/Linux-v5.15/Documentation/x86/

amd-memory-encryption.rst
  4: AMD Memory Encryption
  7: Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
  23: A page is encrypted when a page table entry has the encryption bit set (see
  24: below on how to determine its position). The encryption bit can also be
  26: successive level of page tables can also be encrypted by setting the encryption
  29: encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
  30: Each page table entry in the hierarchy needs to have the encryption bit set to
  31: achieve that. So, theoretically, you could have the encryption bit set in cr3
  32: so that the PGD is encrypted, but not set the encryption bit in the PGD entry
  38: memory. Since the memory encryption bit is controlled by the guest OS when it
  [all …]
/Linux-v5.15/Documentation/block/

inline-encryption.rst
  4: Inline Encryption
  10: Inline encryption hardware sits logically between memory and the disk, and can
  11: en/decrypt data as it goes in/out of the disk. Inline encryption hardware has a
  12: fixed number of "keyslots" - slots into which encryption contexts (i.e. the
  13: encryption key, encryption algorithm, data unit size) can be programmed by the
  15: of a keyslot (and also a data unit number to act as an encryption tweak), and
  16: the inline encryption hardware will en/decrypt the data in the request with the
  17: encryption context programmed into that keyslot. This is very different from
  18: full disk encryption solutions like self encrypting drives/TCG OPAL/ATA
  19: Security standards, since with inline encryption, any block on disk could be
  [all …]
/Linux-v5.15/Documentation/filesystems/

fscrypt.rst
  2: Filesystem-level encryption (fscrypt)
  9: transparent encryption of files and directories.
  15: use encryption, see the documentation for the userspace tool `fscrypt
  20: <https://source.android.com/security/encryption/file-based>`_, over
  56: Provided that userspace chooses a strong encryption key, fscrypt
  72: fscrypt (and storage encryption in general) can only provide limited
  89: After an encryption key has been added, fscrypt does not hide the
  97: encryption but rather only by the correctness of the kernel.
  98: Therefore, any encryption-specific access control checks would merely
  107: security vulnerability, can compromise all encryption keys that are
  [all …]
/Linux-v5.15/arch/x86/mm/

mem_encrypt_boot.S
  3: * AMD Memory Encryption Support
  26: * RCX - virtual address of the encryption workarea, including:
  28: * - encryption routine page (PAGE_SIZE)
  30: * R8 - physical address of the pagetables to use for encryption
  39: addq $PAGE_SIZE, %rax /* Workarea encryption routine */
  46: /* Copy encryption routine into the workarea */
  47: movq %rax, %rdi /* Workarea encryption routine */
  48: leaq __enc_copy(%rip), %rsi /* Encryption routine */
  49: movq $(.L__enc_copy_end - __enc_copy), %rcx /* Encryption routine length */
  55: movq %r8, %rdx /* Pagetables used for encryption */
  [all …]
mem_encrypt.c
  3: * AMD Memory Encryption Support
  48: /* Buffer used for early in-place encryption by BSP, no locking needed */
  52: * This routine does not change the underlying encryption setting of the
  126: /* Use early_pmd_flags but remove the encryption mask */ in __sme_early_map_unmap_mem()
  192: /* Update the protection map with memory encryption mask */ in sme_early_init()
  280: /* Change the page encryption mask. */ in __set_clr_pte_enc()
  316: * the number of pages to set/clear encryption bit is smaller in early_set_memory_enc_dec()
  404: * encryption mask. in force_dma_unencrypted()
  428: * The unused memory range was mapped decrypted, change the encryption in mem_encrypt_free_decrypted_mem()
  444: pr_info("AMD Memory Encryption Features active:"); in print_mem_encrypt_feature_info()
  [all …]
mem_encrypt_identity.c
  3: * AMD Memory Encryption Support
  80: * placed such that the in-place encryption logic overwrites them. This
  329: * SME encryption workarea using rip-relative addressing. in sme_encrypt_kernel()
  337: * executable encryption area size: in sme_encrypt_kernel()
  339: * encryption routine page (PAGE_SIZE) in sme_encrypt_kernel()
  341: * pagetable structures for the encryption of the kernel in sme_encrypt_kernel()
  361: * The total workarea includes the executable encryption area and in sme_encrypt_kernel()
  455: /* Perform the encryption */ in sme_encrypt_kernel()
  510: * - Bit 0 - Secure Memory Encryption support in sme_enable()
  513: * - Bits 5:0 - Pagetable bit position used to indicate encryption in sme_enable()
  [all …]
/Linux-v5.15/fs/crypto/

