tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt
Pull fsverity updates from Eric Biggers:
"Some cleanups for fs-verity:
- Rename some names that have been causing confusion
- Move structs needed for file signing to the UAPI header"
* tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt:
fs-verity: move structs needed for file signing to UAPI header
fs-verity: rename "file measurement" to "file digest"
fs-verity: rename fsverity_signed_digest to fsverity_formatted_digest
fs-verity: remove filenames from file comments
+116
-101
+32
-36
Documentation/filesystems/fsverity.rst
+32
-36
Documentation/filesystems/fsverity.rst
···
27
27
corrupted data, including mmap reads, will fail.
28
28
29
29
Userspace can use another ioctl to retrieve the root hash (actually
30
-
the "file measurement", which is a hash that includes the root hash)
31
-
that fs-verity is enforcing for the file. This ioctl executes in
32
-
constant time, regardless of the file size.
30
+
the "fs-verity file digest", which is a hash that includes the Merkle
31
+
tree root hash) that fs-verity is enforcing for the file. This ioctl
32
+
executes in constant time, regardless of the file size.
33
33
34
34
fs-verity is essentially a way to hash a file in constant time,
35
35
subject to the caveat that reads which would violate the hash will
···
177
177
FS_IOC_MEASURE_VERITY
178
178
---------------------
179
179
180
-
The FS_IOC_MEASURE_VERITY ioctl retrieves the measurement of a verity
181
-
file. The file measurement is a digest that cryptographically
182
-
identifies the file contents that are being enforced on reads.
180
+
The FS_IOC_MEASURE_VERITY ioctl retrieves the digest of a verity file.
181
+
The fs-verity file digest is a cryptographic digest that identifies
182
+
the file contents that are being enforced on reads; it is computed via
183
+
a Merkle tree and is different from a traditional full-file digest.
183
184
184
185
This ioctl takes in a pointer to a variable-length structure::
185
186
···
198
197
follows:
199
198
200
199
- ``digest_algorithm`` will be the hash algorithm used for the file
201
-
measurement. It will match ``fsverity_enable_arg::hash_algorithm``.
200
+
digest. It will match ``fsverity_enable_arg::hash_algorithm``.
202
201
- ``digest_size`` will be the size of the digest in bytes, e.g. 32
203
202
for SHA-256. (This can be redundant with ``digest_algorithm``.)
204
203
- ``digest`` will be the actual bytes of the digest.
···
258
257
with EIO (for read()) or SIGBUS (for mmap() reads).
259
258
260
259
- If the sysctl "fs.verity.require_signatures" is set to 1 and the
261
-
file's verity measurement is not signed by a key in the fs-verity
262
-
keyring, then opening the file will fail. See `Built-in signature
263
-
verification`_.
260
+
file is not signed by a key in the fs-verity keyring, then opening
261
+
the file will fail. See `Built-in signature verification`_.
264
262
265
263
Direct access to the Merkle tree is not supported. Therefore, if a
266
264
verity file is copied, or is backed up and restored, then it will lose
267
265
its "verity"-ness. fs-verity is primarily meant for files like
268
266
executables that are managed by a package manager.
269
267
270
-
File measurement computation
271
-
============================
268
+
File digest computation
269
+
=======================
272
270
273
271
This section describes how fs-verity hashes the file contents using a
274
-
Merkle tree to produce the "file measurement" which cryptographically
275
-
identifies the file contents. This algorithm is the same for all
276
-
filesystems that support fs-verity.
272
+
Merkle tree to produce the digest which cryptographically identifies
273
+
the file contents. This algorithm is the same for all filesystems
274
+
that support fs-verity.
277
275
278
276
Userspace only needs to be aware of this algorithm if it needs to
279
-
compute the file measurement itself, e.g. in order to sign the file.
277
+
compute fs-verity file digests itself, e.g. in order to sign files.
280
278
281
279
.. _fsverity_merkle_tree:
282
280
···
325
325
is exactly the top-level hash block of the first file. Ambiguities
326
326
also arise from the convention of padding to the next block boundary.
327
327
328
-
To solve this problem, the verity file measurement is actually
329
-
computed as a hash of the following structure, which contains the
330
-
Merkle tree root hash as well as other fields such as the file size::
328
+
To solve this problem, the fs-verity file digest is actually computed
329
+
as a hash of the following structure, which contains the Merkle tree
330
+
root hash as well as other fields such as the file size::
331
331
332
332
struct fsverity_descriptor {
333
333
__u8 version; /* must be 1 */
334
334
__u8 hash_algorithm; /* Merkle tree hash algorithm */
335
335
__u8 log_blocksize; /* log2 of size of data and tree blocks */
336
336
__u8 salt_size; /* size of salt in bytes; 0 if none */
337
-
__le32 sig_size; /* must be 0 */
337
+
__le32 __reserved_0x04; /* must be 0 */
338
338
__le64 data_size; /* size of file the Merkle tree is built over */
339
339
__u8 root_hash[64]; /* Merkle tree root hash */
340
340
__u8 salt[32]; /* salt prepended to each hashed block */
341
341
__u8 __reserved[144]; /* must be 0's */
342
342
};
343
-
344
-
Note that the ``sig_size`` field must be set to 0 for the purpose of
345
-
computing the file measurement, even if a signature was provided (or
346
-
will be provided) to `FS_IOC_ENABLE_VERITY`_.
347
343
348
344
Built-in signature verification
349
345
===============================
···
355
359
certificates from being added.
356
360
357
361
2. `FS_IOC_ENABLE_VERITY`_ accepts a pointer to a PKCS#7 formatted
358
-
detached signature in DER format of the file measurement. On
359
-
success, this signature is persisted alongside the Merkle tree.
362
+
detached signature in DER format of the file's fs-verity digest.
363
+
On success, this signature is persisted alongside the Merkle tree.
360
364
Then, any time the file is opened, the kernel will verify the
361
-
file's actual measurement against this signature, using the
362
-
certificates in the ".fs-verity" keyring.
365
+
file's actual digest against this signature, using the certificates
366
+
in the ".fs-verity" keyring.
363
367
364
368
3. A new sysctl "fs.verity.require_signatures" is made available.
365
369
When set to 1, the kernel requires that all verity files have a
366
-
correctly signed file measurement as described in (2).
370
+
correctly signed digest as described in (2).
367
371
368
-
File measurements must be signed in the following format, which is
369
-
similar to the structure used by `FS_IOC_MEASURE_VERITY`_::
372
+
fs-verity file digests must be signed in the following format, which
373
+
is similar to the structure used by `FS_IOC_MEASURE_VERITY`_::
370
374
371
-
struct fsverity_signed_digest {
375
+
struct fsverity_formatted_digest {
372
376
char magic[8]; /* must be "FSVerity" */
373
377
__le16 digest_algorithm;
374
378
__le16 digest_size;
···
417
421
418
422
ext4 also supports encryption, which can be used simultaneously with
419
423
fs-verity. In this case, the plaintext data is verified rather than
420
-
the ciphertext. This is necessary in order to make the file
421
-
measurement meaningful, since every file is encrypted differently.
424
+
the ciphertext. This is necessary in order to make the fs-verity file
425
+
digest meaningful, since every file is encrypted differently.
422
426
423
427
ext4 stores the verity metadata (Merkle tree and fsverity_descriptor)
424
428
past the end of the file, starting at the first 64K boundary beyond
···
588
592
:Q: Isn't fs-verity useless because the attacker can just modify the
589
593
hashes in the Merkle tree, which is stored on-disk?
590
594
:A: To verify the authenticity of an fs-verity file you must verify
591
-
the authenticity of the "file measurement", which is basically the
592
-
root hash of the Merkle tree. See `Use cases`_.
595
+
the authenticity of the "fs-verity file digest", which
596
+
incorporates the root hash of the Merkle tree. See `Use cases`_.
593
597
594
598
:Q: Isn't fs-verity useless because the attacker can just replace a
595
599
verity file with a non-verity one?
