1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * fs-verity hash algorithms
4 *
5 * Copyright 2019 Google LLC
6 */
7
8 #include "fsverity_private.h"
9
10 #include <crypto/hash.h>
11
12 /* The hash algorithms supported by fs-verity */
13 struct fsverity_hash_alg fsverity_hash_algs[] = {
14 [FS_VERITY_HASH_ALG_SHA256] = {
15 .name = "sha256",
16 .digest_size = SHA256_DIGEST_SIZE,
17 .block_size = SHA256_BLOCK_SIZE,
18 .algo_id = HASH_ALGO_SHA256,
19 },
20 [FS_VERITY_HASH_ALG_SHA512] = {
21 .name = "sha512",
22 .digest_size = SHA512_DIGEST_SIZE,
23 .block_size = SHA512_BLOCK_SIZE,
24 .algo_id = HASH_ALGO_SHA512,
25 },
26 };
27
28 int g_fsverity_hash_algs_num = ARRAY_SIZE(fsverity_hash_algs);
29
30 static DEFINE_MUTEX(fsverity_hash_alg_init_mutex);
31
32 /**
33 * fsverity_get_hash_alg() - validate and prepare a hash algorithm
34 * @inode: optional inode for logging purposes
35 * @num: the hash algorithm number
36 *
37 * Get the struct fsverity_hash_alg for the given hash algorithm number, and
38 * ensure it has a hash transform ready to go. The hash transforms are
39 * allocated on-demand so that we don't waste resources unnecessarily, and
40 * because the crypto modules may be initialized later than fs/verity/.
41 *
42 * Return: pointer to the hash alg on success, else an ERR_PTR()
43 */
fsverity_get_hash_alg(const struct inode *inode, unsigned int num)44 const struct fsverity_hash_alg *fsverity_get_hash_alg(const struct inode *inode,
45 unsigned int num)
46 {
47 struct fsverity_hash_alg *alg;
48 struct crypto_shash *tfm;
49 int err;
50
51 if (num >= ARRAY_SIZE(fsverity_hash_algs) ||
52 !fsverity_hash_algs[num].name) {
53 fsverity_warn(inode, "Unknown hash algorithm number: %u", num);
54 return ERR_PTR(-EINVAL);
55 }
56 alg = &fsverity_hash_algs[num];
57
58 /* pairs with smp_store_release() below */
59 if (likely(smp_load_acquire(&alg->tfm) != NULL))
60 return alg;
61
62 mutex_lock(&fsverity_hash_alg_init_mutex);
63
64 if (alg->tfm != NULL)
65 goto out_unlock;
66
67 tfm = crypto_alloc_shash(alg->name, 0, 0);
68 if (IS_ERR(tfm)) {
69 if (PTR_ERR(tfm) == -ENOENT) {
70 fsverity_warn(inode,
71 "Missing crypto API support for hash algorithm \"%s\"",
72 alg->name);
73 alg = ERR_PTR(-ENOPKG);
74 goto out_unlock;
75 }
76 fsverity_err(inode,
77 "Error allocating hash algorithm \"%s\": %ld",
78 alg->name, PTR_ERR(tfm));
79 alg = ERR_CAST(tfm);
80 goto out_unlock;
81 }
82
83 err = -EINVAL;
84 if (WARN_ON_ONCE(alg->digest_size != crypto_shash_digestsize(tfm)))
85 goto err_free_tfm;
86 if (WARN_ON_ONCE(alg->block_size != crypto_shash_blocksize(tfm)))
87 goto err_free_tfm;
88
89 pr_info("%s using implementation \"%s\"\n",
90 alg->name, crypto_shash_driver_name(tfm));
91
92 /* pairs with smp_load_acquire() above */
93 smp_store_release(&alg->tfm, tfm);
94 goto out_unlock;
95
96 err_free_tfm:
97 crypto_free_shash(tfm);
98 alg = ERR_PTR(err);
99 out_unlock:
100 mutex_unlock(&fsverity_hash_alg_init_mutex);
101 return alg;
102 }
103
104 /**
105 * fsverity_prepare_hash_state() - precompute the initial hash state
106 * @alg: hash algorithm
107 * @salt: a salt which is to be prepended to all data to be hashed
108 * @salt_size: salt size in bytes, possibly 0
109 *
110 * Return: NULL if the salt is empty, otherwise the kmalloc()'ed precomputed
111 * initial hash state on success or an ERR_PTR() on failure.
