mirror of
https://github.com/torvalds/linux.git
synced 2026-06-08 14:42:37 +02:00
cb39ec0c10
Add a device-mapper target "dm-default-key" which assigns an encryption key to bios that aren't for the contents of an encrypted file. This ensures that all blocks on-disk will be encrypted with some key, without the performance hit of file contents being encrypted twice when fscrypt (File-Based Encryption) is used. It is only appropriate to use dm-default-key when key configuration is tightly controlled, like it is in Android, such that all fscrypt keys are at least as hard to compromise as the default key. Compared to the original version of dm-default-key, this has been modified to use the new vendor-independent inline encryption framework (which works even when no inline encryption hardware is present), the table syntax has been changed to match dm-crypt, and support for specifying Adiantum encryption has been added. These changes also mean that dm-default-key now always explicitly specifies the DUN (the IV). Also, to handle f2fs moving blocks of encrypted files around without the key, and to handle ext4 and f2fs filesystems mounted without '-o inlinecrypt', the mapping logic is no longer "set a key on the bio if it doesn't have one already", but rather "set a key on the bio unless the bio has the bi_skip_dm_default_key flag set". Filesystems set this flag on *all* bios for encrypted file contents, regardless of whether they are encrypting/decrypting the file using inline encryption or the traditional filesystem-layer encryption, or moving the raw data. For the bi_skip_dm_default_key flag, a new field in struct bio is used rather than a bit in bi_opf so that fscrypt_set_bio_crypt_ctx() can set the flag, minimizing the changes needed to filesystems. (bi_opf is usually overwritten after fscrypt_set_bio_crypt_ctx() is called.) Bug: 137270441 Bug: 147814592 Change-Id: I69c9cd1e968ccf990e4ad96e5115b662237f5095 Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
|---|---|---|
| .. | ||
| acl.c | ||
| acl.h | ||
| checkpoint.c | ||
| data.c | ||
| debug.c | ||
| dir.c | ||
| extent_cache.c | ||
| f2fs.h | ||
| file.c | ||
| gc.c | ||
| gc.h | ||
| hash.c | ||
| inline.c | ||
| inode.c | ||
| Kconfig | ||
| Makefile | ||
| namei.c | ||
| node.c | ||
| node.h | ||
| recovery.c | ||
| segment.c | ||
| segment.h | ||
| shrinker.c | ||
| super.c | ||
| sysfs.c | ||
| trace.c | ||
| trace.h | ||
| verity.c | ||
| xattr.c | ||
| xattr.h | ||