#include <libcfs/libcfs.h>
#include <libcfs/libcfs_crypto.h>
#include <lnet/lib-lnet.h>
-#include <libcfs/crypto/llcrypt.h>
+#include <lustre_crypto.h>
#include "tracefile.h"
struct lnet_debugfs_symlink_def {
rc = llcrypt_init();
if (rc) {
CERROR("llcrypt_init: error %d\n", rc);
- goto cleanup_wi;
+ goto cleanup_crypto;
}
- CDEBUG (D_OTHER, "portals setup OK\n");
+ CDEBUG(D_OTHER, "portals setup OK\n");
return 0;
+cleanup_crypto:
+ cfs_crypto_unregister();
cleanup_wi:
cfs_wi_shutdown();
cleanup_deregister:
]) # LC_FSCRYPT_SUPPORT
#
+# LC_FSCRYPT_DIGESTED_NAME
+#
+# Kernel 5.5-rc4 edc440e3d27fb31e6f9663cf413fad97d714c060
+# improved the format of no-key names. This results in the
+# removal of FSCRYPT_FNAME_DIGEST and FSCRYPT_FNAME_DIGEST_SIZE.
+#
+AC_DEFUN([LC_FSCRYPT_DIGESTED_NAME], [
+tmp_flags="$EXTRA_KCFLAGS"
+EXTRA_KCFLAGS="-Werror"
+LB_CHECK_COMPILE([if fscrypt has 'struct fscrypt_digested_name'],
+fscrypt_digested_name, [
+ #include <linux/fscrypt.h>
+],[
+ struct fscrypt_digested_name fname;
+
+ fname.hash = 0;
+],[
+ AC_DEFINE(HAVE_FSCRYPT_DIGESTED_NAME, 1,
+ ['struct fscrypt_digested_name' exists])
+])
+EXTRA_KCFLAGS="$tmp_flags"
+]) # LC_FSCRYPT_DIGESTED_NAME
+
+#
+# LC_FSCRYPT_DUMMY_CONTEXT_ENABLED
+#
+# Kernel 5.7-rc7 ed318a6cc0b620440e65f48eb527dc3df7269ce4
+# replaces fscrypt_dummy_context_enabled() with
+# fscrypt_get_dummy_context(). Later kernels rename
+# fscrypt_get_dummy_context() to fscrypt_get_dummy_policy()
+# which is why we test fscrypt_dummy_context_enabled().
+#
+AC_DEFUN([LC_FSCRYPT_DUMMY_CONTEXT_ENABLED], [
+tmp_flags="$EXTRA_KCFLAGS"
+EXTRA_KCFLAGS="-Werror"
+LB_CHECK_COMPILE([if fscrypt_dummy_context_enabled() exists],
+fscrypt_dummy_context_enabled, [
+ #include <linux/fscrypt.h>
+],[
+ fscrypt_dummy_context_enabled(NULL);
+],[
+ AC_DEFINE(HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED, 1,
+ [fscrypt_dummy_context_enabled() exists])
+])
+EXTRA_KCFLAGS="$tmp_flags"
+]) # LC_FSCRYPT_DUMMY_CONTEXT_ENABLED
+
+#
+# LC_FSCRYPT_IS_NOKEY_NAME
+#
+# Kernel 5.10-rc4 159e1de201b6fca10bfec50405a3b53a561096a8
+# introduced fscrypt_is_nokey_name() inline macro. While
+# introduced for 5.10 kernels it was backported to earlier
+# Ubuntu kernels. Also it hides the change introduced due
+# to git commit 501e43fbe for kernel 5.9 which also was
+# backported to earlier Ubuntu kernels.
