1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2012 Red Hat, Inc. 4 * 5 * Author: Mikulas Patocka <mpatocka@redhat.com> 6 * 7 * Based on Chromium dm-verity driver (C) 2011 The Chromium OS Authors 8 * 9 * In the file "/sys/module/dm_verity/parameters/prefetch_cluster" you can set 10 * default prefetch value. Data are read in "prefetch_cluster" chunks from the 11 * hash device. Setting this greatly improves performance when data and hash 12 * are on the same disk on different partitions on devices with poor random 13 * access behavior. 14 */ 15 16 #include "dm-verity.h" 17 #include "dm-verity-fec.h" 18 #include "dm-verity-verify-sig.h" 19 #include "dm-audit.h" 20 #include <linux/module.h> 21 #include <linux/reboot.h> 22 #include <linux/string.h> 23 #include <linux/jump_label.h> 24 #include <linux/security.h> 25 26 #define DM_MSG_PREFIX "verity" 27 28 #define DM_VERITY_ENV_LENGTH 42 29 #define DM_VERITY_ENV_VAR_NAME "DM_VERITY_ERR_BLOCK_NR" 30 31 #define DM_VERITY_DEFAULT_PREFETCH_SIZE 262144 32 #define DM_VERITY_USE_BH_DEFAULT_BYTES 8192 33 34 #define DM_VERITY_MAX_CORRUPTED_ERRS 100 35 36 #define DM_VERITY_OPT_LOGGING "ignore_corruption" 37 #define DM_VERITY_OPT_RESTART "restart_on_corruption" 38 #define DM_VERITY_OPT_PANIC "panic_on_corruption" 39 #define DM_VERITY_OPT_ERROR_RESTART "restart_on_error" 40 #define DM_VERITY_OPT_ERROR_PANIC "panic_on_error" 41 #define DM_VERITY_OPT_IGN_ZEROES "ignore_zero_blocks" 42 #define DM_VERITY_OPT_AT_MOST_ONCE "check_at_most_once" 43 #define DM_VERITY_OPT_TASKLET_VERIFY "try_verify_in_tasklet" 44 45 #define DM_VERITY_OPTS_MAX (5 + DM_VERITY_OPTS_FEC + \ 46 DM_VERITY_ROOT_HASH_VERIFICATION_OPTS) 47 48 static unsigned int dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE; 49 50 module_param_named(prefetch_cluster, dm_verity_prefetch_cluster, uint, 0644); 51 52 static unsigned int dm_verity_use_bh_bytes[4] = { 53 DM_VERITY_USE_BH_DEFAULT_BYTES, // IOPRIO_CLASS_NONE 54 DM_VERITY_USE_BH_DEFAULT_BYTES, // IOPRIO_CLASS_RT 55 DM_VERITY_USE_BH_DEFAULT_BYTES, // IOPRIO_CLASS_BE 56 0 // IOPRIO_CLASS_IDLE 57 }; 58 59 module_param_array_named(use_bh_bytes, dm_verity_use_bh_bytes, uint, NULL, 0644); 60 61 static DEFINE_STATIC_KEY_FALSE(use_bh_wq_enabled); 62 63 struct dm_verity_prefetch_work { 64 struct work_struct work; 65 struct dm_verity *v; 66 unsigned short ioprio; 67 sector_t block; 68 unsigned int n_blocks; 69 }; 70 71 /* 72 * Auxiliary structure appended to each dm-bufio buffer. If the value 73 * hash_verified is nonzero, hash of the block has been verified. 74 * 75 * The variable hash_verified is set to 0 when allocating the buffer, then 76 * it can be changed to 1 and it is never reset to 0 again. 77 * 78 * There is no lock around this value, a race condition can at worst cause 79 * that multiple processes verify the hash of the same buffer simultaneously 80 * and write 1 to hash_verified simultaneously. 81 * This condition is harmless, so we don't need locking. 82 */ 83 struct buffer_aux { 84 int hash_verified; 85 }; 86 87 /* 88 * Initialize struct buffer_aux for a freshly created buffer. 89 */ 90 static void dm_bufio_alloc_callback(struct dm_buffer *buf) 91 { 92 struct buffer_aux *aux = dm_bufio_get_aux_data(buf); 93 94 aux->hash_verified = 0; 95 } 96 97 /* 98 * Translate input sector number to the sector number on the target device. 99 */ 100 static sector_t verity_map_sector(struct dm_verity *v, sector_t bi_sector) 101 { 102 return dm_target_offset(v->ti, bi_sector); 103 } 104 105 /* 106 * Return hash position of a specified block at a specified tree level 107 * (0 is the lowest level). 108 * The lowest "hash_per_block_bits"-bits of the result denote hash position 109 * inside a hash block. The remaining bits denote location of the hash block. 110 */ 111 static sector_t verity_position_at_level(struct dm_verity *v, sector_t block, 112 int level) 113 { 114 return block >> (level * v->hash_per_block_bits); 115 } 116 117 int verity_hash(struct dm_verity *v, struct dm_verity_io *io, 118 const u8 *data, size_t len, u8 *digest) 119 { 120 struct shash_desc *desc; 121 int r; 122 123 if (likely(v->use_sha256_lib)) { 124 struct sha256_ctx *ctx = &io->hash_ctx.sha256; 125 126 /* 127 * Fast path using SHA-256 library. This is enabled only for 128 * verity version 1, where the salt is at the beginning. 129 */ 130 *ctx = *v->initial_hashstate.sha256; 131 sha256_update(ctx, data, len); 132 sha256_final(ctx, digest); 133 return 0; 134 } 135 136 desc = &io->hash_ctx.shash; 137 desc->tfm = v->shash_tfm; 138 if (unlikely(v->initial_hashstate.shash == NULL)) { 139 /* Version 0: salt at end */ 140 r = crypto_shash_init(desc) ?: 141 crypto_shash_update(desc, data, len) ?: 142 crypto_shash_update(desc, v->salt, v->salt_size) ?: 143 crypto_shash_final(desc, digest); 144 } else { 145 /* Version 1: salt at beginning */ 146 r = crypto_shash_import(desc, v->initial_hashstate.shash) ?: 147 crypto_shash_finup(desc, data, len, digest); 148 } 149 if (unlikely(r)) 150 DMERR("Error hashing block: %d", r); 151 return r; 152 } 153 154 static void verity_hash_at_level(struct dm_verity *v, sector_t block, int level, 155 sector_t *hash_block, unsigned int *offset) 156 { 157 sector_t position = verity_position_at_level(v, block, level); 158 unsigned int idx; 159 160 *hash_block = v->hash_level_block[level] + (position >> v->hash_per_block_bits); 161 162 if (!offset) 163 return; 164 165 idx = position & ((1 << v->hash_per_block_bits) - 1); 166 if (!v->version) 167 *offset = idx * v->digest_size; 168 else 169 *offset = idx << (v->hash_dev_block_bits - v->hash_per_block_bits); 170 } 171 172 /* 173 * Handle verification errors. 