linux-headers (unknown)

fscrypt.h
       1  /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
       2  /*
       3   * fscrypt user API
       4   *
       5   * These ioctls can be used on filesystems that support fscrypt.  See the
       6   * "User API" section of Documentation/filesystems/fscrypt.rst.
       7   */
       8  #ifndef _LINUX_FSCRYPT_H
       9  #define _LINUX_FSCRYPT_H
      10  
      11  #include <linux/ioctl.h>
      12  #include <linux/types.h>
      13  
      14  /* Encryption policy flags (the "flags" byte of fscrypt_policy_v1 / fscrypt_policy_v2) */
      15  #define FSCRYPT_POLICY_FLAGS_PAD_4		0x00	/* PAD_* select filename padding (per fscrypt.rst); they share the two low bits */
      16  #define FSCRYPT_POLICY_FLAGS_PAD_8		0x01
      17  #define FSCRYPT_POLICY_FLAGS_PAD_16		0x02
      18  #define FSCRYPT_POLICY_FLAGS_PAD_32		0x03	/* largest padding defined here; more padding reveals less about filename length */
      19  #define FSCRYPT_POLICY_FLAGS_PAD_MASK		0x03	/* mask covering the PAD_* values */
      20  #define FSCRYPT_POLICY_FLAG_DIRECT_KEY		0x04	/* NOTE(review): per fscrypt.rst the master key is used directly instead of per-file keys; only certain modes allow it */
      21  #define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64	0x08	/* NOTE(review): per fscrypt.rst IVs are built from inode number + block number; not part of the legacy FS_POLICY_FLAGS_VALID (0x07) */
      22  #define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32	0x10	/* NOTE(review): 32-bit-IV variant; fscrypt.rst documents its IV-reuse trade-off, so select it only where the hardware requires it */
      23  
      24  /* Encryption algorithms for the *_encryption_mode fields; none of these is an authenticated (AEAD) mode, so they give confidentiality, not integrity */
      25  #define FSCRYPT_MODE_AES_256_XTS		1	/* values 2 and 3 are skipped; see the "never used" legacy names at the end of this header */
      26  #define FSCRYPT_MODE_AES_256_CTS		4
      27  #define FSCRYPT_MODE_AES_128_CBC		5
      28  #define FSCRYPT_MODE_AES_128_CTS		6
      29  #define FSCRYPT_MODE_SM4_XTS			7
      30  #define FSCRYPT_MODE_SM4_CTS			8
      31  #define FSCRYPT_MODE_ADIANTUM			9
      32  #define FSCRYPT_MODE_AES_256_HCTR2		10
      33  /* If adding a mode number > 10, update FSCRYPT_MODE_MAX in fscrypt_private.h */
      34  
      35  /*
      36   * Legacy policy version; ad-hoc KDF and no key verification.
      37   * For new encrypted directories, use fscrypt_policy_v2 instead.
      38   *
      39   * Careful: the .version field for this is actually 0, not 1.
      40   */
      41  #define FSCRYPT_POLICY_V1		0	/* value stored in fscrypt_policy_v1::version */
      42  #define FSCRYPT_KEY_DESCRIPTOR_SIZE	8	/* bytes */
      43  struct fscrypt_policy_v1 {
      44  	__u8 version;	/* FSCRYPT_POLICY_V1 */
      45  	__u8 contents_encryption_mode;	/* FSCRYPT_MODE_* for file contents */
      46  	__u8 filenames_encryption_mode;	/* FSCRYPT_MODE_* for filenames */
      47  	__u8 flags;	/* FSCRYPT_POLICY_FLAG* bits */
      48  	__u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];	/* arbitrary label chosen by userspace; not derived from the key, so it cannot confirm that the supplied key is the right one */
      49  };
      50  
      51  /*
      52   * Process-subscribed "logon" key description prefix and payload format.
