forked from torvalds/linux
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity metadata from a file that has fs-verity enabled, including: - The Merkle tree - The fsverity_descriptor (not including the signature if present) - The built-in signature, if present This ioctl has similar semantics to pread(). It is passed the type of metadata to read (one of the above three), and a buffer, offset, and size. It returns the number of bytes read or an error. Separate patches will add support for each of the above metadata types. This patch just adds the ioctl itself. This ioctl doesn't make any assumption about where the metadata is stored on-disk. It does assume the metadata is in a stable format, but that's basically already the case: - The Merkle tree and fsverity_descriptor are defined by how fs-verity file digests are computed; see the "File digest computation" section of Documentation/filesystems/fsverity.rst. Technically, the way in which the levels of the tree are ordered relative to each other wasn't previously specified, but it's logical to put the root level first. - The built-in signature is the value passed to FS_IOC_ENABLE_VERITY. This ioctl is useful because it allows writing a server program that takes a verity file and serves it to a client program, such that the client can do its own fs-verity compatible verification of the file. This only makes sense if the client doesn't trust the server and if the server needs to provide the storage for the client. More concretely, there is interest in using this ability in Android to export APK files (which are protected by fs-verity) to "protected VMs". This would use Protected KVM (https://lwn.net/Articles/836693), which provides an isolated execution environment without having to trust the traditional "host". A "guest" VM can boot from a signed image and perform specific tasks in a minimum trusted environment using files that have fs-verity enabled on the host, without trusting the host or requiring that the guest has its own trusted storage. Technically, it would be possible to duplicate the metadata and store it in separate files for serving. However, that would be less efficient and would require extra care in userspace to maintain file consistency. In addition to the above, the ability to read the built-in signatures is useful because it allows a system that is using the in-kernel signature verification to migrate to userspace signature verification. Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Victor Hsieh <[email protected]> Acked-by: Jaegeuk Kim <[email protected]> Reviewed-by: Chao Yu <[email protected]> Signed-off-by: Eric Biggers <[email protected]>
- Loading branch information
Showing
7 changed files
with
153 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
// SPDX-License-Identifier: GPL-2.0-only | ||
/* | ||
* Ioctl to read verity metadata | ||
* | ||
* Copyright 2021 Google LLC | ||
*/ | ||
|
||
#include "fsverity_private.h" | ||
|
||
#include <linux/uaccess.h> | ||
|
||
/** | ||
* fsverity_ioctl_read_metadata() - read verity metadata from a file | ||
* @filp: file to read the metadata from | ||
* @uarg: user pointer to fsverity_read_metadata_arg | ||
* | ||
* Return: length read on success, 0 on EOF, -errno on failure | ||
*/ | ||
int fsverity_ioctl_read_metadata(struct file *filp, const void __user *uarg) | ||
{ | ||
struct inode *inode = file_inode(filp); | ||
const struct fsverity_info *vi; | ||
struct fsverity_read_metadata_arg arg; | ||
int length; | ||
void __user *buf; | ||
|
||
vi = fsverity_get_info(inode); | ||
if (!vi) | ||
return -ENODATA; /* not a verity file */ | ||
/* | ||
* Note that we don't have to explicitly check that the file is open for | ||
* reading, since verity files can only be opened for reading. | ||
*/ | ||
|
||
if (copy_from_user(&arg, uarg, sizeof(arg))) | ||
return -EFAULT; | ||
|
||
if (arg.__reserved) | ||
return -EINVAL; | ||
|
||
/* offset + length must not overflow. */ | ||
if (arg.offset + arg.length < arg.offset) | ||
return -EINVAL; | ||
|
||
/* Ensure that the return value will fit in INT_MAX. */ | ||
length = min_t(u64, arg.length, INT_MAX); | ||
|
||
buf = u64_to_user_ptr(arg.buf_ptr); | ||
|
||
switch (arg.metadata_type) { | ||
default: | ||
return -EINVAL; | ||
} | ||
} | ||
EXPORT_SYMBOL_GPL(fsverity_ioctl_read_metadata); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters