2022-04-18 07:00:05

by 常凤楠

Subject: [PATCH 1/3] blk-crypto: introduce blk_crypto_supported

Introduce blk_crypto_supported. Filesystems may use this to check whether
the storage device supports inline encryption.

Signed-off-by: Fengnan Chang <[email protected]>
---
block/blk-crypto.c | 6 +++++-
include/linux/blk-crypto.h | 5 +++++
2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/block/blk-crypto.c b/block/blk-crypto.c
index a496aaef85ba..bef0833f9621 100644
--- a/block/blk-crypto.c
+++ b/block/blk-crypto.c
@@ -363,7 +363,11 @@ bool blk_crypto_config_supported(struct request_queue *q,
return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) ||
__blk_crypto_cfg_supported(q->crypto_profile, cfg);
}
-
+bool blk_crypto_supported(struct request_queue *q)
+{
+ return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) ||
+ q->crypto_profile;
+}
/**
* blk_crypto_start_using_key() - Start using a blk_crypto_key on a device
* @key: A key to use on the device
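
Review bot: blk_crypto_supported() returns true whenever CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK is enabled, and otherwise for any non-NULL q->crypto_profile, so a true result says nothing about whether the device can handle a particular crypto mode; blk_crypto_config_supported() just above passes a specific cfg to __blk_crypto_cfg_supported() for that reason. With the fallback built in, the callers added later in this series can never see false. If the intent is "the hardware has a crypto profile", drop the fallback term and name the helper accordingly. The new function also has no kernel-doc comment, unlike the blk_crypto_start_using_key() block that follows, and the blank line that separated the two functions is removed; keep a blank line on both sides.
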
diff --git a/include/linux/blk-crypto.h b/include/linux/blk-crypto.h
index 69b24fe92cbf..6806cef24d0f 100644
--- a/include/linux/blk-crypto.h
+++ b/include/linux/blk-crypto.h
@@ -103,6 +103,7 @@ int blk_crypto_evict_key(struct request_queue *q,
bool blk_crypto_config_supported(struct request_queue *q,
const struct blk_crypto_config *cfg);

+bool blk_crypto_supported(struct request_queue *q);
#else /* CONFIG_BLK_INLINE_ENCRYPTION */

static inline bool bio_has_crypt_ctx(struct bio *bio)
@@ -110,6 +111,10 @@ static inline bool bio_has_crypt_ctx(struct bio *bio)
return false;
}

+static inline bool blk_crypto_supported(struct request_queue *q)
+{
+ return false;
+}
#endif /* CONFIG_BLK_INLINE_ENCRYPTION */

int __bio_crypt_clone(struct bio *dst, struct bio *src, gfp_t gfp_mask);
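
Review bot: the !CONFIG_BLK_INLINE_ENCRYPTION stub is placed directly against #endif, and the prototype in the previous hunk directly against #else, while the neighbouring declarations are separated by blank lines; add a blank line after each. A short comment on the prototype stating what "supported" means here (fallback included or not) would tell callers what a true result allows them to assume.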
--
2.32.0


2022-04-18 08:35:28

by 常凤楠

Subject: [PATCH 3/3] ext4: notify when device not support inlinecrypt

Notify when mounting a filesystem with the -o inlinecrypt option, but the
device does not support inlinecrypt.

Signed-off-by: Fengnan Chang <[email protected]>
---
fs/ext4/super.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 81749eaddf4c..f91454d3a877 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -48,6 +48,7 @@
#include <linux/fsnotify.h>
#include <linux/fs_context.h>
#include <linux/fs_parser.h>
+#include <linux/blk-crypto.h>

#include "ext4.h"
#include "ext4_extents.h" /* Needed for trace points definition */
@@ -5466,6 +5467,17 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
"the device does not support discard");
}

+#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
+ if (sb->s_flags & SB_INLINECRYPT) {
+ struct request_queue *q = bdev_get_queue(sb->s_bdev);
+
+ if (!blk_crypto_supported(q)) {
+ ext4_msg(sb, KERN_WARNING,
+ "mounting with \"inlinecrypt\" option, but the device does not support inlinecrypt");
+ sb->s_flags &= ~SB_INLINECRYPT;
+ }
+ }
+#endif
+
if (es->s_error_count)
mod_timer(&sbi->s_err_report, jiffies + 300*HZ); /* 5 minutes */
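
Review bot: clearing SB_INLINECRYPT in this block turns a per-file decision into a device-wide one. blk_crypto_supported(q) only reports that a crypto profile (or the fallback) exists, not that the mode used by a given file is supported, and the replies in this thread point out that the inlinecrypt option applies only to files where inline encryption can be used. Consider logging without clearing the flag, or checking a concrete configuration with blk_crypto_config_supported(). This hunk also logs at KERN_WARNING while the f2fs patch reports the same condition with f2fs_info(); use one level for both.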

--
2.32.0

2022-04-18 12:39:30

by 常凤楠

Subject: [PATCH 2/3] f2fs: notify when device not support inlinecrypt

Notify when mounting a filesystem with the -o inlinecrypt option, but the
device does not support inlinecrypt.

Signed-off-by: Fengnan Chang <[email protected]>
---
fs/f2fs/f2fs.h | 18 ++++++++++++++++++
fs/f2fs/super.c | 7 +++++++
2 files changed, 25 insertions(+)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 38cbed0f544e..dc27a708c283 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -27,6 +27,7 @@

#include <linux/fscrypt.h>
#include <linux/fsverity.h>
+#include <linux/blk-crypto.h>

struct pagevec;

@@ -4395,6 +4396,23 @@ static inline bool f2fs_realtime_discard_enable(struct f2fs_sb_info *sbi)
f2fs_hw_should_discard(sbi);
}

+#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
+static inline bool f2fs_hw_support_crypto(struct f2fs_sb_info *sbi)
+{
+ int i;
+
+ if (!f2fs_is_multi_device(sbi))
+ if (!blk_crypto_supported(bdev_get_queue(sbi->sb->s_bdev)))
+ return false;
+
+ for (i = 0; i < sbi->s_ndevs; i++)
+ if (!blk_crypto_supported(bdev_get_queue(FDEV(i).bdev)))
+ return false;
+
+ return true;
+}
+#endif
+
static inline bool f2fs_hw_is_readonly(struct f2fs_sb_info *sbi)
{
int i;
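
Review bot: in f2fs_hw_support_crypto() the single-device case is a nested, unbraced if that falls through into the s_ndevs loop, so the result is right only because that loop is expected to be empty for a single device. Return directly instead: "if (!f2fs_is_multi_device(sbi)) return blk_crypto_supported(bdev_get_queue(sbi->sb->s_bdev));". The helper is also defined only under CONFIG_FS_ENCRYPTION_INLINE_CRYPT with no stub for the other case, which forces the #ifdef at the call site in super.c; providing a stub would let the caller drop it.
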
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 4368f90571bd..624d8791b82d 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1275,6 +1275,13 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount)
}
#endif

+#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
+ if ((sb->s_flags & SB_INLINECRYPT) && !f2fs_hw_support_crypto(sbi)) {
+ f2fs_info(sbi, "mounting with \"inlinecrypt\" option, but the device does not support inlinecrypt");
+ sb->s_flags &= ~SB_INLINECRYPT;
+ }
+#endif
+
if (F2FS_IO_SIZE_BITS(sbi) && !f2fs_lfs_mode(sbi)) {
f2fs_err(sbi, "Should set mode=lfs with %uKB-sized IO",
F2FS_IO_SIZE_KB(sbi));
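
Review bot: this check sits in parse_options(), which the hunk header shows takes is_remount, so the message and the flag clear run on remount as well as at mount. Please confirm that sbi->s_ndevs and FDEV(i) are already populated when parse_options() runs at first mount; if they are not, the additional devices of a multi-device filesystem are never checked by f2fs_hw_support_crypto(). The condition is logged with f2fs_info() here while the ext4 patch uses KERN_WARNING for the same message.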
--
2.32.0

2022-04-18 23:25:48

by Theodore Ts'o

Subject: Re: [PATCH 2/3] f2fs: notify when device not support inlinecrypt

On Mon, Apr 18, 2022 at 03:27:16PM -0700, Eric Biggers wrote:
> > When I test fscrypt first, it makes me confused. Not a real problem, just make this logic more reasonable.
> > Do you think this needs to be revised?
>
> Well, I'm just not sure we should do this, or at least by itself, given that
> support for inline encryption is not an either-or thing, and the inlinecrypt
> mount option is already documented to apply only to files where inline
> encryption can be used.

Indeed; some encryption algorithms won't be available because they
weren't compiled into the kernel; others because the block device for a
particular file system doesn't support inline crypto.

It seems to me that the test or the test runner should be able to
figure this out. It should be able to explicitly try to set a
particular policy, and if that policy fails, it should give an
intelligent message, e.g., "Skipping this test config because
inline-crypto isn't supported."

Why can't we fix this in the test runner's scripts?

- Ted

2022-04-19 05:11:56

by Eric Biggers

Subject: Re: [PATCH 2/3] f2fs: notify when device not support inlinecrypt

On Tue, Apr 19, 2022 at 03:14:51AM +0000, 常凤楠 wrote:
>
> Thanks for your explanation, this patchset has too many cases to forget to handle...
> Back to my first thought, maybe there should be one sysfs node to indicate whether the
> device supports inlinecrypt or not? So the user can know it's the device not supporting inlinecrypt
> and not for other reasons.
>

Linux v5.18 has that. See https://git.kernel.org/linus/20f01f1632036660
("blk-crypto: show crypto capabilities in sysfs").

- Eric
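
A test-runner check of the kind Ted asks for, built on the sysfs directory Eric points to, as an added example that is not part of the thread or of any test suite. It assumes the v5.18 layout /sys/block/<disk>/queue/crypto/modes/<mode>; SYSFS_ROOT and both function names are hypothetical and exist so the logic can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: decide whether a test config that needs inline encryption
# should run on a given disk, from the blk-crypto sysfs directory.
# SYSFS_ROOT is an assumption of this example (override for offline testing).
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# inlinecrypt_status DISK MODE
# Prints one of:
#   supported     - DISK advertises MODE under queue/crypto/modes
#   mode-missing  - DISK has a crypto directory but MODE is not listed
#   no-hw-support - no queue/crypto directory (no profile, or kernel < 5.18)
#   no-such-disk  - DISK has no queue directory at all
inlinecrypt_status() {
    disk=$1
    mode=$2
    qdir="$SYSFS_ROOT/block/$disk/queue"
    [ -d "$qdir" ] || { echo no-such-disk; return; }
    [ -d "$qdir/crypto" ] || { echo no-hw-support; return; }
    if [ -e "$qdir/crypto/modes/$mode" ]; then
        echo supported
    else
        echo mode-missing
    fi
}

# require_inlinecrypt DISK MODE
# Returns 0 when the test config can run, 1 (with a reason on stderr)
# when it should be skipped. The reason separates "device cannot do it"
# from "device can, but not this mode".
require_inlinecrypt() {
    status=$(inlinecrypt_status "$1" "$2")
    [ "$status" = supported ] && return 0
    echo "Skipping this test config because inline-crypto isn't supported" \
         "($1, $2: $status)" >&2
    return 1
}
```

A runner would call `require_inlinecrypt sda AES-256-XTS || exit 0` before mounting with `-o inlinecrypt`; the mode name is whatever file name the kernel lists under `modes/` on the target device.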

2022-04-19 08:14:21

by 常凤楠

Subject: RE: [PATCH 2/3] f2fs: notify when device not support inlinecrypt

> -----Original Message-----
> From: Eric Biggers <[email protected]>
> Sent: Tuesday, April 19, 2022 11:19 AM
> To: 常凤楠 <[email protected]>
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]
> Subject: Re: [PATCH 2/3] f2fs: notify when device not support inlinecrypt
>
> On Tue, Apr 19, 2022 at 03:14:51AM +0000, 常凤楠 wrote:
> >
> > Thanks for your explanation, this patchset has too many cases to forget to
> > handle...
> > Back to my first thought, maybe there should be one sysfs node to
> > indicate whether the device supports inlinecrypt or not? So the user can know it's
> > the device not supporting inlinecrypt and not for other reasons.
> >
>
> Linux v5.18 has that. See https://git.kernel.org/linus/20f01f1632036660
> ("blk-crypto: show crypto capabilities in sysfs").
Oh, I see, thanks a lot.

>
> - Eric