		return -EINVAL;