1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004, 2005 Cluster File Systems, Inc.
6 * This file is part of Lustre, http://www.lustre.org.
8 * Lustre is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
12 * Lustre is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with Lustre; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #define DEBUG_SUBSYSTEM S_LLITE
25 #include <linux/types.h>
26 #include <linux/version.h>
27 #include <asm/uaccess.h>
28 #include <linux/file.h>
29 #include <linux/kmod.h>
30 #include <linux/posix_acl.h>
31 #include <linux/xattr_acl.h>
33 #include <linux/lustre_acl.h>
34 #include <linux/lustre_lite.h>
35 #include <linux/lustre_gs.h>
36 #include "llite_internal.h"
38 int ll_gs_intent_init(struct lookup_intent *it)
40 struct lustre_intent_data *lustre_data;
42 LASSERT(it->d.fs_data != NULL);
43 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
44 /*set lustre key size when there is gss server
45 *or other configuration*/
46 lustre_data->it_key = NULL;
47 lustre_data->it_key_size = 0;
51 static int ll_get_acl_key(struct inode *inode, struct posix_acl **acl,
52 struct lustre_key **lkey)
54 struct lookup_intent it = { .it_op = IT_GETATTR };
55 struct dentry de = { .d_inode = inode };
56 struct ll_sb_info *sbi;
58 struct ptlrpc_request *req = NULL;
59 struct ll_inode_info *lli = ll_i2info(inode);
63 if (lli->lli_posix_acl && lli->lli_key_info) {
64 /*If they are in the local cache, just fetch them*/
65 spin_lock(&lli->lli_lock);
66 *acl = posix_acl_dup(lli->lli_posix_acl);
67 *lkey = lustre_key_get(lli->lli_key_info);
68 spin_unlock(&lli->lli_lock);
71 sbi = ll_i2sbi(inode);
72 ll_inode2id(&id, inode);
74 if (ll_intent_alloc(&it))
77 rc = md_intent_lock(sbi->ll_md_exp, &id, NULL, 0, NULL, 0, &id,
78 &it, 0, &req, ll_mdc_blocking_ast);
84 rc = revalidate_it_finish(req, 1, &it, &de);
86 ll_intent_release(&it);
90 ll_lookup_finish_locks(&it, &de);
93 spin_lock(&lli->lli_lock);
94 *acl = posix_acl_dup(lli->lli_posix_acl);
95 *lkey = lustre_key_get(lli->lli_key_info);
96 spin_unlock(&lli->lli_lock);
100 ptlrpc_req_finished(req);
104 static int ll_init_key_perm(struct key_perm *kperm, struct posix_acl *acl,
105 __u32 uid, __u32 gid, int mode)
109 kperm->kp_acl_count = acl->a_count;
110 memcpy(kperm->kp_acls, acl->a_entries,
111 acl->a_count * sizeof(struct posix_acl_entry));
113 kperm->kp_mode = mode;
119 static int ll_init_key_context(struct key_context *pkc, __u32 uid,
120 __u32 gid, struct crypto_key *ck,
121 struct posix_acl *acl, int mode,
122 int command, int valid)
124 struct key_perm *kperm;
127 pkc->kc_command = command;
128 pkc->kc_valid = valid;
131 memcpy(&pkc->kc_ck, ck, sizeof(*ck));
133 kperm = &pkc->kc_perm;
135 ll_init_key_perm(kperm, acl, uid, gid, mode);
138 static int ll_get_default_acl(struct inode *inode, struct posix_acl **acl,
141 int rc = 0, buf_size, ea_size;
145 if (!S_ISDIR(inode->i_mode))
148 buf_size = xattr_acl_size(LL_ACL_MAX_ENTRIES);
149 OBD_ALLOC(buf, buf_size);
153 ea_size = ll_getxattr_internal(inode, XATTR_NAME_ACL_DEFAULT,
154 buf, buf_size, OBD_MD_FLXATTR);
156 if (ea_size < 0 && ea_size != -ENODATA)
157 CERROR("get default acl of ino %lu error rc %d \n",
158 inode->i_ino, ea_size);
161 *acl = posix_acl_from_xattr(buf, ea_size);
164 CERROR("convert xattr to acl failed: %d\n", rc);
167 rc = posix_acl_valid(*acl);
169 CERROR("acl valid error: %d\n", rc);
170 posix_acl_release(*acl);
175 rc = posix_acl_create_masq(*acl, &mode);
179 OBD_FREE(buf, buf_size);
183 int ll_gks_create_key(struct inode *dir, mode_t mode, void **key,
186 struct obd_export *gs_exp = ll_i2gsexp(dir);
187 struct key_context *kcontext = NULL;
188 struct posix_acl *default_acl = NULL;
189 struct key_parms kparms;
193 OBD_ALLOC(kcontext, sizeof(struct key_context));
195 GOTO(out, rc = -ENOMEM);
197 rc = ll_get_default_acl(dir, &default_acl, mode);
201 ll_init_key_context(kcontext, current->fsuid, current->fsgid,
202 NULL, default_acl, mode, GKS_GET_KEY, 0);
204 kparms.context = kcontext;
205 kparms.context_size = sizeof(struct key_context);
208 *key_size = sizeof(struct crypto_key);
209 OBD_ALLOC(*key, *key_size);
211 GOTO(out, rc = -ENOMEM);
213 /* GET an encrypt key from GS server */
214 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
217 CERROR("get key error rc %d \n", rc);
220 CDEBUG(D_INFO, "Get enkey %s MAC %s from exp %p \n",
221 (char*)((struct crypto_key *)(*key))->ck_key,
222 (char*)((struct crypto_key *)(*key))->ck_mac,
227 OBD_FREE(kcontext, sizeof(struct key_context));
229 posix_acl_release(default_acl);
234 int ll_gks_init_it(struct inode *parent, struct lookup_intent *it)
236 struct obd_export *gs_exp = ll_i2gsexp(parent);
237 struct lustre_intent_data *lustre_data;
238 mode_t mode = (it->it_create_mode | S_IFREG) & (~current->fs->umask);
240 int key_size = 0, rc = 0;
246 ll_gs_intent_init(it);
247 if (!(it->it_flags & O_CREAT))
250 LASSERT(it->d.fs_data != NULL);
251 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
253 if (lustre_data->it_key) {
254 LASSERT(lustre_data->it_key_size ==
255 sizeof(struct crypto_key));
256 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
259 rc = ll_gks_create_key(parent, mode, &key, &key_size);
263 lustre_data->it_key = key;
264 lustre_data->it_key_size = key_size;
269 OBD_FREE(key, key_size);
274 int ll_gks_decrypt_key(struct inode *inode, struct lookup_intent *it)
276 struct obd_export *gs_exp = ll_i2gsexp(inode);
277 struct ll_inode_info *lli = ll_i2info(inode);
278 struct key_context *kcontext = NULL;
279 struct key_perm *kperm = NULL;
280 struct key_parms kparms;
281 struct lustre_key *lkey = NULL;
282 struct crypto_key *ckey = NULL;
283 struct posix_acl *acl = NULL;
285 int rc = 0, ck_size = 0, kcontext_size = 0, acl_count;
292 rc = ll_get_acl_key(inode, &acl, &lkey);
295 if (!lkey || IS_DECRYPTED(lkey->lk_flags))
298 acl_count = acl ? acl->a_count : 0;
299 kcontext_size = crypto_kcontext_size(acl_count);
300 OBD_ALLOC(kcontext, kcontext_size);
302 GOTO(out, rc = -ENOMEM);
304 flags = mds_pack_open_flags(it->it_flags);
306 spin_lock(&lli->lli_lock);
307 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
308 acl, inode->i_mode, GKS_DECRYPT_KEY, flags);
310 spin_unlock(&lli->lli_lock);
312 OBD_ALLOC(kperm, sizeof(struct key_perm));
314 GOTO(out, rc = -ENOMEM);
316 ll_init_key_perm(kperm, NULL, current->uid, current->gid, 0);
318 kparms.context = kcontext;
319 kparms.context_size = kcontext_size;
321 kparms.perm_size = sizeof(struct key_perm);
323 ck_size = sizeof(*ckey);
324 OBD_ALLOC(ckey, ck_size);
326 GOTO(out, rc = -ENOMEM);
328 /*GET an encrypt key from GS server*/
329 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
332 CERROR("decrypt key error rc %d \n", rc);
335 CDEBUG(D_INFO, "decrypt key %s MAC %s from exp %p \n",
336 ckey->ck_mac, ckey->ck_mac, gs_exp);
