2019-07-22 16:26:20 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
|
|
|
/*
|
|
|
|
|
* fs-verity user API
|
|
|
|
|
*
|
|
|
|
|
* These ioctls can be used on filesystems that support fs-verity. See the
|
|
|
|
|
* "User API" section of Documentation/filesystems/fsverity.rst.
|
|
|
|
|
*
|
|
|
|
|
* Copyright 2019 Google LLC
|
|
|
|
|
*/
|
|
|
|
|
#ifndef _UAPI_LINUX_FSVERITY_H
|
|
|
|
|
#define _UAPI_LINUX_FSVERITY_H
|
|
|
|
|
|
|
|
|
|
#include <linux/ioctl.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
|
|
|
|
|
#define FS_VERITY_HASH_ALG_SHA256 1
|
2019-07-22 16:26:23 +00:00
|
|
|
#define FS_VERITY_HASH_ALG_SHA512 2
|
2019-07-22 16:26:20 +00:00
|
|
|
|
|
|
|
|
struct fsverity_enable_arg {
|
|
|
|
|
__u32 version;
|
|
|
|
|
__u32 hash_algorithm;
|
|
|
|
|
__u32 block_size;
|
|
|
|
|
__u32 salt_size;
|
|
|
|
|
__u64 salt_ptr;
|
|
|
|
|
__u32 sig_size;
|
|
|
|
|
__u32 __reserved1;
|
|
|
|
|
__u64 sig_ptr;
|
|
|
|
|
__u64 __reserved2[11];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct fsverity_digest {
|
|
|
|
|
__u16 digest_algorithm;
|
|
|
|
|
__u16 digest_size; /* input/output */
|
|
|
|
|
__u8 digest[];
|
|
|
|
|
};
|
|
|
|
|
|
2020-11-13 21:19:18 +00:00
|
|
|
/*
|
|
|
|
|
* Struct containing a file's Merkle tree properties. The fs-verity file digest
|
|
|
|
|
* is the hash of this struct. A userspace program needs this struct only if it
|
|
|
|
|
* needs to compute fs-verity file digests itself, e.g. in order to sign files.
|
|
|
|
|
* It isn't needed just to enable fs-verity on a file.
|
|
|
|
|
*
|
|
|
|
|
* Note: when computing the file digest, 'sig_size' and 'signature' must be left
|
|
|
|
|
* zero and empty, respectively. These fields are present only because some
|
|
|
|
|
* filesystems reuse this struct as part of their on-disk format.
|
|
|
|
|
*/
|
|
|
|
|
struct fsverity_descriptor {
|
|
|
|
|
__u8 version; /* must be 1 */
|
|
|
|
|
__u8 hash_algorithm; /* Merkle tree hash algorithm */
|
|
|
|
|
__u8 log_blocksize; /* log2 of size of data and tree blocks */
|
|
|
|
|
__u8 salt_size; /* size of salt in bytes; 0 if none */
|
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
|
__le32 sig_size;
|
|
|
|
|
#else
|
|
|
|
|
__le32 __reserved_0x04; /* must be 0 */
|
|
|
|
|
#endif
|
|
|
|
|
__le64 data_size; /* size of file the Merkle tree is built over */
|
|
|
|
|
__u8 root_hash[64]; /* Merkle tree root hash */
|
|
|
|
|
__u8 salt[32]; /* salt prepended to each hashed block */
|
|
|
|
|
__u8 __reserved[144]; /* must be 0's */
|
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
|
__u8 signature[];
|
|
|
|
|
#endif
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Format in which fs-verity file digests are signed in built-in signatures.
|
|
|
|
|
* This is the same as 'struct fsverity_digest', except here some magic bytes
|
|
|
|
|
* are prepended to provide some context about what is being signed in case the
|
|
|
|
|
* same key is used for non-fsverity purposes, and here the fields have fixed
|
|
|
|
|
* endianness.
|
|
|
|
|
*
|
|
|
|
|
* This struct is specific to the built-in signature verification support, which
|
|
|
|
|
* is optional. fs-verity users may also verify signatures in userspace, in
|
|
|
|
|
* which case userspace is responsible for deciding on what bytes are signed.
|
|
|
|
|
* This struct may still be used, but it doesn't have to be. For example,
|
|
|
|
|
* userspace could instead use a string like "sha256:$digest_as_hex_string".
|
|
|
|
|
*/
|
|
|
|
|
struct fsverity_formatted_digest {
|
|
|
|
|
char magic[8]; /* must be "FSVerity" */
|
|
|
|
|
__le16 digest_algorithm;
|
|
|
|
|
__le16 digest_size;
|
|
|
|
|
__u8 digest[];
|
|
|
|
|
};
|
|
|
|
|
|
2021-01-15 18:18:17 +00:00
|
|
|
#define FS_VERITY_METADATA_TYPE_MERKLE_TREE 1
|
2021-01-15 18:18:18 +00:00
|
|
|
#define FS_VERITY_METADATA_TYPE_DESCRIPTOR 2
|
2021-01-15 18:18:19 +00:00
|
|
|
#define FS_VERITY_METADATA_TYPE_SIGNATURE 3
|
2021-01-15 18:18:17 +00:00
|
|
|
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-15 18:18:16 +00:00
|
|
|
struct fsverity_read_metadata_arg {
|
|
|
|
|
__u64 metadata_type;
|
|
|
|
|
__u64 offset;
|
|
|
|
|
__u64 length;
|
|
|
|
|
__u64 buf_ptr;
|
|
|
|
|
__u64 __reserved;
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-22 16:26:20 +00:00
|
|
|
#define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg)
|
|
|
|
|
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-15 18:18:16 +00:00
|
|
|
#define FS_IOC_READ_VERITY_METADATA \
|
|
|
|
|
_IOWR('f', 135, struct fsverity_read_metadata_arg)
|
2019-07-22 16:26:20 +00:00
|
|
|
|
|
|
|
|
#endif /* _UAPI_LINUX_FSVERITY_H */
|