| /kernel/linux/linux-6.6/Documentation/block/ |
| D | inline-encryption.rst | 6 Inline Encryption
12 Inline encryption hardware sits logically between memory and disk, and can
14 can control exactly how the inline encryption hardware will en/decrypt the data
18 Some inline encryption hardware accepts all encryption parameters including raw
19 keys directly in low-level I/O requests. However, most inline encryption
24 Note that inline encryption hardware is very different from traditional crypto
26 crypto accelerators operate on memory regions, whereas inline encryption
27 hardware operates on I/O requests. Thus, inline encryption hardware needs to be
30 Inline encryption hardware is also very different from "self-encrypting drives",
32 drives don't provide fine-grained control of encryption and provide no way to
[all …]
|
| /kernel/linux/linux-5.10/Documentation/x86/ |
| D | amd-memory-encryption.rst | 4 AMD Memory Encryption
7 Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
23 A page is encrypted when a page table entry has the encryption bit set (see
24 below on how to determine its position). The encryption bit can also be
26 successive level of page tables can also be encrypted by setting the encryption
29 encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
30 Each page table entry in the hierarchy needs to have the encryption bit set to
31 achieve that. So, theoretically, you could have the encryption bit set in cr3
32 so that the PGD is encrypted, but not set the encryption bit in the PGD entry
38 memory. Since the memory encryption bit is controlled by the guest OS when it
[all …]
|
| /kernel/linux/linux-6.6/Documentation/filesystems/ |
| D | fscrypt.rst | 2 Filesystem-level encryption (fscrypt)
9 transparent encryption of files and directories.
15 use encryption, see the documentation for the userspace tool `fscrypt
20 <https://source.android.com/security/encryption/file-based>`_, over
56 Provided that userspace chooses a strong encryption key, fscrypt
72 fscrypt (and storage encryption in general) can only provide limited
80 Cryptographic API algorithms or inline encryption hardware are. If a
89 After an encryption key has been added, fscrypt does not hide the
97 encryption but rather only by the correctness of the kernel.
98 Therefore, any encryption-specific access control checks would merely
[all …]
|
| /kernel/linux/linux-5.10/Documentation/block/ |
| D | inline-encryption.rst | 4 Inline Encryption
10 Inline encryption hardware sits logically between memory and the disk, and can
11 en/decrypt data as it goes in/out of the disk. Inline encryption hardware has a
12 fixed number of "keyslots" - slots into which encryption contexts (i.e. the
13 encryption key, encryption algorithm, data unit size) can be programmed by the
15 of a keyslot (and also a data unit number to act as an encryption tweak), and
16 the inline encryption hardware will en/decrypt the data in the request with the
17 encryption context programmed into that keyslot. This is very different from
18 full disk encryption solutions like self encrypting drives/TCG OPAL/ATA
19 Security standards, since with inline encryption, any block on disk could be
[all …]
|
| /kernel/linux/linux-5.10/Documentation/filesystems/ |
| D | fscrypt.rst | 2 Filesystem-level encryption (fscrypt)
9 transparent encryption of files and directories.
15 use encryption, see the documentation for the userspace tool `fscrypt
20 <https://source.android.com/security/encryption/file-based>`_, over
56 Provided that userspace chooses a strong encryption key, fscrypt
72 fscrypt (and storage encryption in general) can only provide limited
89 After an encryption key has been added, fscrypt does not hide the
97 encryption but rather only by the correctness of the kernel.
98 Therefore, any encryption-specific access control checks would merely
107 security vulnerability, can compromise all encryption keys that are
[all …]
|
| /kernel/linux/linux-6.6/Documentation/arch/x86/ |
| D | amd-memory-encryption.rst | 4 AMD Memory Encryption
7 Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
23 A page is encrypted when a page table entry has the encryption bit set (see
24 below on how to determine its position). The encryption bit can also be
26 successive level of page tables can also be encrypted by setting the encryption
29 encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
30 Each page table entry in the hierarchy needs to have the encryption bit set to
31 achieve that. So, theoretically, you could have the encryption bit set in cr3
32 so that the PGD is encrypted, but not set the encryption bit in the PGD entry
38 memory. Since the memory encryption bit is controlled by the guest OS when it
[all …]
|
| /kernel/linux/linux-5.10/include/linux/ |
| D | cc_platform.h | 24 * @CC_ATTR_MEM_ENCRYPT: Memory encryption is active
26 * The platform/OS is running with active memory encryption. This
28 * and actively using memory encryption or as a guest/virtual machine
29 * and actively using memory encryption.
