1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Ioctl to enable verity on a file 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <crypto/hash.h> 11 #include <linux/backing-dev.h> 12 #include <linux/mount.h> 13 #include <linux/pagemap.h> 14 #include <linux/sched/signal.h> 15 #include <linux/uaccess.h> 16 17 /* 18 * Read a file data page for Merkle tree construction. Do aggressive readahead, 19 * since we're sequentially reading the entire file. 20 */ 21 static struct page *read_file_data_page(struct file *filp, pgoff_t index, 22 struct file_ra_state *ra, 23 unsigned long remaining_pages) 24 { 25 struct page *page; 26 27 page = find_get_page_flags(filp->f_mapping, index, FGP_ACCESSED); 28 if (!page || !PageUptodate(page)) { 29 if (page) 30 put_page(page); 31 else 32 page_cache_sync_readahead(filp->f_mapping, ra, filp, 33 index, remaining_pages); 34 page = read_mapping_page(filp->f_mapping, index, NULL); 35 if (IS_ERR(page)) 36 return page; 37 } 38 if (PageReadahead(page)) 39 page_cache_async_readahead(filp->f_mapping, ra, filp, page, 40 index, remaining_pages); 41 return page; 42 } 43 44 static int build_merkle_tree_level(struct file *filp, unsigned int level, 45 u64 num_blocks_to_hash, 46 const struct merkle_tree_params *params, 47 u8 *pending_hashes, 48 struct ahash_request *req) 49 { 50 struct inode *inode = file_inode(filp); 51 const struct fsverity_operations *vops = inode->i_sb->s_vop; 52 struct file_ra_state ra = { 0 }; 53 unsigned int pending_size = 0; 54 u64 dst_block_num; 55 u64 i; 56 int err; 57 58 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */ 59 return -EINVAL; 60 61 if (level < params->num_levels) { 62 dst_block_num = params->level_start[level]; 63 } else { 64 if (WARN_ON(num_blocks_to_hash != 1)) 65 return -EINVAL; 66 dst_block_num = 0; /* unused */ 67 } 68 69 file_ra_state_init(&ra, filp->f_mapping); 70 71 for (i = 0; i < num_blocks_to_hash; i++) { 72 struct page *src_page; 73 74 if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash) 75 pr_debug("Hashing block %llu of %llu for level %u\n", 76 i + 1, num_blocks_to_hash, level); 77 78 if (level == 0) { 79 /* Leaf: hashing a data block */ 80 src_page = read_file_data_page(filp, i, &ra, 81 num_blocks_to_hash - i); 82 if (IS_ERR(src_page)) { 83 err = PTR_ERR(src_page); 84 fsverity_err(inode, 85 "Error %d reading data page %llu", 86 err, i); 87 return err; 88 } 89 } else { 90 unsigned long num_ra_pages = 91 min_t(unsigned long, num_blocks_to_hash - i, 92 inode->i_sb->s_bdi->io_pages); 93 94 /* Non-leaf: hashing hash block from level below */ 95 src_page = vops->read_merkle_tree_page(inode, 96 params->level_start[level - 1] + i, 97 num_ra_pages); 98 if (IS_ERR(src_page)) { 99 err = PTR_ERR(src_page); 100 fsverity_err(inode, 101 "Error %d reading Merkle tree page %llu", 102 err, params->level_start[level - 1] + i); 103 return err; 104 } 105 } 106 107 err = fsverity_hash_page(params, inode, req, src_page, 108 &pending_hashes[pending_size]); 109 put_page(src_page); 110 if (err) 111 return err; 112 pending_size += params->digest_size; 113 114 if (level == params->num_levels) /* Root hash? */ 115 return 0; 116 117 if (pending_size + params->digest_size > params->block_size || 118 i + 1 == num_blocks_to_hash) { 119 /* Flush the pending hash block */ 120 memset(&pending_hashes[pending_size], 0, 121 params->block_size - pending_size); 122 err = vops->write_merkle_tree_block(inode, 123 pending_hashes, 124 dst_block_num, 125 params->log_blocksize); 126 if (err) { 127 fsverity_err(inode, 128 "Error %d writing Merkle tree block %llu", 129 err, dst_block_num); 130 return err; 131 } 132 dst_block_num++; 133 pending_size = 0; 134 } 135 136 if (fatal_signal_pending(current)) 137 return -EINTR; 138 cond_resched(); 139 } 140 return 0; 141 } 142 143 /* 144 * Build the Merkle tree for the given file using the given parameters, and 145 * return the root hash in @root_hash. 146 * 147 * The tree is written to a filesystem-specific location as determined by the 148 * ->write_merkle_tree_block() method. However, the blocks that comprise the 149 * tree are the same for all filesystems. 