fs/ecryptfs/keystore.c
Source file repositories/reference/linux-study-clean/fs/ecryptfs/keystore.c
File Facts
- System
- Linux kernel
- Corpus path
fs/ecryptfs/keystore.c- Extension
.c- Size
- 79065 bytes
- Lines
- 2490
- Domain
- Core OS
- Bucket
- VFS And Filesystem Core
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
crypto/skcipher.hlinux/string.hlinux/pagemap.hlinux/key.hlinux/random.hlinux/scatterlist.hlinux/slab.hecryptfs_kernel.h
Detected Declarations
struct ecryptfs_write_tag_70_packet_silly_stackstruct ecryptfs_parse_tag_70_packet_silly_stackfunction process_request_key_errfunction process_find_global_auth_tok_for_sig_errfunction ecryptfs_parse_packet_lengthfunction ecryptfs_write_packet_lengthfunction write_tag_64_packetfunction parse_tag_65_packetfunction write_tag_66_packetfunction parse_tag_67_packetfunction ecryptfs_verify_versionfunction ecryptfs_verify_auth_tok_from_keyfunction ecryptfs_find_global_auth_tok_for_sigfunction ecryptfs_find_auth_tok_for_sigfunction keyfunction ecryptfs_parse_tag_70_packetfunction ecryptfs_get_auth_tok_sigfunction decrypt_pki_encrypted_session_keyfunction wipe_auth_tok_listfunction list_for_each_entry_safefunction parse_tag_1_packetfunction identifierfunction parse_tag_3_packetfunction identifierfunction parse_tag_11_packetfunction identifierfunction ecryptfs_keyring_auth_tok_for_sigfunction decrypt_passphrase_encrypted_session_keyfunction ecryptfs_parse_packet_setfunction list_for_each_entry_safefunction pki_encrypt_session_keyfunction write_tag_1_packetfunction write_tag_11_packetfunction write_tag_3_packetfunction ecryptfs_generate_key_packet_setfunction ecryptfs_add_keysigfunction ecryptfs_add_global_auth_tok
Annotated Snippet
struct ecryptfs_write_tag_70_packet_silly_stack {
u8 cipher_code;
size_t max_packet_size;
size_t packet_size_len;
size_t block_aligned_filename_size;
size_t block_size;
size_t i;
size_t j;
size_t num_rand_bytes;
struct mutex *tfm_mutex;
char *block_aligned_filename;
struct ecryptfs_auth_tok *auth_tok;
struct scatterlist src_sg[2];
struct scatterlist dst_sg[2];
struct crypto_skcipher *skcipher_tfm;
struct skcipher_request *skcipher_req;
char iv[ECRYPTFS_MAX_IV_BYTES];
char hash[MD5_DIGEST_SIZE];
};
/*
* write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK
* @filename: NULL-terminated filename string
*
* This is the simplest mechanism for achieving filename encryption in
* eCryptfs. It encrypts the given filename with the mount-wide
* filename encryption key (FNEK) and stores it in a packet to @dest,
* which the callee will encode and write directly into the dentry
* name.
*/
int
ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
size_t *packet_size,
struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
char *filename, size_t filename_size)
{
struct ecryptfs_write_tag_70_packet_silly_stack *s;
struct key *auth_tok_key = NULL;
int rc = 0;
s = kzalloc_obj(*s);
if (!s)
return -ENOMEM;
(*packet_size) = 0;
rc = ecryptfs_find_auth_tok_for_sig(
&auth_tok_key,
&s->auth_tok, mount_crypt_stat,
mount_crypt_stat->global_default_fnek_sig);
if (rc) {
printk(KERN_ERR "%s: Error attempting to find auth tok for "
"fnek sig [%s]; rc = [%d]\n", __func__,
mount_crypt_stat->global_default_fnek_sig, rc);
goto out;
}
rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
&s->skcipher_tfm,
&s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
if (unlikely(rc)) {
printk(KERN_ERR "Internal error whilst attempting to get "
"tfm and mutex for cipher name [%s]; rc = [%d]\n",
mount_crypt_stat->global_default_fn_cipher_name, rc);
goto out;
}
mutex_lock(s->tfm_mutex);
s->block_size = crypto_skcipher_blocksize(s->skcipher_tfm);
/* Plus one for the \0 separator between the random prefix
* and the plaintext filename */
s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1);
s->block_aligned_filename_size = (s->num_rand_bytes + filename_size);
if ((s->block_aligned_filename_size % s->block_size) != 0) {
s->num_rand_bytes += (s->block_size
- (s->block_aligned_filename_size
% s->block_size));
s->block_aligned_filename_size = (s->num_rand_bytes
+ filename_size);
}
/* Octet 0: Tag 70 identifier
* Octets 1-N1: Tag 70 packet size (includes cipher identifier
* and block-aligned encrypted filename size)
* Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE)
* Octet N2-N3: Cipher identifier (1 octet)
* Octets N3-N4: Block-aligned encrypted filename
* - Consists of a minimum number of random characters, a \0
* separator, and then the filename */
s->max_packet_size = (ECRYPTFS_TAG_70_MAX_METADATA_SIZE
+ s->block_aligned_filename_size);
if (!dest) {
(*packet_size) = s->max_packet_size;
goto out_unlock;
Annotation
- Immediate include surface: `crypto/skcipher.h`, `linux/string.h`, `linux/pagemap.h`, `linux/key.h`, `linux/random.h`, `linux/scatterlist.h`, `linux/slab.h`, `ecryptfs_kernel.h`.
- Detected declarations: `struct ecryptfs_write_tag_70_packet_silly_stack`, `struct ecryptfs_parse_tag_70_packet_silly_stack`, `function process_request_key_err`, `function process_find_global_auth_tok_for_sig_err`, `function ecryptfs_parse_packet_length`, `function ecryptfs_write_packet_length`, `function write_tag_64_packet`, `function parse_tag_65_packet`, `function write_tag_66_packet`, `function parse_tag_67_packet`.
- Atlas domain: Core OS / VFS And Filesystem Core.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.