1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * fs/f2fs/verity.c: fs-verity support for f2fs 4 * 5 * Copyright 2019 Google LLC 6 */ 7 8 /* 9 * Implementation of fsverity_operations for f2fs. 10 * 11 * Like ext4, f2fs stores the verity metadata (Merkle tree and 12 * fsverity_descriptor) past the end of the file, starting at the first 64K 13 * boundary beyond i_size. This approach works because (a) verity files are 14 * readonly, and (b) pages fully beyond i_size aren't visible to userspace but 15 * can be read/written internally by f2fs with only some relatively small 16 * changes to f2fs. Extended attributes cannot be used because (a) f2fs limits 17 * the total size of an inode's xattr entries to 4096 bytes, which wouldn't be 18 * enough for even a single Merkle tree block, and (b) f2fs encryption doesn't 19 * encrypt xattrs, yet the verity metadata *must* be encrypted when the file is 20 * because it contains hashes of the plaintext data. 21 * 22 * Using a 64K boundary rather than a 4K one keeps things ready for 23 * architectures with 64K pages, and it doesn't necessarily waste space on-disk 24 * since there can be a hole between i_size and the start of the Merkle tree. 25 */ 26 27 #include <linux/f2fs_fs.h> 28 29 #include "f2fs.h" 30 #include "xattr.h" 31 32 #define F2FS_VERIFY_VER (1) 33 34 static inline loff_t f2fs_verity_metadata_pos(const struct inode *inode) 35 { 36 return round_up(inode->i_size, 65536); 37 } 38 39 /* 40 * Read some verity metadata from the inode. __vfs_read() can't be used because 41 * we need to read beyond i_size. 42 */ 43 static int pagecache_read(struct inode *inode, void *buf, size_t count, 44 loff_t pos) 45 { 46 while (count) { 47 size_t n = min_t(size_t, count, 48 PAGE_SIZE - offset_in_page(pos)); 49 struct page *page; 50 51 page = read_mapping_page(inode->i_mapping, pos >> PAGE_SHIFT, 52 NULL); 53 if (IS_ERR(page)) 54 return PTR_ERR(page); 55 56 memcpy_from_page(buf, page, offset_in_page(pos), n); 57 58 put_page(page); 59 60 buf += n; 61 pos += n; 62 count -= n; 63 } 64 return 0; 65 } 66 67 /* 68 * Write some verity metadata to the inode for FS_IOC_ENABLE_VERITY. 69 * kernel_write() can't be used because the file descriptor is readonly. 70 */ 71 static int pagecache_write(struct inode *inode, const void *buf, size_t count, 72 loff_t pos) 73 { 74 struct address_space *mapping = inode->i_mapping; 75 const struct address_space_operations *aops = mapping->a_ops; 76 77 if (pos + count > inode->i_sb->s_maxbytes) 78 return -EFBIG; 79 80 while (count) { 81 size_t n = min_t(size_t, count, 82 PAGE_SIZE - offset_in_page(pos)); 83 struct page *page; 84 void *fsdata = NULL; 85 int res; 86 87 res = aops->write_begin(NULL, mapping, pos, n, &page, &fsdata); 88 if (res) 89 return res; 90 91 memcpy_to_page(page, offset_in_page(pos), buf, n); 92 93 res = aops->write_end(NULL, mapping, pos, n, n, page, fsdata); 94 if (res < 0) 95 return res; 96 if (res != n) 97 return -EIO; 98 99 buf += n; 100 pos += n; 101 count -= n; 102 } 103 return 0; 104 } 105 106 /* 107 * Format of f2fs verity xattr. This points to the location of the verity 108 * descriptor within the file data rather than containing it directly because 109 * the verity descriptor *must* be encrypted when f2fs encryption is used. But, 110 * f2fs encryption does not encrypt xattrs. 111 */ 112 struct fsverity_descriptor_location { 113 __le32 version; 114 __le32 size; 115 __le64 pos; 116 }; 117 118 static int f2fs_begin_enable_verity(struct file *filp) 119 { 120 struct inode *inode = file_inode(filp); 121 int err; 122 123 if (f2fs_verity_in_progress(inode)) 124 return -EBUSY; 125 126 if (f2fs_is_atomic_file(inode)) 127 return -EOPNOTSUPP; 128 129 /* 130 * Since the file was opened readonly, we have to initialize the quotas 131 * here and not rely on ->open() doing it. This must be done before 132 * evicting the inline data. 133 */ 134 err = f2fs_dquot_initialize(inode); 135 if (err) 136 return err; 137 138 err = f2fs_convert_inline_inode(inode); 139 if (err) 140 return err; 141 142 set_inode_flag(inode, FI_VERITY_IN_PROGRESS); 143 return 0; 144 } 145 146 static int f2fs_end_enable_verity(struct file *filp, const void *desc, 147 size_t desc_size, u64 merkle_tree_size) 148 { 149 struct inode *inode = file_inode(filp); 150 struct f2fs_sb_info *sbi = F2FS_I_SB(inode); 151 u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size; 152 struct fsverity_descriptor_location dloc = { 153 .version = cpu_to_le32(F2FS_VERIFY_VER), 154 .size = cpu_to_le32(desc_size), 155 .pos = cpu_to_le64(desc_pos), 156 }; 157 int err = 0, err2 = 0; 158 159 /* 160 * If an error already occurred (which fs/verity/ signals by passing 161 * desc == NULL), then only clean-up is needed. 