mirror of
https://github.com/physwizz/a155-U-u1.git
synced 2024-11-19 13:27:49 +00:00
852 lines
21 KiB
C
852 lines
21 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
||
/*
|
||
* Copyright 2020 Google LLC
|
||
*/
|
||
|
||
/*
|
||
* fs-verity integration into incfs
|
||
*
|
||
* Since incfs has its own merkle tree implementation, most of fs-verity code
|
||
* is not needed. The key part that is needed is the signature check, since
|
||
* that is based on the private /proc/sys/fs/verity/require_signatures value
|
||
* and a private keyring. Thus the first change is to modify verity code to
|
||
* export a version of fsverity_verify_signature.
|
||
*
|
||
* fs-verity integration then consists of the following modifications:
|
||
*
|
||
* 1. Add the (optional) verity signature to the incfs file format
|
||
* 2. Add a pointer to the digest of the fs-verity descriptor struct to the
|
||
* data_file struct that incfs attaches to each file inode.
|
||
* 3. Add the following ioclts:
|
||
* - FS_IOC_ENABLE_VERITY
|
||
* - FS_IOC_GETFLAGS
|
||
* - FS_IOC_MEASURE_VERITY
|
||
* 4. When FS_IOC_ENABLE_VERITY is called on a non-verity file, the
|
||
* fs-verity descriptor struct is populated and digested. If it passes the
|
||
* signature check or the signature is NULL and
|
||
* fs.verity.require_signatures=0, then the S_VERITY flag is set and the
|
||
* xattr incfs.verity is set. If the signature is non-NULL, an
|
||
* INCFS_MD_VERITY_SIGNATURE is added to the backing file containing the
|
||
* signature.
|
||
* 5. When a file with an incfs.verity xattr's inode is initialized, the
|
||
* inode’s S_VERITY flag is set.
|
||
* 6. When a file with the S_VERITY flag set on its inode is opened, the
|
||
* data_file is checked for its verity digest. If the file doesn’t have a
|
||
* digest, the file’s digest is calculated as above, checked, and set, or the
|
||
* open is denied if it is not valid.
|
||
* 7. FS_IOC_GETFLAGS simply returns the value of the S_VERITY flag
|
||
* 8. FS_IOC_MEASURE_VERITY simply returns the cached digest
|
||
* 9. The final complication is that if FS_IOC_ENABLE_VERITY is called on a file
|
||
* which doesn’t have a merkle tree, the merkle tree is calculated before the
|
||
* rest of the process is completed.
|
||
*/
|
||
|
||
#include <crypto/hash.h>
|
||
#include <crypto/sha.h>
|
||
#include <linux/fsverity.h>
|
||
#include <linux/mount.h>
|
||
|
||
#include "verity.h"
|
||
|
||
#include "data_mgmt.h"
|
||
#include "format.h"
|
||
#include "integrity.h"
|
||
#include "vfs.h"
|
||
|
||
#define FS_VERITY_MAX_SIGNATURE_SIZE 16128
|
||
|
||
static int incfs_get_root_hash(struct file *filp, u8 *root_hash)
|
||
{
|
||
struct data_file *df = get_incfs_data_file(filp);
|
||
|
||
if (!df)
|
||
return -EINVAL;
|
||
|
||
memcpy(root_hash, df->df_hash_tree->root_hash,
|
||
df->df_hash_tree->alg->digest_size);
|
||
|
||
return 0;
|
||
}
|
||
|
||
static int incfs_end_enable_verity(struct file *filp, u8 *sig, size_t sig_size)
|
||
{
|
||
struct inode *inode = file_inode(filp);
|
||
struct mem_range signature = {
|
||
.data = sig,
|
||
.len = sig_size,
|
||
};
|
||
struct data_file *df = get_incfs_data_file(filp);
|
||
struct backing_file_context *bfc;
|
||
int error;
|
