1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * fs/verity/enable.c: ioctl to enable verity on a file 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <crypto/hash.h> 11 #include <linux/mount.h> 12 #include <linux/pagemap.h> 13 #include <linux/sched/signal.h> 14 #include <linux/uaccess.h> 15 16 static int build_merkle_tree_level(struct inode *inode, unsigned int level, 17 u64 num_blocks_to_hash, 18 const struct merkle_tree_params *params, 19 u8 *pending_hashes, 20 struct ahash_request *req) 21 { 22 const struct fsverity_operations *vops = inode->i_sb->s_vop; 23 unsigned int pending_size = 0; 24 u64 dst_block_num; 25 u64 i; 26 int err; 27 28 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */ 29 return -EINVAL; 30 31 if (level < params->num_levels) { 32 dst_block_num = params->level_start[level]; 33 } else { 34 if (WARN_ON(num_blocks_to_hash != 1)) 35 return -EINVAL; 36 dst_block_num = 0; /* unused */ 37 } 38 39 for (i = 0; i < num_blocks_to_hash; i++) { 40 struct page *src_page; 41 42 if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash) 43 pr_debug("Hashing block %llu of %llu for level %u\n", 44 i + 1, num_blocks_to_hash, level); 45 46 if (level == 0) { 47 /* Leaf: hashing a data block */ 48 src_page = read_mapping_page(inode->i_mapping, i, NULL); 49 if (IS_ERR(src_page)) { 50 err = PTR_ERR(src_page); 51 fsverity_err(inode, 52 "Error %d reading data page %llu", 53 err, i); 54 return err; 55 } 56 } else { 57 /* Non-leaf: hashing hash block from level below */ 58 src_page = vops->read_merkle_tree_page(inode, 59 params->level_start[level - 1] + i); 60 if (IS_ERR(src_page)) { 61 err = PTR_ERR(src_page); 62 fsverity_err(inode, 63 "Error %d reading Merkle tree page %llu", 64 err, params->level_start[level - 1] + i); 65 return err; 66 } 67 } 68 69 err = fsverity_hash_page(params, inode, req, src_page, 70 &pending_hashes[pending_size]); 71 put_page(src_page); 72 if (err) 73 return err; 74 pending_size += params->digest_size; 75 76 if (level == params->num_levels) /* Root hash? */ 77 return 0; 78 79 if (pending_size + params->digest_size > params->block_size || 80 i + 1 == num_blocks_to_hash) { 81 /* Flush the pending hash block */ 82 memset(&pending_hashes[pending_size], 0, 83 params->block_size - pending_size); 84 err = vops->write_merkle_tree_block(inode, 85 pending_hashes, 86 dst_block_num, 87 params->log_blocksize); 88 if (err) { 89 fsverity_err(inode, 90 "Error %d writing Merkle tree block %llu", 91 err, dst_block_num); 92 return err; 93 } 94 dst_block_num++; 95 pending_size = 0; 96 } 97 98 if (fatal_signal_pending(current)) 99 return -EINTR; 100 cond_resched(); 101 } 102 return 0; 103 } 104 105 /* 106 * Build the Merkle tree for the given inode using the given parameters, and 107 * return the root hash in @root_hash. 108 * 109 * The tree is written to a filesystem-specific location as determined by the 110 * ->write_merkle_tree_block() method. However, the blocks that comprise the 111 * tree are the same for all filesystems. 112 */ 113 static int build_merkle_tree(struct inode *inode, 114 const struct merkle_tree_params *params, 115 u8 *root_hash) 116 { 117 u8 *pending_hashes; 118 struct ahash_request *req; 119 u64 blocks; 120 unsigned int level; 121 int err = -ENOMEM; 122 123 if (inode->i_size == 0) { 124 /* Empty file is a special case; root hash is all 0's */ 125 memset(root_hash, 0, params->digest_size); 126 return 0; 127 } 128 129 pending_hashes = kmalloc(params->block_size, GFP_KERNEL); 130 req = ahash_request_alloc(params->hash_alg->tfm, GFP_KERNEL); 131 if (!pending_hashes || !req) 132 goto out; 133 134 /* 135 * Build each level of the Merkle tree, starting at the leaf level 136 * (level 0) and ascending to the root node (level 'num_levels - 1'). 