hamza.kesraoui/sst-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

blk-crypto: don't use struct request_queue for public interfaces

Browse Source 
commit fce3caea0f241f5d34855c82c399d5e0e2d91f07 upstream.

Switch all public blk-crypto interfaces to use struct block_device
arguments to specify the device they operate on instead of th
request_queue, which is a block layer implementation detail.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221114042944.1009870-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Christoph Hellwig 2023-05-03 20:54:11 -07:00 committed by Greg Kroah-Hartman
parent 316ad076e0
commit f0efb23651
5 changed files with 28 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Documentation/block/inline-encryption.rst
View File

@ -142,7 +142,7 @@ Therefore, we also introduce *blk-crypto-fallback*, which is an implementation
of inline encryption using the kernel crypto API. blk-crypto-fallback is built of inline encryption using the kernel crypto API. blk-crypto-fallback is built
into the block layer, so it works on any block device without any special setup. into the block layer, so it works on any block device without any special setup.
Essentially, when a bio with an encryption context is submitted to a Essentially, when a bio with an encryption context is submitted to a
request_queue that doesn't support that encryption context, the block layer will block_device that doesn't support that encryption context, the block layer will
handle en/decryption of the bio using blk-crypto-fallback. handle en/decryption of the bio using blk-crypto-fallback.
For encryption, the data cannot be encrypted in-place, as callers usually rely For encryption, the data cannot be encrypted in-place, as callers usually rely
@ -187,7 +187,7 @@ API presented to users of the block layer
``blk_crypto_config_supported()`` allows users to check ahead of time whether ``blk_crypto_config_supported()`` allows users to check ahead of time whether
inline encryption with particular crypto settings will work on a particular inline encryption with particular crypto settings will work on a particular
request_queue -- either via hardware or via blk-crypto-fallback. This function block_device -- either via hardware or via blk-crypto-fallback. This function
takes in a ``struct blk_crypto_config`` which is like blk_crypto_key, but omits takes in a ``struct blk_crypto_config`` which is like blk_crypto_key, but omits
the actual bytes of the key and instead just contains the algorithm, data unit the actual bytes of the key and instead just contains the algorithm, data unit
size, etc. This function can be useful if blk-crypto-fallback is disabled. size, etc. This function can be useful if blk-crypto-fallback is disabled.
@ -195,7 +195,7 @@ size, etc. This function can be useful if blk-crypto-fallback is disabled.
``blk_crypto_init_key()`` allows users to initialize a blk_crypto_key. ``blk_crypto_init_key()`` allows users to initialize a blk_crypto_key.
Users must call ``blk_crypto_start_using_key()`` before actually starting to use Users must call ``blk_crypto_start_using_key()`` before actually starting to use
a blk_crypto_key on a request_queue (even if ``blk_crypto_config_supported()`` a blk_crypto_key on a block_device (even if ``blk_crypto_config_supported()``
was called earlier). This is needed to initialize blk-crypto-fallback if it was called earlier). This is needed to initialize blk-crypto-fallback if it
will be needed. This must not be called from the data path, as this may have to will be needed. This must not be called from the data path, as this may have to
allocate resources, which may deadlock in that case. allocate resources, which may deadlock in that case.
@ -207,7 +207,7 @@ for en/decryption. Users don't need to worry about freeing the bio_crypt_ctx
later, as that happens automatically when the bio is freed or reset. later, as that happens automatically when the bio is freed or reset.
Finally, when done using inline encryption with a blk_crypto_key on a Finally, when done using inline encryption with a blk_crypto_key on a
request_queue, users must call ``blk_crypto_evict_key()``. This ensures that block_device, users must call ``blk_crypto_evict_key()``. This ensures that
the key is evicted from all keyslots it may be programmed into and unlinked from the key is evicted from all keyslots it may be programmed into and unlinked from
any kernel data structures it may be linked into. any kernel data structures it may be linked into.
@ -221,9 +221,9 @@ as follows:
5. ``blk_crypto_evict_key()`` (after all I/O has completed) 5. ``blk_crypto_evict_key()`` (after all I/O has completed)
6. Zeroize the blk_crypto_key (this has no dedicated function) 6. Zeroize the blk_crypto_key (this has no dedicated function)
If a blk_crypto_key is being used on multiple request_queues, then If a blk_crypto_key is being used on multiple block_devices, then
``blk_crypto_config_supported()`` (if used), ``blk_crypto_start_using_key()``, ``blk_crypto_config_supported()`` (if used), ``blk_crypto_start_using_key()``,
and ``blk_crypto_evict_key()`` must be called on each request_queue. and ``blk_crypto_evict_key()`` must be called on each block_device.
API presented to device drivers API presented to device drivers
=============================== ===============================

