fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
/*
|
|
|
|
* Ioctl to read verity metadata
|
|
|
|
*
|
|
|
|
* Copyright 2021 Google LLC
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "fsverity_private.h"
|
|
|
|
|
2021-01-16 02:18:17 +08:00
|
|
|
#include <linux/backing-dev.h>
|
|
|
|
#include <linux/highmem.h>
|
|
|
|
#include <linux/sched/signal.h>
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
#include <linux/uaccess.h>
|
|
|
|
|
2021-01-16 02:18:17 +08:00
|
|
|
static int fsverity_read_merkle_tree(struct inode *inode,
|
|
|
|
const struct fsverity_info *vi,
|
|
|
|
void __user *buf, u64 offset, int length)
|
|
|
|
{
|
|
|
|
const struct fsverity_operations *vops = inode->i_sb->s_vop;
|
|
|
|
u64 end_offset;
|
|
|
|
unsigned int offs_in_page;
|
|
|
|
pgoff_t index, last_index;
|
|
|
|
int retval = 0;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
end_offset = min(offset + length, vi->tree_params.tree_size);
|
|
|
|
if (offset >= end_offset)
|
|
|
|
return 0;
|
|
|
|
offs_in_page = offset_in_page(offset);
|
|
|
|
last_index = (end_offset - 1) >> PAGE_SHIFT;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Iterate through each Merkle tree page in the requested range and copy
|
|
|
|
* the requested portion to userspace. Note that the Merkle tree block
|
|
|
|
* size isn't important here, as we are returning a byte stream; i.e.,
|
|
|
|
* we can just work with pages even if the tree block size != PAGE_SIZE.
|
|
|
|
*/
|
|
|
|
for (index = offset >> PAGE_SHIFT; index <= last_index; index++) {
|
|
|
|
unsigned long num_ra_pages =
|
|
|
|
min_t(unsigned long, last_index - index + 1,
|
|
|
|
inode->i_sb->s_bdi->io_pages);
|
|
|
|
unsigned int bytes_to_copy = min_t(u64, end_offset - offset,
|
|
|
|
PAGE_SIZE - offs_in_page);
|
|
|
|
struct page *page;
|
|
|
|
const void *virt;
|
|
|
|
|
|
|
|
page = vops->read_merkle_tree_page(inode, index, num_ra_pages);
|
|
|
|
if (IS_ERR(page)) {
|
|
|
|
err = PTR_ERR(page);
|
|
|
|
fsverity_err(inode,
|
|
|
|
"Error %d reading Merkle tree page %lu",
|
|
|
|
err, index);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2022-08-19 06:40:10 +08:00
|
|
|
virt = kmap_local_page(page);
|
2021-01-16 02:18:17 +08:00
|
|
|
if (copy_to_user(buf, virt + offs_in_page, bytes_to_copy)) {
|
2022-08-19 06:40:10 +08:00
|
|
|
kunmap_local(virt);
|
2021-01-16 02:18:17 +08:00
|
|
|
put_page(page);
|
|
|
|
err = -EFAULT;
|
|
|
|
break;
|
|
|
|
}
|
2022-08-19 06:40:10 +08:00
|
|
|
kunmap_local(virt);
|
2021-01-16 02:18:17 +08:00
|
|
|
put_page(page);
|
|
|
|
|
|
|
|
retval += bytes_to_copy;
|
|
|
|
buf += bytes_to_copy;
|
|
|
|
offset += bytes_to_copy;
|
|
|
|
|
|
|
|
if (fatal_signal_pending(current)) {
|
|
|
|
err = -EINTR;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
cond_resched();
|
|
|
|
offs_in_page = 0;
|
|
|
|
}
|
|
|
|
return retval ? retval : err;
|
|
|
|
}
|
2021-01-16 02:18:18 +08:00
|
|
|
|
|
|
|
/* Copy the requested portion of the buffer to userspace. */
|
|
|
|
static int fsverity_read_buffer(void __user *dst, u64 offset, int length,
|
|
|
|
const void *src, size_t src_length)
|
|
|
|
{
|
|
|
|
if (offset >= src_length)
|
|
|
|
return 0;
|
|
|
|
src += offset;
|
|
|
|
src_length -= offset;
|
|
|
|
|
|
|
|
length = min_t(size_t, length, src_length);
|
|
|
|
|
|
|
|
if (copy_to_user(dst, src, length))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return length;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int fsverity_read_descriptor(struct inode *inode,
|
|
|
|
void __user *buf, u64 offset, int length)
|
|
|
|
{
|
|
|
|
struct fsverity_descriptor *desc;
|
|
|
|
size_t desc_size;
|
|
|
|
int res;
|
|
|
|
|
2022-05-18 21:22:56 +08:00
|
|
|
res = fsverity_get_descriptor(inode, &desc);
|
2021-01-16 02:18:18 +08:00
|
|
|
if (res)
|
|
|
|
return res;
|
|
|
|
|
fsverity: improve documentation for builtin signature support
fsverity builtin signatures (CONFIG_FS_VERITY_BUILTIN_SIGNATURES) aren't
the only way to do signatures with fsverity, and they have some major
limitations. Yet, more users have tried to use them, e.g. recently by
https://github.com/ostreedev/ostree/pull/2640. In most cases this seems
to be because users aren't sufficiently familiar with the limitations of
this feature and what the alternatives are.
Therefore, make some updates to the documentation to try to clarify the
properties of this feature and nudge users in the right direction.
Note that the Integrity Policy Enforcement (IPE) LSM, which is not yet
upstream, is planned to use the builtin signatures. (This differs from
IMA, which uses its own signature mechanism.) For that reason, my
earlier patch "fsverity: mark builtin signatures as deprecated"
(https://lore.kernel.org/r/20221208033548.122704-1-ebiggers@kernel.org),
which marked builtin signatures as "deprecated", was controversial.
