1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Filesystem-level keyring for fscrypt
4
 *
5
 * Copyright 2019 Google LLC
6
 */
7

8
/*
9
 * This file implements management of fscrypt master keys in the
10
 * filesystem-level keyring, including the ioctls:
11
 *
12
 * - FS_IOC_ADD_ENCRYPTION_KEY
13
 * - FS_IOC_REMOVE_ENCRYPTION_KEY
14
 * - FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS
15
 * - FS_IOC_GET_ENCRYPTION_KEY_STATUS
16
 *
17
 * See the "User API" section of Documentation/filesystems/fscrypt.rst for more
18
 * information about these ioctls.
19
 */
20

21
#include <crypto/skcipher.h>
22
#include <linux/export.h>
23
#include <linux/key-type.h>
24
#include <linux/once.h>
25
#include <linux/random.h>
26
#include <linux/seq_file.h>
27
#include <linux/unaligned.h>
28

29
#include "fscrypt_private.h"
30

31
/* The master encryption keys for a filesystem (->s_master_keys) */
32
struct fscrypt_keyring {
33
	/*
34
	 * Lock that protects ->key_hashtable.  It does *not* protect the
35
	 * fscrypt_master_key structs themselves.
36
	 */
37
	spinlock_t lock;
38

39
	/* Hash table that maps fscrypt_key_specifier to fscrypt_master_key */
40
	struct hlist_head key_hashtable[128];
41
};
42

43
static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret)
44
{
45
	fscrypt_destroy_hkdf(&secret->hkdf);
46
	memzero_explicit(secret, sizeof(*secret));
47
}
48

49
static void move_master_key_secret(struct fscrypt_master_key_secret *dst,
50
				   struct fscrypt_master_key_secret *src)
51
{
52
	memcpy(dst, src, sizeof(*dst));
53
	memzero_explicit(src, sizeof(*src));
54
}
55

56
static void fscrypt_free_master_key(struct rcu_head *head)
57
{
58
	struct fscrypt_master_key *mk =
59
		container_of(head, struct fscrypt_master_key, mk_rcu_head);
60
	/*
61
	 * The master key secret and any embedded subkeys should have already
62
	 * been wiped when the last active reference to the fscrypt_master_key
63
	 * struct was dropped; doing it here would be unnecessarily late.
64
	 * Nevertheless, use kfree_sensitive() in case anything was missed.
65
	 */
66
	kfree_sensitive(mk);
67
}
68

69
void fscrypt_put_master_key(struct fscrypt_master_key *mk)
70
{
71
	if (!refcount_dec_and_test(&mk->mk_struct_refs))
72
		return;
73
	/*
74
	 * No structural references left, so free ->mk_users, and also free the
75
	 * fscrypt_master_key struct itself after an RCU grace period ensures
76
	 * that concurrent keyring lookups can no longer find it.
77
	 */
78
	WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 0);
79
	if (mk->mk_users) {
80
		/* Clear the keyring so the quota gets released right away. */
81
		keyring_clear(mk->mk_users);
82
		key_put(mk->mk_users);
83
		mk->mk_users = NULL;
84
	}
85
	call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);
86
}
87

88
void fscrypt_put_master_key_activeref(struct super_block *sb,
89
				      struct fscrypt_master_key *mk)
90
{
91
	size_t i;
92

93
	if (!refcount_dec_and_test(&mk->mk_active_refs))
94
		return;
95
	/*
96
	 * No active references left, so complete the full removal of this
97
	 * fscrypt_master_key struct by removing it from the keyring and
98
	 * destroying any subkeys embedded in it.
99
	 */
100

101
	if (WARN_ON_ONCE(!sb->s_master_keys))
102
		return;
103
	spin_lock(&sb->s_master_keys->lock);
104
	hlist_del_rcu(&mk->mk_node);
105
	spin_unlock(&sb->s_master_keys->lock);
106

107
	/*
108
	 * ->mk_active_refs == 0 implies that ->mk_present is false and
109
	 * ->mk_decrypted_inodes is empty.
110
	 */
111
	WARN_ON_ONCE(mk->mk_present);
112
	WARN_ON_ONCE(!list_empty(&mk->mk_decrypted_inodes));
113

114
	for (i = 0; i <= FSCRYPT_MODE_MAX; i++) {
115
		fscrypt_destroy_prepared_key(
116
				sb, &mk->mk_direct_keys[i]);
117
		fscrypt_destroy_prepared_key(
118
				sb, &mk->mk_iv_ino_lblk_64_keys[i]);
119
		fscrypt_destroy_prepared_key(
120
				sb, &mk->mk_iv_ino_lblk_32_keys[i]);
121
	}
122
	memzero_explicit(&mk->mk_ino_hash_key,
123
			 sizeof(mk->mk_ino_hash_key));
124
	mk->mk_ino_hash_key_initialized = false;
125

126
	/* Drop the structural ref associated with the active refs. */
127
	fscrypt_put_master_key(mk);
128
}
129

130
/*
131
 * This transitions the key state from present to incompletely removed, and then
132
 * potentially to absent (depending on whether inodes remain).
133
 */
134
static void fscrypt_initiate_key_removal(struct super_block *sb,
135
					 struct fscrypt_master_key *mk)
136
{
137
	WRITE_ONCE(mk->mk_present, false);
138
	wipe_master_key_secret(&mk->mk_secret);
139
	fscrypt_put_master_key_activeref(sb, mk);
140
}
141

142
static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec)
143
{
144
	if (spec->__reserved)
145
		return false;
146
	return master_key_spec_len(spec) != 0;
147
}
148

149
static int fscrypt_user_key_instantiate(struct key *key,
150
					struct key_preparsed_payload *prep)
151
{
152
	/*
153
	 * We just charge FSCRYPT_MAX_RAW_KEY_SIZE bytes to the user's key quota
154
	 * for each key, regardless of the exact key size.  The amount of memory
155
	 * actually used is greater than the size of the raw key anyway.
156
	 */
157
	return key_payload_reserve(key, FSCRYPT_MAX_RAW_KEY_SIZE);
158
}
159

160
static void fscrypt_user_key_describe(const struct key *key, struct seq_file *m)
161
{
162
	seq_puts(m, key->description);
163
}
164

