[PATCH v5 05/18] fscrypt: extent direct key policies for extent-based encryption

From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
To: "Theodore Y. Ts'o" <tytso@mit.edu>,
	Jaegeuk Kim <jaegeuk@kernel.org>,
	Eric Biggers <ebiggers@kernel.org>, Chris Mason <clm@fb.com>,
	Josef Bacik <josef@toxicpanda.com>,
	David Sterba <dsterba@suse.com>,
	linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org,
	kernel-team@meta.com
Cc: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Subject: [PATCH v5 05/18] fscrypt: extent direct key policies for extent-based encryption
Date: Wed,  2 Nov 2022 07:52:54 -0400	[thread overview]
Message-ID: <857cdf24a4b74b32f0c3e955f7e3d1e940cf1a43.1667389115.git.sweettea-kernel@dorminy.me> (raw)
In-Reply-To: <cover.1667389115.git.sweettea-kernel@dorminy.me>

For inode-based direct key encryption policies, the inode provides a
nonce, and the encryption IV is generated by concatenating the nonce and
the offset into the inode. For extent-based direct key policies,
however, we would like to use 16-byte nonces in combination with various
AES modes with 16-byte IVs. Additionally, since contents and filenames
are encrypted with different context items in this case, we don't need
to require the encryption modes match in the two cases.

This change allows extent-based encryption to use 16-byte IVs with
direct key policies, and allows a mismatch of modes (under the usual
compatible modes constraints).

Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
---
 fs/crypto/crypto.c          | 15 +++++++++++++--
 fs/crypto/fscrypt_private.h |  4 +---
 fs/crypto/policy.c          |  4 ++++
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 08b495dc5c0c..144a3a59ce51 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -93,8 +93,19 @@ void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
 		ret = fscrypt_get_extent_context(inode, lblk_num, &ctx,
 						 &extent_offset, NULL);
 		WARN_ON_ONCE(ret);
-		memcpy(iv->raw, ctx.v1.iv.raw, sizeof(*iv));
-		iv->lblk_num += cpu_to_le64(extent_offset);
+		if (ci->ci_mode->ivsize < offsetofend(union fscrypt_iv, nonce)) {
+			/*
+			 *  We need a 16 byte IV, but our nonce is 16 bytes.
+			 *  Copy to the start of the buffer and add the extent
+			 *  offset manually.
+			 */
+			memcpy(iv->raw, ctx.v1.nonce, FSCRYPT_FILE_NONCE_SIZE);
+			iv->lblk_num = cpu_to_le64(extent_offset +
+						   le64_to_cpu(iv->lblk_num));
+			return;
+		}
+		memcpy(iv->nonce, ctx.v1.nonce, FSCRYPT_FILE_NONCE_SIZE);
+		iv->lblk_num = cpu_to_le64(extent_offset);
 		return;
 	}
 
diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
index 9c4cae2580de..bb2a18c83e56 100644
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -292,7 +292,6 @@ union fscrypt_iv {
 	__le64 dun[FSCRYPT_MAX_IV_SIZE / sizeof(__le64)];
 };
 
-
 /*
  * fscrypt_extent_context - the encryption context for an extent
  *
@@ -304,7 +303,7 @@ union fscrypt_iv {
  */
 struct fscrypt_extent_context_v1 {
 	u8 version;
-	union fscrypt_iv iv;
+	u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
 } __packed;
 
 union fscrypt_extent_context {
@@ -312,7 +311,6 @@ union fscrypt_extent_context {
 	struct fscrypt_extent_context_v1 v1;
 };
 
-
 void fscrypt_generate_iv(union fscrypt_iv *iv, u64 lblk_num,
 			 const struct fscrypt_info *ci);
 
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index a874afcf9652..39ef447ebaec 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -91,6 +91,10 @@ static bool supported_direct_key_modes(const struct inode *inode,
 {
 	const struct fscrypt_mode *mode;
 
+	/* Extent-based encryption allows any mixed mode and IV size */
+	if (inode->i_sb->s_cop->get_extent_context)
+		return true;
+
 	if (contents_mode != filenames_mode) {
 		fscrypt_warn(inode,
 			     "Direct key flag not allowed with different contents and filenames modes");
-- 
2.37.3