      53   * Deprecated; prefer FS_IOC_ADD_ENCRYPTION_KEY instead.
      54   */
      55  #define FSCRYPT_KEY_DESC_PREFIX		"fscrypt:"
      56  #define FSCRYPT_KEY_DESC_PREFIX_SIZE	8	/* length of the prefix string above, without the NUL */
      57  #define FSCRYPT_MAX_KEY_SIZE		64	/* bytes; capacity of fscrypt_key::raw */
      58  struct fscrypt_key {
      59  	__u32 mode;	/* NOTE(review): fscrypt.rst describes this field as ignored; confirm before relying on it */
      60  	__u8 raw[FSCRYPT_MAX_KEY_SIZE];	/* raw key bytes: secret material, wipe userspace copies once the key has been handed over */
      61  	__u32 size;	/* presumably the number of bytes of raw[] in use; confirm against fscrypt.rst */
      62  };
      63  
      64  /*
      65   * New policy version with HKDF and key verification (recommended).
      66   */
      67  #define FSCRYPT_POLICY_V2		2	/* value stored in fscrypt_policy_v2::version */
      68  #define FSCRYPT_KEY_IDENTIFIER_SIZE	16	/* bytes */
      69  struct fscrypt_policy_v2 {
      70  	__u8 version;	/* FSCRYPT_POLICY_V2 */
      71  	__u8 contents_encryption_mode;	/* FSCRYPT_MODE_* for file contents */
      72  	__u8 filenames_encryption_mode;	/* FSCRYPT_MODE_* for filenames */
      73  	__u8 flags;	/* FSCRYPT_POLICY_FLAG* bits */
      74  	__u8 __reserved[4];	/* reserved; NOTE(review): expected to be zero-filled by the caller, confirm against fscrypt.rst */
      75  	__u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];	/* identifier the kernel computes from the key itself (see FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER), unlike the free-form v1 descriptor */
      76  };
      77  
      78  /* Struct passed to FS_IOC_GET_ENCRYPTION_POLICY_EX */
      79  struct fscrypt_get_policy_ex_arg {
      80  	__u64 policy_size; /* input/output; presumably space available for policy on input and size actually returned on output, confirm against fscrypt.rst */
      81  	union {
      82  		__u8 version;	/* first byte of both the v1 and v2 layouts, so it tells which member is valid */
      83  		struct fscrypt_policy_v1 v1;
      84  		struct fscrypt_policy_v2 v2;
      85  	} policy; /* output */
      86  };
      87  
      88  /*
      89   * v1 policy keys are specified by an arbitrary 8-byte key "descriptor",
      90   * matching fscrypt_policy_v1::master_key_descriptor.
      91   */
      92  #define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR	1	/* value for fscrypt_key_specifier::type; pairs with u.descriptor */
      93  
      94  /*
      95   * v2 policy keys are specified by a 16-byte key "identifier" which the kernel
      96   * calculates as a cryptographic hash of the key itself,
      97   * matching fscrypt_policy_v2::master_key_identifier.
      98   */
      99  #define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER	2	/* value for fscrypt_key_specifier::type; pairs with u.identifier */
     100  
     101  /*
     102   * Specifies a key, either for v1 or v2 policies.  This doesn't contain the
     103   * actual key itself; this is just the "name" of the key.
     104   */
     105  struct fscrypt_key_specifier {
     106  	__u32 type;	/* one of FSCRYPT_KEY_SPEC_TYPE_* */
     107  	__u32 __reserved;	/* reserved; NOTE(review): expected to be zero, confirm against fscrypt.rst */
     108  	union {
     109  		__u8 __reserved[32]; /* reserve some extra space */
     110  		__u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];	/* used with FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR (v1 policies) */
     111  		__u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];	/* used with FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER (v2 policies) */
     112  	} u;
     113  };
     114  
     115  /*
     116   * Payload of Linux keyring key of type "fscrypt-provisioning", referenced by
     117   * fscrypt_add_key_arg::key_id as an alternative to fscrypt_add_key_arg::raw.
     118   */
     119  struct fscrypt_provisioning_key_payload {
     120  	__u32 type;	/* presumably a FSCRYPT_KEY_SPEC_TYPE_* value; confirm against fscrypt.rst */
     121  	__u32 __reserved;	/* reserved; NOTE(review): expected to be zero, confirm against fscrypt.rst */
     122  	__u8 raw[];	/* flexible array member; carries the bytes that stand in for fscrypt_add_key_arg::raw, i.e. secret key material */
     123  };
     124  
     125  /* Struct passed to FS_IOC_ADD_ENCRYPTION_KEY */
     126  struct fscrypt_add_key_arg {
     127  	struct fscrypt_key_specifier key_spec;	/* names the key being added */
     128  	__u32 raw_size;	/* presumably the byte length of raw[]; confirm against fscrypt.rst */
     129  	__u32 key_id;	/* keyring key of type "fscrypt-provisioning" whose payload is used instead of raw[] */
     130  	__u32 __reserved[8];	/* reserved; NOTE(review): expected to be zero, confirm against fscrypt.rst */
     131  	__u8 raw[];	/* flexible array member for the raw key bytes; wipe the userspace buffer once the ioctl has returned */
     132  };
     133  
     134  /* Struct passed to FS_IOC_REMOVE_ENCRYPTION_KEY (and, per the ioctl definitions in this header, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS) */
     135  struct fscrypt_remove_key_arg {
     136  	struct fscrypt_key_specifier key_spec;	/* names the key to remove */
     137  #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY	0x00000001	/* NOTE(review): per fscrypt.rst some files were still in use, so removal is incomplete */
     138  #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS	0x00000002	/* NOTE(review): per fscrypt.rst only this user's claim was dropped; the key itself remains */
     139  	__u32 removal_status_flags;	/* output: FSCRYPT_KEY_REMOVAL_STATUS_FLAG_* bits; inspect them before treating the key as gone */
     140  	__u32 __reserved[5];	/* reserved; NOTE(review): expected to be zero, confirm against fscrypt.rst */
     141  };
     142  
     143  /* Struct passed to FS_IOC_GET_ENCRYPTION_KEY_STATUS */
     144  struct fscrypt_get_key_status_arg {
     145  	/* input */
     146  	struct fscrypt_key_specifier key_spec;	/* names the key being queried */
     147  	__u32 __reserved[6];	/* reserved input space; NOTE(review): expected to be zero, confirm against fscrypt.rst */
     148  
     149  	/* output */
     150  #define FSCRYPT_KEY_STATUS_ABSENT		1
     151  #define FSCRYPT_KEY_STATUS_PRESENT		2
     152  #define FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED	3	/* presumably the state left behind when removal reported FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY; confirm */
     153  	__u32 status;	/* one of FSCRYPT_KEY_STATUS_* */
     154  #define FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF   0x00000001
     155  	__u32 status_flags;	/* FSCRYPT_KEY_STATUS_FLAG_* bits */
     156  	__u32 user_count;	/* presumably the number of users holding a claim to the key; confirm against fscrypt.rst */
     157  	__u32 __out_reserved[13];	/* reserved output space */
     158  };
     159  
