From: "Pali Rohár" <pali.rohar@gmail.com>
To: Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@redhat.com>, Neil Brown <neilb@suse.de>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>
Cc: dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org,
"Pali Rohár" <pali.rohar@gmail.com>
Subject: [PATCH v2 3/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation
Date: Sun, 21 Jun 2015 13:20:34 +0200 [thread overview]
Message-ID: <1434885634-19895-4-git-send-email-pali.rohar@gmail.com> (raw)
In-Reply-To: <1434885634-19895-1-git-send-email-pali.rohar@gmail.com>
This patch adds dm message commands and option strings to optionally wipe key
from dm-crypt device before entering suspend or hibernate state.
Before key is wiped dm device must be suspended. To prevent race conditions with
I/O and userspace processes, wiping action must be called after processes are
freezed. Otherwise userspace processes could start reading/writing to disk after
dm device is suspened and freezing processes before suspend/hibernate action
will fail.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
---
Changes since v1:
* Use "retain_on_hibernation" message instead "wipe_on_hibernation 0"
* In crypt_suspend_and_wipe_key() check for errors and return status
* In crypt_status() show also key_wipe_on_hibernation/key_wipe_on_suspend
---
drivers/md/dm-crypt.c | 126 +++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 118 insertions(+), 8 deletions(-)
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 5503e43..f8536fb 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -23,6 +23,7 @@
#include <linux/atomic.h>
#include <linux/scatterlist.h>
#include <linux/rbtree.h>
+#include <linux/suspend.h>
#include <asm/page.h>
#include <asm/unaligned.h>
#include <crypto/hash.h>
@@ -31,6 +32,8 @@
#include <linux/device-mapper.h>
+#include "dm.h"
+
#define DM_MSG_PREFIX "crypt"
/*
@@ -112,13 +115,18 @@ struct iv_tcw_private {
* and encrypts / decrypts at the same time.
*/
enum flags { DM_CRYPT_SUSPENDED, DM_CRYPT_KEY_VALID,
- DM_CRYPT_SAME_CPU, DM_CRYPT_NO_OFFLOAD };
+ DM_CRYPT_SAME_CPU, DM_CRYPT_NO_OFFLOAD,
+ DM_CRYPT_KEY_WIPE_ON_HIBERNATION,
+ DM_CRYPT_KEY_WIPE_ON_SUSPEND,
+};
/*
* The fields in here must be read only after initialization.
*/
struct crypt_config {
struct dm_dev *dev;
+ struct dm_target *ti;
+ struct list_head entry;
sector_t start;
/*
@@ -181,6 +189,9 @@ struct crypt_config {
#define MIN_IOS 16
+static LIST_HEAD(crypt_list);
+static DEFINE_MUTEX(crypt_list_mtx);
+
static void clone_init(struct dm_crypt_io *, struct bio *);
static void kcryptd_queue_crypt(struct dm_crypt_io *io);
static u8 *iv_of_dmreq(struct crypt_config *cc, struct dm_crypt_request *dmreq);
@@ -1497,12 +1508,33 @@ out:
static int crypt_wipe_key(struct crypt_config *cc)
{
+ int ret;
+
+ if (cc->iv_gen_ops && cc->iv_gen_ops->wipe) {
+ ret = cc->iv_gen_ops->wipe(cc);
+ if (ret)
+ return ret;
+ }
+
clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
memset(&cc->key, 0, cc->key_size * sizeof(u8));
return crypt_setkey_allcpus(cc);
}
+static int crypt_suspend_and_wipe_key(struct crypt_config *cc)
+{
+ int ret;
+
+ if (!dm_suspended(cc->ti)) {
+ ret = dm_suspend_md(dm_table_get_md(cc->ti->table));
+ if (ret)
+ return ret;
+ }
+
+ return crypt_wipe_key(cc);
+}
+
static void crypt_dtr(struct dm_target *ti)
{
struct crypt_config *cc = ti->private;
@@ -1512,6 +1544,10 @@ static void crypt_dtr(struct dm_target *ti)
if (!cc)
return;
+ mutex_lock(&crypt_list_mtx);
+ list_del(&cc->entry);
+ mutex_unlock(&crypt_list_mtx);
+
if (cc->write_thread)
kthread_stop(cc->write_thread);
@@ -1738,6 +1774,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
cc->key_size = key_size;
ti->private = cc;
