fs/verity/enable.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * Ioctl to enable verity on a file
0004  *
0005  * Copyright 2019 Google LLC
0006  */
0007
0008 #include "fsverity_private.h"
0009
0010 #include <crypto/hash.h>
0011 #include <linux/backing-dev.h>
0012 #include <linux/mount.h>
0013 #include <linux/pagemap.h>
0014 #include <linux/sched/signal.h>
0015 #include <linux/uaccess.h>
0016
0017 /*
0018  * Read a file data page for Merkle tree construction.  Do aggressive readahead,
0019  * since we're sequentially reading the entire file.
0020  */
0021 static struct page *read_file_data_page(struct file *file, pgoff_t index,
0022                     struct file_ra_state *ra,
0023                     unsigned long remaining_pages)
0024 {
0025     DEFINE_READAHEAD(ractl, file, ra, file->f_mapping, index);
0026     struct folio *folio;
0027
0028     folio = __filemap_get_folio(ractl.mapping, index, FGP_ACCESSED, 0);
0029     if (!folio || !folio_test_uptodate(folio)) {
0030         if (folio)
0031             folio_put(folio);
0032         else
0033             page_cache_sync_ra(&ractl, remaining_pages);
0034         folio = read_cache_folio(ractl.mapping, index, NULL, file);
0035         if (IS_ERR(folio))
0036             return &folio->page;
0037     }
0038     if (folio_test_readahead(folio))
0039         page_cache_async_ra(&ractl, folio, remaining_pages);
0040     return folio_file_page(folio, index);
0041 }
0042
0043 static int build_merkle_tree_level(struct file *filp, unsigned int level,
0044                    u64 num_blocks_to_hash,
0045                    const struct merkle_tree_params *params,
0046                    u8 *pending_hashes,
0047                    struct ahash_request *req)
0048 {
0049     struct inode *inode = file_inode(filp);
0050     const struct fsverity_operations *vops = inode->i_sb->s_vop;
0051     struct file_ra_state ra = { 0 };
0052     unsigned int pending_size = 0;
0053     u64 dst_block_num;
0054     u64 i;
0055     int err;
0056
0057     if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */
0058         return -EINVAL;
0059
0060     if (level < params->num_levels) {
0061         dst_block_num = params->level_start[level];
0062     } else {
0063         if (WARN_ON(num_blocks_to_hash != 1))
0064             return -EINVAL;
0065         dst_block_num = 0; /* unused */
0066     }
0067
0068     file_ra_state_init(&ra, filp->f_mapping);
0069
0070     for (i = 0; i < num_blocks_to_hash; i++) {
0071         struct page *src_page;
0072
0073         if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash)
0074             pr_debug("Hashing block %llu of %llu for level %u\n",
0075                  i + 1, num_blocks_to_hash, level);
0076
0077         if (level == 0) {
0078             /* Leaf: hashing a data block */
0079             src_page = read_file_data_page(filp, i, &ra,
0080                                num_blocks_to_hash - i);
0081             if (IS_ERR(src_page)) {
0082                 err = PTR_ERR(src_page);
0083                 fsverity_err(inode,
0084                          "Error %d reading data page %llu",
0085                          err, i);
0086                 return err;
0087             }
0088         } else {
0089             unsigned long num_ra_pages =
0090                 min_t(unsigned long, num_blocks_to_hash - i,
0091                       inode->i_sb->s_bdi->io_pages);
0092
0093             /* Non-leaf: hashing hash block from level below */
0094             src_page = vops->read_merkle_tree_page(inode,
0095                     params->level_start[level - 1] + i,
0096                     num_ra_pages);
0097             if (IS_ERR(src_page)) {
0098                 err = PTR_ERR(src_page);
0099                 fsverity_err(inode,
0100                          "Error %d reading Merkle tree page %llu",
0101                          err, params->level_start[level - 1] + i);
0102                 return err;
0103             }
0104         }
0105
0106         err = fsverity_hash_page(params, inode, req, src_page,
0107                      &pending_hashes[pending_size]);
0108         put_page(src_page);
0109         if (err)
0110             return err;
0111         pending_size += params->digest_size;
0112
0113         if (level == params->num_levels) /* Root hash? */
0114             return 0;
0115
0116         if (pending_size + params->digest_size > params->block_size ||
0117             i + 1 == num_blocks_to_hash) {
0118             /* Flush the pending hash block */
0119             memset(&pending_hashes[pending_size], 0,
0120                    params->block_size - pending_size);
0121             err = vops->write_merkle_tree_block(inode,
0122                     pending_hashes,
0123                     dst_block_num,
0124                     params->log_blocksize);
0125             if (err) {
0126                 fsverity_err(inode,
0127                          "Error %d writing Merkle tree block %llu",
0128                          err, dst_block_num);
0129                 return err;
0130             }
0131             dst_block_num++;
0132             pending_size = 0;
0133         }
0134
0135         if (fatal_signal_pending(current))
0136             return -EINTR;
0137         cond_resched();
0138     }
0139     return 0;
0140 }
0141
0142 /*
0143  * Build the Merkle tree for the given file using the given parameters, and
0144  * return the root hash in @root_hash.
