1. 07 Feb, 2021 5 commits
    • Eric Biggers's avatar
      fs-verity: support reading descriptor with ioctl · 947191ac
      Eric Biggers authored
      Add support for FS_VERITY_METADATA_TYPE_DESCRIPTOR to
      FS_IOC_READ_VERITY_METADATA.  This allows a userspace server program to
      retrieve the fs-verity descriptor of a file for serving to a client
      which implements fs-verity compatible verification.  See the patch which
      introduced FS_IOC_READ_VERITY_METADATA for more details.
      
      "fs-verity descriptor" here means only the part that userspace cares
      about because it is hashed to produce the file digest.  It doesn't
      include the signature which ext4 and f2fs append to the
      fsverity_descriptor struct when storing it on-disk, since that way of
      storing the signature is an implementation detail.  The next patch adds
      a separate metadata_type value for retrieving the signature separately.
      
      This has been tested using a new xfstest which calls this ioctl via a
      new subcommand for the 'fsverity' program from fsverity-utils.
      
      Link: https://lore.kernel.org/r/20210115181819.34732-6-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
      Reviewed-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      947191ac
    • Eric Biggers's avatar
      fs-verity: support reading Merkle tree with ioctl · 622699cf
      Eric Biggers authored
      Add support for FS_VERITY_METADATA_TYPE_MERKLE_TREE to
      FS_IOC_READ_VERITY_METADATA.  This allows a userspace server program to
      retrieve the Merkle tree of a verity file for serving to a client which
      implements fs-verity compatible verification.  See the patch which
      introduced FS_IOC_READ_VERITY_METADATA for more details.
      
      This has been tested using a new xfstest which calls this ioctl via a
      new subcommand for the 'fsverity' program from fsverity-utils.
      
      Link: https://lore.kernel.org/r/20210115181819.34732-5-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
      Reviewed-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      622699cf
    • Eric Biggers's avatar
      fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl · e17fe657
      Eric Biggers authored
      Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
      metadata from a file that has fs-verity enabled, including:
      
      - The Merkle tree
      - The fsverity_descriptor (not including the signature if present)
      - The built-in signature, if present
      
      This ioctl has similar semantics to pread().  It is passed the type of
      metadata to read (one of the above three), and a buffer, offset, and
      size.  It returns the number of bytes read or an error.
      
      Separate patches will add support for each of the above metadata types.
      This patch just adds the ioctl itself.
      
      This ioctl doesn't make any assumption about where the metadata is
      stored on-disk.  It does assume the metadata is in a stable format, but
      that's basically already the case:
      
      - The Merkle tree and fsverity_descriptor are defined by how fs-verity
        file digests are computed; see the "File digest computation" section
        of Documentation/filesystems/fsverity.rst.  Technically, the way in
        which the levels of the tree are ordered relative to each other wasn't
        previously specified, but it's logical to put the root level first.
      
      - The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
      
      This ioctl is useful because it allows writing a server program that
      takes a verity file and serves it to a client program, such that the
      client can do its own fs-verity compatible verification of the file.
      This only makes sense if the client doesn't trust the server and if the
      server needs to provide the storage for the client.
      
      More concretely, there is interest in using this ability in Android to
      export APK files (which are protected by fs-verity) to "protected VMs".
      This would use Protected KVM (https://lwn.net/Articles/836693), which
      provides an isolated execution environment without having to trust the
      traditional "host".  A "guest" VM can boot from a signed image and
      perform specific tasks in a minimum trusted environment using files that
      have fs-verity enabled on the host, without trusting the host or
      requiring that the guest has its own trusted storage.
      
      Technically, it would be possible to duplicate the metadata and store it
      in separate files for serving.  However, that would be less efficient
      and would require extra care in userspace to maintain file consistency.
      
      In addition to the above, the ability to read the built-in signatures is
      useful because it allows a system that is using the in-kernel signature
      verification to migrate to userspace signature verification.
      
      Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
      Acked-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      e17fe657
    • Eric Biggers's avatar
      fs-verity: don't pass whole descriptor to fsverity_verify_signature() · fab634c4
      Eric Biggers authored
      Now that fsverity_get_descriptor() validates the sig_size field,
      fsverity_verify_signature() doesn't need to do it.
      
      Just change the prototype of fsverity_verify_signature() to take the
      signature directly rather than take a fsverity_descriptor.
      
      Link: https://lore.kernel.org/r/20210115181819.34732-3-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
      Reviewed-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Reviewed-by: default avatarAmy Parker <enbyamy@gmail.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      fab634c4
    • Eric Biggers's avatar
      fs-verity: factor out fsverity_get_descriptor() · c2c82611
      Eric Biggers authored
      The FS_IOC_READ_VERITY_METADATA ioctl will need to return the fs-verity
      descriptor (and signature) to userspace.
      
      There are a few ways we could implement this:
      
      - Save a copy of the descriptor (and signature) in the fsverity_info
        struct that hangs off of the in-memory inode.  However, this would
        waste memory since most of the time it wouldn't be needed.
      
      - Regenerate the descriptor from the merkle_tree_params in the
        fsverity_info.  However, this wouldn't work for the signature, nor for
        the salt which the merkle_tree_params only contains indirectly as part
        of the 'hashstate'.  It would also be error-prone.
      
      - Just get them from the filesystem again.  The disadvantage is that in
        general we can't trust that they haven't been maliciously changed
        since the file has opened.  However, the use cases for
        FS_IOC_READ_VERITY_METADATA don't require that it verifies the chain
        of trust.  So this is okay as long as we do some basic validation.
      
      In preparation for implementing the third option, factor out a helper
      function fsverity_get_descriptor() which gets the descriptor (and
      appended signature) from the filesystem and does some basic validation.
      
      As part of this, start checking the sig_size field for overflow.
      Currently fsverity_verify_signature() does this.  But the new ioctl will
      need this too, so do it earlier.
      
      Link: https://lore.kernel.org/r/20210115181819.34732-2-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
      Reviewed-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      c2c82611
  2. 25 Jan, 2021 1 commit
  3. 24 Jan, 2021 34 commits