[linux-block.git] / fs / verity / enable.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Ioctl to enable verity on a file
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <linux/mount.h>
#include <linux/sched/signal.h>
#include <linux/uaccess.h>

struct block_buffer {
	u32 filled;
	u8 *data;
};

/* Hash a block, writing the result to the next level's pending block buffer. */
static int hash_one_block(struct inode *inode,
			  const struct merkle_tree_params *params,
			  struct ahash_request *req, struct block_buffer *cur)
{
	struct block_buffer *next = cur + 1;
	int err;

	/* Zero-pad the block if it's shorter than the block size. */
	memset(&cur->data[cur->filled], 0, params->block_size - cur->filled);

	err = fsverity_hash_block(params, inode, req, virt_to_page(cur->data),
				  offset_in_page(cur->data),
				  &next->data[next->filled]);
	if (err)
		return err;
	next->filled += params->digest_size;
	cur->filled = 0;
	return 0;
}

static int write_merkle_tree_block(struct inode *inode, const u8 *buf,
				   unsigned long index,
				   const struct merkle_tree_params *params)
{
	u64 pos = (u64)index << params->log_blocksize;
	int err;

	err = inode->i_sb->s_vop->write_merkle_tree_block(inode, buf, pos,
							  params->block_size);
	if (err)
		fsverity_err(inode, "Error %d writing Merkle tree block %lu",
			     err, index);
	return err;
}

/*
 * Build the Merkle tree for the given file using the given parameters, and
 * return the root hash in @root_hash.
 *
 * The tree is written to a filesystem-specific location as determined by the
 * ->write_merkle_tree_block() method.  However, the blocks that comprise the
 * tree are the same for all filesystems.
 */
static int build_merkle_tree(struct file *filp,
			     const struct merkle_tree_params *params,
			     u8 *root_hash)
{
	struct inode *inode = file_inode(filp);
	const u64 data_size = inode->i_size;
	const int num_levels = params->num_levels;
	struct ahash_request *req;
	struct block_buffer _buffers[1 + FS_VERITY_MAX_LEVELS + 1] = {};
	struct block_buffer *buffers = &_buffers[1];
	unsigned long level_offset[FS_VERITY_MAX_LEVELS];
	int level;
	u64 offset;
	int err;

	if (data_size == 0) {
		/* Empty file is a special case; root hash is all 0's */
		memset(root_hash, 0, params->digest_size);
		return 0;
	}

	/* This allocation never fails, since it's mempool-backed. */
	req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL);

	/*
	 * Allocate the block buffers.  Buffer "-1" is for data blocks.
	 * Buffers 0 <= level < num_levels are for the actual tree levels.
	 * Buffer 'num_levels' is for the root hash.
	 */
	for (level = -1; level < num_levels; level++) {
		buffers[level].data = kzalloc(params->block_size, GFP_KERNEL);
		if (!buffers[level].data) {
			err = -ENOMEM;
			goto out;
		}
	}
	buffers[num_levels].data = root_hash;

	BUILD_BUG_ON(sizeof(level_offset) != sizeof(params->level_start));
	memcpy(level_offset, params->level_start, sizeof(level_offset));

	/* Hash each data block, also hashing the tree blocks as they fill up */
	for (offset = 0; offset < data_size; offset += params->block_size) {
		ssize_t bytes_read;
		loff_t pos = offset;

		buffers[-1].filled = min_t(u64, params->block_size,
					   data_size - offset);
		bytes_read = __kernel_read(filp, buffers[-1].data,
					   buffers[-1].filled, &pos);
		if (bytes_read < 0) {
			err = bytes_read;
			fsverity_err(inode, "Error %d reading file data", err);
			goto out;
		}
		if (bytes_read != buffers[-1].filled) {
			err = -EINVAL;
			fsverity_err(inode, "Short read of file data");
			goto out;
		}
		err = hash_one_block(inode, params, req, &buffers[-1]);
		if (err)
			goto out;
		for (level = 0; level < num_levels; level++) {
			if (buffers[level].filled + params->digest_size <=
			    params->block_size) {
				/* Next block at @level isn't full yet */
				break;
			}
			/* Next block at @level is full */

			err = hash_one_block(inode, params, req,
					     &buffers[level]);
			if (err)
				goto out;
			err = write_merkle_tree_block(inode,
						      buffers[level].data,
						      level_offset[level],
						      params);
			if (err)
				goto out;
			level_offset[level]++;
		}
		if (fatal_signal_pending(current)) {
			err = -EINTR;
			goto out;
		}
		cond_resched();
	}
	/* Finish all nonempty pending tree blocks. */
	for (level = 0; level < num_levels; level++) {
		if (buffers[level].filled != 0) {
			err = hash_one_block(inode, params, req,
					     &buffers[level]);
			if (err)
				goto out;
			err = write_merkle_tree_block(inode,
						      buffers[level].data,
						      level_offset[level],
						      params);
			if (err)
				goto out;
		}
	}
	/* The root hash was filled by the last call to hash_one_block(). */
	if (WARN_ON(buffers[num_levels].filled != params->digest_size)) {
		err = -EINVAL;
		goto out;
	}
	err = 0;
out:
	for (level = -1; level < num_levels; level++)
		kfree(buffers[level].data);
	fsverity_free_hash_request(params->hash_alg, req);
	return err;
}

static int enable_verity(struct file *filp,
			 const struct fsverity_enable_arg *arg)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	struct merkle_tree_params params = { };
	struct fsverity_descriptor *desc;
	size_t desc_size = struct_size(desc, signature, arg->sig_size);
	struct fsverity_info *vi;
	int err;

	/* Start initializing the fsverity_descriptor */
	desc = kzalloc(desc_size, GFP_KERNEL);
	if (!desc)
		return -ENOMEM;
	desc->version = 1;
	desc->hash_algorithm = arg->hash_algorithm;
	desc->log_blocksize = ilog2(arg->block_size);

	/* Get the salt if the user provided one */
	if (arg->salt_size &&
	    copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr),
			   arg->salt_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->salt_size = arg->salt_size;

	/* Get the signature if the user provided one */
	if (arg->sig_size &&
	    copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr),
			   arg->sig_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->sig_size = cpu_to_le32(arg->sig_size);

	desc->data_size = cpu_to_le64(inode->i_size);

	/* Prepare the Merkle tree parameters */
	err = fsverity_init_merkle_tree_params(&params, inode,
					       arg->hash_algorithm,
					       desc->log_blocksize,
					       desc->salt, desc->salt_size);
	if (err)
		goto out;

	/*
	 * Start enabling verity on this file, serialized by the inode lock.
	 * Fail if verity is already enabled or is already being enabled.
	 */
	inode_lock(inode);
	if (IS_VERITY(inode))
		err = -EEXIST;
	else
		err = vops->begin_enable_verity(filp);
	inode_unlock(inode);
	if (err)
		goto out;

	/*
	 * Build the Merkle tree.  Don't hold the inode lock during this, since
	 * on huge files this may take a very long time and we don't want to
	 * force unrelated syscalls like chown() to block forever.  We don't
	 * need the inode lock here because deny_write_access() already prevents
	 * the file from being written to or truncated, and we still serialize
	 * ->begin_enable_verity() and ->end_enable_verity() using the inode
	 * lock and only allow one process to be here at a time on a given file.
	 */
	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
	err = build_merkle_tree(filp, &params, desc->root_hash);
	if (err) {
		fsverity_err(inode, "Error %d building Merkle tree", err);
		goto rollback;
	}

