From 650329807f9d37cebc55e92bddf0b41ba78c51d9 Mon Sep 17 00:00:00 2001 From: Tianjia Zhang Date: Tue, 15 Nov 2022 14:43:27 +0800 Subject: [PATCH 1/3] anolis: blk-crypto: Add support for SM4-XTS blk crypto mode ANBZ: #3240 SM4 is a symmetric algorithm widely used in China, and SM4-XTS is also used to encrypt length-preserving data, this patch enables the use of SM4-XTS algorithm in block inline encryption, and provides support for fscrypt. Signed-off-by: Tianjia Zhang --- block/blk-crypto.c | 5 +++++ include/linux/blk-crypto.h | 1 + 2 files changed, 6 insertions(+) diff --git a/block/blk-crypto.c b/block/blk-crypto.c index 5ffa9aab49de..f29c71b1eecd 100644 --- a/block/blk-crypto.c +++ b/block/blk-crypto.c @@ -33,6 +33,11 @@ const struct blk_crypto_mode blk_crypto_modes[] = { .keysize = 32, .ivsize = 32, }, + [BLK_ENCRYPTION_MODE_SM4_XTS] = { + .cipher_str = "xts(sm4)", + .keysize = 32, + .ivsize = 16, + }, }; /* diff --git a/include/linux/blk-crypto.h b/include/linux/blk-crypto.h index 69b24fe92cbf..26b1b71c3091 100644 --- a/include/linux/blk-crypto.h +++ b/include/linux/blk-crypto.h @@ -13,6 +13,7 @@ enum blk_crypto_mode_num { BLK_ENCRYPTION_MODE_AES_256_XTS, BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV, BLK_ENCRYPTION_MODE_ADIANTUM, + BLK_ENCRYPTION_MODE_SM4_XTS, BLK_ENCRYPTION_MODE_MAX, }; -- Gitee From fed57332568d015974938e599c2d134a2f7c81ae Mon Sep 17 00:00:00 2001 From: Tianjia Zhang Date: Tue, 15 Nov 2022 14:44:39 +0800 Subject: [PATCH 2/3] anolis: fscrypt: Add SM4 XTS/CTS symmetric algorithm support ANBZ: #3240 SM4 is a symmetric algorithm widely used in China, and is even mandatory in many scenarios. We need to provide these users with the ability to encrypt files or disks using SM4-XTS, and many other algorithms that use SM2/3/4 algorithms or their combined algorithm scenarios, these features are demanded by many users, this patch enables to use SM4-XTS mode to encrypt file content, and use SM4-CBC-CTS to encrypt filename. Signed-off-by: Tianjia Zhang --- Documentation/filesystems/fscrypt.rst | 1 + fs/crypto/keysetup.c | 15 +++++++++++++++ fs/crypto/policy.c | 4 ++++ include/uapi/linux/fscrypt.h | 2 ++ 4 files changed, 22 insertions(+) diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst index 936fae06db77..916643c00ff0 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -336,6 +336,7 @@ Currently, the following pairs of encryption modes are supported: - AES-256-XTS for contents and AES-256-CTS-CBC for filenames - AES-128-CBC for contents and AES-128-CTS-CBC for filenames +- SM4-XTS for contents and SM4-CTS-CBC for filenames - Adiantum for both contents and filenames If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c index 73d96e35d9ae..e6919bb5cd7a 100644 --- a/fs/crypto/keysetup.c +++ b/fs/crypto/keysetup.c @@ -45,6 +45,21 @@ struct fscrypt_mode fscrypt_modes[] = { .security_strength = 16, .ivsize = 16, }, + [FSCRYPT_MODE_SM4_XTS] = { + .friendly_name = "SM4-XTS", + .cipher_str = "xts(sm4)", + .keysize = 32, + .security_strength = 16, + .ivsize = 16, + .blk_crypto_mode = BLK_ENCRYPTION_MODE_SM4_XTS, + }, + [FSCRYPT_MODE_SM4_CTS] = { + .friendly_name = "SM4-CTS", + .cipher_str = "cts(cbc(sm4))", + .keysize = 16, + .security_strength = 16, + .ivsize = 16, + }, [FSCRYPT_MODE_ADIANTUM] = { .friendly_name = "Adiantum", .cipher_str = "adiantum(xchacha12,aes)", diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c index faa0f21daa68..fc87b8284d94 100644 --- a/fs/crypto/policy.c +++ b/fs/crypto/policy.c @@ -50,6 +50,10 @@ static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode) filenames_mode == FSCRYPT_MODE_AES_128_CTS) return true; + if (contents_mode == FSCRYPT_MODE_SM4_XTS && + filenames_mode == FSCRYPT_MODE_SM4_CTS) + return true; + if (contents_mode == FSCRYPT_MODE_ADIANTUM && filenames_mode == FSCRYPT_MODE_ADIANTUM) return true; diff --git a/include/uapi/linux/fscrypt.h b/include/uapi/linux/fscrypt.h index 9f4428be3e36..cc50a50f5964 100644 --- a/include/uapi/linux/fscrypt.h +++ b/include/uapi/linux/fscrypt.h @@ -26,6 +26,8 @@ #define FSCRYPT_MODE_AES_256_CTS 4 #define FSCRYPT_MODE_AES_128_CBC 5 #define FSCRYPT_MODE_AES_128_CTS 6 +#define FSCRYPT_MODE_SM4_XTS 7 +#define FSCRYPT_MODE_SM4_CTS 8 #define FSCRYPT_MODE_ADIANTUM 9 /* If adding a mode number > 9, update FSCRYPT_MODE_MAX in fscrypt_private.h */ -- Gitee From d87850c8d7e74c614966fa376ae66f399162ce4f Mon Sep 17 00:00:00 2001 From: Tianjia Zhang Date: Wed, 23 Nov 2022 16:13:56 +0800 Subject: [PATCH 3/3] anolis: configs: Enable SM3/4 algorithm for default configs ANBZ: #3240 This patch enables the SM3/4 algorithm and instruction set optimization for different architectures. In addition, the IMA hash algorithm uses the SM3 algorithm by default. Finally, the fscrypt feature is enabled, as well as the CTS and XTS cipher modes that fscrypt depends on. Signed-off-by: Tianjia Zhang --- arch/arm64/configs/anolis-debug_defconfig | 19 +++++++++++++------ arch/arm64/configs/anolis_defconfig | 19 +++++++++++++------ arch/x86/configs/anolis-debug_defconfig | 11 +++++++---- arch/x86/configs/anolis_defconfig | 11 +++++++---- 4 files changed, 40 insertions(+), 20 deletions(-) diff --git a/arch/arm64/configs/anolis-debug_defconfig b/arch/arm64/configs/anolis-debug_defconfig index f0edb81e3036..69ae9dffa72f 100644 --- a/arch/arm64/configs/anolis-debug_defconfig +++ b/arch/arm64/configs/anolis-debug_defconfig @@ -716,8 +716,13 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=m CONFIG_CRYPTO_SHA2_ARM64_CE=m # CONFIG_CRYPTO_SHA512_ARM64_CE is not set # CONFIG_CRYPTO_SHA3_ARM64 is not set -# CONFIG_CRYPTO_SM3_ARM64_CE is not set +CONFIG_CRYPTO_SM3_NEON=y +CONFIG_CRYPTO_SM3_ARM64_CE=y CONFIG_CRYPTO_SM4_ARM64_CE=m +CONFIG_CRYPTO_SM4_ARM64_CE_BLK=y +CONFIG_CRYPTO_SM4_ARM64_CE_CCM=m +CONFIG_CRYPTO_SM4_ARM64_CE_GCM=y +CONFIG_CRYPTO_SM4_ARM64_NEON_BLK=y CONFIG_CRYPTO_GHASH_ARM64_CE=m CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m CONFIG_CRYPTO_AES_ARM64=y @@ -5726,9 +5731,9 @@ CONFIG_IMA_LSM_RULES=y CONFIG_IMA_SIG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y -# CONFIG_IMA_DEFAULT_HASH_SM3 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" +# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +CONFIG_IMA_DEFAULT_HASH_SM3=y +CONFIG_IMA_DEFAULT_HASH="sm3" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y @@ -5838,12 +5843,12 @@ CONFIG_CRYPTO_ECHAINIV=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CFB=y CONFIG_CRYPTO_CTR=y -CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_CTS=y CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_LRW=m # CONFIG_CRYPTO_OFB is not set CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y # CONFIG_CRYPTO_KEYWRAP is not set # CONFIG_CRYPTO_ADIANTUM is not set CONFIG_CRYPTO_ESSIV=m @@ -5879,6 +5884,7 @@ CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=m CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_SM3_GENERIC=y # CONFIG_CRYPTO_STREEBOG is not set CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -5904,6 +5910,7 @@ CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_SEED=m CONFIG_CRYPTO_SERPENT=m CONFIG_CRYPTO_SM4=y +CONFIG_CRYPTO_SM4_GENERIC=y CONFIG_CRYPTO_TEA=m CONFIG_CRYPTO_TWOFISH=m CONFIG_CRYPTO_TWOFISH_COMMON=m diff --git a/arch/arm64/configs/anolis_defconfig b/arch/arm64/configs/anolis_defconfig index dea21eff90f0..7987e5ec6bd0 100644 --- a/arch/arm64/configs/anolis_defconfig +++ b/arch/arm64/configs/anolis_defconfig @@ -711,8 +711,13 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=m CONFIG_CRYPTO_SHA2_ARM64_CE=m # CONFIG_CRYPTO_SHA512_ARM64_CE is not set # CONFIG_CRYPTO_SHA3_ARM64 is not set -# CONFIG_CRYPTO_SM3_ARM64_CE is not set +CONFIG_CRYPTO_SM3_NEON=y +CONFIG_CRYPTO_SM3_ARM64_CE=y CONFIG_CRYPTO_SM4_ARM64_CE=m +CONFIG_CRYPTO_SM4_ARM64_CE_BLK=y +CONFIG_CRYPTO_SM4_ARM64_CE_CCM=m +CONFIG_CRYPTO_SM4_ARM64_CE_GCM=y +CONFIG_CRYPTO_SM4_ARM64_NEON_BLK=y CONFIG_CRYPTO_GHASH_ARM64_CE=m CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m CONFIG_CRYPTO_AES_ARM64=y @@ -5744,9 +5749,9 @@ CONFIG_IMA_LSM_RULES=y CONFIG_IMA_SIG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y -# CONFIG_IMA_DEFAULT_HASH_SM3 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" +# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +CONFIG_IMA_DEFAULT_HASH_SM3=y +CONFIG_IMA_DEFAULT_HASH="sm3" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y @@ -5856,12 +5861,12 @@ CONFIG_CRYPTO_ECHAINIV=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CFB=y CONFIG_CRYPTO_CTR=y -CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_CTS=y CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_LRW=m # CONFIG_CRYPTO_OFB is not set CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y # CONFIG_CRYPTO_KEYWRAP is not set # CONFIG_CRYPTO_ADIANTUM is not set CONFIG_CRYPTO_ESSIV=m @@ -5897,6 +5902,7 @@ CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=m CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_SM3_GENERIC=y # CONFIG_CRYPTO_STREEBOG is not set CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -5922,6 +5928,7 @@ CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_SEED=m CONFIG_CRYPTO_SERPENT=m CONFIG_CRYPTO_SM4=y +CONFIG_CRYPTO_SM4_GENERIC=y CONFIG_CRYPTO_TEA=m CONFIG_CRYPTO_TWOFISH=m CONFIG_CRYPTO_TWOFISH_COMMON=m diff --git a/arch/x86/configs/anolis-debug_defconfig b/arch/x86/configs/anolis-debug_defconfig index 9466347a34cd..88f15d964df8 100644 --- a/arch/x86/configs/anolis-debug_defconfig +++ b/arch/x86/configs/anolis-debug_defconfig @@ -6330,10 +6330,10 @@ CONFIG_IMA_LSM_RULES=y CONFIG_IMA_SIG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set -# CONFIG_IMA_DEFAULT_HASH_SM3 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_DEFAULT_HASH_SM3=y +CONFIG_IMA_DEFAULT_HASH="sm3" # CONFIG_IMA_WRITE_POLICY is not set # CONFIG_IMA_READ_POLICY is not set CONFIG_IMA_APPRAISE=y @@ -6456,7 +6456,7 @@ CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_LRW=m # CONFIG_CRYPTO_OFB is not set CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y # CONFIG_CRYPTO_KEYWRAP is not set # CONFIG_CRYPTO_NHPOLY1305_SSE2 is not set # CONFIG_CRYPTO_NHPOLY1305_AVX2 is not set @@ -6502,6 +6502,8 @@ CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_SM3_GENERIC=y +CONFIG_CRYPTO_SM3_AVX_X86_64=y # CONFIG_CRYPTO_STREEBOG is not set CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -6540,6 +6542,7 @@ CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m CONFIG_CRYPTO_SERPENT_AVX_X86_64=m CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m CONFIG_CRYPTO_SM4=y +CONFIG_CRYPTO_SM4_GENERIC=y CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64=y CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64=y CONFIG_CRYPTO_TEA=m diff --git a/arch/x86/configs/anolis_defconfig b/arch/x86/configs/anolis_defconfig index f073840a72b0..3beaaa5de80b 100644 --- a/arch/x86/configs/anolis_defconfig +++ b/arch/x86/configs/anolis_defconfig @@ -6323,10 +6323,10 @@ CONFIG_IMA_LSM_RULES=y CONFIG_IMA_SIG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set -# CONFIG_IMA_DEFAULT_HASH_SM3 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_DEFAULT_HASH_SM3=y +CONFIG_IMA_DEFAULT_HASH="sm3" # CONFIG_IMA_WRITE_POLICY is not set # CONFIG_IMA_READ_POLICY is not set CONFIG_IMA_APPRAISE=y @@ -6449,7 +6449,7 @@ CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_LRW=m # CONFIG_CRYPTO_OFB is not set CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y # CONFIG_CRYPTO_KEYWRAP is not set # CONFIG_CRYPTO_NHPOLY1305_SSE2 is not set # CONFIG_CRYPTO_NHPOLY1305_AVX2 is not set @@ -6495,6 +6495,8 @@ CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_SM3_GENERIC=y +CONFIG_CRYPTO_SM3_AVX_X86_64=y # CONFIG_CRYPTO_STREEBOG is not set CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -6533,6 +6535,7 @@ CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m CONFIG_CRYPTO_SERPENT_AVX_X86_64=m CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m CONFIG_CRYPTO_SM4=y +CONFIG_CRYPTO_SM4_GENERIC=y CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64=y CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64=y CONFIG_CRYPTO_TEA=m -- Gitee