This patch therefore stops short of marking the feature as deprecated.
I've also revised the language to focus on better explaining the feature
and what its alternatives are.
Link: https://lore.kernel.org/r/20230620041937.5809-1-ebiggers@kernel.org
Reviewed-by: Colin Walters <walters@verbum.org>
Reviewed-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2023-06-20 12:19:37 +08:00
|
|
|
/* don't include the builtin signature */
|
2021-01-16 02:18:18 +08:00
|
|
|
desc_size = offsetof(struct fsverity_descriptor, signature);
|
|
|
|
desc->sig_size = 0;
|
|
|
|
|
|
|
|
res = fsverity_read_buffer(buf, offset, length, desc, desc_size);
|
|
|
|
|
|
|
|
kfree(desc);
|
|
|
|
return res;
|
|
|
|
}
|
2021-01-16 02:18:19 +08:00
|
|
|
|
|
|
|
static int fsverity_read_signature(struct inode *inode,
|
|
|
|
void __user *buf, u64 offset, int length)
|
|
|
|
{
|
|
|
|
struct fsverity_descriptor *desc;
|
|
|
|
int res;
|
|
|
|
|
2022-05-18 21:22:56 +08:00
|
|
|
res = fsverity_get_descriptor(inode, &desc);
|
2021-01-16 02:18:19 +08:00
|
|
|
if (res)
|
|
|
|
return res;
|
|
|
|
|
|
|
|
if (desc->sig_size == 0) {
|
|
|
|
res = -ENODATA;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
fsverity: improve documentation for builtin signature support
fsverity builtin signatures (CONFIG_FS_VERITY_BUILTIN_SIGNATURES) aren't
the only way to do signatures with fsverity, and they have some major
limitations. Yet, more users have tried to use them, e.g. recently by
https://github.com/ostreedev/ostree/pull/2640. In most cases this seems
to be because users aren't sufficiently familiar with the limitations of
this feature and what the alternatives are.
Therefore, make some updates to the documentation to try to clarify the
properties of this feature and nudge users in the right direction.
Note that the Integrity Policy Enforcement (IPE) LSM, which is not yet
upstream, is planned to use the builtin signatures. (This differs from
IMA, which uses its own signature mechanism.) For that reason, my
earlier patch "fsverity: mark builtin signatures as deprecated"
(https://lore.kernel.org/r/20221208033548.122704-1-ebiggers@kernel.org),
which marked builtin signatures as "deprecated", was controversial.
This patch therefore stops short of marking the feature as deprecated.
I've also revised the language to focus on better explaining the feature
and what its alternatives are.
Link: https://lore.kernel.org/r/20230620041937.5809-1-ebiggers@kernel.org
Reviewed-by: Colin Walters <walters@verbum.org>
Reviewed-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2023-06-20 12:19:37 +08:00
|
|
|
* Include only the builtin signature. fsverity_get_descriptor()
|
2021-01-16 02:18:19 +08:00
|
|
|
* already verified that sig_size is in-bounds.
|
|
|
|
*/
|
|
|
|
res = fsverity_read_buffer(buf, offset, length, desc->signature,
|
|
|
|
le32_to_cpu(desc->sig_size));
|
|
|
|
out:
|
|
|
|
kfree(desc);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
/**
|
|
|
|
* fsverity_ioctl_read_metadata() - read verity metadata from a file
|
|
|
|
* @filp: file to read the metadata from
|
|
|
|
* @uarg: user pointer to fsverity_read_metadata_arg
|
|
|
|
*
|
|
|
|
* Return: length read on success, 0 on EOF, -errno on failure
|
|
|
|
*/
|
|
|
|
int fsverity_ioctl_read_metadata(struct file *filp, const void __user *uarg)
|
|
|
|
{
|
|
|
|
struct inode *inode = file_inode(filp);
|
|
|
|
const struct fsverity_info *vi;
|
|
|
|
struct fsverity_read_metadata_arg arg;
|
|
|
|
int length;
|
|
|
|
void __user *buf;
|
|
|
|
|
|
|
|
vi = fsverity_get_info(inode);
|
|
|
|
if (!vi)
|
|
|
|
return -ENODATA; /* not a verity file */
|
|
|
|
/*
|
|
|
|
* Note that we don't have to explicitly check that the file is open for
|
|
|
|
* reading, since verity files can only be opened for reading.
|
|
|
|
*/
|
|
|
|
|
|
|
|
if (copy_from_user(&arg, uarg, sizeof(arg)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (arg.__reserved)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* offset + length must not overflow. */
|
|
|
|
if (arg.offset + arg.length < arg.offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Ensure that the return value will fit in INT_MAX. */
|
|
|
|
length = min_t(u64, arg.length, INT_MAX);
|
|
|
|
|
|
|
|
buf = u64_to_user_ptr(arg.buf_ptr);
|
|
|
|
|
|
|
|
switch (arg.metadata_type) {
|
2021-01-16 02:18:17 +08:00
|
|
|
case FS_VERITY_METADATA_TYPE_MERKLE_TREE:
|
|
|
|
return fsverity_read_merkle_tree(inode, vi, buf, arg.offset,
|
|
|
|
length);
|
2021-01-16 02:18:18 +08:00
|
|
|
case FS_VERITY_METADATA_TYPE_DESCRIPTOR:
|
|
|
|
return fsverity_read_descriptor(inode, buf, arg.offset, length);
|
2021-01-16 02:18:19 +08:00
|
|
|
case FS_VERITY_METADATA_TYPE_SIGNATURE:
|
|
|
|
return fsverity_read_signature(inode, buf, arg.offset, length);
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fsverity_ioctl_read_metadata);
|