xref: /openbmc/linux/fs/verity/enable.c (revision c1d3fb8a)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * fs/verity/enable.c: ioctl to enable verity on a file
4  *
5  * Copyright 2019 Google LLC
6  */
7 
8 #include "fsverity_private.h"
9 
10 #include <crypto/hash.h>
11 #include <linux/mount.h>
12 #include <linux/pagemap.h>
13 #include <linux/sched/signal.h>
14 #include <linux/uaccess.h>
15 
16 static int build_merkle_tree_level(struct inode *inode, unsigned int level,
17 				   u64 num_blocks_to_hash,
18 				   const struct merkle_tree_params *params,
19 				   u8 *pending_hashes,
20 				   struct ahash_request *req)
21 {
22 	const struct fsverity_operations *vops = inode->i_sb->s_vop;
23 	unsigned int pending_size = 0;
24 	u64 dst_block_num;
25 	u64 i;
26 	int err;
27 
28 	if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
29 		return -EINVAL;
30 
31 	if (level < params->num_levels) {
32 		dst_block_num = params->level_start[level];
33 	} else {
34 		if (WARN_ON(num_blocks_to_hash != 1))
35 			return -EINVAL;
36 		dst_block_num = 0; /* unused */
37 	}
38 
39 	for (i = 0; i < num_blocks_to_hash; i++) {
40 		struct page *src_page;
41 
42 		if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
43 			pr_debug("Hashing block %llu of %llu for level %u\n",
44 				 i + 1, num_blocks_to_hash, level);
45 
46 		if (level == 0) {
47 			/* Leaf: hashing a data block */
48 			src_page = read_mapping_page(inode->i_mapping, i, NULL);
49 			if (IS_ERR(src_page)) {
50 				err = PTR_ERR(src_page);
51 				fsverity_err(inode,
52 					     "Error %d reading data page %llu",
53 					     err, i);
54 				return err;
55 			}
56 		} else {
57 			/* Non-leaf: hashing hash block from level below */
58 			src_page = vops->read_merkle_tree_page(inode,
59 					params->level_start[level - 1] + i);
60 			if (IS_ERR(src_page)) {
61 				err = PTR_ERR(src_page);
62 				fsverity_err(inode,
63 					     "Error %d reading Merkle tree page %llu",
64 					     err, params->level_start[level - 1] + i);
65 				return err;
66 			}
67 		}
68 
69 		err = fsverity_hash_page(params, inode, req, src_page,
70 					 &pending_hashes[pending_size]);
71 		put_page(src_page);
72 		if (err)
73 			return err;
74 		pending_size += params->digest_size;
75 
76 		if (level == params->num_levels) /* Root hash? */
77 			return 0;
78 
79 		if (pending_size + params->digest_size > params->block_size ||
80 		    i + 1 == num_blocks_to_hash) {
81 			/* Flush the pending hash block */
82 			memset(&pending_hashes[pending_size], 0,
83 			       params->block_size - pending_size);
84 			err = vops->write_merkle_tree_block(inode,
85 					pending_hashes,
86 					dst_block_num,
87 					params->log_blocksize);
88 			if (err) {
89 				fsverity_err(inode,
90 					     "Error %d writing Merkle tree block %llu",
91 					     err, dst_block_num);
92 				return err;
93 			}
94 			dst_block_num++;
95 			pending_size = 0;
96 		}
97 
98 		if (fatal_signal_pending(current))
99 			return -EINTR;
100 		cond_resched();
101 	}
102 	return 0;
103 }
104 
105 /*
106  * Build the Merkle tree for the given inode using the given parameters, and
107  * return the root hash in @root_hash.
108  *
109  * The tree is written to a filesystem-specific location as determined by the
110  * ->write_merkle_tree_block() method.  However, the blocks that comprise the
111  * tree are the same for all filesystems.
112  */
113 static int build_merkle_tree(struct inode *inode,
114 			     const struct merkle_tree_params *params,
115 			     u8 *root_hash)
116 {
117 	u8 *pending_hashes;
118 	struct ahash_request *req;
119 	u64 blocks;
120 	unsigned int level;
121 	int err = -ENOMEM;
122 
123 	if (inode->i_size == 0) {
124 		/* Empty file is a special case; root hash is all 0's */
125 		memset(root_hash, 0, params->digest_size);
126 		return 0;
127 	}
128 
129 	pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
130 	req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL);
131 	if (!pending_hashes || !req)
132 		goto out;
133 
134 	/*
135 	 * Build each level of the Merkle tree, starting at the leaf level
136 	 * (level 0) and ascending to the root node (level 'num_levels - 1').