36 * @CC_ATTR_HOST_MEM_ENCRYPT: Host memory encryption is active
39 * and actively using memory encryption.
46 * @CC_ATTR_GUEST_MEM_ENCRYPT: Guest memory encryption is active
49 * using memory encryption.
56 * @CC_ATTR_GUEST_STATE_ENCRYPT: Guest state encryption is active
59 * using memory encryption and register state encryption.
|
| D | fscrypt.h | 3 * fscrypt.h: declarations for per-file encryption
5 * Filesystems that implement per-file encryption must include this header
88 * contents encryption
104 * as a result of the encryption key being added, DCACHE_NOKEY_NAME must be
120 * encryption key added yet. Such dentries may be either positive or negative.
129 * encryption key, but just checking for the key on the directory inode during
480 /* Encryption support disabled; use standard comparison */ in fscrypt_match_name()
643 * encryption
646 * Return: true if the inode requires file contents encryption and if the
647 * encryption should be done in the block layer via blk-crypto rather
[all …]
|
| /kernel/linux/linux-6.6/include/linux/ |
| D | cc_platform.h | 24 * @CC_ATTR_MEM_ENCRYPT: Memory encryption is active
26 * The platform/OS is running with active memory encryption. This
28 * and actively using memory encryption or as a guest/virtual machine
29 * and actively using memory encryption.
36 * @CC_ATTR_HOST_MEM_ENCRYPT: Host memory encryption is active
39 * and actively using memory encryption.
46 * @CC_ATTR_GUEST_MEM_ENCRYPT: Guest memory encryption is active
49 * using memory encryption.
56 * @CC_ATTR_GUEST_STATE_ENCRYPT: Guest state encryption is active
59 * using memory encryption and register state encryption.
|
| D | blk-crypto-profile.h | 15 * struct blk_crypto_ll_ops - functions to control inline encryption hardware
17 * Low-level operations for controlling inline encryption hardware. This
19 * encryption. All functions may sleep, are serialized by profile->lock, and
25 * @keyslot_program: Program a key into the inline encryption hardware.
27 * Program @key into the specified @slot in the inline encryption
42 * @keyslot_evict: Evict a key from the inline encryption hardware.
63 * struct blk_crypto_profile - inline encryption profile for a device
65 * This struct contains a storage device's inline encryption capabilities (e.g.
67 * inline encryption hardware (e.g. programming and evicting keys), and optional
75 * @ll_ops: Driver-provided functions to control the inline encryption
|
| D | fscrypt.h | 3 * fscrypt.h: declarations for per-file encryption
5 * Filesystems that implement per-file encryption must include this header
23 * This is needed to ensure that all contents encryption modes will work, as
29 * compression), then it will need to pad to this alignment before encryption.
136 * encryption without the possibility of files becoming unreadable.
174 * external journal devices), and wants to support inline encryption,
194 * contents encryption
210 * as a result of the encryption key being added, DCACHE_NOKEY_NAME must be
226 * encryption key added yet. Such dentries may be either positive or negative.
