/Linux-v6.6/Documentation/block/ |
D | inline-encryption.rst | 6 Inline Encryption 12 Inline encryption hardware sits logically between memory and disk, and can 14 can control exactly how the inline encryption hardware will en/decrypt the data 18 Some inline encryption hardware accepts all encryption parameters including raw 19 keys directly in low-level I/O requests. However, most inline encryption 24 Note that inline encryption hardware is very different from traditional crypto 26 crypto accelerators operate on memory regions, whereas inline encryption 27 hardware operates on I/O requests. Thus, inline encryption hardware needs to be 30 Inline encryption hardware is also very different from "self-encrypting drives", 32 drives don't provide fine-grained control of encryption and provide no way to [all …]
|
/Linux-v6.6/Documentation/filesystems/ |
D | fscrypt.rst | 2 Filesystem-level encryption (fscrypt) 9 transparent encryption of files and directories. 15 use encryption, see the documentation for the userspace tool `fscrypt 20 <https://source.android.com/security/encryption/file-based>`_, over 56 Provided that userspace chooses a strong encryption key, fscrypt 72 fscrypt (and storage encryption in general) can only provide limited 80 Cryptographic API algorithms or inline encryption hardware are. If a 89 After an encryption key has been added, fscrypt does not hide the 97 encryption but rather only by the correctness of the kernel. 98 Therefore, any encryption-specific access control checks would merely [all …]
|
/Linux-v6.6/Documentation/arch/x86/ |
D | amd-memory-encryption.rst | 4 AMD Memory Encryption 7 Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are 23 A page is encrypted when a page table entry has the encryption bit set (see 24 below on how to determine its position). The encryption bit can also be 26 successive level of page tables can also be encrypted by setting the encryption 29 encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted. 30 Each page table entry in the hierarchy needs to have the encryption bit set to 31 achieve that. So, theoretically, you could have the encryption bit set in cr3 32 so that the PGD is encrypted, but not set the encryption bit in the PGD entry 38 memory. Since the memory encryption bit is controlled by the guest OS when it [all …]
|
/Linux-v6.6/include/linux/ |
D | cc_platform.h | 24 * @CC_ATTR_MEM_ENCRYPT: Memory encryption is active 26 * The platform/OS is running with active memory encryption. This 28 * and actively using memory encryption or as a guest/virtual machine 29 * and actively using memory encryption. 36 * @CC_ATTR_HOST_MEM_ENCRYPT: Host memory encryption is active 39 * and actively using memory encryption. 46 * @CC_ATTR_GUEST_MEM_ENCRYPT: Guest memory encryption is active 49 * using memory encryption. 56 * @CC_ATTR_GUEST_STATE_ENCRYPT: Guest state encryption is active 59 * using memory encryption and register state encryption.
|
D | blk-crypto-profile.h | 15 * struct blk_crypto_ll_ops - functions to control inline encryption hardware 17 * Low-level operations for controlling inline encryption hardware. This 19 * encryption. All functions may sleep, are serialized by profile->lock, and 25 * @keyslot_program: Program a key into the inline encryption hardware. 27 * Program @key into the specified @slot in the inline encryption 42 * @keyslot_evict: Evict a key from the inline encryption hardware. 63 * struct blk_crypto_profile - inline encryption profile for a device 65 * This struct contains a storage device's inline encryption capabilities (e.g. 67 * inline encryption hardware (e.g. programming and evicting keys), and optional 75 * @ll_ops: Driver-provided functions to control the inline encryption
|
D | fscrypt.h | 3 * fscrypt.h: declarations for per-file encryption 5 * Filesystems that implement per-file encryption must include this header 23 * This is needed to ensure that all contents encryption modes will work, as 29 * compression), then it will need to pad to this alignment before encryption. 136 * encryption without the possibility of files becoming unreadable. 174 * external journal devices), and wants to support inline encryption, 194 * contents encryption 210 * as a result of the encryption key being added, DCACHE_NOKEY_NAME must be 226 * encryption key added yet. Such dentries may be either positive or negative. 235 * encryption key, but just checking for the key on the directory inode during [all …]
|
D | blk-crypto.h | 22 * struct blk_crypto_config - an inline encryption key's crypto configuration 23 * @crypto_mode: encryption algorithm this key is for 24 * @data_unit_size: the data unit size for all encryption/decryptions with this 37 * struct blk_crypto_key - an inline encryption key 59 * struct bio_crypt_ctx - an inline encryption context 117 * bio_crypt_clone - clone bio encryption context 122 * If @src has an encryption context, clone it to @dst.
