1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright 2020 Google LLC
4 */
5
6 /*
7 * fs-verity integration into incfs
8 *
9 * Since incfs has its own merkle tree implementation, most of fs/verity/ is not
10 * needed. incfs also only needs to support the case where
11 * CONFIG_FS_VERITY_BUILTIN_SIGNATURES=n. Therefore, the integration consists of
12 * the following modifications:
13 *
14 * 1. Add the (optional) verity signature to the incfs file format. (Not really
15 * needed anymore, but this is kept around since this is the behavior of
16 * fs/verity/ even when CONFIG_FS_VERITY_BUILTIN_SIGNATURES=n.)
17 * 2. Add a pointer to the digest of the fs-verity descriptor struct to the
18 * data_file struct that incfs attaches to each file inode.
19 * 3. Add the following ioclts:
20 * - FS_IOC_ENABLE_VERITY
21 * - FS_IOC_GETFLAGS
22 * - FS_IOC_MEASURE_VERITY
23 * 4. When FS_IOC_ENABLE_VERITY is called on a non-verity file, the
24 * fs-verity descriptor struct is populated and digested. Then the S_VERITY
25 * flag is set and the xattr incfs.verity is set. If the signature is
26 * non-NULL, an INCFS_MD_VERITY_SIGNATURE is added to the backing file
27 * containing the signature.
28 * 5. When a file with an incfs.verity xattr's inode is initialized, the
29 * inode’s S_VERITY flag is set.
30 * 6. When a file with the S_VERITY flag set on its inode is opened, the
31 * data_file is checked for its verity digest. If the file doesn’t have a
32 * digest, the file’s digest is calculated as above, checked, and set, or the
33 * open is denied if it is not valid.
34 * 7. FS_IOC_GETFLAGS simply returns the value of the S_VERITY flag
35 * 8. FS_IOC_MEASURE_VERITY simply returns the cached digest
36 * 9. The final complication is that if FS_IOC_ENABLE_VERITY is called on a file
37 * which doesn’t have a merkle tree, the merkle tree is calculated before the
38 * rest of the process is completed.
39 */
40
41 #include <crypto/hash.h>
42 #include <crypto/sha2.h>
43 #include <linux/fsverity.h>
44 #include <linux/mount.h>
45
46 #include "verity.h"
47
48 #include "data_mgmt.h"
49 #include "format.h"
50 #include "integrity.h"
51 #include "vfs.h"
52
53 #define FS_VERITY_MAX_SIGNATURE_SIZE 16128
54
incfs_get_root_hash(struct file * filp,u8 * root_hash)55 static int incfs_get_root_hash(struct file *filp, u8 *root_hash)
56 {
57 struct data_file *df = get_incfs_data_file(filp);
58
59 if (!df)
60 return -EINVAL;
61
62 memcpy(root_hash, df->df_hash_tree->root_hash,
63 df->df_hash_tree->alg->digest_size);
64
65 return 0;
66 }
67
incfs_end_enable_verity(struct file * filp,u8 * sig,size_t sig_size)68 static int incfs_end_enable_verity(struct file *filp, u8 *sig, size_t sig_size)
69 {
70 struct inode *inode = file_inode(filp);
71 struct mem_range signature = {
72 .data = sig,
73 .len = sig_size,
74 };
75 struct data_file *df = get_incfs_data_file(filp);
76 struct backing_file_context *bfc;
77 int error;
78 struct incfs_df_verity_signature *vs = NULL;
79 loff_t offset;
80
81 if (!df || !df->df_backing_file_context)
82 return -EFSCORRUPTED;
83
84 if (sig) {
85 vs = kzalloc(sizeof(*vs), GFP_NOFS);
86 if (!vs)
87 return -ENOMEM;
88 }
