1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Ioctl to enable verity on a file 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <crypto/hash.h> 11 #include <linux/backing-dev.h> 12 #include <linux/mount.h> 13 #include <linux/pagemap.h> 14 #include <linux/sched/signal.h> 15 #include <linux/uaccess.h> 16 17 /* 18 * Read a file data page for Merkle tree construction. Do aggressive readahead, 19 * since we're sequentially reading the entire file. 20 */ 21 static struct page *read_file_data_page(struct file *file, pgoff_t index, 22 struct file_ra_state *ra, 23 unsigned long remaining_pages) 24 { 25 DEFINE_READAHEAD(ractl, file, ra, file->f_mapping, index); 26 struct folio *folio; 27 28 folio = __filemap_get_folio(ractl.mapping, index, FGP_ACCESSED, 0); 29 if (!folio || !folio_test_uptodate(folio)) { 30 if (folio) 31 folio_put(folio); 32 else 33 page_cache_sync_ra(&ractl, remaining_pages); 34 folio = read_cache_folio(ractl.mapping, index, NULL, file); 35 if (IS_ERR(folio)) 36 return &folio->page; 37 } 38 if (folio_test_readahead(folio)) 39 page_cache_async_ra(&ractl, folio, remaining_pages); 40 return folio_file_page(folio, index); 41 } 42 43 static int build_merkle_tree_level(struct file *filp, unsigned int level, 44 u64 num_blocks_to_hash, 45 const struct merkle_tree_params *params, 46 u8 *pending_hashes, 47 struct ahash_request *req) 48 { 49 struct inode *inode = file_inode(filp); 50 const struct fsverity_operations *vops = inode->i_sb->s_vop; 51 struct file_ra_state ra = { 0 }; 52 unsigned int pending_size = 0; 53 u64 dst_block_num; 54 u64 i; 55 int err; 56 57 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */ 58 return -EINVAL; 59 60 if (level < params->num_levels) { 61 dst_block_num = params->level_start[level]; 62 } else { 63 if (WARN_ON(num_blocks_to_hash != 1)) 64 return -EINVAL; 65 dst_block_num = 0; /* unused */ 66 } 67 68 file_ra_state_init(&ra, filp->f_mapping); 69 70 for (i = 0; i < num_blocks_to_hash; i++) { 71 struct page *src_page; 72 73 if (level == 0) { 74 /* Leaf: hashing a data block */ 75 src_page = read_file_data_page(filp, i, &ra, 76 num_blocks_to_hash - i); 77 if (IS_ERR(src_page)) { 78 err = PTR_ERR(src_page); 79 fsverity_err(inode, 80 "Error %d reading data page %llu", 81 err, i); 82 return err; 83 } 84 } else { 85 unsigned long num_ra_pages = 86 min_t(unsigned long, num_blocks_to_hash - i, 87 inode->i_sb->s_bdi->io_pages); 88 89 /* Non-leaf: hashing hash block from level below */ 90 src_page = vops->read_merkle_tree_page(inode, 91 params->level_start[level - 1] + i, 92 num_ra_pages); 93 if (IS_ERR(src_page)) { 94 err = PTR_ERR(src_page); 95 fsverity_err(inode, 96 "Error %d reading Merkle tree page %llu", 97 err, params->level_start[level - 1] + i); 98 return err; 99 } 100 } 101 102 err = fsverity_hash_block(params, inode, req, src_page, 0, 103 &pending_hashes[pending_size]); 104 put_page(src_page); 105 if (err) 106 return err; 107 pending_size += params->digest_size; 108 109 if (level == params->num_levels) /* Root hash? */ 110 return 0; 111 112 if (pending_size + params->digest_size > params->block_size || 113 i + 1 == num_blocks_to_hash) { 114 /* Flush the pending hash block */ 115 memset(&pending_hashes[pending_size], 0, 116 params->block_size - pending_size); 117 err = vops->write_merkle_tree_block(inode, 118 pending_hashes, 119 dst_block_num << params->log_blocksize, 120 params->block_size); 121 if (err) { 122 fsverity_err(inode, 123 "Error %d writing Merkle tree block %llu", 124 err, dst_block_num); 125 return err; 126 } 127 dst_block_num++; 128 pending_size = 0; 129 } 130 131 if (fatal_signal_pending(current)) 132 return -EINTR; 133 cond_resched(); 134 } 135 return 0; 136 } 137 138 /* 139 * Build the Merkle tree for the given file using the given parameters, and 140 * return the root hash in @root_hash. 141 * 142 * The tree is written to a filesystem-specific location as determined by the 143 * ->write_merkle_tree_block() method. However, the blocks that comprise the 144 * tree are the same for all filesystems. 