1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004, 2005 Cluster File Systems, Inc.
6 * This file is part of Lustre, http://www.lustre.org.
8 * Lustre is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
12 * Lustre is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with Lustre; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #define DEBUG_SUBSYSTEM S_LLITE
25 #include <linux/types.h>
26 #include <linux/version.h>
27 #include <asm/uaccess.h>
28 #include <linux/file.h>
29 #include <linux/kmod.h>
30 #include <linux/posix_acl.h>
31 #include <linux/xattr_acl.h>
33 #include <linux/lustre_acl.h>
34 #include <linux/lustre_lite.h>
35 #include <linux/lustre_gs.h>
36 #include "llite_internal.h"
38 int ll_gs_intent_init(struct lookup_intent *it)
40 struct lustre_intent_data *lustre_data;
42 LASSERT(it->d.fs_data != NULL);
43 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
44 /*set lustre key size when there is gss server
45 *or other configuration*/
46 lustre_data->it_key = NULL;
47 lustre_data->it_key_size = 0;
51 static int ll_get_acl_key(struct inode *inode, struct posix_acl **acl,
52 struct lustre_key **lkey)
54 struct lookup_intent it = { .it_op = IT_GETATTR };
55 struct dentry de = { .d_inode = inode };
56 struct ll_sb_info *sbi;
58 struct ptlrpc_request *req = NULL;
59 struct ll_inode_info *lli = ll_i2info(inode);
63 if (lli->lli_posix_acl && lli->lli_key_info) {
64 /*If they are in the local cache, just fetch them*/
65 spin_lock(&lli->lli_lock);
66 *acl = posix_acl_dup(lli->lli_posix_acl);
67 *lkey = lustre_key_get(lli->lli_key_info);
68 spin_unlock(&lli->lli_lock);
71 sbi = ll_i2sbi(inode);
72 ll_inode2id(&id, inode);
74 if (ll_intent_alloc(&it))
77 rc = md_intent_lock(sbi->ll_md_exp, &id, NULL, 0, NULL, 0, &id,
78 &it, 0, &req, ll_mdc_blocking_ast);
84 rc = revalidate_it_finish(req, 1, &it, &de);
86 ll_intent_release(&it);
90 ll_lookup_finish_locks(&it, &de);
93 spin_lock(&lli->lli_lock);
94 *acl = posix_acl_dup(lli->lli_posix_acl);
95 *lkey = lustre_key_get(lli->lli_key_info);
96 spin_unlock(&lli->lli_lock);
99 ptlrpc_req_finished(req);
103 static int ll_init_key_perm(struct key_perm *kperm, struct posix_acl *acl,
104 __u32 uid, __u32 gid, int mode)
107 kperm->kp_acl_count = acl->a_count;
108 memcpy(kperm->kp_acls, acl->a_entries,
109 acl->a_count * sizeof(struct posix_acl_entry));
111 kperm->kp_mode = mode;
117 static int ll_init_key_context(struct key_context *pkc, __u32 uid,
118 __u32 gid, struct crypto_key *ck,
119 struct posix_acl *acl, int mode,
120 int command, int valid)
122 struct key_perm *kperm;
125 pkc->kc_command = command;
126 pkc->kc_valid = valid;
129 memcpy(&pkc->kc_ck, ck, sizeof(*ck));
131 kperm = &pkc->kc_perm;
133 ll_init_key_perm(kperm, acl, uid, gid, mode);
136 static int ll_get_default_acl(struct inode *inode, struct posix_acl **acl,
139 int rc = 0, buf_size, ea_size;
143 if (!S_ISDIR(inode->i_mode))
146 buf_size = xattr_acl_size(LL_ACL_MAX_ENTRIES);
147 OBD_ALLOC(buf, buf_size);
151 ea_size = ll_getxattr_internal(inode, XATTR_NAME_ACL_DEFAULT,
152 buf, buf_size, OBD_MD_FLXATTR);
154 if (ea_size < 0 && ea_size != -ENODATA)
155 CERROR("get default acl of ino %lu error rc %d \n",
156 inode->i_ino, ea_size);
159 *acl = posix_acl_from_xattr(buf, ea_size);
162 CERROR("convert xattr to acl failed: %d\n", rc);
165 rc = posix_acl_valid(*acl);
167 CERROR("acl valid error: %d\n", rc);