Kconfig
  3: bool "FS Encryption (Per-file encryption)"
  10: Enable encryption of files and directories. This
  16: # Filesystems supporting encryption must select this if FS_ENCRYPTION. This
  20: # Note: this option only pulls in the algorithms that filesystem encryption
  21: # needs "by default". If userspace will use "non-default" encryption modes such
  22: # as Adiantum encryption, then those other modes need to be explicitly enabled
  46: Enable fscrypt to use inline encryption hardware if available.
fscrypt_private.h
  51: * fscrypt_context - the encryption context of an inode
  55: * fields from the fscrypt_policy, in order to identify the encryption algorithm
  124: /* Return the contents encryption mode of a valid encryption policy */
  137: /* Return the filenames encryption mode of a valid encryption policy */
  150: /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */
  173: * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption
  187: * fscrypt_info - the "encryption key" for an inode
  195: /* The key in a form prepared for actual encryption/decryption */
  203: * True if this inode will use inline encryption (blk-crypto) instead of
  204: * the traditional filesystem-layer encryption.
  [all …]
policy.c
  3: * Encryption policy functions for per-file encryption support.
  20: * fscrypt_policies_equal() - check whether two encryption policies are the same
  93: * IV_INO_LBLK_* with other encryption modes arises. in supported_iv_ino_lblk_policy()
  136: "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v1_policy()
  144: fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v1_policy()
  172: "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v2_policy()
  182: fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v2_policy()
  191: fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", in fscrypt_supported_v2_policy()
  218: fscrypt_warn(inode, "Reserved bits set in encryption policy"); in fscrypt_supported_v2_policy()
  226: * fscrypt_supported_policy() - check whether an encryption policy is supported
  [all …]
inline_crypt.c
  3: * Inline encryption support for fscrypt
  9: * With "inline encryption", the block layer handles the decryption/encryption
  11: * crypto API. See Documentation/block/inline-encryption.rst. fscrypt still
  66: /* Enable inline encryption for this file if supported. */
  76: /* The file must need contents encryption, not filenames encryption */ in fscrypt_select_encryption_impl()
  94: * IV_INO_LBLK_32 with blocksize != PAGE_SIZE from inline encryption. in fscrypt_select_encryption_impl()
  235: * encryption, then assign the appropriate encryption context to the bio.
  240: * The encryption context will be freed automatically when the bio is freed.
  310: * encryption (or decryption) via fscrypt, filesystems should call this function
  313: * bio because either the encryption key would be different or the encryption
keysetup.c
  3: * Key setup facility for FS encryption support.
  67: …WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryp… in select_encryption_mode()
  72: /* Create a symmetric cipher object for the given encryption mode and key */
  120: * raw key, encryption mode, and flag indicating which encryption implementation
  151: /* Given a per-file encryption key, set up the file's crypto transform object */
  311: * DIRECT_KEY: instead of deriving per-file encryption keys, the in fscrypt_setup_v2_file_key()
  315: * encryption key. This ensures that the master key is in fscrypt_setup_v2_file_key()
  323: * IV_INO_LBLK_64: encryption keys are derived from (master_key, in fscrypt_setup_v2_file_key()
  326: * encryption hardware compliant with the UFS standard. in fscrypt_setup_v2_file_key()
  361: * Find the master key, then set up the inode's actual encryption key.
  [all …]
hooks.c
  5: * Encryption hooks for higher-level filesystem operations.
  17: * Currently, an encrypted regular file can only be opened if its encryption key
  19: * Therefore, we first set up the inode's encryption key (if not already done)
  24: * encryption policy. This is needed as part of the enforcement that all files
  25: * in an encrypted directory tree use the same encryption policy, as a
  45: "Inconsistent encryption context (parent directory: %lu)", in fscrypt_file_open()
  152: * if the directory uses a v2 encryption policy. in fscrypt_prepare_setflags()
  194: * -ENOKEY if the encryption key is missing, or another -errno code if a problem
  195: * occurred while setting up the encryption key.
  206: * the encryption policy which will be inherited from the directory. in fscrypt_prepare_symlink()
  [all …]
/Linux-v5.15/Documentation/admin-guide/device-mapper/

