1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004, 2005 Cluster File Systems, Inc.
6 * This file is part of Lustre, http://www.lustre.org.
8 * Lustre is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
12 * Lustre is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with Lustre; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #define DEBUG_SUBSYSTEM S_LLITE
25 #include <linux/types.h>
26 #include <linux/version.h>
27 #include <asm/uaccess.h>
28 #include <linux/file.h>
29 #include <linux/kmod.h>
30 #include <linux/posix_acl.h>
31 #include <linux/xattr_acl.h>
33 #include <linux/lustre_acl.h>
34 #include <linux/lustre_lite.h>
35 #include <linux/lustre_gs.h>
36 #include "llite_internal.h"
38 int ll_gs_intent_init(struct lookup_intent *it)
40 struct lustre_intent_data *lustre_data;
42 LASSERT(it->d.fs_data != NULL);
43 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
44 /*set lustre key size when there is gss server
45 *or other configuration*/
46 lustre_data->it_key = NULL;
47 lustre_data->it_key_size = 0;
51 static int ll_get_acl_key(struct inode *inode, struct posix_acl **acl,
52 struct lustre_key **lkey)
54 struct lookup_intent it = { .it_op = IT_GETATTR };
55 struct dentry de = { .d_inode = inode };
56 struct ll_sb_info *sbi;
58 struct ptlrpc_request *req = NULL;
59 struct ll_inode_info *lli = ll_i2info(inode);
63 sbi = ll_i2sbi(inode);
64 ll_inode2id(&id, inode);
66 if (ll_intent_alloc(&it))
69 rc = md_intent_lock(sbi->ll_md_exp, &id, NULL, 0, NULL, 0, &id,
70 &it, 0, &req, ll_mdc_blocking_ast);
76 rc = revalidate_it_finish(req, 1, &it, &de);
78 ll_intent_release(&it);
82 ll_lookup_finish_locks(&it, &de);
85 spin_lock(&lli->lli_lock);
86 *acl = posix_acl_dup(lli->lli_posix_acl);
87 *lkey = lustre_key_get(lli->lli_key_info);
88 spin_unlock(&lli->lli_lock);
92 ptlrpc_req_finished(req);
96 static int ll_init_key_perm(struct key_perm *kperm, struct posix_acl *acl,
97 __u32 uid, __u32 gid, int mode)
101 kperm->kp_acl_count = acl->a_count;
102 memcpy(kperm->kp_acls, acl->a_entries,
103 acl->a_count * sizeof(struct posix_acl_entry));
105 kperm->kp_mode = mode;
111 static int ll_init_key_context(struct key_context *pkc, __u32 uid,
112 __u32 gid, struct crypto_key *ck,
113 struct posix_acl *acl, int mode,
114 int command, int valid)
116 struct key_perm *kperm;
119 pkc->kc_command = command;
120 pkc->kc_valid = valid;
123 memcpy(&pkc->kc_ck, ck, sizeof(*ck));
125 kperm = &pkc->kc_perm;
127 ll_init_key_perm(kperm, acl, uid, gid, mode);
130 static int ll_get_default_acl(struct inode *inode, struct posix_acl **acl,
133 int rc = 0, buf_size, ea_size;
137 if (!S_ISDIR(inode->i_mode))
140 buf_size = xattr_acl_size(LL_ACL_MAX_ENTRIES);
141 OBD_ALLOC(buf, buf_size);
145 ea_size = ll_getxattr_internal(inode, XATTR_NAME_ACL_DEFAULT,
146 buf, buf_size, OBD_MD_FLXATTR);
148 if (ea_size < 0 && ea_size != -ENODATA)
149 CERROR("get default acl of ino %lu error rc %d \n",
150 inode->i_ino, ea_size);
153 *acl = posix_acl_from_xattr(buf, ea_size);
156 CERROR("convert xattr to acl failed: %d\n", rc);
159 rc = posix_acl_valid(*acl);
161 CERROR("acl valid error: %d\n", rc);
162 posix_acl_release(*acl);
167 rc = posix_acl_create_masq(*acl, &mode);
171 OBD_FREE(buf, buf_size);
175 int ll_gks_create_key(struct inode *dir, mode_t mode, void **key,
178 struct obd_export *gs_exp = ll_i2gsexp(dir);
179 struct key_context *kcontext = NULL;
