diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig
index 97c0a113f4cc..fbf7b094703b 100644
--- a/fs/crypto/Kconfig
+++ b/fs/crypto/Kconfig
@@ -29,3 +29,12 @@ config FS_ENCRYPTION_INLINE_CRYPT
 depends on FS_ENCRYPTION && BLK_INLINE_ENCRYPTION
 help
 Enable fscrypt to use inline encryption hardware if available.
+
+config ENABLE_LEGACY_PFK
+ bool "Legacy method to generate per file key"
+ default n
+ help
+ Enable legacy method to generate aes keys derived
+ from nonce and master key. In private mode the keys
+ will be used by inline crypto hardware to encrypt the
+ file content.
diff --git a/fs/crypto/keysetup_v1.c b/fs/crypto/keysetup_v1.c
index 59ffa3c64324..0dc04c55ad55 100644
--- a/fs/crypto/keysetup_v1.c
+++ b/fs/crypto/keysetup_v1.c
@@ -302,7 +302,7 @@ static int setup_v1_file_key_direct(struct fscrypt_info *ci,
 static int setup_v1_file_key_derived(struct fscrypt_info *ci,
 const u8 *raw_master_key)
 {
- u8 *derived_key;
+ u8 *derived_key = NULL;
 int err;
 int i;
 union {
@@ -334,7 +334,21 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
 ci->ci_hashed_ino = siphash_1u64(ci->ci_inode->i_ino, &ino_hash_key.k);
 }
+
+#if IS_ENABLED(CONFIG_ENABLE_LEGACY_PFK)
+ derived_key = kmalloc(ci->ci_mode->keysize, GFP_NOFS);
+ if (!derived_key)
+ return -ENOMEM;
+
+ err = derive_key_aes(raw_master_key, ci->ci_nonce,
+ derived_key, ci->ci_mode->keysize);
+ if (err)
+ goto out;
+
+ memcpy(key_new.bytes, derived_key, ci->ci_mode->keysize);
+#else
 memcpy(key_new.bytes, raw_master_key, ci->ci_mode->keysize);
+#endif
 for (i = 0; i < ARRAY_SIZE(key_new.words); i++)
 __cpu_to_be32s(&key_new.words[i]);
@@ -344,6 +358,9 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
 ci->ci_mode->keysize, false, ci);
+ if (derived_key)
+ kzfree(derived_key);
+
 return err;
 }
 /*
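Review bot: The help text of the new `ENABLE_LEGACY_PFK` entry in fs/crypto/Kconfig does not say what the option changes, nor that it acts as a compatibility switch. In keysetup_v1.c the `#if` decides whether the key handed to the inline crypto path is the AES-derived per-file key or the raw master key, so files written under one setting presumably cannot be read by a kernel built with the other. The help should state that, for example `The setting must match the one used when the files were created.` The entry also has no `depends on`, although the code it gates appears to run only on the inline-encryption path, so `depends on FS_ENCRYPTION_INLINE_CRYPT` looks appropriate; `default n` can be dropped because it is already the default.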
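Review bot: In the second hunk of fs/crypto/keysetup_v1.c, both branches of `#if IS_ENABLED(CONFIG_ENABLE_LEGACY_PFK)` copy key material into the on-stack union `key_new`, and nothing visible wipes it before the function returns. The heap copy is cleared by `kzfree()`, but the stack copy is not. I would add `memzero_explicit(&key_new, sizeof(key_new));` just before the `return err;` that follows the call ending in `ci->ci_mode->keysize, false, ci);`, assuming that call copies the bytes it is given, which is not visible here. The block would also benefit from a comment such as `/* Legacy PFK: give the inline engine the nonce-derived per-file key instead of the raw master key. */` above the `#if`. The function body starts and ends outside this hunk, including the declaration of `key_new`.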
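Review bot: The `if (derived_key)` guard added before `kzfree(derived_key);` in the third hunk of fs/crypto/keysetup_v1.c is redundant, and the same guard is repeated after the `out:` label in the last hunk. kzfree(), like kfree(), returns immediately when passed NULL, and the pointer is now initialised to NULL at its declaration, so a bare `kzfree(derived_key);` is enough in both places. Dropping the guard also leaves the `out:` path exactly as it was before the change, which makes the patch smaller and easier to audit.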
@@ -361,7 +378,9 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
 err = fscrypt_set_per_file_enc_key(ci, derived_key);
 out:
- kzfree(derived_key);
+ if (derived_key)
+ kzfree(derived_key);
+
 return err;
 }