+#
+AC_DEFUN([LC_FSCRYPT_IS_NOKEY_NAME], [
+tmp_flags="$EXTRA_KCFLAGS"
+EXTRA_KCFLAGS="-Werror"
+LB_CHECK_COMPILE([if fscrypt_is_nokey_name() exists],
+fscrypt_is_no_key_name, [
+ #include <linux/fscrypt.h>
+],[
+ fscrypt_is_nokey_name(NULL);
+],[
+ AC_DEFINE(HAVE_FSCRYPT_IS_NOKEY_NAME, 1,
+ [fscrypt_is_nokey_name() exists])
+])
+EXTRA_KCFLAGS="$tmp_flags"
+]) # LC_FSCRYPT_IS_NOKEY_NAME
+
+#
# LC_HAVE_USER_NAMESPACE_ARG
#
# kernel 5.12 commit 549c7297717c32ee53f156cd949e055e601f67bb
LC_BIO_BI_PHYS_SEGMENTS
LC_LM_COMPARE_OWNER_EXISTS
+ # 5.5
+ LC_FSCRYPT_DIGESTED_NAME
+
+ # 5.7
+ LC_FSCRYPT_DUMMY_CONTEXT_ENABLED
+
+ # 5.10
+ LC_FSCRYPT_IS_NOKEY_NAME
+
# 5.12
LC_HAVE_USER_NAMESPACE_ARG
[AS_IF([test "x$has_is_encrypted" = xyes], [
AC_DEFINE(HAVE_LUSTRE_CRYPTO, 1, [Enable Lustre client crypto via embedded llcrypt])
AC_DEFINE(CONFIG_LL_ENCRYPTION, 1, [embedded llcrypt])
+ AC_DEFINE(HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED, 1, [embedded llcrypt uses llcrypt_dummy_context_enabled()])
enable_crypto="embedded llcrypt"
enable_llcrypt=yes], [
AS_IF([test "x$enable_crypto" = xyes],
#ifndef _LUSTRE_CRYPTO_H_
#define _LUSTRE_CRYPTO_H_
+#if defined(HAVE_LUSTRE_CRYPTO) && !defined(CONFIG_LL_ENCRYPTION)
+#define __FS_HAS_ENCRYPTION 1
+#include <linux/fscrypt.h>
+
+#define LL_CRYPTO_BLOCK_SIZE FS_CRYPTO_BLOCK_SIZE
+#define llcrypt_name fscrypt_name
+#define llcrypt_str fscrypt_str
+#define LLTR_INIT FSTR_INIT
+#define llcrypt_operations fscrypt_operations
+#define llcrypt_symlink_data fscrypt_symlink_data
+#define llcrypt_init() 0
+#define llcrypt_exit() {}
+#ifndef HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED
+#define llcrypt_context fscrypt_context
+#define llcrypt_dummy_context fscrypt_dummy_context
+#endif
+#define llcrypt_require_key(inode) \
+ fscrypt_require_key(inode)
+#define llcrypt_has_encryption_key(inode) fscrypt_has_encryption_key(inode)
+#define llcrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags) \
+ fscrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags)
+#define llcrypt_encrypt_block_inplace(inode, page, len, offs, lblk, gfp_flags) \
+ fscrypt_encrypt_block_inplace(inode, page, len, offs, lblk, gfp_flags)
+#define llcrypt_decrypt_pagecache_blocks(page, len, offs) \
+ fscrypt_decrypt_pagecache_blocks(page, len, offs)
+#define llcrypt_decrypt_block_inplace(inode, page, len, offs, lblk_num) \
+ fscrypt_decrypt_block_inplace(inode, page, len, offs, lblk_num)
+#define llcrypt_inherit_context(parent, child, fs_data, preload) \
+ fscrypt_inherit_context(parent, child, fs_data, preload)
+#define llcrypt_get_encryption_info(inode) fscrypt_get_encryption_info(inode)
+#define llcrypt_put_encryption_info(inode) fscrypt_put_encryption_info(inode)
+#define llcrypt_free_inode(inode) fscrypt_free_inode(inode)
+#define llcrypt_finalize_bounce_page(pagep) fscrypt_finalize_bounce_page(pagep)
+#define llcrypt_file_open(inode, filp) fscrypt_file_open(inode, filp)
+#define llcrypt_ioctl_set_policy(filp, arg) fscrypt_ioctl_set_policy(filp, arg)
+#define llcrypt_ioctl_get_policy_ex(filp, arg) \
+ fscrypt_ioctl_get_policy_ex(filp, arg)
+#define llcrypt_policy_has_filename_enc(inode) true
+#define llcrypt_ioctl_add_key(filp, arg) fscrypt_ioctl_add_key(filp, arg)
+#define llcrypt_ioctl_remove_key(filp, arg) fscrypt_ioctl_remove_key(filp, arg)
+#define llcrypt_ioctl_remove_key_all_users(filp, arg) \
+ fscrypt_ioctl_remove_key_all_users(filp, arg)
+#define llcrypt_ioctl_get_key_status(filp, arg) \
+ fscrypt_ioctl_get_key_status(filp, arg)
+#define llcrypt_drop_inode(inode) fscrypt_drop_inode(inode)
+#define llcrypt_prepare_rename(olddir, olddentry, newdir, newdentry, flags) \
+ fscrypt_prepare_rename(olddir, olddentry, newdir, newdentry, flags)
+#define llcrypt_prepare_link(old_dentry, dir, dentry) \
+ fscrypt_prepare_link(old_dentry, dir, dentry)
+#define llcrypt_prepare_setattr(dentry, attr) \