|
/Linux-v6.6/arch/x86/mm/ |
D | mem_encrypt_boot.S | 3 * AMD Memory Encryption Support 26 * RCX - virtual address of the encryption workarea, including: 28 * - encryption routine page (PAGE_SIZE) 30 * R8 - physical address of the pagetables to use for encryption 39 addq $PAGE_SIZE, %rax /* Workarea encryption routine */ 46 /* Copy encryption routine into the workarea */ 47 movq %rax, %rdi /* Workarea encryption routine */ 48 leaq __enc_copy(%rip), %rsi /* Encryption routine */ 49 movq $(.L__enc_copy_end - __enc_copy), %rcx /* Encryption routine length */ 55 movq %r8, %rdx /* Pagetables used for encryption */ [all …]
|
D | mem_encrypt.c | 3 * Memory Encryption Support Common Code 28 * encryption mask. in force_dma_unencrypted() 44 pr_info("Memory Encryption Features active:"); in print_mem_encrypt_feature_info() 53 /* Secure Memory Encryption */ in print_mem_encrypt_feature_info()
|
D | mem_encrypt_amd.c | 3 * AMD Memory Encryption Support 50 /* Buffer used for early in-place encryption by BSP, no locking needed */ 84 * This routine does not change the underlying encryption setting of the 163 /* Use early_pmd_flags but remove the encryption mask */ in __sme_early_map_unmap_mem() 325 * to invalidate the memory before encryption attribute is cleared. in amd_enc_status_change_prepare() 392 /* Change the page encryption mask. */ in __set_clr_pte_enc() 436 * the number of pages to set/clear encryption bit is smaller in early_set_memory_enc_dec() 498 /* Update the protection map with memory encryption mask */ in sme_early_init() 532 * If the unused memory range was mapped decrypted, change the encryption in mem_encrypt_free_decrypted_mem() 534 * re-encryption on the same condition used for the decryption in in mem_encrypt_free_decrypted_mem()
|
/Linux-v6.6/fs/crypto/ |
D | Kconfig | 3 bool "FS Encryption (Per-file encryption)" 10 Enable encryption of files and directories. This 16 # Filesystems supporting encryption must select this if FS_ENCRYPTION. This 20 # Note: this option only pulls in the algorithms that filesystem encryption 21 # needs "by default". If userspace will use "non-default" encryption modes such 22 # as Adiantum encryption, then those other modes need to be explicitly enabled 46 Enable fscrypt to use inline encryption hardware if available.