168 posix_acl_release(*acl);
173 rc = posix_acl_create_masq(*acl, &mode);
176 OBD_FREE(buf, buf_size);
180 int ll_gks_create_key(struct inode *dir, mode_t mode, void **key,
183 struct obd_export *gs_exp = ll_i2gsexp(dir);
184 struct key_context *kcontext = NULL;
185 struct key_parms kparms;
186 struct posix_acl *default_acl = NULL;
190 OBD_ALLOC(kcontext, sizeof(struct key_context));
192 GOTO(out, rc = -ENOMEM);
194 rc = ll_get_default_acl(dir, &default_acl, mode);
198 ll_init_key_context(kcontext, current->fsuid, current->fsgid,
199 NULL, default_acl, mode, GKS_GET_KEY, 0);
201 kparms.context = kcontext;
202 kparms.context_size = sizeof(struct key_context);
205 *key_size = sizeof(struct crypto_key);
206 OBD_ALLOC(*key, *key_size);
208 GOTO(out, rc = -ENOMEM);
210 /*GET an encrypt key from GS server*/
211 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
214 CERROR("get key error rc %d \n", rc);
217 CDEBUG(D_INFO, "Get enkey %s MAC %s from exp %p \n",
218 (char*)((struct crypto_key *)(*key))->ck_key,
219 (char*)((struct crypto_key *)(*key))->ck_mac,
223 OBD_FREE(kcontext, sizeof(struct key_context));
225 posix_acl_release(default_acl);
230 int ll_gks_init_it(struct inode *parent, struct lookup_intent *it)
232 struct obd_export *gs_exp = ll_i2gsexp(parent);
233 struct lustre_intent_data *lustre_data;
234 mode_t mode = (it->it_create_mode | S_IFREG) & (~current->fs->umask);
236 int key_size = 0, rc = 0;
242 ll_gs_intent_init(it);
243 if (!(it->it_flags & O_CREAT))
246 LASSERT(it->d.fs_data != NULL);
247 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
249 if (lustre_data->it_key) {
250 LASSERT(lustre_data->it_key_size ==
251 sizeof(struct crypto_key));
252 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
255 rc = ll_gks_create_key(parent, mode, &key, &key_size);
259 lustre_data->it_key = key;
260 lustre_data->it_key_size = key_size;
264 OBD_FREE(key, key_size);
269 int ll_gks_decrypt_key(struct inode *inode, struct lookup_intent *it)
271 struct obd_export *gs_exp = ll_i2gsexp(inode);
272 struct ll_inode_info *lli = ll_i2info(inode);
273 struct key_context *kcontext = NULL;
274 struct key_perm *kperm = NULL;
275 struct key_parms kparms;
276 struct lustre_key *lkey = NULL;
277 struct crypto_key *ckey = NULL;
278 struct posix_acl *acl = NULL;
280 int rc = 0, ck_size = 0, kcontext_size = 0, acl_count;
287 rc = ll_get_acl_key(inode, &acl, &lkey);
290 if (!lkey || IS_DECRYPTED(lkey->lk_flags))
293 acl_count = acl ? acl->a_count : 0;
294 kcontext_size = crypto_kcontext_size(acl_count);
295 OBD_ALLOC(kcontext, kcontext_size);
297 GOTO(out, rc = -ENOMEM);
299 flags = mds_pack_open_flags(it->it_flags);
301 spin_lock(&lli->lli_lock);
302 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
303 acl, inode->i_mode, GKS_DECRYPT_KEY, flags);
305 spin_unlock(&lli->lli_lock);
307 OBD_ALLOC(kperm, sizeof(struct key_perm));
308 ll_init_key_perm(kperm, NULL, current->uid, current->gid, 0);
310 kparms.context = kcontext;
311 kparms.context_size = kcontext_size;
313 kparms.perm_size = sizeof(struct key_perm);
315 ck_size = sizeof(*ckey);
316 OBD_ALLOC(ckey, ck_size);
318 GOTO(out, rc = -ENOMEM);
320 /*GET an encrypt key from GS server*/
321 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
324 CERROR("decrypt key error rc %d \n", rc);
327 CDEBUG(D_INFO, "decrypt key %s MAC %s from exp %p \n",
328 ckey->ck_mac, ckey->ck_mac, gs_exp);