174 */ 175 static int verity_handle_err(struct dm_verity *v, enum verity_block_type type, 176 unsigned long long block) 177 { 178 char verity_env[DM_VERITY_ENV_LENGTH]; 179 char *envp[] = { verity_env, NULL }; 180 const char *type_str = ""; 181 struct mapped_device *md = dm_table_get_md(v->ti->table); 182 183 /* Corruption should be visible in device status in all modes */ 184 v->hash_failed = true; 185 186 if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS) 187 goto out; 188 189 v->corrupted_errs++; 190 191 switch (type) { 192 case DM_VERITY_BLOCK_TYPE_DATA: 193 type_str = "data"; 194 break; 195 case DM_VERITY_BLOCK_TYPE_METADATA: 196 type_str = "metadata"; 197 break; 198 default: 199 BUG(); 200 } 201 202 DMERR_LIMIT("%s: %s block %llu is corrupted", v->data_dev->name, 203 type_str, block); 204 205 if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS) { 206 DMERR("%s: reached maximum errors", v->data_dev->name); 207 dm_audit_log_target(DM_MSG_PREFIX, "max-corrupted-errors", v->ti, 0); 208 } 209 210 snprintf(verity_env, DM_VERITY_ENV_LENGTH, "%s=%d,%llu", 211 DM_VERITY_ENV_VAR_NAME, type, block); 212 213 kobject_uevent_env(&disk_to_dev(dm_disk(md))->kobj, KOBJ_CHANGE, envp); 214 215 out: 216 if (v->mode == DM_VERITY_MODE_LOGGING) 217 return 0; 218 219 if (v->mode == DM_VERITY_MODE_RESTART) 220 kernel_restart("dm-verity device corrupted"); 221 222 if (v->mode == DM_VERITY_MODE_PANIC) 223 panic("dm-verity device corrupted"); 224 225 return 1; 226 } 227 228 /* 229 * Verify hash of a metadata block pertaining to the specified data block 230 * ("block" argument) at a specified level ("level" argument). 231 * 232 * On successful return, want_digest contains the hash value for a lower tree 233 * level or for the data block (if we're at the lowest level). 234 * 235 * If "skip_unverified" is true, unverified buffer is skipped and 1 is returned. 236 * If "skip_unverified" is false, unverified buffer is hashed and verified 237 * against current value of want_digest. 238 */ 239 static int verity_verify_level(struct dm_verity *v, struct dm_verity_io *io, 240 sector_t block, int level, bool skip_unverified, 241 u8 *want_digest) 242 { 243 struct dm_buffer *buf; 244 struct buffer_aux *aux; 245 u8 *data; 246 int r; 247 sector_t hash_block; 248 unsigned int offset; 249 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); 250 251 verity_hash_at_level(v, block, level, &hash_block, &offset); 252 253 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) { 254 data = dm_bufio_get(v->bufio, hash_block, &buf); 255 if (IS_ERR_OR_NULL(data)) { 256 /* 257 * In softirq and the hash was not in the bufio cache. 258 * Return early and resume execution from a kworker to 259 * read the hash from disk. 260 */ 261 return -EAGAIN; 262 } 263 } else { 264 data = dm_bufio_read_with_ioprio(v->bufio, hash_block, 265 &buf, bio->bi_ioprio); 266 } 267 268 if (IS_ERR(data)) { 269 if (skip_unverified) 270 return 1; 271 r = PTR_ERR(data); 272 data = dm_bufio_new(v->bufio, hash_block, &buf); 273 if (IS_ERR(data)) 274 return r; 275 if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_METADATA, 276 want_digest, hash_block, data) == 0) { 277 aux = dm_bufio_get_aux_data(buf); 278 aux->hash_verified = 1; 279 goto release_ok; 280 } else { 281 dm_bufio_release(buf); 282 dm_bufio_forget(v->bufio, hash_block); 283 return r; 284 } 285 } 286 287 aux = dm_bufio_get_aux_data(buf); 288 289 if (!aux->hash_verified) { 290 if (skip_unverified) { 291 r = 1; 292 goto release_ret_r; 293 } 294 295 r = verity_hash(v, io, data, 1 << v->hash_dev_block_bits, 296 io->tmp_digest); 297 if (unlikely(r < 0)) 298 goto release_ret_r; 299 300 if (likely(memcmp(io->tmp_digest, want_digest, 301 v->digest_size) == 0)) 302 aux->hash_verified = 1; 303 else if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) { 304 /* 305 * Error handling code (FEC included) cannot be run in a 306 * softirq since it may sleep, so fallback to a kworker. 307 */ 308 r = -EAGAIN; 309 goto release_ret_r; 310 } else if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_METADATA, 311 want_digest, hash_block, data) == 0) 312 aux->hash_verified = 1; 313 else if (verity_handle_err(v, 314 DM_VERITY_BLOCK_TYPE_METADATA, 315 hash_block)) { 316 struct bio *bio; 317 io->had_mismatch = true; 318 bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); 319 dm_audit_log_bio(DM_MSG_PREFIX, "verify-metadata", bio, 320 block, 0); 321 r = -EIO; 322 goto release_ret_r; 323 } 324 } 325 326 release_ok: 327 data += offset; 328 memcpy(want_digest, data, v->digest_size); 329 r = 0; 330 331 release_ret_r: 332 dm_bufio_release(buf); 333 return r; 334 } 335 336 /* 337 * Find a hash for a given block, write it to digest and verify the integrity 338 * of the hash tree if necessary. 339 */ 340 int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io, 341 sector_t block, u8 *digest, bool *is_zero) 342 { 343 int r = 0, i; 344 345 if (likely(v->levels)) { 346 /* 347 * First, we try to get the requested hash for 348 * the current block. If the hash block itself is 349 * verified, zero is returned. If it isn't, this 350 * function returns 1 and we fall back to whole 351 * chain verification. 352 */ 353 r = verity_verify_level(v, io, block, 0, true, digest); 354 if (likely(r <= 0)) 355 goto out; 356 } 357 358 memcpy(digest, v->root_digest, v->digest_size); 359 360 for (i = v->levels - 1; i >= 0; i--) { 361 r = verity_verify_level(v, io, block, i, false, digest); 362 if (unlikely(r)) 363 goto out; 364 } 365 out: 366 if (!r && v->zero_digest) 367 *is_zero = !memcmp(v->zero_digest, digest, v->digest_size); 368 else 369 *is_zero = false; 370 371 return r; 372 } 373 374 static noinline int verity_recheck(struct dm_verity *v, struct dm_verity_io *io, 375 const u8 *want_digest, sector_t cur_block, 376 u8 *dest) 377 { 378 struct page *page; 379 void *buffer; 380 int r; 381 struct dm_io_request io_req; 382 struct dm_io_region io_loc; 383 384 page = mempool_alloc(&v->recheck_pool, GFP_NOIO); 385 buffer = page_to_virt(page); 386 387 io_req.bi_opf = REQ_OP_READ; 388 io_req.mem.type = DM_IO_KMEM; 389 io_req.mem.ptr.addr = buffer; 390 io_req.notify.fn = NULL; 391 io_req.client = v->io; 392 io_loc.bdev = v->data_dev->bdev; 393 io_loc.sector = cur_block << (v->data_dev_block_bits - SECTOR_SHIFT); 394 io_loc.count = 1 << (v->data_dev_block_bits - SECTOR_SHIFT); 395 r = dm_io(&io_req, 1, &io_loc, NULL, IOPRIO_DEFAULT); 396 if (unlikely(r)) 397 goto free_ret; 398 399 r = verity_hash(v, io, buffer, 1 << v->data_dev_block_bits, 400 io->tmp_digest); 401 if (unlikely(r)) 402 goto free_ret; 403 404 if (memcmp(io->tmp_digest, want_digest, v->digest_size)) { 405 r = -EIO; 406 goto free_ret; 407 } 408 409 memcpy(dest, buffer, 1 << v->data_dev_block_bits); 410 r = 0; 411 free_ret: 412 mempool_free(page, &v->recheck_pool); 413 414 return r; 415 } 416 417 static int verity_handle_data_hash_mismatch(struct dm_verity *v, 418 struct dm_verity_io *io, 419 struct bio *bio, 420 struct pending_block *block) 421 { 422 const u8 *want_digest = block->want_digest; 423 sector_t blkno = block->blkno; 424 u8 *data = block->data; 425 426 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) { 427 /* 428 * Error handling code (FEC included) cannot be run in a 429 * softirq since it may sleep, so fallback to a kworker. 