| Age | Commit message (Collapse) | Author |
|---|
|
There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt". So, let's do that.
Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.
Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones. The corresponding protobuf field
number and name are reserved. We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice. If
anyone does, they should just stop specifying the option.
Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.
|
|
Linux v5.4 and later supports v2 encryption policies. These have
several advantages over v1 encryption policies:
- Their encryption keys can be added/removed to/from the filesystem by
non-root users, thus gaining the benefits of the filesystem keyring
while also retaining support for non-root use.
- They use a more standard, secure, and flexible key derivation
function. Because of this, some future kernel-level fscrypt features
will be implemented for v2 policies only.
- They prevent a denial-of-service attack where a user could associate
the wrong key with another user's encrypted files.
Prepare the fscrypt tool to support v2 encryption policies by:
- Adding a policy_version field to the EncryptionOptions, i.e. to the
config file and to the policy metadata files.
- Using the kernel-specified algorithm to compute the key descriptor for
v2 policies.
- Handling setting and getting v2 policies.
Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.
|
|
Linux v5.4 and later allows fscrypt keys to be added/removed directly
to/from the filesystem via the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and
FS_IOC_REMOVE_ENCRYPTION_KEY. Among other benefits, these fix the key
visibility problems that many users have been running into, where system
services and containers can't access encrypted files.
Allow the user to opt-in to using these new ioctls for their existing
encrypted directories by setting in their /etc/fscrypt.conf:
"use_fs_keyring_for_v1_policies": true
Note that it can't really be on by default, since for v1 policies the
ioctls require root, whereas user keyrings don't. I.e., setting this to
true means that users will need to use 'sudo fscrypt unlock', not
'fscrypt unlock'. v2 policies won't have this restriction.
|
|
|
|
As new encryption modes are being added to the kernel that use 128 bit
keys (see https://patchwork.kernel.org/patch/9741913), we will need the
encryption modes to be more descriptive.
This change breaks backwards compatibility for the protobuf, but that's
fine because we have not released yet.
Change-Id: Ifb58d3d5a42db491f1e5393c12f3d260d9a091de
|
|
This commit adds in IsValid() checks for the metadata structures that
let us enforce stronger invariants than those imposed by the protobuf
package. The main uses of this will be to check that metadata is valid
before writing it to the filesystem, and to check that the filesystem
contains valid metadata before returning it to the user. These functions
also will log the exact reason if the validity checks fail.
To have these checks in the metadata package, all of the various
constants have been moved to a single metadata/constants.go file. The
uses of these constants were changed accordingly.
Finally, this commit standardizes our use of errors so that they always
begin with an appropriate prefix.
Change-Id: I99008e2ee803ebe5f6236eb8d83fc83efcd22718
|
|
This commit adds in the ability to get and set policy data from go using
the GetPolicy and SetPolicy functions. This is done via a patch of the
x/sys/unix package that exposes the filesystem encryption structures.
Note that not all the fields of the PolicyData protocol buffer are
needed to get and set policies. The wrapped_policy_keys are not used and
will be written and read by other components of fscrypt.
To run the policy tests, the environment variable BASE_TEST_DIR must be
set to a directory for testing on a filesystem that supports encryption.
Change-Id: I13b1d983356845f3ffc1945cedf53234218f32e5
|
|
This commit adds in the metadata package. The primary purpose of this
package is to provide the on-disk metadata structures in the form of
protocol buffers. This includes:
- Policy metadata structure
- Protector metadata structure
- Config file structure
- All necessary sub-structures (wrapped keys, parameters, etc)
This commit also adds in an example usage of the Config structure, which
represents the structure of the global config file. All the package
does at this point is convert between the Config structure and a JSON
representation.
Here we introduce govendor, which is described more in the README. This
means we will have all of our Go dependencies in the vendor
subdirectory. This means we will have no Go source dependencies, only
dependencies on the build tools (Go and govendor). The README describes
this in detail.
Note that we commit the generated files.
see: https://blog.golang.org/generate
Change-Id: Iaacd46666b5d3e4e865a0f4045dd63ed7e3d6f96
|
