ANDROID: Incremental fs: Store fs-verity state in backing file

Now fsverity state is preserved across inode eviction. Added incfs.verity xattr to track when a file is fs-verity enabled. Bug: 160634504 Test: incfs_test passes Signed-off-by: Paul Lawrence <paullawrence@google.com> Change-Id: I41d90abd55527884d9eff642c9834ad837ff6918
2020-08-12 15:12:47 -07:00
parent ab19218f50
commit ab6055cb62
9 changed files with 301 additions and 7 deletions
--- a/fs/incfs/data_mgmt.c
+++ b/fs/incfs/data_mgmt.c
@@ -5,6 +5,7 @@
 #include <linux/crc32.h>
 #include <linux/delay.h>
 #include <linux/file.h>
 #include <linux/fsverity.h>
 #include <linux/gfp.h>
 #include <linux/ktime.h>
 #include <linux/lz4.h>
@@ -18,6 +19,7 @@
 #include "data_mgmt.h"
 #include "format.h"
 #include "integrity.h"
 #include "verity.h"
 static int incfs_scan_metadata_chain(struct data_file *df);
@@ -332,6 +334,7 @@ void incfs_free_data_file(struct data_file *df)
 	incfs_free_bfc(df->df_backing_file_context);
 	kfree(df->df_signature);
 	kfree(df->df_verity_file_digest.data);
 	kfree(df->df_verity_signature);
 	mutex_destroy(&df->df_enable_verity);
 	kfree(df);
 }
@@ -1471,7 +1474,31 @@ static int process_status_md(struct incfs_status *is,
 		   df->df_initial_hash_blocks_written);
 	df->df_status_offset = handler->md_record_offset;
 	return 0;
 }
 static int process_file_verity_signature_md(
 		struct incfs_file_verity_signature *vs,
 		struct metadata_handler *handler)
 {
 	struct data_file *df = handler->context;
 	struct incfs_df_verity_signature *verity_signature;
 	if (!df)
 		return -EFAULT;
 	verity_signature = kzalloc(sizeof(*verity_signature), GFP_NOFS);
 	if (!verity_signature)
 		return -ENOMEM;
 	verity_signature->offset = le64_to_cpu(vs->vs_offset);
 	verity_signature->size = le32_to_cpu(vs->vs_size);
 	if (verity_signature->size > FS_VERITY_MAX_SIGNATURE_SIZE) {
 		kfree(verity_signature);
 		return -EFAULT;
 	}
 	df->df_verity_signature = verity_signature;
 	return 0;
 }
@@ -1497,6 +1524,7 @@ static int incfs_scan_metadata_chain(struct data_file *df)
 	handler->handle_blockmap = process_blockmap_md;
 	handler->handle_signature = process_file_signature_md;
 	handler->handle_status = process_status_md;
 	handler->handle_verity_signature = process_file_verity_signature_md;
 	while (handler->md_record_offset > 0) {
 		error = incfs_read_next_metadata_record(bfc, handler);
--- a/fs/incfs/data_mgmt.h
+++ b/fs/incfs/data_mgmt.h
@@ -297,6 +297,8 @@ struct data_file {
 	 * been opened
 	 */
 	struct mem_range df_verity_file_digest;
 	struct incfs_df_verity_signature *df_verity_signature;
 };
 struct dir_file {
--- a/fs/incfs/format.c
+++ b/fs/incfs/format.c
@@ -324,9 +324,6 @@ static int write_new_status_to_backing_file(struct backing_file_context *bfc,
 		.is_hash_blocks_written = cpu_to_le32(hash_blocks_written),
 	};
 	if (!bfc)
 		return -EFAULT;
 	LOCK_REQUIRED(bfc->bc_mutex);
 	rollback_pos = incfs_get_end_offset(bfc->bc_file);
 	result = append_md_to_backing_file(bfc, &is.is_header);
@@ -344,6 +341,9 @@ int incfs_write_status_to_backing_file(struct backing_file_context *bfc,