112 */
fsverity_prepare_hash_state(const struct fsverity_hash_alg *alg, const u8 *salt, size_t salt_size)113 const u8 *fsverity_prepare_hash_state(const struct fsverity_hash_alg *alg,
114 const u8 *salt, size_t salt_size)
115 {
116 u8 *hashstate = NULL;
117 SHASH_DESC_ON_STACK(desc, alg->tfm);
118 u8 *padded_salt = NULL;
119 size_t padded_salt_size;
120 int err;
121
122 desc->tfm = alg->tfm;
123
124 if (salt_size == 0)
125 return NULL;
126
127 hashstate = kmalloc(crypto_shash_statesize(alg->tfm), GFP_KERNEL);
128 if (!hashstate)
129 return ERR_PTR(-ENOMEM);
130
131 /*
132 * Zero-pad the salt to the next multiple of the input size of the hash
133 * algorithm's compression function, e.g. 64 bytes for SHA-256 or 128
134 * bytes for SHA-512. This ensures that the hash algorithm won't have
135 * any bytes buffered internally after processing the salt, thus making
136 * salted hashing just as fast as unsalted hashing.
137 */
138 padded_salt_size = round_up(salt_size, alg->block_size);
139 padded_salt = kzalloc(padded_salt_size, GFP_KERNEL);
140 if (!padded_salt) {
141 err = -ENOMEM;
142 goto err_free;
143 }
144 memcpy(padded_salt, salt, salt_size);
145 err = crypto_shash_init(desc);
146 if (err)
147 goto err_free;
148
149 err = crypto_shash_update(desc, padded_salt, padded_salt_size);
150 if (err)
151 goto err_free;
152
153 err = crypto_shash_export(desc, hashstate);
154 if (err)
155 goto err_free;
156 out:
157 kfree(padded_salt);
158 return hashstate;
159
160 err_free:
161 kfree(hashstate);
162 hashstate = ERR_PTR(err);
163 goto out;
164 }
165
166 /**
167 * fsverity_hash_block() - hash a single data or hash block
168 * @params: the Merkle tree's parameters
169 * @inode: inode for which the hashing is being done
170 * @data: virtual address of a buffer containing the block to hash
171 * @out: output digest, size 'params->digest_size' bytes
172 *
173 * Hash a single data or hash block. The hash is salted if a salt is specified
174 * in the Merkle tree parameters.
175 *
176 * Return: 0 on success, -errno on failure
177 */
fsverity_hash_block(const struct merkle_tree_params *params, const struct inode *inode, const void *data, u8 *out)178 int fsverity_hash_block(const struct merkle_tree_params *params,
179 const struct inode *inode, const void *data, u8 *out)
180 {
181 SHASH_DESC_ON_STACK(desc, params->hash_alg->tfm);
182 int err;
183
184 desc->tfm = params->hash_alg->tfm;
185
186 if (params->hashstate) {
187 err = crypto_shash_import(desc, params->hashstate);
188 if (err) {
189 fsverity_err(inode,
190 "Error %d importing hash state", err);
191 return err;
192 }
193 err = crypto_shash_finup(desc, data, params->block_size, out);
194 } else {
195 err = crypto_shash_digest(desc, data, params->block_size, out);
196 }
197 if (err)
198 fsverity_err(inode, "Error %d computing block hash", err);
199 return err;
200 }
201
202 /**
203 * fsverity_hash_buffer() - hash some data
204 * @alg: the hash algorithm to use
205 * @data: the data to hash
206 * @size: size of data to hash, in bytes
207 * @out: output digest, size 'alg->digest_size' bytes
208 *
209 * Return: 0 on success, -errno on failure
210 */
fsverity_hash_buffer(const struct fsverity_hash_alg *alg, const void *data, size_t size, u8 *out)211 int fsverity_hash_buffer(const struct fsverity_hash_alg *alg,
212 const void *data, size_t size, u8 *out)
213 {
214 return crypto_shash_tfm_digest(alg->tfm, data, size, out);
215 }
216
fsverity_check_hash_algs(void)217 void __init fsverity_check_hash_algs(void)
218 {
219 size_t i;
220
221 /*
222 * Sanity check the hash algorithms (could be a build-time check, but
223 * they're in an array)
224 */
225 for (i = 0; i < ARRAY_SIZE(fsverity_hash_algs); i++) {
226 const struct fsverity_hash_alg *alg = &fsverity_hash_algs[i];
227
228 if (!alg->name)
229 continue;
230
231 /*
232 * 0 must never be allocated as an FS_VERITY_HASH_ALG_* value,
233 * as it is reserved for users that use 0 to mean unspecified or
234 * a default value. fs/verity/ itself doesn't care and doesn't
235 * have a default algorithm, but some users make use of this.
236 */
237 BUG_ON(i == 0);
238
239 BUG_ON(alg->digest_size > FS_VERITY_MAX_DIGEST_SIZE);
240
241 /*
242 * For efficiency, the implementation currently assumes the
243 * digest and block sizes are powers of 2. This limitation can
244 * be lifted if the code is updated to handle other values.
245 */
246 BUG_ON(!is_power_of_2(alg->digest_size));
247 BUG_ON(!is_power_of_2(alg->block_size));
248
249 /* Verify that there is a valid mapping to HASH_ALGO_*. */
250 BUG_ON(alg->algo_id == 0);
251 BUG_ON(alg->digest_size != hash_digest_size[alg->algo_id]);
252 }
253 }
254