235 * encryption key, but just checking for the key on the directory inode during
[all …]
|
| /kernel/linux/linux-5.10/arch/x86/mm/ |
| D | mem_encrypt_boot.S | 3 * AMD Memory Encryption Support
26 * RCX - virtual address of the encryption workarea, including:
28 * - encryption routine page (PAGE_SIZE)
30 * R8 - physcial address of the pagetables to use for encryption
39 addq $PAGE_SIZE, %rax /* Workarea encryption routine */
46 /* Copy encryption routine into the workarea */
47 movq %rax, %rdi /* Workarea encryption routine */
48 leaq __enc_copy(%rip), %rsi /* Encryption routine */
49 movq $(.L__enc_copy_end - __enc_copy), %rcx /* Encryption routine length */
55 movq %r8, %rdx /* Pagetables used for encryption */
[all …]
|
| /kernel/linux/linux-6.6/arch/x86/mm/ |
| D | mem_encrypt_boot.S | 3 * AMD Memory Encryption Support
26 * RCX - virtual address of the encryption workarea, including:
28 * - encryption routine page (PAGE_SIZE)
30 * R8 - physical address of the pagetables to use for encryption
39 addq $PAGE_SIZE, %rax /* Workarea encryption routine */
46 /* Copy encryption routine into the workarea */
47 movq %rax, %rdi /* Workarea encryption routine */
48 leaq __enc_copy(%rip), %rsi /* Encryption routine */
49 movq $(.L__enc_copy_end - __enc_copy), %rcx /* Encryption routine length */
55 movq %r8, %rdx /* Pagetables used for encryption */
[all …]
|
| /kernel/linux/linux-6.6/fs/crypto/ |
| D | Kconfig | 3 bool "FS Encryption (Per-file encryption)"
10 Enable encryption of files and directories. This
16 # Filesystems supporting encryption must select this if FS_ENCRYPTION. This
20 # Note: this option only pulls in the algorithms that filesystem encryption
21 # needs "by default". If userspace will use "non-default" encryption modes such
22 # as Adiantum encryption, then those other modes need to be explicitly enabled
46 Enable fscrypt to use inline encryption hardware if available.
|
| D | policy.c | 3 * Encryption policy functions for per-file encryption support.
21 * fscrypt_policies_equal() - check whether two encryption policies are the same
64 * Return %true if the given combination of encryption modes is supported for v1
65 * (and later) encryption policies.
67 * Do *not* add anything new here, since v1 encryption policies are deprecated.
133 * IV_INO_LBLK_* with other encryption modes arises. in supported_iv_ino_lblk_policy()
176 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v1_policy()
184 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v1_policy()
212 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v2_policy()
222 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v2_policy()
[all …]
|
| D | fscrypt_private.h | 26 * absolute minimum, which applies when only 128-bit encryption is used.
56 * fscrypt_context - the encryption context of an inode
60 * fields from the fscrypt_policy, in order to identify the encryption algorithm
129 /* Return the contents encryption mode of a valid encryption policy */
142 /* Return the filenames encryption mode of a valid encryption policy */
155 /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
178 * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption
192 * fscrypt_info - the "encryption key" for an inode
200 /* The key in a form prepared for actual encryption/decryption */
208 * True if this inode will use inline encryption (blk-crypto) instead of
[all …]
|
| D | inline_crypt.c | 3 * Inline encryption support for fscrypt
9 * With "inline encryption", the block layer handles the decryption/encryption
11 * crypto API. See Documentation/block/inline-encryption.rst. fscrypt still
65 * for an encryption mode for the first time. This is the blk-crypto
92 /* Enable inline encryption for this file if supported. */
102 /* The file must need contents encryption, not filenames encryption */ in fscrypt_select_encryption_impl()
120 * IV_INO_LBLK_32 with blocksize != PAGE_SIZE from inline encryption. in fscrypt_select_encryption_impl()
258 * encryption, then assign the appropriate encryption context to the bio.
263 * The encryption context will be freed automatically when the bio is freed.
333 * encryption (or decryption) via fscrypt, filesystems should call this function
[all …]
|
| D | hooks.c | 5 * Encryption hooks for higher-level filesystem operations.
15 * Currently, an encrypted regular file can only be opened if its encryption key
17 * Therefore, we first set up the inode's encryption key (if not already done)
22 * encryption policy. This is needed as part of the enforcement that all files
23 * in an encrypted directory tree use the same encryption policy, as a
43 "Inconsistent encryption context (parent directory: %lu)", in fscrypt_file_open()
120 * filesystems that handle filename encryption and no-key name encoding
122 * fscrypt_prepare_lookup(), this will try to set up the directory's encryption
126 * Return: 0 on success; -errno on error. Note that the encryption key being
128 * the encryption policy is unsupported by this kernel; that is treated
[all …]
|
| /kernel/linux/linux-5.10/Documentation/admin-guide/device-mapper/ |
| D | dm-crypt.rst | 5 Device-Mapper's "crypt" target provides transparent encryption of block devices
