tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'tags/upstream-4.20-rc1' of git://git.infradead.org/linux-ubifs

Pull UBIFS updates from Richard Weinberger:

- Full filesystem authentication feature, UBIFS is now able to have the
whole filesystem structure authenticated plus user data encrypted and
authenticated.

- Minor cleanups

* tag 'tags/upstream-4.20-rc1' of git://git.infradead.org/linux-ubifs: (26 commits)
ubifs: Remove unneeded semicolon
Documentation: ubifs: Add authentication whitepaper
ubifs: Enable authentication support
ubifs: Do not update inode size in-place in authenticated mode
ubifs: Add hashes and HMACs to default filesystem
ubifs: authentication: Authenticate super block node
ubifs: Create hash for default LPT
ubfis: authentication: Authenticate master node
ubifs: authentication: Authenticate LPT
ubifs: Authenticate replayed journal
ubifs: Add auth nodes to garbage collector journal head
ubifs: Add authentication nodes to journal
ubifs: authentication: Add hashes to index nodes
ubifs: Add hashes to the tree node cache
ubifs: Create functions to embed a HMAC in a node
ubifs: Add helper functions for authentication support
ubifs: Add separate functions to init/crc a node
ubifs: Format changes for authentication support
ubifs: Store read superblock node
ubifs: Drop write_node
...

Linus Torvalds 42bd06e9 4710e789

options
unified split
Changed files
+2436 -310
Documentation
filesystems
ubifs-authentication.md
ubifs.txt
drivers
mtd
ubi
attach.c
build.c
fs
ubifs
Kconfig
Makefile
auth.c
debug.c
gc.c
io.c
journal.c
log.c
lpt.c
lpt_commit.c
master.c
misc.h
recovery.c
replay.c
sb.c
super.c
tnc.c
tnc_commit.c
tnc_misc.c
ubifs-media.h
ubifs.h
+426
Documentation/filesystems/ubifs-authentication.md
··· 1 + % UBIFS Authentication 2 + % sigma star gmbh 3 + % 2018 4 + 5 + # Introduction 6 + 7 + UBIFS utilizes the fscrypt framework to provide confidentiality for file 8 + contents and file names. This prevents attacks where an attacker is able to 9 + read contents of the filesystem on a single point in time. A classic example 10 + is a lost smartphone where the attacker is unable to read personal data stored 11 + on the device without the filesystem decryption key. 12 + 13 + At the current state, UBIFS encryption however does not prevent attacks where 14 + the attacker is able to modify the filesystem contents and the user uses the 15 + device afterwards. In such a scenario an attacker can modify filesystem 16 + contents arbitrarily without the user noticing. One example is to modify a 17 + binary to perform a malicious action when executed [DMC-CBC-ATTACK]. Since 18 + most of the filesystem metadata of UBIFS is stored in plain, this makes it 19 + fairly easy to swap files and replace their contents. 20 + 21 + Other full disk encryption systems like dm-crypt cover all filesystem metadata, 22 + which makes such kinds of attacks more complicated, but not impossible. 23 + Especially, if the attacker is given access to the device multiple points in 24 + time. For dm-crypt and other filesystems that build upon the Linux block IO 25 + layer, the dm-integrity or dm-verity subsystems [DM-INTEGRITY, DM-VERITY] 26 + can be used to get full data authentication at the block layer. 27 + These can also be combined with dm-crypt [CRYPTSETUP2]. 28 + 29 + This document describes an approach to get file contents _and_ full metadata 30 + authentication for UBIFS. Since UBIFS uses fscrypt for file contents and file 31 + name encryption, the authentication system could be tied into fscrypt such that 32 + existing features like key derivation can be utilized. It should however also 33 + be possible to use UBIFS authentication without using encryption. 34 + 35 + 36 + ## MTD, UBI & UBIFS 37 + 38 + On Linux, the MTD (Memory Technology Devices) subsystem provides a uniform 39 + interface to access raw flash devices. One of the more prominent subsystems that 40 + work on top of MTD is UBI (Unsorted Block Images). It provides volume management 41 + for flash devices and is thus somewhat similar to LVM for block devices. In 42 + addition, it deals with flash-specific wear-leveling and transparent I/O error 43 + handling. UBI offers logical erase blocks (LEBs) to the layers on top of it 44 + and maps them transparently to physical erase blocks (PEBs) on the flash. 45 + 46 + UBIFS is a filesystem for raw flash which operates on top of UBI. Thus, wear 47 + leveling and some flash specifics are left to UBI, while UBIFS focuses on 48 + scalability, performance and recoverability. 49 + 50 + 51 + 52 + +------------+ +*******+ +-----------+ +-----+ 53 + | | * UBIFS * | UBI-BLOCK | | ... | 54 + | JFFS/JFFS2 | +*******+ +-----------+ +-----+ 55 + | | +-----------------------------+ +-----------+ +-----+ 56 + | | | UBI | | MTD-BLOCK | | ... | 57 + +------------+ +-----------------------------+ +-----------+ +-----+ 58 + +------------------------------------------------------------------+ 59 + | MEMORY TECHNOLOGY DEVICES (MTD) | 60 + +------------------------------------------------------------------+ 61 + +-----------------------------+ +--------------------------+ +-----+ 62 + | NAND DRIVERS | | NOR DRIVERS | | ... | 63 + +-----------------------------+ +--------------------------+ +-----+ 64 + 65 + Figure 1: Linux kernel subsystems for dealing with raw flash 66 + 67 + 68 + 69 + Internally, UBIFS maintains multiple data structures which are persisted on 70 + the flash: 71 + 72 + - *Index*: an on-flash B+ tree where the leaf nodes contain filesystem data 73 + - *Journal*: an additional data structure to collect FS changes before updating 74 + the on-flash index and reduce flash wear. 75 + - *Tree Node Cache (TNC)*: an in-memory B+ tree that reflects the current FS 76 + state to avoid frequent flash reads. It is basically the in-memory 77 + representation of the index, but contains additional attributes. 78 + - *LEB property tree (LPT)*: an on-flash B+ tree for free space accounting per 79 + UBI LEB. 80 + 81 + In the remainder of this section we will cover the on-flash UBIFS data 82 + structures in more detail. The TNC is of less importance here since it is never 83 + persisted onto the flash directly. More details on UBIFS can also be found in 84 + [UBIFS-WP]. 85 + 86 + 87 + ### UBIFS Index & Tree Node Cache 88 + 89 + Basic on-flash UBIFS entities are called *nodes*. UBIFS knows different types 90 + of nodes. Eg. data nodes (`struct ubifs_data_node`) which store chunks of file 91 + contents or inode nodes (`struct ubifs_ino_node`) which represent VFS inodes. 92 + Almost all types of nodes share a common header (`ubifs_ch`) containing basic 93 + information like node type, node length, a sequence number, etc. (see 94 + `fs/ubifs/ubifs-media.h`in kernel source). Exceptions are entries of the LPT 95 + and some less important node types like padding nodes which are used to pad 96 + unusable content at the end of LEBs. 97 + 98 + To avoid re-writing the whole B+ tree on every single change, it is implemented 99 + as *wandering tree*, where only the changed nodes are re-written and previous 100 + versions of them are obsoleted without erasing them right away. As a result, 101 + the index is not stored in a single place on the flash, but *wanders* around 102 + and there are obsolete parts on the flash as long as the LEB containing them is 103 + not reused by UBIFS. To find the most recent version of the index, UBIFS stores 104 + a special node called *master node* into UBI LEB 1 which always points to the 105 + most recent root node of the UBIFS index. For recoverability, the master node 106 + is additionally duplicated to LEB 2. Mounting UBIFS is thus a simple read of 107 + LEB 1 and 2 to get the current master node and from there get the location of 108 + the most recent on-flash index. 109 + 110 + The TNC is the in-memory representation of the on-flash index. It contains some 111 + additional runtime attributes per node which are not persisted. One of these is 112 + a dirty-flag which marks nodes that have to be persisted the next time the 113 + index is written onto the flash. The TNC acts as a write-back cache and all 114 + modifications of the on-flash index are done through the TNC. Like other caches, 115 + the TNC does not have to mirror the full index into memory, but reads parts of 116 + it from flash whenever needed. A *commit* is the UBIFS operation of updating the 117 + on-flash filesystem structures like the index. On every commit, the TNC nodes 118 + marked as dirty are written to the flash to update the persisted index. 119 + 120 + 121 + ### Journal 122 + 123 + To avoid wearing out the flash, the index is only persisted (*commited*) when 124 + certain conditions are met (eg. `fsync(2)`). The journal is used to record 125 + any changes (in form of inode nodes, data nodes etc.) between commits 126 + of the index. During mount, the journal is read from the flash and replayed 127 + onto the TNC (which will be created on-demand from the on-flash index). 128 + 129 + UBIFS reserves a bunch of LEBs just for the journal called *log area*. The 130 + amount of log area LEBs is configured on filesystem creation (using 131 + `mkfs.ubifs`) and stored in the superblock node. The log area contains only 132 + two types of nodes: *reference nodes* and *commit start nodes*. A commit start 133 + node is written whenever an index commit is performed. Reference nodes are 134 + written on every journal update. Each reference node points to the position of 135 + other nodes (inode nodes, data nodes etc.) on the flash that are part of this 136 + journal entry. These nodes are called *buds* and describe the actual filesystem 137 + changes including their data. 138 + 139 + The log area is maintained as a ring. Whenever the journal is almost full, 140 + a commit is initiated. This also writes a commit start node so that during 141 + mount, UBIFS will seek for the most recent commit start node and just replay 142 + every reference node after that. Every reference node before the commit start 143 + node will be ignored as they are already part of the on-flash index. 144 + 145 + When writing a journal entry, UBIFS first ensures that enough space is 146 + available to write the reference node and buds part of this entry. Then, the 147 + reference node is written and afterwards the buds describing the file changes. 148 + On replay, UBIFS will record every reference node and inspect the location of 149 + the referenced LEBs to discover the buds. If these are corrupt or missing, 150 + UBIFS will attempt to recover them by re-reading the LEB. This is however only 151 + done for the last referenced LEB of the journal. Only this can become corrupt 152 + because of a power cut. If the recovery fails, UBIFS will not mount. An error 153 + for every other LEB will directly cause UBIFS to fail the mount operation. 154 + 155 + 156 + | ---- LOG AREA ---- | ---------- MAIN AREA ------------ | 157 + 158 + -----+------+-----+--------+---- ------+-----+-----+--------------- 159 + \ | | | | / / | | | \ 160 + / CS | REF | REF | | \ \ DENT | INO | INO | / 161 + \ | | | | / / | | | \ 162 + ----+------+-----+--------+--- -------+-----+-----+---------------- 163 + | | ^ ^ 164 + | | | | 165 + +------------------------+ | 166 + | | 167 + +-------------------------------+ 168 + 169 + 170 + Figure 2: UBIFS flash layout of log area with commit start nodes 171 + (CS) and reference nodes (REF) pointing to main area 172 + containing their buds 173 + 174 + 175 + ### LEB Property Tree/Table 176 + 177 + The LEB property tree is used to store per-LEB information. This includes the 178 + LEB type and amount of free and *dirty* (old, obsolete content) space [1] on 179 + the LEB. The type is important, because UBIFS never mixes index nodes with data 180 + nodes on a single LEB and thus each LEB has a specific purpose. This again is 181 + useful for free space calculations. See [UBIFS-WP] for more details. 182 + 183 + The LEB property tree again is a B+ tree, but it is much smaller than the 184 + index. Due to its smaller size it is always written as one chunk on every 185 + commit. Thus, saving the LPT is an atomic operation. 186 + 187 + 188 + [1] Since LEBs can only be appended and never overwritten, there is a 189 + difference between free space ie. the remaining space left on the LEB to be 190 + written to without erasing it and previously written content that is obsolete 191 + but can't be overwritten without erasing the full LEB. 192 + 193 + 194 + # UBIFS Authentication 195 + 196 + This chapter introduces UBIFS authentication which enables UBIFS to verify 197 + the authenticity and integrity of metadata and file contents stored on flash. 198 + 199 + 200 + ## Threat Model 201 + 202 + UBIFS authentication enables detection of offline data modification. While it 203 + does not prevent it, it enables (trusted) code to check the integrity and 204 + authenticity of on-flash file contents and filesystem metadata. This covers 205 + attacks where file contents are swapped. 206 + 207 + UBIFS authentication will not protect against rollback of full flash contents. 208 + Ie. an attacker can still dump the flash and restore it at a later time without 209 + detection. It will also not protect against partial rollback of individual 210 + index commits. That means that an attacker is able to partially undo changes. 211 + This is possible because UBIFS does not immediately overwrites obsolete 212 + versions of the index tree or the journal, but instead marks them as obsolete 213 + and garbage collection erases them at a later time. An attacker can use this by 214 + erasing parts of the current tree and restoring old versions that are still on 215 + the flash and have not yet been erased. This is possible, because every commit 216 + will always write a new version of the index root node and the master node 217 + without overwriting the previous version. This is further helped by the 218 + wear-leveling operations of UBI which copies contents from one physical 219 + eraseblock to another and does not atomically erase the first eraseblock. 220 + 221 + UBIFS authentication does not cover attacks where an attacker is able to 222 + execute code on the device after the authentication key was provided. 223 + Additional measures like secure boot and trusted boot have to be taken to 224 + ensure that only trusted code is executed on a device. 225 + 226 + 227 + ## Authentication 228 + 229 + To be able to fully trust data read from flash, all UBIFS data structures 230 + stored on flash are authenticated. That is: 231 + 232 + - The index which includes file contents, file metadata like extended 233 + attributes, file length etc. 234 + - The journal which also contains file contents and metadata by recording changes 235 + to the filesystem 236 + - The LPT which stores UBI LEB metadata which UBIFS uses for free space accounting 237 + 238 + 239 + ### Index Authentication 240 + 241 + Through UBIFS' concept of a wandering tree, it already takes care of only 242 + updating and persisting changed parts from leaf node up to the root node 243 + of the full B+ tree. This enables us to augment the index nodes of the tree 244 + with a hash over each node's child nodes. As a result, the index basically also 245 + a Merkle tree. Since the leaf nodes of the index contain the actual filesystem 246 + data, the hashes of their parent index nodes thus cover all the file contents 247 + and file metadata. When a file changes, the UBIFS index is updated accordingly 248 + from the leaf nodes up to the root node including the master node. This process 249 + can be hooked to recompute the hash only for each changed node at the same time. 250 + Whenever a file is read, UBIFS can verify the hashes from each leaf node up to 251 + the root node to ensure the node's integrity. 252 + 253 + To ensure the authenticity of the whole index, the UBIFS master node stores a 254 + keyed hash (HMAC) over its own contents and a hash of the root node of the index 255 + tree. As mentioned above, the master node is always written to the flash whenever 256 + the index is persisted (ie. on index commit). 257 + 258 + Using this approach only UBIFS index nodes and the master node are changed to 259 + include a hash. All other types of nodes will remain unchanged. This reduces 260 + the storage overhead which is precious for users of UBIFS (ie. embedded 261 + devices). 262 + 263 + 264 + +---------------+ 265 + | Master Node | 266 + | (hash) | 267 + +---------------+ 268 + | 269 + v 270 + +-------------------+ 271 + | Index Node #1 | 272 + | | 273 + | branch0 branchn | 274 + | (hash) (hash) | 275 + +-------------------+ 276 + | ... | (fanout: 8) 277 + | | 278 + +-------+ +------+ 279 + | | 280 + v v 281 + +-------------------+ +-------------------+ 282 + | Index Node #2 | | Index Node #3 | 283 + | | | | 284 + | branch0 branchn | | branch0 branchn | 285 + | (hash) (hash) | | (hash) (hash) | 286 + +-------------------+ +-------------------+ 287 + | ... | ... | 288 + v v v 289 + +-----------+ +----------+ +-----------+ 290 + | Data Node | | INO Node | | DENT Node | 291 + +-----------+ +----------+ +-----------+ 292 + 293 + 294 + Figure 3: Coverage areas of index node hash and master node HMAC 295 + 296 + 297 + 298 + The most important part for robustness and power-cut safety is to atomically 299 + persist the hash and file contents. Here the existing UBIFS logic for how 300 + changed nodes are persisted is already designed for this purpose such that 301 + UBIFS can safely recover if a power-cut occurs while persisting. Adding 302 + hashes to index nodes does not change this since each hash will be persisted 303 + atomically together with its respective node. 304 + 305 + 306 + ### Journal Authentication 307 + 308 + The journal is authenticated too. Since the journal is continuously written 309 + it is necessary to also add authentication information frequently to the 310 + journal so that in case of a powercut not too much data can't be authenticated. 311 + This is done by creating a continuous hash beginning from the commit start node 312 + over the previous reference nodes, the current reference node, and the bud 313 + nodes. From time to time whenever it is suitable authentication nodes are added 314 + between the bud nodes. This new node type contains a HMAC over the current state 315 + of the hash chain. That way a journal can be authenticated up to the last 316 + authentication node. The tail of the journal which may not have a authentication 317 + node cannot be authenticated and is skipped during journal replay. 318 + 319 + We get this picture for journal authentication: 320 + 321 + ,,,,,,,, 322 + ,......,........................................... 323 + ,. CS , hash1.----. hash2.----. 324 + ,. | , . |hmac . |hmac 325 + ,. v , . v . v 326 + ,.REF#0,-> bud -> bud -> bud.-> auth -> bud -> bud.-> auth ... 327 + ,..|...,........................................... 328 + , | , 329 + , | ,,,,,,,,,,,,,,, 330 + . | hash3,----. 331 + , | , |hmac 332 + , v , v 333 + , REF#1 -> bud -> bud,-> auth ... 334 + ,,,|,,,,,,,,,,,,,,,,,, 335 + v 336 + REF#2 -> ... 337 + | 338 + V 339 + ... 340 + 341 + Since the hash also includes the reference nodes an attacker cannot reorder or 342 + skip any journal heads for replay. An attacker can only remove bud nodes or 343 + reference nodes from the end of the journal, effectively rewinding the 344 + filesystem at maximum back to the last commit. 345 + 346 + The location of the log area is stored in the master node. Since the master 347 + node is authenticated with a HMAC as described above, it is not possible to 348 + tamper with that without detection. The size of the log area is specified when 349 + the filesystem is created using `mkfs.ubifs` and stored in the superblock node. 350 + To avoid tampering with this and other values stored there, a HMAC is added to 351 + the superblock struct. The superblock node is stored in LEB 0 and is only 352 + modified on feature flag or similar changes, but never on file changes. 353 + 354 + 355 + ### LPT Authentication 356 + 357 + The location of the LPT root node on the flash is stored in the UBIFS master 358 + node. Since the LPT is written and read atomically on every commit, there is 359 + no need to authenticate individual nodes of the tree. It suffices to 360 + protect the integrity of the full LPT by a simple hash stored in the master 361 + node. Since the master node itself is authenticated, the LPTs authenticity can 362 + be verified by verifying the authenticity of the master node and comparing the 363 + LTP hash stored there with the hash computed from the read on-flash LPT. 364 + 365 + 366 + ## Key Management 367 + 368 + For simplicity, UBIFS authentication uses a single key to compute the HMACs 369 + of superblock, master, commit start and reference nodes. This key has to be 370 + available on creation of the filesystem (`mkfs.ubifs`) to authenticate the 371 + superblock node. Further, it has to be available on mount of the filesystem 372 + to verify authenticated nodes and generate new HMACs for changes. 373 + 374 + UBIFS authentication is intended to operate side-by-side with UBIFS encryption 375 + (fscrypt) to provide confidentiality and authenticity. Since UBIFS encryption 376 + has a different approach of encryption policies per directory, there can be 377 + multiple fscrypt master keys and there might be folders without encryption. 378 + UBIFS authentication on the other hand has an all-or-nothing approach in the 379 + sense that it either authenticates everything of the filesystem or nothing. 380 + Because of this and because UBIFS authentication should also be usable without 381 + encryption, it does not share the same master key with fscrypt, but manages 382 + a dedicated authentication key. 383 + 384 + The API for providing the authentication key has yet to be defined, but the 385 + key can eg. be provided by userspace through a keyring similar to the way it 386 + is currently done in fscrypt. It should however be noted that the current 387 + fscrypt approach has shown its flaws and the userspace API will eventually 388 + change [FSCRYPT-POLICY2]. 389 + 390 + Nevertheless, it will be possible for a user to provide a single passphrase 391 + or key in userspace that covers UBIFS authentication and encryption. This can 392 + be solved by the corresponding userspace tools which derive a second key for 393 + authentication in addition to the derived fscrypt master key used for 394 + encryption. 395 + 396 + To be able to check if the proper key is available on mount, the UBIFS 397 + superblock node will additionally store a hash of the authentication key. This 398 + approach is similar to the approach proposed for fscrypt encryption policy v2 399 + [FSCRYPT-POLICY2]. 400 + 401 + 402 + # Future Extensions 403 + 404 + In certain cases where a vendor wants to provide an authenticated filesystem 405 + image to customers, it should be possible to do so without sharing the secret 406 + UBIFS authentication key. Instead, in addition the each HMAC a digital 407 + signature could be stored where the vendor shares the public key alongside the 408 + filesystem image. In case this filesystem has to be modified afterwards, 409 + UBIFS can exchange all digital signatures with HMACs on first mount similar 410 + to the way the IMA/EVM subsystem deals with such situations. The HMAC key 411 + will then have to be provided beforehand in the normal way. 412 + 413 + 414 + # References 415 + 416 + [CRYPTSETUP2] http://www.saout.de/pipermail/dm-crypt/2017-November/005745.html 417 + 418 + [DMC-CBC-ATTACK] http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ 419 + 420 + [DM-INTEGRITY] https://www.kernel.org/doc/Documentation/device-mapper/dm-integrity.txt 421 + 422 + [DM-VERITY] https://www.kernel.org/doc/Documentation/device-mapper/verity.txt 423 + 424 + [FSCRYPT-POLICY2] https://www.spinics.net/lists/linux-ext4/msg58710.html 425 + 426 + [UBIFS-WP] http://www.linux-mtd.infradead.org/doc/ubifs_whitepaper.pdf
+7
Documentation/filesystems/ubifs.txt
··· 91 91 compr=none override default compressor and set it to "none" 92 92 compr=lzo override default compressor and set it to "lzo" 93 93 compr=zlib override default compressor and set it to "zlib" 94 + auth_key= specify the key used for authenticating the filesystem. 95 + Passing this option makes authentication mandatory. 96 + The passed key must be present in the kernel keyring 97 + and must be of type 'logon' 98 + auth_hash_name= The hash algorithm used for authentication. Used for 99 + both hashing and for creating HMACs. Typical values 100 + include "sha256" or "sha512" 94 101 95 102 96 103 Quick usage instructions
+1
drivers/mtd/ubi/attach.c
··· 1072 1072 * be a result of power cut during erasure. 1073 1073 */ 1074 1074 ai->maybe_bad_peb_count += 1; 1075 + /* fall through */ 1075 1076 case UBI_IO_BAD_HDR: 1076 1077 /* 1077 1078 * If we're facing a bad VID header we have to drop *all*
+2
drivers/mtd/ubi/build.c
··· 1334 1334 switch (*endp) { 1335 1335 case 'G': 1336 1336 result *= 1024; 1337 + /* fall through */ 1337 1338 case 'M': 1338 1339 result *= 1024; 1340 + /* fall through */ 1339 1341 case 'K': 1340 1342 result *= 1024; 1341 1343 if (endp[1] == 'i' && endp[2] == 'B')
+11
fs/ubifs/Kconfig
··· 7 7 select CRYPTO if UBIFS_FS_ZLIB 8 8 select CRYPTO_LZO if UBIFS_FS_LZO 9 9 select CRYPTO_DEFLATE if UBIFS_FS_ZLIB 10 + select CRYPTO_HASH_INFO 10 11 depends on MTD_UBI 11 12 help 12 13 UBIFS is a file system for flash devices which works on top of UBI. ··· 86 85 the extended attribute support in advance. 87 86 88 87 If you are not using a security module, say N. 88 + 89 + config UBIFS_FS_AUTHENTICATION 90 + bool "UBIFS authentication support" 91 + select CRYPTO_HMAC 92 + help 93 + Enable authentication support for UBIFS. This feature offers protection 94 + against offline changes for both data and metadata of the filesystem. 95 + If you say yes here you should also select a hashing algorithm such as 96 + sha256, these are not selected automatically since there are many 97 + different options.
