@@ -261,9 +261,9 @@ DIRECT_KEY policies
261261
262262The Adiantum encryption mode (see `Encryption modes and usage `_) is
263263suitable for both contents and filenames encryption, and it accepts
264- long IVs --- long enough to hold both an 8-byte logical block number
265- and a 16-byte per-file nonce. Also, the overhead of each Adiantum key
266- is greater than that of an AES-256-XTS key.
264+ long IVs --- long enough to hold both an 8-byte data unit index and a
265+ 16-byte per-file nonce. Also, the overhead of each Adiantum key is
266+ greater than that of an AES-256-XTS key.
267267
268268Therefore, to improve performance and save memory, for Adiantum a
269269"direct key" configuration is supported. When the user has enabled
@@ -300,8 +300,8 @@ IV_INO_LBLK_32 policies
300300
301301IV_INO_LBLK_32 policies work like IV_INO_LBLK_64, except that for
302302IV_INO_LBLK_32, the inode number is hashed with SipHash-2-4 (where the
303- SipHash key is derived from the master key) and added to the file
304- logical block number mod 2^32 to produce a 32-bit IV.
303+ SipHash key is derived from the master key) and added to the file data
304+ unit index mod 2^32 to produce a 32-bit IV.
305305
306306This format is optimized for use with inline encryption hardware
307307compliant with the eMMC v5.2 standard, which supports only 32 IV bits
@@ -384,31 +384,62 @@ with ciphertext expansion.
384384Contents encryption
385385-------------------
386386
387- For file contents, each filesystem block is encrypted independently.
388- Starting from Linux kernel 5.5, encryption of filesystems with block
389- size less than system's page size is supported.
390-
391- Each block's IV is set to the logical block number within the file as
392- a little endian number, except that:
393-
394- - With CBC mode encryption, ESSIV is also used. Specifically, each IV
395- is encrypted with AES-256 where the AES-256 key is the SHA-256 hash
396- of the file's data encryption key.
397-
398- - With `DIRECT_KEY policies `_, the file's nonce is appended to the IV.
399- Currently this is only allowed with the Adiantum encryption mode.
400-
401- - With `IV_INO_LBLK_64 policies `_, the logical block number is limited
402- to 32 bits and is placed in bits 0-31 of the IV. The inode number
403- (which is also limited to 32 bits) is placed in bits 32-63.
404-
405- - With `IV_INO_LBLK_32 policies `_, the logical block number is limited
406- to 32 bits and is placed in bits 0-31 of the IV. The inode number
407- is then hashed and added mod 2^32.
408-
409- Note that because file logical block numbers are included in the IVs,
410- filesystems must enforce that blocks are never shifted around within
411- encrypted files, e.g. via "collapse range" or "insert range".
387+ For contents encryption, each file's contents is divided into "data
388+ units". Each data unit is encrypted independently. The IV for each
389+ data unit incorporates the zero-based index of the data unit within
390+ the file. This ensures that each data unit within a file is encrypted
391+ differently, which is essential to prevent leaking information.
392+
393+ Note: the encryption depending on the offset into the file means that
394+ operations like "collapse range" and "insert range" that rearrange the
395+ extent mapping of files are not supported on encrypted files.
396+
397+ There are two cases for the sizes of the data units:
398+
399+ * Fixed-size data units. This is how all filesystems other than UBIFS
400+ work. A file's data units are all the same size; the last data unit
401+ is zero-padded if needed. By default, the data unit size is equal
402+ to the filesystem block size. On some filesystems, users can select
403+ a sub-block data unit size via the ``log2_data_unit_size `` field of
404+ the encryption policy; see `FS_IOC_SET_ENCRYPTION_POLICY `_.
405+
406+ * Variable-size data units. This is what UBIFS does. Each "UBIFS
407+ data node" is treated as a crypto data unit. Each contains variable
408+ length, possibly compressed data, zero-padded to the next 16-byte
409+ boundary. Users cannot select a sub-block data unit size on UBIFS.
410+
411+ In the case of compression + encryption, the compressed data is
412+ encrypted. UBIFS compression works as described above. f2fs
413+ compression works a bit differently; it compresses a number of
414+ filesystem blocks into a smaller number of filesystem blocks.
415+ Therefore a f2fs-compressed file still uses fixed-size data units, and
416+ it is encrypted in a similar way to a file containing holes.
417+
418+ As mentioned in `Key hierarchy `_, the default encryption setting uses
419+ per-file keys. In this case, the IV for each data unit is simply the
420+ index of the data unit in the file. However, users can select an
421+ encryption setting that does not use per-file keys. For these, some
422+ kind of file identifier is incorporated into the IVs as follows:
423+
424+ - With `DIRECT_KEY policies `_, the data unit index is placed in bits
425+ 0-63 of the IV, and the file's nonce is placed in bits 64-191.
426+
427+ - With `IV_INO_LBLK_64 policies `_, the data unit index is placed in
428+ bits 0-31 of the IV, and the file's inode number is placed in bits
429+ 32-63. This setting is only allowed when data unit indices and
430+ inode numbers fit in 32 bits.
431+
432+ - With `IV_INO_LBLK_32 policies `_, the file's inode number is hashed
433+ and added to the data unit index. The resulting value is truncated
434+ to 32 bits and placed in bits 0-31 of the IV. This setting is only
435+ allowed when data unit indices and inode numbers fit in 32 bits.
436+
437+ The byte order of the IV is always little endian.
438+
439+ If the user selects FSCRYPT_MODE_AES_128_CBC for the contents mode, an
440+ ESSIV layer is automatically included. In this case, before the IV is
441+ passed to AES-128-CBC, it is encrypted with AES-256 where the AES-256
442+ key is the SHA-256 hash of the file's contents encryption key.
412443
413444Filenames encryption
414445--------------------
@@ -477,7 +508,8 @@ follows::
477508 __u8 contents_encryption_mode;
478509 __u8 filenames_encryption_mode;
479510 __u8 flags;
480- __u8 __reserved[4];
511+ __u8 log2_data_unit_size;
512+ __u8 __reserved[3];
481513 __u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
482514 };
483515
@@ -512,6 +544,29 @@ This structure must be initialized as follows:
512544 The DIRECT_KEY, IV_INO_LBLK_64, and IV_INO_LBLK_32 flags are
513545 mutually exclusive.
514546
547+ - ``log2_data_unit_size `` is the log2 of the data unit size in bytes,
548+ or 0 to select the default data unit size. The data unit size is
549+ the granularity of file contents encryption. For example, setting
550+ ``log2_data_unit_size `` to 12 causes file contents be passed to the
551+ underlying encryption algorithm (such as AES-256-XTS) in 4096-byte
552+ data units, each with its own IV.
553+
554+ Not all filesystems support setting ``log2_data_unit_size ``. ext4
555+ and f2fs support it since Linux v6.7. On filesystems that support
556+ it, the supported nonzero values are 9 through the log2 of the
557+ filesystem block size, inclusively. The default value of 0 selects
558+ the filesystem block size.
559+
560+ The main use case for ``log2_data_unit_size `` is for selecting a
561+ data unit size smaller than the filesystem block size for
562+ compatibility with inline encryption hardware that only supports
563+ smaller data unit sizes. ``/sys/block/$disk/queue/crypto/ `` may be
564+ useful for checking which data unit sizes are supported by a
565+ particular system's inline encryption hardware.
566+
567+ Leave this field zeroed unless you are certain you need it. Using
568+ an unnecessarily small data unit size reduces performance.
569+
515570- For v2 encryption policies, ``__reserved `` must be zeroed.
516571
517572- For v1 encryption policies, ``master_key_descriptor `` specifies how
0 commit comments