cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

usnjrnl.h (8593B)

      1/* SPDX-License-Identifier: GPL-2.0-or-later */
      2/*
      3 * usnjrnl.h - Defines for NTFS kernel transaction log ($UsnJrnl) handling.
      4 *	       Part of the Linux-NTFS project.
      5 *
      6 * Copyright (c) 2005 Anton Altaparmakov
      7 */
      8
      9#ifndef _LINUX_NTFS_USNJRNL_H
     10#define _LINUX_NTFS_USNJRNL_H
     11
     12#ifdef NTFS_RW
     13
     14#include "types.h"
     15#include "endian.h"
     16#include "layout.h"
     17#include "volume.h"
     18
     19/*
     20 * Transaction log ($UsnJrnl) organization:
     21 *
     22 * The transaction log records whenever a file is modified in any way.  So for
     23 * example it will record that file "blah" was written to at a particular time
     24 * but not what was written.  If will record that a file was deleted or
     25 * created, that a file was truncated, etc.  See below for all the reason
     26 * codes used.
     27 *
     28 * The transaction log is in the $Extend directory which is in the root
     29 * directory of each volume.  If it is not present it means transaction
     30 * logging is disabled.  If it is present it means transaction logging is
     31 * either enabled or in the process of being disabled in which case we can
     32 * ignore it as it will go away as soon as Windows gets its hands on it.
     33 *
     34 * To determine whether the transaction logging is enabled or in the process
     35 * of being disabled, need to check the volume flags in the
     36 * $VOLUME_INFORMATION attribute in the $Volume system file (which is present
     37 * in the root directory and has a fixed mft record number, see layout.h).
     38 * If the flag VOLUME_DELETE_USN_UNDERWAY is set it means the transaction log
     39 * is in the process of being disabled and if this flag is clear it means the
     40 * transaction log is enabled.
     41 *
     42 * The transaction log consists of two parts; the $DATA/$Max attribute as well
     43 * as the $DATA/$J attribute.  $Max is a header describing the transaction
     44 * log whilst $J is the transaction log data itself as a sequence of variable
     45 * sized USN_RECORDs (see below for all the structures).
     46 *
     47 * We do not care about transaction logging at this point in time but we still
     48 * need to let windows know that the transaction log is out of date.  To do
     49 * this we need to stamp the transaction log.  This involves setting the
     50 * lowest_valid_usn field in the $DATA/$Max attribute to the usn to be used
     51 * for the next added USN_RECORD to the $DATA/$J attribute as well as
     52 * generating a new journal_id in $DATA/$Max.
     53 *
     54 * The journal_id is as of the current version (2.0) of the transaction log
     55 * simply the 64-bit timestamp of when the journal was either created or last
     56 * stamped.
     57 *
     58 * To determine the next usn there are two ways.  The first is to parse
     59 * $DATA/$J and to find the last USN_RECORD in it and to add its record_length
     60 * to its usn (which is the byte offset in the $DATA/$J attribute).  The
     61 * second is simply to take the data size of the attribute.  Since the usns
     62 * are simply byte offsets into $DATA/$J, this is exactly the next usn.  For
     63 * obvious reasons we use the second method as it is much simpler and faster.
     64 *
     65 * As an aside, note that to actually disable the transaction log, one would
     66 * need to set the VOLUME_DELETE_USN_UNDERWAY flag (see above), then go
     67 * through all the mft records on the volume and set the usn field in their
     68 * $STANDARD_INFORMATION attribute to zero.  Once that is done, one would need
     69 * to delete the transaction log file, i.e. \$Extent\$UsnJrnl, and finally,
     70 * one would need to clear the VOLUME_DELETE_USN_UNDERWAY flag.
     71 *
     72 * Note that if a volume is unmounted whilst the transaction log is being
     73 * disabled, the process will continue the next time the volume is mounted.
     74 * This is why we can safely mount read-write when we see a transaction log
     75 * in the process of being deleted.
     76 */
     77
     78/* Some $UsnJrnl related constants. */
     79#define UsnJrnlMajorVer		2
     80#define UsnJrnlMinorVer		0
     81
     82/*
     83 * $DATA/$Max attribute.  This is (always?) resident and has a fixed size of
     84 * 32 bytes.  It contains the header describing the transaction log.