+1
fs/ubifs/Makefile
··· 8 8 ubifs-y += misc.o 9 9 ubifs-$(CONFIG_UBIFS_FS_ENCRYPTION) += crypto.o 10 10 ubifs-$(CONFIG_UBIFS_FS_XATTR) += xattr.o 11 + ubifs-$(CONFIG_UBIFS_FS_AUTHENTICATION) += auth.o
+502
fs/ubifs/auth.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * This file is part of UBIFS. 4 + * 5 + * Copyright (C) 2018 Pengutronix, Sascha Hauer <s.hauer@pengutronix.de> 6 + */ 7 + 8 + /* 9 + * This file implements various helper functions for UBIFS authentication support 10 + */ 11 + 12 + #include <linux/crypto.h> 13 + #include <crypto/hash.h> 14 + #include <crypto/sha.h> 15 + #include <crypto/algapi.h> 16 + #include <keys/user-type.h> 17 + 18 + #include "ubifs.h" 19 + 20 + /** 21 + * ubifs_node_calc_hash - calculate the hash of a UBIFS node 22 + * @c: UBIFS file-system description object 23 + * @node: the node to calculate a hash for 24 + * @hash: the returned hash 25 + * 26 + * Returns 0 for success or a negative error code otherwise. 27 + */ 28 + int __ubifs_node_calc_hash(const struct ubifs_info *c, const void *node, 29 + u8 *hash) 30 + { 31 + const struct ubifs_ch *ch = node; 32 + SHASH_DESC_ON_STACK(shash, c->hash_tfm); 33 + int err; 34 + 35 + shash->tfm = c->hash_tfm; 36 + shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 37 + 38 + err = crypto_shash_digest(shash, node, le32_to_cpu(ch->len), hash); 39 + if (err < 0) 40 + return err; 41 + return 0; 42 + } 43 + 44 + /** 45 + * ubifs_hash_calc_hmac - calculate a HMAC from a hash 46 + * @c: UBIFS file-system description object 47 + * @hash: the node to calculate a HMAC for 48 + * @hmac: the returned HMAC 49 + * 50 + * Returns 0 for success or a negative error code otherwise. 51 + */ 52 + static int ubifs_hash_calc_hmac(const struct ubifs_info *c, const u8 *hash, 53 + u8 *hmac) 54 + { 55 + SHASH_DESC_ON_STACK(shash, c->hmac_tfm); 56 + int err; 57 + 58 + shash->tfm = c->hmac_tfm; 59 + shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 60 + 61 + err = crypto_shash_digest(shash, hash, c->hash_len, hmac); 62 + if (err < 0) 63 + return err; 64 + return 0; 65 + } 66 + 67 + /** 68 + * ubifs_prepare_auth_node - Prepare an authentication node 69 + * @c: UBIFS file-system description object 70 + * @node: the node to calculate a hash for 71 + * @hash: input hash of previous nodes 72 + * 73 + * This function prepares an authentication node for writing onto flash. 74 + * It creates a HMAC from the given input hash and writes it to the node. 75 + * 76 + * Returns 0 for success or a negative error code otherwise. 77 + */ 78 + int ubifs_prepare_auth_node(struct ubifs_info *c, void *node, 79 + struct shash_desc *inhash) 80 + { 81 + SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm); 82 + struct ubifs_auth_node *auth = node; 83 + u8 *hash; 84 + int err; 85 + 86 + hash = kmalloc(crypto_shash_descsize(c->hash_tfm), GFP_NOFS); 87 + if (!hash) 88 + return -ENOMEM; 89 + 90 + hash_desc->tfm = c->hash_tfm; 91 + hash_desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 92 + ubifs_shash_copy_state(c, inhash, hash_desc); 93 + 94 + err = crypto_shash_final(hash_desc, hash); 95 + if (err) 96 + goto out; 97 + 98 + err = ubifs_hash_calc_hmac(c, hash, auth->hmac); 99 + if (err) 100 + goto out; 101 + 102 + auth->ch.node_type = UBIFS_AUTH_NODE; 103 + ubifs_prepare_node(c, auth, ubifs_auth_node_sz(c), 0); 104 + 105 + err = 0; 106 + out: 107 + kfree(hash); 108 + 109 + return err; 110 + } 111 + 112 + static struct shash_desc *ubifs_get_desc(const struct ubifs_info *c, 113 + struct crypto_shash *tfm) 114 + { 115 + struct shash_desc *desc; 116 + int err; 117 + 118 + if (!ubifs_authenticated(c)) 119 + return NULL; 120 + 121 + desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); 122 + if (!desc) 123 + return ERR_PTR(-ENOMEM); 124 + 125 + desc->tfm = tfm; 126 + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 127 + 128 + err = crypto_shash_init(desc); 129 + if (err) { 130 + kfree(desc); 131 + return ERR_PTR(err); 132 + } 133 + 134 + return desc; 135 + } 136 + 137 + /** 138 + * __ubifs_hash_get_desc - get a descriptor suitable for hashing a node 139 + * @c: UBIFS file-system description object 140 + * 141 + * This function returns a descriptor suitable for hashing a node. Free after use 142 + * with kfree. 143 + */ 144 + struct shash_desc *__ubifs_hash_get_desc(const struct ubifs_info *c) 145 + { 146 + return ubifs_get_desc(c, c->hash_tfm); 147 + } 148 + 149 + /** 150 + * __ubifs_shash_final - finalize shash 151 + * @c: UBIFS file-system description object 152 + * @desc: the descriptor 153 + * @out: the output hash 154 + * 155 + * Simple wrapper around crypto_shash_final(), safe to be called with 156 + * disabled authentication. 157 + */ 158 + int __ubifs_shash_final(const struct ubifs_info *c, struct shash_desc *desc, 159 + u8 *out) 160 + { 161 + if (ubifs_authenticated(c)) 162 + return crypto_shash_final(desc, out); 163 + 164 + return 0; 165 + } 166 + 167 + /** 168 + * ubifs_bad_hash - Report hash mismatches 169 + * @c: UBIFS file-system description object 170 + * @node: the node 171 + * @hash: the expected hash 172 + * @lnum: the LEB @node was read from 173 + * @offs: offset in LEB @node was read from 174 + * 175 + * This function reports a hash mismatch when a node has a different hash than 176 + * expected. 177 + */ 178 + void ubifs_bad_hash(const struct ubifs_info *c, const void *node, const u8 *hash, 179 + int lnum, int offs) 180 + { 181 + int len = min(c->hash_len, 20); 182 + int cropped = len != c->hash_len; 183 + const char *cont = cropped ? "..." : ""; 184 + 185 + u8 calc[UBIFS_HASH_ARR_SZ]; 186 + 187 + __ubifs_node_calc_hash(c, node, calc); 188 + 189 + ubifs_err(c, "hash mismatch on node at LEB %d:%d", lnum, offs); 190 + ubifs_err(c, "hash expected: %*ph%s", len, hash, cont); 191 + ubifs_err(c, "hash calculated: %*ph%s", len, calc, cont); 192 + } 193 + 194 + /** 195 + * __ubifs_node_check_hash - check the hash of a node against given hash 196 + * @c: UBIFS file-system description object 197 + * @node: the node 198 + * @expected: the expected hash 199 + * 200 + * This function calculates a hash over a node and compares it to the given hash. 201 + * Returns 0 if both hashes are equal or authentication is disabled, otherwise a 202 + * negative error code is returned. 203 + */ 204 + int __ubifs_node_check_hash(const struct ubifs_info *c, const void *node, 205 + const u8 *expected) 206 + { 207 + u8 calc[UBIFS_HASH_ARR_SZ]; 208 + int err; 209 + 210 + err = __ubifs_node_calc_hash(c, node, calc); 211 + if (err) 212 + return err; 213 + 214 + if (ubifs_check_hash(c, expected, calc)) 215 + return -EPERM; 216 + 217 + return 0; 218 + } 219 + 220 + /** 221 + * ubifs_init_authentication - initialize UBIFS authentication support 222 + * @c: UBIFS file-system description object 223 + * 224 + * This function returns 0 for success or a negative error code otherwise. 225 + */ 226 + int ubifs_init_authentication(struct ubifs_info *c) 227 + { 228 + struct key *keyring_key; 229 + const struct user_key_payload *ukp; 230 + int err; 231 + char hmac_name[CRYPTO_MAX_ALG_NAME]; 232 + 233 + if (!c->auth_hash_name) { 234 + ubifs_err(c, "authentication hash name needed with authentication"); 235 + return -EINVAL; 236 + } 237 + 238 + c->auth_hash_algo = match_string(hash_algo_name, HASH_ALGO__LAST, 239 + c->auth_hash_name); 240 + if ((int)c->auth_hash_algo < 0) { 241 + ubifs_err(c, "Unknown hash algo %s specified", 242 + c->auth_hash_name); 243 + return -EINVAL; 244 + } 245 + 246 + snprintf(hmac_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)", 247 + c->auth_hash_name); 248 + 249 + keyring_key = request_key(&key_type_logon, c->auth_key_name, NULL); 250 + 251 + if (IS_ERR(keyring_key)) { 252 + ubifs_err(c, "Failed to request key: %ld", 253 + PTR_ERR(keyring_key)); 254 + return PTR_ERR(keyring_key); 255 + } 256 + 257 + down_read(&keyring_key->sem); 258 + 259 + if (keyring_key->type != &key_type_logon) { 260 + ubifs_err(c, "key type must be logon"); 261 + err = -ENOKEY; 262 + goto out; 263 + } 264 + 265 + ukp = user_key_payload_locked(keyring_key); 266 + if (!ukp) { 267 + /* key was revoked before we acquired its semaphore */ 268 + err = -EKEYREVOKED; 269 + goto out; 270 + } 271 + 272 + c->hash_tfm = crypto_alloc_shash(c->auth_hash_name, 0, 273 + CRYPTO_ALG_ASYNC); 274 + if (IS_ERR(c->hash_tfm)) { 275 + err = PTR_ERR(c->hash_tfm); 276 + ubifs_err(c, "Can not allocate %s: %d", 277 + c->auth_hash_name, err); 278 + goto out; 279 + } 280 + 281 + c->hash_len = crypto_shash_digestsize(c->hash_tfm); 282 + if (c->hash_len > UBIFS_HASH_ARR_SZ) { 283 + ubifs_err(c, "hash %s is bigger than maximum allowed hash size (%d > %d)", 284 + c->auth_hash_name, c->hash_len, UBIFS_HASH_ARR_SZ); 285 + err = -EINVAL; 286 + goto out_free_hash; 287 + } 288 + 289 + c->hmac_tfm = crypto_alloc_shash(hmac_name, 0, CRYPTO_ALG_ASYNC); 290 + if (IS_ERR(c->hmac_tfm)) { 291 + err = PTR_ERR(c->hmac_tfm); 292 + ubifs_err(c, "Can not allocate %s: %d", hmac_name, err); 293 + goto out_free_hash; 294 + } 295 + 296 + c->hmac_desc_len = crypto_shash_digestsize(c->hmac_tfm); 297 + if (c->hmac_desc_len > UBIFS_HMAC_ARR_SZ) { 298 + ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)", 299 + hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ); 300 + err = -EINVAL; 301 + goto out_free_hash; 302 + } 303 + 304 + err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen); 305 + if (err) 306 + goto out_free_hmac; 307 + 308 + c->authenticated = true; 309 + 310 + c->log_hash = ubifs_hash_get_desc(c); 311 + if (IS_ERR(c->log_hash)) 312 + goto out_free_hmac; 313 + 314 + err = 0; 315 + 316 + out_free_hmac: 317 + if (err) 318 + crypto_free_shash(c->hmac_tfm); 319 + out_free_hash: 320 + if (err) 321 + crypto_free_shash(c->hash_tfm); 322 + out: 323 + up_read(&keyring_key->sem); 324 + key_put(keyring_key); 325 + 326 + return err; 327 + } 328 + 329 + /** 330 + * __ubifs_exit_authentication - release resource 331 + * @c: UBIFS file-system description object 332 + * 333 + * This function releases the authentication related resources. 334 + */ 335 + void __ubifs_exit_authentication(struct ubifs_info *c) 336 + { 337 + if (!ubifs_authenticated(c)) 338 + return; 339 + 340 + crypto_free_shash(c->hmac_tfm); 341 + crypto_free_shash(c->hash_tfm); 342 + kfree(c->log_hash); 343 + } 344 + 345 + /** 346 + * ubifs_node_calc_hmac - calculate the HMAC of a UBIFS node 347 + * @c: UBIFS file-system description object 348 + * @node: the node to insert a HMAC into. 349 + * @len: the length of the node 350 + * @ofs_hmac: the offset in the node where the HMAC is inserted 351 + * @hmac: returned HMAC 352 + * 353 + * This function calculates a HMAC of a UBIFS node. The HMAC is expected to be 354 + * embedded into the node, so this area is not covered by the HMAC. Also not 355 + * covered is the UBIFS_NODE_MAGIC and the CRC of the node. 356 + */ 357 + static int ubifs_node_calc_hmac(const struct ubifs_info *c, const void *node, 358 + int len, int ofs_hmac, void *hmac) 359 + { 360 + SHASH_DESC_ON_STACK(shash, c->hmac_tfm); 361 + int hmac_len = c->hmac_desc_len; 362 + int err; 363 + 364 + ubifs_assert(c, ofs_hmac > 8); 365 + ubifs_assert(c, ofs_hmac + hmac_len < len); 366 + 367 + shash->tfm = c->hmac_tfm; 368 + shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 369 + 370 + err = crypto_shash_init(shash); 371 + if (err) 372 + return err; 373 + 374 + /* behind common node header CRC up to HMAC begin */ 375 + err = crypto_shash_update(shash, node + 8, ofs_hmac - 8); 376 + if (err < 0) 377 + return err; 378 + 379 + /* behind HMAC, if any */ 380 + if (len - ofs_hmac - hmac_len > 0) { 381 + err = crypto_shash_update(shash, node + ofs_hmac + hmac_len, 382 + len - ofs_hmac - hmac_len); 383 + if (err < 0) 384 + return err; 385 + } 386 + 387 + return crypto_shash_final(shash, hmac); 388 + } 389 + 390 + /** 391 + * __ubifs_node_insert_hmac - insert a HMAC into a UBIFS node 392 + * @c: UBIFS file-system description object 393 + * @node: the node to insert a HMAC into. 394 + * @len: the length of the node 395 + * @ofs_hmac: the offset in the node where the HMAC is inserted 396 + * 397 + * This function inserts a HMAC at offset @ofs_hmac into the node given in 398 + * @node. 399 + * 400 + * This function returns 0 for success or a negative error code otherwise. 401 + */ 402 + int __ubifs_node_insert_hmac(const struct ubifs_info *c, void *node, int len, 403 + int ofs_hmac) 404 + { 405 + return ubifs_node_calc_hmac(c, node, len, ofs_hmac, node + ofs_hmac); 406 + } 407 + 408 + /** 409 + * __ubifs_node_verify_hmac - verify the HMAC of UBIFS node 410 + * @c: UBIFS file-system description object 411 + * @node: the node to insert a HMAC into. 412 + * @len: the length of the node 413 + * @ofs_hmac: the offset in the node where the HMAC is inserted 414 + * 415 + * This function verifies the HMAC at offset @ofs_hmac of the node given in 416 + * @node. Returns 0 if successful or a negative error code otherwise. 417 + */ 418 + int __ubifs_node_verify_hmac(const struct ubifs_info *c, const void *node, 419 + int len, int ofs_hmac) 420 + { 421 + int hmac_len = c->hmac_desc_len; 422 + u8 *hmac; 423 + int err; 424 + 425 + hmac = kmalloc(hmac_len, GFP_NOFS); 426 + if (!hmac) 427 + return -ENOMEM; 428 + 429 + err = ubifs_node_calc_hmac(c, node, len, ofs_hmac, hmac); 430 + if (err) 431 + return err; 432 + 433 + err = crypto_memneq(hmac, node + ofs_hmac, hmac_len); 434 + 435 + kfree(hmac); 436 + 437 + if (!err) 438 + return 0; 439 + 440 + return -EPERM; 441 + } 442 + 443 + int __ubifs_shash_copy_state(const struct ubifs_info *c, struct shash_desc *src, 444 + struct shash_desc *target) 445 + { 446 + u8 *state; 447 + int err; 448 + 449 + state = kmalloc(crypto_shash_descsize(src->tfm), GFP_NOFS); 450 + if (!state) 451 + return -ENOMEM; 452 + 453 + err = crypto_shash_export(src, state); 454 + if (err) 455 + goto out; 456 + 457 + err = crypto_shash_import(target, state); 458 + 459 + out: 460 + kfree(state); 461 + 462 + return err; 463 + } 464 + 465 + /** 466 + * ubifs_hmac_wkm - Create a HMAC of the well known message 467 + * @c: UBIFS file-system description object 468 + * @hmac: The HMAC of the well known message 469 + * 470 + * This function creates a HMAC of a well known message. This is used 471 + * to check if the provided key is suitable to authenticate a UBIFS 472 + * image. This is only a convenience to the user to provide a better 473 + * error message when the wrong key is provided. 474 + * 475 + * This function returns 0 for success or a negative error code otherwise. 476 + */ 477 + int ubifs_hmac_wkm(struct ubifs_info *c, u8 *hmac) 478 + { 479 + SHASH_DESC_ON_STACK(shash, c->hmac_tfm); 480 + int err; 481 + const char well_known_message[] = "UBIFS"; 482 + 483 + if (!ubifs_authenticated(c)) 484 + return 0; 485 + 486 + shash->tfm = c->hmac_tfm; 487 + shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 488 + 489 + err = crypto_shash_init(shash); 490 + if (err) 491 + return err; 492 + 493 + err = crypto_shash_update(shash, well_known_message, 494 + sizeof(well_known_message) - 1); 495 + if (err < 0) 496 + return err; 497 + 498 + err = crypto_shash_final(shash, hmac); 499 + if (err) 500 + return err; 501 + return 0; 502 + }
+6
fs/ubifs/debug.c
··· 165 165 return "commit start node"; 166 166 case UBIFS_ORPH_NODE: 167 167 return "orphan node"; 168 + case UBIFS_AUTH_NODE: 169 + return "auth node"; 168 170 default: 169 171 return "unknown node"; 170 172 } ··· 542 540 for (i = 0; i < n; i++) 543 541 pr_err("\t ino %llu\n", 544 542 (unsigned long long)le64_to_cpu(orph->inos[i])); 543 + break; 544 + } 545 + case UBIFS_AUTH_NODE: 546 + { 545 547 break; 546 548 } 547 549 default:
+45 -4
fs/ubifs/gc.c
··· 254 254 snod->type == UBIFS_DATA_NODE || 255 255 snod->type == UBIFS_DENT_NODE || 256 256 snod->type == UBIFS_XENT_NODE || 257 - snod->type == UBIFS_TRUN_NODE); 257 + snod->type == UBIFS_TRUN_NODE || 258 + snod->type == UBIFS_AUTH_NODE); 258 259 259 260 if (snod->type != UBIFS_INO_NODE && 260 261 snod->type != UBIFS_DATA_NODE && ··· 365 364 366 365 /* Write nodes to their new location. Use the first-fit strategy */ 367 366 while (1) { 368 - int avail; 367 + int avail, moved = 0; 369 368 struct ubifs_scan_node *snod, *tmp; 370 369 371 370 /* Move data nodes */ 372 371 list_for_each_entry_safe(snod, tmp, &sleb->nodes, list) { 373 - avail = c->leb_size - wbuf->offs - wbuf->used; 372 + avail = c->leb_size - wbuf->offs - wbuf->used - 373 + ubifs_auth_node_sz(c); 374 374 if (snod->len > avail) 375 375 /* 376 376 * Do not skip data nodes in order to optimize ··· 379 377 */ 380 378 break; 381 379 380 + err = ubifs_shash_update(c, c->jheads[GCHD].log_hash, 381 + snod->node, snod->len); 382 + if (err) 383 + goto out; 384 + 382 385 err = move_node(c, sleb, snod, wbuf); 383 386 if (err) 384 387 goto out; 388 + moved = 1; 385 389 } 386 390 387 391 /* Move non-data nodes */ 388 392 list_for_each_entry_safe(snod, tmp, &nondata, list) { 389 - avail = c->leb_size - wbuf->offs - wbuf->used; 393 + avail = c->leb_size - wbuf->offs - wbuf->used - 394 + ubifs_auth_node_sz(c); 390 395 if (avail < min) 391 396 break; 392 397 ··· 411 402 continue; 412 403 } 413 404 405 + err = ubifs_shash_update(c, c->jheads[GCHD].log_hash, 406 + snod->node, snod->len); 407 + if (err) 408 + goto out; 409 + 414 410 err = move_node(c, sleb, snod, wbuf); 415 411 if (err) 416 412 goto out; 413 + moved = 1; 414 + } 415 + 416 + if (ubifs_authenticated(c) && moved) { 417 + struct ubifs_auth_node *auth; 418 + 419 + auth = kmalloc(ubifs_auth_node_sz(c), GFP_NOFS); 420 + if (!auth) { 421 + err = -ENOMEM; 422 + goto out; 423 + } 424 + 425 + err = ubifs_prepare_auth_node(c, auth, 426 + c->jheads[GCHD].log_hash); 427 + if (err) { 428 + kfree(auth); 429 + goto out; 430 + } 431 + 432 + err = ubifs_wbuf_write_nolock(wbuf, auth, 433 + ubifs_auth_node_sz(c)); 434 + if (err) { 435 + kfree(auth); 436 + goto out; 437 + } 438 + 439 + ubifs_add_dirt(c, wbuf->lnum, ubifs_auth_node_sz(c)); 417 440 } 418 441 419 442 if (list_empty(&sleb->nodes) && list_empty(&nondata))