     160  #define FS_IOC_SET_ENCRYPTION_POLICY		_IOR('f', 19, struct fscrypt_policy_v1)	/* NOTE(review): _IOR on a SET looks inverted against the usual _IOR/_IOW convention; the number is ABI, so seccomp/audit tooling should not infer data flow from the direction bits. Size is that of the v1 struct only */
     161  #define FS_IOC_GET_ENCRYPTION_PWSALT		_IOW('f', 20, __u8[16])	/* NOTE(review): _IOW on a GET, same direction-bit caveat */
     162  #define FS_IOC_GET_ENCRYPTION_POLICY		_IOW('f', 21, struct fscrypt_policy_v1)	/* NOTE(review): _IOW on a GET, same direction-bit caveat; v1-sized, see the _EX variant for v2 */
     163  #define FS_IOC_GET_ENCRYPTION_POLICY_EX		_IOWR('f', 22, __u8[9]) /* size + version */
     164  #define FS_IOC_ADD_ENCRYPTION_KEY		_IOWR('f', 23, struct fscrypt_add_key_arg)	/* encoded size covers the fixed header only; raw[] is a flexible array member */
     165  #define FS_IOC_REMOVE_ENCRYPTION_KEY		_IOWR('f', 24, struct fscrypt_remove_key_arg)
     166  #define FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS	_IOWR('f', 25, struct fscrypt_remove_key_arg)	/* same argument struct as FS_IOC_REMOVE_ENCRYPTION_KEY */
     167  #define FS_IOC_GET_ENCRYPTION_KEY_STATUS	_IOWR('f', 26, struct fscrypt_get_key_status_arg)
     168  #define FS_IOC_GET_ENCRYPTION_NONCE		_IOR('f', 27, __u8[16])	/* 16-byte output buffer */
     169  
     170  /**********************************************************************/
     171  
     172  /* old names; don't add anything new here! */
     173  #define fscrypt_policy			fscrypt_policy_v1	/* the unversioned name means the legacy v1 struct, not v2 */
     174  #define FS_KEY_DESCRIPTOR_SIZE		FSCRYPT_KEY_DESCRIPTOR_SIZE
     175  #define FS_POLICY_FLAGS_PAD_4		FSCRYPT_POLICY_FLAGS_PAD_4
     176  #define FS_POLICY_FLAGS_PAD_8		FSCRYPT_POLICY_FLAGS_PAD_8
     177  #define FS_POLICY_FLAGS_PAD_16		FSCRYPT_POLICY_FLAGS_PAD_16
     178  #define FS_POLICY_FLAGS_PAD_32		FSCRYPT_POLICY_FLAGS_PAD_32
     179  #define FS_POLICY_FLAGS_PAD_MASK	FSCRYPT_POLICY_FLAGS_PAD_MASK
     180  #define FS_POLICY_FLAG_DIRECT_KEY	FSCRYPT_POLICY_FLAG_DIRECT_KEY
     181  #define FS_POLICY_FLAGS_VALID		0x07	/* contains old flags only: PAD_MASK | DIRECT_KEY, so the IV_INO_LBLK_* bits are not covered; do not use it to validate v2 flags */
     182  #define FS_ENCRYPTION_MODE_INVALID	0	/* never used */
     183  #define FS_ENCRYPTION_MODE_AES_256_XTS	FSCRYPT_MODE_AES_256_XTS
     184  #define FS_ENCRYPTION_MODE_AES_256_GCM	2	/* never used */
     185  #define FS_ENCRYPTION_MODE_AES_256_CBC	3	/* never used */
     186  #define FS_ENCRYPTION_MODE_AES_256_CTS	FSCRYPT_MODE_AES_256_CTS
     187  #define FS_ENCRYPTION_MODE_AES_128_CBC	FSCRYPT_MODE_AES_128_CBC
     188  #define FS_ENCRYPTION_MODE_AES_128_CTS	FSCRYPT_MODE_AES_128_CTS
     189  #define FS_ENCRYPTION_MODE_ADIANTUM	FSCRYPT_MODE_ADIANTUM
     190  #define FS_KEY_DESC_PREFIX		FSCRYPT_KEY_DESC_PREFIX
     191  #define FS_KEY_DESC_PREFIX_SIZE		FSCRYPT_KEY_DESC_PREFIX_SIZE
     192  #define FS_MAX_KEY_SIZE			FSCRYPT_MAX_KEY_SIZE
     193  
     194  #endif /* _LINUX_FSCRYPT_H */