Loading Documentation/ABI/testing/procfs-concurrent_time 0 → 100644 +16 −0 Original line number Diff line number Diff line What: /proc/uid_concurrent_active_time Date: December 2018 Contact: Connor O'Brien <connoro@google.com> Description: The /proc/uid_concurrent_active_time file displays aggregated cputime numbers for each uid, broken down by the total number of cores that were active while the uid's task was running. What: /proc/uid_concurrent_policy_time Date: December 2018 Contact: Connor O'Brien <connoro@google.com> Description: The /proc/uid_concurrent_policy_time file displays aggregated cputime numbers for each uid, broken down based on the cpufreq policy of the core used by the uid's task and the number of cores associated with that policy that were active while the uid's task was running. Documentation/ABI/testing/sysfs-fs-f2fs +25 −1 Original line number Diff line number Diff line Loading @@ -92,6 +92,15 @@ Contact: "Jaegeuk Kim" <jaegeuk.kim@samsung.com> Description: Controls the number of trials to find a victim segment. What: /sys/fs/f2fs/<disk>/migration_granularity Date: October 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Description: Controls migration granularity of garbage collection on large section, it can let GC move partial segment{s} of one section in one GC cycle, so that dispersing heavy overhead GC to multiple lightweight one. What: /sys/fs/f2fs/<disk>/dir_level Date: March 2014 Contact: "Jaegeuk Kim" <jaegeuk.kim@samsung.com> Loading Loading @@ -121,7 +130,22 @@ What: /sys/fs/f2fs/<disk>/idle_interval Date: January 2016 Contact: "Jaegeuk Kim" <jaegeuk@kernel.org> Description: Controls the idle timing. Controls the idle timing for all paths other than discard and gc path. What: /sys/fs/f2fs/<disk>/discard_idle_interval Date: September 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Contact: "Sahitya Tummala" <stummala@codeaurora.org> Description: Controls the idle timing for discard path. What: /sys/fs/f2fs/<disk>/gc_idle_interval Date: September 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Contact: "Sahitya Tummala" <stummala@codeaurora.org> Description: Controls the idle timing for gc path. What: /sys/fs/f2fs/<disk>/iostat_enable Date: August 2017 Loading Documentation/arm64/cpu-feature-registers.txt +11 −1 Original line number Diff line number Diff line Loading @@ -110,10 +110,20 @@ infrastructure: x--------------------------------------------------x | Name | bits | visible | |--------------------------------------------------| | RES0 | [63-32] | n | | RES0 | [63-48] | n | |--------------------------------------------------| | DP | [47-44] | y | |--------------------------------------------------| | SM4 | [43-40] | y | |--------------------------------------------------| | SM3 | [39-36] | y | |--------------------------------------------------| | SHA3 | [35-32] | y | |--------------------------------------------------| | RDM | [31-28] | y | |--------------------------------------------------| | RES0 | [27-24] | n | |--------------------------------------------------| | ATOMICS | [23-20] | y | |--------------------------------------------------| | CRC32 | [19-16] | y | Loading Documentation/filesystems/f2fs.txt +24 −0 Original line number Diff line number Diff line Loading @@ -157,6 +157,25 @@ data_flush Enable data flushing before checkpoint in order to persist data of regular and symlink. fault_injection=%d Enable fault injection in all supported types with specified injection rate. fault_type=%d Support configuring fault injection type, should be enabled with fault_injection option, fault type value is shown below, it supports single or combined type. Type_Name Type_Value FAULT_KMALLOC 0x000000001 FAULT_KVMALLOC 0x000000002 FAULT_PAGE_ALLOC 0x000000004 FAULT_PAGE_GET 0x000000008 FAULT_ALLOC_BIO 0x000000010 FAULT_ALLOC_NID 0x000000020 FAULT_ORPHAN 0x000000040 FAULT_BLOCK 0x000000080 FAULT_DIR_DEPTH 0x000000100 FAULT_EVICT_INODE 0x000000200 FAULT_TRUNCATE 0x000000400 FAULT_READ_IO 0x000000800 FAULT_CHECKPOINT 0x000001000 FAULT_DISCARD 0x000002000 FAULT_WRITE_IO 0x000004000 mode=%s Control block allocation mode which supports "adaptive" and "lfs". In "lfs" mode, there should be no random writes towards main area. Loading Loading @@ -193,6 +212,11 @@ fsync_mode=%s Control the policy of fsync. Currently supports "posix", non-atomic files likewise "nobarrier" mount option. test_dummy_encryption Enable dummy encryption, which provides a fake fscrypt context. The fake fscrypt context is used by xfstests. checkpoint=%s Set to "disable" to turn off checkpointing. Set to "enable" to reenable checkpointing. Is enabled by default. While disabled, any unmounting or unexpected shutdowns will cause the filesystem contents to appear as they did when the filesystem was mounted with that option. ================================================================================ DEBUGFS ENTRIES Loading Documentation/filesystems/fscrypt.rst +101 −86 Original line number Diff line number Diff line Loading @@ -132,47 +132,28 @@ designed for this purpose be used, such as scrypt, PBKDF2, or Argon2. Per-file keys ------------- Master keys are not used to encrypt file contents or names directly. Instead, a unique key is derived for each encrypted file, including each regular file, directory, and symbolic link. This has several advantages: - In cryptosystems, the same key material should never be used for different purposes. Using the master key as both an XTS key for contents encryption and as a CTS-CBC key for filenames encryption would violate this rule. - Per-file keys simplify the choice of IVs (Initialization Vectors) for contents encryption. Without per-file keys, to ensure IV uniqueness both the inode and logical block number would need to be encoded in the IVs. This would make it impossible to renumber inodes, which e.g. ``resize2fs`` can do when resizing an ext4 filesystem. With per-file keys, it is sufficient to encode just the logical block number in the IVs. - Per-file keys strengthen the encryption of filenames, where IVs are reused out of necessity. With a unique key per directory, IV reuse is limited to within a single directory. - Per-file keys allow individual files to be securely erased simply by securely erasing their keys. (Not yet implemented.) A KDF (Key Derivation Function) is used to derive per-file keys from the master key. This is done instead of wrapping a randomly-generated key for each file because it reduces the size of the encryption xattr, which for some filesystems makes the xattr more likely to fit in-line in the filesystem's inode table. With a KDF, only a 16-byte nonce is required --- long enough to make key reuse extremely unlikely. A wrapped key, on the other hand, would need to be up to 64 bytes --- the length of an AES-256-XTS key. Furthermore, currently there is no requirement to support unlocking a file with multiple alternative master keys or to support rotating master keys. Instead, the master keys may be wrapped in userspace, e.g. as done by the `fscrypt <https://github.com/google/fscrypt>`_ tool. The current KDF encrypts the master key using the 16-byte nonce as an AES-128-ECB key. The output is used as the derived key. If the output is longer than needed, then it is truncated to the needed length. Truncation is the norm for directories and symlinks, since those use the CTS-CBC encryption mode which requires a key half as long as that required by the XTS encryption mode. Since each master key can protect many files, it is necessary to "tweak" the encryption of each file so that the same plaintext in two files doesn't map to the same ciphertext, or vice versa. In most cases, fscrypt does this by deriving per-file keys. When a new encrypted inode (regular file, directory, or symlink) is created, fscrypt randomly generates a 16-byte nonce and stores it in the inode's encryption xattr. Then, it uses a KDF (Key Derivation Function) to derive the file's key from the master key and nonce. The Adiantum encryption mode (see `Encryption modes and usage`_) is special, since it accepts longer IVs and is suitable for both contents and filenames encryption. For it, a "direct key" option is offered where the file's nonce is included in the IVs and the master key is used for encryption directly. This improves performance; however, users must not use the same master key for any other encryption mode. Below, the KDF and design considerations are described in more detail. The current KDF works by encrypting the master key with AES-128-ECB, using the file's nonce as the AES key. The output is used as the derived key. If the output is longer than needed, then it is truncated to the needed length. Note: this KDF meets the primary security requirement, which is to produce unique derived keys that preserve the entropy of the master Loading @@ -181,6 +162,20 @@ However, it is nonstandard and has some problems such as being reversible, so it is generally considered to be a mistake! It may be replaced with HKDF or another more standard KDF in the future. Key derivation was chosen over key wrapping because wrapped keys would require larger xattrs which would be less likely to fit in-line in the filesystem's inode table, and there didn't appear to be any significant advantages to key wrapping. In particular, currently there is no requirement to support unlocking a file with multiple alternative master keys or to support rotating master keys. Instead, the master keys may be wrapped in userspace, e.g. as is done by the `fscrypt <https://github.com/google/fscrypt>`_ tool. Including the inode number in the IVs was considered. However, it was rejected as it would have prevented ext4 filesystems from being resized, and by itself