xref: /openbmc/linux/drivers/md/dm-verity-loadpin.c (revision 2612e3bbc0386368a850140a6c9b990cd496a5ec)

// SPDX-License-Identifier: GPL-2.0-only

#include <linux/list.h>
#include <linux/kernel.h>
#include <linux/dm-verity-loadpin.h>

#include "dm.h"
#include "dm-core.h"
#include "dm-verity.h"

#define DM_MSG_PREFIX	"verity-loadpin"

LIST_HEAD(dm_verity_loadpin_trusted_root_digests);

static bool is_trusted_verity_target(struct dm_target *ti)
{
	int verity_mode;
	u8 *root_digest;
	unsigned int digest_size;
	struct dm_verity_loadpin_trusted_root_digest *trd;
	bool trusted = false;

	if (!dm_is_verity_target(ti))
		return false;

	verity_mode = dm_verity_get_mode(ti);

	if ((verity_mode != DM_VERITY_MODE_EIO) &&
	    (verity_mode != DM_VERITY_MODE_RESTART) &&
	    (verity_mode != DM_VERITY_MODE_PANIC))
		return false;

	if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
		return false;

	list_for_each_entry(trd, &dm_verity_loadpin_trusted_root_digests, node) {
		if ((trd->len == digest_size) &&
		    !memcmp(trd->data, root_digest, digest_size)) {
			trusted = true;
			break;
		}
	}

	kfree(root_digest);

	return trusted;
}

/*
 * Determines whether the file system of a superblock is located on
 * a verity device that is trusted by LoadPin.
 */
bool dm_verity_loadpin_is_bdev_trusted(struct block_device *bdev)
{
	struct mapped_device *md;
	struct dm_table *table;
	struct dm_target *ti;
	int srcu_idx;
	bool trusted = false;

	if (bdev == NULL)
		return false;

	if (list_empty(&dm_verity_loadpin_trusted_root_digests))
		return false;

	md = dm_get_md(bdev->bd_dev);
	if (!md)
		return false;

	table = dm_get_live_table(md, &srcu_idx);

	if (table->num_targets != 1)
		goto out;

	ti = dm_table_get_target(table, 0);

	if (is_trusted_verity_target(ti))
		trusted = true;

out:
	dm_put_live_table(md, srcu_idx);
	dm_put(md);

	return trusted;
}