[mirror_ubuntu-jammy-kernel.git] / fs / verity / enable.c

// SPDX-License-Identifier: GPL-2.0
/*
 * fs/verity/enable.c: ioctl to enable verity on a file
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <crypto/hash.h>
#include <linux/mount.h>
#include <linux/pagemap.h>
#include <linux/sched/signal.h>
#include <linux/uaccess.h>

/*
 * Read a file data page for Merkle tree construction.  Do aggressive readahead,
 * since we're sequentially reading the entire file.
 */
static struct page *read_file_data_page(struct file *filp, pgoff_t index,
					struct file_ra_state *ra,
					unsigned long remaining_pages)
{
	struct page *page;

	page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED);
	if (!page || !PageUptodate(page)) {
		if (page)
			put_page(page);
		else
			page_cache_sync_readahead(filp->f_mapping, ra, filp,
						  index, remaining_pages);
		page = read_mapping_page(filp->f_mapping, index, NULL);
		if (IS_ERR(page))
			return page;
	}
	if (PageReadahead(page))
		page_cache_async_readahead(filp->f_mapping, ra, filp, page,
					   index, remaining_pages);
	return page;
}

static int build_merkle_tree_level(struct file *filp, unsigned int level,
				   u64 num_blocks_to_hash,
				   const struct merkle_tree_params *params,
				   u8 *pending_hashes,
				   struct ahash_request *req)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	struct file_ra_state ra = { 0 };
	unsigned int pending_size = 0;
	u64 dst_block_num;
	u64 i;
	int err;

	if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
		return -EINVAL;

	if (level < params->num_levels) {
		dst_block_num = params->level_start[level];
	} else {
		if (WARN_ON(num_blocks_to_hash != 1))
			return -EINVAL;
		dst_block_num = 0; /* unused */
	}

	file_ra_state_init(&ra, filp->f_mapping);

	for (i = 0; i < num_blocks_to_hash; i++) {
		struct page *src_page;

		if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
			pr_debug("Hashing block %llu of %llu for level %u\n",
				 i + 1, num_blocks_to_hash, level);

		if (level == 0) {
			/* Leaf: hashing a data block */
			src_page = read_file_data_page(filp, i, &ra,
						       num_blocks_to_hash - i);
			if (IS_ERR(src_page)) {
				err = PTR_ERR(src_page);
				fsverity_err(inode,
					     "Error %d reading data page %llu",
					     err, i);
				return err;
			}
		} else {
			/* Non-leaf: hashing hash block from level below */
			src_page = vops->read_merkle_tree_page(inode,
					params->level_start[level - 1] + i);
			if (IS_ERR(src_page)) {
				err = PTR_ERR(src_page);
				fsverity_err(inode,
					     "Error %d reading Merkle tree page %llu",
					     err, params->level_start[level - 1] + i);
				return err;
			}
		}

		err = fsverity_hash_page(params, inode, req, src_page,
					 &pending_hashes[pending_size]);
		put_page(src_page);
		if (err)
			return err;
		pending_size += params->digest_size;

		if (level == params->num_levels) /* Root hash? */
			return 0;

		if (pending_size + params->digest_size > params->block_size ||
		    i + 1 == num_blocks_to_hash) {
			/* Flush the pending hash block */
			memset(&pending_hashes[pending_size], 0,
			       params->block_size - pending_size);
			err = vops->write_merkle_tree_block(inode,
					pending_hashes,
					dst_block_num,
					params->log_blocksize);
			if (err) {
				fsverity_err(inode,
					     "Error %d writing Merkle tree block %llu",
					     err, dst_block_num);
				return err;
			}
			dst_block_num++;
			pending_size = 0;
		}

		if (fatal_signal_pending(current))
			return -EINTR;
		cond_resched();
	}
	return 0;
}

/*
 * Build the Merkle tree for the given file using the given parameters, and
 * return the root hash in @root_hash.
 *
 * The tree is written to a filesystem-specific location as determined by the
 * ->write_merkle_tree_block() method.  However, the blocks that comprise the
 * tree are the same for all filesystems.
 */
static int build_merkle_tree(struct file *filp,
			     const struct merkle_tree_params *params,
			     u8 *root_hash)
{
	struct inode *inode = file_inode(filp);
	u8 *pending_hashes;
	struct ahash_request *req;
	u64 blocks;
	unsigned int level;
	int err = -ENOMEM;

	if (inode->i_size == 0) {
		/* Empty file is a special case; root hash is all 0's */
		memset(root_hash, 0, params->digest_size);
		return 0;
	}

	pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
	req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL);
	if (!pending_hashes || !req)
		goto out;