+110 -38
fs/ubifs/io.c
··· 365 365 return sqnum; 366 366 } 367 367 368 + void ubifs_init_node(struct ubifs_info *c, void *node, int len, int pad) 369 + { 370 + struct ubifs_ch *ch = node; 371 + unsigned long long sqnum = next_sqnum(c); 372 + 373 + ubifs_assert(c, len >= UBIFS_CH_SZ); 374 + 375 + ch->magic = cpu_to_le32(UBIFS_NODE_MAGIC); 376 + ch->len = cpu_to_le32(len); 377 + ch->group_type = UBIFS_NO_NODE_GROUP; 378 + ch->sqnum = cpu_to_le64(sqnum); 379 + ch->padding[0] = ch->padding[1] = 0; 380 + 381 + if (pad) { 382 + len = ALIGN(len, 8); 383 + pad = ALIGN(len, c->min_io_size) - len; 384 + ubifs_pad(c, node + len, pad); 385 + } 386 + } 387 + 388 + void ubifs_crc_node(struct ubifs_info *c, void *node, int len) 389 + { 390 + struct ubifs_ch *ch = node; 391 + uint32_t crc; 392 + 393 + crc = crc32(UBIFS_CRC32_INIT, node + 8, len - 8); 394 + ch->crc = cpu_to_le32(crc); 395 + } 396 + 397 + /** 398 + * ubifs_prepare_node_hmac - prepare node to be written to flash. 399 + * @c: UBIFS file-system description object 400 + * @node: the node to pad 401 + * @len: node length 402 + * @hmac_offs: offset of the HMAC in the node 403 + * @pad: if the buffer has to be padded 404 + * 405 + * This function prepares node at @node to be written to the media - it 406 + * calculates node CRC, fills the common header, and adds proper padding up to 407 + * the next minimum I/O unit if @pad is not zero. if @hmac_offs is positive then 408 + * a HMAC is inserted into the node at the given offset. 409 + * 410 + * This function returns 0 for success or a negative error code otherwise. 411 + */ 412 + int ubifs_prepare_node_hmac(struct ubifs_info *c, void *node, int len, 413 + int hmac_offs, int pad) 414 + { 415 + int err; 416 + 417 + ubifs_init_node(c, node, len, pad); 418 + 419 + if (hmac_offs > 0) { 420 + err = ubifs_node_insert_hmac(c, node, len, hmac_offs); 421 + if (err) 422 + return err; 423 + } 424 + 425 + ubifs_crc_node(c, node, len); 426 + 427 + return 0; 428 + } 429 + 368 430 /** 369 431 * ubifs_prepare_node - prepare node to be written to flash. 370 432 * @c: UBIFS file-system description object ··· 440 378 */ 441 379 void ubifs_prepare_node(struct ubifs_info *c, void *node, int len, int pad) 442 380 { 443 - uint32_t crc; 444 - struct ubifs_ch *ch = node; 445 - unsigned long long sqnum = next_sqnum(c); 446 - 447 - ubifs_assert(c, len >= UBIFS_CH_SZ); 448 - 449 - ch->magic = cpu_to_le32(UBIFS_NODE_MAGIC); 450 - ch->len = cpu_to_le32(len); 451 - ch->group_type = UBIFS_NO_NODE_GROUP; 452 - ch->sqnum = cpu_to_le64(sqnum); 453 - ch->padding[0] = ch->padding[1] = 0; 454 - crc = crc32(UBIFS_CRC32_INIT, node + 8, len - 8); 455 - ch->crc = cpu_to_le32(crc); 456 - 457 - if (pad) { 458 - len = ALIGN(len, 8); 459 - pad = ALIGN(len, c->min_io_size) - len; 460 - ubifs_pad(c, node + len, pad); 461 - } 381 + /* 382 + * Deliberately ignore return value since this function can only fail 383 + * when a hmac offset is given. 384 + */ 385 + ubifs_prepare_node_hmac(c, node, len, 0, pad); 462 386 } 463 387 464 388 /** ··· 897 849 } 898 850 899 851 /** 852 + * ubifs_write_node_hmac - write node to the media. 853 + * @c: UBIFS file-system description object 854 + * @buf: the node to write 855 + * @len: node length 856 + * @lnum: logical eraseblock number 857 + * @offs: offset within the logical eraseblock 858 + * @hmac_offs: offset of the HMAC within the node 859 + * 860 + * This function automatically fills node magic number, assigns sequence 861 + * number, and calculates node CRC checksum. The length of the @buf buffer has 862 + * to be aligned to the minimal I/O unit size. This function automatically 863 + * appends padding node and padding bytes if needed. Returns zero in case of 864 + * success and a negative error code in case of failure. 865 + */ 866 + int ubifs_write_node_hmac(struct ubifs_info *c, void *buf, int len, int lnum, 867 + int offs, int hmac_offs) 868 + { 869 + int err, buf_len = ALIGN(len, c->min_io_size); 870 + 871 + dbg_io("LEB %d:%d, %s, length %d (aligned %d)", 872 + lnum, offs, dbg_ntype(((struct ubifs_ch *)buf)->node_type), len, 873 + buf_len); 874 + ubifs_assert(c, lnum >= 0 && lnum < c->leb_cnt && offs >= 0); 875 + ubifs_assert(c, offs % c->min_io_size == 0 && offs < c->leb_size); 876 + ubifs_assert(c, !c->ro_media && !c->ro_mount); 877 + ubifs_assert(c, !c->space_fixup); 878 + 879 + if (c->ro_error) 880 + return -EROFS; 881 + 882 + err = ubifs_prepare_node_hmac(c, buf, len, hmac_offs, 1); 883 + if (err) 884 + return err; 885 + 886 + err = ubifs_leb_write(c, lnum, buf, offs, buf_len); 887 + if (err) 888 + ubifs_dump_node(c, buf); 889 + 890 + return err; 891 + } 892 + 893 + /** 900 894 * ubifs_write_node - write node to the media. 901 895 * @c: UBIFS file-system description object 902 896 * @buf: the node to write ··· 955 865 int ubifs_write_node(struct ubifs_info *c, void *buf, int len, int lnum, 956 866 int offs) 957 867 { 958 - int err, buf_len = ALIGN(len, c->min_io_size); 959 - 960 - dbg_io("LEB %d:%d, %s, length %d (aligned %d)", 961 - lnum, offs, dbg_ntype(((struct ubifs_ch *)buf)->node_type), len, 962 - buf_len); 963 - ubifs_assert(c, lnum >= 0 && lnum < c->leb_cnt && offs >= 0); 964 - ubifs_assert(c, offs % c->min_io_size == 0 && offs < c->leb_size); 965 - ubifs_assert(c, !c->ro_media && !c->ro_mount); 966 - ubifs_assert(c, !c->space_fixup); 967 - 968 - if (c->ro_error) 969 - return -EROFS; 970 - 971 - ubifs_prepare_node(c, buf, len, 1); 972 - err = ubifs_leb_write(c, lnum, buf, offs, buf_len); 973 - if (err) 974 - ubifs_dump_node(c, buf); 975 - 976 - return err; 868 + return ubifs_write_node_hmac(c, buf, len, lnum, offs, -1); 977 869 } 978 870 979 871 /**
+223 -66
fs/ubifs/journal.c
··· 90 90 memset(trun->padding, 0, 12); 91 91 } 92 92 93 + static void ubifs_add_auth_dirt(struct ubifs_info *c, int lnum) 94 + { 95 + if (ubifs_authenticated(c)) 96 + ubifs_add_dirt(c, lnum, ubifs_auth_node_sz(c)); 97 + } 98 + 93 99 /** 94 100 * reserve_space - reserve space in the journal. 95 101 * @c: UBIFS file-system description object ··· 234 228 return err; 235 229 } 236 230 237 - /** 238 - * write_node - write node to a journal head. 239 - * @c: UBIFS file-system description object 240 - * @jhead: journal head 241 - * @node: node to write 242 - * @len: node length 243 - * @lnum: LEB number written is returned here 244 - * @offs: offset written is returned here 245 - * 246 - * This function writes a node to reserved space of journal head @jhead. 247 - * Returns zero in case of success and a negative error code in case of 248 - * failure. 249 - */ 250 - static int write_node(struct ubifs_info *c, int jhead, void *node, int len, 251 - int *lnum, int *offs) 231 + static int ubifs_hash_nodes(struct ubifs_info *c, void *node, 232 + int len, struct shash_desc *hash) 252 233 { 253 - struct ubifs_wbuf *wbuf = &c->jheads[jhead].wbuf; 234 + int auth_node_size = ubifs_auth_node_sz(c); 235 + int err; 254 236 255 - ubifs_assert(c, jhead != GCHD); 237 + while (1) { 238 + const struct ubifs_ch *ch = node; 239 + int nodelen = le32_to_cpu(ch->len); 256 240 257 - *lnum = c->jheads[jhead].wbuf.lnum; 258 - *offs = c->jheads[jhead].wbuf.offs + c->jheads[jhead].wbuf.used; 241 + ubifs_assert(c, len >= auth_node_size); 259 242 260 - dbg_jnl("jhead %s, LEB %d:%d, len %d", 261 - dbg_jhead(jhead), *lnum, *offs, len); 262 - ubifs_prepare_node(c, node, len, 0); 243 + if (len == auth_node_size) 244 + break; 263 245 264 - return ubifs_wbuf_write_nolock(wbuf, node, len); 246 + ubifs_assert(c, len > nodelen); 247 + ubifs_assert(c, ch->magic == cpu_to_le32(UBIFS_NODE_MAGIC)); 248 + 249 + err = ubifs_shash_update(c, hash, (void *)node, nodelen); 250 + if (err) 251 + return err; 252 + 253 + node += ALIGN(nodelen, 8); 254 + len -= ALIGN(nodelen, 8); 255 + } 256 + 257 + return ubifs_prepare_auth_node(c, node, hash); 265 258 } 266 259 267 260 /** ··· 273 268 * @offs: offset written is returned here 274 269 * @sync: non-zero if the write-buffer has to by synchronized 275 270 * 276 - * This function is the same as 'write_node()' but it does not assume the 277 - * buffer it is writing is a node, so it does not prepare it (which means 278 - * initializing common header and calculating CRC). 271 + * This function writes data to the reserved space of journal head @jhead. 272 + * Returns zero in case of success and a negative error code in case of 273 + * failure. 279 274 */ 280 275 static int write_head(struct ubifs_info *c, int jhead, void *buf, int len, 281 276 int *lnum, int *offs, int sync) ··· 289 284 *offs = c->jheads[jhead].wbuf.offs + c->jheads[jhead].wbuf.used; 290 285 dbg_jnl("jhead %s, LEB %d:%d, len %d", 291 286 dbg_jhead(jhead), *lnum, *offs, len); 287 + 288 + if (ubifs_authenticated(c)) { 289 + err = ubifs_hash_nodes(c, buf, len, c->jheads[jhead].log_hash); 290 + if (err) 291 + return err; 292 + } 292 293 293 294 err = ubifs_wbuf_write_nolock(wbuf, buf, len); 294 295 if (err) ··· 559 548 struct ubifs_dent_node *dent; 560 549 struct ubifs_ino_node *ino; 561 550 union ubifs_key dent_key, ino_key; 551 + u8 hash_dent[UBIFS_HASH_ARR_SZ]; 552 + u8 hash_ino[UBIFS_HASH_ARR_SZ]; 553 + u8 hash_ino_host[UBIFS_HASH_ARR_SZ]; 562 554 563 555 ubifs_assert(c, mutex_is_locked(&host_ui->ui_mutex)); 564 556 ··· 584 570 585 571 len = aligned_dlen + aligned_ilen + UBIFS_INO_NODE_SZ; 586 572 /* Make sure to also account for extended attributes */ 587 - len += host_ui->data_len; 573 + if (ubifs_authenticated(c)) 574 + len += ALIGN(host_ui->data_len, 8) + ubifs_auth_node_sz(c); 575 + else 576 + len += host_ui->data_len; 588 577 589 578 dent = kzalloc(len, GFP_NOFS); 590 579 if (!dent) ··· 619 602 620 603 zero_dent_node_unused(dent); 621 604 ubifs_prep_grp_node(c, dent, dlen, 0); 605 + err = ubifs_node_calc_hash(c, dent, hash_dent); 606 + if (err) 607 + goto out_release; 622 608 623 609 ino = (void *)dent + aligned_dlen; 624 610 pack_inode(c, ino, inode, 0); 611 + err = ubifs_node_calc_hash(c, ino, hash_ino); 612 + if (err) 613 + goto out_release; 614 + 625 615 ino = (void *)ino + aligned_ilen; 626 616 pack_inode(c, ino, dir, 1); 617 + err = ubifs_node_calc_hash(c, ino, hash_ino_host); 618 + if (err) 619 + goto out_release; 627 620 628 621 if (last_reference) { 629 622 err = ubifs_add_orphan(c, inode->i_ino); ··· 655 628 } 656 629 release_head(c, BASEHD); 657 630 kfree(dent); 631 + ubifs_add_auth_dirt(c, lnum); 658 632 659 633 if (deletion) { 660 634 if (nm->hash) ··· 666 638 goto out_ro; 667 639 err = ubifs_add_dirt(c, lnum, dlen); 668 640 } else 669 - err = ubifs_tnc_add_nm(c, &dent_key, lnum, dent_offs, dlen, nm); 641 + err = ubifs_tnc_add_nm(c, &dent_key, lnum, dent_offs, dlen, 642 + hash_dent, nm); 670 643 if (err) 671 644 goto out_ro; 672 645 ··· 679 650 */ 680 651 ino_key_init(c, &ino_key, inode->i_ino); 681 652 ino_offs = dent_offs + aligned_dlen; 682 - err = ubifs_tnc_add(c, &ino_key, lnum, ino_offs, ilen); 653 + err = ubifs_tnc_add(c, &ino_key, lnum, ino_offs, ilen, hash_ino); 683 654 if (err) 684 655 goto out_ro; 685 656 686 657 ino_key_init(c, &ino_key, dir->i_ino); 687 658 ino_offs += aligned_ilen; 688 659 err = ubifs_tnc_add(c, &ino_key, lnum, ino_offs, 689 - UBIFS_INO_NODE_SZ + host_ui->data_len); 660 + UBIFS_INO_NODE_SZ + host_ui->data_len, hash_ino_host); 690 661 if (err) 691 662 goto out_ro; 692 663 ··· 735 706 const union ubifs_key *key, const void *buf, int len) 736 707 { 737 708 struct ubifs_data_node *data; 738 - int err, lnum, offs, compr_type, out_len, compr_len; 709 + int err, lnum, offs, compr_type, out_len, compr_len, auth_len; 739 710 int dlen = COMPRESSED_DATA_NODE_BUF_SZ, allocated = 1; 711 + int write_len; 740 712 struct ubifs_inode *ui = ubifs_inode(inode); 741 713 bool encrypted = ubifs_crypt_is_encrypted(inode); 714 + u8 hash[UBIFS_HASH_ARR_SZ]; 742 715 743 716 dbg_jnlk(key, "ino %lu, blk %u, len %d, key ", 744 717 (unsigned long)key_inum(c, key), key_block(c, key), len); ··· 749 718 if (encrypted) 750 719 dlen += UBIFS_CIPHER_BLOCK_SIZE; 751 720 752 - data = kmalloc(dlen, GFP_NOFS | __GFP_NOWARN); 721 + auth_len = ubifs_auth_node_sz(c); 722 + 723 + data = kmalloc(dlen + auth_len, GFP_NOFS | __GFP_NOWARN); 753 724 if (!data) { 754 725 /* 755 726 * Fall-back to the write reserve buffer. Note, we might be ··· 790 757 } 791 758 792 759 dlen = UBIFS_DATA_NODE_SZ + out_len; 760 + if (ubifs_authenticated(c)) 761 + write_len = ALIGN(dlen, 8) + auth_len; 762 + else 763 + write_len = dlen; 764 + 793 765 data->compr_type = cpu_to_le16(compr_type); 794 766 795 767 /* Make reservation before allocating sequence numbers */ 796 - err = make_reservation(c, DATAHD, dlen); 768 + err = make_reservation(c, DATAHD, write_len); 797 769 if (err) 798 770 goto out_free; 799 771 800 - err = write_node(c, DATAHD, data, dlen, &lnum, &offs); 772 + ubifs_prepare_node(c, data, dlen, 0); 773 + err = write_head(c, DATAHD, data, write_len, &lnum, &offs, 0); 801 774 if (err) 802 775 goto out_release; 776 + 777 + err = ubifs_node_calc_hash(c, data, hash); 778 + if (err) 779 + goto out_release; 780 + 803 781 ubifs_wbuf_add_ino_nolock(&c->jheads[DATAHD].wbuf, key_inum(c, key)); 804 782 release_head(c, DATAHD); 805 783 806 - err = ubifs_tnc_add(c, key, lnum, offs, dlen); 784 + ubifs_add_auth_dirt(c, lnum); 785 + 786 + err = ubifs_tnc_add(c, key, lnum, offs, dlen, hash); 807 787 if (err) 808 788 goto out_ro; 809 789 ··· 854 808 int err, lnum, offs; 855 809 struct ubifs_ino_node *ino; 856 810 struct ubifs_inode *ui = ubifs_inode(inode); 857 - int sync = 0, len = UBIFS_INO_NODE_SZ, last_reference = !inode->i_nlink; 811 + int sync = 0, write_len, ilen = UBIFS_INO_NODE_SZ; 812 + int last_reference = !inode->i_nlink; 813 + u8 hash[UBIFS_HASH_ARR_SZ]; 858 814 859 815 dbg_jnl("ino %lu, nlink %u", inode->i_ino, inode->i_nlink); 860 816 ··· 865 817 * need to synchronize the write-buffer either. 866 818 */ 867 819 if (!last_reference) { 868 - len += ui->data_len; 820 + ilen += ui->data_len; 869 821 sync = IS_SYNC(inode); 870 822 } 871 - ino = kmalloc(len, GFP_NOFS); 823 + 824 + if (ubifs_authenticated(c)) 825 + write_len = ALIGN(ilen, 8) + ubifs_auth_node_sz(c); 826 + else 827 + write_len = ilen; 828 + 829 + ino = kmalloc(write_len, GFP_NOFS); 872 830 if (!ino) 873 831 return -ENOMEM; 874 832 875 833 /* Make reservation before allocating sequence numbers */ 876 - err = make_reservation(c, BASEHD, len); 834 + err = make_reservation(c, BASEHD, write_len); 877 835 if (err) 878 836 goto out_free; 879 837 880 838 pack_inode(c, ino, inode, 1); 881 - err = write_head(c, BASEHD, ino, len, &lnum, &offs, sync); 839 + err = ubifs_node_calc_hash(c, ino, hash); 840 + if (err) 841 + goto out_release; 842 + 843 + err = write_head(c, BASEHD, ino, write_len, &lnum, &offs, sync); 882 844 if (err) 883 845 goto out_release; 884 846 if (!sync) ··· 896 838 inode->i_ino); 897 839 release_head(c, BASEHD); 898 840 841 + ubifs_add_auth_dirt(c, lnum); 842 + 899 843 if (last_reference) { 900 844 err = ubifs_tnc_remove_ino(c, inode->i_ino); 901 845 if (err) 902 846 goto out_ro; 903 847 ubifs_delete_orphan(c, inode->i_ino); 904 - err = ubifs_add_dirt(c, lnum, len); 848 + err = ubifs_add_dirt(c, lnum, ilen); 905 849 } else { 906 850 union ubifs_key key; 907 851 908 852 ino_key_init(c, &key, inode->i_ino); 909 - err = ubifs_tnc_add(c, &key, lnum, offs, len); 853 + err = ubifs_tnc_add(c, &key, lnum, offs, ilen, hash); 910 854 } 911 855 if (err) 912 856 goto out_ro; ··· 1018 958 int aligned_dlen1, aligned_dlen2; 1019 959 int twoparents = (fst_dir != snd_dir); 1020 960 void *p; 961 + u8 hash_dent1[UBIFS_HASH_ARR_SZ]; 962 + u8 hash_dent2[UBIFS_HASH_ARR_SZ]; 963 + u8 hash_p1[UBIFS_HASH_ARR_SZ]; 964 + u8 hash_p2[UBIFS_HASH_ARR_SZ]; 1021 965 1022 966 ubifs_assert(c, ubifs_inode(fst_dir)->data_len == 0); 1023 967 ubifs_assert(c, ubifs_inode(snd_dir)->data_len == 0); ··· 1036 972 len = aligned_dlen1 + aligned_dlen2 + ALIGN(plen, 8); 1037 973 if (twoparents) 1038 974 len += plen; 975 + 976 + len += ubifs_auth_node_sz(c); 1039 977 1040 978 dent1 = kzalloc(len, GFP_NOFS); 1041 979 if (!dent1) ··· 1059 993 set_dent_cookie(c, dent1); 1060 994 zero_dent_node_unused(dent1); 1061 995 ubifs_prep_grp_node(c, dent1, dlen1, 0); 996 + err = ubifs_node_calc_hash(c, dent1, hash_dent1); 997 + if (err) 998 + goto out_release; 1062 999 1063 1000 /* Make new dent for 2nd entry */ 1064 1001 dent2 = (void *)dent1 + aligned_dlen1; ··· 1075 1006 set_dent_cookie(c, dent2); 1076 1007 zero_dent_node_unused(dent2); 1077 1008 ubifs_prep_grp_node(c, dent2, dlen2, 0); 1009 + err = ubifs_node_calc_hash(c, dent2, hash_dent2); 1010 + if (err) 1011 + goto out_release; 1078 1012 1079 1013 p = (void *)dent2 + aligned_dlen2; 1080 - if (!twoparents) 1014 + if (!twoparents) { 1081 1015 pack_inode(c, p, fst_dir, 1); 1082 - else { 1016 + err = ubifs_node_calc_hash(c, p, hash_p1); 1017 + if (err) 1018 + goto out_release; 1019 + } else { 1083 1020 pack_inode(c, p, fst_dir, 0); 1021 + err = ubifs_node_calc_hash(c, p, hash_p1); 1022 + if (err) 1023 + goto out_release; 1084 1024 p += ALIGN(plen, 8); 1085 1025 pack_inode(c, p, snd_dir, 1); 1026 + err = ubifs_node_calc_hash(c, p, hash_p2); 1027 + if (err) 1028 + goto out_release; 1086 1029 } 1087 1030 1088 1031 err = write_head(c, BASEHD, dent1, len, &lnum, &offs, sync); ··· 1108 1027 } 1109 1028 release_head(c, BASEHD); 1110 1029 1030 + ubifs_add_auth_dirt(c, lnum); 1031 + 1111 1032 dent_key_init(c, &key, snd_dir->i_ino, snd_nm); 1112 - err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen1, snd_nm); 1033 + err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen1, hash_dent1, snd_nm); 1113 1034 if (err) 1114 1035 goto out_ro; 1115 1036 1116 1037 offs += aligned_dlen1; 1117 1038 dent_key_init(c, &key, fst_dir->i_ino, fst_nm); 1118 - err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen2, fst_nm); 1039 + err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen2, hash_dent2, fst_nm); 1119 1040 if (err) 1120 1041 goto out_ro; 1121 1042 1122 1043 offs += aligned_dlen2; 1123 1044 1124 1045 ino_key_init(c, &key, fst_dir->i_ino); 1125 - err = ubifs_tnc_add(c, &key, lnum, offs, plen); 1046 + err = ubifs_tnc_add(c, &key, lnum, offs, plen, hash_p1); 1126 1047 if (err) 1127 1048 goto out_ro; 1128 1049 1129 1050 if (twoparents) { 1130 1051 offs += ALIGN(plen, 8); 1131 1052 ino_key_init(c, &key, snd_dir->i_ino); 1132 - err = ubifs_tnc_add(c, &key, lnum, offs, plen); 1053 + err = ubifs_tnc_add(c, &key, lnum, offs, plen, hash_p2); 1133 1054 if (err) 1134 1055 goto out_ro; 1135 1056 } ··· 1184 1101 int last_reference = !!