~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/fs/f2fs/verity.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0
  2 /*
  3  * fs/f2fs/verity.c: fs-verity support for f2fs
  4  *
  5  * Copyright 2019 Google LLC
  6  */
  7 
  8 /*
  9  * Implementation of fsverity_operations for f2fs.
 10  *
 11  * Like ext4, f2fs stores the verity metadata (Merkle tree and
 12  * fsverity_descriptor) past the end of the file, starting at the first 64K
 13  * boundary beyond i_size.  This approach works because (a) verity files are
 14  * readonly, and (b) pages fully beyond i_size aren't visible to userspace but
 15  * can be read/written internally by f2fs with only some relatively small
 16  * changes to f2fs.  Extended attributes cannot be used because (a) f2fs limits
 17  * the total size of an inode's xattr entries to 4096 bytes, which wouldn't be
 18  * enough for even a single Merkle tree block, and (b) f2fs encryption doesn't
 19  * encrypt xattrs, yet the verity metadata *must* be encrypted when the file is
 20  * because it contains hashes of the plaintext data.
 21  *
 22  * Using a 64K boundary rather than a 4K one keeps things ready for
 23  * architectures with 64K pages, and it doesn't necessarily waste space on-disk
 24  * since there can be a hole between i_size and the start of the Merkle tree.
 25  */
 26 
 27 #include <linux/f2fs_fs.h>
 28 
 29 #include "f2fs.h"
 30 #include "xattr.h"
 31 
 32 #define F2FS_VERIFY_VER (1)
 33 
 34 static inline loff_t f2fs_verity_metadata_pos(const struct inode *inode)
 35 {
 36         return round_up(inode->i_size, 65536);
 37 }
 38 
 39 /*
 40  * Read some verity metadata from the inode.  __vfs_read() can't be used because
 41  * we need to read beyond i_size.
 42  */
 43 static int pagecache_read(struct inode *inode, void *buf, size_t count,
 44                           loff_t pos)
 45 {
 46         while (count) {
 47                 size_t n = min_t(size_t, count,
 48                                  PAGE_SIZE - offset_in_page(pos));
 49                 struct page *page;
 50 
 51                 page = read_mapping_page(inode->i_mapping, pos >> PAGE_SHIFT,
 52                                          NULL);
 53                 if (IS_ERR(page))
 54                         return PTR_ERR(page);
 55 
 56                 memcpy_from_page(buf, page, offset_in_page(pos), n);
 57 
 58                 put_page(page);
 59 
 60                 buf += n;
 61                 pos += n;
 62                 count -= n;
 63         }
 64         return 0;
 65 }
 66 
 67 /*
 68  * Write some verity metadata to the inode for FS_IOC_ENABLE_VERITY.
 69  * kernel_write() can't be used because the file descriptor is readonly.
 70  */
 71 static int pagecache_write(struct inode *inode, const void *buf, size_t count,
 72                            loff_t pos)
 73 {
 74         struct address_space *mapping = inode->i_mapping;
 75         const struct address_space_operations *aops = mapping->a_ops;
 76 
 77         if (pos + count > inode->i_sb->s_maxbytes)
 78                 return -EFBIG;
 79 
 80         while (count) {
 81                 size_t n = min_t(size_t, count,
 82                                  PAGE_SIZE - offset_in_page(pos));
 83                 struct page *page;
 84                 void *fsdata = NULL;
 85                 int res;
 86 
 87                 res = aops->write_begin(NULL, mapping, pos, n, &page, &fsdata);
 88                 if (res)
 89                         return res;
 90 
 91                 memcpy_to_page(page, offset_in_page(pos), buf, n);
 92 
 93                 res = aops->write_end(NULL, mapping, pos, n, n, page, fsdata);
 94                 if (res < 0)
 95                         return res;
 96                 if (res != n)
 97                         return -EIO;
 98 
 99                 buf += n;
100                 pos += n;
101                 count -= n;
102         }
103         return 0;
104 }
105 
106 /*
107  * Format of f2fs verity xattr.  This points to the location of the verity
108  * descriptor within the file data rather than containing it directly because
109  * the verity descriptor *must* be encrypted when f2fs encryption is used.  But,
110  * f2fs encryption does not encrypt xattrs.
111  */
112 struct fsverity_descriptor_location {
113         __le32 version;
114         __le32 size;
115         __le64 pos;
116 };
117 
118 static int f2fs_begin_enable_verity(struct file *filp)
119 {
120         struct inode *inode = file_inode(filp);
121         int err;
122 
123         if (f2fs_verity_in_progress(inode))
124                 return -EBUSY;
125 
126         if (f2fs_is_atomic_file(inode))
127                 return -EOPNOTSUPP;
128 
129         /*
130          * Since the file was opened readonly, we have to initialize the quotas
131          * here and not rely on ->open() doing it.  This must be done before
132          * evicting the inline data.
133          */
134         err = f2fs_dquot_initialize(inode);
135         if (err)
136                 return err;
137 
138         err = f2fs_convert_inline_inode(inode);
139         if (err)
140                 return err;
141 
142         set_inode_flag(inode, FI_VERITY_IN_PROGRESS);
143         return 0;
144 }
145 
146 static int f2fs_end_enable_verity(struct file *filp, const void *desc,
147                                   size_t desc_size, u64 merkle_tree_size)
148 {
149         struct inode *inode = file_inode(filp);
150         struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
151         u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size;
152         struct fsverity_descriptor_location dloc = {
153                 .version = cpu_to_le32(F2FS_VERIFY_VER),
154                 .size = cpu_to_le32(desc_size),
155                 .pos = cpu_to_le64(desc_pos),
156         };
157         int err = 0, err2 = 0;
158 
159         /*
160          * If an error already occurred (which fs/verity/ signals by passing
161          * desc == NULL), then only clean-up is needed.