137 	 * Then at the end (level 'num_levels'), calculate the root hash.
138 	 */
139 	blocks = (inode->i_size + params->block_size - 1) >>
140 		 params->log_blocksize;
141 	for (level = 0; level <= params->num_levels; level++) {
142 		err = build_merkle_tree_level(inode, level, blocks, params,
143 					      pending_hashes, req);
144 		if (err)
145 			goto out;
146 		blocks = (blocks + params->hashes_per_block - 1) >>
147 			 params->log_arity;
148 	}
149 	memcpy(root_hash, pending_hashes, params->digest_size);
150 	err = 0;
151 out:
152 	kfree(pending_hashes);
153 	ahash_request_free(req);
154 	return err;
155 }
156 
157 static int enable_verity(struct file *filp,
158 			 const struct fsverity_enable_arg *arg)
159 {
160 	struct inode *inode = file_inode(filp);
161 	const struct fsverity_operations *vops = inode->i_sb->s_vop;
162 	struct merkle_tree_params params = { };
163 	struct fsverity_descriptor *desc;
164 	size_t desc_size = sizeof(*desc) + arg->sig_size;
165 	struct fsverity_info *vi;
166 	int err;
167 
168 	/* Start initializing the fsverity_descriptor */
169 	desc = kzalloc(desc_size, GFP_KERNEL);
170 	if (!desc)
171 		return -ENOMEM;
172 	desc->version = 1;
173 	desc->hash_algorithm = arg->hash_algorithm;
174 	desc->log_blocksize = ilog2(arg->block_size);
175 
176 	/* Get the salt if the user provided one */
177 	if (arg->salt_size &&
178 	    copy_from_user(desc->salt,
179 			   (const u8 __user *)(uintptr_t)arg->salt_ptr,
180 			   arg->salt_size)) {
181 		err = -EFAULT;
182 		goto out;
183 	}
184 	desc->salt_size = arg->salt_size;
185 
186 	/* Get the signature if the user provided one */
187 	if (arg->sig_size &&
188 	    copy_from_user(desc->signature,
189 			   (const u8 __user *)(uintptr_t)arg->sig_ptr,
190 			   arg->sig_size)) {
191 		err = -EFAULT;
192 		goto out;
193 	}
194 	desc->sig_size = cpu_to_le32(arg->sig_size);
195 
196 	desc->data_size = cpu_to_le64(inode->i_size);
197 
198 	/* Prepare the Merkle tree parameters */
199 	err = fsverity_init_merkle_tree_params(&params, inode,
200 					       arg->hash_algorithm,
201 					       desc->log_blocksize,
202 					       desc->salt, desc->salt_size);
203 	if (err)
204 		goto out;
205 
206 	/*
207 	 * Start enabling verity on this file, serialized by the inode lock.
208 	 * Fail if verity is already enabled or is already being enabled.
209 	 */
210 	inode_lock(inode);
211 	if (IS_VERITY(inode))
212 		err = -EEXIST;
213 	else
214 		err = vops->begin_enable_verity(filp);
215 	inode_unlock(inode);
216 	if (err)
217 		goto out;
218 
219 	/*
220 	 * Build the Merkle tree.  Don't hold the inode lock during this, since
221 	 * on huge files this may take a very long time and we don't want to
222 	 * force unrelated syscalls like chown() to block forever.  We don't
223 	 * need the inode lock here because deny_write_access() already prevents
224 	 * the file from being written to or truncated, and we still serialize
225 	 * ->begin_enable_verity() and ->end_enable_verity() using the inode
226 	 * lock and only allow one process to be here at a time on a given file.
227 	 */
228 	pr_debug("Building Merkle tree...\n");
229 	BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
230 	err = build_merkle_tree(inode, &params, desc->root_hash);
231 	if (err) {
232 		fsverity_err(inode, "Error %d building Merkle tree", err);
233 		goto rollback;
234 	}
235 	pr_debug("Done building Merkle tree.  Root hash is %s:%*phN\n",
236 		 params.hash_alg->name, params.digest_size, desc->root_hash);
237 
238 	/*
239 	 * Create the fsverity_info.  Don't bother trying to save work by
240 	 * reusing the merkle_tree_params from above.  Instead, just create the
241 	 * fsverity_info from the fsverity_descriptor as if it were just loaded
242 	 * from disk.  This is simpler, and it serves as an extra check that the
243 	 * metadata we're writing is valid before actually enabling verity.
244 	 */
245 	vi = fsverity_create_info(inode, desc, desc_size);
246 	if (IS_ERR(vi)) {
247 		err = PTR_ERR(vi);
248 		goto rollback;
249 	}
250 
251 	if (arg->sig_size)
252 		pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
253 			 arg->sig_size);
254 
255 	/*
256 	 * Tell the filesystem to finish enabling verity on the file.
257 	 * Serialized with ->begin_enable_verity() by the inode lock.
258 	 */
259 	inode_lock(inode);
260 	err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
261 	inode_unlock(inode);
262 	if (err) {
263 		fsverity_err(inode, "%ps() failed with err %d",
264 			     vops->end_enable_verity, err);
265 		fsverity_free_info(vi);
266 	} else if (WARN_ON(!IS_VERITY(inode))) {
267 		err = -EINVAL;
268 		fsverity_free_info(vi);
269 	} else {
270 		/* Successfully enabled verity */
271 
272 		/*
273 		 * Readers can start using ->i_verity_info immediately, so it
274 		 * can't be rolled back once set.  So don't set it until just
275 		 * after the filesystem has successfully enabled verity.
276 		 */
277 		fsverity_set_info(inode, vi);
278 	}
279 out:
280 	kfree(params.hashstate);
281 	kfree(desc);
282 	return err;
283 
284 rollback:
285 	inode_lock(inode);
286 	(void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
287 	inode_unlock(inode);
288 	goto out;
289 }
290 
291 /**
292  * fsverity_ioctl_enable() - enable verity on a file
293  *
294  * Enable fs-verity on a file.  See the "FS_IOC_ENABLE_VERITY" section of
295  * Documentation/filesystems/fsverity.rst for the documentation.
296  *
297  * Return: 0 on success, -errno on failure
298  */
299 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
300 {
301 	struct inode *inode = file_inode(filp);
302 	struct fsverity_enable_arg arg;
303 	int err;
304 
305 	if (copy_from_user(&arg, uarg, sizeof(arg)))
306 		return -EFAULT;
307 
308 	if (arg.version != 1)
309 		return -EINVAL;
310 
311 	if (arg.__reserved1 ||
312 	    memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
313 		return -EINVAL;
314 
315 	if (arg.block_size != PAGE_SIZE)
316 		return -EINVAL;
317 
318 	if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
319 		return -EMSGSIZE;
320 
321 	if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
322 		return -EMSGSIZE;
323 
324 	/*
325 	 * Require a regular file with write access.  But the actual fd must
326 	 * still be readonly so that we can lock out all writers.  This is
327 	 * needed to guarantee that no writable fds exist to the file once it
328 	 * has verity enabled, and to stabilize the data being hashed.
329 	 */
330 
331 	err = inode_permission(inode, MAY_WRITE);
332 	if (err)
333 		return err;
334 
335 	if (IS_APPEND(inode))
336 		return -EPERM;
337 
338 	if (S_ISDIR(inode->i_mode))
339 		return -EISDIR;
340 
341 	if (!S_ISREG(inode->i_mode))
342 		return -EINVAL;
343 
344 	err = mnt_want_write_file(filp);
345 	if (err) /* -EROFS */
346 		return err;
347 
348 	err = deny_write_access(filp);
349 	if (err) /* -ETXTBSY */
350 		goto out_drop_write;
351 
352 	err = enable_verity(filp, &arg);
353 	if (err)
354 		goto out_allow_write_access;
355 
356 	/*
357 	 * Some pages of the file may have been evicted from pagecache after
358 	 * being used in the Merkle tree construction, then read into pagecache
359 	 * again by another process reading from the file concurrently.  Since
360 	 * these pages didn't undergo verification against the file measurement
361 	 * which fs-verity now claims to be enforcing, we have to wipe the
362 	 * pagecache to ensure that all future reads are verified.
363 	 */
364 	filemap_write_and_wait(inode->i_mapping);
365 	invalidate_inode_pages2(inode->i_mapping);
366 
367 	/*
368 	 * allow_write_access() is needed to pair with deny_write_access().
369 	 * Regardless, the filesystem won't allow writing to verity files.
370 	 */
371 out_allow_write_access:
372 	allow_write_access(filp);
373 out_drop_write:
374 	mnt_drop_write_file(filp);
375 	return err;
376 }
377 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);
378