1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Ioctl to enable verity on a file 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <crypto/hash.h> 11 #include <linux/backing-dev.h> 12 #include <linux/mount.h> 13 #include <linux/pagemap.h> 14 #include <linux/sched/signal.h> 15 #include <linux/uaccess.h> 16 17 /* 18 * Read a file data page for Merkle tree construction. Do aggressive readahead, 19 * since we're sequentially reading the entire file. 20 */ 21 static struct page *read_file_data_page(struct file *file, pgoff_t index, 22 struct file_ra_state *ra, 23 unsigned long remaining_pages) 24 { 25 DEFINE_READAHEAD(ractl, file, ra, file->f_mapping, index); 26 struct folio *folio; 27 28 folio = __filemap_get_folio(ractl.mapping, index, FGP_ACCESSED, 0); 29 if (!folio || !folio_test_uptodate(folio)) { 30 if (folio) 31 folio_put(folio); 32 else 33 page_cache_sync_ra(&ractl, remaining_pages); 34 folio = read_cache_folio(ractl.mapping, index, NULL, file); 35 if (IS_ERR(folio)) 36 return &folio->page; 37 } 38 if (folio_test_readahead(folio)) 39 page_cache_async_ra(&ractl, folio, remaining_pages); 40 return folio_file_page(folio, index); 41 } 42 43 static int build_merkle_tree_level(struct file *filp, unsigned int level, 44 u64 num_blocks_to_hash, 45 const struct merkle_tree_params *params, 46 u8 *pending_hashes, 47 struct ahash_request *req) 48 { 49 struct inode *inode = file_inode(filp); 50 const struct fsverity_operations *vops = inode->i_sb->s_vop; 51 struct file_ra_state ra = { 0 }; 52 unsigned int pending_size = 0; 53 u64 dst_block_num; 54 u64 i; 55 int err; 56 57 if (WARN_ON(params->block_size != PAGE_SIZE)) /* checked earlier too */ 58 return -EINVAL; 59 60 if (level < params->num_levels) { 61 dst_block_num = params->level_start[level]; 62 } else { 63 if (WARN_ON(num_blocks_to_hash != 1)) 64 return -EINVAL; 65 dst_block_num = 0; /* unused */ 66 } 67 68 file_ra_state_init(&ra, filp->f_mapping); 69 70 for (i = 0; i < num_blocks_to_hash; i++) { 71 struct page *src_page; 72 73 if ((pgoff_t)i % 10000 == 0 || i + 1 == num_blocks_to_hash) 74 pr_debug("Hashing block %llu of %llu for level %u\n", 75 i + 1, num_blocks_to_hash, level); 76 77 if (level == 0) { 78 /* Leaf: hashing a data block */ 79 src_page = read_file_data_page(filp, i, &ra, 80 num_blocks_to_hash - i); 81 if (IS_ERR(src_page)) { 82 err = PTR_ERR(src_page); 83 fsverity_err(inode, 84 "Error %d reading data page %llu", 85 err, i); 86 return err; 87 } 88 } else { 89 unsigned long num_ra_pages = 90 min_t(unsigned long, num_blocks_to_hash - i, 91 inode->i_sb->s_bdi->io_pages); 92 93 /* Non-leaf: hashing hash block from level below */ 94 src_page = vops->read_merkle_tree_page(inode, 95 params->level_start[level - 1] + i, 96 num_ra_pages); 97 if (IS_ERR(src_page)) { 98 err = PTR_ERR(src_page); 99 fsverity_err(inode, 100 "Error %d reading Merkle tree page %llu", 101 err, params->level_start[level - 1] + i); 102 return err; 103 } 104 } 105 106 err = fsverity_hash_page(params, inode, req, src_page, 107 &pending_hashes[pending_size]); 108 put_page(src_page); 109 if (err) 110 return err; 111 pending_size += params->digest_size; 112 113 if (level == params->num_levels) /* Root hash? */ 114 return 0; 115 116 if (pending_size + params->digest_size > params->block_size || 117 i + 1 == num_blocks_to_hash) { 118 /* Flush the pending hash block */ 119 memset(&pending_hashes[pending_size], 0, 120 params->block_size - pending_size); 121 err = vops->write_merkle_tree_block(inode, 122 pending_hashes, 123 dst_block_num, 124 params->log_blocksize); 125 if (err) { 126 fsverity_err(inode, 127 "Error %d writing Merkle tree block %llu", 128 err, dst_block_num); 129 return err; 130 } 131 dst_block_num++; 132 pending_size = 0; 133 } 134 135 if (fatal_signal_pending(current)) 136 return -EINTR; 137 cond_resched(); 138 } 139 return 0; 140 } 141 142 /* 143 * Build the Merkle tree for the given file using the given parameters, and 144 * return the root hash in @root_hash. 145 * 146 * The tree is written to a filesystem-specific location as determined by the 147 * ->write_merkle_tree_block() method. However, the blocks that comprise the 148 * tree are the same for all filesystems. 