1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdlib.h>
18 #include <sys/ioctl.h>
19 #include <sys/stat.h>
20
21 extern "C" {
22 #include <squashfs_utils.h>
23 #include <ext4_sb.h>
24 }
25
26 #if defined(__linux__)
27 #include <linux/fs.h>
28 #elif defined(__APPLE__)
29 #include <sys/disk.h>
30 #define BLKGETSIZE64 DKIOCGETBLOCKCOUNT
31 #define fdatasync(fd) fcntl((fd), F_FULLFSYNC)
32 #endif
33
34 #include "fec_private.h"
35
36 /* used by `find_offset'; returns metadata size for a file size `size' and
37 `roots' Reed-Solomon parity bytes */
38 using size_func = uint64_t (*)(uint64_t size, int roots);
39
40 /* performs a binary search to find a metadata offset from a file so that
41 the metadata size matches function `get_real_size(size, roots)', using
42 the approximate size returned by `get_appr_size' as a starting point */
find_offset(uint64_t file_size,int roots,uint64_t * offset,size_func get_appr_size,size_func get_real_size)43 static int find_offset(uint64_t file_size, int roots, uint64_t *offset,
44 size_func get_appr_size, size_func get_real_size)
45 {
46 check(offset);
47 check(get_appr_size);
48 check(get_real_size);
49
50 if (file_size % FEC_BLOCKSIZE) {
51 /* must be a multiple of block size */
52 error("file size not multiple of " stringify(FEC_BLOCKSIZE));
53 errno = EINVAL;
54 return -1;
55 }
56
57 uint64_t mi = get_appr_size(file_size, roots);
58 uint64_t lo = file_size - mi * 2;
59 uint64_t hi = file_size - mi / 2;
60
61 while (lo < hi) {
62 mi = ((hi + lo) / (2 * FEC_BLOCKSIZE)) * FEC_BLOCKSIZE;
63 uint64_t total = mi + get_real_size(mi, roots);
64
65 if (total < file_size) {
66 lo = mi + FEC_BLOCKSIZE;
67 } else if (total > file_size) {
68 hi = mi;
69 } else {
70 *offset = mi;
71 debug("file_size = %" PRIu64 " -> offset = %" PRIu64, file_size,
72 mi);
73 return 0;
74 }
75 }
76
77 warn("could not determine offset");
78 errno = ERANGE;
79 return -1;
80 }
81
82 /* returns verity metadata size for a `size' byte file */
get_verity_size(uint64_t size,int)83 static uint64_t get_verity_size(uint64_t size, int)
84 {
85 return VERITY_METADATA_SIZE + verity_get_size(size, NULL, NULL);
86 }
87
88 /* computes the verity metadata offset for a file with size `f->size' */
find_verity_offset(fec_handle * f,uint64_t * offset)89 static int find_verity_offset(fec_handle *f, uint64_t *offset)
90 {
91 check(f);
92 check(offset);
93
94 return find_offset(f->data_size, 0, offset, get_verity_size,
95 get_verity_size);
96 }
97
98 /* attempts to read and validate an ecc header from file position `offset' */
parse_ecc_header(fec_handle * f,uint64_t offset)99 static int parse_ecc_header(fec_handle *f, uint64_t offset)
100 {
101 check(f);
102 check(f->ecc.rsn > 0 && f->ecc.rsn < FEC_RSM);
103 check(f->size > sizeof(fec_header));
104
105 debug("offset = %" PRIu64, offset);
106
107 if (offset > f->size - sizeof(fec_header)) {
108 return -1;
109 }
110
111 fec_header header;
112
113 /* there's obviously no ecc data at this point, so there is no need to
114 call fec_pread to access this data */
115 if (!raw_pread(f, &header, sizeof(fec_header), offset)) {
116 error("failed to read: %s", strerror(errno));
117 return -1;
118 }
119
120 /* move offset back to the beginning of the block for validating header */
121 offset -= offset % FEC_BLOCKSIZE;
122
123 if (header.magic != FEC_MAGIC) {
124 return -1;
125 }
126 if (header.version != FEC_VERSION) {
127 error("unsupported ecc version: %u", header.version);
128 return -1;
129 }
130 if (header.size != sizeof(fec_header)) {
131 error("unexpected ecc header size: %u", header.size);
132 return -1;
133 }
134 if (header.roots == 0 || header.roots >= FEC_RSM) {
135 error("invalid ecc roots: %u", header.roots);
136 return -1;
137 }
138 if (f->ecc.roots != (int)header.roots) {
139 error("unexpected number of roots: %d vs %u", f->ecc.roots,
