ANDROID: ext4: allow encrypting filenames using HEH algorithm

Update ext4 encryption to allow filenames to be encrypted using the
Hash-Encrypt-Hash (HEH) block cipher mode of operation, which is
believed to be more secure than CBC, particularly within the constant
initialization vector (IV) constraint of filename encryption.  Notably,
HEH avoids the "common prefix" problem of CBC.  Both algorithms use
AES-256 as the underlying block cipher and take a 256-bit key.

We assign mode number 126 to HEH, just below 127
(EXT4_ENCRYPTION_MODE_PRIVATE) which in some kernels is reserved for
inline encryption on MSM chipsets.  Note that these modes are not yet
upstream, which is why these numbers are being used; it's preferable to
avoid collisions with modes that may be added upstream.  Also, although
HEH is not hardware-specific, we aren't currently reserving mode number
5 for HEH upstream, since for now we are tying HEH to the new key
derivation method which might become an independent flag upstream, and
there's also a chance that details of HEH will change after it gets
wider review.

Bug: 32975945
Signed-off-by: Eric Biggers <ebiggers@google.com>
Change-Id: I81418709d47da0e0ac607ae3f91088063c2d5dd4

diff --git a/fs/ext4/Kconfig b/fs/ext4/Kconfig
index b46e9fc641960aeba81b48d61b6e933d724b5205..3c8293215603fbc34c1764d38492df083233f05f 100644 (file)
--- a/fs/ext4/Kconfig
+++ b/fs/ext4/Kconfig
@@ -106,6 +106,7 @@ config EXT4_ENCRYPTION
        select CRYPTO_ECB
        select CRYPTO_XTS
        select CRYPTO_CTS
+       select CRYPTO_HEH
        select CRYPTO_CTR
        select CRYPTO_SHA256
        select KEYS

diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c
index 2fbef8a14760f4095300c9fdc0edcdc2909f4a65..e2645ca9b95e0651a34bab34405b68b4dc03f740 100644 (file)
--- a/fs/ext4/crypto_fname.c
+++ b/fs/ext4/crypto_fname.c
@@ -44,7 +44,8 @@ static void ext4_dir_crypt_complete(struct crypto_async_request *req, int res)
 
 bool ext4_valid_filenames_enc_mode(uint32_t mode)
 {
-       return (mode == EXT4_ENCRYPTION_MODE_AES_256_CTS);
+       return (mode == EXT4_ENCRYPTION_MODE_AES_256_CTS ||
+               mode == EXT4_ENCRYPTION_MODE_AES_256_HEH);
 }
 
 static unsigned max_name_len(struct inode *inode)

diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c
index 505f8afde57c769819c985ef7afbe177daabf5b2..20e7f1f502838ff43ea59110bb3db61498d72592 100644 (file)
--- a/fs/ext4/crypto_key.c
+++ b/fs/ext4/crypto_key.c
@@ -172,6 +172,9 @@ int ext4_get_encryption_info(struct inode *inode)
        case EXT4_ENCRYPTION_MODE_AES_256_CTS:
                cipher_str = "cts(cbc(aes))";
                break;
+       case EXT4_ENCRYPTION_MODE_AES_256_HEH:
+               cipher_str = "heh(aes)";
+               break;
        default:
                printk_once(KERN_WARNING
                            "ext4: unsupported key mode %d (ino %u)\n",

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index de05f161c8501097688dad183f45b25e1e8ca875..ac720a31e4ff9e478acb6178a7f38c994b3e55a4 100644 (file)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -589,6 +589,7 @@ enum {
 #define EXT4_ENCRYPTION_MODE_AES_256_GCM       2
 #define EXT4_ENCRYPTION_MODE_AES_256_CBC       3
 #define EXT4_ENCRYPTION_MODE_AES_256_CTS       4
+#define EXT4_ENCRYPTION_MODE_AES_256_HEH       126
 
 #include "ext4_crypto.h"
 

diff --git a/fs/ext4/ext4_crypto.h b/fs/ext4/ext4_crypto.h
index 1b17b05b9f4d7f3bb4c98ffc29fc7b24a64044c2..acdeb3e032d3a19e1273e62be34c4bda606db1ec 100644 (file)
--- a/fs/ext4/ext4_crypto.h
+++ b/fs/ext4/ext4_crypto.h
@@ -60,6 +60,7 @@ struct ext4_encryption_context {
 #define EXT4_AES_256_GCM_KEY_SIZE 32
 #define EXT4_AES_256_CBC_KEY_SIZE 32
 #define EXT4_AES_256_CTS_KEY_SIZE 32
+#define EXT4_AES_256_HEH_KEY_SIZE 32
 #define EXT4_AES_256_XTS_KEY_SIZE 64
 #define EXT4_MAX_KEY_SIZE 64
 
@@ -120,6 +121,8 @@ static inline int ext4_encryption_key_size(int mode)
                return EXT4_AES_256_CBC_KEY_SIZE;
        case EXT4_ENCRYPTION_MODE_AES_256_CTS:
                return EXT4_AES_256_CTS_KEY_SIZE;
+       case EXT4_ENCRYPTION_MODE_AES_256_HEH:
+               return EXT4_AES_256_HEH_KEY_SIZE;
        default:
                BUG();
        }