330 /*copy the decrypt key from kcontext to the lustre key*/
332 spin_lock(&lli->lli_lock);
333 memcpy(&lkey->lk_dk, ckey->ck_key, KEY_SIZE);
334 SET_DECRYPTED(lkey->lk_flags);
335 spin_unlock(&lli->lli_lock);
338 posix_acl_release(acl);
340 lustre_key_release(lkey);
342 OBD_FREE(kperm, sizeof(struct key_perm));
344 OBD_FREE(kcontext, kcontext_size);
346 OBD_FREE(ckey, ck_size);
349 static void get_real_parameters(struct inode *inode, struct iattr *iattr,
350 struct posix_acl *new_acl, mode_t *mode,
351 __u32 *uid, __u32 *gid)
355 if (iattr->ia_valid & ATTR_MODE) {
356 *mode = iattr->ia_mode;
358 *mode = inode->i_mode;
360 posix_acl_equiv_mode(new_acl, mode);
361 CDEBUG(D_INFO, "get new mode %d \n", *mode);
365 if (iattr->ia_valid & ATTR_UID)
366 *uid = iattr->ia_uid;
370 if (iattr->ia_valid & ATTR_GID)
371 *gid = iattr->ia_gid;
376 int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value,
377 int size, void **key, int *key_size)
379 struct ll_inode_info *lli = ll_i2info(inode);
380 struct obd_export *gs_exp = ll_i2gsexp(inode);
381 struct key_context *kcontext = NULL;
382 struct key_perm *kperm = NULL;
383 struct key_parms kparms;
384 struct lustre_key *lkey = NULL;
385 struct crypto_key *ckey = NULL;
386 struct posix_acl *acl = NULL, *new_acl = NULL;
387 int rc = 0, kperm_size = 0, kcontext_size = 0;
397 rc = ll_get_acl_key(inode, &acl, &lkey);
403 acl_count = acl ? acl->a_count : 0;
404 kcontext_size = crypto_kcontext_size(acl_count);
405 OBD_ALLOC(kcontext, kcontext_size);
407 GOTO(out, rc = -ENOMEM);
408 spin_lock(&lli->lli_lock);
409 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
410 acl, inode->i_mode, GKS_GET_MAC, iattr->ia_valid);
411 spin_unlock(&lli->lli_lock);
413 new_acl = posix_acl_from_xattr(value, size);
414 if (IS_ERR(new_acl)) {
415 rc = PTR_ERR(new_acl);
416 CERROR("convert from xattr to acl error: %d",rc);
419 } else if (new_acl) {
420 rc = posix_acl_valid(new_acl);
422 CERROR("acl valid error: %d", rc);
429 acl_count = new_acl ? new_acl->a_count : 0;
430 kperm_size = crypto_kperm_size(acl_count);
431 OBD_ALLOC(kperm, kperm_size);
432 get_real_parameters(inode, iattr, new_acl, &mac_mode, &uid, &gid);
433 ll_init_key_perm(kperm, new_acl, uid, gid, mac_mode);
434 kparms.context = kcontext;
435 kparms.context_size = kcontext_size;
437 kparms.perm_size = kperm_size;
439 *key_size = sizeof(struct crypto_key);
440 OBD_ALLOC(ckey, sizeof(struct crypto_key));
442 GOTO(out, rc = -ENOMEM);
443 /*GET an encrypt key from GS server*/
444 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
447 CERROR("decrypt key error rc %d \n", rc);
451 iattr->ia_valid |= ATTR_MAC;
454 posix_acl_release(acl);
456 posix_acl_release(new_acl);
458 lustre_key_release(lkey);
460 OBD_FREE(kperm, kperm_size);
462 OBD_FREE(kcontext, kcontext_size);
466 static int ll_crypt_permission_check(struct lustre_key *lkey,
469 if (!IS_DECRYPTED(lkey->lk_flags))
471 if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags))
473 if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags))
477 /*key function for calculate the key for countermode method*/
478 static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count,
481 struct inode *inode = page->mapping->host;
482 struct ll_inode_info *lli = ll_i2info(inode);
483 struct lustre_key *lkey = ll_i2info(inode)->lli_key_info;
486 int index = page->index;
493 spin_lock(&lli->lli_lock);
