Loading...
1#ifndef _LINUX_ECRYPTFS_H
2#define _LINUX_ECRYPTFS_H
3
4/* Version verification for shared data structures w/ userspace */
5#define ECRYPTFS_VERSION_MAJOR 0x00
6#define ECRYPTFS_VERSION_MINOR 0x04
7#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
8/* These flags indicate which features are supported by the kernel
9 * module; userspace tools such as the mount helper read the feature
10 * bits from a sysfs handle in order to determine how to behave. */
11#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
12#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
13#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
14#define ECRYPTFS_VERSIONING_POLICY 0x00000008
15#define ECRYPTFS_VERSIONING_XATTR 0x00000010
16#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
17#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
18#define ECRYPTFS_VERSIONING_HMAC 0x00000080
19#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
20#define ECRYPTFS_VERSIONING_GCM 0x00000200
21#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
22#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
23#define ECRYPTFS_SALT_SIZE 8
24#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
25/* The original signature size is only for what is stored on disk; all
26 * in-memory representations are expanded hex, so it better adapted to
27 * be passed around or referenced on the command line */
28#define ECRYPTFS_SIG_SIZE 8
29#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
30#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
31#define ECRYPTFS_MAX_KEY_BYTES 64
32#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
33#define ECRYPTFS_FILE_VERSION 0x03
34#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
35
36#define RFC2440_CIPHER_DES3_EDE 0x02
37#define RFC2440_CIPHER_CAST_5 0x03
38#define RFC2440_CIPHER_BLOWFISH 0x04
39#define RFC2440_CIPHER_AES_128 0x07
40#define RFC2440_CIPHER_AES_192 0x08
41#define RFC2440_CIPHER_AES_256 0x09
42#define RFC2440_CIPHER_TWOFISH 0x0a
43#define RFC2440_CIPHER_CAST_6 0x0b
44
45#define RFC2440_CIPHER_RSA 0x01
46
47/**
48 * For convenience, we may need to pass around the encrypted session
49 * key between kernel and userspace because the authentication token
50 * may not be extractable. For example, the TPM may not release the
51 * private key, instead requiring the encrypted data and returning the
52 * decrypted data.
53 */
54struct ecryptfs_session_key {
55#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
56#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
57#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
58#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
59 u32 flags;
60 u32 encrypted_key_size;
61 u32 decrypted_key_size;
62 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
63 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
64};
65
66struct ecryptfs_password {
67 u32 password_bytes;
68 s32 hash_algo;
69 u32 hash_iterations;
70 u32 session_key_encryption_key_bytes;
71#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
72#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
73 u32 flags;
74 /* Iterated-hash concatenation of salt and passphrase */
75 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
76 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
77 /* Always in expanded hex */
78 u8 salt[ECRYPTFS_SALT_SIZE];
79};
80
81enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
82
83struct ecryptfs_private_key {
84 u32 key_size;
85 u32 data_len;
86 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
87 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
88 u8 data[];
89};
90
91/* May be a password or a private key */
92struct ecryptfs_auth_tok {
93 u16 version; /* 8-bit major and 8-bit minor */
94 u16 token_type;
95#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
96 u32 flags;
97 struct ecryptfs_session_key session_key;
98 u8 reserved[32];
99 union {
100 struct ecryptfs_password password;
101 struct ecryptfs_private_key private_key;
102 } token;
103} __attribute__ ((packed));
104
105#endif /* _LINUX_ECRYPTFS_H */
1/* SPDX-License-Identifier: GPL-2.0 */
2#ifndef _LINUX_ECRYPTFS_H
3#define _LINUX_ECRYPTFS_H
4
5/* Version verification for shared data structures w/ userspace */
6#define ECRYPTFS_VERSION_MAJOR 0x00
7#define ECRYPTFS_VERSION_MINOR 0x04
8#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
9/* These flags indicate which features are supported by the kernel
10 * module; userspace tools such as the mount helper read the feature
11 * bits from a sysfs handle in order to determine how to behave. */
12#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
13#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
14#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
15#define ECRYPTFS_VERSIONING_POLICY 0x00000008
16#define ECRYPTFS_VERSIONING_XATTR 0x00000010
17#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
18#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
19#define ECRYPTFS_VERSIONING_HMAC 0x00000080
20#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
21#define ECRYPTFS_VERSIONING_GCM 0x00000200
22#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
23#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
24#define ECRYPTFS_SALT_SIZE 8
25#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
26/* The original signature size is only for what is stored on disk; all
27 * in-memory representations are expanded hex, so it better adapted to
28 * be passed around or referenced on the command line */
29#define ECRYPTFS_SIG_SIZE 8
30#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
31#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
32#define ECRYPTFS_MAX_KEY_BYTES 64
33#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
34#define ECRYPTFS_FILE_VERSION 0x03
35#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
36
37#define RFC2440_CIPHER_DES3_EDE 0x02
38#define RFC2440_CIPHER_CAST_5 0x03
39#define RFC2440_CIPHER_BLOWFISH 0x04
40#define RFC2440_CIPHER_AES_128 0x07
41#define RFC2440_CIPHER_AES_192 0x08
42#define RFC2440_CIPHER_AES_256 0x09
43#define RFC2440_CIPHER_TWOFISH 0x0a
44#define RFC2440_CIPHER_CAST_6 0x0b
45
46#define RFC2440_CIPHER_RSA 0x01
47
48/**
49 * For convenience, we may need to pass around the encrypted session
50 * key between kernel and userspace because the authentication token
51 * may not be extractable. For example, the TPM may not release the
52 * private key, instead requiring the encrypted data and returning the
53 * decrypted data.
54 */
55struct ecryptfs_session_key {
56#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
57#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
58#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
59#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
60 u32 flags;
61 u32 encrypted_key_size;
62 u32 decrypted_key_size;
63 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
64 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
65};
66
67struct ecryptfs_password {
68 u32 password_bytes;
69 s32 hash_algo;
70 u32 hash_iterations;
71 u32 session_key_encryption_key_bytes;
72#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
73#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
74 u32 flags;
75 /* Iterated-hash concatenation of salt and passphrase */
76 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
77 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
78 /* Always in expanded hex */
79 u8 salt[ECRYPTFS_SALT_SIZE];
80};
81
82enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
83
84struct ecryptfs_private_key {
85 u32 key_size;
86 u32 data_len;
87 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
88 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
89 u8 data[];
90};
91
92/* May be a password or a private key */
93struct ecryptfs_auth_tok {
94 u16 version; /* 8-bit major and 8-bit minor */
95 u16 token_type;
96#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
97 u32 flags;
98 struct ecryptfs_session_key session_key;
99 u8 reserved[32];
100 union {
101 struct ecryptfs_password password;
102 struct ecryptfs_private_key private_key;
103 } token;
104} __attribute__ ((packed));
105
106#endif /* _LINUX_ECRYPTFS_H */