89
90 bfc = df->df_backing_file_context;
91 error = mutex_lock_interruptible(&bfc->bc_mutex);
92 if (error)
93 goto out;
94
95 error = incfs_write_verity_signature_to_backing_file(bfc, signature,
96 &offset);
97 mutex_unlock(&bfc->bc_mutex);
98 if (error)
99 goto out;
100
101 /*
102 * Set verity xattr so we can set S_VERITY without opening backing file
103 */
104 error = vfs_setxattr(&nop_mnt_idmap, bfc->bc_file->f_path.dentry,
105 INCFS_XATTR_VERITY_NAME, NULL, 0, XATTR_CREATE);
106 if (error) {
107 pr_warn("incfs: error setting verity xattr: %d\n", error);
108 goto out;
109 }
110
111 if (sig) {
112 *vs = (struct incfs_df_verity_signature) {
113 .size = signature.len,
114 .offset = offset,
115 };
116
117 df->df_verity_signature = vs;
118 vs = NULL;
119 }
120
121 inode_set_flags(inode, S_VERITY, S_VERITY);
122
123 out:
124 kfree(vs);
125 return error;
126 }
127
incfs_compute_file_digest(struct incfs_hash_alg * alg,struct fsverity_descriptor * desc,u8 * digest)128 static int incfs_compute_file_digest(struct incfs_hash_alg *alg,
129 struct fsverity_descriptor *desc,
130 u8 *digest)
131 {
132 SHASH_DESC_ON_STACK(d, alg->shash);
133
134 d->tfm = alg->shash;
135 return crypto_shash_digest(d, (u8 *)desc, sizeof(*desc), digest);
136 }
137
incfs_convert_fsverity_hash_alg(int hash_alg)138 static enum incfs_hash_tree_algorithm incfs_convert_fsverity_hash_alg(
139 int hash_alg)
140 {
141 switch (hash_alg) {
142 case FS_VERITY_HASH_ALG_SHA256:
143 return INCFS_HASH_TREE_SHA256;
144 default:
145 return -EINVAL;
146 }
147 }
148
incfs_get_verity_digest(struct inode * inode)149 static struct mem_range incfs_get_verity_digest(struct inode *inode)
150 {
151 struct inode_info *node = get_incfs_node(inode);
152 struct data_file *df;
153 struct mem_range verity_file_digest;
154
155 if (!node) {
156 pr_warn("Invalid inode\n");
157 return range(NULL, 0);
158 }
159
160 df = node->n_file;
161
162 /*
163 * Pairs with the cmpxchg_release() in incfs_set_verity_digest().
164 * I.e., another task may publish ->df_verity_file_digest concurrently,
165 * executing a RELEASE barrier. We need to use smp_load_acquire() here
166 * to safely ACQUIRE the memory the other task published.
167 */
168 verity_file_digest.data = smp_load_acquire(
169 &df->df_verity_file_digest.data);
170 verity_file_digest.len = df->df_verity_file_digest.len;
171 return verity_file_digest;
172 }
173
incfs_set_verity_digest(struct inode * inode,struct mem_range verity_file_digest)174 static void incfs_set_verity_digest(struct inode *inode,
175 struct mem_range verity_file_digest)
176 {
177 struct inode_info *node = get_incfs_node(inode);
178 struct data_file *df;
179
180 if (!node) {
181 pr_warn("Invalid inode\n");
182 kfree(verity_file_digest.data);
183 return;
184 }
185
186 df = node->n_file;
187 df->df_verity_file_digest.len = verity_file_digest.len;
188
189 /*
190 * Multiple tasks may race to set ->df_verity_file_digest.data, so use
191 * cmpxchg_release(). This pairs with the smp_load_acquire() in
192 * incfs_get_verity_digest(). I.e., here we publish
193 * ->df_verity_file_digest.data, with a RELEASE barrier so that other
194 * tasks can ACQUIRE it.
