zig

fork of https://codeberg.org/ziglang/zig

fscrypt.h (6591B) - Raw


      1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
      2 /*
      3  * fscrypt user API
      4  *
      5  * These ioctls can be used on filesystems that support fscrypt.  See the
      6  * "User API" section of Documentation/filesystems/fscrypt.rst.
      7  */
      8 #ifndef _LINUX_FSCRYPT_H
      9 #define _LINUX_FSCRYPT_H
     10 
     11 #include <linux/ioctl.h>
     12 #include <linux/types.h>
     13 
     14 /* Encryption policy flags: values for the `flags` byte of fscrypt_policy_v1/v2 */
     15 #define FSCRYPT_POLICY_FLAGS_PAD_4		0x00	/* PAD_*: filename padding, a 2-bit value rather than independent bits */
     16 #define FSCRYPT_POLICY_FLAGS_PAD_8		0x01
     17 #define FSCRYPT_POLICY_FLAGS_PAD_16		0x02
     18 #define FSCRYPT_POLICY_FLAGS_PAD_32		0x03	/* coarsest padding; reveals the least about filename length */
     19 #define FSCRYPT_POLICY_FLAGS_PAD_MASK		0x03	/* extracts the PAD_* value from flags */
     20 #define FSCRYPT_POLICY_FLAG_DIRECT_KEY		0x04	/* changes key/IV derivation; read fscrypt.rst before enabling */
     21 #define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64	0x08	/* IV-generation variant; see fscrypt.rst for when it is appropriate */
     22 #define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32	0x10	/* IV-generation variant; see fscrypt.rst for when it is appropriate */
     23 
     24 /* Encryption algorithms: values for contents_encryption_mode / filenames_encryption_mode */
     25 #define FSCRYPT_MODE_AES_256_XTS		1	/* NOTE(review): not every contents/filenames pairing is accepted; see fscrypt.rst */
     26 #define FSCRYPT_MODE_AES_256_CTS		4	/* 2 and 3 are skipped; the old-names section below marks them "never used" */
     27 #define FSCRYPT_MODE_AES_128_CBC		5
     28 #define FSCRYPT_MODE_AES_128_CTS		6
     29 #define FSCRYPT_MODE_SM4_XTS			7
     30 #define FSCRYPT_MODE_SM4_CTS			8
     31 #define FSCRYPT_MODE_ADIANTUM			9
     32 #define FSCRYPT_MODE_AES_256_HCTR2		10
     33 /* If adding a mode number > 10, update FSCRYPT_MODE_MAX in fscrypt_private.h */
     34 
     35 /*
     36  * Legacy policy version; ad-hoc KDF and no key verification.
     37  * For new encrypted directories, use fscrypt_policy_v2 instead.
     38  *
     39  * Careful: the .version field for this is actually 0, not 1.
     40  */
     41 #define FSCRYPT_POLICY_V1		0
     42 #define FSCRYPT_KEY_DESCRIPTOR_SIZE	8
     43 struct fscrypt_policy_v1 {
     44 	__u8 version;	/* FSCRYPT_POLICY_V1, i.e. 0 */
     45 	__u8 contents_encryption_mode;	/* one of FSCRYPT_MODE_* */
     46 	__u8 filenames_encryption_mode;	/* one of FSCRYPT_MODE_* */
     47 	__u8 flags;	/* FSCRYPT_POLICY_FLAG* bits */
     48 	__u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];	/* arbitrary name, not derived from the key; with no key verification, a match does not prove the key is correct */
     49 };
     50 
     51 /*
     52  * Process-subscribed "logon" key description prefix and payload format.
     53  * Deprecated; prefer FS_IOC_ADD_ENCRYPTION_KEY instead.
     54  */
     55 #define FSCRYPT_KEY_DESC_PREFIX		"fscrypt:"
     56 #define FSCRYPT_KEY_DESC_PREFIX_SIZE	8	/* length of "fscrypt:" without the terminating NUL */
     57 #define FSCRYPT_MAX_KEY_SIZE		64	/* capacity of fscrypt_key::raw in bytes */
     58 struct fscrypt_key {
     59 	__u32 mode;
     60 	__u8 raw[FSCRYPT_MAX_KEY_SIZE];	/* raw key bytes: secret material; wipe the buffer once the key has been handed over */
     61 	__u32 size;	/* presumably the number of valid bytes in raw[] -- confirm in fscrypt.rst */
     62 };
     63 
     64 /*
     65  * New policy version with HKDF and key verification (recommended).
