Metadata support for v2 encryption policies

Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.

1 files changed, 4 insertions, 0 deletions

diff --git a/actions/config.go b/actions/config.go
index 7fdaf5b..6b019df 100644
--- a/actions/config.go
+++ b/actions/config.go
@@ -133,6 +133,10 @@ func getConfig() (*metadata.Config, error) {
 		config.Options.Filenames = metadata.DefaultOptions.Filenames
 		log.Printf("Falling back to filenames mode of %q", config.Options.Filenames)
 	}
+	if config.Options.PolicyVersion == 0 {
+		config.Options.PolicyVersion = metadata.DefaultOptions.PolicyVersion
+		log.Printf("Falling back to policy version of %d", config.Options.PolicyVersion)
+	}
 
 	if err := config.CheckValidity(); err != nil {
 		return nil, errors.Wrap(ErrBadConfigFile, err.Error())