150 */ 151 static int build_merkle_tree(struct file *filp, 152 const struct merkle_tree_params *params, 153 u8 *root_hash) 154 { 155 struct inode *inode = file_inode(filp); 156 u8 *pending_hashes; 157 struct ahash_request *req; 158 u64 blocks; 159 unsigned int level; 160 int err = -ENOMEM; 161 162 if (inode->i_size == 0) { 163 /* Empty file is a special case; root hash is all 0's */ 164 memset(root_hash, 0, params->digest_size); 165 return 0; 166 } 167 168 /* This allocation never fails, since it's mempool-backed. */ 169 req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL); 170 171 pending_hashes = kmalloc(params->block_size, GFP_KERNEL); 172 if (!pending_hashes) 173 goto out; 174 175 /* 176 * Build each level of the Merkle tree, starting at the leaf level 177 * (level 0) and ascending to the root node (level 'num_levels - 1'). 178 * Then at the end (level 'num_levels'), calculate the root hash. 179 */ 180 blocks = ((u64)inode->i_size + params->block_size - 1) >> 181 params->log_blocksize; 182 for (level = 0; level <= params->num_levels; level++) { 183 err = build_merkle_tree_level(filp, level, blocks, params, 184 pending_hashes, req); 185 if (err) 186 goto out; 187 blocks = (blocks + params->hashes_per_block - 1) >> 188 params->log_arity; 189 } 190 memcpy(root_hash, pending_hashes, params->digest_size); 191 err = 0; 192 out: 193 kfree(pending_hashes); 194 fsverity_free_hash_request(params->hash_alg, req); 195 return err; 196 } 197 198 static int enable_verity(struct file *filp, 199 const struct fsverity_enable_arg *arg) 200 { 201 struct inode *inode = file_inode(filp); 202 const struct fsverity_operations *vops = inode->i_sb->s_vop; 203 struct merkle_tree_params params = { }; 204 struct fsverity_descriptor *desc; 205 size_t desc_size = sizeof(*desc) + arg->sig_size; 206 struct fsverity_info *vi; 207 int err; 208 209 /* Start initializing the fsverity_descriptor */ 210 desc = kzalloc(desc_size, GFP_KERNEL); 211 if (!desc) 212 return -ENOMEM; 213 desc->version = 1; 214 desc->hash_algorithm = arg->hash_algorithm; 215 desc->log_blocksize = ilog2(arg->block_size); 216 217 /* Get the salt if the user provided one */ 218 if (arg->salt_size && 219 copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr), 220 arg->salt_size)) { 221 err = -EFAULT; 222 goto out; 223 } 224 desc->salt_size = arg->salt_size; 225 226 /* Get the signature if the user provided one */ 227 if (arg->sig_size && 228 copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr), 229 arg->sig_size)) { 230 err = -EFAULT; 231 goto out; 232 } 233 desc->sig_size = cpu_to_le32(arg->sig_size); 234 235 desc->data_size = cpu_to_le64(inode->i_size); 236 237 /* Prepare the Merkle tree parameters */ 238 err = fsverity_init_merkle_tree_params(¶ms, inode, 239 arg->hash_algorithm, 240 desc->log_blocksize, 241 desc->salt, desc->salt_size); 242 if (err) 243 goto out; 244 245 /* 246 * Start enabling verity on this file, serialized by the inode lock. 247 * Fail if verity is already enabled or is already being enabled. 248 */ 249 inode_lock(inode); 250 if (IS_VERITY(inode)) 251 err = -EEXIST; 252 else 253 err = vops->begin_enable_verity(filp); 254 inode_unlock(inode); 255 if (err) 256 goto out; 257 258 /* 259 * Build the Merkle tree. Don't hold the inode lock during this, since 260 * on huge files this may take a very long time and we don't want to 261 * force unrelated syscalls like chown() to block forever. We don't 262 * need the inode lock here because deny_write_access() already prevents 263 * the file from being written to or truncated, and we still serialize 264 * ->begin_enable_verity() and ->end_enable_verity() using the inode 265 * lock and only allow one process to be here at a time on a given file. 266 */ 267 pr_debug("Building Merkle tree...\n"); 268 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); 269 err = build_merkle_tree(filp, ¶ms, desc->root_hash); 270 if (err) { 271 fsverity_err(inode, "Error %d building Merkle tree", err); 272 goto rollback; 273 } 274 pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n", 275 params.hash_alg->name, params.digest_size, desc->root_hash); 276 277 /* 278 * Create the fsverity_info. Don't bother trying to save work by 279 * reusing the merkle_tree_params from above. Instead, just create the 280 * fsverity_info from the fsverity_descriptor as if it were just loaded 281 * from disk. This is simpler, and it serves as an extra check that the 282 * metadata we're writing is valid before actually enabling verity. 