Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * fs/ext4/verity.c: fs-verity support for ext4
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  * Copyright 2019 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)  * Implementation of fsverity_operations for ext4.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11)  * ext4 stores the verity metadata (Merkle tree and fsverity_descriptor) past
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12)  * the end of the file, starting at the first 64K boundary beyond i_size.  This
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13)  * approach works because (a) verity files are readonly, and (b) pages fully
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14)  * beyond i_size aren't visible to userspace but can be read/written internally
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15)  * by ext4 with only some relatively small changes to ext4.  This approach
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16)  * avoids having to depend on the EA_INODE feature and on rearchitecturing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17)  * ext4's xattr support to support paging multi-gigabyte xattrs into memory, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18)  * to support encrypting xattrs.  Note that the verity metadata *must* be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19)  * encrypted when the file is, since it contains hashes of the plaintext data.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21)  * Using a 64K boundary rather than a 4K one keeps things ready for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22)  * architectures with 64K pages, and it doesn't necessarily waste space on-disk
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23)  * since there can be a hole between i_size and the start of the Merkle tree.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) #include <linux/quotaops.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) #include "ext4.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) #include "ext4_extents.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) #include "ext4_jbd2.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) 
/*
 * Return the file offset at which this inode's verity metadata starts:
 * i_size rounded up to a multiple of 65536 (64K).
 */
static inline loff_t ext4_verity_metadata_pos(const struct inode *inode)
{
	const loff_t data_end = inode->i_size;

	return round_up(data_end, 65536);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 
/*
 * Copy @count bytes of verity metadata, starting at file offset @pos, out of
 * the inode's page cache into @buf.  __vfs_read() can't be used because the
 * range being read lies beyond i_size.
 *
 * The copy is done one page at a time.  Returns 0 on success, or the error
 * carried by read_mapping_page() when a page cannot be read.
 *
 * Nothing in this function checks @pos or @count against the layout of the
 * metadata, and @buf must have room for @count bytes; both are the caller's
 * responsibility.
 */
static int pagecache_read(struct inode *inode, void *buf, size_t count,
			  loff_t pos)
{
	struct address_space *mapping = inode->i_mapping;

	while (count != 0) {
		const size_t in_page = offset_in_page(pos);
		/* Never copy across a page boundary in one step. */
		const size_t chunk = min_t(size_t, count, PAGE_SIZE - in_page);
		struct page *page;
		void *kaddr;

		page = read_mapping_page(mapping, pos >> PAGE_SHIFT, NULL);
		if (IS_ERR(page))
			return PTR_ERR(page);

		kaddr = kmap_atomic(page);
		memcpy(buf, kaddr + in_page, chunk);
		kunmap_atomic(kaddr);

		/* Drop the reference taken by read_mapping_page(). */
		put_page(page);

		count -= chunk;
		pos += chunk;
		buf += chunk;
	}
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) 
/*
 * Write @count bytes of verity metadata from @buf into the inode's page cache
 * at file offset @pos, on behalf of FS_IOC_ENABLE_VERITY.  kernel_write()
 * can't be used because the file descriptor is readonly.
 *
 * Returns 0 on success, -EFBIG if the range would end past s_maxbytes, the
 * error from pagecache_write_begin()/pagecache_write_end(), or -EIO if
 * pagecache_write_end() accepted fewer bytes than were copied.
 */
static int pagecache_write(struct inode *inode, const void *buf, size_t count,
			   loff_t pos)
{
	struct address_space *mapping = inode->i_mapping;

	/* Reject a range that would end beyond the superblock's size limit. */
	if (pos + count > inode->i_sb->s_maxbytes)
		return -EFBIG;

	while (count != 0) {
		const size_t in_page = offset_in_page(pos);
		/* Each begin/end pair covers at most the rest of one page. */
		const size_t chunk = min_t(size_t, count, PAGE_SIZE - in_page);
		struct page *page;
		void *fsdata;
		void *kaddr;
		int ret;

		ret = pagecache_write_begin(NULL, mapping, pos, chunk, 0,
					    &page, &fsdata);
		if (ret != 0)
			return ret;

		kaddr = kmap_atomic(page);
		memcpy(kaddr + in_page, buf, chunk);
		kunmap_atomic(kaddr);

		ret = pagecache_write_end(NULL, mapping, pos, chunk, chunk,
					  page, fsdata);
		if (ret < 0)
			return ret;
		/* A short write would leave a gap in the metadata. */
		if (ret != chunk)
			return -EIO;

		count -= chunk;
		pos += chunk;
		buf += chunk;
	}
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) 
/*
 * ->begin_enable_verity() for ext4: check that verity can be enabled on the
 * file behind @filp and put the inode into the "verity in progress" state.
 *
 * Returns 0 on success; -EINVAL for DAX inodes; -EBUSY if enabling is already
 * in progress; -EOPNOTSUPP if the file is not extent-based; otherwise the
 * error of whichever preparation step failed.
 */
static int ext4_begin_enable_verity(struct file *filp)
{
	/* ext4_orphan_add() modifies the superblock and the inode. */
	const int credits = 2;
	struct inode *inode = file_inode(filp);
	handle_t *txn;
	int ret;

	if (IS_DAX(inode) || ext4_test_inode_flag(inode, EXT4_INODE_DAX))
		return -EINVAL;

	/* Only one enable operation may be in flight per inode. */
	if (ext4_verity_in_progress(inode))
		return -EBUSY;

	/*
	 * The file was opened readonly, so ->open() did not set up the jbd
	 * inode or the quotas; do both here.  This has to come before the
	 * inline data is evicted.
	 */
	ret = ext4_inode_attach_jinode(inode);
	if (ret)
		return ret;

	ret = dquot_initialize(inode);
	if (ret)
		return ret;

	ret = ext4_convert_inline_data(inode);
	if (ret)
		return ret;

	if (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
		ext4_warning_inode(inode,
				   "verity is only allowed on extent-based files");
		return -EOPNOTSUPP;
	}

	/*
	 * The verity descriptor is later located through the last allocated
	 * block, so any stray blocks past EOF must be removed first.
	 */
	ret = ext4_truncate(inode);
	if (ret)
		return ret;

	txn = ext4_journal_start(inode, EXT4_HT_INODE, credits);
	if (IS_ERR(txn))
		return PTR_ERR(txn);

	/* The in-progress state is set only once the inode is on the orphan list. */
	ret = ext4_orphan_add(txn, inode);
	if (!ret)
		ext4_set_inode_state(inode, EXT4_STATE_VERITY_IN_PROGRESS);

	ext4_journal_stop(txn);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) 
/*
 * Write the verity descriptor and its size after the Merkle tree.
 *
 * The descriptor starts on the first filesystem block boundary after the
 * Merkle tree.  Its size is then stored, as a little-endian 32-bit value, in
 * the last 4 bytes of the last allocated filesystem block: the block in which
 * the descriptor ends, or the one after it if fewer than 4 bytes remain there.
 *
 * The descriptor can't simply go in an xattr: it *must* be encrypted when
 * ext4 encryption is used, and ext4 encryption doesn't encrypt xattrs.  A
 * descriptor carrying a large signature blob may also be too large for an
 * xattr without the EA_INODE feature.
 *
 * Returns 0 on success or the error from pagecache_write().
 */
static int ext4_write_verity_descriptor(struct inode *inode, const void *desc,
					size_t desc_size, u64 merkle_tree_size)
{
	const unsigned int blocksize = i_blocksize(inode);
	const __le32 size_on_disk = cpu_to_le32(desc_size);
	const u64 tree_end = ext4_verity_metadata_pos(inode) + merkle_tree_size;
	const u64 desc_start = round_up(tree_end, blocksize);
	const u64 desc_stop = desc_start + desc_size;
	/* Last sizeof(size_on_disk) bytes of the block that can hold them. */
	const u64 size_field_pos =
		round_up(desc_stop + sizeof(size_on_disk), blocksize) -
		sizeof(size_on_disk);
	int ret;

	ret = pagecache_write(inode, desc, desc_size, desc_start);
	if (ret)
		return ret;

	return pagecache_write(inode, &size_on_disk, sizeof(size_on_disk),
			       size_field_pos);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) 
/*
 * ->end_enable_verity() for ext4: finish enabling verity on the file behind
 * @filp, or undo the attempt.
 *
 * On the success path the descriptor is appended, all pages are written out,
 * and then the verity inode flag is set and the inode is taken off the orphan
 * list in one transaction.  fs/verity/ passes @desc == NULL when an error has
 * already occurred; in that case, and whenever a step here fails, everything
 * written beyond i_size is truncated away again.
 *
 * Returns 0 on success, or the error of the step that failed (0 as well when
 * only clean-up was requested via @desc == NULL).
 */
static int ext4_end_enable_verity(struct file *filp, const void *desc,
				  size_t desc_size, u64 merkle_tree_size)
{
	/* ext4_orphan_del() modifies the superblock and the inode. */
	const int credits = 2;
	struct inode *inode = file_inode(filp);
	struct ext4_iloc iloc;
	handle_t *txn;
	int ret = 0;

	/* An earlier failure was reported by the caller: clean up only. */
	if (!desc)
		goto undo;

	/* Append the verity descriptor after the Merkle tree. */
	ret = ext4_write_verity_descriptor(inode, desc, desc_size,
					   merkle_tree_size);
	if (ret)
		goto undo;

	/*
	 * Flush every page, data and verity metadata alike.  This must be
	 * done while EXT4_STATE_VERITY_IN_PROGRESS is still set, otherwise
	 * pages beyond i_size won't be written properly.  For crash
	 * consistency it must also precede persisting the verity inode flag.
	 */
	ret = filemap_write_and_wait(inode->i_mapping);
	if (ret)
		goto undo;

	/*
	 * Last step: in a single transaction, set the verity inode flag and
	 * remove the inode from the orphan list.
	 */
	txn = ext4_journal_start(inode, EXT4_HT_INODE, credits);
	if (IS_ERR(txn)) {
		ret = PTR_ERR(txn);
		goto undo;
	}

	ret = ext4_orphan_del(txn, inode);
	if (ret)
		goto abort_txn;

	ret = ext4_reserve_inode_write(txn, inode, &iloc);
	if (ret)
		goto abort_txn;

	ext4_set_inode_flag(inode, EXT4_INODE_VERITY);
	ext4_set_inode_flags(inode, false);
	ret = ext4_mark_iloc_dirty(txn, inode, &iloc);
	if (ret)
		goto abort_txn;

	ext4_journal_stop(txn);

	ext4_clear_inode_state(inode, EXT4_STATE_VERITY_IN_PROGRESS);
	return 0;

abort_txn:
	ext4_journal_stop(txn);
undo:
	/*
	 * Enabling verity failed.  Drop the verity metadata written beyond
	 * i_size from the page cache and from disk, take the inode off the
	 * orphan list if that hasn't happened yet, and clear
	 * EXT4_STATE_VERITY_IN_PROGRESS.
	 */
	truncate_inode_pages(inode->i_mapping, inode->i_size);
	ext4_truncate(inode);
	ext4_orphan_del(NULL, inode);
	ext4_clear_inode_state(inode, EXT4_STATE_VERITY_IN_PROGRESS);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) 
/*
 * Locate the verity descriptor of @inode from its on-disk layout.
 *
 * The descriptor size sits in the last 4 bytes of the last allocated block
 * (see ext4_write_verity_descriptor()), and the descriptor itself starts on
 * the filesystem block boundary at or before (size field position - size).
 *
 * Everything read here comes from disk, so each derived value is range-checked
 * before use: a file that is not extent-based or has no extents, a size above
 * INT_MAX or larger than the offset it is subtracted from, or a descriptor
 * position in front of the verity metadata is reported as corruption.
 *
 * On success stores the size in *@desc_size_ret and the offset in
 * *@desc_pos_ret and returns 0.  Returns -EFSCORRUPTED for an inconsistent
 * layout, or the error from ext4_find_extent()/pagecache_read().
 */
static int ext4_get_verity_descriptor_location(struct inode *inode,
					       size_t *desc_size_ret,
					       u64 *desc_pos_ret)
{
	struct ext4_ext_path *path;
	struct ext4_extent *tail;
	__le32 size_on_disk;
	u32 end_lblk;
	u32 size;
	u64 size_field_pos;
	u64 start;
	int ret;

	if (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
		EXT4_ERROR_INODE(inode, "verity file doesn't use extents");
		return -EFSCORRUPTED;
	}

	/* Looking up the highest possible block yields the last extent. */
	path = ext4_find_extent(inode, EXT_MAX_BLOCKS - 1, NULL, 0);
	if (IS_ERR(path))
		return PTR_ERR(path);

	tail = path[path->p_depth].p_ext;
	if (!tail) {
		EXT4_ERROR_INODE(inode, "verity file has no extents");
		ext4_ext_drop_refs(path);
		kfree(path);
		return -EFSCORRUPTED;
	}

	/*
	 * First logical block after the last extent.  The sum is computed in
	 * 32 bits; the result is only relied on after the checks below.
	 */
	end_lblk = le32_to_cpu(tail->ee_block) +
		   ext4_ext_get_actual_len(tail);
	size_field_pos = (u64)end_lblk << inode->i_blkbits;
	ext4_ext_drop_refs(path);
	kfree(path);

	/* Guard the subtraction that steps back onto the size field. */
	if (size_field_pos < sizeof(size_on_disk))
		goto bad;
	size_field_pos -= sizeof(size_on_disk);

	ret = pagecache_read(inode, &size_on_disk, sizeof(size_on_disk),
			     size_field_pos);
	if (ret)
		return ret;
	size = le32_to_cpu(size_on_disk);

	/*
	 * The descriptor ends just before the size field and begins on a
	 * filesystem block boundary.  Reject a size that callers could not
	 * return as an int or that would underflow the subtraction.
	 */
	if (size > INT_MAX || size > size_field_pos)
		goto bad;

	start = round_down(size_field_pos - size, i_blocksize(inode));
	/* The descriptor may not begin before the verity metadata region. */
	if (start < ext4_verity_metadata_pos(inode))
		goto bad;

	*desc_size_ret = size;
	*desc_pos_ret = start;
	return 0;

bad:
	EXT4_ERROR_INODE(inode, "verity file corrupted; can't find descriptor");
	return -EFSCORRUPTED;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) 
/*
 * ->get_verity_descriptor() for ext4: report the size of the verity
 * descriptor and, when @buf_size is nonzero, copy the descriptor into @buf.
 *
 * Returns the descriptor size on success, -ERANGE if a nonzero @buf_size is
 * smaller than the descriptor, or the error from locating or reading it.
 * With @buf_size == 0 nothing is copied and @buf is not touched.
 */
static int ext4_get_verity_descriptor(struct inode *inode, void *buf,
				      size_t buf_size)
{
	size_t size = 0;
	u64 start = 0;
	int ret;

	ret = ext4_get_verity_descriptor_location(inode, &size, &start);
	if (ret)
		return ret;

	/* Size query only. */
	if (!buf_size)
		return size;

	/* Never copy more than the caller's buffer can hold. */
	if (size > buf_size)
		return -ERANGE;

	ret = pagecache_read(inode, buf, size, start);
	if (ret)
		return ret;

	return size;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) 
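/*
 * ->read_merkle_tree_page() for ext4: return the page cache page that holds
 * Merkle tree page @index of @inode, reading it in if it is absent or not
 * up to date.
 *
 * @index counts pages from the start of the Merkle tree; it is turned into a
 * page cache index by adding the page offset of the verity metadata.  When the
 * page is not cached at all and @num_ra_pages > 1, readahead of up to
 * @num_ra_pages pages is started before the page itself is read.
 *
 * Returns the page found in the cache, or the result of read_mapping_page(),
 * which is an ERR_PTR() value on failure.
 */
static struct page *ext4_read_merkle_tree_page(struct inode *inode,
					       pgoff_t index,
					       unsigned long num_ra_pages)
{
	struct page *page;

	/* From here on @index is an index into the inode's page cache. */
	index += ext4_verity_metadata_pos(inode) >> PAGE_SHIFT;

	page = find_get_page_flags(inode->i_mapping, index, FGP_ACCESSED);
	if (!page || !PageUptodate(page)) {
		/*
		 * The readahead control records the index it is given at its
		 * definition, so it must be set up only after @index has been
		 * shifted into the metadata region.  Defining it before the
		 * adjustment would start readahead at the same-numbered page
		 * of the file's data instead of at the Merkle tree page.
		 */
		DEFINE_READAHEAD(ractl, NULL, inode->i_mapping, index);

		if (page)
			put_page(page);	/* cached but stale: drop our reference */
		else if (num_ra_pages > 1)
			page_cache_ra_unbounded(&ractl, num_ra_pages, 0);
		page = read_mapping_page(inode->i_mapping, index, NULL);
	}
	return page;
}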
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) 
/*
 * ->write_merkle_tree_block() for ext4: store one Merkle tree block.
 *
 * Block @index, of size (1 << @log_blocksize) bytes taken from @buf, is
 * written at that many bytes times @index past the start of the verity
 * metadata.  Returns 0 on success or the error from pagecache_write().
 */
static int ext4_write_merkle_tree_block(struct inode *inode, const void *buf,
					u64 index, int log_blocksize)
{
	const loff_t tree_start = ext4_verity_metadata_pos(inode);
	const loff_t block_pos = tree_start + (index << log_blocksize);

	return pagecache_write(inode, buf, 1 << log_blocksize, block_pos);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) 
/* The fsverity_operations implemented by ext4. */
const struct fsverity_operations ext4_verityops = {
	/* Enabling verity on a file. */
	.begin_enable_verity	 = ext4_begin_enable_verity,
	.write_merkle_tree_block = ext4_write_merkle_tree_block,
	.end_enable_verity	 = ext4_end_enable_verity,

	/* Reading back the stored verity metadata. */
	.get_verity_descriptor	 = ext4_get_verity_descriptor,
	.read_merkle_tree_page	 = ext4_read_merkle_tree_page,
};