fs/verity/hash_algs.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * fs-verity hash algorithms
0004  *
0005  * Copyright 2019 Google LLC
0006  */
0007
0008 #include "fsverity_private.h"
0009
0010 #include <crypto/hash.h>
0011 #include <linux/scatterlist.h>
0012
0013 /* The hash algorithms supported by fs-verity */
0014 struct fsverity_hash_alg fsverity_hash_algs[] = {
0015     [FS_VERITY_HASH_ALG_SHA256] = {
0016         .name = "sha256",
0017         .digest_size = SHA256_DIGEST_SIZE,
0018         .block_size = SHA256_BLOCK_SIZE,
0019     },
0020     [FS_VERITY_HASH_ALG_SHA512] = {
0021         .name = "sha512",
0022         .digest_size = SHA512_DIGEST_SIZE,
0023         .block_size = SHA512_BLOCK_SIZE,
0024     },
0025 };
0026
0027 static DEFINE_MUTEX(fsverity_hash_alg_init_mutex);
0028
0029 /**
0030  * fsverity_get_hash_alg() - validate and prepare a hash algorithm
0031  * @inode: optional inode for logging purposes
0032  * @num: the hash algorithm number
0033  *
0034  * Get the struct fsverity_hash_alg for the given hash algorithm number, and
0035  * ensure it has a hash transform ready to go.  The hash transforms are
0036  * allocated on-demand so that we don't waste resources unnecessarily, and
0037  * because the crypto modules may be initialized later than fs/verity/.
0038  *
0039  * Return: pointer to the hash alg on success, else an ERR_PTR()
0040  */
0041 struct fsverity_hash_alg *fsverity_get_hash_alg(const struct inode *inode,
0042                         unsigned int num)
0043 {
0044     struct fsverity_hash_alg *alg;
0045     struct crypto_ahash *tfm;
0046     int err;
0047
0048     if (num >= ARRAY_SIZE(fsverity_hash_algs) ||
0049         !fsverity_hash_algs[num].name) {
0050         fsverity_warn(inode, "Unknown hash algorithm number: %u", num);
0051         return ERR_PTR(-EINVAL);
0052     }
0053     alg = &fsverity_hash_algs[num];
0054
0055     /* pairs with smp_store_release() below */
0056     if (likely(smp_load_acquire(&alg->tfm) != NULL))
0057         return alg;
0058
0059     mutex_lock(&fsverity_hash_alg_init_mutex);
0060
0061     if (alg->tfm != NULL)
0062         goto out_unlock;
0063
0064     /*
0065      * Using the shash API would make things a bit simpler, but the ahash
0066      * API is preferable as it allows the use of crypto accelerators.
0067      */
0068     tfm = crypto_alloc_ahash(alg->name, 0, 0);
0069     if (IS_ERR(tfm)) {
0070         if (PTR_ERR(tfm) == -ENOENT) {
0071             fsverity_warn(inode,
0072                       "Missing crypto API support for hash algorithm \"%s\"",
0073                       alg->name);
0074             alg = ERR_PTR(-ENOPKG);
0075             goto out_unlock;
0076         }
0077         fsverity_err(inode,
0078                  "Error allocating hash algorithm \"%s\": %ld",
0079                  alg->name, PTR_ERR(tfm));
0080         alg = ERR_CAST(tfm);
0081         goto out_unlock;
0082     }
0083
0084     err = -EINVAL;
0085     if (WARN_ON(alg->digest_size != crypto_ahash_digestsize(tfm)))
0086         goto err_free_tfm;
0087     if (WARN_ON(alg->block_size != crypto_ahash_blocksize(tfm)))
0088         goto err_free_tfm;
0089
0090     err = mempool_init_kmalloc_pool(&alg->req_pool, 1,
0091                     sizeof(struct ahash_request) +
0092                     crypto_ahash_reqsize(tfm));
0093     if (err)
0094         goto err_free_tfm;
0095
0096     pr_info("%s using implementation \"%s\"\n",
0097         alg->name, crypto_ahash_driver_name(tfm));
0098
0099     /* pairs with smp_load_acquire() above */
0100     smp_store_release(&alg->tfm, tfm);
0101     goto out_unlock;
0102
0103 err_free_tfm:
0104     crypto_free_ahash(tfm);
0105     alg = ERR_PTR(err);
0106 out_unlock:
0107     mutex_unlock(&fsverity_hash_alg_init_mutex);
0108     return alg;
0109 }
0110
0111 /**
0112  * fsverity_alloc_hash_request() - allocate a hash request object
0113  * @alg: the hash algorithm for which to allocate the request
0114  * @gfp_flags: memory allocation flags
0115  *
0116  * This is mempool-backed, so this never fails if __GFP_DIRECT_RECLAIM is set in
0117  * @gfp_flags.  However, in that case this might need to wait for all
0118  * previously-allocated requests to be freed.  So to avoid deadlocks, callers
0119  * must never need multiple requests at a time to make forward progress.