     85 */
     86typedef struct {
     87/*Ofs*/
     88/*   0*/sle64 maximum_size;	/* The maximum on-disk size of the $DATA/$J
     89				   attribute. */
     90/*   8*/sle64 allocation_delta;	/* Number of bytes by which to increase the
     91				   size of the $DATA/$J attribute. */
     92/*0x10*/sle64 journal_id;	/* Current id of the transaction log. */
     93/*0x18*/leUSN lowest_valid_usn;	/* Lowest valid usn in $DATA/$J for the
     94				   current journal_id. */
     95/* sizeof() = 32 (0x20) bytes */
     96} __attribute__ ((__packed__)) USN_HEADER;
     97
     98/*
     99 * Reason flags (32-bit).  Cumulative flags describing the change(s) to the
    100 * file since it was last opened.  I think the names speak for themselves but
    101 * if you disagree check out the descriptions in the Linux NTFS project NTFS
    102 * documentation: http://www.linux-ntfs.org/
    103 */
    104enum {
    105	USN_REASON_DATA_OVERWRITE	= cpu_to_le32(0x00000001),
    106	USN_REASON_DATA_EXTEND		= cpu_to_le32(0x00000002),
    107	USN_REASON_DATA_TRUNCATION	= cpu_to_le32(0x00000004),
    108	USN_REASON_NAMED_DATA_OVERWRITE	= cpu_to_le32(0x00000010),
    109	USN_REASON_NAMED_DATA_EXTEND	= cpu_to_le32(0x00000020),
    110	USN_REASON_NAMED_DATA_TRUNCATION= cpu_to_le32(0x00000040),
    111	USN_REASON_FILE_CREATE		= cpu_to_le32(0x00000100),
    112	USN_REASON_FILE_DELETE		= cpu_to_le32(0x00000200),
    113	USN_REASON_EA_CHANGE		= cpu_to_le32(0x00000400),
    114	USN_REASON_SECURITY_CHANGE	= cpu_to_le32(0x00000800),
    115	USN_REASON_RENAME_OLD_NAME	= cpu_to_le32(0x00001000),
    116	USN_REASON_RENAME_NEW_NAME	= cpu_to_le32(0x00002000),
    117	USN_REASON_INDEXABLE_CHANGE	= cpu_to_le32(0x00004000),
    118	USN_REASON_BASIC_INFO_CHANGE	= cpu_to_le32(0x00008000),
    119	USN_REASON_HARD_LINK_CHANGE	= cpu_to_le32(0x00010000),
    120	USN_REASON_COMPRESSION_CHANGE	= cpu_to_le32(0x00020000),
    121	USN_REASON_ENCRYPTION_CHANGE	= cpu_to_le32(0x00040000),
    122	USN_REASON_OBJECT_ID_CHANGE	= cpu_to_le32(0x00080000),
    123	USN_REASON_REPARSE_POINT_CHANGE	= cpu_to_le32(0x00100000),
    124	USN_REASON_STREAM_CHANGE	= cpu_to_le32(0x00200000),
    125	USN_REASON_CLOSE		= cpu_to_le32(0x80000000),
    126};
    127
    128typedef le32 USN_REASON_FLAGS;
    129
    130/*
    131 * Source info flags (32-bit).  Information about the source of the change(s)
    132 * to the file.  For detailed descriptions of what these mean, see the Linux
    133 * NTFS project NTFS documentation:
    134 *	http://www.linux-ntfs.org/
    135 */
    136enum {
    137	USN_SOURCE_DATA_MANAGEMENT	  = cpu_to_le32(0x00000001),
    138	USN_SOURCE_AUXILIARY_DATA	  = cpu_to_le32(0x00000002),
    139	USN_SOURCE_REPLICATION_MANAGEMENT = cpu_to_le32(0x00000004),
    140};
    141
    142typedef le32 USN_SOURCE_INFO_FLAGS;
    143
    144/*
    145 * $DATA/$J attribute.  This is always non-resident, is marked as sparse, and
    146 * is of variabled size.  It consists of a sequence of variable size
    147 * USN_RECORDS.  The minimum allocated_size is allocation_delta as
    148 * specified in $DATA/$Max.  When the maximum_size specified in $DATA/$Max is
    149 * exceeded by more than allocation_delta bytes, allocation_delta bytes are
    150 * allocated and appended to the $DATA/$J attribute and an equal number of
    151 * bytes at the beginning of the attribute are freed and made sparse.  Note the
    152 * making sparse only happens at volume checkpoints and hence the actual
    153 * $DATA/$J size can exceed maximum_size + allocation_delta temporarily.
    154 */
    155typedef struct {
    156/*Ofs*/
    157/*   0*/le32 length;		/* Byte size of this record (8-byte
    158				   aligned). */
    159/*   4*/le16 major_ver;		/* Major version of the transaction log used
    160				   for this record. */
    161/*   6*/le16 minor_ver;		/* Minor version of the transaction log used
    162				   for this record. */
    163/*   8*/leMFT_REF mft_reference;/* The mft reference of the file (or
    164				   directory) described by this record. */
    165/*0x10*/leMFT_REF parent_directory;/* The mft reference of the parent
    166				   directory of the file described by this
    167				   record. */
    168/*0x18*/leUSN usn;		/* The usn of this record.  Equals the offset
    169				   within the $DATA/$J attribute. */
    170/*0x20*/sle64 time;		/* Time when this record was created. */
    171/*0x28*/USN_REASON_FLAGS reason;/* Reason flags (see above). */
    172/*0x2c*/USN_SOURCE_INFO_FLAGS source_info;/* Source info flags (see above). */
    173/*0x30*/le32 security_id;	/* File security_id copied from
    174				   $STANDARD_INFORMATION. */
    175/*0x34*/FILE_ATTR_FLAGS file_attributes;	/* File attributes copied from
    176				   $STANDARD_INFORMATION or $FILE_NAME (not
    177				   sure which). */
    178/*0x38*/le16 file_name_size;	/* Size of the file name in bytes. */
    179/*0x3a*/le16 file_name_offset;	/* Offset to the file name in bytes from the
    180				   start of this record. */
    181/*0x3c*/ntfschar file_name[0];	/* Use when creating only.  When reading use
    182				   file_name_offset to determine the location
    183				   of the name. */
    184/* sizeof() = 60 (0x3c) bytes */
    185} __attribute__ ((__packed__)) USN_RECORD;
    186
    187extern bool ntfs_stamp_usnjrnl(ntfs_volume *vol);
    188
    189#endif /* NTFS_RW */
    190
    191#endif /* _LINUX_NTFS_USNJRNL_H */