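/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/*
 * fscrypt user API
 *
 * These ioctls can be used on filesystems that support fscrypt.  See the
 * "User API" section of Documentation/filesystems/fscrypt.rst.
 *
 * Everything in this header is userspace ABI: constant values, struct layouts
 * and ioctl numbers must not change.  Fields named __reserved are expected to
 * be zeroed by the caller (see fscrypt.rst), so zero-initialise the whole
 * argument struct before filling it in.
 */
#ifndef _UAPI_LINUX_FSCRYPT_H
#define _UAPI_LINUX_FSCRYPT_H

#include <linux/ioctl.h>
#include <linux/types.h>

/*
 * Encryption policy flags
 *
 * The low two bits (FSCRYPT_POLICY_FLAGS_PAD_MASK) select how far filenames
 * are padded before encryption; larger padding hides more of the plaintext
 * name length.  The remaining bits select how keys and IVs are derived.
 * NOTE(review): per fscrypt.rst, DIRECT_KEY, IV_INO_LBLK_64 and IV_INO_LBLK_32
 * are mutually exclusive, and IV_INO_LBLK_32 accepts some IV reuse to fit
 * hardware limits -- confirm against the kernel version in use before
 * choosing one of them.
 */
#define FSCRYPT_POLICY_FLAGS_PAD_4		0x00
#define FSCRYPT_POLICY_FLAGS_PAD_8		0x01
#define FSCRYPT_POLICY_FLAGS_PAD_16		0x02
#define FSCRYPT_POLICY_FLAGS_PAD_32		0x03
#define FSCRYPT_POLICY_FLAGS_PAD_MASK		0x03
#define FSCRYPT_POLICY_FLAG_DIRECT_KEY		0x04
#define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64	0x08
#define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32	0x10

/*
 * Encryption algorithms
 *
 * Values 2 and 3 are deliberately skipped; they survive only as the
 * "never used" FS_ENCRYPTION_MODE_* names at the end of this file.
 */
#define FSCRYPT_MODE_AES_256_XTS		1
#define FSCRYPT_MODE_AES_256_CTS		4
#define FSCRYPT_MODE_AES_128_CBC		5
#define FSCRYPT_MODE_AES_128_CTS		6
#define FSCRYPT_MODE_SM4_XTS			7
#define FSCRYPT_MODE_SM4_CTS			8
#define FSCRYPT_MODE_ADIANTUM			9
#define FSCRYPT_MODE_AES_256_HCTR2		10
/* If adding a mode number > 10, update FSCRYPT_MODE_MAX in fscrypt_private.h */

/*
 * Legacy policy version; ad-hoc KDF and no key verification.
 * For new encrypted directories, use fscrypt_policy_v2 instead.
 *
 * Careful: the .version field for this is actually 0, not 1.
 *
 * master_key_descriptor is only a caller-chosen label.  Because there is no
 * key verification, a wrong key supplied under the right descriptor is not
 * rejected by the policy itself.
 */
#define FSCRYPT_POLICY_V1		0
#define FSCRYPT_KEY_DESCRIPTOR_SIZE	8
struct fscrypt_policy_v1 {
	__u8 version;			/* FSCRYPT_POLICY_V1, i.e. 0 */
	__u8 contents_encryption_mode;	/* one of FSCRYPT_MODE_* */
	__u8 filenames_encryption_mode;	/* one of FSCRYPT_MODE_* */
	__u8 flags;			/* FSCRYPT_POLICY_FLAG* bits */
	__u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
};

/*
 * Process-subscribed "logon" key description prefix and payload format.
 * Deprecated; prefer FS_IOC_ADD_ENCRYPTION_KEY instead.
 *
 * raw[] holds the key material itself.  A caller that builds this struct
 * should wipe its own copy once the key has been handed over, using a wipe
 * the compiler cannot optimise away.
 */
#define FSCRYPT_KEY_DESC_PREFIX		"fscrypt:"
#define FSCRYPT_KEY_DESC_PREFIX_SIZE	8
#define FSCRYPT_MAX_KEY_SIZE		64
struct fscrypt_key {
	__u32 mode;
	__u8 raw[FSCRYPT_MAX_KEY_SIZE];
	__u32 size;	/* presumably the number of valid bytes in raw[] -- confirm */
};

/*
 * New policy version with HKDF and key verification (recommended).
 */
#define FSCRYPT_POLICY_V2		2
#define FSCRYPT_KEY_IDENTIFIER_SIZE	16
struct fscrypt_policy_v2 {
	__u8 version;			/* FSCRYPT_POLICY_V2 */
	__u8 contents_encryption_mode;	/* one of FSCRYPT_MODE_* */
	__u8 filenames_encryption_mode;	/* one of FSCRYPT_MODE_* */
	__u8 flags;			/* FSCRYPT_POLICY_FLAG* bits */
	__u8 log2_data_unit_size;
	__u8 __reserved[3];
	__u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
};

/*
 * Struct passed to FS_IOC_GET_ENCRYPTION_POLICY_EX
 *
 * The union lets the caller read .version first and then pick v1 or v2.
 * Check the returned version before touching either member.
 */
struct fscrypt_get_policy_ex_arg {
	__u64 policy_size; /* input/output */
	union {
		__u8 version;
		struct fscrypt_policy_v1 v1;
		struct fscrypt_policy_v2 v2;
	} policy; /* output */
};

/*
 * v1 policy keys are specified by an arbitrary 8-byte key "descriptor",
 * matching fscrypt_policy_v1::master_key_descriptor.
 */
#define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR	1

/*
 * v2 policy keys are specified by a 16-byte key "identifier" which the kernel
 * calculates as a cryptographic hash of the key itself,
 * matching fscrypt_policy_v2::master_key_identifier.
 */
#define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER	2

/*
 * Specifies a key, either for v1 or v2 policies.  This doesn't contain the
 * actual key itself; this is just the "name" of the key.
 *
 * The union is sized by its 32-byte __reserved member, so the struct is the
 * same size whichever specifier type is used.
 */
struct fscrypt_key_specifier {
	__u32 type;	/* one of FSCRYPT_KEY_SPEC_TYPE_* */
	__u32 __reserved;
	union {
		__u8 __reserved[32]; /* reserve some extra space */
		__u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
		__u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
	} u;
};

/*
 * Payload of Linux keyring key of type "fscrypt-provisioning", referenced by
 * fscrypt_add_key_arg::key_id as an alternative to fscrypt_add_key_arg::raw.
 */
struct fscrypt_provisioning_key_payload {
	__u32 type;
	__u32 __reserved;
	__u8 raw[];	/* key material; length is not carried in this struct */
};

/*
 * Struct passed to FS_IOC_ADD_ENCRYPTION_KEY
 *
 * The key arrives either inline in raw[] (raw_size bytes) or indirectly via
 * key_id.  raw[] is a flexible array member, so the caller allocates
 * sizeof(struct fscrypt_add_key_arg) + raw_size bytes and should wipe that
 * buffer after the ioctl returns.
 */
struct fscrypt_add_key_arg {
	struct fscrypt_key_specifier key_spec;
	__u32 raw_size;
	__u32 key_id;
	__u32 __reserved[7];
	/* N.B.: "temporary" flag, not reserved upstream */
	/*
	 * NOTE(review): because the bit is not reserved upstream, its meaning
	 * is specific to this tree -- do not assume other kernels honour it.
	 */
#define __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED		0x00000001
	__u32 __flags;
	__u8 raw[];
};

/*
 * Struct passed to FS_IOC_REMOVE_ENCRYPTION_KEY
 *
 * A successful return does not by itself mean the key is gone: callers
 * should inspect removal_status_flags.
 * NOTE(review): per fscrypt.rst, FILES_BUSY means some files are still in use
 * and OTHER_USERS means other users still hold a claim -- confirm.
 */
struct fscrypt_remove_key_arg {
	struct fscrypt_key_specifier key_spec;
#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY	0x00000001
#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS	0x00000002
	__u32 removal_status_flags;	/* output */
	__u32 __reserved[5];
};

/* Struct passed to FS_IOC_GET_ENCRYPTION_KEY_STATUS */
struct fscrypt_get_key_status_arg {
	/* input */
	struct fscrypt_key_specifier key_spec;
	__u32 __reserved[6];

	/* output */
#define FSCRYPT_KEY_STATUS_ABSENT		1
#define FSCRYPT_KEY_STATUS_PRESENT		2
#define FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED	3
	__u32 status;		/* one of FSCRYPT_KEY_STATUS_* (not a bitmask) */
#define FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF   0x00000001
	__u32 status_flags;	/* FSCRYPT_KEY_STATUS_FLAG_* bits */
	__u32 user_count;
	__u32 __out_reserved[13];
};

/*
 * ioctl numbers.
 *
 * The direction macros on the three oldest commands read backwards relative
 * to their names (SET is _IOR; GET_..._PWSALT and GET_..._POLICY are _IOW).
 * The encoded numbers are ABI, so they must be kept exactly as they are.
 * FS_IOC_GET_ENCRYPTION_POLICY_EX encodes only a 9-byte prefix (the 8-byte
 * policy_size plus the 1-byte version), not the full argument struct.
 */
#define FS_IOC_SET_ENCRYPTION_POLICY		_IOR('f', 19, struct fscrypt_policy_v1)
#define FS_IOC_GET_ENCRYPTION_PWSALT		_IOW('f', 20, __u8[16])
#define FS_IOC_GET_ENCRYPTION_POLICY		_IOW('f', 21, struct fscrypt_policy_v1)
#define FS_IOC_GET_ENCRYPTION_POLICY_EX		_IOWR('f', 22, __u8[9]) /* size + version */
#define FS_IOC_ADD_ENCRYPTION_KEY		_IOWR('f', 23, struct fscrypt_add_key_arg)
#define FS_IOC_REMOVE_ENCRYPTION_KEY		_IOWR('f', 24, struct fscrypt_remove_key_arg)
#define FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS	_IOWR('f', 25, struct fscrypt_remove_key_arg)
#define FS_IOC_GET_ENCRYPTION_KEY_STATUS	_IOWR('f', 26, struct fscrypt_get_key_status_arg)
#define FS_IOC_GET_ENCRYPTION_NONCE		_IOR('f', 27, __u8[16])

/**********************************************************************/

/*
 * old names; don't add anything new here!
 *
 * These aliases are visible to userspace only.  FS_POLICY_FLAGS_VALID (0x07)
 * predates the IV_INO_LBLK_64/32 flags, so it must not be used to validate
 * flags on current policies; likewise the FS_ENCRYPTION_MODE_* list has no
 * alias for the SM4 or HCTR2 modes.
 */
#ifndef __KERNEL__
#define fscrypt_policy			fscrypt_policy_v1
#define FS_KEY_DESCRIPTOR_SIZE		FSCRYPT_KEY_DESCRIPTOR_SIZE
#define FS_POLICY_FLAGS_PAD_4		FSCRYPT_POLICY_FLAGS_PAD_4
#define FS_POLICY_FLAGS_PAD_8		FSCRYPT_POLICY_FLAGS_PAD_8
#define FS_POLICY_FLAGS_PAD_16		FSCRYPT_POLICY_FLAGS_PAD_16
#define FS_POLICY_FLAGS_PAD_32		FSCRYPT_POLICY_FLAGS_PAD_32
#define FS_POLICY_FLAGS_PAD_MASK	FSCRYPT_POLICY_FLAGS_PAD_MASK
#define FS_POLICY_FLAG_DIRECT_KEY	FSCRYPT_POLICY_FLAG_DIRECT_KEY
#define FS_POLICY_FLAGS_VALID		0x07	/* contains old flags only */
#define FS_ENCRYPTION_MODE_INVALID	0	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_XTS	FSCRYPT_MODE_AES_256_XTS
#define FS_ENCRYPTION_MODE_AES_256_GCM	2	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_CBC	3	/* never used */
#define FS_ENCRYPTION_MODE_AES_256_CTS	FSCRYPT_MODE_AES_256_CTS
#define FS_ENCRYPTION_MODE_AES_128_CBC	FSCRYPT_MODE_AES_128_CBC
#define FS_ENCRYPTION_MODE_AES_128_CTS	FSCRYPT_MODE_AES_128_CTS
#define FS_ENCRYPTION_MODE_ADIANTUM	FSCRYPT_MODE_ADIANTUM
#define FS_KEY_DESC_PREFIX		FSCRYPT_KEY_DESC_PREFIX
#define FS_KEY_DESC_PREFIX_SIZE		FSCRYPT_KEY_DESC_PREFIX_SIZE
#define FS_MAX_KEY_SIZE			FSCRYPT_MAX_KEY_SIZE
#endif /* !__KERNEL__ */

#endif /* _UAPI_LINUX_FSCRYPT_H */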