137 * Then at the end (level 'num_levels'), calculate the root hash. 138 */ 139 blocks = (inode->i_size + params->block_size - 1) >> 140 params->log_blocksize; 141 for (level = 0; level <= params->num_levels; level++) { 142 err = build_merkle_tree_level(inode, level, blocks, params, 143 pending_hashes, req); 144 if (err) 145 goto out; 146 blocks = (blocks + params->hashes_per_block - 1) >> 147 params->log_arity; 148 } 149 memcpy(root_hash, pending_hashes, params->digest_size); 150 err = 0; 151 out: 152 kfree(pending_hashes); 153 ahash_request_free(req); 154 return err; 155 } 156 157 static int enable_verity(struct file *filp, 158 const struct fsverity_enable_arg *arg) 159 { 160 struct inode *inode = file_inode(filp); 161 const struct fsverity_operations *vops = inode->i_sb->s_vop; 162 struct merkle_tree_params params = { }; 163 struct fsverity_descriptor *desc; 164 size_t desc_size = sizeof(*desc) + arg->sig_size; 165 struct fsverity_info *vi; 166 int err; 167 168 /* Start initializing the fsverity_descriptor */ 169 desc = kzalloc(desc_size, GFP_KERNEL); 170 if (!desc) 171 return -ENOMEM; 172 desc->version = 1; 173 desc->hash_algorithm = arg->hash_algorithm; 174 desc->log_blocksize = ilog2(arg->block_size); 175 176 /* Get the salt if the user provided one */ 177 if (arg->salt_size && 178 copy_from_user(desc->salt, 179 (const u8 __user *)(uintptr_t)arg->salt_ptr, 180 arg->salt_size)) { 181 err = -EFAULT; 182 goto out; 183 } 184 desc->salt_size = arg->salt_size; 185 186 /* Get the signature if the user provided one */ 187 if (arg->sig_size && 188 copy_from_user(desc->signature, 189 (const u8 __user *)(uintptr_t)arg->sig_ptr, 190 arg->sig_size)) { 191 err = -EFAULT; 192 goto out; 193 } 194 desc->sig_size = cpu_to_le32(arg->sig_size); 195 196 desc->data_size = cpu_to_le64(inode->i_size); 197 198 /* Prepare the Merkle tree parameters */ 199 err = fsverity_init_merkle_tree_params(¶ms, inode, 200 arg->hash_algorithm, 201 desc->log_blocksize, 202 desc->salt, desc->salt_size); 203 if (err) 204 goto out; 205 206 /* 207 * Start enabling verity on this file, serialized by the inode lock. 208 * Fail if verity is already enabled or is already being enabled. 209 */ 210 inode_lock(inode); 211 if (IS_VERITY(inode)) 212 err = -EEXIST; 213 else 214 err = vops->begin_enable_verity(filp); 215 inode_unlock(inode); 216 if (err) 217 goto out; 218 219 /* 220 * Build the Merkle tree. Don't hold the inode lock during this, since 221 * on huge files this may take a very long time and we don't want to 222 * force unrelated syscalls like chown() to block forever. We don't 223 * need the inode lock here because deny_write_access() already prevents 224 * the file from being written to or truncated, and we still serialize 225 * ->begin_enable_verity() and ->end_enable_verity() using the inode 226 * lock and only allow one process to be here at a time on a given file. 227 */ 228 pr_debug("Building Merkle tree...\n"); 229 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); 230 err = build_merkle_tree(inode, ¶ms, desc->root_hash); 231 if (err) { 232 fsverity_err(inode, "Error %d building Merkle tree", err); 233 goto rollback; 234 } 235 pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n", 236 params.hash_alg->name, params.digest_size, desc->root_hash); 237 238 /* 239 * Create the fsverity_info. Don't bother trying to save work by 240 * reusing the merkle_tree_params from above. Instead, just create the 241 * fsverity_info from the fsverity_descriptor as if it were just loaded 242 * from disk. This is simpler, and it serves as an extra check that the 243 * metadata we're writing is valid before actually enabling verity. 244 */ 245 vi = fsverity_create_info(inode, desc, desc_size); 246 if (IS_ERR(vi)) { 247 err = PTR_ERR(vi); 248 goto rollback; 249 } 250 251 if (arg->sig_size) 252 pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n", 253 arg->sig_size); 254 255 /* 256 * Tell the filesystem to finish enabling verity on the file. 257 * Serialized with ->begin_enable_verity() by the inode lock. 258 */ 259 inode_lock(inode); 260 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); 261 inode_unlock(inode); 262 if (err) { 263 fsverity_err(inode, "%ps() failed with err %d", 264 vops->end_enable_verity, err); 265 fsverity_free_info(vi); 266 } else if (WARN_ON(!IS_VERITY(inode))) { 267 err = -EINVAL; 268 fsverity_free_info(vi); 269 } else { 270 /* Successfully enabled verity */ 271 272 /* 273 * Readers can start using ->i_verity_info immediately, so it 274 * can't be rolled back once set. So don't set it until just 275 * after the filesystem has successfully enabled verity. 276 */ 277 fsverity_set_info(inode, vi); 278 } 279 out: 280 kfree(params.hashstate); 281 kfree(desc); 282 return err; 283 284 rollback: 285 inode_lock(inode); 286 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); 287 inode_unlock(inode); 288 goto out; 289 } 290 291 /** 292 * fsverity_ioctl_enable() - enable verity on a file 293 * 294 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of 295 * Documentation/filesystems/fsverity.rst for the documentation. 296 * 297 * Return: 0 on success, -errno on failure 298 */ 299 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) 300 { 301 struct inode *inode = file_inode(filp); 302 struct fsverity_enable_arg arg; 303 int err; 304 305 if (copy_from_user(&arg, uarg, sizeof(arg))) 306 return -EFAULT; 307 308 if (arg.version != 1) 309 return -EINVAL; 310 311 if (arg.__reserved1 || 312 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) 313 return -EINVAL; 314 315 if (arg.block_size != PAGE_SIZE) 316 return -EINVAL; 317 318 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) 319 return -EMSGSIZE; 320 321 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) 322 return -EMSGSIZE; 323 324 /* 325 * Require a regular file with write access. But the actual fd must 326 * still be readonly so that we can lock out all writers. This is 327 * needed to guarantee that no writable fds exist to the file once it 328 * has verity enabled, and to stabilize the data being hashed. 329 */ 330 331 err = inode_permission(inode, MAY_WRITE); 332 if (err) 333 return err; 334 335 if (IS_APPEND(inode)) 336 return -EPERM; 337 338 if (S_ISDIR(inode->i_mode)) 339 return -EISDIR; 340 341 if (!S_ISREG(inode->i_mode)) 342 return -EINVAL; 343 344 err = mnt_want_write_file(filp); 345 if (err) /* -EROFS */ 346 return err; 347 348 err = deny_write_access(filp); 349 if (err) /* -ETXTBSY */ 350 goto out_drop_write; 351 352 err = enable_verity(filp, &arg); 353 if (err) 354 goto out_allow_write_access; 355 356 /* 357 * Some pages of the file may have been evicted from pagecache after 358 * being used in the Merkle tree construction, then read into pagecache 359 * again by another process reading from the file concurrently. Since 360 * these pages didn't undergo verification against the file measurement 361 * which fs-verity now claims to be enforcing, we have to wipe the 362 * pagecache to ensure that all future reads are verified. 363 */ 364 filemap_write_and_wait(inode->i_mapping); 365 invalidate_inode_pages2(inode->i_mapping); 366 367 /* 368 * allow_write_access() is needed to pair with deny_write_access(). 369 * Regardless, the filesystem won't allow writing to verity files. 370 */ 371 out_allow_write_access: 372 allow_write_access(filp); 373 out_drop_write: 374 mnt_drop_write_file(filp); 375 return err; 376 } 377 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); 378