Merge tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt

Pull fscrypt updates from Ted Ts'o: "Add bunch of cleanups, and add support for the Speck128/256 algorithms. Yes, Speck is contrversial, but the intention is to use them only for the lowest end Android devices, where the alternative *really* is no encryption at all for data stored at rest" * tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt: fscrypt: log the crypto algorithm implementations fscrypt: add Speck128/256 support fscrypt: only derive the needed portion of the key fscrypt: separate key lookup from key derivation fscrypt: use a common logging function fscrypt: remove internal key size constants fscrypt: remove unnecessary check for non-logon key type fscrypt: make fscrypt_operations.max_namelen an integer fscrypt: drop empty name check from fname_decrypt() fscrypt: drop max_namelen check from fname_decrypt() fscrypt: don't special-case EOPNOTSUPP from fscrypt_get_encryption_info() fscrypt: don't clear flags on crypto transform fscrypt: remove stale comment from fscrypt_d_revalidate() fscrypt: remove error messages for skcipher_request_alloc() failure fscrypt: remove unnecessary NULL check when allocating skcipher fscrypt: clean up after fscrypt_prepare_lookup() conversions fs, fscrypt: only define ->s_cop when FS_ENCRYPTION is enabled fscrypt: use unbound workqueue for decryption
2018-06-05 15:15:32 -07:00
parent 6567af78ac e1cc40e5d4
commit fd59ccc530
13 changed files with 248 additions and 213 deletions
--- a/Documentation/filesystems/fscrypt.rst
+++ b/Documentation/filesystems/fscrypt.rst
@@ -191,11 +191,21 @@ Currently, the following pairs of encryption modes are supported:
 - AES-256-XTS for contents and AES-256-CTS-CBC for filenames
 - AES-128-CBC for contents and AES-128-CTS-CBC for filenames
 - Speck128/256-XTS for contents and Speck128/256-CTS-CBC for filenames
 It is strongly recommended to use AES-256-XTS for contents encryption.
 AES-128-CBC was added only for low-powered embedded devices with
 crypto accelerators such as CAAM or CESA that do not support XTS.
 Similarly, Speck128/256 support was only added for older or low-end
 CPUs which cannot do AES fast enough -- especially ARM CPUs which have
 NEON instructions but not the Cryptography Extensions -- and for which
 it would not otherwise be feasible to use encryption at all.  It is
 not recommended to use Speck on CPUs that have AES instructions.
 Speck support is only available if it has been enabled in the crypto
 API via CONFIG_CRYPTO_SPECK.  Also, on ARM platforms, to get
 acceptable performance CONFIG_CRYPTO_SPECK_NEON must be enabled.
 New encryption modes can be added relatively easily, without changes
 to individual filesystems.  However, authenticated encryption (AE)
 modes are not currently supported because of the difficulty of dealing
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -156,12 +156,8 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
 	}
 	req = skcipher_request_alloc(tfm, gfp_flags);
-	if (!req) {
+	if (!req)
 		printk_ratelimited(KERN_ERR
 				"%s: crypto_request_alloc() failed\n",
 				__func__);
 		return -ENOMEM;
 	}
 	skcipher_request_set_callback(
 		req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
@@ -178,9 +174,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
 		res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
 	skcipher_request_free(req);
 	if (res) {
-		printk_ratelimited(KERN_ERR
+		fscrypt_err(inode->i_sb,
-			"%s: crypto_skcipher_encrypt() returned %d\n",
+			    "%scryption failed for inode %lu, block %llu: %d",
-			__func__, res);
+			    (rw == FS_DECRYPT ? "de" : "en"),
 			    inode->i_ino, lblk_num, res);
 		return res;
 	}
 	return 0;
@@ -326,7 +323,6 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
 		return 0;
 	}
 	/* this should eventually be an flag in d_flags */
 	spin_lock(&dentry->d_lock);
 	cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
 	spin_unlock(&dentry->d_lock);
@@ -353,7 +349,6 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
 const struct dentry_operations fscrypt_d_ops = {
 	.d_revalidate = fscrypt_d_revalidate,
 };
 EXPORT_SYMBOL(fscrypt_d_ops);
 void fscrypt_restore_control_page(struct page *page)
 {
@@ -422,13 +417,43 @@ fail:
 	return res;
 }
 void fscrypt_msg(struct super_block *sb, const char *level,
 		 const char *fmt, ...)
 {
 	static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
 				      DEFAULT_RATELIMIT_BURST);
 	struct va_format vaf;
 	va_list args;
 	if (!__ratelimit(&rs))
 		return;
 	va_start(args, fmt);
 	vaf.fmt = fmt;
 	vaf.va = &args;
 	if (sb)
 		printk("%sfscrypt (%s): %pV\n", level, sb->s_id, &vaf);
 	else
 		printk("%sfscrypt: %pV\n", level, &vaf);
 	va_end(args);
 }
 /**
 * fscrypt_init() - Set up for fs encryption.
 */
 static int __init fscrypt_init(void)
 {
 	/*
 	 * Use an unbound workqueue to allow bios to be decrypted in parallel
 	 * even when they happen to complete on the same CPU.  This sacrifices
 	 * locality, but it's worthwhile since decryption is CPU-intensive.
 	 *
 	 * Also use a high-priority workqueue to prioritize decryption work,
 	 * which blocks reads from completing, over regular application tasks.
 	 */
 	fscrypt_read_workqueue = alloc_workqueue("fscrypt_read_queue",
-							WQ_HIGHPRI, 0);
+						 WQ_UNBOUND | WQ_HIGHPRI,
 						 num_online_cpus());
 	if (!fscrypt_read_workqueue)
 		goto fail;
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -59,11 +59,8 @@ int fname_encrypt(struct inode *inode, const struct qstr *iname,
 	/* Set up the encryption request */
 	req = skcipher_request_alloc(tfm, GFP_NOFS);
-	if (!req) {
+	if (!req)
 		printk_ratelimited(KERN_ERR
 			"%s: skcipher_request_alloc() failed\n", __func__);
 		return -ENOMEM;
 	}
 	skcipher_request_set_callback(req,
 			CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
 			crypto_req_done, &wait);
@@ -74,8 +71,9 @@ int fname_encrypt(struct inode *inode, const struct qstr *iname,
 	res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
 	skcipher_request_free(req);
 	if (res < 0) {
-		printk_ratelimited(KERN_ERR
+		fscrypt_err(inode->i_sb,
-				"%s: Error (error code %d)\n", __func__, res);
+			    "Filename encryption failed for inode %lu: %d",
 			    inode->i_ino, res);
 		return res;
 	}
@@ -96,23 +94,14 @@ static int fname_decrypt(struct inode *inode,
 	struct skcipher_request *req = NULL;
 	DECLARE_CRYPTO_WAIT(wait);
 	struct scatterlist src_sg, dst_sg;
-	struct fscrypt_info *ci = inode->i_crypt_info;
+	struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm;
 	struct crypto_skcipher *tfm = ci->ci_ctfm;
 	int res = 0;
 	char iv[FS_CRYPTO_BLOCK_SIZE];
 	unsigned lim;
 	lim = inode->i_sb->s_cop->max_namelen(inode);
 	if (iname->len <= 0 || iname->len > lim)
 		return -EIO;
 	/* Allocate request */
 	req = skcipher_request_alloc(tfm, GFP_NOFS);
-	if (!req) {
+	if (!req)
 		printk_ratelimited(KERN_ERR
 			"%s: crypto_request_alloc() failed\n",  __func__);
 		return -ENOMEM;
 	}
 	skcipher_request_set_callback(req,
 		CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
 		crypto_req_done, &wait);
@@ -127,8 +116,9 @@ static int fname_decrypt(struct inode *inode,
 	res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
 	skcipher_request_free(req);
 	if (res < 0) {
-		printk_ratelimited(KERN_ERR
+		fscrypt_err(inode->i_sb,
-				"%s: Error (error code %d)\n", __func__, res);
+			    "Filename decryption failed for inode %lu: %d",
 			    inode->i_ino, res);
 		return res;
 	}
@@ -341,12 +331,12 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
 		return 0;
 	}
 	ret = fscrypt_get_encryption_info(dir);
-	if (ret && ret != -EOPNOTSUPP)
+	if (ret)
 		return ret;
 	if (dir->i_crypt_info) {
 		if (!fscrypt_fname_encrypted_size(dir, iname->len,
-						  dir->i_sb->s_cop->max_namelen(dir),
+						  dir->i_sb->s_cop->max_namelen,
 						  &fname->crypto_buf.len))
 			return -ENAMETOOLONG;
 		fname->crypto_buf.name = kmalloc(fname->crypto_buf.len,
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -18,15 +18,7 @@
 /* Encryption parameters */
 #define FS_IV_SIZE			16
-#define FS_AES_128_ECB_KEY_SIZE		16
+#define FS_KEY_DERIVATION_NONCE_SIZE	16
 #define FS_AES_128_CBC_KEY_SIZE		16
 #define FS_AES_128_CTS_KEY_SIZE		16
 #define FS_AES_256_GCM_KEY_SIZE		32
 #define FS_AES_256_CBC_KEY_SIZE		32
 #define FS_AES_256_CTS_KEY_SIZE		32
 #define FS_AES_256_XTS_KEY_SIZE		64
 #define FS_KEY_DERIVATION_NONCE_SIZE		16
 /**
 * Encryption context for inode
@@ -91,6 +83,10 @@ static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
 	    filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
 		return true;
 	if (contents_mode == FS_ENCRYPTION_MODE_SPECK128_256_XTS &&
 	    filenames_mode == FS_ENCRYPTION_MODE_SPECK128_256_CTS)
 		return true;
 	return false;
 }
@@ -106,6 +102,15 @@ extern int fscrypt_do_page_crypto(const struct inode *inode,
 				  gfp_t gfp_flags);
 extern struct page *fscrypt_alloc_bounce_page(struct fscrypt_ctx *ctx,
 					      gfp_t gfp_flags);
 extern const struct dentry_operations fscrypt_d_ops;
 extern void __printf(3, 4) __cold
 fscrypt_msg(struct super_block *sb, const char *level, const char *fmt, ...);
 #define fscrypt_warn(sb, fmt, ...)		\
 	fscrypt_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__)
 #define fscrypt_err(sb, fmt, ...)		\
 	fscrypt_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__)
 /* fname.c */
 extern int fname_encrypt(struct inode *inode, const struct qstr *iname,
--- a/fs/crypto/hooks.c
+++ b/fs/crypto/hooks.c
@@ -39,8 +39,9 @@ int fscrypt_file_open(struct inode *inode, struct file *filp)
 	dir = dget_parent(file_dentry(filp));
 	if (IS_ENCRYPTED(d_inode(dir)) &&
 	    !fscrypt_has_permitted_context(d_inode(dir), inode)) {
-		pr_warn_ratelimited("fscrypt: inconsistent encryption contexts: %lu/%lu",
+		fscrypt_warn(inode->i_sb,
-				    d_inode(dir)->i_ino, inode->i_ino);
+			     "inconsistent encryption contexts: %lu/%lu",
 			     d_inode(dir)->i_ino, inode->i_ino);
 		err = -EPERM;
 	}
 	dput(dir);
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -19,17 +19,16 @@
 static struct crypto_shash *essiv_hash_tfm;
-/**
+/*
- * derive_key_aes() - Derive a key using AES-128-ECB
+ * Key derivation function.  This generates the derived key by encrypting the
- * @deriving_key: Encryption key used for derivation.
+ * master key with AES-128-ECB using the inode's nonce as the AES key.
 * @source_key:   Source key to which to apply derivation.
 * @derived_raw_key:  Derived raw key.
 *
- * Return: Zero on success; non-zero otherwise.
+ * The master key must be at least as long as the derived key.  If the master
 * key is longer, then only the first 'derived_keysize' bytes are used.
 */
-static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
+static int derive_key_aes(const u8 *master_key,
-				const struct fscrypt_key *source_key,
+			  const struct fscrypt_context *ctx,
-				u8 derived_raw_key[FS_MAX_KEY_SIZE])
+			  u8 *derived_key, unsigned int derived_keysize)
 {
 	int res = 0;
 	struct skcipher_request *req = NULL;
@@ -51,14 +50,13 @@ static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
 	skcipher_request_set_callback(req,
 			CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
 			crypto_req_done, &wait);
-	res = crypto_skcipher_setkey(tfm, deriving_key,
+	res = crypto_skcipher_setkey(tfm, ctx->nonce, sizeof(ctx->nonce));
 					FS_AES_128_ECB_KEY_SIZE);
 	if (res < 0)
 		goto out;
-	sg_init_one(&src_sg, source_key->raw, source_key->size);
+	sg_init_one(&src_sg, master_key, derived_keysize);
-	sg_init_one(&dst_sg, derived_raw_key, source_key->size);
+	sg_init_one(&dst_sg, derived_key, derived_keysize);
-	skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size,
+	skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize,
 				   NULL);
 	res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
 out:
@@ -67,101 +65,147 @@ out:
 	return res;
 }
-static int validate_user_key(struct fscrypt_info *crypt_info,
+/*
-			struct fscrypt_context *ctx, u8 *raw_key,
+ * Search the current task's subscribed keyrings for a "logon" key with
-			const char *prefix, int min_keysize)
+ * description prefix:descriptor, and if found acquire a read lock on it and
 * return a pointer to its validated payload in *payload_ret.
