Kernel commit
de3cdc6e75179a2324c moved fscrypt_require_key()
to fscrypt_private.h, which makes it no longer visible.
With this change, move to fscrypt_has_encryption_key(), which
has existed for some time. One difference is that
fscrypt_has_encryption_key() reports success when the inode has
no encryption, so we need to test IS_ENCRYPTED(inode) as well.
Expand ll_has_encryption_key() to also test for IS_ENCRYPTED,
since this is the most common use case.
Update LLCRYPT_FNAME_DIGEST to LLCRYPT_EXTRACT_DIGEST for mdd
layer.
Test-Parameters: trivial testlist=sanity-sec
Change-Id: I402f222f635e7c0f026c53093bb17ec4d461e189
Signed-off-by: James Simmons <jsimmons@infradead.org>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57754
Tested-by: Maloo <maloo@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Shaun Tancheff <shaun.tancheff@hpe.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
#else
int llcrypt_d_revalidate(struct dentry *dentry, unsigned int flags);
#endif
-#define llcrypt_require_key(inode) \
- fscrypt_require_key(inode)
-#define llcrypt_has_encryption_key(inode) fscrypt_has_encryption_key(inode)
+#define llcrypt_has_encryption_key(inode) \
+ fscrypt_has_encryption_key(inode)
#define llcrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags) \
fscrypt_encrypt_pagecache_blocks(page, len, offs, gfp_flags)
#define llcrypt_decrypt_pagecache_blocks(page, len, offs) \
*/
#define S_PCCCOPY S_DIRSYNC
#define IS_PCCCOPY(inode) ((inode)->i_flags & S_PCCCOPY)
-#define ll_require_key(inode) \
- (IS_PCCCOPY(inode) ? -ENOKEY : llcrypt_require_key(inode))
#define ll_has_encryption_key(inode) \
(IS_PCCCOPY(inode) ? false : llcrypt_has_encryption_key(inode))
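Review bot: The commit message says ll_has_encryption_key() is expanded to also test whether the inode is encrypted, but the macro here is unchanged context and the converted call sites spell out `IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode)` by hand. The result for an unencrypted inode therefore depends on each caller remembering the extra test. A single wrapper for the "encrypted but key missing" case would be harder to misuse, for example `#define ll_key_missing(inode) (IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode))` (the name is only a proposal). If the macro stays as it is, a comment above it should state the precondition, e.g. `/* Caller must test IS_ENCRYPTED(inode) first; PCC copies always report no key. */`.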
return llcrypt_file_open(inode, filp);
}
-void llcrypt_free_ctx(void *encctx, __u32 size)
-{
-}
-
bool ll_sb_has_test_dummy_encryption(struct super_block *sb)
{
return false;
st.st_uid = body->mbo_uid;
st.st_gid = body->mbo_gid;
st.st_rdev = body->mbo_rdev;
- if (ll_require_key(inode) == -ENOKEY)
+ if (IS_ENCRYPTED(inode) &&
+ !ll_has_encryption_key(inode))
st.st_size = round_up(st.st_size,
LUSTRE_ENCRYPTION_UNIT_SIZE);
else
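Review bot: `!ll_has_encryption_key(inode)` only reports whether key information is already attached to the inode, whereas the removed fscrypt_require_key() path first tried to set that information up and returned -ENOKEY only when no key could be found. If nothing earlier on this path has loaded the key for the inode (not visible in the hunk), a user who does hold the key could now see `st.st_size` rounded up to LUSTRE_ENCRYPTION_UNIT_SIZE. The same substitution appears in the stx_size, close-time lazysize, attribute-merge and SEEK_HOLE hunks, so it is worth confirming once that each is reached only after key setup. If that is the invariant, record it next to the check, e.g. `/* key info is set up before this point; absence means no key */`. The enclosing function starts and ends outside the hunk.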
stx.stx_mode = body->mbo_mode;
stx.stx_ino = cl_fid_build_ino(&body->mbo_fid1,
api32);
- if (ll_require_key(inode) == -ENOKEY)
+ if (IS_ENCRYPTED(inode) &&
+ !ll_has_encryption_key(inode))
stx.stx_size = round_up(stx.stx_size,
LUSTRE_ENCRYPTION_UNIT_SIZE);
else
* stored into lli_lazysize in ll_merge_attr(), so set proper file size
* now that we are closing.
*/
- if (ll_require_key(inode) == -ENOKEY &&
+ if (IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode) &&
ll_i2info(inode)->lli_attr_valid & OBD_MD_FLLAZYSIZE) {
op_data->op_attr.ia_size = ll_i2info(inode)->lli_lazysize;
if (IS_PCCCOPY(inode)) {
CDEBUG(D_VFSTRACE, DFID" updating i_size %llu i_blocks %llu\n",
PFID(&lli->lli_fid), attr->cat_size, attr->cat_blocks);
- if (ll_require_key(inode) == -ENOKEY) {
+ if (IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode)) {
/* Without the key, round up encrypted file size to next
* LUSTRE_ENCRYPTION_UNIT_SIZE. Clear text size is put in
* lli_lazysize for proper file size setting at close time.
/* Without the key, SEEK_HOLE return value has to be
* rounded up to next LUSTRE_ENCRYPTION_UNIT_SIZE.
*/
- if (ll_require_key(inode) == -ENOKEY && whence == SEEK_HOLE)
+ if (IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode) &&
+ whence == SEEK_HOLE)
retval = round_up(retval, LUSTRE_ENCRYPTION_UNIT_SIZE);
RETURN(retval);
if (filename_is_volatile(dentry->d_name.name,
dentry->d_name.len,
NULL) &&
- ll_require_key(inode) == -ENOKEY) {
+ !ll_has_encryption_key(inode)) {
struct file *ref_file;
struct inode *ref_inode;
struct ll_inode_info *ref_lli;
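Review bot: This is the one converted condition that drops to a bare `!ll_has_encryption_key(inode)` without the `IS_ENCRYPTED(inode) &&` guard used in the other hunks. The commit message states that fscrypt_has_encryption_key() needs an accompanying encryption test, and the old `ll_require_key(inode) == -ENOKEY` could be true for an unencrypted inode only when it was a PCC copy. Unless an IS_ENCRYPTED() check sits above this `if` outside the hunk, volatile files on unencrypted inodes may now take this branch. Suggested last operand: `IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode)) {`, after confirming whether unencrypted PCC copies need separate handling. The `if` statement and its function begin before the hunk and continue after it.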
* we will need it in ll_prepare_close().
*/
if (lli->lli_attr_valid & OBD_MD_FLLAZYSIZE && lli->lli_lazysize &&
- ll_require_key(inode) == -ENOKEY)
+ IS_ENCRYPTED(inode) && !ll_has_encryption_key(inode))
lli->lli_attr_valid = body->mbo_valid | OBD_MD_FLLAZYSIZE;
else
lli->lli_attr_valid = body->mbo_valid;
if (!IS_ENCRYPTED(inode))
RETURN(0);
- if (ll_require_key(inode) == -ENOKEY &&
+ if (!ll_has_encryption_key(inode) &&
pcci->pcci_lli->lli_attr_valid & OBD_MD_FLLAZYSIZE)
size = pcci->pcci_lli->lli_lazysize;
else
digest->cdf_fid = *fid;
memcpy(digest->cdf_excerpt,
- LLCRYPT_FNAME_DIGEST(ln->ln_name, ln->ln_namelen),
+ LLCRYPT_EXTRACT_DIGEST(ln->ln_name, ln->ln_namelen),
LL_CRYPTO_BLOCK_SIZE);
p = (char *)digest;
len = sizeof(*digest);
stack_trap cleanup_local_client_nodemap EXIT
mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
+ echo "setup local client nodmap c0"
setup_local_client_nodemap "c0" 1 1
yes | fscrypt setup --force --verbose ||
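Review bot: The added progress message `echo "setup local client nodmap c0"` misspells nodemap, so searching the test log for "nodemap" will skip this line. Suggested: `echo "setup local client nodemap c0"`. The test function begins before the hunk and continues after it.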
/etc/fscrypt.conf
yes | fscrypt setup --verbose $MOUNT ||
echo "fscrypt setup $MOUNT already done"
+ echo "fscrypt for mount $MOUNT is ready for use"
stack_trap "rm -rf $MOUNT/.fscrypt"
# file_perms is required because fscrypt uses chmod/chown
do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
--value $rbac ||
error "setting rbac $rbac failed (1)"
+ echo "waiting for nodemap file_perms and fscrypt to be modified"
wait_nm_sync c0 rbac
mkdir -p $vaultdir
- set -vx
echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
--source=custom_passphrase --name=protector_64 $vaultdir ||
error "fscrypt encrypt $vaultdir failed"
fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (1)"
+ echo "$vaultdir is locked away with encryption"
policy=$(fscrypt status $vaultdir | awk '$1 == "Policy:"{print $2}')
[ -n "$policy" ] || error "could not get enc policy"
+ echo "fscrypt policy $policy is ready"
protector=$(fscrypt status $vaultdir |
awk 'BEGIN {found=0} { if (found == 1) { print $1 }} \
$1 == "PROTECTOR" {found=1}')