494 rc = ll_crypt_permission_check(lkey, flags);
496 spin_unlock(&lli->lli_lock);
500 key_ptr = &lkey->lk_dk[0];
501 for (i=0; i < KEY_SIZE; i++)
502 data_key += *key_ptr++;
503 spin_unlock(&lli->lli_lock);
506 CDEBUG(D_INFO, "data_key is "LPU64" \n", data_key);
508 ptr = (char *)kmap(page);
511 CDEBUG(D_INFO, "ptr is %s \n", ptr);
512 for (i = 0; i < count; i++)
513 *ptr++ ^= (__u8)data_key;
514 CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr);
520 int ll_gs_init_inode_key(struct inode *inode, void *mkey)
522 struct ll_inode_info *lli = ll_i2info(inode);
523 struct crypto_key *key = (struct crypto_key*)mkey;
524 struct lustre_key *lkey = NULL;
530 if (lli->lli_key_info == NULL) {
531 OBD_ALLOC(lkey, sizeof(struct lustre_key));
534 memcpy(&lkey->lk_ck, key, sizeof(*key));
535 atomic_set(&lkey->lk_refcount, 1);
536 SET_UNDECRYPTED(lkey->lk_flags);
537 ENABLE_ENCRYPT(lkey->lk_flags);
538 ENABLE_DECRYPT(lkey->lk_flags);
539 spin_lock(&lli->lli_lock);
540 lli->lli_key_info = lkey;
541 spin_unlock(&lli->lli_lock);
542 CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n",
543 lli->lli_key_info->lk_ck.ck_key,
544 lli->lli_key_info->lk_ck.ck_mac,
547 lkey = lustre_key_get(lli->lli_key_info);
548 LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE),
549 "old key %s != new key %s\n", lkey->lk_ck.ck_key,
551 spin_lock(&lli->lli_lock);
552 if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)){
553 CDEBUG(D_INFO, "reset mac %s to %s ino %ld \n",
554 lkey->lk_ck.ck_mac, key->ck_mac, inode->i_ino);
555 memcpy(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE);
556 SET_UNDECRYPTED(lkey->lk_flags);
558 spin_unlock(&lli->lli_lock);
559 lustre_key_release(lkey);
564 static int ll_gs_destroy_key(struct inode *inode)
566 struct ll_inode_info *lli = ll_i2info(inode);
568 spin_lock(&lli->lli_lock);
569 if (lli->lli_key_info) {
570 LASSERTF(atomic_read(&lli->lli_key_info->lk_refcount) == 1,
571 "lk_refcount %d != 1 when destory\n",
572 atomic_read(&lli->lli_key_info->lk_refcount));
573 lustre_key_release(lli->lli_key_info);
574 lli->lli_key_info = NULL;
576 spin_unlock(&lli->lli_lock);
580 struct crypto_helper_ops ll_cgs_ops = {
581 .init_it_key = ll_gks_init_it,
582 .create_key = ll_gks_create_key,
583 .init_inode_key = ll_gs_init_inode_key,
584 .get_mac = ll_gks_get_mac,
585 .decrypt_key = ll_gks_decrypt_key,
586 .destroy_key = ll_gs_destroy_key,
589 int ll_mks_create_key(struct inode *inode, struct lookup_intent *it)
591 struct lustre_intent_data *lustre_data;
592 struct crypto_key *crypto_key;
596 LASSERT(it->d.fs_data != NULL);
597 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
599 if (lustre_data->it_key) {
600 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
602 OBD_ALLOC(crypto_key, sizeof(struct crypto_key));
604 crypto_key->ck_type = MKS_TYPE;
605 lustre_data->it_key = crypto_key;
606 lustre_data->it_key_size = sizeof(struct crypto_key);
610 int ll_mks_init_it(struct inode *parent, struct lookup_intent *it)
618 ll_gs_intent_init(it);
619 if (it->it_op & IT_CREAT) {
620 ll_mks_create_key(parent, it);
625 int ll_mks_decrypt_key(struct inode *inode, struct lookup_intent *it)
627 struct ll_inode_info *lli = ll_i2info(inode);
628 struct lustre_key *lkey = NULL;
629 struct posix_acl *acl = NULL;
634 rc = ll_get_acl_key(inode, &acl, &lkey);
637 spin_lock(&lli->lli_lock);
638 SET_DECRYPTED(lkey->lk_flags);
