[mirror_ubuntu-jammy-kernel.git] / fs / verity / open.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Opening fs-verity files
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <linux/slab.h>

static struct kmem_cache *fsverity_info_cachep;

/**
 * fsverity_init_merkle_tree_params() - initialize Merkle tree parameters
 * @params: the parameters struct to initialize
 * @inode: the inode for which the Merkle tree is being built
 * @hash_algorithm: number of hash algorithm to use
 * @log_blocksize: log base 2 of block size to use
 * @salt: pointer to salt (optional)
 * @salt_size: size of salt, possibly 0
 *
 * Validate the hash algorithm and block size, then compute the tree topology
 * (num levels, num blocks in each level, etc.) and initialize @params.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
				     const struct inode *inode,
				     unsigned int hash_algorithm,
				     unsigned int log_blocksize,
				     const u8 *salt, size_t salt_size)
{
	struct fsverity_hash_alg *hash_alg;
	int err;
	u64 blocks;
	u64 offset;
	int level;

	memset(params, 0, sizeof(*params));

	hash_alg = fsverity_get_hash_alg(inode, hash_algorithm);
	if (IS_ERR(hash_alg))
		return PTR_ERR(hash_alg);
	params->hash_alg = hash_alg;
	params->digest_size = hash_alg->digest_size;

	params->hashstate = fsverity_prepare_hash_state(hash_alg, salt,
							salt_size);
	if (IS_ERR(params->hashstate)) {
		err = PTR_ERR(params->hashstate);
		params->hashstate = NULL;
		fsverity_err(inode, "Error %d preparing hash state", err);
		goto out_err;
	}

	if (log_blocksize != PAGE_SHIFT) {
		fsverity_warn(inode, "Unsupported log_blocksize: %u",
			      log_blocksize);
		err = -EINVAL;
		goto out_err;
	}
	params->log_blocksize = log_blocksize;
	params->block_size = 1 << log_blocksize;

	if (WARN_ON(!is_power_of_2(params->digest_size))) {
		err = -EINVAL;
		goto out_err;
	}
	if (params->block_size < 2 * params->digest_size) {
		fsverity_warn(inode,
			      "Merkle tree block size (%u) too small for hash algorithm \"%s\"",
			      params->block_size, hash_alg->name);
		err = -EINVAL;
		goto out_err;
	}
	params->log_arity = params->log_blocksize - ilog2(params->digest_size);
	params->hashes_per_block = 1 << params->log_arity;

	pr_debug("Merkle tree uses %s with %u-byte blocks (%u hashes/block), salt=%*phN\n",
		 hash_alg->name, params->block_size, params->hashes_per_block,
		 (int)salt_size, salt);

	/*
	 * Compute the number of levels in the Merkle tree and create a map from
	 * level to the starting block of that level.  Level 'num_levels - 1' is
	 * the root and is stored first.  Level 0 is the level directly "above"
	 * the data blocks and is stored last.
	 */

	/* Compute number of levels and the number of blocks in each level */
	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
	while (blocks > 1) {
		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
			fsverity_err(inode, "Too many levels in Merkle tree");
			err = -EINVAL;
			goto out_err;
		}
		blocks = (blocks + params->hashes_per_block - 1) >>
			 params->log_arity;
		/* temporarily using level_start[] to store blocks in level */
		params->level_start[params->num_levels++] = blocks;
	}
	params->level0_blocks = params->level_start[0];

	/* Compute the starting block of each level */
	offset = 0;
	for (level = (int)params->num_levels - 1; level >= 0; level--) {
		blocks = params->level_start[level];
		params->level_start[level] = offset;
		pr_debug("Level %d is %llu blocks starting at index %llu\n",
			 level, blocks, offset);
		offset += blocks;
	}

	params->tree_size = offset << log_blocksize;
	return 0;

out_err:
	kfree(params->hashstate);
	memset(params, 0, sizeof(*params));
	return err;
}

/*
 * Compute the file digest by hashing the fsverity_descriptor excluding the
 * signature and with the sig_size field set to 0.
 */
static int compute_file_digest(struct fsverity_hash_alg *hash_alg,
			       struct fsverity_descriptor *desc,
			       u8 *file_digest)
{
	__le32 sig_size = desc->sig_size;
	int err;

	desc->sig_size = 0;
	err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
	desc->sig_size = sig_size;

	return err;
}

/*
 * Create a new fsverity_info from the given fsverity_descriptor (with optional
 * appended signature), and check the signature if present.  The
 * fsverity_descriptor must have already undergone basic validation.
 */
struct fsverity_info *fsverity_create_info(const struct inode *inode,
					   struct fsverity_descriptor *desc,
					   size_t desc_size)
{
	struct fsverity_info *vi;
	int err;

	vi = kmem_cache_zalloc(fsverity_info_cachep, GFP_KERNEL);
	if (!vi)
		return ERR_PTR(-ENOMEM);
	vi->inode = inode;

	err = fsverity_init_merkle_tree_params(&vi->tree_params, inode,
					       desc->hash_algorithm,
					       desc->log_blocksize,
					       desc->salt, desc->salt_size);
	if (err) {
		fsverity_err(inode,
			     "Error %d initializing Merkle tree parameters",
			     err);
		goto out;
	}

	memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);

	err = compute_file_digest(vi->tree_params.hash_alg, desc,
				  vi->file_digest);
	if (err) {
		fsverity_err(inode, "Error %d computing file digest", err);
		goto out;
	}
	pr_debug("Computed file digest: %s:%*phN\n",
		 vi->tree_params.hash_alg->name,
		 vi->tree_params.digest_size, vi->file_digest);

	err = fsverity_verify_signature(vi, desc->signature,
					le32_to_cpu(desc->sig_size));
out:
	if (err) {
		fsverity_free_info(vi);
		vi = ERR_PTR(err);
	}
	return vi;
}

void fsverity_set_info(struct inode *inode, struct fsverity_info *vi)
{
	/*
	 * Multiple tasks may race to set ->i_verity_info, so use
	 * cmpxchg_release().  This pairs with the smp_load_acquire() in
	 * fsverity_get_info().  I.e., here we publish ->i_verity_info with a
	 * RELEASE barrier so that other tasks can ACQUIRE it.
	 */
	if (cmpxchg_release(&inode->i_verity_info, NULL, vi) != NULL) {
		/* Lost the race, so free the fsverity_info we allocated. */
		fsverity_free_info(vi);
		/*
		 * Afterwards, the caller may access ->i_verity_info directly,
		 * so make sure to ACQUIRE the winning fsverity_info.
		 */
		(void)fsverity_get_info(inode);
	}
}

void fsverity_free_info(struct fsverity_info *vi)
{
	if (!vi)
		return;
	kfree(vi->tree_params.hashstate);
	kmem_cache_free(fsverity_info_cachep, vi);
}

static bool validate_fsverity_descriptor(struct inode *inode,
					 const struct fsverity_descriptor *desc,
					 size_t desc_size)
{
	if (desc_size < sizeof(*desc)) {
		fsverity_err(inode, "Unrecognized descriptor size: %zu bytes",
			     desc_size);
		return false;
	}

	if (desc->version != 1) {
		fsverity_err(inode, "Unrecognized descriptor version: %u",
			     desc->version);
		return false;
	}

	if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
		fsverity_err(inode, "Reserved bits set in descriptor");
		return false;
	}

	if (desc->salt_size > sizeof(desc->salt)) {
		fsverity_err(inode, "Invalid salt_size: %u", desc->salt_size);
		return false;
	}

	if (le64_to_cpu(desc->data_size) != inode->i_size) {
		fsverity_err(inode,
			     "Wrong data_size: %llu (desc) != %lld (inode)",
			     le64_to_cpu(desc->data_size), inode->i_size);
		return false;
	}

	if (le32_to_cpu(desc->sig_size) > desc_size - sizeof(*desc)) {
		fsverity_err(inode, "Signature overflows verity descriptor");
		return false;
	}

	return true;
}

/*
 * Read the inode's fsverity_descriptor (with optional appended signature) from
 * the filesystem, and do basic validation of it.
 */
int fsverity_get_descriptor(struct inode *inode,
			    struct fsverity_descriptor **desc_ret,
			    size_t *desc_size_ret)
{
	int res;
	struct fsverity_descriptor *desc;

	res = inode->i_sb->s_vop->get_verity_descriptor(inode, NULL, 0);
	if (res < 0) {
		fsverity_err(inode,
			     "Error %d getting verity descriptor size", res);
		return res;
	}
	if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
		fsverity_err(inode, "Verity descriptor is too large (%d bytes)",
			     res);
		return -EMSGSIZE;
	}
	desc = kmalloc(res, GFP_KERNEL);
	if (!desc)
		return -ENOMEM;
	res = inode->i_sb->s_vop->get_verity_descriptor(inode, desc, res);
	if (res < 0) {
		fsverity_err(inode, "Error %d reading verity descriptor", res);
		kfree(desc);
		return res;
	}

	if (!validate_fsverity_descriptor(inode, desc, res)) {
		kfree(desc);
		return -EINVAL;
	}

	*desc_ret = desc;
	*desc_size_ret = res;
	return 0;
}

/* Ensure the inode has an ->i_verity_info */
static int ensure_verity_info(struct inode *inode)
{
	struct fsverity_info *vi = fsverity_get_info(inode);
	struct fsverity_descriptor *desc;
	size_t desc_size;
	int err;

	if (vi)
		return 0;

	err = fsverity_get_descriptor(inode, &desc, &desc_size);
	if (err)
		return err;

	vi = fsverity_create_info(inode, desc, desc_size);
	if (IS_ERR(vi)) {
		err = PTR_ERR(vi);
		goto out_free_desc;
	}

	fsverity_set_info(inode, vi);
	err = 0;
out_free_desc:
	kfree(desc);
	return err;
}

/**
 * fsverity_file_open() - prepare to open a verity file
 * @inode: the inode being opened
 * @filp: the struct file being set up
 *
 * When opening a verity file, deny the open if it is for writing.  Otherwise,
 * set up the inode's ->i_verity_info if not already done.
 *
 * When combined with fscrypt, this must be called after fscrypt_file_open().
 * Otherwise, we won't have the key set up to decrypt the verity metadata.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_file_open(struct inode *inode, struct file *filp)
{
	if (!IS_VERITY(inode))
		return 0;

	if (filp->f_mode & FMODE_WRITE) {
		pr_debug("Denying opening verity file (ino %lu) for write\n",
			 inode->i_ino);
		return -EPERM;
	}

	return ensure_verity_info(inode);
}
EXPORT_SYMBOL_GPL(fsverity_file_open);

/**
 * fsverity_prepare_setattr() - prepare to change a verity inode's attributes
 * @dentry: dentry through which the inode is being changed
 * @attr: attributes to change
 *
 * Verity files are immutable, so deny truncates.  This isn't covered by the
 * open-time check because sys_truncate() takes a path, not a file descriptor.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_prepare_setattr(struct dentry *dentry, struct iattr *attr)
{
	if (IS_VERITY(d_inode(dentry)) && (attr->ia_valid & ATTR_SIZE)) {
		pr_debug("Denying truncate of verity file (ino %lu)\n",
			 d_inode(dentry)->i_ino);
		return -EPERM;
	}
	return 0;
}
EXPORT_SYMBOL_GPL(fsverity_prepare_setattr);

/**
 * fsverity_cleanup_inode() - free the inode's verity info, if present
 * @inode: an inode being evicted
 *
 * Filesystems must call this on inode eviction to free ->i_verity_info.
 */
void fsverity_cleanup_inode(struct inode *inode)
{
	fsverity_free_info(inode->i_verity_info);
	inode->i_verity_info = NULL;
}
EXPORT_SYMBOL_GPL(fsverity_cleanup_inode);

int __init fsverity_init_info_cache(void)
{
	fsverity_info_cachep = KMEM_CACHE_USERCOPY(fsverity_info,
						   SLAB_RECLAIM_ACCOUNT,
						   file_digest);
	if (!fsverity_info_cachep)
		return -ENOMEM;
	return 0;
}

void __init fsverity_exit_info_cache(void)
{
	kmem_cache_destroy(fsverity_info_cachep);
	fsverity_info_cachep = NULL;
}
Commit	Line	Data
fd2d1acf EB	1	// SPDX-License-Identifier: GPL-2.0
fd2d1acf EB	2	/*
7bf765dd	3	* Opening fs-verity files
fd2d1acf EB	4	*
	5	* Copyright 2019 Google LLC
	6	*/
	7
	8	#include "fsverity_private.h"
	9
	10	#include <linux/slab.h>
	11
	12	static struct kmem_cache *fsverity_info_cachep;
	13
	14	/**
	15	* fsverity_init_merkle_tree_params() - initialize Merkle tree parameters
	16	* @params: the parameters struct to initialize
	17	* @inode: the inode for which the Merkle tree is being built
	18	* @hash_algorithm: number of hash algorithm to use
	19	* @log_blocksize: log base 2 of block size to use
	20	* @salt: pointer to salt (optional)
	21	* @salt_size: size of salt, possibly 0
	22	*
	23	* Validate the hash algorithm and block size, then compute the tree topology
	24	* (num levels, num blocks in each level, etc.) and initialize @params.
	25	*
	26	* Return: 0 on success, -errno on failure
	27	*/
	28	int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
	29	const struct inode *inode,
	30	unsigned int hash_algorithm,
	31	unsigned int log_blocksize,
	32	const u8 *salt, size_t salt_size)
	33	{
439bea10	34	struct fsverity_hash_alg *hash_alg;
fd2d1acf EB	35	int err;
	36	u64 blocks;
	37	u64 offset;
	38	int level;
	39
	40	memset(params, 0, sizeof(*params));
	41
	42	hash_alg = fsverity_get_hash_alg(inode, hash_algorithm);
	43	if (IS_ERR(hash_alg))
	44	return PTR_ERR(hash_alg);
	45	params->hash_alg = hash_alg;
	46	params->digest_size = hash_alg->digest_size;
	47
	48	params->hashstate = fsverity_prepare_hash_state(hash_alg, salt,
	49	salt_size);
	50	if (IS_ERR(params->hashstate)) {
	51	err = PTR_ERR(params->hashstate);
	52	params->hashstate = NULL;
	53	fsverity_err(inode, "Error %d preparing hash state", err);
	54	goto out_err;
	55	}
	56
	57	if (log_blocksize != PAGE_SHIFT) {
	58	fsverity_warn(inode, "Unsupported log_blocksize: %u",
	59	log_blocksize);
	60	err = -EINVAL;
	61	goto out_err;
	62	}
	63	params->log_blocksize = log_blocksize;
	64	params->block_size = 1 << log_blocksize;
	65
	66	if (WARN_ON(!is_power_of_2(params->digest_size))) {
	67	err = -EINVAL;
	68	goto out_err;
	69	}
	70	if (params->block_size < 2 * params->digest_size) {
	71	fsverity_warn(inode,
	72	"Merkle tree block size (%u) too small for hash algorithm \"%s\"",
	73	params->block_size, hash_alg->name);
	74	err = -EINVAL;
	75	goto out_err;
	76	}
	77	params->log_arity = params->log_blocksize - ilog2(params->digest_size);
	78	params->hashes_per_block = 1 << params->log_arity;
	79
	80	pr_debug("Merkle tree uses %s with %u-byte blocks (%u hashes/block), salt=%*phN\n",
	81	hash_alg->name, params->block_size, params->hashes_per_block,
	82	(int)salt_size, salt);
	83
	84	/*
	85	* Compute the number of levels in the Merkle tree and create a map from
	86	* level to the starting block of that level. Level 'num_levels - 1' is
	87	* the root and is stored first. Level 0 is the level directly "above"
	88	* the data blocks and is stored last.
	89	*/
	90
	91	/* Compute number of levels and the number of blocks in each level */
80f6e308	92	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
fd2d1acf EB	93	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
	94	while (blocks > 1) {