0120  *
0121  * Return: the request object on success; NULL on failure (but see above)
0122  */
0123 struct ahash_request *fsverity_alloc_hash_request(struct fsverity_hash_alg *alg,
0124                           gfp_t gfp_flags)
0125 {
0126     struct ahash_request *req = mempool_alloc(&alg->req_pool, gfp_flags);
0127
0128     if (req)
0129         ahash_request_set_tfm(req, alg->tfm);
0130     return req;
0131 }
0132
0133 /**
0134  * fsverity_free_hash_request() - free a hash request object
0135  * @alg: the hash algorithm
0136  * @req: the hash request object to free
0137  */
0138 void fsverity_free_hash_request(struct fsverity_hash_alg *alg,
0139                 struct ahash_request *req)
0140 {
0141     if (req) {
0142         ahash_request_zero(req);
0143         mempool_free(req, &alg->req_pool);
0144     }
0145 }
0146
0147 /**
0148  * fsverity_prepare_hash_state() - precompute the initial hash state
0149  * @alg: hash algorithm
0150  * @salt: a salt which is to be prepended to all data to be hashed
0151  * @salt_size: salt size in bytes, possibly 0
0152  *
0153  * Return: NULL if the salt is empty, otherwise the kmalloc()'ed precomputed
0154  *     initial hash state on success or an ERR_PTR() on failure.
0155  */
0156 const u8 *fsverity_prepare_hash_state(struct fsverity_hash_alg *alg,
0157                       const u8 *salt, size_t salt_size)
0158 {
0159     u8 *hashstate = NULL;
0160     struct ahash_request *req = NULL;
0161     u8 *padded_salt = NULL;
0162     size_t padded_salt_size;
0163     struct scatterlist sg;
0164     DECLARE_CRYPTO_WAIT(wait);
0165     int err;
0166
0167     if (salt_size == 0)
0168         return NULL;
0169
0170     hashstate = kmalloc(crypto_ahash_statesize(alg->tfm), GFP_KERNEL);
0171     if (!hashstate)
0172         return ERR_PTR(-ENOMEM);
0173
0174     /* This allocation never fails, since it's mempool-backed. */
0175     req = fsverity_alloc_hash_request(alg, GFP_KERNEL);
0176
0177     /*
0178      * Zero-pad the salt to the next multiple of the input size of the hash
0179      * algorithm's compression function, e.g. 64 bytes for SHA-256 or 128
0180      * bytes for SHA-512.  This ensures that the hash algorithm won't have
0181      * any bytes buffered internally after processing the salt, thus making
0182      * salted hashing just as fast as unsalted hashing.
0183      */
0184     padded_salt_size = round_up(salt_size, alg->block_size);
0185     padded_salt = kzalloc(padded_salt_size, GFP_KERNEL);
0186     if (!padded_salt) {
0187         err = -ENOMEM;
0188         goto err_free;
0189     }
0190     memcpy(padded_salt, salt, salt_size);
0191
0192     sg_init_one(&sg, padded_salt, padded_salt_size);
0193     ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP |
0194                     CRYPTO_TFM_REQ_MAY_BACKLOG,
0195                    crypto_req_done, &wait);
0196     ahash_request_set_crypt(req, &sg, NULL, padded_salt_size);
0197
0198     err = crypto_wait_req(crypto_ahash_init(req), &wait);
0199     if (err)
0200         goto err_free;
0201
0202     err = crypto_wait_req(crypto_ahash_update(req), &wait);
0203     if (err)
0204         goto err_free;
0205
0206     err = crypto_ahash_export(req, hashstate);
0207     if (err)
0208         goto err_free;
0209 out:
0210     fsverity_free_hash_request(alg, req);
0211     kfree(padded_salt);
0212     return hashstate;
0213
0214 err_free:
0215     kfree(hashstate);
0216     hashstate = ERR_PTR(err);
0217     goto out;
0218 }
0219
0220 /**
0221  * fsverity_hash_page() - hash a single data or hash page
0222  * @params: the Merkle tree's parameters
0223  * @inode: inode for which the hashing is being done
0224  * @req: preallocated hash request
0225  * @page: the page to hash
0226  * @out: output digest, size 'params->digest_size' bytes
0227  *
0228  * Hash a single data or hash block, assuming block_size == PAGE_SIZE.
