mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 01:24:47 +01:00
45a43ac5ac
Please consider pulling these changes from the signed vfs-7.0-rc1.misc.2 tag.
Thanks!
Christian
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaZMOCwAKCRCRxhvAZXjc
oswrAP9r1zjzMimjX2J0hBoMnYjNzQfLLew8+IRygImQ+yaqWgD9Fiw/cQ9eE1Hm
TMLqck/ky588ywSDaBzfztrXAY3ISgg=
=4yr2
-----END PGP SIGNATURE-----
Merge tag 'vfs-7.0-rc1.misc.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull more misc vfs updates from Christian Brauner:
"Features:
- Optimize close_range() from O(range size) to O(active FDs) by using
find_next_bit() on the open_fds bitmap instead of linearly scanning
the entire requested range. This is a significant improvement for
large-range close operations on sparse file descriptor tables.
- Add FS_XFLAG_VERITY file attribute for fs-verity files, retrievable
via FS_IOC_FSGETXATTR and file_getattr(). The flag is read-only.
Add tracepoints for fs-verity enable and verify operations,
replacing the previously removed debug printk's.
- Prevent nfsd from exporting special kernel filesystems like pidfs
and nsfs. These filesystems have custom ->open() and ->permission()
export methods that are designed for open_by_handle_at(2) only and
are incompatible with nfsd. Update the exportfs documentation
accordingly.
Fixes:
- Fix KMSAN uninit-value in ovl_fill_real() where strcmp() was used
on a non-null-terminated decrypted directory entry name from
fscrypt. This triggered on encrypted lower layers when the
decrypted name buffer contained uninitialized tail data.
The fix also adds VFS-level name_is_dot(), name_is_dotdot(), and
name_is_dot_dotdot() helpers, replacing various open-coded "." and
".." checks across the tree.
- Fix read-only fsflags not being reset together with xflags in
vfs_fileattr_set(). Currently harmless since no read-only xflags
overlap with flags, but this would cause inconsistencies for any
future shared read-only flag
- Return -EREMOTE instead of -ESRCH from PIDFD_GET_INFO when the
target process is in a different pid namespace. This lets userspace
distinguish "process exited" from "process in another namespace",
matching glibc's pidfd_getpid() behavior
Cleanups:
- Use C-string literals in the Rust seq_file bindings, replacing the
kernel::c_str!() macro (available since Rust 1.77)
- Fix typo in d_walk_ret enum comment, add porting notes for the
readlink_copy() calling convention change"
* tag 'vfs-7.0-rc1.misc.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
fs: add porting notes about readlink_copy()
pidfs: return -EREMOTE when PIDFD_GET_INFO is called on another ns
nfsd: do not allow exporting of special kernel filesystems
exportfs: clarify the documentation of open()/permission() expotrfs ops
fsverity: add tracepoints
fs: add FS_XFLAG_VERITY for fs-verity files
rust: seq_file: replace `kernel::c_str!` with C-Strings
fs: dcache: fix typo in enum d_walk_ret comment
ovl: use name_is_dot* helpers in readdir code
fs: add helpers name_is_dot{,dot,_dotdot}
ovl: Fix uninit-value in ovl_fill_real
fs: reset read-only fsflags together with xflags
fs/file: optimize close_range() complexity from O(N) to O(Sparse)
168 lines
5.2 KiB
C
168 lines
5.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* fs-verity: read-only file-based authenticity protection
|
|
*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#ifndef _FSVERITY_PRIVATE_H
|
|
#define _FSVERITY_PRIVATE_H
|
|
|
|
#define pr_fmt(fmt) "fs-verity: " fmt
|
|
|
|
#include <linux/fsverity.h>
|
|
#include <linux/rhashtable.h>
|
|
|
|
/*
|
|
* Implementation limit: maximum depth of the Merkle tree. For now 8 is plenty;
|
|
* it's enough for over U64_MAX bytes of data using SHA-256 and 4K blocks.
|
|
*/
|
|
#define FS_VERITY_MAX_LEVELS 8
|
|
|
|
/* A hash algorithm supported by fs-verity */
|
|
struct fsverity_hash_alg {
|
|
const char *name; /* crypto API name, e.g. sha256 */
|
|
unsigned int digest_size; /* digest size in bytes, e.g. 32 for SHA-256 */
|
|
unsigned int block_size; /* block size in bytes, e.g. 64 for SHA-256 */
|
|
/*
|
|
* The HASH_ALGO_* constant for this algorithm. This is different from
|
|
* FS_VERITY_HASH_ALG_*, which uses a different numbering scheme.