	/*
	 * Build each level of the Merkle tree, starting at the leaf level
	 * (level 0) and ascending to the root node (level 'num_levels - 1').
	 * Then at the end (level 'num_levels'), calculate the root hash.
	 */
	blocks = (inode->i_size + params->block_size - 1) >>
		 params->log_blocksize;
	for (level = 0; level <= params->num_levels; level++) {
		err = build_merkle_tree_level(filp, level, blocks, params,
					      pending_hashes, req);
		if (err)
			goto out;
		blocks = (blocks + params->hashes_per_block - 1) >>
			 params->log_arity;
	}
	memcpy(root_hash, pending_hashes, params->digest_size);
	err = 0;
out:
	kfree(pending_hashes);
	ahash_request_free(req);
	return err;
}

static int enable_verity(struct file *filp,
			 const struct fsverity_enable_arg *arg)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	struct merkle_tree_params params = { };
	struct fsverity_descriptor *desc;
	size_t desc_size = sizeof(*desc) + arg->sig_size;
	struct fsverity_info *vi;
	int err;

	/* Start initializing the fsverity_descriptor */
	desc = kzalloc(desc_size, GFP_KERNEL);
	if (!desc)
		return -ENOMEM;
	desc->version = 1;
	desc->hash_algorithm = arg->hash_algorithm;
	desc->log_blocksize = ilog2(arg->block_size);

	/* Get the salt if the user provided one */
	if (arg->salt_size &&
	    copy_from_user(desc->salt,
			   (const u8 __user *)(uintptr_t)arg->salt_ptr,
			   arg->salt_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->salt_size = arg->salt_size;

	/* Get the signature if the user provided one */
	if (arg->sig_size &&
	    copy_from_user(desc->signature,
			   (const u8 __user *)(uintptr_t)arg->sig_ptr,
			   arg->sig_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->sig_size = cpu_to_le32(arg->sig_size);

	desc->data_size = cpu_to_le64(inode->i_size);

	/* Prepare the Merkle tree parameters */
	err = fsverity_init_merkle_tree_params(&params, inode,
					       arg->hash_algorithm,
					       desc->log_blocksize,
					       desc->salt, desc->salt_size);
	if (err)
		goto out;

	/*
	 * Start enabling verity on this file, serialized by the inode lock.
	 * Fail if verity is already enabled or is already being enabled.
	 */
	inode_lock(inode);
	if (IS_VERITY(inode))
		err = -EEXIST;
	else
		err = vops->begin_enable_verity(filp);
	inode_unlock(inode);
	if (err)
		goto out;

	/*
	 * Build the Merkle tree.  Don't hold the inode lock during this, since
	 * on huge files this may take a very long time and we don't want to
	 * force unrelated syscalls like chown() to block forever.  We don't
	 * need the inode lock here because deny_write_access() already prevents
	 * the file from being written to or truncated, and we still serialize
	 * ->begin_enable_verity() and ->end_enable_verity() using the inode
	 * lock and only allow one process to be here at a time on a given file.
	 */
	pr_debug("Building Merkle tree...\n");
	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
	err = build_merkle_tree(filp, &params, desc->root_hash);
	if (err) {
		fsverity_err(inode, "Error %d building Merkle tree", err);
		goto rollback;
	}
	pr_debug("Done building Merkle tree.  Root hash is %s:%*phN\n",
		 params.hash_alg->name, params.digest_size, desc->root_hash);

	/*
	 * Create the fsverity_info.  Don't bother trying to save work by
	 * reusing the merkle_tree_params from above.  Instead, just create the
	 * fsverity_info from the fsverity_descriptor as if it were just loaded
	 * from disk.  This is simpler, and it serves as an extra check that the
	 * metadata we're writing is valid before actually enabling verity.
	 */
	vi = fsverity_create_info(inode, desc, desc_size);
	if (IS_ERR(vi)) {
		err = PTR_ERR(vi);
		goto rollback;
	}

	if (arg->sig_size)
		pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
			 arg->sig_size);

	/*
	 * Tell the filesystem to finish enabling verity on the file.
	 * Serialized with ->begin_enable_verity() by the inode lock.
	 */
	inode_lock(inode);
	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
	inode_unlock(inode);
	if (err) {
		fsverity_err(inode, "%ps() failed with err %d",
			     vops->end_enable_verity, err);
		fsverity_free_info(vi);
	} else if (WARN_ON(!IS_VERITY(inode))) {
		err = -EINVAL;
		fsverity_free_info(vi);
	} else {
		/* Successfully enabled verity */