430 */ 431 return -EAGAIN; 432 } 433 if (verity_recheck(v, io, want_digest, blkno, data) == 0) { 434 if (v->validated_blocks) 435 set_bit(blkno, v->validated_blocks); 436 return 0; 437 } 438 if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_DATA, want_digest, 439 blkno, data) == 0) 440 return 0; 441 if (bio->bi_status) 442 return -EIO; /* Error correction failed; Just return error */ 443 444 if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, blkno)) { 445 io->had_mismatch = true; 446 dm_audit_log_bio(DM_MSG_PREFIX, "verify-data", bio, blkno, 0); 447 return -EIO; 448 } 449 return 0; 450 } 451 452 static void verity_clear_pending_blocks(struct dm_verity_io *io) 453 { 454 int i; 455 456 for (i = io->num_pending - 1; i >= 0; i--) { 457 kunmap_local(io->pending_blocks[i].data); 458 io->pending_blocks[i].data = NULL; 459 } 460 io->num_pending = 0; 461 } 462 463 static int verity_verify_pending_blocks(struct dm_verity *v, 464 struct dm_verity_io *io, 465 struct bio *bio) 466 { 467 const unsigned int block_size = 1 << v->data_dev_block_bits; 468 int i, r; 469 470 if (io->num_pending == 2) { 471 /* num_pending == 2 implies that the algorithm is SHA-256 */ 472 sha256_finup_2x(v->initial_hashstate.sha256, 473 io->pending_blocks[0].data, 474 io->pending_blocks[1].data, block_size, 475 io->pending_blocks[0].real_digest, 476 io->pending_blocks[1].real_digest); 477 } else { 478 for (i = 0; i < io->num_pending; i++) { 479 r = verity_hash(v, io, io->pending_blocks[i].data, 480 block_size, 481 io->pending_blocks[i].real_digest); 482 if (unlikely(r)) 483 return r; 484 } 485 } 486 487 for (i = 0; i < io->num_pending; i++) { 488 struct pending_block *block = &io->pending_blocks[i]; 489 490 if (likely(memcmp(block->real_digest, block->want_digest, 491 v->digest_size) == 0)) { 492 if (v->validated_blocks) 493 set_bit(block->blkno, v->validated_blocks); 494 } else { 495 r = verity_handle_data_hash_mismatch(v, io, bio, block); 496 if (unlikely(r)) 497 return r; 498 } 499 } 500 verity_clear_pending_blocks(io); 501 return 0; 502 } 503 504 /* 505 * Verify one "dm_verity_io" structure. 506 */ 507 static int verity_verify_io(struct dm_verity_io *io) 508 { 509 struct dm_verity *v = io->v; 510 const unsigned int block_size = 1 << v->data_dev_block_bits; 511 const int max_pending = v->use_sha256_finup_2x ? 2 : 1; 512 struct bvec_iter iter_copy; 513 struct bvec_iter *iter; 514 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); 515 unsigned int b; 516 int r; 517 518 io->num_pending = 0; 519 520 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) { 521 /* 522 * Copy the iterator in case we need to restart verification in 523 * a kworker. 524 */ 525 iter_copy = io->iter; 526 iter = &iter_copy; 527 } else 528 iter = &io->iter; 529 530 for (b = 0; b < io->n_blocks; 531 b++, bio_advance_iter_single(bio, iter, block_size)) { 532 sector_t blkno = io->block + b; 533 struct pending_block *block; 534 bool is_zero; 535 struct bio_vec bv; 536 void *data; 537 538 if (v->validated_blocks && bio->bi_status == BLK_STS_OK && 539 likely(test_bit(blkno, v->validated_blocks))) 540 continue; 541 542 block = &io->pending_blocks[io->num_pending]; 543 544 r = verity_hash_for_block(v, io, blkno, block->want_digest, 545 &is_zero); 546 if (unlikely(r < 0)) 547 goto error; 548 549 bv = bio_iter_iovec(bio, *iter); 550 if (unlikely(bv.bv_len < block_size)) { 551 /* 552 * Data block spans pages. This should not happen, 553 * since dm-verity sets dma_alignment to the data block 554 * size minus 1, and dm-verity also doesn't allow the 555 * data block size to be greater than PAGE_SIZE. 556 */ 557 DMERR_LIMIT("unaligned io (data block spans pages)"); 558 r = -EIO; 559 goto error; 560 } 561 562 data = bvec_kmap_local(&bv); 563 564 if (is_zero) { 565 /* 566 * If we expect a zero block, don't validate, just 567 * return zeros. 568 */ 569 memset(data, 0, block_size); 570 kunmap_local(data); 571 continue; 572 } 573 block->data = data; 574 block->blkno = blkno; 575 if (++io->num_pending == max_pending) { 576 r = verity_verify_pending_blocks(v, io, bio); 577 if (unlikely(r)) 578 goto error; 579 } 580 } 581 582 if (io->num_pending) { 583 r = verity_verify_pending_blocks(v, io, bio); 584 if (unlikely(r)) 585 goto error; 586 } 587 588 return 0; 589 590 error: 591 verity_clear_pending_blocks(io); 592 return r; 593 } 594 595 /* 596 * Skip verity work in response to I/O error when system is shutting down. 597 */ 598 static inline bool verity_is_system_shutting_down(void) 599 { 600 return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF 601 || system_state == SYSTEM_RESTART; 602 } 603 604 static void restart_io_error(struct work_struct *w) 605 { 606 kernel_restart("dm-verity device has I/O error"); 607 } 608 609 /* 610 * End one "io" structure with a given error. 611 */ 612 static void verity_finish_io(struct dm_verity_io *io, blk_status_t status) 613 { 614 struct dm_verity *v = io->v; 615 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); 616 617 bio->bi_end_io = io->orig_bi_end_io; 618 bio->bi_status = status; 619 620 verity_fec_finish_io(io); 621 622 if (unlikely(status != BLK_STS_OK) && 623 unlikely(!(bio->bi_opf & REQ_RAHEAD)) && 624 !io->had_mismatch && 625 !verity_is_system_shutting_down()) { 626 if (v->error_mode == DM_VERITY_MODE_PANIC) { 627 panic("dm-verity device has I/O error"); 628 } 629 if (v->error_mode == DM_VERITY_MODE_RESTART) { 630 static DECLARE_WORK(restart_work, restart_io_error); 631 queue_work(v->verify_wq, &restart_work); 632 /* 633 * We deliberately don't call bio_endio here, because 634 * the machine will be restarted anyway. 