 */
 static struct key *
 find_and_lock_process_key(const char *prefix,
 			  const u8 descriptor[FS_KEY_DESCRIPTOR_SIZE],
 			  unsigned int min_keysize,
 			  const struct fscrypt_key **payload_ret)
 {
 	char *description;
-	struct key *keyring_key;
+	struct key *key;
 	struct fscrypt_key *master_key;
 	const struct user_key_payload *ukp;
-	int res;
+	const struct fscrypt_key *payload;
 	description = kasprintf(GFP_NOFS, "%s%*phN", prefix,
-				FS_KEY_DESCRIPTOR_SIZE,
+				FS_KEY_DESCRIPTOR_SIZE, descriptor);
 				ctx->master_key_descriptor);
 	if (!description)
-		return -ENOMEM;
+		return ERR_PTR(-ENOMEM);
-	keyring_key = request_key(&key_type_logon, description, NULL);
+	key = request_key(&key_type_logon, description, NULL);
 	kfree(description);
-	if (IS_ERR(keyring_key))
+	if (IS_ERR(key))
-		return PTR_ERR(keyring_key);
+		return key;
 	down_read(&keyring_key->sem);
-	if (keyring_key->type != &key_type_logon) {
+	down_read(&key->sem);
-		printk_once(KERN_WARNING
+	ukp = user_key_payload_locked(key);
 				"%s: key type must be logon\n", __func__);
 		res = -ENOKEY;
 		goto out;
 	}
 	ukp = user_key_payload_locked(keyring_key);
 	if (!ukp) {
 		/* key was revoked before we acquired its semaphore */
 		res = -EKEYREVOKED;
 		goto out;
 	}
 	if (ukp->datalen != sizeof(struct fscrypt_key)) {
 		res = -EINVAL;
 		goto out;
 	}
 	master_key = (struct fscrypt_key *)ukp->data;
 	BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);
-	if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE
+	if (!ukp) /* was the key revoked before we acquired its semaphore? */
-	    || master_key->size % AES_BLOCK_SIZE != 0) {
+		goto invalid;
-		printk_once(KERN_WARNING
+
-				"%s: key size incorrect: %d\n",
+	payload = (const struct fscrypt_key *)ukp->data;
-				__func__, master_key->size);
+
-		res = -ENOKEY;
+	if (ukp->datalen != sizeof(struct fscrypt_key) ||
-		goto out;
+	    payload->size < 1 || payload->size > FS_MAX_KEY_SIZE) {
 		fscrypt_warn(NULL,
 			     "key with description '%s' has invalid payload",
 			     key->description);
 		goto invalid;
 	}
-	res = derive_key_aes(ctx->nonce, master_key, raw_key);
+
-out:
+	if (payload->size < min_keysize) {
-	up_read(&keyring_key->sem);
+		fscrypt_warn(NULL,
-	key_put(keyring_key);
+			     "key with description '%s' is too short (got %u bytes, need %u+ bytes)",
-	return res;
+			     key->description, payload->size, min_keysize);
 		goto invalid;
 	}
 	*payload_ret = payload;
 	return key;
 invalid:
 	up_read(&key->sem);
 	key_put(key);
 	return ERR_PTR(-ENOKEY);
 }
-static const struct {
+/* Find the master key, then derive the inode's actual encryption key */
 static int find_and_derive_key(const struct inode *inode,
 			       const struct fscrypt_context *ctx,
 			       u8 *derived_key, unsigned int derived_keysize)
 {
 	struct key *key;
 	const struct fscrypt_key *payload;
 	int err;
 	key = find_and_lock_process_key(FS_KEY_DESC_PREFIX,
 					ctx->master_key_descriptor,
 					derived_keysize, &payload);
 	if (key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) {
 		key = find_and_lock_process_key(inode->i_sb->s_cop->key_prefix,
 						ctx->master_key_descriptor,
 						derived_keysize, &payload);
 	}
 	if (IS_ERR(key))
 		return PTR_ERR(key);
 	err = derive_key_aes(payload->raw, ctx, derived_key, derived_keysize);
 	up_read(&key->sem);
 	key_put(key);
 	return err;
 }
 static struct fscrypt_mode {
 	const char *friendly_name;
 	const char *cipher_str;
 	int keysize;
 	bool logged_impl_name;
 } available_modes[] = {
-	[FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)",
+	[FS_ENCRYPTION_MODE_AES_256_XTS] = {
-					     FS_AES_256_XTS_KEY_SIZE },