(new_inode && new_inode->i_nlink == 0); 1185 1102 int move = (old_dir != new_dir); 1186 1103 struct ubifs_inode *uninitialized_var(new_ui); 1104 + u8 hash_old_dir[UBIFS_HASH_ARR_SZ]; 1105 + u8 hash_new_dir[UBIFS_HASH_ARR_SZ]; 1106 + u8 hash_new_inode[UBIFS_HASH_ARR_SZ]; 1107 + u8 hash_dent1[UBIFS_HASH_ARR_SZ]; 1108 + u8 hash_dent2[UBIFS_HASH_ARR_SZ]; 1187 1109 1188 1110 ubifs_assert(c, ubifs_inode(old_dir)->data_len == 0); 1189 1111 ubifs_assert(c, ubifs_inode(new_dir)->data_len == 0); ··· 1211 1123 len = aligned_dlen1 + aligned_dlen2 + ALIGN(ilen, 8) + ALIGN(plen, 8); 1212 1124 if (move) 1213 1125 len += plen; 1126 + 1127 + len += ubifs_auth_node_sz(c); 1128 + 1214 1129 dent = kzalloc(len, GFP_NOFS); 1215 1130 if (!dent) 1216 1131 return -ENOMEM; ··· 1234 1143 set_dent_cookie(c, dent); 1235 1144 zero_dent_node_unused(dent); 1236 1145 ubifs_prep_grp_node(c, dent, dlen1, 0); 1146 + err = ubifs_node_calc_hash(c, dent, hash_dent1); 1147 + if (err) 1148 + goto out_release; 1237 1149 1238 1150 dent2 = (void *)dent + aligned_dlen1; 1239 1151 dent2->ch.node_type = UBIFS_DENT_NODE; ··· 1256 1162 set_dent_cookie(c, dent2); 1257 1163 zero_dent_node_unused(dent2); 1258 1164 ubifs_prep_grp_node(c, dent2, dlen2, 0); 1165 + err = ubifs_node_calc_hash(c, dent2, hash_dent2); 1166 + if (err) 1167 + goto out_release; 1259 1168 1260 1169 p = (void *)dent2 + aligned_dlen2; 1261 1170 if (new_inode) { 1262 1171 pack_inode(c, p, new_inode, 0); 1172 + err = ubifs_node_calc_hash(c, p, hash_new_inode); 1173 + if (err) 1174 + goto out_release; 1175 + 1263 1176 p += ALIGN(ilen, 8); 1264 1177 } 1265 1178 1266 - if (!move) 1179 + if (!move) { 1267 1180 pack_inode(c, p, old_dir, 1); 1268 - else { 1181 + err = ubifs_node_calc_hash(c, p, hash_old_dir); 1182 + if (err) 1183 + goto out_release; 1184 + } else { 1269 1185 pack_inode(c, p, old_dir, 0); 1186 + err = ubifs_node_calc_hash(c, p, hash_old_dir); 1187 + if (err) 1188 + goto out_release; 1189 + 1270 1190 p += ALIGN(plen, 8); 1271 1191 pack_inode(c, p, new_dir, 1); 1192 + err = ubifs_node_calc_hash(c, p, hash_new_dir); 1193 + if (err) 1194 + goto out_release; 1272 1195 } 1273 1196 1274 1197 if (last_reference) { ··· 1311 1200 } 1312 1201 release_head(c, BASEHD); 1313 1202 1203 + ubifs_add_auth_dirt(c, lnum); 1204 + 1314 1205 dent_key_init(c, &key, new_dir->i_ino, new_nm); 1315 - err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen1, new_nm); 1206 + err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen1, hash_dent1, new_nm); 1316 1207 if (err) 1317 1208 goto out_ro; 1318 1209 1319 1210 offs += aligned_dlen1; 1320 1211 if (whiteout) { 1321 1212 dent_key_init(c, &key, old_dir->i_ino, old_nm); 1322 - err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen2, old_nm); 1213 + err = ubifs_tnc_add_nm(c, &key, lnum, offs, dlen2, hash_dent2, old_nm); 1323 1214 if (err) 1324 1215 goto out_ro; 1325 1216 ··· 1340 1227 offs += aligned_dlen2; 1341 1228 if (new_inode) { 1342 1229 ino_key_init(c, &key, new_inode->i_ino); 1343 - err = ubifs_tnc_add(c, &key, lnum, offs, ilen); 1230 + err = ubifs_tnc_add(c, &key, lnum, offs, ilen, hash_new_inode); 1344 1231 if (err) 1345 1232 goto out_ro; 1346 1233 offs += ALIGN(ilen, 8); 1347 1234 } 1348 1235 1349 1236 ino_key_init(c, &key, old_dir->i_ino); 1350 - err = ubifs_tnc_add(c, &key, lnum, offs, plen); 1237 + err = ubifs_tnc_add(c, &key, lnum, offs, plen, hash_old_dir); 1351 1238 if (err) 1352 1239 goto out_ro; 1353 1240 1354 1241 if (move) { 1355 1242 offs += ALIGN(plen, 8); 1356 1243 ino_key_init(c, &key, new_dir->i_ino); 1357 - err = ubifs_tnc_add(c, &key, lnum, offs, plen); 1244 + err = ubifs_tnc_add(c, &key, lnum, offs, plen, hash_new_dir); 1358 1245 if (err) 1359 1246 goto out_ro; 1360 1247 } ··· 1473 1360 struct ubifs_inode *ui = ubifs_inode(inode); 1474 1361 ino_t inum = inode->i_ino; 1475 1362 unsigned int blk; 1363 + u8 hash_ino[UBIFS_HASH_ARR_SZ]; 1364 + u8 hash_dn[UBIFS_HASH_ARR_SZ]; 1476 1365 1477 1366 dbg_jnl("ino %lu, size %lld -> %lld", 1478 1367 (unsigned long)inum, old_size, new_size); ··· 1484 1369 1485 1370 sz = UBIFS_TRUN_NODE_SZ + UBIFS_INO_NODE_SZ + 1486 1371 UBIFS_MAX_DATA_NODE_SZ * WORST_COMPR_FACTOR; 1372 + 1373 + sz += ubifs_auth_node_sz(c); 1374 + 1487 1375 ino = kmalloc(sz, GFP_NOFS); 1488 1376 if (!ino) 1489 1377 return -ENOMEM; ··· 1532 1414 1533 1415 /* Must make reservation before allocating sequence numbers */ 1534 1416 len = UBIFS_TRUN_NODE_SZ + UBIFS_INO_NODE_SZ; 1535 - if (dlen) 1417 + 1418 + if (ubifs_authenticated(c)) 1419 + len += ALIGN(dlen, 8) + ubifs_auth_node_sz(c); 1420 + else 1536 1421 len += dlen; 1422 + 1537 1423 err = make_reservation(c, BASEHD, len); 1538 1424 if (err) 1539 1425 goto out_free; 1540 1426 1541 1427 pack_inode(c, ino, inode, 0); 1428 + err = ubifs_node_calc_hash(c, ino, hash_ino); 1429 + if (err) 1430 + goto out_release; 1431 + 1542 1432 ubifs_prep_grp_node(c, trun, UBIFS_TRUN_NODE_SZ, dlen ? 0 : 1); 1543 - if (dlen) 1433 + if (dlen) { 1544 1434 ubifs_prep_grp_node(c, dn, dlen, 1); 1435 + err = ubifs_node_calc_hash(c, dn, hash_dn); 1436 + if (err) 1437 + goto out_release; 1438 + } 1545 1439 1546 1440 err = write_head(c, BASEHD, ino, len, &lnum, &offs, sync); 1547 1441 if (err) ··· 1562 1432 ubifs_wbuf_add_ino_nolock(&c->jheads[BASEHD].wbuf, inum); 1563 1433 release_head(c, BASEHD); 1564 1434 1435 + ubifs_add_auth_dirt(c, lnum); 1436 + 1565 1437 if (dlen) { 1566 1438 sz = offs + UBIFS_INO_NODE_SZ + UBIFS_TRUN_NODE_SZ; 1567 - err = ubifs_tnc_add(c, &key, lnum, sz, dlen); 1439 + err = ubifs_tnc_add(c, &key, lnum, sz, dlen, hash_dn); 1568 1440 if (err) 1569 1441 goto out_ro; 1570 1442 } 1571 1443 1572 1444 ino_key_init(c, &key, inum); 1573 - err = ubifs_tnc_add(c, &key, lnum, offs, UBIFS_INO_NODE_SZ); 1445 + err = ubifs_tnc_add(c, &key, lnum, offs, UBIFS_INO_NODE_SZ, hash_ino); 1574 1446 if (err) 1575 1447 goto out_ro; 1576 1448 ··· 1627 1495 const struct inode *inode, 1628 1496 const struct fscrypt_name *nm) 1629 1497 { 1630 - int err, xlen, hlen, len, lnum, xent_offs, aligned_xlen; 1498 + int err, xlen, hlen, len, lnum, xent_offs, aligned_xlen, write_len; 1631 1499 struct ubifs_dent_node *xent; 1632 1500 struct ubifs_ino_node *ino; 1633 1501 union ubifs_key xent_key, key1, key2; 1634 1502 int sync = IS_DIRSYNC(host); 1635 1503 struct ubifs_inode *host_ui = ubifs_inode(host); 1504 + u8 hash[UBIFS_HASH_ARR_SZ]; 1636 1505 1637 1506 ubifs_assert(c, inode->i_nlink == 0); 1638 1507 ubifs_assert(c, mutex_is_locked(&host_ui->ui_mutex)); ··· 1647 1514 hlen = host_ui->data_len + UBIFS_INO_NODE_SZ; 1648 1515 len = aligned_xlen + UBIFS_INO_NODE_SZ + ALIGN(hlen, 8); 1649 1516 1650 - xent = kzalloc(len, GFP_NOFS); 1517 + write_len = len + ubifs_auth_node_sz(c); 1518 + 1519 + xent = kzalloc(write_len, GFP_NOFS); 1651 1520 if (!xent) 1652 1521 return -ENOMEM; 1653 1522 1654 1523 /* Make reservation before allocating sequence numbers */ 1655 - err = make_reservation(c, BASEHD, len); 1524 + err = make_reservation(c, BASEHD, write_len); 1656 1525 if (err) { 1657 1526 kfree(xent); 1658 1527 return err; ··· 1675 1540 pack_inode(c, ino, inode, 0); 1676 1541 ino = (void *)ino + UBIFS_INO_NODE_SZ; 1677 1542 pack_inode(c, ino, host, 1); 1543 + err = ubifs_node_calc_hash(c, ino, hash); 1544 + if (err) 1545 + goto out_release; 1678 1546 1679 - err = write_head(c, BASEHD, xent, len, &lnum, &xent_offs, sync); 1547 + err = write_head(c, BASEHD, xent, write_len, &lnum, &xent_offs, sync); 1680 1548 if (!sync && !err) 1681 1549 ubifs_wbuf_add_ino_nolock(&c->jheads[BASEHD].wbuf, host->i_ino); 1682 1550 release_head(c, BASEHD); 1551 + 1552 + ubifs_add_auth_dirt(c, lnum); 1683 1553 kfree(xent); 1684 1554 if (err) 1685 1555 goto out_ro; ··· 1712 1572 1713 1573 /* And update TNC with the new host inode position */ 1714 1574 ino_key_init(c, &key1, host->i_ino); 1715 - err = ubifs_tnc_add(c, &key1, lnum, xent_offs + len - hlen, hlen); 1575 + err = ubifs_tnc_add(c, &key1, lnum, xent_offs + len - hlen, hlen, hash); 1716 1576 if (err) 1717 1577 goto out_ro; 1718 1578 ··· 1723 1583 mark_inode_clean(c, host_ui); 1724 1584 return 0; 1725 1585 1586 + out_release: 1587 + kfree(xent); 1588 + release_head(c, BASEHD); 1726 1589 out_ro: 1727 1590 ubifs_ro_mode(c, err); 1728 1591 finish_reservation(c); ··· 1753 1610 struct ubifs_ino_node *ino; 1754 1611 union ubifs_key key; 1755 1612 int sync = IS_DIRSYNC(host); 1613 + u8 hash_host[UBIFS_HASH_ARR_SZ]; 1614 + u8 hash[UBIFS_HASH_ARR_SZ]; 1756 1615 1757 1616 dbg_jnl("ino %lu, ino %lu", host->i_ino, inode->i_ino); 1758 1617 ubifs_assert(c, host->i_nlink > 0); ··· 1766 1621 aligned_len1 = ALIGN(len1, 8); 1767 1622 aligned_len = aligned_len1 + ALIGN(len2, 8); 1768 1623 1624 + aligned_len += ubifs_auth_node_sz(c); 1625 + 1769 1626 ino = kzalloc(aligned_len, GFP_NOFS); 1770 1627 if (!ino) 1771 1628 return -ENOMEM; ··· 1778 1631 goto out_free; 1779 1632 1780 1633 pack_inode(c, ino, host, 0); 1634 + err = ubifs_node_calc_hash(c, ino, hash_host); 1635 + if (err) 1636 + goto out_release; 1781 1637 pack_inode(c, (void *)ino + aligned_len1, inode, 1); 1638 + err = ubifs_node_calc_hash(c, (void *)ino + aligned_len1, hash); 1639 + if (err) 1640 + goto out_release; 1782 1641 1783 1642 err = write_head(c, BASEHD, ino, aligned_len, &lnum, &offs, 0); 1784 1643 if (!sync && !err) { ··· 1797 1644 if (err) 1798 1645 goto out_ro; 1799 1646 1647 + ubifs_add_auth_dirt(c, lnum); 1648 + 1800 1649 ino_key_init(c, &key, host->i_ino); 1801 - err = ubifs_tnc_add(c, &key, lnum, offs, len1); 1650 + err = ubifs_tnc_add(c, &key, lnum, offs, len1, hash_host); 1802 1651 if (err) 1803 1652 goto out_ro; 1804 1653 1805 1654 ino_key_init(c, &key, inode->i_ino); 1806 - err = ubifs_tnc_add(c, &key, lnum, offs + aligned_len1, len2); 1655 + err = ubifs_tnc_add(c, &key, lnum, offs + aligned_len1, len2, hash); 1807 1656 if (err) 1808 1657 goto out_ro; 1809 1658 ··· 1817 1662 kfree(ino); 1818 1663 return 0; 1819 1664 1665 + out_release: 1666 + release_head(c, BASEHD); 1820 1667 out_ro: 1821 1668 ubifs_ro_mode(c, err); 1822 1669 finish_reservation(c);
+24
fs/ubifs/log.c
··· 236 236 bud->lnum = lnum; 237 237 bud->start = offs; 238 238 bud->jhead = jhead; 239 + bud->log_hash = NULL; 239 240 240 241 ref->ch.node_type = UBIFS_REF_NODE; 241 242 ref->lnum = cpu_to_le32(bud->lnum); ··· 273 272 c->lhead_lnum, c->lhead_offs); 274 273 err = ubifs_write_node(c, ref, UBIFS_REF_NODE_SZ, c->lhead_lnum, 275 274 c->lhead_offs); 275 + if (err) 276 + goto out_unlock; 277 + 278 + err = ubifs_shash_update(c, c->log_hash, ref, UBIFS_REF_NODE_SZ); 279 + if (err) 280 + goto out_unlock; 281 + 282 + err = ubifs_shash_copy_state(c, c->log_hash, c->jheads[jhead].log_hash); 276 283 if (err) 277 284 goto out_unlock; 278 285 ··· 386 377 cs->cmt_no = cpu_to_le64(c->cmt_no); 387 378 ubifs_prepare_node(c, cs, UBIFS_CS_NODE_SZ, 0); 388 379 380 + err = ubifs_shash_init(c, c->log_hash); 381 + if (err) 382 + goto out; 383 + 384 + err = ubifs_shash_update(c, c->log_hash, cs, UBIFS_CS_NODE_SZ); 385 + if (err < 0) 386 + goto out; 387 + 389 388 /* 390 389 * Note, we do not lock 'c->log_mutex' because this is the commit start 391 390 * phase and we are exclusively using the log. And we do not lock ··· 419 402 420 403 ubifs_prepare_node(c, ref, UBIFS_REF_NODE_SZ, 0); 421 404 len += UBIFS_REF_NODE_SZ; 405 + 406 + err = ubifs_shash_update(c, c->log_hash, ref, 407 + UBIFS_REF_NODE_SZ); 408 + if (err) 409 + goto out; 410 + ubifs_shash_copy_state(c, c->log_hash, c->jheads[i].log_hash); 422 411 } 423 412 424 413 ubifs_pad(c, buf + len, ALIGN(len, c->min_io_size) - len); ··· 539 516 if (err) 540 517 return err; 541 518 list_del(&bud->list); 519 + kfree(bud->log_hash); 542 520 kfree(bud); 543 521 } 544 522 mutex_lock(&c->log_mutex);
+174 -10
fs/ubifs/lpt.c
··· 604 604 * @lpt_first: LEB number of first LPT LEB 605 605 * @lpt_lebs: number of LEBs for LPT is passed and returned here 606 606 * @big_lpt: use big LPT model is passed and returned here 607 + * @hash: hash of the LPT is returned here 607 608 * 608 609 * This function returns %0 on success and a negative error code on failure. 609 610 */ 610 611 int ubifs_create_dflt_lpt(struct ubifs_info *c, int *main_lebs, int lpt_first, 611 - int *lpt_lebs, int *big_lpt) 612 + int *lpt_lebs, int *big_lpt, u8 *hash) 612 613 { 613 614 int lnum, err = 0, node_sz, iopos, i, j, cnt, len, alen, row; 614 615 int blnum, boffs, bsz, bcnt; ··· 618 617 void *buf = NULL, *p; 619 618 struct ubifs_lpt_lprops *ltab = NULL; 620 619 int *lsave = NULL; 620 + struct shash_desc *desc; 621 621 622 622 err = calc_dflt_lpt_geom(c, main_lebs, big_lpt); 623 623 if (err) ··· 631 629 c->lpt_last = lpt_first + c->lpt_lebs - 1; 632 630 /* Needed by 'ubifs_pack_lsave()' */ 633 631 c->main_first = c->leb_cnt - *main_lebs; 632 + 633 + desc = ubifs_hash_get_desc(c); 634 + if (IS_ERR(desc)) 635 + return PTR_ERR(desc); 634 636 635 637 lsave = kmalloc_array(c->lsave_cnt, sizeof(int), GFP_KERNEL); 636 638 pnode = kzalloc(sizeof(struct ubifs_pnode), GFP_KERNEL); ··· 683 677 684 678 /* Add first pnode */ 685 679 ubifs_pack_pnode(c, p, pnode); 680 + err = ubifs_shash_update(c, desc, p, c->pnode_sz); 681 + if (err) 682 + goto out; 683 + 686 684 p += c->pnode_sz; 687 685 len = c->pnode_sz; 688 686 pnode->num += 1; ··· 721 711 len = 0; 722 712 } 723 713 ubifs_pack_pnode(c, p, pnode); 714 + err = ubifs_shash_update(c, desc, p, c->pnode_sz); 715 + if (err) 716 + goto out; 717 + 724 718 p += c->pnode_sz; 725 719 len += c->pnode_sz; 726 720 /* ··· 844 830 if (err) 845 831 goto out; 846 832 833 + err = ubifs_shash_final(c, desc, hash); 834 + if (err) 835 + goto out; 836 + 847 837 c->nhead_lnum = lnum; 848 838 c->nhead_offs = ALIGN(len, c->min_io_size); 849 839 ··· 871 853 dbg_lp("LPT lsave is at %d:%d", c->lsave_lnum, c->lsave_offs); 872 854 out: 873 855 c->ltab = NULL; 856 + kfree(desc); 874 857 kfree(lsave); 875 858 vfree(ltab); 876 859 vfree(buf); ··· 1458 1439 } 1459 1440 1460 1441 /** 1461 - * ubifs_lpt_lookup - lookup LEB properties in the LPT. 1442 + * ubifs_pnode_lookup - lookup a pnode in the LPT. 1462 1443 * @c: UBIFS file-system description object 1463 - * @lnum: LEB number to lookup 1444 + * @i: pnode number (0 to (main_lebs - 1) / UBIFS_LPT_FANOUT) 1464 1445 * 1465 - * This function returns a pointer to the LEB properties on success or a 1466 - * negative error code on failure. 1446 + * This function returns a pointer to the pnode on success or a negative 1447 + * error code on failure. 1467 1448 */ 1468 - struct ubifs_lprops *ubifs_lpt_lookup(struct ubifs_info *c, int lnum) 1449 + struct ubifs_pnode *ubifs_pnode_lookup(struct ubifs_info *c, int i) 1469 1450 { 1470 - int err, i, h, iip, shft; 1451 + int err, h, iip, shft; 1471 1452 struct ubifs_nnode *nnode; 1472 - struct ubifs_pnode *pnode; 1473 1453 1474 1454 if (!c->nroot) { 1475 1455 err = ubifs_read_nnode(c, NULL, 0); 1476 1456 if (err) 1477 1457 return ERR_PTR(err); 1478 1458 } 1459 + i <<= UBIFS_LPT_FANOUT_SHIFT; 1479 1460 nnode = c->nroot; 1480 - i = lnum - c->main_first; 1481 1461 shft = c->lpt_hght * UBIFS_LPT_FANOUT_SHIFT; 1482 1462 for (h = 1; h < c->lpt_hght; h++) { 1483 1463 iip = ((i >> shft) & (UBIFS_LPT_FANOUT - 1)); ··· 1486 1468 return ERR_CAST(nnode); 1487 1469 } 1488 1470 iip = ((i >> shft) & (UBIFS_LPT_FANOUT - 1)); 1489 - pnode = ubifs_get_pnode(c, nnode, iip); 1471 + return ubifs_get_pnode(c, nnode, iip); 1472 + } 1473 + 1474 + /** 1475 + * ubifs_lpt_lookup - lookup LEB properties in the LPT. 1476 + * @c: UBIFS file-system description object 1477 + * @lnum: LEB number to lookup 1478 + * 1479 + * This function returns a pointer to the LEB properties on success or a 1480 + * negative error code on failure. 1481 + */ 1482 + struct ubifs_lprops *ubifs_lpt_lookup(struct ubifs_info *c, int lnum) 1483 + { 1484 + int i, iip; 1485 + struct ubifs_pnode *pnode; 1486 + 1487 + i = lnum - c->main_first; 1488 + pnode = ubifs_pnode_lookup(c, i >> UBIFS_LPT_FANOUT_SHIFT); 1490 1489 if (IS_ERR(pnode)) 1491 1490 return ERR_CAST(pnode); 1492 1491 iip = (i & (UBIFS_LPT_FANOUT - 1)); ··· 1655 1620 } 1656 1621 1657 1622 /** 1623 + * ubifs_lpt_calc_hash - Calculate hash of the LPT pnodes 1624 + * @c: UBIFS file-system description object 1625 + * @hash: the returned hash of the LPT pnodes 1626 + * 1627 + * This function iterates over the LPT pnodes and creates a hash over them. 1628 + * Returns 0 for success or a negative error code otherwise. 1629 + */ 1630 + int ubifs_lpt_calc_hash(struct ubifs_info *c, u8 *hash) 1631 + { 1632 + struct ubifs_nnode *nnode, *nn; 1633 + struct ubifs_cnode *cnode; 1634 + struct shash_desc *desc; 1635 + int iip = 0, i; 1636 + int bufsiz = max_t(int, c->nnode_sz, c->pnode_sz); 1637 + void *buf; 1638 + int err; 1639 + 1640 + if (!ubifs_authenticated(c)) 1641 + return 0; 1642 + 1643 + desc = ubifs_hash_get_desc(c); 1644 + if (IS_ERR(desc)) 1645 + return PTR_ERR(desc); 1646 + 1647 + buf = kmalloc(bufsiz, GFP_NOFS); 1648 + if (!buf) { 1649 + err = -ENOMEM; 1650 + goto out; 1651 + } 1652 + 1653 + if (!c->nroot) { 1654 + err = ubifs_read_nnode(c, NULL, 0); 1655 + if (err) 1656 + return err; 1657 + } 1658 + 1659 + cnode = (struct ubifs_cnode *)c->nroot; 1660 + 1661 + while (cnode) { 1662 + nnode = cnode->parent; 1663 + nn = (struct ubifs_nnode *)cnode; 1664 + if (cnode->level > 1) { 1665 + while (iip < UBIFS_LPT_FANOUT) { 1666 + if (nn->nbranch[iip].lnum == 0) { 1667 + /* Go right */ 1668 + iip++; 1669 + continue; 1670 + } 1671 + 1672 + nnode = ubifs_get_nnode(c, nn, iip); 1673 + if (IS_ERR(nnode)) { 1674 + err = PTR_ERR(nnode); 1675 + goto out; 1676 + } 1677 + 1678 + /* Go down */ 1679 + iip = 0; 1680 + cnode = (struct ubifs_cnode *)nnode; 1681 + break; 1682 + } 1683 + if (iip < UBIFS_LPT_FANOUT) 1684 + continue; 1685 + } else { 1686 + struct ubifs_pnode *pnode; 1687 + 1688 + for (i = 0; i < UBIFS_LPT_FANOUT; i++) { 1689 + if (nn->nbranch[i].lnum == 0) 1690 + continue; 1691 + pnode = ubifs_get_pnode(c, nn, i); 1692 + if (IS_ERR(pnode)) { 1693 + err = PTR_ERR(pnode); 1694 + goto out; 1695 + } 1696 + 1697 + ubifs_pack_pnode(c, buf, pnode); 1698 + err = ubifs_shash_update(c, desc, buf, 1699 + c->pnode_sz); 1700 + if (err) 1701 + goto out; 1702 + } 1703 + } 1704 + /* Go up and to the right */ 1705 + iip = cnode->iip + 1; 1706 + cnode = (struct ubifs_cnode *)nnode; 1707 + } 1708 + 1709 + err = ubifs_shash_final(c, desc, hash); 1710 + out: 1711 + kfree(desc); 1712 + kfree(buf); 1713 + 1714 + return err; 1715 + } 1716 + 1717 + /** 1718 + * lpt_check_hash - check the hash of the LPT. 1719 + * @c: UBIFS file-system description object 1720 + * 1721 + * This function calculates a hash over all pnodes in the LPT and compares it with 1722 + * the hash stored in the master node. Returns %0 on success and a negative error 1723 + * code on failure. 1724 + */ 1725 + static int lpt_check_hash(struct ubifs_info *c) 1726 + { 1727 + int err; 1728 + u8 hash[UBIFS_HASH_ARR_SZ]; 1729 + 1730 + if (!ubifs_authenticated(c)) 1731 + return 0; 1732 + 1733 + err = ubifs_lpt_calc_hash(c, hash); 1734 + if (err) 1735 + return err; 1736 + 1737 + if (ubifs_check_hash(c, c->mst_node->hash_lpt, hash)) { 1738 + err = -EPERM; 1739 + ubifs_err(c, "Failed to authenticate LPT"); 1740 + } else { 1741 + err = 0; 1742 + } 1743 + 1744 + return err; 1745 + } 1746 + 1747 + /** 1658 1748 * lpt_init_rd - initialize the LPT for reading. 1659 1749 * @c: UBIFS file-system description object 1660 1750 * ··· 1817 1657 c->dirty_idx.max_cnt = LPT_HEAP_SZ; 1818 1658 1819 1659 err = read_ltab(c); 1660 + if (err) 1661 + return err; 1662 + 1663 + err = lpt_check_hash(c); 1820 1664 if (err) 1821 1665 return err; 1822 1666
+8 -36
fs/ubifs/lpt_commit.c
··· 619 619 } 620 620 621 621 /** 622 - * pnode_lookup - lookup a pnode in the LPT. 623 - * @c: UBIFS file-system description object 624 - * @i: pnode number (0 to (main_lebs - 1) / UBIFS_LPT_FANOUT)) 625 - * 626 - * This function returns a pointer to the pnode on success or a negative 627 - * error code on failure. 628 - */ 629 - static struct ubifs_pnode *pnode_lookup(struct ubifs_info *c, int i) 630 - { 631 - int err, h, iip, shft; 632 - struct ubifs_nnode *nnode; 633 - 634 - if (!c->nroot) { 635 - err = ubifs_read_nnode(c, NULL, 0); 636 - if (err) 637 - return ERR_PTR(err); 638 - } 639 - i <<= UBIFS_LPT_FANOUT_SHIFT; 640 - nnode = c->nroot; 641 - shft = c->lpt_hght * UBIFS_LPT_FANOUT_SHIFT; 642 - for (h = 1; h < c->lpt_hght; h++) { 643 - iip = ((i >> shft) & (UBIFS_LPT_FANOUT - 1)); 644 - shft -= UBIFS_LPT_FANOUT_SHIFT; 645 - nnode = ubifs_get_nnode(c, nnode, iip); 646 - if (IS_ERR(nnode)) 647 - return ERR_CAST(nnode); 648 - } 649 - iip = ((i >> shft) & (UBIFS_LPT_FANOUT - 1)); 650 - return ubifs_get_pnode(c, nnode, iip); 651 - } 652 - 653 - /** 654 622 * add_pnode_dirt - add dirty space to LPT LEB properties. 655 623 * @c: UBIFS file-system description object 656 624 * @pnode: pnode for which to add dirt ··· 670 702 { 671 703 struct ubifs_pnode *pnode; 672 704 673 - pnode = pnode_lookup(c, 0); 705 + pnode = ubifs_pnode_lookup(c, 0); 674 706 if (IS_ERR(pnode)) 675 707 return PTR_ERR(pnode); 676 708 ··· 924 956 struct ubifs_pnode *pnode; 925 957 struct ubifs_nbranch *branch; 926 958 927 - pnode = pnode_lookup(c, node_num); 959 + pnode = ubifs_pnode_lookup(c, node_num); 928 960 if (IS_ERR(pnode)) 929 961 return PTR_ERR(pnode); 930 962 branch = &pnode->parent->nbranch[pnode->iip]; ··· 1247 1279 if (err) 1248 1280 goto out; 1249 1281 1282 + err = ubifs_lpt_calc_hash(c, c->mst_node->hash_lpt); 1283 + if (err) 1284 + goto out; 1285 + 1250 1286 /* Copy the LPT's own lprops for end commit to write */ 1251 1287 memcpy(c->ltab_cmt, c->ltab, 1252 1288 sizeof(struct ubifs_lpt_lprops) * c->lpt_lebs); ··· 1530 1558 struct ubifs_nbranch *branch; 1531 1559 1532 1560 cond_resched(); 1533 - pnode = pnode_lookup(c, i); 1561 + pnode = ubifs_pnode_lookup(c, i); 1534 1562 if (IS_ERR(pnode)) 1535 1563 return PTR_ERR(pnode); 1536 1564 branch = &pnode->parent->nbranch[pnode->iip]; ··· 1682 1710 for (i = 0; i < cnt; i++) { 1683 1711 struct ubifs_pnode *pnode; 1684 1712 1685 - pnode = pnode_lookup(c, i); 1713 + pnode = ubifs_pnode_lookup(c, i); 1686 1714 if (IS_ERR(pnode)) 1687 1715 return PTR_ERR(pnode); 1688 1716 cond_resched();
+58 -6
fs/ubifs/master.c
··· 25 25 #include "ubifs.h" 26 26 27 27 /** 28 + * ubifs_compare_master_node - compare two UBIFS master nodes 29 + * @c: UBIFS file-system description object 30 + * @m1: the first node 31 + * @m2: the second node 32 + * 33 + * This function compares two UBIFS master nodes. Returns 0 if they are equal 34 + * and nonzero if not. 35 + */ 36 + int ubifs_compare_master_node(struct ubifs_info *c, void *m1, void *m2) 37 + { 38 + int ret; 39 + int behind; 40 + int hmac_offs = offsetof(struct ubifs_mst_node, hmac); 41 + 42 + /* 43 + * Do not compare the common node header since the sequence number and 44 + * hence the CRC are different. 45 + */ 46 + ret = memcmp(m1 + UBIFS_CH_SZ, m2 + UBIFS_CH_SZ, 47 + hmac_offs - UBIFS_CH_SZ); 48 + if (ret) 49 + return ret; 50 + 51 + /* 52 + * Do not compare the embedded HMAC aswell which also must be different 53 + * due to the different common node header. 54 + */ 55 + behind = hmac_offs + UBIFS_MAX_HMAC_LEN; 56 + 57 + if (UBIFS_MST_NODE_SZ > behind) 58 + return memcmp(m1 + behind, m2 + behind, UBIFS_MST_NODE_SZ - behind); 59 + 60 + return 0; 61 + } 62 + 63 + /** 28 64 * scan_for_master - search the valid master node. 29 65 * @c: UBIFS file-system description object 30 66 * ··· 73 37 { 74 38 struct ubifs_scan_leb *sleb; 75 39 struct ubifs_scan_node *snod; 76 - int lnum, offs = 0, nodes_cnt; 40 + int lnum, offs = 0, nodes_cnt, err; 77 41 78 42 lnum = UBIFS_MST_LNUM; 79 43 ··· 105 69 goto out_dump; 106 70 if (snod->offs != offs) 107 71 goto out; 108 - if (memcmp((void *)c->mst_node + UBIFS_CH_SZ, 109 - (void *)snod->node + UBIFS_CH_SZ, 110 - UBIFS_MST_NODE_SZ - UBIFS_CH_SZ)) 72 + if (ubifs_compare_master_node(c, c->mst_node, snod->node)) 111 73 goto out; 74 + 112 75 c->mst_offs = offs; 113 76 ubifs_scan_destroy(sleb); 77 + 78 + if (!ubifs_authenticated(c)) 79 + return 0; 80 + 81 + err = ubifs_node_verify_hmac(c, c->mst_node, 82 + sizeof(struct ubifs_mst_node), 83 + offsetof(struct ubifs_mst_node, hmac)); 84 + if (err) { 85 + ubifs_err(c, "Failed to verify master node HMAC"); 86 + return -EPERM; 87 + } 88 + 114 89 return 0; 115 90 116 91 out: ··· 352 305 c->lst.total_dead = le64_to_cpu(c->mst_node->total_dead); 353 306 c->lst.total_dark = le64_to_cpu(c->mst_node->total_dark); 354 307 308 + ubifs_copy_hash(c, c->mst_node->hash_root_idx, c->zroot.hash); 309 + 355 310 c->calc_idx_sz = c->bi.old_idx_sz; 356 311 357 312 if (c->mst_node->flags & cpu_to_le32(UBIFS_MST_NO_ORPHS)) ··· 427 378 c->mst_offs = offs; 428 379 c->mst_node->highest_inum = cpu_to_le64(c->highest_inum); 429 380 430 - err = ubifs_write_node(c, c->mst_node, len, lnum, offs); 381 + ubifs_copy_hash(c, c->zroot.hash, c->mst_node->hash_root_idx); 382 + err = ubifs_write_node_hmac(c, c->mst_node, len, lnum, offs, 383 + offsetof(struct ubifs_mst_node, hmac)); 431 384 if (err) 432 385 return err; 433 386 ··· 440 389 if (err) 441 390 return err; 442 391 } 443 - err = ubifs_write_node(c, c->mst_node, len, lnum, offs); 392 + err = ubifs_write_node_hmac(c, c->mst_node, len, lnum, offs, 393 + offsetof(struct ubifs_mst_node, hmac)); 444 394 445 395 return err; 446 396 }
+3 -2
fs/ubifs/misc.h
··· 197 197 */ 198 198 static inline int ubifs_idx_node_sz(const struct ubifs_info *c, int child_cnt) 199 199 { 200 - return UBIFS_IDX_NODE_SZ + (UBIFS_BRANCH_SZ + c->key_len) * child_cnt; 200 + return UBIFS_IDX_NODE_SZ + (UBIFS_BRANCH_SZ + c->key_len + c->hash_len) 201 + * child_cnt; 201 202 } 202 203 203 204 /** ··· 213 212 int bnum) 214 213 { 215 214 return (struct ubifs_branch *)((void *)idx->branches + 216 - (UBIFS_BRANCH_SZ + c->key_len) * bnum); 215 + (UBIFS_BRANCH_SZ + c->key_len + c->hash_len) * bnum); 217 216 } 218 217 219 218 /**
+86 -30
fs/ubifs/recovery.c
··· 212 212 save_flags = mst->flags; 213 213 mst->flags |= cpu_to_le32(UBIFS_MST_RCVRY); 214 214 215 - ubifs_prepare_node(c, mst, UBIFS_MST_NODE_SZ, 1); 215 + err = ubifs_prepare_node_hmac(c, mst, UBIFS_MST_NODE_SZ, 216 + offsetof(struct ubifs_mst_node, hmac), 1); 217 + if (err) 218 + goto out; 216 219 err = ubifs_leb_change(c, lnum, mst, sz); 217 220 if (err) 218 221 goto out; ··· 267 264 offs2 = (void *)mst2 - buf2; 268 265 if (offs1 == offs2) { 269 266 /* Same offset, so must be the same */ 270 - if (memcmp((void *)mst1 + UBIFS_CH_SZ, 271 - (void *)mst2 + UBIFS_CH_SZ, 272 - UBIFS_MST_NODE_SZ - UBIFS_CH_SZ)) 267 + if (ubifs_compare_master_node(c, mst1, mst2)) 273 268 goto out_err; 274 269 mst = mst1; 275 270 } else if (offs2 + sz == offs1) { ··· 1463 1462 } 1464 1463 1465 1464 /** 1465 + * inode_fix_size - fix inode size 1466 + * @c: UBIFS file-system description object 1467 + * @e: inode size information for recovery 1468 + */ 1469 + static int inode_fix_size(struct ubifs_info *c, struct size_entry *e) 1470 + { 1471 + struct inode *inode; 1472 + struct ubifs_inode *ui; 1473 + int err; 1474 + 1475 + if (c->ro_mount) 1476 + ubifs_assert(c, !e->inode); 1477 + 1478 + if (e->inode) { 1479 + /* Remounting rw, pick up inode we stored earlier */ 1480 + inode = e->inode; 1481 + } else { 1482 + inode = ubifs_iget(c->vfs_sb, e->inum); 1483 + if (IS_ERR(inode)) 1484 + return PTR_ERR(inode); 1485 + 1486 + if (inode->i_size >= e->d_size) { 1487 + /* 1488 + * The original inode in the index already has a size 1489 + * big enough, nothing to do 1490 + */ 1491 + iput(inode); 1492 + return 0; 1493 + } 1494 + 1495 + dbg_rcvry("ino %lu size %lld -> %lld", 1496 + (unsigned long)e->inum, 1497 + inode->i_size, e->d_size); 1498 + 1499 + ui = ubifs_inode(inode); 1500 + 1501 + inode->i_size = e->d_size; 1502 + ui->ui_size = e->d_size; 1503 + ui->synced_i_size = e->d_size; 1504 + 1505 + e->inode = inode; 1506 + } 1507 + 1508 + /* 1509 + * In readonly mode just keep the inode pinned in memory until we go 1510 + * readwrite. In readwrite mode write the inode to the journal with the 1511 + * fixed size. 1512 + */ 1513 + if (c->ro_mount) 1514 + return 0; 1515 + 1516 + err = ubifs_jnl_write_inode(c, inode); 1517 + 1518 + iput(inode); 1519 + 1520 + if (err) 1521 + return err; 1522 + 1523 + rb_erase(&e->rb, &c->size_tree); 1524 + kfree(e); 1525 + 1526 + return 0; 1527 + } 1528 + 1529 + /** 1466 1530 * ubifs_recover_size - recover inode size. 1467 1531 * @c: UBIFS file-system description object 1532 + * @in_place: If true, do a in-place size fixup 1468 1533 * 1469 1534 * This function attempts to fix inode size discrepancies identified by the 1470 1535 * 'ubifs_recover_size_accum()' function. 1471 1536 * 1472 1537 * This functions returns %0 on success and a negative error code on failure. 1473 1538 */ 1474 - int ubifs_recover_size(struct ubifs_info *c) 1539 + int ubifs_recover_size(struct ubifs_info *c, bool in_place) 1475 1540 { 1476 1541 struct rb_node *this = rb_first(&c->size_tree); 1477 1542 ··· 1546 1479 int err; 1547 1480 1548 1481 e = rb_entry(this, struct size_entry, rb); 1482 + 1483 + this = rb_next(this); 1484 + 1549 1485 if (!e->exists) { 1550 1486 union ubifs_key key; 1551 1487 ··· 1572 1502 } 1573 1503 1574 1504 if (e->exists && e->i_size < e->d_size) { 1575 - if (c->ro_mount) { 1576 - /* Fix the inode size and pin it in memory */ 1577 - struct inode *inode; 1578 - struct ubifs_inode *ui; 1505 + ubifs_assert(c, !(c->ro_mount && in_place)); 1579 1506 1580 - ubifs_assert(c, !e->inode); 1507 + /* 1508 + * We found data that is outside the found inode size, 1509 + * fixup the inode size 1510 + */ 1581 1511 1582 - inode = ubifs_iget(c->vfs_sb, e->inum); 1583 - if (IS_ERR(inode)) 1584 - return PTR_ERR(inode); 1585 - 1586 - ui = ubifs_inode(inode); 1587 - if (inode->i_size < e->d_size) { 1588 - dbg_rcvry("ino %lu size %lld -> %lld", 1589 - (unsigned long)e->inum, 1590 - inode->i_size, e->d_size); 1591 - inode->i_size = e->d_size; 1592 - ui->ui_size = e->d_size; 1593 - ui->synced_i_size = e->d_size; 1594 - e->inode = inode; 1595 - this = rb_next(this); 1596 - continue; 1597 - } 1598 - iput(inode); 1599 - } else { 1600 - /* Fix the size in place */ 1512 + if (in_place) { 1601 1513 err = fix_size_in_place(c, e); 1602 1514 if (err) 1603 1515 return err; 1604 1516 iput(e->inode); 1517 + } else { 1518 + err = inode_fix_size(c, e); 1519 + if (err) 1520 + return err; 1521 + continue; 1605 1522 } 1606 1523 } 1607 1524 1608 - this = rb_next(this); 1609 1525 rb_erase(&e->rb, &c->size_tree); 1610 1526 kfree(e); 1611 1527 }
+164 -13
fs/ubifs/replay.c
··· 34 34 35 35 #include "ubifs.h" 36 36 #include <linux/list_sort.h> 37 + #include <crypto/hash.h> 38 + #include <crypto/algapi.h> 37 39 38 40 /** 39 41 * struct replay_entry - replay list entry. ··· 58 56 int lnum; 59 57 int offs; 60 58 int len; 59 + u8 hash[UBIFS_HASH_ARR_SZ]; 61 60 unsigned int deletion:1; 62 61 unsigned long long sqnum; 63 62 struct list_head list; ··· 231 228 err = ubifs_tnc_remove_nm(c, &r->key, &r->nm); 232 229 else 233 230 err = ubifs_tnc_add_nm(c, &r->key, r->lnum, r->offs, 234 - r->len, &r->nm); 231 + r->len, r->hash, &r->nm); 235 232 } else { 236 233 if (r->deletion) 237 234 switch (key_type(c, &r->key)) { ··· 251 248 } 252 249 else 253 250 err = ubifs_tnc_add(c, &r->key, r->lnum, r->offs, 254 - r->len); 251 + r->len, r->hash); 255 252 if (err) 256 253 return err; 257 254 ··· 355 352 * in case of success and a negative error code in case of failure. 356 353 */ 357 354 static int insert_node(struct ubifs_info *c, int lnum, int offs, int len, 358 - union ubifs_key *key, unsigned long long sqnum, 359 - int deletion, int *used, loff_t old_size, 360 - loff_t new_size) 355 + const u8 *hash, union ubifs_key *key, 356 + unsigned long long sqnum, int deletion, int *used, 357 + loff_t old_size, loff_t new_size) 361 358 { 362 359 struct replay_entry *r; 363 360 ··· 375 372 r->lnum = lnum; 376 373 r->offs = offs; 377 374 r->len = len; 375 + ubifs_copy_hash(c, hash, r->hash); 378 376 r->deletion = !!deletion; 379 377 r->sqnum = sqnum; 380 378 key_copy(c, key, &r->key); ··· 404 400 * negative error code in case of failure. 405 401 */ 406 402 static int insert_dent(struct ubifs_info *c, int lnum, int offs, int len, 407 - union ubifs_key *key, const char *name, int nlen, 408 - unsigned long long sqnum, int deletion, int *used) 403 + const u8 *hash, union ubifs_key *key, 404 + const char *name, int nlen, unsigned long long sqnum, 405 + int deletion, int *used) 409 406 { 410 407 struct replay_entry *r; 411 408 char *nbuf; ··· 430 425 r->lnum = lnum; 431 426 r->offs = offs; 432 427 r->len = len; 428 + ubifs_copy_hash(c, hash, r->hash); 433 429 r->deletion = !!deletion; 434 430 r->sqnum = sqnum; 435 431 key_copy(c, key, &r->key); ··· 534 528 } 535 529 536 530 /** 531 + * authenticate_sleb - authenticate one scan LEB 532 + * @c: UBIFS file-system description object 533 + * @sleb: the scan LEB to authenticate 534 + * @log_hash: 535 + * @is_last: if true, this is is the last LEB 536 + * 537 + * This function iterates over the buds of a single LEB authenticating all buds 538 + * with the authentication nodes on this LEB. Authentication nodes are written 539 + * after some buds and contain a HMAC covering the authentication node itself 540 + * and the buds between the last authentication node and the current 541 + * authentication node. It can happen that the last buds cannot be authenticated 542 + * because a powercut happened when some nodes were written but not the 543 + * corresponding authentication node. This function returns the number of nodes 544 + * that could be authenticated or a negative error code. 545 + */ 546 + static int authenticate_sleb(struct ubifs_info *c, struct ubifs_scan_leb *sleb, 547 + struct shash_desc *log_hash, int is_last) 548 + { 549 + int n_not_auth = 0; 550 + struct ubifs_scan_node *snod; 551 + int n_nodes = 0; 552 + int err; 553 + u8 *hash, *hmac; 554 + 555 + if (!ubifs_authenticated(c)) 556 + return sleb->nodes_cnt; 557 + 558 + hash = kmalloc(crypto_shash_descsize(c->hash_tfm), GFP_NOFS); 559 + hmac = kmalloc(c->hmac_desc_len, GFP_NOFS); 560 + if (!hash || !hmac) { 561 + err = -ENOMEM; 562 + goto out; 563 + } 564 + 565 + list_for_each_entry(snod, &sleb->nodes, list) { 566 + 567 + n_nodes++; 568 + 569 + if (snod->type == UBIFS_AUTH_NODE) { 570 + struct ubifs_auth_node *auth = snod->node; 571 + SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm); 572 + SHASH_DESC_ON_STACK(hmac_desc, c->hmac_tfm); 573 + 574 + hash_desc->tfm = c->hash_tfm; 575 + hash_desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 576 + 577 + ubifs_shash_copy_state(c, log_hash, hash_desc); 578 + err = crypto_shash_final(hash_desc, hash); 579 + if (err) 580 + goto out; 581 + 582 + hmac_desc->tfm = c->hmac_tfm; 583 + hmac_desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 584 + err = crypto_shash_digest(hmac_desc, hash, c->hash_len, 585 + hmac); 586 + if (err) 587 + goto out; 588 + 589 + err = ubifs_check_hmac(c, auth->hmac, hmac); 590 + if (err) { 591 + err = -EPERM; 592 + goto out; 593 + } 594 + n_not_auth = 0; 595 + } else { 596 + err = crypto_shash_update(log_hash, snod->node, 597 + snod->len); 598 + if (err) 599 + goto out; 600 + n_not_auth++; 601 + } 602 + } 603 + 604 + /* 605 + * A powercut can happen when some nodes were written, but not yet 606 + * the corresponding authentication node. This may only happen on 607 + * the last bud though. 608 + */ 609 + if (n_not_auth) { 610 + if (is_last) { 611 + dbg_mnt("%d unauthenticated nodes found on LEB %d, Ignoring them", 612 + n_not_auth, sleb->lnum); 613 + err = 0; 614 + } else { 615 + dbg_mnt("%d unauthenticated nodes found on non-last LEB %d", 616 + n_not_auth, sleb->lnum); 617 + err = -EPERM; 618 + } 619 + } else { 620 + err = 0; 621 + } 622 + out: 623 + kfree(hash); 624 + kfree(hmac); 625 + 626 + return err ? err : n_nodes - n_not_auth; 627 + } 628 + 629 + /** 537 630 * replay_bud - replay a bud logical eraseblock. 538 631 * @c: UBIFS file-system description object 539 632 * @b: bud entry which describes the bud ··· 645 540 { 646 541 int is_last = is_last_bud(c, b->bud); 647 542 int err = 0, used = 0, lnum = b->bud->lnum, offs = b->bud->start; 543 + int n_nodes, n = 0; 648 544 struct ubifs_scan_leb *sleb; 649 545 struct ubifs_scan_node *snod; 650 546 ··· 664 558 sleb = ubifs_scan(c, lnum, offs, c->sbuf, 0); 665 559 if (IS_ERR(sleb)) 666 560 return PTR_ERR(sleb); 561 + 562 + n_nodes = authenticate_sleb(c, sleb, b->bud->log_hash, is_last); 563 + if (n_nodes < 0) { 564 + err = n_nodes; 565 + goto out; 566 + } 567 + 568 + ubifs_shash_copy_state(c, b->bud->log_hash, 569 + c->jheads[b->bud->jhead].log_hash); 667 570 668 571 /* 669 572 * The bud does not have to start from offset zero - the beginning of ··· 697 582 */ 698 583 699 584 list_for_each_entry(snod, &sleb->nodes, list) { 585 + u8 hash[UBIFS_HASH_ARR_SZ]; 700 586 int deletion = 0; 701 587 702 588 cond_resched(); ··· 706 590 ubifs_err(c, "file system's life ended"); 707 591 goto out_dump; 708 592 } 593 + 594 + ubifs_node_calc_hash(c, snod->node, hash); 709 595 710 596 if (snod->sqnum > c->max_sqnum) 711 597 c->max_sqnum = snod->sqnum; ··· 720 602 721 603 if (le32_to_cpu(ino->nlink) == 0) 722 604 deletion = 1; 723 - err = insert_node(c, lnum, snod->offs, snod->len, 605 + err = insert_node(c, lnum, snod->offs, snod->len, hash, 724 606 &snod->key, snod->sqnum, deletion, 725 607 &used, 0, new_size); 726 608 break; ··· 732 614 key_block(c, &snod->key) * 733 615 UBIFS_BLOCK_SIZE; 734 616 735 - err = insert_node(c, lnum, snod->offs, snod->len, 617 + err = insert_node(c, lnum, snod->offs, snod->len, hash, 736 618 &snod->key, snod->sqnum, deletion, 737 619 &used, 0, new_size); 738 620 break; ··· 746 628 if (err) 747 629 goto out_dump; 748 630 749 - err = insert_dent(c, lnum, snod->offs, snod->len, 631 + err = insert_dent(c, lnum, snod->offs, snod->len, hash, 750 632 &snod->key, dent->name, 751 633 le16_to_cpu(dent->nlen), snod->sqnum, 752 634 !le64_to_cpu(dent->inum), &used); ··· 772 654 * functions which expect nodes to have keys. 773 655 */ 774 656 trun_key_init(c, &key, le32_to_cpu(trun->inum)); 775 - err = insert_node(c, lnum, snod->offs, snod->len, 657 + err = insert_node(c, lnum, snod->offs, snod->len, hash, 776 658 &key, snod->sqnum, 1, &used, 777 659 old_size, new_size); 778 660 break; 779 661 } 662 + case UBIFS_AUTH_NODE: 663 + break; 780 664 default: 781 665 ubifs_err(c, "unexpected node type %d in bud LEB %d:%d", 782 666 snod->type, lnum, snod->offs); ··· 787 667 } 788 668 if (err) 789 669 goto out; 670 + 671 + n++; 672 + if (n == n_nodes) 673 + break; 790 674 } 791 675 792 676 ubifs_assert(c, ubifs_search_bud(c, lnum)); ··· 869 745 { 870 746 struct ubifs_bud *bud; 871 747 struct bud_entry *b; 748 + int err; 872 749 873 750 dbg_mnt("add replay bud LEB %d:%d, head %d", lnum, offs, jhead); 874 751 ··· 879 754 880 755 b = kmalloc(sizeof(struct bud_entry), GFP_KERNEL); 881 756 if (!b) { 882 - kfree(bud); 883 - return -ENOMEM; 757 + err = -ENOMEM; 758 + goto out; 884 759 } 885 760 886 761 bud->lnum = lnum; 887 762 bud->start = offs; 888 763 bud->jhead = jhead; 764 + bud->log_hash = ubifs_hash_get_desc(c); 765 + if (IS_ERR(bud->log_hash)) { 766 + err = PTR_ERR(bud->log_hash); 767 + goto out; 768 + } 769 + 770 + ubifs_shash_copy_state(c, c->log_hash, bud->log_hash); 771 + 889 772 ubifs_add_bud(c, bud); 890 773 891 774 b->bud = bud; ··· 901 768 list_add_tail(&b->list, &c->replay_buds); 902 769 903 770 return 0; 771 + out: 772 + kfree(bud); 773 + kfree(b); 774 + 775 + return err; 904 776 } 905 777 906 778 /** ··· 1011 873 1012 874 c->cs_sqnum = le64_to_cpu(node->ch.sqnum); 1013 875 dbg_mnt("commit start sqnum %llu", c->cs_sqnum); 876 + 877 + err = ubifs_shash_init(c, c->log_hash); 878 + if (err) 879 + goto out; 880 + 881 + err = ubifs_shash_update(c, c->log_hash, node, UBIFS_CS_NODE_SZ); 882 + if (err < 0) 883 + goto out; 1014 884 } 1015 885 1016 886 if (snod->sqnum < c->cs_sqnum) { ··· 1065 919 break; /* Already have this bud */ 1066 920 if (err) 1067 921 goto out_dump; 922 + 923 + err = ubifs_shash_update(c, c->log_hash, ref, 924 + UBIFS_REF_NODE_SZ); 925 + if (err) 926 + goto out; 1068 927 1069 928 err = add_replay_bud(c, le32_to_cpu(ref->lnum), 1070 929 le32_to_cpu(ref->offs),
+145 -66
fs/ubifs/sb.c
··· 82 82 int err, tmp, jnl_lebs, log_lebs, max_buds, main_lebs, main_first; 83 83 int lpt_lebs, lpt_first, orph_lebs, big_lpt, ino_waste, sup_flags = 0; 84 84 int min_leb_cnt = UBIFS_MIN_LEB_CNT; 85 + int idx_node_size; 85 86 long long tmp64, main_bytes; 86 87 __le64 tmp_le64; 87 88 __le32 tmp_le32; 88 89 struct timespec64 ts; 90 + u8 hash[UBIFS_HASH_ARR_SZ]; 91 + u8 hash_lpt[UBIFS_HASH_ARR_SZ]; 89 92 90 93 /* Some functions called from here depend on the @c->key_len filed */ 91 94 c->key_len = UBIFS_SK_LEN; ··· 150 147 c->lsave_cnt = DEFAULT_LSAVE_CNT; 151 148 c->max_leb_cnt = c->leb_cnt; 152 149 err = ubifs_create_dflt_lpt(c, &main_lebs, lpt_first, &lpt_lebs, 153 - &big_lpt); 150 + &big_lpt, hash_lpt); 154 151 if (err) 155 152 return err; 156 153 ··· 159 156 160 157 main_first = c->leb_cnt - main_lebs; 161 158 159 + sup = kzalloc(ALIGN(UBIFS_SB_NODE_SZ, c->min_io_size), GFP_KERNEL); 160 + mst = kzalloc(c->mst_node_alsz, GFP_KERNEL); 161 + idx_node_size = ubifs_idx_node_sz(c, 1); 162 + idx = kzalloc(ALIGN(tmp, c->min_io_size), GFP_KERNEL); 163 + ino = kzalloc(ALIGN(UBIFS_INO_NODE_SZ, c->min_io_size), GFP_KERNEL); 164 + cs = kzalloc(ALIGN(UBIFS_CS_NODE_SZ, c->min_io_size), GFP_KERNEL); 165 + 166 + if (!sup || !mst || !idx || !ino || !cs) { 167 + err = -ENOMEM; 168 + goto out; 169 + } 170 + 162 171 /* Create default superblock */ 163 - tmp = ALIGN(UBIFS_SB_NODE_SZ, c->min_io_size); 164 - sup = kzalloc(tmp, GFP_KERNEL); 165 - if (!sup) 166 - return -ENOMEM; 167 172 168 173 tmp64 = (long long)max_buds * c->leb_size; 169 174 if (big_lpt) 170 175 sup_flags |= UBIFS_FLG_BIGLPT; 171 176 sup_flags |= UBIFS_FLG_DOUBLE_HASH; 177 + 178 + if (ubifs_authenticated(c)) { 179 + sup_flags |= UBIFS_FLG_AUTHENTICATION; 180 + sup->hash_algo = cpu_to_le16(c->auth_hash_algo); 181 + err = ubifs_hmac_wkm(c, sup->hmac_wkm); 182 + if (err) 183 + goto out; 184 + } else { 185 + sup->hash_algo = 0xffff; 186 + } 172 187 173 188 sup->ch.node_type = UBIFS_SB_NODE; 174 189 sup->key_hash = UBIFS_KEY_HASH_R5; ··· 218 197 sup->rp_size = cpu_to_le64(tmp64); 219 198 sup->ro_compat_version = cpu_to_le32(UBIFS_RO_COMPAT_VERSION); 220 199 221 - err = ubifs_write_node(c, sup, UBIFS_SB_NODE_SZ, 0, 0); 222 - kfree(sup); 223 - if (err) 224 - return err; 225 - 226 200 dbg_gen("default superblock created at LEB 0:0"); 227 201 228 202 /* Create default master node */ 229 - mst = kzalloc(c->mst_node_alsz, GFP_KERNEL); 230 - if (!mst) 231 - return -ENOMEM; 232 203 233 204 mst->ch.node_type = UBIFS_MST_NODE; 234 205 mst->log_lnum = cpu_to_le32(UBIFS_LOG_LNUM); ··· 246 233 mst->empty_lebs = cpu_to_le32(main_lebs - 2); 247 234 mst->idx_lebs = cpu_to_le32(1); 248 235 mst->leb_cnt = cpu_to_le32(c->leb_cnt); 236 + ubifs_copy_hash(c, hash_lpt, mst->hash_lpt); 249 237 250 238 /* Calculate lprops statistics */ 251 239 tmp64 = main_bytes; ··· 267 253 268 254 mst->total_used = cpu_to_le64(UBIFS_INO_NODE_SZ); 269 255 270 - err = ubifs_write_node(c, mst, UBIFS_MST_NODE_SZ, UBIFS_MST_LNUM, 0); 271 - if (err) { 272 - kfree(mst); 273 - return err; 274 - } 275 - err = ubifs_write_node(c, mst, UBIFS_MST_NODE_SZ, UBIFS_MST_LNUM + 1, 276 - 0); 277 - kfree(mst); 278 - if (err) 279 - return err; 280 - 281 256 dbg_gen("default master node created at LEB %d:0", UBIFS_MST_LNUM); 282 257 283 258 /* Create the root indexing node */ 284 - tmp = ubifs_idx_node_sz(c, 1); 285 - idx = kzalloc(ALIGN(tmp, c->min_io_size), GFP_KERNEL); 286 - if (!idx) 287 - return -ENOMEM; 288 259 289 260 c->key_fmt = UBIFS_SIMPLE_KEY_FMT; 290 261 c->key_hash = key_r5_hash; ··· 281 282 key_write_idx(c, &key, &br->key); 282 283 br->lnum = cpu_to_le32(main_first + DEFAULT_DATA_LEB); 283 284 br->len = cpu_to_le32(UBIFS_INO_NODE_SZ); 284 - err = ubifs_write_node(c, idx, tmp, main_first + DEFAULT_IDX_LEB, 0); 285 - kfree(idx); 286 - if (err) 287 - return err; 288 285 289 286 dbg_gen("default root indexing node created LEB %d:0", 290 287 main_first + DEFAULT_IDX_LEB); 291 288 292 289 /* Create default root inode */ 293 - tmp = ALIGN(UBIFS_INO_NODE_SZ, c->min_io_size); 294 - ino = kzalloc(tmp, GFP_KERNEL); 295 - if (!ino) 296 - return -ENOMEM; 297 290 298 291 ino_key_init_flash(c, &ino->key, UBIFS_ROOT_INO); 299 292 ino->ch.node_type = UBIFS_INO_NODE; ··· 308 317 /* Set compression enabled by default */ 309 318 ino->flags = cpu_to_le32(UBIFS_COMPR_FL); 310 319 311 - err = ubifs_write_node(c, ino, UBIFS_INO_NODE_SZ, 312 - main_first + DEFAULT_DATA_LEB, 0); 313 - kfree(ino); 314 - if (err) 315 - return err; 316 - 317 320 dbg_gen("root inode created at LEB %d:0", 318 321 main_first + DEFAULT_DATA_LEB); 319 322 ··· 316 331 * always the case during normal file-system operation. Write a fake 317 332 * commit start node to the log. 318 333 */ 319 - tmp = ALIGN(UBIFS_CS_NODE_SZ, c->min_io_size); 320 - cs = kzalloc(tmp, GFP_KERNEL); 321 - if (!cs) 322 - return -ENOMEM; 323 334 324 335 cs->ch.node_type = UBIFS_CS_NODE; 325 - err = ubifs_write_node(c, cs, UBIFS_CS_NODE_SZ, UBIFS_LOG_LNUM, 0); 326 - kfree(cs); 336 + 337 + err = ubifs_write_node_hmac(c, sup, UBIFS_SB_NODE_SZ, 0, 0, 338 + offsetof(struct ubifs_sb_node, hmac)); 327 339 if (err) 328 - return err; 340 + goto out; 341 + 342 + err = ubifs_write_node(c, ino, UBIFS_INO_NODE_SZ, 343 + main_first + DEFAULT_DATA_LEB, 0); 344 + if (err) 345 + goto out; 346 + 347 + ubifs_node_calc_hash(c, ino, hash); 348 + ubifs_copy_hash(c, hash, ubifs_branch_hash(c, br)); 349 + 350 + err = ubifs_write_node(c, idx, idx_node_size, main_first + DEFAULT_IDX_LEB, 0); 351 + if (err) 352 + goto out; 353 + 354 + ubifs_node_calc_hash(c, idx, hash); 355 + ubifs_copy_hash(c, hash, mst->hash_root_idx); 356 + 357 + err = ubifs_write_node_hmac(c, mst, UBIFS_MST_NODE_SZ, UBIFS_MST_LNUM, 0, 358 + offsetof(struct ubifs_mst_node, hmac)); 359 + if (err) 360 + goto out; 361 + 362 + err = ubifs_write_node_hmac(c, mst, UBIFS_MST_NODE_SZ, UBIFS_MST_LNUM + 1, 363 + 0, offsetof(struct ubifs_mst_node, hmac)); 364 + if (err) 365 + goto out; 366 + 367 + err = ubifs_write_node(c, cs, UBIFS_CS_NODE_SZ, UBIFS_LOG_LNUM, 0); 368 + if (err) 369 + goto out; 329 370 330 371 ubifs_msg(c, "default file-system created"); 331 - return 0; 372 + 373 + err = 0; 374 + out: 375 + kfree(sup); 376 + kfree(mst); 377 + kfree(idx); 378 + kfree(ino); 379 + kfree(cs); 380 + 381 + return err; 332 382 } 333 383 334 384 /** ··· 518 498 * code. Note, the user of this function is responsible of kfree()'ing the 519 499 * returned superblock buffer. 520 500 */ 521 - struct ubifs_sb_node *ubifs_read_sb_node(struct ubifs_info *c) 501 + static struct ubifs_sb_node *ubifs_read_sb_node(struct ubifs_info *c) 522 502 { 523 503 struct ubifs_sb_node *sup; 524 504 int err; ··· 537 517 return sup; 538 518 } 539 519 520 + static int authenticate_sb_node(struct ubifs_info *c, 521 + const struct ubifs_sb_node *sup) 522 + { 523 + unsigned int sup_flags = le32_to_cpu(sup->flags); 524 + u8 hmac_wkm[UBIFS_HMAC_ARR_SZ]; 525 + int authenticated = !!(sup_flags & UBIFS_FLG_AUTHENTICATION); 526 + int hash_algo; 527 + int err; 528 + 529 + if (c->authenticated && !authenticated) { 530 + ubifs_err(c, "authenticated FS forced, but found FS without authentication"); 531 + return -EINVAL; 532 + } 533 + 534 + if (!c->authenticated && authenticated) { 535 + ubifs_err(c, "authenticated FS found, but no key given"); 536 + return -EINVAL; 537 + } 538 + 539 + ubifs_msg(c, "Mounting in %sauthenticated mode", 540 + c->authenticated ? "" : "un"); 541 + 542 + if (!c->authenticated) 543 + return 0; 544 + 545 + if (!IS_ENABLED(CONFIG_UBIFS_FS_AUTHENTICATION)) 546 + return -EOPNOTSUPP; 547 + 548 + hash_algo = le16_to_cpu(sup->hash_algo); 549 + if (hash_algo >= HASH_ALGO__LAST) { 550 + ubifs_err(c, "superblock uses unknown hash algo %d", 551 + hash_algo); 552 + return -EINVAL; 553 + } 554 + 555 + if (strcmp(hash_algo_name[hash_algo], c->auth_hash_name)) { 556 + ubifs_err(c, "This filesystem uses %s for hashing," 557 + " but %s is specified", hash_algo_name[hash_algo], 558 + c->auth_hash_name); 559 + return -EINVAL; 560 + } 561 + 562 + err = ubifs_hmac_wkm(c, hmac_wkm); 563 + if (err) 564 + return err; 565 + 566 + if (ubifs_check_hmac(c, hmac_wkm, sup->hmac_wkm)) { 567 + ubifs_err(c, "provided key does not fit"); 568 + return -ENOKEY; 569 + } 570 + 571 + err = ubifs_node_verify_hmac(c, sup, sizeof(*sup), 572 + offsetof(struct ubifs_sb_node, hmac)); 573 + if (err) 574 + ubifs_err(c, "Failed to authenticate superblock: %d", err); 575 + 576 + return err; 577 + } 578 + 540 579 /** 541 580 * ubifs_write_sb_node - write superblock node. 542 581 * @c: UBIFS file-system description object ··· 606 527 int ubifs_write_sb_node(struct ubifs_info *c, struct ubifs_sb_node *sup) 607 528 { 608 529 int len = ALIGN(UBIFS_SB_NODE_SZ, c->min_io_size); 530 + int err; 609 531 610 - ubifs_prepare_node(c, sup, UBIFS_SB_NODE_SZ, 1); 532 + err = ubifs_prepare_node_hmac(c, sup, UBIFS_SB_NODE_SZ, 533 + offsetof(struct ubifs_sb_node, hmac), 1); 534 + if (err) 535 + return err; 536 + 611 537 return ubifs_leb_change(c, UBIFS_SB_LNUM, sup, len); 612 538 } 613 539 ··· 638 554 sup = ubifs_read_sb_node(c); 639 555 if (IS_ERR(sup)) 640 556 return PTR_ERR(sup); 557 + 558 + c->sup_node = sup; 641 559 642 560 c->fmt_version = le32_to_cpu(sup->fmt_version); 643 561 c->ro_compat_version = le32_to_cpu(sup->ro_compat_version); ··· 689 603 c->key_hash = key_test_hash; 690 604 c->key_hash_type = UBIFS_KEY_HASH_TEST; 691 605 break; 692 - }; 606 + } 693 607 694 608 c->key_fmt = sup->key_fmt; 695 609 ··· 725 639 c->space_fixup = !!(sup_flags & UBIFS_FLG_SPACE_FIXUP); 726 640 c->double_hash = !!(sup_flags & UBIFS_FLG_DOUBLE_HASH); 727 641 c->encrypted = !!(sup_flags & UBIFS_FLG_ENCRYPTION); 642 + 643 + err = authenticate_sb_node(c, sup); 644 + if (err) 645 + goto out; 728 646 729 647 if ((sup_flags & ~UBIFS_FLG_MASK) != 0) { 730 648 ubifs_err(c, "Unknown feature flags found: %#x", ··· 776 686 777 687 err = validate_sb(c, sup); 778 688 out: 779 - kfree(sup); 780 689 return err; 781 690 } 782 691 ··· 904 815 int ubifs_fixup_free_space(struct ubifs_info *c) 905 816 { 906 817 int err; 907 - struct ubifs_sb_node *sup; 818 + struct ubifs_sb_node *sup = c->sup_node; 908 819 909 820 ubifs_assert(c, c->space_fixup); 910 821 ubifs_assert(c, !c->ro_mount); ··· 915 826 if (err) 916 827 return err; 917 828 918 - sup = ubifs_read_sb_node(c); 919 - if (IS_ERR(sup)) 920 - return PTR_ERR(sup); 921 - 922 829 /* Free-space fixup is no longer required */ 923 830 c->space_fixup = 0; 924 831 sup->flags &= cpu_to_le32(~UBIFS_FLG_SPACE_FIXUP); 925 832 926 833 err = ubifs_write_sb_node(c, sup); 927 - kfree(sup); 928 834 if (err) 929 835 return err; 930 836 ··· 930 846 int ubifs_enable_encryption(struct ubifs_info *c) 931 847 { 932 848 int err; 933 - struct ubifs_sb_node *sup; 849 + struct ubifs_sb_node *sup = c->sup_node; 934 850 935 851 if (c->encrypted) 936 852 return 0; ··· 943 859 return -EINVAL; 944 860 } 945 861 946 - sup = ubifs_read_sb_node(c); 947 - if (IS_ERR(sup)) 948 - return PTR_ERR(sup); 949 - 950 862 sup->flags |= cpu_to_le32(UBIFS_FLG_ENCRYPTION); 951 863 952 864 err = ubifs_write_sb_node(c, sup); 953 865 if (!err) 954 866 c->encrypted = 1; 955 - kfree(sup); 956 867 957 868 return err; 958 869 }
+75 -16
fs/ubifs/super.c