195 */
196 if (cmpxchg_release(&df->df_verity_file_digest.data, NULL,
197 verity_file_digest.data) != NULL)
198 /* Lost the race, so free the file_digest we allocated. */
199 kfree(verity_file_digest.data);
200 }
201
202 /* Calculate the digest of the fsverity_descriptor. */
incfs_calc_verity_digest_from_desc(const struct inode * inode,struct fsverity_descriptor * desc)203 static struct mem_range incfs_calc_verity_digest_from_desc(
204 const struct inode *inode,
205 struct fsverity_descriptor *desc)
206 {
207 enum incfs_hash_tree_algorithm incfs_hash_alg;
208 struct mem_range verity_file_digest;
209 int err;
210 struct incfs_hash_alg *hash_alg;
211
212 incfs_hash_alg = incfs_convert_fsverity_hash_alg(desc->hash_algorithm);
213 if (incfs_hash_alg < 0)
214 return range(ERR_PTR(incfs_hash_alg), 0);
215
216 hash_alg = incfs_get_hash_alg(incfs_hash_alg);
217 if (IS_ERR(hash_alg))
218 return range((u8 *)hash_alg, 0);
219
220 verity_file_digest = range(kzalloc(hash_alg->digest_size, GFP_KERNEL),
221 hash_alg->digest_size);
222 if (!verity_file_digest.data)
223 return range(ERR_PTR(-ENOMEM), 0);
224
225 err = incfs_compute_file_digest(hash_alg, desc,
226 verity_file_digest.data);
227 if (err) {
228 pr_err("Error %d computing file digest", err);
229 kfree(verity_file_digest.data);
230 return range(ERR_PTR(err), 0);
231 }
232 pr_debug("Computed file digest: %s:%*phN\n",
233 hash_alg->name, (int) verity_file_digest.len,
234 verity_file_digest.data);
235 return verity_file_digest;
236 }
237
incfs_get_fsverity_descriptor(struct file * filp,int hash_algorithm)238 static struct fsverity_descriptor *incfs_get_fsverity_descriptor(
239 struct file *filp, int hash_algorithm)
240 {
241 struct inode *inode = file_inode(filp);
242 struct fsverity_descriptor *desc = kzalloc(sizeof(*desc), GFP_KERNEL);
243 int err;
244
245 if (!desc)
246 return ERR_PTR(-ENOMEM);
247
248 *desc = (struct fsverity_descriptor) {
249 .version = 1,
250 .hash_algorithm = hash_algorithm,
251 .log_blocksize = ilog2(INCFS_DATA_FILE_BLOCK_SIZE),
252 .data_size = cpu_to_le64(inode->i_size),
253 };
254
255 err = incfs_get_root_hash(filp, desc->root_hash);
256 if (err) {
257 kfree(desc);
258 return ERR_PTR(err);
259 }
260
261 return desc;
262 }
263
incfs_calc_verity_digest(struct inode * inode,struct file * filp,int hash_algorithm)264 static struct mem_range incfs_calc_verity_digest(
265 struct inode *inode, struct file *filp,
266 int hash_algorithm)
267 {
268 struct fsverity_descriptor *desc = incfs_get_fsverity_descriptor(filp,
269 hash_algorithm);
270 struct mem_range verity_file_digest;
271
272 if (IS_ERR(desc))
273 return range((u8 *)desc, 0);
274 verity_file_digest = incfs_calc_verity_digest_from_desc(inode, desc);
275 kfree(desc);
276 return verity_file_digest;
277 }
278
incfs_build_merkle_tree(struct file * f,struct data_file * df,struct backing_file_context * bfc,struct mtree * hash_tree,loff_t hash_offset,struct incfs_hash_alg * alg,struct mem_range hash)279 static int incfs_build_merkle_tree(struct file *f, struct data_file *df,
280 struct backing_file_context *bfc,
281 struct mtree *hash_tree, loff_t hash_offset,
282 struct incfs_hash_alg *alg, struct mem_range hash)
283 {
284 int error = 0;
285 int limit, lvl, i, result;
286 struct mem_range buf = {.len = INCFS_DATA_FILE_BLOCK_SIZE};
287 struct mem_range tmp = {.len = 2 * INCFS_DATA_FILE_BLOCK_SIZE};
288
289 buf.data = (u8 *)kzalloc(buf.len, GFP_NOFS);
290 tmp.data = (u8 *)kzalloc(tmp.len, GFP_NOFS);
291 if (!buf.data || !tmp.data) {
292 error = -ENOMEM;
293 goto out;
294 }
295
296 /*
297 * lvl - 1 is the level we are reading, lvl the level we are writing
298 * lvl == -1 means actual blocks
