]>
Commit | Line | Data |
---|---|---|
3fda4c61 EB |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * fs/verity/enable.c: ioctl to enable verity on a file | |
4 | * | |
5 | * Copyright 2019 Google LLC | |
6 | */ | |
7 | ||
8 | #include "fsverity_private.h" | |
9 | ||
10 | #include <crypto/hash.h> | |
11 | #include <linux/mount.h> | |
12 | #include <linux/pagemap.h> | |
13 | #include <linux/sched/signal.h> | |
14 | #include <linux/uaccess.h> | |
15 | ||
c22415d3 EB |
16 | /* |
17 | * Read a file data page for Merkle tree construction. Do aggressive readahead, | |
18 | * since we're sequentially reading the entire file. | |
19 | */ | |
20 | static struct page *read_file_data_page(struct file *filp, pgoff_t index, | |
21 | struct file_ra_state *ra, | |
22 | unsigned long remaining_pages) | |
23 | { | |
24 | struct page *page; | |
25 | ||
26 | page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED); | |
27 | if (!page || !PageUptodate(page)) { | |
28 | if (page) | |
29 | put_page(page); | |
30 | else | |
31 | page_cache_sync_readahead(filp->f_mapping, ra, filp, | |
32 | index, remaining_pages); | |
33 | page = read_mapping_page(filp->f_mapping, index, NULL); | |
34 | if (IS_ERR(page)) | |
35 | return page; | |
36 | } | |
37 | if (PageReadahead(page)) | |
38 | page_cache_async_readahead(filp->f_mapping, ra, filp, page, | |
39 | index, remaining_pages); | |
40 | return page; | |
41 | } | |
42 | ||
43 | static int build_merkle_tree_level(struct file *filp, unsigned int level, | |
3fda4c61 EB |
44 | u64 num_blocks_to_hash, |
45 | const struct merkle_tree_params *params, | |
46 | u8 *pending_hashes, | |
47 | struct ahash_request *req) | |
48 | { | |
c22415d3 | 49 | struct inode *inode = file_inode(filp); |
3fda4c61 | 50 | const struct fsverity_operations *vops = inode->i_sb->s_vop; |
c22415d3 | 51 | struct file_ra_state ra = { 0 }; |
3fda4c61 EB |
52 | unsigned int pending_size = 0; |
53 | u64 dst_block_num; | |
54 | u64 i; | |
55 | int err; | |
56 | ||
57 | if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */ | |
58 | return -EINVAL; | |
59 | ||
60 | if (level < params->num_levels) { | |
61 | dst_block_num = params->level_start[level]; | |
62 | } else { | |
63 | if (WARN_ON(num_blocks_to_hash != 1)) | |
64 | return -EINVAL; | |
65 | dst_block_num = 0; /* unused */ | |
66 | } | |
67 | ||
c22415d3 EB |
68 | file_ra_state_init(&ra, filp->f_mapping); |
69 | ||
3fda4c61 EB |
70 | for (i = 0; i < num_blocks_to_hash; i++) { |
71 | struct page *src_page; | |
72 | ||
73 | if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash) | |
74 | pr_debug("Hashing block %llu of %llu for level %u\n", | |
75 | i + 1, num_blocks_to_hash, level); | |
76 | ||
77 | if (level == 0) { | |
78 | /* Leaf: hashing a data block */ | |
c22415d3 EB |
79 | src_page = read_file_data_page(filp, i, &ra, |
80 | num_blocks_to_hash - i); | |
3fda4c61 EB |
81 | if (IS_ERR(src_page)) { |
82 | err = PTR_ERR(src_page); | |
83 | fsverity_err(inode, | |
84 | "Error %d reading data page %llu", | |
85 | err, i); | |
86 | return err; | |
87 | } | |
88 | } else { | |
89 | /* Non-leaf: hashing hash block from level below */ | |
90 | src_page = vops->read_merkle_tree_page(inode, | |
91 | params->level_start[level - 1] + i); | |
92 | if (IS_ERR(src_page)) { | |
93 | err = PTR_ERR(src_page); | |
94 | fsverity_err(inode, | |
95 | "Error %d reading Merkle tree page %llu", | |
96 | err, params->level_start[level - 1] + i); | |
97 | return err; | |
98 | } | |
99 | } | |
100 | ||
101 | err = fsverity_hash_page(params, inode, req, src_page, | |
102 | &pending_hashes[pending_size]); | |
103 | put_page(src_page); | |
104 | if (err) | |
105 | return err; | |
106 | pending_size += params->digest_size; | |
107 | ||
108 | if (level == params->num_levels) /* Root hash? */ | |