149 */ 150 static int build_merkle_tree(struct file *filp, 151 const struct merkle_tree_params *params, 152 u8 *root_hash) 153 { 154 struct inode *inode = file_inode(filp); 155 u8 *pending_hashes; 156 struct ahash_request *req; 157 u64 blocks; 158 unsigned int level; 159 int err = -ENOMEM; 160 161 if (inode->i_size == 0) { 162 /* Empty file is a special case; root hash is all 0's */ 163 memset(root_hash, 0, params->digest_size); 164 return 0; 165 } 166 167 /* This allocation never fails, since it's mempool-backed. */ 168 req = fsverity_alloc_hash_request(params->hash_alg, GFP_KERNEL); 169 170 pending_hashes = kmalloc(params->block_size, GFP_KERNEL); 171 if (!pending_hashes) 172 goto out; 173 174 /* 175 * Build each level of the Merkle tree, starting at the leaf level 176 * (level 0) and ascending to the root node (level 'num_levels - 1'). 177 * Then at the end (level 'num_levels'), calculate the root hash. 178 */ 179 blocks = ((u64)inode->i_size + params->block_size - 1) >> 180 params->log_blocksize; 181 for (level = 0; level <= params->num_levels; level++) { 182 err = build_merkle_tree_level(filp, level, blocks, params, 183 pending_hashes, req); 184 if (err) 185 goto out; 186 blocks = (blocks + params->hashes_per_block - 1) >> 187 params->log_arity; 188 } 189 memcpy(root_hash, pending_hashes, params->digest_size); 190 err = 0; 191 out: 192 kfree(pending_hashes); 193 fsverity_free_hash_request(params->hash_alg, req); 194 return err; 195 } 196 197 static int enable_verity(struct file *filp, 198 const struct fsverity_enable_arg *arg) 199 { 200 struct inode *inode = file_inode(filp); 201 const struct fsverity_operations *vops = inode->i_sb->s_vop; 202 struct merkle_tree_params params = { }; 203 struct fsverity_descriptor *desc; 204 size_t desc_size = struct_size(desc, signature, arg->sig_size); 205 struct fsverity_info *vi; 206 int err; 207 208 /* Start initializing the fsverity_descriptor */ 209 desc = kzalloc(desc_size, GFP_KERNEL); 210 if (!desc) 211 return -ENOMEM; 212 desc->version = 1; 213 desc->hash_algorithm = arg->hash_algorithm; 214 desc->log_blocksize = ilog2(arg->block_size); 215 216 /* Get the salt if the user provided one */ 217 if (arg->salt_size && 218 copy_from_user(desc->salt, u64_to_user_ptr(arg->salt_ptr), 219 arg->salt_size)) { 220 err = -EFAULT; 221 goto out; 222 } 223 desc->salt_size = arg->salt_size; 224 225 /* Get the signature if the user provided one */ 226 if (arg->sig_size && 227 copy_from_user(desc->signature, u64_to_user_ptr(arg->sig_ptr), 228 arg->sig_size)) { 229 err = -EFAULT; 230 goto out; 231 } 232 desc->sig_size = cpu_to_le32(arg->sig_size); 233 234 desc->data_size = cpu_to_le64(inode->i_size); 235 236 /* Prepare the Merkle tree parameters */ 237 err = fsverity_init_merkle_tree_params(¶ms, inode, 238 arg->hash_algorithm, 239 desc->log_blocksize, 240 desc->salt, desc->salt_size); 241 if (err) 242 goto out; 243 244 /* 245 * Start enabling verity on this file, serialized by the inode lock. 246 * Fail if verity is already enabled or is already being enabled. 247 */ 248 inode_lock(inode); 249 if (IS_VERITY(inode)) 250 err = -EEXIST; 251 else 252 err = vops->begin_enable_verity(filp); 253 inode_unlock(inode); 254 if (err) 255 goto out; 256 257 /* 258 * Build the Merkle tree. Don't hold the inode lock during this, since 259 * on huge files this may take a very long time and we don't want to 260 * force unrelated syscalls like chown() to block forever. We don't 261 * need the inode lock here because deny_write_access() already prevents 262 * the file from being written to or truncated, and we still serialize 263 * ->begin_enable_verity() and ->end_enable_verity() using the inode 264 * lock and only allow one process to be here at a time on a given file. 265 */ 266 pr_debug("Building Merkle tree...\n"); 267 BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); 268 err = build_merkle_tree(filp, ¶ms, desc->root_hash); 269 if (err) { 270 fsverity_err(inode, "Error %d building Merkle tree", err); 271 goto rollback; 272 } 273 pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n", 274 params.hash_alg->name, params.digest_size, desc->root_hash); 275 276 /* 277 * Create the fsverity_info. Don't bother trying to save work by 278 * reusing the merkle_tree_params from above. Instead, just create the 279 * fsverity_info from the fsverity_descriptor as if it were just loaded 280 * from disk. This is simpler, and it serves as an extra check that the 281 * metadata we're writing is valid before actually enabling verity. 282 */ 283 vi = fsverity_create_info(inode, desc); 284 if (IS_ERR(vi)) { 285 err = PTR_ERR(vi); 286 goto rollback; 287 } 288 289 if (arg->sig_size) 290 pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n", 291 arg->sig_size); 292 293 /* 294 * Tell the filesystem to finish enabling verity on the file. 295 * Serialized with ->begin_enable_verity() by the inode lock. 296 */ 297 inode_lock(inode); 298 err = vops->end_enable_verity(filp, desc, desc_size, params.tree_size); 299 inode_unlock(inode); 300 if (err) { 301 fsverity_err(inode, "%ps() failed with err %d", 302 vops->end_enable_verity, err); 303 fsverity_free_info(vi); 304 } else if (WARN_ON(!IS_VERITY(inode))) { 305 err = -EINVAL; 306 fsverity_free_info(vi); 307 } else { 308 /* Successfully enabled verity */ 309 310 /* 311 * Readers can start using ->i_verity_info immediately, so it 312 * can't be rolled back once set. So don't set it until just 313 * after the filesystem has successfully enabled verity. 314 */ 315 fsverity_set_info(inode, vi); 316 } 317 out: 318 kfree(params.hashstate); 319 kfree(desc); 320 return err; 321 322 rollback: 323 inode_lock(inode); 324 (void)vops->end_enable_verity(filp, NULL, 0, params.tree_size); 325 inode_unlock(inode); 326 goto out; 327 } 328 329 /** 330 * fsverity_ioctl_enable() - enable verity on a file 331 * @filp: file to enable verity on 332 * @uarg: user pointer to fsverity_enable_arg 333 * 334 * Enable fs-verity on a file. See the "FS_IOC_ENABLE_VERITY" section of 335 * Documentation/filesystems/fsverity.rst for the documentation. 336 * 337 * Return: 0 on success, -errno on failure 338 */ 339 int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) 340 { 341 struct inode *inode = file_inode(filp); 342 struct fsverity_enable_arg arg; 343 int err; 344 345 if (copy_from_user(&arg, uarg, sizeof(arg))) 346 return -EFAULT; 347 348 if (arg.version != 1) 349 return -EINVAL; 350 351 if (arg.__reserved1 || 352 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) 353 return -EINVAL; 354 355 if (arg.block_size != PAGE_SIZE) 356 return -EINVAL; 357 358 if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt)) 359 return -EMSGSIZE; 360 361 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) 362 return -EMSGSIZE; 363 364 /* 365 * Require a regular file with write access. But the actual fd must 366 * still be readonly so that we can lock out all writers. This is 367 * needed to guarantee that no writable fds exist to the file once it 368 * has verity enabled, and to stabilize the data being hashed. 369 */ 370 371 err = file_permission(filp, MAY_WRITE); 372 if (err) 373 return err; 374 375 if (IS_APPEND(inode)) 376 return -EPERM; 377 378 if (S_ISDIR(inode->i_mode)) 379 return -EISDIR; 380 381 if (!S_ISREG(inode->i_mode)) 382 return -EINVAL; 383 384 err = mnt_want_write_file(filp); 385 if (err) /* -EROFS */ 386 return err; 387 388 err = deny_write_access(filp); 389 if (err) /* -ETXTBSY */ 390 goto out_drop_write; 391 392 err = enable_verity(filp, &arg); 393 if (err) 394 goto out_allow_write_access; 395 396 /* 397 * Some pages of the file may have been evicted from pagecache after 398 * being used in the Merkle tree construction, then read into pagecache 399 * again by another process reading from the file concurrently. Since 400 * these pages didn't undergo verification against the file digest which 401 * fs-verity now claims to be enforcing, we have to wipe the pagecache 402 * to ensure that all future reads are verified. 403 */ 404 filemap_write_and_wait(inode->i_mapping); 405 invalidate_inode_pages2(inode->i_mapping); 406 407 /* 408 * allow_write_access() is needed to pair with deny_write_access(). 409 * Regardless, the filesystem won't allow writing to verity files. 410 */ 411 out_allow_write_access: 412 allow_write_access(filp); 413 out_drop_write: 414 mnt_drop_write_file(filp); 415 return err; 416 } 417 EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); 418