165
/*
166
 * Type of key in ->mk_users.  Each key of this type represents a particular
167
 * user who has added a particular master key.
168
 *
169
 * Note that the name of this key type really should be something like
170
 * ".fscrypt-user" instead of simply ".fscrypt".  But the shorter name is chosen
171
 * mainly for simplicity of presentation in /proc/keys when read by a non-root
172
 * user.  And it is expected to be rare that a key is actually added by multiple
173
 * users, since users should keep their encryption keys confidential.
174
 */
175
static struct key_type key_type_fscrypt_user = {
176
	.name			= ".fscrypt",
177
	.instantiate		= fscrypt_user_key_instantiate,
178
	.describe		= fscrypt_user_key_describe,
179
};
180

181
#define FSCRYPT_MK_USERS_DESCRIPTION_SIZE	\
182
	(CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \
183
	 CONST_STRLEN("-users") + 1)
184

185
#define FSCRYPT_MK_USER_DESCRIPTION_SIZE	\
186
	(2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1)
187

188
static void format_mk_users_keyring_description(
189
			char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE],
190
			const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
191
{
192
	sprintf(description, "fscrypt-%*phN-users",
193
		FSCRYPT_KEY_IDENTIFIER_SIZE, mk_identifier);
194
}
195

196
static void format_mk_user_description(
197
			char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE],
198
			const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
199
{
200

201
	sprintf(description, "%*phN.uid.%u", FSCRYPT_KEY_IDENTIFIER_SIZE,
202
		mk_identifier, __kuid_val(current_fsuid()));
203
}
204

205
/* Create ->s_master_keys if needed.  Synchronized by fscrypt_add_key_mutex. */
206
static int allocate_filesystem_keyring(struct super_block *sb)
207
{
208
	struct fscrypt_keyring *keyring;
209

210
	if (sb->s_master_keys)
211
		return 0;
212

213
	keyring = kzalloc(sizeof(*keyring), GFP_KERNEL);
214
	if (!keyring)
215
		return -ENOMEM;
216
	spin_lock_init(&keyring->lock);
217
	/*
218
	 * Pairs with the smp_load_acquire() in fscrypt_find_master_key().
219
	 * I.e., here we publish ->s_master_keys with a RELEASE barrier so that
220
	 * concurrent tasks can ACQUIRE it.
221
	 */
222
	smp_store_release(&sb->s_master_keys, keyring);
223
	return 0;
224
}
225

226
/*
227
 * Release all encryption keys that have been added to the filesystem, along
228
 * with the keyring that contains them.
229
 *
230
 * This is called at unmount time, after all potentially-encrypted inodes have
231
 * been evicted.  The filesystem's underlying block device(s) are still
232
 * available at this time; this is important because after user file accesses
233
 * have been allowed, this function may need to evict keys from the keyslots of
234
 * an inline crypto engine, which requires the block device(s).
235
 */
236
void fscrypt_destroy_keyring(struct super_block *sb)
237
{
238
	struct fscrypt_keyring *keyring = sb->s_master_keys;
239
	size_t i;
240

241
	if (!keyring)
242
		return;
243

244
	for (i = 0; i < ARRAY_SIZE(keyring->key_hashtable); i++) {
245
		struct hlist_head *bucket = &keyring->key_hashtable[i];
246
		struct fscrypt_master_key *mk;
247
		struct hlist_node *tmp;
248

249
		hlist_for_each_entry_safe(mk, tmp, bucket, mk_node) {
250
			/*
251
			 * Since all potentially-encrypted inodes were already
252
			 * evicted, every key remaining in the keyring should
253
			 * have an empty inode list, and should only still be in
254
			 * the keyring due to the single active ref associated
255
			 * with ->mk_present.  There should be no structural
256
			 * refs beyond the one associated with the active ref.
257
			 */
258
			WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 1);
259
			WARN_ON_ONCE(refcount_read(&mk->mk_struct_refs) != 1);
260
			WARN_ON_ONCE(!mk->mk_present);
261
			fscrypt_initiate_key_removal(sb, mk);
262
		}
263
	}
264
	kfree_sensitive(keyring);
265
	sb->s_master_keys = NULL;
266
}
267

268
static struct hlist_head *
269
fscrypt_mk_hash_bucket(struct fscrypt_keyring *keyring,
270
		       const struct fscrypt_key_specifier *mk_spec)
271
{
272
	/*
273
	 * Since key specifiers should be "random" values, it is sufficient to
274
	 * use a trivial hash function that just takes the first several bits of
275
	 * the key specifier.
276
	 */
277
	unsigned long i = get_unaligned((unsigned long *)&mk_spec->u);
278

279
	return &keyring->key_hashtable[i % ARRAY_SIZE(keyring->key_hashtable)];
280
}
281

282
/*
283
 * Find the specified master key struct in ->s_master_keys and take a structural
284
 * ref to it.  The structural ref guarantees that the key struct continues to
285
 * exist, but it does *not* guarantee that ->s_master_keys continues to contain
286
 * the key struct.  The structural ref needs to be dropped by
287
 * fscrypt_put_master_key().  Returns NULL if the key struct is not found.
288
 */
289
struct fscrypt_master_key *
290
fscrypt_find_master_key(struct super_block *sb,
291
			const struct fscrypt_key_specifier *mk_spec)
292
{
293
	struct fscrypt_keyring *keyring;
294
	struct hlist_head *bucket;
295
	struct fscrypt_master_key *mk;
296

297
	/*
298
	 * Pairs with the smp_store_release() in allocate_filesystem_keyring().
299
	 * I.e., another task can publish ->s_master_keys concurrently,
300
	 * executing a RELEASE barrier.  We need to use smp_load_acquire() here
301
	 * to safely ACQUIRE the memory the other task published.
302
	 */
303
	keyring = smp_load_acquire(&sb->s_master_keys);
304
	if (keyring == NULL)
305
		return NULL; /* No keyring yet, so no keys yet. */
306