162 */ 163 if (desc == NULL) 164 goto cleanup; 165 166 /* Append the verity descriptor. */ 167 err = pagecache_write(inode, desc, desc_size, desc_pos); 168 if (err) 169 goto cleanup; 170 171 /* 172 * Write all pages (both data and verity metadata). Note that this must 173 * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond 174 * i_size won't be written properly. For crash consistency, this also 175 * must happen before the verity inode flag gets persisted. 176 */ 177 err = filemap_write_and_wait(inode->i_mapping); 178 if (err) 179 goto cleanup; 180 181 /* Set the verity xattr. */ 182 err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY, 183 F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), 184 NULL, XATTR_CREATE); 185 if (err) 186 goto cleanup; 187 188 /* Finally, set the verity inode flag. */ 189 file_set_verity(inode); 190 f2fs_set_inode_flags(inode); 191 f2fs_mark_inode_dirty_sync(inode, true); 192 193 clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); 194 return 0; 195 196 cleanup: 197 /* 198 * Verity failed to be enabled, so clean up by truncating any verity 199 * metadata that was written beyond i_size (both from cache and from 200 * disk) and clearing FI_VERITY_IN_PROGRESS. 201 * 202 * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection 203 * from re-instantiating cached pages we are truncating (since unlike 204 * normal file accesses, garbage collection isn't limited by i_size). 205 */ 206 f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); 207 truncate_inode_pages(inode->i_mapping, inode->i_size); 208 err2 = f2fs_truncate(inode); 209 if (err2) { 210 f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)", 211 err2); 212 set_sbi_flag(sbi, SBI_NEED_FSCK); 213 } 214 f2fs_up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); 215 clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); 216 return err ?: err2; 217 } 218 219 static int f2fs_get_verity_descriptor(struct inode *inode, void *buf, 220 size_t buf_size) 221 { 222 struct fsverity_descriptor_location dloc; 223 int res; 224 u32 size; 225 u64 pos; 226 227 /* Get the descriptor location */ 228 res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_VERITY, 229 F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), NULL); 230 if (res < 0 && res != -ERANGE) 231 return res; 232 if (res != sizeof(dloc) || dloc.version != cpu_to_le32(F2FS_VERIFY_VER)) { 233 f2fs_warn(F2FS_I_SB(inode), "unknown verity xattr format"); 234 return -EINVAL; 235 } 236 size = le32_to_cpu(dloc.size); 237 pos = le64_to_cpu(dloc.pos); 238 239 /* Get the descriptor */ 240 if (pos + size < pos || pos + size > inode->i_sb->s_maxbytes || 241 pos < f2fs_verity_metadata_pos(inode) || size > INT_MAX) { 242 f2fs_warn(F2FS_I_SB(inode), "invalid verity xattr"); 243 f2fs_handle_error(F2FS_I_SB(inode), 244 ERROR_CORRUPTED_VERITY_XATTR); 245 return -EFSCORRUPTED; 246 } 247 if (buf_size) { 248 if (size > buf_size) 249 return -ERANGE; 250 res = pagecache_read(inode, buf, size, pos); 251 if (res) 252 return res; 253 } 254 return size; 255 } 256 257 static struct page *f2fs_read_merkle_tree_page(struct inode *inode, 258 pgoff_t index, 259 unsigned long num_ra_pages) 260 { 261 struct folio *folio; 262 263 index += f2fs_verity_metadata_pos(inode) >> PAGE_SHIFT; 264 265 folio = __filemap_get_folio(inode->i_mapping, index, FGP_ACCESSED, 0); 266 if (IS_ERR(folio) || !folio_test_uptodate(folio)) { 267 DEFINE_READAHEAD(ractl, NULL, NULL, inode->i_mapping, index); 268 269 if (!IS_ERR(folio)) 270 folio_put(folio); 271 else if (num_ra_pages > 1) 272 page_cache_ra_unbounded(&ractl, num_ra_pages, 0); 273 folio = read_mapping_folio(inode->i_mapping, index, NULL); 274 if (IS_ERR(folio)) 275 return ERR_CAST(folio); 276 } 277 return folio_file_page(folio, index); 278 } 279 280 static int f2fs_write_merkle_tree_block(struct inode *inode, const void *buf, 281 u64 pos, unsigned int size) 282 { 283 pos += f2fs_verity_metadata_pos(inode); 284 285 return pagecache_write(inode, buf, size, pos); 286 } 287 288 const struct fsverity_operations f2fs_verityops = { 289 .begin_enable_verity = f2fs_begin_enable_verity, 290 .end_enable_verity = f2fs_end_enable_verity, 291 .get_verity_descriptor = f2fs_get_verity_descriptor, 292 .read_merkle_tree_page = f2fs_read_merkle_tree_page, 293 .write_merkle_tree_block = f2fs_write_merkle_tree_block, 294 }; 295
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.