1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdlib.h>
18 #include <sys/ioctl.h>
19 #include <sys/stat.h>
20
21 #include <ext4_utils/ext4_sb.h>
22 #include <squashfs_utils.h>
23
24 #if defined(__linux__)
25 #include <linux/fs.h>
26 #elif defined(__APPLE__)
27 #include <sys/disk.h>
28 #define BLKGETSIZE64 DKIOCGETBLOCKCOUNT
29 #define fdatasync(fd) fcntl((fd), F_FULLFSYNC)
30 #endif
31
32 #include "fec_private.h"
33
34 /* used by `find_offset'; returns metadata size for a file size `size' and
35 `roots' Reed-Solomon parity bytes */
36 using size_func = uint64_t (*)(uint64_t size, int roots);
37
38 /* performs a binary search to find a metadata offset from a file so that
39 the metadata size matches function `get_real_size(size, roots)', using
40 the approximate size returned by `get_appr_size' as a starting point */
find_offset(uint64_t file_size,int roots,uint64_t * offset,size_func get_appr_size,size_func get_real_size)41 static int find_offset(uint64_t file_size, int roots, uint64_t *offset,
42 size_func get_appr_size, size_func get_real_size)
43 {
44 check(offset);
45 check(get_appr_size);
46 check(get_real_size);
47
48 if (file_size % FEC_BLOCKSIZE) {
49 /* must be a multiple of block size */
50 error("file size not multiple of " stringify(FEC_BLOCKSIZE));
51 errno = EINVAL;
52 return -1;
53 }
54
55 uint64_t mi = get_appr_size(file_size, roots);
56 uint64_t lo = file_size - mi * 2;
57 uint64_t hi = file_size - mi / 2;
58
59 while (lo < hi) {
60 mi = ((hi + lo) / (2 * FEC_BLOCKSIZE)) * FEC_BLOCKSIZE;
61 uint64_t total = mi + get_real_size(mi, roots);
62
63 if (total < file_size) {
64 lo = mi + FEC_BLOCKSIZE;
65 } else if (total > file_size) {
66 hi = mi;
67 } else {
68 *offset = mi;
69 debug("file_size = %" PRIu64 " -> offset = %" PRIu64, file_size,
70 mi);
71 return 0;
72 }
73 }
74
75 warn("could not determine offset");
76 errno = ERANGE;
77 return -1;
78 }
79
80 /* returns verity metadata size for a `size' byte file */
get_verity_size(uint64_t size,int)81 static uint64_t get_verity_size(uint64_t size, int)
82 {
83 return VERITY_METADATA_SIZE + verity_get_size(size, NULL, NULL);
84 }
85
86 /* computes the verity metadata offset for a file with size `f->size' */
find_verity_offset(fec_handle * f,uint64_t * offset)87 static int find_verity_offset(fec_handle *f, uint64_t *offset)
88 {
89 check(f);
90 check(offset);
91
92 return find_offset(f->data_size, 0, offset, get_verity_size,
93 get_verity_size);
94 }
95
96 /* attempts to read and validate an ecc header from file position `offset' */
parse_ecc_header(fec_handle * f,uint64_t offset)97 static int parse_ecc_header(fec_handle *f, uint64_t offset)
98 {
99 check(f);
100 check(f->ecc.rsn > 0 && f->ecc.rsn < FEC_RSM);
101 check(f->size > sizeof(fec_header));
102
103 debug("offset = %" PRIu64, offset);
104
105 if (offset > f->size - sizeof(fec_header)) {
106 return -1;
107 }
108
109 fec_header header;
110
111 /* there's obviously no ecc data at this point, so there is no need to
112 call fec_pread to access this data */
113 if (!raw_pread(f, &header, sizeof(fec_header), offset)) {
114 error("failed to read: %s", strerror(errno));
115 return -1;
116 }
117
118 /* move offset back to the beginning of the block for validating header */
119 offset -= offset % FEC_BLOCKSIZE;
120
121 if (header.magic != FEC_MAGIC) {
122 return -1;
123 }
124 if (header.version != FEC_VERSION) {
125 error("unsupported ecc version: %u", header.version);
126 return -1;
127 }
128 if (header.size != sizeof(fec_header)) {
129 error("unexpected ecc header size: %u", header.size);
130 return -1;
131 }
132 if (header.roots == 0 || header.roots >= FEC_RSM) {
133 error("invalid ecc roots: %u", header.roots);
134 return -1;
135 }
136 if (f->ecc.roots != (int)header.roots) {
137 error("unexpected number of roots: %d vs %u", f->ecc.roots,
