linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-06 05:27:07 +02:00

Linux kernel source tree

Go to file

Eric Biggers 391cceee6d fscrypt: stop using keyrings subsystem for fscrypt_master_key commit `d7e7b9af10` upstream. The approach of fs/crypto/ internally managing the fscrypt_master_key structs as the payloads of "struct key" objects contained in a "struct key" keyring has outlived its usefulness. The original idea was to simplify the code by reusing code from the keyrings subsystem. However, several issues have arisen that can't easily be resolved: - When a master key struct is destroyed, blk_crypto_evict_key() must be called on any per-mode keys embedded in it. (This started being the case when inline encryption support was added.) Yet, the keyrings subsystem can arbitrarily delay the destruction of keys, even past the time the filesystem was unmounted. Therefore, currently there is no easy way to call blk_crypto_evict_key() when a master key is destroyed. Currently, this is worked around by holding an extra reference to the filesystem's request_queue(s). But it was overlooked that the request_queue reference is not guaranteed to pin the corresponding blk_crypto_profile too; for device-mapper devices that support inline crypto, it doesn't. This can cause a use-after-free. - When the last inode that was using an incompletely-removed master key is evicted, the master key removal is completed by removing the key struct from the keyring. Currently this is done via key_invalidate(). Yet, key_invalidate() takes the key semaphore. This can deadlock when called from the shrinker, since in fscrypt_ioctl_add_key(), memory is allocated with GFP_KERNEL under the same semaphore. - More generally, the fact that the keyrings subsystem can arbitrarily delay the destruction of keys (via garbage collection delay, or via random processes getting temporary key references) is undesirable, as it means we can't strictly guarantee that all secrets are ever wiped. - Doing the master key lookups via the keyrings subsystem results in the key_permission LSM hook being called. fscrypt doesn't want this, as all access control for encrypted files is designed to happen via the files themselves, like any other files. The workaround which SELinux users are using is to change their SELinux policy to grant key search access to all domains. This works, but it is an odd extra step that shouldn't really have to be done. The fix for all these issues is to change the implementation to what I should have done originally: don't use the keyrings subsystem to keep track of the filesystem's fscrypt_master_key structs. Instead, just store them in a regular kernel data structure, and rework the reference counting, locking, and lifetime accordingly. Retain support for RCU-mode key lookups by using a hash table. Replace fscrypt_sb_free() with fscrypt_sb_delete(), which releases the keys synchronously and runs a bit earlier during unmount, so that block devices are still available. A side effect of this patch is that neither the master keys themselves nor the filesystem keyrings will be listed in /proc/keys anymore. ("Master key users" and the master key users keyrings will still be listed.) However, this was mostly an implementation detail, and it was intended just for debugging purposes. I don't know of anyone using it. This patch does not change how "master key users" (->mk_users) works; that still uses the keyrings subsystem. That is still needed for key quotas, and changing that isn't necessary to solve the issues listed above. If we decide to change that too, it would be a separate patch. I've marked this as fixing the original commit that added the fscrypt keyring, but as noted above the most important issue that this patch fixes wasn't introduced until the addition of inline encryption support. Fixes: `22d94f493b` ("fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl") Signed-off-by: Eric Biggers <ebiggers@google.com> Link: https://lore.kernel.org/r/20220901193208.138056-2-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2022-11-10 18:14:24 +01:00
arch	arm64: dts: juno: Add thermal critical trip points	2022-11-10 18:14:23 +01:00
block	block, bfq: protect 'bfqd->queued' by 'bfqd->lock'	2022-11-10 18:14:24 +01:00
certs	certs/blacklist_hashes.c: fix const confusion in certs blacklist	2022-06-22 14:13:17 +02:00
crypto	crypto: akcipher - default implementation for setting a private key	2022-10-26 13:25:42 +02:00
Documentation	arm64: errata: Remove AES hwcap for COMPAT tasks	2022-10-30 09:41:16 +01:00
drivers	i2c: piix4: Fix adapter not be removed in piix4_remove()	2022-11-10 18:14:24 +01:00
fs	fscrypt: stop using keyrings subsystem for fscrypt_master_key	2022-11-10 18:14:24 +01:00
include	fscrypt: stop using keyrings subsystem for fscrypt_master_key	2022-11-10 18:14:24 +01:00
init	Kconfig: Add option for asm goto w/ tied outputs to workaround clang-13 bug	2022-06-09 10:21:25 +02:00
ipc	ipc/mqueue: use get_tree_nodev() in mqueue_get_tree()	2022-06-09 10:21:17 +02:00
kernel	PM: hibernate: Allow hybrid sleep to work with s2idle	2022-11-03 23:57:52 +09:00
lib	dyndbg: drop EXPORTed dynamic_debug_exec_queries	2022-10-26 13:25:34 +02:00
LICENSES	LICENSES/deprecated: add Zlib license text	2020-09-16 14:33:49 +02:00
mm	mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages	2022-11-03 23:57:50 +09:00
net	Bluetooth: L2CAP: Fix attempting to access uninitialized memory	2022-11-10 18:14:24 +01:00
samples	x86: Prepare inline-asm for straight-line-speculation	2022-07-25 11:26:29 +02:00
scripts	kbuild: Add skip_encoding_btf_enum64 option to pahole	2022-10-28 12:57:12 +02:00
security	selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()	2022-10-30 09:41:15 +01:00
sound	ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices	2022-11-10 18:14:24 +01:00
tools	perf auxtrace: Fix address filter symbol name match for modules	2022-11-03 23:57:50 +09:00
usr	usr/include/Makefile: add linux/nfc.h to the compile-test coverage	2022-02-01 17:25:48 +01:00
virt	kvm: Add support for arch compat vm ioctls	2022-10-30 09:41:15 +01:00
.clang-format	RDMA 5.10 pull request	2020-10-17 11:18:18 -07:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore	kbuild: generate Module.symvers only when vmlinux exists	2021-05-19 10:12:59 +02:00
.mailmap	mailmap: add two more addresses of Uwe Kleine-König	2020-12-06 10:19:07 -08:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Move Jason Cooper to CREDITS	2020-11-30 10:20:34 +01:00
Kbuild	kbuild: rename hostprogs-y/always to hostprogs/always-y	2020-02-04 01:53:07 +09:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	MAINTAINERS: add Amir as xfs maintainer for 5.10.y	2022-07-02 16:39:22 +02:00
Makefile	Linux 5.10.153	2022-11-03 23:57:54 +09:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.