1. 07 2月, 2008 3 次提交
  2. 17 10月, 2007 10 次提交
  3. 29 6月, 2007 1 次提交
    • M
      eCryptfs: fix write zeros behavior · 240e2df5
      Michael Halcrow 提交于
      This patch fixes the processes involved in wiping regions of the data during
      truncate and write events, fixing a kernel hang in 2.6.22-rc4 while assuring
      that zero values are written out to the appropriate locations during events in
      which the i_size will change.
      
      The range passed to ecryptfs_truncate() from ecryptfs_prepare_write() includes
      the page that is the object of ecryptfs_prepare_write().  This leads to a
      kernel hang as read_cache_page() is executed on the same page in the
      ecryptfs_truncate() execution path.  This patch remedies this by limiting the
      range passed to ecryptfs_truncate() so as to exclude the page that is the
      object of ecryptfs_prepare_write(); it also adds code to
      ecryptfs_prepare_write() to zero out the region of its own page when writing
      past the i_size position.  This patch also modifies ecryptfs_truncate() so
      that when a file is truncated to a smaller size, eCryptfs will zero out the
      contents of the new last page from the new size through to the end of the last
      page.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      240e2df5
  4. 17 2月, 2007 1 次提交
  5. 13 2月, 2007 9 次提交
    • J
      [PATCH] Mark struct super_operations const · ee9b6d61
      Josef 'Jeff' Sipek 提交于
      This patch is inspired by Arjan's "Patch series to mark struct
      file_operations and struct inode_operations const".
      
      Compile tested with gcc & sparse.
      Signed-off-by: NJosef 'Jeff' Sipek <jsipek@cs.sunysb.edu>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ee9b6d61
    • A
      [PATCH] mark struct inode_operations const 1 · 754661f1
      Arjan van de Ven 提交于
      Many struct inode_operations in the kernel can be "const".  Marking them const
      moves these to the .rodata section, which avoids false sharing with potential
      dirty data.  In addition it'll catch accidental writes at compile time to
      these shared resources.
      Signed-off-by: NArjan van de Ven <arjan@linux.intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      754661f1
    • M
      [PATCH] eCryptfs: open-code flag checking and manipulation · e2bd99ec
      Michael Halcrow 提交于
      Open-code flag checking and manipulation.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NTrevor Highland <tshighla@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e2bd99ec
    • M
      [PATCH] eCryptfs: convert kmap() to kmap_atomic() · 9d8b8ce5
      Michael Halcrow 提交于
      Replace kmap() with kmap_atomic().  Reduce the amount of time that mappings
      are held.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NTrevor Highland <tshighla@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      9d8b8ce5
    • M
      [PATCH] eCryptfs: Encrypted passthrough · e77a56dd
      Michael Halcrow 提交于
      Provide an option to provide a view of the encrypted files such that the
      metadata is always in the header of the files, regardless of whether the
      metadata is actually in the header or in the extended attribute.  This mode of
      operation is useful for applications like incremental backup utilities that do
      not preserve the extended attributes when directly accessing the lower files.
      
      With this option enabled, the files under the eCryptfs mount point will be
      read-only.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e77a56dd
    • M
      [PATCH] eCryptfs: Generalize metadata read/write · dd2a3b7a
      Michael Halcrow 提交于
      Generalize the metadata reading and writing mechanisms, with two targets for
      now: metadata in file header and metadata in the user.ecryptfs xattr of the
      lower file.
      
      [akpm@osdl.org: printk warning fix]
      [bunk@stusta.de: make some needlessly global code static]
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      dd2a3b7a
    • M
      [PATCH] eCryptfs: xattr flags and mount options · 17398957
      Michael Halcrow 提交于
      This patch set introduces the ability to store cryptographic metadata into an
      lower file extended attribute rather than the lower file header region.
      
      This patch set implements two new mount options:
      
      ecryptfs_xattr_metadata
       - When set, newly created files will have their cryptographic
         metadata stored in the extended attribute region of the file rather
         than the header.
      
         When storing the data in the file header, there is a minimum of 8KB
         reserved for the header information for each file, making each file at
         least 12KB in size.  This can take up a lot of extra disk space if the user
         creates a lot of small files.  By storing the data in the extended
         attribute, each file will only occupy at least of 4KB of space.
      