|
|
*/
|
|
enum hash_algo algo_id;
|
|
};
|
|
|
|
union fsverity_hash_ctx {
|
|
struct sha256_ctx sha256;
|
|
struct sha512_ctx sha512;
|
|
};
|
|
|
|
/* Merkle tree parameters: hash algorithm, initial hash state, and topology */
|
|
struct merkle_tree_params {
|
|
const struct fsverity_hash_alg *hash_alg; /* the hash algorithm */
|
|
/* initial hash state if salted, NULL if unsalted */
|
|
const union fsverity_hash_ctx *hashstate;
|
|
unsigned int digest_size; /* same as hash_alg->digest_size */
|
|
unsigned int block_size; /* size of data and tree blocks */
|
|
unsigned int hashes_per_block; /* number of hashes per tree block */
|
|
unsigned int blocks_per_page; /* PAGE_SIZE / block_size */
|
|
u8 log_digestsize; /* log2(digest_size) */
|
|
u8 log_blocksize; /* log2(block_size) */
|
|
u8 log_arity; /* log2(hashes_per_block) */
|
|
u8 log_blocks_per_page; /* log2(blocks_per_page) */
|
|
unsigned int num_levels; /* number of levels in Merkle tree */
|
|
u64 tree_size; /* Merkle tree size in bytes */
|
|
unsigned long tree_pages; /* Merkle tree size in pages */
|
|
|
|
/*
|
|
* Starting block index for each tree level, ordered from leaf level (0)
|
|
* to root level ('num_levels - 1')
|
|
*/
|
|
unsigned long level_start[FS_VERITY_MAX_LEVELS];
|
|
};
|
|
|
|
/*
|
|
* fsverity_info - cached verity metadata for an inode
|
|
*
|
|
* When a verity file is first opened, an instance of this struct is allocated
|
|
* and a pointer to it is stored in the global hash table, indexed by the inode
|
|
* pointer value. It remains alive until the inode is evicted. It caches
|
|
* information about the Merkle tree that's needed to efficiently verify data
|
|
* read from the file. It also caches the file digest. The Merkle tree pages
|
|
* themselves are not cached here, but the filesystem may cache them.
|
|
*/
|
|
struct fsverity_info {
|
|
struct rhash_head rhash_head;
|
|
struct merkle_tree_params tree_params;
|
|
u8 root_hash[FS_VERITY_MAX_DIGEST_SIZE];
|
|
u8 file_digest[FS_VERITY_MAX_DIGEST_SIZE];
|
|
struct inode *inode;
|
|
unsigned long *hash_block_verified;
|
|
};
|
|
|
|
#define FS_VERITY_MAX_SIGNATURE_SIZE (FS_VERITY_MAX_DESCRIPTOR_SIZE - \
|
|
sizeof(struct fsverity_descriptor))
|
|
|
|
/* hash_algs.c */
|
|
|
|
extern const struct fsverity_hash_alg fsverity_hash_algs[];
|
|
|
|
const struct fsverity_hash_alg *fsverity_get_hash_alg(const struct inode *inode,
|
|
unsigned int num);
|
|
union fsverity_hash_ctx *
|
|
fsverity_prepare_hash_state(const struct fsverity_hash_alg *alg,
|
|
const u8 *salt, size_t salt_size);
|
|
void fsverity_hash_block(const struct merkle_tree_params *params,
|
|
const void *data, u8 *out);
|
|
void fsverity_hash_buffer(const struct fsverity_hash_alg *alg,
|
|
const void *data, size_t size, u8 *out);
|
|
void __init fsverity_check_hash_algs(void);
|
|
|
|
/* init.c */
|
|
|
|
void __printf(3, 4) __cold
|
|
fsverity_msg(const struct inode *inode, const char *level,
|
|
const char *fmt, ...);
|
|
|
|
#define fsverity_warn(inode, fmt, ...) \
|
|
fsverity_msg((inode), KERN_WARNING, fmt, ##__VA_ARGS__)
|
|
#define fsverity_err(inode, fmt, ...) \
|
|
fsverity_msg((inode), KERN_ERR, fmt, ##__VA_ARGS__)
|
|
|
|
/* measure.c */
|
|
|
|
#ifdef CONFIG_BPF_SYSCALL
|
|
void __init fsverity_init_bpf(void);
|
|
#else
|
|
static inline void fsverity_init_bpf(void)
|
|
{
|
|
}
|
|
#endif
|
|
|
|
/* open.c */
|
|
|
|
int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
|
|
const struct inode *inode,
|
|
unsigned int hash_algorithm,
|
|
unsigned int log_blocksize,
|
|
const u8 *salt, size_t salt_size);
|
|
|
|
struct fsverity_info *fsverity_create_info(struct inode *inode,
|
|
struct fsverity_descriptor *desc);
|
|
|
|
int fsverity_set_info(struct fsverity_info *vi);
|
|
void fsverity_free_info(struct fsverity_info *vi);
|
|
void fsverity_remove_info(struct fsverity_info *vi);
|
|
|
|
int fsverity_get_descriptor(struct inode *inode,
|
|
struct fsverity_descriptor **desc_ret);
|
|
|
|
void __init fsverity_init_info_cache(void);
|
|
|
|
/* signature.c */
|
|
|
|
#ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES
|
|
extern int fsverity_require_signatures;
|
|
int fsverity_verify_signature(const struct fsverity_info *vi,
|
|
const u8 *signature, size_t sig_size);
|
|
|
|
void __init fsverity_init_signature(void);
|
|
#else /* !CONFIG_FS_VERITY_BUILTIN_SIGNATURES */
|
|
static inline int
|
|
fsverity_verify_signature(const struct fsverity_info *vi,
|
|
const u8 *signature, size_t sig_size)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline void fsverity_init_signature(void)
|
|
{
|
|
}
|
|
#endif /* !CONFIG_FS_VERITY_BUILTIN_SIGNATURES */
|
|
|
|
/* verify.c */
|
|
|
|
void __init fsverity_init_workqueue(void);
|
|
|
|
#include <trace/events/fsverity.h>
|
|
|
|
#endif /* _FSVERITY_PRIVATE_H */
|