180 struct posix_acl *default_acl = NULL;
181 struct key_parms kparms;
185 OBD_ALLOC(kcontext, sizeof(struct key_context));
187 GOTO(out, rc = -ENOMEM);
189 rc = ll_get_default_acl(dir, &default_acl, mode);
193 ll_init_key_context(kcontext, current->fsuid, current->fsgid,
194 NULL, default_acl, mode, GKS_GET_KEY, 0);
196 kparms.context = kcontext;
197 kparms.context_size = sizeof(struct key_context);
200 *key_size = sizeof(struct crypto_key);
201 OBD_ALLOC(*key, *key_size);
203 GOTO(out, rc = -ENOMEM);
205 /* GET an encrypt key from GS server */
206 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
209 CERROR("get key error rc %d \n", rc);
212 CDEBUG(D_INFO, "Get enkey %s MAC %s from exp %p \n",
213 (char*)((struct crypto_key *)(*key))->ck_key,
214 (char*)((struct crypto_key *)(*key))->ck_mac,
219 OBD_FREE(kcontext, sizeof(struct key_context));
221 posix_acl_release(default_acl);
226 int ll_gks_init_it(struct inode *parent, struct lookup_intent *it)
228 struct obd_export *gs_exp = ll_i2gsexp(parent);
229 struct lustre_intent_data *lustre_data;
230 mode_t mode = (it->it_create_mode | S_IFREG) & (~current->fs->umask);
232 int key_size = 0, rc = 0;
238 ll_gs_intent_init(it);
239 if (!(it->it_flags & O_CREAT))
242 LASSERT(it->d.fs_data != NULL);
243 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
245 if (lustre_data->it_key) {
246 LASSERT(lustre_data->it_key_size ==
247 sizeof(struct crypto_key));
248 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
251 rc = ll_gks_create_key(parent, mode, &key, &key_size);
255 lustre_data->it_key = key;
256 lustre_data->it_key_size = key_size;
261 OBD_FREE(key, key_size);
266 int ll_gks_decrypt_key(struct inode *inode, struct lookup_intent *it)
268 struct obd_export *gs_exp = ll_i2gsexp(inode);
269 struct ll_inode_info *lli = ll_i2info(inode);
270 struct key_context *kcontext = NULL;
271 struct key_perm *kperm = NULL;
272 struct key_parms kparms;
273 struct lustre_key *lkey = NULL;
274 struct crypto_key *ckey = NULL;
275 struct posix_acl *acl = NULL;
277 int rc = 0, ck_size = 0, kcontext_size = 0, acl_count;
284 rc = ll_get_acl_key(inode, &acl, &lkey);
287 if (!lkey || IS_DECRYPTED(lkey->lk_flags))
290 acl_count = acl ? acl->a_count : 0;
291 kcontext_size = crypto_kcontext_size(acl_count);
292 OBD_ALLOC(kcontext, kcontext_size);
294 GOTO(out, rc = -ENOMEM);
296 flags = mds_pack_open_flags(it->it_flags);
298 spin_lock(&lli->lli_lock);
299 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
300 acl, inode->i_mode, GKS_DECRYPT_KEY, flags);
302 spin_unlock(&lli->lli_lock);
304 OBD_ALLOC(kperm, sizeof(struct key_perm));
306 GOTO(out, rc = -ENOMEM);
308 ll_init_key_perm(kperm, NULL, current->uid, current->gid, 0);
310 kparms.context = kcontext;
311 kparms.context_size = kcontext_size;
313 kparms.perm_size = sizeof(struct key_perm);
315 ck_size = sizeof(*ckey);
316 OBD_ALLOC(ckey, ck_size);
318 GOTO(out, rc = -ENOMEM);
320 /*GET an encrypt key from GS server*/
321 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
324 CERROR("decrypt key error rc %d \n", rc);
327 CDEBUG(D_INFO, "decrypt key %s MAC %s from exp %p \n",
328 ckey->ck_mac, ckey->ck_mac, gs_exp);
330 /*copy the decrypt key from kcontext to the lustre key*/
332 spin_lock(&lli->lli_lock);
333 memcpy(&lkey->lk_dk, ckey->ck_key, KEY_SIZE);
334 SET_DECRYPTED(lkey->lk_flags);
335 spin_unlock(&lli->lli_lock);
339 posix_acl_release(acl);
341 lustre_key_release(lkey);
343 OBD_FREE(kperm, sizeof(struct key_perm));
345 OBD_FREE(kcontext, kcontext_size);
347 OBD_FREE(ckey, ck_size);
351 static void get_real_parameters(struct inode *inode, struct iattr *iattr,
352 struct posix_acl *new_acl, mode_t *mode,
353 __u32 *uid, __u32 *gid)
357 if (iattr->ia_valid & ATTR_MODE) {
358 *mode = iattr->ia_mode;
360 *mode = inode->i_mode;
362 posix_acl_equiv_mode(new_acl, mode);
363 CDEBUG(D_INFO, "get new mode %d \n", *mode);
367 if (iattr->ia_valid & ATTR_UID)
368 *uid = iattr->ia_uid;
372 if (iattr->ia_valid & ATTR_GID)
373 *gid = iattr->ia_gid;
378 int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value,
379 int size, void **key, int *key_size)
381 struct ll_inode_info *lli = ll_i2info(inode);
382 struct obd_export *gs_exp = ll_i2gsexp(inode);
383 struct key_context *kcontext = NULL;
384 struct key_perm *kperm = NULL;
385 struct key_parms kparms;
386 struct lustre_key *lkey = NULL;
387 struct crypto_key *ckey = NULL;
388 struct posix_acl *acl = NULL, *new_acl = NULL;
389 int rc = 0, kperm_size = 0, kcontext_size = 0;
399 rc = ll_get_acl_key(inode, &acl, &lkey);
405 acl_count = acl ? acl->a_count : 0;
406 kcontext_size = crypto_kcontext_size(acl_count);
407 OBD_ALLOC(kcontext, kcontext_size);
409 GOTO(out, rc = -ENOMEM);
410 spin_lock(&lli->lli_lock);
411 ll_init_key_context(kcontext, inode->i_uid, inode->i_gid, &lkey->lk_ck,
412 acl, inode->i_mode, GKS_GET_MAC, iattr->ia_valid);
413 spin_unlock(&lli->lli_lock);
415 new_acl = posix_acl_from_xattr(value, size);
416 if (IS_ERR(new_acl)) {
417 rc = PTR_ERR(new_acl);
418 CERROR("convert from xattr to acl error: %d",rc);
421 } else if (new_acl) {
422 rc = posix_acl_valid(new_acl);
424 CERROR("acl valid error: %d", rc);
431 acl_count = new_acl ? new_acl->a_count : 0;
432 kperm_size = crypto_kperm_size(acl_count);
433 OBD_ALLOC(kperm, kperm_size);
435 GOTO(out, rc = -ENOMEM);
437 get_real_parameters(inode, iattr, new_acl, &mac_mode, &uid, &gid);
438 ll_init_key_perm(kperm, new_acl, uid, gid, mac_mode);
439 kparms.context = kcontext;
440 kparms.context_size = kcontext_size;
442 kparms.perm_size = kperm_size;
444 *key_size = sizeof(struct crypto_key);
445 OBD_ALLOC(ckey, sizeof(struct crypto_key));
447 GOTO(out, rc = -ENOMEM);
448 /*GET an encrypt key from GS server*/
449 rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
452 CERROR("decrypt key error rc %d \n", rc);
457 iattr->ia_valid |= ATTR_MAC;
460 posix_acl_release(acl);
462 posix_acl_release(new_acl);
464 lustre_key_release(lkey);
466 OBD_FREE(kperm, kperm_size);
468 OBD_FREE(kcontext, kcontext_size);
472 static int ll_crypt_permission_check(struct lustre_key *lkey,
476 if (!IS_DECRYPTED(lkey->lk_flags))
478 if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags))
480 if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags))
484 /*key function for calculate the key for countermode method*/
485 static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count,
488 struct inode *inode = page->mapping->host;
489 struct ll_inode_info *lli = ll_i2info(inode);
490 struct lustre_key *lkey = ll_i2info(inode)->lli_key_info;
493 int index = page->index;
500 spin_lock(&lli->lli_lock);
501 rc = ll_crypt_permission_check(lkey, flags);
503 spin_unlock(&lli->lli_lock);
507 key_ptr = &lkey->lk_dk[0];
508 for (i=0; i < KEY_SIZE; i++)
509 data_key += *key_ptr++;