||
struct incfs_df_verity_signature *vs = NULL;
|
||
loff_t offset;
|
||
|
||
if (!df || !df->df_backing_file_context)
|
||
return -EFSCORRUPTED;
|
||
|
||
if (sig) {
|
||
vs = kzalloc(sizeof(*vs), GFP_NOFS);
|
||
if (!vs)
|
||
return -ENOMEM;
|
||
}
|
||
|
||
bfc = df->df_backing_file_context;
|
||
error = mutex_lock_interruptible(&bfc->bc_mutex);
|
||
if (error)
|
||
goto out;
|
||
|
||
error = incfs_write_verity_signature_to_backing_file(bfc, signature,
|
||
&offset);
|
||
mutex_unlock(&bfc->bc_mutex);
|
||
if (error)
|
||
goto out;
|
||
|
||
/*
|
||
* Set verity xattr so we can set S_VERITY without opening backing file
|
||
*/
|
||
error = vfs_setxattr(bfc->bc_file->f_path.dentry,
|
||
INCFS_XATTR_VERITY_NAME, NULL, 0, XATTR_CREATE);
|
||
if (error) {
|
||
pr_warn("incfs: error setting verity xattr: %d\n", error);
|
||
goto out;
|
||
}
|
||
|
||
if (sig) {
|
||
*vs = (struct incfs_df_verity_signature) {
|
||
.size = signature.len,
|
||
.offset = offset,
|
||
};
|
||
|
||
df->df_verity_signature = vs;
|
||
vs = NULL;
|
||
}
|
||
|
||
inode_set_flags(inode, S_VERITY, S_VERITY);
|
||
|
||
out:
|
||
kfree(vs);
|
||
return error;
|
||
}
|
||
|
||
static int incfs_compute_file_digest(struct incfs_hash_alg *alg,
|
||
struct fsverity_descriptor *desc,
|
||
u8 *digest)
|
||
{
|
||
SHASH_DESC_ON_STACK(d, alg->shash);
|
||
|
||
d->tfm = alg->shash;
|
||
return crypto_shash_digest(d, (u8 *)desc, sizeof(*desc), digest);
|
||
}
|
||
|
||
static enum incfs_hash_tree_algorithm incfs_convert_fsverity_hash_alg(
|
||
int hash_alg)
|
||
{
|
||
switch (hash_alg) {
|
||
case FS_VERITY_HASH_ALG_SHA256:
|
||
return INCFS_HASH_TREE_SHA256;
|
||
default:
|
||
return -EINVAL;
|
||
}
|
||
}
|
||
|
||
static struct mem_range incfs_get_verity_digest(struct inode *inode)
|
||
{
|
||
struct inode_info *node = get_incfs_node(inode);
|
||
struct data_file *df;
|
||
struct mem_range verity_file_digest;
|
||
|
||
if (!node) {
|
||
pr_warn("Invalid inode\n");
|
||
return range(NULL, 0);
|
||
}
|
||
|
||
df = node->n_file;
|
||
|
||
/*
|
||
* Pairs with the cmpxchg_release() in incfs_set_verity_digest().
|
||
* I.e., another task may publish ->df_verity_file_digest concurrently,
|
||
* executing a RELEASE barrier. We need to use smp_load_acquire() here
|
||
* to safely ACQUIRE the memory the other task published.
|
||
*/
|
||
verity_file_digest.data = smp_load_acquire(
|
||
&df->df_verity_file_digest.data);
|
||
verity_file_digest.len = df->df_verity_file_digest.len;
|
||
return verity_file_digest;
|
||
}
|
||
|
||
static void incfs_set_verity_digest(struct inode *inode,
|
||
struct mem_range verity_file_digest)
|
||
{
|
||
struct inode_info *node = get_incfs_node(inode);
|
||
struct data_file *df;
|
||
|
||
if (!node) {
|
||
pr_warn("Invalid inode\n");
|
||
kfree(verity_file_digest.data);
|
||
return;
|
||
}
|
||
|
||
df = node->n_file;
|
||
df->df_verity_file_digest.len = verity_file_digest.len;
|
||
|
||
/*
|
||
* Multiple tasks may race to set ->df_verity_file_digest.data, so use
|
||
* cmpxchg_release(). This pairs with the smp_load_acquire() in
|
||
* incfs_get_verity_digest(). I.e., here we publish
|
||
* ->df_verity_file_digest.data, with a RELEASE barrier so that other
|
||
* tasks can ACQUIRE it.
