Re: [PATCH V3 3/9] fscrypt: remove filesystem specific build config option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Dec 08, 2018 at 12:21:38PM +0530, Chandan Rajendra wrote:
> In order to have a common code base for fscrypt "post read" processing
> for all filesystems which support encryption, this commit removes
> filesystem specific build config option (e.g. CONFIG_EXT4_FS_ENCRYPTION)
> and replaces it with a build option (i.e. CONFIG_FS_ENCRYPTION) whose
> value affects all the filesystems making use of fscrypt.
> 
> Signed-off-by: Chandan Rajendra <chandan@xxxxxxxxxxxxxxxxxx>

Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

> ---
>  Documentation/filesystems/fscrypt.rst   |   4 +-
>  arch/mips/configs/generic_defconfig     |   2 +-
>  arch/nds32/configs/defconfig            |   2 +-
>  arch/s390/configs/debug_defconfig       |   2 +-
>  arch/s390/configs/performance_defconfig |   2 +-
>  fs/crypto/Kconfig                       |   5 +-
>  fs/crypto/fscrypt_private.h             |   1 -
>  fs/ext4/Kconfig                         |  15 -
>  fs/ext4/dir.c                           |   2 -
>  fs/ext4/ext4.h                          |   7 +-
>  fs/ext4/inode.c                         |   8 +-
>  fs/ext4/ioctl.c                         |   4 +-
>  fs/ext4/namei.c                         |  10 +-
>  fs/ext4/page-io.c                       |   6 +-
>  fs/ext4/readpage.c                      |   2 +-
>  fs/ext4/super.c                         |   6 +-
>  fs/ext4/sysfs.c                         |   4 +-
>  fs/f2fs/Kconfig                         |  12 +-
>  fs/f2fs/f2fs.h                          |   7 +-
>  fs/f2fs/super.c                         |   8 +-
>  fs/f2fs/sysfs.c                         |   4 +-
>  fs/ubifs/Kconfig                        |  13 +-
>  fs/ubifs/Makefile                       |   2 +-
>  fs/ubifs/ioctl.c                        |   4 +-
>  fs/ubifs/sb.c                           |   2 +-
>  fs/ubifs/super.c                        |   2 +-
>  fs/ubifs/ubifs.h                        |   5 +-
>  include/linux/fs.h                      |   4 +-
>  include/linux/fscrypt.h                 | 416 +++++++++++++++++++++++-
>  include/linux/fscrypt_notsupp.h         | 231 -------------
>  include/linux/fscrypt_supp.h            | 204 ------------
>  31 files changed, 461 insertions(+), 535 deletions(-)
>  delete mode 100644 include/linux/fscrypt_notsupp.h
>  delete mode 100644 include/linux/fscrypt_supp.h
> 
> diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
> index cfbc18f0d9c9..92084762ad20 100644
> --- a/Documentation/filesystems/fscrypt.rst
> +++ b/Documentation/filesystems/fscrypt.rst
> @@ -318,9 +318,9 @@ FS_IOC_SET_ENCRYPTION_POLICY can fail with the following errors:
>  - ``ENOTEMPTY``: the file is unencrypted and is a nonempty directory
>  - ``ENOTTY``: this type of filesystem does not implement encryption
>  - ``EOPNOTSUPP``: the kernel was not configured with encryption
> -  support for this filesystem, or the filesystem superblock has not
> +  support for filesystems, or the filesystem superblock has not
>    had encryption enabled on it.  (For example, to use encryption on an
> -  ext4 filesystem, CONFIG_EXT4_ENCRYPTION must be enabled in the
> +  ext4 filesystem, CONFIG_FS_ENCRYPTION must be enabled in the
>    kernel config, and the superblock must have had the "encrypt"
>    feature flag enabled using ``tune2fs -O encrypt`` or ``mkfs.ext4 -O
>    encrypt``.)
> diff --git a/arch/mips/configs/generic_defconfig b/arch/mips/configs/generic_defconfig
> index 684c9dcba126..b8a21b9b934a 100644
> --- a/arch/mips/configs/generic_defconfig
> +++ b/arch/mips/configs/generic_defconfig
> @@ -63,7 +63,7 @@ CONFIG_HID_MONTEREY=y
>  CONFIG_EXT4_FS=y
>  CONFIG_EXT4_FS_POSIX_ACL=y
>  CONFIG_EXT4_FS_SECURITY=y
> -CONFIG_EXT4_ENCRYPTION=y
> +CONFIG_FS_ENCRYPTION=y
>  CONFIG_FANOTIFY=y
>  CONFIG_FUSE_FS=y
>  CONFIG_CUSE=y
> diff --git a/arch/nds32/configs/defconfig b/arch/nds32/configs/defconfig
> index 2546d8770785..65ce9259081b 100644
> --- a/arch/nds32/configs/defconfig
> +++ b/arch/nds32/configs/defconfig
> @@ -74,7 +74,7 @@ CONFIG_GENERIC_PHY=y
>  CONFIG_EXT4_FS=y
>  CONFIG_EXT4_FS_POSIX_ACL=y
>  CONFIG_EXT4_FS_SECURITY=y
> -CONFIG_EXT4_ENCRYPTION=y
> +CONFIG_FS_ENCRYPTION=y
>  CONFIG_FUSE_FS=y
>  CONFIG_MSDOS_FS=y
>  CONFIG_VFAT_FS=y
> diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
> index 259d1698ac50..e8868e0fba76 100644
> --- a/arch/s390/configs/debug_defconfig
> +++ b/arch/s390/configs/debug_defconfig
> @@ -492,7 +492,6 @@ CONFIG_VIRTIO_INPUT=y
>  CONFIG_EXT4_FS=y
>  CONFIG_EXT4_FS_POSIX_ACL=y
>  CONFIG_EXT4_FS_SECURITY=y
> -CONFIG_EXT4_ENCRYPTION=y
>  CONFIG_JBD2_DEBUG=y
>  CONFIG_JFS_FS=m
>  CONFIG_JFS_POSIX_ACL=y
> @@ -512,6 +511,7 @@ CONFIG_BTRFS_DEBUG=y
>  CONFIG_NILFS2_FS=m
>  CONFIG_FS_DAX=y
>  CONFIG_EXPORTFS_BLOCK_OPS=y
> +CONFIG_FS_ENCRYPTION=y
>  CONFIG_FANOTIFY=y
>  CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
>  CONFIG_QUOTA_NETLINK_INTERFACE=y
> diff --git a/arch/s390/configs/performance_defconfig b/arch/s390/configs/performance_defconfig
> index 37fd60c20e22..ef1dd74b29f5 100644
> --- a/arch/s390/configs/performance_defconfig
> +++ b/arch/s390/configs/performance_defconfig
> @@ -489,7 +489,6 @@ CONFIG_VIRTIO_INPUT=y
>  CONFIG_EXT4_FS=y
>  CONFIG_EXT4_FS_POSIX_ACL=y
>  CONFIG_EXT4_FS_SECURITY=y
> -CONFIG_EXT4_ENCRYPTION=y
>  CONFIG_JBD2_DEBUG=y
>  CONFIG_JFS_FS=m
>  CONFIG_JFS_POSIX_ACL=y
> @@ -507,6 +506,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y
>  CONFIG_NILFS2_FS=m
>  CONFIG_FS_DAX=y
>  CONFIG_EXPORTFS_BLOCK_OPS=y
> +CONFIG_FS_ENCRYPTION=y
>  CONFIG_FANOTIFY=y
>  CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
>  CONFIG_QUOTA_NETLINK_INTERFACE=y
> diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
> index 02b7d91c9231..9a639da0464f 100644
> --- a/fs/crypto/Kconfig
> +++ b/fs/crypto/Kconfig
> @@ -1,5 +1,5 @@
>  config FS_ENCRYPTION
> -	tristate "FS Encryption (Per-file encryption)"
> +	bool "FS Encryption (Per-file encryption)"
>  	select CRYPTO
>  	select CRYPTO_AES
>  	select CRYPTO_CBC
> @@ -13,4 +13,5 @@ config FS_ENCRYPTION
>  	  Enable encryption of files and directories.  This
>  	  feature is similar to ecryptfs, but it is more memory
>  	  efficient since it avoids caching the encrypted and
> -	  decrypted pages in the page cache.