338 /*copy the decrypt key from kcontext to the lustre key*/
340 spin_lock(&lli->lli_lock);
341 memcpy(&lkey->lk_dk, ckey->ck_key, KEY_SIZE);
342 SET_DECRYPTED(lkey->lk_flags);
343 spin_unlock(&lli->lli_lock);
347 posix_acl_release(acl);
349 lustre_key_release(lkey);
351 OBD_FREE(kperm, sizeof(struct key_perm));
353 OBD_FREE(kcontext, kcontext_size);
355 OBD_FREE(ckey, ck_size);
359 static void get_real_parameters(struct inode *inode, struct iattr *iattr,
360 struct posix_acl *new_acl, mode_t *mode,
361 __u32 *uid, __u32 *gid)
365 if (iattr->ia_valid & ATTR_MODE) {
366 *mode = iattr->ia_mode;
368 *mode = inode->i_mode;
370 posix_acl_equiv_mode(new_acl, mode);
371 CDEBUG(D_INFO, "get new mode %d \n", *mode);
375 if (iattr->ia_valid & ATTR_UID)
376 *uid = iattr->ia_uid;
380 if (iattr->ia_valid & ATTR_GID)
381 *gid = iattr->ia_gid;
386 int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value,
387 int size, void **key, int *key_size)
389 struct ll_inode_info *lli = ll_i2info(inode);
390 struct obd_export *gs_exp = ll_i2gsexp(inode);
391 struct key_context *kcontext = NULL;
392 struct key_perm *kperm = NULL;
393 struct key_parms kparms;
394 struct lustre_key *lkey = NULL;
395 struct crypto_key *ckey = NULL;
396 struct posix_acl *acl = NULL, *new_acl = NULL;
397 int rc = 0, kperm_size = 0, kcontext_size = 0;
407 rc = ll_get_acl_key(inode, &acl, &lkey);
413 acl_count = acl ? acl->a_count : 0;
414 kcontext_size = crypto_kcontext_size(acl_count);
415 OBD_ALLOC(kcontext, kcontext_size);
417 GOTO(out, rc = -ENOMEM);
418 spin_lock(&lli->lli_lock);
419 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
420 acl, inode->i_mode, GKS_GET_MAC, iattr->ia_valid);
421 spin_unlock(&lli->lli_lock);
423 new_acl = posix_acl_from_xattr(value, size);
424 if (IS_ERR(new_acl)) {
425 rc = PTR_ERR(new_acl);
426 CERROR("convert from xattr to acl error: %d",rc);
429 } else if (new_acl) {
430 rc = posix_acl_valid(new_acl);
432 CERROR("acl valid error: %d", rc);
439 acl_count = new_acl ? new_acl->a_count : 0;
440 kperm_size = crypto_kperm_size(acl_count);
441 OBD_ALLOC(kperm, kperm_size);
443 GOTO(out, rc = -ENOMEM);
445 get_real_parameters(inode, iattr, new_acl, &mac_mode, &uid, &gid);
446 ll_init_key_perm(kperm, new_acl, uid, gid, mac_mode);
447 kparms.context = kcontext;
448 kparms.context_size = kcontext_size;
450 kparms.perm_size = kperm_size;
452 *key_size = sizeof(struct crypto_key);
453 OBD_ALLOC(ckey, sizeof(struct crypto_key));
455 GOTO(out, rc = -ENOMEM);
456 /*GET an encrypt key from GS server*/
457 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
460 CERROR("decrypt key error rc %d \n", rc);
464 iattr->ia_valid |= ATTR_MAC;
468 posix_acl_release(acl);
470 posix_acl_release(new_acl);
472 lustre_key_release(lkey);
474 OBD_FREE(kperm, kperm_size);
476 OBD_FREE(kcontext, kcontext_size);
480 static int ll_crypt_permission_check(struct lustre_key *lkey,
484 if (!IS_DECRYPTED(lkey->lk_flags))
486 if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags))
488 if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags))
492 /*key function for calculate the key for countermode method*/
493 static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count,
496 struct inode *inode = page->mapping->host;
497 struct ll_inode_info *lli = ll_i2info(inode);
498 struct lustre_key *lkey = ll_i2info(inode)->lli_key_info;
501 int index = page->index;