24
block/blk-crypto.c
View File

@ -354,20 +354,21 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key,
/* /*
* Check if bios with @cfg can be en/decrypted by blk-crypto (i.e. either the * Check if bios with @cfg can be en/decrypted by blk-crypto (i.e. either the
* request queue it's submitted to supports inline crypto, or the * block_device it's submitted to supports inline crypto, or the
* blk-crypto-fallback is enabled and supports the cfg). * blk-crypto-fallback is enabled and supports the cfg).
*/ */
bool blk_crypto_config_supported(struct request_queue *q, bool blk_crypto_config_supported(struct block_device *bdev,
const struct blk_crypto_config *cfg) const struct blk_crypto_config *cfg)
{ {
return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) || return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) ||
__blk_crypto_cfg_supported(q->crypto_profile, cfg); __blk_crypto_cfg_supported(bdev_get_queue(bdev)->crypto_profile,
cfg);
} }
/** /**
* blk_crypto_start_using_key() - Start using a blk_crypto_key on a device * blk_crypto_start_using_key() - Start using a blk_crypto_key on a device
* @bdev: block device to operate on
* @key: A key to use on the device * @key: A key to use on the device
* @q: the request queue for the device
* *
* Upper layers must call this function to ensure that either the hardware * Upper layers must call this function to ensure that either the hardware
* supports the key's crypto settings, or the crypto API fallback has transforms * supports the key's crypto settings, or the crypto API fallback has transforms
@ -379,10 +380,11 @@ bool blk_crypto_config_supported(struct request_queue *q,
* blk-crypto-fallback is either disabled or the needed algorithm * blk-crypto-fallback is either disabled or the needed algorithm
* is disabled in the crypto API; or another -errno code. * is disabled in the crypto API; or another -errno code.
*/ */
int blk_crypto_start_using_key(const struct blk_crypto_key *key, int blk_crypto_start_using_key(struct block_device *bdev,
struct request_queue *q) const struct blk_crypto_key *key)
{ {
if (__blk_crypto_cfg_supported(q->crypto_profile, &key->crypto_cfg)) if (__blk_crypto_cfg_supported(bdev_get_queue(bdev)->crypto_profile,
&key->crypto_cfg))
return 0; return 0;
return blk_crypto_fallback_start_using_mode(key->crypto_cfg.crypto_mode); return blk_crypto_fallback_start_using_mode(key->crypto_cfg.crypto_mode);
} }
@ -390,7 +392,7 @@ int blk_crypto_start_using_key(const struct blk_crypto_key *key,
/** /**
* blk_crypto_evict_key() - Evict a key from any inline encryption hardware * blk_crypto_evict_key() - Evict a key from any inline encryption hardware
* it may have been programmed into * it may have been programmed into
* @q: The request queue who's associated inline encryption hardware this key * @bdev: The block_device who's associated inline encryption hardware this key
* might have been programmed into * might have been programmed into
* @key: The key to evict * @key: The key to evict
* *
@ -400,14 +402,16 @@ int blk_crypto_start_using_key(const struct blk_crypto_key *key,
* *
* Return: 0 on success or if the key wasn't in any keyslot; -errno on error. * Return: 0 on success or if the key wasn't in any keyslot; -errno on error.
*/ */
int blk_crypto_evict_key(struct request_queue *q, int blk_crypto_evict_key(struct block_device *bdev,
const struct blk_crypto_key *key) const struct blk_crypto_key *key)
{ {
struct request_queue *q = bdev_get_queue(bdev);
if (__blk_crypto_cfg_supported(q->crypto_profile, &key->crypto_cfg)) if (__blk_crypto_cfg_supported(q->crypto_profile, &key->crypto_cfg))
return __blk_crypto_evict_key(q->crypto_profile, key); return __blk_crypto_evict_key(q->crypto_profile, key);
/* /*
* If the request_queue didn't support the key, then blk-crypto-fallback * If the block_device didn't support the key, then blk-crypto-fallback
* may have been used, so try to evict the key from blk-crypto-fallback. * may have been used, so try to evict the key from blk-crypto-fallback.
*/ */
return blk_crypto_fallback_evict_key(key); return blk_crypto_fallback_evict_key(key);

