From: Eric Biggers <ebiggers@kernel.org>
To: Satya Tangirala <satyat@google.com>
Cc: "Theodore Y . Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org>,
linux-kernel@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [PATCH 0/3] add support for metadata encryption to F2FS
Date: Thu, 8 Oct 2020 10:01:43 -0700 [thread overview]
Message-ID: <20201008170143.GA1869638@gmail.com> (raw)
In-Reply-To: <20201007220500.GA2544297@google.com>
On Wed, Oct 07, 2020 at 10:05:00PM +0000, Satya Tangirala wrote:
> > I notice this is missing the step I suggested to include the metadata encryption
> > key in the HKDF application-specific info string when deriving subkeys from the
> > fscrypt master keys.
> >
> > The same effect could also be achieved by adding an additional level to the key
> > hierarchy: each HKDF key would be derived from a fscrypt master key and the
> > metadata encryption key.
> >
> > We need one of those, to guarantee that the file contents encryption is at least
> > as strong as the "metadata encryption".
> >
> Yes - I didn't get around to that in the first version, but I'll add
> that too in the next version. I was going to go with the first approach
> before I saw your comment - is there one method you'd recommend going
> with over the other?
I'm not entirely sure, but I'm now leaning towards the second approach because
it would avoid adding additional work (another SHA-512 block) to all later key
derivations. Also it would avoid having to add a super_block argument to
fscrypt_hkdf_expand(). But please ask Paul Crowley for his suggestion too.
Here's a quick untested patch to consider:
diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
index dca254590a70..67f8ba3098d3 100644
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -319,6 +319,7 @@ int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key,
#define HKDF_CONTEXT_DIRHASH_KEY 5 /* info=file_nonce */
#define HKDF_CONTEXT_IV_INO_LBLK_32_KEY 6 /* info=mode_num||fs_uuid */
#define HKDF_CONTEXT_INODE_HASH_KEY 7 /* info=<empty> */
+#define HKDF_CONTEXT_MIX_METADATA_KEY 8 /* info=metadata_key */
int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,
const u8 *info, unsigned int infolen,
@@ -600,6 +601,20 @@ int fscrypt_setup_v1_file_key(struct fscrypt_info *ci,
int fscrypt_setup_v1_file_key_via_subscribed_keyrings(struct fscrypt_info *ci);
+/* metadata_crypt.c */
+
+#ifdef CONFIG_FS_ENCRYPTION_METADATA
+int fscrypt_mix_in_metadata_key(struct super_block *sb,
+ struct fscrypt_master_key_secret *secret);
+#else
+static inline int
+fscrypt_mix_in_metadata_key(struct super_block *sb,
+ struct fscrypt_master_key_secret *secret)
+{
+ return 0;
+}
+#endif
+
/* policy.c */
bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c
index 0cba7928446d..61d1f0aa802e 100644
--- a/fs/crypto/hkdf.c
+++ b/fs/crypto/hkdf.c
@@ -174,4 +174,5 @@ int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,
void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf)
{
crypto_free_shash(hkdf->hmac_tfm);
+ hkdf->hmac_tfm = NULL;
}
diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c
index e74f239c4428..43453a7f77b1 100644
--- a/fs/crypto/keyring.c
+++ b/fs/crypto/keyring.c
@@ -494,6 +494,10 @@ static int add_master_key(struct super_block *sb,
*/
memzero_explicit(secret->raw, secret->size);
+ err = fscrypt_mix_in_metadata_key(sb, secret);
+ if (err)
+ return err;
+
/* Calculate the key identifier */
err = fscrypt_hkdf_expand(&secret->hkdf,
HKDF_CONTEXT_KEY_IDENTIFIER, NULL, 0,
diff --git a/fs/crypto/metadata_crypt.c b/fs/crypto/metadata_crypt.c
index 5e16df130509..233e68c35504 100644
--- a/fs/crypto/metadata_crypt.c
+++ b/fs/crypto/metadata_crypt.c
@@ -13,6 +13,32 @@
#include "fscrypt_private.h"
+/* TODO: add comment */
+int fscrypt_mix_in_metadata_key(struct super_block *sb,
+ struct fscrypt_master_key_secret *secret)
+{
+ u8 real_key[FSCRYPT_MAX_KEY_SIZE];
+ int err;
+
+ if (WARN_ON(secret->size > sizeof(real_key)))
+ return -EINVAL;
+
+ if (!sb->s_metadata_key)
+ return 0;
+
+ err = fscrypt_hkdf_expand(&secret->hkdf, HKDF_CONTEXT_MIX_METADATA_KEY,
+ sb->s_metadata_key->raw,
+ sb->s_metadata_key->size,
+ real_key, secret->size);
+ if (err)
+ return err;
+
+ fscrypt_destroy_hkdf(&secret->hkdf);
+ err = fscrypt_init_hkdf(&secret->hkdf, real_key, secret->size);
+ memzero_explicit(real_key, secret->size);
+ return err;
+}
+
/* TODO: mostly copied from keysetup_v1.c - maybe refactor this function */
static int fscrypt_metadata_get_key_from_id(const char *prefix,
char *descriptor_hex,
next prev parent reply other threads:[~2020-10-08 17:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 7:36 [PATCH 0/3] add support for metadata encryption to F2FS Satya Tangirala
2020-10-05 7:36 ` [PATCH 1/3] fscrypt, f2fs: replace fscrypt_get_devices with fscrypt_get_device Satya Tangirala
2020-10-05 7:36 ` [PATCH 2/3] fscrypt: Add metadata encryption support Satya Tangirala
2020-10-07 20:52 ` Eric Biggers
2020-10-07 23:28 ` Satya Tangirala
2020-10-08 17:05 ` Eric Biggers
2020-10-05 7:36 ` [PATCH 3/3] f2fs: " Satya Tangirala
2020-10-05 10:19 ` kernel test robot
2020-10-07 21:20 ` Eric Biggers
2020-10-08 0:31 ` Satya Tangirala
2020-10-05 7:43 ` [PATCH 0/3] add support for metadata encryption to F2FS Satya Tangirala
2020-10-07 21:00 ` Eric Biggers
2020-10-07 22:05 ` Satya Tangirala
2020-10-08 17:01 ` Eric Biggers [this message]
2020-10-10 9:53 ` Chao Yu
2020-12-17 15:44 ` Satya Tangirala
2020-12-18 9:02 ` Chao Yu
2020-12-18 11:53 ` Satya Tangirala
2020-12-22 11:47 ` Chao Yu
2020-12-24 10:13 ` Satya Tangirala
2020-12-25 9:31 ` Chao Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201008170143.GA1869638@gmail.com \
--to=ebiggers@kernel.org \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=satyat@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).