btrfs: add encryption feature
From: Sweet Tea Dorminy <sweettea-kernel-AT-dorminy.me>
To: Chris Mason <clm-AT-fb.com>, Josef Bacik <josef-AT-toxicpanda.com>, David Sterba <dsterba-AT-suse.com>, Eric Biggers <ebiggers-AT-kernel.org>, "Theodore Y. Ts'o" <tytso-AT-mit.edu>, Jaegeuk Kim <jaegeuk-AT-kernel.org>, kernel-team-AT-meta.com, linux-btrfs-AT-vger.kernel.org, linux-fscrypt-AT-vger.kernel.org
Subject: [PATCH v1 00/17] btrfs: add encryption feature
Date: Wed, 28 Jun 2023 20:35:23 -0400
Message-ID: <cover.1687988380.git.sweettea-kernel@dorminy.me>
Cc: Sweet Tea Dorminy <sweettea-kernel-AT-dorminy.me>

This is a changeset adding encryption to btrfs. It is not complete; it does not support inline data or verity or authenticated encryption. It is primarily intended as a proof that the fscrypt extent encryption changeset it builds on works.

As per the design doc refined in the fall of last year [1], btrfs encryption has several steps: first, adding extent encryption to fscrypt and then btrfs; second, adding authenticated encryption support to the block layer, fscrypt, and then btrfs; and later adding potentially the ability to change the key used by a directory (either for all data or just newly written data) and/or allowing use of inline extents and verity items in combination with encryption and/or enabling send/receive of encrypted volumes. As such, this change is only the first step and is unsafe.

This change does not pass a couple of encryption xfstests, because of different properties of extent encryption. It hasn't been tested with direct IO or RAID. Because currently extent encryption always uses inline encryption (i.e. IO-block-only) for data encryption, it does not support encryption of inline extents; similarly, since btrfs stores verity items in the tree instead of in inline encryptable blocks on disk as other filesystems do, btrfs cannot currently encrypt verity items. Finally, this is insecure; the checksums are calculated on the unencrypted data and stored unencrypted, which is a potential information leak. (This will be addressed by authenticated encryption).

This changeset is built on two prior changesets to fscrypt: [2] and [3] and should have no effect on unencrypted usage.

[1] https://docs.google.com/document/d/1janjxewlewtVPqctkWOjS...
[2] https://lore.kernel.org/linux-fscrypt/cover.1687988119.gi...
[3] https://lore.kernel.org/linux-fscrypt/cover.1687988246.gi...

Omar Sandoval (7):
  btrfs: disable various operations on encrypted inodes
  fscrypt: expose fscrypt_nokey_name
  btrfs: start using fscrypt hooks
  btrfs: add inode encryption contexts
  btrfs: add new FEATURE_INCOMPAT_ENCRYPT flag
  btrfs: adapt readdir for encrypted and nokey names
  btrfs: implement fscrypt ioctls

Sweet Tea Dorminy (10):
  btrfs: disable verity on encrypted inodes
  btrfs: use correct name hash for nokey names
  btrfs: add encryption to CONFIG_BTRFS_DEBUG
  btrfs: add get_devices hook for fscrypt
  btrfs: turn on inlinecrypt mount option for encrypt
  btrfs: turn on the encryption ioctls
  btrfs: create and free extent fscrypt_infos
  btrfs: start tracking extent encryption context info
  btrfs: explicitly track file extent length and encryption
  btrfs: save and load fscrypt extent contexts

 fs/btrfs/Kconfig                |   2 +-
 fs/btrfs/Makefile               |   1 +
 fs/btrfs/accessors.h            |  31 +++
 fs/btrfs/btrfs_inode.h          |   3 +-
 fs/btrfs/ctree.h                |   2 +
 fs/btrfs/delayed-inode.c        |  30 ++-
 fs/btrfs/delayed-inode.h        |   4 +-
 fs/btrfs/dir-item.c             |  81 ++++++--
 fs/btrfs/dir-item.h             |  13 +-
 fs/btrfs/extent_io.c            |  49 +++++
 fs/btrfs/extent_io.h            |   3 +
 fs/btrfs/extent_map.c           |   9 +
 fs/btrfs/extent_map.h           |   3 +
 fs/btrfs/file-item.c            |  29 +++
 fs/btrfs/file.c                 |  11 +-
 fs/btrfs/fs.h                   |   7 +-
 fs/btrfs/fscrypt.c              | 236 ++++++++++++++++++++++
 fs/btrfs/fscrypt.h              |  61 ++++++
 fs/btrfs/inode.c                | 333 +++++++++++++++++++++++++-------
 fs/btrfs/ioctl.c                |  42 +++-
 fs/btrfs/reflink.c              |   8 +
 fs/btrfs/root-tree.c            |   8 +-
 fs/btrfs/root-tree.h            |   2 +-
 fs/btrfs/super.c                |  17 ++
 fs/btrfs/tree-checker.c         |  37 +++-
 fs/btrfs/tree-log.c             |  28 ++-
 fs/btrfs/verity.c               |   3 +
 fs/crypto/fname.c               |  39 +---
 include/linux/fscrypt.h         |  37 ++++
 include/uapi/linux/btrfs.h      |   1 +
 include/uapi/linux/btrfs_tree.h |  20 ++
 31 files changed, 1004 insertions(+), 146 deletions(-)
 create mode 100644 fs/btrfs/fscrypt.c
 create mode 100644 fs/btrfs/fscrypt.h

base-commit: 212cb3d0b8f4abf657671f05dbe0b3d9d858211d
-- 
2.40.1
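
The checksum leak noted in the cover letter, shown as an added example that is not code from the patch series: a checksum taken over the plaintext and stored in the clear lets a reader without the key see that two extents hold the same data and confirm a guessed block. CRC-32C (btrfs's default data checksum) is assumed; the toy XOR cipher, key, nonces and the 4096-byte sample block are constructed stand-ins.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK 4096

/* CRC-32C (Castagnoli), bitwise form, reflected polynomial 0x82F63B78. */
static uint32_t crc32c(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Toy stand-in for the real cipher (xorshift32 keystream). Not secure; it
 * only makes equal plaintext under different nonces encrypt differently. */
static void toy_encrypt(uint8_t *dst, const uint8_t *src, uint32_t key, uint32_t nonce) {
    uint32_t s = key ^ nonce;               /* assumed nonzero */
    for (size_t i = 0; i < BLOCK; i++) {
        if (i % 4 == 0) { s ^= s << 13; s ^= s >> 17; s ^= s << 5; }
        dst[i] = src[i] ^ (uint8_t)(s >> (8 * (i % 4)));
    }
}

struct stored_block {       /* everything a keyless reader of the disk sees */
    uint8_t data[BLOCK];    /* ciphertext */
    uint32_t csum;          /* CRC-32C of the plaintext, stored unencrypted */
};

static void write_block(struct stored_block *b, const uint8_t *plain, uint32_t key, uint32_t nonce) {
    b->csum = crc32c(plain, BLOCK);         /* checksum taken before encryption */
    toy_encrypt(b->data, plain, key, nonce);
}

/* Returns a bitmask of what the keyless reader learns (constructed data). */
static int leak_demo(void) {
    static uint8_t plain[BLOCK], wrong[BLOCK];
    static struct stored_block a, b;
    memset(plain, 'A', BLOCK);                      /* constructed sample block */
    memcpy(wrong, plain, BLOCK); wrong[100] ^= 1;   /* a guess that is one bit off */
    write_block(&a, plain, 0xC0FFEE01u, 1);
    write_block(&b, plain, 0xC0FFEE01u, 2);
    return (memcmp(a.data, b.data, BLOCK) != 0)     /* 1: ciphertexts differ */
         | (a.csum == b.csum) << 1                  /* 2: yet stored checksums match */
         | (crc32c(plain, BLOCK) == a.csum) << 2    /* 4: correct guess is confirmed */
         | (crc32c(wrong, BLOCK) != a.csum) << 3;   /* 8: wrong guess is rejected */
}

int main(void) { return leak_demo() == 15 ? 0 : 1; }
```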