         As the eCryptfs metadata set becomes larger with new features such as
         multi-key associations, most popular filesystems will not be able to store
         all of the information in the xattr region in some cases due to space
         constraints.  However, the majority of users will only ever associate one
         key per file, so most users will be okay with storing their data in the
         xattr region.
      
         This option should be used with caution.  I want to emphasize that the
         xattr must be maintained under all circumstances, or the file will be
         rendered permanently unrecoverable.  The last thing I want is for a user to
         forget to set an xattr flag in a backup utility, only to later discover
         that their backups are worthless.
      
      ecryptfs_encrypted_view
       - When set, this option causes eCryptfs to present applications a
         view of encrypted files as if the cryptographic metadata were
         stored in the file header, whether the metadata is actually stored
         in the header or in the extended attributes.
      
         No matter what eCryptfs winds up doing in the lower filesystem, I want
         to preserve a baseline format compatibility for the encrypted files.  As of
         right now, the metadata may be in the file header or in an xattr.  There is
         no reason why the metadata could not be put in a separate file in future
         versions.
      
         Without the compatibility mode, backup utilities would have to know to
         back up the metadata file along with the files.  The semantics of eCryptfs
         have always been that the lower files are self-contained units of encrypted
         data, and the only additional information required to decrypt any given
         eCryptfs file is the key.  That is what has always been emphasized about
         eCryptfs lower files, and that is what users expect.  Providing the
         encrypted view option will provide a way to userspace applications wherein
         they can always get to the same old familiar eCryptfs encrypted files,
         regardless of what eCryptfs winds up doing with the metadata behind the
         scenes.
      
      This patch:
      
      Add extended attribute support to version bit vector, flags to indicate when
      xattr or encrypted view modes are enabled, and support for the new mount
      options.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      17398957
    • M
      [PATCH] eCryptfs: Public key; packet management · dddfa461
      Michael Halcrow 提交于
      Public key support code.  This reads and writes packets in the header that
      contain public key encrypted file keys.  It calls the messaging code in the
      previous patch to send and receive encryption and decryption request
      packets from the userspace daemon.
      
      [akpm@osdl.org: cleab fix]
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      dddfa461
    • M
      [PATCH] eCryptfs: Public key transport mechanism · 88b4a07e
      Michael Halcrow 提交于
      This is the transport code for public key functionality in eCryptfs.  It
      manages encryption/decryption request queues with a transport mechanism.
      Currently, netlink is the only implemented transport.
      
      Each inode has a unique File Encryption Key (FEK).  Under passphrase, a File
      Encryption Key Encryption Key (FEKEK) is generated from a salt/passphrase
      combo on mount.  This FEKEK encrypts each FEK and writes it into the header of
      each file using the packet format specified in RFC 2440.  This is all
      symmetric key encryption, so it can all be done via the kernel crypto API.
      
      These new patches introduce public key encryption of the FEK.  There is no
      asymmetric key encryption support in the kernel crypto API, so eCryptfs pushes
      the FEK encryption and decryption out to a userspace daemon.  After
      considering our requirements and determining the complexity of using various
      transport mechanisms, we settled on netlink for this communication.
      
      eCryptfs stores authentication tokens into the kernel keyring.  These tokens
      correlate with individual keys.  For passphrase mode of operation, the
      authentication token contains the symmetric FEKEK.  For public key, the
      authentication token contains a PKI type and an opaque data blob managed by
      individual PKI modules in userspace.
      
      Each user who opens a file under an eCryptfs partition mounted in public key
      mode must be running a daemon.  That daemon has the user's credentials and has
      access to all of the keys to which the user should have access.  The daemon,
      when started, initializes the pluggable PKI modules available on the system
      and registers itself with the eCryptfs kernel module.  Userspace utilities
      register public key authentication tokens into the user session keyring.
      These authentication tokens correlate key signatures with PKI modules and PKI
      blobs.  The PKI blobs contain PKI-specific information necessary for the PKI
      module to carry out asymmetric key encryption and decryption.
      