		/*
		 * Readers can start using ->i_verity_info immediately, so it
		 * can't be rolled back once set.  So don't set it until just
		 * after the filesystem has successfully enabled verity.
		 */
		fsverity_set_info(inode, vi);
	}
out:
	kfree(params.hashstate);
	kfree(desc);
	return err;

rollback:
	inode_lock(inode);
	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
	inode_unlock(inode);
	goto out;
}

/**
 * fsverity_ioctl_enable() - enable verity on a file
 *
 * Enable fs-verity on a file.  See the "FS_IOC_ENABLE_VERITY" section of
 * Documentation/filesystems/fsverity.rst for the documentation.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
{
	struct inode *inode = file_inode(filp);
	struct fsverity_enable_arg arg;
	int err;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	if (arg.version != 1)
		return -EINVAL;

	if (arg.__reserved1 ||
	    memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
		return -EINVAL;

	if (arg.block_size != PAGE_SIZE)
		return -EINVAL;

	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
		return -EMSGSIZE;

	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
		return -EMSGSIZE;

	/*
	 * Require a regular file with write access.  But the actual fd must
	 * still be readonly so that we can lock out all writers.  This is
	 * needed to guarantee that no writable fds exist to the file once it
	 * has verity enabled, and to stabilize the data being hashed.
	 */

	err = inode_permission(inode, MAY_WRITE);
	if (err)
		return err;

	if (IS_APPEND(inode))
		return -EPERM;

	if (S_ISDIR(inode->i_mode))
		return -EISDIR;

	if (!S_ISREG(inode->i_mode))
		return -EINVAL;

	err = mnt_want_write_file(filp);
	if (err) /* -EROFS */
		return err;

	err = deny_write_access(filp);
	if (err) /* -ETXTBSY */
		goto out_drop_write;

	err = enable_verity(filp, &arg);
	if (err)
		goto out_allow_write_access;

	/*
	 * Some pages of the file may have been evicted from pagecache after
	 * being used in the Merkle tree construction, then read into pagecache
	 * again by another process reading from the file concurrently.  Since
	 * these pages didn't undergo verification against the file measurement
	 * which fs-verity now claims to be enforcing, we have to wipe the
	 * pagecache to ensure that all future reads are verified.
	 */
	filemap_write_and_wait(inode->i_mapping);
	invalidate_inode_pages2(inode->i_mapping);

	/*
	 * allow_write_access() is needed to pair with deny_write_access().
	 * Regardless, the filesystem won't allow writing to verity files.
	 */
out_allow_write_access:
	allow_write_access(filp);
out_drop_write:
	mnt_drop_write_file(filp);
	return err;
}
EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
Commit	Line	Data
3fda4c61 EB	1	// SPDX-License-Identifier: GPL-2.0
	2	/*
	3	* fs/verity/enable.c: ioctl to enable verity on a file
	4	*
	5	* Copyright 2019 Google LLC
	6	*/
	7
	8	#include "fsverity_private.h"
	9
	10	#include <crypto/hash.h>
	11	#include <linux/mount.h>
	12	#include <linux/pagemap.h>
	13	#include <linux/sched/signal.h>
	14	#include <linux/uaccess.h>
	15
c22415d3 EB	16	/*
	17	* Read a file data page for Merkle tree construction. Do aggressive readahead,
	18	* since we're sequentially reading the entire file.
	19	*/
	20	static struct page read_file_data_page(struct file filp, pgoff_t index,
	21	struct file_ra_state *ra,
	22	unsigned long remaining_pages)
	23	{
	24	struct page *page;
	25
	26	page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED);
	27	if (!page \|\| !PageUptodate(page)) {
	28	if (page)
	29	put_page(page);
	30	else
	31	page_cache_sync_readahead(filp->f_mapping, ra, filp,
	32	index, remaining_pages);
	33	page = read_mapping_page(filp->f_mapping, index, NULL);
	34	if (IS_ERR(page))
	35	return page;
	36	}
	37	if (PageReadahead(page))
	38	page_cache_async_readahead(filp->f_mapping, ra, filp, page,
	39	index, remaining_pages);
	40	return page;
	41	}
	42
	43	static int build_merkle_tree_level(struct file *filp, unsigned int level,
3fda4c61 EB	44	u64 num_blocks_to_hash,
	45	const struct merkle_tree_params *params,
	46	u8 *pending_hashes,
	47	struct ahash_request *req)
	48	{
c22415d3	49	struct inode *inode = file_inode(filp);
3fda4c61	50	const struct fsverity_operations *vops = inode->i_sb->s_vop;
c22415d3	51	struct file_ra_state ra = { 0 };
3fda4c61 EB	52	unsigned int pending_size = 0;
	53	u64 dst_block_num;
	54	u64 i;
	55	int err;
	56
	57	if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
	58	return -EINVAL;
	59
	60	if (level < params->num_levels) {
	61	dst_block_num = params->level_start[level];
	62	} else {
	63	if (WARN_ON(num_blocks_to_hash != 1))
	64	return -EINVAL;
	65	dst_block_num = 0; /* unused */
	66	}
	67
c22415d3 EB	68	file_ra_state_init(&ra, filp->f_mapping);
c22415d3 EB	69
3fda4c61 EB	70	for (i = 0; i < num_blocks_to_hash; i++) {
	71	struct page *src_page;
	72
	73	if ((pgoff_t)i % 10000 == 0 \|\| i + 1 == num_blocks_to_hash)
	74	pr_debug("Hashing block %llu of %llu for level %u\n",
	75	i + 1, num_blocks_to_hash, level);
	76
	77	if (level == 0) {
	78	/* Leaf: hashing a data block */
c22415d3 EB	79	src_page = read_file_data_page(filp, i, &ra,
c22415d3 EB	80	num_blocks_to_hash - i);
3fda4c61 EB	81	if (IS_ERR(src_page)) {
	82	err = PTR_ERR(src_page);
	83	fsverity_err(inode,
	84	"Error %d reading data page %llu",
	85	err, i);
	86	return err;
	87	}
	88	} else {
	89	/* Non-leaf: hashing hash block from level below */
	90	src_page = vops->read_merkle_tree_page(inode,
	91	params->level_start[level - 1] + i);
	92	if (IS_ERR(src_page)) {
	93	err = PTR_ERR(src_page);
	94	fsverity_err(inode,
	95	"Error %d reading Merkle tree page %llu",
	96	err, params->level_start[level - 1] + i);
	97	return err;
	98	}
	99	}
	100
	101	err = fsverity_hash_page(params, inode, req, src_page,
	102	&pending_hashes[pending_size]);
	103	put_page(src_page);
	104	if (err)
	105	return err;
	106	pending_size += params->digest_size;
	107
	108	if (level == params->num_levels) /* Root hash? */
	109	return 0;
	110
	111	if (pending_size + params->digest_size > params->block_size \|\|
	112	i + 1 == num_blocks_to_hash) {
	113	/* Flush the pending hash block */
	114	memset(&pending_hashes[pending_size], 0,
	115	params->block_size - pending_size);
	116	err = vops->write_merkle_tree_block(inode,
	117	pending_hashes,
	118	dst_block_num,
	119	params->log_blocksize);
	120	if (err) {
	121	fsverity_err(inode,
	122	"Error %d writing Merkle tree block %llu",
	123	err, dst_block_num);
	124	return err;
	125	}
	126	dst_block_num++;
	127	pending_size = 0;
	128	}
	129
	130	if (fatal_signal_pending(current))
	131	return -EINTR;
	132	cond_resched();
	133	}
	134	return 0;
	135	}
	136
	137	/*
c22415d3	138	* Build the Merkle tree for the given file using the given parameters, and
3fda4c61 EB	139	* return the root hash in @root_hash.
	140	*
	141	* The tree is written to a filesystem-specific location as determined by the
	142	* ->write_merkle_tree_block() method. However, the blocks that comprise the
	143	* tree are the same for all filesystems.
	144	*/
c22415d3	145	static int build_merkle_tree(struct file *filp,
3fda4c61 EB	146	const struct merkle_tree_params *params,
	147	u8 *root_hash)
	148	{
c22415d3	149	struct inode *inode = file_inode(filp);
3fda4c61 EB	150	u8 *pending_hashes;
	151	struct ahash_request *req;
	152	u64 blocks;
	153	unsigned int level;
	154	int err = -ENOMEM;
	155
	156	if (inode->i_size == 0) {
	157	/* Empty file is a special case; root hash is all 0's */
	158	memset(root_hash, 0, params->digest_size);
	159	return 0;
	160	}
	161
	162	pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
	163	req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL);
	164	if (!pending_hashes \|\| !req)
	165	goto out;
	166
	167	/*
	168	* Build each level of the Merkle tree, starting at the leaf level
	169	* (level 0) and ascending to the root node (level 'num_levels - 1').
	170	* Then at the end (level 'num_levels'), calculate the root hash.
	171	*/
	172	blocks = (inode->i_size + params->block_size - 1) >>
	173	params->log_blocksize;
	174	for (level = 0; level <= params->num_levels; level++) {
c22415d3	175	err = build_merkle_tree_level(filp, level, blocks, params,
3fda4c61 EB	176	pending_hashes, req);
	177	if (err)
	178	goto out;
	179	blocks = (blocks + params->hashes_per_block - 1) >>
	180	params->log_arity;
	181	}
	182	memcpy(root_hash, pending_hashes, params->digest_size);
	183	err = 0;
	184	out:
	185	kfree(pending_hashes);
	186	ahash_request_free(req);
	187	return err;
	188	}
	189
	190	static int enable_verity(struct file *filp,
	191	const struct fsverity_enable_arg *arg)
	192	{
	193	struct inode *inode = file_inode(filp);
	194	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	195	struct merkle_tree_params params = { };
	196	struct fsverity_descriptor *desc;
432434c9	197	size_t desc_size = sizeof(*desc) + arg->sig_size;
3fda4c61 EB	198	struct fsverity_info *vi;
	199	int err;
	200
	201	/* Start initializing the fsverity_descriptor */
	202	desc = kzalloc(desc_size, GFP_KERNEL);
	203	if (!desc)
	204	return -ENOMEM;
	205	desc->version = 1;
	206	desc->hash_algorithm = arg->hash_algorithm;
	207	desc->log_blocksize = ilog2(arg->block_size);
	208
	209	/* Get the salt if the user provided one */
	210	if (arg->salt_size &&
	211	copy_from_user(desc->salt,
	212	(const u8 __user *)(uintptr_t)arg->salt_ptr,
	213	arg->salt_size)) {
	214	err = -EFAULT;
	215	goto out;
	216	}
	217	desc->salt_size = arg->salt_size;
	218
432434c9 EB	219	/* Get the signature if the user provided one */
	220	if (arg->sig_size &&
	221	copy_from_user(desc->signature,
	222	(const u8 __user *)(uintptr_t)arg->sig_ptr,
	223	arg->sig_size)) {
	224	err = -EFAULT;
	225	goto out;
	226	}
	227	desc->sig_size = cpu_to_le32(arg->sig_size);
	228
3fda4c61 EB	229	desc->data_size = cpu_to_le64(inode->i_size);
	230
	231	/* Prepare the Merkle tree parameters */
	232	err = fsverity_init_merkle_tree_params(&params, inode,
	233	arg->hash_algorithm,
	234	desc->log_blocksize,
	235	desc->salt, desc->salt_size);
	236	if (err)
	237	goto out;
	238
	239	/*
	240	* Start enabling verity on this file, serialized by the inode lock.
	241	* Fail if verity is already enabled or is already being enabled.
	242	*/
	243	inode_lock(inode);
	244	if (IS_VERITY(inode))
	245	err = -EEXIST;
	246	else
	247	err = vops->begin_enable_verity(filp);
	248	inode_unlock(inode);
	249	if (err)
	250	goto out;
	251
	252	/*
	253	* Build the Merkle tree. Don't hold the inode lock during this, since
	254	* on huge files this may take a very long time and we don't want to
	255	* force unrelated syscalls like chown() to block forever. We don't
	256	* need the inode lock here because deny_write_access() already prevents
	257	* the file from being written to or truncated, and we still serialize
	258	* ->begin_enable_verity() and ->end_enable_verity() using the inode
	259	* lock and only allow one process to be here at a time on a given file.
	260	*/
	261	pr_debug("Building Merkle tree...\n");
	262	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
c22415d3	263	err = build_merkle_tree(filp, &params, desc->root_hash);
3fda4c61 EB	264	if (err) {
	265	fsverity_err(inode, "Error %d building Merkle tree", err);
	266	goto rollback;
	267	}
	268	pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n",
	269	params.hash_alg->name, params.digest_size, desc->root_hash);
	270
	271	/*
	272	* Create the fsverity_info. Don't bother trying to save work by
	273	* reusing the merkle_tree_params from above. Instead, just create the
	274	* fsverity_info from the fsverity_descriptor as if it were just loaded
	275	* from disk. This is simpler, and it serves as an extra check that the
	276	* metadata we're writing is valid before actually enabling verity.
	277	*/
	278	vi = fsverity_create_info(inode, desc, desc_size);
	279	if (IS_ERR(vi)) {
	280	err = PTR_ERR(vi);
	281	goto rollback;
	282	}
	283
432434c9 EB	284	if (arg->sig_size)
	285	pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
	286	arg->sig_size);
	287
3fda4c61 EB	288	/*
	289	* Tell the filesystem to finish enabling verity on the file.
	290	* Serialized with ->begin_enable_verity() by the inode lock.
	291	*/
	292	inode_lock(inode);
	293	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
	294	inode_unlock(inode);
	295	if (err) {
	296	fsverity_err(inode, "%ps() failed with err %d",
	297	vops->end_enable_verity, err);
	298	fsverity_free_info(vi);
	299	} else if (WARN_ON(!IS_VERITY(inode))) {
	300	err = -EINVAL;
	301	fsverity_free_info(vi);
	302	} else {
	303	/* Successfully enabled verity */
	304
	305	/*
	306	* Readers can start using ->i_verity_info immediately, so it
	307	* can't be rolled back once set. So don't set it until just
	308	* after the filesystem has successfully enabled verity.
	309	*/
	310	fsverity_set_info(inode, vi);
	311	}
	312	out:
	313	kfree(params.hashstate);
	314	kfree(desc);
	315	return err;
	316
	317	rollback:
	318	inode_lock(inode);
	319	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
	320	inode_unlock(inode);
	321	goto out;
	322	}
	323
	324	/**
	325	* fsverity_ioctl_enable() - enable verity on a file
	326	*
	327	* Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of
	328	* Documentation/filesystems/fsverity.rst for the documentation.
	329	*
	330	* Return: 0 on success, -errno on failure
	331	*/
	332	int fsverity_ioctl_enable(struct file filp, const void __user uarg)
	333	{
	334	struct inode *inode = file_inode(filp);
	335	struct fsverity_enable_arg arg;
	336	int err;
	337
	338	if (copy_from_user(&arg, uarg, sizeof(arg)))
	339	return -EFAULT;
	340
	341	if (arg.version != 1)
	342	return -EINVAL;
	343
	344	if (arg.__reserved1 \|\|
	345	memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
	346	return -EINVAL;
	347
	348	if (arg.block_size != PAGE_SIZE)
	349	return -EINVAL;
	350
c593642c	351	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
3fda4c61 EB	352	return -EMSGSIZE;
3fda4c61 EB	353
432434c9 EB	354	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
432434c9 EB	355	return -EMSGSIZE;
3fda4c61 EB	356
	357	/*
	358	* Require a regular file with write access. But the actual fd must
	359	* still be readonly so that we can lock out all writers. This is
	360	* needed to guarantee that no writable fds exist to the file once it
	361	* has verity enabled, and to stabilize the data being hashed.
	362	*/
	363
	364	err = inode_permission(inode, MAY_WRITE);
	365	if (err)
	366	return err;
	367
	368	if (IS_APPEND(inode))
	369	return -EPERM;
	370
	371	if (S_ISDIR(inode->i_mode))
	372	return -EISDIR;
	373
	374	if (!S_ISREG(inode->i_mode))
	375	return -EINVAL;
	376
	377	err = mnt_want_write_file(filp);
	378	if (err) /* -EROFS */
	379	return err;
	380
	381	err = deny_write_access(filp);
	382	if (err) /* -ETXTBSY */
	383	goto out_drop_write;
	384
	385	err = enable_verity(filp, &arg);
	386	if (err)
	387	goto out_allow_write_access;
	388
	389	/*
	390	* Some pages of the file may have been evicted from pagecache after
	391	* being used in the Merkle tree construction, then read into pagecache
	392	* again by another process reading from the file concurrently. Since
	393	* these pages didn't undergo verification against the file measurement
	394	* which fs-verity now claims to be enforcing, we have to wipe the
	395	* pagecache to ensure that all future reads are verified.
	396	*/
	397	filemap_write_and_wait(inode->i_mapping);
	398	invalidate_inode_pages2(inode->i_mapping);
	399
	400	/*
	401	* allow_write_access() is needed to pair with deny_write_access().
	402	* Regardless, the filesystem won't allow writing to verity files.
	403	*/
	404	out_allow_write_access:
	405	allow_write_access(filp);
	406	out_drop_write:
	407	mnt_drop_write_file(filp);
	408	return err;
	409	}
	410	EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);