299 * lvl == hash_tree->depth means root hash
300 */
301 limit = df->df_data_block_count;
302 for (lvl = 0; lvl <= hash_tree->depth; lvl++) {
303 for (i = 0; i < limit; ++i) {
304 loff_t hash_level_offset;
305 struct mem_range partial_buf = buf;
306
307 if (lvl == 0)
308 result = incfs_read_data_file_block(partial_buf,
309 f, i, tmp, NULL, NULL);
310 else {
311 hash_level_offset = hash_offset +
312 hash_tree->hash_level_suboffset[lvl - 1];
313
314 result = incfs_kread(bfc, partial_buf.data,
315 partial_buf.len,
316 hash_level_offset + i *
317 INCFS_DATA_FILE_BLOCK_SIZE);
318 }
319
320 if (result < 0) {
321 error = result;
322 goto out;
323 }
324
325 partial_buf.len = result;
326 error = incfs_calc_digest(alg, partial_buf, hash);
327 if (error)
328 goto out;
329
330 /*
331 * last level - only one hash to take and it is stored
332 * in the incfs signature record
333 */
334 if (lvl == hash_tree->depth)
335 break;
336
337 hash_level_offset = hash_offset +
338 hash_tree->hash_level_suboffset[lvl];
339
340 result = incfs_kwrite(bfc, hash.data, hash.len,
341 hash_level_offset + hash.len * i);
342
343 if (result < 0) {
344 error = result;
345 goto out;
346 }
347
348 if (result != hash.len) {
349 error = -EIO;
350 goto out;
351 }
352 }
353 limit = DIV_ROUND_UP(limit,
354 INCFS_DATA_FILE_BLOCK_SIZE / hash.len);
355 }
356
357 out:
358 kfree(tmp.data);
359 kfree(buf.data);
360 return error;
361 }
362
363 /*
364 * incfs files have a signature record that is separate from the
365 * verity_signature record. The signature record does not actually contain a
366 * signature, rather it contains the size/offset of the hash tree, and a binary
367 * blob which contains the root hash and potentially a signature.
368 *
369 * If the file was created with a signature record, then this function simply
370 * returns.
371 *
372 * Otherwise it will create a signature record with a minimal binary blob as
373 * defined by the structure below, create space for the hash tree and then
374 * populate it using incfs_build_merkle_tree
375 */
incfs_add_signature_record(struct file * f)376 static int incfs_add_signature_record(struct file *f)
377 {
378 /* See incfs_parse_signature */
379 struct {
380 __le32 version;
381 __le32 size_of_hash_info_section;
382 struct {
383 __le32 hash_algorithm;
384 u8 log2_blocksize;
385 __le32 salt_size;
386 u8 salt[0];
387 __le32 hash_size;
388 u8 root_hash[32];
389 } __packed hash_section;
390 __le32 size_of_signing_info_section;
391 u8 signing_info_section[0];
392 } __packed sig = {
393 .version = cpu_to_le32(INCFS_SIGNATURE_VERSION),
394 .size_of_hash_info_section =
395 cpu_to_le32(sizeof(sig.hash_section)),
396 .hash_section = {
397 .hash_algorithm = cpu_to_le32(INCFS_HASH_TREE_SHA256),
398 .log2_blocksize = ilog2(INCFS_DATA_FILE_BLOCK_SIZE),
399 .hash_size = cpu_to_le32(SHA256_DIGEST_SIZE),
400 },
401 };
402
403 struct data_file *df = get_incfs_data_file(f);
404 struct mtree *hash_tree = NULL;
405 struct backing_file_context *bfc;
406 int error;
407 loff_t hash_offset, sig_offset;
408 struct incfs_hash_alg *alg = incfs_get_hash_alg(INCFS_HASH_TREE_SHA256);
409 u8 hash_buf[INCFS_MAX_HASH_SIZE];
410 int hash_size = alg->digest_size;
411 struct mem_range hash = range(hash_buf, hash_size);
412 int result;
413 struct incfs_df_signature *signature = NULL;
414
415 if (!df)
416 return -EINVAL;
417
418 if (df->df_header_flags & INCFS_FILE_MAPPED)
419 return -EINVAL;
420
421 /* Already signed? */
422 if (df->df_signature && df->df_hash_tree)
423 return 0;
424
425 if (df->df_signature || df->df_hash_tree)
426 return -EFSCORRUPTED;
427
428 /* Add signature metadata record to file */