|
D | policy.c | 3 * Encryption policy functions for per-file encryption support. 21 * fscrypt_policies_equal() - check whether two encryption policies are the same 64 * Return %true if the given combination of encryption modes is supported for v1 65 * (and later) encryption policies. 67 * Do *not* add anything new here, since v1 encryption policies are deprecated. 133 * IV_INO_LBLK_* with other encryption modes arises. in supported_iv_ino_lblk_policy() 176 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v1_policy() 184 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v1_policy() 212 "Unsupported encryption modes (contents %d, filenames %d)", in fscrypt_supported_v2_policy() 222 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", in fscrypt_supported_v2_policy() [all …]
|
D | fscrypt_private.h | 26 * absolute minimum, which applies when only 128-bit encryption is used. 56 * fscrypt_context - the encryption context of an inode 60 * fields from the fscrypt_policy, in order to identify the encryption algorithm 129 /* Return the contents encryption mode of a valid encryption policy */ 142 /* Return the filenames encryption mode of a valid encryption policy */ 155 /* Return the flags (FSCRYPT_POLICY_FLAG*) of a valid encryption policy */ 178 * struct fscrypt_prepared_key - a key prepared for actual encryption/decryption 192 * fscrypt_info - the "encryption key" for an inode 200 /* The key in a form prepared for actual encryption/decryption */ 208 * True if this inode will use inline encryption (blk-crypto) instead of [all …]
|
D | inline_crypt.c | 3 * Inline encryption support for fscrypt 9 * With "inline encryption", the block layer handles the decryption/encryption 11 * crypto API. See Documentation/block/inline-encryption.rst. fscrypt still 65 * for an encryption mode for the first time. This is the blk-crypto 92 /* Enable inline encryption for this file if supported. */ 102 /* The file must need contents encryption, not filenames encryption */ in fscrypt_select_encryption_impl() 120 * IV_INO_LBLK_32 with blocksize != PAGE_SIZE from inline encryption. in fscrypt_select_encryption_impl() 258 * encryption, then assign the appropriate encryption context to the bio. 263 * The encryption context will be freed automatically when the bio is freed. 333 * encryption (or decryption) via fscrypt, filesystems should call this function [all …]
|
D | hooks.c | 5 * Encryption hooks for higher-level filesystem operations. 15 * Currently, an encrypted regular file can only be opened if its encryption key 17 * Therefore, we first set up the inode's encryption key (if not already done) 22 * encryption policy. This is needed as part of the enforcement that all files 23 * in an encrypted directory tree use the same encryption policy, as a 43 "Inconsistent encryption context (parent directory: %lu)", in fscrypt_file_open() 120 * filesystems that handle filename encryption and no-key name encoding 122 * fscrypt_prepare_lookup(), this will try to set up the directory's encryption 126 * Return: 0 on success; -errno on error. Note that the encryption key being 128 * the encryption policy is unsupported by this kernel; that is treated [all …]
|
D | keysetup.c | 3 * Key setup facility for FS encryption support. 93 …WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryp… in select_encryption_mode() 98 /* Create a symmetric cipher object for the given encryption mode and key */ 146 * raw key, encryption mode (@ci->ci_mode), flag indicating which encryption 180 /* Given a per-file encryption key, set up the file's crypto transform object */ 340 * DIRECT_KEY: instead of deriving per-file encryption keys, the in fscrypt_setup_v2_file_key() 344 * encryption key. This ensures that the master key is in fscrypt_setup_v2_file_key() 352 * IV_INO_LBLK_64: encryption keys are derived from (master_key, in fscrypt_setup_v2_file_key() 355 * encryption hardware compliant with the UFS standard. in fscrypt_setup_v2_file_key() 391 * encryption settings which a particular file will use (@ci). [all …]
|
/Linux-v6.6/Documentation/admin-guide/device-mapper/ |
D | dm-crypt.rst | 5 Device-Mapper's "crypt" target provides transparent encryption of block devices 17 Encryption cipher, encryption mode and Initial Vector (IV) generator. 52 Key used for encryption. It is encoded either as a hexadecimal number 66 The encryption key size in bytes. The kernel key payload size must match 112 Perform encryption using the same cpu that IO was submitted on. 113 The default is to use an unbound workqueue so that encryption work 117 Disable offloading writes to a separate thread after encryption. 119 encryption threads to a single thread degrades performance 139 For Authenticated Encryption with Additional Data (AEAD) 145 Use <bytes> as the encryption unit instead of 512 bytes sectors. [all …]
