From: Eric Biggers
To: linux-fscrypt@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-api@vger.kernel.org, Theodore Ts'o, Jaegeuk Kim, Victor Hsieh
Subject: [PATCH 0/6] fs-verity: add an ioctl to read verity metadata
Date: Fri, 15 Jan 2021 10:18:13 -0800
Message-Id: <20210115181819.34732-1-ebiggers@kernel.org>

[This patchset applies to v5.11-rc3]

Add an ioctl FS_IOC_READ_VERITY_METADATA which allows reading verity
metadata from a file that has fs-verity enabled, including:

- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present

This ioctl has similar semantics to pread().  It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size.  It returns the number of bytes read or an error.

This ioctl doesn't make any assumption about where the metadata is
stored on-disk.  It does assume the metadata is in a stable format, but
that's basically already the case:

- The Merkle tree and fsverity_descriptor are defined by how fs-verity
  file digests are computed; see the "File digest computation" section
  of Documentation/filesystems/fsverity.rst.  Technically, the way in
  which the levels of the tree are ordered relative to each other wasn't
  previously specified, but it's logical to put the root level first.

- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.

This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.

More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host".  A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.

Technically, it would be possible to duplicate the metadata and store it
in separate files for serving.  However, that would be less efficient
and would require extra care in userspace to maintain file consistency.

In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.

This patchset has been tested by new xfstests which call this new ioctl
via a new subcommand for the 'fsverity' program from fsverity-utils.

Eric Biggers (6):
  fs-verity: factor out fsverity_get_descriptor()
  fs-verity: don't pass whole descriptor to fsverity_verify_signature()
  fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
  fs-verity: support reading Merkle tree with ioctl
  fs-verity: support reading descriptor with ioctl
  fs-verity: support reading signature with ioctl

 Documentation/filesystems/fsverity.rst |  76 ++++++++++
 fs/ext4/ioctl.c                        |   7 +
 fs/f2fs/file.c                         |  11 ++
 fs/verity/Makefile                     |   1 +
 fs/verity/fsverity_private.h           |  13 +-
 fs/verity/open.c                       | 133 +++++++++++------
 fs/verity/read_metadata.c              | 195 +++++++++++++++++++++++++
 fs/verity/signature.c                  |  20 +--
 include/linux/fsverity.h               |  12 ++
 include/uapi/linux/fsverity.h          |  14 ++
 10 files changed, 417 insertions(+), 65 deletions(-)
 create mode 100644 fs/verity/read_metadata.c

base-commit: 7c53f6b671f4aba70ff15e1b05148b10d58c2837
-- 
2.30.0
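
The client-side check the cover letter describes (a client verifying file data served by an untrusted server), as an added example that is not part of the patchset or of fsverity-utils. It follows the "File digest computation" layout with the root level stored first, and assumes SHA-256, 4096-byte blocks and no salt; the function names are hypothetical, and the tree and descriptor bytes stand in for what the server would read with the new ioctl.

```python
import hashlib
import struct

BLOCK, HSZ = 4096, 32        # 4K tree blocks, SHA-256 digests (assumed parameters)
PER = BLOCK // HSZ           # 128 hashes fit in one tree block

def _h(b):
    return hashlib.sha256(b).digest()

def _blocks(buf):
    """Split into BLOCK-sized pieces, zero-padding the last one."""
    return [buf[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(buf), BLOCK)]

def build_tree(data):
    """Server side: return (root_hash, serialized tree with the root level first)."""
    if not data:
        return b"\0" * HSZ, b""
    hashes, levels = [_h(b) for b in _blocks(data)], []
    while len(hashes) > 1:
        levels.append(_blocks(b"".join(hashes)))
        hashes = [_h(b) for b in levels[-1]]
    return hashes[0], b"".join(b"".join(lv) for lv in reversed(levels))

def descriptor(size, root_hash):
    """256-byte fsverity_descriptor: version 1, SHA-256, 4K blocks, no salt."""
    return struct.pack("<BBBBIQ64s32s144s", 1, 1, 12, 0, 0, size, root_hash, b"", b"")

def verify_block(digest, desc, tree, index, block):
    """Client side: check data block `index` against a trusted file digest."""
    if len(desc) != 256 or _h(desc) != digest or desc[:4] != bytes([1, 1, 12, 0]):
        return False
    size, root = struct.unpack_from("<Q", desc, 8)[0], desc[16:16 + HSZ]
    nblocks = -(-size // BLOCK)
    counts, n = [], nblocks                  # tree blocks per level, leaves upward
    while n > 1:
        n = -(-n // PER)
        counts.append(n)
    if not 0 <= index < nblocks or len(block) > BLOCK or len(tree) != sum(counts) * BLOCK:
        return False
    cur = _h(block.ljust(BLOCK, b"\0"))
    for lvl in range(len(counts)):
        # Levels above this one are stored earlier in the buffer (root first).
        start = (sum(counts[lvl + 1:]) + index // PER) * BLOCK
        hblock, slot = tree[start:start + BLOCK], index % PER
        if hblock[slot * HSZ:(slot + 1) * HSZ] != cur:
            return False
        cur, index = _h(hblock), index // PER
    return cur == root
```

The only value the client has to obtain from a trusted source is `digest`; the descriptor, tree and data blocks can all come from the untrusted server.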