0145  *
0146  * The tree is written to a filesystem-specific location as determined by the
0147  * ->write_merkle_tree_block() method.  However, the blocks that comprise the
0148  * tree are the same for all filesystems.
0149  */
0150 static int build_merkle_tree(struct file *filp,
0151                  const struct merkle_tree_params *params,
0152                  u8 *root_hash)
0153 {
0154     struct inode *inode = file_inode(filp);
0155     u8 *pending_hashes;
0156     struct ahash_request *req;
0157     u64 blocks;
0158     unsigned int level;
0159     int err = -ENOMEM;
0160
0161     if (inode->i_size == 0) {
0162         /* Empty file is a special case; root hash is all 0's */
0163         memset(root_hash, 0, params->digest_size);
0164         return 0;
0165     }
0166
0167     /* This allocation never fails, since it's mempool-backed. */
0168     req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL);
0169
0170     pending_hashes = kmalloc(params->block_size, GFP_KERNEL);
0171     if (!pending_hashes)
0172         goto out;
0173
0174     /*
0175      * Build each level of the Merkle tree, starting at the leaf level
0176      * (level 0) and ascending to the root node (level 'num_levels - 1').
0177      * Then at the end (level 'num_levels'), calculate the root hash.
0178      */
0179     blocks = ((u64)inode->i_size + params->block_size - 1) >>
0180          params->log_blocksize;
0181     for (level = 0; level <= params->num_levels; level++) {
0182         err = build_merkle_tree_level(filp, level, blocks, params,
0183                           pending_hashes, req);
0184         if (err)
0185             goto out;
0186         blocks = (blocks + params->hashes_per_block - 1) >>
0187              params->log_arity;
0188     }
0189     memcpy(root_hash, pending_hashes, params->digest_size);
0190     err = 0;
0191 out:
0192     kfree(pending_hashes);
0193     fsverity_free_hash_request(params->hash_alg, req);
0194     return err;
0195 }
0196
0197 static int enable_verity(struct file *filp,
0198              const struct fsverity_enable_arg *arg)
0199 {
0200     struct inode *inode = file_inode(filp);
0201     const struct fsverity_operations *vops = inode->i_sb->s_vop;
0202     struct merkle_tree_params params = { };
0203     struct fsverity_descriptor *desc;
0204     size_t desc_size = struct_size(desc, signature, arg->sig_size);
0205     struct fsverity_info *vi;
0206     int err;
0207
0208     /* Start initializing the fsverity_descriptor */
0209     desc = kzalloc(desc_size, GFP_KERNEL);
0210     if (!desc)
0211         return -ENOMEM;
0212     desc->version = 1;
0213     desc->hash_algorithm = arg->hash_algorithm;
0214     desc->log_blocksize = ilog2(arg->block_size);
0215
0216     /* Get the salt if the user provided one */
0217     if (arg->salt_size &&
0218         copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr),
0219                arg->salt_size)) {
0220         err = -EFAULT;
0221         goto out;
0222     }
0223     desc->salt_size = arg->salt_size;
0224
0225     /* Get the signature if the user provided one */
0226     if (arg->sig_size &&
0227         copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr),
0228                arg->sig_size)) {
0229         err = -EFAULT;
0230         goto out;
0231     }
0232     desc->sig_size = cpu_to_le32(arg->sig_size);
0233
0234     desc->data_size = cpu_to_le64(inode->i_size);
0235
0236     /* Prepare the Merkle tree parameters */
0237     err = fsverity_init_merkle_tree_params(&params, inode,
0238                            arg->hash_algorithm,
0239                            desc->log_blocksize,
0240                            desc->salt, desc->salt_size);
0241     if (err)
0242         goto out;
0243
0244     /*
0245      * Start enabling verity on this file, serialized by the inode lock.
0246      * Fail if verity is already enabled or is already being enabled.
0247      */
0248     inode_lock(inode);
0249     if (IS_VERITY(inode))
0250         err = -EEXIST;
0251     else
0252         err = vops->begin_enable_verity(filp);
0253     inode_unlock(inode);
0254     if (err)
0255         goto out;
0256
0257     /*
0258      * Build the Merkle tree.  Don't hold the inode lock during this, since
0259      * on huge files this may take a very long time and we don't want to
0260      * force unrelated syscalls like chown() to block forever.  We don't
0261      * need the inode lock here because deny_write_access() already prevents
0262      * the file from being written to or truncated, and we still serialize
0263      * ->begin_enable_verity() and ->end_enable_verity() using the inode
0264      * lock and only allow one process to be here at a time on a given file.
