Commit | Line | Data |
---|---|---|
3fda4c61 EB |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
7bf765dd | 3 | * Ioctl to enable verity on a file |
3fda4c61 EB |
4 | * |
5 | * Copyright 2019 Google LLC | |
6 | */ | |
7 | ||
8 | #include "fsverity_private.h" | |
9 | ||
3fda4c61 | 10 | #include <linux/mount.h> |
3fda4c61 EB |
11 | #include <linux/sched/signal.h> |
12 | #include <linux/uaccess.h> | |
13 | ||
56124d6c EB |
14 | struct block_buffer { |
15 | u32 filled; | |
16 | u8 *data; | |
17 | }; | |
c22415d3 | 18 | |
56124d6c EB |
19 | /* Hash a block, writing the result to the next level's pending block buffer. */ |
20 | static int hash_one_block(struct inode *inode, | |
21 | const struct merkle_tree_params *params, | |
22 | struct ahash_request *req, struct block_buffer *cur) | |
3fda4c61 | 23 | { |
56124d6c | 24 | struct block_buffer *next = cur + 1; |
3fda4c61 EB |
25 | int err; |
26 | ||
56124d6c EB |
27 | /* Zero-pad the block if it's shorter than the block size. */ |
28 | memset(&cur->data[cur->filled], 0, params->block_size - cur->filled); | |
3fda4c61 | 29 | |
56124d6c EB |
30 | err = fsverity_hash_block(params, inode, req, virt_to_page(cur->data), |
31 | offset_in_page(cur->data), | |
32 | &next->data[next->filled]); | |
33 | if (err) | |
34 | return err; | |
35 | next->filled += params->digest_size; | |
36 | cur->filled = 0; | |
37 | return 0; | |
38 | } | |
3fda4c61 | 39 | |
56124d6c EB |
40 | static int write_merkle_tree_block(struct inode *inode, const u8 *buf, |
41 | unsigned long index, | |
42 | const struct merkle_tree_params *params) | |
43 | { | |
44 | u64 pos = (u64)index << params->log_blocksize; | |
45 | int err; | |
3fda4c61 | 46 | |
56124d6c EB |
47 | err = inode->i_sb->s_vop->write_merkle_tree_block(inode, buf, pos, |
48 | params->block_size); | |
49 | if (err) | |
50 | fsverity_err(inode, "Error %d writing Merkle tree block %lu", | |
51 | err, index); | |
52 | return err; | |
3fda4c61 EB |
53 | } |
54 | ||
55 | /* | |
c22415d3 | 56 | * Build the Merkle tree for the given file using the given parameters, and |
3fda4c61 EB |
57 | * return the root hash in @root_hash. |
58 | * | |
59 | * The tree is written to a filesystem-specific location as determined by the | |
60 | * ->write_merkle_tree_block() method. However, the blocks that comprise the | |
61 | * tree are the same for all filesystems. | |
62 | */ | |
c22415d3 | 63 | static int build_merkle_tree(struct file *filp, |
3fda4c61 EB |
64 | const struct merkle_tree_params *params, |
65 | u8 *root_hash) | |
66 | { | |
c22415d3 | 67 | struct inode *inode = file_inode(filp); |
56124d6c EB |
68 | const u64 data_size = inode->i_size; |
69 | const int num_levels = params->num_levels; | |
3fda4c61 | 70 | struct ahash_request *req; |
56124d6c EB |
71 | struct block_buffer _buffers[1 + FS_VERITY_MAX_LEVELS + 1] = {}; |
72 | struct block_buffer *buffers = &_buffers[1]; | |
73 | unsigned long level_offset[FS_VERITY_MAX_LEVELS]; | |
74 | int level; | |
75 | u64 offset; | |
76 | int err; | |
3fda4c61 | 77 | |
56124d6c | 78 | if (data_size == 0) { |
3fda4c61 EB |
79 | /* Empty file is a special case; root hash is all 0's */ |
80 | memset(root_hash, 0, params->digest_size); | |
81 | return 0; | |
82 | } | |
83 | ||
439bea10 EB |
84 | /* This allocation never fails, since it's mempool-backed. */ |
85 | req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL); | |
86 | ||
3fda4c61 | 87 | /* |
56124d6c EB |
88 | * Allocate the block buffers. Buffer "-1" is for data blocks. |
89 | * Buffers 0 <= level < num_levels are for the actual tree levels. | |
90 | * Buffer 'num_levels' is for the root hash. | |
3fda4c61 | 91 | */ |
56124d6c EB |
92 | for (level = -1; level < num_levels; level++) { |
93 | buffers[level].data = kzalloc(params->block_size, GFP_KERNEL); | |
94 | if (!buffers[level].data) { | |
