LU-16621 enc: file names encryption when using secure boot 19/50219/2
authorAlex Deiter <alex.deiter@gmail.com>
Mon, 6 Mar 2023 13:59:46 +0000 (13:59 +0000)
committerOleg Drokin <green@whamcloud.com>
Mon, 13 Mar 2023 06:05:44 +0000 (06:05 +0000)
Secure boot activates lockdown mode in the Linux kernel,
and debugfs is restricted when the kernel is locked down.
This patch moves the file name encryption tunables from debugfs to sysfs.

Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Alex Deiter <alex.deiter@gmail.com>
Change-Id: I434714941ffac2a4694cabd33f613aef70933678
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/50219
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: jsimmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/llite/llite_internal.h
lustre/llite/llite_lib.c
lustre/llite/lproc_llite.c

index 5ce54fc..89edc09 100644 (file)
@@ -747,6 +747,7 @@ struct ll_sb_info {
        spinlock_t               ll_lock;
        spinlock_t               ll_pp_extent_lock; /* pp_extent entry*/
        spinlock_t               ll_process_lock; /* ll_rw_process_info */
+       struct lustre_sb_info    *lsi;
        struct obd_uuid          ll_sb_uuid;
        struct obd_export       *ll_md_exp;
        struct obd_export       *ll_dt_exp;
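Review bot: The new `lsi` member is added without a comment and without the `ll_` prefix that the neighbouring members of struct ll_sb_info carry. It is a raw back-pointer that the sysfs handlers added in lproc_llite.c dereference, so a one-line comment on ownership would help, for example `struct lustre_sb_info *lsi; /* back-pointer to the owning lsi; no reference taken */`. Whether lsi is guaranteed to outlive the ll_kset kobject is not visible in this patch and is worth confirming against the unmount path. The struct definition starts and ends outside the hunk.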
index e59c84a..054661e 100644 (file)
@@ -86,7 +86,7 @@ static inline unsigned int ll_get_ra_async_max_active(void)
        return cfs_cpt_weight(cfs_cpt_tab, CFS_CPT_ANY) >> 1;
 }
 
-static struct ll_sb_info *ll_init_sbi(void)
+static struct ll_sb_info *ll_init_sbi(struct lustre_sb_info *lsi)
 {
        struct ll_sb_info *sbi = NULL;
        unsigned long pages;
@@ -108,7 +108,8 @@ static struct ll_sb_info *ll_init_sbi(void)
        mutex_init(&sbi->ll_lco.lco_lock);
        spin_lock_init(&sbi->ll_pp_extent_lock);
        spin_lock_init(&sbi->ll_process_lock);
-        sbi->ll_rw_stats_on = 0;
+       sbi->lsi = lsi;
+       sbi->ll_rw_stats_on = 0;
        sbi->ll_statfs_max_age = OBD_STATFS_CACHE_SECONDS;
 
         si_meminfo(&si);
@@ -1332,7 +1333,7 @@ int ll_fill_super(struct super_block *sb)
                GOTO(out_free_cfg, err = -ENOMEM);
 
        /* client additional sb info */
-       lsi->lsi_llsbi = sbi = ll_init_sbi();
+       lsi->lsi_llsbi = sbi = ll_init_sbi(lsi);
        if (IS_ERR(sbi))
                GOTO(out_free_cfg, err = PTR_ERR(sbi));
 
index d5e7625..4887946 100644 (file)
@@ -1643,27 +1643,30 @@ static ssize_t ll_nosquash_nids_seq_write(struct file *file,
 LDEBUGFS_SEQ_FOPS(ll_nosquash_nids);
 
 #if defined(CONFIG_LL_ENCRYPTION)
-static int ll_filename_enc_seq_show(struct seq_file *m, void *v)
+static ssize_t enable_filename_encryption_show(struct kobject *kobj,
+                                              struct attribute *attr,
+                                              char *buffer)
 {
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
 
-       seq_printf(m, "%u\n", lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);
-       return 0;
+       return snprintf(buffer, PAGE_SIZE,  "%u\n",
+                       lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);
 }
 
-static ssize_t ll_filename_enc_seq_write(struct file *file,
-                                        const char __user *buffer,
-                                        size_t count, loff_t *off)
+static ssize_t enable_filename_encryption_store(struct kobject *kobj,
+                                               struct attribute *attr,
+                                               const char *buffer,
+                                               size_t count)
 {
-       struct seq_file *m = file->private_data;
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
-       struct ll_sb_info *sbi = ll_s2sbi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
        bool val;
        int rc;
 
-       rc = kstrtobool_from_user(buffer, count, &val);
+       rc = kstrtobool(buffer, &val);
        if (rc)
                return rc;
 
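Review bot: Both show handlers return the result of `snprintf(buffer, PAGE_SIZE, ...)`, which reports the length that would have been written rather than the length actually written; sysfs show callbacks conventionally use `scnprintf` (or `sysfs_emit` where the kernel provides it). The output here is only two bytes, so this is a convention point rather than an overflow, and `return scnprintf(buffer, PAGE_SIZE, "%u\n", lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);` would also drop the stray double space after `PAGE_SIZE,`. The same applies to filename_enc_use_old_base64_show in the next hunk. Separately, with the settings now in sysfs instead of debugfs, the file mode that LUSTRE_RW_ATTR assigns (defined outside this page) decides who can read the encryption state, so it is worth confirming that mode is what is intended. enable_filename_encryption_store continues past the end of this hunk.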
@@ -1686,32 +1689,34 @@ static ssize_t ll_filename_enc_seq_write(struct file *file,
        return count;
 }
 
-LDEBUGFS_SEQ_FOPS(ll_filename_enc);
+LUSTRE_RW_ATTR(enable_filename_encryption);
 #endif /* CONFIG_LL_ENCRYPTION */
 
 #if defined(CONFIG_LL_ENCRYPTION) || defined(HAVE_LUSTRE_CRYPTO)
-static int ll_old_b64_enc_seq_show(struct seq_file *m, void *v)
+static ssize_t filename_enc_use_old_base64_show(struct kobject *kobj,
+                                               struct attribute *attr,
+                                               char *buffer)
 {
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
 
-       seq_printf(m, "%u\n",
-                  lsi->lsi_flags & LSI_FILENAME_ENC_B64_OLD_CLI ? 1 : 0);
-       return 0;
+       return snprintf(buffer, PAGE_SIZE, "%u\n",
+                       lsi->lsi_flags & LSI_FILENAME_ENC_B64_OLD_CLI ? 1 : 0);
 }
 
-static ssize_t ll_old_b64_enc_seq_write(struct file *file,
-                                        const char __user *buffer,
-                                        size_t count, loff_t *off)
+static ssize_t filename_enc_use_old_base64_store(struct kobject *kobj,
+                                                struct attribute *attr,
+                                                const char *buffer,
+                                                size_t count)
 {
-       struct seq_file *m = file->private_data;
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
-       struct ll_sb_info *sbi = ll_s2sbi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
        bool val;
        int rc;
 
-       rc = kstrtobool_from_user(buffer, count, &val);
+       rc = kstrtobool(buffer, &val);
        if (rc)
                return rc;
 
@@ -1735,7 +1740,7 @@ static ssize_t ll_old_b64_enc_seq_write(struct file *file,
        return count;
 }
 
-LDEBUGFS_SEQ_FOPS(ll_old_b64_enc);
+LUSTRE_RW_ATTR(filename_enc_use_old_base64);
 #endif /* CONFIG_LL_ENCRYPTION || HAVE_LUSTRE_CRYPTO */
 
 static int ll_pcc_seq_show(struct seq_file *m, void *v)
@@ -1792,14 +1797,6 @@ struct ldebugfs_vars lprocfs_llite_obd_vars[] = {
          .fops =       &ll_nosquash_nids_fops                  },
        { .name =       "pcc",
          .fops =       &ll_pcc_fops,                           },
-#ifdef CONFIG_LL_ENCRYPTION
-       { .name =       "enable_filename_encryption",
-         .fops =       &ll_filename_enc_fops,                  },
-#endif
-#if defined(CONFIG_LL_ENCRYPTION) || defined(HAVE_LUSTRE_CRYPTO)
-       { .name =       "filename_enc_use_old_base64",
-         .fops =       &ll_old_b64_enc_fops,                   },
-#endif
        { NULL }
 };
 
@@ -1849,6 +1846,12 @@ static struct attribute *llite_attrs[] = {
        &lustre_attr_opencache_threshold_ms.attr,
        &lustre_attr_opencache_max_ms.attr,
        &lustre_attr_inode_cache.attr,
+#ifdef CONFIG_LL_ENCRYPTION
+       &lustre_attr_enable_filename_encryption.attr,
+#endif
+#if defined(CONFIG_LL_ENCRYPTION) || defined(HAVE_LUSTRE_CRYPTO)
+       &lustre_attr_filename_enc_use_old_base64.attr,
+#endif
        NULL,
 };