Document the F2FS encrypted_inline_data feature, including the on-disk feature requirement, the CONFIG_F2FS_FS_ENCRYPTED_INLINE_DATA dependency, how inline payloads are encrypted and decrypted, and the truncate behavior.
Also document the supported key combinations. Files using filesystem-layer encryption reuse the normal software transform. Raw-key inlinecrypt is supported only for per-mode policies, while per-file inlinecrypt keys and hardware-wrapped keys are not supported for encrypted inline data. List encrypted_inline_data in the supported F2FS feature sysfs documentation. Signed-off-by: LiaoYuanhong-vivo <[email protected]> --- Changes in v2: - Document raw-key inlinecrypt support as limited to per-mode policies. - Document unsupported per-file inlinecrypt and hardware-wrapped key cases. - Clarify when fscrypt prepares the software transform for inline payloads. Documentation/ABI/testing/sysfs-fs-f2fs | 5 ++-- Documentation/filesystems/f2fs.rst | 34 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs index 27d5e88facbe..dad483fb2fc1 100644 --- a/Documentation/ABI/testing/sysfs-fs-f2fs +++ b/Documentation/ABI/testing/sysfs-fs-f2fs @@ -258,7 +258,8 @@ Description: Expand /sys/fs/f2fs/<disk>/features to meet sysfs rule. encryption, block_zoned (aka blkzoned), extra_attr, project_quota (aka projquota), inode_checksum, flexible_inline_xattr, quota_ino, inode_crtime, lost_found, - verity, sb_checksum, casefold, readonly, compression. + verity, sb_checksum, casefold, readonly, compression, + encrypted_inline_data. Note that, pin_file is moved into /sys/fs/f2fs/features/. What: /sys/fs/f2fs/features/ @@ -271,7 +272,7 @@ Description: Shows all enabled kernel features. inode_crtime, lost_found, verity, sb_checksum, casefold, readonly, compression, test_dummy_encryption_v2, atomic_write, pin_file, encrypted_casefold, linear_lookup, - fserror. + fserror, encrypted_inline_data. What: /sys/fs/f2fs/<disk>/inject_rate Date: May 2016 diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst index 5bc37a1c4e51..feffad89db01 100644 
--- a/Documentation/filesystems/f2fs.rst +++ b/Documentation/filesystems/f2fs.rst 
@@ -420,6 +420,40 @@ lookup_mode=%s Control the directory lookup behavior for casefolded ================== ======================================== ======================== ============================================================ +Encrypted inline data +===================== + +F2FS normally disables inline data for encrypted regular files, since inline +data is stored inside the inode block and does not pass through the regular +block I/O path. When a filesystem is formatted with the encrypted_inline_data +feature, encrypted regular files may keep small file contents in the inode +block. The inline payload is encrypted with fscrypt contents-key semantics +before it is written to the inode, and it is decrypted back to page-cache +plaintext when it is read. + +This feature requires the encrypt feature on disk and kernel support for +CONFIG_F2FS_FS_ENCRYPTED_INLINE_DATA. It is intended to be used together with +the inline_data mount option. Files using filesystem-layer encryption reuse the +normal software contents-key transform. When the normal encrypted file +contents path uses blk-crypto with a raw per-mode key, fscrypt can prepare a +software contents-key transform when the filesystem-managed inline payload is +read or written. +Per-file inlinecrypt keys are not supported for encrypted inline data, to avoid +per-file software transform memory growth. Hardware-wrapped keys are not +supported for encrypted inline data, so F2FS does not create encrypted inline +payloads for such files and existing unsupported inline payloads fail rather +than being interpreted with the wrong key. + +Encrypted inline data is stored in fscrypt contents-aligned units. Therefore, +the maximum plaintext size that can stay inline may be slightly smaller than the +ordinary inline data capacity. If an encrypted inline-data file is truncated +from a non-zero offset, F2FS first converts the inline payload to normal data +blocks and then applies the truncate operation. 
+ +Recovery copies inline payloads as on-disk bytes. Encryption and decryption are +performed only when moving data between the inode inline area and page-cache +plaintext. + Debugfs Entries =============== -- 2.34.1 _______________________________________________ Linux-f2fs-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
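Review bot: in the /sys/fs/f2fs/features/ hunk (@@ -271), encrypted_inline_data is added to the list of "enabled kernel features" without noting that, per the commit message, the kernel side depends on CONFIG_F2FS_FS_ENCRYPTED_INLINE_DATA; since this file is what an administrator reads to see what the running kernel supports, add a short clause that the entry only appears when that option is built in, so its absence is read as a configuration choice rather than a regression.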
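Review bot: in the f2fs.rst hunk, "fscrypt can prepare a software contents-key transform when the filesystem-managed inline payload is read or written" leaves the reader unsure whether this always happens; the v2 changelog says the goal was to clarify exactly when fscrypt prepares the transform, so state it definitely (whichever of "always for such files" or "on first inline read or write" is the real behaviour). The same sentence should also spell out the consequence, because it is the security-relevant part of the feature: with raw-key inlinecrypt, the raw per-mode key is additionally used by a software cipher in the kernel for inline payloads, rather than only by the blk-crypto path as for block-sized contents, which is exactly why per-file inlinecrypt keys and hardware-wrapped keys are excluded. Two smaller documentation gaps in the same hunk: "existing unsupported inline payloads fail rather than being interpreted with the wrong key" should name the error returned to userspace, and "may be slightly smaller than the ordinary inline data capacity" should give the actual limit or the alignment unit so users can predict which files will stay inline.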