307
	bucket = fscrypt_mk_hash_bucket(keyring, mk_spec);
308
	rcu_read_lock();
309
	switch (mk_spec->type) {
310
	case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
311
		hlist_for_each_entry_rcu(mk, bucket, mk_node) {
312
			if (mk->mk_spec.type ==
313
				FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
314
			    memcmp(mk->mk_spec.u.descriptor,
315
				   mk_spec->u.descriptor,
316
				   FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 &&
317
			    refcount_inc_not_zero(&mk->mk_struct_refs))
318
				goto out;
319
		}
320
		break;
321
	case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
322
		hlist_for_each_entry_rcu(mk, bucket, mk_node) {
323
			if (mk->mk_spec.type ==
324
				FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER &&
325
			    memcmp(mk->mk_spec.u.identifier,
326
				   mk_spec->u.identifier,
327
				   FSCRYPT_KEY_IDENTIFIER_SIZE) == 0 &&
328
			    refcount_inc_not_zero(&mk->mk_struct_refs))
329
				goto out;
330
		}
331
		break;
332
	}
333
	mk = NULL;
334
out:
335
	rcu_read_unlock();
336
	return mk;
337
}
338

339
static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk)
340
{
341
	char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE];
342
	struct key *keyring;
343

344
	format_mk_users_keyring_description(description,
345
					    mk->mk_spec.u.identifier);
346
	keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
347
				current_cred(), KEY_POS_SEARCH |
348
				  KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW,
349
				KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
350
	if (IS_ERR(keyring))
351
		return PTR_ERR(keyring);
352

353
	mk->mk_users = keyring;
354
	return 0;
355
}
356

357
/*
358
 * Find the current user's "key" in the master key's ->mk_users.
359
 * Returns ERR_PTR(-ENOKEY) if not found.
360
 */
361
static struct key *find_master_key_user(struct fscrypt_master_key *mk)
362
{
363
	char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE];
364
	key_ref_t keyref;
365

366
	format_mk_user_description(description, mk->mk_spec.u.identifier);
367

368
	/*
369
	 * We need to mark the keyring reference as "possessed" so that we
370
	 * acquire permission to search it, via the KEY_POS_SEARCH permission.
371
	 */
372
	keyref = keyring_search(make_key_ref(mk->mk_users, true /*possessed*/),
373
				&key_type_fscrypt_user, description, false);
374
	if (IS_ERR(keyref)) {
375
		if (PTR_ERR(keyref) == -EAGAIN || /* not found */
376
		    PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */
377
			keyref = ERR_PTR(-ENOKEY);
378
		return ERR_CAST(keyref);
379
	}
380
	return key_ref_to_ptr(keyref);
381
}
382

383
/*
384
 * Give the current user a "key" in ->mk_users.  This charges the user's quota
385
 * and marks the master key as added by the current user, so that it cannot be
386
 * removed by another user with the key.  Either ->mk_sem must be held for
387
 * write, or the master key must be still undergoing initialization.
388
 */
389
static int add_master_key_user(struct fscrypt_master_key *mk)
390
{
391
	char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE];
392
	struct key *mk_user;
393
	int err;
394

395
	format_mk_user_description(description, mk->mk_spec.u.identifier);
396
	mk_user = key_alloc(&key_type_fscrypt_user, description,
397
			    current_fsuid(), current_gid(), current_cred(),
398
			    KEY_POS_SEARCH | KEY_USR_VIEW, 0, NULL);
399
	if (IS_ERR(mk_user))
400
		return PTR_ERR(mk_user);
401

402
	err = key_instantiate_and_link(mk_user, NULL, 0, mk->mk_users, NULL);
403
	key_put(mk_user);
404
	return err;
405
}
406

407
/*
408
 * Remove the current user's "key" from ->mk_users.
409
 * ->mk_sem must be held for write.
410
 *
411
 * Returns 0 if removed, -ENOKEY if not found, or another -errno code.
412
 */
413
static int remove_master_key_user(struct fscrypt_master_key *mk)
414
{
415
	struct key *mk_user;
416
	int err;
417

418
	mk_user = find_master_key_user(mk);
419
	if (IS_ERR(mk_user))
420
		return PTR_ERR(mk_user);
421
	err = key_unlink(mk->mk_users, mk_user);
422
	key_put(mk_user);
423
	return err;
424
}
425

426
/*
427
 * Allocate a new fscrypt_master_key, transfer the given secret over to it, and
428
 * insert it into sb->s_master_keys.
429
 */
430
static int add_new_master_key(struct super_block *sb,
431
			      struct fscrypt_master_key_secret *secret,
432
			      const struct fscrypt_key_specifier *mk_spec)
433
{
434
	struct fscrypt_keyring *keyring = sb->s_master_keys;
435
	struct fscrypt_master_key *mk;
436
	int err;
437

438
	mk = kzalloc(sizeof(*mk), GFP_KERNEL);
439
	if (!mk)
440
		return -ENOMEM;
441

442
	init_rwsem(&mk->mk_sem);
443
	refcount_set(&mk->mk_struct_refs, 1);
444
	mk->mk_spec = *mk_spec;
445

446
	INIT_LIST_HEAD(&mk->mk_decrypted_inodes);
447
	spin_lock_init(&mk->mk_decrypted_inodes_lock);
448

449
	if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
450
		err = allocate_master_key_users_keyring(mk);
451
		if (err)
452
			goto out_put;
453
		err = add_master_key_user(mk);
454
		if (err)
455
			goto out_put;
456
	}
457

458
	move_master_key_secret(&mk->mk_secret, secret);
459
	mk->mk_present = true;
460
	refcount_set(&mk->mk_active_refs, 1); /* ->mk_present is true */
461

462
	spin_lock(&keyring->lock);
463
	hlist_add_head_rcu(&mk->mk_node,
464
			   fscrypt_mk_hash_bucket(keyring, mk_spec));
465
	spin_unlock(&keyring->lock);
466
	return 0;
467

468
out_put:
469
	fscrypt_put_master_key(mk);
470
	return err;
471
}
472

473
#define KEY_DEAD	1
474

475
static int add_existing_master_key(struct fscrypt_master_key *mk,
476
				   struct fscrypt_master_key_secret *secret)
477
{
478
	int err;
479

480
	/*
481
	 * If the current user is already in ->mk_users, then there's nothing to
482
	 * do.  Otherwise, we need to add the user to ->mk_users.  (Neither is
483
	 * applicable for v1 policy keys, which have NULL ->mk_users.)
484
	 */
485
	if (mk->mk_users) {
486
		struct key *mk_user = find_master_key_user(mk);
487

488
		if (mk_user != ERR_PTR(-ENOKEY)) {
489
			if (IS_ERR(mk_user))
490
				return PTR_ERR(mk_user);
491
			key_put(mk_user);
492
			return 0;
493
		}
494
		err = add_master_key_user(mk);
495
		if (err)
496
			return err;
497
	}
498

499
	/* If the key is incompletely removed, make it present again. */
500
	if (!mk->mk_present) {
501
		if (!refcount_inc_not_zero(&mk->mk_active_refs)) {
502
			/*
503
			 * Raced with the last active ref being dropped, so the
504
			 * key has become, or is about to become, "absent".
505
			 * Therefore, we need to allocate a new key struct.
506
			 */
507
			return KEY_DEAD;
508
		}
509
		move_master_key_secret(&mk->mk_secret, secret);
510
		WRITE_ONCE(mk->mk_present, true);
511
	}
512

513
	return 0;
514
}
515

516
static int do_add_master_key(struct super_block *sb,
517
			     struct fscrypt_master_key_secret *secret,
518
			     const struct fscrypt_key_specifier *mk_spec)
519
{
520
	static DEFINE_MUTEX(fscrypt_add_key_mutex);
521
	struct fscrypt_master_key *mk;
522
	int err;
523

524
	mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */
525

526
	mk = fscrypt_find_master_key(sb, mk_spec);
527
	if (!mk) {
528
		/* Didn't find the key in ->s_master_keys.  Add it. */
529
		err = allocate_filesystem_keyring(sb);
530
		if (!err)
531
			err = add_new_master_key(sb, secret, mk_spec);
532
	} else {
533
		/*
534
		 * Found the key in ->s_master_keys.  Add the user to ->mk_users
535
		 * if needed, and make the key "present" again if possible.
536
		 */
537
		down_write(&mk->mk_sem);
538
		err = add_existing_master_key(mk, secret);
539
		up_write(&mk->mk_sem);
540
		if (err == KEY_DEAD) {
541
			/*
542
			 * We found a key struct, but it's already been fully
543
			 * removed.  Ignore the old struct and add a new one.
544
			 * fscrypt_add_key_mutex means we don't need to worry
545
			 * about concurrent adds.
546
			 */
547
			err = add_new_master_key(sb, secret, mk_spec);
548
		}
549
		fscrypt_put_master_key(mk);
550
	}
551
	mutex_unlock(&fscrypt_add_key_mutex);
552
	return err;
553
}
554

555
static int add_master_key(struct super_block *sb,
556
			  struct fscrypt_master_key_secret *secret,
557
			  struct fscrypt_key_specifier *key_spec)
558
{
559
	int err;
560

561
	if (key_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
562
		u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE];
563
		u8 *kdf_key = secret->bytes;
564
		unsigned int kdf_key_size = secret->size;
565
		u8 keyid_kdf_ctx = HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY;
566

567
		/*
568
		 * For raw keys, the fscrypt master key is used directly as the
569
		 * fscrypt KDF key.  For hardware-wrapped keys, we have to pass
570
		 * the master key to the hardware to derive the KDF key, which
571
		 * is then only used to derive non-file-contents subkeys.
572
		 */
573
		if (secret->is_hw_wrapped) {
574
			err = fscrypt_derive_sw_secret(sb, secret->bytes,
575
						       secret->size, sw_secret);
576
			if (err)
577
				return err;
578
			kdf_key = sw_secret;
579
			kdf_key_size = sizeof(sw_secret);
580
			/*
581
			 * To avoid weird behavior if someone manages to
582
			 * determine sw_secret and add it as a raw key, ensure
583
			 * that hardware-wrapped keys and raw keys will have
584
			 * different key identifiers by deriving their key
585
			 * identifiers using different KDF contexts.
586
			 */
587
			keyid_kdf_ctx =
588
				HKDF_CONTEXT_KEY_IDENTIFIER_FOR_HW_WRAPPED_KEY;
589
		}
590
		err = fscrypt_init_hkdf(&secret->hkdf, kdf_key, kdf_key_size);
591
		/*
592
		 * Now that the KDF context is initialized, the raw KDF key is
593
		 * no longer needed.
594
		 */
595
		memzero_explicit(kdf_key, kdf_key_size);
596
		if (err)
597
			return err;
598

599
		/* Calculate the key identifier */
600
		err = fscrypt_hkdf_expand(&secret->hkdf, keyid_kdf_ctx, NULL, 0,
601
					  key_spec->u.identifier,
602
					  FSCRYPT_KEY_IDENTIFIER_SIZE);
603
		if (err)
604
			return err;
605
	}
606
	return do_add_master_key(sb, secret, key_spec);
607
}
608

609
/*
610
 * Validate the size of an fscrypt master key being added.  Note that this is
611
 * just an initial check, as we don't know which ciphers will be used yet.
612
 * There is a stricter size check later when the key is actually used by a file.
613
 */
614
static inline bool fscrypt_valid_key_size(size_t size, u32 add_key_flags)
615
{
616
	u32 max_size = (add_key_flags & FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED) ?
617
		       FSCRYPT_MAX_HW_WRAPPED_KEY_SIZE :
618
		       FSCRYPT_MAX_RAW_KEY_SIZE;
619

620
	return size >= FSCRYPT_MIN_KEY_SIZE && size <= max_size;
621
}
622

623
static int fscrypt_provisioning_key_preparse(struct key_preparsed_payload *prep)
624
{
625
	const struct fscrypt_provisioning_key_payload *payload = prep->data;
626

627
	if (prep->datalen < sizeof(*payload))
628
		return -EINVAL;
629

630
	if (!fscrypt_valid_key_size(prep->datalen - sizeof(*payload),
631
				    payload->flags))
632
		return -EINVAL;
633

634
	if (payload->type != FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
635
	    payload->type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER)
636
		return -EINVAL;
637

638
	if (payload->flags & ~FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED)
639
		return -EINVAL;
640

641
	prep->payload.data[0] = kmemdup(payload, prep->datalen, GFP_KERNEL);
642
	if (!prep->payload.data[0])
643
		return -ENOMEM;
644

645
	prep->quotalen = prep->datalen;
646
	return 0;
647
}
648

649
static void fscrypt_provisioning_key_free_preparse(
650
					struct key_preparsed_payload *prep)
651
{
652
	kfree_sensitive(prep->payload.data[0]);
653
}
654

655
static void fscrypt_provisioning_key_describe(const struct key *key,
656
					      struct seq_file *m)
657
{
658
	seq_puts(m, key->description);
659
	if (key_is_positive(key)) {
660
		const struct fscrypt_provisioning_key_payload *payload =
661
			key->payload.data[0];
662

663
		seq_printf(m, ": %u [%u]", key->datalen, payload->type);
664
	}
665
}
666

667
static void fscrypt_provisioning_key_destroy(struct key *key)
668
{
669
	kfree_sensitive(key->payload.data[0]);
670
}
671

672
static struct key_type key_type_fscrypt_provisioning = {
673
	.name			= "fscrypt-provisioning",
674
	.preparse		= fscrypt_provisioning_key_preparse,
675
	.free_preparse		= fscrypt_provisioning_key_free_preparse,
676
	.instantiate		= generic_key_instantiate,
677
	.describe		= fscrypt_provisioning_key_describe,
678
	.destroy		= fscrypt_provisioning_key_destroy,
679
};
680

681
/*
682
 * Retrieve the key from the Linux keyring key specified by 'key_id', and store
683
 * it into 'secret'.
684
 *
685
 * The key must be of type "fscrypt-provisioning" and must have the 'type' and
686
 * 'flags' field of the payload set to the given values, indicating that the key
687
 * is intended for use for the specified purpose.  We don't use the "logon" key
688
 * type because there's no way to completely restrict the use of such keys; they
689
 * can be used by any kernel API that accepts "logon" keys and doesn't require a
690
 * specific service prefix.
691
 *
692
 * The ability to specify the key via Linux keyring key is intended for cases
693
 * where userspace needs to re-add keys after the filesystem is unmounted and
694
 * re-mounted.  Most users should just provide the key directly instead.
695
 */
696
static int get_keyring_key(u32 key_id, u32 type, u32 flags,
697
			   struct fscrypt_master_key_secret *secret)
698
{
699
	key_ref_t ref;
700
	struct key *key;
701
	const struct fscrypt_provisioning_key_payload *payload;
702
	int err;
703

704
	ref = lookup_user_key(key_id, 0, KEY_NEED_SEARCH);
705
	if (IS_ERR(ref))
706
		return PTR_ERR(ref);
707
	key = key_ref_to_ptr(ref);
708

709
	if (key->type != &key_type_fscrypt_provisioning)
710
		goto bad_key;
711
	payload = key->payload.data[0];
712

713
	/*
714
	 * Don't allow fscrypt v1 keys to be used as v2 keys and vice versa.
715
	 * Similarly, don't allow hardware-wrapped keys to be used as
716
	 * non-hardware-wrapped keys and vice versa.
717
	 */
718
	if (payload->type != type || payload->flags != flags)
719
		goto bad_key;
720

721
	secret->size = key->datalen - sizeof(*payload);
722
	memcpy(secret->bytes, payload->raw, secret->size);
723
	err = 0;
724
	goto out_put;
725

726
bad_key:
727
	err = -EKEYREJECTED;
728
out_put:
729
	key_ref_put(ref);
730
	return err;
731
}
732

733
/*
734
 * Add a master encryption key to the filesystem, causing all files which were
735
 * encrypted with it to appear "unlocked" (decrypted) when accessed.
736
 *
737
 * When adding a key for use by v1 encryption policies, this ioctl is
738
 * privileged, and userspace must provide the 'key_descriptor'.
739
 *
740
 * When adding a key for use by v2+ encryption policies, this ioctl is
741
 * unprivileged.  This is needed, in general, to allow non-root users to use
742
 * encryption without encountering the visibility problems of process-subscribed
743
 * keyrings and the inability to properly remove keys.  This works by having
744
 * each key identified by its cryptographically secure hash --- the
745
 * 'key_identifier'.  The cryptographic hash ensures that a malicious user
746
 * cannot add the wrong key for a given identifier.  Furthermore, each added key
747
 * is charged to the appropriate user's quota for the keyrings service, which
748
 * prevents a malicious user from adding too many keys.  Finally, we forbid a
749
 * user from removing a key while other users have added it too, which prevents
750
 * a user who knows another user's key from causing a denial-of-service by
751
 * removing it at an inopportune time.  (We tolerate that a user who knows a key
752
 * can prevent other users from removing it.)
753
 *
754
 * For more details, see the "FS_IOC_ADD_ENCRYPTION_KEY" section of
755
 * Documentation/filesystems/fscrypt.rst.
756
 */
757
int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg)
758
{
759
	struct super_block *sb = file_inode(filp)->i_sb;
760
	struct fscrypt_add_key_arg __user *uarg = _uarg;
761
	struct fscrypt_add_key_arg arg;
762
	struct fscrypt_master_key_secret secret;
763
	int err;
764

765
	if (copy_from_user(&arg, uarg, sizeof(arg)))
766
		return -EFAULT;
767

768
	if (!valid_key_spec(&arg.key_spec))
769
		return -EINVAL;
770

771
	if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved)))
772
		return -EINVAL;
773

774
	/*
775
	 * Only root can add keys that are identified by an arbitrary descriptor
776
	 * rather than by a cryptographic hash --- since otherwise a malicious
777
	 * user could add the wrong key.
778
	 */
779
	if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
780
	    !capable(CAP_SYS_ADMIN))
781
		return -EACCES;
782

783
	memset(&secret, 0, sizeof(secret));
784

785
	if (arg.flags) {
786
		if (arg.flags & ~FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED)
787
			return -EINVAL;
788
		if (arg.key_spec.type != FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER)
789
			return -EINVAL;
790
		secret.is_hw_wrapped = true;
791
	}
792

793
	if (arg.key_id) {
794
		if (arg.raw_size != 0)
795
			return -EINVAL;
796
		err = get_keyring_key(arg.key_id, arg.key_spec.type, arg.flags,
797
				      &secret);
798
		if (err)
799
			goto out_wipe_secret;
800
	} else {
801
		if (!fscrypt_valid_key_size(arg.raw_size, arg.flags))
802
			return -EINVAL;
803
		secret.size = arg.raw_size;
804
		err = -EFAULT;
805
		if (copy_from_user(secret.bytes, uarg->raw, secret.size))
806
			goto out_wipe_secret;
807
	}
808