|
/Linux-v6.6/drivers/crypto/ |
D | sa2ul.h | 72 #define SA_ENG_ID_EM2 3 /* Encryption/Decryption enginefor pass 2 */ 113 #define SA_CTX_ENC_TYPE1_SZ 64 /* Encryption SC with Key only */ 114 #define SA_CTX_ENC_TYPE2_SZ 96 /* Encryption SC with Key and Aux1 */ 126 * Bit 2-3: Fetch Encryption/Air Ciphering Bytes 231 * @submode: Encryption submodes 232 * @enc_size: Size of first pass encryption size 233 * @enc_size2: Size of second pass encryption size 234 * @enc_offset: Encryption payload offset in the packet 235 * @enc_iv: Encryption initialization vector for pass2 236 * @enc_iv2: Encryption initialization vector for pass2 [all …]
|
/Linux-v6.6/crypto/ |
D | Kconfig | 325 Published by State Encryption Management Bureau, China, 345 tristate "AES (Advanced Encryption Standard)" 363 tristate "AES (Advanced Encryption Standard) (fixed time)" 373 solely on encryption (although decryption is supported as well, but 376 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 403 ARIA is a standard encryption algorithm of the Republic of Korea. 462 CAST6 (CAST-256) encryption algorithm (RFC2612) 469 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and 505 national standard encryption algorithm of the Republic of Korea. 557 TEA (Tiny Encryption Algorithm) cipher algorithms [all …]
|
/Linux-v6.6/net/sunrpc/ |
D | Kconfig | 45 Choose Y to enable the use of Kerberos 5 encryption types 46 that utilize Advanced Encryption Standard (AES) ciphers and 51 bool "Enable Kerberos encryption types based on Camellia and CMAC" 57 Choose Y to enable the use of Kerberos 5 encryption types 70 Choose Y to enable the use of Kerberos 5 encryption types 71 that utilize Advanced Encryption Standard (AES) ciphers and
|
/Linux-v6.6/Documentation/crypto/ |
D | descore-readme.rst | 5 Fast & Portable DES encryption & decryption 15 des - fast & portable DES encryption & decryption. 41 1. Highest possible encryption/decryption PERFORMANCE. 62 - 30us per encryption (options: 64k tables, no IP/FP) 63 - 33us per encryption (options: 64k tables, FIPS standard bit ordering) 64 - 45us per encryption (options: 2k tables, no IP/FP) 65 - 48us per encryption (options: 2k tables, FIPS standard bit ordering) 68 this has the quickest encryption/decryption routines i've seen. 80 - 53us per encryption (uses 2k of tables) 85 encryption/decryption is still slower on the sparc and 68000. [all …]
|
/Linux-v6.6/Documentation/virt/kvm/x86/ |
D | amd-memory-encryption.rst | 31 Bit[23] 1 = memory encryption can be enabled 32 0 = memory encryption can not be enabled 35 Bit[0] 1 = memory encryption can be enabled 36 0 = memory encryption can not be enabled 45 SEV hardware uses ASIDs to associate a memory encryption key with a VM. 100 The KVM_SEV_LAUNCH_START command is used for creating the memory encryption 101 context. To create the encryption context, user must provide a guest policy, 304 outgoing guest encryption context. 335 outgoing guest memory region with the encryption context creating using 363 issued by the hypervisor to delete the encryption context. [all …]
|
/Linux-v6.6/include/crypto/ |
D | aead.h | 3 * AEAD: Authenticated Encryption with Associated Data 18 * DOC: Authenticated Encryption With Associated Data (AEAD) Cipher API 23 * The most prominent examples for this type of encryption is GCM and CCM. 35 * associated data memory location before performing the encryption or 50 * during encryption (resp. decryption). The authentication tag is generated 51 * during the encryption operation and appended to the ciphertext. During 55 * In-place encryption/decryption is enabled by using the same scatterlist 131 * during encryption or the size of the authentication tag to be 283 * data returned by the encryption or decryption operation 357 * IMPORTANT NOTE The encryption operation creates the authentication data / [all …]
|
/Linux-v6.6/block/ |
D | Kconfig | 195 bool "Enable inline encryption support in block layer" 198 block layer handle encryption, so users can take 199 advantage of inline encryption hardware if present. 207 Enabling this lets the block layer handle inline encryption 209 encryption hardware is not present.
|
/Linux-v6.6/arch/s390/include/uapi/asm/ |
D | tape390.h | 4 * enables user programs to display messages and control encryption 40 * Tape encryption support 68 * The TAPE390_CRYPT_SET ioctl is used to switch on/off encryption. 74 * The TAPE390_CRYPT_QUERY ioctl is used to query the encryption state.
|