linux/fs/verity/measure.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Ioctl to get a verity file's digest
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <linux/uaccess.h>

/**
 * fsverity_ioctl_measure() - get a verity file's digest
 * @filp: file to get digest of
 * @_uarg: user pointer to fsverity_digest
 *
 * Retrieve the file digest that the kernel is enforcing for reads from a verity
 * file.  See the "FS_IOC_MEASURE_VERITY" section of
 * Documentation/filesystems/fsverity.rst for the documentation.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_ioctl_measure(struct file *filp, void __user *_uarg)
{
	const struct inode *inode = file_inode(filp);
	struct fsverity_digest __user *uarg = _uarg;
	const struct fsverity_info *vi;
	const struct fsverity_hash_alg *hash_alg;
	struct fsverity_digest arg;

	vi = fsverity_get_info(inode);
	if (!vi)
		return -ENODATA; /* not a verity file */
	hash_alg = vi->tree_params.hash_alg;

	/*
	 * The user specifies the digest_size their buffer has space for; we can
	 * return the digest if it fits in the available space.  We write back
	 * the actual size, which may be shorter than the user-specified size.
	 */

	if (get_user(arg.digest_size, &uarg->digest_size))
		return -EFAULT;
	if (arg.digest_size < hash_alg->digest_size)
		return -EOVERFLOW;

	memset(&arg, 0, sizeof(arg));
	arg.digest_algorithm = hash_alg - fsverity_hash_algs;
	arg.digest_size = hash_alg->digest_size;

	if (copy_to_user(uarg, &arg, sizeof(arg)))
		return -EFAULT;

	if (copy_to_user(uarg->digest, vi->file_digest, hash_alg->digest_size))
		return -EFAULT;

	return 0;
}
EXPORT_SYMBOL_GPL(fsverity_ioctl_measure);

/**
 * fsverity_get_digest() - get a verity file's digest
 * @inode: inode to get digest of
 * @digest: (out) pointer to the digest
 * @alg: (out) pointer to the hash algorithm enumeration
 *
 * Return the file hash algorithm and digest of an fsverity protected file.
 * Assumption: before calling fsverity_get_digest(), the file must have been
 * opened.
 *
 * Return: 0 on success, -errno on failure
 */
int fsverity_get_digest(struct inode *inode,
			u8 digest[FS_VERITY_MAX_DIGEST_SIZE],
			enum hash_algo *alg)
{
	const struct fsverity_info *vi;
	const struct fsverity_hash_alg *hash_alg;
	int i;

	vi = fsverity_get_info(inode);
	if (!vi)
		return -ENODATA; /* not a verity file */

	hash_alg = vi->tree_params.hash_alg;
	memset(digest, 0, FS_VERITY_MAX_DIGEST_SIZE);

	/* convert the verity hash algorithm name to a hash_algo_name enum */
	i = match_string(hash_algo_name, HASH_ALGO__LAST, hash_alg->name);
	if (i < 0)
		return -EINVAL;
	*alg = i;

	if (WARN_ON_ONCE(hash_alg->digest_size != hash_digest_size[*alg]))
		return -EINVAL;
	memcpy(digest, vi->file_digest, hash_alg->digest_size);

	pr_debug("file digest %s:%*phN\n", hash_algo_name[*alg],
		 hash_digest_size[*alg], digest);

	return 0;
}
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Add a function for filesystems to call to implement the FS_IOC_MEASURE_VERITY ioctl. This ioctl retrieves the file measurement that fs-verity calculated for the given file and is enforcing for reads; i.e., reads that don't match this hash will fail. This ioctl can be used for authentication or logging of file measurements in userspace. See the "FS_IOC_MEASURE_VERITY" section of Documentation/filesystems/fsverity.rst for the documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 09:26:23 -07:00			`// SPDX-License-Identifier: GPL-2.0`
			`/*`
fs-verity: rename "file measurement" to "file digest" I originally chose the name "file measurement" to refer to the fs-verity file digest to avoid confusion with traditional full-file digests or with the bare root hash of the Merkle tree. But the name "file measurement" hasn't caught on, and usually people are calling it something else, usually the "file digest". E.g. see "struct fsverity_digest" and "struct fsverity_formatted_digest", the libfsverity_compute_digest() and libfsverity_sign_digest() functions in libfsverity, and the "fsverity digest" command. Having multiple names for the same thing is always confusing. So to hopefully avoid confusion in the future, rename "fs-verity file measurement" to "fs-verity file digest". This leaves FS_IOC_MEASURE_VERITY as the only reference to "measure" in the kernel, which makes some amount of sense since the ioctl is actively "measuring" the file. I'll be renaming this in fsverity-utils too (though similarly the 'fsverity measure' command, which is a wrapper for FS_IOC_MEASURE_VERITY, will stay). Acked-by: Luca Boccassi <luca.boccassi@microsoft.com> Link: https://lore.kernel.org/r/20201113211918.71883-4-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2020-11-13 13:19:17 -08:00			`* Ioctl to get a verity file's digest`
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Add a function for filesystems to call to implement the FS_IOC_MEASURE_VERITY ioctl. This ioctl retrieves the file measurement that fs-verity calculated for the given file and is enforcing for reads; i.e., reads that don't match this hash will fail. This ioctl can be used for authentication or logging of file measurements in userspace. See the "FS_IOC_MEASURE_VERITY" section of Documentation/filesystems/fsverity.rst for the documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 09:26:23 -07:00			`*`
			`* Copyright 2019 Google LLC`
			`*/`

			`#include "fsverity_private.h"`

			`#include <linux/uaccess.h>`

			`/**`
fs-verity: rename "file measurement" to "file digest" I originally chose the name "file measurement" to refer to the fs-verity file digest to avoid confusion with traditional full-file digests or with the bare root hash of the Merkle tree. But the name "file measurement" hasn't caught on, and usually people are calling it something else, usually the "file digest". E.g. see "struct fsverity_digest" and "struct fsverity_formatted_digest", the libfsverity_compute_digest() and libfsverity_sign_digest() functions in libfsverity, and the "fsverity digest" command. Having multiple names for the same thing is always confusing. So to hopefully avoid confusion in the future, rename "fs-verity file measurement" to "fs-verity file digest". This leaves FS_IOC_MEASURE_VERITY as the only reference to "measure" in the kernel, which makes some amount of sense since the ioctl is actively "measuring" the file. I'll be renaming this in fsverity-utils too (though similarly the 'fsverity measure' command, which is a wrapper for FS_IOC_MEASURE_VERITY, will stay). Acked-by: Luca Boccassi <luca.boccassi@microsoft.com> Link: https://lore.kernel.org/r/20201113211918.71883-4-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2020-11-13 13:19:17 -08:00			`* fsverity_ioctl_measure() - get a verity file's digest`
			`* @filp: file to get digest of`
fs-verity: fix all kerneldoc warnings Fix all kerneldoc warnings in fs/verity/ and include/linux/fsverity.h. Most of these were due to missing documentation for function parameters. Detected with: scripts/kernel-doc -v -none fs/verity/*.{c,h} include/linux/fsverity.h This cleanup makes it possible to check new patches for kerneldoc warnings without having to filter out all the existing ones. Link: https://lore.kernel.org/r/20200511192118.71427-2-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2020-05-11 12:21:17 -07:00			`* @_uarg: user pointer to fsverity_digest`
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Add a function for filesystems to call to implement the FS_IOC_MEASURE_VERITY ioctl. This ioctl retrieves the file measurement that fs-verity calculated for the given file and is enforcing for reads; i.e., reads that don't match this hash will fail. This ioctl can be used for authentication or logging of file measurements in userspace. See the "FS_IOC_MEASURE_VERITY" section of Documentation/filesystems/fsverity.rst for the documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 09:26:23 -07:00			`*`
fs-verity: rename "file measurement" to "file digest" I originally chose the name "file measurement" to refer to the fs-verity file digest to avoid confusion with traditional full-file digests or with the bare root hash of the Merkle tree. But the name "file measurement" hasn't caught on, and usually people are calling it something else, usually the "file digest". E.g. see "struct fsverity_digest" and "struct fsverity_formatted_digest", the libfsverity_compute_digest() and libfsverity_sign_digest() functions in libfsverity, and the "fsverity digest" command. Having multiple names for the same thing is always confusing. So to hopefully avoid confusion in the future, rename "fs-verity file measurement" to "fs-verity file digest". This leaves FS_IOC_MEASURE_VERITY as the only reference to "measure" in the kernel, which makes some amount of sense since the ioctl is actively "measuring" the file. I'll be renaming this in fsverity-utils too (though similarly the 'fsverity measure' command, which is a wrapper for FS_IOC_MEASURE_VERITY, will stay). Acked-by: Luca Boccassi <luca.boccassi@microsoft.com> Link: https://lore.kernel.org/r/20201113211918.71883-4-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2020-11-13 13:19:17 -08:00			`* Retrieve the file digest that the kernel is enforcing for reads from a verity`
			`* file. See the "FS_IOC_MEASURE_VERITY" section of`
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Add a function for filesystems to call to implement the FS_IOC_MEASURE_VERITY ioctl. This ioctl retrieves the file measurement that fs-verity calculated for the given file and is enforcing for reads; i.e., reads that don't match this hash will fail. This ioctl can be used for authentication or logging of file measurements in userspace. See the "FS_IOC_MEASURE_VERITY" section of Documentation/filesystems/fsverity.rst for the documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 09:26:23 -07:00			`* Documentation/filesystems/fsverity.rst for the documentation.`
			`*`
			`* Return: 0 on success, -errno on failure`
			`*/`
			`int fsverity_ioctl_measure(struct file filp, void __user _uarg)`
			`{`
			`const struct inode *inode = file_inode(filp);`
			`struct fsverity_digest __user *uarg = _uarg;`
			`const struct fsverity_info *vi;`
			`const struct fsverity_hash_alg *hash_alg;`
			`struct fsverity_digest arg;`

			`vi = fsverity_get_info(inode);`
			`if (!vi)`
			`return -ENODATA; /* not a verity file */`
			`hash_alg = vi->tree_params.hash_alg;`

			`/*`
			`* The user specifies the digest_size their buffer has space for; we can`
			`* return the digest if it fits in the available space. We write back`
			`* the actual size, which may be shorter than the user-specified size.`
			`*/`

			`if (get_user(arg.digest_size, &uarg->digest_size))`
			`return -EFAULT;`
			`if (arg.digest_size < hash_alg->digest_size)`
			`return -EOVERFLOW;`

			`memset(&arg, 0, sizeof(arg));`
			`arg.digest_algorithm = hash_alg - fsverity_hash_algs;`
			`arg.digest_size = hash_alg->digest_size;`

			`if (copy_to_user(uarg, &arg, sizeof(arg)))`
			`return -EFAULT;`

fs-verity: rename "file measurement" to "file digest" I originally chose the name "file measurement" to refer to the fs-verity file digest to avoid confusion with traditional full-file digests or with the bare root hash of the Merkle tree. But the name "file measurement" hasn't caught on, and usually people are calling it something else, usually the "file digest". E.g. see "struct fsverity_digest" and "struct fsverity_formatted_digest", the libfsverity_compute_digest() and libfsverity_sign_digest() functions in libfsverity, and the "fsverity digest" command. Having multiple names for the same thing is always confusing. So to hopefully avoid confusion in the future, rename "fs-verity file measurement" to "fs-verity file digest". This leaves FS_IOC_MEASURE_VERITY as the only reference to "measure" in the kernel, which makes some amount of sense since the ioctl is actively "measuring" the file. I'll be renaming this in fsverity-utils too (though similarly the 'fsverity measure' command, which is a wrapper for FS_IOC_MEASURE_VERITY, will stay). Acked-by: Luca Boccassi <luca.boccassi@microsoft.com> Link: https://lore.kernel.org/r/20201113211918.71883-4-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2020-11-13 13:19:17 -08:00			`if (copy_to_user(uarg->digest, vi->file_digest, hash_alg->digest_size))`
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Add a function for filesystems to call to implement the FS_IOC_MEASURE_VERITY ioctl. This ioctl retrieves the file measurement that fs-verity calculated for the given file and is enforcing for reads; i.e., reads that don't match this hash will fail. This ioctl can be used for authentication or logging of file measurements in userspace. See the "FS_IOC_MEASURE_VERITY" section of Documentation/filesystems/fsverity.rst for the documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 09:26:23 -07:00			`return -EFAULT;`

			`return 0;`
			`}`
			`EXPORT_SYMBOL_GPL(fsverity_ioctl_measure);`
fs-verity: define a function to return the integrity protected file digest Define a function named fsverity_get_digest() to return the verity file digest and the associated hash algorithm (enum hash_algo). This assumes that before calling fsverity_get_digest() the file must have been opened, which is even true for the IMA measure/appraise on file open policy rule use case (func=FILE_CHECK). do_open() calls vfs_open() immediately prior to ima_file_check(). Acked-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-11-23 13:37:52 -05:00
			`/**`
			`* fsverity_get_digest() - get a verity file's digest`
			`* @inode: inode to get digest of`
			`* @digest: (out) pointer to the digest`
			`* @alg: (out) pointer to the hash algorithm enumeration`
			`*`
			`* Return the file hash algorithm and digest of an fsverity protected file.`
			`* Assumption: before calling fsverity_get_digest(), the file must have been`
			`* opened.`
			`*`
			`* Return: 0 on success, -errno on failure`
			`*/`
			`int fsverity_get_digest(struct inode *inode,`
			`u8 digest[FS_VERITY_MAX_DIGEST_SIZE],`
			`enum hash_algo *alg)`
			`{`
			`const struct fsverity_info *vi;`
			`const struct fsverity_hash_alg *hash_alg;`
			`int i;`

			`vi = fsverity_get_info(inode);`
			`if (!vi)`
			`return -ENODATA; /* not a verity file */`

			`hash_alg = vi->tree_params.hash_alg;`
			`memset(digest, 0, FS_VERITY_MAX_DIGEST_SIZE);`

			`/* convert the verity hash algorithm name to a hash_algo_name enum */`
			`i = match_string(hash_algo_name, HASH_ALGO__LAST, hash_alg->name);`
			`if (i < 0)`
			`return -EINVAL;`
			`*alg = i;`

			`if (WARN_ON_ONCE(hash_alg->digest_size != hash_digest_size[*alg]))`
			`return -EINVAL;`
			`memcpy(digest, vi->file_digest, hash_alg->digest_size);`

			`pr_debug("file digest %s:%phN\n", hash_algo_name[alg],`
			`hash_digest_size[*alg], digest);`

			`return 0;`
			`}`