Linux-FSCrypt Archive on lore.kernel.org
 help / color / Atom feed
* [xfstests PATCH] generic: verify ciphertext of IV_INO_LBLK_32 encryption policies
@ 2020-06-04  2:25 Eric Biggers
  0 siblings, 0 replies; only message in thread
From: Eric Biggers @ 2020-06-04  2:25 UTC (permalink / raw)
  To: fstests; +Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel

From: Eric Biggers <ebiggers@google.com>

Verify the ciphertext for v2 encryption policies that use the
IV_INO_LBLK_32 flag and that use AES-256-XTS to encrypt file contents
and AES-256-CTS-CBC to encrypt file names.

The IV_INO_LBLK_32 encryption policy flag modifies the IV generation and
key derivation to be optimized for use with inline encryption hardware
that only accepts 32-bit IVs.  It is similar to IV_INO_LBLK_64 (which is
tested by generic/592), but it uses a trick to get the IV down to 32
bits.  For more information, see kernel commit e3b1078bedd3 ("fscrypt:
add support for IV_INO_LBLK_32 policies").

This test required adding SipHash support to fscrypt-crypt-util.

Running this test requires a kernel containing the above commit, e.g.
the latest mainline (which will become v5.8 and later).  For ext4, it
also needs an e2fsprogs version that supports the stable_inodes feature,
e.g. the latest git master branch (which will become v1.46 and later).

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 common/encrypt           |  18 ++++--
 src/fscrypt-crypt-util.c | 121 ++++++++++++++++++++++++++++++++++-----
 tests/generic/900        |  43 ++++++++++++++
 tests/generic/900.out    |   6 ++
 tests/generic/group      |   1 +
 5 files changed, 171 insertions(+), 18 deletions(-)
 create mode 100755 tests/generic/900
 create mode 100644 tests/generic/900.out

diff --git a/common/encrypt b/common/encrypt
index 5695a123..c4cc2d83 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -97,7 +97,8 @@ _require_encryption_policy_support()
 	echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
 		>> $seqres.full
 
-	if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+	if (( policy_flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
+			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) )); then
 		_scratch_unmount
 		_scratch_mkfs_stable_inodes_encrypted &>> $seqres.full
 		_scratch_mount
@@ -769,6 +770,7 @@ FSCRYPT_MODE_ADIANTUM=9
 
 FSCRYPT_POLICY_FLAG_DIRECT_KEY=0x04
 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64=0x08
+FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32=0x10
 
 FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR=1
 FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER=2
@@ -797,6 +799,7 @@ _fscrypt_mode_name_to_num()
 #	'v2':			test a v2 encryption policy
 #	'direct':		test the DIRECT_KEY policy flag
 #	'iv_ino_lblk_64':	test the IV_INO_LBLK_64 policy flag
+#	'iv_ino_lblk_32':	test the IV_INO_LBLK_32 policy flag
 #
 _verify_ciphertext_for_encryption_policy()
 {
@@ -826,6 +829,9 @@ _verify_ciphertext_for_encryption_policy()
 		iv_ino_lblk_64)
 			(( policy_flags |= FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 ))
 			;;
+		iv_ino_lblk_32)
+			(( policy_flags |= FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32 ))
+			;;
 		*)
 			_fail "Unknown option '$opt' passed to ${FUNCNAME[0]}"
 			;;
@@ -841,14 +847,15 @@ _verify_ciphertext_for_encryption_policy()
 		set_encpolicy_args+=" -v 2"
 		crypt_util_args+=" --kdf=HKDF-SHA512"
 		if (( policy_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
-			if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
-				_fail "'direct' and 'iv_ino_lblk_64' options are mutually exclusive"
-			fi
 			crypt_util_args+=" --mode-num=$contents_mode_num"
 		elif (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
 			crypt_util_args+=" --iv-ino-lblk-64"
 			crypt_util_contents_args+=" --mode-num=$contents_mode_num"
 			crypt_util_filename_args+=" --mode-num=$filenames_mode_num"
+		elif (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32 )); then
+			crypt_util_args+=" --iv-ino-lblk-32"
+			crypt_util_contents_args+=" --mode-num=$contents_mode_num"
+			crypt_util_filename_args+=" --mode-num=$filenames_mode_num"
 		fi
 	else
 		if (( policy_flags & ~FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
@@ -872,7 +879,8 @@ _verify_ciphertext_for_encryption_policy()
 	fi
 