145 */ 146 static int build_merkle_tree(struct file *filp, 147 const struct merkle_tree_params *params, 148 u8 *root_hash) 149 { 150 struct inode *inode = file_inode(filp); 151 u8 *pending_hashes; 152 struct ahash_request *req; 153 u64 blocks; 154 unsigned int level; 155 int err = -ENOMEM; 156 157 if (inode->i_size == 0) { 158 /* Empty file is a special case; root hash is all 0's */ 159 memset(root_hash, 0, params->digest_size); 160 return 0; 161 } 162 163 /* This allocation never fails, since it's mempool-backed. */ 164 req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL); 165 166 pending_hashes = kmalloc(params->block_size, GFP_KERNEL); 167 if (!pending_hashes) 168 goto out; 169 170 /* 171 * Build each level of the Merkle tree, starting at the leaf level 172 * (level 0) and ascending to the root node (level 'num_levels - 1'). 173 * Then at the end (level 'num_levels'), calculate the root hash. 174 */ 175 blocks = ((u64)inode->i_size + params->block_size - 1) >> 176 params->log_blocksize; 177 for (level = 0; level <= params->num_levels; level++) { 178 err = build_merkle_tree_level(filp, level, blocks, params, 179 pending_hashes, req); 180 if (err) 181 goto out; 182 blocks = (blocks + params->hashes_per_block - 1) >> 183 params->log_arity; 184 } 185 memcpy(root_hash, pending_hashes, params->digest_size); 186 err = 0; 187 out: 188 kfree(pending_hashes); 189 fsverity_free_hash_request(params->hash_alg, req); 190 return err; 191 } 192 193 static int enable_verity(struct file *filp, 194 const struct fsverity_enable_arg *arg) 195 { 196 struct inode *inode = file_inode(filp); 197 const struct fsverity_operations *vops = inode->i_sb->s_vop; 198 struct merkle_tree_params params = { }; 199 struct fsverity_descriptor *desc; 200 size_t desc_size = struct_size(desc, signature, arg->sig_size); 201 struct fsverity_info *vi; 202 int err; 203 204 /* Start initializing the fsverity_descriptor */ 205 desc = kzalloc(desc_size, GFP_KERNEL); 206 if (!desc) 207 return -ENOMEM; 208 desc->version = 1; 209 desc->hash_algorithm = arg->hash_algorithm; 210 desc->log_blocksize = ilog2(arg->block_size); 211 212 /* Get the salt if the user provided one */ 213 if (arg->salt_size && 214 copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr), 215 arg->salt_size)) { 216 err = -EFAULT; 217 goto out; 218 } 219 desc->salt_size = arg->salt_size; 220 221 /* Get the signature if the user provided one */ 222 if (arg->sig_size && 223 copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr), 224 arg->sig_size)) { 225 err = -EFAULT; 226 goto out; 227 } 228 desc->sig_size = cpu_to_le32(arg->sig_size); 229 230 desc->data_size = cpu_to_le64(inode->i_size); 231 232 /* Prepare the Merkle tree parameters */ 233 err = fsverity_init_merkle_tree_params(¶ms, inode, 234 arg->hash_algorithm, 235 desc->log_blocksize, 236 desc->salt, desc->salt_size); 237 if (err) 238 goto out; 239 240 /* 241 * Start enabling verity on this file, serialized by the inode lock. 242 * Fail if verity is already enabled or is already being enabled. 243 */ 244 inode_lock(inode); 245 if (IS_VERITY(inode)) 246 err = -EEXIST; 247 else 248 err = vops->begin_enable_verity(filp); 249 inode_unlock(inode); 250 if (err) 251 goto out; 252 253 /* 254 * Build the Merkle tree. Don't hold the inode lock during this, since 255 * on huge files this may take a very long time and we don't want to 256 * force unrelated syscalls like chown() to block forever. We don't 257 * need the inode lock here because deny_write_access() already prevents 258 * the file from being written to or truncated, and we still serialize 259 * ->begin_enable_verity() and ->end_enable_verity() using the inode 260 * lock and only allow one process to be here at a time on a given file. 261 */ 262 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); 263 err = build_merkle_tree(filp, ¶ms, desc->root_hash); 264 if (err) { 265 fsverity_err(inode, "Error %d building Merkle tree", err); 266 goto rollback; 267 } 268 269 /* 270 * Create the fsverity_info. Don't bother trying to save work by 271 * reusing the merkle_tree_params from above. Instead, just create the 272 * fsverity_info from the fsverity_descriptor as if it were just loaded 273 * from disk. This is simpler, and it serves as an extra check that the 274 * metadata we're writing is valid before actually enabling verity. 275 */ 276 vi = fsverity_create_info(inode, desc); 277 if (IS_ERR(vi)) { 278 err = PTR_ERR(vi); 279 goto rollback; 280 } 281 282 /* 283 * Tell the filesystem to finish enabling verity on the file. 284 * Serialized with ->begin_enable_verity() by the inode lock. 285 */ 286 inode_lock(inode); 287 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); 288 inode_unlock(inode); 289 if (err) { 290 fsverity_err(inode, "%ps() failed with err %d", 291 vops->end_enable_verity, err); 292 fsverity_free_info(vi); 293 } else if (WARN_ON(!IS_VERITY(inode))) { 294 err = -EINVAL; 295 fsverity_free_info(vi); 296 } else { 297 /* Successfully enabled verity */ 298 299 /* 300 * Readers can start using ->i_verity_info immediately, so it 301 * can't be rolled back once set. So don't set it until just 302 * after the filesystem has successfully enabled verity. 303 */ 304 fsverity_set_info(inode, vi); 305 } 306 out: 307 kfree(params.hashstate); 308 kfree(desc); 309 return err; 310 311 rollback: 312 inode_lock(inode); 313 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); 314 inode_unlock(inode); 315 goto out; 316 } 317 318 /** 319 * fsverity_ioctl_enable() - enable verity on a file 320 * @filp: file to enable verity on 321 * @uarg: user pointer to fsverity_enable_arg 322 * 323 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of 324 * Documentation/filesystems/fsverity.rst for the documentation. 325 * 326 * Return: 0 on success, -errno on failure 327 */ 328 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) 329 { 330 struct inode *inode = file_inode(filp); 331 struct fsverity_enable_arg arg; 332 int err; 333 334 if (copy_from_user(&arg, uarg, sizeof(arg))) 335 return -EFAULT; 336 337 if (arg.version != 1) 338 return -EINVAL; 339 340 if (arg.__reserved1 || 341 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) 342 return -EINVAL; 343 344 if (arg.block_size != PAGE_SIZE) 345 return -EINVAL; 346 347 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) 348 return -EMSGSIZE; 349 350 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) 351 return -EMSGSIZE; 352 353 /* 354 * Require a regular file with write access. But the actual fd must 355 * still be readonly so that we can lock out all writers. This is 356 * needed to guarantee that no writable fds exist to the file once it 357 * has verity enabled, and to stabilize the data being hashed. 358 */ 359 360 err = file_permission(filp, MAY_WRITE); 361 if (err) 362 return err; 363 364 if (IS_APPEND(inode)) 365 return -EPERM; 366 367 if (S_ISDIR(inode->i_mode)) 368 return -EISDIR; 369 370 if (!S_ISREG(inode->i_mode)) 371 return -EINVAL; 372 373 err = mnt_want_write_file(filp); 374 if (err) /* -EROFS */ 375 return err; 376 377 err = deny_write_access(filp); 378 if (err) /* -ETXTBSY */ 379 goto out_drop_write; 380 381 err = enable_verity(filp, &arg); 382 if (err) 383 goto out_allow_write_access; 384 385 /* 386 * Some pages of the file may have been evicted from pagecache after 387 * being used in the Merkle tree construction, then read into pagecache 388 * again by another process reading from the file concurrently. Since 389 * these pages didn't undergo verification against the file digest which 390 * fs-verity now claims to be enforcing, we have to wipe the pagecache 391 * to ensure that all future reads are verified. 392 */ 393 filemap_write_and_wait(inode->i_mapping); 394 invalidate_inode_pages2(inode->i_mapping); 395 396 /* 397 * allow_write_access() is needed to pair with deny_write_access(). 398 * Regardless, the filesystem won't allow writing to verity files. 399 */ 400 out_allow_write_access: 401 allow_write_access(filp); 402 out_drop_write: 403 mnt_drop_write_file(filp); 404 return err; 405 } 406 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); 407