xref: /linux-6.15/include/linux/blk-crypto.h (revision 1ebd4a3c) 
11b262839SSatya Tangirala /* SPDX-License-Identifier: GPL-2.0 */
21b262839SSatya Tangirala /*
31b262839SSatya Tangirala  * Copyright 2019 Google LLC
41b262839SSatya Tangirala  */
51b262839SSatya Tangirala 
61b262839SSatya Tangirala #ifndef __LINUX_BLK_CRYPTO_H
71b262839SSatya Tangirala #define __LINUX_BLK_CRYPTO_H
81b262839SSatya Tangirala 
9ebc41765SEric Biggers #include <linux/minmax.h>
10a892c8d5SSatya Tangirala #include <linux/types.h>
11*1ebd4a3cSEric Biggers #include <uapi/linux/blk-crypto.h>
12a892c8d5SSatya Tangirala 
131b262839SSatya Tangirala enum blk_crypto_mode_num {
141b262839SSatya Tangirala 	BLK_ENCRYPTION_MODE_INVALID,
151b262839SSatya Tangirala 	BLK_ENCRYPTION_MODE_AES_256_XTS,
161b262839SSatya Tangirala 	BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
171b262839SSatya Tangirala 	BLK_ENCRYPTION_MODE_ADIANTUM,
18d209ce35STianjia Zhang 	BLK_ENCRYPTION_MODE_SM4_XTS,
191b262839SSatya Tangirala 	BLK_ENCRYPTION_MODE_MAX,
201b262839SSatya Tangirala };
211b262839SSatya Tangirala 
22ebc41765SEric Biggers /*
23ebc41765SEric Biggers  * Supported types of keys.  Must be bitflags due to their use in
24ebc41765SEric Biggers  * blk_crypto_profile::key_types_supported.
25ebc41765SEric Biggers  */
26ebc41765SEric Biggers enum blk_crypto_key_type {
27ebc41765SEric Biggers 	/*
28ebc41765SEric Biggers 	 * Raw keys (i.e. "software keys").  These keys are simply kept in raw,
29ebc41765SEric Biggers 	 * plaintext form in kernel memory.
30ebc41765SEric Biggers 	 */
31ebc41765SEric Biggers 	BLK_CRYPTO_KEY_TYPE_RAW = 0x1,
32ebc41765SEric Biggers 
33ebc41765SEric Biggers 	/*
34ebc41765SEric Biggers 	 * Hardware-wrapped keys.  These keys are only present in kernel memory
35ebc41765SEric Biggers 	 * in ephemerally-wrapped form, and they can only be unwrapped by
36ebc41765SEric Biggers 	 * dedicated hardware.  For details, see the "Hardware-wrapped keys"
37ebc41765SEric Biggers 	 * section of Documentation/block/inline-encryption.rst.
38ebc41765SEric Biggers 	 */
39ebc41765SEric Biggers 	BLK_CRYPTO_KEY_TYPE_HW_WRAPPED = 0x2,
40ebc41765SEric Biggers };
41ebc41765SEric Biggers 
42ebc41765SEric Biggers /*
43ebc41765SEric Biggers  * Currently the maximum raw key size is 64 bytes, as that is the key size of
44ebc41765SEric Biggers  * BLK_ENCRYPTION_MODE_AES_256_XTS which takes the longest key.
45ebc41765SEric Biggers  *
46ebc41765SEric Biggers  * The maximum hardware-wrapped key size depends on the hardware's key wrapping
47ebc41765SEric Biggers  * algorithm, which is a hardware implementation detail, so it isn't precisely
48ebc41765SEric Biggers  * specified.  But currently 128 bytes is plenty in practice.  Implementations
49ebc41765SEric Biggers  * are recommended to wrap a 32-byte key for the hardware KDF with AES-256-GCM,
50ebc41765SEric Biggers  * which should result in a size closer to 64 bytes than 128.
51ebc41765SEric Biggers  *
52ebc41765SEric Biggers  * Both of these values can trivially be increased if ever needed.
53ebc41765SEric Biggers  */
54ebc41765SEric Biggers #define BLK_CRYPTO_MAX_RAW_KEY_SIZE		64
55ebc41765SEric Biggers #define BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE	128
56ebc41765SEric Biggers 
57ebc41765SEric Biggers #define BLK_CRYPTO_MAX_ANY_KEY_SIZE \
58ebc41765SEric Biggers 	MAX(BLK_CRYPTO_MAX_RAW_KEY_SIZE, BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE)
59ebc41765SEric Biggers 
60ebc41765SEric Biggers /*
61ebc41765SEric Biggers  * Size of the "software secret" which can be derived from a hardware-wrapped
62ebc41765SEric Biggers  * key.  This is currently always 32 bytes.  Note, the choice of 32 bytes
63ebc41765SEric Biggers  * assumes that the software secret is only used directly for algorithms that
64ebc41765SEric Biggers  * don't require more than a 256-bit key to get the desired security strength.