635 */ 636 return; 637 } 638 } 639 640 bio_endio(bio); 641 } 642 643 static void verity_work(struct work_struct *w) 644 { 645 struct dm_verity_io *io = container_of(w, struct dm_verity_io, work); 646 647 io->in_bh = false; 648 649 verity_finish_io(io, errno_to_blk_status(verity_verify_io(io))); 650 } 651 652 static void verity_bh_work(struct work_struct *w) 653 { 654 struct dm_verity_io *io = container_of(w, struct dm_verity_io, work); 655 int err; 656 657 io->in_bh = true; 658 err = verity_verify_io(io); 659 if (err == -EAGAIN || err == -ENOMEM) { 660 /* fallback to retrying in a kworker */ 661 INIT_WORK(&io->work, verity_work); 662 queue_work(io->v->verify_wq, &io->work); 663 return; 664 } 665 666 verity_finish_io(io, errno_to_blk_status(err)); 667 } 668 669 static inline bool verity_use_bh(unsigned int bytes, unsigned short ioprio) 670 { 671 return ioprio <= IOPRIO_CLASS_IDLE && 672 bytes <= READ_ONCE(dm_verity_use_bh_bytes[ioprio]) && 673 !need_resched(); 674 } 675 676 static void verity_end_io(struct bio *bio) 677 { 678 struct dm_verity_io *io = bio->bi_private; 679 unsigned short ioprio = IOPRIO_PRIO_CLASS(bio->bi_ioprio); 680 unsigned int bytes = io->n_blocks << io->v->data_dev_block_bits; 681 682 if (bio->bi_status && 683 (!verity_fec_is_enabled(io->v) || 684 verity_is_system_shutting_down() || 685 (bio->bi_opf & REQ_RAHEAD))) { 686 verity_finish_io(io, bio->bi_status); 687 return; 688 } 689 690 if (static_branch_unlikely(&use_bh_wq_enabled) && io->v->use_bh_wq && 691 verity_use_bh(bytes, ioprio)) { 692 if (in_hardirq() || irqs_disabled()) { 693 INIT_WORK(&io->work, verity_bh_work); 694 queue_work(system_bh_wq, &io->work); 695 } else { 696 verity_bh_work(&io->work); 697 } 698 } else { 699 INIT_WORK(&io->work, verity_work); 700 queue_work(io->v->verify_wq, &io->work); 701 } 702 } 703 704 /* 705 * Prefetch buffers for the specified io. 706 * The root buffer is not prefetched, it is assumed that it will be cached 707 * all the time. 708 */ 709 static void verity_prefetch_io(struct work_struct *work) 710 { 711 struct dm_verity_prefetch_work *pw = 712 container_of(work, struct dm_verity_prefetch_work, work); 713 struct dm_verity *v = pw->v; 714 int i; 715 716 for (i = v->levels - 2; i >= 0; i--) { 717 sector_t hash_block_start; 718 sector_t hash_block_end; 719 720 verity_hash_at_level(v, pw->block, i, &hash_block_start, NULL); 721 verity_hash_at_level(v, pw->block + pw->n_blocks - 1, i, &hash_block_end, NULL); 722 723 if (!i) { 724 unsigned int cluster = READ_ONCE(dm_verity_prefetch_cluster); 725 726 cluster >>= v->data_dev_block_bits; 727 if (unlikely(!cluster)) 728 goto no_prefetch_cluster; 729 730 if (unlikely(cluster & (cluster - 1))) 731 cluster = 1 << __fls(cluster); 732 733 hash_block_start &= ~(sector_t)(cluster - 1); 734 hash_block_end |= cluster - 1; 735 if (unlikely(hash_block_end >= v->hash_blocks)) 736 hash_block_end = v->hash_blocks - 1; 737 } 738 no_prefetch_cluster: 739 dm_bufio_prefetch_with_ioprio(v->bufio, hash_block_start, 740 hash_block_end - hash_block_start + 1, 741 pw->ioprio); 742 } 743 744 kfree(pw); 745 } 746 747 static void verity_submit_prefetch(struct dm_verity *v, struct dm_verity_io *io, 748 unsigned short ioprio) 749 { 750 sector_t block = io->block; 751 unsigned int n_blocks = io->n_blocks; 752 struct dm_verity_prefetch_work *pw; 753 754 if (v->validated_blocks) { 755 while (n_blocks && test_bit(block, v->validated_blocks)) { 756 block++; 757 n_blocks--; 758 } 759 while (n_blocks && test_bit(block + n_blocks - 1, 760 v->validated_blocks)) 761 n_blocks--; 762 if (!n_blocks) 763 return; 764 } 765 766 pw = kmalloc(sizeof(struct dm_verity_prefetch_work), 767 GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); 768 769 if (!pw) 770 return; 771 772 INIT_WORK(&pw->work, verity_prefetch_io); 773 pw->v = v; 774 pw->block = block; 775 pw->n_blocks = n_blocks; 776 pw->ioprio = ioprio; 777 queue_work(v->verify_wq, &pw->work); 778 } 779 780 /* 781 * Bio map function. It allocates dm_verity_io structure and bio vector and 782 * fills them. Then it issues prefetches and the I/O. 783 */ 784 static int verity_map(struct dm_target *ti, struct bio *bio) 785 { 786 struct dm_verity *v = ti->private; 787 struct dm_verity_io *io; 788 789 bio_set_dev(bio, v->data_dev->bdev); 790 bio->bi_iter.bi_sector = verity_map_sector(v, bio->bi_iter.bi_sector); 791 792 if (((unsigned int)bio->bi_iter.bi_sector | bio_sectors(bio)) & 793 ((1 << (v->data_dev_block_bits - SECTOR_SHIFT)) - 1)) { 794 DMERR_LIMIT("unaligned io"); 795 return DM_MAPIO_KILL; 796 } 797 798 if (bio_end_sector(bio) >> 799 (v->data_dev_block_bits - SECTOR_SHIFT) > v->data_blocks) { 800 DMERR_LIMIT("io out of range"); 801 return DM_MAPIO_KILL; 802 } 803 804 if (bio_data_dir(bio) == WRITE) 805 return DM_MAPIO_KILL; 806 807 io = dm_per_bio_data(bio, ti->per_io_data_size); 808 io->v = v; 809 io->orig_bi_end_io = bio->bi_end_io; 810 io->block = bio->bi_iter.bi_sector >> (v->data_dev_block_bits - SECTOR_SHIFT); 811 io->n_blocks = bio->bi_iter.bi_size >> v->data_dev_block_bits; 812 io->had_mismatch = false; 813 814 bio->bi_end_io = verity_end_io; 815 bio->bi_private = io; 816 io->iter = bio->bi_iter; 817 818 verity_fec_init_io(io); 819 820 verity_submit_prefetch(v, io, bio->bi_ioprio); 821 822 submit_bio_noacct(bio); 823 824 return DM_MAPIO_SUBMITTED; 825 } 826 827 static void verity_postsuspend(struct dm_target *ti) 828 { 829 struct dm_verity *v = ti->private; 830 flush_workqueue(v->verify_wq); 831 dm_bufio_client_reset(v->bufio); 832 } 833 834 /* 835 * Status: V (valid) or C (corruption found) 836 */ 837 static void verity_status(struct dm_target *ti, status_type_t type, 838 unsigned int status_flags, char *result, unsigned int maxlen) 839 { 840 struct dm_verity *v = ti->private; 841 unsigned int args = 0; 842 unsigned int sz = 0; 843 unsigned int x; 844 845 switch (type) { 846 case STATUSTYPE_INFO: 847 DMEMIT("%c", v->hash_failed ? 'C' : 'V'); 848 if (verity_fec_is_enabled(v)) 849 DMEMIT(" %lld", atomic64_read(&v->fec->corrected)); 850 else 851 DMEMIT(" -"); 852 break; 853 case STATUSTYPE_TABLE: 854 DMEMIT("%u %s %s %u %u %llu %llu %s ", 855 v->version, 856 v->data_dev->name, 857 v->hash_dev->name, 858 1 << v->data_dev_block_bits, 859 1 << v->hash_dev_block_bits, 860 (unsigned long long)v->data_blocks, 861 (unsigned long long)v->hash_start, 862 v->alg_name 863 ); 864 for (x = 0; x < v->digest_size; x++) 865 DMEMIT("%02x", v->root_digest[x]); 866 DMEMIT(" "); 867 if (!v->salt_size) 868 DMEMIT("-"); 869 else 870 for (x = 0; x < v->salt_size; x++) 871 DMEMIT("%02x", v->salt[x]); 872 if (v->mode != DM_VERITY_MODE_EIO) 873 args++; 874 if (v->error_mode != DM_VERITY_MODE_EIO) 875 args++; 876 if (verity_fec_is_enabled(v)) 877 args += DM_VERITY_OPTS_FEC; 878 if (v->zero_digest) 879 args++; 880 if (v->validated_blocks) 881 args++; 882 if (v->use_bh_wq) 883 args++; 884 if (v->signature_key_desc) 885 args += DM_VERITY_ROOT_HASH_VERIFICATION_OPTS; 886 if (!args) 887 return; 888 DMEMIT(" %u", args); 889 if (v->mode != DM_VERITY_MODE_EIO) { 890 DMEMIT(" "); 891 switch (v->mode) { 892 case DM_VERITY_MODE_LOGGING: 893 DMEMIT(DM_VERITY_OPT_LOGGING); 894 break; 895 