138 header.roots);
139 return -1;
140 }
141 if (header.fec_size % header.roots ||
142 header.fec_size % FEC_BLOCKSIZE) {
143 error("inconsistent ecc size %u", header.fec_size);
144 return -1;
145 }
146
147 f->data_size = header.inp_size;
148 f->ecc.blocks = fec_div_round_up(f->data_size, FEC_BLOCKSIZE);
149 f->ecc.rounds = fec_div_round_up(f->ecc.blocks, f->ecc.rsn);
150
151 if (header.fec_size !=
152 (uint32_t)f->ecc.rounds * f->ecc.roots * FEC_BLOCKSIZE) {
153 error("inconsistent ecc size %u", header.fec_size);
154 return -1;
155 }
156
157 f->ecc.size = header.fec_size;
158 f->ecc.start = header.inp_size;
159
160 /* validate encoding data; caller may opt not to use it if invalid */
161 SHA256_CTX ctx;
162 SHA256_Init(&ctx);
163
164 uint8_t buf[FEC_BLOCKSIZE];
165 uint32_t n = 0;
166 uint32_t len = FEC_BLOCKSIZE;
167
168 while (n < f->ecc.size) {
169 if (len > f->ecc.size - n) {
170 len = f->ecc.size - n;
171 }
172
173 if (!raw_pread(f, buf, len, f->ecc.start + n)) {
174 error("failed to read ecc: %s", strerror(errno));
175 return -1;
176 }
177
178 SHA256_Update(&ctx, buf, len);
179 n += len;
180 }
181
182 uint8_t hash[SHA256_DIGEST_LENGTH];
183 SHA256_Final(hash, &ctx);
184
185 f->ecc.valid = !memcmp(hash, header.hash, SHA256_DIGEST_LENGTH);
186
187 if (!f->ecc.valid) {
188 warn("ecc data not valid");
189 }
190
191 return 0;
192 }
193
194 /* attempts to read an ecc header from `offset', and checks for a backup copy
195 at the end of the block if the primary header is not valid */
parse_ecc(fec_handle * f,uint64_t offset)196 static int parse_ecc(fec_handle *f, uint64_t offset)
197 {
198 check(f);
199 check(offset % FEC_BLOCKSIZE == 0);
200 check(offset < UINT64_MAX - FEC_BLOCKSIZE);
201
202 /* check the primary header at the beginning of the block */
203 if (parse_ecc_header(f, offset) == 0) {
204 return 0;
205 }
206
207 /* check the backup header at the end of the block */
208 if (parse_ecc_header(f, offset + FEC_BLOCKSIZE - sizeof(fec_header)) == 0) {
209 warn("using backup ecc header");
210 return 0;
211 }
212
213 return -1;
214 }
215
216 /* reads the squashfs superblock and returns the size of the file system in
217 `offset' */
get_squashfs_size(fec_handle * f,uint64_t * offset)218 static int get_squashfs_size(fec_handle *f, uint64_t *offset)
219 {
220 check(f);
221 check(offset);
222
223 size_t sb_size = squashfs_get_sb_size();
224 check(sb_size <= SSIZE_MAX);
225
226 uint8_t buffer[sb_size];
227
228 if (fec_pread(f, buffer, sizeof(buffer), 0) != (ssize_t)sb_size) {
229 error("failed to read superblock: %s", strerror(errno));
230 return -1;
231 }
232
233 squashfs_info sq;
234
235 if (squashfs_parse_sb_buffer(buffer, &sq) < 0) {
236 error("failed to parse superblock: %s", strerror(errno));
237 return -1;
238 }
239
240 *offset = sq.bytes_used_4K_padded;
241 return 0;
242 }
243
244 /* reads the ext4 superblock and returns the size of the file system in
245 `offset' */
get_ext4_size(fec_handle * f,uint64_t * offset)246 static int get_ext4_size(fec_handle *f, uint64_t *offset)
247 {
248 check(f);
249 check(f->size > 1024 + sizeof(ext4_super_block));
250 check(offset);
251
252 ext4_super_block sb;
253
254 if (fec_pread(f, &sb, sizeof(sb), 1024) != sizeof(sb)) {
255 error("failed to read superblock: %s", strerror(errno));
256 return -1;
257 }
258
259 fs_info info;
260 info.len = 0; /* only len is set to 0 to ask the device for real size. */
261
262 if (ext4_parse_sb(&sb, &info) != 0) {
263 errno = EINVAL;
264 return -1;
265 }
266
267 *offset = info.len;
268 return 0;
269 }
270
271 /* attempts to determine file system size, if no fs type is specified in
272 `f->flags', tries all supported types, and returns the size in `offset' */
get_fs_size(fec_handle * f,uint64_t * offset)273 static int get_fs_size(fec_handle *f, uint64_t *offset)
274 {
275 check(f);
276 check(offset);
