[linux-block.git] / fs / verity / open.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Opening fs-verity files
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <linux/mm.h>
#include <linux/slab.h>

static struct kmem_cache *fsverity_info_cachep;

/**
 * fsverity_init_merkle_tree_params() - initialize Merkle tree parameters
 * @params: the parameters struct to initialize
 * @inode: the inode for which the Merkle tree is being built
 * @hash_algorithm: number of hash algorithm to use
 * @log_blocksize: log base 2 of block size to use
 * @salt: pointer to salt (optional)
 * @salt_size: size of salt, possibly 0
 *
 * Validate the hash algorithm and block size, then compute the tree topology
 * (num levels, num blocks in each level, etc.) and initialize @params.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
				     const struct inode *inode,
				     unsigned int hash_algorithm,
				     unsigned int log_blocksize,
				     const u8 *salt, size_t salt_size)
{
	const struct fsverity_hash_alg *hash_alg;
	int err;
	u64 blocks;
	u64 blocks_in_level[FS_VERITY_MAX_LEVELS];
	u64 offset;
	int level;

	memset(params, 0, sizeof(*params));

	hash_alg = fsverity_get_hash_alg(inode, hash_algorithm);
	if (IS_ERR(hash_alg))
		return PTR_ERR(hash_alg);
	params->hash_alg = hash_alg;
	params->digest_size = hash_alg->digest_size;

	params->hashstate = fsverity_prepare_hash_state(hash_alg, salt,
							salt_size);
	if (IS_ERR(params->hashstate)) {
		err = PTR_ERR(params->hashstate);
		params->hashstate = NULL;
		fsverity_err(inode, "Error %d preparing hash state", err);
		goto out_err;
	}

	/*
	 * fs/verity/ directly assumes that the Merkle tree block size is a
	 * power of 2 less than or equal to PAGE_SIZE.  Another restriction
	 * arises from the interaction between fs/verity/ and the filesystems
	 * themselves: filesystems expect to be able to verify a single
	 * filesystem block of data at a time.  Therefore, the Merkle tree block
	 * size must also be less than or equal to the filesystem block size.
	 *
	 * The above are the only hard limitations, so in theory the Merkle tree
	 * block size could be as small as twice the digest size.  However,
	 * that's not useful, and it would result in some unusually deep and
	 * large Merkle trees.  So we currently require that the Merkle tree
	 * block size be at least 1024 bytes.  That's small enough to test the
	 * sub-page block case on systems with 4K pages, but not too small.
	 */
	if (log_blocksize < 10 || log_blocksize > PAGE_SHIFT ||
	    log_blocksize > inode->i_blkbits) {
		fsverity_warn(inode, "Unsupported log_blocksize: %u",
			      log_blocksize);
		err = -EINVAL;
		goto out_err;
	}
	params->log_blocksize = log_blocksize;
	params->block_size = 1 << log_blocksize;
	params->log_blocks_per_page = PAGE_SHIFT - log_blocksize;
	params->blocks_per_page = 1 << params->log_blocks_per_page;

	if (WARN_ON_ONCE(!is_power_of_2(params->digest_size))) {
		err = -EINVAL;
		goto out_err;
	}
	if (params->block_size < 2 * params->digest_size) {
		fsverity_warn(inode,
			      "Merkle tree block size (%u) too small for hash algorithm \"%s\"",
			      params->block_size, hash_alg->name);
		err = -EINVAL;
		goto out_err;
	}
	params->log_digestsize = ilog2(params->digest_size);
	params->log_arity = log_blocksize - params->log_digestsize;
	params->hashes_per_block = 1 << params->log_arity;

	/*
	 * Compute the number of levels in the Merkle tree and create a map from
	 * level to the starting block of that level.  Level 'num_levels - 1' is
	 * the root and is stored first.  Level 0 is the level directly "above"
	 * the data blocks and is stored last.
	 */

