vic
8 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Eric Biggers
|
883ead7297 |
f2fs, fscrypt: clean up ICE support
In preparation for adding the IV_INO_LBLK_32 IV generation method, stop hard-coding the DUN generation. Instead, make f2fs and fs/direct-io.c use helper functions fscrypt_set_bio_crypt_ctx() and fscrypt_mergeable_bio(), like blk-crypto in newer kernels. No change is made to how the DUN and key are actually passed down to the block layer. So unlike real blk-crypto, fscrypt_set_bio_crypt_ctx() only sets the DUN. The key is still implicit via pfk_bio_get_inode(). Change-Id: I79bde6714ea710086345bfe3396cadad1a0204bb Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
|
Jaegeuk Kim
|
bca123c931 |
Merge remote-tracking branch 'origin/upstream-f2fs-stable-linux-4.9.y' into android-4.9
Fix build errors. * origin/upstream-f2fs-stable-linux-4.9.y: f2fs: use EINVAL for superblock with invalid magic f2fs: fix to read source block before invalidating it f2fs: remove redundant check from f2fs_setflags_common() f2fs: use generic checking and prep function for FS_IOC_SETFLAGS vfs: use READ_ONCE() to access ->i_link fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory fscrypt: cache decrypted symlink target in ->i_link fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext ext4: remove unused d_name argument from ext4_search_dir() et al. fscrypt: only set dentry_operations on ciphertext dentries fscrypt: fix race allowing rename() and link() of ciphertext dentries fscrypt: clean up and improve dentry revalidation fscrypt: use READ_ONCE() to access ->i_crypt_info fscrypt: remove WARN_ON_ONCE() when decryption fails fscrypt: drop inode argument from fscrypt_get_ctx() f2fs: improve print log in f2fs_sanity_check_ckpt() f2fs: avoid out-of-range memory access f2fs: fix to avoid long latency during umount f2fs: allow all the users to pin a file f2fs: support swap file w/ DIO f2fs: allocate blocks for pinned file f2fs: fix is_idle() check for discard type f2fs: add a rw_sem to cover quota flag changes f2fs: set SBI_NEED_FSCK for xattr corruption case f2fs: use generic EFSBADCRC/EFSCORRUPTED f2fs: Use DIV_ROUND_UP() instead of open-coding f2fs: print kernel message if filesystem is inconsistent f2fs: introduce f2fs_<level> macros to wrap f2fs_printk() f2fs: avoid get_valid_blocks() for cleanup f2fs: ioctl for removing a range from F2FS f2fs: only set project inherit bit for directory f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags f2fs: Add option to limit required GC for checkpoint=disable f2fs: Fix accounting for unusable blocks f2fs: Fix root reserved on remount f2fs: Lower threshold for disable_cp_again f2fs: fix sparse warning f2fs: fix f2fs_show_options to show nodiscard mount option f2fs: add error prints for debugging mount failure f2fs: fix to do sanity check on segment bitmap of LFS curseg f2fs: add missing sysfs entries in documentation f2fs: fix to avoid deadloop if data_flush is on f2fs: always assume that the device is idle under gc_urgent f2fs: add bio cache for IPU f2fs: allow ssr block allocation during checkpoint=disable period f2fs: fix to check layout on last valid checkpoint park Change-Id: I7ec07950386e32e3955b6a8192804b7d3174fd18 Signed-off-by: Jaegeuk Kim <jaegeuk@google.com> |
||
|
Chandan Rajendra
|
7cc130e51c |
fscrypt: remove filesystem specific build config option
In order to have a common code base for fscrypt "post read" processing for all filesystems which support encryption, this commit removes filesystem specific build config option (e.g. CONFIG_EXT4_FS_ENCRYPTION) and replaces it with a build option (i.e. CONFIG_FS_ENCRYPTION) whose value affects all the filesystems making use of fscrypt. Change-Id: If3c1effb67f36c8656f87d3a8135be04eff10a0a Reviewed-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
|