still wouldn't have been sufficient to prevent the same key from being directly reused for both XTS and CTS-CBC. Encryption modes and usage ========================== Loading @@ -191,64 +186,80 @@ Currently, the following pairs of encryption modes are supported: - AES-256-XTS for contents and AES-256-CTS-CBC for filenames - AES-128-CBC for contents and AES-128-CTS-CBC for filenames - Speck128/256-XTS for contents and Speck128/256-CTS-CBC for filenames - Adiantum for both contents and filenames If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. It is strongly recommended to use AES-256-XTS for contents encryption. AES-128-CBC was added only for low-powered embedded devices with crypto accelerators such as CAAM or CESA that do not support XTS. Similarly, Speck128/256 support was only added for older or low-end CPUs which cannot do AES fast enough -- especially ARM CPUs which have NEON instructions but not the Cryptography Extensions -- and for which it would not otherwise be feasible to use encryption at all. It is not recommended to use Speck on CPUs that have AES instructions. Speck support is only available if it has been enabled in the crypto API via CONFIG_CRYPTO_SPECK. Also, on ARM platforms, to get acceptable performance CONFIG_CRYPTO_SPECK_NEON must be enabled. Adiantum is a (primarily) stream cipher-based mode that is fast even on CPUs without dedicated crypto instructions. It's also a true wide-block mode, unlike XTS. It can also eliminate the need to derive per-file keys. However, it depends on the security of two primitives, XChaCha12 and AES-256, rather than just one. See the paper "Adiantum: length-preserving encryption for entry-level processors" (https://eprint.iacr.org/2018/720.pdf) for more details. To use Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast implementations of ChaCha and NHPoly1305 should be enabled, e.g. CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM. New encryption modes can be added relatively easily, without changes to individual filesystems. However, authenticated encryption (AE) modes are not currently supported because of the difficulty of dealing with ciphertext expansion. Contents encryption ------------------- For file contents, each filesystem block is encrypted independently. Currently, only the case where the filesystem block size is equal to the system's page size (usually 4096 bytes) is supported. With the XTS mode of operation (recommended), the logical block number within the file is used as the IV. With the CBC mode of operation (not recommended), ESSIV is used; specifically, the IV for CBC is the logical block number encrypted with AES-256, where the AES-256 key is the SHA-256 hash of the inode's data encryption key. For filenames, the full filename is encrypted at once. Because of the requirements to retain support for efficient directory lookups and filenames of up to 255 bytes, a constant initialization vector (IV) is used. However, each encrypted directory uses a unique key, which limits IV reuse to within a single directory. Note that IV reuse in the context of CTS-CBC encryption means that when the original filenames share a common prefix at least as long as the cipher block size (16 bytes for AES), the corresponding encrypted filenames will also share a common prefix. This is undesirable; it may be fixed in the future by switching to an encryption mode that is a strong pseudorandom permutation on arbitrary-length messages, e.g. the HEH (Hash-Encrypt-Hash) mode. Since filenames are encrypted with the CTS-CBC mode of operation, the plaintext and ciphertext filenames need not be multiples of the AES block size, i.e. 16 bytes. However, the minimum size that can be encrypted is 16 bytes, so shorter filenames are NUL-padded to 16 bytes before being encrypted. In addition, to reduce leakage of filename lengths via their ciphertexts, all filenames are NUL-padded to the next 4, 8, 16, or 32-byte boundary (configurable). 32 is recommended since this provides the best confidentiality, at the cost of making directory entries consume slightly more space. Note that since NUL (``\0``) is not otherwise a valid character in filenames, the padding will never produce duplicate plaintexts. the system's page size (usually 4096 bytes) is supported. Each block's IV is set to the logical block number within the file as a little endian number, except that: - With CBC mode encryption, ESSIV is also used. Specifically, each IV is encrypted with AES-256 where the AES-256 key is the SHA-256 hash of the file's data encryption key. - In the "direct key" configuration (FS_POLICY_FLAG_DIRECT_KEY set in the fscrypt_policy), the file's nonce is also appended to the IV. Currently this is only allowed with the Adiantum encryption mode. Filenames encryption -------------------- For filenames, each full filename is encrypted at once. Because of