From patchwork Tue Apr 5 09:46:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 556271 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9EA05C4321E for ; Tue, 5 Apr 2022 11:08:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237171AbiDELJQ (ORCPT ); Tue, 5 Apr 2022 07:09:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349449AbiDEJtx (ORCPT ); Tue, 5 Apr 2022 05:49:53 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34B07BC21; Tue, 5 Apr 2022 02:46:13 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id CC66F1F745; Tue, 5 Apr 2022 09:46:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1649151971; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0uwiZrHoEAwcm/6E7Q4jt1XioHQJ0mFo4nPx9wPkC7M=; b=vTn7v+5eE15F5XfHC49KXH+GbYNHajNpptQnF+HdxDHcDqC5/E2zq7VyorIH4WHv63ULg0 2qJRneUAxahohw9lAX3IV44S+WYD2+SWA+no5R8erN+S7hS3XIX957vJ1TOCi3jKmTJHSR SWjo/6/b2npudNu3Ns72QZN9LNLe/HU= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1649151971; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0uwiZrHoEAwcm/6E7Q4jt1XioHQJ0mFo4nPx9wPkC7M=; b=ZURMVzrBie0K8SUtopzCCv8PIes2tV/5g2C0ME6LLs4Ml3WuF6n5XCnsd0H6HVf4kETvx6 KzpG7Mc4JuhDEADw== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 6B3D813A04; Tue, 5 Apr 2022 09:46:11 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 6i9RF+MPTGKdPQAAMHmgww (envelope-from ); Tue, 05 Apr 2022 09:46:11 +0000 Received: from localhost (brahms.olymp [local]) by brahms.olymp (OpenSMTPD) with ESMTPA id 33f2eaf2; Tue, 5 Apr 2022 09:46:34 +0000 (UTC) From: =?utf-8?q?Lu=C3=ADs_Henriques?= To: Eric Biggers , Jeff Layton Cc: ceph-devel@vger.kernel.org, fstests@vger.kernel.org, =?utf-8?q?Lu=C3=ADs?= =?utf-8?q?_Henriques?= Subject: [PATCH v3] common/encrypt: allow the use of 'fscrypt:' as key prefix Date: Tue, 5 Apr 2022 10:46:33 +0100 Message-Id: <20220405094633.17285-1-lhenriques@suse.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: ceph-devel@vger.kernel.org fscrypt keys have used the $FSTYP as prefix. However this format is being deprecated and newer kernels are expected to use the generic 'fscrypt:' prefix instead. This patch adds support for this new prefix, and only uses $FSTYP on filesystems that didn't initially supported it, i.e. ext4 and f2fs. This will allow old kernels to be tested. Signed-off-by: Luís Henriques --- common/encrypt | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) Changes since v2: - updated _get_fs_keyprefix() and commit description Changes since v1: - ubifs now follows into the default case (i.e. to use the 'fscrypt' key prefix) - dropped local variable from _get_fs_keyprefix() diff --git a/common/encrypt b/common/encrypt index f90c4ef05a3f..e2683f99dcc2 100644 --- a/common/encrypt +++ b/common/encrypt @@ -250,6 +250,25 @@ _num_to_hex() fi } +# When fscrypt keys are added using the legacy mechanism (process-subscribed +# keyrings rather than filesystem keyrings), they are normally named +# "fscrypt:KEYDESC" where KEYDESC is the 16-character key descriptor hex string. +# However, ext4 and f2fs didn't add support for the "fscrypt" prefix until +# kernel v4.8 and v4.6, respectively. Before that, they used "ext4" and "f2fs", +# respectively. To allow testing ext4 and f2fs encryption on kernels older than +# this, we use these filesystem-specific prefixes for ext4 and f2fs. +_get_fs_keyprefix() +{ + case $FSTYP in + ext4|f2fs) + echo $FSTYP + ;; + *) + echo fscrypt + ;; + esac +} + # Add the specified raw encryption key to the session keyring, using the # specified key descriptor. _add_session_encryption_key() @@ -268,18 +287,11 @@ _add_session_encryption_key() # }; # # The kernel ignores 'mode' but requires that 'size' be 64. - # - # Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key - # descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 - # and later) also allow the common key prefix "fscrypt:" in addition to - # their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be - # nice to use the common key prefix, but for now use the filesystem- - # specific prefix to make it possible to test older kernels... - # local mode=$(_num_to_hex 0 4) local size=$(_num_to_hex 64 4) + local prefix=$(_get_fs_keyprefix) echo -n -e "${mode}${raw}${size}" | - $KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full + $KEYCTL_PROG padd logon $prefix:$keydesc @s >>$seqres.full } # @@ -302,7 +314,8 @@ _generate_session_encryption_key() _unlink_session_encryption_key() { local keydesc=$1 - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) + local prefix=$(_get_fs_keyprefix) + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) $KEYCTL_PROG unlink $keyid >>$seqres.full } @@ -310,7 +323,8 @@ _unlink_session_encryption_key() _revoke_session_encryption_key() { local keydesc=$1 - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) + local prefix=$(_get_fs_keyprefix) + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) $KEYCTL_PROG revoke $keyid >>$seqres.full }