> +	  decrypted pages in the page cache.  Currently Ext4,
> +	  F2FS and UBIFS make use of this feature.
> diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
> index 79debfc9cef9..9549cf8d9641 100644
> --- a/fs/crypto/fscrypt_private.h
> +++ b/fs/crypto/fscrypt_private.h
> @@ -12,7 +12,6 @@
>  #ifndef _FSCRYPT_PRIVATE_H
>  #define _FSCRYPT_PRIVATE_H
>  
> -#define __FS_HAS_ENCRYPTION 1
>  #include <linux/fscrypt.h>
>  #include <crypto/hash.h>
>  
> diff --git a/fs/ext4/Kconfig b/fs/ext4/Kconfig
> index 5a76125ac0f8..e1002bbf35bf 100644
> --- a/fs/ext4/Kconfig
> +++ b/fs/ext4/Kconfig
> @@ -96,21 +96,6 @@ config EXT4_FS_SECURITY
>  	  If you are not using a security module that requires using
>  	  extended attributes for file security labels, say N.
>  
> -config EXT4_ENCRYPTION
> -	bool "Ext4 Encryption"
> -	depends on EXT4_FS
> -	select FS_ENCRYPTION
> -	help
> -	  Enable encryption of ext4 files and directories.  This
> -	  feature is similar to ecryptfs, but it is more memory
> -	  efficient since it avoids caching the encrypted and
> -	  decrypted pages in the page cache.
> -
> -config EXT4_FS_ENCRYPTION
> -	bool
> -	default y
> -	depends on EXT4_ENCRYPTION
> -
>  config EXT4_FS_VERITY
>  	bool "Ext4 Verity"
>  	depends on EXT4_FS
> diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
> index fb7a64ea5679..0ccd51f72048 100644
> --- a/fs/ext4/dir.c
> +++ b/fs/ext4/dir.c
> @@ -283,9 +283,7 @@ static int ext4_readdir(struct file *file, struct dir_context *ctx)
>  done:
>  	err = 0;
>  errout:
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
>  	fscrypt_fname_free_buffer(&fstr);
> -#endif
>  	brelse(bh);
>  	return err;
>  }
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 2ae6ab88f218..db21df885186 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -40,7 +40,6 @@
>  #include <linux/compat.h>
>  #endif
>  
> -#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_EXT4_FS_ENCRYPTION)
>  #include <linux/fscrypt.h>
>  
>  #define __FS_HAS_VERITY IS_ENABLED(CONFIG_EXT4_FS_VERITY)
> @@ -1341,7 +1340,7 @@ struct ext4_super_block {
>  #define EXT4_MF_FS_ABORTED		0x0002	/* Fatal error detected */
>  #define EXT4_MF_TEST_DUMMY_ENCRYPTION	0x0004
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  #define DUMMY_ENCRYPTION_ENABLED(sbi) (unlikely((sbi)->s_mount_flags & \
>  						EXT4_MF_TEST_DUMMY_ENCRYPTION))
>  #else
> @@ -2069,7 +2068,7 @@ struct ext4_filename {
>  	const struct qstr *usr_fname;
>  	struct fscrypt_str disk_name;
>  	struct dx_hash_info hinfo;
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	struct fscrypt_str crypto_buf;
>  #endif
>  };
> @@ -2306,7 +2305,7 @@ static inline bool ext4_verity_inode(struct inode *inode)
>  #endif
>  }
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  static inline int ext4_fname_setup_filename(struct inode *dir,
>  			const struct qstr *iname,
>  			int lookup, struct ext4_filename *fname)
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 0efa30f921b0..8a55255a6c32 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -1150,7 +1150,7 @@ int do_journal_get_write_access(handle_t *handle,
>  	return ret;
>  }
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  static int ext4_block_write_begin(struct page *page, loff_t pos, unsigned len,
>  				  get_block_t *get_block)
>  {
> @@ -1302,7 +1302,7 @@ static int ext4_write_begin(struct file *file, struct address_space *mapping,
>  	/* In case writeback began while the page was unlocked */
>  	wait_for_stable_page(page);
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	if (ext4_should_dioread_nolock(inode))
>  		ret = ext4_block_write_begin(page, pos, len,
>  					     ext4_get_block_unwritten);
> @@ -3103,7 +3103,7 @@ static int ext4_da_write_begin(struct file *file, struct address_space *mapping,
>  	/* In case writeback began while the page was unlocked */
>  	wait_for_stable_page(page);
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	ret = ext4_block_write_begin(page, pos, len,
>  				     ext4_da_get_block_prep);
>  #else
> @@ -3878,7 +3878,7 @@ static ssize_t ext4_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
>  	loff_t offset = iocb->ki_pos;
>  	ssize_t ret;
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	if (IS_ENCRYPTED(inode) && S_ISREG(inode->i_mode))
>  		return 0;
>  #endif
> diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
> index 9bb6cc1ae8ce..892fb1925836 100644
> --- a/fs/ext4/ioctl.c
> +++ b/fs/ext4/ioctl.c
> @@ -210,7 +210,7 @@ static long swap_inode_boot_loader(struct super_block *sb,
>  	return err;
>  }
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  static int uuid_is_zero(__u8 u[16])
>  {
>  	int	i;
> @@ -978,7 +978,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
>  		return fscrypt_ioctl_set_policy(filp, (const void __user *)arg);
>  
>  	case EXT4_IOC_GET_ENCRYPTION_PWSALT: {
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		int err, err2;
>  		struct ext4_sb_info *sbi = EXT4_SB(sb);
>  		handle_t *handle;
> diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> index 0de60207a963..1e1a3c8c3a8b 100644
> --- a/fs/ext4/namei.c
> +++ b/fs/ext4/namei.c
> @@ -611,7 +611,7 @@ static struct stats dx_show_leaf(struct inode *dir,
>  		{
>  			if (show_names)
>  			{
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  				int len;
>  				char *name;
>  				struct fscrypt_str fname_crypto_str =