809
	err = add_master_key(sb, &secret, &arg.key_spec);
810
	if (err)
811
		goto out_wipe_secret;
812

813
	/* Return the key identifier to userspace, if applicable */
814
	err = -EFAULT;
815
	if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER &&
816
	    copy_to_user(uarg->key_spec.u.identifier, arg.key_spec.u.identifier,
817
			 FSCRYPT_KEY_IDENTIFIER_SIZE))
818
		goto out_wipe_secret;
819
	err = 0;
820
out_wipe_secret:
821
	wipe_master_key_secret(&secret);
822
	return err;
823
}
824
EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key);
825

826
static void
827
fscrypt_get_test_dummy_secret(struct fscrypt_master_key_secret *secret)
828
{
829
	static u8 test_key[FSCRYPT_MAX_RAW_KEY_SIZE];
830

831
	get_random_once(test_key, sizeof(test_key));
832

833
	memset(secret, 0, sizeof(*secret));
834
	secret->size = sizeof(test_key);
835
	memcpy(secret->bytes, test_key, sizeof(test_key));
836
}
837

838
int fscrypt_get_test_dummy_key_identifier(
839
				u8 key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
840
{
841
	struct fscrypt_master_key_secret secret;
842
	int err;
843

844
	fscrypt_get_test_dummy_secret(&secret);
845

846
	err = fscrypt_init_hkdf(&secret.hkdf, secret.bytes, secret.size);
847
	if (err)
848
		goto out;
849
	err = fscrypt_hkdf_expand(&secret.hkdf,
850
				  HKDF_CONTEXT_KEY_IDENTIFIER_FOR_RAW_KEY,
851
				  NULL, 0, key_identifier,
852
				  FSCRYPT_KEY_IDENTIFIER_SIZE);
853
out:
854
	wipe_master_key_secret(&secret);
855
	return err;
856
}
857

858
/**
859
 * fscrypt_add_test_dummy_key() - add the test dummy encryption key
860
 * @sb: the filesystem instance to add the key to
861
 * @key_spec: the key specifier of the test dummy encryption key
862
 *
863
 * Add the key for the test_dummy_encryption mount option to the filesystem.  To
864
 * prevent misuse of this mount option, a per-boot random key is used instead of
865
 * a hardcoded one.  This makes it so that any encrypted files created using
866
 * this option won't be accessible after a reboot.
867
 *
868
 * Return: 0 on success, -errno on failure
869
 */
870
int fscrypt_add_test_dummy_key(struct super_block *sb,
871
			       struct fscrypt_key_specifier *key_spec)
872
{
873
	struct fscrypt_master_key_secret secret;
874
	int err;
875

876
	fscrypt_get_test_dummy_secret(&secret);
877
	err = add_master_key(sb, &secret, key_spec);
878
	wipe_master_key_secret(&secret);
879
	return err;
880
}
881

882
/*
883
 * Verify that the current user has added a master key with the given identifier
884
 * (returns -ENOKEY if not).  This is needed to prevent a user from encrypting
885
 * their files using some other user's key which they don't actually know.
886
 * Cryptographically this isn't much of a problem, but the semantics of this
887
 * would be a bit weird, so it's best to just forbid it.
888
 *
889
 * The system administrator (CAP_FOWNER) can override this, which should be
890
 * enough for any use cases where encryption policies are being set using keys
891
 * that were chosen ahead of time but aren't available at the moment.
892
 *
893
 * Note that the key may have already removed by the time this returns, but
894
 * that's okay; we just care whether the key was there at some point.
895
 *
896
 * Return: 0 if the key is added, -ENOKEY if it isn't, or another -errno code
897
 */
898
int fscrypt_verify_key_added(struct super_block *sb,
899
			     const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
900
{
901
	struct fscrypt_key_specifier mk_spec;
902
	struct fscrypt_master_key *mk;
903
	struct key *mk_user;
904
	int err;
905

906
	mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
907
	memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
908

909
	mk = fscrypt_find_master_key(sb, &mk_spec);
910
	if (!mk) {
911
		err = -ENOKEY;
912
		goto out;
913
	}
914
	down_read(&mk->mk_sem);
915
	mk_user = find_master_key_user(mk);
916
	if (IS_ERR(mk_user)) {
917
		err = PTR_ERR(mk_user);
918
	} else {
919
		key_put(mk_user);
920
		err = 0;
921
	}
922
	up_read(&mk->mk_sem);
923
	fscrypt_put_master_key(mk);
924
out:
925
	if (err == -ENOKEY && capable(CAP_FOWNER))
926
		err = 0;
927
	return err;
928
}
929

930
/*
931
 * Try to evict the inode's dentries from the dentry cache.  If the inode is a
932
 * directory, then it can have at most one dentry; however, that dentry may be
933
 * pinned by child dentries, so first try to evict the children too.
934
 */
935
static void shrink_dcache_inode(struct inode *inode)
936
{
937
	struct dentry *dentry;
938

939
	if (S_ISDIR(inode->i_mode)) {
940
		dentry = d_find_any_alias(inode);
941
		if (dentry) {
942
			shrink_dcache_parent(dentry);
943
			dput(dentry);
944
		}
945
	}
946
	d_prune_aliases(inode);
947
}
948

949
static void evict_dentries_for_decrypted_inodes(struct fscrypt_master_key *mk)
950
{
951
	struct fscrypt_inode_info *ci;
952
	struct inode *inode;
953
	struct inode *toput_inode = NULL;
954

955
	spin_lock(&mk->mk_decrypted_inodes_lock);
956

957
	list_for_each_entry(ci, &mk->mk_decrypted_inodes, ci_master_key_link) {
958
		inode = ci->ci_inode;
959
		spin_lock(&inode->i_lock);
960
		if (inode->i_state & (I_FREEING | I_WILL_FREE | I_NEW)) {
961
			spin_unlock(&inode->i_lock);
962
			continue;
963
		}
964
		__iget(inode);
965
		spin_unlock(&inode->i_lock);
966
		spin_unlock(&mk->mk_decrypted_inodes_lock);
967

968
		shrink_dcache_inode(inode);
969
		iput(toput_inode);
970
		toput_inode = inode;
971

972
		spin_lock(&mk->mk_decrypted_inodes_lock);
973
	}
974

975
	spin_unlock(&mk->mk_decrypted_inodes_lock);
976
	iput(toput_inode);
977
}
978

979
static int check_for_busy_inodes(struct super_block *sb,
980
				 struct fscrypt_master_key *mk)
981
{
982
	struct list_head *pos;
983
	size_t busy_count = 0;
984
	unsigned long ino;
985
	char ino_str[50] = "";
986

987
	spin_lock(&mk->mk_decrypted_inodes_lock);
988

989
	list_for_each(pos, &mk->mk_decrypted_inodes)
990
		busy_count++;
991

992
	if (busy_count == 0) {
993
		spin_unlock(&mk->mk_decrypted_inodes_lock);
994
		return 0;
995
	}
996

997
	{
998
		/* select an example file to show for debugging purposes */
999
		struct inode *inode =
1000
			list_first_entry(&mk->mk_decrypted_inodes,
1001
					 struct fscrypt_inode_info,
1002
					 ci_master_key_link)->ci_inode;
1003
		ino = inode->i_ino;
1004
	}
1005
	spin_unlock(&mk->mk_decrypted_inodes_lock);
1006

1007
	/* If the inode is currently being created, ino may still be 0. */
1008
	if (ino)
1009
		snprintf(ino_str, sizeof(ino_str), ", including ino %lu", ino);
1010

1011
	fscrypt_warn(NULL,
1012
		     "%s: %zu inode(s) still busy after removing key with %s %*phN%s",
1013
		     sb->s_id, busy_count, master_key_spec_type(&mk->mk_spec),
1014
		     master_key_spec_len(&mk->mk_spec), (u8 *)&mk->mk_spec.u,
1015
		     ino_str);
1016
	return -EBUSY;
1017
}
1018

1019
static int try_to_lock_encrypted_files(struct super_block *sb,
1020
				       struct fscrypt_master_key *mk)
1021
{
1022
	int err1;
1023
	int err2;
1024

1025
	/*
1026
	 * An inode can't be evicted while it is dirty or has dirty pages.
1027
	 * Thus, we first have to clean the inodes in ->mk_decrypted_inodes.
1028
	 *
1029
	 * Just do it the easy way: call sync_filesystem().  It's overkill, but
1030
	 * it works, and it's more important to minimize the amount of caches we
1031
	 * drop than the amount of data we sync.  Also, unprivileged users can
1032
	 * already call sync_filesystem() via sys_syncfs() or sys_sync().
1033
	 */
1034
	down_read(&sb->s_umount);
1035
	err1 = sync_filesystem(sb);
1036
	up_read(&sb->s_umount);
1037
	/* If a sync error occurs, still try to evict as much as possible. */
1038

1039
	/*
1040
	 * Inodes are pinned by their dentries, so we have to evict their
1041
	 * dentries.  shrink_dcache_sb() would suffice, but would be overkill
1042
	 * and inappropriate for use by unprivileged users.  So instead go
1043
	 * through the inodes' alias lists and try to evict each dentry.
1044
	 */
1045
	evict_dentries_for_decrypted_inodes(mk);
1046

1047
	/*
1048
	 * evict_dentries_for_decrypted_inodes() already iput() each inode in
1049
	 * the list; any inodes for which that dropped the last reference will
1050
	 * have been evicted due to fscrypt_drop_inode() detecting the key
1051
	 * removal and telling the VFS to evict the inode.  So to finish, we
1052
	 * just need to check whether any inodes couldn't be evicted.
1053
	 */
1054
	err2 = check_for_busy_inodes(sb, mk);
1055

1056
	return err1 ?: err2;
1057
}
1058

1059
/*
1060
 * Try to remove an fscrypt master encryption key.
1061
 *
1062
 * FS_IOC_REMOVE_ENCRYPTION_KEY (all_users=false) removes the current user's
1063
 * claim to the key, then removes the key itself if no other users have claims.
1064
 * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS (all_users=true) always removes the
1065
 * key itself.
1066
 *
1067
 * To "remove the key itself", first we transition the key to the "incompletely
1068
 * removed" state, so that no more inodes can be unlocked with it.  Then we try
1069
 * to evict all cached inodes that had been unlocked with the key.
1070
 *
1071
 * If all inodes were evicted, then we unlink the fscrypt_master_key from the
1072
 * keyring.  Otherwise it remains in the keyring in the "incompletely removed"
1073
 * state where it tracks the list of remaining inodes.  Userspace can execute
1074
 * the ioctl again later to retry eviction, or alternatively can re-add the key.
1075
 *
1076
 * For more details, see the "Removing keys" section of
1077
 * Documentation/filesystems/fscrypt.rst.
1078
 */
1079
static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
1080
{
1081
	struct super_block *sb = file_inode(filp)->i_sb;
1082
	struct fscrypt_remove_key_arg __user *uarg = _uarg;
1083
	struct fscrypt_remove_key_arg arg;
1084
	struct fscrypt_master_key *mk;
1085
	u32 status_flags = 0;
1086
	int err;
1087
	bool inodes_remain;
1088

1089
	if (copy_from_user(&arg, uarg, sizeof(arg)))
1090
		return -EFAULT;
1091

1092
	if (!valid_key_spec(&arg.key_spec))
1093
		return -EINVAL;
1094

1095
	if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved)))
1096
		return -EINVAL;
1097

1098
	/*
1099
	 * Only root can add and remove keys that are identified by an arbitrary
1100
	 * descriptor rather than by a cryptographic hash.
1101
	 */
1102
	if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
1103
	    !capable(CAP_SYS_ADMIN))
1104
		return -EACCES;
1105

1106
	/* Find the key being removed. */
1107
	mk = fscrypt_find_master_key(sb, &arg.key_spec);
1108
	if (!mk)
1109
		return -ENOKEY;
1110
	down_write(&mk->mk_sem);
1111