      When the eCryptfs module parses the header of an existing file and finds a Tag
      1 (Public Key) packet (see RFC 2440), it reads in the public key identifier
      (signature).  The asymmetrically encrypted FEK is in the Tag 1 packet;
      eCryptfs puts together a decrypt request packet containing the signature and
      the encrypted FEK, then it passes it to the daemon registered for the
      current->euid via a netlink unicast to the PID of the daemon, which was
      registered at the time the daemon was started by the user.
      
      The daemon actually just makes calls to libecryptfs, which implements request
      packet parsing and manages PKI modules.  libecryptfs grabs the public key
      authentication token for the given signature from the user session keyring.
      This auth tok tells libecryptfs which PKI module should receive the request.
      libecryptfs then makes a decrypt() call to the PKI module, and it passes along
      the PKI block from the auth tok.  The PKI uses the blob to figure out how it
      should decrypt the data passed to it; it performs the decryption and passes
      the decrypted data back to libecryptfs.  libecryptfs then puts together a
      reply packet with the decrypted FEK and passes that back to the eCryptfs
      module.
      
      The eCryptfs module manages these request callouts to userspace code via
      message context structs.  The module maintains an array of message context
      structs and places the elements of the array on two lists: a free and an
      allocated list.  When eCryptfs wants to make a request, it moves a msg ctx
      from the free list to the allocated list, sets its state to pending, and fires
      off the message to the user's registered daemon.
      
      When eCryptfs receives a netlink message (via the callback), it correlates the
      msg ctx struct in the alloc list with the data in the message itself.  The
      msg->index contains the offset of the array of msg ctx structs.  It verifies
      that the registered daemon PID is the same as the PID of the process that sent
      the message.  It also validates a sequence number between the received packet
      and the msg ctx.  Then, it copies the contents of the message (the reply
      packet) into the msg ctx struct, sets the state in the msg ctx to done, and
      wakes up the process that was sleeping while waiting for the reply.
      
      The sleeping process was whatever was performing the sys_open().  This process
      originally called ecryptfs_send_message(); it is now in
      ecryptfs_wait_for_response().  When it wakes up and sees that the msg ctx
      state was set to done, it returns a pointer to the message contents (the reply
      packet) and returns.  If all went well, this packet contains the decrypted
      FEK, which is then copied into the crypt_stat struct, and life continues as
      normal.
      
      The case for creation of a new file is very similar, only instead of a decrypt
      request, eCryptfs sends out an encrypt request.
      
      > - We have a great clod of key mangement code in-kernel.  Why is that
      >   not suitable (or growable) for public key management?
      
      eCryptfs uses Howells' keyring to store persistent key data and PKI state
      information.  It defers public key cryptographic transformations to userspace
      code.  The userspace data manipulation request really is orthogonal to key
      management in and of itself.  What eCryptfs basically needs is a secure way to
      communicate with a particular daemon for a particular task doing a syscall,
      based on the UID.  Nothing running under another UID should be able to access
      that channel of communication.
      
      > - Is it appropriate that new infrastructure for public key
      > management be private to a particular fs?
      
      The messaging.c file contains a lot of code that, perhaps, could be extracted
      into a separate kernel service.  In essence, this would be a sort of
      request/reply mechanism that would involve a userspace daemon.  I am not aware
      of anything that does quite what eCryptfs does, so I was not aware of any
      existing tools to do just what we wanted.
      
      >   What happens if one of these daemons exits without sending a quit
      >   message?
      
      There is a stale uid<->pid association in the hash table for that user.  When
      the user registers a new daemon, eCryptfs cleans up the old association and
      generates a new one.  See ecryptfs_process_helo().
      
      > - _why_ does it use netlink?
      
      Netlink provides the transport mechanism that would minimize the complexity of
      the implementation, given that we can have multiple daemons (one per user).  I
      explored the possibility of using relayfs, but that would involve having to
      introduce control channels and a protocol for creating and tearing down
      channels for the daemons.  We do not have to worry about any of that with
      netlink.
      Signed-off-by: NMichael Halcrow <mhalcrow@us.ibm.com>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      88b4a07e
  6. 07 2月, 2007 1 次提交
  7. 09 12月, 2006 2 次提交
  8. 01 11月, 2006 4 次提交
  9. 04 10月, 2006 1 次提交