	/*
	 * Create the fsverity_info.  Don't bother trying to save work by
	 * reusing the merkle_tree_params from above.  Instead, just create the
	 * fsverity_info from the fsverity_descriptor as if it were just loaded
	 * from disk.  This is simpler, and it serves as an extra check that the
	 * metadata we're writing is valid before actually enabling verity.
	 */
	vi = fsverity_create_info(inode, desc);
	if (IS_ERR(vi)) {
		err = PTR_ERR(vi);
		goto rollback;
	}

	/*
	 * Tell the filesystem to finish enabling verity on the file.
	 * Serialized with ->begin_enable_verity() by the inode lock.
	 */
	inode_lock(inode);
	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
	inode_unlock(inode);
	if (err) {
		fsverity_err(inode, "%ps() failed with err %d",
			     vops->end_enable_verity, err);
		fsverity_free_info(vi);
	} else if (WARN_ON(!IS_VERITY(inode))) {
		err = -EINVAL;
		fsverity_free_info(vi);
	} else {
		/* Successfully enabled verity */

		/*
		 * Readers can start using ->i_verity_info immediately, so it
		 * can't be rolled back once set.  So don't set it until just
		 * after the filesystem has successfully enabled verity.
		 */
		fsverity_set_info(inode, vi);
	}
out:
	kfree(params.hashstate);
	kfree(desc);
	return err;

rollback:
	inode_lock(inode);
	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
	inode_unlock(inode);
	goto out;
}

/**
 * fsverity_ioctl_enable() - enable verity on a file
 * @filp: file to enable verity on
 * @uarg: user pointer to fsverity_enable_arg
 *
 * Enable fs-verity on a file.  See the "FS_IOC_ENABLE_VERITY" section of
 * Documentation/filesystems/fsverity.rst for the documentation.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
{
	struct inode *inode = file_inode(filp);
	struct fsverity_enable_arg arg;
	int err;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	if (arg.version != 1)
		return -EINVAL;

	if (arg.__reserved1 ||
	    memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
		return -EINVAL;

	if (!is_power_of_2(arg.block_size))
		return -EINVAL;

	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
		return -EMSGSIZE;

	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
		return -EMSGSIZE;

	/*
	 * Require a regular file with write access.  But the actual fd must
	 * still be readonly so that we can lock out all writers.  This is
	 * needed to guarantee that no writable fds exist to the file once it
	 * has verity enabled, and to stabilize the data being hashed.
	 */

	err = file_permission(filp, MAY_WRITE);
	if (err)
		return err;

	if (IS_APPEND(inode))
		return -EPERM;

	if (S_ISDIR(inode->i_mode))
		return -EISDIR;

	if (!S_ISREG(inode->i_mode))
		return -EINVAL;

	err = mnt_want_write_file(filp);
	if (err) /* -EROFS */
		return err;

	err = deny_write_access(filp);
	if (err) /* -ETXTBSY */
		goto out_drop_write;

	err = enable_verity(filp, &arg);

	/*
	 * We no longer drop the inode's pagecache after enabling verity.  This
	 * used to be done to try to avoid a race condition where pages could be
	 * evicted after being used in the Merkle tree construction, then
	 * re-instantiated by a concurrent read.  Such pages are unverified, and
	 * the backing storage could have filled them with different content, so
	 * they shouldn't be used to fulfill reads once verity is enabled.
	 *
	 * But, dropping the pagecache has a big performance impact, and it
	 * doesn't fully solve the race condition anyway.  So for those reasons,
	 * and also because this race condition isn't very important relatively
	 * speaking (especially for small-ish files, where the chance of a page
	 * being used, evicted, *and* re-instantiated all while enabling verity
	 * is quite small), we no longer drop the inode's pagecache.
	 */

	/*
	 * allow_write_access() is needed to pair with deny_write_access().
	 * Regardless, the filesystem won't allow writing to verity files.
	 */
	allow_write_access(filp);
out_drop_write:
	mnt_drop_write_file(filp);
	return err;
}
EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
Commit	Line	Data
3fda4c61 EB	1	// SPDX-License-Identifier: GPL-2.0
3fda4c61 EB	2	/*
7bf765dd	3	* Ioctl to enable verity on a file
3fda4c61 EB	4	*
	5	* Copyright 2019 Google LLC
	6	*/
	7
	8	#include "fsverity_private.h"
	9
3fda4c61	10	#include <linux/mount.h>
3fda4c61 EB	11	#include <linux/sched/signal.h>
	12	#include <linux/uaccess.h>
	13
56124d6c EB	14	struct block_buffer {
	15	u32 filled;
	16	u8 *data;
	17	};
c22415d3	18
56124d6c EB	19	/* Hash a block, writing the result to the next level's pending block buffer. */
	20	static int hash_one_block(struct inode *inode,
	21	const struct merkle_tree_params *params,
	22	struct ahash_request req, struct block_buffer cur)
3fda4c61	23	{
56124d6c	24	struct block_buffer *next = cur + 1;
3fda4c61 EB	25	int err;
3fda4c61 EB	26
56124d6c EB	27	/* Zero-pad the block if it's shorter than the block size. */
56124d6c EB	28	memset(&cur->data[cur->filled], 0, params->block_size - cur->filled);
3fda4c61	29
56124d6c EB	30	err = fsverity_hash_block(params, inode, req, virt_to_page(cur->data),
	31	offset_in_page(cur->data),
	32	&next->data[next->filled]);
	33	if (err)
	34	return err;
	35	next->filled += params->digest_size;
	36	cur->filled = 0;
	37	return 0;
	38	}
3fda4c61	39
56124d6c EB	40	static int write_merkle_tree_block(struct inode inode, const u8 buf,
	41	unsigned long index,
	42	const struct merkle_tree_params *params)
	43	{
	44	u64 pos = (u64)index << params->log_blocksize;
	45	int err;
3fda4c61	46
56124d6c EB	47	err = inode->i_sb->s_vop->write_merkle_tree_block(inode, buf, pos,
	48	params->block_size);
	49	if (err)
	50	fsverity_err(inode, "Error %d writing Merkle tree block %lu",
	51	err, index);
	52	return err;
3fda4c61 EB	53	}
	54
	55	/*
c22415d3	56	* Build the Merkle tree for the given file using the given parameters, and
3fda4c61 EB	57	* return the root hash in @root_hash.
	58	*
	59	* The tree is written to a filesystem-specific location as determined by the
	60	* ->write_merkle_tree_block() method. However, the blocks that comprise the
	61	* tree are the same for all filesystems.
	62	*/
c22415d3	63	static int build_merkle_tree(struct file *filp,
3fda4c61 EB	64	const struct merkle_tree_params *params,
	65	u8 *root_hash)
	66	{
c22415d3	67	struct inode *inode = file_inode(filp);
56124d6c EB	68	const u64 data_size = inode->i_size;
56124d6c EB	69	const int num_levels = params->num_levels;
3fda4c61	70	struct ahash_request *req;
56124d6c EB	71	struct block_buffer _buffers[1 + FS_VERITY_MAX_LEVELS + 1] = {};
	72	struct block_buffer *buffers = &_buffers[1];
	73	unsigned long level_offset[FS_VERITY_MAX_LEVELS];
	74	int level;
	75	u64 offset;
	76	int err;
3fda4c61	77
56124d6c	78	if (data_size == 0) {
3fda4c61 EB	79	/* Empty file is a special case; root hash is all 0's */
	80	memset(root_hash, 0, params->digest_size);
	81	return 0;
	82	}
	83
439bea10 EB	84	/* This allocation never fails, since it's mempool-backed. */
	85	req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL);
	86
3fda4c61	87	/*
56124d6c EB	88	* Allocate the block buffers. Buffer "-1" is for data blocks.
	89	* Buffers 0 <= level < num_levels are for the actual tree levels.
	90	* Buffer 'num_levels' is for the root hash.
3fda4c61	91	*/
56124d6c EB	92	for (level = -1; level < num_levels; level++) {
	93	buffers[level].data = kzalloc(params->block_size, GFP_KERNEL);
	94	if (!buffers[level].data) {
	95	err = -ENOMEM;
	96	goto out;
	97	}
	98	}
	99	buffers[num_levels].data = root_hash;
	100
	101	BUILD_BUG_ON(sizeof(level_offset) != sizeof(params->level_start));
	102	memcpy(level_offset, params->level_start, sizeof(level_offset));
	103
	104	/* Hash each data block, also hashing the tree blocks as they fill up */
	105	for (offset = 0; offset < data_size; offset += params->block_size) {
	106	ssize_t bytes_read;
	107	loff_t pos = offset;
	108
	109	buffers[-1].filled = min_t(u64, params->block_size,
	110	data_size - offset);
	111	bytes_read = __kernel_read(filp, buffers[-1].data,
	112	buffers[-1].filled, &pos);
	113	if (bytes_read < 0) {
	114	err = bytes_read;
	115	fsverity_err(inode, "Error %d reading file data", err);
	116	goto out;
	117	}
	118	if (bytes_read != buffers[-1].filled) {
	119	err = -EINVAL;
	120	fsverity_err(inode, "Short read of file data");
	121	goto out;
	122	}
	123	err = hash_one_block(inode, params, req, &buffers[-1]);
3fda4c61 EB	124	if (err)
3fda4c61 EB	125	goto out;
56124d6c EB	126	for (level = 0; level < num_levels; level++) {
	127	if (buffers[level].filled + params->digest_size <=
	128	params->block_size) {
	129	/* Next block at @level isn't full yet */
	130	break;
	131	}
	132	/* Next block at @level is full */
	133
	134	err = hash_one_block(inode, params, req,
	135	&buffers[level]);
	136	if (err)
	137	goto out;
	138	err = write_merkle_tree_block(inode,
	139	buffers[level].data,
	140	level_offset[level],
	141	params);
	142	if (err)
	143	goto out;
	144	level_offset[level]++;
	145	}
	146	if (fatal_signal_pending(current)) {
	147	err = -EINTR;
	148	goto out;
	149	}
	150	cond_resched();
	151	}
	152	/* Finish all nonempty pending tree blocks. */
	153	for (level = 0; level < num_levels; level++) {
	154	if (buffers[level].filled != 0) {
	155	err = hash_one_block(inode, params, req,
	156	&buffers[level]);
	157	if (err)
	158	goto out;
	159	err = write_merkle_tree_block(inode,
	160	buffers[level].data,
	161	level_offset[level],
	162	params);
	163	if (err)
	164	goto out;
	165	}
	166	}
	167	/* The root hash was filled by the last call to hash_one_block(). */
	168	if (WARN_ON(buffers[num_levels].filled != params->digest_size)) {
	169	err = -EINVAL;
	170	goto out;
3fda4c61	171	}
3fda4c61 EB	172	err = 0;
3fda4c61 EB	173	out:
56124d6c EB	174	for (level = -1; level < num_levels; level++)
56124d6c EB	175	kfree(buffers[level].data);
439bea10	176	fsverity_free_hash_request(params->hash_alg, req);
3fda4c61 EB	177	return err;
	178	}
	179
	180	static int enable_verity(struct file *filp,
	181	const struct fsverity_enable_arg *arg)
	182	{
	183	struct inode *inode = file_inode(filp);
	184	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	185	struct merkle_tree_params params = { };
	186	struct fsverity_descriptor *desc;
e6af1bb0	187	size_t desc_size = struct_size(desc, signature, arg->sig_size);
3fda4c61 EB	188	struct fsverity_info *vi;
	189	int err;
	190
	191	/* Start initializing the fsverity_descriptor */
	192	desc = kzalloc(desc_size, GFP_KERNEL);
	193	if (!desc)
	194	return -ENOMEM;
	195	desc->version = 1;
	196	desc->hash_algorithm = arg->hash_algorithm;
	197	desc->log_blocksize = ilog2(arg->block_size);
	198
	199	/* Get the salt if the user provided one */
	200	if (arg->salt_size &&
da3a3da4	201	copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr),
3fda4c61 EB	202	arg->salt_size)) {
	203	err = -EFAULT;
	204	goto out;
	205	}
	206	desc->salt_size = arg->salt_size;
	207
432434c9 EB	208	/* Get the signature if the user provided one */
432434c9 EB	209	if (arg->sig_size &&
da3a3da4	210	copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr),
432434c9 EB	211	arg->sig_size)) {
	212	err = -EFAULT;
	213	goto out;
	214	}
	215	desc->sig_size = cpu_to_le32(arg->sig_size);
	216
3fda4c61 EB	217	desc->data_size = cpu_to_le64(inode->i_size);
	218
	219	/* Prepare the Merkle tree parameters */
	220	err = fsverity_init_merkle_tree_params(&params, inode,
	221	arg->hash_algorithm,
	222	desc->log_blocksize,
	223	desc->salt, desc->salt_size);
	224	if (err)
	225	goto out;
	226
	227	/*
	228	* Start enabling verity on this file, serialized by the inode lock.
	229	* Fail if verity is already enabled or is already being enabled.
	230	*/
	231	inode_lock(inode);
	232	if (IS_VERITY(inode))
	233	err = -EEXIST;
	234	else
	235	err = vops->begin_enable_verity(filp);
	236	inode_unlock(inode);
	237	if (err)
	238	goto out;
	239
	240	/*
	241	* Build the Merkle tree. Don't hold the inode lock during this, since
	242	* on huge files this may take a very long time and we don't want to
	243	* force unrelated syscalls like chown() to block forever. We don't
	244	* need the inode lock here because deny_write_access() already prevents
	245	* the file from being written to or truncated, and we still serialize
	246	* ->begin_enable_verity() and ->end_enable_verity() using the inode
	247	* lock and only allow one process to be here at a time on a given file.
	248	*/
3fda4c61	249	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
c22415d3	250	err = build_merkle_tree(filp, &params, desc->root_hash);
3fda4c61 EB	251	if (err) {
	252	fsverity_err(inode, "Error %d building Merkle tree", err);
	253	goto rollback;
	254	}
3fda4c61 EB	255
	256	/*
	257	* Create the fsverity_info. Don't bother trying to save work by
	258	* reusing the merkle_tree_params from above. Instead, just create the
	259	* fsverity_info from the fsverity_descriptor as if it were just loaded
	260	* from disk. This is simpler, and it serves as an extra check that the
	261	* metadata we're writing is valid before actually enabling verity.
	262	*/
b0487ede	263	vi = fsverity_create_info(inode, desc);
3fda4c61 EB	264	if (IS_ERR(vi)) {
	265	err = PTR_ERR(vi);
	266	goto rollback;
	267	}
	268
	269	/*
	270	* Tell the filesystem to finish enabling verity on the file.
	271	* Serialized with ->begin_enable_verity() by the inode lock.
	272	*/
	273	inode_lock(inode);
	274	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
	275	inode_unlock(inode);
	276	if (err) {
	277	fsverity_err(inode, "%ps() failed with err %d",
	278	vops->end_enable_verity, err);
	279	fsverity_free_info(vi);
	280	} else if (WARN_ON(!IS_VERITY(inode))) {
	281	err = -EINVAL;
	282	fsverity_free_info(vi);
	283	} else {
	284	/* Successfully enabled verity */
	285
	286	/*
	287	* Readers can start using ->i_verity_info immediately, so it
	288	* can't be rolled back once set. So don't set it until just
	289	* after the filesystem has successfully enabled verity.
	290	*/
	291	fsverity_set_info(inode, vi);
	292	}
	293	out:
	294	kfree(params.hashstate);
	295	kfree(desc);
	296	return err;
	297
	298	rollback:
	299	inode_lock(inode);
	300	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
	301	inode_unlock(inode);
	302	goto out;
	303	}
	304
	305	/**
	306	* fsverity_ioctl_enable() - enable verity on a file
6377a38b EB	307	* @filp: file to enable verity on
6377a38b EB	308	* @uarg: user pointer to fsverity_enable_arg
3fda4c61 EB	309	*
	310	* Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of
	311	* Documentation/filesystems/fsverity.rst for the documentation.
	312	*
	313	* Return: 0 on success, -errno on failure
	314	*/
	315	int fsverity_ioctl_enable(struct file filp, const void __user uarg)
	316	{
	317	struct inode *inode = file_inode(filp);
	318	struct fsverity_enable_arg arg;
	319	int err;
	320
	321	if (copy_from_user(&arg, uarg, sizeof(arg)))
	322	return -EFAULT;
	323
	324	if (arg.version != 1)
	325	return -EINVAL;
	326
	327	if (arg.__reserved1 \|\|
	328	memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
	329	return -EINVAL;
	330
56124d6c	331	if (!is_power_of_2(arg.block_size))
3fda4c61 EB	332	return -EINVAL;
3fda4c61 EB	333
c593642c	334	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
3fda4c61 EB	335	return -EMSGSIZE;
3fda4c61 EB	336
432434c9 EB	337	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
432434c9 EB	338	return -EMSGSIZE;
3fda4c61 EB	339
	340	/*
	341	* Require a regular file with write access. But the actual fd must
	342	* still be readonly so that we can lock out all writers. This is
	343	* needed to guarantee that no writable fds exist to the file once it
	344	* has verity enabled, and to stabilize the data being hashed.
	345	*/
	346
02f92b38	347	err = file_permission(filp, MAY_WRITE);
3fda4c61 EB	348	if (err)
	349	return err;
	350
	351	if (IS_APPEND(inode))
	352	return -EPERM;
	353
	354	if (S_ISDIR(inode->i_mode))
	355	return -EISDIR;
	356
	357	if (!S_ISREG(inode->i_mode))
	358	return -EINVAL;
	359
	360	err = mnt_want_write_file(filp);
	361	if (err) /* -EROFS */
	362	return err;
	363
	364	err = deny_write_access(filp);
	365	if (err) /* -ETXTBSY */
	366	goto out_drop_write;
	367
	368	err = enable_verity(filp, &arg);
3fda4c61 EB	369
3fda4c61 EB	370	/*
a075bacd EB	371	* We no longer drop the inode's pagecache after enabling verity. This
	372	* used to be done to try to avoid a race condition where pages could be
	373	* evicted after being used in the Merkle tree construction, then
	374	* re-instantiated by a concurrent read. Such pages are unverified, and
	375	* the backing storage could have filled them with different content, so
	376	* they shouldn't be used to fulfill reads once verity is enabled.
	377	*
	378	* But, dropping the pagecache has a big performance impact, and it
	379	* doesn't fully solve the race condition anyway. So for those reasons,
	380	* and also because this race condition isn't very important relatively
	381	* speaking (especially for small-ish files, where the chance of a page
	382	* being used, evicted, and re-instantiated all while enabling verity
	383	* is quite small), we no longer drop the inode's pagecache.
3fda4c61	384	*/
3fda4c61 EB	385
	386	/*
	387	* allow_write_access() is needed to pair with deny_write_access().
	388	* Regardless, the filesystem won't allow writing to verity files.
	389	*/
3fda4c61 EB	390	allow_write_access(filp);
	391	out_drop_write:
	392	mnt_drop_write_file(filp);
	393	return err;
	394	}
	395	EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);