dm-crypt.rst
  5: Device-Mapper's "crypt" target provides transparent encryption of block devices
  17: Encryption cipher, encryption mode and Initial Vector (IV) generator.
  52: Key used for encryption. It is encoded either as a hexadecimal number
  66: The encryption key size in bytes. The kernel key payload size must match
  112: Perform encryption using the same cpu that IO was submitted on.
  113: The default is to use an unbound workqueue so that encryption work
  117: Disable offloading writes to a separate thread after encryption.
  119: encryption threads to a single thread degrades performance
  139: For Authenticated Encryption with Additional Data (AEAD)
  145: Use <bytes> as the encryption unit instead of 512 bytes sectors.
  [all …]
/Linux-v5.15/drivers/crypto/

sa2ul.h
  71: #define SA_ENG_ID_EM2 3 /* Encryption/Decryption enginefor pass 2 */
  112: #define SA_CTX_ENC_TYPE1_SZ 64 /* Encryption SC with Key only */
  113: #define SA_CTX_ENC_TYPE2_SZ 96 /* Encryption SC with Key and Aux1 */
  125: * Bit 2-3: Fetch Encryption/Air Ciphering Bytes
  230: * @submode: Encryption submodes
  231: * @enc_size: Size of first pass encryption size
  232: * @enc_size2: Size of second pass encryption size
  233: * @enc_offset: Encryption payload offset in the packet
  234: * @enc_iv: Encryption initialization vector for pass2
  235: * @enc_iv2: Encryption initialization vector for pass2
  [all …]
/Linux-v5.15/include/linux/

fscrypt.h
  3: * fscrypt.h: declarations for per-file encryption
  5: * Filesystems that implement per-file encryption must include this header
  128: * encryption without the possibility of files becoming unreadable.
  161: * external journal devices), and wants to support inline encryption,
  189: * contents encryption
  205: * as a result of the encryption key being added, DCACHE_NOKEY_NAME must be
  221: * encryption key added yet. Such dentries may be either positive or negative.
  230: * encryption key, but just checking for the key on the directory inode during
  578: /* Encryption support disabled; use standard comparison */ in fscrypt_match_name()
  752: * encryption
  [all …]
blk-crypto.h
  21: * struct blk_crypto_config - an inline encryption key's crypto configuration
  22: * @crypto_mode: encryption algorithm this key is for
  23: * @data_unit_size: the data unit size for all encryption/decryptions with this
  36: * struct blk_crypto_key - an inline encryption key
  58: * struct bio_crypt_ctx - an inline encryption context
  117: * bio_crypt_clone - clone bio encryption context
  122: * If @src has an encryption context, clone it to @dst.
/Linux-v5.15/net/sunrpc/

Kconfig
  38: bool "Secure RPC: Disable insecure Kerberos encryption types"
  42: Choose Y here to disable the use of deprecated encryption types
  44: deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC,
  49: keytabs that contain only these deprecated encryption types.
  50: Choosing Y prevents the use of known-insecure encryption types
/Linux-v5.15/Documentation/crypto/

descore-readme.rst
  5: Fast & Portable DES encryption & decryption
  15: des - fast & portable DES encryption & decryption.
  41: 1. Highest possible encryption/decryption PERFORMANCE.
  62: - 30us per encryption (options: 64k tables, no IP/FP)
  63: - 33us per encryption (options: 64k tables, FIPS standard bit ordering)
  64: - 45us per encryption (options: 2k tables, no IP/FP)
  65: - 48us per encryption (options: 2k tables, FIPS standard bit ordering)
  68: this has the quickest encryption/decryption routines i've seen.
  80: - 53us per encryption (uses 2k of tables)
  85: encryption/decryption is still slower on the sparc and 68000.
  [all …]
api-aead.rst
  1: Authenticated Encryption With Associated Data (AEAD) Algorithm Definitions
  5: :doc: Authenticated Encryption With Associated Data (AEAD) Cipher API
  10: Authenticated Encryption With Associated Data (AEAD) Cipher API
/Linux-v5.15/Documentation/virt/kvm/

amd-memory-encryption.rst
  29: Bit[23] 1 = memory encryption can be enabled
  30: 0 = memory encryption can not be enabled
  33: Bit[0] 1 = memory encryption can be enabled
  34: 0 = memory encryption can not be enabled
  43: SEV hardware uses ASIDs to associate a memory encryption key with a VM.
  93: The KVM_SEV_LAUNCH_START command is used for creating the memory encryption
  94: context. To create the encryption context, user must provide a guest policy,
  297: outgoing guest encryption context.
  328: outgoing guest memory region with the encryption context creating using
  356: issued by the hypervisor to delete the encryption context.
  [all …]
/Linux-v5.15/crypto/

Kconfig
  277: published by State Encryption Management Bureau, China.
  296: comment "Authenticated Encryption with Associated Data"
  369: This IV generator generates an IV based on the encryption of
  410: for AES encryption.
  445: normally even when applied before encryption.
  484: Adiantum encryption mode.
  492: Adiantum encryption mode.
  501: Adiantum is a tweakable, length-preserving encryption mode
  502: designed for fast and secure disk encryption, especially on
  512: bound. Unlike XTS, Adiantum is a true wide-block encryption
  [all …]
/Linux-v5.15/include/crypto/

aead.h
  3: * AEAD: Authenticated Encryption with Associated Data
  16: * DOC: Authenticated Encryption With Associated Data (AEAD) Cipher API
  21: * The most prominent examples for this type of encryption is GCM and CCM.
  34: * encryption or decryption operation. In case of an encryption, the associated
  35: * data memory is filled during the encryption operation. For decryption, the
  51: * during encryption (resp. decryption).
  53: * In-place encryption/decryption is enabled by using the same scatterlist
  112: * during encryption or the size of the authentication tag to be
  259: * data returned by the encryption or decryption operation
  333: * IMPORTANT NOTE The encryption operation creates the authentication data /
  [all …]
/Linux-v5.15/block/

blk-crypto.c
  7: * Refer to Documentation/block/inline-encryption.rst for detailed explanation.
  231: * been programmed into some inline encryption hardware, that keyslot is
  242: * __blk_crypto_bio_prep - Prepare bio for inline encryption
  247: * device's inline encryption hardware, do nothing.
  250: * kernel crypto API. When the crypto API fallback is used for encryption,
  280: * Success if device supports the encryption context, or if we succeeded in __blk_crypto_bio_prep()
  311: * @crypto_mode: identifier for the encryption algorithm to use
  387: * blk_crypto_evict_key() - Evict a key from any inline encryption hardware
  389: * @q: The request queue who's associated inline encryption hardware this key
  406: * If the request queue's associated inline encryption hardware didn't in blk_crypto_evict_key()
Kconfig
  177: bool "Enable inline encryption support in block layer"
  180: block layer handle encryption, so users can take
  181: advantage of inline encryption hardware if present.
  189: Enabling this lets the block layer handle inline encryption
  191: encryption hardware is not present.
/Linux-v5.15/arch/s390/include/uapi/asm/

tape390.h
  4: * enables user programs to display messages and control encryption
  40: * Tape encryption support
  68: * The TAPE390_CRYPT_SET ioctl is used to switch on/off encryption.
  74: * The TAPE390_CRYPT_QUERY ioctl is used to query the encryption state.