     66  */
     67 #define FSCRYPT_POLICY_V2		2
     68 #define FSCRYPT_KEY_IDENTIFIER_SIZE	16
     69 struct fscrypt_policy_v2 {
     70 	__u8 version;	/* FSCRYPT_POLICY_V2, i.e. 2 */
     71 	__u8 contents_encryption_mode;	/* one of FSCRYPT_MODE_* */
     72 	__u8 filenames_encryption_mode;	/* one of FSCRYPT_MODE_* */
     73 	__u8 flags;	/* FSCRYPT_POLICY_FLAG* bits */
     74 	__u8 log2_data_unit_size;	/* per the name, log2 of the data unit size; presumably 0 selects the default -- confirm in fscrypt.rst */
     75 	__u8 __reserved[3];	/* zero-fill; NOTE(review): nonzero reserved bytes are presumably rejected -- confirm */
     76 	__u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];	/* kernel-computed hash of the key; see FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER */
     77 };
     78 
     79 /* Struct passed to FS_IOC_GET_ENCRYPTION_POLICY_EX */
     80 struct fscrypt_get_policy_ex_arg {
     81 	__u64 policy_size; /* input/output; presumably buffer size in, returned policy size out -- confirm in fscrypt.rst */
     82 	union {
     83 		__u8 version;	/* overlays the first byte of v1 and v2; check it before reading either member */
     84 		struct fscrypt_policy_v1 v1;	/* meaningful when version == FSCRYPT_POLICY_V1 */
     85 		struct fscrypt_policy_v2 v2;	/* meaningful when version == FSCRYPT_POLICY_V2 */
     86 	} policy; /* output */
     87 };
     88 
     89 /*
     90  * v1 policy keys are specified by an arbitrary 8-byte key "descriptor",
     91  * matching fscrypt_policy_v1::master_key_descriptor.
     92  */
     93 #define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR	1
     94 
     95 /*
     96  * v2 policy keys are specified by a 16-byte key "identifier" which the kernel
     97  * calculates as a cryptographic hash of the key itself,
     98  * matching fscrypt_policy_v2::master_key_identifier.
     99  */
    100 #define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER	2
    101 
    102 /*
    103  * Specifies a key, either for v1 or v2 policies.  This doesn't contain the
    104  * actual key itself; this is just the "name" of the key.
    105  */
    106 struct fscrypt_key_specifier {
    107 	__u32 type;	/* one of FSCRYPT_KEY_SPEC_TYPE_* */
    108 	__u32 __reserved;	/* zero-fill */
    109 	union {
    110 		__u8 __reserved[32]; /* reserve some extra space */
    111 		__u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];	/* used when type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR */
    112 		__u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];	/* used when type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER */
    113 	} u;	/* 32 bytes wide; zero the whole union before filling the shorter member */
    114 };
    115 
    116 /*
    117  * Payload of Linux keyring key of type "fscrypt-provisioning", referenced by
    118  * fscrypt_add_key_arg::key_id as an alternative to fscrypt_add_key_arg::raw.
    119  */
    120 struct fscrypt_provisioning_key_payload {
    121 	__u32 type;	/* presumably one of FSCRYPT_KEY_SPEC_TYPE_* -- confirm in fscrypt.rst */
    122 	__u32 __reserved;	/* zero-fill */
    123 	__u8 raw[];	/* flexible array of raw key bytes: secret material; length is not stored in this struct */
    124 };
    125 
    126 /* Struct passed to FS_IOC_ADD_ENCRYPTION_KEY */
    127 struct fscrypt_add_key_arg {
    128 	struct fscrypt_key_specifier key_spec;	/* names the key; never holds key bytes */
    129 	__u32 raw_size;	/* presumably the byte count of raw[] -- confirm in fscrypt.rst */
    130 	__u32 key_id;	/* keyring key ID of an "fscrypt-provisioning" key, the alternative to raw[] */
    131 	__u32 __reserved[8];	/* zero-fill */
    132 	__u8 raw[];	/* raw key bytes: secret material; wipe the caller's buffer after the ioctl returns */
    133 };
    134 
    135 /* Struct passed to FS_IOC_REMOVE_ENCRYPTION_KEY */
    136 struct fscrypt_remove_key_arg {
    137 	struct fscrypt_key_specifier key_spec;	/* names the key to remove */
    138 #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY	0x00000001	/* per the name: some files were still in use */