+		.friendly_name = "AES-256-XTS",
-	[FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))",
+		.cipher_str = "xts(aes)",
-					     FS_AES_256_CTS_KEY_SIZE },
+		.keysize = 64,
-	[FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)",
+	},
-					     FS_AES_128_CBC_KEY_SIZE },
+	[FS_ENCRYPTION_MODE_AES_256_CTS] = {
-	[FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))",
+		.friendly_name = "AES-256-CTS-CBC",
-					     FS_AES_128_CTS_KEY_SIZE },
+		.cipher_str = "cts(cbc(aes))",
 		.keysize = 32,
 	},
 	[FS_ENCRYPTION_MODE_AES_128_CBC] = {
 		.friendly_name = "AES-128-CBC",
 		.cipher_str = "cbc(aes)",
 		.keysize = 16,
 	},
 	[FS_ENCRYPTION_MODE_AES_128_CTS] = {
 		.friendly_name = "AES-128-CTS-CBC",
 		.cipher_str = "cts(cbc(aes))",
 		.keysize = 16,
 	},
 	[FS_ENCRYPTION_MODE_SPECK128_256_XTS] = {
 		.friendly_name = "Speck128/256-XTS",
 		.cipher_str = "xts(speck128)",
 		.keysize = 64,
 	},
 	[FS_ENCRYPTION_MODE_SPECK128_256_CTS] = {
 		.friendly_name = "Speck128/256-CTS-CBC",
 		.cipher_str = "cts(cbc(speck128))",
 		.keysize = 32,
 	},
 };
-static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode,
+static struct fscrypt_mode *
-				 const char **cipher_str_ret, int *keysize_ret)
+select_encryption_mode(const struct fscrypt_info *ci, const struct inode *inode)
 {
 	u32 mode;
 	if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) {
-		pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n",
+		fscrypt_warn(inode->i_sb,
-				    inode->i_ino,
+			     "inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)",
-				    ci->ci_data_mode, ci->ci_filename_mode);
+			     inode->i_ino, ci->ci_data_mode,
-		return -EINVAL;
+			     ci->ci_filename_mode);
 		return ERR_PTR(-EINVAL);
 	}
-	if (S_ISREG(inode->i_mode)) {
+	if (S_ISREG(inode->i_mode))
-		mode = ci->ci_data_mode;
+		return &available_modes[ci->ci_data_mode];
 	} else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) {
 		mode = ci->ci_filename_mode;
 	} else {
 		WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
 			  inode->i_ino, (inode->i_mode & S_IFMT));
 		return -EINVAL;
 	}
-	*cipher_str_ret = available_modes[mode].cipher_str;
+	if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
-	*keysize_ret = available_modes[mode].keysize;
+		return &available_modes[ci->ci_filename_mode];
-	return 0;
+
 	WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
 		  inode->i_ino, (inode->i_mode & S_IFMT));
 	return ERR_PTR(-EINVAL);
 }
 static void put_crypt_info(struct fscrypt_info *ci)
@@ -184,8 +228,9 @@ static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt)
 		tfm = crypto_alloc_shash("sha256", 0, 0);
 		if (IS_ERR(tfm)) {
-			pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n",
+			fscrypt_warn(NULL,
-					    PTR_ERR(tfm));
+				     "error allocating SHA-256 transform: %ld",
 				     PTR_ERR(tfm));
 			return PTR_ERR(tfm);
 		}
 		prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
@@ -245,8 +290,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
 	struct fscrypt_info *crypt_info;
 	struct fscrypt_context ctx;
 	struct crypto_skcipher *ctfm;
-	const char *cipher_str;
+	struct fscrypt_mode *mode;
 	int keysize;
 	u8 *raw_key = NULL;
 	int res;
@@ -290,57 +334,59 @@ int fscrypt_get_encryption_info(struct inode *inode)
 	memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
 				sizeof(crypt_info->ci_master_key));
-	res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize);
+	mode = select_encryption_mode(crypt_info, inode);
-	if (res)
+	if (IS_ERR(mode)) {
 		res = PTR_ERR(mode);
 		goto out;
 	}
 	/*
 	 * This cannot be a stack buffer because it is passed to the scatterlist
 	 * crypto API as part of key derivation.