95 | err = -ENOMEM; | |
96 | goto out; | |
97 | } | |
98 | } | |
99 | buffers[num_levels].data = root_hash; | |
100 | ||
101 | BUILD_BUG_ON(sizeof(level_offset) != sizeof(params->level_start)); | |
102 | memcpy(level_offset, params->level_start, sizeof(level_offset)); | |
103 | ||
104 | /* Hash each data block, also hashing the tree blocks as they fill up */ | |
105 | for (offset = 0; offset < data_size; offset += params->block_size) { | |
106 | ssize_t bytes_read; | |
107 | loff_t pos = offset; | |
108 | ||
109 | buffers[-1].filled = min_t(u64, params->block_size, | |
110 | data_size - offset); | |
111 | bytes_read = __kernel_read(filp, buffers[-1].data, | |
112 | buffers[-1].filled, &pos); | |
113 | if (bytes_read < 0) { | |
114 | err = bytes_read; | |
115 | fsverity_err(inode, "Error %d reading file data", err); | |
116 | goto out; | |
117 | } | |
118 | if (bytes_read != buffers[-1].filled) { | |
119 | err = -EINVAL; | |
120 | fsverity_err(inode, "Short read of file data"); | |
121 | goto out; | |
122 | } | |
123 | err = hash_one_block(inode, params, req, &buffers[-1]); | |
3fda4c61 EB |
124 | if (err) |
125 | goto out; | |
56124d6c EB |
126 | for (level = 0; level < num_levels; level++) { |
127 | if (buffers[level].filled + params->digest_size <= | |
128 | params->block_size) { | |
129 | /* Next block at @level isn't full yet */ | |
130 | break; | |
131 | } | |
132 | /* Next block at @level is full */ | |
133 | ||
134 | err = hash_one_block(inode, params, req, | |
135 | &buffers[level]); | |
136 | if (err) | |
137 | goto out; | |
138 | err = write_merkle_tree_block(inode, | |
139 | buffers[level].data, | |
140 | level_offset[level], | |
141 | params); | |
142 | if (err) | |
143 | goto out; | |
144 | level_offset[level]++; | |
145 | } | |
146 | if (fatal_signal_pending(current)) { | |
147 | err = -EINTR; | |
148 | goto out; | |
149 | } | |
150 | cond_resched(); | |
151 | } | |
152 | /* Finish all nonempty pending tree blocks. */ | |
153 | for (level = 0; level < num_levels; level++) { | |
154 | if (buffers[level].filled != 0) { | |
155 | err = hash_one_block(inode, params, req, | |
156 | &buffers[level]); | |
157 | if (err) | |
158 | goto out; | |
159 | err = write_merkle_tree_block(inode, | |
160 | buffers[level].data, | |
161 | level_offset[level], | |
162 | params); | |
163 | if (err) | |
164 | goto out; | |
165 | } | |
166 | } | |
167 | /* The root hash was filled by the last call to hash_one_block(). */ | |
168 | if (WARN_ON(buffers[num_levels].filled != params->digest_size)) { | |
169 | err = -EINVAL; | |
170 | goto out; | |
3fda4c61 | 171 | } |
3fda4c61 EB |
172 | err = 0; |
173 | out: | |
56124d6c EB |
174 | for (level = -1; level < num_levels; level++) |
175 | kfree(buffers[level].data); | |
439bea10 | 176 | fsverity_free_hash_request(params->hash_alg, req); |
3fda4c61 EB |
177 | return err; |
178 | } | |
179 | ||
180 | static int enable_verity(struct file *filp, | |
181 | const struct fsverity_enable_arg *arg) | |
182 | { | |
183 | struct inode *inode = file_inode(filp); | |
184 | const struct fsverity_operations *vops = inode->i_sb->s_vop; | |
185 | struct merkle_tree_params params = { }; | |
186 | struct fsverity_descriptor *desc; | |
e6af1bb0 | 187 | size_t desc_size = struct_size(desc, signature, arg->sig_size); |
3fda4c61 EB |
188 | struct fsverity_info *vi; |
189 | int err; | |
190 | ||
191 | /* Start initializing the fsverity_descriptor */ | |
192 | desc = kzalloc(desc_size, GFP_KERNEL); | |
193 | if (!desc) | |
194 | return -ENOMEM; | |
195 | desc->version = 1; | |
196 | desc->hash_algorithm = arg->hash_algorithm; | |
197 | desc->log_blocksize = ilog2(arg->block_size); | |
198 | ||
199 | /* Get the salt if the user provided one */ | |
200 | if (arg->salt_size && | |
da3a3da4 | 201 | copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr), |