283 */ 284 vi = fsverity_create_info(inode, desc, desc_size); 285 if (IS_ERR(vi)) { 286 err = PTR_ERR(vi); 287 goto rollback; 288 } 289 290 if (arg->sig_size) 291 pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n", 292 arg->sig_size); 293 294 /* 295 * Tell the filesystem to finish enabling verity on the file. 296 * Serialized with ->begin_enable_verity() by the inode lock. 297 */ 298 inode_lock(inode); 299 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); 300 inode_unlock(inode); 301 if (err) { 302 fsverity_err(inode, "%ps() failed with err %d", 303 vops->end_enable_verity, err); 304 fsverity_free_info(vi); 305 } else if (WARN_ON(!IS_VERITY(inode))) { 306 err = -EINVAL; 307 fsverity_free_info(vi); 308 } else { 309 /* Successfully enabled verity */ 310 311 /* 312 * Readers can start using ->i_verity_info immediately, so it 313 * can't be rolled back once set. So don't set it until just 314 * after the filesystem has successfully enabled verity. 315 */ 316 fsverity_set_info(inode, vi); 317 } 318 out: 319 kfree(params.hashstate); 320 kfree(desc); 321 return err; 322 323 rollback: 324 inode_lock(inode); 325 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); 326 inode_unlock(inode); 327 goto out; 328 } 329 330 /** 331 * fsverity_ioctl_enable() - enable verity on a file 332 * @filp: file to enable verity on 333 * @uarg: user pointer to fsverity_enable_arg 334 * 335 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of 336 * Documentation/filesystems/fsverity.rst for the documentation. 337 * 338 * Return: 0 on success, -errno on failure 339 */ 340 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) 341 { 342 struct inode *inode = file_inode(filp); 343 struct fsverity_enable_arg arg; 344 int err; 345 346 if (copy_from_user(&arg, uarg, sizeof(arg))) 347 return -EFAULT; 348 349 if (arg.version != 1) 350 return -EINVAL; 351 352 if (arg.__reserved1 || 353 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) 354 return -EINVAL; 355 356 if (arg.block_size != PAGE_SIZE) 357 return -EINVAL; 358 359 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) 360 return -EMSGSIZE; 361 362 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) 363 return -EMSGSIZE; 364 365 /* 366 * Require a regular file with write access. But the actual fd must 367 * still be readonly so that we can lock out all writers. This is 368 * needed to guarantee that no writable fds exist to the file once it 369 * has verity enabled, and to stabilize the data being hashed. 370 */ 371 372 err = file_permission(filp, MAY_WRITE); 373 if (err) 374 return err; 375 376 if (IS_APPEND(inode)) 377 return -EPERM; 378 379 if (S_ISDIR(inode->i_mode)) 380 return -EISDIR; 381 382 if (!S_ISREG(inode->i_mode)) 383 return -EINVAL; 384 385 err = mnt_want_write_file(filp); 386 if (err) /* -EROFS */ 387 return err; 388 389 err = deny_write_access(filp); 390 if (err) /* -ETXTBSY */ 391 goto out_drop_write; 392 393 err = enable_verity(filp, &arg); 394 if (err) 395 goto out_allow_write_access; 396 397 /* 398 * Some pages of the file may have been evicted from pagecache after 399 * being used in the Merkle tree construction, then read into pagecache 400 * again by another process reading from the file concurrently. Since 401 * these pages didn't undergo verification against the file digest which 402 * fs-verity now claims to be enforcing, we have to wipe the pagecache 403 * to ensure that all future reads are verified. 404 */ 405 filemap_write_and_wait(inode->i_mapping); 406 invalidate_inode_pages2(inode->i_mapping); 407 408 /* 409 * allow_write_access() is needed to pair with deny_write_access(). 410 * Regardless, the filesystem won't allow writing to verity files. 411 */ 412 out_allow_write_access: 413 allow_write_access(filp); 414 out_drop_write: 415 mnt_drop_write_file(filp); 416 return err; 417 } 418 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); 419