 	 */
 	res = -ENOMEM;
-	raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS);
+	raw_key = kmalloc(mode->keysize, GFP_NOFS);
 	if (!raw_key)
 		goto out;
-	res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX,
+	res = find_and_derive_key(inode, &ctx, raw_key, mode->keysize);
-				keysize);
+	if (res)
-	if (res && inode->i_sb->s_cop->key_prefix) {
+		goto out;
-		int res2 = validate_user_key(crypt_info, &ctx, raw_key,
+
-					     inode->i_sb->s_cop->key_prefix,
+	ctfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
-					     keysize);
+	if (IS_ERR(ctfm)) {
-		if (res2) {
+		res = PTR_ERR(ctfm);
-			if (res2 == -ENOKEY)
+		fscrypt_warn(inode->i_sb,
-				res = -ENOKEY;
+			     "error allocating '%s' transform for inode %lu: %d",
-			goto out;
+			     mode->cipher_str, inode->i_ino, res);
 		}
 	} else if (res) {
 		goto out;
 	}
-	ctfm = crypto_alloc_skcipher(cipher_str, 0, 0);
+	if (unlikely(!mode->logged_impl_name)) {
-	if (!ctfm || IS_ERR(ctfm)) {
+		/*
-		res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
+		 * fscrypt performance can vary greatly depending on which
-		pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n",
+		 * crypto algorithm implementation is used.  Help people debug
-			 __func__, res, inode->i_ino);
+		 * performance problems by logging the ->cra_driver_name the
-		goto out;
+		 * first time a mode is used.  Note that multiple threads can
 		 * race here, but it doesn't really matter.
 		 */
 		mode->logged_impl_name = true;
 		pr_info("fscrypt: %s using implementation \"%s\"\n",
 			mode->friendly_name,
 			crypto_skcipher_alg(ctfm)->base.cra_driver_name);
 	}
 	crypt_info->ci_ctfm = ctfm;
 	crypto_skcipher_clear_flags(ctfm, ~0);
 	crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY);
-	/*
+	res = crypto_skcipher_setkey(ctfm, raw_key, mode->keysize);
 	 * if the provided key is longer than keysize, we use the first
 	 * keysize bytes of the derived key only
 	 */
 	res = crypto_skcipher_setkey(ctfm, raw_key, keysize);
 	if (res)
 		goto out;
 	if (S_ISREG(inode->i_mode) &&
 	    crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) {
-		res = init_essiv_generator(crypt_info, raw_key, keysize);
+		res = init_essiv_generator(crypt_info, raw_key, mode->keysize);
 		if (res) {
-			pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n",
+			fscrypt_warn(inode->i_sb,
-				 __func__, res, inode->i_ino);
+				     "error initializing ESSIV generator for inode %lu: %d",
 				     inode->i_ino, res);
 			goto out;
 		}
 	}
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1267,19 +1267,13 @@ static bool ext4_dummy_context(struct inode *inode)
 	return DUMMY_ENCRYPTION_ENABLED(EXT4_SB(inode->i_sb));
 }
 static unsigned ext4_max_namelen(struct inode *inode)
 {
 	return S_ISLNK(inode->i_mode) ? inode->i_sb->s_blocksize :
 		EXT4_NAME_LEN;
 }
 static const struct fscrypt_operations ext4_cryptops = {
 	.key_prefix		= "ext4:",
 	.get_context		= ext4_get_context,
 	.set_context		= ext4_set_context,
 	.dummy_context		= ext4_dummy_context,
 	.empty_dir		= ext4_empty_dir,
-	.max_namelen		= ext4_max_namelen,
+	.max_namelen		= EXT4_NAME_LEN,
 };
 #endif
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1930,19 +1930,13 @@ static bool f2fs_dummy_context(struct inode *inode)
 	return DUMMY_ENCRYPTION_ENABLED(F2FS_I_SB(inode));
 }
 static unsigned f2fs_max_namelen(struct inode *inode)
 {
 	return S_ISLNK(inode->i_mode) ?
