diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c index 379596813b93..669872d84aaa 100644 --- a/block/blk-crypto-fallback.c +++ b/block/blk-crypto-fallback.c @@ -553,7 +553,6 @@ static int blk_crypto_fallback_init(void) blk_crypto_ksm.ksm_ll_ops = blk_crypto_ksm_ll_ops; blk_crypto_ksm.max_dun_bytes_supported = BLK_CRYPTO_MAX_IV_SIZE; - blk_crypto_ksm.features = BLK_CRYPTO_FEATURE_STANDARD_KEYS; /* All blk-crypto modes have a crypto API fallback. */ for (i = 0; i < BLK_ENCRYPTION_MODE_MAX; i++) diff --git a/block/blk-crypto.c b/block/blk-crypto.c index 6fb15510a4b3..18d8d3ce84ad 100644 --- a/block/blk-crypto.c +++ b/block/blk-crypto.c @@ -307,13 +307,8 @@ int __blk_crypto_rq_bio_prep(struct request *rq, struct bio *bio, /** * blk_crypto_init_key() - Prepare a key for use with blk-crypto * @blk_key: Pointer to the blk_crypto_key to initialize. - * @raw_key: Pointer to the raw key. - * @raw_key_size: Size of raw key. Must be at least the required size for the - * chosen @crypto_mode; see blk_crypto_modes[]. (It's allowed - * to be longer than the mode's actual key size, in order to - * support inline encryption hardware that accepts wrapped keys. - * @is_hw_wrapped has to be set for such keys) - * @is_hw_wrapped: Denotes @raw_key is wrapped. + * @raw_key: Pointer to the raw key. Must be the correct length for the chosen + * @crypto_mode; see blk_crypto_modes[]. * @crypto_mode: identifier for the encryption algorithm to use * @dun_bytes: number of bytes that will be used to specify the DUN when this * key is used @@ -322,9 +317,7 @@ int __blk_crypto_rq_bio_prep(struct request *rq, struct bio *bio, * Return: 0 on success, -errno on failure. The caller is responsible for * zeroizing both blk_key and raw_key when done with them. */ -int blk_crypto_init_key(struct blk_crypto_key *blk_key, - const u8 *raw_key, unsigned int raw_key_size, - bool is_hw_wrapped, +int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key, enum blk_crypto_mode_num crypto_mode, unsigned int dun_bytes, unsigned int data_unit_size) @@ -336,17 +329,9 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key, if (crypto_mode >= ARRAY_SIZE(blk_crypto_modes)) return -EINVAL; - BUILD_BUG_ON(BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE < BLK_CRYPTO_MAX_KEY_SIZE); - mode = &blk_crypto_modes[crypto_mode]; - if (is_hw_wrapped) { - if (raw_key_size < mode->keysize || - raw_key_size > BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE) - return -EINVAL; - } else { - if (raw_key_size != mode->keysize) - return -EINVAL; - } + if (mode->keysize == 0) + return -EINVAL; if (dun_bytes == 0 || dun_bytes > mode->ivsize) return -EINVAL; @@ -357,10 +342,9 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key, blk_key->crypto_cfg.crypto_mode = crypto_mode; blk_key->crypto_cfg.dun_bytes = dun_bytes; blk_key->crypto_cfg.data_unit_size = data_unit_size; - blk_key->crypto_cfg.is_hw_wrapped = is_hw_wrapped; blk_key->data_unit_size_bits = ilog2(data_unit_size); - blk_key->size = raw_key_size; - memcpy(blk_key->raw, raw_key, raw_key_size); + blk_key->size = mode->keysize; + memcpy(blk_key->raw, raw_key, mode->keysize); return 0; } @@ -374,10 +358,8 @@ EXPORT_SYMBOL_GPL(blk_crypto_init_key); bool blk_crypto_config_supported(struct request_queue *q, const struct blk_crypto_config *cfg) { - if (IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) && - !cfg->is_hw_wrapped) - return true; - return blk_ksm_crypto_cfg_supported(q->ksm, cfg); + return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) || + blk_ksm_crypto_cfg_supported(q->ksm, cfg); } /** @@ -400,10 +382,6 @@ int blk_crypto_start_using_key(const struct blk_crypto_key *key, { if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg)) return 0; - if (key->crypto_cfg.is_hw_wrapped) { - pr_warn_once("hardware doesn't support wrapped keys\n"); - return -EOPNOTSUPP; - } return blk_crypto_fallback_start_using_mode(key->crypto_cfg.crypto_mode); } EXPORT_SYMBOL_GPL(blk_crypto_start_using_key); diff --git a/block/keyslot-manager.c b/block/keyslot-manager.c index 7ba541f73ce8..2c4a55bea6ca 100644 --- a/block/keyslot-manager.c +++ b/block/keyslot-manager.c @@ -340,13 +340,6 @@ bool blk_ksm_crypto_cfg_supported(struct blk_keyslot_manager *ksm, return false; if (ksm->max_dun_bytes_supported < cfg->dun_bytes) return false; - if (cfg->is_hw_wrapped) { - if (!(ksm->features & BLK_CRYPTO_FEATURE_WRAPPED_KEYS)) - return false; - } else { - if (!(ksm->features & BLK_CRYPTO_FEATURE_STANDARD_KEYS)) - return false; - } return true; } @@ -460,44 +453,6 @@ void blk_ksm_unregister(struct request_queue *q) q->ksm = NULL; } -/** - * blk_ksm_derive_raw_secret() - Derive software secret from wrapped key - * @ksm: The keyslot manager - * @wrapped_key: The wrapped key - * @wrapped_key_size: Size of the wrapped key in bytes - * @secret: (output) the software secret - * @secret_size: (output) the number of secret bytes to derive - * - * Given a hardware-wrapped key, ask the hardware to derive a secret which - * software can use for cryptographic tasks other than inline encryption. The - * derived secret is guaranteed to be cryptographically isolated from the key - * with which any inline encryption with this wrapped key would actually be - * done. I.e., both will be derived from the unwrapped key. - * - * Return: 0 on success, -EOPNOTSUPP if hardware-wrapped keys are unsupported, - * or another -errno code. - */ -int blk_ksm_derive_raw_secret(struct blk_keyslot_manager *ksm, - const u8 *wrapped_key, - unsigned int wrapped_key_size, - u8 *secret, unsigned int secret_size) -{ - int err; - - if (ksm->ksm_ll_ops.derive_raw_secret) { - blk_ksm_hw_enter(ksm); - err = ksm->ksm_ll_ops.derive_raw_secret(ksm, wrapped_key, - wrapped_key_size, - secret, secret_size); - blk_ksm_hw_exit(ksm); - } else { - err = -EOPNOTSUPP; - } - - return err; -} -EXPORT_SYMBOL_GPL(blk_ksm_derive_raw_secret); - /** * blk_ksm_intersect_modes() - restrict supported modes by child device * @parent: The keyslot manager for parent device @@ -523,12 +478,10 @@ void blk_ksm_intersect_modes(struct blk_keyslot_manager *parent, parent->crypto_modes_supported[i] &= child->crypto_modes_supported[i]; } - parent->features &= child->features; } else { parent->max_dun_bytes_supported = 0; memset(parent->crypto_modes_supported, 0, sizeof(parent->crypto_modes_supported)); - parent->features = 0; } } EXPORT_SYMBOL_GPL(blk_ksm_intersect_modes); @@ -568,9 +521,6 @@ bool blk_ksm_is_superset(struct blk_keyslot_manager *ksm_superset, return false; } - if (ksm_subset->features & ~ksm_superset->features) - return false; - return true; } EXPORT_SYMBOL_GPL(blk_ksm_is_superset); @@ -607,8 +557,6 @@ void blk_ksm_update_capabilities(struct blk_keyslot_manager *target_ksm, target_ksm->max_dun_bytes_supported = reference_ksm->max_dun_bytes_supported; - - target_ksm->features = reference_ksm->features; } EXPORT_SYMBOL_GPL(blk_ksm_update_capabilities); diff --git a/drivers/md/dm-default-key.c b/drivers/md/dm-default-key.c index 238412e21011..6ecfbbe96e53 