 	struct incfs_status is;
 	int result;
 	if (!bfc)
 		return -EFAULT;
 	if (status_offset == 0)
 		return write_new_status_to_backing_file(bfc,
 				data_blocks_written, hash_blocks_written);
@@ -361,6 +361,46 @@ int incfs_write_status_to_backing_file(struct backing_file_context *bfc,
 	return 0;
 }
 int incfs_write_verity_signature_to_backing_file(
 		struct backing_file_context *bfc, struct mem_range signature,
 		loff_t *offset)
 {
 	struct incfs_file_verity_signature vs = {};
 	int result;
 	loff_t pos;
 	/* No verity signature section is equivalent to an empty section */
 	if (signature.data == NULL || signature.len == 0)
 		return 0;
 	pos = incfs_get_end_offset(bfc->bc_file);
 	vs = (struct incfs_file_verity_signature) {
 		.vs_header = (struct incfs_md_header) {
 			.h_md_entry_type = INCFS_MD_VERITY_SIGNATURE,
 			.h_record_size = cpu_to_le16(sizeof(vs)),
 			.h_next_md_offset = cpu_to_le64(0),
 		},
 		.vs_size = cpu_to_le32(signature.len),
 		.vs_offset = cpu_to_le64(pos),
 	};
 	result = write_to_bf(bfc, signature.data, signature.len, pos);
 	if (result)
 		goto err;
 	result = append_md_to_backing_file(bfc, &vs.vs_header);
 	if (result)
 		goto err;
 	*offset = pos;
 err:
 	if (result)
 		/* Error, rollback file changes */
 		truncate_backing_file(bfc, pos);
 	return result;
 }
 /*
 * Write a backing file header
 * It should always be called only on empty file.
@@ -660,6 +700,11 @@ int incfs_read_next_metadata_record(struct backing_file_context *bfc,
 			res = handler->handle_status(
 				&handler->md_buffer.status, handler);
 		break;
 	case INCFS_MD_VERITY_SIGNATURE:
 		if (handler->handle_verity_signature)
 			res = handler->handle_verity_signature(
 				&handler->md_buffer.verity_signature, handler);
 		break;
 	default:
 		res = -ENOTSUPP;
 		break;
--- a/fs/incfs/format.h
+++ b/fs/incfs/format.h
@@ -120,6 +120,7 @@ enum incfs_metadata_type {
 	INCFS_MD_FILE_ATTR = 2,
 	INCFS_MD_SIGNATURE = 3,
 	INCFS_MD_STATUS = 4,
 	INCFS_MD_VERITY_SIGNATURE = 5,
 };
 enum incfs_file_header_flags {
@@ -228,7 +229,14 @@ struct incfs_blockmap {
 	__le32 m_block_count;
 } __packed;
-/* Metadata record for file signature. Type = INCFS_MD_SIGNATURE */
+/*
 * Metadata record for file signature. Type = INCFS_MD_SIGNATURE
 *
 * The signature stored here is the APK V4 signature data blob. See the
 * definition of incfs_new_file_args::signature_info for an explanation of this
 * blob. Specifically, it contains the root hash, but it does *not* contain
 * anything that the kernel treats as a signature.
 */
 struct incfs_file_signature {
 	struct incfs_md_header sg_header;
@@ -259,6 +267,29 @@ struct incfs_status {
 	__le32 is_dummy[6]; /* Spare fields */
 } __packed;
 /*
 * Metadata record for verity signature. Type = INCFS_MD_VERITY_SIGNATURE
 *
 * This record will only exist for verity-enabled files with signatures. Verity
 * enabled files without signatures do not have this record. This signature is
 * checked by fs-verity identically to any other fs-verity signature.
 */
 struct incfs_file_verity_signature {
 	struct incfs_md_header vs_header;
 	 /* The size of the signature */
 	__le32 vs_size;
 	 /* Signature's offset in the backing file */
 	__le64 vs_offset;
 } __packed;
 /* In memory version of above */
 struct incfs_df_verity_signature {
 	u32 size;
 	u64 offset;
 };
 /* State of the backing file. */
 struct backing_file_context {
 	/* Protects writes to bc_file */
@@ -291,6 +322,7 @@ struct metadata_handler {
 		struct incfs_blockmap blockmap;
 		struct incfs_file_signature signature;
 		struct incfs_status status;
 		struct incfs_file_verity_signature verity_signature;
 	} md_buffer;
 	int (*handle_blockmap)(struct incfs_blockmap *bm,
@@ -299,6 +331,8 @@ struct metadata_handler {
 				 struct metadata_handler *handler);
 	int (*handle_status)(struct incfs_status *sig,
 				 struct metadata_handler *handler);
 	int (*handle_verity_signature)(struct incfs_file_verity_signature *s,
 					struct metadata_handler *handler);
 };
 #define INCFS_MAX_METADATA_RECORD_SIZE \
 	sizeof_field(struct metadata_handler, md_buffer)
@@ -339,6 +373,9 @@ int incfs_write_status_to_backing_file(struct backing_file_context *bfc,
 				       loff_t status_offset,
 				       u32 data_blocks_written,
 				       u32 hash_blocks_written);
 int incfs_write_verity_signature_to_backing_file(
 		struct backing_file_context *bfc, struct mem_range signature,
 		loff_t *offset);
 /* Reading stuff */
 int incfs_read_file_header(struct backing_file_context *bfc,
--- a/fs/incfs/verity.c
+++ b/fs/incfs/verity.c
@@ -49,6 +49,7 @@
 #include "verity.h"
 #include "data_mgmt.h"
 #include "format.h"
 #include "integrity.h"
 #include "vfs.h"
@@ -67,12 +68,59 @@ static int incfs_get_root_hash(struct file *filp, u8 *root_hash)
 	return 0;
 }
-static int incfs_end_enable_verity(struct file *filp)
+static int incfs_end_enable_verity(struct file *filp, u8 *sig, size_t sig_size)
 {
 	struct inode *inode = file_inode(filp);
 	struct mem_range signature = {
 		.data = sig,
 		.len = sig_size,
 	};
 	struct data_file *df = get_incfs_data_file(filp);
 	struct backing_file_context *bfc;
 	int error;
 	struct incfs_df_verity_signature *vs;
 	loff_t offset;
 	if (!df || !df->df_backing_file_context)
 		return -EFSCORRUPTED;
 	vs = kzalloc(sizeof(*vs), GFP_NOFS);
 	if (!vs)
 		return -ENOMEM;
 	bfc = df->df_backing_file_context;
 	error = mutex_lock_interruptible(&bfc->bc_mutex);
 	if (error)
 		goto out;
 	error = incfs_write_verity_signature_to_backing_file(bfc, signature,
 							     &offset);
 	mutex_unlock(&bfc->bc_mutex);
 	if (error)
 		goto out;
 	/*
 	 * Set verity xattr so we can set S_VERITY without opening backing file
 	 */
 	error = vfs_setxattr(bfc->bc_file->f_path.dentry,
 			     INCFS_XATTR_VERITY_NAME, NULL, 0, XATTR_CREATE);
 	if (error) {
 		pr_warn("incfs: error setting verity xattr: %d\n", error);
 		goto out;
 	}