 			inode->i_sb->s_blocksize : F2FS_NAME_LEN;
 }
 static const struct fscrypt_operations f2fs_cryptops = {
 	.key_prefix	= "f2fs:",
 	.get_context	= f2fs_get_context,
 	.set_context	= f2fs_set_context,
 	.dummy_context	= f2fs_dummy_context,
 	.empty_dir	= f2fs_empty_dir,
-	.max_namelen	= f2fs_max_namelen,
+	.max_namelen	= F2FS_NAME_LEN,
 };
 #endif
--- a/fs/ubifs/crypto.c
+++ b/fs/ubifs/crypto.c
@@ -24,14 +24,6 @@ static bool ubifs_crypt_empty_dir(struct inode *inode)
 	return ubifs_check_dir_empty(inode) == 0;
 }
 static unsigned int ubifs_crypt_max_namelen(struct inode *inode)
 {
 	if (S_ISLNK(inode->i_mode))
 		return UBIFS_MAX_INO_DATA;
 	else
 		return UBIFS_MAX_NLEN;
 }
 int ubifs_encrypt(const struct inode *inode, struct ubifs_data_node *dn,
 		  unsigned int in_len, unsigned int *out_len, int block)
 {
@@ -89,5 +81,5 @@ const struct fscrypt_operations ubifs_crypt_operations = {
 	.get_context		= ubifs_crypt_get_context,
 	.set_context		= ubifs_crypt_set_context,
 	.empty_dir		= ubifs_crypt_empty_dir,
-	.max_namelen		= ubifs_crypt_max_namelen,
+	.max_namelen		= UBIFS_MAX_NLEN,
 };
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1364,9 +1364,9 @@ struct super_block {
 	void                    *s_security;
 #endif
 	const struct xattr_handler **s_xattr;
-
+#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
 	const struct fscrypt_operations	*s_cop;
-
+#endif
 	struct hlist_bl_head	s_roots;	/* alternate root dentries for NFS */
 	struct list_head	s_mounts;	/* list of mounts; _not_ for fs use */
 	struct block_device	*s_bdev;
--- a/include/linux/fscrypt_notsupp.h
+++ b/include/linux/fscrypt_notsupp.h
@@ -64,16 +64,6 @@ static inline void fscrypt_restore_control_page(struct page *page)
 	return;
 }
 static inline void fscrypt_set_d_op(struct dentry *dentry)
 {
 	return;
 }
 static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry)
 {
 	return;
 }
 /* policy.c */
 static inline int fscrypt_ioctl_set_policy(struct file *filp,
 					   const void __user *arg)
--- a/include/linux/fscrypt_supp.h
+++ b/include/linux/fscrypt_supp.h
@@ -29,7 +29,7 @@ struct fscrypt_operations {
 	int (*set_context)(struct inode *, const void *, size_t, void *);
 	bool (*dummy_context)(struct inode *);
 	bool (*empty_dir)(struct inode *);
-	unsigned (*max_namelen)(struct inode *);
+	unsigned int max_namelen;
 };
 struct fscrypt_ctx {
@@ -74,20 +74,6 @@ static inline struct page *fscrypt_control_page(struct page *page)
 extern void fscrypt_restore_control_page(struct page *);
 extern const struct dentry_operations fscrypt_d_ops;
 static inline void fscrypt_set_d_op(struct dentry *dentry)
 {
 	d_set_d_op(dentry, &fscrypt_d_ops);
 }
 static inline void fscrypt_set_encrypted_dentry(struct dentry *dentry)
 {
 	spin_lock(&dentry->d_lock);
 	dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY;
 	spin_unlock(&dentry->d_lock);
 }
 /* policy.c */
 extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
 extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
--- a/include/uapi/linux/fs.h
+++ b/include/uapi/linux/fs.h
@@ -279,6 +279,8 @@ struct fsxattr {
 #define FS_ENCRYPTION_MODE_AES_256_CTS		4
 #define FS_ENCRYPTION_MODE_AES_128_CBC		5
 #define FS_ENCRYPTION_MODE_AES_128_CTS		6
 #define FS_ENCRYPTION_MODE_SPECK128_256_XTS	7
 #define FS_ENCRYPTION_MODE_SPECK128_256_CTS	8
 struct fscrypt_policy {
 	__u8 version;