the requirements to retain support for efficient directory lookups and filenames of up to 255 bytes, the same IV is used for every filename in a directory. However, each encrypted directory still uses a unique key; or alternatively (for the "direct key" configuration) has the file's nonce included in the IVs. Thus, IV reuse is limited to within a single directory. With CTS-CBC, the IV reuse means that when the plaintext filenames share a common prefix at least as long as the cipher block size (16 bytes for AES), the corresponding encrypted filenames will also share a common prefix. This is undesirable. Adiantum does not have this weakness, as it is a wide-block encryption mode. All supported filenames encryption modes accept any plaintext length >= 16 bytes; cipher block alignment is not required. However, filenames shorter than 16 bytes are NUL-padded to 16 bytes before being encrypted. In addition, to reduce leakage of filename lengths via their ciphertexts, all filenames are NUL-padded to the next 4, 8, 16, or 32-byte boundary (configurable). 32 is recommended since this provides the best confidentiality, at the cost of making directory entries consume slightly more space. Note that since NUL (``\0``) is not otherwise a valid character in filenames, the padding will never produce duplicate plaintexts. Symbolic link targets are considered a type of filename and are encrypted in the same way as filenames in directory entries. Each symlink also uses a unique key; hence, the hardcoded IV is not a problem for symlinks. encrypted in the same way as filenames in directory entries, except that IV reuse is not a problem as each symlink has its own inode. User API ======== Loading Loading @@ -282,9 +293,13 @@ This structure must be initialized as follows: and FS_ENCRYPTION_MODE_AES_256_CTS (4) for ``filenames_encryption_mode``. - ``flags`` must be set to a value from ``<linux/fs.h>`` which - ``flags`` must contain a value from ``<linux/fs.h>`` which identifies the amount of NUL-padding to use when encrypting filenames. If unsure, use FS_POLICY_FLAGS_PAD_32 (0x3). In addition, if the chosen encryption modes are both FS_ENCRYPTION_MODE_ADIANTUM, this can contain FS_POLICY_FLAG_DIRECT_KEY to specify that the master key should be used directly, without key derivation. - ``master_key_descriptor`` specifies how to find the master key in the keyring; see `Adding keys`_. It is up to userspace to choose a Loading Loading
Documentation/ABI/testing/procfs-concurrent_time 0 → 100644 +16 −0 Original line number Diff line number Diff line What: /proc/uid_concurrent_active_time Date: December 2018 Contact: Connor O'Brien <connoro@google.com> Description: The /proc/uid_concurrent_active_time file displays aggregated cputime numbers for each uid, broken down by the total number of cores that were active while the uid's task was running. What: /proc/uid_concurrent_policy_time Date: December 2018 Contact: Connor O'Brien <connoro@google.com> Description: The /proc/uid_concurrent_policy_time file displays aggregated cputime numbers for each uid, broken down based on the cpufreq policy of the core used by the uid's task and the number of cores associated with that policy that were active while the uid's task was running.
Documentation/ABI/testing/sysfs-fs-f2fs +25 −1 Original line number Diff line number Diff line Loading @@ -92,6 +92,15 @@ Contact: "Jaegeuk Kim" <jaegeuk.kim@samsung.com> Description: Controls the number of trials to find a victim segment. What: /sys/fs/f2fs/<disk>/migration_granularity Date: October 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Description: Controls migration granularity of garbage collection on large section, it can let GC move partial segment{s} of one section in one GC cycle, so that dispersing heavy overhead GC to multiple lightweight one. What: /sys/fs/f2fs/<disk>/dir_level Date: March 2014 Contact: "Jaegeuk Kim" <jaegeuk.kim@samsung.com> Loading Loading @@ -121,7 +130,22 @@ What: /sys/fs/f2fs/<disk>/idle_interval Date: January 2016 Contact: "Jaegeuk Kim" <jaegeuk@kernel.org> Description: Controls the idle timing. Controls the idle timing for all paths other than discard and gc path. What: /sys/fs/f2fs/<disk>/discard_idle_interval Date: September 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Contact: "Sahitya Tummala" <stummala@codeaurora.org> Description: Controls the idle timing for discard path. What: /sys/fs/f2fs/<disk>/gc_idle_interval Date: September 2018 Contact: "Chao Yu" <yuchao0@huawei.com> Contact: "Sahitya Tummala" <stummala@codeaurora.org> Description: Controls the idle timing for gc path. What: /sys/fs/f2fs/<disk>/iostat_enable Date: August 2017 Loading