    139 #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS	0x00000002	/* per the name: other users still hold a claim on the key */
    140 	__u32 removal_status_flags;	/* output; check it even when the ioctl succeeds -- a set bit suggests removal was not complete (confirm in fscrypt.rst) */
    141 	__u32 __reserved[5];	/* zero-fill */
    142 };
    143 
    144 /* Struct passed to FS_IOC_GET_ENCRYPTION_KEY_STATUS */
    145 struct fscrypt_get_key_status_arg {
    146 	/* input */
    147 	struct fscrypt_key_specifier key_spec;	/* names the key to query */
    148 	__u32 __reserved[6];	/* zero-fill */
    149 
    150 	/* output */
    151 #define FSCRYPT_KEY_STATUS_ABSENT		1
    152 #define FSCRYPT_KEY_STATUS_PRESENT		2
    153 #define FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED	3	/* NOTE(review): removal began but did not finish; do not report this state as "locked" -- confirm semantics in fscrypt.rst */
    154 	__u32 status;	/* one of FSCRYPT_KEY_STATUS_* above */
    155 #define FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF   0x00000001
    156 	__u32 status_flags;	/* FSCRYPT_KEY_STATUS_FLAG_* bits */
    157 	__u32 user_count;	/* presumably the number of users who have added the key -- confirm */
    158 	__u32 __out_reserved[13];
    159 };
    160 
    161 #define FS_IOC_SET_ENCRYPTION_POLICY		_IOR('f', 19, struct fscrypt_policy_v1)	/* NOTE(review): _IOR on a SET, and _IOW on the GETs at 20/21, read as inverted vs. data flow; the numbers are ABI, so tracers and syscall filters should not infer copy direction from them */
    162 #define FS_IOC_GET_ENCRYPTION_PWSALT		_IOW('f', 20, __u8[16])
    163 #define FS_IOC_GET_ENCRYPTION_POLICY		_IOW('f', 21, struct fscrypt_policy_v1)	/* encoded with the v1 struct only; FS_IOC_GET_ENCRYPTION_POLICY_EX carries a version-tagged union */
    164 #define FS_IOC_GET_ENCRYPTION_POLICY_EX		_IOWR('f', 22, __u8[9]) /* size + version */
    165 #define FS_IOC_ADD_ENCRYPTION_KEY		_IOWR('f', 23, struct fscrypt_add_key_arg)	/* encoded size excludes the flexible raw[] tail */
    166 #define FS_IOC_REMOVE_ENCRYPTION_KEY		_IOWR('f', 24, struct fscrypt_remove_key_arg)
    167 #define FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS	_IOWR('f', 25, struct fscrypt_remove_key_arg)	/* same argument struct as FS_IOC_REMOVE_ENCRYPTION_KEY */
    168 #define FS_IOC_GET_ENCRYPTION_KEY_STATUS	_IOWR('f', 26, struct fscrypt_get_key_status_arg)
    169 #define FS_IOC_GET_ENCRYPTION_NONCE		_IOR('f', 27, __u8[16])
    170 
    171 /**********************************************************************/
    172 
    173 /* old names; don't add anything new here!  Aliases for the FSCRYPT_* definitions above. */
    174 #define fscrypt_policy			fscrypt_policy_v1
    175 #define FS_KEY_DESCRIPTOR_SIZE		FSCRYPT_KEY_DESCRIPTOR_SIZE
    176 #define FS_POLICY_FLAGS_PAD_4		FSCRYPT_POLICY_FLAGS_PAD_4
    177 #define FS_POLICY_FLAGS_PAD_8		FSCRYPT_POLICY_FLAGS_PAD_8
    178 #define FS_POLICY_FLAGS_PAD_16		FSCRYPT_POLICY_FLAGS_PAD_16
    179 #define FS_POLICY_FLAGS_PAD_32		FSCRYPT_POLICY_FLAGS_PAD_32
    180 #define FS_POLICY_FLAGS_PAD_MASK	FSCRYPT_POLICY_FLAGS_PAD_MASK
    181 #define FS_POLICY_FLAG_DIRECT_KEY	FSCRYPT_POLICY_FLAG_DIRECT_KEY
    182 #define FS_POLICY_FLAGS_VALID		0x07	/* contains old flags only: PAD_MASK | DIRECT_KEY, so the IV_INO_LBLK_* bits fall outside it */
    183 #define FS_ENCRYPTION_MODE_INVALID	0	/* never used */
    184 #define FS_ENCRYPTION_MODE_AES_256_XTS	FSCRYPT_MODE_AES_256_XTS
    185 #define FS_ENCRYPTION_MODE_AES_256_GCM	2	/* never used */
    186 #define FS_ENCRYPTION_MODE_AES_256_CBC	3	/* never used */
    187 #define FS_ENCRYPTION_MODE_AES_256_CTS	FSCRYPT_MODE_AES_256_CTS
    188 #define FS_ENCRYPTION_MODE_AES_128_CBC	FSCRYPT_MODE_AES_128_CBC
    189 #define FS_ENCRYPTION_MODE_AES_128_CTS	FSCRYPT_MODE_AES_128_CTS
    190 #define FS_ENCRYPTION_MODE_ADIANTUM	FSCRYPT_MODE_ADIANTUM
    191 #define FS_KEY_DESC_PREFIX		FSCRYPT_KEY_DESC_PREFIX
    192 #define FS_KEY_DESC_PREFIX_SIZE		FSCRYPT_KEY_DESC_PREFIX_SIZE
    193 #define FS_MAX_KEY_SIZE			FSCRYPT_MAX_KEY_SIZE
    194 
    195 #endif /* _LINUX_FSCRYPT_H */