429 hash_tree = incfs_alloc_mtree(range((u8 *)&sig, sizeof(sig)),
430 df->df_data_block_count);
431 if (IS_ERR(hash_tree))
432 return PTR_ERR(hash_tree);
433
434 bfc = df->df_backing_file_context;
435 if (!bfc) {
436 error = -EFSCORRUPTED;
437 goto out;
438 }
439
440 error = mutex_lock_interruptible(&bfc->bc_mutex);
441 if (error)
442 goto out;
443
444 error = incfs_write_signature_to_backing_file(bfc,
445 range((u8 *)&sig, sizeof(sig)),
446 hash_tree->hash_tree_area_size,
447 &hash_offset, &sig_offset);
448 mutex_unlock(&bfc->bc_mutex);
449 if (error)
450 goto out;
451
452 /* Populate merkle tree */
453 error = incfs_build_merkle_tree(f, df, bfc, hash_tree, hash_offset, alg,
454 hash);
455 if (error)
456 goto out;
457
458 /* Update signature metadata record */
459 memcpy(sig.hash_section.root_hash, hash.data, alg->digest_size);
460 result = incfs_kwrite(bfc, &sig, sizeof(sig), sig_offset);
461 if (result < 0) {
462 error = result;
463 goto out;
464 }
465
466 if (result != sizeof(sig)) {
467 error = -EIO;
468 goto out;
469 }
470
471 /* Update in-memory records */
472 memcpy(hash_tree->root_hash, hash.data, alg->digest_size);
473 signature = kzalloc(sizeof(*signature), GFP_NOFS);
474 if (!signature) {
475 error = -ENOMEM;
476 goto out;
477 }
478 *signature = (struct incfs_df_signature) {
479 .hash_offset = hash_offset,
480 .hash_size = hash_tree->hash_tree_area_size,
481 .sig_offset = sig_offset,
482 .sig_size = sizeof(sig),
483 };
484 df->df_signature = signature;
485 signature = NULL;
486
487 /*
488 * Use memory barrier to prevent readpage seeing the hash tree until
489 * it's fully there
490 */
491 smp_store_release(&df->df_hash_tree, hash_tree);
492 hash_tree = NULL;
493
494 out:
495 kfree(signature);
496 kfree(hash_tree);
497 return error;
498 }
499
incfs_enable_verity(struct file * filp,const struct fsverity_enable_arg * arg)500 static int incfs_enable_verity(struct file *filp,
501 const struct fsverity_enable_arg *arg)
502 {
503 struct inode *inode = file_inode(filp);
504 struct data_file *df = get_incfs_data_file(filp);
505 u8 *signature = NULL;
506 struct mem_range verity_file_digest = range(NULL, 0);
507 int err;
508
509 if (!df)
510 return -EFSCORRUPTED;
511
512 err = mutex_lock_interruptible(&df->df_enable_verity);
513 if (err)
514 return err;
515
516 if (IS_VERITY(inode)) {
517 err = -EEXIST;
518 goto out;
519 }
520
521 err = incfs_add_signature_record(filp);
522 if (err)
523 goto out;
524
525 /* Get the signature if the user provided one */
526 if (arg->sig_size) {
527 signature = memdup_user(u64_to_user_ptr(arg->sig_ptr),
528 arg->sig_size);
529 if (IS_ERR(signature)) {
530 err = PTR_ERR(signature);
531 signature = NULL;
532 goto out;
533 }
534 }
535
536 verity_file_digest = incfs_calc_verity_digest(inode, filp,
537 arg->hash_algorithm);
538 if (IS_ERR(verity_file_digest.data)) {
539 err = PTR_ERR(verity_file_digest.data);
540 verity_file_digest.data = NULL;
541 goto out;
542 }
543
544 err = incfs_end_enable_verity(filp, signature, arg->sig_size);
545 if (err)
546 goto out;
547
548 /* Successfully enabled verity */
549 incfs_set_verity_digest(inode, verity_file_digest);
550 verity_file_digest.data = NULL;
551 out:
552 mutex_unlock(&df->df_enable_verity);
553 kfree(signature);
554 kfree(verity_file_digest.data);
555 if (err)
556 pr_err("%s failed with err %d\n", __func__, err);
557 return err;
558 }
559
incfs_ioctl_enable_verity(struct file * filp,const void __user * uarg)560 int incfs_ioctl_enable_verity(struct file *filp, const void __user *uarg)
561 {
562 struct inode *inode = file_inode(filp);
563 struct fsverity_enable_arg arg;
564
565 if (copy_from_user(&arg, uarg, sizeof(arg)))
