This is a changeset adding encryption to btrfs.
Last October, Omar Sandoval sent out a design document for having fscrypt
integration with btrfs [1]. In summary, it proposes btrfs storing its
own encryption IVs on a per-file-extent basis. fscrypt usually encrypts
files using an IV derived from per-inode information; this would prevent
snapshotting or reflinking or data relocation for btrfs. We have
refined this into a fscrypt extent context object, opaque to the
filesystem, which fscrypt uses to generate an IV associated with each
block in an extent. Thus, all the inodes sharing a particular
key and file extent may decrypt the extent.
This series implements this integration for the simple
case, non-compressed data extents. Followup changes will allow
encryption of compressed extents, inline extents, and verity items, and
will add tests around subvolume encryption. This series should provide
encryption for the simplest cases, but this series should not be used in
production, as there are likely bugs.
Preliminary btrfs-progs changes are available at [2]; fstests changes
are available at [3].
[1]
https://lore.kernel.org/linux-btrfs/YXGyq+buM79A1S0L@relinquished.localdomain/
Changelog:
v2:
- Amended the fscrypt side to generically add extent contexts,
hopefully as per Eric Biggers' past comments. IVs are now entirely
abstracted within an extent context, and there is no longer a new
encryption policy, as DIRECT_KEY sufficiently encapsulates the
needs of extent-based encryption. Documented its usage in btrfs
briefly in the documentation.
- Adjusted the btrfs side to deal in opaque extent contexts. Improved
optimization to skip storing inode contexts if they are the same as
the inode's root item's inode context.
- Combined 'add fscrypt operation table to superblock' into 'start
using fscrypt hooks'.
- https://lore.kernel.org/linux-btrfs/cover.1662420176.git.sweettea-kernel@xxxxxxxxxx
- progs: https://lore.kernel.org/linux-btrfs/cover.1662417859.git.sweettea-kernel@xxxxxxxxxx
- tests: https://lore.kernel.org/linux-btrfs/cover.1662417905.git.sweettea-kernel@xxxxxxxxxx
v1:
- Recombined the fscrypt changes back into this patchset.
- Fixed several races and incorrectly ordered operations.
- Improved IV retrieval to correctly distinguish between
filename/symlink encryption and encryption of block 0 of a file.
- https://lore.kernel.org/linux-btrfs/cover.1660744500.git.sweettea-kernel@xxxxxxxxxx
- progs: https://lore.kernel.org/linux-btrfs/cover.1660729916.git.sweettea-kernel@xxxxxxxxxx
- tests: https://lore.kernel.org/linux-btrfs/cover.1660729861.git.sweettea-kernel@xxxxxxxxxx
RFC v2:
- Fixed all warnings and known incorrectnesses.
- Split fscrypt changes into their own patchset:
https://lore.kernel.org/linux-fscrypt/cover.1658623235.git.sweettea-kernel@xxxxxxxxxx
- Combined and reordered changes so that enabling fscrypt is the last change.
- Removed unnecessary factoring.
- Split a cleanup change off.
- https://lore.kernel.org/linux-btrfs/cover.1658623319.git.sweettea-kernel@xxxxxxxxxx
RFC v1:
- https://lore.kernel.org/linux-btrfs/cover.1657707686.git.sweettea-kernel@xxxxxxxxxx
Omar Sandoval (14):
fscrypt: expose fscrypt_nokey_name
fscrypt: add flag allowing partially-encrypted directories
fscrypt: add fscrypt_have_same_policy() to check inode compatibility
btrfs: store directory's encryption state
btrfs: factor a fscrypt_name matching method
btrfs: disable various operations on encrypted inodes
btrfs: start using fscrypt hooks.
btrfs: add fscrypt_context items.
btrfs: translate btrfs encryption flags and encrypted inode flag.
btrfs: Add new FEATURE_INCOMPAT_FSCRYPT feature flag.
btrfs: reuse encrypted filename hash when possible.
btrfs: adapt directory read and lookup to potentially encrypted
filenames
btrfs: encrypt normal file extent data if appropriate
btrfs: implement fscrypt ioctls
Sweet Tea Dorminy (6):
fscrypt: allow fscrypt_generate_iv() to distinguish filenames
fscrypt: add extent-based encryption
fscrypt: document btrfs' fscrypt quirks.
btrfs: use fscrypt_names instead of name/len everywhere.
btrfs: setup fscrypt_names from dentrys using helper
btrfs: store a fscrypt extent context per normal file extent
Documentation/filesystems/fscrypt.rst | 62 ++-
fs/btrfs/Makefile | 1 +
fs/btrfs/btrfs_inode.h | 3 +
fs/btrfs/ctree.h | 119 ++++--
fs/btrfs/delayed-inode.c | 48 ++-
fs/btrfs/delayed-inode.h | 9 +-
fs/btrfs/dir-item.c | 119 +++---
fs/btrfs/extent_io.c | 93 ++++-
fs/btrfs/extent_io.h | 2 +
fs/btrfs/extent_map.h | 4 +
fs/btrfs/file-item.c | 22 +-
fs/btrfs/file.c | 11 +-
fs/btrfs/fscrypt.c | 244 +++++++++++
fs/btrfs/fscrypt.h | 49 +++
fs/btrfs/inode-item.c | 84 ++--
fs/btrfs/inode-item.h | 14 +-
fs/btrfs/inode.c | 581 +++++++++++++++++++-------
fs/btrfs/ioctl.c | 80 +++-
fs/btrfs/ordered-data.c | 9 +-
fs/btrfs/ordered-data.h | 4 +-
fs/btrfs/print-tree.c | 4 +-
fs/btrfs/props.c | 11 +-
fs/btrfs/reflink.c | 8 +
fs/btrfs/root-tree.c | 20 +-
fs/btrfs/send.c | 141 ++++---
fs/btrfs/super.c | 8 +-
fs/btrfs/transaction.c | 43 +-
fs/btrfs/tree-checker.c | 56 ++-
fs/btrfs/tree-log.c | 237 ++++++-----
fs/btrfs/tree-log.h | 4 +-
fs/btrfs/xattr.c | 21 +-
fs/crypto/crypto.c | 24 +-
fs/crypto/fname.c | 60 +--
fs/crypto/fscrypt_private.h | 26 +-
fs/crypto/inline_crypt.c | 29 +-
fs/crypto/policy.c | 103 +++++
include/linux/fscrypt.h | 81 ++++
include/uapi/linux/btrfs.h | 1 +
include/uapi/linux/btrfs_tree.h | 26 ++
39 files changed, 1881 insertions(+), 580 deletions(-)
create mode 100644 fs/btrfs/fscrypt.c
create mode 100644 fs/btrfs/fscrypt.h
--
2.35.1
|