|
||
*/
|
||
if (cmpxchg_release(&df->df_verity_file_digest.data, NULL,
|
||
verity_file_digest.data) != NULL)
|
||
/* Lost the race, so free the file_digest we allocated. */
|
||
kfree(verity_file_digest.data);
|
||
}
|
||
|
||
/*
|
||
* Calculate the digest of the fsverity_descriptor. The signature (if present)
|
||
* is also checked.
|
||
*/
|
||
static struct mem_range incfs_calc_verity_digest_from_desc(
|
||
const struct inode *inode,
|
||
struct fsverity_descriptor *desc,
|
||
u8 *signature, size_t sig_size)
|
||
{
|
||
enum incfs_hash_tree_algorithm incfs_hash_alg;
|
||
struct mem_range verity_file_digest;
|
||
int err;
|
||
struct incfs_hash_alg *hash_alg;
|
||
|
||
incfs_hash_alg = incfs_convert_fsverity_hash_alg(desc->hash_algorithm);
|
||
if (incfs_hash_alg < 0)
|
||
return range(ERR_PTR(incfs_hash_alg), 0);
|
||
|
||
hash_alg = incfs_get_hash_alg(incfs_hash_alg);
|
||
if (IS_ERR(hash_alg))
|
||
return range((u8 *)hash_alg, 0);
|
||
|
||
verity_file_digest = range(kzalloc(hash_alg->digest_size, GFP_KERNEL),
|
||
hash_alg->digest_size);
|
||
if (!verity_file_digest.data)
|
||
return range(ERR_PTR(-ENOMEM), 0);
|
||
|
||
err = incfs_compute_file_digest(hash_alg, desc,
|
||
verity_file_digest.data);
|
||
if (err) {
|
||
pr_err("Error %d computing file digest", err);
|
||
goto out;
|
||
}
|
||
pr_debug("Computed file digest: %s:%*phN\n",
|
||
hash_alg->name, (int) verity_file_digest.len,
|
||
verity_file_digest.data);
|
||
|
||
err = __fsverity_verify_signature(inode, signature, sig_size,
|
||
verity_file_digest.data,
|
||
desc->hash_algorithm);
|
||
out:
|
||
if (err) {
|
||
kfree(verity_file_digest.data);
|
||
verity_file_digest = range(ERR_PTR(err), 0);
|
||
}
|
||
return verity_file_digest;
|
||
}
|
||
|
||
static struct fsverity_descriptor *incfs_get_fsverity_descriptor(
|
||
struct file *filp, int hash_algorithm)
|
||
{
|
||
struct inode *inode = file_inode(filp);
|
||
struct fsverity_descriptor *desc = kzalloc(sizeof(*desc), GFP_KERNEL);
|
||
int err;
|
||
|
||
if (!desc)
|
||
return ERR_PTR(-ENOMEM);
|
||
|
||
*desc = (struct fsverity_descriptor) {
|
||
.version = 1,
|
||
.hash_algorithm = hash_algorithm,
|
||
.log_blocksize = ilog2(INCFS_DATA_FILE_BLOCK_SIZE),
|
||
.data_size = cpu_to_le64(inode->i_size),
|
||
};
|
||
|
||
err = incfs_get_root_hash(filp, desc->root_hash);
|
||
if (err) {
|
||
kfree(desc);
|
||
return ERR_PTR(err);
|
||
}
|
||
|
||
return desc;
|
||
}
|
||
|
||
static struct mem_range incfs_calc_verity_digest(
|
||
struct inode *inode, struct file *filp,
|
||
u8 *signature, size_t signature_size,
|
||
int hash_algorithm)
|
||
{
|
||
struct fsverity_descriptor *desc = incfs_get_fsverity_descriptor(filp,
|
||
hash_algorithm);
|
||
struct mem_range verity_file_digest;
|
||
|
||
if (IS_ERR(desc))
|
||
return range((u8 *)desc, 0);
|
||
verity_file_digest = incfs_calc_verity_digest_from_desc(inode, desc,