277
278 if (f->flags & FEC_FS_EXT4) {
279 return get_ext4_size(f, offset);
280 } else if (f->flags & FEC_FS_SQUASH) {
281 return get_squashfs_size(f, offset);
282 } else {
283 /* try all alternatives */
284 int rc = get_ext4_size(f, offset);
285
286 if (rc == 0) {
287 debug("found ext4fs");
288 return rc;
289 }
290
291 rc = get_squashfs_size(f, offset);
292
293 if (rc == 0) {
294 debug("found squashfs");
295 }
296
297 return rc;
298 }
299 }
300
301 /* locates, validates, and loads verity metadata from `f->fd' */
load_verity(fec_handle * f)302 static int load_verity(fec_handle *f)
303 {
304 check(f);
305 debug("size = %" PRIu64 ", flags = %d", f->data_size, f->flags);
306
307 uint64_t offset = f->data_size - VERITY_METADATA_SIZE;
308
309 /* verity header is at the end of the data area */
310 if (verity_parse_header(f, offset) == 0) {
311 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
312 f->verity.hash_start);
313 return 0;
314 }
315
316 debug("trying legacy formats");
317
318 /* legacy format at the end of the partition */
319 if (find_verity_offset(f, &offset) == 0 &&
320 verity_parse_header(f, offset) == 0) {
321 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
322 f->verity.hash_start);
323 return 0;
324 }
325
326 /* legacy format after the file system, but not at the end */
327 int rc = get_fs_size(f, &offset);
328 if (rc == 0) {
329 debug("file system size = %" PRIu64, offset);
330 /* Jump over the verity tree appended to the filesystem */
331 offset += verity_get_size(offset, NULL, NULL);
332 rc = verity_parse_header(f, offset);
333
334 if (rc == 0) {
335 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
336 f->verity.hash_start);
337 }
338 }
339
340 return rc;
341 }
342
343 /* locates, validates, and loads ecc data from `f->fd' */
load_ecc(fec_handle * f)344 static int load_ecc(fec_handle *f)
345 {
346 check(f);
347 debug("size = %" PRIu64, f->data_size);
348
349 uint64_t offset = f->data_size - FEC_BLOCKSIZE;
350
351 if (parse_ecc(f, offset) == 0) {
352 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
353 f->ecc.start);
354 return 0;
355 }
356
357 return -1;
358 }
359
360 /* sets `f->size' to the size of the file or block device */
get_size(fec_handle * f)361 static int get_size(fec_handle *f)
362 {
363 check(f);
364
365 struct stat st;
366
367 if (fstat(f->fd, &st) == -1) {
368 error("fstat failed: %s", strerror(errno));
369 return -1;
370 }
371
372 if (S_ISBLK(st.st_mode)) {
373 debug("block device");
374
375 if (ioctl(f->fd, BLKGETSIZE64, &f->size) == -1) {
376 error("ioctl failed: %s", strerror(errno));
377 return -1;
378 }
379 } else if (S_ISREG(st.st_mode)) {
380 debug("file");
381 f->size = st.st_size;
382 } else {
383 error("unsupported type %d", (int)st.st_mode);
384 errno = EACCES;
385 return -1;
386 }
387
388 return 0;
389 }
390
391 /* clears fec_handle fiels to safe values */
reset_handle(fec_handle * f)392 static void reset_handle(fec_handle *f)
393 {
394 f->fd = -1;
395 f->flags = 0;
396 f->mode = 0;
397 f->errors = 0;
398 f->data_size = 0;
399 f->pos = 0;
400 f->size = 0;
401
402 memset(&f->ecc, 0, sizeof(f->ecc));
403 memset(&f->verity, 0, sizeof(f->verity));
404 }
405
406 /* closes and flushes `f->fd' and releases any memory allocated for `f' */
fec_close(struct fec_handle * f)407 int fec_close(struct fec_handle *f)
408 {
409 check(f);
410
411 if (f->fd != -1) {
412 if (f->mode & O_RDWR && fdatasync(f->fd) == -1) {
413 warn("fdatasync failed: %s", strerror(errno));
414 }
415
416 close(f->fd);
417 }
418
419 if (f->verity.hash) {
420 delete[] f->verity.hash;
421 }
422 if (f->verity.salt) {
423 delete[] f->verity.salt;
424 }
425 if (f->verity.table) {
426 delete[] f->verity.table;
427 }
428
429 pthread_mutex_destroy(&f->mutex);
430
431 reset_handle(f);
432 delete f;
433
434 return 0;
435 }
436