case DM_VERITY_MODE_RESTART: 896 DMEMIT(DM_VERITY_OPT_RESTART); 897 break; 898 case DM_VERITY_MODE_PANIC: 899 DMEMIT(DM_VERITY_OPT_PANIC); 900 break; 901 default: 902 BUG(); 903 } 904 } 905 if (v->error_mode != DM_VERITY_MODE_EIO) { 906 DMEMIT(" "); 907 switch (v->error_mode) { 908 case DM_VERITY_MODE_RESTART: 909 DMEMIT(DM_VERITY_OPT_ERROR_RESTART); 910 break; 911 case DM_VERITY_MODE_PANIC: 912 DMEMIT(DM_VERITY_OPT_ERROR_PANIC); 913 break; 914 default: 915 BUG(); 916 } 917 } 918 if (v->zero_digest) 919 DMEMIT(" " DM_VERITY_OPT_IGN_ZEROES); 920 if (v->validated_blocks) 921 DMEMIT(" " DM_VERITY_OPT_AT_MOST_ONCE); 922 if (v->use_bh_wq) 923 DMEMIT(" " DM_VERITY_OPT_TASKLET_VERIFY); 924 sz = verity_fec_status_table(v, sz, result, maxlen); 925 if (v->signature_key_desc) 926 DMEMIT(" " DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY 927 " %s", v->signature_key_desc); 928 break; 929 930 case STATUSTYPE_IMA: 931 DMEMIT_TARGET_NAME_VERSION(ti->type); 932 DMEMIT(",hash_failed=%c", v->hash_failed ? 'C' : 'V'); 933 DMEMIT(",verity_version=%u", v->version); 934 DMEMIT(",data_device_name=%s", v->data_dev->name); 935 DMEMIT(",hash_device_name=%s", v->hash_dev->name); 936 DMEMIT(",verity_algorithm=%s", v->alg_name); 937 938 DMEMIT(",root_digest="); 939 for (x = 0; x < v->digest_size; x++) 940 DMEMIT("%02x", v->root_digest[x]); 941 942 DMEMIT(",salt="); 943 if (!v->salt_size) 944 DMEMIT("-"); 945 else 946 for (x = 0; x < v->salt_size; x++) 947 DMEMIT("%02x", v->salt[x]); 948 949 DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n'); 950 DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n'); 951 if (v->signature_key_desc) 952 DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc); 953 954 if (v->mode != DM_VERITY_MODE_EIO) { 955 DMEMIT(",verity_mode="); 956 switch (v->mode) { 957 case DM_VERITY_MODE_LOGGING: 958 DMEMIT(DM_VERITY_OPT_LOGGING); 959 break; 960 case DM_VERITY_MODE_RESTART: 961 DMEMIT(DM_VERITY_OPT_RESTART); 962 break; 963 case DM_VERITY_MODE_PANIC: 964 DMEMIT(DM_VERITY_OPT_PANIC); 965 break; 966 default: 967 DMEMIT("invalid"); 968 } 969 } 970 if (v->error_mode != DM_VERITY_MODE_EIO) { 971 DMEMIT(",verity_error_mode="); 972 switch (v->error_mode) { 973 case DM_VERITY_MODE_RESTART: 974 DMEMIT(DM_VERITY_OPT_ERROR_RESTART); 975 break; 976 case DM_VERITY_MODE_PANIC: 977 DMEMIT(DM_VERITY_OPT_ERROR_PANIC); 978 break; 979 default: 980 DMEMIT("invalid"); 981 } 982 } 983 DMEMIT(";"); 984 break; 985 } 986 } 987 988 static int verity_prepare_ioctl(struct dm_target *ti, struct block_device **bdev, 989 unsigned int cmd, unsigned long arg, 990 bool *forward) 991 { 992 struct dm_verity *v = ti->private; 993 994 *bdev = v->data_dev->bdev; 995 996 if (ti->len != bdev_nr_sectors(v->data_dev->bdev)) 997 return 1; 998 return 0; 999 } 1000 1001 static int verity_iterate_devices(struct dm_target *ti, 1002 iterate_devices_callout_fn fn, void *data) 1003 { 1004 struct dm_verity *v = ti->private; 1005 1006 return fn(ti, v->data_dev, 0, ti->len, data); 1007 } 1008 1009 static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits) 1010 { 1011 struct dm_verity *v = ti->private; 1012 1013 if (limits->logical_block_size < 1 << v->data_dev_block_bits) 1014 limits->logical_block_size = 1 << v->data_dev_block_bits; 1015 1016 if (limits->physical_block_size < 1 << v->data_dev_block_bits) 1017 limits->physical_block_size = 1 << v->data_dev_block_bits; 1018 1019 limits->io_min = limits->logical_block_size; 1020 1021 /* 1022 * Similar to what dm-crypt does, opt dm-verity out of support for 1023 * direct I/O that is aligned to less than the traditional direct I/O 1024 * alignment requirement of logical_block_size. This prevents dm-verity 1025 * data blocks from crossing pages, eliminating various edge cases. 1026 */ 1027 limits->dma_alignment = limits->logical_block_size - 1; 1028 } 1029 1030 #ifdef CONFIG_SECURITY 1031 1032 static int verity_init_sig(struct dm_verity *v, const void *sig, 1033 size_t sig_size) 1034 { 1035 v->sig_size = sig_size; 1036 1037 if (sig) { 1038 v->root_digest_sig = kmemdup(sig, v->sig_size, GFP_KERNEL); 1039 if (!v->root_digest_sig) 1040 return -ENOMEM; 1041 } 1042 1043 return 0; 1044 } 1045 1046 static void verity_free_sig(struct dm_verity *v) 1047 { 1048 kfree(v->root_digest_sig); 1049 } 1050 1051 #else 1052 1053 static inline int verity_init_sig(struct dm_verity *v, const void *sig, 1054 size_t sig_size) 1055 { 1056 return 0; 1057 } 1058 1059 static inline void verity_free_sig(struct dm_verity *v) 1060 { 1061 } 1062 1063 #endif /* CONFIG_SECURITY */ 1064 1065 static void verity_dtr(struct dm_target *ti) 1066 { 1067 struct dm_verity *v = ti->private; 1068 1069 if (v->verify_wq) 1070 destroy_workqueue(v->verify_wq); 1071 1072 mempool_exit(&v->recheck_pool); 1073 if (v->io) 1074 dm_io_client_destroy(v->io); 1075 1076 if (v->bufio) 1077 dm_bufio_client_destroy(v->bufio); 1078 1079 kvfree(v->validated_blocks); 1080 kfree(v->salt); 1081 kfree(v->initial_hashstate.shash); 1082 kfree(v->root_digest); 1083 kfree(v->zero_digest); 1084 verity_free_sig(v); 1085 1086 crypto_free_shash(v->shash_tfm); 1087 1088 kfree(v->alg_name); 1089 1090 if (v->hash_dev) 1091 dm_put_device(ti, v->hash_dev); 1092 1093 if (v->data_dev) 1094 dm_put_device(ti, v->data_dev); 1095 1096 verity_fec_dtr(v); 1097 1098 kfree(v->signature_key_desc); 1099 1100 if (v->use_bh_wq) 1101 static_branch_dec(&use_bh_wq_enabled); 1102 1103 kfree(v); 1104 1105 dm_audit_log_dtr(DM_MSG_PREFIX, ti, 1); 1106 } 1107 1108 static int verity_alloc_most_once(struct dm_verity *v) 1109 { 1110 struct dm_target *ti = v->ti; 1111 1112 if (v->validated_blocks) 1113 return 0; 1114 1115 /* the bitset can only handle INT_MAX blocks */ 1116 if (v->data_blocks > INT_MAX) { 1117 ti->error = "device too large to use check_at_most_once"; 1118 return -E2BIG; 1119 } 1120 1121 v->validated_blocks = kvcalloc(BITS_TO_LONGS(v->data_blocks), 1122 sizeof(unsigned long), 1123 GFP_KERNEL); 1124 if (!v->validated_blocks) { 1125 ti->error = "failed to allocate bitset for check_at_most_once"; 1126 return -ENOMEM; 1127 } 1128 1129 return 0; 1130 } 1131 1132 static int verity_alloc_zero_digest(struct dm_verity *v) 1133 { 1134 int r = -ENOMEM; 1135 struct dm_verity_io *io; 1136 u8 *zero_data; 1137 1138 if (v->zero_digest) 1139 return 0; 1140 1141 v->zero_digest = kmalloc(v->digest_size, GFP_KERNEL); 1142 1143 if (!v->zero_digest) 1144 return r; 1145 1146 io = kmalloc(v->ti->per_io_data_size, GFP_KERNEL); 