Commit 51895d58 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt

Pull fsverity updates from Eric Biggers:
 "Some cleanups for fs-verity:

   - Rename some names that have been causing confusion

   - Move structs needed for file signing to the UAPI header"

* tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt:
  fs-verity: move structs needed for file signing to UAPI header
  fs-verity: rename "file measurement" to "file digest"
  fs-verity: rename fsverity_signed_digest to fsverity_formatted_digest
  fs-verity: remove filenames from file comments
parents 7c7fdaf6 bde49334
...@@ -27,9 +27,9 @@ automatically verified against the file's Merkle tree. Reads of any ...@@ -27,9 +27,9 @@ automatically verified against the file's Merkle tree. Reads of any
corrupted data, including mmap reads, will fail. corrupted data, including mmap reads, will fail.
Userspace can use another ioctl to retrieve the root hash (actually Userspace can use another ioctl to retrieve the root hash (actually
the "file measurement", which is a hash that includes the root hash) the "fs-verity file digest", which is a hash that includes the Merkle
that fs-verity is enforcing for the file. This ioctl executes in tree root hash) that fs-verity is enforcing for the file. This ioctl
constant time, regardless of the file size. executes in constant time, regardless of the file size.
fs-verity is essentially a way to hash a file in constant time, fs-verity is essentially a way to hash a file in constant time,
subject to the caveat that reads which would violate the hash will subject to the caveat that reads which would violate the hash will
...@@ -177,9 +177,10 @@ FS_IOC_ENABLE_VERITY can fail with the following errors: ...@@ -177,9 +177,10 @@ FS_IOC_ENABLE_VERITY can fail with the following errors:
FS_IOC_MEASURE_VERITY FS_IOC_MEASURE_VERITY
--------------------- ---------------------
The FS_IOC_MEASURE_VERITY ioctl retrieves the measurement of a verity The FS_IOC_MEASURE_VERITY ioctl retrieves the digest of a verity file.
file. The file measurement is a digest that cryptographically The fs-verity file digest is a cryptographic digest that identifies
identifies the file contents that are being enforced on reads. the file contents that are being enforced on reads; it is computed via
a Merkle tree and is different from a traditional full-file digest.
This ioctl takes in a pointer to a variable-length structure:: This ioctl takes in a pointer to a variable-length structure::
...@@ -197,7 +198,7 @@ On success, 0 is returned and the kernel fills in the structure as ...@@ -197,7 +198,7 @@ On success, 0 is returned and the kernel fills in the structure as
follows: follows:
- ``digest_algorithm`` will be the hash algorithm used for the file - ``digest_algorithm`` will be the hash algorithm used for the file
measurement. It will match ``fsverity_enable_arg::hash_algorithm``. digest. It will match ``fsverity_enable_arg::hash_algorithm``.
- ``digest_size`` will be the size of the digest in bytes, e.g. 32 - ``digest_size`` will be the size of the digest in bytes, e.g. 32
for SHA-256. (This can be redundant with ``digest_algorithm``.) for SHA-256. (This can be redundant with ``digest_algorithm``.)
- ``digest`` will be the actual bytes of the digest. - ``digest`` will be the actual bytes of the digest.
...@@ -257,25 +258,24 @@ non-verity one, with the following exceptions: ...@@ -257,25 +258,24 @@ non-verity one, with the following exceptions:
with EIO (for read()) or SIGBUS (for mmap() reads). with EIO (for read()) or SIGBUS (for mmap() reads).
- If the sysctl "fs.verity.require_signatures" is set to 1 and the - If the sysctl "fs.verity.require_signatures" is set to 1 and the
file's verity measurement is not signed by a key in the fs-verity file is not signed by a key in the fs-verity keyring, then opening
keyring, then opening the file will fail. See `Built-in signature the file will fail. See `Built-in signature verification`_.
verification`_.
Direct access to the Merkle tree is not supported. Therefore, if a Direct access to the Merkle tree is not supported. Therefore, if a
verity file is copied, or is backed up and restored, then it will lose verity file is copied, or is backed up and restored, then it will lose
its "verity"-ness. fs-verity is primarily meant for files like its "verity"-ness. fs-verity is primarily meant for files like
executables that are managed by a package manager. executables that are managed by a package manager.