··· 579 579 c->ranges[UBIFS_REF_NODE].len = UBIFS_REF_NODE_SZ; 580 580 c->ranges[UBIFS_TRUN_NODE].len = UBIFS_TRUN_NODE_SZ; 581 581 c->ranges[UBIFS_CS_NODE].len = UBIFS_CS_NODE_SZ; 582 + c->ranges[UBIFS_AUTH_NODE].min_len = UBIFS_AUTH_NODE_SZ; 583 + c->ranges[UBIFS_AUTH_NODE].max_len = UBIFS_AUTH_NODE_SZ + 584 + UBIFS_MAX_HMAC_LEN; 582 585 583 586 c->ranges[UBIFS_INO_NODE].min_len = UBIFS_INO_NODE_SZ; 584 587 c->ranges[UBIFS_INO_NODE].max_len = UBIFS_MAX_INO_NODE_SZ; ··· 819 816 c->jheads[i].wbuf.sync_callback = &bud_wbuf_callback; 820 817 c->jheads[i].wbuf.jhead = i; 821 818 c->jheads[i].grouped = 1; 819 + c->jheads[i].log_hash = ubifs_hash_get_desc(c); 820 + if (IS_ERR(c->jheads[i].log_hash)) 821 + goto out; 822 822 } 823 823 824 824 /* ··· 832 826 c->jheads[GCHD].grouped = 0; 833 827 834 828 return 0; 829 + 830 + out: 831 + while (i--) 832 + kfree(c->jheads[i].log_hash); 833 + 834 + return err; 835 835 } 836 836 837 837 /** ··· 852 840 for (i = 0; i < c->jhead_cnt; i++) { 853 841 kfree(c->jheads[i].wbuf.buf); 854 842 kfree(c->jheads[i].wbuf.inodes); 843 + kfree(c->jheads[i].log_hash); 855 844 } 856 845 kfree(c->jheads); 857 846 c->jheads = NULL; ··· 937 924 * Opt_no_chk_data_crc: do not check CRCs when reading data nodes 938 925 * Opt_override_compr: override default compressor 939 926 * Opt_assert: set ubifs_assert() action 927 + * Opt_auth_key: The key name used for authentication 928 + * Opt_auth_hash_name: The hash type used for authentication 940 929 * Opt_err: just end of array marker 941 930 */ 942 931 enum { ··· 950 935 Opt_no_chk_data_crc, 951 936 Opt_override_compr, 952 937 Opt_assert, 938 + Opt_auth_key, 939 + Opt_auth_hash_name, 953 940 Opt_ignore, 954 941 Opt_err, 955 942 }; ··· 964 947 {Opt_chk_data_crc, "chk_data_crc"}, 965 948 {Opt_no_chk_data_crc, "no_chk_data_crc"}, 966 949 {Opt_override_compr, "compr=%s"}, 950 + {Opt_auth_key, "auth_key=%s"}, 951 + {Opt_auth_hash_name, "auth_hash_name=%s"}, 967 952 {Opt_ignore, "ubi=%s"}, 968 953 {Opt_ignore, "vol=%s"}, 969 954 {Opt_assert, "assert=%s"}, ··· 1089 1070 kfree(act); 1090 1071 break; 1091 1072 } 1073 + case Opt_auth_key: 1074 + c->auth_key_name = kstrdup(args[0].from, GFP_KERNEL); 1075 + if (!c->auth_key_name) 1076 + return -ENOMEM; 1077 + break; 1078 + case Opt_auth_hash_name: 1079 + c->auth_hash_name = kstrdup(args[0].from, GFP_KERNEL); 1080 + if (!c->auth_hash_name) 1081 + return -ENOMEM; 1082 + break; 1092 1083 case Opt_ignore: 1093 1084 break; 1094 1085 default: ··· 1278 1249 1279 1250 c->mounting = 1; 1280 1251 1252 + if (c->auth_key_name) { 1253 + if (IS_ENABLED(CONFIG_UBIFS_FS_AUTHENTICATION)) { 1254 + err = ubifs_init_authentication(c); 1255 + if (err) 1256 + goto out_free; 1257 + } else { 1258 + ubifs_err(c, "auth_key_name, but UBIFS is built without" 1259 + " authentication support"); 1260 + err = -EINVAL; 1261 + goto out_free; 1262 + } 1263 + } 1264 + 1281 1265 err = ubifs_read_superblock(c); 1282 1266 if (err) 1283 1267 goto out_free; ··· 1409 1367 } 1410 1368 1411 1369 if (c->need_recovery) { 1412 - err = ubifs_recover_size(c); 1413 - if (err) 1414 - goto out_orphans; 1370 + if (!ubifs_authenticated(c)) { 1371 + err = ubifs_recover_size(c, true); 1372 + if (err) 1373 + goto out_orphans; 1374 + } 1375 + 1415 1376 err = ubifs_rcvry_gc_commit(c); 1416 1377 if (err) 1417 1378 goto out_orphans; 1379 + 1380 + if (ubifs_authenticated(c)) { 1381 + err = ubifs_recover_size(c, false); 1382 + if (err) 1383 + goto out_orphans; 1384 + } 1418 1385 } else { 1419 1386 err = take_gc_lnum(c); 1420 1387 if (err) ··· 1442 1391 if (err) 1443 1392 goto out_orphans; 1444 1393 } else if (c->need_recovery) { 1445 - err = ubifs_recover_size(c); 1394 + err = ubifs_recover_size(c, false); 1446 1395 if (err) 1447 1396 goto out_orphans; 1448 1397 } else { ··· 1608 1557 free_wbufs(c); 1609 1558 free_orphans(c); 1610 1559 ubifs_lpt_free(c, 0); 1560 + ubifs_exit_authentication(c); 1611 1561 1562 + kfree(c->auth_key_name); 1563 + kfree(c->auth_hash_name); 1612 1564 kfree(c->cbuf); 1613 1565 kfree(c->rcvrd_mst_node); 1614 1566 kfree(c->mst_node); ··· 1659 1605 goto out; 1660 1606 1661 1607 if (c->old_leb_cnt != c->leb_cnt) { 1662 - struct ubifs_sb_node *sup; 1608 + struct ubifs_sb_node *sup = c->sup_node; 1663 1609 1664 - sup = ubifs_read_sb_node(c); 1665 - if (IS_ERR(sup)) { 1666 - err = PTR_ERR(sup); 1667 - goto out; 1668 - } 1669 1610 sup->leb_cnt = cpu_to_le32(c->leb_cnt); 1670 1611 err = ubifs_write_sb_node(c, sup); 1671 - kfree(sup); 1672 1612 if (err) 1673 1613 goto out; 1674 1614 } ··· 1672 1624 err = ubifs_write_rcvrd_mst_node(c); 1673 1625 if (err) 1674 1626 goto out; 1675 - err = ubifs_recover_size(c); 1676 - if (err) 1677 - goto out; 1627 + if (!ubifs_authenticated(c)) { 1628 + err = ubifs_recover_size(c, true); 1629 + if (err) 1630 + goto out; 1631 + } 1678 1632 err = ubifs_clean_lebs(c, c->sbuf); 1679 1633 if (err) 1680 1634 goto out; ··· 1742 1692 goto out; 1743 1693 } 1744 1694 1745 - if (c->need_recovery) 1695 + if (c->need_recovery) { 1746 1696 err = ubifs_rcvry_gc_commit(c); 1747 - else 1697 + if (err) 1698 + goto out; 1699 + 1700 + if (ubifs_authenticated(c)) { 1701 + err = ubifs_recover_size(c, false); 1702 + if (err) 1703 + goto out; 1704 + } 1705 + } else { 1748 1706 err = ubifs_leb_unmap(c, c->gc_lnum); 1707 + } 1749 1708 if (err) 1750 1709 goto out; 1751 1710
+27 -9
fs/ubifs/tnc.c
··· 35 35 #include "ubifs.h" 36 36 37 37 static int try_read_node(const struct ubifs_info *c, void *buf, int type, 38 - int len, int lnum, int offs); 38 + struct ubifs_zbranch *zbr); 39 39 static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key, 40 40 struct ubifs_zbranch *zbr, void *node); 41 41 ··· 433 433 * @c: UBIFS file-system description object 434 434 * @buf: buffer to read to 435 435 * @type: node type 436 - * @len: node length (not aligned) 437 - * @lnum: LEB number of node to read 438 - * @offs: offset of node to read 436 + * @zbr: the zbranch describing the node to read 439 437 * 440 438 * This function tries to read a node of known type and length, checks it and 441 439 * stores it in @buf. This function returns %1 if a node is present and %0 if ··· 451 453 * journal nodes may potentially be corrupted, so checking is required. 452 454 */ 453 455 static int try_read_node(const struct ubifs_info *c, void *buf, int type, 454 - int len, int lnum, int offs) 456 + struct ubifs_zbranch *zbr) 455 457 { 458 + int len = zbr->len; 459 + int lnum = zbr->lnum; 460 + int offs = zbr->offs; 456 461 int err, node_len; 457 462 struct ubifs_ch *ch = buf; 458 463 uint32_t crc, node_crc; ··· 488 487 if (crc != node_crc) 489 488 return 0; 490 489 490 + err = ubifs_node_check_hash(c, buf, zbr->hash); 491 + if (err) { 492 + ubifs_bad_hash(c, buf, zbr->hash, lnum, offs); 493 + return 0; 494 + } 495 + 491 496 return 1; 492 497 } 493 498 ··· 514 507 515 508 dbg_tnck(key, "LEB %d:%d, key ", zbr->lnum, zbr->offs); 516 509 517 - ret = try_read_node(c, node, key_type(c, key), zbr->len, zbr->lnum, 518 - zbr->offs); 510 + ret = try_read_node(c, node, key_type(c, key), zbr); 519 511 if (ret == 1) { 520 512 union ubifs_key node_key; 521 513 struct ubifs_dent_node *dent = node; ··· 1719 1713 goto out; 1720 1714 } 1721 1715 1716 + err = ubifs_node_check_hash(c, buf, zbr->hash); 1717 + if (err) { 1718 + ubifs_bad_hash(c, buf, zbr->hash, zbr->lnum, zbr->offs); 1719 + return err; 1720 + } 1721 + 1722 1722 len = le32_to_cpu(ch->len); 1723 1723 if (len != zbr->len) { 1724 1724 ubifs_err(c, "bad node length %d, expected %d", len, zbr->len); ··· 2272 2260 * @lnum: LEB number of node 2273 2261 * @offs: node offset 2274 2262 * @len: node length 2263 + * @hash: The hash over the node 2275 2264 * 2276 2265 * This function adds a node with key @key to TNC. The node may be new or it may 2277 2266 * obsolete some existing one. Returns %0 on success or negative error code on 2278 2267 * failure. 2279 2268 */ 2280 2269 int ubifs_tnc_add(struct ubifs_info *c, const union ubifs_key *key, int lnum, 2281 - int offs, int len) 2270 + int offs, int len, const u8 *hash) 2282 2271 { 2283 2272 int found, n, err = 0; 2284 2273 struct ubifs_znode *znode; ··· 2294 2281 zbr.lnum = lnum; 2295 2282 zbr.offs = offs; 2296 2283 zbr.len = len; 2284 + ubifs_copy_hash(c, hash, zbr.hash); 2297 2285 key_copy(c, key, &zbr.key); 2298 2286 err = tnc_insert(c, znode, &zbr, n + 1); 2299 2287 } else if (found == 1) { ··· 2305 2291 zbr->lnum = lnum; 2306 2292 zbr->offs = offs; 2307 2293 zbr->len = len; 2294 + ubifs_copy_hash(c, hash, zbr->hash); 2308 2295 } else 2309 2296 err = found; 2310 2297 if (!err) ··· 2407 2392 * @lnum: LEB number of node 2408 2393 * @offs: node offset 2409 2394 * @len: node length 2395 + * @hash: The hash over the node 2410 2396 * @nm: node name 2411 2397 * 2412 2398 * This is the same as 'ubifs_tnc_add()' but it should be used with keys which 2413 2399 * may have collisions, like directory entry keys. 2414 2400 */ 2415 2401 int ubifs_tnc_add_nm(struct ubifs_info *c, const union ubifs_key *key, 2416 - int lnum, int offs, int len, 2402 + int lnum, int offs, int len, const u8 *hash, 2417 2403 const struct fscrypt_name *nm) 2418 2404 { 2419 2405 int found, n, err = 0; ··· 2457 2441 zbr->lnum = lnum; 2458 2442 zbr->offs = offs; 2459 2443 zbr->len = len; 2444 + ubifs_copy_hash(c, hash, zbr->hash); 2460 2445 goto out_unlock; 2461 2446 } 2462 2447 } ··· 2469 2452 zbr.lnum = lnum; 2470 2453 zbr.offs = offs; 2471 2454 zbr.len = len; 2455 + ubifs_copy_hash(c, hash, zbr.hash); 2472 2456 key_copy(c, key, &zbr.key); 2473 2457 err = tnc_insert(c, znode, &zbr, n + 1); 2474 2458 if (err)
+27
fs/ubifs/tnc_commit.c
··· 38 38 struct ubifs_znode *znode, int lnum, int offs, int len) 39 39 { 40 40 struct ubifs_znode *zp; 41 + u8 hash[UBIFS_HASH_ARR_SZ]; 41 42 int i, err; 42 43 43 44 /* Make index node */ ··· 53 52 br->lnum = cpu_to_le32(zbr->lnum); 54 53 br->offs = cpu_to_le32(zbr->offs); 55 54 br->len = cpu_to_le32(zbr->len); 55 + ubifs_copy_hash(c, zbr->hash, ubifs_branch_hash(c, br)); 56 56 if (!zbr->lnum || !zbr->len) { 57 57 ubifs_err(c, "bad ref in znode"); 58 58 ubifs_dump_znode(c, znode); ··· 64 62 } 65 63 } 66 64 ubifs_prepare_node(c, idx, len, 0); 65 + ubifs_node_calc_hash(c, idx, hash); 67 66 68 67 znode->lnum = lnum; 69 68 znode->offs = offs; ··· 81 78 zbr->lnum = lnum; 82 79 zbr->offs = offs; 83 80 zbr->len = len; 81 + ubifs_copy_hash(c, hash, zbr->hash); 84 82 } else { 85 83 c->zroot.lnum = lnum; 86 84 c->zroot.offs = offs; 87 85 c->zroot.len = len; 86 + ubifs_copy_hash(c, hash, c->zroot.hash); 88 87 } 89 88 c->calc_idx_sz += ALIGN(len, 8); 90 89 ··· 652 647 znode->cnext = c->cnext; 653 648 break; 654 649 } 650 + znode->cparent = znode->parent; 651 + znode->ciip = znode->iip; 655 652 znode->cnext = cnext; 656 653 znode = cnext; 657 654 cnt += 1; ··· 847 840 } 848 841 849 842 while (1) { 843 + u8 hash[UBIFS_HASH_ARR_SZ]; 844 + 850 845 cond_resched(); 851 846 852 847 znode = cnext; ··· 866 857 br->lnum = cpu_to_le32(zbr->lnum); 867 858 br->offs = cpu_to_le32(zbr->offs); 868 859 br->len = cpu_to_le32(zbr->len); 860 + ubifs_copy_hash(c, zbr->hash, ubifs_branch_hash(c, br)); 869 861 if (!zbr->lnum || !zbr->len) { 870 862 ubifs_err(c, "bad ref in znode"); 871 863 ubifs_dump_znode(c, znode); ··· 878 868 } 879 869 len = ubifs_idx_node_sz(c, znode->child_cnt); 880 870 ubifs_prepare_node(c, idx, len, 0); 871 + ubifs_node_calc_hash(c, idx, hash); 872 + 873 + mutex_lock(&c->tnc_mutex); 874 + 875 + if (znode->cparent) 876 + ubifs_copy_hash(c, hash, 877 + znode->cparent->zbranch[znode->ciip].hash); 878 + 879 + if (znode->parent) { 880 + if (!ubifs_zn_obsolete(znode)) 881 + ubifs_copy_hash(c, hash, 882 + znode->parent->zbranch[znode->iip].hash); 883 + } else { 884 + ubifs_copy_hash(c, hash, c->zroot.hash); 885 + } 886 + 887 + mutex_unlock(&c->tnc_mutex); 881 888 882 889 /* Determine the index node position */ 883 890 if (lnum == -1) {
+20 -6
fs/ubifs/tnc_misc.c
··· 265 265 /** 266 266 * read_znode - read an indexing node from flash and fill znode. 267 267 * @c: UBIFS file-system description object 268 - * @lnum: LEB of the indexing node to read 269 - * @offs: node offset 270 - * @len: node length 268 + * @zzbr: the zbranch describing the node to read 271 269 * @znode: znode to read to 272 270 * 273 271 * This function reads an indexing node from the flash media and fills znode ··· 274 276 * is wrong with it, this function prints complaint messages and returns 275 277 * %-EINVAL. 276 278 */ 277 - static int read_znode(struct ubifs_info *c, int lnum, int offs, int len, 279 + static int read_znode(struct ubifs_info *c, struct ubifs_zbranch *zzbr, 278 280 struct ubifs_znode *znode) 279 281 { 282 + int lnum = zzbr->lnum; 283 + int offs = zzbr->offs; 284 + int len = zzbr->len; 280 285 int i, err, type, cmp; 281 286 struct ubifs_idx_node *idx; 282 287 ··· 290 289 err = ubifs_read_node(c, idx, UBIFS_IDX_NODE, len, lnum, offs); 291 290 if (err < 0) { 292 291 kfree(idx); 292 + return err; 293 + } 294 + 295 + err = ubifs_node_check_hash(c, idx, zzbr->hash); 296 + if (err) { 297 + ubifs_bad_hash(c, idx, zzbr->hash, lnum, offs); 293 298 return err; 294 299 } 295 300 ··· 315 308 } 316 309 317 310 for (i = 0; i < znode->child_cnt; i++) { 318 - const struct ubifs_branch *br = ubifs_idx_branch(c, idx, i); 311 + struct ubifs_branch *br = ubifs_idx_branch(c, idx, i); 319 312 struct ubifs_zbranch *zbr = &znode->zbranch[i]; 320 313 321 314 key_read(c, &br->key, &zbr->key); 322 315 zbr->lnum = le32_to_cpu(br->lnum); 323 316 zbr->offs = le32_to_cpu(br->offs); 324 317 zbr->len = le32_to_cpu(br->len); 318 + ubifs_copy_hash(c, ubifs_branch_hash(c, br), zbr->hash); 325 319 zbr->znode = NULL; 326 320 327 321 /* Validate branch */ ··· 433 425 if (!znode) 434 426 return ERR_PTR(-ENOMEM); 435 427 436 - err = read_znode(c, zbr->lnum, zbr->offs, zbr->len, znode); 428 + err = read_znode(c, zbr, znode); 437 429 if (err) 438 430 goto out; 439 431 ··· 502 494 dbg_tnck(&key1, "but found node's key "); 503 495 ubifs_dump_node(c, node); 504 496 return -EINVAL; 497 + } 498 + 499 + err = ubifs_node_check_hash(c, node, zbr->hash); 500 + if (err) { 501 + ubifs_bad_hash(c, node, zbr->hash, zbr->lnum, zbr->offs); 502 + return err; 505 503 } 506 504 507 505 return 0;
+43 -3
fs/ubifs/ubifs-media.h
··· 286 286 #define UBIFS_IDX_NODE_SZ sizeof(struct ubifs_idx_node) 287 287 #define UBIFS_CS_NODE_SZ sizeof(struct ubifs_cs_node) 288 288 #define UBIFS_ORPH_NODE_SZ sizeof(struct ubifs_orph_node) 289 + #define UBIFS_AUTH_NODE_SZ sizeof(struct ubifs_auth_node) 289 290 /* Extended attribute entry nodes are identical to directory entry nodes */ 290 291 #define UBIFS_XENT_NODE_SZ UBIFS_DENT_NODE_SZ 291 292 /* Only this does not have to be multiple of 8 bytes */ ··· 300 299 301 300 /* The largest UBIFS node */ 302 301 #define UBIFS_MAX_NODE_SZ UBIFS_MAX_INO_NODE_SZ 302 + 303 + /* The maxmimum size of a hash, enough for sha512 */ 304 + #define UBIFS_MAX_HASH_LEN 64 305 + 306 + /* The maxmimum size of a hmac, enough for hmac(sha512) */ 307 + #define UBIFS_MAX_HMAC_LEN 64 303 308 304 309 /* 305 310 * xattr name of UBIFS encryption context, we don't use a prefix ··· 372 365 * UBIFS_IDX_NODE: index node 373 366 * UBIFS_CS_NODE: commit start node 374 367 * UBIFS_ORPH_NODE: orphan node 368 + * UBIFS_AUTH_NODE: authentication node 375 369 * UBIFS_NODE_TYPES_CNT: count of supported node types 376 370 * 377 371 * Note, we index arrays by these numbers, so keep them low and contiguous. ··· 392 384 UBIFS_IDX_NODE, 393 385 UBIFS_CS_NODE, 394 386 UBIFS_ORPH_NODE, 387 + UBIFS_AUTH_NODE, 395 388 UBIFS_NODE_TYPES_CNT, 396 389 }; 397 390 ··· 430 421 * UBIFS_FLG_DOUBLE_HASH: store a 32bit cookie in directory entry nodes to 431 422 * support 64bit cookies for lookups by hash 432 423 * UBIFS_FLG_ENCRYPTION: this filesystem contains encrypted files 424 + * UBIFS_FLG_AUTHENTICATION: this filesystem contains hashes for authentication 433 425 */ 434 426 enum { 435 427 UBIFS_FLG_BIGLPT = 0x02, 436 428 UBIFS_FLG_SPACE_FIXUP = 0x04, 437 429 UBIFS_FLG_DOUBLE_HASH = 0x08, 438 430 UBIFS_FLG_ENCRYPTION = 0x10, 431 + UBIFS_FLG_AUTHENTICATION = 0x20, 439 432 }; 440 433 441 - #define UBIFS_FLG_MASK (UBIFS_FLG_BIGLPT|UBIFS_FLG_SPACE_FIXUP|UBIFS_FLG_DOUBLE_HASH|UBIFS_FLG_ENCRYPTION) 434 + #define UBIFS_FLG_MASK (UBIFS_FLG_BIGLPT | UBIFS_FLG_SPACE_FIXUP | \ 435 + UBIFS_FLG_DOUBLE_HASH | UBIFS_FLG_ENCRYPTION | \ 436 + UBIFS_FLG_AUTHENTICATION) 442 437 443 438 /** 444 439 * struct ubifs_ch - common header node. ··· 646 633 * @time_gran: time granularity in nanoseconds 647 634 * @uuid: UUID generated when the file system image was created 648 635 * @ro_compat_version: UBIFS R/O compatibility version 636 + * @hmac: HMAC to authenticate the superblock node 637 + * @hmac_wkm: HMAC of a well known message (the string "UBIFS") as a convenience 638 + * to the user to check if the correct key is passed. 639 + * @hash_algo: The hash algo used for this filesystem (one of enum hash_algo) 649 640 */ 650 641 struct ubifs_sb_node { 651 642 struct ubifs_ch ch; ··· 677 660 __le32 time_gran; 678 661 __u8 uuid[16]; 679 662 __le32 ro_compat_version; 680 - __u8 padding2[3968]; 663 + __u8 hmac[UBIFS_MAX_HMAC_LEN]; 664 + __u8 hmac_wkm[UBIFS_MAX_HMAC_LEN]; 665 + __le16 hash_algo; 666 + __u8 padding2[3838]; 681 667 } __packed; 682 668 683 669 /** ··· 715 695 * @empty_lebs: number of empty logical eraseblocks 716 696 * @idx_lebs: number of indexing logical eraseblocks 717 697 * @leb_cnt: count of LEBs used by file-system 698 + * @hash_root_idx: the hash of the root index node 699 + * @hash_lpt: the hash of the LPT 700 + * @hmac: HMAC to authenticate the master node 718 701 * @padding: reserved for future, zeroes 719 702 */ 720 703 struct ubifs_mst_node { ··· 750 727 __le32 empty_lebs; 751 728 __le32 idx_lebs; 752 729 __le32 leb_cnt; 753 - __u8 padding[344]; 730 + __u8 hash_root_idx[UBIFS_MAX_HASH_LEN]; 731 + __u8 hash_lpt[UBIFS_MAX_HASH_LEN]; 732 + __u8 hmac[UBIFS_MAX_HMAC_LEN]; 733 + __u8 padding[152]; 754 734 } __packed; 755 735 756 736 /** ··· 773 747 } __packed; 774 748 775 749 /** 750 + * struct ubifs_auth_node - node for authenticating other nodes 751 + * @ch: common header 752 + * @hmac: The HMAC 753 + */ 754 + struct ubifs_auth_node { 755 + struct ubifs_ch ch; 756 + __u8 hmac[]; 757 + } __packed; 758 + 759 + /** 776 760 * struct ubifs_branch - key/reference/length branch 777 761 * @lnum: LEB number of the target node 778 762 * @offs: offset within @lnum 779 763 * @len: target node length 780 764 * @key: key 765 + * 766 + * In an authenticated UBIFS we have the hash of the referenced node after @key. 767 + * This can't be added to the struct type definition because @key is a 768 + * dynamically sized element already. 781 769 */ 782 770 struct ubifs_branch { 783 771 __le32 lnum;
