44e1174c18
Update the device-mapper core to support exposing the inline crypto support of the underlying device(s) through the device-mapper device. This works by creating a "passthrough keyslot manager" for the dm device, which declares support for the set of (crypto_mode, data_unit_size) combos which all the underlying devices support. When a supported combo is used, the bio cloning code handles cloning the crypto context to the bios for all the underlying devices. When an unsupported combo is used, the blk-crypto fallback is used as usual. Crypto support on each underlying device is ignored unless the corresponding dm target opts into exposing it. This is needed because for inline crypto to semantically operate on the original bio, the data must not be transformed by the dm target. Thus, targets like dm-linear can expose crypto support of the underlying device, but targets like dm-crypt can't. (dm-crypt could use inline crypto itself, though.) When a key is evicted from the dm device, it is evicted from all underlying devices. Bug: 137270441 Bug: 147814592 Change-Id: If28b574f2e28268db5eb9f325d4cf8f96cb63e3f Signed-off-by: Eric Biggers <ebiggers@google.com>
85 lines
2.9 KiB
C
85 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#ifndef __LINUX_KEYSLOT_MANAGER_H
|
|
#define __LINUX_KEYSLOT_MANAGER_H
|
|
|
|
#include <linux/bio.h>
|
|
|
|
#ifdef CONFIG_BLK_INLINE_ENCRYPTION
|
|
|
|
struct keyslot_manager;
|
|
|
|
/**
|
|
* struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware
|
|
* @keyslot_program: Program the specified key into the specified slot in the
|
|
* inline encryption hardware.
|
|
* @keyslot_evict: Evict key from the specified keyslot in the hardware.
|
|
* The key is provided so that e.g. dm layers can evict
|
|
* keys from the devices that they map over.
|
|
* Returns 0 on success, -errno otherwise.
|
|
* @derive_raw_secret: (Optional) Derive a software secret from a
|
|
* hardware-wrapped key. Returns 0 on success, -EOPNOTSUPP
|
|
* if unsupported on the hardware, or another -errno code.
|
|
*
|
|
* This structure should be provided by storage device drivers when they set up
|
|
* a keyslot manager - this structure holds the function ptrs that the keyslot
|
|
* manager will use to manipulate keyslots in the hardware.
|
|
*/
|
|
struct keyslot_mgmt_ll_ops {
|
|
int (*keyslot_program)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*keyslot_evict)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*derive_raw_secret)(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
};
|
|
|
|
struct keyslot_manager *keyslot_manager_create(unsigned int num_slots,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
int keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_get_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
void keyslot_manager_put_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
bool keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
|
|
int keyslot_manager_evict_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_reprogram_all_keys(struct keyslot_manager *ksm);
|
|
|
|
void *keyslot_manager_private(struct keyslot_manager *ksm);
|
|
|
|
void keyslot_manager_destroy(struct keyslot_manager *ksm);
|
|
|
|
struct keyslot_manager *keyslot_manager_create_passthrough(
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
void keyslot_manager_intersect_modes(struct keyslot_manager *parent,
|
|
const struct keyslot_manager *child);
|
|
|
|
int keyslot_manager_derive_raw_secret(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
|
|
#endif /* CONFIG_BLK_INLINE_ENCRYPTION */
|
|
|
|
#endif /* __LINUX_KEYSLOT_MANAGER_H */
|