+ fscrypt_prepare_setattr(dentry, attr)
+#define __llcrypt_prepare_lookup(inode, dentry, fname) \
+ __fscrypt_prepare_lookup(inode, dentry, fname)
+#define llcrypt_set_ops(sb, cop) fscrypt_set_ops(sb, cop)
+#define llcrypt_sb_free(sb) {}
+#define llcrypt_fname_alloc_buffer(inode, max_encrypted_len, crypto_str) \
+ fscrypt_fname_alloc_buffer(inode, max_encrypted_len, crypto_str)
+#define llcrypt_fname_disk_to_usr(inode, hash, minor_hash, iname, oname) \
+ fscrypt_fname_disk_to_usr(inode, hash, minor_hash, iname, oname)
+#define llcrypt_fname_free_buffer(crypto_str) \
+ fscrypt_fname_free_buffer(crypto_str)
+#define llcrypt_setup_filename(dir, iname, lookup, fname) \
+ fscrypt_setup_filename(dir, iname, lookup, fname)
+#define llcrypt_free_filename(fname) \
+ fscrypt_free_filename(fname)
+#define llcrypt_match_name(fname, de_name, name_len) \
+ fscrypt_match_name(fname, de_name, name_len)
+#define llcrypt_prepare_lookup(dir, dentry, fname) \
+ fscrypt_prepare_lookup(dir, dentry, fname)
+#define llcrypt_encrypt_symlink(inode, target, len, disk_link) \
+ fscrypt_encrypt_symlink(inode, target, len, disk_link)
+#define __llcrypt_encrypt_symlink(inode, target, len, disk_link) \
+ __fscrypt_encrypt_symlink(inode, target, len, disk_link)
+#define llcrypt_prepare_symlink(dir, target, len, max_len, disk_link) \
+ fscrypt_prepare_symlink(dir, target, len, max_len, disk_link)
+#define llcrypt_get_symlink(inode, caddr, max_size, done) \
+ fscrypt_get_symlink(inode, caddr, max_size, done)
+
+#define LL_IOC_SET_ENCRYPTION_POLICY FS_IOC_SET_ENCRYPTION_POLICY
+#define LL_IOC_GET_ENCRYPTION_POLICY_EX FS_IOC_GET_ENCRYPTION_POLICY_EX
+#define LL_IOC_ADD_ENCRYPTION_KEY FS_IOC_ADD_ENCRYPTION_KEY
+#define LL_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY
+#define LL_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS \
+ FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS
+#define LL_IOC_GET_ENCRYPTION_KEY_STATUS FS_IOC_GET_ENCRYPTION_KEY_STATUS
+
+#else /* HAVE_LUSTRE_CRYPTO && !CONFIG_LL_ENCRYPTION */
+#include <libcfs/crypto/llcrypt.h>
+#endif /* !HAVE_LUSTRE_CRYPTO || CONFIG_LL_ENCRYPTION */
+
+#ifndef DCACHE_NOKEY_NAME
+#define DCACHE_NOKEY_NAME 0x02000000 /* Enc name without key */
+#endif
+
+#if !defined(HAVE_FSCRYPT_IS_NOKEY_NAME) || defined(CONFIG_LL_ENCRYPTION)
+
+static inline bool llcrypt_is_nokey_name(const struct dentry *dentry)
+{
+ return dentry->d_flags & DCACHE_NOKEY_NAME;
+}
+#else
+#define llcrypt_is_nokey_name(dentry) \
+ fscrypt_is_nokey_name(dentry)
+#endif
+
+#if defined(HAVE_LUSTRE_CRYPTO) && !defined(HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED)
+#define llcrypt_show_test_dummy_encryption(seq, sep, sb) \
+ fscrypt_show_test_dummy_encryption(seq, sep, sb)
+#define llcrypt_set_test_dummy_encryption(sb, arg, ctx) \
+ fscrypt_set_test_dummy_encryption(sb, arg, ctx)
+#define llcrypt_free_dummy_context(ctx) \
+ fscrypt_free_dummy_context(ctx)
+#else
+#define llcrypt_show_test_dummy_encryption(seq, sep, sb) {}
+#define llcrypt_free_dummy_context(ctx) {}
+#endif
+
+/* Macro to extract digest from Lustre specific structures */
+#if defined(HAVE_FSCRYPT_DIGESTED_NAME) && !defined(CONFIG_LL_ENCRYPTION)
+#define LLCRYPT_EXTRACT_DIGEST FSCRYPT_FNAME_DIGEST
+#else
+#define LLCRYPT_EXTRACT_DIGEST(name, len) \
+ ((name) + round_down((len) - LL_CRYPTO_BLOCK_SIZE - 1, \
+ LL_CRYPTO_BLOCK_SIZE))
+#endif
+
struct ll_sb_info;
int ll_set_encflags(struct inode *inode, void *encctx, __u32 encctxlen,
bool preload);
void llcrypt_free_ctx(void *encctx, __u32 size);
-bool ll_sbi_has_test_dummy_encryption(struct ll_sb_info *sbi);
+bool ll_sb_has_test_dummy_encryption(struct super_block *sb);
bool ll_sbi_has_encrypt(struct ll_sb_info *sbi);
void ll_sbi_set_encrypt(struct ll_sb_info *sbi, bool set);
/* sizeof(struct fscrypt_context_v2) = 40 */
#define LLCRYPT_ENC_CTX_SIZE 40
-
/* Encoding/decoding routines inspired from yEnc principles.