+248 -5
fs/ubifs/ubifs.h
··· 39 39 #include <linux/security.h> 40 40 #include <linux/xattr.h> 41 41 #include <linux/random.h> 42 + #include <crypto/hash_info.h> 43 + #include <crypto/hash.h> 44 + #include <crypto/algapi.h> 42 45 43 46 #define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_UBIFS_FS_ENCRYPTION) 44 47 #include <linux/fscrypt.h> ··· 159 156 160 157 /* Maximum number of data nodes to bulk-read */ 161 158 #define UBIFS_MAX_BULK_READ 32 159 + 160 + #ifdef CONFIG_UBIFS_FS_AUTHENTICATION 161 + #define UBIFS_HASH_ARR_SZ UBIFS_MAX_HASH_LEN 162 + #define UBIFS_HMAC_ARR_SZ UBIFS_MAX_HMAC_LEN 163 + #else 164 + #define UBIFS_HASH_ARR_SZ 0 165 + #define UBIFS_HMAC_ARR_SZ 0 166 + #endif 162 167 163 168 /* 164 169 * Lockdep classes for UBIFS inode @ui_mutex. ··· 717 706 * @jhead: journal head number this bud belongs to 718 707 * @list: link in the list buds belonging to the same journal head 719 708 * @rb: link in the tree of all buds 709 + * @log_hash: the log hash from the commit start node up to this bud 720 710 */ 721 711 struct ubifs_bud { 722 712 int lnum; ··· 725 713 int jhead; 726 714 struct list_head list; 727 715 struct rb_node rb; 716 + struct shash_desc *log_hash; 728 717 }; 729 718 730 719 /** ··· 733 720 * @wbuf: head's write-buffer 734 721 * @buds_list: list of bud LEBs belonging to this journal head 735 722 * @grouped: non-zero if UBIFS groups nodes when writing to this journal head 723 + * @log_hash: the log hash from the commit start node up to this journal head 736 724 * 737 725 * Note, the @buds list is protected by the @c->buds_lock. 738 726 */ ··· 741 727 struct ubifs_wbuf wbuf; 742 728 struct list_head buds_list; 743 729 unsigned int grouped:1; 730 + struct shash_desc *log_hash; 744 731 }; 745 732 746 733 /** ··· 751 736 * @lnum: LEB number of the target node (indexing node or data node) 752 737 * @offs: target node offset within @lnum 753 738 * @len: target node length 739 + * @hash: the hash of the target node 754 740 */ 755 741 struct ubifs_zbranch { 756 742 union ubifs_key key; ··· 762 746 int lnum; 763 747 int offs; 764 748 int len; 749 + u8 hash[UBIFS_HASH_ARR_SZ]; 765 750 }; 766 751 767 752 /** 768 753 * struct ubifs_znode - in-memory representation of an indexing node. 769 754 * @parent: parent znode or NULL if it is the root 770 755 * @cnext: next znode to commit 756 + * @cparent: parent node for this commit 757 + * @ciip: index in cparent's zbranch array 771 758 * @flags: znode flags (%DIRTY_ZNODE, %COW_ZNODE or %OBSOLETE_ZNODE) 772 759 * @time: last access time (seconds) 773 760 * @level: level of the entry in the TNC tree ··· 788 769 struct ubifs_znode { 789 770 struct ubifs_znode *parent; 790 771 struct ubifs_znode *cnext; 772 + struct ubifs_znode *cparent; 773 + int ciip; 791 774 unsigned long flags; 792 775 time64_t time; 793 776 int level; ··· 1004 983 * struct ubifs_info - UBIFS file-system description data structure 1005 984 * (per-superblock). 1006 985 * @vfs_sb: VFS @struct super_block object 986 + * @sup_node: The super block node as read from the device 1007 987 * 1008 988 * @highest_inum: highest used inode number 1009 989 * @max_sqnum: current global sequence number ··· 1050 1028 * @default_compr: default compression algorithm (%UBIFS_COMPR_LZO, etc) 1051 1029 * @rw_incompat: the media is not R/W compatible 1052 1030 * @assert_action: action to take when a ubifs_assert() fails 1031 + * @authenticated: flag indigating the FS is mounted in authenticated mode 1053 1032 * 1054 1033 * @tnc_mutex: protects the Tree Node Cache (TNC), @zroot, @cnext, @enext, and 1055 1034 * @calc_idx_sz ··· 1098 1075 * @key_hash: direntry key hash function 1099 1076 * @key_fmt: key format 1100 1077 * @key_len: key length 1078 + * @hash_len: The length of the index node hashes 1101 1079 * @fanout: fanout of the index tree (number of links per indexing node) 1102 1080 * 1103 1081 * @min_io_size: minimal input/output unit size ··· 1234 1210 * @rp_uid: reserved pool user ID 1235 1211 * @rp_gid: reserved pool group ID 1236 1212 * 1213 + * @hash_tfm: the hash transformation used for hashing nodes 1214 + * @hmac_tfm: the HMAC transformation for this filesystem 1215 + * @hmac_desc_len: length of the HMAC used for authentication 1216 + * @auth_key_name: the authentication key name 1217 + * @auth_hash_name: the name of the hash algorithm used for authentication 1218 + * @auth_hash_algo: the authentication hash used for this fs 1219 + * @log_hash: the log hash from the commit start node up to the latest reference 1220 + * node. 1221 + * 1237 1222 * @empty: %1 if the UBI device is empty 1238 1223 * @need_recovery: %1 if the file-system needs recovery 1239 1224 * @replaying: %1 during journal replay ··· 1263 1230 */ 1264 1231 struct ubifs_info { 1265 1232 struct super_block *vfs_sb; 1233 + struct ubifs_sb_node *sup_node; 1266 1234 1267 1235 ino_t highest_inum; 1268 1236 unsigned long long max_sqnum; ··· 1304 1270 unsigned int default_compr:2; 1305 1271 unsigned int rw_incompat:1; 1306 1272 unsigned int assert_action:2; 1273 + unsigned int authenticated:1; 1307 1274 1308 1275 struct mutex tnc_mutex; 1309 1276 struct ubifs_zbranch zroot; ··· 1349 1314 uint32_t (*key_hash)(const char *str, int len); 1350 1315 int key_fmt; 1351 1316 int key_len; 1317 + int hash_len; 1352 1318 int fanout; 1353 1319 1354 1320 int min_io_size; ··· 1477 1441 kuid_t rp_uid; 1478 1442 kgid_t rp_gid; 1479 1443 1444 + struct crypto_shash *hash_tfm; 1445 + struct crypto_shash *hmac_tfm; 1446 + int hmac_desc_len; 1447 + char *auth_key_name; 1448 + char *auth_hash_name; 1449 + enum hash_algo auth_hash_algo; 1450 + 1451 + struct shash_desc *log_hash; 1452 + 1480 1453 /* The below fields are used only during mounting and re-mounting */ 1481 1454 unsigned int empty:1; 1482 1455 unsigned int need_recovery:1; ··· 1516 1471 extern const struct inode_operations ubifs_symlink_inode_operations; 1517 1472 extern struct ubifs_compressor *ubifs_compressors[UBIFS_COMPR_TYPES_CNT]; 1518 1473 1474 + /* auth.c */ 1475 + static inline int ubifs_authenticated(const struct ubifs_info *c) 1476 + { 1477 + return (IS_ENABLED(CONFIG_UBIFS_FS_AUTHENTICATION)) && c->authenticated; 1478 + } 1479 + 1480 + struct shash_desc *__ubifs_hash_get_desc(const struct ubifs_info *c); 1481 + static inline struct shash_desc *ubifs_hash_get_desc(const struct ubifs_info *c) 1482 + { 1483 + return ubifs_authenticated(c) ? __ubifs_hash_get_desc(c) : NULL; 1484 + } 1485 + 1486 + static inline int ubifs_shash_init(const struct ubifs_info *c, 1487 + struct shash_desc *desc) 1488 + { 1489 + if (ubifs_authenticated(c)) 1490 + return crypto_shash_init(desc); 1491 + else 1492 + return 0; 1493 + } 1494 + 1495 + static inline int ubifs_shash_update(const struct ubifs_info *c, 1496 + struct shash_desc *desc, const void *buf, 1497 + unsigned int len) 1498 + { 1499 + int err = 0; 1500 + 1501 + if (ubifs_authenticated(c)) { 1502 + err = crypto_shash_update(desc, buf, len); 1503 + if (err < 0) 1504 + return err; 1505 + } 1506 + 1507 + return 0; 1508 + } 1509 + 1510 + static inline int ubifs_shash_final(const struct ubifs_info *c, 1511 + struct shash_desc *desc, u8 *out) 1512 + { 1513 + return ubifs_authenticated(c) ? crypto_shash_final(desc, out) : 0; 1514 + } 1515 + 1516 + int __ubifs_node_calc_hash(const struct ubifs_info *c, const void *buf, 1517 + u8 *hash); 1518 + static inline int ubifs_node_calc_hash(const struct ubifs_info *c, 1519 + const void *buf, u8 *hash) 1520 + { 1521 + if (ubifs_authenticated(c)) 1522 + return __ubifs_node_calc_hash(c, buf, hash); 1523 + else 1524 + return 0; 1525 + } 1526 + 1527 + int ubifs_prepare_auth_node(struct ubifs_info *c, void *node, 1528 + struct shash_desc *inhash); 1529 + 1530 + /** 1531 + * ubifs_check_hash - compare two hashes 1532 + * @c: UBIFS file-system description object 1533 + * @expected: first hash 1534 + * @got: second hash 1535 + * 1536 + * Compare two hashes @expected and @got. Returns 0 when they are equal, a 1537 + * negative error code otherwise. 1538 + */ 1539 + static inline int ubifs_check_hash(const struct ubifs_info *c, 1540 + const u8 *expected, const u8 *got) 1541 + { 1542 + return crypto_memneq(expected, got, c->hash_len); 1543 + } 1544 + 1545 + /** 1546 + * ubifs_check_hmac - compare two HMACs 1547 + * @c: UBIFS file-system description object 1548 + * @expected: first HMAC 1549 + * @got: second HMAC 1550 + * 1551 + * Compare two hashes @expected and @got. Returns 0 when they are equal, a 1552 + * negative error code otherwise. 1553 + */ 1554 + static inline int ubifs_check_hmac(const struct ubifs_info *c, 1555 + const u8 *expected, const u8 *got) 1556 + { 1557 + return crypto_memneq(expected, got, c->hmac_desc_len); 1558 + } 1559 + 1560 + void ubifs_bad_hash(const struct ubifs_info *c, const void *node, 1561 + const u8 *hash, int lnum, int offs); 1562 + 1563 + int __ubifs_node_check_hash(const struct ubifs_info *c, const void *buf, 1564 + const u8 *expected); 1565 + static inline int ubifs_node_check_hash(const struct ubifs_info *c, 1566 + const void *buf, const u8 *expected) 1567 + { 1568 + if (ubifs_authenticated(c)) 1569 + return __ubifs_node_check_hash(c, buf, expected); 1570 + else 1571 + return 0; 1572 + } 1573 + 1574 + int ubifs_init_authentication(struct ubifs_info *c); 1575 + void __ubifs_exit_authentication(struct ubifs_info *c); 1576 + static inline void ubifs_exit_authentication(struct ubifs_info *c) 1577 + { 1578 + if (ubifs_authenticated(c)) 1579 + __ubifs_exit_authentication(c); 1580 + } 1581 + 1582 + /** 1583 + * ubifs_branch_hash - returns a pointer to the hash of a branch 1584 + * @c: UBIFS file-system description object 1585 + * @br: branch to get the hash from 1586 + * 1587 + * This returns a pointer to the hash of a branch. Since the key already is a 1588 + * dynamically sized object we cannot use a struct member here. 1589 + */ 1590 + static inline u8 *ubifs_branch_hash(struct ubifs_info *c, 1591 + struct ubifs_branch *br) 1592 + { 1593 + return (void *)br + sizeof(*br) + c->key_len; 1594 + } 1595 + 1596 + /** 1597 + * ubifs_copy_hash - copy a hash 1598 + * @c: UBIFS file-system description object 1599 + * @from: source hash 1600 + * @to: destination hash 1601 + * 1602 + * With authentication this copies a hash, otherwise does nothing. 1603 + */ 1604 + static inline void ubifs_copy_hash(const struct ubifs_info *c, const u8 *from, 1605 + u8 *to) 1606 + { 1607 + if (ubifs_authenticated(c)) 1608 + memcpy(to, from, c->hash_len); 1609 + } 1610 + 1611 + int __ubifs_node_insert_hmac(const struct ubifs_info *c, void *buf, 1612 + int len, int ofs_hmac); 1613 + static inline int ubifs_node_insert_hmac(const struct ubifs_info *c, void *buf, 1614 + int len, int ofs_hmac) 1615 + { 1616 + if (ubifs_authenticated(c)) 1617 + return __ubifs_node_insert_hmac(c, buf, len, ofs_hmac); 1618 + else 1619 + return 0; 1620 + } 1621 + 1622 + int __ubifs_node_verify_hmac(const struct ubifs_info *c, const void *buf, 1623 + int len, int ofs_hmac); 1624 + static inline int ubifs_node_verify_hmac(const struct ubifs_info *c, 1625 + const void *buf, int len, int ofs_hmac) 1626 + { 1627 + if (ubifs_authenticated(c)) 1628 + return __ubifs_node_verify_hmac(c, buf, len, ofs_hmac); 1629 + else 1630 + return 0; 1631 + } 1632 + 1633 + /** 1634 + * ubifs_auth_node_sz - returns the size of an authentication node 1635 + * @c: UBIFS file-system description object 1636 + * 1637 + * This function returns the size of an authentication node which can 1638 + * be 0 for unauthenticated filesystems or the real size of an auth node 1639 + * authentication is enabled. 1640 + */ 1641 + static inline int ubifs_auth_node_sz(const struct ubifs_info *c) 1642 + { 1643 + if (ubifs_authenticated(c)) 1644 + return sizeof(struct ubifs_auth_node) + c->hmac_desc_len; 1645 + else 1646 + return 0; 1647 + } 1648 + 1649 + int ubifs_hmac_wkm(struct ubifs_info *c, u8 *hmac); 1650 + 1651 + int __ubifs_shash_copy_state(const struct ubifs_info *c, struct shash_desc *src, 1652 + struct shash_desc *target); 1653 + static inline int ubifs_shash_copy_state(const struct ubifs_info *c, 1654 + struct shash_desc *src, 1655 + struct shash_desc *target) 1656 + { 1657 + if (ubifs_authenticated(c)) 1658 + return __ubifs_shash_copy_state(c, src, target); 1659 + else 1660 + return 0; 1661 + } 1662 + 1519 1663 /* io.c */ 1520 1664 void ubifs_ro_mode(struct ubifs_info *c, int err); 1521 1665 int ubifs_leb_read(const struct ubifs_info *c, int lnum, void *buf, int offs, ··· 1724 1490 int lnum, int offs); 1725 1491 int ubifs_write_node(struct ubifs_info *c, void *node, int len, int lnum, 1726 1492 int offs); 1493 + int ubifs_write_node_hmac(struct ubifs_info *c, void *buf, int len, int lnum, 1494 + int offs, int hmac_offs); 1727 1495 int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, 1728 1496 int offs, int quiet, int must_chk_crc); 1497 + void ubifs_init_node(struct ubifs_info *c, void *buf, int len, int pad); 1498 + void ubifs_crc_node(struct ubifs_info *c, void *buf, int len); 1729 1499 void ubifs_prepare_node(struct ubifs_info *c, void *buf, int len, int pad); 1500 + int ubifs_prepare_node_hmac(struct ubifs_info *c, void *node, int len, 1501 + int hmac_offs, int pad); 1730 1502 void ubifs_prep_grp_node(struct ubifs_info *c, void *node, int len, int last); 1731 1503 int ubifs_io_init(struct ubifs_info *c); 1732 1504 void ubifs_pad(const struct ubifs_info *c, void *buf, int pad); ··· 1832 1592 int ubifs_tnc_locate(struct ubifs_info *c, const union ubifs_key *key, 1833 1593 void *node, int *lnum, int *offs); 1834 1594 int ubifs_tnc_add(struct ubifs_info *c, const union ubifs_key *key, int lnum, 1835 - int offs, int len); 1595 + int offs, int len, const u8 *hash); 1836 1596 int ubifs_tnc_replace(struct ubifs_info *c, const union ubifs_key *key, 1837 1597 int old_lnum, int old_offs, int lnum, int offs, int len); 1838 1598 int ubifs_tnc_add_nm(struct ubifs_info *c, const union ubifs_key *key, 1839 - int lnum, int offs, int len, const struct fscrypt_name *nm); 1599 + int lnum, int offs, int len, const u8 *hash, 1600 + const struct fscrypt_name *nm); 1840 1601 int ubifs_tnc_remove(struct ubifs_info *c, const union ubifs_key *key); 1841 1602 int ubifs_tnc_remove_nm(struct ubifs_info *c, const union ubifs_key *key, 1842 1603 const struct fscrypt_name *nm); ··· 1900 1659 void ubifs_wait_for_commit(struct ubifs_info *c); 1901 1660 1902 1661 /* master.c */ 1662 + int ubifs_compare_master_node(struct ubifs_info *c, void *m1, void *m2); 1903 1663 int ubifs_read_master(struct ubifs_info *c); 1904 1664 int ubifs_write_master(struct ubifs_info *c); 1905 1665 1906 1666 /* sb.c */ 1907 1667 int ubifs_read_superblock(struct ubifs_info *c); 1908 - struct ubifs_sb_node *ubifs_read_sb_node(struct ubifs_info *c); 1909 1668 int ubifs_write_sb_node(struct ubifs_info *c, struct ubifs_sb_node *sup); 1910 1669 int ubifs_fixup_free_space(struct ubifs_info *c); 1911 1670 int ubifs_enable_encryption(struct ubifs_info *c); ··· 1934 1693 /* lpt.c */ 1935 1694 int ubifs_calc_lpt_geom(struct ubifs_info *c); 1936 1695 int ubifs_create_dflt_lpt(struct ubifs_info *c, int *main_lebs, int lpt_first, 1937 - int *lpt_lebs, int *big_lpt); 1696 + int *lpt_lebs, int *big_lpt, u8 *hash); 1938 1697 int ubifs_lpt_init(struct ubifs_info *c, int rd, int wr); 1939 1698 struct ubifs_lprops *ubifs_lpt_lookup(struct ubifs_info *c, int lnum); 1940 1699 struct ubifs_lprops *ubifs_lpt_lookup_dirty(struct ubifs_info *c, int lnum); ··· 1953 1712 struct ubifs_nnode *parent, int iip); 1954 1713 struct ubifs_nnode *ubifs_get_nnode(struct ubifs_info *c, 1955 1714 struct ubifs_nnode *parent, int iip); 1715 + struct ubifs_pnode *ubifs_pnode_lookup(struct ubifs_info *c, int i); 1956 1716 int ubifs_read_nnode(struct ubifs_info *c, struct ubifs_nnode *parent, int iip); 1957 1717 void ubifs_add_lpt_dirt(struct ubifs_info *c, int lnum, int dirty); 1958 1718 void ubifs_add_nnode_dirt(struct ubifs_info *c, struct ubifs_nnode *nnode); ··· 1962 1720 /* Needed only in debugging code in lpt_commit.c */ 1963 1721 int ubifs_unpack_nnode(const struct ubifs_info *c, void *buf, 1964 1722 struct ubifs_nnode *nnode); 1723 + int ubifs_lpt_calc_hash(struct ubifs_info *c, u8 *hash); 1965 1724 1966 1725 /* lpt_commit.c */ 1967 1726 int ubifs_lpt_start_commit(struct ubifs_info *c); ··· 2050 1807 int ubifs_rcvry_gc_commit(struct ubifs_info *c); 2051 1808 int ubifs_recover_size_accum(struct ubifs_info *c, union ubifs_key *key, 2052 1809 int deletion, loff_t new_size); 2053 - int ubifs_recover_size(struct ubifs_info *c); 1810 + int ubifs_recover_size(struct ubifs_info *c, bool in_place); 2054 1811 void ubifs_destroy_size_tree(struct ubifs_info *c); 2055 1812 2056 1813 /* ioctl.c */