cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

fscrypt.h (6638B)


      1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
      2/*
      3 * fscrypt user API
      4 *
      5 * These ioctls can be used on filesystems that support fscrypt.  See the
      6 * "User API" section of Documentation/filesystems/fscrypt.rst.
      7 */
      8#ifndef _UAPI_LINUX_FSCRYPT_H
      9#define _UAPI_LINUX_FSCRYPT_H
     10
     11#include <linux/ioctl.h>
     12#include <linux/types.h>
     13
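/*
 * Encryption policy flags.
 *
 * The low two bits (FSCRYPT_POLICY_FLAGS_PAD_MASK) hold exactly one of the
 * FSCRYPT_POLICY_FLAGS_PAD_* values; every other flag is an independent
 * single bit above the mask.  Extract the padding choice with
 * (flags & FSCRYPT_POLICY_FLAGS_PAD_MASK) rather than testing PAD_* values
 * as bits: FSCRYPT_POLICY_FLAGS_PAD_4 is 0 and can never be "set".
 *
 * NOTE(review): these are presumably the values carried in the one-byte
 * 'flags' field of struct fscrypt_policy_v1 / struct fscrypt_policy_v2.
 * The DIRECT_KEY and IV_INO_LBLK_* names suggest alternative key and IV
 * derivation schemes, but this header does not define their semantics;
 * confirm against Documentation/filesystems/fscrypt.rst before setting
 * any of them.
 */
#define FSCRYPT_POLICY_FLAGS_PAD_4		0x00
#define FSCRYPT_POLICY_FLAGS_PAD_8		0x01
#define FSCRYPT_POLICY_FLAGS_PAD_16		0x02
#define FSCRYPT_POLICY_FLAGS_PAD_32		0x03
#define FSCRYPT_POLICY_FLAGS_PAD_MASK		0x03
#define FSCRYPT_POLICY_FLAG_DIRECT_KEY		0x04
#define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64	0x08
#define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32	0x10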
     23
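/*
 * Encryption algorithms.
 *
 * These mode numbers are userspace ABI.  The values missing from this list
 * (0, 2, 3, 7 and 8) appear under the legacy FS_ENCRYPTION_MODE_* names at
 * the end of this header, marked "never used" or "removed".
 *
 * NOTE(review): presumably these are the values accepted in the
 * contents_encryption_mode and filenames_encryption_mode policy fields;
 * which mode is valid for which field is not stated in this header.
 * Validate a mode against this list explicitly instead of range-checking
 * 1..9, since the range contains the unassigned numbers above.
 */
#define FSCRYPT_MODE_AES_256_XTS		1
#define FSCRYPT_MODE_AES_256_CTS		4
#define FSCRYPT_MODE_AES_128_CBC		5
#define FSCRYPT_MODE_AES_128_CTS		6
#define FSCRYPT_MODE_ADIANTUM			9
/* If adding a mode number > 9, update FSCRYPT_MODE_MAX in fscrypt_private.h */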
     31
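/*
 * Legacy policy version; ad-hoc KDF and no key verification.
 * For new encrypted directories, use fscrypt_policy_v2 instead.
 *
 * Careful: the .version field for this is actually 0, not 1.
 *
 * The layout is ABI: four one-byte fields followed by the 8-byte
 * master_key_descriptor, 12 bytes in total with no padding.
 *
 * The descriptor is an arbitrary 8-byte name (see
 * FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR), not a value derived from the key.
 *
 * NOTE(review): the mapping of fields to constants given below is inferred
 * from the names in this header; confirm against
 * Documentation/filesystems/fscrypt.rst.
 */
#define FSCRYPT_POLICY_V1		0
#define FSCRYPT_KEY_DESCRIPTOR_SIZE	8
struct fscrypt_policy_v1 {
	__u8 version;			/* FSCRYPT_POLICY_V1, i.e. 0 */
	__u8 contents_encryption_mode;	/* presumably FSCRYPT_MODE_* */
	__u8 filenames_encryption_mode;	/* presumably FSCRYPT_MODE_* */
	__u8 flags;			/* presumably FSCRYPT_POLICY_FLAG* */
	__u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
};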
     47
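/*
 * Process-subscribed "logon" key description prefix and payload format.
 * Deprecated; prefer FS_IOC_ADD_ENCRYPTION_KEY instead.
 *
 * FSCRYPT_KEY_DESC_PREFIX_SIZE is the length of FSCRYPT_KEY_DESC_PREFIX
 * without its terminating NUL.
 *
 * struct fscrypt_key holds raw key bytes inline in 'raw', so every copy of
 * this struct in a userspace buffer is key material.
 *
 * NOTE(review): wipe such buffers with a clear the compiler cannot elide
 * (e.g. explicit_bzero()) once the payload has been handed over, and keep
 * them out of logs and core dumps.
 */
#define FSCRYPT_KEY_DESC_PREFIX		"fscrypt:"
#define FSCRYPT_KEY_DESC_PREFIX_SIZE	8
#define FSCRYPT_MAX_KEY_SIZE		64
struct fscrypt_key {
	__u32 mode;
	__u8 raw[FSCRYPT_MAX_KEY_SIZE];	/* raw key bytes */
	__u32 size;	/* presumably the number of valid bytes in raw - confirm */
};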
     60
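/*
 * New policy version with HKDF and key verification (recommended).
 *
 * The layout is ABI: four one-byte fields, four reserved bytes, then the
 * 16-byte master_key_identifier, 24 bytes in total with no padding.
 *
 * Unlike the v1 descriptor, the identifier is calculated by the kernel as
 * a cryptographic hash of the key itself (see
 * FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER).
 *
 * NOTE(review): the mapping of fields to constants given below is inferred
 * from the names in this header; confirm against
 * Documentation/filesystems/fscrypt.rst.
 */
#define FSCRYPT_POLICY_V2		2
#define FSCRYPT_KEY_IDENTIFIER_SIZE	16
struct fscrypt_policy_v2 {
	__u8 version;			/* FSCRYPT_POLICY_V2 */
	__u8 contents_encryption_mode;	/* presumably FSCRYPT_MODE_* */
	__u8 filenames_encryption_mode;	/* presumably FSCRYPT_MODE_* */
	__u8 flags;			/* presumably FSCRYPT_POLICY_FLAG* */
	__u8 __reserved[4];		/* presumably must be zero - confirm */
	__u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
};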
     74
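/*
 * Struct passed to FS_IOC_GET_ENCRYPTION_POLICY_EX.
 *
 * policy_size is both an input and an output; the policy union is output
 * only.  Every member of the union starts with the one-byte version, so
 * policy.version can be read first to decide whether policy.v1 or
 * policy.v2 is the valid view.
 *
 * NOTE(review): presumably the caller sets policy_size to the space it
 * provides for 'policy' and the kernel writes back the size it filled in;
 * confirm in Documentation/filesystems/fscrypt.rst.  Check policy.version
 * before reading the v1 or v2 view.
 */
struct fscrypt_get_policy_ex_arg {
	__u64 policy_size; /* input/output */
	union {
		__u8 version;
		struct fscrypt_policy_v1 v1;
		struct fscrypt_policy_v2 v2;
	} policy; /* output */
};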
     84
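/*
 * v1 policy keys are specified by an arbitrary 8-byte key "descriptor",
 * matching fscrypt_policy_v1::master_key_descriptor.
 *
 * Because the descriptor is arbitrary, it identifies a key by name only
 * and says nothing about the key's contents.
 */
#define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR	1

/*
 * v2 policy keys are specified by a 16-byte key "identifier" which the kernel
 * calculates as a cryptographic hash of the key itself,
 * matching fscrypt_policy_v2::master_key_identifier.
 */
#define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER	2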
     97
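/*
 * Specifies a key, either for v1 or v2 policies.  This doesn't contain the
 * actual key itself; this is just the "name" of the key.
 *
 * 'type' selects which member of the union is meaningful: 'descriptor'
 * (8 bytes) or 'identifier' (16 bytes).  The union is padded to 32 bytes,
 * so the struct is 40 bytes in total and the bytes after the selected
 * member are unused.
 *
 * NOTE(review): zero the whole struct before filling it in, so that the
 * reserved field and the unused tail of the union do not carry stale stack
 * or heap contents across the ioctl boundary.  Whether the kernel rejects
 * non-zero reserved bytes is not visible here - confirm.
 */
struct fscrypt_key_specifier {
	__u32 type;	/* one of FSCRYPT_KEY_SPEC_TYPE_* */
	__u32 __reserved;
	union {
		__u8 __reserved[32]; /* reserve some extra space */
		__u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
		__u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
	} u;
};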
    111
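/*
 * Payload of Linux keyring key of type "fscrypt-provisioning", referenced by
 * fscrypt_add_key_arg::key_id as an alternative to fscrypt_add_key_arg::raw.
 *
 * 'raw' is a flexible array member: the fixed part of the payload is
 * 8 bytes and the variable-length data follows it directly.
 *
 * NOTE(review): 'type' is presumably one of FSCRYPT_KEY_SPEC_TYPE_* and
 * 'raw' presumably carries the key bytes - confirm in
 * Documentation/filesystems/fscrypt.rst.  Treat any buffer holding this
 * payload as key material.
 */
struct fscrypt_provisioning_key_payload {
	__u32 type;
	__u32 __reserved;
	__u8 raw[];
};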
    121
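/*
 * Struct passed to FS_IOC_ADD_ENCRYPTION_KEY.
 *
 * The key is supplied either inline in the trailing 'raw' bytes or by
 * reference through 'key_id', which names a keyring key of type
 * "fscrypt-provisioning" (see struct fscrypt_provisioning_key_payload).
 * 'raw' is a flexible array member, so the caller allocates
 * sizeof(struct fscrypt_add_key_arg) plus the key length.
 *
 * NOTE(review): presumably raw_size is the number of bytes in 'raw' and is
 * zero when key_id is used - confirm in
 * Documentation/filesystems/fscrypt.rst.  When the key is passed inline,
 * the whole allocation is key material: zero it on creation so the
 * reserved words are clean, and wipe it with a clear the compiler cannot
 * elide (e.g. explicit_bzero()) after the ioctl returns.
 */
struct fscrypt_add_key_arg {
	struct fscrypt_key_specifier key_spec;
	__u32 raw_size;
	__u32 key_id;
	__u32 __reserved[8];
	__u8 raw[];
};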
    130
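/*
 * Struct passed to FS_IOC_REMOVE_ENCRYPTION_KEY (and, per the ioctl
 * definitions in this header, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS).
 *
 * key_spec names the key; removal_status_flags is written back by the
 * kernel as a bitmask of FSCRYPT_KEY_REMOVAL_STATUS_FLAG_*.
 *
 * NOTE(review): the flag names suggest that a successful return can still
 * leave the key in use (FILES_BUSY) or still claimed by other users
 * (OTHER_USERS).  A caller that needs the key to be gone should inspect
 * removal_status_flags rather than rely on the return code alone; confirm
 * the exact semantics in Documentation/filesystems/fscrypt.rst.
 */
struct fscrypt_remove_key_arg {
	struct fscrypt_key_specifier key_spec;
#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY	0x00000001
#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS	0x00000002
	__u32 removal_status_flags;	/* output */
	__u32 __reserved[5];
};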
    139
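/*
 * Struct passed to FS_IOC_GET_ENCRYPTION_KEY_STATUS.
 *
 * The first two members are input, the rest is output.  'status' takes one
 * of the three FSCRYPT_KEY_STATUS_* values (not a bitmask); 'status_flags'
 * is a bitmask of FSCRYPT_KEY_STATUS_FLAG_*.
 *
 * NOTE(review): FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED is distinct from
 * both ABSENT and PRESENT, so code that only tests for PRESENT will treat
 * a partially removed key as gone.  What user_count counts is not stated
 * in this header - confirm in Documentation/filesystems/fscrypt.rst.
 */
struct fscrypt_get_key_status_arg {
	/* input */
	struct fscrypt_key_specifier key_spec;
	__u32 __reserved[6];

	/* output */
#define FSCRYPT_KEY_STATUS_ABSENT		1
#define FSCRYPT_KEY_STATUS_PRESENT		2
#define FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED	3
	__u32 status;
#define FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF   0x00000001
	__u32 status_flags;
	__u32 user_count;
	__u32 __out_reserved[13];
};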
    156
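/*
 * fscrypt ioctl request numbers: type 'f', numbers 19 to 27.
 *
 * The direction bits of the first three requests look inverted relative to
 * their names: FS_IOC_SET_ENCRYPTION_POLICY is declared with _IOR and the
 * two FS_IOC_GET_* requests that follow with _IOW.  The direction is part
 * of the encoded request value and therefore ABI, so it must stay as it
 * is.
 *
 * FS_IOC_GET_ENCRYPTION_POLICY_EX encodes a size of only 9 bytes (the
 * 8-byte policy_size plus the one-byte version), which is smaller than
 * struct fscrypt_get_policy_ex_arg.
 *
 * NOTE(review): tooling that allow-lists or audits ioctls (seccomp
 * filters, tracers, sandboxes) should match the full request value and
 * should not derive data direction or transfer size from _IOC_DIR() /
 * _IOC_SIZE() for these requests.
 */
#define FS_IOC_SET_ENCRYPTION_POLICY		_IOR('f', 19, struct fscrypt_policy_v1)
#define FS_IOC_GET_ENCRYPTION_PWSALT		_IOW('f', 20, __u8[16])
#define FS_IOC_GET_ENCRYPTION_POLICY		_IOW('f', 21, struct fscrypt_policy_v1)
#define FS_IOC_GET_ENCRYPTION_POLICY_EX		_IOWR('f', 22, __u8[9]) /* size + version */
#define FS_IOC_ADD_ENCRYPTION_KEY		_IOWR('f', 23, struct fscrypt_add_key_arg)
#define FS_IOC_REMOVE_ENCRYPTION_KEY		_IOWR('f', 24, struct fscrypt_remove_key_arg)
#define FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS	_IOWR('f', 25, struct fscrypt_remove_key_arg)
#define FS_IOC_GET_ENCRYPTION_KEY_STATUS	_IOWR('f', 26, struct fscrypt_get_key_status_arg)
#define FS_IOC_GET_ENCRYPTION_NONCE		_IOR('f', 27, __u8[16])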
    166
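/**********************************************************************/

/*
 * old names; don't add anything new here!
 *
 * Userspace-only aliases (hidden when __KERNEL__ is defined) for the
 * FSCRYPT_* names above, plus a few constants that exist only under their
 * old names.
 *
 * FS_POLICY_FLAGS_VALID is 0x07, i.e. FSCRYPT_POLICY_FLAGS_PAD_MASK |
 * FSCRYPT_POLICY_FLAG_DIRECT_KEY.  It does not include the
 * FSCRYPT_POLICY_FLAG_IV_INO_LBLK_* bits, so it is not a complete list of
 * the flags defined in this header.
 *
 * NOTE(review): code that validates policy flags against
 * FS_POLICY_FLAGS_VALID will treat the newer flags as invalid.  The mode
 * numbers marked "never used" or "removed" are kept so the values stay
 * reserved; they should not be offered as selectable algorithms.
 */
#ifndef __KERNEL__
#define fscrypt_policy			fscrypt_policy_v1
#define FS_KEY_DESCRIPTOR_SIZE		FSCRYPT_KEY_DESCRIPTOR_SIZE
#define FS_POLICY_FLAGS_PAD_4		FSCRYPT_POLICY_FLAGS_PAD_4
#define FS_POLICY_FLAGS_PAD_8		FSCRYPT_POLICY_FLAGS_PAD_8
#define FS_POLICY_FLAGS_PAD_16		FSCRYPT_POLICY_FLAGS_PAD_16
#define FS_POLICY_FLAGS_PAD_32		FSCRYPT_POLICY_FLAGS_PAD_32
#define FS_POLICY_FLAGS_PAD_MASK	FSCRYPT_POLICY_FLAGS_PAD_MASK
#define FS_POLICY_FLAG_DIRECT_KEY	FSCRYPT_POLICY_FLAG_DIRECT_KEY
#define FS_POLICY_FLAGS_VALID		0x07	/* contains old flags only */
#define FS_ENCRYPTION_MODE_INVALID	0	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_XTS	FSCRYPT_MODE_AES_256_XTS
#define FS_ENCRYPTION_MODE_AES_256_GCM	2	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_CBC	3	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_CTS	FSCRYPT_MODE_AES_256_CTS
#define FS_ENCRYPTION_MODE_AES_128_CBC	FSCRYPT_MODE_AES_128_CBC
#define FS_ENCRYPTION_MODE_AES_128_CTS	FSCRYPT_MODE_AES_128_CTS
#define FS_ENCRYPTION_MODE_SPECK128_256_XTS	7	/* removed */
#define FS_ENCRYPTION_MODE_SPECK128_256_CTS	8	/* removed */
#define FS_ENCRYPTION_MODE_ADIANTUM	FSCRYPT_MODE_ADIANTUM
#define FS_KEY_DESC_PREFIX		FSCRYPT_KEY_DESC_PREFIX
#define FS_KEY_DESC_PREFIX_SIZE		FSCRYPT_KEY_DESC_PREFIX_SIZE
#define FS_MAX_KEY_SIZE			FSCRYPT_MAX_KEY_SIZE
#endif /* !__KERNEL__ */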
    194
    195#endif /* _UAPI_LINUX_FSCRYPT_H */