* We just take care of a few critical characters:
* NULL, LF, CR, /, DEL and =.
return (char *)q - dst;
}
-#ifdef CONFIG_LL_ENCRYPTION
-#include <libcfs/crypto/llcrypt.h>
-#else /* !CONFIG_LL_ENCRYPTION */
-#ifdef HAVE_LUSTRE_CRYPTO
-#define __FS_HAS_ENCRYPTION 1
-#include <linux/fscrypt.h>
-
-#define LLCRYPT_FNAME_DIGEST_SIZE FSCRYPT_FNAME_DIGEST_SIZE
-#define LLCRYPT_FNAME_DIGEST FSCRYPT_FNAME_DIGEST
-#define llcrypt_name fscrypt_name
-#define llcrypt_str fscrypt_str
-#define LLTR_INIT FSTR_INIT
-#define LLCRYPT_FNAME_MAX_UNDIGESTED_SIZE \
- FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
-#define llcrypt_operations fscrypt_operations
-#define llcrypt_symlink_data fscrypt_symlink_data
-#define llcrypt_dummy_context_enabled(inode) \
- fscrypt_dummy_context_enabled(inode)
-#define llcrypt_require_key(inode) \
- fscrypt_require_key(inode)
-#define llcrypt_has_encryption_key(inode) fscrypt_has_encryption_key(inode)
-#define llcrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags) \
- fscrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags)
-#define llcrypt_encrypt_block_inplace(inode, page, len, offs, lblk, gfp_flags) \
- fscrypt_encrypt_block_inplace(inode, page, len, offs, lblk, gfp_flags)
-#define llcrypt_decrypt_pagecache_blocks(page, len, offs) \
- fscrypt_decrypt_pagecache_blocks(page, len, offs)
-#define llcrypt_decrypt_block_inplace(inode, page, len, offs, lblk_num) \
- fscrypt_decrypt_block_inplace(inode, page, len, offs, lblk_num)
-#define llcrypt_inherit_context(parent, child, fs_data, preload) \
- fscrypt_inherit_context(parent, child, fs_data, preload)
-#define llcrypt_get_encryption_info(inode) fscrypt_get_encryption_info(inode)
-#define llcrypt_put_encryption_info(inode) fscrypt_put_encryption_info(inode)
-#define llcrypt_free_inode(inode) fscrypt_free_inode(inode)
-#define llcrypt_finalize_bounce_page(pagep) fscrypt_finalize_bounce_page(pagep)
-#define llcrypt_file_open(inode, filp) fscrypt_file_open(inode, filp)
-#define llcrypt_ioctl_set_policy(filp, arg) fscrypt_ioctl_set_policy(filp, arg)
-#define llcrypt_ioctl_get_policy_ex(filp, arg) \
- fscrypt_ioctl_get_policy_ex(filp, arg)
-#define llcrypt_policy_has_filename_enc(inode) true
-#define llcrypt_ioctl_add_key(filp, arg) fscrypt_ioctl_add_key(filp, arg)
-#define llcrypt_ioctl_remove_key(filp, arg) fscrypt_ioctl_remove_key(filp, arg)
-#define llcrypt_ioctl_remove_key_all_users(filp, arg) \
- fscrypt_ioctl_remove_key_all_users(filp, arg)
-#define llcrypt_ioctl_get_key_status(filp, arg) \
- fscrypt_ioctl_get_key_status(filp, arg)
-#define llcrypt_drop_inode(inode) fscrypt_drop_inode(inode)
-#define llcrypt_prepare_rename(olddir, olddentry, newdir, newdentry, flags) \
- fscrypt_prepare_rename(olddir, olddentry, newdir, newdentry, flags)
-#define llcrypt_prepare_link(old_dentry, dir, dentry) \
- fscrypt_prepare_link(old_dentry, dir, dentry)
-#define llcrypt_prepare_setattr(dentry, attr) \
- fscrypt_prepare_setattr(dentry, attr)
-#define llcrypt_set_ops(sb, cop) fscrypt_set_ops(sb, cop)
-#define llcrypt_fname_alloc_buffer(inode, max_encrypted_len, crypto_str) \
- fscrypt_fname_alloc_buffer(inode, max_encrypted_len, crypto_str)
-#define llcrypt_fname_disk_to_usr(inode, hash, minor_hash, iname, oname) \
- fscrypt_fname_disk_to_usr(inode, hash, minor_hash, iname, oname)
-#define llcrypt_fname_free_buffer(crypto_str) \
- fscrypt_fname_free_buffer(crypto_str)
-#define llcrypt_setup_filename(dir, iname, lookup, fname) \
- fscrypt_setup_filename(dir, iname, lookup, fname)
-#define llcrypt_free_filename(fname) \
- fscrypt_free_filename(fname)
-#define llcrypt_prepare_lookup(dir, dentry, fname) \
- fscrypt_prepare_lookup(dir, dentry, fname)
-#define llcrypt_encrypt_symlink(inode, target, len, disk_link) \