Documentation/arm64/cpu-feature-registers.txt +11 −1 Original line number Diff line number Diff line Loading @@ -110,10 +110,20 @@ infrastructure: x--------------------------------------------------x | Name | bits | visible | |--------------------------------------------------| | RES0 | [63-32] | n | | RES0 | [63-48] | n | |--------------------------------------------------| | DP | [47-44] | y | |--------------------------------------------------| | SM4 | [43-40] | y | |--------------------------------------------------| | SM3 | [39-36] | y | |--------------------------------------------------| | SHA3 | [35-32] | y | |--------------------------------------------------| | RDM | [31-28] | y | |--------------------------------------------------| | RES0 | [27-24] | n | |--------------------------------------------------| | ATOMICS | [23-20] | y | |--------------------------------------------------| | CRC32 | [19-16] | y | Loading
Documentation/filesystems/f2fs.txt +24 −0 Original line number Diff line number Diff line Loading @@ -157,6 +157,25 @@ data_flush Enable data flushing before checkpoint in order to persist data of regular and symlink. fault_injection=%d Enable fault injection in all supported types with specified injection rate. fault_type=%d Support configuring fault injection type, should be enabled with fault_injection option, fault type value is shown below, it supports single or combined type. Type_Name Type_Value FAULT_KMALLOC 0x000000001 FAULT_KVMALLOC 0x000000002 FAULT_PAGE_ALLOC 0x000000004 FAULT_PAGE_GET 0x000000008 FAULT_ALLOC_BIO 0x000000010 FAULT_ALLOC_NID 0x000000020 FAULT_ORPHAN 0x000000040 FAULT_BLOCK 0x000000080 FAULT_DIR_DEPTH 0x000000100 FAULT_EVICT_INODE 0x000000200 FAULT_TRUNCATE 0x000000400 FAULT_READ_IO 0x000000800 FAULT_CHECKPOINT 0x000001000 FAULT_DISCARD 0x000002000 FAULT_WRITE_IO 0x000004000 mode=%s Control block allocation mode which supports "adaptive" and "lfs". In "lfs" mode, there should be no random writes towards main area. Loading Loading @@ -193,6 +212,11 @@ fsync_mode=%s Control the policy of fsync. Currently supports "posix", non-atomic files likewise "nobarrier" mount option. test_dummy_encryption Enable dummy encryption, which provides a fake fscrypt context. The fake fscrypt context is used by xfstests. checkpoint=%s Set to "disable" to turn off checkpointing. Set to "enable" to reenable checkpointing. Is enabled by default. While disabled, any unmounting or unexpected shutdowns will cause the filesystem contents to appear as they did when the filesystem was mounted with that option. ================================================================================ DEBUGFS ENTRIES Loading
Documentation/filesystems/fscrypt.rst +101 −86 Original line number Diff line number Diff line Loading @@ -132,47 +132,28 @@ designed for this purpose be used, such as scrypt, PBKDF2, or Argon2. Per-file keys ------------- Master keys are not used to encrypt file contents or names directly. Instead, a unique key is derived for each encrypted file, including each regular file, directory, and symbolic link. This has several advantages: - In cryptosystems, the same key material should never be used for different purposes. Using the master key as both an XTS key for contents encryption and as a CTS-CBC key for filenames encryption would violate this rule. - Per-file keys simplify the choice of IVs (Initialization Vectors) for contents encryption. Without per-file keys, to ensure IV uniqueness both the inode and logical block number would need to be encoded in the IVs. This would make it impossible to renumber inodes, which e.g. ``resize2fs`` can do when resizing an ext4 filesystem. With per-file keys, it is sufficient to encode just the logical block number in the IVs. - Per-file keys strengthen the encryption of filenames, where IVs are reused out of necessity. With a unique key per directory, IV reuse is limited to within a single directory. - Per-file keys allow individual files to be securely erased simply by securely erasing their keys. (Not yet implemented.) A KDF (Key Derivation Function) is used to derive per-file keys from the master key. This is done instead of wrapping a randomly-generated key for each file because it reduces the size of the encryption xattr, which for some filesystems makes the xattr more likely to fit in-line in the filesystem's inode table. With a KDF, only a 16-byte nonce is required --- long enough to make key reuse extremely unlikely. A wrapped key, on the other hand, would need to be up to 64 bytes --- the length of an AES-256-XTS key. Furthermore, currently there is no requirement to support unlocking a file with multiple alternative master keys or to support rotating master keys. Instead, the master keys may be wrapped in userspace, e.g. as done by the `fscrypt <https://github.com/google/fscrypt>`_ tool. The current KDF encrypts the master key using the 16-byte nonce as an AES-128-ECB key. The output is used as the derived key. If the output is longer than needed, then it is truncated to the needed length. Truncation