|
||
signature, signature_size);
|
||
kfree(desc);
|
||
return verity_file_digest;
|
||
}
|
||
|
||
static int incfs_build_merkle_tree(struct file *f, struct data_file *df,
|
||
struct backing_file_context *bfc,
|
||
struct mtree *hash_tree, loff_t hash_offset,
|
||
struct incfs_hash_alg *alg, struct mem_range hash)
|
||
{
|
||
int error = 0;
|
||
int limit, lvl, i, result;
|
||
struct mem_range buf = {.len = INCFS_DATA_FILE_BLOCK_SIZE};
|
||
struct mem_range tmp = {.len = 2 * INCFS_DATA_FILE_BLOCK_SIZE};
|
||
|
||
buf.data = (u8 *)__get_free_pages(GFP_NOFS, get_order(buf.len));
|
||
tmp.data = (u8 *)__get_free_pages(GFP_NOFS, get_order(tmp.len));
|
||
if (!buf.data || !tmp.data) {
|
||
error = -ENOMEM;
|
||
goto out;
|
||
}
|
||
|
||
/*
|
||
* lvl - 1 is the level we are reading, lvl the level we are writing
|
||
* lvl == -1 means actual blocks
|
||
* lvl == hash_tree->depth means root hash
|
||
*/
|
||
limit = df->df_data_block_count;
|
||
for (lvl = 0; lvl <= hash_tree->depth; lvl++) {
|
||
for (i = 0; i < limit; ++i) {
|
||
loff_t hash_level_offset;
|
||
struct mem_range partial_buf = buf;
|
||
|
||
if (lvl == 0)
|
||
result = incfs_read_data_file_block(partial_buf,
|
||
f, i, tmp, NULL, NULL);
|
||
else {
|
||
hash_level_offset = hash_offset +
|
||
hash_tree->hash_level_suboffset[lvl - 1];
|
||
|
||
result = incfs_kread(bfc, partial_buf.data,
|
||
partial_buf.len,
|
||
hash_level_offset + i *
|
||
INCFS_DATA_FILE_BLOCK_SIZE);
|
||
}
|
||
|
||
if (result < 0) {
|
||
error = result;
|
||
goto out;
|
||
}
|
||
|
||
partial_buf.len = result;
|
||
error = incfs_calc_digest(alg, partial_buf, hash);
|
||
if (error)
|
||
goto out;
|
||
|
||
/*
|
||
* last level - only one hash to take and it is stored
|
||
* in the incfs signature record
|
||
*/
|
||
if (lvl == hash_tree->depth)
|
||
break;
|
||
|
||
hash_level_offset = hash_offset +
|
||
hash_tree->hash_level_suboffset[lvl];
|
||
|
||
result = incfs_kwrite(bfc, hash.data, hash.len,
|
||
hash_level_offset + hash.len * i);
|
||
|
||
if (result < 0) {
|
||
error = result;
|
||
goto out;
|
||
}
|
||
|
||
if (result != hash.len) {
|
||
error = -EIO;
|
||
goto out;
|
||
}
|
||
}
|
||
limit = DIV_ROUND_UP(limit,
|
||
INCFS_DATA_FILE_BLOCK_SIZE / hash.len);
|
||
}
|
||
|
||
out:
|
||
free_pages((unsigned long)tmp.data, get_order(tmp.len));
|
||
free_pages((unsigned long)buf.data, get_order(buf.len));
|
||
return error;
|
||
}
|
||
|
||
/*
|
||
* incfs files have a signature record that is separate from the
|
||
* verity_signature record. The signature record does not actually contain a
|
||
* signature, rather it contains the size/offset of the hash tree, and a binary
|
||
* blob which contains the root hash and potentially a signature.
|
||
*
|
||
* If the file was created with a signature record, then this function simply
|
||
* returns.