140 header.roots);
141 return -1;
142 }
143 if (header.fec_size % header.roots ||
144 header.fec_size % FEC_BLOCKSIZE) {
145 error("inconsistent ecc size %u", header.fec_size);
146 return -1;
147 }
148
149 f->data_size = header.inp_size;
150 f->ecc.blocks = fec_div_round_up(f->data_size, FEC_BLOCKSIZE);
151 f->ecc.rounds = fec_div_round_up(f->ecc.blocks, f->ecc.rsn);
152
153 if (header.fec_size !=
154 (uint32_t)f->ecc.rounds * f->ecc.roots * FEC_BLOCKSIZE) {
155 error("inconsistent ecc size %u", header.fec_size);
156 return -1;
157 }
158
159 f->ecc.size = header.fec_size;
160 f->ecc.start = header.inp_size;
161
162 /* validate encoding data; caller may opt not to use it if invalid */
163 SHA256_CTX ctx;
164 SHA256_Init(&ctx);
165
166 uint8_t buf[FEC_BLOCKSIZE];
167 uint32_t n = 0;
168 uint32_t len = FEC_BLOCKSIZE;
169
170 while (n < f->ecc.size) {
171 if (len > f->ecc.size - n) {
172 len = f->ecc.size - n;
173 }
174
175 if (!raw_pread(f, buf, len, f->ecc.start + n)) {
176 error("failed to read ecc: %s", strerror(errno));
177 return -1;
178 }
179
180 SHA256_Update(&ctx, buf, len);
181 n += len;
182 }
183
184 uint8_t hash[SHA256_DIGEST_LENGTH];
185 SHA256_Final(hash, &ctx);
186
187 f->ecc.valid = !memcmp(hash, header.hash, SHA256_DIGEST_LENGTH);
188
189 if (!f->ecc.valid) {
190 warn("ecc data not valid");
191 }
192
193 return 0;
194 }
195
196 /* attempts to read an ecc header from `offset', and checks for a backup copy
197 at the end of the block if the primary header is not valid */
parse_ecc(fec_handle * f,uint64_t offset)198 static int parse_ecc(fec_handle *f, uint64_t offset)
199 {
200 check(f);
201 check(offset % FEC_BLOCKSIZE == 0);
202 check(offset < UINT64_MAX - FEC_BLOCKSIZE);
203
204 /* check the primary header at the beginning of the block */
205 if (parse_ecc_header(f, offset) == 0) {
206 return 0;
207 }
208
209 /* check the backup header at the end of the block */
210 if (parse_ecc_header(f, offset + FEC_BLOCKSIZE - sizeof(fec_header)) == 0) {
211 warn("using backup ecc header");
212 return 0;
213 }
214
215 return -1;
216 }
217
218 /* reads the squashfs superblock and returns the size of the file system in
219 `offset' */
get_squashfs_size(fec_handle * f,uint64_t * offset)220 static int get_squashfs_size(fec_handle *f, uint64_t *offset)
221 {
222 check(f);
223 check(offset);
224
225 size_t sb_size = squashfs_get_sb_size();
226 check(sb_size <= SSIZE_MAX);
227
228 uint8_t buffer[sb_size];
229
230 if (fec_pread(f, buffer, sizeof(buffer), 0) != (ssize_t)sb_size) {
231 error("failed to read superblock: %s", strerror(errno));
232 return -1;
233 }
234
235 squashfs_info sq;
236
237 if (squashfs_parse_sb_buffer(buffer, &sq) < 0) {
238 error("failed to parse superblock: %s", strerror(errno));
239 return -1;
240 }
241
242 *offset = sq.bytes_used_4K_padded;
243 return 0;
244 }
245
246 /* reads the ext4 superblock and returns the size of the file system in
247 `offset' */
get_ext4_size(fec_handle * f,uint64_t * offset)248 static int get_ext4_size(fec_handle *f, uint64_t *offset)
249 {
250 check(f);
251 check(f->size > 1024 + sizeof(ext4_super_block));
252 check(offset);
253
254 ext4_super_block sb;
255
256 if (fec_pread(f, &sb, sizeof(sb), 1024) != sizeof(sb)) {
257 error("failed to read superblock: %s", strerror(errno));
258 return -1;
259 }
260
261 fs_info info;
262 info.len = 0; /* only len is set to 0 to ask the device for real size. */
263
264 if (ext4_parse_sb(&sb, &info) != 0) {
265 errno = EINVAL;
266 return -1;
267 }
268
269 *offset = info.len;
270 return 0;
271 }
272
273 /* attempts to determine file system size, if no fs type is specified in
274 `f->flags', tries all supported types, and returns the size in `offset' */
get_fs_size(fec_handle * f,uint64_t * offset)275 static int get_fs_size(fec_handle *f, uint64_t *offset)
