LU-12275 sec: decryption for read path 45/36145/28
authorSebastien Buisson <sbuisson@ddn.com>
Thu, 22 Aug 2019 08:48:19 +0000 (08:48 +0000)
committerOleg Drokin <green@whamcloud.com>
Tue, 16 Jun 2020 03:53:39 +0000 (03:53 +0000)
With the support for encryption, all files need to be opened with
fscrypt_file_open(). fscrypt will retrieve the encryption context if the
file is encrypted, or return immediately if not.
Decryption itself is carried out in osc_brw_fini_request(), right
after the reply has been received from the server.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I8f8f87eb8e07e35e1a4e6cc157ceddfef6934753
Reviewed-on: https://review.whamcloud.com/36145
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Patrick Farrell <farr0186@gmail.com>
Reviewed-by: John L. Hammond <jhammond@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/llite/crypto.c
lustre/llite/file.c
lustre/osc/osc_request.c

index cdaac80..84509dd 100644 (file)
@@ -45,6 +45,9 @@ static int ll_get_context(struct inode *inode, void *ctx, size_t len)
        rc = ll_vfs_getxattr(dentry, inode, LL_XATTR_NAME_ENCRYPTION_CONTEXT,
                             ctx, len);
 
+       /* used as encryption unit size */
+       if (S_ISREG(inode->i_mode))
+               inode->i_blkbits = LUSTRE_ENCRYPTION_BLOCKBITS;
        return rc;
 }
 
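Review bot: `inode->i_blkbits` is overwritten before `rc` is examined, so a failed `ll_vfs_getxattr()` (for instance on a regular file that carries no encryption context) still changes the inode's block size as a side effect of what is otherwise a getter. Guarding the assignment would limit it to inodes whose context was actually read, presumably `if (rc >= 0 && S_ISREG(inode->i_mode))`. The comment would also be clearer if it said who consumes the value, e.g. `/* llcrypt takes its encryption unit size from i_blkbits */`, assuming that is the reason. The start of ll_get_context() is outside this hunk.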
index aac8685..5a543da 100644 (file)
@@ -706,6 +706,12 @@ int ll_file_open(struct inode *inode, struct file *file)
        it = file->private_data; /* XXX: compat macro */
        file->private_data = NULL; /* prevent ll_local_open assertion */
 
+       if (S_ISREG(inode->i_mode)) {
+               rc = llcrypt_file_open(inode, file);
+               if (rc)
+                       GOTO(out_nofiledata, rc);
+       }
+
        fd = ll_file_data_get();
        if (fd == NULL)
                GOTO(out_nofiledata, rc = -ENOMEM);
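Review bot: The new error exit runs after `it` has been taken from `file->private_data` and that field cleared, so `out_nofiledata` (outside this hunk) must release whatever the intent still holds; please confirm the label covers this new early failure. A refused open is also silent here, whereas the read path in osc_brw_fini_request() records a missing key with `CDEBUG(D_SEC, ...)`. A matching line before the `GOTO`, such as `CDEBUG(D_SEC, "llcrypt_file_open failed for ino %lu: rc = %d\n", inode->i_ino, rc);`, would make key-related denials traceable. A short comment that the call returns immediately for unencrypted files, as the commit message states, would explain why it is made for every regular file.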
index fea0c94..cb53cc6 100644 (file)
@@ -1850,6 +1850,7 @@ static int osc_brw_fini_request(struct ptlrpc_request *req, int rc)
                &req->rq_import->imp_connection->c_peer;
        struct ost_body *body;
        u32 client_cksum = 0;
+       struct inode *inode;
 
        ENTRY;
 
@@ -2037,6 +2038,36 @@ static int osc_brw_fini_request(struct ptlrpc_request *req, int rc)
        } else {
                rc = 0;
        }
+
+       inode = page2inode(aa->aa_ppga[0]->pg);
+       if (inode && IS_ENCRYPTED(inode)) {
+               int idx;
+
+               if (!llcrypt_has_encryption_key(inode)) {
+                       CDEBUG(D_SEC, "no enc key for ino %lu\n", inode->i_ino);
+                       GOTO(out, rc);
+               }
+               for (idx = 0; idx < aa->aa_page_count; idx++) {
+                       struct brw_page *pg = aa->aa_ppga[idx];
+                       __u64 *p, *q;
+
+                       /* do not decrypt if page is all 0s */
+                       p = q = page_address(pg->pg);
+                       while (p - q < PAGE_SIZE / sizeof(*p)) {
+                               if (*p != 0)
+                                       break;
+                               p++;
+                       }
+                       if (p - q == PAGE_SIZE / sizeof(*p))
+                               continue;
+
+                       rc = llcrypt_decrypt_pagecache_blocks(pg->pg,
+                                                             PAGE_SIZE, 0);
+                       if (rc)
+                               GOTO(out, rc);
+               }
+       }
+
 out:
        if (rc >= 0)
                lustre_get_wire_obdo(&req->rq_import->imp_connect_data,
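Review bot: The `!llcrypt_has_encryption_key(inode)` branch jumps to `out` with `rc` unchanged, so when the preceding `else` left `rc` at 0 the read completes successfully and the pages keep the undecrypted data, with only a `D_SEC` debug line recording it. If handing back ciphertext is intended, a comment should say why that is safe; otherwise fail the request, e.g. `GOTO(out, rc = -ENOKEY);`. Separately, the all-zero test and the decrypt call both cover a whole `PAGE_SIZE`, while ll_get_context() sets the encryption unit from `LUSTRE_ENCRYPTION_BLOCKBITS`. If that unit can be smaller than a page (its value is not visible here), a zero-filled unit sharing a page with data would be decrypted as well, so the scan and the decrypt should step per unit, and `memchr_inv()` could replace the hand-written zero scan. `aa->aa_ppga[0]` is also read without checking `aa->aa_page_count`, and osc_brw_fini_request() starts and ends outside this hunk, so confirm that neither an empty request nor the write path can reach this block.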