> @@ -983,7 +983,7 @@ static int htree_dirblock_to_tree(struct file *dir_file,
>  	top = (struct ext4_dir_entry_2 *) ((char *) de +
>  					   dir->i_sb->s_blocksize -
>  					   EXT4_DIR_REC_LEN(0));
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	/* Check if the directory is encrypted */
>  	if (IS_ENCRYPTED(dir)) {
>  		err = fscrypt_get_encryption_info(dir);
> @@ -1046,7 +1046,7 @@ static int htree_dirblock_to_tree(struct file *dir_file,
>  	}
>  errout:
>  	brelse(bh);
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	fscrypt_fname_free_buffer(&fname_crypto_str);
>  #endif
>  	return count;
> @@ -1266,7 +1266,7 @@ static inline bool ext4_match(const struct ext4_filename *fname,
>  
>  	f.usr_fname = fname->usr_fname;
>  	f.disk_name = fname->disk_name;
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	f.crypto_buf = fname->crypto_buf;
>  #endif
>  	return fscrypt_match_name(&f, de->name, de->name_len);
> @@ -1497,7 +1497,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir,
>  	ext4_lblk_t block;
>  	int retval;
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	*res_dir = NULL;
>  #endif
>  	frame = dx_probe(fname, dir, NULL, frames);
> diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
> index c398b55da854..b9d6cabe2ea8 100644
> --- a/fs/ext4/page-io.c
> +++ b/fs/ext4/page-io.c
> @@ -66,7 +66,7 @@ static void ext4_finish_bio(struct bio *bio)
>  
>  	bio_for_each_segment_all(bvec, bio, i) {
>  		struct page *page = bvec->bv_page;
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		struct page *data_page = NULL;
>  #endif
>  		struct buffer_head *bh, *head;
> @@ -78,7 +78,7 @@ static void ext4_finish_bio(struct bio *bio)
>  		if (!page)
>  			continue;
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		if (!page->mapping) {
>  			/* The bounce data pages are unmapped. */
>  			data_page = page;
> @@ -111,7 +111,7 @@ static void ext4_finish_bio(struct bio *bio)
>  		bit_spin_unlock(BH_Uptodate_Lock, &head->b_state);
>  		local_irq_restore(flags);
>  		if (!under_io) {
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  			if (data_page)
>  				fscrypt_restore_control_page(data_page);
>  #endif
> diff --git a/fs/ext4/readpage.c b/fs/ext4/readpage.c
> index 45e707fb9749..7252f0a60cdb 100644
> --- a/fs/ext4/readpage.c
> +++ b/fs/ext4/readpage.c
> @@ -54,7 +54,7 @@ static mempool_t *bio_post_read_ctx_pool;
>  
>  static inline bool ext4_bio_encrypted(struct bio *bio)
>  {
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	return unlikely(bio->bi_private != NULL);
>  #else
>  	return false;
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index fb4e060f28ec..16fb483a6f4a 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1210,7 +1210,7 @@ static int bdev_try_to_free_page(struct super_block *sb, struct page *page,
>  	return try_to_free_buffers(page);
>  }
>  
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  static int ext4_get_context(struct inode *inode, void *ctx, size_t len)
>  {
>  	return ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
> @@ -1986,7 +1986,7 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token,
>  		*journal_ioprio =
>  			IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, arg);
>  	} else if (token == Opt_test_dummy_encryption) {
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		sbi->s_mount_flags |= EXT4_MF_TEST_DUMMY_ENCRYPTION;
>  		ext4_msg(sb, KERN_WARNING,
>  			 "Test dummy encryption mode enabled");
> @@ -4231,7 +4231,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
>  	sb->s_op = &ext4_sops;
>  	sb->s_export_op = &ext4_export_ops;
>  	sb->s_xattr = ext4_xattr_handlers;
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	sb->s_cop = &ext4_cryptops;
>  #endif
>  #ifdef CONFIG_EXT4_FS_VERITY
> diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
> index 8e86087c2f03..8bc915452a38 100644
> --- a/fs/ext4/sysfs.c
> +++ b/fs/ext4/sysfs.c
> @@ -224,7 +224,7 @@ static struct attribute *ext4_attrs[] = {
>  EXT4_ATTR_FEATURE(lazy_itable_init);
>  EXT4_ATTR_FEATURE(batched_discard);
>  EXT4_ATTR_FEATURE(meta_bg_resize);
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  EXT4_ATTR_FEATURE(encryption);
>  #endif
>  #ifdef CONFIG_EXT4_FS_VERITY
> @@ -236,7 +236,7 @@ static struct attribute *ext4_feat_attrs[] = {
>  	ATTR_LIST(lazy_itable_init),
>  	ATTR_LIST(batched_discard),
>  	ATTR_LIST(meta_bg_resize),
> -#ifdef CONFIG_EXT4_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	ATTR_LIST(encryption),
>  #endif
>  #ifdef CONFIG_EXT4_FS_VERITY
> diff --git a/fs/f2fs/Kconfig b/fs/f2fs/Kconfig
> index c8396c7220f2..a5a1a381fcf1 100644
> --- a/fs/f2fs/Kconfig
> +++ b/fs/f2fs/Kconfig
> @@ -3,6 +3,7 @@ config F2FS_FS
>  	depends on BLOCK
>  	select CRYPTO
>  	select CRYPTO_CRC32
> +	select F2FS_FS_XATTR if FS_ENCRYPTION
>  	help
>  	  F2FS is based on Log-structured File System (LFS), which supports
>  	  versatile "flash-friendly" features. The design has been focused on
> @@ -70,17 +71,6 @@ config F2FS_CHECK_FS
>  
>  	  If you want to improve the performance, say N.
>  
> -config F2FS_FS_ENCRYPTION
> -	bool "F2FS Encryption"
> -	depends on F2FS_FS
> -	depends on F2FS_FS_XATTR
> -	select FS_ENCRYPTION
> -	help
> -	  Enable encryption of f2fs files and directories.  This
> -	  feature is similar to ecryptfs, but it is more memory
> -	  efficient since it avoids caching the encrypted and
> -	  decrypted pages in the page cache.
> -
>  config F2FS_FS_VERITY
>  	bool "F2FS Verity"
>  	depends on F2FS_FS
> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> index 368c7e78fe6b..f9c8b0afc1de 100644
> --- a/fs/f2fs/f2fs.h
> +++ b/fs/f2fs/f2fs.h
> @@ -24,7 +24,6 @@
>  #include <linux/quotaops.h>
>  #include <crypto/hash.h>
>  
> -#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_F2FS_FS_ENCRYPTION)
>  #include <linux/fscrypt.h>
>  
>  #define __FS_HAS_VERITY IS_ENABLED(CONFIG_F2FS_FS_VERITY)
> @@ -1145,7 +1144,7 @@ enum fsync_mode {
>  	FSYNC_MODE_NOBARRIER,	/* fsync behaves nobarrier based on posix */
>  };
>  
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  #define DUMMY_ENCRYPTION_ENABLED(sbi) \
>  			(unlikely(F2FS_OPTION(sbi).test_dummy_encryption))
>  #else
> @@ -3443,7 +3442,7 @@ static inline bool f2fs_encrypted_file(struct inode *inode)
>  
>  static inline void f2fs_set_encrypted_inode(struct inode *inode)
>  {
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	file_set_encrypt(inode);
>  	f2fs_set_inode_flags(inode);
>  #endif
> @@ -3528,7 +3527,7 @@ static inline void set_opt_mode(struct f2fs_sb_info *sbi, unsigned int mt)
>  
>  static inline bool f2fs_may_encrypt(struct inode *inode)
>  {
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	umode_t mode = inode->i_mode;
>  
>  	return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode));
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index adf38c1b6414..4287cf348d3c 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -757,7 +757,7 @@ static int parse_options(struct super_block *sb, char *options)
>  			kfree(name);
>  			break;
>  		case Opt_test_dummy_encryption:
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  			if (!f2fs_sb_has_encrypt(sb)) {
>  				f2fs_msg(sb, KERN_ERR, "Encrypt feature is off");
>  				return -EINVAL;
> @@ -1387,7 +1387,7 @@ static int f2fs_show_options(struct seq_file *seq, struct dentry *root)
>  		seq_printf(seq, ",whint_mode=%s", "user-based");
>  	else if (F2FS_OPTION(sbi).whint_mode == WHINT_MODE_FS)
>  		seq_printf(seq, ",whint_mode=%s", "fs-based");
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	if (F2FS_OPTION(sbi).test_dummy_encryption)
>  		seq_puts(seq, ",test_dummy_encryption");
>  #endif
> @@ -2154,7 +2154,7 @@ static const struct super_operations f2fs_sops = {
>  	.remount_fs	= f2fs_remount,
>  };
>  
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  static int f2fs_get_context(struct inode *inode, void *ctx, size_t len)
>  {
>  	return f2fs_getxattr(inode, F2FS_XATTR_INDEX_ENCRYPTION,
> @@ -3143,7 +3143,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>  #endif
>  
>  	sb->s_op = &f2fs_sops;
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	sb->s_cop = &f2fs_cryptops;
>  #endif
>  #ifdef CONFIG_F2FS_FS_VERITY
> diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
> index 5599c9ac4426..737677655bc0 100644
> --- a/fs/f2fs/sysfs.c
> +++ b/fs/f2fs/sysfs.c
> @@ -430,7 +430,7 @@ F2FS_GENERAL_RO_ATTR(lifetime_write_kbytes);
>  F2FS_GENERAL_RO_ATTR(features);
>  F2FS_GENERAL_RO_ATTR(current_reserved_blocks);
>  
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  F2FS_FEATURE_RO_ATTR(encryption, FEAT_CRYPTO);
>  #endif
>  #ifdef CONFIG_BLK_DEV_ZONED
> @@ -493,7 +493,7 @@ static struct attribute *f2fs_attrs[] = {
>  };
>  
>  static struct attribute *f2fs_feat_attrs[] = {
> -#ifdef CONFIG_F2FS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	ATTR_LIST(encryption),
>  #endif
>  #ifdef CONFIG_BLK_DEV_ZONED
> diff --git a/fs/ubifs/Kconfig b/fs/ubifs/Kconfig
> index bbc78549be4c..c2638da8ec5d 100644
> --- a/fs/ubifs/Kconfig
> +++ b/fs/ubifs/Kconfig
> @@ -7,6 +7,8 @@ config UBIFS_FS
>  	select CRYPTO if UBIFS_FS_ZLIB
>  	select CRYPTO_LZO if UBIFS_FS_LZO
>  	select CRYPTO_DEFLATE if UBIFS_FS_ZLIB
> +	select UBIFS_FS_XATTR if FS_ENCRYPTION
> +	select BLOCK if FS_ENCRYPTION
>  	depends on MTD_UBI
>  	help
>  	  UBIFS is a file system for flash devices which works on top of UBI.
> @@ -62,17 +64,6 @@ config UBIFS_FS_XATTR
>  
>  	  If unsure, say Y.
>  
> -config UBIFS_FS_ENCRYPTION
> -	bool "UBIFS Encryption"
> -	depends on UBIFS_FS && UBIFS_FS_XATTR && BLOCK
> -	select FS_ENCRYPTION
> -	default n
> -	help
> -	  Enable encryption of UBIFS files and directories. This
> -	  feature is similar to ecryptfs, but it is more memory
> -	  efficient since it avoids caching the encrypted and
> -	  decrypted pages in the page cache.
> -
>  config UBIFS_FS_SECURITY
>  	bool "UBIFS Security Labels"
>  	depends on UBIFS_FS && UBIFS_FS_XATTR
> diff --git a/fs/ubifs/Makefile b/fs/ubifs/Makefile
> index 6197d7e539e4..079b13fb88a2 100644
> --- a/fs/ubifs/Makefile
> +++ b/fs/ubifs/Makefile
> @@ -6,5 +6,5 @@ ubifs-y += tnc.o master.o scan.o replay.o log.o commit.o gc.o orphan.o
>  ubifs-y += budget.o find.o tnc_commit.o compress.o lpt.o lprops.o
>  ubifs-y += recovery.o ioctl.o lpt_commit.o tnc_misc.o debug.o
>  ubifs-y += misc.o
> -ubifs-$(CONFIG_UBIFS_FS_ENCRYPTION) += crypto.o
> +ubifs-$(CONFIG_FS_ENCRYPTION) += crypto.o
>  ubifs-$(CONFIG_UBIFS_FS_XATTR) += xattr.o
> diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c
> index 0164bcc827f8..0f9c362a3402 100644
> --- a/fs/ubifs/ioctl.c
> +++ b/fs/ubifs/ioctl.c
> @@ -185,7 +185,7 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		return err;
>  	}
>  	case FS_IOC_SET_ENCRYPTION_POLICY: {
> -#ifdef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		struct ubifs_info *c = inode->i_sb->s_fs_info;
>  
>  		err = ubifs_enable_encryption(c);
> @@ -198,7 +198,7 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  #endif
>  	}
>  	case FS_IOC_GET_ENCRYPTION_POLICY: {
> -#ifdef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  		return fscrypt_ioctl_get_policy(file, (void __user *)arg);
>  #else
>  		return -EOPNOTSUPP;
> diff --git a/fs/ubifs/sb.c b/fs/ubifs/sb.c
> index bf17f58908ff..3dffa595a60f 100644
> --- a/fs/ubifs/sb.c
> +++ b/fs/ubifs/sb.c
> @@ -647,7 +647,7 @@ int ubifs_read_superblock(struct ubifs_info *c)
>  		goto out;
>  	}
>  
> -#ifndef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifndef CONFIG_FS_ENCRYPTION
>  	if (c->encrypted) {
>  		ubifs_err(c, "file system contains encrypted files but UBIFS"
>  			     " was built without crypto support.");
> diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
> index fec62e9dfbe6..7c98ccca2c41 100644
> --- a/fs/ubifs/super.c
> +++ b/fs/ubifs/super.c
> @@ -2087,7 +2087,7 @@ static int ubifs_fill_super(struct super_block *sb, void *data, int silent)
>  #ifdef CONFIG_UBIFS_FS_XATTR
>  	sb->s_xattr = ubifs_xattr_handlers;
>  #endif
> -#ifdef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  	sb->s_cop = &ubifs_crypt_operations;
>  #endif
>  
> diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
> index 4368cde476b0..4d46bb83b964 100644
> --- a/fs/ubifs/ubifs.h
> +++ b/fs/ubifs/ubifs.h
> @@ -40,7 +40,6 @@
>  #include <linux/xattr.h>
>  #include <linux/random.h>
>  
> -#define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_UBIFS_FS_ENCRYPTION)
>  #include <linux/fscrypt.h>
>  
>  #include "ubifs-media.h"
> @@ -139,7 +138,7 @@
>   */
>  #define WORST_COMPR_FACTOR 2
>  
> -#ifdef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifdef CONFIG_FS_ENCRYPTION
>  #define UBIFS_CIPHER_BLOCK_SIZE FS_CRYPTO_BLOCK_SIZE
>  #else
>  #define UBIFS_CIPHER_BLOCK_SIZE 0
> @@ -1829,7 +1828,7 @@ int ubifs_decompress(const struct ubifs_info *c, const void *buf, int len,
>  #include "misc.h"
>  #include "key.h"
>  
> -#ifndef CONFIG_UBIFS_FS_ENCRYPTION
> +#ifndef CONFIG_FS_ENCRYPTION
>  static inline int ubifs_encrypt(const struct inode *inode,
>  				struct ubifs_data_node *dn,
>  				unsigned int in_len, unsigned int *out_len,
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index bcfc40062757..389a35e028bf 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -700,7 +700,7 @@ struct inode {
>  	struct fsnotify_mark_connector __rcu	*i_fsnotify_marks;
>  #endif
>  
> -#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
> +#ifdef CONFIG_FS_ENCRYPTION
>  	struct fscrypt_info	*i_crypt_info;
>  #endif
>  
> @@ -1404,7 +1404,7 @@ struct super_block {
>  	void                    *s_security;
>  #endif
>  	const struct xattr_handler **s_xattr;
> -#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
> +#ifdef CONFIG_FS_ENCRYPTION
>  	const struct fscrypt_operations	*s_cop;
>  #endif
>  #if IS_ENABLED(CONFIG_FS_VERITY)
> diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
> index 952ab97af325..6ba193c23f37 100644
> --- a/include/linux/fscrypt.h
> +++ b/include/linux/fscrypt.h
> @@ -2,9 +2,8 @@
>  /*
>   * fscrypt.h: declarations for per-file encryption
>   *
> - * Filesystems that implement per-file encryption include this header
> - * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
> - * is being built with encryption support or not.
> + * Filesystems that implement per-file encryption must include this header
> + * file.
>   *
>   * Copyright (C) 2015, Google, Inc.
>   *
> @@ -15,6 +14,8 @@
>  #define _LINUX_FSCRYPT_H
>  
>  #include <linux/fs.h>
> +#include <linux/mm.h>
> +#include <linux/slab.h>
>  
>  #define FS_CRYPTO_BLOCK_SIZE		16
>  
> @@ -42,11 +43,410 @@ struct fscrypt_name {
>  /* Maximum value for the third parameter of fscrypt_operations.set_context(). */
>  #define FSCRYPT_SET_CONTEXT_MAX_SIZE	28
>  
> -#if __FS_HAS_ENCRYPTION
> -#include <linux/fscrypt_supp.h>
> -#else
> -#include <linux/fscrypt_notsupp.h>
> -#endif
> +#ifdef CONFIG_FS_ENCRYPTION
> +/*
> + * fscrypt superblock flags
> + */
> +#define FS_CFLG_OWN_PAGES (1U << 1)
> +
> +/*
> + * crypto operations for filesystems
> + */
> +struct fscrypt_operations {
> +	unsigned int flags;
> +	const char *key_prefix;
> +	int (*get_context)(struct inode *, void *, size_t);
> +	int (*set_context)(struct inode *, const void *, size_t, void *);
> +	bool (*dummy_context)(struct inode *);
> +	bool (*empty_dir)(struct inode *);
> +	unsigned int max_namelen;
> +};
> +
> +struct fscrypt_ctx {
> +	union {
> +		struct {
> +			struct page *bounce_page;	/* Ciphertext page */
> +			struct page *control_page;	/* Original page  */
> +		} w;
> +		struct {
> +			struct bio *bio;
> +			struct work_struct work;
> +		} r;
> +		struct list_head free_list;	/* Free list */
> +	};
> +	u8 flags;				/* Flags */
> +};
> +
> +static inline bool fscrypt_has_encryption_key(const struct inode *inode)
> +{
> +	return (inode->i_crypt_info != NULL);
> +}
> +
> +static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
> +{
> +	return inode->i_sb->s_cop->dummy_context &&
> +		inode->i_sb->s_cop->dummy_context(inode);
> +}
> +
> +/* crypto.c */
> +extern void fscrypt_enqueue_decrypt_work(struct work_struct *);
> +extern struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *, gfp_t);
> +extern void fscrypt_release_ctx(struct fscrypt_ctx *);
> +extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *,
> +						unsigned int, unsigned int,
> +						u64, gfp_t);
> +extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int,
> +				unsigned int, u64);
> +
> +static inline struct page *fscrypt_control_page(struct page *page)
> +{
> +	return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
> +}
> +
> +extern void fscrypt_restore_control_page(struct page *);
> +
> +/* policy.c */
> +extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
> +extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
> +extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
> +extern int fscrypt_inherit_context(struct inode *, struct inode *,
> +					void *, bool);
> +/* keyinfo.c */
> +extern int fscrypt_get_encryption_info(struct inode *);
> +extern void fscrypt_put_encryption_info(struct inode *);
> +
> +/* fname.c */
> +extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
> +				int lookup, struct fscrypt_name *);
> +
> +static inline void fscrypt_free_filename(struct fscrypt_name *fname)
> +{
> +	kfree(fname->crypto_buf.name);
> +}
> +
> +extern int fscrypt_fname_alloc_buffer(const struct inode *, u32,
> +				struct fscrypt_str *);
> +extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
> +extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
> +			const struct fscrypt_str *, struct fscrypt_str *);
> +
> +#define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE	32
> +
> +/* Extracts the second-to-last ciphertext block; see explanation below */
> +#define FSCRYPT_FNAME_DIGEST(name, len)	\
> +	((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \
> +			     FS_CRYPTO_BLOCK_SIZE))
> +
> +#define FSCRYPT_FNAME_DIGEST_SIZE	FS_CRYPTO_BLOCK_SIZE
> +
> +/**
> + * fscrypt_digested_name - alternate identifier for an on-disk filename
> + *
> + * When userspace lists an encrypted directory without access to the key,
> + * filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
> + * bytes are shown in this abbreviated form (base64-encoded) rather than as the
> + * full ciphertext (base64-encoded).  This is necessary to allow supporting
> + * filenames up to NAME_MAX bytes, since base64 encoding expands the length.
> + *
> + * To make it possible for filesystems to still find the correct directory entry
> + * despite not knowing the full on-disk name, we encode any filesystem-specific
> + * 'hash' and/or 'minor_hash' which the filesystem may need for its lookups,
> + * followed by the second-to-last ciphertext block of the filename.  Due to the
> + * use of the CBC-CTS encryption mode, the second-to-last ciphertext block
> + * depends on the full plaintext.  (Note that ciphertext stealing causes the
> + * last two blocks to appear "flipped".)  This makes accidental collisions very
> + * unlikely: just a 1 in 2^128 chance for two filenames to collide even if they
> + * share the same filesystem-specific hashes.
> + *
> + * However, this scheme isn't immune to intentional collisions, which can be
> + * created by anyone able to create arbitrary plaintext filenames and view them
> + * without the key.  Making the "digest" be a real cryptographic hash like
> + * SHA-256 over the full ciphertext would prevent this, although it would be
> + * less efficient and harder to implement, especially since the filesystem would
> + * need to calculate it for each directory entry examined during a search.
> + */
> +struct fscrypt_digested_name {
> +	u32 hash;
> +	u32 minor_hash;
> +	u8 digest[FSCRYPT_FNAME_DIGEST_SIZE];
> +};
> +
> +/**
> + * fscrypt_match_name() - test whether the given name matches a directory entry
> + * @fname: the name being searched for
> + * @de_name: the name from the directory entry
> + * @de_name_len: the length of @de_name in bytes
> + *
> + * Normally @fname->disk_name will be set, and in that case we simply compare
> + * that to the name stored in the directory entry.  The only exception is that
> + * if we don't have the key for an encrypted directory and a filename in it is
> + * very long, then we won't have the full disk_name and we'll instead need to
> + * match against the fscrypt_digested_name.
> + *
> + * Return: %true if the name matches, otherwise %false.
> + */
> +static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
> +				      const u8 *de_name, u32 de_name_len)
> +{
> +	if (unlikely(!fname->disk_name.name)) {
> +		const struct fscrypt_digested_name *n =
> +			(const void *)fname->crypto_buf.name;
> +		if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_'))
> +			return false;
> +		if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)
> +			return false;
> +		return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len),
> +			       n->digest, FSCRYPT_FNAME_DIGEST_SIZE);
> +	}
> +
> +	if (de_name_len != fname->disk_name.len)
> +		return false;
> +	return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
> +}
> +
> +/* bio.c */
> +extern void fscrypt_decrypt_bio(struct bio *);
> +extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
> +					struct bio *bio);
> +extern void fscrypt_pullback_bio_page(struct page **, bool);
> +extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
> +				 unsigned int);
> +
> +/* hooks.c */
> +extern int fscrypt_file_open(struct inode *inode, struct file *filp);
> +extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
> +extern int __fscrypt_prepare_rename(struct inode *old_dir,
> +				    struct dentry *old_dentry,
> +				    struct inode *new_dir,
> +				    struct dentry *new_dentry,
> +				    unsigned int flags);
> +extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry);
> +extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
> +				     unsigned int max_len,
> +				     struct fscrypt_str *disk_link);
> +extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
> +				     unsigned int len,
> +				     struct fscrypt_str *disk_link);
> +extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
> +				       unsigned int max_size,
> +				       struct delayed_call *done);
> +#else  /* ! CONFIG_FS_ENCRYPTION */
> +
> +static inline bool fscrypt_has_encryption_key(const struct inode *inode)
> +{
> +	return false;
> +}
> +
> +static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
> +{
> +	return false;
> +}
> +
> +/* crypto.c */
> +static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work)
> +{
> +}
> +
> +static inline struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *inode,
> +						  gfp_t gfp_flags)
> +{
> +	return ERR_PTR(-EOPNOTSUPP);
> +}
> +
> +static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
> +{
> +	return;
> +}
> +
> +static inline struct page *fscrypt_encrypt_page(const struct inode *inode,
> +						struct page *page,
> +						unsigned int len,
> +						unsigned int offs,
> +						u64 lblk_num, gfp_t gfp_flags)
> +{
> +	return ERR_PTR(-EOPNOTSUPP);
> +}
> +
> +static inline int fscrypt_decrypt_page(const struct inode *inode,
> +				       struct page *page,
> +				       unsigned int len, unsigned int offs,
> +				       u64 lblk_num)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline struct page *fscrypt_control_page(struct page *page)
> +{
> +	WARN_ON_ONCE(1);
> +	return ERR_PTR(-EINVAL);
> +}
> +
> +static inline void fscrypt_restore_control_page(struct page *page)
> +{
> +	return;
> +}
> +
> +/* policy.c */
> +static inline int fscrypt_ioctl_set_policy(struct file *filp,
> +					   const void __user *arg)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline int fscrypt_has_permitted_context(struct inode *parent,
> +						struct inode *child)
> +{
> +	return 0;
> +}
> +
> +static inline int fscrypt_inherit_context(struct inode *parent,
> +					  struct inode *child,
> +					  void *fs_data, bool preload)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +/* keyinfo.c */
> +static inline int fscrypt_get_encryption_info(struct inode *inode)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline void fscrypt_put_encryption_info(struct inode *inode)
> +{
> +	return;
> +}
> +
> + /* fname.c */
> +static inline int fscrypt_setup_filename(struct inode *dir,
> +					 const struct qstr *iname,
> +					 int lookup, struct fscrypt_name *fname)
> +{
> +	if (IS_ENCRYPTED(dir))
> +		return -EOPNOTSUPP;
> +
> +	memset(fname, 0, sizeof(struct fscrypt_name));
> +	fname->usr_fname = iname;
> +	fname->disk_name.name = (unsigned char *)iname->name;
> +	fname->disk_name.len = iname->len;
> +	return 0;
> +}
> +
> +static inline void fscrypt_free_filename(struct fscrypt_name *fname)
> +{
> +	return;
> +}
> +
> +static inline int fscrypt_fname_alloc_buffer(const struct inode *inode,
> +					     u32 max_encrypted_len,
> +					     struct fscrypt_str *crypto_str)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
> +{
> +	return;
> +}
> +
> +static inline int fscrypt_fname_disk_to_usr(struct inode *inode,
> +					    u32 hash, u32 minor_hash,
> +					    const struct fscrypt_str *iname,
> +					    struct fscrypt_str *oname)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
> +				      const u8 *de_name, u32 de_name_len)
> +{
> +	/* Encryption support disabled; use standard comparison */
> +	if (de_name_len != fname->disk_name.len)
> +		return false;
> +	return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
> +}
> +
> +/* bio.c */
> +static inline void fscrypt_decrypt_bio(struct bio *bio)
> +{
> +}
> +
> +static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
> +					       struct bio *bio)
> +{
> +}
> +
> +static inline void fscrypt_pullback_bio_page(struct page **page, bool restore)
> +{
> +	return;
> +}
> +
> +static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
> +					sector_t pblk, unsigned int len)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +/* hooks.c */
> +
> +static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
> +{
> +	if (IS_ENCRYPTED(inode))
> +		return -EOPNOTSUPP;
> +	return 0;
> +}
> +
> +static inline int __fscrypt_prepare_link(struct inode *inode,
> +					 struct inode *dir)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline int __fscrypt_prepare_rename(struct inode *old_dir,
> +					   struct dentry *old_dentry,
> +					   struct inode *new_dir,
> +					   struct dentry *new_dentry,
> +					   unsigned int flags)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline int __fscrypt_prepare_lookup(struct inode *dir,
> +					   struct dentry *dentry)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline int __fscrypt_prepare_symlink(struct inode *dir,
> +					    unsigned int len,
> +					    unsigned int max_len,
> +					    struct fscrypt_str *disk_link)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +
> +static inline int __fscrypt_encrypt_symlink(struct inode *inode,
> +					    const char *target,
> +					    unsigned int len,
> +					    struct fscrypt_str *disk_link)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static inline const char *fscrypt_get_symlink(struct inode *inode,
> +					      const void *caddr,
> +					      unsigned int max_size,
> +					      struct delayed_call *done)
> +{
> +	return ERR_PTR(-EOPNOTSUPP);
> +}
> +#endif	/* ! CONFIG_FS_ENCRYPTION */
>  
>  /**
>   * fscrypt_require_key - require an inode's encryption key
> diff --git a/include/linux/fscrypt_notsupp.h b/include/linux/fscrypt_notsupp.h
> deleted file mode 100644
> index ee8b43e4c15a..000000000000
> --- a/include/linux/fscrypt_notsupp.h
> +++ /dev/null
> @@ -1,231 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> -/*
> - * fscrypt_notsupp.h
> - *
> - * This stubs out the fscrypt functions for filesystems configured without
> - * encryption support.