276 {
277 check(f);
278 check(offset);
279
280 if (f->flags & FEC_FS_EXT4) {
281 return get_ext4_size(f, offset);
282 } else if (f->flags & FEC_FS_SQUASH) {
283 return get_squashfs_size(f, offset);
284 } else {
285 /* try all alternatives */
286 int rc = get_ext4_size(f, offset);
287
288 if (rc == 0) {
289 debug("found ext4fs");
290 return rc;
291 }
292
293 rc = get_squashfs_size(f, offset);
294
295 if (rc == 0) {
296 debug("found squashfs");
297 }
298
299 return rc;
300 }
301 }
302
303 /* locates, validates, and loads verity metadata from `f->fd' */
load_verity(fec_handle * f)304 static int load_verity(fec_handle *f)
305 {
306 check(f);
307 debug("size = %" PRIu64 ", flags = %d", f->data_size, f->flags);
308
309 uint64_t offset = f->data_size - VERITY_METADATA_SIZE;
310
311 /* verity header is at the end of the data area */
312 if (verity_parse_header(f, offset) == 0) {
313 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
314 f->verity.hash_start);
315 return 0;
316 }
317
318 debug("trying legacy formats");
319
320 /* legacy format at the end of the partition */
321 if (find_verity_offset(f, &offset) == 0 &&
322 verity_parse_header(f, offset) == 0) {
323 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
324 f->verity.hash_start);
325 return 0;
326 }
327
328 /* legacy format after the file system, but not at the end */
329 int rc = get_fs_size(f, &offset);
330
331 if (rc == 0) {
332 debug("file system size = %" PRIu64, offset);
333 rc = verity_parse_header(f, offset);
334
335 if (rc == 0) {
336 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
337 f->verity.hash_start);
338 }
339 }
340
341 return rc;
342 }
343
344 /* locates, validates, and loads ecc data from `f->fd' */
load_ecc(fec_handle * f)345 static int load_ecc(fec_handle *f)
346 {
347 check(f);
348 debug("size = %" PRIu64, f->data_size);
349
350 uint64_t offset = f->data_size - FEC_BLOCKSIZE;
351
352 if (parse_ecc(f, offset) == 0) {
353 debug("found at %" PRIu64 " (start %" PRIu64 ")", offset,
354 f->ecc.start);
355 return 0;
356 }
357
358 return -1;
359 }
360
361 /* sets `f->size' to the size of the file or block device */
get_size(fec_handle * f)362 static int get_size(fec_handle *f)
363 {
364 check(f);
365
366 struct stat st;
367
368 if (fstat(f->fd, &st) == -1) {
369 error("fstat failed: %s", strerror(errno));
370 return -1;
371 }
372
373 if (S_ISBLK(st.st_mode)) {
374 debug("block device");
375
376 if (ioctl(f->fd, BLKGETSIZE64, &f->size) == -1) {
377 error("ioctl failed: %s", strerror(errno));
378 return -1;
379 }
380 } else if (S_ISREG(st.st_mode)) {
381 debug("file");
382 f->size = st.st_size;
383 } else {
384 error("unsupported type %d", (int)st.st_mode);
385 errno = EACCES;
386 return -1;
387 }
388
389 return 0;
390 }
391
392 /* clears fec_handle fiels to safe values */
reset_handle(fec_handle * f)393 static void reset_handle(fec_handle *f)
394 {
395 f->fd = -1;
396 f->flags = 0;
397 f->mode = 0;
398 f->errors = 0;
399 f->data_size = 0;
400 f->pos = 0;
401 f->size = 0;
402
403 memset(&f->ecc, 0, sizeof(f->ecc));
404 memset(&f->verity, 0, sizeof(f->verity));
405 }
406
407 /* closes and flushes `f->fd' and releases any memory allocated for `f' */
fec_close(struct fec_handle * f)408 int fec_close(struct fec_handle *f)
409 {
410 check(f);
411
412 if (f->fd != -1) {
413 if (f->mode & O_RDWR && fdatasync(f->fd) == -1) {
414 warn("fdatasync failed: %s", strerror(errno));
415 }
416
417 TEMP_FAILURE_RETRY(close(f->fd));
418 }
419
420 if (f->verity.hash) {
421 delete[] f->verity.hash;
422 }
423 if (f->verity.salt) {
424 delete[] f->verity.salt;
425 }
426 if (f->verity.table) {
427 delete[] f->verity.table;
428 }
429
430 pthread_mutex_destroy(&f->mutex);
431
432 reset_handle(f);
433 delete f;
434
435 return 0;
436 }
437