+4
-4
fs/verity/enable.c
+4
-4
fs/verity/enable.c
···
1
1
// SPDX-License-Identifier: GPL-2.0
2
2
/*
3
-
* fs/verity/enable.c: ioctl to enable verity on a file
3
+
* Ioctl to enable verity on a file
4
4
*
5
5
* Copyright 2019 Google LLC
6
6
*/
···
398
398
* Some pages of the file may have been evicted from pagecache after
399
399
* being used in the Merkle tree construction, then read into pagecache
400
400
* again by another process reading from the file concurrently. Since
401
-
* these pages didn't undergo verification against the file measurement
402
-
* which fs-verity now claims to be enforcing, we have to wipe the
403
-
* pagecache to ensure that all future reads are verified.
401
+
* these pages didn't undergo verification against the file digest which
402
+
* fs-verity now claims to be enforcing, we have to wipe the pagecache
403
+
* to ensure that all future reads are verified.
404
404
*/
405
405
filemap_write_and_wait(inode->i_mapping);
406
406
invalidate_inode_pages2(inode->i_mapping);
+3
-33
fs/verity/fsverity_private.h
+3
-33
fs/verity/fsverity_private.h
···
67
67
* When a verity file is first opened, an instance of this struct is allocated
68
68
* and stored in ->i_verity_info; it remains until the inode is evicted. It
69
69
* caches information about the Merkle tree that's needed to efficiently verify
70
-
* data read from the file. It also caches the file measurement. The Merkle
71
-
* tree pages themselves are not cached here, but the filesystem may cache them.
70
+
* data read from the file. It also caches the file digest. The Merkle tree
71
+
* pages themselves are not cached here, but the filesystem may cache them.
72
72
*/
73
73
struct fsverity_info {
74
74
struct merkle_tree_params tree_params;
75
75
u8 root_hash[FS_VERITY_MAX_DIGEST_SIZE];
76
-
u8 measurement[FS_VERITY_MAX_DIGEST_SIZE];
76
+
u8 file_digest[FS_VERITY_MAX_DIGEST_SIZE];
77
77
const struct inode *inode;
78
-
};
79
-
80
-
/*
81
-
* Merkle tree properties. The file measurement is the hash of this structure
82
-
* excluding the signature and with the sig_size field set to 0.
83
-
*/
84
-
struct fsverity_descriptor {
85
-
__u8 version; /* must be 1 */
86
-
__u8 hash_algorithm; /* Merkle tree hash algorithm */
87
-
__u8 log_blocksize; /* log2 of size of data and tree blocks */
88
-
__u8 salt_size; /* size of salt in bytes; 0 if none */
89
-
__le32 sig_size; /* size of signature in bytes; 0 if none */
90
-
__le64 data_size; /* size of file the Merkle tree is built over */
91
-
__u8 root_hash[64]; /* Merkle tree root hash */
92
-
__u8 salt[32]; /* salt prepended to each hashed block */
93
-
__u8 __reserved[144]; /* must be 0's */
94
-
__u8 signature[]; /* optional PKCS#7 signature */
95
78
};
96
79
97
80
/* Arbitrary limit to bound the kmalloc() size. Can be changed. */
···
82
99
83
100
#define FS_VERITY_MAX_SIGNATURE_SIZE (FS_VERITY_MAX_DESCRIPTOR_SIZE - \
84
101
sizeof(struct fsverity_descriptor))
85
-
86
-
/*
87
-
* Format in which verity file measurements are signed. This is the same as
88
-
* 'struct fsverity_digest', except here some magic bytes are prepended to
89
-
* provide some context about what is being signed in case the same key is used
90
-
* for non-fsverity purposes, and here the fields have fixed endianness.
91
-
*/
92
-
struct fsverity_signed_digest {
93
-
char magic[8]; /* must be "FSVerity" */
94
-
__le16 digest_algorithm;
95
-
__le16 digest_size;
96
-
__u8 digest[];
97
-
};
98
102
99
103
/* hash_algs.c */
100
104
+1
-1
fs/verity/hash_algs.c
+1
-1
fs/verity/hash_algs.c
+1
-1
fs/verity/init.c
+1
-1
fs/verity/init.c
+6
-6
fs/verity/measure.c
+6
-6
fs/verity/measure.c
···
1
1
// SPDX-License-Identifier: GPL-2.0
2
2
/*
3
-
* fs/verity/measure.c: ioctl to get a verity file's measurement
3
+
* Ioctl to get a verity file's digest
4
4
*
5
5
* Copyright 2019 Google LLC
6
6
*/
···
10
10
#include <linux/uaccess.h>
11
11
12
12
/**
13
-
* fsverity_ioctl_measure() - get a verity file's measurement
14
-
* @filp: file to get measurement of
13
+
* fsverity_ioctl_measure() - get a verity file's digest
14
+
* @filp: file to get digest of
15
15
* @_uarg: user pointer to fsverity_digest
16
16
*
17
-
* Retrieve the file measurement that the kernel is enforcing for reads from a
18
-
* verity file. See the "FS_IOC_MEASURE_VERITY" section of
17
+
* Retrieve the file digest that the kernel is enforcing for reads from a verity
18
+
* file. See the "FS_IOC_MEASURE_VERITY" section of
19
19
* Documentation/filesystems/fsverity.rst for the documentation.