2
drivers/md/dm-table.c
View File

@ -1214,7 +1214,7 @@ static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev,
struct dm_keyslot_evict_args *args = data; struct dm_keyslot_evict_args *args = data;
int err; int err;
err = blk_crypto_evict_key(bdev_get_queue(dev->bdev), args->key); err = blk_crypto_evict_key(dev->bdev, args->key);
if (!args->err) if (!args->err)
args->err = err; args->err = err;
/* Always try to evict the key from all devices. */ /* Always try to evict the key from all devices. */

8
fs/crypto/inline_crypt.c
View File

@ -139,8 +139,7 @@ int fscrypt_select_encryption_impl(struct fscrypt_info *ci)
return PTR_ERR(devs); return PTR_ERR(devs);
for (i = 0; i < num_devs; i++) { for (i = 0; i < num_devs; i++) {
if (!blk_crypto_config_supported(bdev_get_queue(devs[i]), if (!blk_crypto_config_supported(devs[i], &crypto_cfg))
&crypto_cfg))
goto out_free_devs; goto out_free_devs;
} }
@ -184,8 +183,7 @@ int fscrypt_prepare_inline_crypt_key(struct fscrypt_prepared_key *prep_key,
goto fail; goto fail;
} }
for (i = 0; i < num_devs; i++) { for (i = 0; i < num_devs; i++) {
err = blk_crypto_start_using_key(blk_key, err = blk_crypto_start_using_key(devs[i], blk_key);
bdev_get_queue(devs[i]));
if (err) if (err)
break; break;
} }
@ -224,7 +222,7 @@ void fscrypt_destroy_inline_crypt_key(struct super_block *sb,
devs = fscrypt_get_devices(sb, &num_devs); devs = fscrypt_get_devices(sb, &num_devs);
if (!IS_ERR(devs)) { if (!IS_ERR(devs)) {
for (i = 0; i < num_devs; i++) for (i = 0; i < num_devs; i++)
blk_crypto_evict_key(bdev_get_queue(devs[i]), blk_key); blk_crypto_evict_key(devs[i], blk_key);
kfree(devs); kfree(devs);
} }
kfree_sensitive(blk_key); kfree_sensitive(blk_key);

11
include/linux/blk-crypto.h
View File

@ -71,9 +71,6 @@ struct bio_crypt_ctx {
#include <linux/blk_types.h> #include <linux/blk_types.h>
#include <linux/blkdev.h> #include <linux/blkdev.h>
struct request;
struct request_queue;
#ifdef CONFIG_BLK_INLINE_ENCRYPTION #ifdef CONFIG_BLK_INLINE_ENCRYPTION
static inline bool bio_has_crypt_ctx(struct bio *bio) static inline bool bio_has_crypt_ctx(struct bio *bio)
@ -94,13 +91,13 @@ int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key,
unsigned int dun_bytes, unsigned int dun_bytes,
unsigned int data_unit_size); unsigned int data_unit_size);
int blk_crypto_start_using_key(const struct blk_crypto_key *key, int blk_crypto_start_using_key(struct block_device *bdev,
struct request_queue *q); const struct blk_crypto_key *key);
int blk_crypto_evict_key(struct request_queue *q, int blk_crypto_evict_key(struct block_device *bdev,
const struct blk_crypto_key *key); const struct blk_crypto_key *key);
bool blk_crypto_config_supported(struct request_queue *q, bool blk_crypto_config_supported(struct block_device *bdev,
const struct blk_crypto_config *cfg); const struct blk_crypto_config *cfg);
#else /* CONFIG_BLK_INLINE_ENCRYPTION */ #else /* CONFIG_BLK_INLINE_ENCRYPTION */