- fscrypt_encrypt_symlink(inode, target, len, disk_link)
-#define __llcrypt_encrypt_symlink(inode, target, len, disk_link) \
- __fscrypt_encrypt_symlink(inode, target, len, disk_link)
-#define llcrypt_prepare_symlink(dir, target, len, max_len, disk_link) \
- fscrypt_prepare_symlink(dir, target, len, max_len, disk_link)
-#define llcrypt_get_symlink(inode, caddr, max_size, done) \
- fscrypt_get_symlink(inode, caddr, max_size, done)
-#define llcrypt_handle_d_move(dentry) \
- fscrypt_handle_d_move(dentry)
-#else /* !HAVE_LUSTRE_CRYPTO */
-/* Extracts the second-to-last ciphertext block */
-#define LLCRYPT_FNAME_DIGEST(name, len) \
- ((name) + round_down((len) - LL_CRYPTO_BLOCK_SIZE - 1, \
- LL_CRYPTO_BLOCK_SIZE))
-#define LLCRYPT_FNAME_DIGEST_SIZE LL_CRYPTO_BLOCK_SIZE
-#include <libcfs/crypto/llcrypt.h>
-#endif /* HAVE_LUSTRE_CRYPTO */
-#endif /* !CONFIG_LL_ENCRYPTION */
-
#endif /* _LUSTRE_CRYPTO_H_ */
#include <libcfs/libcfs.h>
#include <uapi/linux/lustre/lustre_disk.h>
#include <uapi/linux/lustre/lustre_idl.h>
+#if !defined(CONFIG_LL_ENCRYPTION) && defined(HAVE_LUSTRE_CRYPTO)
+#include <lustre_crypto.h>
+#endif
#define IS_MDT(data) ((data)->lsi_flags & LDD_F_SV_TYPE_MDT)
#define IS_OST(data) ((data)->lsi_flags & LDD_F_SV_TYPE_OST)
#ifdef CONFIG_LL_ENCRYPTION
const struct llcrypt_operations *lsi_cop;
struct key *lsi_master_keys; /* master crypto keys used */
+#elif defined(HAVE_LUSTRE_CRYPTO) && !defined(HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED)
+ /* Encryption context for '-o test_dummy_encryption' */
+ struct llcrypt_dummy_context lsi_dummy_enc_ctx;
#endif
};
OBD_FREE(encctx, size);
}
-bool ll_sbi_has_test_dummy_encryption(struct ll_sb_info *sbi)
+#ifdef HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED
+bool ll_sb_has_test_dummy_encryption(struct super_block *sb)
{
- return unlikely(test_bit(LL_SBI_TEST_DUMMY_ENCRYPTION, sbi->ll_flags));
+ struct ll_sb_info *sbi = s2lsi(sb)->lsi_llsbi;
+
+ return sbi ?
+ unlikely(test_bit(LL_SBI_TEST_DUMMY_ENCRYPTION, sbi->ll_flags)) :
+ false;
}
static bool ll_dummy_context(struct inode *inode)
{
- struct ll_sb_info *sbi = ll_i2sbi(inode);
+ return ll_sb_has_test_dummy_encryption(inode->i_sb);
+}
+#else
+static const union llcrypt_context *
+ll_get_dummy_context(struct super_block *sb)
+{
+ struct lustre_sb_info *lsi = s2lsi(sb);
+
+ return lsi ? lsi->lsi_dummy_enc_ctx.ctx : NULL;
+}
- return sbi ? ll_sbi_has_test_dummy_encryption(sbi) : false;
+bool ll_sb_has_test_dummy_encryption(struct super_block *sb)
+{
+ return ll_get_dummy_context(sb) != NULL;
}
+#endif
bool ll_sbi_has_encrypt(struct ll_sb_info *sbi)
{
rc = -EINVAL;
goto out_free;
}
- digest = (struct ll_digest_filename *)fname->crypto_buf.name;
+ digest = (struct ll_digest_filename *)fname->disk_name.name;
*fid = digest->ldf_fid;
if (!fid_is_sane(fid)) {
rc = -EINVAL;
goto out_free;
}
fname->disk_name.name = digest->ldf_excerpt;
- fname->disk_name.len = LLCRYPT_FNAME_DIGEST_SIZE;
+ fname->disk_name.len = sizeof(digest->ldf_excerpt);
}
if (IS_ENCRYPTED(dir) &&
!name_is_dot_or_dotdot(fname->disk_name.name,
lltr.name = buf;
lltr.len = len;
}
- if (lltr.len > LLCRYPT_FNAME_MAX_UNDIGESTED_SIZE &&
+ if (lltr.len > LL_CRYPTO_BLOCK_SIZE * 2 &&
!llcrypt_has_encryption_key(inode) &&
llcrypt_policy_has_filename_enc(inode)) {
digested = 1;
return -EINVAL;
digest.ldf_fid = *fid;
memcpy(digest.ldf_excerpt,
- LLCRYPT_FNAME_DIGEST(lltr.name, lltr.len),
- LLCRYPT_FNAME_DIGEST_SIZE);
+ LLCRYPT_EXTRACT_DIGEST(lltr.name, lltr.len),
+ sizeof(digest.ldf_excerpt));
lltr.name = (char *)&digest;
lltr.len = sizeof(digest);
* reverting to ciphertext names without evicting the directory's inode
* -- which implies eviction of the dentries in the directory.
*/
- if (!(dentry->d_flags & DCACHE_ENCRYPTED_NAME))
+ if (!llcrypt_is_nokey_name(dentry))
return 1;
/*
.key_prefix = "lustre:",
.get_context = ll_get_context,
.set_context = ll_set_context,
+#ifdef HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED
.dummy_context = ll_dummy_context,
+#else
+ .get_dummy_context = ll_get_dummy_context,
+#endif
.empty_dir = ll_empty_dir,
.max_namelen = NAME_MAX,
};
{
}
-bool ll_sbi_has_test_dummy_encryption(struct ll_sb_info *sbi)
+bool ll_sb_has_test_dummy_encryption(struct super_block *sb)
{
return false;
}
#include <obd_support.h>
#include <obd_class.h>
#include <uapi/linux/lustre/lustre_ioctl.h>
-#include <uapi/linux/llcrypt.h>
#include <lustre_lib.h>
#include <lustre_dlm.h>
#include <lustre_fid.h>
if (ll_sbi_has_encrypt(sbi) &&
(IS_ENCRYPTED(parent) ||
- unlikely(llcrypt_dummy_context_enabled(parent)))) {
+ unlikely(ll_sb_has_test_dummy_encryption(parent->i_sb)))) {
err = llcrypt_get_encryption_info(parent);
if (err)
GOTO(out_op_data, err);
#include <linux/ktime.h>
#include <uapi/linux/lustre/lustre_ioctl.h>
-#include <uapi/linux/llcrypt.h>
#include <lustre_swab.h>
#include "cl_object.h"
*/
struct ll_digest_filename {
struct lu_fid ldf_fid;
- char ldf_excerpt[LLCRYPT_FNAME_DIGEST_SIZE];
+ char ldf_excerpt[LL_CRYPTO_BLOCK_SIZE];
};
int ll_setup_filename(struct inode *dir, const struct qstr *iname,
set_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags);
if (ll_sbi_has_encrypt(sbi) && !obd_connect_has_enc(data)) {
- if (ll_sbi_has_test_dummy_encryption(sbi))
+ if (ll_sb_has_test_dummy_encryption(sb))
LCONSOLE_WARN("%s: server %s does not support encryption feature, encryption deactivated.\n",
sbi->ll_fsname,
sbi->ll_md_exp->exp_obd->obd_name);
if (ll_sbi_has_encrypt(sbi) &&
!obd_connect_has_enc(&sbi->ll_dt_obd->u.lov.lov_ocd)) {
- if (ll_sbi_has_test_dummy_encryption(sbi))
+ if (ll_sb_has_test_dummy_encryption(sb))
LCONSOLE_WARN("%s: server %s does not support encryption feature, encryption deactivated.\n",
sbi->ll_fsname, dt);
ll_sbi_set_encrypt(sbi, false);
- } else if (ll_sbi_has_test_dummy_encryption(sbi)) {
+ } else if (ll_sb_has_test_dummy_encryption(sb)) {
LCONSOLE_WARN("Test dummy encryption mode enabled\n");
}
{LL_SBI_VERBOSE, "verbose"},
{LL_SBI_VERBOSE, "noverbose"},
{LL_SBI_ALWAYS_PING, "always_ping"},
+ {LL_SBI_TEST_DUMMY_ENCRYPTION, "test_dummy_encryption=%s"},
{LL_SBI_TEST_DUMMY_ENCRYPTION, "test_dummy_encryption"},
{LL_SBI_ENCRYPT, "encrypt"},
{LL_SBI_ENCRYPT, "noencrypt"},
{
struct ll_sb_info *sbi = ll_s2sbi(sb);
char *s2, *s1, *opts;
+ int err = 0;
ENTRY;
if (!options)
break;
case LL_SBI_TEST_DUMMY_ENCRYPTION: {
#ifdef HAVE_LUSTRE_CRYPTO
+#ifdef HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED
set_bit(token, sbi->ll_flags);
#else
+ struct lustre_sb_info *lsi = s2lsi(sb);
+
+ err = llcrypt_set_test_dummy_encryption(sb, &args[0],
+ &lsi->lsi_dummy_enc_ctx);
+ if (!err)
+ break;
+
+ if (err == -EEXIST)
+ LCONSOLE_WARN(
+ "Can't change test_dummy_encryption");
+ else if (err == -EINVAL)
+ LCONSOLE_WARN(
+ "Value of option \"%s\" unrecognized",
+ options);
+ else
+ LCONSOLE_WARN(
+ "Error processing option \"%s\" [%d]",
+ options, err);
+ err = -1;
+#endif
+#else
LCONSOLE_WARN("Test dummy encryption mount option ignored: encryption not supported\n");
#endif
break;
}
}
kfree(opts);
- RETURN(0);
+ RETURN(err);
}
void ll_lli_init(struct ll_inode_info *lli)
}
#endif
+ llcrypt_free_dummy_context(&lsi->lsi_dummy_enc_ctx);
ll_free_sbi(sb);
lsi->lsi_llsbi = NULL;
out_no_sbi:
op_data->op_bias = MDS_FID_OP;
}
if (fname.disk_name.name &&
- fname.disk_name.name != (unsigned char *)name)
+ fname.disk_name.name != (unsigned char *)name) {
/* op_data->op_name must be freed after use */
op_data->op_flags |= MF_OPNAME_KMALLOCED;
+ }
}
/* In fact LUSTRE_OPC_LOOKUP, LUSTRE_OPC_OPEN
}
}
+ llcrypt_show_test_dummy_encryption(seq, ',', dentry->d_sb);
+
RETURN(0);
}
rc = ll_setup_filename(parent, &dentry->d_name, 1, &fname, &fid);