 	*vs = (struct incfs_df_verity_signature) {
 		.size = signature.len,
 		.offset = offset,
 	};
 	df->df_verity_signature = vs;
 	vs = NULL;
 	inode_set_flags(inode, S_VERITY, S_VERITY);
-	return 0;
+
 out:
 	kfree(vs);
 	return error;
 }
 static int incfs_compute_file_digest(struct incfs_hash_alg *alg,
@@ -246,6 +294,11 @@ static int incfs_enable_verity(struct file *filp,
 	if (err)
 		return err;
 	if (IS_VERITY(inode)) {
 		err = -EEXIST;
 		goto out;
 	}
 	/* Get the signature if the user provided one */
 	if (arg->sig_size) {
 		signature = memdup_user(u64_to_user_ptr(arg->sig_ptr),
@@ -265,7 +318,7 @@ static int incfs_enable_verity(struct file *filp,
 		goto out;
 	}
-	err = incfs_end_enable_verity(filp);
+	err = incfs_end_enable_verity(filp, signature, arg->sig_size);
 	if (err)
 		goto out;
@@ -316,3 +369,94 @@ int incfs_ioctl_enable_verity(struct file *filp, const void __user *uarg)
 	return incfs_enable_verity(filp, &arg);
 }
 static u8 *incfs_get_verity_signature(struct file *filp, size_t *sig_size)
 {
 	struct data_file *df = get_incfs_data_file(filp);
 	struct incfs_df_verity_signature *vs;
 	u8 *signature;
 	int res;
 	if (!df || !df->df_backing_file_context)
 		return ERR_PTR(-EFSCORRUPTED);
 	vs = df->df_verity_signature;
 	if (!vs) {
 		*sig_size = 0;
 		return NULL;
 	}
 	signature = kzalloc(vs->size, GFP_KERNEL);
 	if (!signature)
 		return ERR_PTR(-ENOMEM);
 	res = incfs_kread(df->df_backing_file_context,
 			  signature, vs->size, vs->offset);
 	if (res < 0)
 		goto err_out;
 	if (res != vs->size) {
 		res = -EINVAL;
 		goto err_out;
 	}
 	*sig_size = vs->size;
 	return signature;
 err_out:
 	kfree(signature);
 	return ERR_PTR(res);
 }
 /* Ensure data_file->df_verity_file_digest is populated */
 static int ensure_verity_info(struct inode *inode, struct file *filp)
 {
 	struct mem_range verity_file_digest;
 	u8 *signature = NULL;
 	size_t sig_size;
 	int err = 0;
 	/* See if this file's verity file digest is already cached */
 	verity_file_digest = incfs_get_verity_digest(inode);
 	if (verity_file_digest.data)
 		return 0;
 	signature = incfs_get_verity_signature(filp, &sig_size);
 	if (IS_ERR(signature))
 		return PTR_ERR(signature);
 	verity_file_digest = incfs_calc_verity_digest(inode, filp, signature,
 						     sig_size,
 						     FS_VERITY_HASH_ALG_SHA256);
 	if (IS_ERR(verity_file_digest.data)) {
 		err = PTR_ERR(verity_file_digest.data);
 		goto out;
 	}
 	incfs_set_verity_digest(inode, verity_file_digest);
 out:
 	kfree(signature);
 	return err;
 }
 /**
 * incfs_fsverity_file_open() - prepare to open a file that may be
 * verity-enabled
 * @inode: the inode being opened
 * @filp: the struct file being set up
 *
 * When opening a verity file, set up data_file->df_verity_file_digest if not
 * already done. Note that incfs does not allow opening for writing, so there is
 * no need for that check.