	95	if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
	96	fsverity_err(inode, "Too many levels in Merkle tree");
	97	err = -EINVAL;
	98	goto out_err;
	99	}
	100	blocks = (blocks + params->hashes_per_block - 1) >>
	101	params->log_arity;
	102	/* temporarily using level_start[] to store blocks in level */
	103	params->level_start[params->num_levels++] = blocks;
	104	}
fd39073d	105	params->level0_blocks = params->level_start[0];
fd2d1acf EB	106
	107	/* Compute the starting block of each level */
	108	offset = 0;
	109	for (level = (int)params->num_levels - 1; level >= 0; level--) {
	110	blocks = params->level_start[level];
	111	params->level_start[level] = offset;
	112	pr_debug("Level %d is %llu blocks starting at index %llu\n",
	113	level, blocks, offset);
	114	offset += blocks;
	115	}
	116
	117	params->tree_size = offset << log_blocksize;
	118	return 0;
	119
	120	out_err:
	121	kfree(params->hashstate);
	122	memset(params, 0, sizeof(*params));
	123	return err;
	124	}
	125
432434c9	126	/*
ed45e201	127	* Compute the file digest by hashing the fsverity_descriptor excluding the
432434c9 EB	128	* signature and with the sig_size field set to 0.
432434c9 EB	129	*/
ed45e201 EB	130	static int compute_file_digest(struct fsverity_hash_alg *hash_alg,
	131	struct fsverity_descriptor *desc,
	132	u8 *file_digest)
fd2d1acf	133	{
432434c9 EB	134	__le32 sig_size = desc->sig_size;
	135	int err;
	136
	137	desc->sig_size = 0;
ed45e201	138	err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
432434c9 EB	139	desc->sig_size = sig_size;
	140
	141	return err;
fd2d1acf EB	142	}
	143
	144	/*
c2c82611 EB	145	* Create a new fsverity_info from the given fsverity_descriptor (with optional
	146	* appended signature), and check the signature if present. The
	147	* fsverity_descriptor must have already undergone basic validation.
fd2d1acf EB	148	*/
fd2d1acf EB	149	struct fsverity_info fsverity_create_info(const struct inode inode,
c2c82611 EB	150	struct fsverity_descriptor *desc,
c2c82611 EB	151	size_t desc_size)
fd2d1acf	152	{
fd2d1acf EB	153	struct fsverity_info *vi;
	154	int err;
	155
fd2d1acf EB	156	vi = kmem_cache_zalloc(fsverity_info_cachep, GFP_KERNEL);
	157	if (!vi)
	158	return ERR_PTR(-ENOMEM);
	159	vi->inode = inode;
	160
	161	err = fsverity_init_merkle_tree_params(&vi->tree_params, inode,
	162	desc->hash_algorithm,
	163	desc->log_blocksize,
	164	desc->salt, desc->salt_size);
	165	if (err) {
	166	fsverity_err(inode,
	167	"Error %d initializing Merkle tree parameters",
	168	err);
	169	goto out;
	170	}
	171
	172	memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);
	173
ed45e201 EB	174	err = compute_file_digest(vi->tree_params.hash_alg, desc,
ed45e201 EB	175	vi->file_digest);
fd2d1acf	176	if (err) {
ed45e201	177	fsverity_err(inode, "Error %d computing file digest", err);
fd2d1acf EB	178	goto out;
fd2d1acf EB	179	}
ed45e201	180	pr_debug("Computed file digest: %s:%*phN\n",
fd2d1acf	181	vi->tree_params.hash_alg->name,
ed45e201	182	vi->tree_params.digest_size, vi->file_digest);
432434c9	183
fab634c4 EB	184	err = fsverity_verify_signature(vi, desc->signature,
fab634c4 EB	185	le32_to_cpu(desc->sig_size));
fd2d1acf EB	186	out:
	187	if (err) {
	188	fsverity_free_info(vi);
	189	vi = ERR_PTR(err);
	190	}
	191	return vi;
	192	}
	193
	194	void fsverity_set_info(struct inode inode, struct fsverity_info vi)
	195	{
	196	/*
f3db0bed EB	197	* Multiple tasks may race to set ->i_verity_info, so use
	198	* cmpxchg_release(). This pairs with the smp_load_acquire() in
	199	* fsverity_get_info(). I.e., here we publish ->i_verity_info with a
	200	* RELEASE barrier so that other tasks can ACQUIRE it.
fd2d1acf	201	*/
f3db0bed EB	202	if (cmpxchg_release(&inode->i_verity_info, NULL, vi) != NULL) {
f3db0bed EB	203	/* Lost the race, so free the fsverity_info we allocated. */
fd2d1acf	204	fsverity_free_info(vi);
f3db0bed EB	205	/*
	206	* Afterwards, the caller may access ->i_verity_info directly,
	207	* so make sure to ACQUIRE the winning fsverity_info.
	208	*/
	209	(void)fsverity_get_info(inode);
	210	}
fd2d1acf EB	211	}
	212
	213	void fsverity_free_info(struct fsverity_info *vi)
	214	{
	215	if (!vi)
	216	return;
	217	kfree(vi->tree_params.hashstate);
	218	kmem_cache_free(fsverity_info_cachep, vi);
	219	}
	220
c2c82611 EB	221	static bool validate_fsverity_descriptor(struct inode *inode,
	222	const struct fsverity_descriptor *desc,
	223	size_t desc_size)
fd2d1acf	224	{
c2c82611 EB	225	if (desc_size < sizeof(*desc)) {
	226	fsverity_err(inode, "Unrecognized descriptor size: %zu bytes",
	227	desc_size);
	228	return false;
	229	}
fd2d1acf	230
c2c82611 EB	231	if (desc->version != 1) {
	232	fsverity_err(inode, "Unrecognized descriptor version: %u",
	233	desc->version);
	234	return false;
	235	}
	236
	237	if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
	238	fsverity_err(inode, "Reserved bits set in descriptor");
	239	return false;
	240	}
	241
	242	if (desc->salt_size > sizeof(desc->salt)) {
	243	fsverity_err(inode, "Invalid salt_size: %u", desc->salt_size);
	244	return false;
	245	}
	246
	247	if (le64_to_cpu(desc->data_size) != inode->i_size) {
	248	fsverity_err(inode,
	249	"Wrong data_size: %llu (desc) != %lld (inode)",
	250	le64_to_cpu(desc->data_size), inode->i_size);
	251	return false;
	252	}
	253
	254	if (le32_to_cpu(desc->sig_size) > desc_size - sizeof(*desc)) {
	255	fsverity_err(inode, "Signature overflows verity descriptor");
	256	return false;
	257	}
	258
	259	return true;
	260	}
	261
	262	/*
	263	* Read the inode's fsverity_descriptor (with optional appended signature) from
	264	* the filesystem, and do basic validation of it.
	265	*/
	266	int fsverity_get_descriptor(struct inode *inode,
	267	struct fsverity_descriptor **desc_ret,
	268	size_t *desc_size_ret)
	269	{
	270	int res;
	271	struct fsverity_descriptor *desc;
fd2d1acf EB	272
	273	res = inode->i_sb->s_vop->get_verity_descriptor(inode, NULL, 0);
	274	if (res < 0) {
	275	fsverity_err(inode,
	276	"Error %d getting verity descriptor size", res);
	277	return res;
	278	}
	279	if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
	280	fsverity_err(inode, "Verity descriptor is too large (%d bytes)",
	281	res);
	282	return -EMSGSIZE;
	283	}
	284	desc = kmalloc(res, GFP_KERNEL);
	285	if (!desc)
	286	return -ENOMEM;
	287	res = inode->i_sb->s_vop->get_verity_descriptor(inode, desc, res);
	288	if (res < 0) {
	289	fsverity_err(inode, "Error %d reading verity descriptor", res);
c2c82611 EB	290	kfree(desc);
	291	return res;
	292	}
	293
	294	if (!validate_fsverity_descriptor(inode, desc, res)) {
	295	kfree(desc);
	296	return -EINVAL;
fd2d1acf EB	297	}
fd2d1acf EB	298
c2c82611 EB	299	*desc_ret = desc;
	300	*desc_size_ret = res;
	301	return 0;
	302	}
	303
	304	/* Ensure the inode has an ->i_verity_info */
	305	static int ensure_verity_info(struct inode *inode)
	306	{
	307	struct fsverity_info *vi = fsverity_get_info(inode);
	308	struct fsverity_descriptor *desc;
	309	size_t desc_size;
	310	int err;
	311
	312	if (vi)
	313	return 0;
	314
	315	err = fsverity_get_descriptor(inode, &desc, &desc_size);
	316	if (err)
	317	return err;
	318
	319	vi = fsverity_create_info(inode, desc, desc_size);
fd2d1acf	320	if (IS_ERR(vi)) {
c2c82611	321	err = PTR_ERR(vi);
fd2d1acf EB	322	goto out_free_desc;
	323	}
	324
	325	fsverity_set_info(inode, vi);
c2c82611	326	err = 0;
fd2d1acf EB	327	out_free_desc:
fd2d1acf EB	328	kfree(desc);
c2c82611	329	return err;
fd2d1acf EB	330	}
	331
	332	/**
	333	* fsverity_file_open() - prepare to open a verity file
	334	* @inode: the inode being opened
	335	* @filp: the struct file being set up
	336	*
	337	* When opening a verity file, deny the open if it is for writing. Otherwise,
	338	* set up the inode's ->i_verity_info if not already done.
	339	*
	340	* When combined with fscrypt, this must be called after fscrypt_file_open().
	341	* Otherwise, we won't have the key set up to decrypt the verity metadata.
	342	*
	343	* Return: 0 on success, -errno on failure
	344	*/
	345	int fsverity_file_open(struct inode inode, struct file filp)
	346	{
	347	if (!IS_VERITY(inode))
	348	return 0;
	349
	350	if (filp->f_mode & FMODE_WRITE) {
	351	pr_debug("Denying opening verity file (ino %lu) for write\n",
	352	inode->i_ino);
	353	return -EPERM;
	354	}
	355
	356	return ensure_verity_info(inode);
	357	}
	358	EXPORT_SYMBOL_GPL(fsverity_file_open);
	359
c1d9b584 EB	360	/**
	361	* fsverity_prepare_setattr() - prepare to change a verity inode's attributes
	362	* @dentry: dentry through which the inode is being changed
	363	* @attr: attributes to change
	364	*
	365	* Verity files are immutable, so deny truncates. This isn't covered by the
	366	* open-time check because sys_truncate() takes a path, not a file descriptor.
	367	*
	368	* Return: 0 on success, -errno on failure
	369	*/
	370	int fsverity_prepare_setattr(struct dentry dentry, struct iattr attr)
	371	{
	372	if (IS_VERITY(d_inode(dentry)) && (attr->ia_valid & ATTR_SIZE)) {
	373	pr_debug("Denying truncate of verity file (ino %lu)\n",
	374	d_inode(dentry)->i_ino);
	375	return -EPERM;
	376	}
	377	return 0;
	378	}
	379	EXPORT_SYMBOL_GPL(fsverity_prepare_setattr);
	380
fd2d1acf EB	381	/**
fd2d1acf EB	382	* fsverity_cleanup_inode() - free the inode's verity info, if present
6377a38b	383	* @inode: an inode being evicted
fd2d1acf EB	384	*
	385	* Filesystems must call this on inode eviction to free ->i_verity_info.
	386	*/
	387	void fsverity_cleanup_inode(struct inode *inode)
	388	{
	389	fsverity_free_info(inode->i_verity_info);
	390	inode->i_verity_info = NULL;
	391	}
	392	EXPORT_SYMBOL_GPL(fsverity_cleanup_inode);
	393
	394	int __init fsverity_init_info_cache(void)
	395	{
	396	fsverity_info_cachep = KMEM_CACHE_USERCOPY(fsverity_info,
	397	SLAB_RECLAIM_ACCOUNT,
ed45e201	398	file_digest);
fd2d1acf EB	399	if (!fsverity_info_cachep)
	400	return -ENOMEM;
	401	return 0;
	402	}
8a1d0f9c EB	403
	404	void __init fsverity_exit_info_cache(void)
	405	{
	406	kmem_cache_destroy(fsverity_info_cachep);
	407	fsverity_info_cachep = NULL;
	408	}