508 spin_lock(&lli->lli_lock);
509 rc = ll_crypt_permission_check(lkey, flags);
511 spin_unlock(&lli->lli_lock);
515 key_ptr = &lkey->lk_dk[0];
516 for (i=0; i < KEY_SIZE; i++)
517 data_key += *key_ptr++;
518 spin_unlock(&lli->lli_lock);
521 CDEBUG(D_INFO, "data_key is "LPU64" \n", data_key);
523 ptr = (char *)kmap(page);
526 CDEBUG(D_INFO, "ptr is %s \n", ptr);
527 for (i = 0; i < count; i++)
528 *ptr++ ^= (__u8)data_key;
529 CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr);
535 int ll_gs_init_inode_key(struct inode *inode, void *mkey)
537 struct ll_inode_info *lli = ll_i2info(inode);
538 struct crypto_key *key = (struct crypto_key*)mkey;
539 struct lustre_key *lkey = NULL;
545 if (lli->lli_key_info == NULL) {
546 OBD_ALLOC(lkey, sizeof(struct lustre_key));
549 memcpy(&lkey->lk_ck, key, sizeof(*key));
550 atomic_set(&lkey->lk_refcount, 1);
551 SET_UNDECRYPTED(lkey->lk_flags);
552 ENABLE_ENCRYPT(lkey->lk_flags);
553 ENABLE_DECRYPT(lkey->lk_flags);
554 spin_lock(&lli->lli_lock);
555 lli->lli_key_info = lkey;
556 spin_unlock(&lli->lli_lock);
557 CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n",
558 lli->lli_key_info->lk_ck.ck_key,
559 lli->lli_key_info->lk_ck.ck_mac,
562 lkey = lustre_key_get(lli->lli_key_info);
563 LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE),
564 "old key %s != new key %s\n", lkey->lk_ck.ck_key,
566 spin_lock(&lli->lli_lock);
567 if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)){
568 CDEBUG(D_INFO, "reset mac %s to %s ino %ld \n",
569 lkey->lk_ck.ck_mac, key->ck_mac, inode->i_ino);
570 memcpy(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE);
571 SET_UNDECRYPTED(lkey->lk_flags);
573 spin_unlock(&lli->lli_lock);
574 lustre_key_release(lkey);
579 static int ll_gs_destroy_key(struct inode *inode)
581 struct ll_inode_info *lli = ll_i2info(inode);
583 spin_lock(&lli->lli_lock);
584 if (lli->lli_key_info) {
585 LASSERTF(atomic_read(&lli->lli_key_info->lk_refcount) == 1,
586 "lk_refcount %d != 1 when destory\n",
587 atomic_read(&lli->lli_key_info->lk_refcount));
588 lustre_key_release(lli->lli_key_info);
589 lli->lli_key_info = NULL;
591 spin_unlock(&lli->lli_lock);
595 struct crypto_helper_ops ll_cgs_ops = {
596 .init_it_key = ll_gks_init_it,
597 .create_key = ll_gks_create_key,
598 .init_inode_key = ll_gs_init_inode_key,
599 .get_mac = ll_gks_get_mac,
600 .decrypt_key = ll_gks_decrypt_key,
601 .destroy_key = ll_gs_destroy_key,
604 int ll_mks_create_key(struct inode *inode, struct lookup_intent *it)
606 struct lustre_intent_data *lustre_data;
607 struct crypto_key *crypto_key;
611 LASSERT(it->d.fs_data != NULL);
612 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
614 if (lustre_data->it_key)
615 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
617 OBD_ALLOC(crypto_key, sizeof(struct crypto_key));
621 crypto_key->ck_type = MKS_TYPE;
622 lustre_data->it_key = crypto_key;
623 lustre_data->it_key_size = sizeof(struct crypto_key);
627 int ll_mks_init_it(struct inode *parent, struct lookup_intent *it)
635 ll_gs_intent_init(it);
636 if (it->it_op & IT_CREAT) {
637 ll_mks_create_key(parent, it);
642 int ll_mks_decrypt_key(struct inode *inode, struct lookup_intent *it)
644 struct ll_inode_info *lli = ll_i2info(inode);
645 struct lustre_key *lkey = NULL;
646 struct posix_acl *acl = NULL;
650 rc = ll_get_acl_key(inode, &acl, &lkey);
653 spin_lock(&lli->lli_lock);
654 SET_DECRYPTED(lkey->lk_flags);
655 spin_unlock(&lli->lli_lock);
659 posix_acl_release(acl);
661 lustre_key_release(lkey);
665 struct crypto_helper_ops ll_cmd_ops = {
666 .init_it_key = ll_mks_init_it,
667 .init_inode_key = ll_gs_init_inode_key,
668 .decrypt_key = ll_mks_decrypt_key,
669 .destroy_key = ll_gs_destroy_key,
673 static int ll_register_cops(struct ll_crypto_info *llci, char *type,
674 struct crypto_helper_ops *cops)
676 struct list_head *list = &llci->ll_cops_list;
677 struct crypto_ops_item *opi = NULL, *tmp;
678 char *opi_name = NULL;
682 list_for_each_entry(tmp, list, clist) {
683 if (!strcmp(type, tmp->ctype)) {
684 CWARN("%s is already registered\n", type);
689 OBD_ALLOC(opi, sizeof(*opi));
693 OBD_ALLOC(opi_name, strlen(type) + 1);
695 OBD_FREE(opi, sizeof(*opi));
699 memcpy(opi_name, type, strlen(type));
701 opi->ctype = opi_name;
704 list_add_tail(&opi->clist, list);
708 static int ll_init_sb_crypto(struct super_block *sb)
710 struct ll_crypto_info *llci = NULL;
714 OBD_ALLOC(llci, sizeof(*llci));
718 INIT_LIST_HEAD(&llci->ll_cops_list);
720 ll_register_cops(llci, "gks", &ll_cgs_ops);
721 ll_register_cops(llci, "mks", &ll_cmd_ops);
723 ll_s2sbi(sb)->ll_crypto_info = llci;
728 static int ll_unregister_cops(struct ll_crypto_info *llci)
730 struct list_head *list = &llci->ll_cops_list;
731 struct crypto_ops_item *tmp, *item;
734 list_for_each_entry_safe(item, tmp, list, clist) {
735 list_del_init(&item->clist);
736 OBD_FREE(item->ctype, strlen(item->ctype) + 1);
737 OBD_FREE(item, sizeof(*item));
742 int lustre_destroy_crypto(struct super_block *sb)
744 struct ll_crypto_info *llci = ll_s2crpi(sb);
751 obd_disconnect(llci->ll_gt_exp, 0);
753 ll_unregister_cops(llci);
754 OBD_FREE(llci, sizeof(*llci));
758 int lustre_init_crypto(struct super_block *sb, char *gkc,
759 struct obd_connect_data *data,
762 struct obd_device *obd = NULL;
763 struct ll_sb_info *sbi = ll_s2sbi(sb);
764 struct lustre_handle gt_conn;
768 rc = ll_init_sb_crypto(sb);
772 if (!gkc || !strcmp(gkc, "null")) {
773 CDEBUG(D_INFO, "No gks Server\n");
777 obd = class_name2obd(gkc);
779 CERROR("GSC %s: not setup or attached\n", gkc);
780 GOTO(out, rc = -EINVAL);
783 obd_set_info(obd->obd_self_export, strlen("async"), "async",
784 sizeof(async), &async);
786 rc = obd_connect(>_conn, obd, &sbi->ll_sb_uuid, data,
787 OBD_OPT_REAL_CLIENT);
789 CERROR("cannot connect to %s: rc = %d\n", gkc, rc);
792 ll_s2crpi(sb)->ll_gt_exp = class_conn2export(>_conn);
796 lustre_destroy_crypto(sb);
799 struct crypto_helper_ops *
800 ll_gks_find_ops(struct ll_crypto_info *llc_info, char *type)
802 struct list_head *list = &llc_info->ll_cops_list;
803 struct crypto_ops_item *tmp;
806 list_for_each_entry(tmp, list, clist) {
807 if (!strcmp(type, tmp->ctype)) {
812 CERROR("can not find crypto api %s \n", type);
816 int ll_set_sb_gksinfo(struct super_block *sb, char *type)
818 struct ll_crypto_info *llci = ll_s2crpi(sb);
819 struct obd_export *md_exp = ll_s2mdexp(sb);
820 struct obd_export *dt_exp = ll_s2dtexp(sb);
821 struct crypto_helper_ops *ops;
825 /*try to find the helper ops according to the type*/
826 ops = ll_gks_find_ops(llci, type);
828 CERROR("can not find the crypto ops by type %s \n", type);
833 rc = obd_set_info(md_exp, strlen("crypto_type"), "crypto_type",
836 /*set crypt call back func*/
838 rc = obd_set_info(dt_exp, strlen("crypto_cb"), "crypto_cb",
839 sizeof(crypt_cb_t), &ll_crypt_cb);