if ((!rc || rc == -ENOENT) && fname.is_ciphertext_name) {
spin_lock(&dentry->d_lock);
- dentry->d_flags |= DCACHE_ENCRYPTED_NAME;
+ dentry->d_flags |= DCACHE_NOKEY_NAME;
spin_unlock(&dentry->d_lock);
}
if (rc == -ENOENT)
if (ll_sbi_has_encrypt(sbi) &&
((IS_ENCRYPTED(dir) &&
(S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))) ||
- (unlikely(llcrypt_dummy_context_enabled(dir)) && S_ISDIR(mode)))) {
+ (unlikely(ll_sb_has_test_dummy_encryption(dir->i_sb)) &&
+ S_ISDIR(mode)))) {
err = llcrypt_get_encryption_info(dir);
if (err)
GOTO(err_exit, err);
int reclen, count, rc;
ENTRY;
-
- if (lname->ln_namelen < LLCRYPT_FNAME_DIGEST_SIZE)
+ if (lname->ln_namelen < LL_CRYPTO_BLOCK_SIZE)
RETURN(-EINVAL);
buf = lu_buf_check_and_alloc(buf, PATH_MAX);
rc = critical_decode(name.ln_name, name.ln_namelen,
link.lb_buf);
- if (memcmp(LLCRYPT_FNAME_DIGEST(link.lb_buf, rc),
- hash, LLCRYPT_FNAME_DIGEST_SIZE) == 0) {
+ if (memcmp(LLCRYPT_EXTRACT_DIGEST(link.lb_buf, rc),
+ hash, LL_CRYPTO_BLOCK_SIZE) == 0) {
*lname = name;
break;
}
#include <lustre_fid.h>
#include <cl_object.h>
#include "cl_internal.h"
-#include <libcfs/crypto/llcrypt.h>
/*****************************************************************************
*
#include <lustre_log.h>
#include <lustre_disk.h>
#include <uapi/linux/lustre/lustre_param.h>
-#include <libcfs/crypto/llcrypt.h>
+#include <lustre_crypto.h>
/**************** config llog ********************/
}
remove_enc_key() {
- cancel_lru_locks
- sync ; echo 3 > /proc/sys/vm/drop_caches
- keyctl revoke $(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- keyctl reap
-}
+ local dummy_key
-setup_for_enc_tests() {
- # remount client with test_dummy_encryption option
- if is_mounted $MOUNT; then
- umount_client $MOUNT || error "umount $MOUNT failed"
+ $LCTL set_param -n ldlm.namespaces.*.lru_size=clear
+ sync ; echo 3 > /proc/sys/vm/drop_caches
+ dummy_key=$(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
+ if [ -n "$dummy_key" ]; then
+ keyctl revoke $dummy_key
+ keyctl reap
fi
- mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
- error "mount with '-o test_dummy_encryption' failed"
-
- # this directory will be encrypted, because of dummy mode
- mkdir $DIR/$tdir
}
-cleanup_for_enc_tests() {
- local dummy_key
-
- rm -rf $DIR/$tdir $*
-
- # remount client normally
+remount_client_normally() {
+ # remount client without dummy encryption key
if is_mounted $MOUNT; then
umount_client $MOUNT || error "umount $MOUNT failed"
fi
error "remount failed"
fi
- # remove fscrypt key from keyring
- dummy_key=$(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- if [ -n "$dummy_key" ]; then
- keyctl revoke $dummy_key
- keyctl reap
+ remove_enc_key
+}
+
+remount_client_dummykey() {
+ insert_enc_key
+
+ # remount client with dummy encryption key
+ if is_mounted $MOUNT; then
+ umount_client $MOUNT || error "umount $MOUNT failed"
+ fi
+ mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
+ error "remount failed"
+}
+
+setup_for_enc_tests() {
+ # remount client with test_dummy_encryption option
+ if is_mounted $MOUNT; then
+ umount_client $MOUNT || error "umount $MOUNT failed"
fi
+ mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
+ error "mount with '-o test_dummy_encryption' failed"
+
+ # this directory will be encrypted, because of dummy mode
+ mkdir $DIR/$tdir
+}
+
+cleanup_for_enc_tests() {
+ rm -rf $DIR/$tdir $*
+
+ remount_client_normally
}
cleanup_nodemap_after_enc_tests() {
filesz=$(stat --format=%s $testfile)
filesz=$(((filesz+UNIT_SIZE-1)/UNIT_SIZE * UNIT_SIZE))
- sync ; echo 3 > /proc/sys/vm/drop_caches
-
- # remove fscrypt key from keyring
- keyctl revoke $(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- keyctl reap
+ # remount without dummy encryption key
+ remount_client_normally
scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
[ $(stat --format=%s $scrambledfile) -eq $filesz ] ||
fi
sync ; echo 3 > /proc/sys/vm/drop_caches