437 /* populates `data' from the internal data in `f', returns a value <0 if verity
438 metadata is not available in `f->fd' */
fec_verity_get_metadata(struct fec_handle * f,struct fec_verity_metadata * data)439 int fec_verity_get_metadata(struct fec_handle *f, struct fec_verity_metadata *data)
440 {
441 check(f);
442 check(data);
443
444 if (!f->verity.metadata_start) {
445 return -1;
446 }
447
448 check(f->data_size < f->size);
449 check(f->data_size <= f->verity.hash_start);
450 check(f->data_size <= f->verity.metadata_start);
451 check(f->verity.table);
452
453 data->disabled = f->verity.disabled;
454 data->data_size = f->data_size;
455 memcpy(data->signature, f->verity.header.signature,
456 sizeof(data->signature));
457 memcpy(data->ecc_signature, f->verity.ecc_header.signature,
458 sizeof(data->ecc_signature));
459 data->table = f->verity.table;
460 data->table_length = f->verity.header.length;
461
462 return 0;
463 }
464
465 /* populates `data' from the internal data in `f', returns a value <0 if ecc
466 metadata is not available in `f->fd' */
fec_ecc_get_metadata(struct fec_handle * f,struct fec_ecc_metadata * data)467 int fec_ecc_get_metadata(struct fec_handle *f, struct fec_ecc_metadata *data)
468 {
469 check(f);
470 check(data);
471
472 if (!f->ecc.start) {
473 return -1;
474 }
475
476 check(f->data_size < f->size);
477 check(f->ecc.start >= f->data_size);
478 check(f->ecc.start < f->size);
479 check(f->ecc.start % FEC_BLOCKSIZE == 0)
480
481 data->valid = f->ecc.valid;
482 data->roots = f->ecc.roots;
483 data->blocks = f->ecc.blocks;
484 data->rounds = f->ecc.rounds;
485 data->start = f->ecc.start;
486
487 return 0;
488 }
489
490 /* populates `data' from the internal status in `f' */
fec_get_status(struct fec_handle * f,struct fec_status * s)491 int fec_get_status(struct fec_handle *f, struct fec_status *s)
492 {
493 check(f);
494 check(s);
495
496 s->flags = f->flags;
497 s->mode = f->mode;
498 s->errors = f->errors;
499 s->data_size = f->data_size;
500 s->size = f->size;
501
502 return 0;
503 }
504
505 /* opens `path' using given options and returns a fec_handle in `handle' if
506 successful */
fec_open(struct fec_handle ** handle,const char * path,int mode,int flags,int roots)507 int fec_open(struct fec_handle **handle, const char *path, int mode, int flags,
508 int roots)
509 {
510 check(path);
511 check(handle);
512 check(roots > 0 && roots < FEC_RSM);
513
514 debug("path = %s, mode = %d, flags = %d, roots = %d", path, mode, flags,
515 roots);
516
517 if (mode & (O_CREAT | O_TRUNC | O_EXCL | O_WRONLY)) {
518 /* only reading and updating existing files is supported */
519 error("failed to open '%s': (unsupported mode %d)", path, mode);
520 errno = EACCES;
521 return -1;
522 }
523
524 fec::handle f(new (std::nothrow) fec_handle, fec_close);
525
526 if (unlikely(!f)) {
527 error("failed to allocate file handle");
528 errno = ENOMEM;
529 return -1;
530 }
531
532 reset_handle(f.get());
533
534 f->mode = mode;
535 f->ecc.roots = roots;
536 f->ecc.rsn = FEC_RSM - roots;
537 f->flags = flags;
538
539 if (unlikely(pthread_mutex_init(&f->mutex, NULL) != 0)) {
540 error("failed to create a mutex: %s", strerror(errno));
541 return -1;
542 }
543
544 f->fd = TEMP_FAILURE_RETRY(open(path, mode | O_CLOEXEC));
545
546 if (f->fd == -1) {
547 error("failed to open '%s': %s", path, strerror(errno));
548 return -1;
549 }
550
551 if (get_size(f.get()) == -1) {
552 error("failed to get size for '%s': %s", path, strerror(errno));
553 return -1;
554 }
555
556 f->data_size = f->size; /* until ecc and/or verity are loaded */
557
558 if (load_ecc(f.get()) == -1) {
559 debug("error-correcting codes not found from '%s'", path);
560 }
561
562 if (load_verity(f.get()) == -1) {
563 debug("verity metadata not found from '%s'", path);
564 }
565
566 *handle = f.release();
567 return 0;
568 }
569