]> git.baikalelectronics.ru Git - kernel.git/commitdiff
dm: support key eviction from keyslot managers of underlying devices
authorSatya Tangirala <satyat@google.com>
Mon, 1 Feb 2021 05:10:18 +0000 (05:10 +0000)
committerMike Snitzer <snitzer@redhat.com>
Thu, 11 Feb 2021 14:45:25 +0000 (09:45 -0500)
Now that device mapper supports inline encryption, add the ability to
evict keys from all underlying devices. When an upper layer requests
a key eviction, we simply iterate through all underlying devices
and evict that key from each device.

Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Satya Tangirala <satyat@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
block/blk-crypto.c
drivers/md/dm-table.c

index 09fcb18fa778fad699cc4ac52894814d22adfd0a..c5bdaafffa29f09db48813a0784a7e3b3603fdf9 100644 (file)
@@ -409,3 +409,4 @@ int blk_crypto_evict_key(struct request_queue *q,
         */
        return blk_crypto_fallback_evict_key(key);
 }
+EXPORT_SYMBOL_GPL(blk_crypto_evict_key);
index 8c4ed3ec9409d801fae03de2b2f4685c699c7e6c..95391f78b8d55e9b36e1d4ed036700c7c6b7b1ef 100644 (file)
@@ -1214,6 +1214,58 @@ struct dm_keyslot_manager {
        struct mapped_device *md;
 };
 
+struct dm_keyslot_evict_args {
+       const struct blk_crypto_key *key;
+       int err;
+};
+
+static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev,
+                                    sector_t start, sector_t len, void *data)
+{
+       struct dm_keyslot_evict_args *args = data;
+       int err;
+
+       err = blk_crypto_evict_key(bdev_get_queue(dev->bdev), args->key);
+       if (!args->err)
+               args->err = err;
+       /* Always try to evict the key from all devices. */
+       return 0;
+}
+
+/*
+ * When an inline encryption key is evicted from a device-mapper device, evict
+ * it from all the underlying devices.
+ */
+static int dm_keyslot_evict(struct blk_keyslot_manager *ksm,
+                           const struct blk_crypto_key *key, unsigned int slot)
+{
+       struct dm_keyslot_manager *dksm = container_of(ksm,
+                                                      struct dm_keyslot_manager,
+                                                      ksm);
+       struct mapped_device *md = dksm->md;
+       struct dm_keyslot_evict_args args = { key };
+       struct dm_table *t;
+       int srcu_idx;
+       int i;
+       struct dm_target *ti;
+
+       t = dm_get_live_table(md, &srcu_idx);
+       if (!t)
+               return 0;
+       for (i = 0; i < dm_table_get_num_targets(t); i++) {
+               ti = dm_table_get_target(t, i);
+               if (!ti->type->iterate_devices)
+                       continue;
+               ti->type->iterate_devices(ti, dm_keyslot_evict_callback, &args);
+       }
+       dm_put_live_table(md, srcu_idx);
+       return args.err;
+}
+
+static struct blk_ksm_ll_ops dm_ksm_ll_ops = {
+       .keyslot_evict = dm_keyslot_evict,
+};
+
 static int device_intersect_crypto_modes(struct dm_target *ti,
                                         struct dm_dev *dev, sector_t start,
                                         sector_t len, void *data)
@@ -1270,6 +1322,7 @@ static int dm_table_construct_keyslot_manager(struct dm_table *t)
 
        ksm = &dksm->ksm;
        blk_ksm_init_passthrough(ksm);
+       ksm->ksm_ll_ops = dm_ksm_ll_ops;
        ksm->max_dun_bytes_supported = UINT_MAX;
        memset(ksm->crypto_modes_supported, 0xFF,
               sizeof(ksm->crypto_modes_supported));