 *
 * Return: 0 on success, -errno on failure
 */
 int incfs_fsverity_file_open(struct inode *inode, struct file *filp)
 {
 	if (IS_VERITY(inode))
 		return ensure_verity_info(inode, filp);
 	return 0;
 }
--- a/fs/incfs/verity.h
+++ b/fs/incfs/verity.h
@@ -6,10 +6,15 @@
 #ifndef _INCFS_VERITY_H
 #define _INCFS_VERITY_H
 /* Arbitrary limit to bound the kmalloc() size.  Can be changed. */
 #define FS_VERITY_MAX_SIGNATURE_SIZE	16128
 #ifdef CONFIG_FS_VERITY
 int incfs_ioctl_enable_verity(struct file *filp, const void __user *uarg);
 int incfs_fsverity_file_open(struct inode *inode, struct file *filp);
 #else /* !CONFIG_FS_VERITY */
 static inline int incfs_ioctl_enable_verity(struct file *filp,
@@ -18,6 +23,12 @@ static inline int incfs_ioctl_enable_verity(struct file *filp,
 	return -EOPNOTSUPP;
 }
 static inline int incfs_fsverity_file_open(struct inode *inode,
 					   struct file *filp)
 {
 	return -EOPNOTSUPP;
 }
 #endif /* !CONFIG_FS_VERITY */
 #endif
--- a/fs/incfs/vfs.c
+++ b/fs/incfs/vfs.c
@@ -159,6 +159,8 @@ struct inode_search {
 	struct dentry *backing_dentry;
 	size_t size;
 	bool verity;
 };
 enum parse_parameter {
@@ -255,6 +257,13 @@ static u64 read_size_attr(struct dentry *backing_dentry)
 	return le64_to_cpu(attr_value);
 }
 /* Read verity flag from the attribute. Quicker than reading the header */
 static bool read_verity_attr(struct dentry *backing_dentry)
 {
 	return vfs_getxattr(backing_dentry, INCFS_XATTR_VERITY_NAME, NULL, 0)
 		>= 0;
 }
 static int inode_test(struct inode *inode, void *opaque)
 {
 	struct inode_search *search = opaque;
@@ -285,6 +294,8 @@ static int inode_set(struct inode *inode, void *opaque)
 		inode->i_op = &incfs_file_inode_ops;
 		inode->i_fop = &incfs_file_ops;
 		inode->i_mode &= ~0222;
 		if (search->verity)
 			inode_set_flags(inode, S_VERITY, S_VERITY);
 	} else if (S_ISDIR(inode->i_mode)) {
 		inode->i_size = 0;
 		inode->i_blocks = 1;
@@ -319,6 +330,7 @@ static struct inode *fetch_regular_inode(struct super_block *sb,
 		.ino = backing_inode->i_ino,
 		.backing_dentry = backing_dentry,
 		.size = read_size_attr(backing_dentry),
 		.verity = read_verity_attr(backing_dentry),
 	};
 	struct inode *inode = iget5_locked(sb, search.ino, inode_test,
 				inode_set, &search);
@@ -1370,7 +1382,12 @@ static int file_open(struct inode *inode, struct file *file)
 		file->private_data = fd;
 		err = make_inode_ready_for_data_ops(mi, inode, backing_file);
 		if (err)
 			goto out;
 		err = incfs_fsverity_file_open(inode, file);
 		if (err)
 			goto out;
 	} else if (S_ISDIR(inode->i_mode)) {
 		struct dir_file *dir = NULL;
--- a/include/uapi/linux/incrementalfs.h
+++ b/include/uapi/linux/incrementalfs.h
@@ -36,6 +36,7 @@
 #define INCFS_XATTR_ID_NAME (XATTR_USER_PREFIX "incfs.id")
 #define INCFS_XATTR_SIZE_NAME (XATTR_USER_PREFIX "incfs.size")
 #define INCFS_XATTR_METADATA_NAME (XATTR_USER_PREFIX "incfs.metadata")
 #define INCFS_XATTR_VERITY_NAME (XATTR_USER_PREFIX "incfs.verity")
 #define INCFS_MAX_SIGNATURE_SIZE 8096
 #define INCFS_SIGNATURE_VERSION 2
--- a/tools/testing/selftests/filesystems/incfs/incfs_test.c
+++ b/tools/testing/selftests/filesystems/incfs/incfs_test.c
@@ -3929,6 +3929,15 @@ static int verity_test_optional_sigs(const char *mount_dir, bool use_signatures)
 			  0);
 	}
 	for (i = 0; i < file_num; i++)
 		TESTEQUAL(validate_verity(mount_dir, &test.files[i]), 0);
 	close(cmd_fd);
 	cmd_fd = -1;
 	TESTEQUAL(umount(mount_dir), 0);
 	TESTEQUAL(mount_fs_opt(mount_dir, backing_dir, "readahead=0", false),
 		  0);
 	for (i = 0; i < file_num; i++)
 		TESTEQUAL(validate_verity(mount_dir, &test.files[i]), 0);