3fda4c61 EB |
202 | arg->salt_size)) { |
203 | err = -EFAULT; | |
204 | goto out; | |
205 | } | |
206 | desc->salt_size = arg->salt_size; | |
207 | ||
432434c9 EB |
208 | /* Get the signature if the user provided one */ |
209 | if (arg->sig_size && | |
da3a3da4 | 210 | copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr), |
432434c9 EB |
211 | arg->sig_size)) { |
212 | err = -EFAULT; | |
213 | goto out; | |
214 | } | |
215 | desc->sig_size = cpu_to_le32(arg->sig_size); | |
216 | ||
3fda4c61 EB |
217 | desc->data_size = cpu_to_le64(inode->i_size); |
218 | ||
219 | /* Prepare the Merkle tree parameters */ | |
220 | err = fsverity_init_merkle_tree_params(¶ms, inode, | |
221 | arg->hash_algorithm, | |
222 | desc->log_blocksize, | |
223 | desc->salt, desc->salt_size); | |
224 | if (err) | |
225 | goto out; | |
226 | ||
227 | /* | |
228 | * Start enabling verity on this file, serialized by the inode lock. | |
229 | * Fail if verity is already enabled or is already being enabled. | |
230 | */ | |
231 | inode_lock(inode); | |
232 | if (IS_VERITY(inode)) | |
233 | err = -EEXIST; | |
234 | else | |
235 | err = vops->begin_enable_verity(filp); | |
236 | inode_unlock(inode); | |
237 | if (err) | |
238 | goto out; | |
239 | ||
240 | /* | |
241 | * Build the Merkle tree. Don't hold the inode lock during this, since | |
242 | * on huge files this may take a very long time and we don't want to | |
243 | * force unrelated syscalls like chown() to block forever. We don't | |
244 | * need the inode lock here because deny_write_access() already prevents | |
245 | * the file from being written to or truncated, and we still serialize | |
246 | * ->begin_enable_verity() and ->end_enable_verity() using the inode | |
247 | * lock and only allow one process to be here at a time on a given file. | |
248 | */ | |
3fda4c61 | 249 | BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); |
c22415d3 | 250 | err = build_merkle_tree(filp, ¶ms, desc->root_hash); |
3fda4c61 EB |
251 | if (err) { |
252 | fsverity_err(inode, "Error %d building Merkle tree", err); | |
253 | goto rollback; | |
254 | } | |
3fda4c61 EB |
255 | |
256 | /* | |
257 | * Create the fsverity_info. Don't bother trying to save work by | |
258 | * reusing the merkle_tree_params from above. Instead, just create the | |
259 | * fsverity_info from the fsverity_descriptor as if it were just loaded | |
260 | * from disk. This is simpler, and it serves as an extra check that the | |
261 | * metadata we're writing is valid before actually enabling verity. | |
262 | */ | |
b0487ede | 263 | vi = fsverity_create_info(inode, desc); |
3fda4c61 EB |
264 | if (IS_ERR(vi)) { |
265 | err = PTR_ERR(vi); | |
266 | goto rollback; | |
267 | } | |
268 | ||
269 | /* | |
270 | * Tell the filesystem to finish enabling verity on the file. | |
271 | * Serialized with ->begin_enable_verity() by the inode lock. | |
272 | */ | |
273 | inode_lock(inode); | |
274 | err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); | |
275 | inode_unlock(inode); | |
276 | if (err) { | |
277 | fsverity_err(inode, "%ps() failed with err %d", | |
278 | vops->end_enable_verity, err); | |
279 | fsverity_free_info(vi); | |
280 | } else if (WARN_ON(!IS_VERITY(inode))) { | |
281 | err = -EINVAL; | |
282 | fsverity_free_info(vi); | |
283 | } else { | |
284 | /* Successfully enabled verity */ | |
285 | ||
286 | /* | |
287 | * Readers can start using ->i_verity_info immediately, so it | |
288 | * can't be rolled back once set. So don't set it until just | |
289 | * after the filesystem has successfully enabled verity. | |
290 | */ | |
291 | fsverity_set_info(inode, vi); | |
292 | } | |
293 | out: | |
294 | kfree(params.hashstate); | |
295 | kfree(desc); | |
296 | return err; | |
297 | ||
298 | rollback: | |
299 | inode_lock(inode); | |
300 | (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); | |
301 | inode_unlock(inode); | |
302 | goto out; | |
303 | } | |
304 | ||
305 | /** | |
306 | * fsverity_ioctl_enable() - enable verity on a file | |
6377a38b EB |
307 | * @filp: file to enable verity on |
308 | * @uarg: user pointer to fsverity_enable_arg | |
3fda4c61 EB |
309 | * |
310 | * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of | |
311 | * Documentation/filesystems/fsverity.rst for the documentation. | |
312 | * | |
313 | * Return: 0 on success, -errno on failure | |
314 | */ | |
315 | int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) | |
316 | { | |
317 | struct inode *inode = file_inode(filp); | |
318 | struct fsverity_enable_arg arg; | |
319 | int err; | |
320 | ||
321 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
322 | return -EFAULT; | |
323 | ||
324 | if (arg.version != 1) | |
325 | return -EINVAL; | |
326 | ||
327 | if (arg.__reserved1 || | |
328 | memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) | |
329 | return -EINVAL; | |
330 | ||
56124d6c | 331 | if (!is_power_of_2(arg.block_size)) |
3fda4c61 EB |
332 | return -EINVAL; |
333 | ||
c593642c | 334 | if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) |
3fda4c61 EB |
335 | return -EMSGSIZE; |
336 | ||
432434c9 EB |
337 | if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) |
338 | return -EMSGSIZE; | |
3fda4c61 EB |
339 | |
340 | /* | |
341 | * Require a regular file with write access. But the actual fd must | |
342 | * still be readonly so that we can lock out all writers. This is | |
343 | * needed to guarantee that no writable fds exist to the file once it | |
344 | * has verity enabled, and to stabilize the data being hashed. | |
345 | */ | |
346 | ||
02f92b38 | 347 | err = file_permission(filp, MAY_WRITE); |
3fda4c61 EB |
348 | if (err) |
349 | return err; | |
350 | ||
351 | if (IS_APPEND(inode)) | |
352 | return -EPERM; | |
353 | ||
354 | if (S_ISDIR(inode->i_mode)) | |
355 | return -EISDIR; | |
356 | ||
357 | if (!S_ISREG(inode->i_mode)) | |
358 | return -EINVAL; | |
359 | ||
360 | err = mnt_want_write_file(filp); | |
361 | if (err) /* -EROFS */ | |
362 | return err; | |
363 | ||
364 | err = deny_write_access(filp); | |
365 | if (err) /* -ETXTBSY */ | |
366 | goto out_drop_write; | |
367 | ||
368 | err = enable_verity(filp, &arg); | |
3fda4c61 EB |
369 | |
370 | /* | |
a075bacd EB |
371 | * We no longer drop the inode's pagecache after enabling verity. This |
372 | * used to be done to try to avoid a race condition where pages could be | |
373 | * evicted after being used in the Merkle tree construction, then | |
374 | * re-instantiated by a concurrent read. Such pages are unverified, and | |
375 | * the backing storage could have filled them with different content, so | |
376 | * they shouldn't be used to fulfill reads once verity is enabled. | |
377 | * | |
378 | * But, dropping the pagecache has a big performance impact, and it | |
379 | * doesn't fully solve the race condition anyway. So for those reasons, | |
380 | * and also because this race condition isn't very important relatively | |
381 | * speaking (especially for small-ish files, where the chance of a page | |
382 | * being used, evicted, *and* re-instantiated all while enabling verity | |
383 | * is quite small), we no longer drop the inode's pagecache. | |
3fda4c61 | 384 | */ |
3fda4c61 EB |
385 | |
386 | /* | |
387 | * allow_write_access() is needed to pair with deny_write_access(). | |
388 | * Regardless, the filesystem won't allow writing to verity files. | |
389 | */ | |
3fda4c61 EB |
390 | allow_write_access(filp); |
391 | out_drop_write: | |
392 | mnt_drop_write_file(filp); | |
393 | return err; | |
394 | } | |
395 | EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); |