+ cc->ti = ti;
ret = crypt_ctr_cipher(ti, argv[0], argv[1]);
if (ret < 0)
goto bad;
@@ -1833,7 +1870,14 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
else if (!strcasecmp(opt_string, "submit_from_crypt_cpus"))
set_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
+ else if (!strcasecmp(opt_string, "key_wipe_on_hibernation"))
+ set_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION, &cc->flags);
+
+ else if (!strcasecmp(opt_string, "key_wipe_on_suspend"))
+ set_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND, &cc->flags);
+
else {
+ ret = -EINVAL;
ti->error = "Invalid feature arguments";
goto bad;
}
@@ -1872,6 +1916,10 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
ti->num_flush_bios = 1;
ti->discard_zeroes_data_unsupported = true;
+ mutex_lock(&crypt_list_mtx);
+ list_add(&cc->entry, &crypt_list);
+ mutex_unlock(&crypt_list_mtx);
+
return 0;
bad:
@@ -1937,6 +1985,10 @@ static void crypt_status(struct dm_target *ti, status_type_t type,
num_feature_args += !!ti->num_discard_bios;
num_feature_args += test_bit(DM_CRYPT_SAME_CPU, &cc->flags);
num_feature_args += test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
+ num_feature_args += test_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION,
+ &cc->flags);
+ num_feature_args += test_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND,
+ &cc->flags);
if (num_feature_args) {
DMEMIT(" %d", num_feature_args);
if (ti->num_discard_bios)
@@ -1945,6 +1997,10 @@ static void crypt_status(struct dm_target *ti, status_type_t type,
DMEMIT(" same_cpu_crypt");
if (test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags))
DMEMIT(" submit_from_crypt_cpus");
+ if (test_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION, &cc->flags))
+ DMEMIT(" key_wipe_on_hibernation");
+ if (test_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND, &cc->flags))
+ DMEMIT(" key_wipe_on_suspend");
}
break;
@@ -1980,6 +2036,10 @@ static void crypt_resume(struct dm_target *ti)
/* Message interface
* key set <key>
* key wipe
+ * key wipe_on_hibernation
+ * key retain_on_hibernation
+ * key wipe_on_suspend
+ * key retain_on_suspend
*/
static int crypt_message(struct dm_target *ti, unsigned argc, char **argv)
{
@@ -1990,6 +2050,22 @@ static int crypt_message(struct dm_target *ti, unsigned argc, char **argv)
goto error;
if (!strcasecmp(argv[0], "key")) {
+ if (argc == 2 && !strcasecmp(argv[1], "wipe_on_hibernation")) {
+ set_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION, &cc->flags);
+ return 0;
+ }
+ if (argc == 2 && !strcasecmp(argv[1], "retain_on_hibernation")) {
+ clear_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION, &cc->flags);
+ return 0;
+ }
+ if (argc == 2 && !strcasecmp(argv[1], "wipe_on_suspend")) {
+ set_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND, &cc->flags);
+ return 0;
+ }
+ if (argc == 2 && !strcasecmp(argv[1], "retain_on_suspend")) {
+ clear_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND, &cc->flags);
+ return 0;
+ }
if (!test_bit(DM_CRYPT_SUSPENDED, &cc->flags)) {
DMWARN("not suspended during key manipulation.");
return -EINVAL;
@@ -2003,11 +2079,6 @@ static int crypt_message(struct dm_target *ti, unsigned argc, char **argv)
return ret;
}
if (argc == 2 && !strcasecmp(argv[1], "wipe")) {
- if (cc->iv_gen_ops && cc->iv_gen_ops->wipe) {
- ret = cc->iv_gen_ops->wipe(cc);
- if (ret)
- return ret;
- }
return crypt_wipe_key(cc);
}
}
@@ -2056,19 +2127,58 @@ static struct target_type crypt_target = {
.iterate_devices = crypt_iterate_devices,
};
+static int dm_crypt_pm_notifier_call(struct notifier_block *nb,
+ unsigned long action, void *data)
+{
+ struct crypt_config *cc;
+ int r;
+
+ mutex_lock(&crypt_list_mtx);
+