639 spin_unlock(&lli->lli_lock);
642 posix_acl_release(acl);
644 lustre_key_release(lkey);
648 struct crypto_helper_ops ll_cmd_ops = {
649 .init_it_key = ll_mks_init_it,
650 .init_inode_key = ll_gs_init_inode_key,
651 .decrypt_key = ll_mks_decrypt_key,
652 .destroy_key = ll_gs_destroy_key,
656 static int ll_register_cops(struct ll_crypto_info *llci, char *type,
657 struct crypto_helper_ops *cops)
659 struct list_head *list = &llci->ll_cops_list;
660 struct crypto_ops_item *opi = NULL, *tmp;
661 char *opi_name = NULL;
665 list_for_each_entry(tmp, list, clist) {
666 if (!strcmp(type, tmp->ctype)) {
667 CWARN("%s is already registered\n", type);
673 OBD_ALLOC(opi, sizeof(*opi));
675 OBD_ALLOC(opi_name, strlen(type) + 1);
677 LASSERT(opi && opi_name);
679 memcpy(opi_name, type, strlen(type));
681 opi->ctype = opi_name;
684 list_add_tail(&opi->clist, list);
689 static int ll_init_sb_crypto(struct super_block *sb)
691 struct ll_crypto_info *llci = NULL;
695 OBD_ALLOC(llci, sizeof(*llci));
700 INIT_LIST_HEAD(&llci->ll_cops_list);
702 ll_register_cops(llci, "gks", &ll_cgs_ops);
703 ll_register_cops(llci, "mks", &ll_cmd_ops);
705 ll_s2sbi(sb)->ll_crypto_info = llci;
710 static int ll_unregister_cops(struct ll_crypto_info *llci)
712 struct list_head *list = &llci->ll_cops_list;
713 struct crypto_ops_item *tmp, *item;
715 list_for_each_entry_safe(item, tmp, list, clist) {
716 list_del_init(&item->clist);
717 OBD_FREE(item->ctype, strlen(item->ctype) + 1);
718 OBD_FREE(item, sizeof(*item));
723 int lustre_destroy_crypto(struct super_block *sb)
725 struct ll_crypto_info *llci = ll_s2crpi(sb);
732 obd_disconnect(llci->ll_gt_exp, 0);
734 ll_unregister_cops(llci);
735 OBD_FREE(llci, sizeof(*llci));
739 int lustre_init_crypto(struct super_block *sb, char *gkc,
740 struct obd_connect_data *data,
743 struct obd_device *obd = NULL;
744 struct ll_sb_info *sbi = ll_s2sbi(sb);
745 struct lustre_handle gt_conn;
749 rc = ll_init_sb_crypto(sb);
753 if (!gkc || !strcmp(gkc, "null")) {
754 CDEBUG(D_INFO, "No gks Server\n");
758 obd = class_name2obd(gkc);
760 CERROR("GSC %s: not setup or attached\n", gkc);
761 GOTO(out, rc = -EINVAL);
764 obd_set_info(obd->obd_self_export, strlen("async"), "async",
765 sizeof(async), &async);
767 rc = obd_connect(>_conn, obd, &sbi->ll_sb_uuid, data,
768 OBD_OPT_REAL_CLIENT);
770 CERROR("cannot connect to %s: rc = %d\n", gkc, rc);
773 ll_s2crpi(sb)->ll_gt_exp = class_conn2export(>_conn);
776 lustre_destroy_crypto(sb);
779 struct crypto_helper_ops *
780 ll_gks_find_ops(struct ll_crypto_info *llc_info, char *type)
782 struct list_head *list = &llc_info->ll_cops_list;
783 struct crypto_ops_item *tmp;
786 list_for_each_entry(tmp, list, clist) {
787 if (!strcmp(type, tmp->ctype)) {
792 CERROR("can not find crypto api %s \n", type);
796 int ll_set_sb_gksinfo(struct super_block *sb, char *type)
798 struct ll_crypto_info *llci = ll_s2crpi(sb);
799 struct obd_export *md_exp = ll_s2mdexp(sb);
800 struct obd_export *dt_exp = ll_s2dtexp(sb);
801 struct crypto_helper_ops *ops;
805 /*try to find the helper ops according to the type*/
806 ops = ll_gks_find_ops(llci, type);
808 CERROR("can not find the crypto ops by type %s \n", type);
813 rc = obd_set_info(md_exp, strlen("crypto_type"), "crypto_type",
816 /*set crypt call back func*/
818 rc = obd_set_info(dt_exp, strlen("crypto_cb"), "crypto_cb",
819 sizeof(crypt_cb_t), &ll_crypt_cb);