566 return -EFAULT;
567
568 if (arg.version != 1)
569 return -EINVAL;
570
571 if (arg.__reserved1 ||
572 memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2)))
573 return -EINVAL;
574
575 if (arg.hash_algorithm != FS_VERITY_HASH_ALG_SHA256)
576 return -EINVAL;
577
578 if (arg.block_size != PAGE_SIZE)
579 return -EINVAL;
580
581 if (arg.salt_size)
582 return -EINVAL;
583
584 if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
585 return -EMSGSIZE;
586
587 if (S_ISDIR(inode->i_mode))
588 return -EISDIR;
589
590 if (!S_ISREG(inode->i_mode))
591 return -EINVAL;
592
593 return incfs_enable_verity(filp, &arg);
594 }
595
incfs_get_verity_signature(struct file * filp,size_t * sig_size)596 static u8 *incfs_get_verity_signature(struct file *filp, size_t *sig_size)
597 {
598 struct data_file *df = get_incfs_data_file(filp);
599 struct incfs_df_verity_signature *vs;
600 u8 *signature;
601 int res;
602
603 if (!df || !df->df_backing_file_context)
604 return ERR_PTR(-EFSCORRUPTED);
605
606 vs = df->df_verity_signature;
607 if (!vs) {
608 *sig_size = 0;
609 return NULL;
610 }
611
612 if (!vs->size) {
613 *sig_size = 0;
614 return ERR_PTR(-EFSCORRUPTED);
615 }
616
617 signature = kzalloc(vs->size, GFP_KERNEL);
618 if (!signature)
619 return ERR_PTR(-ENOMEM);
620
621 res = incfs_kread(df->df_backing_file_context,
622 signature, vs->size, vs->offset);
623
624 if (res < 0)
625 goto err_out;
626
627 if (res != vs->size) {
628 res = -EINVAL;
629 goto err_out;
630 }
631
632 *sig_size = vs->size;
633 return signature;
634
635 err_out:
636 kfree(signature);
637 return ERR_PTR(res);
638 }
639
640 /* Ensure data_file->df_verity_file_digest is populated */
ensure_verity_info(struct inode * inode,struct file * filp)641 static int ensure_verity_info(struct inode *inode, struct file *filp)
642 {
643 struct mem_range verity_file_digest;
644
645 /* See if this file's verity file digest is already cached */
646 verity_file_digest = incfs_get_verity_digest(inode);
647 if (verity_file_digest.data)
648 return 0;
649
650 verity_file_digest = incfs_calc_verity_digest(inode, filp,
651 FS_VERITY_HASH_ALG_SHA256);
652 if (IS_ERR(verity_file_digest.data))
653 return PTR_ERR(verity_file_digest.data);
654
655 incfs_set_verity_digest(inode, verity_file_digest);
656 return 0;
657 }
658
659 /**
660 * incfs_fsverity_file_open() - prepare to open a file that may be
661 * verity-enabled
662 * @inode: the inode being opened
663 * @filp: the struct file being set up
664 *
665 * When opening a verity file, set up data_file->df_verity_file_digest if not
666 * already done. Note that incfs does not allow opening for writing, so there is
667 * no need for that check.
668 *
669 * Return: 0 on success, -errno on failure
670 */
incfs_fsverity_file_open(struct inode * inode,struct file * filp)671 int incfs_fsverity_file_open(struct inode *inode, struct file *filp)
672 {
673 if (IS_VERITY(inode))
674 return ensure_verity_info(inode, filp);
675
676 return 0;
677 }
678
incfs_ioctl_measure_verity(struct file * filp,void __user * _uarg)679 int incfs_ioctl_measure_verity(struct file *filp, void __user *_uarg)
680 {
681 struct inode *inode = file_inode(filp);
682 struct mem_range verity_file_digest = incfs_get_verity_digest(inode);
683 struct fsverity_digest __user *uarg = _uarg;
684 struct fsverity_digest arg;
685
686 if (!verity_file_digest.data || !verity_file_digest.len)
687 return -ENODATA; /* not a verity file */
688
689 /*
690 * The user specifies the digest_size their buffer has space for; we can
691 * return the digest if it fits in the available space. We write back
692 * the actual size, which may be shorter than the user-specified size.