 	echo "Creating encryption-capable filesystem" >> $seqres.full
-	if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+	if (( policy_flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
+			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) )); then
 		_scratch_mkfs_stable_inodes_encrypted &>> $seqres.full
 	else
 		_scratch_mkfs_encrypted &>> $seqres.full
diff --git a/src/fscrypt-crypt-util.c b/src/fscrypt-crypt-util.c
index 1bf8f95c..ce9da85d 100644
--- a/src/fscrypt-crypt-util.c
+++ b/src/fscrypt-crypt-util.c
@@ -63,10 +63,14 @@ static void usage(FILE *fp)
 "  --decrypt                   Decrypt instead of encrypt\n"
 "  --file-nonce=NONCE          File's nonce as a 32-character hex string\n"
 "  --fs-uuid=UUID              The filesystem UUID as a 32-character hex string.\n"
-"                                Only required for --iv-ino-lblk-64.\n"
+"                                Required for --iv-ino-lblk-32 and\n"
+"                                --iv-ino-lblk-64; otherwise is unused.\n"
 "  --help                      Show this help\n"
-"  --inode-number=INUM         The file's inode number.  Only required for\n"
-"                                --iv-ino-lblk-64.\n"
+"  --inode-number=INUM         The file's inode number.  Required for\n"
+"                                --iv-ino-lblk-32 and --iv-ino-lblk-64;\n"
+"                                otherwise is unused.\n"
+"  --iv-ino-lblk-32            Similar to --iv-ino-lblk-64, but selects the\n"
+"                                32-bit variant.\n"
 "  --iv-ino-lblk-64            Use the format where the IVs include the inode\n"
 "                                number and the same key is shared across files.\n"
 "                                Requires --kdf=HKDF-SHA512, --fs-uuid,\n"
@@ -143,6 +147,11 @@ static inline u32 ror32(u32 v, int n)
 	return (v >> n) | (v << (32 - n));
 }
 
+static inline u64 rol64(u64 v, int n)
+{
+	return (v << n) | (v >> (64 - n));
+}
+
 static inline u64 ror64(u64 v, int n)
 {
 	return (v >> n) | (v << (64 - n));
@@ -1579,6 +1588,50 @@ static void test_adiantum(void)
 }
 #endif /* ENABLE_ALG_TESTS */
 
+/*----------------------------------------------------------------------------*
+ *                               SipHash-2-4                                  *
+ *----------------------------------------------------------------------------*/
+
+/*
+ * Reference: "SipHash: a fast short-input PRF"
+ *	https://cr.yp.to/siphash/siphash-20120918.pdf
+ */
+
+#define SIPROUND						\
+	do {							\
+		v0 += v1;	    v2 += v3;			\
+		v1 = rol64(v1, 13); v3 = rol64(v3, 16);		\
+		v1 ^= v0;	    v3 ^= v2;			\
+		v0 = rol64(v0, 32);				\
+		v2 += v1;	    v0 += v3;			\
+		v1 = rol64(v1, 17); v3 = rol64(v3, 21);		\
+		v1 ^= v2;	    v3 ^= v0;			\
+		v2 = rol64(v2, 32);				\
+	} while (0)
+
+/* Compute the SipHash-2-4 of a 64-bit number when formatted as little endian */
+static u64 siphash_1u64(const u64 key[2], u64 data)
+{
+	u64 v0 = key[0] ^ 0x736f6d6570736575ULL;
+	u64 v1 = key[1] ^ 0x646f72616e646f6dULL;
+	u64 v2 = key[0] ^ 0x6c7967656e657261ULL;
+	u64 v3 = key[1] ^ 0x7465646279746573ULL;
+	u64 m[2] = {data, (u64)sizeof(data) << 56};
+	size_t i;
+
+	for (i = 0; i < ARRAY_SIZE(m); i++) {
+		v3 ^= m[i];
+		SIPROUND;
+		SIPROUND;
+		v0 ^= m[i];
+	}
+
+	v2 ^= 0xff;
+	for (i = 0; i < 4; i++)
+		SIPROUND;
+	return v0 ^ v1 ^ v2 ^ v3;
+}
+
 /*----------------------------------------------------------------------------*
  *                               Main program                                 *
  *----------------------------------------------------------------------------*/
@@ -1723,15 +1776,39 @@ struct key_and_iv_params {
 	u8 file_nonce[FILE_NONCE_SIZE];
 	bool file_nonce_specified;
 	bool iv_ino_lblk_64;
+	bool iv_ino_lblk_32;
 	u32 inode_number;
 	u8 fs_uuid[UUID_SIZE];
 	bool fs_uuid_specified;
 };
 
 #define HKDF_CONTEXT_KEY_IDENTIFIER	1
-#define HKDF_CONTEXT_PER_FILE_KEY	2
+#define HKDF_CONTEXT_PER_FILE_ENC_KEY	2
 #define HKDF_CONTEXT_DIRECT_KEY		3
 #define HKDF_CONTEXT_IV_INO_LBLK_64_KEY	4
+#define HKDF_CONTEXT_DIRHASH_KEY	5
+#define HKDF_CONTEXT_IV_INO_LBLK_32_KEY	6
+#define HKDF_CONTEXT_INODE_HASH_KEY	7
+
+/* Hash the file's inode number using SipHash keyed by a derived key */
+static u32 hash_inode_number(const struct key_and_iv_params *params)
+{
+	u8 info[9] = "fscrypt";
+	union {
+		u64 words[2];
+		u8 bytes[16];
+	} hash_key;
+
+	info[8] = HKDF_CONTEXT_INODE_HASH_KEY;
+	hkdf_sha512(params->master_key, params->master_key_size,
+		    NULL, 0, info, sizeof(info),
+		    hash_key.bytes, sizeof(hash_key));
+
+	hash_key.words[0] = get_unaligned_le64(&hash_key.bytes[0]);
+	hash_key.words[1] = get_unaligned_le64(&hash_key.bytes[8]);
+
+	return (u32)siphash_1u64(hash_key.words, params->inode_number);
+}
 
 /*
  * Get the key and starting IV with which the encryption will actually be done.
@@ -1752,8 +1829,20 @@ static void get_key_and_iv(const struct key_and_iv_params *params,
 
 	memset(iv, 0, sizeof(*iv));
 
-	if (params->iv_ino_lblk_64 && params->kdf != KDF_HKDF_SHA512)
-		die("--iv-ino-lblk-64 requires --kdf=HKDF-SHA512");
+	if (params->iv_ino_lblk_64 || params->iv_ino_lblk_32) {
+		const char *opt = params->iv_ino_lblk_64 ? "--iv-ino-lblk-64" :
+							   "--iv-ino-lblk-32";
+		if (params->iv_ino_lblk_64 && params->iv_ino_lblk_32)
+			die("--iv-ino-lblk-64 and --iv-ino-lblk-32 are mutually exclusive");
+		if (params->kdf != KDF_HKDF_SHA512)
+			die("%s requires --kdf=HKDF-SHA512", opt);
+		if (!params->fs_uuid_specified)
+			die("%s requires --fs-uuid", opt);
+		if (params->inode_number == 0)
+			die("%s requires --inode-number", opt);
+		if (params->mode_num == 0)
+			die("%s requires --mode-num", opt);
+	}
 
 	switch (params->kdf) {
 	case KDF_NONE:
@@ -1776,23 +1865,24 @@ static void get_key_and_iv(const struct key_and_iv_params *params,
 		break;
 	case KDF_HKDF_SHA512:
 		if (params->iv_ino_lblk_64) {
-			if (!params->fs_uuid_specified)
-				die("--iv-ino-lblk-64 requires --fs-uuid");
-			if (params->inode_number == 0)
-				die("--iv-ino-lblk-64 requires --inode-number");
-			if (params->mode_num == 0)
-				die("--iv-ino-lblk-64 requires --mode-num");
 			info[infolen++] = HKDF_CONTEXT_IV_INO_LBLK_64_KEY;
 			info[infolen++] = params->mode_num;
 			memcpy(&info[infolen], params->fs_uuid, UUID_SIZE);
 			infolen += UUID_SIZE;
 			put_unaligned_le32(params->inode_number, &iv->bytes[4]);
+		} else if (params->iv_ino_lblk_32) {
+			info[infolen++] = HKDF_CONTEXT_IV_INO_LBLK_32_KEY;
+			info[infolen++] = params->mode_num;
+			memcpy(&info[infolen], params->fs_uuid, UUID_SIZE);
+			infolen += UUID_SIZE;
+			put_unaligned_le32(hash_inode_number(params),
+					   iv->bytes);
 		} else if (params->mode_num != 0) {
 			info[infolen++] = HKDF_CONTEXT_DIRECT_KEY;
 			info[infolen++] = params->mode_num;
 			file_nonce_in_iv = true;
 		} else if (params->file_nonce_specified) {
-			info[infolen++] = HKDF_CONTEXT_PER_FILE_KEY;
+			info[infolen++] = HKDF_CONTEXT_PER_FILE_ENC_KEY;
 			memcpy(&info[infolen], params->file_nonce,
 			       FILE_NONCE_SIZE);
 			infolen += FILE_NONCE_SIZE;
@@ -1817,6 +1907,7 @@ enum {
 	OPT_FS_UUID,
 	OPT_HELP,
 	OPT_INODE_NUMBER,
+	OPT_IV_INO_LBLK_32,
 	OPT_IV_INO_LBLK_64,
 	OPT_KDF,
 	OPT_MODE_NUM,
@@ -1830,6 +1921,7 @@ static const struct option longopts[] = {
 	{ "fs-uuid",         required_argument, NULL, OPT_FS_UUID },
 	{ "help",            no_argument,       NULL, OPT_HELP },
 	{ "inode-number",    required_argument, NULL, OPT_INODE_NUMBER },
+	{ "iv-ino-lblk-32",  no_argument,       NULL, OPT_IV_INO_LBLK_32 },
 	{ "iv-ino-lblk-64",  no_argument,       NULL, OPT_IV_INO_LBLK_64 },
 	{ "kdf",             required_argument, NULL, OPT_KDF },
 	{ "mode-num",        required_argument, NULL, OPT_MODE_NUM },
@@ -1890,6 +1982,9 @@ int main(int argc, char *argv[])
 		case OPT_INODE_NUMBER:
 			params.inode_number = parse_inode_number(optarg);
 			break;
+		case OPT_IV_INO_LBLK_32:
+			params.iv_ino_lblk_32 = true;
+			break;
 		case OPT_IV_INO_LBLK_64:
 			params.iv_ino_lblk_64 = true;
 			break;
diff --git a/tests/generic/900 b/tests/generic/900
new file mode 100755
index 00000000..dc2a2225
--- /dev/null
+++ b/tests/generic/900
@@ -0,0 +1,43 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2020 Google LLC
+#
+# FS QA Test No. 900
+#
+# Verify ciphertext for v2 encryption policies that use the IV_INO_LBLK_32 flag
+# and use AES-256-XTS to encrypt file contents and AES-256-CTS-CBC to encrypt
+# file names.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-CTS-CBC \
+	v2 iv_ino_lblk_32
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/900.out b/tests/generic/900.out
new file mode 100644
index 00000000..8fbb34cc
--- /dev/null
+++ b/tests/generic/900.out
@@ -0,0 +1,6 @@
+QA output created by 900
+
+Verifying ciphertext with parameters:
+	contents_encryption_mode: AES-256-XTS
+	filenames_encryption_mode: AES-256-CTS-CBC
+	options: v2 iv_ino_lblk_32
diff --git a/tests/generic/group b/tests/generic/group
index c6ce029c..d3501ccc 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -604,3 +604,4 @@
 599 auto quick remount shutdown
 600 auto quick quota
 601 auto quick quota
+900 auto quick encrypt
-- 
2.26.2


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-04  2:25 [xfstests PATCH] generic: verify ciphertext of IV_INO_LBLK_32 encryption policies Eric Biggers

Linux-FSCrypt Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-fscrypt/0 linux-fscrypt/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fscrypt linux-fscrypt/ https://lore.kernel.org/linux-fscrypt \
		linux-fscrypt@vger.kernel.org
	public-inbox-index linux-fscrypt

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-fscrypt


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git