ANDROID: block: Prevent crypto fallback for wrapped keys (66b3c812) · Commits · e / devices / android_kernel_fairphone_FP4

abi_gki_aarch64.xml

+13397 −13281

File changed.

Preview size limit exceeded, changes collapsed.

block/blk-crypto-fallback.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -571,6 +571,12 @@ int blk_crypto_fallback_submit_bio(struct bio **bio_ptr)
		struct bio_crypt_ctx *bc = bio->bi_crypt_context;
		struct bio_fallback_crypt_ctx *f_ctx;

		if (bc->bc_key->is_hw_wrapped) {
		pr_warn_once("HW wrapped key cannot be used with fallback.\n");
		bio->bi_status = BLK_STS_NOTSUPP;
		return -EOPNOTSUPP;
		}

		if (!tfms_inited[bc->bc_key->crypto_mode]) {
		bio->bi_status = BLK_STS_IOERR;
		return -EIO;

block/blk-crypto.c

+13 −4

Original line number	Diff line number	Diff line
		@@ -175,7 +175,9 @@ bool blk_crypto_endio(struct bio *bio)
		* @raw_key_size: Size of raw key. Must be at least the required size for the
		* chosen @crypto_mode; see blk_crypto_modes[]. (It's allowed
		* to be longer than the mode's actual key size, in order to
		* support inline encryption hardware that accepts wrapped keys.)
		* support inline encryption hardware that accepts wrapped keys.
		* @is_hw_wrapped has to be set for such keys)
		* @is_hw_wrapped: Denotes @raw_key is wrapped.
		* @crypto_mode: identifier for the encryption algorithm to use
		* @data_unit_size: the data unit size to use for en/decryption
		*
		@@ -184,6 +186,7 @@ bool blk_crypto_endio(struct bio *bio)
		*/
		int blk_crypto_init_key(struct blk_crypto_key *blk_key,
		const u8 *raw_key, unsigned int raw_key_size,
		bool is_hw_wrapped,
		enum blk_crypto_mode_num crypto_mode,
		unsigned int data_unit_size)
		{
		@@ -198,9 +201,14 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key,
		BUILD_BUG_ON(BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE < BLK_CRYPTO_MAX_KEY_SIZE);

		mode = &blk_crypto_modes[crypto_mode];
		if (is_hw_wrapped) {
		if (raw_key_size < mode->keysize \|\|
		raw_key_size > BLK_CRYPTO_MAX_WRAPPED_KEY_SIZE)
		return -EINVAL;
		} else {
		if (raw_key_size != mode->keysize)
		return -EINVAL;
		}

		if (!is_power_of_2(data_unit_size))
		return -EINVAL;
		@@ -209,6 +217,7 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key,
		blk_key->data_unit_size = data_unit_size;
		blk_key->data_unit_size_bits = ilog2(data_unit_size);
		blk_key->size = raw_key_size;
		blk_key->is_hw_wrapped = is_hw_wrapped;
		memcpy(blk_key->raw, raw_key, raw_key_size);

		/*

drivers/md/dm-default-key.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -224,7 +224,7 @@ static int default_key_ctr(struct dm_target ti, unsigned int argc, char *argv)
		}

		err = blk_crypto_init_key(&dkc->key, raw_key, cipher->key_size,
		cipher->mode_num, dkc->sector_size);
		false, cipher->mode_num, dkc->sector_size);
		if (err) {
		ti->error = "Error initializing blk-crypto key";
		goto bad;

fs/crypto/fscrypt_private.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -319,6 +319,7 @@ extern int fscrypt_prepare_inline_crypt_key(
		struct fscrypt_prepared_key *prep_key,
		const u8 *raw_key,
		unsigned int raw_key_size,
		bool is_hw_wrapped,
		const struct fscrypt_info *ci);

		extern void fscrypt_destroy_inline_crypt_key(
		@@ -363,6 +364,7 @@ static inline bool fscrypt_using_inline_encryption(
		static inline int
		fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key,
		const u8 *raw_key, unsigned int raw_key_size,
		bool is_hw_wrapped,
		const struct fscrypt_info *ci)
		{
		WARN_ON(1);
		@@ -557,6 +559,7 @@ extern struct fscrypt_mode fscrypt_modes[];

		extern int fscrypt_prepare_key(struct fscrypt_prepared_key *prep_key,
		const u8 *raw_key, unsigned int raw_key_size,
		bool is_hw_wrapped,
		const struct fscrypt_info *ci);

		extern void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key);