693 */
694
695 if (get_user(arg.digest_size, &uarg->digest_size))
696 return -EFAULT;
697 if (arg.digest_size < verity_file_digest.len)
698 return -EOVERFLOW;
699
700 memset(&arg, 0, sizeof(arg));
701 arg.digest_algorithm = FS_VERITY_HASH_ALG_SHA256;
702 arg.digest_size = verity_file_digest.len;
703
704 if (copy_to_user(uarg, &arg, sizeof(arg)))
705 return -EFAULT;
706
707 if (copy_to_user(uarg->digest, verity_file_digest.data,
708 verity_file_digest.len))
709 return -EFAULT;
710
711 return 0;
712 }
713
incfs_read_merkle_tree(struct file * filp,void __user * buf,u64 start_offset,int length)714 static int incfs_read_merkle_tree(struct file *filp, void __user *buf,
715 u64 start_offset, int length)
716 {
717 struct mem_range tmp_buf;
718 size_t offset;
719 int retval = 0;
720 int err = 0;
721 struct data_file *df = get_incfs_data_file(filp);
722
723 if (!df)
724 return -EINVAL;
725
726 tmp_buf = (struct mem_range) {
727 .data = kzalloc(INCFS_DATA_FILE_BLOCK_SIZE, GFP_NOFS),
728 .len = INCFS_DATA_FILE_BLOCK_SIZE,
729 };
730 if (!tmp_buf.data)
731 return -ENOMEM;
732
733 for (offset = start_offset; offset < start_offset + length;
734 offset += tmp_buf.len) {
735 err = incfs_read_merkle_tree_blocks(tmp_buf, df, offset);
736
737 if (err < 0)
738 break;
739
740 if (err != tmp_buf.len)
741 break;
742
743 if (copy_to_user(buf, tmp_buf.data, tmp_buf.len))
744 break;
745
746 buf += tmp_buf.len;
747 retval += tmp_buf.len;
748 }
749
750 kfree(tmp_buf.data);
751 return retval ? retval : err;
752 }
753
incfs_read_descriptor(struct file * filp,void __user * buf,u64 offset,int length)754 static int incfs_read_descriptor(struct file *filp,
755 void __user *buf, u64 offset, int length)
756 {
757 int err;
758 struct fsverity_descriptor *desc = incfs_get_fsverity_descriptor(filp,
759 FS_VERITY_HASH_ALG_SHA256);
760
761 if (IS_ERR(desc))
762 return PTR_ERR(desc);
763 length = min_t(u64, length, sizeof(*desc));
764 err = copy_to_user(buf, desc, length);
765 kfree(desc);
766 return err ? err : length;
767 }
768
incfs_read_signature(struct file * filp,void __user * buf,u64 offset,int length)769 static int incfs_read_signature(struct file *filp,
770 void __user *buf, u64 offset, int length)
771 {
772 size_t sig_size;
773 static u8 *signature;
774 int err;
775
776 signature = incfs_get_verity_signature(filp, &sig_size);
777 if (IS_ERR(signature))
778 return PTR_ERR(signature);
779
780 if (!signature)
781 return -ENODATA;
782
783 length = min_t(u64, length, sig_size);
784 err = copy_to_user(buf, signature, length);
785 kfree(signature);
786 return err ? err : length;
787 }
788
incfs_ioctl_read_verity_metadata(struct file * filp,const void __user * uarg)789 int incfs_ioctl_read_verity_metadata(struct file *filp,
790 const void __user *uarg)
791 {
792 struct fsverity_read_metadata_arg arg;
793 int length;
794 void __user *buf;
795
796 if (copy_from_user(&arg, uarg, sizeof(arg)))
797 return -EFAULT;
798
799 if (arg.__reserved)
800 return -EINVAL;
801
802 /* offset + length must not overflow. */
803 if (arg.offset + arg.length < arg.offset)
804 return -EINVAL;
805
806 /* Ensure that the return value will fit in INT_MAX. */
807 length = min_t(u64, arg.length, INT_MAX);
808
809 buf = u64_to_user_ptr(arg.buf_ptr);
810
811 switch (arg.metadata_type) {
812 case FS_VERITY_METADATA_TYPE_MERKLE_TREE:
813 return incfs_read_merkle_tree(filp, buf, arg.offset, length);
814 case FS_VERITY_METADATA_TYPE_DESCRIPTOR:
815 return incfs_read_descriptor(filp, buf, arg.offset, length);
816 case FS_VERITY_METADATA_TYPE_SIGNATURE:
817 return incfs_read_signature(filp, buf, arg.offset, length);
818 default:
819 return -EINVAL;
820 }
821 }
822