Eric Biggers
|
6bbfb52c1a |
fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow <mhalcrow@google.com> Cc: Joe Richey <joerichey@google.com> Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
|
Jaegeuk Kim
|
3f457d2cff |
dm-default-key, f2fs, ICE: support dm-default-key with f2fs/ICE
This patch fixes assigning bi_crypt_key for moving data which was previously encrypted by f2fs. Note that, dm-default-key should not assign bi_crypt_key, if bi_crypt_skip is set. The bug sceanrios is: 1. write data with user key by f2fs - ENC(KU, IVU, DATA) 2. log out user key 3. read data #1 w/o user key from LBA #a 4. dm-default-key assigns default key - DEC(KD, LBA#a, ENC(KU, IVU, DATA)) 5. write data #1 w/o user key into LBA #b 6. dm-default-key assigns default key - ENC(KD, LBA#b, DEC(KD, LBA#a, ENC(KU, IVU, DATA))) 7. Read DATA out with valid logged-in user key - DEC(KU, IVU, ENC(KD, LBA#b, DEC(KD, LBA#a, ENC(KU, IVU, DATA)))) So, this patch introduces bi_crypt_skip to avoid 4. ~ 6 with right flow: 1. write data with user key by f2fs - ENC(KU, IVU, DATA) 2. log out user key 3. read data #1 w/o user key from LBA #a 4. dm-default-key skip to assign default key - ENC(KU, IVU, DATA) 5. write data #1 w/o user key into LBA #b 6. dm-default-key skips to assign default key - ENC(KU, IVU, DATA) 7. Try to read DATA with valid logged-in user key - DEC(KU, IVU, ENC(KU, IVU, DATA)) Bug: 68721442 Change-Id: I99b4bcb5f00e2c510a34c0ecee030638bdfe1625 Signed-off-by: Jaegeuk Kim <jaegeuk@google.com> |
||
|
Jaegeuk Kim
|
78b34421fa |
fscrypt, pfk, ice: cover ICE-related data structures in CONFIG_PFK
This patch makes CONFIG_PFK cover all the per-file key structures. Otherwise, for example, f2fs will set DUN, resulting in IO fragmentation, even if PFK is not set. Bug: 68721442 Change-Id: I93808db0b00feae53888fd9ae6c91fc2727ffca9 Signed-off-by: Jaegeuk Kim <jaegeuk@google.com> |
||
|
Jaegeuk Kim
|
898c81ac6a |
f2fs/fscrypt: updates to v4.17-rc1
Pull f2fs update from Jaegeuk Kim: "In this round, we've mainly focused on performance tuning and critical bug fixes occurred in low-end devices. Sheng Yong introduced lost_found feature to keep missing files during recovery instead of thrashing them. We're preparing coming fsverity implementation. And, we've got more features to communicate with users for better performance. In low-end devices, some memory-related issues were fixed, and subtle race condtions and corner cases were addressed as well. Enhancements: - large nat bitmaps for more free node ids - add three block allocation policies to pass down write hints given by user - expose extension list to user and introduce hot file extension - tune small devices seamlessly for low-end devices - set readdir_ra by default - give more resources under gc_urgent mode regarding to discard and cleaning - introduce fsync_mode to enforce posix or not - nowait aio support - add lost_found feature to keep dangling inodes - reserve bits for future fsverity feature - add test_dummy_encryption for FBE Bug fixes: - don't use highmem for dentry pages - align memory boundary for bitops - truncate preallocated blocks in write errors - guarantee i_times on fsync call - clear CP_TRIMMED_FLAG correctly - prevent node chain loop during recovery - avoid data race between atomic write and background cleaning - avoid unnecessary selinux violation warnings on resgid option - GFP_NOFS to avoid deadlock in quota and read paths - fix f2fs_skip_inode_update to allow i_size recovery In addition to the above, there are several minor bug fixes and clean-ups" Cherry-pick from origin/upstream-f2fs-stable-linux-4.9.y: |
||
|
Jaegeuk Kim
|
77ba32c0ef |
fscrypt: updates on 4.15-rc4
Cherry-picked from common/android-4.9:
8363bf827a80 ("fscrypt: updates on 4.15-rc4")
Including:
Cherry-picked from origin/upstream-f2fs-stable-linux-4.9.y:
|