search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ARM: dts: omap5: Add bus_dma_limit for L3 bus
[linux/fpc-iii.git] / fs / verity / enable.c
blobb79e3fd19d1152388c1972191f0a525a71a8c7f6
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * fs/verity/enable.c: ioctl to enable verity on a file
4 *
5 * Copyright 2019 Google LLC
6 */
7
8 #include "fsverity_private.h"
9
10 #include <crypto/hash.h>
11 #include <linux/mount.h>
12 #include <linux/pagemap.h>
13 #include <linux/sched/signal.h>
14 #include <linux/uaccess.h>
15
16 static int build_merkle_tree_level(struct inode *inode, unsigned int level,
17 u64 num_blocks_to_hash,
18 const struct merkle_tree_params *params,
19 u8 *pending_hashes,
20 struct ahash_request *req)
21 {
22 const struct fsverity_operations *vops = inode->i_sb->s_vop;
23 unsigned int pending_size = 0;
24 u64 dst_block_num;
25 u64 i;
26 int err;
27
28 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
29 return -EINVAL;
30
31 if (level < params->num_levels) {
32 dst_block_num = params->level_start[level];
33 } else {
34 if (WARN_ON(num_blocks_to_hash != 1))
35 return -EINVAL;
36 dst_block_num = 0; /* unused */
37 }
38
39 for (i = 0; i < num_blocks_to_hash; i++) {
40 struct page *src_page;
41
42 if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
43 pr_debug("Hashing block %llu of %llu for level %u\n",
44 i + 1, num_blocks_to_hash, level);
45
46 if (level == 0) {
47 /* Leaf: hashing a data block */
48 src_page = read_mapping_page(inode->i_mapping, i, NULL);
49 if (IS_ERR(src_page)) {
50 err = PTR_ERR(src_page);
51 fsverity_err(inode,
52 "Error %d reading data page %llu",
53 err, i);
54 return err;
55 }
56 } else {
57 /* Non-leaf: hashing hash block from level below */
58 src_page = vops->read_merkle_tree_page(inode,
59 params->level_start[level - 1] + i);
60 if (IS_ERR(src_page)) {
61 err = PTR_ERR(src_page);
62 fsverity_err(inode,
63 "Error %d reading Merkle tree page %llu",
64 err, params->level_start[level - 1] + i);
65 return err;
66 }
67 }
68
69 err = fsverity_hash_page(params, inode, req, src_page,
70 &pending_hashes[pending_size]);
71 put_page(src_page);
72 if (err)
73 return err;
74 pending_size += params->digest_size;
75
76 if (level == params->num_levels) /* Root hash? */
77 return 0;
78
79 if (pending_size + params->digest_size > params->block_size ||
80 i + 1 == num_blocks_to_hash) {
81 /* Flush the pending hash block */
82 memset(&pending_hashes[pending_size], 0,
83 params->block_size - pending_size);
84 err = vops->write_merkle_tree_block(inode,
85 pending_hashes,
86 dst_block_num,
87 params->log_blocksize);
88 if (err) {
89 fsverity_err(inode,
90 "Error %d writing Merkle tree block %llu",
91 err, dst_block_num);
92 return err;
93 }
94 dst_block_num++;
95 pending_size = 0;
96 }
97
98 if (fatal_signal_pending(current))
99 return -EINTR;
100 cond_resched();
101 }
102 return 0;
103 }
104
105 /*
106 * Build the Merkle tree for the given inode using the given parameters, and
107 * return the root hash in @root_hash.
108 *
109 * The tree is written to a filesystem-specific location as determined by the
110 * ->write_merkle_tree_block() method. However, the blocks that comprise the
111 * tree are the same for all filesystems.
112 */
113 static int build_merkle_tree(struct inode *inode,
114 const struct merkle_tree_params *params,
115 u8 *root_hash)
116 {
117 u8 *pending_hashes;
118 struct ahash_request *req;
119 u64 blocks;
120 unsigned int level;
121 int err = -ENOMEM;
122
123 if (inode->i_size == 0) {
124 /* Empty file is a special case; root hash is all 0's */
125 memset(root_hash, 0, params->digest_size);
126 return 0;
127 }
128
129 pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
130 req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL);
131 if (!pending_hashes || !req)
132 goto out;
133
134 /*
135 * Build each level of the Merkle tree, starting at the leaf level
136 * (level 0) and ascending to the root node (level 'num_levels - 1').
137 * Then at the end (level 'num_levels'), calculate the root hash.
138 */
139 blocks = (inode->i_size + params->block_size - 1) >>
140 params->log_blocksize;
141 for (level = 0; level <= params->num_levels; level++) {
142 err = build_merkle_tree_level(inode, level, blocks, params,
143 pending_hashes, req);
144 if (err)
145 goto out;
146 blocks = (blocks + params->hashes_per_block - 1) >>
147 params->log_arity;
148 }
149 memcpy(root_hash, pending_hashes, params->digest_size);
150 err = 0;
151 out:
152 kfree(pending_hashes);
153 ahash_request_free(req);
154 return err;
155 }
156
157 static int enable_verity(struct file *filp,
158 const struct fsverity_enable_arg *arg)
159 {
160 struct inode *inode = file_inode(filp);
161 const struct fsverity_operations *vops = inode->i_sb->s_vop;
162 struct merkle_tree_params params = { };
163 struct fsverity_descriptor *desc;
164 size_t desc_size = sizeof(*desc) + arg->sig_size;
165 struct fsverity_info *vi;
166 int err;
167
168 /* Start initializing the fsverity_descriptor */
169 desc = kzalloc(desc_size, GFP_KERNEL);
170 if (!desc)
171 return -ENOMEM;
172 desc->version = 1;
173 desc->hash_algorithm = arg->hash_algorithm;
174 desc->log_blocksize = ilog2(arg->block_size);
175
176 /* Get the salt if the user provided one */
177 if (arg->salt_size &&
178 copy_from_user(desc->salt,
179 (const u8 __user *)(uintptr_t)arg->salt_ptr,
180 arg->salt_size)) {
181 err = -EFAULT;
182 goto out;
183 }
184 desc->salt_size = arg->salt_size;
185
186 /* Get the signature if the user provided one */
187 if (arg->sig_size &&
188 copy_from_user(desc->signature,
189 (const u8 __user *)(uintptr_t)arg->sig_ptr,
190 arg->sig_size)) {
191 err = -EFAULT;
192 goto out;
193 }
194 desc->sig_size = cpu_to_le32(arg->sig_size);
195
196 desc->data_size = cpu_to_le64(inode->i_size);
197
198 /* Prepare the Merkle tree parameters */
199 err = fsverity_init_merkle_tree_params(&params, inode,
200 arg->hash_algorithm,
201 desc->log_blocksize,
202 desc->salt, desc->salt_size);
203 if (err)
204 goto out;
205
206 /*
207 * Start enabling verity on this file, serialized by the inode lock.
208 * Fail if verity is already enabled or is already being enabled.
209 */
210 inode_lock(inode);
211 if (IS_VERITY(inode))
212 err = -EEXIST;
213 else
214 err = vops->begin_enable_verity(filp);
215 inode_unlock(inode);
216 if (err)
217 goto out;
218
219 /*
220 * Build the Merkle tree. Don't hold the inode lock during this, since
221 * on huge files this may take a very long time and we don't want to
222 * force unrelated syscalls like chown() to block forever. We don't
223 * need the inode lock here because deny_write_access() already prevents
224 * the file from being written to or truncated, and we still serialize
225 * ->begin_enable_verity() and ->end_enable_verity() using the inode
226 * lock and only allow one process to be here at a time on a given file.
227 */
228 pr_debug("Building Merkle tree...\n");
229 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
230 err = build_merkle_tree(inode, &params, desc->root_hash);
231 if (err) {
232 fsverity_err(inode, "Error %d building Merkle tree", err);
233 goto rollback;
234 }
235 pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n",
236 params.hash_alg->name, params.digest_size, desc->root_hash);
237
238 /*
239 * Create the fsverity_info. Don't bother trying to save work by
240 * reusing the merkle_tree_params from above. Instead, just create the
241 * fsverity_info from the fsverity_descriptor as if it were just loaded
242 * from disk. This is simpler, and it serves as an extra check that the
243 * metadata we're writing is valid before actually enabling verity.
244 */
245 vi = fsverity_create_info(inode, desc, desc_size);
246 if (IS_ERR(vi)) {
247 err = PTR_ERR(vi);
248 goto rollback;
249 }
250
251 if (arg->sig_size)
252 pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
253 arg->sig_size);
254
255 /*
256 * Tell the filesystem to finish enabling verity on the file.
257 * Serialized with ->begin_enable_verity() by the inode lock.
258 */
259 inode_lock(inode);
260 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
261 inode_unlock(inode);
262 if (err) {
263 fsverity_err(inode, "%ps() failed with err %d",
264 vops->end_enable_verity, err);
265 fsverity_free_info(vi);
266 } else if (WARN_ON(!IS_VERITY(inode))) {
267 err = -EINVAL;
268 fsverity_free_info(vi);
269 } else {
270 /* Successfully enabled verity */
271
272 /*
273 * Readers can start using ->i_verity_info immediately, so it
274 * can't be rolled back once set. So don't set it until just
275 * after the filesystem has successfully enabled verity.
276 */
277 fsverity_set_info(inode, vi);
278 }
279 out:
280 kfree(params.hashstate);
281 kfree(desc);
282 return err;
283
284 rollback:
285 inode_lock(inode);
286 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
287 inode_unlock(inode);
288 goto out;
289 }
290
291 /**
292 * fsverity_ioctl_enable() - enable verity on a file
293 *
294 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of
295 * Documentation/filesystems/fsverity.rst for the documentation.
296 *
297 * Return: 0 on success, -errno on failure
298 */
299 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
300 {
301 struct inode *inode = file_inode(filp);
302 struct fsverity_enable_arg arg;
303 int err;
304
305 if (copy_from_user(&arg, uarg, sizeof(arg)))
306 return -EFAULT;
307
308 if (arg.version != 1)
309 return -EINVAL;
310
311 if (arg.__reserved1 ||
312 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
313 return -EINVAL;
314
315 if (arg.block_size != PAGE_SIZE)
316 return -EINVAL;
317
318 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
319 return -EMSGSIZE;
320
321 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
322 return -EMSGSIZE;
323
324 /*
325 * Require a regular file with write access. But the actual fd must
326 * still be readonly so that we can lock out all writers. This is
327 * needed to guarantee that no writable fds exist to the file once it
328 * has verity enabled, and to stabilize the data being hashed.
329 */
330
331 err = inode_permission(inode, MAY_WRITE);
332 if (err)
333 return err;
334
335 if (IS_APPEND(inode))
336 return -EPERM;
337
338 if (S_ISDIR(inode->i_mode))
339 return -EISDIR;
340
341 if (!S_ISREG(inode->i_mode))
342 return -EINVAL;
343
344 err = mnt_want_write_file(filp);
345 if (err) /* -EROFS */
346 return err;
347
348 err = deny_write_access(filp);
349 if (err) /* -ETXTBSY */
350 goto out_drop_write;
351
352 err = enable_verity(filp, &arg);
353 if (err)
354 goto out_allow_write_access;
355
356 /*
357 * Some pages of the file may have been evicted from pagecache after
358 * being used in the Merkle tree construction, then read into pagecache
359 * again by another process reading from the file concurrently. Since
360 * these pages didn't undergo verification against the file measurement
361 * which fs-verity now claims to be enforcing, we have to wipe the
362 * pagecache to ensure that all future reads are verified.
363 */
364 filemap_write_and_wait(inode->i_mapping);
365 invalidate_inode_pages2(inode->i_mapping);
366
367 /*
368 * allow_write_access() is needed to pair with deny_write_access().
369 * Regardless, the filesystem won't allow writing to verity files.
370 */
371 out_allow_write_access:
372 allow_write_access(filp);
373 out_drop_write:
374 mnt_drop_write_file(filp);
375 return err;
376 }
377 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
Linux with added FPC-III support