1147 1148 if (!io) 1149 return r; /* verity_dtr will free zero_digest */ 1150 1151 zero_data = kzalloc(1 << v->data_dev_block_bits, GFP_KERNEL); 1152 1153 if (!zero_data) 1154 goto out; 1155 1156 r = verity_hash(v, io, zero_data, 1 << v->data_dev_block_bits, 1157 v->zero_digest); 1158 1159 out: 1160 kfree(io); 1161 kfree(zero_data); 1162 1163 return r; 1164 } 1165 1166 static inline bool verity_is_verity_mode(const char *arg_name) 1167 { 1168 return (!strcasecmp(arg_name, DM_VERITY_OPT_LOGGING) || 1169 !strcasecmp(arg_name, DM_VERITY_OPT_RESTART) || 1170 !strcasecmp(arg_name, DM_VERITY_OPT_PANIC)); 1171 } 1172 1173 static int verity_parse_verity_mode(struct dm_verity *v, const char *arg_name) 1174 { 1175 if (v->mode) 1176 return -EINVAL; 1177 1178 if (!strcasecmp(arg_name, DM_VERITY_OPT_LOGGING)) 1179 v->mode = DM_VERITY_MODE_LOGGING; 1180 else if (!strcasecmp(arg_name, DM_VERITY_OPT_RESTART)) 1181 v->mode = DM_VERITY_MODE_RESTART; 1182 else if (!strcasecmp(arg_name, DM_VERITY_OPT_PANIC)) 1183 v->mode = DM_VERITY_MODE_PANIC; 1184 1185 return 0; 1186 } 1187 1188 static inline bool verity_is_verity_error_mode(const char *arg_name) 1189 { 1190 return (!strcasecmp(arg_name, DM_VERITY_OPT_ERROR_RESTART) || 1191 !strcasecmp(arg_name, DM_VERITY_OPT_ERROR_PANIC)); 1192 } 1193 1194 static int verity_parse_verity_error_mode(struct dm_verity *v, const char *arg_name) 1195 { 1196 if (v->error_mode) 1197 return -EINVAL; 1198 1199 if (!strcasecmp(arg_name, DM_VERITY_OPT_ERROR_RESTART)) 1200 v->error_mode = DM_VERITY_MODE_RESTART; 1201 else if (!strcasecmp(arg_name, DM_VERITY_OPT_ERROR_PANIC)) 1202 v->error_mode = DM_VERITY_MODE_PANIC; 1203 1204 return 0; 1205 } 1206 1207 static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v, 1208 struct dm_verity_sig_opts *verify_args, 1209 bool only_modifier_opts) 1210 { 1211 int r = 0; 1212 unsigned int argc; 1213 struct dm_target *ti = v->ti; 1214 const char *arg_name; 1215 1216 static const struct dm_arg _args[] = { 1217 {0, DM_VERITY_OPTS_MAX, "Invalid number of feature args"}, 1218 }; 1219 1220 r = dm_read_arg_group(_args, as, &argc, &ti->error); 1221 if (r) 1222 return -EINVAL; 1223 1224 if (!argc) 1225 return 0; 1226 1227 do { 1228 arg_name = dm_shift_arg(as); 1229 argc--; 1230 1231 if (verity_is_verity_mode(arg_name)) { 1232 if (only_modifier_opts) 1233 continue; 1234 r = verity_parse_verity_mode(v, arg_name); 1235 if (r) { 1236 ti->error = "Conflicting error handling parameters"; 1237 return r; 1238 } 1239 continue; 1240 1241 } else if (verity_is_verity_error_mode(arg_name)) { 1242 if (only_modifier_opts) 1243 continue; 1244 r = verity_parse_verity_error_mode(v, arg_name); 1245 if (r) { 1246 ti->error = "Conflicting error handling parameters"; 1247 return r; 1248 } 1249 continue; 1250 1251 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_IGN_ZEROES)) { 1252 if (only_modifier_opts) 1253 continue; 1254 r = verity_alloc_zero_digest(v); 1255 if (r) { 1256 ti->error = "Cannot allocate zero digest"; 1257 return r; 1258 } 1259 continue; 1260 1261 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_AT_MOST_ONCE)) { 1262 if (only_modifier_opts) 1263 continue; 1264 r = verity_alloc_most_once(v); 1265 if (r) 1266 return r; 1267 continue; 1268 1269 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_TASKLET_VERIFY)) { 1270 v->use_bh_wq = true; 1271 static_branch_inc(&use_bh_wq_enabled); 1272 continue; 1273 1274 } else if (verity_is_fec_opt_arg(arg_name)) { 1275 if (only_modifier_opts) 1276 continue; 1277 r = verity_fec_parse_opt_args(as, v, &argc, arg_name); 1278 if (r) 1279 return r; 1280 continue; 1281 1282 } else if (verity_verify_is_sig_opt_arg(arg_name)) { 1283 if (only_modifier_opts) 1284 continue; 1285 r = verity_verify_sig_parse_opt_args(as, v, 1286 verify_args, 1287 &argc, arg_name); 1288 if (r) 1289 return r; 1290 continue; 1291 1292 } else if (only_modifier_opts) { 1293 /* 1294 * Ignore unrecognized opt, could easily be an extra 1295 * argument to an option whose parsing was skipped. 1296 * Normal parsing (@only_modifier_opts=false) will 1297 * properly parse all options (and their extra args). 1298 */ 1299 continue; 1300 } 1301 1302 DMERR("Unrecognized verity feature request: %s", arg_name); 1303 ti->error = "Unrecognized verity feature request"; 1304 return -EINVAL; 1305 } while (argc && !r); 1306 1307 return r; 1308 } 1309 1310 static int verity_setup_hash_alg(struct dm_verity *v, const char *alg_name) 1311 { 1312 struct dm_target *ti = v->ti; 1313 struct crypto_shash *shash; 1314 1315 v->alg_name = kstrdup(alg_name, GFP_KERNEL); 1316 if (!v->alg_name) { 1317 ti->error = "Cannot allocate algorithm name"; 1318 return -ENOMEM; 1319 } 1320 1321 shash = crypto_alloc_shash(alg_name, 0, 0); 1322 if (IS_ERR(shash)) { 1323 ti->error = "Cannot initialize hash function"; 1324 return PTR_ERR(shash); 1325 } 1326 v->shash_tfm = shash; 1327 v->digest_size = crypto_shash_digestsize(shash); 1328 if ((1 << v->hash_dev_block_bits) < v->digest_size * 2) { 1329 ti->error = "Digest size too big"; 1330 return -EINVAL; 1331 } 1332 if (likely(v->version && strcmp(alg_name, "sha256") == 0)) { 1333 /* 1334 * Fast path: use the library API for reduced overhead and 1335 * interleaved hashing support. 1336 */ 1337 v->use_sha256_lib = true; 1338 if (sha256_finup_2x_is_optimized()) 1339 v->use_sha256_finup_2x = true; 1340 ti->per_io_data_size = 1341 offsetofend(struct dm_verity_io, hash_ctx.sha256); 1342 } else { 1343 /* Fallback case: use the generic crypto API. */ 1344 ti->per_io_data_size = 1345 offsetofend(struct dm_verity_io, hash_ctx.shash) + 1346 crypto_shash_descsize(shash); 1347 } 1348 return 0; 1349 } 1350 1351 static int verity_setup_salt_and_hashstate(struct dm_verity *v, const char *arg) 1352 { 1353 struct dm_target *ti = v->ti; 1354 1355 if (strcmp(arg, "-") != 0) { 1356 v->salt_size = strlen(arg) / 2; 1357 v->salt = kmalloc(v->salt_size, GFP_KERNEL); 1358 if (!v->salt) { 1359 ti->error = "Cannot allocate salt"; 1360 return -ENOMEM; 1361 } 1362 if (strlen(arg) != v->salt_size * 2 || 1363 hex2bin(v->salt, arg, v->salt_size)) { 1364 ti->error = "Invalid salt"; 1365 return -EINVAL; 1366 } 1367 } 1368 if (likely(v->use_sha256_lib)) { 1369 /* Implies version 1: salt at beginning */ 1370 v->initial_hashstate.sha256 = 1371 kmalloc(sizeof(struct sha256_ctx), GFP_KERNEL); 1372 if (!v->initial_hashstate.sha256) { 1373 ti->error = "Cannot allocate initial hash state"; 1374 return -ENOMEM; 1375 } 1376 sha256_init(v->initial_hashstate.sha256); 1377 sha256_update(v->initial_hashstate.sha256, 1378 v->salt, v->salt_size); 1379 } else if (v->version) { /* Version 1: salt at beginning */ 1380 SHASH_DESC_ON_STACK(desc, v->shash_tfm); 1381 int r; 1382 1383 /* 1384 * Compute the pre-salted hash state that can be passed to 1385 * crypto_shash_import() for each block later. 