109 | return 0; | |
110 | ||
111 | if (pending_size + params->digest_size > params->block_size || | |
112 | i + 1 == num_blocks_to_hash) { | |
113 | /* Flush the pending hash block */ | |
114 | memset(&pending_hashes[pending_size], 0, | |
115 | params->block_size - pending_size); | |
116 | err = vops->write_merkle_tree_block(inode, | |
117 | pending_hashes, | |
118 | dst_block_num, | |
119 | params->log_blocksize); | |
120 | if (err) { | |
121 | fsverity_err(inode, | |
122 | "Error %d writing Merkle tree block %llu", | |
123 | err, dst_block_num); | |
124 | return err; | |
125 | } | |
126 | dst_block_num++; | |
127 | pending_size = 0; | |
128 | } | |
129 | ||
130 | if (fatal_signal_pending(current)) | |
131 | return -EINTR; | |
132 | cond_resched(); | |
133 | } | |
134 | return 0; | |
135 | } | |
136 | ||
137 | /* | |
c22415d3 | 138 | * Build the Merkle tree for the given file using the given parameters, and |
3fda4c61 EB |
139 | * return the root hash in @root_hash. |
140 | * | |
141 | * The tree is written to a filesystem-specific location as determined by the | |
142 | * ->write_merkle_tree_block() method. However, the blocks that comprise the | |
143 | * tree are the same for all filesystems. | |
144 | */ | |
c22415d3 | 145 | static int build_merkle_tree(struct file *filp, |
3fda4c61 EB |
146 | const struct merkle_tree_params *params, |
147 | u8 *root_hash) | |
148 | { | |
c22415d3 | 149 | struct inode *inode = file_inode(filp); |
3fda4c61 EB |
150 | u8 *pending_hashes; |
151 | struct ahash_request *req; | |
152 | u64 blocks; | |
153 | unsigned int level; | |
154 | int err = -ENOMEM; | |
155 | ||
156 | if (inode->i_size == 0) { | |
157 | /* Empty file is a special case; root hash is all 0's */ | |
158 | memset(root_hash, 0, params->digest_size); | |
159 | return 0; | |
160 | } | |
161 | ||
162 | pending_hashes = kmalloc(params->block_size, GFP_KERNEL); | |
163 | req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL); | |
164 | if (!pending_hashes || !req) | |
165 | goto out; | |
166 | ||
167 | /* | |
168 | * Build each level of the Merkle tree, starting at the leaf level | |
169 | * (level 0) and ascending to the root node (level 'num_levels - 1'). | |
170 | * Then at the end (level 'num_levels'), calculate the root hash. | |
171 | */ | |
172 | blocks = (inode->i_size + params->block_size - 1) >> | |
173 | params->log_blocksize; | |
174 | for (level = 0; level <= params->num_levels; level++) { | |
c22415d3 | 175 | err = build_merkle_tree_level(filp, level, blocks, params, |
3fda4c61 EB |
176 | pending_hashes, req); |
177 | if (err) | |
178 | goto out; | |
179 | blocks = (blocks + params->hashes_per_block - 1) >> | |
180 | params->log_arity; | |
181 | } | |
182 | memcpy(root_hash, pending_hashes, params->digest_size); | |
183 | err = 0; | |
184 | out: | |
185 | kfree(pending_hashes); | |
186 | ahash_request_free(req); | |
187 | return err; | |
188 | } | |
189 | ||
190 | static int enable_verity(struct file *filp, | |
191 | const struct fsverity_enable_arg *arg) | |
192 | { | |
193 | struct inode *inode = file_inode(filp); | |
194 | const struct fsverity_operations *vops = inode->i_sb->s_vop; | |
195 | struct merkle_tree_params params = { }; | |
196 | struct fsverity_descriptor *desc; | |
432434c9 | 197 | size_t desc_size = sizeof(*desc) + arg->sig_size; |
3fda4c61 EB |
198 | struct fsverity_info *vi; |
199 | int err; | |
200 | ||
201 | /* Start initializing the fsverity_descriptor */ | |
202 | desc = kzalloc(desc_size, GFP_KERNEL); | |
203 | if (!desc) | |
204 | return -ENOMEM; | |
205 | desc->version = 1; | |
206 | desc->hash_algorithm = arg->hash_algorithm; | |
207 | desc->log_blocksize = ilog2(arg->block_size); | |
208 | ||
209 | /* Get the salt if the user provided one */ | |
210 | if (arg->salt_size && | |
211 | copy_from_user(desc->salt, | |
212 | (const u8 __user *)(uintptr_t)arg->salt_ptr, | |
213 | arg->salt_size)) { | |
214 | err = -EFAULT; | |
215 | goto out; | |
216 | } | |
217 | desc->salt_size = arg->salt_size; | |
218 | ||
432434c9 EB |
219 | /* Get the signature if the user provided one */ |
220 | if (arg->sig_size && | |
221 | copy_from_user(desc->signature, | |
222 | (const u8 __user *)(uintptr_t)arg->sig_ptr, | |
223 | arg->sig_size)) { | |
224 | err = -EFAULT; | |
225 | goto out; | |
226 | } | |
227 | desc->sig_size = cpu_to_le32(arg->sig_size); | |
228 | ||
3fda4c61 EB |
229 | desc->data_size = cpu_to_le64(inode->i_size); |
230 | ||
231 | /* Prepare the Merkle tree parameters */ | |
232 | err = fsverity_init_merkle_tree_params(¶ms, inode, | |
233 | arg->hash_algorithm, | |
234 | desc->log_blocksize, | |
235 | desc->salt, desc->salt_size); | |
236 | if (err) | |
237 | goto out; | |
238 | ||
239 | /* | |
240 | * Start enabling verity on this file, serialized by the inode lock. | |
241 | * Fail if verity is already enabled or is already being enabled. | |
242 | */ | |
243 | inode_lock(inode); | |
244 | if (IS_VERITY(inode)) | |
245 | err = -EEXIST; | |
246 | else | |
247 | err = vops->begin_enable_verity(filp); | |
248 | inode_unlock(inode); | |
249 | if (err) | |
250 | goto out; | |
251 | ||
252 | /* | |
253 | * Build the Merkle tree. Don't hold the inode lock during this, since | |
254 | * on huge files this may take a very long time and we don't want to | |
255 | * force unrelated syscalls like chown() to block forever. We don't | |
256 | * need the inode lock here because deny_write_access() already prevents | |
257 | * the file from being written to or truncated, and we still serialize | |
258 | * ->begin_enable_verity() and ->end_enable_verity() using the inode | |
259 | * lock and only allow one process to be here at a time on a given file. | |
260 | */ | |
261 | pr_debug("Building Merkle tree...\n"); | |
262 | BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); | |
c22415d3 | 263 | err = build_merkle_tree(filp, ¶ms, desc->root_hash); |
3fda4c61 EB |
264 | if (err) { |
265 | fsverity_err(inode, "Error %d building Merkle tree", err); | |
266 | goto rollback; | |
267 | } | |
268 | pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n", | |
269 | params.hash_alg->name, params.digest_size, desc->root_hash); | |
270 | ||
271 | /* | |
272 | * Create the fsverity_info. Don't bother trying to save work by | |
273 | * reusing the merkle_tree_params from above. Instead, just create the | |
274 | * fsverity_info from the fsverity_descriptor as if it were just loaded | |
275 | * from disk. This is simpler, and it serves as an extra check that the | |
276 | * metadata we're writing is valid before actually enabling verity. | |
277 | */ | |
278 | vi = fsverity_create_info(inode, desc, desc_size); | |
279 | if (IS_ERR(vi)) { | |
280 | err = PTR_ERR(vi); | |
281 | goto rollback; | |
282 | } | |
283 | ||
432434c9 EB |
284 | if (arg->sig_size) |
285 | pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n", | |
286 | arg->sig_size); | |
287 | ||
3fda4c61 EB |
288 | /* |
289 | * Tell the filesystem to finish enabling verity on the file. | |
290 | * Serialized with ->begin_enable_verity() by the inode lock. | |
291 | */ | |
292 | inode_lock(inode); | |
293 | err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); | |
294 | inode_unlock(inode); | |
295 | if (err) { | |
296 | fsverity_err(inode, "%ps() failed with err %d", | |
297 | vops->end_enable_verity, err); | |
298 | fsverity_free_info(vi); | |
299 | } else if (WARN_ON(!IS_VERITY(inode))) { | |
300 | err = -EINVAL; | |
301 | fsverity_free_info(vi); | |
302 | } else { | |
303 | /* Successfully enabled verity */ | |
304 | ||
305 | /* | |
306 | * Readers can start using ->i_verity_info immediately, so it | |
307 | * can't be rolled back once set. So don't set it until just | |
308 | * after the filesystem has successfully enabled verity. | |
309 | */ | |
310 | fsverity_set_info(inode, vi); | |
311 | } | |
312 | out: | |
313 | kfree(params.hashstate); | |
314 | kfree(desc); | |
315 | return err; | |
316 | ||
317 | rollback: | |
318 | inode_lock(inode); | |
319 | (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); | |
320 | inode_unlock(inode); | |
321 | goto out; | |
322 | } | |
323 | ||
324 | /** | |
325 | * fsverity_ioctl_enable() - enable verity on a file | |
326 | * | |
327 | * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of | |
328 | * Documentation/filesystems/fsverity.rst for the documentation. | |
329 | * | |
330 | * Return: 0 on success, -errno on failure | |
331 | */ | |
332 | int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) | |
333 | { | |
334 | struct inode *inode = file_inode(filp); | |
335 | struct fsverity_enable_arg arg; | |
336 | int err; | |
337 | ||
338 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
339 | return -EFAULT; | |
340 | ||
341 | if (arg.version != 1) | |
342 | return -EINVAL; | |
343 | ||
344 | if (arg.__reserved1 || | |
345 | memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) | |
346 | return -EINVAL; | |
347 | ||
348 | if (arg.block_size != PAGE_SIZE) | |
349 | return -EINVAL; | |
350 | ||
c593642c | 351 | if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) |
3fda4c61 EB |
352 | return -EMSGSIZE; |
353 | ||
432434c9 EB |
354 | if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) |
355 | return -EMSGSIZE; | |
3fda4c61 EB |
356 | |
357 | /* | |
358 | * Require a regular file with write access. But the actual fd must | |
359 | * still be readonly so that we can lock out all writers. This is | |
360 | * needed to guarantee that no writable fds exist to the file once it | |
361 | * has verity enabled, and to stabilize the data being hashed. | |
362 | */ | |
363 | ||
364 | err = inode_permission(inode, MAY_WRITE); | |
365 | if (err) | |
366 | return err; | |
367 | ||
368 | if (IS_APPEND(inode)) | |
369 | return -EPERM; | |
370 | ||
371 | if (S_ISDIR(inode->i_mode)) | |
372 | return -EISDIR; | |
373 | ||
374 | if (!S_ISREG(inode->i_mode)) | |
375 | return -EINVAL; | |
376 | ||
377 | err = mnt_want_write_file(filp); | |
378 | if (err) /* -EROFS */ | |
379 | return err; | |
380 | ||
381 | err = deny_write_access(filp); | |
382 | if (err) /* -ETXTBSY */ | |
383 | goto out_drop_write; | |
384 | ||
385 | err = enable_verity(filp, &arg); | |
386 | if (err) | |
387 | goto out_allow_write_access; | |
388 | ||
389 | /* | |
390 | * Some pages of the file may have been evicted from pagecache after | |
391 | * being used in the Merkle tree construction, then read into pagecache | |
392 | * again by another process reading from the file concurrently. Since | |
393 | * these pages didn't undergo verification against the file measurement | |
394 | * which fs-verity now claims to be enforcing, we have to wipe the | |
395 | * pagecache to ensure that all future reads are verified. | |
396 | */ | |
397 | filemap_write_and_wait(inode->i_mapping); | |
398 | invalidate_inode_pages2(inode->i_mapping); | |
399 | ||
400 | /* | |
401 | * allow_write_access() is needed to pair with deny_write_access(). | |
402 | * Regardless, the filesystem won't allow writing to verity files. | |
403 | */ | |
404 | out_allow_write_access: | |
405 | allow_write_access(filp); | |
406 | out_drop_write: | |
407 | mnt_drop_write_file(filp); | |
408 | return err; | |
409 | } | |
410 | EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); |