File measurement computation File digest computation
============================ =======================
This section describes how fs-verity hashes the file contents using a This section describes how fs-verity hashes the file contents using a
Merkle tree to produce the "file measurement" which cryptographically Merkle tree to produce the digest which cryptographically identifies
identifies the file contents. This algorithm is the same for all the file contents. This algorithm is the same for all filesystems
filesystems that support fs-verity. that support fs-verity.
Userspace only needs to be aware of this algorithm if it needs to Userspace only needs to be aware of this algorithm if it needs to
compute the file measurement itself, e.g. in order to sign the file. compute fs-verity file digests itself, e.g. in order to sign files.
.. _fsverity_merkle_tree: .. _fsverity_merkle_tree:
...@@ -325,26 +325,22 @@ can't a distinguish a large file from a small second file whose data ...@@ -325,26 +325,22 @@ can't a distinguish a large file from a small second file whose data
is exactly the top-level hash block of the first file. Ambiguities is exactly the top-level hash block of the first file. Ambiguities
also arise from the convention of padding to the next block boundary. also arise from the convention of padding to the next block boundary.
To solve this problem, the verity file measurement is actually To solve this problem, the fs-verity file digest is actually computed
computed as a hash of the following structure, which contains the as a hash of the following structure, which contains the Merkle tree
Merkle tree root hash as well as other fields such as the file size:: root hash as well as other fields such as the file size::
struct fsverity_descriptor { struct fsverity_descriptor {
__u8 version; /* must be 1 */ __u8 version; /* must be 1 */
__u8 hash_algorithm; /* Merkle tree hash algorithm */ __u8 hash_algorithm; /* Merkle tree hash algorithm */
__u8 log_blocksize; /* log2 of size of data and tree blocks */ __u8 log_blocksize; /* log2 of size of data and tree blocks */
__u8 salt_size; /* size of salt in bytes; 0 if none */ __u8 salt_size; /* size of salt in bytes; 0 if none */
__le32 sig_size; /* must be 0 */ __le32 __reserved_0x04; /* must be 0 */
__le64 data_size; /* size of file the Merkle tree is built over */ __le64 data_size; /* size of file the Merkle tree is built over */
__u8 root_hash[64]; /* Merkle tree root hash */ __u8 root_hash[64]; /* Merkle tree root hash */
__u8 salt[32]; /* salt prepended to each hashed block */ __u8 salt[32]; /* salt prepended to each hashed block */
__u8 __reserved[144]; /* must be 0's */ __u8 __reserved[144]; /* must be 0's */
}; };
Note that the ``sig_size`` field must be set to 0 for the purpose of
computing the file measurement, even if a signature was provided (or
will be provided) to `FS_IOC_ENABLE_VERITY`_.
Built-in signature verification Built-in signature verification
=============================== ===============================
...@@ -359,20 +355,20 @@ kernel. Specifically, it adds support for: ...@@ -359,20 +355,20 @@ kernel. Specifically, it adds support for:
certificates from being added. certificates from being added.
2. `FS_IOC_ENABLE_VERITY`_ accepts a pointer to a PKCS#7 formatted 2. `FS_IOC_ENABLE_VERITY`_ accepts a pointer to a PKCS#7 formatted
detached signature in DER format of the file measurement. On detached signature in DER format of the file's fs-verity digest.
success, this signature is persisted alongside the Merkle tree. On success, this signature is persisted alongside the Merkle tree.
Then, any time the file is opened, the kernel will verify the Then, any time the file is opened, the kernel will verify the
file's actual measurement against this signature, using the file's actual digest against this signature, using the certificates
certificates in the ".fs-verity" keyring. in the ".fs-verity" keyring.
3. A new sysctl "fs.verity.require_signatures" is made available. 3. A new sysctl "fs.verity.require_signatures" is made available.