|
||
*
|
||
* Otherwise it will create a signature record with a minimal binary blob as
|
||
* defined by the structure below, create space for the hash tree and then
|
||
* populate it using incfs_build_merkle_tree
|
||
*/
|
||
static int incfs_add_signature_record(struct file *f)
|
||
{
|
||
/* See incfs_parse_signature */
|
||
struct {
|
||
__le32 version;
|
||
__le32 size_of_hash_info_section;
|
||
struct {
|
||
__le32 hash_algorithm;
|
||
u8 log2_blocksize;
|
||
__le32 salt_size;
|
||
u8 salt[0];
|
||
__le32 hash_size;
|
||
u8 root_hash[32];
|
||
} __packed hash_section;
|
||
__le32 size_of_signing_info_section;
|
||
u8 signing_info_section[0];
|
||
} __packed sig = {
|
||
.version = cpu_to_le32(INCFS_SIGNATURE_VERSION),
|
||
.size_of_hash_info_section =
|
||
cpu_to_le32(sizeof(sig.hash_section)),
|
||
.hash_section = {
|
||
.hash_algorithm = cpu_to_le32(INCFS_HASH_TREE_SHA256),
|
||
.log2_blocksize = ilog2(INCFS_DATA_FILE_BLOCK_SIZE),
|
||
.hash_size = cpu_to_le32(SHA256_DIGEST_SIZE),
|
||
},
|
||
};
|
||
|
||
struct data_file *df = get_incfs_data_file(f);
|
||
struct mtree *hash_tree = NULL;
|
||
struct backing_file_context *bfc;
|
||
int error;
|
||
loff_t hash_offset, sig_offset;
|
||
struct incfs_hash_alg *alg = incfs_get_hash_alg(INCFS_HASH_TREE_SHA256);
|
||
u8 hash_buf[INCFS_MAX_HASH_SIZE];
|
||
int hash_size = alg->digest_size;
|
||
struct mem_range hash = range(hash_buf, hash_size);
|
||
int result;
|
||
struct incfs_df_signature *signature = NULL;
|
||
|
||
if (!df)
|
||
return -EINVAL;
|
||
|
||
if (df->df_header_flags & INCFS_FILE_MAPPED)
|
||
return -EINVAL;
|
||
|
||
/* Already signed? */
|
||
if (df->df_signature && df->df_hash_tree)
|
||
return 0;
|
||
|
||
if (df->df_signature || df->df_hash_tree)
|
||
return -EFSCORRUPTED;
|
||
|
||
/* Add signature metadata record to file */
|
||
hash_tree = incfs_alloc_mtree(range((u8 *)&sig, sizeof(sig)),
|
||
df->df_data_block_count);
|
||
if (IS_ERR(hash_tree))
|
||
return PTR_ERR(hash_tree);
|
||
|
||
bfc = df->df_backing_file_context;
|
||
if (!bfc) {
|
||
error = -EFSCORRUPTED;
|
||
goto out;
|
||
}
|
||
|
||
error = mutex_lock_interruptible(&bfc->bc_mutex);
|
||
if (error)
|
||
goto out;
|
||
|
||
error = incfs_write_signature_to_backing_file(bfc,
|
||
range((u8 *)&sig, sizeof(sig)),
|
||
hash_tree->hash_tree_area_size,
|
||
&hash_offset, &sig_offset);
|
||
mutex_unlock(&bfc->bc_mutex);
|
||
if (error)
|
||
goto out;
|
||
|
||
/* Populate merkle tree */
|
||
error = incfs_build_merkle_tree(f, df, bfc, hash_tree, hash_offset, alg,
|
||
hash);
|
||
if (error)
|
||
goto out;
|
||
|
||
/* Update signature metadata record */
|
||
memcpy(sig.hash_section.root_hash, hash.data, alg->digest_size);
|
||
result = incfs_kwrite(bfc, &sig, sizeof(sig), sig_offset);
|
||
if (result < 0) {
|
||
error = result;
|
||
goto out;
|
||
}
|
||
|
||
if (result != sizeof(sig)) {
|
||
error = -EIO;
|
||
goto out;
|
||
}
|
||
|
||
/* Update in-memory records */
|
||
memcpy(hash_tree->root_hash, hash.data, alg->digest_size);
|
||
signature = kzalloc(sizeof(*signature), GFP_NOFS);
|
||
if (!signature) {
|
||