> - *
> - * Do not include this file directly. Use fscrypt.h instead!
> - */
> -#ifndef _LINUX_FSCRYPT_H
> -#error "Incorrect include of linux/fscrypt_notsupp.h!"
> -#endif
> -
> -#ifndef _LINUX_FSCRYPT_NOTSUPP_H
> -#define _LINUX_FSCRYPT_NOTSUPP_H
> -
> -static inline bool fscrypt_has_encryption_key(const struct inode *inode)
> -{
> -	return false;
> -}
> -
> -static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
> -{
> -	return false;
> -}
> -
> -/* crypto.c */
> -static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work)
> -{
> -}
> -
> -static inline struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *inode,
> -						  gfp_t gfp_flags)
> -{
> -	return ERR_PTR(-EOPNOTSUPP);
> -}
> -
> -static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx)
> -{
> -	return;
> -}
> -
> -static inline struct page *fscrypt_encrypt_page(const struct inode *inode,
> -						struct page *page,
> -						unsigned int len,
> -						unsigned int offs,
> -						u64 lblk_num, gfp_t gfp_flags)
> -{
> -	return ERR_PTR(-EOPNOTSUPP);
> -}
> -
> -static inline int fscrypt_decrypt_page(const struct inode *inode,
> -				       struct page *page,
> -				       unsigned int len, unsigned int offs,
> -				       u64 lblk_num)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline struct page *fscrypt_control_page(struct page *page)
> -{
> -	WARN_ON_ONCE(1);
> -	return ERR_PTR(-EINVAL);
> -}
> -
> -static inline void fscrypt_restore_control_page(struct page *page)
> -{
> -	return;
> -}
> -
> -/* policy.c */
> -static inline int fscrypt_ioctl_set_policy(struct file *filp,
> -					   const void __user *arg)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int fscrypt_has_permitted_context(struct inode *parent,
> -						struct inode *child)
> -{
> -	return 0;
> -}
> -
> -static inline int fscrypt_inherit_context(struct inode *parent,
> -					  struct inode *child,
> -					  void *fs_data, bool preload)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -/* keyinfo.c */
> -static inline int fscrypt_get_encryption_info(struct inode *inode)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline void fscrypt_put_encryption_info(struct inode *inode)
> -{
> -	return;
> -}
> -
> - /* fname.c */
> -static inline int fscrypt_setup_filename(struct inode *dir,
> -					 const struct qstr *iname,
> -					 int lookup, struct fscrypt_name *fname)
> -{
> -	if (IS_ENCRYPTED(dir))
> -		return -EOPNOTSUPP;
> -
> -	memset(fname, 0, sizeof(struct fscrypt_name));
> -	fname->usr_fname = iname;
> -	fname->disk_name.name = (unsigned char *)iname->name;
> -	fname->disk_name.len = iname->len;
> -	return 0;
> -}
> -
> -static inline void fscrypt_free_filename(struct fscrypt_name *fname)
> -{
> -	return;
> -}
> -
> -static inline int fscrypt_fname_alloc_buffer(const struct inode *inode,
> -					     u32 max_encrypted_len,
> -					     struct fscrypt_str *crypto_str)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
> -{
> -	return;
> -}
> -
> -static inline int fscrypt_fname_disk_to_usr(struct inode *inode,
> -					    u32 hash, u32 minor_hash,
> -					    const struct fscrypt_str *iname,
> -					    struct fscrypt_str *oname)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
> -				      const u8 *de_name, u32 de_name_len)
> -{
> -	/* Encryption support disabled; use standard comparison */
> -	if (de_name_len != fname->disk_name.len)
> -		return false;
> -	return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
> -}
> -
> -/* bio.c */
> -static inline void fscrypt_decrypt_bio(struct bio *bio)
> -{
> -}
> -
> -static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
> -					       struct bio *bio)
> -{
> -}
> -
> -static inline void fscrypt_pullback_bio_page(struct page **page, bool restore)
> -{
> -	return;
> -}
> -
> -static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
> -					sector_t pblk, unsigned int len)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -/* hooks.c */
> -
> -static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
> -{
> -	if (IS_ENCRYPTED(inode))
> -		return -EOPNOTSUPP;
> -	return 0;
> -}
> -
> -static inline int __fscrypt_prepare_link(struct inode *inode,
> -					 struct inode *dir)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int __fscrypt_prepare_rename(struct inode *old_dir,
> -					   struct dentry *old_dentry,
> -					   struct inode *new_dir,
> -					   struct dentry *new_dentry,
> -					   unsigned int flags)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int __fscrypt_prepare_lookup(struct inode *dir,
> -					   struct dentry *dentry)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int __fscrypt_prepare_symlink(struct inode *dir,
> -					    unsigned int len,
> -					    unsigned int max_len,
> -					    struct fscrypt_str *disk_link)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline int __fscrypt_encrypt_symlink(struct inode *inode,
> -					    const char *target,
> -					    unsigned int len,
> -					    struct fscrypt_str *disk_link)
> -{
> -	return -EOPNOTSUPP;
> -}
> -
> -static inline const char *fscrypt_get_symlink(struct inode *inode,
> -					      const void *caddr,
> -					      unsigned int max_size,
> -					      struct delayed_call *done)
> -{
> -	return ERR_PTR(-EOPNOTSUPP);
> -}
> -
> -#endif	/* _LINUX_FSCRYPT_NOTSUPP_H */
> diff --git a/include/linux/fscrypt_supp.h b/include/linux/fscrypt_supp.h
> deleted file mode 100644
> index 6456c6b2005f..000000000000
> --- a/include/linux/fscrypt_supp.h
> +++ /dev/null
> @@ -1,204 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> -/*
> - * fscrypt_supp.h
> - *
> - * Do not include this file directly. Use fscrypt.h instead!
> - */
> -#ifndef _LINUX_FSCRYPT_H
> -#error "Incorrect include of linux/fscrypt_supp.h!"
> -#endif
> -
> -#ifndef _LINUX_FSCRYPT_SUPP_H
> -#define _LINUX_FSCRYPT_SUPP_H
> -
> -#include <linux/mm.h>
> -#include <linux/slab.h>
> -
> -/*
> - * fscrypt superblock flags
> - */
> -#define FS_CFLG_OWN_PAGES (1U << 1)
> -
> -/*
> - * crypto operations for filesystems
> - */
> -struct fscrypt_operations {
> -	unsigned int flags;
> -	const char *key_prefix;
> -	int (*get_context)(struct inode *, void *, size_t);
> -	int (*set_context)(struct inode *, const void *, size_t, void *);
> -	bool (*dummy_context)(struct inode *);
> -	bool (*empty_dir)(struct inode *);
> -	unsigned int max_namelen;
> -};
> -
> -struct fscrypt_ctx {
> -	union {
> -		struct {
> -			struct page *bounce_page;	/* Ciphertext page */
> -			struct page *control_page;	/* Original page  */
> -		} w;
> -		struct {
> -			struct bio *bio;
> -			struct work_struct work;
> -		} r;
> -		struct list_head free_list;	/* Free list */
> -	};
> -	u8 flags;				/* Flags */
> -};
> -
> -static inline bool fscrypt_has_encryption_key(const struct inode *inode)
> -{
> -	return (inode->i_crypt_info != NULL);
> -}
> -
> -static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
> -{
> -	return inode->i_sb->s_cop->dummy_context &&
> -		inode->i_sb->s_cop->dummy_context(inode);
> -}
> -
> -/* crypto.c */
> -extern void fscrypt_enqueue_decrypt_work(struct work_struct *);
> -extern struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *, gfp_t);
> -extern void fscrypt_release_ctx(struct fscrypt_ctx *);
> -extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *,
> -						unsigned int, unsigned int,
> -						u64, gfp_t);
> -extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int,
> -				unsigned int, u64);
> -
> -static inline struct page *fscrypt_control_page(struct page *page)
> -{
> -	return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
> -}
> -
> -extern void fscrypt_restore_control_page(struct page *);
> -
> -/* policy.c */
> -extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
> -extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
> -extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
> -extern int fscrypt_inherit_context(struct inode *, struct inode *,
> -					void *, bool);
> -/* keyinfo.c */
> -extern int fscrypt_get_encryption_info(struct inode *);
> -extern void fscrypt_put_encryption_info(struct inode *);
> -
> -/* fname.c */
> -extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
> -				int lookup, struct fscrypt_name *);
> -
> -static inline void fscrypt_free_filename(struct fscrypt_name *fname)
> -{
> -	kfree(fname->crypto_buf.name);
> -}
> -
> -extern int fscrypt_fname_alloc_buffer(const struct inode *, u32,
> -				struct fscrypt_str *);
> -extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
> -extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
> -			const struct fscrypt_str *, struct fscrypt_str *);
> -
> -#define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE	32
> -
> -/* Extracts the second-to-last ciphertext block; see explanation below */
> -#define FSCRYPT_FNAME_DIGEST(name, len)	\
> -	((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \
> -			     FS_CRYPTO_BLOCK_SIZE))
> -
> -#define FSCRYPT_FNAME_DIGEST_SIZE	FS_CRYPTO_BLOCK_SIZE
> -
> -/**
> - * fscrypt_digested_name - alternate identifier for an on-disk filename
> - *
> - * When userspace lists an encrypted directory without access to the key,
> - * filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
> - * bytes are shown in this abbreviated form (base64-encoded) rather than as the
> - * full ciphertext (base64-encoded).  This is necessary to allow supporting
> - * filenames up to NAME_MAX bytes, since base64 encoding expands the length.
> - *
> - * To make it possible for filesystems to still find the correct directory entry
> - * despite not knowing the full on-disk name, we encode any filesystem-specific
> - * 'hash' and/or 'minor_hash' which the filesystem may need for its lookups,
> - * followed by the second-to-last ciphertext block of the filename.  Due to the
> - * use of the CBC-CTS encryption mode, the second-to-last ciphertext block
> - * depends on the full plaintext.  (Note that ciphertext stealing causes the
> - * last two blocks to appear "flipped".)  This makes accidental collisions very
> - * unlikely: just a 1 in 2^128 chance for two filenames to collide even if they
> - * share the same filesystem-specific hashes.
> - *
> - * However, this scheme isn't immune to intentional collisions, which can be
> - * created by anyone able to create arbitrary plaintext filenames and view them
> - * without the key.  Making the "digest" be a real cryptographic hash like
> - * SHA-256 over the full ciphertext would prevent this, although it would be
> - * less efficient and harder to implement, especially since the filesystem would
> - * need to calculate it for each directory entry examined during a search.
> - */
> -struct fscrypt_digested_name {
> -	u32 hash;
> -	u32 minor_hash;
> -	u8 digest[FSCRYPT_FNAME_DIGEST_SIZE];
> -};
> -
> -/**
> - * fscrypt_match_name() - test whether the given name matches a directory entry
> - * @fname: the name being searched for
> - * @de_name: the name from the directory entry
> - * @de_name_len: the length of @de_name in bytes
> - *
> - * Normally @fname->disk_name will be set, and in that case we simply compare
> - * that to the name stored in the directory entry.  The only exception is that
> - * if we don't have the key for an encrypted directory and a filename in it is
> - * very long, then we won't have the full disk_name and we'll instead need to
> - * match against the fscrypt_digested_name.
> - *
> - * Return: %true if the name matches, otherwise %false.
> - */
> -static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
> -				      const u8 *de_name, u32 de_name_len)
> -{
> -	if (unlikely(!fname->disk_name.name)) {
> -		const struct fscrypt_digested_name *n =
> -			(const void *)fname->crypto_buf.name;
> -		if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_'))
> -			return false;
> -		if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)
> -			return false;
> -		return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len),
> -			       n->digest, FSCRYPT_FNAME_DIGEST_SIZE);
> -	}
> -
> -	if (de_name_len != fname->disk_name.len)
> -		return false;
> -	return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
> -}
> -
> -/* bio.c */
> -extern void fscrypt_decrypt_bio(struct bio *);
> -extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
> -					struct bio *bio);
> -extern void fscrypt_pullback_bio_page(struct page **, bool);
> -extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
> -				 unsigned int);
> -
> -/* hooks.c */
> -extern int fscrypt_file_open(struct inode *inode, struct file *filp);
> -extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
> -extern int __fscrypt_prepare_rename(struct inode *old_dir,
> -				    struct dentry *old_dentry,
> -				    struct inode *new_dir,
> -				    struct dentry *new_dentry,
> -				    unsigned int flags);
> -extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry);
> -extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
> -				     unsigned int max_len,
> -				     struct fscrypt_str *disk_link);
> -extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
> -				     unsigned int len,
> -				     struct fscrypt_str *disk_link);
> -extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
> -				       unsigned int max_size,
> -				       struct delayed_call *done);
> -
> -#endif	/* _LINUX_FSCRYPT_SUPP_H */
> -- 
> 2.19.1
> 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Kernel Development]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Info]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Linux Media]     [Device Mapper]

  Powered by Linux