0265      */
0266     pr_debug("Building Merkle tree...\n");
0267     BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE);
0268     err = build_merkle_tree(filp, &params, desc->root_hash);
0269     if (err) {
0270         fsverity_err(inode, "Error %d building Merkle tree", err);
0271         goto rollback;
0272     }
0273     pr_debug("Done building Merkle tree.  Root hash is %s:%*phN\n",
0274          params.hash_alg->name, params.digest_size, desc->root_hash);
0275
0276     /*
0277      * Create the fsverity_info.  Don't bother trying to save work by
0278      * reusing the merkle_tree_params from above.  Instead, just create the
0279      * fsverity_info from the fsverity_descriptor as if it were just loaded
0280      * from disk.  This is simpler, and it serves as an extra check that the
0281      * metadata we're writing is valid before actually enabling verity.
0282      */
0283     vi = fsverity_create_info(inode, desc);
0284     if (IS_ERR(vi)) {
0285         err = PTR_ERR(vi);
0286         goto rollback;
0287     }
0288
0289     if (arg->sig_size)
0290         pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n",
0291              arg->sig_size);
0292
0293     /*
0294      * Tell the filesystem to finish enabling verity on the file.
0295      * Serialized with ->begin_enable_verity() by the inode lock.
0296      */
0297     inode_lock(inode);
0298     err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size);
0299     inode_unlock(inode);
0300     if (err) {
0301         fsverity_err(inode, "%ps() failed with err %d",
0302                  vops->end_enable_verity, err);
0303         fsverity_free_info(vi);
0304     } else if (WARN_ON(!IS_VERITY(inode))) {
0305         err = -EINVAL;
0306         fsverity_free_info(vi);
0307     } else {
0308         /* Successfully enabled verity */
0309
0310         /*
0311          * Readers can start using ->i_verity_info immediately, so it
0312          * can't be rolled back once set.  So don't set it until just
0313          * after the filesystem has successfully enabled verity.
0314          */
0315         fsverity_set_info(inode, vi);
0316     }
0317 out:
0318     kfree(params.hashstate);
0319     kfree(desc);
0320     return err;
0321
0322 rollback:
0323     inode_lock(inode);
0324     (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size);
0325     inode_unlock(inode);
0326     goto out;
0327 }
0328
0329 /**
0330  * fsverity_ioctl_enable() - enable verity on a file
0331  * @filp: file to enable verity on
0332  * @uarg: user pointer to fsverity_enable_arg
0333  *
0334  * Enable fs-verity on a file.  See the "FS_IOC_ENABLE_VERITY" section of
0335  * Documentation/filesystems/fsverity.rst for the documentation.
0336  *
0337  * Return: 0 on success, -errno on failure
0338  */
0339 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
0340 {
0341     struct inode *inode = file_inode(filp);
0342     struct fsverity_enable_arg arg;
0343     int err;
0344
0345     if (copy_from_user(&arg, uarg, sizeof(arg)))
0346         return -EFAULT;
0347
0348     if (arg.version != 1)
0349         return -EINVAL;
0350
0351     if (arg.__reserved1 ||
0352         memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
0353         return -EINVAL;
0354
0355     if (arg.block_size != PAGE_SIZE)
0356         return -EINVAL;
0357
0358     if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
0359         return -EMSGSIZE;
0360
0361     if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
0362         return -EMSGSIZE;
0363
0364     /*
0365      * Require a regular file with write access.  But the actual fd must
0366      * still be readonly so that we can lock out all writers.  This is
0367      * needed to guarantee that no writable fds exist to the file once it
0368      * has verity enabled, and to stabilize the data being hashed.
0369      */
0370
0371     err = file_permission(filp, MAY_WRITE);
0372     if (err)
0373         return err;
0374
0375     if (IS_APPEND(inode))
0376         return -EPERM;
0377
0378     if (S_ISDIR(inode->i_mode))
0379         return -EISDIR;
0380
0381     if (!S_ISREG(inode->i_mode))
0382         return -EINVAL;
0383
0384     err = mnt_want_write_file(filp);
0385     if (err) /* -EROFS */
0386         return err;
0387
0388     err = deny_write_access(filp);
0389     if (err) /* -ETXTBSY */
0390         goto out_drop_write;
0391
0392     err = enable_verity(filp, &arg);
0393     if (err)
0394         goto out_allow_write_access;
0395
0396     /*
0397      * Some pages of the file may have been evicted from pagecache after
0398      * being used in the Merkle tree construction, then read into pagecache
0399      * again by another process reading from the file concurrently.  Since
0400      * these pages didn't undergo verification against the file digest which
0401      * fs-verity now claims to be enforcing, we have to wipe the pagecache
0402      * to ensure that all future reads are verified.
0403      */
0404     filemap_write_and_wait(inode->i_mapping);
0405     invalidate_inode_pages2(inode->i_mapping);
0406
0407     /*
0408      * allow_write_access() is needed to pair with deny_write_access().
0409      * Regardless, the filesystem won't allow writing to verity files.
0410      */
0411 out_allow_write_access:
0412     allow_write_access(filp);
0413 out_drop_write:
0414     mnt_drop_write_file(filp);
0415     return err;
0416 }
0417 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable);