Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt

        Documentation/filesystems/dax.txt.  Note that this option is

        incompatible with data=journal.

  inlinecrypt

        When possible, encrypt/decrypt the contents of encrypted files using the

        blk-crypto framework rather than filesystem-layer encryption. This

        allows the use of inline encryption hardware. The on-disk format is

        unaffected. For more details, see

        Documentation/block/inline-encryption.rst.

Data Mode

=========

There are 3 different data modes:

                       on compression extension list and enable compression on

                       these file by default rather than to enable it via ioctl.

                       For other files, we can still enable compression via ioctl.

inlinecrypt

                       When possible, encrypt/decrypt the contents of encrypted

                       files using the blk-crypto framework rather than

                       filesystem-layer encryption. This allows the use of

                       inline encryption hardware. The on-disk format is

                       unaffected. For more details, see

                       Documentation/block/inline-encryption.rst.

====================== ============================================================

Debugfs Entries

were to be added to or removed from anything other than an empty

directory.)  These structs are defined as follows::

    #define FS_KEY_DERIVATION_NONCE_SIZE 16

    #define FSCRYPT_FILE_NONCE_SIZE 16

    #define FSCRYPT_KEY_DESCRIPTOR_SIZE  8

    struct fscrypt_context_v1 {

            u8 filenames_encryption_mode;

            u8 flags;

            u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];

            u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];

            u8 nonce[FSCRYPT_FILE_NONCE_SIZE];

    };

    #define FSCRYPT_KEY_IDENTIFIER_SIZE  16

            u8 flags;

            u8 __reserved[4];

            u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];

            u8 nonce[FS_KEY_DERIVATION_NONCE_SIZE];

            u8 nonce[FSCRYPT_FILE_NONCE_SIZE];

    };

The context structs contain the same information as the corresponding

buffers regardless of encryption.  Other filesystems, such as ext4 and

F2FS, have to allocate bounce pages specially for encryption.

Fscrypt is also able to use inline encryption hardware instead of the

kernel crypto API for en/decryption of file contents.  When possible,

and if directed to do so (by specifying the 'inlinecrypt' mount option

for an ext4/F2FS filesystem), it adds encryption contexts to bios and

uses blk-crypto to perform the en/decryption instead of making use of

the above read/write path changes.  Of course, even if directed to

make use of inline encryption, fscrypt will only be able to do so if

either hardware inline encryption support is available for the

selected encryption algorithm or CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK

is selected.  If neither is the case, fscrypt will fall back to using

the above mentioned read/write path changes for en/decryption.

Filename hashing and encoding

-----------------------------

To test fscrypt, use xfstests, which is Linux's de facto standard

filesystem test suite.  First, run all the tests in the "encrypt"

group on the relevant filesystem(s).  For example, to test ext4 and

group on the relevant filesystem(s).  One can also run the tests

with the 'inlinecrypt' mount option to test the implementation for

inline encryption support.  For example, to test ext4 and

f2fs encryption using `kvm-xfstests

<https://github.com/tytso/xfstests-bld/blob/master/Documentation/kvm-quickstart.md>`_::

    kvm-xfstests -c ext4,f2fs -g encrypt

    kvm-xfstests -c ext4,f2fs -g encrypt -m inlinecrypt

UBIFS encryption can also be tested this way, but it should be done in

a separate command, and it takes some time for kvm-xfstests to set up

kvm-xfstests, use the "encrypt" filesystem configuration::

    kvm-xfstests -c ext4/encrypt,f2fs/encrypt -g auto

    kvm-xfstests -c ext4/encrypt,f2fs/encrypt -g auto -m inlinecrypt

Because this runs many more tests than "-g encrypt" does, it takes

much longer to run; so also consider using `gce-xfstests

instead of kvm-xfstests::

    gce-xfstests -c ext4/encrypt,f2fs/encrypt -g auto

    gce-xfstests -c ext4/encrypt,f2fs/encrypt -g auto -m inlinecrypt

static void end_buffer_async_read_io(struct buffer_head *bh, int uptodate)

{

	/* Decrypt if needed */

	if (uptodate && IS_ENABLED(CONFIG_FS_ENCRYPTION) &&

	    IS_ENCRYPTED(bh->b_page->mapping->host) &&

	    S_ISREG(bh->b_page->mapping->host->i_mode)) {

	if (uptodate &&

	    fscrypt_inode_uses_fs_layer_crypto(bh->b_page->mapping->host)) {

		struct decrypt_bh_ctx *ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC);

		if (ctx) {

	 */

	bio = bio_alloc(GFP_NOIO, 1);

	fscrypt_set_bio_crypt_ctx_bh(bio, bh, GFP_NOIO);

	bio->bi_iter.bi_sector = bh->b_blocknr * (bh->b_size >> 9);

	bio_set_dev(bio, bh->b_bdev);

	bio->bi_write_hint = write_hint;

	select CRYPTO

	select CRYPTO_HASH

	select CRYPTO_SKCIPHER

	select CRYPTO_LIB_SHA256

	select KEYS

	help

	  Enable encryption of files and directories.  This

	select CRYPTO_CTS

	select CRYPTO_ECB

	select CRYPTO_HMAC

	select CRYPTO_SHA256

	select CRYPTO_SHA512

	select CRYPTO_XTS

config FS_ENCRYPTION_INLINE_CRYPT

	bool "Enable fscrypt to use inline crypto"

	depends on FS_ENCRYPTION && BLK_INLINE_ENCRYPTION

	help

	  Enable fscrypt to use inline encryption hardware if available.