510 spin_unlock(&lli->lli_lock);
513 CDEBUG(D_INFO, "data_key is %d \n", data_key);
515 CDEBUG(D_INFO, "data_key is 0, inc 1 \n");
518 LASSERT((__u8)data_key != 0);
520 ptr = (char *)kmap(page);
522 ptr += offset & (PAGE_SIZE - 1);
523 //CDEBUG(D_INFO, "ptr is %s \n", ptr);
524 for (i = 0; i < count; i++)
525 *ptr++ ^= (__u8)data_key;
526 //CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr);
532 int ll_gs_init_inode_key(struct inode *inode, void *mkey)
534 struct ll_inode_info *lli = ll_i2info(inode);
535 struct crypto_key *key = (struct crypto_key*)mkey;
536 struct lustre_key *lkey = NULL;
542 if (lli->lli_key_info == NULL) {
543 OBD_ALLOC(lkey, sizeof(struct lustre_key));
546 memcpy(&lkey->lk_ck, key, sizeof(*key));
547 atomic_set(&lkey->lk_refcount, 1);
548 SET_UNDECRYPTED(lkey->lk_flags);
549 ENABLE_ENCRYPT(lkey->lk_flags);
550 ENABLE_DECRYPT(lkey->lk_flags);
551 spin_lock(&lli->lli_lock);
552 lli->lli_key_info = lkey;
553 spin_unlock(&lli->lli_lock);
554 CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n",
555 lli->lli_key_info->lk_ck.ck_key,
556 lli->lli_key_info->lk_ck.ck_mac,
559 lkey = lustre_key_get(lli->lli_key_info);
560 LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE),
561 "old key %s != new key %s\n", lkey->lk_ck.ck_key,
563 spin_lock(&lli->lli_lock);
564 if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)){
565 CDEBUG(D_INFO, "reset mac %s to %s ino %ld \n",
566 lkey->lk_ck.ck_mac, key->ck_mac, inode->i_ino);
567 memcpy(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE);
568 SET_UNDECRYPTED(lkey->lk_flags);
570 spin_unlock(&lli->lli_lock);
571 lustre_key_release(lkey);
576 static int ll_gs_destroy_key(struct inode *inode)
578 struct ll_inode_info *lli = ll_i2info(inode);
580 spin_lock(&lli->lli_lock);
581 if (lli->lli_key_info) {
582 LASSERTF(atomic_read(&lli->lli_key_info->lk_refcount) == 1,
583 "lk_refcount %d != 1 when destory\n",
584 atomic_read(&lli->lli_key_info->lk_refcount));
585 lustre_key_release(lli->lli_key_info);
586 lli->lli_key_info = NULL;
588 spin_unlock(&lli->lli_lock);
592 struct crypto_helper_ops ll_cgs_ops = {
593 .init_it_key = ll_gks_init_it,
594 .create_key = ll_gks_create_key,
595 .init_inode_key = ll_gs_init_inode_key,
596 .get_mac = ll_gks_get_mac,
597 .decrypt_key = ll_gks_decrypt_key,
598 .destroy_key = ll_gs_destroy_key,
601 int ll_mks_create_key(struct inode *inode, struct lookup_intent *it)
603 struct lustre_intent_data *lustre_data;
604 struct crypto_key *crypto_key;
608 LASSERT(it->d.fs_data != NULL);
609 lustre_data = (struct lustre_intent_data *)it->d.fs_data;
611 if (lustre_data->it_key)
612 OBD_FREE(lustre_data->it_key, sizeof(struct crypto_key));
614 OBD_ALLOC(crypto_key, sizeof(struct crypto_key));
618 crypto_key->ck_type = MKS_TYPE;
619 lustre_data->it_key = crypto_key;
620 lustre_data->it_key_size = sizeof(struct crypto_key);
624 int ll_mks_init_it(struct inode *parent, struct lookup_intent *it)
632 ll_gs_intent_init(it);
633 if (it->it_op & IT_CREAT) {
634 ll_mks_create_key(parent, it);
639 int ll_mks_decrypt_key(struct inode *inode, struct lookup_intent *it)
641 struct ll_inode_info *lli = ll_i2info(inode);
642 struct lustre_key *lkey = NULL;
643 struct posix_acl *acl = NULL;
647 rc = ll_get_acl_key(inode, &acl, &lkey);
650 spin_lock(&lli->lli_lock);
651 SET_DECRYPTED(lkey->lk_flags);
652 memcpy(&lkey->lk_dk, lkey->lk_ck.ck_key, KEY_SIZE);
653 spin_unlock(&lli->lli_lock);
657 posix_acl_release(acl);
659 lustre_key_release(lkey);
663 struct crypto_helper_ops ll_cmd_ops = {
664 .init_it_key = ll_mks_init_it,
665 .init_inode_key = ll_gs_init_inode_key,
666 .decrypt_key = ll_mks_decrypt_key,
667 .destroy_key = ll_gs_destroy_key,
671 static int ll_register_cops(struct ll_crypto_info *llci, char *type,
672 struct crypto_helper_ops *cops)
674 struct list_head *list = &llci->ll_cops_list;
675 struct crypto_ops_item *opi = NULL, *tmp;
676 char *opi_name = NULL;
680 list_for_each_entry(tmp, list, clist) {
681 if (!strcmp(type, tmp->ctype)) {
682 CWARN("%s is already registered\n", type);
687 OBD_ALLOC(opi, sizeof(*opi));
691 OBD_ALLOC(opi_name, strlen(type) + 1);
693 OBD_FREE(opi, sizeof(*opi));
697 memcpy(opi_name, type, strlen(type));
699 opi->ctype = opi_name;
702 list_add_tail(&opi->clist, list);
706 static int ll_init_sb_crypto(struct super_block *sb)
708 struct ll_crypto_info *llci = NULL;
712 OBD_ALLOC(llci, sizeof(*llci));
716 INIT_LIST_HEAD(&llci->ll_cops_list);
718 ll_register_cops(llci, "gks", &ll_cgs_ops);
719 ll_register_cops(llci, "mks", &ll_cmd_ops);
721 ll_s2sbi(sb)->ll_crypto_info = llci;
726 static int ll_unregister_cops(struct ll_crypto_info *llci)
728 struct list_head *list = &llci->ll_cops_list;
729 struct crypto_ops_item *tmp, *item;
732 list_for_each_entry_safe(item, tmp, list, clist) {
733 list_del_init(&item->clist);
734 OBD_FREE(item->ctype, strlen(item->ctype) + 1);
735 OBD_FREE(item, sizeof(*item));
740 int lustre_destroy_crypto(struct super_block *sb)
742 struct ll_crypto_info *llci = ll_s2crpi(sb);
749 obd_disconnect(llci->ll_gt_exp, 0);
751 ll_unregister_cops(llci);
752 OBD_FREE(llci, sizeof(*llci));
756 int lustre_init_crypto(struct super_block *sb, char *gkc,
757 struct obd_connect_data *data,
760 struct obd_device *obd = NULL;
761 struct ll_sb_info *sbi = ll_s2sbi(sb);
762 struct lustre_handle gt_conn;
766 rc = ll_init_sb_crypto(sb);
770 if (!gkc || !strcmp(gkc, "null")) {
771 CDEBUG(D_INFO, "No gks Server\n");
775 obd = class_name2obd(gkc);
777 CERROR("GSC %s: not setup or attached\n", gkc);
778 GOTO(out, rc = -EINVAL);
781 obd_set_info(obd->obd_self_export, strlen("async"), "async",
782 sizeof(async), &async);
784 rc = obd_connect(>_conn, obd, &sbi->ll_sb_uuid, data,
785 OBD_OPT_REAL_CLIENT);
787 CERROR("cannot connect to %s: rc = %d\n", gkc, rc);
790 ll_s2crpi(sb)->ll_gt_exp = class_conn2export(>_conn);
794 lustre_destroy_crypto(sb);
797 struct crypto_helper_ops *
798 ll_gks_find_ops(struct ll_crypto_info *llc_info, char *type)
800 struct list_head *list = &llc_info->ll_cops_list;
801 struct crypto_ops_item *tmp;
804 list_for_each_entry(tmp, list, clist) {
805 if (!strcmp(type, tmp->ctype)) {
810 CERROR("can not find crypto api %s \n", type);
814 int ll_set_sb_gksinfo(struct super_block *sb, char *type)
816 struct ll_crypto_info *llci = ll_s2crpi(sb);
817 struct obd_export *md_exp = ll_s2mdexp(sb);
818 struct obd_export *dt_exp = ll_s2dtexp(sb);
819 struct crypto_helper_ops *ops;
823 /*try to find the helper ops according to the type*/
824 ops = ll_gks_find_ops(llci, type);
826 CERROR("can not find the crypto ops by type %s \n", type);
831 rc = obd_set_info(md_exp, strlen("crypto_type"), "crypto_type",
834 /*set crypt call back func*/
836 rc = obd_set_info(dt_exp, strlen("crypto_cb"), "crypto_cb",
837 sizeof(crypt_cb_t), &ll_crypt_cb);