error = -ENOMEM;
|
||
goto out;
|
||
}
|
||
*signature = (struct incfs_df_signature) {
|
||
.hash_offset = hash_offset,
|
||
.hash_size = hash_tree->hash_tree_area_size,
|
||
.sig_offset = sig_offset,
|
||
.sig_size = sizeof(sig),
|
||
};
|
||
df->df_signature = signature;
|
||
signature = NULL;
|
||
|
||
/*
|
||
* Use memory barrier to prevent readpage seeing the hash tree until
|
||
* it's fully there
|
||
*/
|
||
smp_store_release(&df->df_hash_tree, hash_tree);
|
||
hash_tree = NULL;
|
||
|
||
out:
|
||
kfree(signature);
|
||
kfree(hash_tree);
|
||
return error;
|
||
}
|
||
|
||
static int incfs_enable_verity(struct file *filp,
|
||
const struct fsverity_enable_arg *arg)
|
||
{
|
||
struct inode *inode = file_inode(filp);
|
||
struct data_file *df = get_incfs_data_file(filp);
|
||
u8 *signature = NULL;
|
||
struct mem_range verity_file_digest = range(NULL, 0);
|
||
int err;
|
||
|
||
if (!df)
|
||
return -EFSCORRUPTED;
|
||
|
||
err = mutex_lock_interruptible(&df->df_enable_verity);
|
||
if (err)
|
||
return err;
|
||
|
||
if (IS_VERITY(inode)) {
|
||
err = -EEXIST;
|
||
goto out;
|
||
}
|
||
|
||
err = incfs_add_signature_record(filp);
|
||
if (err)
|
||
goto out;
|
||
|
||
/* Get the signature if the user provided one */
|
||
if (arg->sig_size) {
|
||
signature = memdup_user(u64_to_user_ptr(arg->sig_ptr),
|
||
arg->sig_size);
|
||
if (IS_ERR(signature)) {
|
||
err = PTR_ERR(signature);
|
||
signature = NULL;
|
||
goto out;
|
||
}
|
||
}
|
||
|
||
verity_file_digest = incfs_calc_verity_digest(inode, filp, signature,
|
||
arg->sig_size, arg->hash_algorithm);
|
||
if (IS_ERR(verity_file_digest.data)) {
|
||
err = PTR_ERR(verity_file_digest.data);
|
||
verity_file_digest.data = NULL;
|
||
goto out;
|
||
}
|
||
|
||
err = incfs_end_enable_verity(filp, signature, arg->sig_size);
|
||
if (err)
|
||
goto out;
|
||
|
||
/* Successfully enabled verity */
|
||
incfs_set_verity_digest(inode, verity_file_digest);
|
||
verity_file_digest.data = NULL;
|
||
out:
|
||
mutex_unlock(&df->df_enable_verity);
|
||
kfree(signature);
|
||
kfree(verity_file_digest.data);
|
||
if (err)
|
||
pr_err("%s failed with err %d\n", __func__, err);
|
||
return err;
|
||
}
|
||
|
||
int incfs_ioctl_enable_verity(struct file *filp, const void __user *uarg)
|
||
{
|
||
struct inode *inode = file_inode(filp);
|
||
struct fsverity_enable_arg arg;
|
||
|
||
if (copy_from_user(&arg, uarg, sizeof(arg)))
|
||
return -EFAULT;
|
||
|
||
if (arg.version != 1)
|
||
return -EINVAL;
|
||
|
||
if (arg.__reserved1 ||
|
||
memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
|
||
return -EINVAL;
|
||
|
||
if (arg.hash_algorithm != FS_VERITY_HASH_ALG_SHA256)
|
||
return -EINVAL;
|
||
|
||
if (arg.block_size != PAGE_SIZE)
|
||
return -EINVAL;
|
||
|
||
if (arg.salt_size)
|
||
return -EINVAL;
|
||
|
||
if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
|
||
return -EMSGSIZE;
|
||
|
||
if (S_ISDIR(inode->i_mode))
|
||
return -EISDIR;
|
||
|
||
if (!S_ISREG(inode->i_mode))
|
||
return -EINVAL;
|
||
|
||
return incfs_enable_verity(filp, &arg);
|
||
}
|
||
|
||
static u8 *incfs_get_verity_signature(struct file *filp, size_t *sig_size)
|
||
{
|
||
struct data_file *df = get_incfs_data_file(filp);
|
||
struct incfs_df_verity_signature *vs;
|
||
u8 *signature;
|
||
int res;
|
||
|
||
if (!df || !df->df_backing_file_context)
|
||
return ERR_PTR(-EFSCORRUPTED);
|
||
|
||
vs = df->df_verity_signature;
|
||
if (!vs) {
|
||
*sig_size = 0;
|
||
return NULL;
|
||
}
|
||
|
||
if (!vs->size) {
|
||
*sig_size = 0;
|
||
return ERR_PTR(-EFSCORRUPTED);
|
||
}
|
||
|
||
signature = kzalloc(vs->size, GFP_KERNEL);
|
||
if (!signature)
|
||
return ERR_PTR(-ENOMEM);
|
||
|
||
res = incfs_kread(df->df_backing_file_context,
|
||
signature, vs->size, vs->offset);
|
||
|
||
if (res < 0)
|
||
goto err_out;
|
||
|
||
if (res != vs->size) {
|
||
res = -EINVAL;
|
||
goto err_out;
|
||
}
|
||
|
||
*sig_size = vs->size;
|
||
return signature;
|
||
|
||
err_out:
|
||
kfree(signature);
|
||
return ERR_PTR(res);
|
||
}
|
||
|
||
/* Ensure data_file->df_verity_file_digest is populated */
|
||
static int ensure_verity_info(struct inode *inode, struct file *filp)
|
||
{
|
||
struct mem_range verity_file_digest;
|
||
u8 *signature = NULL;
|
||
size_t sig_size;
|
||
int err = 0;
|
||
|
||
/* See if this file's verity file digest is already cached */
|
||
verity_file_digest = incfs_get_verity_digest(inode);
|
||
if (verity_file_digest.data)
|
||
return 0;
|
||
|
||
signature = incfs_get_verity_signature(filp, &sig_size);
|
||
if (IS_ERR(signature))
|
||
return PTR_ERR(signature);
|
||
|
||
verity_file_digest = incfs_calc_verity_digest(inode, filp, signature,
|
||
sig_size,
|
||
FS_VERITY_HASH_ALG_SHA256);
|
||
if (IS_ERR(verity_file_digest.data)) {
|
||
err = PTR_ERR(verity_file_digest.data);
|
||
goto out;
|
||
}
|
||
|
||
incfs_set_verity_digest(inode, verity_file_digest);
|
||
|
||
out:
|
||
kfree(signature);
|
||
return err;
|
||
}
|
||
|
||
/**
|
||
* incfs_fsverity_file_open() - prepare to open a file that may be
|
||
* verity-enabled
|
||
* @inode: the inode being opened
|
||
* @filp: the struct file being set up
|
||
*
|
||
* When opening a verity file, set up data_file->df_verity_file_digest if not
|
||
* already done. Note that incfs does not allow opening for writing, so there is
|
||
* no need for that check.
|
||
*
|
||
* Return: 0 on success, -errno on failure
|
||
*/
|
||
int incfs_fsverity_file_open(struct inode *inode, struct file *filp)
|
||
{
|
||
if (IS_VERITY(inode))
|
||
return ensure_verity_info(inode, filp);
|
||
|
||
return 0;
|
||
}
|
||
|
||
int incfs_ioctl_measure_verity(struct file *filp, void __user *_uarg)
|
||
{
|
||
struct inode *inode = file_inode(filp);
|
||
struct mem_range verity_file_digest = incfs_get_verity_digest(inode);
|
||
struct fsverity_digest __user *uarg = _uarg;
|
||
struct fsverity_digest arg;
|
||
|
||
if (!verity_file_digest.data || !verity_file_digest.len)
|
||
return -ENODATA; /* not a verity file */
|
||
|
||
/*
|
||
* The user specifies the digest_size their buffer has space for; we can
|
||
* return the digest if it fits in the available space. We write back
|
||
* the actual size, which may be shorter than the user-specified size.
