1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _LINUX_ECRYPTFS_H 3 #define _LINUX_ECRYPTFS_H 4 5 /* Version verification for shared data structures w/ userspace */ 6 #define ECRYPTFS_VERSION_MAJOR 0x00 7 #define ECRYPTFS_VERSION_MINOR 0x04 8 #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 9 /* These flags indicate which features are supported by the kernel 10 * module; userspace tools such as the mount helper read the feature 11 * bits from a sysfs handle in order to determine how to behave. */ 12 #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 13 #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 14 #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 15 #define ECRYPTFS_VERSIONING_POLICY 0x00000008 16 #define ECRYPTFS_VERSIONING_XATTR 0x00000010 17 #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 18 #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 19 #define ECRYPTFS_VERSIONING_HMAC 0x00000080 20 #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 21 #define ECRYPTFS_VERSIONING_GCM 0x00000200 22 #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 23 #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH 24 #define ECRYPTFS_SALT_SIZE 8 25 #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) 26 /* The original signature size is only for what is stored on disk; all 27 * in-memory representations are expanded hex, so it better adapted to 28 * be passed around or referenced on the command line */ 29 #define ECRYPTFS_SIG_SIZE 8 30 #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) 31 #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX 32 #define ECRYPTFS_MAX_KEY_BYTES 64 33 #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 34 #define ECRYPTFS_FILE_VERSION 0x03 35 #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 36 37 #define RFC2440_CIPHER_DES3_EDE 0x02 38 #define RFC2440_CIPHER_CAST_5 0x03 39 #define RFC2440_CIPHER_BLOWFISH 0x04 40 #define RFC2440_CIPHER_AES_128 0x07 41 #define RFC2440_CIPHER_AES_192 0x08 42 #define RFC2440_CIPHER_AES_256 0x09 43 #define RFC2440_CIPHER_TWOFISH 0x0a 44 #define RFC2440_CIPHER_CAST_6 0x0b 45 46 #define RFC2440_CIPHER_RSA 0x01 47 48 /** 49 * For convenience, we may need to pass around the encrypted session 50 * key between kernel and userspace because the authentication token 51 * may not be extractable. For example, the TPM may not release the 52 * private key, instead requiring the encrypted data and returning the 53 * decrypted data. 54 */ 55 struct ecryptfs_session_key { 56 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 57 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 58 #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 59 #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 60 u32 flags; 61 u32 encrypted_key_size; 62 u32 decrypted_key_size; 63 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; 64 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; 65 }; 66 67 struct ecryptfs_password { 68 u32 password_bytes; 69 s32 hash_algo; 70 u32 hash_iterations; 71 u32 session_key_encryption_key_bytes; 72 #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 73 #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 74 u32 flags; 75 /* Iterated-hash concatenation of salt and passphrase */ 76 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; 77 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; 78 /* Always in expanded hex */ 79 u8 salt[ECRYPTFS_SALT_SIZE]; 80 }; 81 82 enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; 83 84 struct ecryptfs_private_key { 85 u32 key_size; 86 u32 data_len; 87 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; 88 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; 89 u8 data[]; 90 }; 91 92 /* May be a password or a private key */ 93 struct ecryptfs_auth_tok { 94 u16 version; /* 8-bit major and 8-bit minor */ 95 u16 token_type; 96 #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 97 u32 flags; 98 struct ecryptfs_session_key session_key; 99 u8 reserved[32]; 100 union { 101 struct ecryptfs_password password; 102 struct ecryptfs_private_key private_key; 103 } token; 104 } __attribute__ ((packed)); 105 106 #endif /* _LINUX_ECRYPTFS_H */ 107
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.