+ list_for_each_entry(cc, &crypt_list, entry) {
+ if ((action == PM_HIBERNATION_AFTER_FREEZE &&
+ test_bit(DM_CRYPT_KEY_WIPE_ON_HIBERNATION, &cc->flags)) ||
+ (action == PM_SUSPEND_AFTER_FREEZE &&
+ test_bit(DM_CRYPT_KEY_WIPE_ON_SUSPEND, &cc->flags))) {
+ r = crypt_suspend_and_wipe_key(cc);
+ if (r) {
+ DMWARN("wiping key failed %d", r);
+ }
+ }
+ }
+
+ mutex_unlock(&crypt_list_mtx);
+
+ return NOTIFY_OK;
+}
+
+static struct notifier_block dm_crypt_pm_notifier_block = {
+ .notifier_call = dm_crypt_pm_notifier_call,
+};
+
static int __init dm_crypt_init(void)
{
int r;
r = dm_register_target(&crypt_target);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
- return r;
+ r = register_pm_notifier(&dm_crypt_pm_notifier_block);
+ if (r) {
+ DMERR("register_pm_notifier failed %d", r);
+ dm_unregister_target(&crypt_target);
+ return r;
+ }
+
+ return 0;
}
static void __exit dm_crypt_exit(void)
{
+ unregister_pm_notifier(&dm_crypt_pm_notifier_block);
dm_unregister_target(&crypt_target);
}
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2015-06-21 11:22 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-05 17:20 [PATCH 0/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-04-05 17:20 ` [PATCH 1/3] PM suspend/hibernate: Call notifier after freezing processes Pali Rohár
2015-04-09 0:28 ` Rafael J. Wysocki
2015-04-09 6:36 ` Pali Rohár
2015-04-09 17:13 ` Rafael J. Wysocki
2015-04-09 16:55 ` Pali Rohár
2015-04-05 17:20 ` [PATCH 2/3] dm: Export function dm_suspend_md() Pali Rohár
2015-04-05 17:20 ` [PATCH 3/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-04-07 13:55 ` [dm-devel] " Alasdair G Kergon
2015-04-06 13:00 ` [PATCH 0/3] " Mike Snitzer
2015-04-06 13:25 ` Pavel Machek
2015-04-06 20:51 ` Mike Snitzer
2015-04-06 21:13 ` Why wipe crypto keys during suspend (was Re: [PATCH 0/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation) Pavel Machek
2015-04-06 13:29 ` [PATCH 0/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-04-06 18:17 ` Pavel Machek
2015-04-06 21:27 ` Pali Rohár
2015-04-09 13:12 ` Mike Snitzer
2015-04-09 13:28 ` Pali Rohár
2015-04-09 14:08 ` Mike Snitzer
2015-04-09 14:16 ` Pali Rohár
2015-04-09 14:26 ` Mike Snitzer
2015-04-09 14:38 ` Pali Rohár
2015-04-14 6:50 ` Pavel Machek
2015-04-23 17:02 ` Pali Rohár
[not found] ` <mgnv2g$if5$2@ger.gmane.org>
2015-04-17 7:52 ` Mike Snitzer
2015-04-17 8:52 ` [dm-devel] " Ondrej Kozina
2015-04-17 15:53 ` Alex Elsayed
2015-04-14 6:41 ` Pavel Machek
2015-06-21 11:20 ` [PATCH v2 " Pali Rohár
2015-06-21 11:20 ` [PATCH v2 1/3] PM suspend/hibernate: Call notifier after freezing processes Pali Rohár
2015-07-16 1:02 ` Rafael J. Wysocki
2015-07-16 7:33 ` Pali Rohár
2015-07-17 23:27 ` Rafael J. Wysocki
2015-07-20 7:32 ` Pali Rohár
2015-07-20 21:46 ` Rafael J. Wysocki
2015-07-21 22:08 ` NeilBrown
2015-07-21 23:00 ` Rafael J. Wysocki
2015-07-21 23:03 ` Rafael J. Wysocki
2016-12-27 14:29 ` Pali Rohár
2015-06-21 11:20 ` [PATCH v2 2/3] dm: Export function dm_suspend_md() Pali Rohár
2015-07-17 14:04 ` Mike Snitzer
2015-07-17 14:22 ` Pali Rohár
2015-07-17 15:22 ` Mike Snitzer
2015-07-17 15:30 ` Mike Snitzer
2015-07-17 17:13 ` Pali Rohár
2015-07-17 17:31 ` Mike Snitzer
2015-06-21 11:20 ` Pali Rohár [this message]
2015-07-28 14:44 ` [PATCH v2 3/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pavel Machek
2015-07-28 14:48 ` Pali Rohár
2015-07-07 7:59 ` [PATCH v2 0/3] " Pali Rohár
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1434885634-19895-4-git-send-email-pali.rohar@gmail.com \
--to=pali.rohar@gmail.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=neilb@suse.de \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=snitzer@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).