When set to 1, the kernel requires that all verity files have a When set to 1, the kernel requires that all verity files have a
correctly signed file measurement as described in (2). correctly signed digest as described in (2).
File measurements must be signed in the following format, which is fs-verity file digests must be signed in the following format, which
similar to the structure used by `FS_IOC_MEASURE_VERITY`_:: is similar to the structure used by `FS_IOC_MEASURE_VERITY`_::
struct fsverity_signed_digest { struct fsverity_formatted_digest {
char magic[8]; /* must be "FSVerity" */ char magic[8]; /* must be "FSVerity" */
__le16 digest_algorithm; __le16 digest_algorithm;
__le16 digest_size; __le16 digest_size;
...@@ -421,8 +417,8 @@ can only be set by `FS_IOC_ENABLE_VERITY`_, and it cannot be cleared. ...@@ -421,8 +417,8 @@ can only be set by `FS_IOC_ENABLE_VERITY`_, and it cannot be cleared.
ext4 also supports encryption, which can be used simultaneously with ext4 also supports encryption, which can be used simultaneously with
fs-verity. In this case, the plaintext data is verified rather than fs-verity. In this case, the plaintext data is verified rather than
the ciphertext. This is necessary in order to make the file the ciphertext. This is necessary in order to make the fs-verity file
measurement meaningful, since every file is encrypted differently. digest meaningful, since every file is encrypted differently.
ext4 stores the verity metadata (Merkle tree and fsverity_descriptor) ext4 stores the verity metadata (Merkle tree and fsverity_descriptor)
past the end of the file, starting at the first 64K boundary beyond past the end of the file, starting at the first 64K boundary beyond
...@@ -592,8 +588,8 @@ weren't already directly answered in other parts of this document. ...@@ -592,8 +588,8 @@ weren't already directly answered in other parts of this document.
:Q: Isn't fs-verity useless because the attacker can just modify the :Q: Isn't fs-verity useless because the attacker can just modify the
hashes in the Merkle tree, which is stored on-disk? hashes in the Merkle tree, which is stored on-disk?
:A: To verify the authenticity of an fs-verity file you must verify :A: To verify the authenticity of an fs-verity file you must verify
the authenticity of the "file measurement", which is basically the the authenticity of the "fs-verity file digest", which
root hash of the Merkle tree. See `Use cases`_. incorporates the root hash of the Merkle tree. See `Use cases`_.
:Q: Isn't fs-verity useless because the attacker can just replace a :Q: Isn't fs-verity useless because the attacker can just replace a
verity file with a non-verity one? verity file with a non-verity one?
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/enable.c: ioctl to enable verity on a file * Ioctl to enable verity on a file
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
...@@ -398,9 +398,9 @@ int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) ...@@ -398,9 +398,9 @@ int fsverity_ioctl_enable(struct file *filp, const void __user *uarg)
* Some pages of the file may have been evicted from pagecache after * Some pages of the file may have been evicted from pagecache after
* being used in the Merkle tree construction, then read into pagecache * being used in the Merkle tree construction, then read into pagecache
* again by another process reading from the file concurrently. Since * again by another process reading from the file concurrently. Since
* these pages didn't undergo verification against the file measurement * these pages didn't undergo verification against the file digest which
* which fs-verity now claims to be enforcing, we have to wipe the * fs-verity now claims to be enforcing, we have to wipe the pagecache
* pagecache to ensure that all future reads are verified. * to ensure that all future reads are verified.
*/ */
filemap_write_and_wait(inode->i_mapping); filemap_write_and_wait(inode->i_mapping);
invalidate_inode_pages2(inode->i_mapping); invalidate_inode_pages2(inode->i_mapping);
......
...@@ -67,52 +67,22 @@ struct merkle_tree_params { ...@@ -67,52 +67,22 @@ struct merkle_tree_params {
* When a verity file is first opened, an instance of this struct is allocated * When a verity file is first opened, an instance of this struct is allocated
* and stored in ->i_verity_info; it remains until the inode is evicted. It * and stored in ->i_verity_info; it remains until the inode is evicted. It
* caches information about the Merkle tree that's needed to efficiently verify * caches information about the Merkle tree that's needed to efficiently verify
* data read from the file. It also caches the file measurement. The Merkle * data read from the file. It also caches the file digest. The Merkle tree
* tree pages themselves are not cached here, but the filesystem may cache them. * pages themselves are not cached here, but the filesystem may cache them.
*/ */
struct fsverity_info { struct fsverity_info {
struct merkle_tree_params tree_params; struct merkle_tree_params tree_params;
u8 root_hash[FS_VERITY_MAX_DIGEST_SIZE]; u8 root_hash[FS_VERITY_MAX_DIGEST_SIZE];
u8 measurement[FS_VERITY_MAX_DIGEST_SIZE]; u8 file_digest[FS_VERITY_MAX_DIGEST_SIZE];
const struct inode *inode; const struct inode *inode;
}; };
/*
* Merkle tree properties. The file measurement is the hash of this structure
* excluding the signature and with the sig_size field set to 0.
*/
struct fsverity_descriptor {
__u8 version; /* must be 1 */
__u8 hash_algorithm; /* Merkle tree hash algorithm */
__u8 log_blocksize; /* log2 of size of data and tree blocks */
__u8 salt_size; /* size of salt in bytes; 0 if none */
__le32 sig_size; /* size of signature in bytes; 0 if none */
__le64 data_size; /* size of file the Merkle tree is built over */
__u8 root_hash[64]; /* Merkle tree root hash */
__u8 salt[32]; /* salt prepended to each hashed block */
__u8 __reserved[144]; /* must be 0's */
__u8 signature[]; /* optional PKCS#7 signature */
};
/* Arbitrary limit to bound the kmalloc() size. Can be changed. */ /* Arbitrary limit to bound the kmalloc() size. Can be changed. */
#define FS_VERITY_MAX_DESCRIPTOR_SIZE 16384 #define FS_VERITY_MAX_DESCRIPTOR_SIZE 16384
#define FS_VERITY_MAX_SIGNATURE_SIZE (FS_VERITY_MAX_DESCRIPTOR_SIZE - \ #define FS_VERITY_MAX_SIGNATURE_SIZE (FS_VERITY_MAX_DESCRIPTOR_SIZE - \
sizeof(struct fsverity_descriptor)) sizeof(struct fsverity_descriptor))
/*
* Format in which verity file measurements are signed. This is the same as
* 'struct fsverity_digest', except here some magic bytes are prepended to
* provide some context about what is being signed in case the same key is used
* for non-fsverity purposes, and here the fields have fixed endianness.
*/
struct fsverity_signed_digest {
char magic[8]; /* must be "FSVerity" */
__le16 digest_algorithm;
__le16 digest_size;
__u8 digest[];
};
/* hash_algs.c */ /* hash_algs.c */
extern struct fsverity_hash_alg fsverity_hash_algs[]; extern struct fsverity_hash_alg fsverity_hash_algs[];
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/hash_algs.c: fs-verity hash algorithms * fs-verity hash algorithms
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/init.c: fs-verity module initialization and logging * fs-verity module initialization and logging
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/measure.c: ioctl to get a verity file's measurement * Ioctl to get a verity file's digest
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
...@@ -10,12 +10,12 @@ ...@@ -10,12 +10,12 @@
#include <linux/uaccess.h> #include <linux/uaccess.h>
/** /**
* fsverity_ioctl_measure() - get a verity file's measurement * fsverity_ioctl_measure() - get a verity file's digest
* @filp: file to get measurement of * @filp: file to get digest of
* @_uarg: user pointer to fsverity_digest * @_uarg: user pointer to fsverity_digest
* *
* Retrieve the file measurement that the kernel is enforcing for reads from a * Retrieve the file digest that the kernel is enforcing for reads from a verity
* verity file. See the "FS_IOC_MEASURE_VERITY" section of * file. See the "FS_IOC_MEASURE_VERITY" section of
* Documentation/filesystems/fsverity.rst for the documentation. * Documentation/filesystems/fsverity.rst for the documentation.
* *
* Return: 0 on success, -errno on failure * Return: 0 on success, -errno on failure
...@@ -51,7 +51,7 @@ int fsverity_ioctl_measure(struct file *filp, void __user *_uarg) ...@@ -51,7 +51,7 @@ int fsverity_ioctl_measure(struct file *filp, void __user *_uarg)
if (copy_to_user(uarg, &arg, sizeof(arg))) if (copy_to_user(uarg, &arg, sizeof(arg)))
return -EFAULT; return -EFAULT;
if (copy_to_user(uarg->digest, vi->measurement, hash_alg->digest_size)) if (copy_to_user(uarg->digest, vi->file_digest, hash_alg->digest_size))
return -EFAULT; return -EFAULT;
return 0; return 0;
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/open.c: opening fs-verity files * Opening fs-verity files
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
...@@ -124,18 +124,18 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params, ...@@ -124,18 +124,18 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
} }
/* /*
* Compute the file measurement by hashing the fsverity_descriptor excluding the * Compute the file digest by hashing the fsverity_descriptor excluding the
* signature and with the sig_size field set to 0. * signature and with the sig_size field set to 0.
*/ */
static int compute_file_measurement(struct fsverity_hash_alg *hash_alg, static int compute_file_digest(struct fsverity_hash_alg *hash_alg,
struct fsverity_descriptor *desc, struct fsverity_descriptor *desc,
u8 *measurement) u8 *file_digest)
{ {
__le32 sig_size = desc->sig_size; __le32 sig_size = desc->sig_size;
int err; int err;
desc->sig_size = 0; desc->sig_size = 0;
err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), measurement); err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), file_digest);
desc->sig_size = sig_size; desc->sig_size = sig_size;
return err; return err;
...@@ -199,15 +199,15 @@ struct fsverity_info *fsverity_create_info(const struct inode *inode, ...@@ -199,15 +199,15 @@ struct fsverity_info *fsverity_create_info(const struct inode *inode,
memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size); memcpy(vi->root_hash, desc->root_hash, vi->tree_params.digest_size);
err = compute_file_measurement(vi->tree_params.hash_alg, desc, err = compute_file_digest(vi->tree_params.hash_alg, desc,
vi->measurement); vi->file_digest);
if (err) { if (err) {
fsverity_err(inode, "Error %d computing file measurement", err); fsverity_err(inode, "Error %d computing file digest", err);
goto out; goto out;
} }
pr_debug("Computed file measurement: %s:%*phN\n", pr_debug("Computed file digest: %s:%*phN\n",
vi->tree_params.hash_alg->name, vi->tree_params.hash_alg->name,
vi->tree_params.digest_size, vi->measurement); vi->tree_params.digest_size, vi->file_digest);
err = fsverity_verify_signature(vi, desc, desc_size); err = fsverity_verify_signature(vi, desc, desc_size);
out: out:
...@@ -354,7 +354,7 @@ int __init fsverity_init_info_cache(void) ...@@ -354,7 +354,7 @@ int __init fsverity_init_info_cache(void)
{ {
fsverity_info_cachep = KMEM_CACHE_USERCOPY(fsverity_info, fsverity_info_cachep = KMEM_CACHE_USERCOPY(fsverity_info,
SLAB_RECLAIM_ACCOUNT, SLAB_RECLAIM_ACCOUNT,
measurement); file_digest);
if (!fsverity_info_cachep) if (!fsverity_info_cachep)
return -ENOMEM; return -ENOMEM;
return 0; return 0;
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/signature.c: verification of builtin signatures * Verification of builtin signatures
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
...@@ -32,8 +32,8 @@ static struct key *fsverity_keyring; ...@@ -32,8 +32,8 @@ static struct key *fsverity_keyring;
* @desc: the file's fsverity_descriptor * @desc: the file's fsverity_descriptor
* @desc_size: size of @desc * @desc_size: size of @desc
* *
* If the file's fs-verity descriptor includes a signature of the file * If the file's fs-verity descriptor includes a signature of the file digest,
* measurement, verify it against the certificates in the fs-verity keyring. * verify it against the certificates in the fs-verity keyring.
* *
* Return: 0 on success (signature valid or not required); -errno on failure * Return: 0 on success (signature valid or not required); -errno on failure
*/ */
...@@ -44,7 +44,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi, ...@@ -44,7 +44,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
const struct inode *inode = vi->inode; const struct inode *inode = vi->inode;
const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg; const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
const u32 sig_size = le32_to_cpu(desc->sig_size); const u32 sig_size = le32_to_cpu(desc->sig_size);
struct fsverity_signed_digest *d; struct fsverity_formatted_digest *d;
int err; int err;
if (sig_size == 0) { if (sig_size == 0) {
...@@ -67,7 +67,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi, ...@@ -67,7 +67,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
memcpy(d->magic, "FSVerity", 8); memcpy(d->magic, "FSVerity", 8);
d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs); d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
d->digest_size = cpu_to_le16(hash_alg->digest_size); d->digest_size = cpu_to_le16(hash_alg->digest_size);
memcpy(d->digest, vi->measurement, hash_alg->digest_size); memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size, err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
desc->signature, sig_size, desc->signature, sig_size,
...@@ -90,8 +90,8 @@ int fsverity_verify_signature(const struct fsverity_info *vi, ...@@ -90,8 +90,8 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
return err; return err;
} }
pr_debug("Valid signature for file measurement %s:%*phN\n", pr_debug("Valid signature for file digest %s:%*phN\n",
hash_alg->name, hash_alg->digest_size, vi->measurement); hash_alg->name, hash_alg->digest_size, vi->file_digest);
return 0; return 0;
} }
......
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* fs/verity/verify.c: data verification functions, i.e. hooks for ->readpages() * Data verification functions, i.e. hooks for ->readpages()
* *
* Copyright 2019 Google LLC * Copyright 2019 Google LLC
*/ */
......
...@@ -34,6 +34,55 @@ struct fsverity_digest { ...@@ -34,6 +34,55 @@ struct fsverity_digest {
__u8 digest[]; __u8 digest[];
}; };
/*
* Struct containing a file's Merkle tree properties. The fs-verity file digest
* is the hash of this struct. A userspace program needs this struct only if it
* needs to compute fs-verity file digests itself, e.g. in order to sign files.
* It isn't needed just to enable fs-verity on a file.
*
* Note: when computing the file digest, 'sig_size' and 'signature' must be left
* zero and empty, respectively. These fields are present only because some
* filesystems reuse this struct as part of their on-disk format.
*/
struct fsverity_descriptor {
__u8 version; /* must be 1 */
__u8 hash_algorithm; /* Merkle tree hash algorithm */
__u8 log_blocksize; /* log2 of size of data and tree blocks */
__u8 salt_size; /* size of salt in bytes; 0 if none */
#ifdef __KERNEL__
__le32 sig_size;
#else
__le32 __reserved_0x04; /* must be 0 */
#endif
__le64 data_size; /* size of file the Merkle tree is built over */
__u8 root_hash[64]; /* Merkle tree root hash */
__u8 salt[32]; /* salt prepended to each hashed block */
__u8 __reserved[144]; /* must be 0's */
#ifdef __KERNEL__
__u8 signature[];
#endif
};
/*
* Format in which fs-verity file digests are signed in built-in signatures.
* This is the same as 'struct fsverity_digest', except here some magic bytes
* are prepended to provide some context about what is being signed in case the
* same key is used for non-fsverity purposes, and here the fields have fixed
* endianness.
*
* This struct is specific to the built-in signature verification support, which
* is optional. fs-verity users may also verify signatures in userspace, in
* which case userspace is responsible for deciding on what bytes are signed.
* This struct may still be used, but it doesn't have to be. For example,
* userspace could instead use a string like "sha256:$digest_as_hex_string".
*/
struct fsverity_formatted_digest {
char magic[8]; /* must be "FSVerity" */
__le16 digest_algorithm;
__le16 digest_size;
__u8 digest[];
};
#define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg) #define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg)
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest) #define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment