// SPDX-License-Identifier: GPL-2.0
/*
 * fs/verity/enable.c: ioctl to enable verity on a file
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <crypto/hash.h>
#include <linux/backing-dev.h>
#include <linux/mount.h>
#include <linux/pagemap.h>
#include <linux/sched/signal.h>
#include <linux/uaccess.h>

static int check_file_and_enable_verity(struct file *filp,
					const struct fsverity_enable_arg *arg);

#ifdef CONFIG_SECURITY_CODE_SIGN

static int code_sign_init_descriptor(struct inode *inode,
		const struct fsverity_enable_arg *_arg,
		struct fsverity_descriptor *_desc);

static int code_sign_copy_merkle_tree(struct file *filp, const void *_desc,
		const struct merkle_tree_params *params);

#else /* !CONFIG_SECURITY_CODE_SIGN */

static inline int code_sign_init_descriptor(struct inode *inode,
		const struct fsverity_enable_arg *_arg,
		struct fsverity_descriptor *_desc)
{
	return 0;
}

static inline int code_sign_copy_merkle_tree(struct file *filp,
		const void *_desc,
		const struct merkle_tree_params *params)
{
	return 0;
}
#endif /* !CONFIG_SECURITY_CODE_SIGN */

/*
 * Read a file data page for Merkle tree construction.  Do aggressive
 * readahead, since we're sequentially reading the entire file.
 */
static struct page *read_file_data_page(struct file *filp, pgoff_t index,
					struct file_ra_state *ra,
					unsigned long remaining_pages)
{
	struct page *page;

	page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED);
	if (!page || !PageUptodate(page)) {
		if (page)
			put_page(page);
		else
			page_cache_sync_readahead(filp->f_mapping, ra, filp,
						  index, remaining_pages);
		page = read_mapping_page(filp->f_mapping, index, NULL);
		if (IS_ERR(page))
			return page;
	}
	if (PageReadahead(page))
		page_cache_async_readahead(filp->f_mapping, ra, filp, page,
					   index, remaining_pages);
	return page;
}
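
/*
 * Hash one level of the Merkle tree.  For level 0 the source blocks are the
 * file's data blocks; for higher levels they are the hash blocks of the level
 * below, read back via ->read_merkle_tree_page().  The resulting digests are
 * packed into hash blocks and written out with ->write_merkle_tree_block().
 * At level == num_levels only the root hash is computed, and it is left in
 * pending_hashes for the caller.
 */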
static int build_merkle_tree_level(struct file *filp, unsigned int level,
				   u64 num_blocks_to_hash,
				   const struct merkle_tree_params *params,
				   u8 *pending_hashes,
				   struct ahash_request *req)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	struct file_ra_state ra = { 0 };
	unsigned int pending_size = 0;
	u64 dst_block_num;
	u64 i;
	int err;

	if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
		return -EINVAL;

	if (level < params->num_levels) {
		dst_block_num = params->level_start[level];
	} else {
		if (WARN_ON(num_blocks_to_hash != 1))
			return -EINVAL;
		dst_block_num = 0; /* unused */
	}

	file_ra_state_init(&ra, filp->f_mapping);

	for (i = 0; i < num_blocks_to_hash; i++) {
		struct page *src_page;

		if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
			pr_debug("Hashing block %llu of %llu for level %u\n",
				 i + 1, num_blocks_to_hash, level);

		if (level == 0) {
			/* Leaf: hashing a data block */
			src_page = read_file_data_page(filp, i, &ra,
						       num_blocks_to_hash - i);
			if (IS_ERR(src_page)) {
				err = PTR_ERR(src_page);
				fsverity_err(inode,
					     "Error %d reading data page %llu",
					     err, i);
				return err;
			}
		} else {
			unsigned long num_ra_pages =
				min_t(unsigned long, num_blocks_to_hash - i,
				      inode->i_sb->s_bdi->io_pages);

			/* Non-leaf: hashing hash block from level below */
			src_page = vops->read_merkle_tree_page(inode,
					params->level_start[level - 1] + i,
					num_ra_pages);
			if (IS_ERR(src_page)) {
				err = PTR_ERR(src_page);
				fsverity_err(inode,
					     "Error %d reading Merkle tree page %llu",
					     err, params->level_start[level - 1] + i);
				return err;
			}
		}

		err = fsverity_hash_page(params, inode, req, src_page,
					 &pending_hashes[pending_size]);
		put_page(src_page);
		if (err)
			return err;
		pending_size += params->digest_size;

		if (level == params->num_levels) /* Root hash? */
			return 0;

		if (pending_size + params->digest_size > params->block_size ||
		    i + 1 == num_blocks_to_hash) {
			/* Flush the pending hash block */
			memset(&pending_hashes[pending_size], 0,
			       params->block_size - pending_size);
			err = vops->write_merkle_tree_block(inode,
							    pending_hashes,
							    dst_block_num,
							    params->log_blocksize);
			if (err) {
				fsverity_err(inode,
					     "Error %d writing Merkle tree block %llu",
					     err, dst_block_num);
				return err;
			}
			dst_block_num++;
			pending_size = 0;
		}

		if (fatal_signal_pending(current))
			return -EINTR;
		cond_resched();
	}
	return 0;
}

/*
 * Build the Merkle tree for the given file using the given parameters, and
 * return the root hash in @root_hash.
 *
 * The tree is written to a filesystem-specific location as determined by the
 * ->write_merkle_tree_block() method.  However, the blocks that comprise the
 * tree are the same for all filesystems.
 */
static int build_merkle_tree(struct file *filp,
			     const struct merkle_tree_params *params,
			     u8 *root_hash,
			     size_t data_size)
{
	u8 *pending_hashes;
	struct ahash_request *req;
	u64 blocks;
	unsigned int level;
	int err = -ENOMEM;

	if (data_size == 0) {
		/* Empty file is a special case; root hash is all 0's */
		memset(root_hash, 0, params->digest_size);
		return 0;
	}

	/* This allocation never fails, since it's mempool-backed. */
	req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL);

	pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
	if (!pending_hashes)
		goto out;

	/*
	 * Build each level of the Merkle tree, starting at the leaf level
	 * (level 0) and ascending to the root node (level 'num_levels - 1').
	 * Then at the end (level 'num_levels'), calculate the root hash.
	 */
	blocks = ((u64)data_size + params->block_size - 1) >>
		 params->log_blocksize;
	for (level = 0; level <= params->num_levels; level++) {
		err = build_merkle_tree_level(filp, level, blocks, params,
					      pending_hashes, req);
		if (err)
			goto out;
		blocks = (blocks + params->hashes_per_block - 1) >>
			 params->log_arity;
	}
	memcpy(root_hash, pending_hashes, params->digest_size);
	err = 0;
out:
	kfree(pending_hashes);
	fsverity_free_hash_request(params->hash_alg, req);
	return err;
}
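
/*
 * Build an fsverity_descriptor from the ioctl argument: allocate it with room
 * for the appended signature, copy in the salt and signature from userspace,
 * let the code-sign hook fill in any extended fields, and then hand the
 * descriptor to fsverity_enable_with_descriptor().
 */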
static int enable_verity(struct file *filp,
			 const struct fsverity_enable_arg *arg)
{
	struct inode *inode = file_inode(filp);
	struct fsverity_descriptor *desc;
	size_t desc_size = sizeof(*desc) + arg->sig_size;
	int err;

	/* Start initializing the fsverity_descriptor */
	desc = kzalloc(desc_size, GFP_KERNEL);
	if (!desc)
		return -ENOMEM;
	desc->version = 1;
	desc->hash_algorithm = arg->hash_algorithm;
	desc->log_blocksize = ilog2(arg->block_size);

	/* Get the salt if the user provided one */
	if (arg->salt_size &&
	    copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr),
			   arg->salt_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->salt_size = arg->salt_size;

	/* Get the signature if the user provided one */
	if (arg->sig_size &&
	    copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr),
			   arg->sig_size)) {
		err = -EFAULT;
		goto out;
	}
	desc->sig_size = cpu_to_le32(arg->sig_size);

	desc->data_size = cpu_to_le64(inode->i_size);

	err = code_sign_init_descriptor(inode, arg, desc);
	if (err) {
		fsverity_err(inode, "Init code sign descriptor err: %d", err);
		goto out;
	}

	err = fsverity_enable_with_descriptor(filp, (void *)desc, desc_size);
out:
	kfree(desc);
	return err;
}

int fsverity_enable_with_descriptor(struct file *filp,
				    void *_desc, size_t desc_size)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	struct merkle_tree_params params = { };
	struct fsverity_descriptor *desc = (struct fsverity_descriptor *)_desc;
	struct fsverity_info *vi;
	int err;

	if (vops == NULL) {
		fsverity_err(inode, "current filesystem doesn't support fs-verity.");
		return -ENOTTY;
	}

	/* Prepare the Merkle tree parameters */
	err = fsverity_init_merkle_tree_params(&params, inode,
					       desc->hash_algorithm,
					       desc->log_blocksize,
					       desc->salt, desc->salt_size,
					       desc->data_size);
	if (err)
		goto out;

	/*
	 * Start enabling verity on this file, serialized by the inode lock.
	 * Fail if verity is already enabled or is already being enabled.
	 */
	inode_lock(inode);
	if (IS_VERITY(inode))
		err = -EEXIST;
	else
		err = vops->begin_enable_verity(filp);
	inode_unlock(inode);
	if (err)
		goto out;
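
	/*
	 * If the descriptor indicates that the Merkle tree is carried inside
	 * the file itself, copy it into the verity metadata rather than
	 * rebuilding it.  Return convention: a negative value is an error,
	 * 1 means the tree was copied and the build below can be skipped,
	 * and 0 means the tree must be built normally.
	 */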
	err = code_sign_copy_merkle_tree(filp, _desc, &params);
	if (err < 0) {
		fsverity_err(inode, "Error %d copying Merkle tree", err);
		goto rollback;
	} else if (err == 1) /* Merkle tree already copied */
		goto skip_build;

	/*
	 * Build the Merkle tree.  Don't hold the inode lock during this, since
	 * on huge files this may take a very long time and we don't want to
	 * force unrelated syscalls like chown() to block forever.  We don't
	 * need the inode lock here because deny_write_access() already
	 * prevents the file from being written to or truncated, and we still
	 * serialize ->begin_enable_verity() and ->end_enable_verity() using
	 * the inode lock and only allow one process to be here at a time on a
	 * given file.
	 */
	pr_debug("Building Merkle tree...\n");
	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
	err = build_merkle_tree(filp, &params, desc->root_hash, desc->data_size);
	if (err) {
		fsverity_err(inode, "Error %d building Merkle tree", err);
		goto rollback;
	}

skip_build:
	pr_debug("Done building Merkle tree.  Root hash is %s:%*phN\n",
		 params.hash_alg->name, params.digest_size, desc->root_hash);

	/*
	 * Create the fsverity_info.  Don't bother trying to save work by
	 * reusing the merkle_tree_params from above.  Instead, just create the
	 * fsverity_info from the fsverity_descriptor as if it were just loaded
	 * from disk.  This is simpler, and it serves as an extra check that
	 * the metadata we're writing is valid before actually enabling verity.
	 */
	vi = fsverity_create_info(inode, desc, desc_size);
	if (IS_ERR(vi)) {
		err = PTR_ERR(vi);
		goto rollback;
	}

	if (desc->sig_size)
		pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
			 desc->sig_size);

	/*
	 * Tell the filesystem to finish enabling verity on the file.
	 * Serialized with ->begin_enable_verity() by the inode lock.
	 */
	inode_lock(inode);
	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
	inode_unlock(inode);
	if (err) {
		fsverity_err(inode, "%ps() failed with err %d",
			     vops->end_enable_verity, err);
		fsverity_free_info(vi);
	} else if (WARN_ON(!IS_VERITY(inode))) {
		err = -EINVAL;
		fsverity_free_info(vi);
	} else {
		/* Successfully enabled verity */

		/*
		 * Readers can start using ->i_verity_info immediately, so it
		 * can't be rolled back once set.  So don't set it until just
		 * after the filesystem has successfully enabled verity.
		 */
		fsverity_set_info(inode, vi);
	}
out:
	kfree(params.hashstate);
	return err;

rollback:
	inode_lock(inode);
	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
	inode_unlock(inode);
	goto out;
}
EXPORT_SYMBOL_GPL(fsverity_enable_with_descriptor);

/**
 * fsverity_ioctl_enable() - enable verity on a file
 * @filp: file to enable verity on
 * @uarg: user pointer to fsverity_enable_arg
 *
 * Enable fs-verity on a file.  See the "FS_IOC_ENABLE_VERITY" section of
 * Documentation/filesystems/fsverity.rst for the documentation.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
{
	struct fsverity_enable_arg arg;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	if (arg.version != 1)
		return -EINVAL;

	if (arg.__reserved1 ||
	    memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
		return -EINVAL;

	if (arg.block_size != PAGE_SIZE)
		return -EINVAL;

	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
		return -EMSGSIZE;

	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
		return -EMSGSIZE;

	return check_file_and_enable_verity(filp, &arg);
}
EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
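
/*
 * Rough userspace usage sketch (illustrative only; see the
 * "FS_IOC_ENABLE_VERITY" section of Documentation/filesystems/fsverity.rst
 * for the authoritative interface).  block_size must equal PAGE_SIZE (4096
 * here assumes 4K pages), the fd must be read-only, and no writable fds to
 * the file may exist:
 *
 *	struct fsverity_enable_arg arg = {
 *		.version = 1,
 *		.hash_algorithm = FS_VERITY_HASH_ALG_SHA256,
 *		.block_size = 4096,
 *	};
 *	int fd = open("file", O_RDONLY);
 *
 *	ioctl(fd, FS_IOC_ENABLE_VERITY, &arg);
 */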

static int check_file_and_enable_verity(struct file *filp,
					const struct fsverity_enable_arg *arg)
{
	struct inode *inode = file_inode(filp);
	int err;

	/*
	 * Require a regular file with write access.  But the actual fd must
	 * still be readonly so that we can lock out all writers.  This is
	 * needed to guarantee that no writable fds exist to the file once it
	 * has verity enabled, and to stabilize the data being hashed.
	 */
	err = inode_permission(inode, MAY_WRITE);
	if (err)
		return err;

	if (IS_APPEND(inode))
		return -EPERM;

	if (S_ISDIR(inode->i_mode))
		return -EISDIR;

	if (!S_ISREG(inode->i_mode))
		return -EINVAL;

	err = mnt_want_write_file(filp);
	if (err) /* -EROFS */
		return err;

	err = deny_write_access(filp);
	if (err) /* -ETXTBSY */
		goto out_drop_write;

	err = enable_verity(filp, arg);

	/*
	 * We no longer drop the inode's pagecache after enabling verity.  This
	 * used to be done to try to avoid a race condition where pages could
	 * be evicted after being used in the Merkle tree construction, then
	 * re-instantiated by a concurrent read.  Such pages are unverified,
	 * and the backing storage could have filled them with different
	 * content, so they shouldn't be used to fulfill reads once verity is
	 * enabled.
	 *
	 * But, dropping the pagecache has a big performance impact, and it
	 * doesn't fully solve the race condition anyway.  So for those
	 * reasons, and also because this race condition isn't very important
	 * relatively speaking (especially for small-ish files, where the
	 * chance of a page being used, evicted, *and* re-instantiated all
	 * while enabling verity is quite small), we no longer drop the
	 * inode's pagecache.
	 */

	/*
	 * allow_write_access() is needed to pair with deny_write_access().
	 * Regardless, the filesystem won't allow writing to verity files.
	 */
	allow_write_access(filp);
out_drop_write:
	mnt_drop_write_file(filp);
	return err;
}

#ifdef CONFIG_SECURITY_CODE_SIGN
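/*
 * Copy a Merkle tree that is already embedded in the file (at the offset
 * recorded in the code-sign descriptor) into the filesystem's verity
 * metadata, one page at a time, via ->write_merkle_tree_block().  Returns 1
 * when the tree has been copied (so the caller can skip building it), 0 when
 * the file doesn't carry an embedded tree, or a negative errno on failure.
 */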
static int code_sign_copy_merkle_tree(struct file *filp,
				      const void *_desc,
				      const struct merkle_tree_params *params)
{
	struct inode *inode = file_inode(filp);
	const struct fsverity_operations *vops = inode->i_sb->s_vop;
	u8 *tree_data;
	u64 blocks, i;
	int err = -ENOMEM;
	struct file_ra_state ra = { 0 };
	struct page *src_page;
	void *addr;
	u64 tree_offset, tree_start_index;

	if (!is_inside_tree_compact(_desc))
		return 0;

	tree_offset = get_tree_offset_compact(_desc);

	if (inode->i_size < tree_offset + params->tree_size) {
		fsverity_err(inode, "File is too small to contain Merkle tree.");
		return -EFAULT;
	}

	tree_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
	if (!tree_data)
		goto out;

	file_ra_state_init(&ra, filp->f_mapping);

	tree_start_index = tree_offset >> PAGE_SHIFT;
	blocks = params->tree_size >> PAGE_SHIFT;
	for (i = 0; i < blocks; i++) {
		pr_debug("Copy Merkle tree page at %llu\n",
			 tree_start_index + i);
		src_page = read_file_data_page(filp, tree_start_index + i, &ra,
					       blocks - i);
		if (IS_ERR(src_page)) {
			err = PTR_ERR(src_page);
			fsverity_err(inode,
				     "Error %d reading Merkle tree page %llu",
				     err, tree_start_index + i);
			goto out;
		}

		addr = kmap_atomic(src_page);
		memcpy(tree_data, addr, PAGE_SIZE);
		kunmap_atomic(addr);
		put_page(src_page);

		err = vops->write_merkle_tree_block(inode, tree_data, i,
						    params->log_blocksize);
		if (err) {
			fsverity_err(inode,
				     "Error %d writing Merkle tree block %llu",
				     err, i);
			goto out;
		}
	}
	/* Signal to the caller that the Merkle tree has already been copied */
	err = 1;
out:
	kfree(tree_data);
	return err;
}
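
/*
 * Fill in the code-sign extensions of the fsverity_descriptor from the
 * code_sign_enable_arg: flags, data size, tree offset, cs_version, and the
 * page-type info fields.  If the Merkle tree is carried inside the file, also
 * copy the expected root hash from userspace, since in that case the tree
 * (and hence the root hash) won't be computed by build_merkle_tree().
 */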
static int code_sign_init_descriptor(struct inode *inode,
				     const struct fsverity_enable_arg *_arg,
				     struct fsverity_descriptor *_desc)
{
	struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
	const struct code_sign_enable_arg *arg =
		(const struct code_sign_enable_arg *)_arg;
	int algo_index;

	if (!arg->cs_version)
		return 0;

	/* Init the extended fields */
	desc->flags = cpu_to_le32(arg->flags);
	desc->data_size = cpu_to_le64(arg->data_size);
	desc->tree_offset = cpu_to_le64(arg->tree_offset);
	desc->cs_version = arg->cs_version;
	desc->pgtypeinfo_size = cpu_to_le32(arg->pgtypeinfo_size);
	desc->pgtypeinfo_off = cpu_to_le64(arg->pgtypeinfo_off);

	/* Get the root hash if a Merkle tree is carried in the file */
	if (!IS_INSIDE_TREE(desc))
		return 0;

	/* Get the size of the root hash */
	algo_index = desc->hash_algorithm;
	if (algo_index >= g_fsverity_hash_algs_num ||
	    !fsverity_hash_algs[algo_index].name) {
		fsverity_err(inode, "Unknown hash algorithm: %u", algo_index);
		return -EINVAL;
	}

	if (copy_from_user(desc->root_hash, u64_to_user_ptr(arg->root_hash_ptr),
			   fsverity_hash_algs[algo_index].digest_size))
		return -EFAULT;

	return 0;
}

/**
 * fsverity_ioctl_enable_code_sign() - enable code signing on a file
 * @filp: file to enable code signing on
 * @uarg: user pointer to code_sign_enable_arg
 *
 * Enable fs-verity on a file with code signing features.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg)
{
	struct inode *inode = file_inode(filp);
	struct code_sign_enable_arg arg;

	if (copy_from_user(&arg, uarg, sizeof(arg)))
		return -EFAULT;

	if (arg.version != 1)
		return -EINVAL;

	if (arg.__reserved1 ||
	    memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
		return -EINVAL;

	if (arg.data_size > inode->i_size)
		return -EINVAL;

	if (arg.tree_offset % PAGE_SIZE != 0)
		return -EINVAL;

	if (arg.block_size != PAGE_SIZE)
		return -EINVAL;

	if (arg.salt_size > sizeof_field(struct code_sign_descriptor, salt))
		return -EMSGSIZE;

	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
		return -EMSGSIZE;

	/* pgtypeinfo_size is in bits; convert it to bytes for the bounds check */
	if (arg.pgtypeinfo_off > arg.data_size - arg.pgtypeinfo_size / 8)
		return -EINVAL;

	return check_file_and_enable_verity(filp,
					    (struct fsverity_enable_arg *)&arg);
}
EXPORT_SYMBOL_GPL(fsverity_ioctl_enable_code_sign);
#endif /* CONFIG_SECURITY_CODE_SIGN */