is the norm for directories and symlinks, since those use the CTS-CBC encryption mode which requires a key half as long as that required by the XTS encryption mode. Since each master key can protect many files, it is necessary to "tweak" the encryption of each file so that the same plaintext in two files doesn't map to the same ciphertext, or vice versa. In most cases, fscrypt does this by deriving per-file keys. When a new encrypted inode (regular file, directory, or symlink) is created, fscrypt randomly generates a 16-byte nonce and stores it in the inode's encryption xattr. Then, it uses a KDF (Key Derivation Function) to derive the file's key from the master key and nonce. The Adiantum encryption mode (see `Encryption modes and usage`_) is special, since it accepts longer IVs and is suitable for both contents and filenames encryption. For it, a "direct key" option is offered where the file's nonce is included in the IVs and the master key is used for encryption directly. This improves performance; however, users must not use the same master key for any other encryption mode. Below, the KDF and design considerations are described in more detail. The current KDF works by encrypting the master key with AES-128-ECB, using the file's nonce as the AES key. The output is used as the derived key. If the output is longer than needed, then it is truncated to the needed length. Note: this KDF meets the primary security requirement, which is to produce unique derived keys that preserve the entropy of the master Loading @@ -181,6 +162,20 @@ However, it is nonstandard and has some problems such as being reversible, so it is generally considered to be a mistake! It may be replaced with HKDF or another more standard KDF in the future. Key derivation was chosen over key wrapping because wrapped keys would require larger xattrs which would be less likely to fit in-line in the filesystem's inode table, and there didn't appear to be any significant advantages to key wrapping. In particular, currently there is no requirement to support unlocking a file with multiple alternative master keys or to support rotating master keys. Instead, the master keys may be wrapped in userspace, e.g. as is done by the `fscrypt <https://github.com/google/fscrypt>`_ tool. Including the inode number in the IVs was considered. However, it was rejected as it would have prevented ext4 filesystems from being resized, and by itself still wouldn't have been sufficient to prevent the same key from being directly reused for both XTS and CTS-CBC. Encryption modes and usage ========================== Loading @@ -191,64 +186,80 @@ Currently, the following pairs of encryption modes are supported: - AES-256-XTS for contents and AES-256-CTS-CBC for filenames - AES-128-CBC for contents and AES-128-CTS-CBC for filenames - Speck128/256-XTS for contents and Speck128/256-CTS-CBC for filenames - Adiantum for both contents and filenames If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. It is strongly recommended to use AES-256-XTS for contents encryption. AES-128-CBC was added only for low-powered embedded devices with crypto accelerators such as CAAM or CESA that do not support XTS. Similarly, Speck128/256 support was only added for older or low-end CPUs which cannot do AES fast enough -- especially ARM CPUs which have NEON instructions but not the Cryptography Extensions -- and for which it would not otherwise be feasible to use encryption at all. It is not recommended to use Speck on CPUs that have AES instructions. Speck support is only available if it has been enabled in the crypto API via CONFIG_CRYPTO_SPECK. Also, on ARM platforms, to get acceptable performance CONFIG_CRYPTO_SPECK_NEON must be enabled. Adiantum is a (primarily) stream cipher-based mode that is fast even on CPUs without dedicated crypto instructions. It's also a true wide-block mode, unlike XTS. It can also eliminate the need to derive per-file keys. However, it depends on the security of two primitives, XChaCha12 and AES-256, rather than just one. See the paper "Adiantum: length-preserving encryption for entry-level processors" (https://eprint.iacr.org/2018/720.pdf) for more details. To use Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast implementations of ChaCha and NHPoly1305 should be enabled, e.g. CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM. New encryption modes can be added relatively easily, without changes to individual filesystems. However, authenticated encryption (AE) modes are not currently supported because of the difficulty of dealing with ciphertext expansion. Contents encryption ------------------- For file contents, each filesystem block is encrypted independently. Currently, only the case where the filesystem block size is equal to the system's page size (usually 4096 bytes) is supported. With the XTS mode of operation (recommended), the logical block number within the file is used as the IV. With the CBC mode of operation (not recommended), ESSIV is used; specifically, the IV for CBC is the logical block number encrypted with AES-256, where the AES-256 key is the SHA-256 hash of the inode's data encryption key. For filenames, the full filename is encrypted at once. Because of the requirements to retain support for efficient directory lookups and filenames of up to 255 bytes, a constant initialization vector (IV) is used. However, each encrypted directory uses a unique key, which limits IV reuse to within a single directory. Note that IV reuse in the context of CTS-CBC encryption means that when the original filenames share a common prefix at least as long as the cipher block size (16 bytes for AES), the corresponding encrypted filenames will also share a common prefix. This is undesirable; it may be fixed in the future by switching to an encryption mode that is a strong pseudorandom permutation on arbitrary-length messages, e.g. the HEH (Hash-Encrypt-Hash) mode. Since filenames are encrypted with the CTS-CBC mode of operation, the plaintext and ciphertext filenames need not be multiples of the AES block size, i.e. 16 bytes. However, the minimum size that can be encrypted is 16 bytes, so shorter filenames are NUL-padded to 16 bytes before being encrypted. In addition, to reduce leakage of filename lengths via their ciphertexts, all filenames are NUL-padded to the next 4, 8, 16, or 32-byte boundary (configurable). 32 is recommended since this provides the best confidentiality, at the cost of making directory entries consume slightly more space. Note that since NUL (``\0``) is not otherwise a valid character in filenames, the padding will never produce duplicate plaintexts. the system's page size (usually 4096 bytes) is supported. Each block's IV is set to the logical block number within the file as a little endian number, except that: - With CBC mode encryption, ESSIV is also used. Specifically, each IV is encrypted with AES-256 where the AES-256 key is the SHA-256 hash of the file's data encryption key. - In the "direct key" configuration (FS_POLICY_FLAG_DIRECT_KEY set in the fscrypt_policy), the file's nonce is also appended to the IV. Currently this is only allowed with the Adiantum encryption mode. Filenames encryption -------------------- For filenames, each full filename is encrypted at once. Because of the requirements to retain support for efficient directory lookups and filenames of up to 255 bytes, the same IV is used for every filename in a directory. However, each encrypted directory still uses a unique key; or alternatively (for the "direct key" configuration) has the file's nonce included in the IVs. Thus, IV reuse is limited to within a single directory. With CTS-CBC, the IV reuse means that when the plaintext filenames share a common prefix at least as long as the cipher block size (16 bytes for AES), the corresponding encrypted filenames will also share a common prefix. This is undesirable. Adiantum does not have this weakness, as it is a wide-block encryption mode. All supported filenames encryption modes accept any plaintext length >= 16 bytes; cipher block alignment is not required. However, filenames shorter than 16 bytes are NUL-padded to 16 bytes before being encrypted. In addition, to reduce leakage of filename lengths via their ciphertexts, all filenames are NUL-padded to the next 4, 8, 16, or 32-byte boundary (configurable). 32 is recommended since this provides the best confidentiality, at the cost of making directory entries consume slightly more space. Note that since NUL (``\0``) is not otherwise a valid character in filenames, the padding will never produce duplicate plaintexts. Symbolic link targets are considered a type of filename and are encrypted in the same way as filenames in directory entries. Each symlink also uses a unique key; hence, the hardcoded IV is not a problem for symlinks. encrypted in the same way as filenames in directory entries, except that IV reuse is not a problem as each symlink has its own inode. User API ======== Loading Loading @@ -282,9 +293,13 @@ This structure must be initialized as follows: and FS_ENCRYPTION_MODE_AES_256_CTS (4) for ``filenames_encryption_mode``. - ``flags`` must be set to a value from ``<linux/fs.h>`` which - ``flags`` must contain a value from ``<linux/fs.h>`` which identifies the amount of NUL-padding to use when encrypting filenames. If unsure, use FS_POLICY_FLAGS_PAD_32 (0x3). In addition, if the chosen encryption modes are both FS_ENCRYPTION_MODE_ADIANTUM, this can contain FS_POLICY_FLAG_DIRECT_KEY to specify that the master key should be used directly, without key derivation. - ``master_key_descriptor`` specifies how to find the master key in the keyring; see `Adding keys`_. It is up to userspace to choose a Loading