65ebc41765SEric Biggers  * If it were to be used e.g. directly as an AES-256-XTS key, then this would
66ebc41765SEric Biggers  * need to be increased (which is possible if hardware supports it, but care
67ebc41765SEric Biggers  * would need to be taken to avoid breaking users who need exactly 32 bytes).
68ebc41765SEric Biggers  */
69ebc41765SEric Biggers #define BLK_CRYPTO_SW_SECRET_SIZE	32
70ebc41765SEric Biggers 
711b262839SSatya Tangirala /**
721b262839SSatya Tangirala  * struct blk_crypto_config - an inline encryption key's crypto configuration
731b262839SSatya Tangirala  * @crypto_mode: encryption algorithm this key is for
741b262839SSatya Tangirala  * @data_unit_size: the data unit size for all encryption/decryptions with this
751b262839SSatya Tangirala  *	key.  This is the size in bytes of each individual plaintext and
761b262839SSatya Tangirala  *	ciphertext.  This is always a power of 2.  It might be e.g. the
771b262839SSatya Tangirala  *	filesystem block size or the disk sector size.
781b262839SSatya Tangirala  * @dun_bytes: the maximum number of bytes of DUN used when using this key
79ebc41765SEric Biggers  * @key_type: the type of this key -- either raw or hardware-wrapped
801b262839SSatya Tangirala  */
811b262839SSatya Tangirala struct blk_crypto_config {
821b262839SSatya Tangirala 	enum blk_crypto_mode_num crypto_mode;
831b262839SSatya Tangirala 	unsigned int data_unit_size;
841b262839SSatya Tangirala 	unsigned int dun_bytes;
85ebc41765SEric Biggers 	enum blk_crypto_key_type key_type;
861b262839SSatya Tangirala };
871b262839SSatya Tangirala 
881b262839SSatya Tangirala /**
891b262839SSatya Tangirala  * struct blk_crypto_key - an inline encryption key
90ebc41765SEric Biggers  * @crypto_cfg: the crypto mode, data unit size, key type, and other
91ebc41765SEric Biggers  *		characteristics of this key and how it will be used
921b262839SSatya Tangirala  * @data_unit_size_bits: log2 of data_unit_size
93ebc41765SEric Biggers  * @size: size of this key in bytes.  The size of a raw key is fixed for a given
94ebc41765SEric Biggers  *	  crypto mode, but the size of a hardware-wrapped key can vary.
95ebc41765SEric Biggers  * @bytes: the bytes of this key.  Only the first @size bytes are significant.
961b262839SSatya Tangirala  *
971b262839SSatya Tangirala  * A blk_crypto_key is immutable once created, and many bios can reference it at
981b262839SSatya Tangirala  * the same time.  It must not be freed until all bios using it have completed
991b262839SSatya Tangirala  * and it has been evicted from all devices on which it may have been used.
1001b262839SSatya Tangirala  */
1011b262839SSatya Tangirala struct blk_crypto_key {
1021b262839SSatya Tangirala 	struct blk_crypto_config crypto_cfg;
1031b262839SSatya Tangirala 	unsigned int data_unit_size_bits;
1041b262839SSatya Tangirala 	unsigned int size;
105ebc41765SEric Biggers 	u8 bytes[BLK_CRYPTO_MAX_ANY_KEY_SIZE];
1061b262839SSatya Tangirala };
1071b262839SSatya Tangirala 
108a892c8d5SSatya Tangirala #define BLK_CRYPTO_MAX_IV_SIZE		32
109a892c8d5SSatya Tangirala #define BLK_CRYPTO_DUN_ARRAY_SIZE	(BLK_CRYPTO_MAX_IV_SIZE / sizeof(u64))
110a892c8d5SSatya Tangirala 
111a892c8d5SSatya Tangirala /**
112a892c8d5SSatya Tangirala  * struct bio_crypt_ctx - an inline encryption context
113a892c8d5SSatya Tangirala  * @bc_key: the key, algorithm, and data unit size to use
114a892c8d5SSatya Tangirala  * @bc_dun: the data unit number (starting IV) to use
115a892c8d5SSatya Tangirala  *
116a892c8d5SSatya Tangirala  * A bio_crypt_ctx specifies that the contents of the bio will be encrypted (for
117a892c8d5SSatya Tangirala  * write requests) or decrypted (for read requests) inline by the storage device
118488f6682SSatya Tangirala  * or controller, or by the crypto API fallback.