- # remove fscrypt key from keyring
- keyctl revoke $(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- keyctl reap
- cancel_lru_locks
+ # remount without dummy encryption key
+ remount_client_normally
# this is $testdir2
scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d| grep _)
sync ; echo 3 > /proc/sys/vm/drop_caches
- # remove fscrypt key from keyring
- keyctl revoke $(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- keyctl reap
- cancel_lru_locks
+ # remount without dummy encryption key
+ remount_client_normally
scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
sync ; echo 3 > /proc/sys/vm/drop_caches
- # remove fscrypt key from keyring
- keyctl revoke $(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
- keyctl reap
+ # remount without dummy encryption key
+ remount_client_normally
scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
$TRUNCATE $scrambledfile 0 &&
error "could not write to $testfile"
$LFS getstripe $testfile
- # now, without the key
- remove_enc_key
+ # remount without dummy encryption key
+ remount_client_normally
+
scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
$LFS mirror resync $scrambledfile ||
error "could not resync mirror"
error "read from mirror should fail"
# now, with the key
- insert_enc_key
+ remount_client_dummykey
verify_mirror $testfile $tmpfile
}
run_test 59a "mirror resync of encrypted files without key"
error "write to $testfile failed"
$LFS getstripe $testfile
- # now, without the key
- remove_enc_key
+ # remount without dummy encryption key
+ remount_client_normally
+
scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
$LFS migrate -i1 $scrambledfile ||
error "migrate $scrambledfile failed"
cancel_lru_locks
# now, with the key
- insert_enc_key
+ remount_client_dummykey
cmp -bl $tmpfile $testfile ||
error "migrated file is corrupted"
- # now, without the key
- remove_enc_key
+ # remount without dummy encryption key
+ remount_client_normally
+
$LFS mirror extend -N -i0 $scrambledfile ||
error "mirror extend $scrambledfile failed (1)"
$LFS getstripe $scrambledfile
fi
# now, with the key
- insert_enc_key
+ remount_client_dummykey
verify_mirror $testfile $tmpfile
- # now, without the key
- remove_enc_key
+ # remount without dummy encryption key
+ remount_client_normally
+
$LFS mirror split --mirror-id 1 -d $scrambledfile ||
error "mirror split file $scrambledfile failed (1)"
$LFS getstripe $scrambledfile
[ $stripe -eq 0 ] || error "mirror split file $scrambledfile failed (4)"
# now, with the key
- insert_enc_key
+ remount_client_dummykey
cancel_lru_locks
cmp -bl $tmpfile $testfile ||
error "extended/split file is corrupted"
$LFS setdirstripe -i 0 $dirname
echo b > $dirname/subf
- # now, without the key
- remove_enc_key
+ # remount without dummy encryption key
+ remount_client_normally
+
scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
# migrate a non-empty encrypted dir
if [ "$MOUNT_2" ]; then
mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
fi
- export FILESET=""
ls -Rl $DIR || error "ls -Rl $DIR failed (1)"
# now, with the key
- insert_enc_key
+ remount_client_dummykey
+ export FILESET=""
ls -Rl $DIR || error "ls -Rl $DIR failed (2)"
cat $DIR/file1 || error "cat $DIR/$tdir/file1 failed"
#ifdef HAVE_LUSTRE_CRYPTO
} else if (strncmp(arg, "test_dummy_encryption", 21) == 0) {
#ifdef HAVE_LIBKEYUTILS
+#ifdef HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED
/* Using dummy encryption mode requires inserting a
* special dummy key into the session keyring.
* Key type is "logon", key description is
if (rc != 0)
goto out_options;
}
+#else /* !HAVE_FSCRYPT_DUMMY_CONTEXT_ENABLED */
+ /* pass this on as an option */
+ rc = append_option(options, options_len, opt,
+ NULL);
+ if (rc != 0)
+ goto out_options;
+#endif
#else /* HAVE_LIBKEYUTILS */
fprintf(stderr,
"%s: test dummy encryption option ignored: Lustre not built with libkeyutils support\n",