	/* Compute number of levels and the number of blocks in each level */
	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
	while (blocks > 1) {
		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
			fsverity_err(inode, "Too many levels in Merkle tree");
			err = -EFBIG;
			goto out_err;
		}
		blocks = (blocks + params->hashes_per_block - 1) >>
			 params->log_arity;
		blocks_in_level[params->num_levels++] = blocks;
	}

	/* Compute the starting block of each level */
	offset = 0;
	for (level = (int)params->num_levels - 1; level >= 0; level--) {
		params->level_start[level] = offset;
		offset += blocks_in_level[level];
	}

	/*
	 * With block_size != PAGE_SIZE, an in-memory bitmap will need to be
	 * allocated to track the "verified" status of hash blocks.  Don't allow
	 * this bitmap to get too large.  For now, limit it to 1 MiB, which
	 * limits the file size to about 4.4 TB with SHA-256 and 4K blocks.
	 *
	 * Together with the fact that the data, and thus also the Merkle tree,
	 * cannot have more than ULONG_MAX pages, this implies that hash block
	 * indices can always fit in an 'unsigned long'.  But to be safe, we
	 * explicitly check for that too.  Note, this is only for hash block
	 * indices; data block indices might not fit in an 'unsigned long'.
	 */
	if ((params->block_size != PAGE_SIZE && offset > 1 << 23) ||
	    offset > ULONG_MAX) {
		fsverity_err(inode, "Too many blocks in Merkle tree");
		err = -EFBIG;
		goto out_err;
	}

	params->tree_size = offset << log_blocksize;
	params->tree_pages = PAGE_ALIGN(params->tree_size) >> PAGE_SHIFT;
	return 0;

out_err:
	kfree(params->hashstate);
	memset(params, 0, sizeof(*params));
	return err;
}

/*
 * Compute the file digest by hashing the fsverity_descriptor excluding the
 * builtin signature and with the sig_size field set to 0.
 */
static int compute_file_digest(const struct fsverity_hash_alg *hash_alg,
			       struct fsverity_descriptor *desc,
			       u8 *file_digest)
{
	__le32 sig_size = desc->sig_size;
	int err;

	desc->sig_size = 0;
	err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
	desc->sig_size = sig_size;

	return err;
}

/*
 * Create a new fsverity_info from the given fsverity_descriptor (with optional
 * appended builtin signature), and check the signature if present.  The
 * fsverity_descriptor must have already undergone basic validation.
 */
struct fsverity_info *fsverity_create_info(const struct inode *inode,
					   struct fsverity_descriptor *desc)
{
	struct fsverity_info *vi;
	int err;

	vi = kmem_cache_zalloc(fsverity_info_cachep, GFP_KERNEL);
	if (!vi)
		return ERR_PTR(-ENOMEM);
	vi->inode = inode;

	err = fsverity_init_merkle_tree_params(&vi->tree_params, inode,
					       desc->hash_algorithm,
					       desc->log_blocksize,
					       desc->salt, desc->salt_size);
	if (err) {
		fsverity_err(inode,
			     "Error %d initializing Merkle tree parameters",
			     err);
		goto fail;
	}

	memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);

	err = compute_file_digest(vi->tree_params.hash_alg, desc,
				  vi->file_digest);
	if (err) {
		fsverity_err(inode, "Error %d computing file digest", err);
		goto fail;
	}

	err = fsverity_verify_signature(vi, desc->signature,
					le32_to_cpu(desc->sig_size));
	if (err)
		goto fail;

	if (vi->tree_params.block_size != PAGE_SIZE) {
		/*
		 * When the Merkle tree block size and page size differ, we use
		 * a bitmap to keep track of which hash blocks have been
		 * verified.  This bitmap must contain one bit per hash block,
		 * including alignment to a page boundary at the end.
		 *
		 * Eventually, to support extremely large files in an efficient
		 * way, it might be necessary to make pages of this bitmap
		 * reclaimable.  But for now, simply allocating the whole bitmap
		 * is a simple solution that works well on the files on which
		 * fsverity is realistically used.  E.g., with SHA-256 and 4K
		 * blocks, a 100MB file only needs a 24-byte bitmap, and the
		 * bitmap for any file under 17GB fits in a 4K page.
		 */
		unsigned long num_bits =
			vi->tree_params.tree_pages <<
			vi->tree_params.log_blocks_per_page;

		vi->hash_block_verified = kvcalloc(BITS_TO_LONGS(num_bits),
						   sizeof(unsigned long),
						   GFP_KERNEL);
		if (!vi->hash_block_verified) {
			err = -ENOMEM;
			goto fail;
		}
		spin_lock_init(&vi->hash_page_init_lock);
	}

	return vi;

fail:
	fsverity_free_info(vi);
	return ERR_PTR(err);
}

void fsverity_set_info(struct inode *inode, struct fsverity_info *vi)
{
	/*
	 * Multiple tasks may race to set ->i_verity_info, so use
	 * cmpxchg_release().  This pairs with the smp_load_acquire() in
	 * fsverity_get_info().  I.e., here we publish ->i_verity_info with a
	 * RELEASE barrier so that other tasks can ACQUIRE it.
	 */
	if (cmpxchg_release(&inode->i_verity_info, NULL, vi) != NULL) {
		/* Lost the race, so free the fsverity_info we allocated. */
		fsverity_free_info(vi);
		/*
		 * Afterwards, the caller may access ->i_verity_info directly,
		 * so make sure to ACQUIRE the winning fsverity_info.
		 */
		(void)fsverity_get_info(inode);
	}
}

void fsverity_free_info(struct fsverity_info *vi)
{
	if (!vi)
		return;
	kfree(vi->tree_params.hashstate);
	kvfree(vi->hash_block_verified);
	kmem_cache_free(fsverity_info_cachep, vi);
}

static bool validate_fsverity_descriptor(struct inode *inode,
					 const struct fsverity_descriptor *desc,
					 size_t desc_size)
{
	if (desc_size < sizeof(*desc)) {
		fsverity_err(inode, "Unrecognized descriptor size: %zu bytes",
			     desc_size);
		return false;
	}

	if (desc->version != 1) {
		fsverity_err(inode, "Unrecognized descriptor version: %u",
			     desc->version);
		return false;
	}

	if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
		fsverity_err(inode, "Reserved bits set in descriptor");
		return false;
	}

	if (desc->salt_size > sizeof(desc->salt)) {
		fsverity_err(inode, "Invalid salt_size: %u", desc->salt_size);
		return false;
	}

	if (le64_to_cpu(desc->data_size) != inode->i_size) {
		fsverity_err(inode,
			     "Wrong data_size: %llu (desc) != %lld (inode)",
			     le64_to_cpu(desc->data_size), inode->i_size);
		return false;
	}

	if (le32_to_cpu(desc->sig_size) > desc_size - sizeof(*desc)) {
		fsverity_err(inode, "Signature overflows verity descriptor");
		return false;
	}

	return true;
}

/*
 * Read the inode's fsverity_descriptor (with optional appended builtin
 * signature) from the filesystem, and do basic validation of it.
 */
int fsverity_get_descriptor(struct inode *inode,
			    struct fsverity_descriptor **desc_ret)
{
	int res;
	struct fsverity_descriptor *desc;

	res = inode->i_sb->s_vop->get_verity_descriptor(inode, NULL, 0);
	if (res < 0) {
		fsverity_err(inode,
			     "Error %d getting verity descriptor size", res);
		return res;
	}
	if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
		fsverity_err(inode, "Verity descriptor is too large (%d bytes)",
			     res);
		return -EMSGSIZE;
	}
	desc = kmalloc(res, GFP_KERNEL);
	if (!desc)
		return -ENOMEM;
	res = inode->i_sb->s_vop->get_verity_descriptor(inode, desc, res);
	if (res < 0) {
		fsverity_err(inode, "Error %d reading verity descriptor", res);
		kfree(desc);
		return res;
	}

	if (!validate_fsverity_descriptor(inode, desc, res)) {
		kfree(desc);
		return -EINVAL;
	}

	*desc_ret = desc;
	return 0;
}

/* Ensure the inode has an ->i_verity_info */
static int ensure_verity_info(struct inode *inode)
{
	struct fsverity_info *vi = fsverity_get_info(inode);
	struct fsverity_descriptor *desc;
	int err;

	if (vi)
		return 0;

	err = fsverity_get_descriptor(inode, &desc);
	if (err)
		return err;

	vi = fsverity_create_info(inode, desc);
	if (IS_ERR(vi)) {
		err = PTR_ERR(vi);
		goto out_free_desc;
	}

	fsverity_set_info(inode, vi);
	err = 0;
out_free_desc:
	kfree(desc);
	return err;
}

int __fsverity_file_open(struct inode *inode, struct file *filp)
{
	if (filp->f_mode & FMODE_WRITE)
		return -EPERM;
	return ensure_verity_info(inode);
}
EXPORT_SYMBOL_GPL(__fsverity_file_open);

int __fsverity_prepare_setattr(struct dentry *dentry, struct iattr *attr)
{
	if (attr->ia_valid & ATTR_SIZE)
		return -EPERM;
	return 0;
}
EXPORT_SYMBOL_GPL(__fsverity_prepare_setattr);

void __fsverity_cleanup_inode(struct inode *inode)
{
	fsverity_free_info(inode->i_verity_info);
	inode->i_verity_info = NULL;
}
EXPORT_SYMBOL_GPL(__fsverity_cleanup_inode);

void __init fsverity_init_info_cache(void)
{
	fsverity_info_cachep = KMEM_CACHE_USERCOPY(
					fsverity_info,
					SLAB_RECLAIM_ACCOUNT | SLAB_PANIC,
					file_digest);
}
Commit	Line	Data
fd2d1acf EB	1	// SPDX-License-Identifier: GPL-2.0
fd2d1acf EB	2	/*
7bf765dd	3	* Opening fs-verity files
fd2d1acf EB	4	*
	5	* Copyright 2019 Google LLC
	6	*/
	7
	8	#include "fsverity_private.h"
	9
9098f36b	10	#include <linux/mm.h>
fd2d1acf EB	11	#include <linux/slab.h>
	12
	13	static struct kmem_cache *fsverity_info_cachep;
	14
	15	/**
	16	* fsverity_init_merkle_tree_params() - initialize Merkle tree parameters
	17	* @params: the parameters struct to initialize
	18	* @inode: the inode for which the Merkle tree is being built
	19	* @hash_algorithm: number of hash algorithm to use
	20	* @log_blocksize: log base 2 of block size to use
	21	* @salt: pointer to salt (optional)
	22	* @salt_size: size of salt, possibly 0
	23	*
	24	* Validate the hash algorithm and block size, then compute the tree topology
	25	* (num levels, num blocks in each level, etc.) and initialize @params.
	26	*
	27	* Return: 0 on success, -errno on failure
	28	*/
	29	int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
	30	const struct inode *inode,
	31	unsigned int hash_algorithm,
	32	unsigned int log_blocksize,
	33	const u8 *salt, size_t salt_size)
	34	{
32ab3c5e	35	const struct fsverity_hash_alg *hash_alg;
fd2d1acf EB	36	int err;
fd2d1acf EB	37	u64 blocks;
284d5db5	38	u64 blocks_in_level[FS_VERITY_MAX_LEVELS];
fd2d1acf EB	39	u64 offset;
	40	int level;
	41
	42	memset(params, 0, sizeof(*params));
	43
	44	hash_alg = fsverity_get_hash_alg(inode, hash_algorithm);
	45	if (IS_ERR(hash_alg))
	46	return PTR_ERR(hash_alg);
	47	params->hash_alg = hash_alg;
	48	params->digest_size = hash_alg->digest_size;
	49
	50	params->hashstate = fsverity_prepare_hash_state(hash_alg, salt,
	51	salt_size);
	52	if (IS_ERR(params->hashstate)) {
	53	err = PTR_ERR(params->hashstate);
	54	params->hashstate = NULL;
	55	fsverity_err(inode, "Error %d preparing hash state", err);
	56	goto out_err;
	57	}
	58
5306892a EB	59	/*
	60	* fs/verity/ directly assumes that the Merkle tree block size is a
	61	* power of 2 less than or equal to PAGE_SIZE. Another restriction
	62	* arises from the interaction between fs/verity/ and the filesystems
	63	* themselves: filesystems expect to be able to verify a single
	64	* filesystem block of data at a time. Therefore, the Merkle tree block
	65	* size must also be less than or equal to the filesystem block size.
	66	*
	67	* The above are the only hard limitations, so in theory the Merkle tree
	68	* block size could be as small as twice the digest size. However,
	69	* that's not useful, and it would result in some unusually deep and
	70	* large Merkle trees. So we currently require that the Merkle tree
	71	* block size be at least 1024 bytes. That's small enough to test the
	72	* sub-page block case on systems with 4K pages, but not too small.
	73	*/
	74	if (log_blocksize < 10 \|\| log_blocksize > PAGE_SHIFT \|\|
	75	log_blocksize > inode->i_blkbits) {
fd2d1acf EB	76	fsverity_warn(inode, "Unsupported log_blocksize: %u",
	77	log_blocksize);
	78	err = -EINVAL;
	79	goto out_err;
	80	}
	81	params->log_blocksize = log_blocksize;
	82	params->block_size = 1 << log_blocksize;
5306892a EB	83	params->log_blocks_per_page = PAGE_SHIFT - log_blocksize;
5306892a EB	84	params->blocks_per_page = 1 << params->log_blocks_per_page;
fd2d1acf	85
8eb8af4b	86	if (WARN_ON_ONCE(!is_power_of_2(params->digest_size))) {
fd2d1acf EB	87	err = -EINVAL;
	88	goto out_err;
	89	}
	90	if (params->block_size < 2 * params->digest_size) {
	91	fsverity_warn(inode,
	92	"Merkle tree block size (%u) too small for hash algorithm \"%s\"",
	93	params->block_size, hash_alg->name);
	94	err = -EINVAL;
	95	goto out_err;
	96	}
579a12f7 EB	97	params->log_digestsize = ilog2(params->digest_size);
579a12f7 EB	98	params->log_arity = log_blocksize - params->log_digestsize;
fd2d1acf EB	99	params->hashes_per_block = 1 << params->log_arity;
fd2d1acf EB	100
fd2d1acf EB	101	/*
	102	* Compute the number of levels in the Merkle tree and create a map from
	103	* level to the starting block of that level. Level 'num_levels - 1' is
	104	* the root and is stored first. Level 0 is the level directly "above"
	105	* the data blocks and is stored last.
	106	*/
	107
	108	/* Compute number of levels and the number of blocks in each level */
80f6e308	109	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
fd2d1acf EB	110	while (blocks > 1) {
	111	if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
	112	fsverity_err(inode, "Too many levels in Merkle tree");
55eed69c	113	err = -EFBIG;
fd2d1acf EB	114	goto out_err;
	115	}
	116	blocks = (blocks + params->hashes_per_block - 1) >>
	117	params->log_arity;
284d5db5	118	blocks_in_level[params->num_levels++] = blocks;
fd2d1acf EB	119	}
	120
	121	/* Compute the starting block of each level */
	122	offset = 0;
	123	for (level = (int)params->num_levels - 1; level >= 0; level--) {
fd2d1acf	124	params->level_start[level] = offset;
284d5db5 EB	125	offset += blocks_in_level[level];
	126	}
	127
	128	/*
5306892a EB	129	* With block_size != PAGE_SIZE, an in-memory bitmap will need to be
	130	* allocated to track the "verified" status of hash blocks. Don't allow
	131	* this bitmap to get too large. For now, limit it to 1 MiB, which
	132	* limits the file size to about 4.4 TB with SHA-256 and 4K blocks.
	133	*
	134	* Together with the fact that the data, and thus also the Merkle tree,
	135	* cannot have more than ULONG_MAX pages, this implies that hash block
	136	* indices can always fit in an 'unsigned long'. But to be safe, we
	137	* explicitly check for that too. Note, this is only for hash block
	138	* indices; data block indices might not fit in an 'unsigned long'.
284d5db5	139	*/
5306892a EB	140	if ((params->block_size != PAGE_SIZE && offset > 1 << 23) \|\|
5306892a EB	141	offset > ULONG_MAX) {
284d5db5 EB	142	fsverity_err(inode, "Too many blocks in Merkle tree");
	143	err = -EFBIG;
	144	goto out_err;
fd2d1acf EB	145	}
	146
	147	params->tree_size = offset << log_blocksize;
9098f36b	148	params->tree_pages = PAGE_ALIGN(params->tree_size) >> PAGE_SHIFT;
fd2d1acf EB	149	return 0;
	150
	151	out_err:
	152	kfree(params->hashstate);
	153	memset(params, 0, sizeof(*params));
	154	return err;
	155	}
	156
432434c9	157	/*
ed45e201	158	* Compute the file digest by hashing the fsverity_descriptor excluding the
672d6ef4	159	* builtin signature and with the sig_size field set to 0.
432434c9	160	*/
32ab3c5e	161	static int compute_file_digest(const struct fsverity_hash_alg *hash_alg,
ed45e201 EB	162	struct fsverity_descriptor *desc,
ed45e201 EB	163	u8 *file_digest)
fd2d1acf	164	{
432434c9 EB	165	__le32 sig_size = desc->sig_size;
	166	int err;
	167
	168	desc->sig_size = 0;
ed45e201	169	err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
432434c9 EB	170	desc->sig_size = sig_size;
	171
	172	return err;
fd2d1acf EB	173	}
	174
	175	/*
c2c82611	176	* Create a new fsverity_info from the given fsverity_descriptor (with optional
672d6ef4	177	* appended builtin signature), and check the signature if present. The
c2c82611	178	* fsverity_descriptor must have already undergone basic validation.
fd2d1acf EB	179	*/
fd2d1acf EB	180	struct fsverity_info fsverity_create_info(const struct inode inode,
b0487ede	181	struct fsverity_descriptor *desc)
fd2d1acf	182	{
fd2d1acf EB	183	struct fsverity_info *vi;
	184	int err;
	185
fd2d1acf EB	186	vi = kmem_cache_zalloc(fsverity_info_cachep, GFP_KERNEL);
	187	if (!vi)
	188	return ERR_PTR(-ENOMEM);
	189	vi->inode = inode;
	190
	191	err = fsverity_init_merkle_tree_params(&vi->tree_params, inode,
	192	desc->hash_algorithm,
	193	desc->log_blocksize,
	194	desc->salt, desc->salt_size);
	195	if (err) {
	196	fsverity_err(inode,
	197	"Error %d initializing Merkle tree parameters",
	198	err);
5306892a	199	goto fail;
fd2d1acf EB	200	}
	201
	202	memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);
	203
ed45e201 EB	204	err = compute_file_digest(vi->tree_params.hash_alg, desc,
ed45e201 EB	205	vi->file_digest);
fd2d1acf	206	if (err) {
ed45e201	207	fsverity_err(inode, "Error %d computing file digest", err);
5306892a	208	goto fail;
fd2d1acf	209	}
432434c9	210
fab634c4 EB	211	err = fsverity_verify_signature(vi, desc->signature,
fab634c4 EB	212	le32_to_cpu(desc->sig_size));
5306892a EB	213	if (err)
	214	goto fail;
	215
	216	if (vi->tree_params.block_size != PAGE_SIZE) {
	217	/*
	218	* When the Merkle tree block size and page size differ, we use
	219	* a bitmap to keep track of which hash blocks have been
	220	* verified. This bitmap must contain one bit per hash block,
	221	* including alignment to a page boundary at the end.
	222	*
	223	* Eventually, to support extremely large files in an efficient
	224	* way, it might be necessary to make pages of this bitmap
	225	* reclaimable. But for now, simply allocating the whole bitmap
	226	* is a simple solution that works well on the files on which
	227	* fsverity is realistically used. E.g., with SHA-256 and 4K
	228	* blocks, a 100MB file only needs a 24-byte bitmap, and the
	229	* bitmap for any file under 17GB fits in a 4K page.
	230	*/
	231	unsigned long num_bits =
	232	vi->tree_params.tree_pages <<
	233	vi->tree_params.log_blocks_per_page;
	234
	235	vi->hash_block_verified = kvcalloc(BITS_TO_LONGS(num_bits),
	236	sizeof(unsigned long),
	237	GFP_KERNEL);
	238	if (!vi->hash_block_verified) {
	239	err = -ENOMEM;
	240	goto fail;
	241	}
	242	spin_lock_init(&vi->hash_page_init_lock);
fd2d1acf	243	}
5306892a	244
fd2d1acf	245	return vi;
5306892a EB	246
	247	fail:
	248	fsverity_free_info(vi);
	249	return ERR_PTR(err);
fd2d1acf EB	250	}
	251
	252	void fsverity_set_info(struct inode inode, struct fsverity_info vi)
	253	{
	254	/*
f3db0bed EB	255	* Multiple tasks may race to set ->i_verity_info, so use
	256	* cmpxchg_release(). This pairs with the smp_load_acquire() in
	257	* fsverity_get_info(). I.e., here we publish ->i_verity_info with a
	258	* RELEASE barrier so that other tasks can ACQUIRE it.
fd2d1acf	259	*/
f3db0bed EB	260	if (cmpxchg_release(&inode->i_verity_info, NULL, vi) != NULL) {
f3db0bed EB	261	/* Lost the race, so free the fsverity_info we allocated. */
fd2d1acf	262	fsverity_free_info(vi);
f3db0bed EB	263	/*
	264	* Afterwards, the caller may access ->i_verity_info directly,
	265	* so make sure to ACQUIRE the winning fsverity_info.
	266	*/
	267	(void)fsverity_get_info(inode);
	268	}
fd2d1acf EB	269	}
	270
	271	void fsverity_free_info(struct fsverity_info *vi)
	272	{
	273	if (!vi)
	274	return;
	275	kfree(vi->tree_params.hashstate);
5306892a	276	kvfree(vi->hash_block_verified);
fd2d1acf EB	277	kmem_cache_free(fsverity_info_cachep, vi);
	278	}
	279
c2c82611 EB	280	static bool validate_fsverity_descriptor(struct inode *inode,
	281	const struct fsverity_descriptor *desc,
	282	size_t desc_size)
fd2d1acf	283	{
c2c82611 EB	284	if (desc_size < sizeof(*desc)) {
	285	fsverity_err(inode, "Unrecognized descriptor size: %zu bytes",
	286	desc_size);
	287	return false;
	288	}
fd2d1acf	289
c2c82611 EB	290	if (desc->version != 1) {
	291	fsverity_err(inode, "Unrecognized descriptor version: %u",
	292	desc->version);
	293	return false;
	294	}
	295
	296	if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
	297	fsverity_err(inode, "Reserved bits set in descriptor");
	298	return false;
	299	}
	300
	301	if (desc->salt_size > sizeof(desc->salt)) {
	302	fsverity_err(inode, "Invalid salt_size: %u", desc->salt_size);
	303	return false;
	304	}
	305
	306	if (le64_to_cpu(desc->data_size) != inode->i_size) {
	307	fsverity_err(inode,
	308	"Wrong data_size: %llu (desc) != %lld (inode)",
	309	le64_to_cpu(desc->data_size), inode->i_size);
	310	return false;
	311	}
	312
	313	if (le32_to_cpu(desc->sig_size) > desc_size - sizeof(*desc)) {
	314	fsverity_err(inode, "Signature overflows verity descriptor");
	315	return false;
	316	}
	317
	318	return true;
	319	}
	320
	321	/*
672d6ef4 EB	322	* Read the inode's fsverity_descriptor (with optional appended builtin
672d6ef4 EB	323	* signature) from the filesystem, and do basic validation of it.
c2c82611 EB	324	*/
c2c82611 EB	325	int fsverity_get_descriptor(struct inode *inode,
b0487ede	326	struct fsverity_descriptor **desc_ret)
c2c82611 EB	327	{
	328	int res;
	329	struct fsverity_descriptor *desc;
fd2d1acf EB	330
	331	res = inode->i_sb->s_vop->get_verity_descriptor(inode, NULL, 0);
	332	if (res < 0) {
	333	fsverity_err(inode,
	334	"Error %d getting verity descriptor size", res);
	335	return res;
	336	}
	337	if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
	338	fsverity_err(inode, "Verity descriptor is too large (%d bytes)",
	339	res);
	340	return -EMSGSIZE;
	341	}
	342	desc = kmalloc(res, GFP_KERNEL);
	343	if (!desc)
	344	return -ENOMEM;
	345	res = inode->i_sb->s_vop->get_verity_descriptor(inode, desc, res);
	346	if (res < 0) {
	347	fsverity_err(inode, "Error %d reading verity descriptor", res);
c2c82611 EB	348	kfree(desc);
	349	return res;
	350	}
	351
	352	if (!validate_fsverity_descriptor(inode, desc, res)) {
	353	kfree(desc);
	354	return -EINVAL;
fd2d1acf EB	355	}
fd2d1acf EB	356
c2c82611	357	*desc_ret = desc;
c2c82611 EB	358	return 0;
	359	}
	360
	361	/* Ensure the inode has an ->i_verity_info */
	362	static int ensure_verity_info(struct inode *inode)
	363	{
	364	struct fsverity_info *vi = fsverity_get_info(inode);
	365	struct fsverity_descriptor *desc;
c2c82611 EB	366	int err;
	367
	368	if (vi)
	369	return 0;
	370
b0487ede	371	err = fsverity_get_descriptor(inode, &desc);
c2c82611 EB	372	if (err)
	373	return err;
	374
b0487ede	375	vi = fsverity_create_info(inode, desc);
fd2d1acf	376	if (IS_ERR(vi)) {
c2c82611	377	err = PTR_ERR(vi);
fd2d1acf EB	378	goto out_free_desc;
	379	}
	380
	381	fsverity_set_info(inode, vi);
c2c82611	382	err = 0;
fd2d1acf EB	383	out_free_desc:
fd2d1acf EB	384	kfree(desc);
c2c82611	385	return err;
fd2d1acf EB	386	}
fd2d1acf EB	387
a6528a96	388	int __fsverity_file_open(struct inode inode, struct file filp)
fd2d1acf	389	{
86f66569	390	if (filp->f_mode & FMODE_WRITE)
fd2d1acf	391	return -EPERM;
fd2d1acf EB	392	return ensure_verity_info(inode);
fd2d1acf EB	393	}
a6528a96	394	EXPORT_SYMBOL_GPL(__fsverity_file_open);
fd2d1acf	395
01d90c07	396	int __fsverity_prepare_setattr(struct dentry dentry, struct iattr attr)
c1d9b584	397	{
86f66569	398	if (attr->ia_valid & ATTR_SIZE)
c1d9b584	399	return -EPERM;
c1d9b584 EB	400	return 0;
c1d9b584 EB	401	}
01d90c07	402	EXPORT_SYMBOL_GPL(__fsverity_prepare_setattr);
c1d9b584	403
9642946c	404	void __fsverity_cleanup_inode(struct inode *inode)
fd2d1acf EB	405	{
	406	fsverity_free_info(inode->i_verity_info);
	407	inode->i_verity_info = NULL;
	408	}
9642946c	409	EXPORT_SYMBOL_GPL(__fsverity_cleanup_inode);
fd2d1acf	410
e77000cc	411	void __init fsverity_init_info_cache(void)
fd2d1acf	412	{
e77000cc EB	413	fsverity_info_cachep = KMEM_CACHE_USERCOPY(
	414	fsverity_info,
	415	SLAB_RECLAIM_ACCOUNT \| SLAB_PANIC,
	416	file_digest);
8a1d0f9c	417	}