162          */
163         if (desc == NULL)
164                 goto cleanup;
165 
166         /* Append the verity descriptor. */
167         err = pagecache_write(inode, desc, desc_size, desc_pos);
168         if (err)
169                 goto cleanup;
170 
171         /*
172          * Write all pages (both data and verity metadata).  Note that this must
173          * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond
174          * i_size won't be written properly.  For crash consistency, this also
175          * must happen before the verity inode flag gets persisted.
176          */
177         err = filemap_write_and_wait(inode->i_mapping);
178         if (err)
179                 goto cleanup;
180 
181         /* Set the verity xattr. */
182         err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY,
183                             F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc),
184                             NULL, XATTR_CREATE);
185         if (err)
186                 goto cleanup;
187 
188         /* Finally, set the verity inode flag. */
189         file_set_verity(inode);
190         f2fs_set_inode_flags(inode);
191         f2fs_mark_inode_dirty_sync(inode, true);
192 
193         clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
194         return 0;
195 
196 cleanup:
197         /*
198          * Verity failed to be enabled, so clean up by truncating any verity
199          * metadata that was written beyond i_size (both from cache and from
200          * disk) and clearing FI_VERITY_IN_PROGRESS.
201          *
202          * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection
203          * from re-instantiating cached pages we are truncating (since unlike
204          * normal file accesses, garbage collection isn't limited by i_size).
205          */
206         f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
207         truncate_inode_pages(inode->i_mapping, inode->i_size);
208         err2 = f2fs_truncate(inode);
209         if (err2) {
210                 f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)",
211                          err2);
212                 set_sbi_flag(sbi, SBI_NEED_FSCK);
213         }
214         f2fs_up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
215         clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
216         return err ?: err2;
217 }
218 
219 static int f2fs_get_verity_descriptor(struct inode *inode, void *buf,
220                                       size_t buf_size)
221 {
222         struct fsverity_descriptor_location dloc;
223         int res;
224         u32 size;
225         u64 pos;
226 
227         /* Get the descriptor location */
228         res = f2fs_getxattr(inode, F2FS_XATTR_INDEX_VERITY,
229                             F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), NULL);
230         if (res < 0 && res != -ERANGE)
231                 return res;
232         if (res != sizeof(dloc) || dloc.version != cpu_to_le32(F2FS_VERIFY_VER)) {
233                 f2fs_warn(F2FS_I_SB(inode), "unknown verity xattr format");
234                 return -EINVAL;
235         }
236         size = le32_to_cpu(dloc.size);
237         pos = le64_to_cpu(dloc.pos);
238 
239         /* Get the descriptor */
240         if (pos + size < pos || pos + size > inode->i_sb->s_maxbytes ||
241             pos < f2fs_verity_metadata_pos(inode) || size > INT_MAX) {
242                 f2fs_warn(F2FS_I_SB(inode), "invalid verity xattr");
243                 f2fs_handle_error(F2FS_I_SB(inode),
244                                 ERROR_CORRUPTED_VERITY_XATTR);
245                 return -EFSCORRUPTED;
246         }
247         if (buf_size) {
248                 if (size > buf_size)
249                         return -ERANGE;
250                 res = pagecache_read(inode, buf, size, pos);
251                 if (res)
252                         return res;
253         }
254         return size;
255 }
256 
257 static struct page *f2fs_read_merkle_tree_page(struct inode *inode,
258                                                pgoff_t index,
259                                                unsigned long num_ra_pages)
260 {
261         struct folio *folio;
262 
263         index += f2fs_verity_metadata_pos(inode) >> PAGE_SHIFT;
264 
265         folio = __filemap_get_folio(inode->i_mapping, index, FGP_ACCESSED, 0);
266         if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
267                 DEFINE_READAHEAD(ractl, NULL, NULL, inode->i_mapping, index);
268 
269                 if (!IS_ERR(folio))
270                         folio_put(folio);
271                 else if (num_ra_pages > 1)
272                         page_cache_ra_unbounded(&ractl, num_ra_pages, 0);
273                 folio = read_mapping_folio(inode->i_mapping, index, NULL);
274                 if (IS_ERR(folio))
275                         return ERR_CAST(folio);
276         }
277         return folio_file_page(folio, index);
278 }
279 
280 static int f2fs_write_merkle_tree_block(struct inode *inode, const void *buf,
281                                         u64 pos, unsigned int size)
282 {
283         pos += f2fs_verity_metadata_pos(inode);
284 
285         return pagecache_write(inode, buf, size, pos);
286 }
287 
288 const struct fsverity_operations f2fs_verityops = {
289         .begin_enable_verity    = f2fs_begin_enable_verity,
290         .end_enable_verity      = f2fs_end_enable_verity,
291         .get_verity_descriptor  = f2fs_get_verity_descriptor,
292         .read_merkle_tree_page  = f2fs_read_merkle_tree_page,
293         .write_merkle_tree_block = f2fs_write_merkle_tree_block,
294 };
295 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php