20
20
*
21
21
* Return: 0 on success, -errno on failure
···
51
51
if (copy_to_user(uarg, &arg, sizeof(arg)))
52
52
return -EFAULT;
53
53
54
-
if (copy_to_user(uarg->digest, vi->measurement, hash_alg->digest_size))
54
+
if (copy_to_user(uarg->digest, vi->file_digest, hash_alg->digest_size))
55
55
return -EFAULT;
56
56
57
57
return 0;
+12
-12
fs/verity/open.c
+12
-12
fs/verity/open.c
···
1
1
// SPDX-License-Identifier: GPL-2.0
2
2
/*
3
-
* fs/verity/open.c: opening fs-verity files
3
+
* Opening fs-verity files
4
4
*
5
5
* Copyright 2019 Google LLC
6
6
*/
···
124
124
}
125
125
126
126
/*
127
-
* Compute the file measurement by hashing the fsverity_descriptor excluding the
127
+
* Compute the file digest by hashing the fsverity_descriptor excluding the
128
128
* signature and with the sig_size field set to 0.
129
129
*/
130
-
static int compute_file_measurement(struct fsverity_hash_alg *hash_alg,
131
-
struct fsverity_descriptor *desc,
132
-
u8 *measurement)
130
+
static int compute_file_digest(struct fsverity_hash_alg *hash_alg,
131
+
struct fsverity_descriptor *desc,
132
+
u8 *file_digest)
133
133
{
134
134
__le32 sig_size = desc->sig_size;
135
135
int err;
136
136
137
137
desc->sig_size = 0;
138
-
err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), measurement);
138
+
err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
139
139
desc->sig_size = sig_size;
140
140
141
141
return err;
···
199
199
200
200
memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);
201
201
202
-
err = compute_file_measurement(vi->tree_params.hash_alg, desc,
203
-
vi->measurement);
202
+
err = compute_file_digest(vi->tree_params.hash_alg, desc,
203
+
vi->file_digest);
204
204
if (err) {
205
-
fsverity_err(inode, "Error %d computing file measurement", err);
205
+
fsverity_err(inode, "Error %d computing file digest", err);
206
206
goto out;
207
207
}
208
-
pr_debug("Computed file measurement: %s:%*phN\n",
208
+
pr_debug("Computed file digest: %s:%*phN\n",
209
209
vi->tree_params.hash_alg->name,
210
-
vi->tree_params.digest_size, vi->measurement);
210
+
vi->tree_params.digest_size, vi->file_digest);
211
211
212
212
err = fsverity_verify_signature(vi, desc, desc_size);
213
213
out:
···
354
354
{
355
355
fsverity_info_cachep = KMEM_CACHE_USERCOPY(fsverity_info,
356
356
SLAB_RECLAIM_ACCOUNT,
357
-
measurement);
357
+
file_digest);
358
358
if (!fsverity_info_cachep)
359
359
return -ENOMEM;
360
360
return 0;
+7
-7
fs/verity/signature.c
+7
-7
fs/verity/signature.c
···
1
1
// SPDX-License-Identifier: GPL-2.0
2
2
/*
3
-
* fs/verity/signature.c: verification of builtin signatures
3
+
* Verification of builtin signatures
4
4
*
5
5
* Copyright 2019 Google LLC
6
6
*/
···
32
32
* @desc: the file's fsverity_descriptor
33
33
* @desc_size: size of @desc
34
34
*
35
-
* If the file's fs-verity descriptor includes a signature of the file
36
-
* measurement, verify it against the certificates in the fs-verity keyring.
