search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WIP FPC-III support
[linux/fpc-iii.git] / fs / verity / enable.c
blobf7e997a01ad07c4699d435223057af0b7fc49b82
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Ioctl to enable verity on a file
4 *
5 * Copyright 2019 Google LLC
6 */
7
8 #include "fsverity_private.h"
9
10 #include <crypto/hash.h>
11 #include <linux/backing-dev.h>
12 #include <linux/mount.h>
13 #include <linux/pagemap.h>
14 #include <linux/sched/signal.h>
15 #include <linux/uaccess.h>
16
17 /*
18 * Read a file data page for Merkle tree construction. Do aggressive readahead,
19 * since we're sequentially reading the entire file.
20 */
21 static struct page *read_file_data_page(struct file *filp, pgoff_t index,
22 struct file_ra_state *ra,
23 unsigned long remaining_pages)
24 {
25 struct page *page;
26
27 page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED);
28 if (!page || !PageUptodate(page)) {
29 if (page)
30 put_page(page);
31 else
32 page_cache_sync_readahead(filp->f_mapping, ra, filp,
33 index, remaining_pages);
34 page = read_mapping_page(filp->f_mapping, index, NULL);
35 if (IS_ERR(page))
36 return page;
37 }
38 if (PageReadahead(page))
39 page_cache_async_readahead(filp->f_mapping, ra, filp, page,
40 index, remaining_pages);
41 return page;
42 }
43
44 static int build_merkle_tree_level(struct file *filp, unsigned int level,
45 u64 num_blocks_to_hash,
46 const struct merkle_tree_params *params,
47 u8 *pending_hashes,
48 struct ahash_request *req)
49 {
50 struct inode *inode = file_inode(filp);
51 const struct fsverity_operations *vops = inode->i_sb->s_vop;
52 struct file_ra_state ra = { 0 };
53 unsigned int pending_size = 0;
54 u64 dst_block_num;
55 u64 i;
56 int err;
57
58 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
59 return -EINVAL;
60
61 if (level < params->num_levels) {
62 dst_block_num = params->level_start[level];
63 } else {
64 if (WARN_ON(num_blocks_to_hash != 1))
65 return -EINVAL;
66 dst_block_num = 0; /* unused */
67 }
68
69 file_ra_state_init(&ra, filp->f_mapping);
70
71 for (i = 0; i < num_blocks_to_hash; i++) {
72 struct page *src_page;
73
74 if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
75 pr_debug("Hashing block %llu of %llu for level %u\n",
76 i + 1, num_blocks_to_hash, level);
77
78 if (level == 0) {
79 /* Leaf: hashing a data block */
80 src_page = read_file_data_page(filp, i, &ra,
81 num_blocks_to_hash - i);
82 if (IS_ERR(src_page)) {
83 err = PTR_ERR(src_page);
84 fsverity_err(inode,
85 "Error %d reading data page %llu",
86 err, i);
87 return err;
88 }
89 } else {
90 unsigned long num_ra_pages =
91 min_t(unsigned long, num_blocks_to_hash - i,
92 inode->i_sb->s_bdi->io_pages);
93
94 /* Non-leaf: hashing hash block from level below */
95 src_page = vops->read_merkle_tree_page(inode,
96 params->level_start[level - 1] + i,
97 num_ra_pages);
98 if (IS_ERR(src_page)) {
99 err = PTR_ERR(src_page);
100 fsverity_err(inode,
101 "Error %d reading Merkle tree page %llu",
102 err, params->level_start[level - 1] + i);
103 return err;
104 }
105 }
106
107 err = fsverity_hash_page(params, inode, req, src_page,
108 &pending_hashes[pending_size]);
109 put_page(src_page);
110 if (err)
111 return err;
112 pending_size += params->digest_size;
113
114 if (level == params->num_levels) /* Root hash? */
115 return 0;
116
117 if (pending_size + params->digest_size > params->block_size ||
118 i + 1 == num_blocks_to_hash) {
119 /* Flush the pending hash block */
120 memset(&pending_hashes[pending_size], 0,
121 params->block_size - pending_size);
122 err = vops->write_merkle_tree_block(inode,
123 pending_hashes,
124 dst_block_num,
125 params->log_blocksize);
126 if (err) {
127 fsverity_err(inode,
128 "Error %d writing Merkle tree block %llu",
129 err, dst_block_num);
130 return err;
131 }
132 dst_block_num++;
133 pending_size = 0;
134 }
135
136 if (fatal_signal_pending(current))
137 return -EINTR;
138 cond_resched();
139 }
140 return 0;
141 }
142
143 /*
144 * Build the Merkle tree for the given file using the given parameters, and
145 * return the root hash in @root_hash.
146 *
147 * The tree is written to a filesystem-specific location as determined by the
148 * ->write_merkle_tree_block() method. However, the blocks that comprise the
149 * tree are the same for all filesystems.
150 */
151 static int build_merkle_tree(struct file *filp,
152 const struct merkle_tree_params *params,
153 u8 *root_hash)
154 {
155 struct inode *inode = file_inode(filp);
156 u8 *pending_hashes;
157 struct ahash_request *req;
158 u64 blocks;
159 unsigned int level;
160 int err = -ENOMEM;
161
162 if (inode->i_size == 0) {
163 /* Empty file is a special case; root hash is all 0's */
164 memset(root_hash, 0, params->digest_size);
165 return 0;
166 }
167
168 /* This allocation never fails, since it's mempool-backed. */
169 req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL);
170
171 pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
172 if (!pending_hashes)
173 goto out;
174
175 /*
176 * Build each level of the Merkle tree, starting at the leaf level
177 * (level 0) and ascending to the root node (level 'num_levels - 1').
178 * Then at the end (level 'num_levels'), calculate the root hash.
179 */
180 blocks = (inode->i_size + params->block_size - 1) >>
181 params->log_blocksize;
182 for (level = 0; level <= params->num_levels; level++) {
183 err = build_merkle_tree_level(filp, level, blocks, params,
184 pending_hashes, req);
185 if (err)
186 goto out;
187 blocks = (blocks + params->hashes_per_block - 1) >>
188 params->log_arity;
189 }
190 memcpy(root_hash, pending_hashes, params->digest_size);
191 err = 0;
192 out:
193 kfree(pending_hashes);
194 fsverity_free_hash_request(params->hash_alg, req);
195 return err;
196 }
197
198 static int enable_verity(struct file *filp,
199 const struct fsverity_enable_arg *arg)
200 {
201 struct inode *inode = file_inode(filp);
202 const struct fsverity_operations *vops = inode->i_sb->s_vop;
203 struct merkle_tree_params params = { };
204 struct fsverity_descriptor *desc;
205 size_t desc_size = sizeof(*desc) + arg->sig_size;
206 struct fsverity_info *vi;
207 int err;
208
209 /* Start initializing the fsverity_descriptor */
210 desc = kzalloc(desc_size, GFP_KERNEL);
211 if (!desc)
212 return -ENOMEM;
213 desc->version = 1;
214 desc->hash_algorithm = arg->hash_algorithm;
215 desc->log_blocksize = ilog2(arg->block_size);
216
217 /* Get the salt if the user provided one */
218 if (arg->salt_size &&
219 copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr),
220 arg->salt_size)) {
221 err = -EFAULT;
222 goto out;
223 }
224 desc->salt_size = arg->salt_size;
225
226 /* Get the signature if the user provided one */
227 if (arg->sig_size &&
228 copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr),
229 arg->sig_size)) {
230 err = -EFAULT;
231 goto out;
232 }
233 desc->sig_size = cpu_to_le32(arg->sig_size);
234
235 desc->data_size = cpu_to_le64(inode->i_size);
236
237 /* Prepare the Merkle tree parameters */
238 err = fsverity_init_merkle_tree_params(&params, inode,
239 arg->hash_algorithm,
240 desc->log_blocksize,
241 desc->salt, desc->salt_size);
242 if (err)
243 goto out;
244
245 /*
246 * Start enabling verity on this file, serialized by the inode lock.
247 * Fail if verity is already enabled or is already being enabled.
248 */
249 inode_lock(inode);
250 if (IS_VERITY(inode))
251 err = -EEXIST;
252 else
253 err = vops->begin_enable_verity(filp);
254 inode_unlock(inode);
255 if (err)
256 goto out;
257
258 /*
259 * Build the Merkle tree. Don't hold the inode lock during this, since
260 * on huge files this may take a very long time and we don't want to
261 * force unrelated syscalls like chown() to block forever. We don't
262 * need the inode lock here because deny_write_access() already prevents
263 * the file from being written to or truncated, and we still serialize
264 * ->begin_enable_verity() and ->end_enable_verity() using the inode
265 * lock and only allow one process to be here at a time on a given file.
266 */
267 pr_debug("Building Merkle tree...\n");
268 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
269 err = build_merkle_tree(filp, &params, desc->root_hash);
270 if (err) {
271 fsverity_err(inode, "Error %d building Merkle tree", err);
272 goto rollback;
273 }
274 pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n",
275 params.hash_alg->name, params.digest_size, desc->root_hash);
276
277 /*
278 * Create the fsverity_info. Don't bother trying to save work by
279 * reusing the merkle_tree_params from above. Instead, just create the
280 * fsverity_info from the fsverity_descriptor as if it were just loaded
281 * from disk. This is simpler, and it serves as an extra check that the
282 * metadata we're writing is valid before actually enabling verity.
283 */
284 vi = fsverity_create_info(inode, desc, desc_size);
285 if (IS_ERR(vi)) {
286 err = PTR_ERR(vi);
287 goto rollback;
288 }
289
290 if (arg->sig_size)
291 pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
292 arg->sig_size);
293
294 /*
295 * Tell the filesystem to finish enabling verity on the file.
296 * Serialized with ->begin_enable_verity() by the inode lock.
297 */
298 inode_lock(inode);
299 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
300 inode_unlock(inode);
301 if (err) {
302 fsverity_err(inode, "%ps() failed with err %d",
303 vops->end_enable_verity, err);
304 fsverity_free_info(vi);
305 } else if (WARN_ON(!IS_VERITY(inode))) {
306 err = -EINVAL;
307 fsverity_free_info(vi);
308 } else {
309 /* Successfully enabled verity */
310
311 /*
312 * Readers can start using ->i_verity_info immediately, so it
313 * can't be rolled back once set. So don't set it until just
314 * after the filesystem has successfully enabled verity.
315 */
316 fsverity_set_info(inode, vi);
317 }
318 out:
319 kfree(params.hashstate);
320 kfree(desc);
321 return err;
322
323 rollback:
324 inode_lock(inode);
325 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
326 inode_unlock(inode);
327 goto out;
328 }
329
330 /**
331 * fsverity_ioctl_enable() - enable verity on a file
332 * @filp: file to enable verity on
333 * @uarg: user pointer to fsverity_enable_arg
334 *
335 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of
336 * Documentation/filesystems/fsverity.rst for the documentation.
337 *
338 * Return: 0 on success, -errno on failure
339 */
340 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
341 {
342 struct inode *inode = file_inode(filp);
343 struct fsverity_enable_arg arg;
344 int err;
345
346 if (copy_from_user(&arg, uarg, sizeof(arg)))
347 return -EFAULT;
348
349 if (arg.version != 1)
350 return -EINVAL;
351
352 if (arg.__reserved1 ||
353 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
354 return -EINVAL;
355
356 if (arg.block_size != PAGE_SIZE)
357 return -EINVAL;
358
359 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
360 return -EMSGSIZE;
361
362 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
363 return -EMSGSIZE;
364
365 /*
366 * Require a regular file with write access. But the actual fd must
367 * still be readonly so that we can lock out all writers. This is
368 * needed to guarantee that no writable fds exist to the file once it
369 * has verity enabled, and to stabilize the data being hashed.
370 */
371
372 err = inode_permission(inode, MAY_WRITE);
373 if (err)
374 return err;
375
376 if (IS_APPEND(inode))
377 return -EPERM;
378
379 if (S_ISDIR(inode->i_mode))
380 return -EISDIR;
381
382 if (!S_ISREG(inode->i_mode))
383 return -EINVAL;
384
385 err = mnt_want_write_file(filp);
386 if (err) /* -EROFS */
387 return err;
388
389 err = deny_write_access(filp);
390 if (err) /* -ETXTBSY */
391 goto out_drop_write;
392
393 err = enable_verity(filp, &arg);
394 if (err)
395 goto out_allow_write_access;
396
397 /*
398 * Some pages of the file may have been evicted from pagecache after
399 * being used in the Merkle tree construction, then read into pagecache
400 * again by another process reading from the file concurrently. Since
401 * these pages didn't undergo verification against the file digest which
402 * fs-verity now claims to be enforcing, we have to wipe the pagecache
403 * to ensure that all future reads are verified.
404 */
405 filemap_write_and_wait(inode->i_mapping);
406 invalidate_inode_pages2(inode->i_mapping);
407
408 /*
409 * allow_write_access() is needed to pair with deny_write_access().
410 * Regardless, the filesystem won't allow writing to verity files.
411 */
412 out_allow_write_access:
413 allow_write_access(filp);
414 out_drop_write:
415 mnt_drop_write_file(filp);
416 return err;
417 }
418 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
Linux with added FPC-III support