LU-16621 enc: file names encryption when using secure boot
authorAlex Deiter <alex.deiter@gmail.com>
Mon, 6 Mar 2023 13:59:46 +0000 (13:59 +0000)
committerAndreas Dilger <adilger@whamcloud.com>
Tue, 25 Apr 2023 03:58:16 +0000 (03:58 +0000)
Secure boot activates lockdown mode in the Linux kernel,
and debugfs is restricted when the kernel is locked down.
This patch moves the file name encryption settings from debugfs to sysfs.

Lustre-change: https://review.whamcloud.com/50219
Lustre-commit: 716675fff642655c4d4715654b0b4880b96139b6

Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Alex Deiter <alex.deiter@gmail.com>
Change-Id: I434714941ffac2a4694cabd33f613aef70933678
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/50578
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
lustre/llite/llite_internal.h
lustre/llite/llite_lib.c
lustre/llite/lproc_llite.c

index 74de436..f0eb8f0 100644 (file)
@@ -810,6 +810,7 @@ struct ll_sb_info {
        spinlock_t               ll_lock;
        spinlock_t               ll_pp_extent_lock; /* pp_extent entry*/
        spinlock_t               ll_process_lock; /* ll_rw_process_info */
+       struct lustre_sb_info    *lsi;
        struct obd_uuid          ll_sb_uuid;
        struct obd_export       *ll_md_exp;
        struct obd_export       *ll_dt_exp;
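Review bot: The new member `lsi` is the only field in this part of `struct ll_sb_info` without the `ll_` prefix, and it has no comment saying what it points to. Every neighbouring field visible here (`ll_lock`, `ll_sb_uuid`, `ll_md_exp`, `ll_dt_exp`) follows the prefix, so `struct lustre_sb_info *ll_lsi; /* back pointer to lustre_sb_info */` would match, with the uses in llite_lib.c and lproc_llite.c renamed accordingly. The struct definition starts and ends outside this hunk.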
index f6104c4..16c1d47 100644 (file)
@@ -86,7 +86,7 @@ static inline unsigned int ll_get_ra_async_max_active(void)
        return cfs_cpt_weight(cfs_cpt_tab, CFS_CPT_ANY) >> 1;
 }
 
-static struct ll_sb_info *ll_init_sbi(void)
+static struct ll_sb_info *ll_init_sbi(struct lustre_sb_info *lsi)
 {
        struct ll_sb_info *sbi = NULL;
        unsigned long pages;
@@ -109,7 +109,8 @@ static struct ll_sb_info *ll_init_sbi(void)
        mutex_init(&sbi->ll_lco.lco_lock);
        spin_lock_init(&sbi->ll_pp_extent_lock);
        spin_lock_init(&sbi->ll_process_lock);
-        sbi->ll_rw_stats_on = 0;
+       sbi->lsi = lsi;
+       sbi->ll_rw_stats_on = 0;
        sbi->ll_statfs_max_age = OBD_STATFS_CACHE_SECONDS;
 
         si_meminfo(&si);
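Review bot: `sbi->lsi = lsi;` stores a raw back pointer with no reference taken, and the new sysfs handlers in lproc_llite.c dereference `sbi->lsi` unconditionally, so the sysfs attributes have to be unregistered before the `lustre_sb_info` is released. The teardown order is not visible in this diff, so this is something to confirm rather than a demonstrated defect. If the order is already guaranteed, a note at the assignment such as `/* used by sysfs handlers; lsi must outlive ll_kset */` would make the requirement explicit. ll_init_sbi begins in the previous hunk and continues past this one.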
@@ -1206,7 +1207,7 @@ int ll_fill_super(struct super_block *sb)
                GOTO(out_free_cfg, err = -ENOMEM);
 
        /* client additional sb info */
-       lsi->lsi_llsbi = sbi = ll_init_sbi();
+       lsi->lsi_llsbi = sbi = ll_init_sbi(lsi);
        if (IS_ERR(sbi))
                GOTO(out_free_cfg, err = PTR_ERR(sbi));
 
index 5612a41..1588b0c 100644 (file)
@@ -1880,27 +1880,30 @@ static ssize_t ll_nosquash_nids_seq_write(struct file *file,
 LDEBUGFS_SEQ_FOPS(ll_nosquash_nids);
 
 #ifdef CONFIG_LL_ENCRYPTION
-static int ll_filename_enc_seq_show(struct seq_file *m, void *v)
+static ssize_t enable_filename_encryption_show(struct kobject *kobj,
+                                              struct attribute *attr,
+                                              char *buffer)
 {
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
 
-       seq_printf(m, "%u\n", lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);
-       return 0;
+       return snprintf(buffer, PAGE_SIZE,  "%u\n",
+                       lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);
 }
 
-static ssize_t ll_filename_enc_seq_write(struct file *file,
-                                        const char __user *buffer,
-                                        size_t count, loff_t *off)
+static ssize_t enable_filename_encryption_store(struct kobject *kobj,
+                                               struct attribute *attr,
+                                               const char *buffer,
+                                               size_t count)
 {
-       struct seq_file *m = file->private_data;
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
-       struct ll_sb_info *sbi = ll_s2sbi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
        bool val;
        int rc;
 
-       rc = kstrtobool_from_user(buffer, count, &val);
+       rc = kstrtobool(buffer, &val);
        if (rc)
                return rc;
 
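Review bot: Both new `_show` handlers, `enable_filename_encryption_show` here and `filename_enc_use_old_base64_show` in the next hunk, format with `snprintf(buffer, PAGE_SIZE, ...)`, which returns the length the output would have had rather than the bytes actually written. With a fixed `"%u\n"` this cannot overflow, so it is a style point, but the kernel convention for sysfs show callbacks is `sysfs_emit()`, or `scnprintf()` on kernels that lack it, and following it keeps the pattern safe to copy: `return scnprintf(buffer, PAGE_SIZE, "%u\n", lsi->lsi_flags & LSI_FILENAME_ENC ? 1 : 0);`. The first call also has a doubled space after `PAGE_SIZE,`. `enable_filename_encryption_store` continues past the end of this hunk.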
@@ -1923,30 +1926,32 @@ static ssize_t ll_filename_enc_seq_write(struct file *file,
        return count;
 }
 
-LDEBUGFS_SEQ_FOPS(ll_filename_enc);
+LUSTRE_RW_ATTR(enable_filename_encryption);
 
-static int ll_old_b64_enc_seq_show(struct seq_file *m, void *v)
+static ssize_t filename_enc_use_old_base64_show(struct kobject *kobj,
+                                               struct attribute *attr,
+                                               char *buffer)
 {
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
 
-       seq_printf(m, "%u\n",
-                  lsi->lsi_flags & LSI_FILENAME_ENC_B64_OLD_CLI ? 1 : 0);
-       return 0;
+       return snprintf(buffer, PAGE_SIZE, "%u\n",
+                       lsi->lsi_flags & LSI_FILENAME_ENC_B64_OLD_CLI ? 1 : 0);
 }
 
-static ssize_t ll_old_b64_enc_seq_write(struct file *file,
-                                        const char __user *buffer,
-                                        size_t count, loff_t *off)
+static ssize_t filename_enc_use_old_base64_store(struct kobject *kobj,
+                                                struct attribute *attr,
+                                                const char *buffer,
+                                                size_t count)
 {
-       struct seq_file *m = file->private_data;
-       struct super_block *sb = m->private;
-       struct lustre_sb_info *lsi = s2lsi(sb);
-       struct ll_sb_info *sbi = ll_s2sbi(sb);
+       struct ll_sb_info *sbi = container_of(kobj, struct ll_sb_info,
+                                             ll_kset.kobj);
+       struct lustre_sb_info *lsi = sbi->lsi;
        bool val;
        int rc;
 
-       rc = kstrtobool_from_user(buffer, count, &val);
+       rc = kstrtobool(buffer, &val);
        if (rc)
                return rc;
 
@@ -1970,7 +1975,7 @@ static ssize_t ll_old_b64_enc_seq_write(struct file *file,
        return count;
 }
 
-LDEBUGFS_SEQ_FOPS(ll_old_b64_enc);
+LUSTRE_RW_ATTR(filename_enc_use_old_base64);
 #endif /* CONFIG_LL_ENCRYPTION */
 
 static int ll_pcc_seq_show(struct seq_file *m, void *v)
@@ -2027,12 +2032,6 @@ struct ldebugfs_vars lprocfs_llite_obd_vars[] = {
          .fops =       &ll_nosquash_nids_fops                  },
        { .name =       "pcc",
          .fops =       &ll_pcc_fops,                           },
-#ifdef CONFIG_LL_ENCRYPTION
-       { .name =       "enable_filename_encryption",
-         .fops =       &ll_filename_enc_fops,                  },
-       { .name =       "filename_enc_use_old_base64",
-         .fops =       &ll_old_b64_enc_fops,                   },
-#endif
        { NULL }
 };
 
@@ -2086,6 +2085,10 @@ static struct attribute *llite_attrs[] = {
        &lustre_attr_opencache_threshold_count.attr,
        &lustre_attr_opencache_threshold_ms.attr,
        &lustre_attr_opencache_max_ms.attr,
+#ifdef CONFIG_LL_ENCRYPTION
+       &lustre_attr_enable_filename_encryption.attr,
+       &lustre_attr_filename_enc_use_old_base64.attr,
+#endif
        NULL,
 };
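Review bot: Registering these two attributes in `llite_attrs[]` moves the filename-encryption switches from debugfs, which is normally reachable by root only, into sysfs, and their file mode now comes from `LUSTRE_RW_ATTR`, whose definition is outside this diff. It is worth confirming that the resulting mode keeps writes root-only, since the visible lines of the store handlers perform no capability check of their own, and deciding whether unprivileged reads of the encryption state are acceptable. A short comment above the `#ifdef`, for example `/* moved from debugfs so they remain usable under kernel lockdown */`, would record why they live here. The array definition starts outside the hunk.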