17 Encryption cipher, encryption mode and Initial Vector (IV) generator.
52 Key used for encryption. It is encoded either as a hexadecimal number
66 The encryption key size in bytes. The kernel key payload size must match
112 Perform encryption using the same cpu that IO was submitted on.
113 The default is to use an unbound workqueue so that encryption work
117 Disable offloading writes to a separate thread after encryption.
119 encryption threads to a single thread degrades performance
139 For Authenticated Encryption with Additional Data (AEAD)
145 Use <bytes> as the encryption unit instead of 512 bytes sectors.
[all …]
|
| /kernel/linux/linux-6.6/Documentation/admin-guide/device-mapper/ |
| D | dm-crypt.rst | 5 Device-Mapper's "crypt" target provides transparent encryption of block devices
17 Encryption cipher, encryption mode and Initial Vector (IV) generator.
52 Key used for encryption. It is encoded either as a hexadecimal number
66 The encryption key size in bytes. The kernel key payload size must match
112 Perform encryption using the same cpu that IO was submitted on.
113 The default is to use an unbound workqueue so that encryption work
117 Disable offloading writes to a separate thread after encryption.
119 encryption threads to a single thread degrades performance
139 For Authenticated Encryption with Additional Data (AEAD)
145 Use <bytes> as the encryption unit instead of 512 bytes sectors.
[all …]
|
| /kernel/linux/linux-6.6/drivers/crypto/ |
| D | sa2ul.h | 72 #define SA_ENG_ID_EM2 3 /* Encryption/Decryption enginefor pass 2 */
113 #define SA_CTX_ENC_TYPE1_SZ 64 /* Encryption SC with Key only */
114 #define SA_CTX_ENC_TYPE2_SZ 96 /* Encryption SC with Key and Aux1 */
126 * Bit 2-3: Fetch Encryption/Air Ciphering Bytes
231 * @submode: Encryption submodes
232 * @enc_size: Size of first pass encryption size
233 * @enc_size2: Size of second pass encryption size
234 * @enc_offset: Encryption payload offset in the packet
235 * @enc_iv: Encryption initialization vector for pass2
236 * @enc_iv2: Encryption initialization vector for pass2
[all …]
|
| /kernel/linux/linux-5.10/drivers/crypto/ |
| D | sa2ul.h | 72 #define SA_ENG_ID_EM2 3 /* Encryption/Decryption enginefor pass 2 */
113 #define SA_CTX_ENC_TYPE1_SZ 64 /* Encryption SC with Key only */
114 #define SA_CTX_ENC_TYPE2_SZ 96 /* Encryption SC with Key and Aux1 */
126 * Bit 2-3: Fetch Encryption/Air Ciphering Bytes
227 * @submode: Encryption submodes
228 * @enc_size: Size of first pass encryption size
229 * @enc_size2: Size of second pass encryption size
230 * @enc_offset: Encryption payload offset in the packet
231 * @enc_iv: Encryption initialization vector for pass2
232 * @enc_iv2: Encryption initialization vector for pass2
[all …]
|
| /kernel/linux/linux-5.10/fs/crypto/ |
| D | policy.c | 3 * Encryption policy functions for per-file encryption support.
20 * fscrypt_policies_equal() - check whether two encryption policies are the same
93 * IV_INO_LBLK_* with other encryption modes arises. in supported_iv_ino_lblk_policy()
136 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v1_policy()
144 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v1_policy()
172 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v2_policy()
182 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v2_policy()
191 fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", in fscrypt_supported_v2_policy()
218 fscrypt_warn(inode, "Reserved bits set in encryption policy"); in fscrypt_supported_v2_policy()
226 * fscrypt_supported_policy() - check whether an encryption policy is supported
[all …]
|
| D | fscrypt_private.h | 51 * fscrypt_context - the encryption context of an inode
55 * fields from the fscrypt_policy, in order to identify the encryption algorithm
124 /* Return the contents encryption mode of a valid encryption policy */
137 /* Return the filenames encryption mode of a valid encryption policy */
150 /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
173 * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption
187 * fscrypt_info - the "encryption key" for an inode
195 /* The key in a form prepared for actual encryption/decryption */
203 * True if this inode will use inline encryption (blk-crypto) instead of
204 * the traditional filesystem-layer encryption.
[all …]
|
| D | Kconfig | 3 bool "FS Encryption (Per-file encryption)"
10 Enable encryption of files and directories. This
16 # Filesystems supporting encryption must select this if FS_ENCRYPTION. This
32 Enable fscrypt to use inline encryption hardware if available.
|