438 /* populates `data' from the internal data in `f', returns a value <0 if verity
439 metadata is not available in `f->fd' */
fec_verity_get_metadata(struct fec_handle * f,struct fec_verity_metadata * data)440 int fec_verity_get_metadata(struct fec_handle *f, struct fec_verity_metadata *data)
441 {
442 check(f);
443 check(data);
444
445 if (!f->verity.metadata_start) {
446 return -1;
447 }
448
449 check(f->data_size < f->size);
450 check(f->data_size <= f->verity.hash_start);
451 check(f->data_size <= f->verity.metadata_start);
452 check(f->verity.table);
453
454 data->disabled = f->verity.disabled;
455 data->data_size = f->data_size;
456 memcpy(data->signature, f->verity.header.signature,
457 sizeof(data->signature));
458 memcpy(data->ecc_signature, f->verity.ecc_header.signature,
459 sizeof(data->ecc_signature));
460 data->table = f->verity.table;
461 data->table_length = f->verity.header.length;
462
463 return 0;
464 }
465
466 /* populates `data' from the internal data in `f', returns a value <0 if ecc
467 metadata is not available in `f->fd' */
fec_ecc_get_metadata(struct fec_handle * f,struct fec_ecc_metadata * data)468 int fec_ecc_get_metadata(struct fec_handle *f, struct fec_ecc_metadata *data)
469 {
470 check(f);
471 check(data);
472
473 if (!f->ecc.start) {
474 return -1;
475 }
476
477 check(f->data_size < f->size);
478 check(f->ecc.start >= f->data_size);
479 check(f->ecc.start < f->size);
480 check(f->ecc.start % FEC_BLOCKSIZE == 0)
481
482 data->valid = f->ecc.valid;
483 data->roots = f->ecc.roots;
484 data->blocks = f->ecc.blocks;
485 data->rounds = f->ecc.rounds;
486 data->start = f->ecc.start;
487
488 return 0;
489 }
490
491 /* populates `data' from the internal status in `f' */
fec_get_status(struct fec_handle * f,struct fec_status * s)492 int fec_get_status(struct fec_handle *f, struct fec_status *s)
493 {
494 check(f);
495 check(s);
496
497 s->flags = f->flags;
498 s->mode = f->mode;
499 s->errors = f->errors;
500 s->data_size = f->data_size;
501 s->size = f->size;
502
503 return 0;
504 }
505
506 /* opens `path' using given options and returns a fec_handle in `handle' if
507 successful */
fec_open(struct fec_handle ** handle,const char * path,int mode,int flags,int roots)508 int fec_open(struct fec_handle **handle, const char *path, int mode, int flags,
509 int roots)
510 {
511 check(path);
512 check(handle);
513 check(roots > 0 && roots < FEC_RSM);
514
515 debug("path = %s, mode = %d, flags = %d, roots = %d", path, mode, flags,
516 roots);
517
518 if (mode & (O_CREAT | O_TRUNC | O_EXCL | O_WRONLY)) {
519 /* only reading and updating existing files is supported */
520 error("failed to open '%s': (unsupported mode %d)", path, mode);
521 errno = EACCES;
522 return -1;
523 }
524
525 fec::handle f(new (std::nothrow) fec_handle, fec_close);
526
527 if (unlikely(!f)) {
528 error("failed to allocate file handle");
529 errno = ENOMEM;
530 return -1;
531 }
532
533 reset_handle(f.get());
534
535 f->mode = mode;
536 f->ecc.roots = roots;
537 f->ecc.rsn = FEC_RSM - roots;
538 f->flags = flags;
539
540 if (unlikely(pthread_mutex_init(&f->mutex, NULL) != 0)) {
541 error("failed to create a mutex: %s", strerror(errno));
542 return -1;
543 }
544
545 f->fd = TEMP_FAILURE_RETRY(open(path, mode | O_CLOEXEC));
546
547 if (f->fd == -1) {
548 error("failed to open '%s': %s", path, strerror(errno));
549 return -1;
550 }
551
552 if (get_size(f.get()) == -1) {
553 error("failed to get size for '%s': %s", path, strerror(errno));
554 return -1;
555 }
556
557 f->data_size = f->size; /* until ecc and/or verity are loaded */
558
559 if (load_ecc(f.get()) == -1) {
560 debug("error-correcting codes not found from '%s'", path);
561 }
562
563 if (load_verity(f.get()) == -1) {
564 debug("verity metadata not found from '%s'", path);
565 }
566
567 *handle = f.release();
568 return 0;
569 }
570