1112
	/* If relevant, remove current user's (or all users) claim to the key */
1113
	if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) {
1114
		if (all_users)
1115
			err = keyring_clear(mk->mk_users);
1116
		else
1117
			err = remove_master_key_user(mk);
1118
		if (err) {
1119
			up_write(&mk->mk_sem);
1120
			goto out_put_key;
1121
		}
1122
		if (mk->mk_users->keys.nr_leaves_on_tree != 0) {
1123
			/*
1124
			 * Other users have still added the key too.  We removed
1125
			 * the current user's claim to the key, but we still
1126
			 * can't remove the key itself.
1127
			 */
1128
			status_flags |=
1129
				FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS;
1130
			err = 0;
1131
			up_write(&mk->mk_sem);
1132
			goto out_put_key;
1133
		}
1134
	}
1135

1136
	/* No user claims remaining.  Initiate removal of the key. */
1137
	err = -ENOKEY;
1138
	if (mk->mk_present) {
1139
		fscrypt_initiate_key_removal(sb, mk);
1140
		err = 0;
1141
	}
1142
	inodes_remain = refcount_read(&mk->mk_active_refs) > 0;
1143
	up_write(&mk->mk_sem);
1144

1145
	if (inodes_remain) {
1146
		/* Some inodes still reference this key; try to evict them. */
1147
		err = try_to_lock_encrypted_files(sb, mk);
1148
		if (err == -EBUSY) {
1149
			status_flags |=
1150
				FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY;
1151
			err = 0;
1152
		}
1153
	}
1154
	/*
1155
	 * We return 0 if we successfully did something: removed a claim to the
1156
	 * key, initiated removal of the key, or tried locking the files again.
1157
	 * Users need to check the informational status flags if they care
1158
	 * whether the key has been fully removed including all files locked.
1159
	 */
1160
out_put_key:
1161
	fscrypt_put_master_key(mk);
1162
	if (err == 0)
1163
		err = put_user(status_flags, &uarg->removal_status_flags);
1164
	return err;
1165
}
1166

1167
int fscrypt_ioctl_remove_key(struct file *filp, void __user *uarg)
1168
{
1169
	return do_remove_key(filp, uarg, false);
1170
}
1171
EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key);
1172

1173
int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *uarg)
1174
{
1175
	if (!capable(CAP_SYS_ADMIN))
1176
		return -EACCES;
1177
	return do_remove_key(filp, uarg, true);
1178
}
1179
EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key_all_users);
1180

1181
/*
1182
 * Retrieve the status of an fscrypt master encryption key.
1183
 *
1184
 * We set ->status to indicate whether the key is absent, present, or
1185
 * incompletely removed.  (For an explanation of what these statuses mean and
1186
 * how they are represented internally, see struct fscrypt_master_key.)  This
1187
 * field allows applications to easily determine the status of an encrypted
1188
 * directory without using a hack such as trying to open a regular file in it
1189
 * (which can confuse the "incompletely removed" status with absent or present).
1190
 *
1191
 * In addition, for v2 policy keys we allow applications to determine, via
1192
 * ->status_flags and ->user_count, whether the key has been added by the
1193
 * current user, by other users, or by both.  Most applications should not need
1194
 * this, since ordinarily only one user should know a given key.  However, if a
1195
 * secret key is shared by multiple users, applications may wish to add an
1196
 * already-present key to prevent other users from removing it.  This ioctl can
1197
 * be used to check whether that really is the case before the work is done to
1198
 * add the key --- which might e.g. require prompting the user for a passphrase.
1199
 *
1200
 * For more details, see the "FS_IOC_GET_ENCRYPTION_KEY_STATUS" section of
1201
 * Documentation/filesystems/fscrypt.rst.
1202
 */
1203
int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg)
1204
{
1205
	struct super_block *sb = file_inode(filp)->i_sb;
1206
	struct fscrypt_get_key_status_arg arg;
1207
	struct fscrypt_master_key *mk;
1208
	int err;
1209

1210
	if (copy_from_user(&arg, uarg, sizeof(arg)))
1211
		return -EFAULT;
1212

1213
	if (!valid_key_spec(&arg.key_spec))
1214
		return -EINVAL;
1215

1216
	if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved)))
1217
		return -EINVAL;
1218

1219
	arg.status_flags = 0;
1220
	arg.user_count = 0;
1221
	memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved));
1222

1223
	mk = fscrypt_find_master_key(sb, &arg.key_spec);
1224
	if (!mk) {
1225
		arg.status = FSCRYPT_KEY_STATUS_ABSENT;
1226
		err = 0;
1227
		goto out;
1228
	}
1229
	down_read(&mk->mk_sem);
1230

1231
	if (!mk->mk_present) {
1232
		arg.status = refcount_read(&mk->mk_active_refs) > 0 ?
1233
			FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED :
1234
			FSCRYPT_KEY_STATUS_ABSENT /* raced with full removal */;
1235
		err = 0;
1236
		goto out_release_key;
1237
	}
1238

1239
	arg.status = FSCRYPT_KEY_STATUS_PRESENT;
1240
	if (mk->mk_users) {
1241
		struct key *mk_user;
1242

1243
		arg.user_count = mk->mk_users->keys.nr_leaves_on_tree;
1244
		mk_user = find_master_key_user(mk);
1245
		if (!IS_ERR(mk_user)) {
1246
			arg.status_flags |=
1247
				FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF;
1248
			key_put(mk_user);
1249
		} else if (mk_user != ERR_PTR(-ENOKEY)) {
1250
			err = PTR_ERR(mk_user);
1251
			goto out_release_key;
1252
		}
1253
	}
1254
	err = 0;
1255
out_release_key:
1256
	up_read(&mk->mk_sem);
1257
	fscrypt_put_master_key(mk);
1258
out:
1259
	if (!err && copy_to_user(uarg, &arg, sizeof(arg)))
1260
		err = -EFAULT;
1261
	return err;
1262
}
1263
EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_key_status);
1264

1265
int __init fscrypt_init_keyring(void)
1266
{
1267
	int err;
1268

1269
	err = register_key_type(&key_type_fscrypt_user);
1270
	if (err)
1271
		return err;
1272

1273
	err = register_key_type(&key_type_fscrypt_provisioning);
1274
	if (err)
1275
		goto err_unregister_fscrypt_user;
1276

1277
	return 0;
1278

1279
err_unregister_fscrypt_user:
1280
	unregister_key_type(&key_type_fscrypt_user);
1281
	return err;
1282
}
1283

1284