0229  * The hash is salted if a salt is specified in the Merkle tree parameters.
0230  *
0231  * Return: 0 on success, -errno on failure
0232  */
0233 int fsverity_hash_page(const struct merkle_tree_params *params,
0234                const struct inode *inode,
0235                struct ahash_request *req, struct page *page, u8 *out)
0236 {
0237     struct scatterlist sg;
0238     DECLARE_CRYPTO_WAIT(wait);
0239     int err;
0240
0241     if (WARN_ON(params->block_size != PAGE_SIZE))
0242         return -EINVAL;
0243
0244     sg_init_table(&sg, 1);
0245     sg_set_page(&sg, page, PAGE_SIZE, 0);
0246     ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP |
0247                     CRYPTO_TFM_REQ_MAY_BACKLOG,
0248                    crypto_req_done, &wait);
0249     ahash_request_set_crypt(req, &sg, out, PAGE_SIZE);
0250
0251     if (params->hashstate) {
0252         err = crypto_ahash_import(req, params->hashstate);
0253         if (err) {
0254             fsverity_err(inode,
0255                      "Error %d importing hash state", err);
0256             return err;
0257         }
0258         err = crypto_ahash_finup(req);
0259     } else {
0260         err = crypto_ahash_digest(req);
0261     }
0262
0263     err = crypto_wait_req(err, &wait);
0264     if (err)
0265         fsverity_err(inode, "Error %d computing page hash", err);
0266     return err;
0267 }
0268
0269 /**
0270  * fsverity_hash_buffer() - hash some data
0271  * @alg: the hash algorithm to use
0272  * @data: the data to hash
0273  * @size: size of data to hash, in bytes
0274  * @out: output digest, size 'alg->digest_size' bytes
0275  *
0276  * Hash some data which is located in physically contiguous memory (i.e. memory
0277  * allocated by kmalloc(), not by vmalloc()).  No salt is used.
0278  *
0279  * Return: 0 on success, -errno on failure
0280  */
0281 int fsverity_hash_buffer(struct fsverity_hash_alg *alg,
0282              const void *data, size_t size, u8 *out)
0283 {
0284     struct ahash_request *req;
0285     struct scatterlist sg;
0286     DECLARE_CRYPTO_WAIT(wait);
0287     int err;
0288
0289     /* This allocation never fails, since it's mempool-backed. */
0290     req = fsverity_alloc_hash_request(alg, GFP_KERNEL);
0291
0292     sg_init_one(&sg, data, size);
0293     ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP |
0294                     CRYPTO_TFM_REQ_MAY_BACKLOG,
0295                    crypto_req_done, &wait);
0296     ahash_request_set_crypt(req, &sg, out, size);
0297
0298     err = crypto_wait_req(crypto_ahash_digest(req), &wait);
0299
0300     fsverity_free_hash_request(alg, req);
0301     return err;
0302 }
0303
0304 void __init fsverity_check_hash_algs(void)
0305 {
0306     size_t i;
0307
0308     /*
0309      * Sanity check the hash algorithms (could be a build-time check, but
0310      * they're in an array)
0311      */
0312     for (i = 0; i < ARRAY_SIZE(fsverity_hash_algs); i++) {
0313         const struct fsverity_hash_alg *alg = &fsverity_hash_algs[i];
0314
0315         if (!alg->name)
0316             continue;
0317
0318         BUG_ON(alg->digest_size > FS_VERITY_MAX_DIGEST_SIZE);
0319
0320         /*
0321          * For efficiency, the implementation currently assumes the
0322          * digest and block sizes are powers of 2.  This limitation can
0323          * be lifted if the code is updated to handle other values.
0324          */
0325         BUG_ON(!is_power_of_2(alg->digest_size));
0326         BUG_ON(!is_power_of_2(alg->block_size));
0327     }
0328 }