100644 --- a/drivers/md/dm-default-key.c +++ b/drivers/md/dm-default-key.c @@ -231,8 +231,7 @@ static int default_key_ctr(struct dm_target *ti, unsigned int argc, char **argv) (dkc->sector_bits - SECTOR_SHIFT); dun_bytes = DIV_ROUND_UP(fls64(dkc->max_dun), 8); - err = blk_crypto_init_key(&dkc->key, raw_key, cipher->key_size, - false, cipher->mode_num, + err = blk_crypto_init_key(&dkc->key, raw_key, cipher->mode_num, dun_bytes, dkc->sector_size); if (err) { ti->error = "Error initializing blk-crypto key"; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 4cba8bf6a9d0..2111daaacaba 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -1303,8 +1303,6 @@ static int dm_table_construct_keyslot_manager(struct dm_table *t) ksm->max_dun_bytes_supported = UINT_MAX; memset(ksm->crypto_modes_supported, 0xFF, sizeof(ksm->crypto_modes_supported)); - ksm->features = BLK_CRYPTO_FEATURE_STANDARD_KEYS | - BLK_CRYPTO_FEATURE_WRAPPED_KEYS; for (i = 0; i < dm_table_get_num_targets(t); i++) { ti = dm_table_get_target(t, i); diff --git a/drivers/mmc/host/cqhci-crypto.c b/drivers/mmc/host/cqhci-crypto.c index 5698bc48ac5b..6419cfbb4ab7 100644 --- a/drivers/mmc/host/cqhci-crypto.c +++ b/drivers/mmc/host/cqhci-crypto.c @@ -209,8 +209,6 @@ int cqhci_crypto_init(struct cqhci_host *cq_host) /* Unfortunately, CQHCI crypto only supports 32 DUN bits. */ ksm->max_dun_bytes_supported = 4; - ksm->features = BLK_CRYPTO_FEATURE_STANDARD_KEYS; - /* * Cache all the crypto capabilities and advertise the supported crypto * modes and data unit sizes to the block layer. diff --git a/drivers/scsi/ufs/ufshcd-crypto.c b/drivers/scsi/ufs/ufshcd-crypto.c index d7a844dfa299..468389a5780d 100644 --- a/drivers/scsi/ufs/ufshcd-crypto.c +++ b/drivers/scsi/ufs/ufshcd-crypto.c @@ -195,7 +195,6 @@ int ufshcd_hba_init_crypto_capabilities(struct ufs_hba *hba) hba->ksm.ksm_ll_ops = ufshcd_ksm_ops; /* UFS only supports 8 bytes for any DUN */ hba->ksm.max_dun_bytes_supported = 8; - hba->ksm.features = BLK_CRYPTO_FEATURE_STANDARD_KEYS; hba->ksm.dev = hba->dev; /* diff --git a/fs/crypto/inline_crypt.c b/fs/crypto/inline_crypt.c index 2b1019c013ad..04c56fc71798 100644 --- a/fs/crypto/inline_crypt.c +++ b/fs/crypto/inline_crypt.c @@ -106,7 +106,6 @@ int fscrypt_select_encryption_impl(struct fscrypt_info *ci) crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode; crypto_cfg.data_unit_size = sb->s_blocksize; crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci); - crypto_cfg.is_hw_wrapped = false; num_devs = fscrypt_get_num_devices(sb); devs = kmalloc_array(num_devs, sizeof(*devs), GFP_KERNEL); if (!devs) @@ -145,9 +144,8 @@ int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key, blk_key->num_devs = num_devs; fscrypt_get_devices(sb, num_devs, blk_key->devs); - err = blk_crypto_init_key(&blk_key->base, raw_key, ci->ci_mode->keysize, - false, crypto_mode, fscrypt_get_dun_bytes(ci), - sb->s_blocksize); + err = blk_crypto_init_key(&blk_key->base, raw_key, crypto_mode, + fscrypt_get_dun_bytes(ci), sb->s_blocksize); if (err) { fscrypt_err(inode, "error %d initializing blk-crypto key", err); goto fail; diff --git a/include/linux/blk-crypto.h b/include/linux/blk-crypto.h index c495572a3c46..1a709496fad5 100644 --- a/include/linux/blk-crypto.h +++ b/include/linux/blk-crypto.h @@ -17,8 +17,6 @@ enum blk_crypto_mode_num { }; #define BLK_CRYPTO_MAX_KEY_SIZE 64 -#define BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE 128 - /** * struct blk_crypto_config - an inline encryption key's crypto configuration * @crypto_mode: encryption algorithm this key is for @@ -27,14 +25,11 @@ enum blk_crypto_mode_num { * ciphertext. This is always a power of 2. It might be e.g. the * filesystem block size or the disk sector size. * @dun_bytes: the maximum number of bytes of DUN used when using this key - * @is_hw_wrapped: @raw points to a wrapped key to be used by an inline - * encryption hardware that accepts wrapped keys. */ struct blk_crypto_config { enum blk_crypto_mode_num crypto_mode; unsigned int data_unit_size; unsigned int dun_bytes; - bool is_hw_wrapped; }; /** @@ -53,7 +48,7 @@ struct blk_crypto_key { struct blk_crypto_config crypto_cfg; unsigned int data_unit_size_bits; unsigned int size; - u8 raw[BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE]; + u8 raw[BLK_CRYPTO_MAX_KEY_SIZE]; }; #define BLK_CRYPTO_MAX_IV_SIZE 32 @@ -94,9 +89,7 @@ bool bio_crypt_dun_is_contiguous(const struct bio_crypt_ctx *bc, unsigned int bytes, const u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]); -int blk_crypto_init_key(struct blk_crypto_key *blk_key, - const u8 *raw_key, unsigned int raw_key_size, - bool is_hw_wrapped, +int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key, enum blk_crypto_mode_num crypto_mode, unsigned int dun_bytes, unsigned int data_unit_size); diff --git a/include/linux/keyslot-manager.h b/include/linux/keyslot-manager.h index 2eb44e2ad81d..a27605e2f826 100644 --- a/include/linux/keyslot-manager.h +++ b/include/linux/keyslot-manager.h @@ -9,15 +9,6 @@ #include #include -/* Inline crypto feature bits. Must set at least one. */ -enum { - /* Support for standard software-specified keys */ - BLK_CRYPTO_FEATURE_STANDARD_KEYS = BIT(0), - - /* Support for hardware-wrapped keys */ - BLK_CRYPTO_FEATURE_WRAPPED_KEYS = BIT(1), -}; - struct blk_keyslot_manager; /** @@ -28,9 +19,6 @@ struct blk_keyslot_manager; * The key is provided so that e.g. dm layers can evict * keys from the devices that they map over. * Returns 0 on success, -errno otherwise. - * @derive_raw_secret: (Optional) Derive a software secret from a - * hardware-wrapped key. Returns 0 on success, -EOPNOTSUPP - * if unsupported on the hardware, or another -errno code. * * This structure should be provided by storage device drivers when they set up * a keyslot manager - this structure holds the function ptrs that the keyslot @@ -43,10 +31,6 @@ struct blk_ksm_ll_ops { int (*keyslot_evict)(struct blk_keyslot_manager *ksm, const struct blk_crypto_key *key, unsigned int slot); - int (*derive_raw_secret)(struct blk_keyslot_manager *ksm, - const u8 *wrapped_key, - unsigned int wrapped_key_size, - u8 *secret, unsigned int secret_size); }; struct blk_keyslot_manager { @@ -63,12 +47,6 @@ struct blk_keyslot_manager { */ unsigned int max_dun_bytes_supported; - /* - * The supported features as a bitmask of BLK_CRYPTO_FEATURE_* flags. - * Most drivers should set BLK_CRYPTO_FEATURE_STANDARD_KEYS here. - */ - unsigned int features; - /* * Array of size BLK_ENCRYPTION_MODE_MAX of bitmasks that represents * whether a crypto mode and data unit size are supported. The i'th @@ -128,11 +106,6 @@ void blk_ksm_reprogram_all_keys(struct blk_keyslot_manager *ksm); void blk_ksm_destroy(struct blk_keyslot_manager *ksm); -int blk_ksm_derive_raw_secret(struct blk_keyslot_manager *ksm, - const u8 *wrapped_key, - unsigned int wrapped_key_size, - u8 *secret, unsigned int secret_size); - void blk_ksm_intersect_modes(struct blk_keyslot_manager *parent, const struct blk_keyslot_manager *child);