35
+
* If the file's fs-verity descriptor includes a signature of the file digest,
36
+
* verify it against the certificates in the fs-verity keyring.
37
37
*
38
38
* Return: 0 on success (signature valid or not required); -errno on failure
39
39
*/
···
44
44
const struct inode *inode = vi->inode;
45
45
const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
46
46
const u32 sig_size = le32_to_cpu(desc->sig_size);
47
-
struct fsverity_signed_digest *d;
47
+
struct fsverity_formatted_digest *d;
48
48
int err;
49
49
50
50
if (sig_size == 0) {
···
67
67
memcpy(d->magic, "FSVerity", 8);
68
68
d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
69
69
d->digest_size = cpu_to_le16(hash_alg->digest_size);
70
-
memcpy(d->digest, vi->measurement, hash_alg->digest_size);
70
+
memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
71
71
72
72
err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
73
73
desc->signature, sig_size,
···
90
90
return err;
91
91
}
92
92
93
-
pr_debug("Valid signature for file measurement %s:%*phN\n",
94
-
hash_alg->name, hash_alg->digest_size, vi->measurement);
93
+
pr_debug("Valid signature for file digest %s:%*phN\n",
94
+
hash_alg->name, hash_alg->digest_size, vi->file_digest);
95
95
return 0;
96
96
}
97
97
+1
-1
fs/verity/verify.c
+1
-1
fs/verity/verify.c
+49
include/uapi/linux/fsverity.h
+49
include/uapi/linux/fsverity.h
···
34
34
__u8 digest[];
35
35
};
36
36
37
+
/*
38
+
* Struct containing a file's Merkle tree properties. The fs-verity file digest
39
+
* is the hash of this struct. A userspace program needs this struct only if it
40
+
* needs to compute fs-verity file digests itself, e.g. in order to sign files.
41
+
* It isn't needed just to enable fs-verity on a file.
42
+
*
43
+
* Note: when computing the file digest, 'sig_size' and 'signature' must be left
44
+
* zero and empty, respectively. These fields are present only because some
45
+
* filesystems reuse this struct as part of their on-disk format.
46
+
*/
47
+
struct fsverity_descriptor {
48
+
__u8 version; /* must be 1 */
49
+
__u8 hash_algorithm; /* Merkle tree hash algorithm */
50
+
__u8 log_blocksize; /* log2 of size of data and tree blocks */
51
+
__u8 salt_size; /* size of salt in bytes; 0 if none */
52
+
#ifdef __KERNEL__
53
+
__le32 sig_size;
54
+
#else
55
+
__le32 __reserved_0x04; /* must be 0 */
56
+
#endif
57
+
__le64 data_size; /* size of file the Merkle tree is built over */
58
+
__u8 root_hash[64]; /* Merkle tree root hash */
59
+
__u8 salt[32]; /* salt prepended to each hashed block */
60
+
__u8 __reserved[144]; /* must be 0's */
61
+
#ifdef __KERNEL__
62
+
__u8 signature[];
63
+
#endif
64
+
};
65
+
66
+
/*
67
+
* Format in which fs-verity file digests are signed in built-in signatures.
68
+
* This is the same as 'struct fsverity_digest', except here some magic bytes
69
+
* are prepended to provide some context about what is being signed in case the
70
+
* same key is used for non-fsverity purposes, and here the fields have fixed
71
+
* endianness.
72
+
*
73
+
* This struct is specific to the built-in signature verification support, which
74
+
* is optional. fs-verity users may also verify signatures in userspace, in
75
+
* which case userspace is responsible for deciding on what bytes are signed.
76
+
* This struct may still be used, but it doesn't have to be. For example,
77
+
* userspace could instead use a string like "sha256:$digest_as_hex_string".
78
+
*/
79
+
struct fsverity_formatted_digest {
80
+
char magic[8]; /* must be "FSVerity" */
81
+
__le16 digest_algorithm;
82
+
__le16 digest_size;
83
+
__u8 digest[];
84
+
};
85
+
37
86
#define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg)
38
87
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
39
88