119a892c8d5SSatya Tangirala  */
120a892c8d5SSatya Tangirala struct bio_crypt_ctx {
121a892c8d5SSatya Tangirala 	const struct blk_crypto_key	*bc_key;
122a892c8d5SSatya Tangirala 	u64				bc_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
123a892c8d5SSatya Tangirala };
124a892c8d5SSatya Tangirala 
125a892c8d5SSatya Tangirala #include <linux/blk_types.h>
126a892c8d5SSatya Tangirala #include <linux/blkdev.h>
127a892c8d5SSatya Tangirala 
128a892c8d5SSatya Tangirala #ifdef CONFIG_BLK_INLINE_ENCRYPTION
129a892c8d5SSatya Tangirala 
bio_has_crypt_ctx(struct bio * bio)130a892c8d5SSatya Tangirala static inline bool bio_has_crypt_ctx(struct bio *bio)
131a892c8d5SSatya Tangirala {
132a892c8d5SSatya Tangirala 	return bio->bi_crypt_context;
133a892c8d5SSatya Tangirala }
134a892c8d5SSatya Tangirala 
135a892c8d5SSatya Tangirala void bio_crypt_set_ctx(struct bio *bio, const struct blk_crypto_key *key,
136a892c8d5SSatya Tangirala 		       const u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],
137a892c8d5SSatya Tangirala 		       gfp_t gfp_mask);
138a892c8d5SSatya Tangirala 
139a892c8d5SSatya Tangirala bool bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx *bc,
140a892c8d5SSatya Tangirala 				 unsigned int bytes,
141a892c8d5SSatya Tangirala 				 const u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]);
142a892c8d5SSatya Tangirala 
143ebc41765SEric Biggers int blk_crypto_init_key(struct blk_crypto_key *blk_key,
144ebc41765SEric Biggers 			const u8 *key_bytes, size_t key_size,
145ebc41765SEric Biggers 			enum blk_crypto_key_type key_type,
146a892c8d5SSatya Tangirala 			enum blk_crypto_mode_num crypto_mode,
147a892c8d5SSatya Tangirala 			unsigned int dun_bytes,
148a892c8d5SSatya Tangirala 			unsigned int data_unit_size);
149a892c8d5SSatya Tangirala 
150fce3caeaSChristoph Hellwig int blk_crypto_start_using_key(struct block_device *bdev,
151a892c8d5SSatya Tangirala 			       const struct blk_crypto_key *key);
152a892c8d5SSatya Tangirala 
15370493a63SEric Biggers void blk_crypto_evict_key(struct block_device *bdev,
154fce3caeaSChristoph Hellwig 			  const struct blk_crypto_key *key);
155fce3caeaSChristoph Hellwig 
1566715c98bSChristoph Hellwig bool blk_crypto_config_supported_natively(struct block_device *bdev,
1576715c98bSChristoph Hellwig 					  const struct blk_crypto_config *cfg);
158fce3caeaSChristoph Hellwig bool blk_crypto_config_supported(struct block_device *bdev,
159a892c8d5SSatya Tangirala 				 const struct blk_crypto_config *cfg);
160a892c8d5SSatya Tangirala 
161ebc41765SEric Biggers int blk_crypto_derive_sw_secret(struct block_device *bdev,
162ebc41765SEric Biggers 				const u8 *eph_key, size_t eph_key_size,
163ebc41765SEric Biggers 				u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
164ebc41765SEric Biggers 
165a892c8d5SSatya Tangirala #else /* CONFIG_BLK_INLINE_ENCRYPTION */
166a892c8d5SSatya Tangirala 
bio_has_crypt_ctx(struct bio * bio)167a892c8d5SSatya Tangirala static inline bool bio_has_crypt_ctx(struct bio *bio)
168a892c8d5SSatya Tangirala {
169a892c8d5SSatya Tangirala 	return false;
170a892c8d5SSatya Tangirala }
171a892c8d5SSatya Tangirala 
172a892c8d5SSatya Tangirala #endif /* CONFIG_BLK_INLINE_ENCRYPTION */
173a892c8d5SSatya Tangirala 
17407560151SEric Biggers int __bio_crypt_clone(struct bio *dst, struct bio *src, gfp_t gfp_mask);
17507560151SEric Biggers /**
17607560151SEric Biggers  * bio_crypt_clone - clone bio encryption context
17707560151SEric Biggers  * @dst: destination bio
17807560151SEric Biggers  * @src: source bio
17907560151SEric Biggers  * @gfp_mask: memory allocation flags
18007560151SEric Biggers  *
18107560151SEric Biggers  * If @src has an encryption context, clone it to @dst.
18207560151SEric Biggers  *
18307560151SEric Biggers  * Return: 0 on success, -ENOMEM if out of memory.  -ENOMEM is only possible if
18407560151SEric Biggers  *	   @gfp_mask doesn't include %__GFP_DIRECT_RECLAIM.
18507560151SEric Biggers  */
bio_crypt_clone(struct bio * dst,struct bio * src,gfp_t gfp_mask)18607560151SEric Biggers static inline int bio_crypt_clone(struct bio *dst, struct bio *src,
187a892c8d5SSatya Tangirala 				  gfp_t gfp_mask)
188a892c8d5SSatya Tangirala {
189a892c8d5SSatya Tangirala 	if (bio_has_crypt_ctx(src))
19007560151SEric Biggers 		return __bio_crypt_clone(dst, src, gfp_mask);
19107560151SEric Biggers 	return 0;
192a892c8d5SSatya Tangirala }
193a892c8d5SSatya Tangirala 
1941b262839SSatya Tangirala #endif /* __LINUX_BLK_CRYPTO_H */
195