|
||
*/
|
||
|
||
if (get_user(arg.digest_size, &uarg->digest_size))
|
||
return -EFAULT;
|
||
if (arg.digest_size < verity_file_digest.len)
|
||
return -EOVERFLOW;
|
||
|
||
memset(&arg, 0, sizeof(arg));
|
||
arg.digest_algorithm = FS_VERITY_HASH_ALG_SHA256;
|
||
arg.digest_size = verity_file_digest.len;
|
||
|
||
if (copy_to_user(uarg, &arg, sizeof(arg)))
|
||
return -EFAULT;
|
||
|
||
if (copy_to_user(uarg->digest, verity_file_digest.data,
|
||
verity_file_digest.len))
|
||
return -EFAULT;
|
||
|
||
return 0;
|
||
}
|
||
|
||
static int incfs_read_merkle_tree(struct file *filp, void __user *buf,
|
||
u64 start_offset, int length)
|
||
{
|
||
struct mem_range tmp_buf;
|
||
size_t offset;
|
||
int retval = 0;
|
||
int err = 0;
|
||
struct data_file *df = get_incfs_data_file(filp);
|
||
|
||
if (!df)
|
||
return -EINVAL;
|
||
|
||
tmp_buf = (struct mem_range) {
|
||
.data = kzalloc(INCFS_DATA_FILE_BLOCK_SIZE, GFP_NOFS),
|
||
.len = INCFS_DATA_FILE_BLOCK_SIZE,
|
||
};
|
||
if (!tmp_buf.data)
|
||
return -ENOMEM;
|
||
|
||
for (offset = start_offset; offset < start_offset + length;
|
||
offset += tmp_buf.len) {
|
||
err = incfs_read_merkle_tree_blocks(tmp_buf, df, offset);
|
||
|
||
if (err < 0)
|
||
break;
|
||
|
||
if (err != tmp_buf.len)
|
||
break;
|
||
|
||
if (copy_to_user(buf, tmp_buf.data, tmp_buf.len))
|
||
break;
|
||
|
||
buf += tmp_buf.len;
|
||
retval += tmp_buf.len;
|
||
}
|
||
|
||
kfree(tmp_buf.data);
|
||
return retval ? retval : err;
|
||
}
|
||
|
||
static int incfs_read_descriptor(struct file *filp,
|
||
void __user *buf, u64 offset, int length)
|
||
{
|
||
int err;
|
||
struct fsverity_descriptor *desc = incfs_get_fsverity_descriptor(filp,
|
||
FS_VERITY_HASH_ALG_SHA256);
|
||
|
||
if (IS_ERR(desc))
|
||
return PTR_ERR(desc);
|
||
length = min_t(u64, length, sizeof(*desc));
|
||
err = copy_to_user(buf, desc, length);
|
||
kfree(desc);
|
||
return err ? err : length;
|
||
}
|
||
|
||
static int incfs_read_signature(struct file *filp,
|
||
void __user *buf, u64 offset, int length)
|
||
{
|
||
size_t sig_size;
|
||
static u8 *signature;
|
||
int err;
|
||
|
||
signature = incfs_get_verity_signature(filp, &sig_size);
|
||
if (IS_ERR(signature))
|
||
return PTR_ERR(signature);
|
||
|
||
if (!signature)
|
||
return -ENODATA;
|
||
|
||
length = min_t(u64, length, sig_size);
|
||
err = copy_to_user(buf, signature, length);
|
||
kfree(signature);
|
||
return err ? err : length;
|
||
}
|
||
|
||
int incfs_ioctl_read_verity_metadata(struct file *filp,
|
||
const void __user *uarg)
|
||
{
|
||
struct fsverity_read_metadata_arg arg;
|
||
int length;
|
||
void __user *buf;
|
||
|
||
if (copy_from_user(&arg, uarg, sizeof(arg)))
|
||
return -EFAULT;
|
||
|
||
if (arg.__reserved)
|
||
return -EINVAL;
|
||
|
||
/* offset + length must not overflow. */
|
||
if (arg.offset + arg.length < arg.offset)
|
||
return -EINVAL;
|
||
|
||
/* Ensure that the return value will fit in INT_MAX. */
|
||
length = min_t(u64, arg.length, INT_MAX);
|
||
|
||
buf = u64_to_user_ptr(arg.buf_ptr);
|
||
|
||
switch (arg.metadata_type) {
|
||
case FS_VERITY_METADATA_TYPE_MERKLE_TREE:
|
||
return incfs_read_merkle_tree(filp, buf, arg.offset, length);
|
||
case FS_VERITY_METADATA_TYPE_DESCRIPTOR:
|
||
return incfs_read_descriptor(filp, buf, arg.offset, length);
|
||
case FS_VERITY_METADATA_TYPE_SIGNATURE:
|
||
return incfs_read_signature(filp, buf, arg.offset, length);
|
||
default:
|
||
return -EINVAL;
|
||
}
|
||
}
|