1386 */ 1387 v->initial_hashstate.shash = kmalloc( 1388 crypto_shash_statesize(v->shash_tfm), GFP_KERNEL); 1389 if (!v->initial_hashstate.shash) { 1390 ti->error = "Cannot allocate initial hash state"; 1391 return -ENOMEM; 1392 } 1393 desc->tfm = v->shash_tfm; 1394 r = crypto_shash_init(desc) ?: 1395 crypto_shash_update(desc, v->salt, v->salt_size) ?: 1396 crypto_shash_export(desc, v->initial_hashstate.shash); 1397 if (r) { 1398 ti->error = "Cannot set up initial hash state"; 1399 return r; 1400 } 1401 } 1402 return 0; 1403 } 1404 1405 /* 1406 * Target parameters: 1407 * <version> The current format is version 1. 1408 * Vsn 0 is compatible with original Chromium OS releases. 1409 * <data device> 1410 * <hash device> 1411 * <data block size> 1412 * <hash block size> 1413 * <the number of data blocks> 1414 * <hash start block> 1415 * <algorithm> 1416 * <digest> 1417 * <salt> Hex string or "-" if no salt. 1418 */ 1419 static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv) 1420 { 1421 struct dm_verity *v; 1422 struct dm_verity_sig_opts verify_args = {0}; 1423 struct dm_arg_set as; 1424 unsigned int num; 1425 unsigned long long num_ll; 1426 int r; 1427 int i; 1428 sector_t hash_position; 1429 char dummy; 1430 char *root_hash_digest_to_validate; 1431 1432 v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL); 1433 if (!v) { 1434 ti->error = "Cannot allocate verity structure"; 1435 return -ENOMEM; 1436 } 1437 ti->private = v; 1438 v->ti = ti; 1439 1440 r = verity_fec_ctr_alloc(v); 1441 if (r) 1442 goto bad; 1443 1444 if ((dm_table_get_mode(ti->table) & ~BLK_OPEN_READ)) { 1445 ti->error = "Device must be readonly"; 1446 r = -EINVAL; 1447 goto bad; 1448 } 1449 1450 if (argc < 10) { 1451 ti->error = "Not enough arguments"; 1452 r = -EINVAL; 1453 goto bad; 1454 } 1455 1456 /* Parse optional parameters that modify primary args */ 1457 if (argc > 10) { 1458 as.argc = argc - 10; 1459 as.argv = argv + 10; 1460 r = verity_parse_opt_args(&as, v, &verify_args, true); 1461 if (r < 0) 1462 goto bad; 1463 } 1464 1465 if (sscanf(argv[0], "%u%c", &num, &dummy) != 1 || 1466 num > 1) { 1467 ti->error = "Invalid version"; 1468 r = -EINVAL; 1469 goto bad; 1470 } 1471 v->version = num; 1472 1473 r = dm_get_device(ti, argv[1], BLK_OPEN_READ, &v->data_dev); 1474 if (r) { 1475 ti->error = "Data device lookup failed"; 1476 goto bad; 1477 } 1478 1479 r = dm_get_device(ti, argv[2], BLK_OPEN_READ, &v->hash_dev); 1480 if (r) { 1481 ti->error = "Hash device lookup failed"; 1482 goto bad; 1483 } 1484 1485 if (sscanf(argv[3], "%u%c", &num, &dummy) != 1 || 1486 !num || (num & (num - 1)) || 1487 num < bdev_logical_block_size(v->data_dev->bdev) || 1488 num > PAGE_SIZE) { 1489 ti->error = "Invalid data device block size"; 1490 r = -EINVAL; 1491 goto bad; 1492 } 1493 v->data_dev_block_bits = __ffs(num); 1494 1495 if (sscanf(argv[4], "%u%c", &num, &dummy) != 1 || 1496 !num || (num & (num - 1)) || 1497 num < bdev_logical_block_size(v->hash_dev->bdev) || 1498 num > INT_MAX) { 1499 ti->error = "Invalid hash device block size"; 1500 r = -EINVAL; 1501 goto bad; 1502 } 1503 v->hash_dev_block_bits = __ffs(num); 1504 1505 if (sscanf(argv[5], "%llu%c", &num_ll, &dummy) != 1 || 1506 (sector_t)(num_ll << (v->data_dev_block_bits - SECTOR_SHIFT)) 1507 >> (v->data_dev_block_bits - SECTOR_SHIFT) != num_ll) { 1508 ti->error = "Invalid data blocks"; 1509 r = -EINVAL; 1510 goto bad; 1511 } 1512 v->data_blocks = num_ll; 1513 1514 if (ti->len > (v->data_blocks << (v->data_dev_block_bits - SECTOR_SHIFT))) { 1515 ti->error = "Data device is too small"; 1516 r = -EINVAL; 1517 goto bad; 1518 } 1519 1520 if (sscanf(argv[6], "%llu%c", &num_ll, &dummy) != 1 || 1521 (sector_t)(num_ll << (v->hash_dev_block_bits - SECTOR_SHIFT)) 1522 >> (v->hash_dev_block_bits - SECTOR_SHIFT) != num_ll) { 1523 ti->error = "Invalid hash start"; 1524 r = -EINVAL; 1525 goto bad; 1526 } 1527 v->hash_start = num_ll; 1528 1529 r = verity_setup_hash_alg(v, argv[7]); 1530 if (r) 1531 goto bad; 1532 1533 v->root_digest = kmalloc(v->digest_size, GFP_KERNEL); 1534 if (!v->root_digest) { 1535 ti->error = "Cannot allocate root digest"; 1536 r = -ENOMEM; 1537 goto bad; 1538 } 1539 if (strlen(argv[8]) != v->digest_size * 2 || 1540 hex2bin(v->root_digest, argv[8], v->digest_size)) { 1541 ti->error = "Invalid root digest"; 1542 r = -EINVAL; 1543 goto bad; 1544 } 1545 root_hash_digest_to_validate = argv[8]; 1546 1547 r = verity_setup_salt_and_hashstate(v, argv[9]); 1548 if (r) 1549 goto bad; 1550 1551 argv += 10; 1552 argc -= 10; 1553 1554 /* Optional parameters */ 1555 if (argc) { 1556 as.argc = argc; 1557 as.argv = argv; 1558 r = verity_parse_opt_args(&as, v, &verify_args, false); 1559 if (r < 0) 1560 goto bad; 1561 } 1562 1563 /* Root hash signature is an optional parameter */ 1564 r = verity_verify_root_hash(root_hash_digest_to_validate, 1565 strlen(root_hash_digest_to_validate), 1566 verify_args.sig, 1567 verify_args.sig_size); 1568 if (r < 0) { 1569 ti->error = "Root hash verification failed"; 1570 goto bad; 1571 } 1572 1573 r = verity_init_sig(v, verify_args.sig, verify_args.sig_size); 1574 if (r < 0) { 1575 ti->error = "Cannot allocate root digest signature"; 1576 goto bad; 1577 } 1578 1579 v->hash_per_block_bits = 1580 __fls((1 << v->hash_dev_block_bits) / v->digest_size); 1581 1582 v->levels = 0; 1583 if (v->data_blocks) 1584 while (v->hash_per_block_bits * v->levels < 64 && 1585 (unsigned long long)(v->data_blocks - 1) >> 1586 (v->hash_per_block_bits * v->levels)) 1587 v->levels++; 1588 1589 if (v->levels > DM_VERITY_MAX_LEVELS) { 1590 ti->error = "Too many tree levels"; 1591 r = -E2BIG; 1592 goto bad; 1593 } 1594 1595 hash_position = v->hash_start; 1596 for (i = v->levels - 1; i >= 0; i--) { 1597 sector_t s; 1598 1599 v->hash_level_block[i] = hash_position; 1600 s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1) 1601 >> ((i + 1) * v->hash_per_block_bits); 1602 if (hash_position + s < hash_position) { 1603 ti->error = "Hash device offset overflow"; 1604 r = -E2BIG; 1605 goto bad; 1606 } 1607 hash_position += s; 1608 } 1609 v->hash_blocks = hash_position; 1610 1611 r = mempool_init_page_pool(&v->recheck_pool, 1, 0); 1612 if (unlikely(r)) { 1613 ti->error = "Cannot allocate mempool"; 1614 goto bad; 1615 } 1616 1617 v->io = dm_io_client_create(); 1618 if (IS_ERR(v->io)) { 1619 r = PTR_ERR(v->io); 1620 v->io = NULL; 1621 ti->error = "Cannot allocate dm io"; 1622 goto bad; 1623 } 1624 1625 v->bufio = dm_bufio_client_create(v->hash_dev->bdev, 1626 1 << v->hash_dev_block_bits, 1, sizeof(struct buffer_aux), 1627 dm_bufio_alloc_callback, NULL, 1628 v->use_bh_wq ? DM_BUFIO_CLIENT_NO_SLEEP : 0); 1629 if (IS_ERR(v->bufio)) { 1630 ti->error = "Cannot initialize dm-bufio"; 1631 r = PTR_ERR(v->bufio); 1632 v->bufio = NULL; 1633 goto bad; 1634 } 1635 1636 if (dm_bufio_get_device_size(v->bufio) < v->hash_blocks) { 1637 ti->error = "Hash device is too small"; 1638 r = -E2BIG; 1639 goto bad; 1640 } 1641 1642 /* 1643 * Using WQ_HIGHPRI improves throughput and completion latency by 1644 * reducing wait times when reading from a dm-verity device. 1645 * 1646 * Also as required for the "try_verify_in_tasklet" feature: WQ_HIGHPRI 1647 * allows verify_wq to preempt softirq since verification in softirq 1648 * will fall-back to using it for error handling (or if the bufio cache 1649 * doesn't have required hashes). 1650 */ 1651 v->verify_wq = alloc_workqueue("kverityd", 1652 WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU, 1653 0); 1654 if (!v->verify_wq) { 1655 ti->error = "Cannot allocate workqueue"; 1656 r = -ENOMEM; 1657 goto bad; 1658 } 1659 1660 r = verity_fec_ctr(v); 1661 if (r) 1662 goto bad; 1663 1664 ti->per_io_data_size = roundup(ti->per_io_data_size, 1665 __alignof__(struct dm_verity_io)); 1666 1667 verity_verify_sig_opts_cleanup(&verify_args); 1668 1669 dm_audit_log_ctr(DM_MSG_PREFIX, ti, 1); 1670 1671 return 0; 1672 1673 bad: 1674 1675 verity_verify_sig_opts_cleanup(&verify_args); 1676 dm_audit_log_ctr(DM_MSG_PREFIX, ti, 0); 1677 verity_dtr(ti); 1678 1679 return r; 1680 } 1681 1682 /* 1683 * Get the verity mode (error behavior) of a verity target. 1684 * 1685 * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity 1686 * target. 1687 */ 1688 int dm_verity_get_mode(struct dm_target *ti) 1689 { 1690 struct dm_verity *v = ti->private; 1691 1692 if (!dm_is_verity_target(ti)) 1693 return -EINVAL; 1694 1695 return v->mode; 1696 } 1697 1698 /* 1699 * Get the root digest of a verity target. 1700 * 1701 * Returns a copy of the root digest, the caller is responsible for 1702 * freeing the memory of the digest. 1703 */ 1704 int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned int *digest_size) 1705 { 1706 struct dm_verity *v = ti->private; 1707 1708 if (!dm_is_verity_target(ti)) 1709 return -EINVAL; 1710 1711 *root_digest = kmemdup(v->root_digest, v->digest_size, GFP_KERNEL); 1712 if (*root_digest == NULL) 1713 return -ENOMEM; 1714 1715 *digest_size = v->digest_size; 1716 1717 return 0; 1718 } 1719 1720 #ifdef CONFIG_SECURITY 1721 1722 #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG 1723 1724 static int verity_security_set_signature(struct block_device *bdev, 1725 struct dm_verity *v) 1726 { 1727 /* 1728 * if the dm-verity target is unsigned, v->root_digest_sig will 1729 * be NULL, and the hook call is still required to let LSMs mark 1730 * the device as unsigned. This information is crucial for LSMs to 1731 * block operations such as execution on unsigned files 1732 */ 1733 return security_bdev_setintegrity(bdev, 1734 LSM_INT_DMVERITY_SIG_VALID, 1735 v->root_digest_sig, 1736 v->sig_size); 1737 } 1738 1739 #else 1740 1741 static inline int verity_security_set_signature(struct block_device *bdev, 1742 struct dm_verity *v) 1743 { 1744 return 0; 1745 } 1746 1747 #endif /* CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG */ 1748 1749 /* 1750 * Expose verity target's root hash and signature data to LSMs before resume. 1751 * 1752 * Returns 0 on success, or -ENOMEM if the system is out of memory. 1753 */ 1754 static int verity_preresume(struct dm_target *ti) 1755 { 1756 struct block_device *bdev; 1757 struct dm_verity_digest root_digest; 1758 struct dm_verity *v; 1759 int r; 1760 1761 v = ti->private; 1762 bdev = dm_disk(dm_table_get_md(ti->table))->part0; 1763 root_digest.digest = v->root_digest; 1764 root_digest.digest_len = v->digest_size; 1765 root_digest.alg = crypto_shash_alg_name(v->shash_tfm); 1766 1767 r = security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, &root_digest, 1768 sizeof(root_digest)); 1769 if (r) 1770 return r; 1771 1772 r = verity_security_set_signature(bdev, v); 1773 if (r) 1774 goto bad; 1775 1776 return 0; 1777 1778 bad: 1779 1780 security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, NULL, 0); 1781 1782 return r; 1783 } 1784 1785 #endif /* CONFIG_SECURITY */ 1786 1787 static struct target_type verity_target = { 1788 .name = "verity", 1789 /* Note: the LSMs depend on the singleton and immutable features */ 1790 .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, 1791 .version = {1, 13, 0}, 1792 .module = THIS_MODULE, 1793 .ctr = verity_ctr, 1794 .dtr = verity_dtr, 1795 .map = verity_map, 1796 .postsuspend = verity_postsuspend, 1797 .status = verity_status, 1798 .prepare_ioctl = verity_prepare_ioctl, 1799 .iterate_devices = verity_iterate_devices, 1800 .io_hints = verity_io_hints, 1801 #ifdef CONFIG_SECURITY 1802 .preresume = verity_preresume, 1803 #endif /* CONFIG_SECURITY */ 1804 }; 1805 1806 static int __init dm_verity_init(void) 1807 { 1808 int r; 1809 1810 r = dm_verity_verify_sig_init(); 1811 if (r) 1812 return r; 1813 1814 r = dm_register_target(&verity_target); 1815 if (r) { 1816 dm_verity_verify_sig_exit(); 1817 return r; 1818 } 1819 1820 return 0; 1821 } 1822 module_init(dm_verity_init); 1823 1824 static void __exit dm_verity_exit(void) 1825 { 1826 dm_unregister_target(&verity_target); 1827 dm_verity_verify_sig_exit(); 1828 } 1829 module_exit(dm_verity_exit); 1830 1831 /* 1832 * Check whether a DM target is a verity target. 1833 */ 1834 bool dm_is_verity_target(struct dm_target *ti) 1835 { 1836 return ti->type == &verity_target; 1837 } 1838 1839 MODULE_AUTHOR("Mikulas Patocka <mpatocka@redhat.com>"); 1840 MODULE_AUTHOR("Mandeep Baines <msb@chromium.org>"); 1841 MODULE_AUTHOR("Will Drewry <wad@chromium.org>"); 1842 MODULE_DESCRIPTION(DM_NAME " target for transparent disk integrity checking"); 1843 MODULE_LICENSE("GPL"); 1844