1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2012 Red Hat, Inc.
7 * Based on Chromium dm-verity driver (C) 2011 The Chromium OS Authors
9 * In the file "/sys/module/dm_verity/parameters/prefetch_cluster" you can set
10 * default prefetch value. Data are read in "prefetch_cluster" chunks from the
11 * hash device. Setting this greatly improves performance when data and hash
12 * are on the same disk on different partitions on devices with poor random
16 #include "dm-verity.h"
17 #include "dm-verity-fec.h"
18 #include "dm-verity-verify-sig.h"
20 #include <linux/module.h>
21 #include <linux/reboot.h>
22 #include <linux/scatterlist.h>
23 #include <linux/string.h>
24 #include <linux/jump_label.h>
26 #define DM_MSG_PREFIX "verity"
28 #define DM_VERITY_ENV_LENGTH 42
29 #define DM_VERITY_ENV_VAR_NAME "DM_VERITY_ERR_BLOCK_NR"
31 #define DM_VERITY_DEFAULT_PREFETCH_SIZE 262144
33 #define DM_VERITY_MAX_CORRUPTED_ERRS 100
35 #define DM_VERITY_OPT_LOGGING "ignore_corruption"
36 #define DM_VERITY_OPT_RESTART "restart_on_corruption"
37 #define DM_VERITY_OPT_PANIC "panic_on_corruption"
38 #define DM_VERITY_OPT_IGN_ZEROES "ignore_zero_blocks"
39 #define DM_VERITY_OPT_AT_MOST_ONCE "check_at_most_once"
40 #define DM_VERITY_OPT_TASKLET_VERIFY "try_verify_in_tasklet"
42 #define DM_VERITY_OPTS_MAX (4 + DM_VERITY_OPTS_FEC + \
43 DM_VERITY_ROOT_HASH_VERIFICATION_OPTS)
45 static unsigned int dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE;
47 module_param_named(prefetch_cluster, dm_verity_prefetch_cluster, uint, 0644);
49 static DEFINE_STATIC_KEY_FALSE(use_bh_wq_enabled);
51 /* Is at least one dm-verity instance using ahash_tfm instead of shash_tfm? */
52 static DEFINE_STATIC_KEY_FALSE(ahash_enabled);
54 struct dm_verity_prefetch_work {
55 struct work_struct work;
57 unsigned short ioprio;
59 unsigned int n_blocks;
63 * Auxiliary structure appended to each dm-bufio buffer. If the value
64 * hash_verified is nonzero, hash of the block has been verified.
66 * The variable hash_verified is set to 0 when allocating the buffer, then
67 * it can be changed to 1 and it is never reset to 0 again.
69 * There is no lock around this value, a race condition can at worst cause
70 * that multiple processes verify the hash of the same buffer simultaneously
71 * and write 1 to hash_verified simultaneously.
72 * This condition is harmless, so we don't need locking.
79 * Initialize struct buffer_aux for a freshly created buffer.
81 static void dm_bufio_alloc_callback(struct dm_buffer *buf)
83 struct buffer_aux *aux = dm_bufio_get_aux_data(buf);
85 aux->hash_verified = 0;
89 * Translate input sector number to the sector number on the target device.
91 static sector_t verity_map_sector(struct dm_verity *v, sector_t bi_sector)
93 return v->data_start + dm_target_offset(v->ti, bi_sector);
97 * Return hash position of a specified block at a specified tree level
98 * (0 is the lowest level).
99 * The lowest "hash_per_block_bits"-bits of the result denote hash position
100 * inside a hash block. The remaining bits denote location of the hash block.
102 static sector_t verity_position_at_level(struct dm_verity *v, sector_t block,
105 return block >> (level * v->hash_per_block_bits);
108 static int verity_ahash_update(struct dm_verity *v, struct ahash_request *req,
109 const u8 *data, size_t len,
110 struct crypto_wait *wait)
112 struct scatterlist sg;
114 if (likely(!is_vmalloc_addr(data))) {
115 sg_init_one(&sg, data, len);
116 ahash_request_set_crypt(req, &sg, NULL, len);
117 return crypto_wait_req(crypto_ahash_update(req), wait);
122 size_t this_step = min_t(size_t, len, PAGE_SIZE - offset_in_page(data));
124 flush_kernel_vmap_range((void *)data, this_step);
125 sg_init_table(&sg, 1);
126 sg_set_page(&sg, vmalloc_to_page(data), this_step, offset_in_page(data));
127 ahash_request_set_crypt(req, &sg, NULL, this_step);
128 r = crypto_wait_req(crypto_ahash_update(req), wait);
139 * Wrapper for crypto_ahash_init, which handles verity salting.
141 static int verity_ahash_init(struct dm_verity *v, struct ahash_request *req,
142 struct crypto_wait *wait, bool may_sleep)
146 ahash_request_set_tfm(req, v->ahash_tfm);
147 ahash_request_set_callback(req,
148 may_sleep ? CRYPTO_TFM_REQ_MAY_SLEEP | CRYPTO_TFM_REQ_MAY_BACKLOG : 0,
149 crypto_req_done, (void *)wait);
150 crypto_init_wait(wait);
152 r = crypto_wait_req(crypto_ahash_init(req), wait);
154 if (unlikely(r < 0)) {
156 DMERR("crypto_ahash_init failed: %d", r);
160 if (likely(v->salt_size && (v->version >= 1)))
161 r = verity_ahash_update(v, req, v->salt, v->salt_size, wait);
166 static int verity_ahash_final(struct dm_verity *v, struct ahash_request *req,
167 u8 *digest, struct crypto_wait *wait)
171 if (unlikely(v->salt_size && (!v->version))) {
172 r = verity_ahash_update(v, req, v->salt, v->salt_size, wait);
175 DMERR("%s failed updating salt: %d", __func__, r);
180 ahash_request_set_crypt(req, NULL, digest, 0);
181 r = crypto_wait_req(crypto_ahash_final(req), wait);
186 int verity_hash(struct dm_verity *v, struct dm_verity_io *io,
187 const u8 *data, size_t len, u8 *digest, bool may_sleep)
191 if (static_branch_unlikely(&ahash_enabled) && !v->shash_tfm) {
192 struct ahash_request *req = verity_io_hash_req(v, io);
193 struct crypto_wait wait;
195 r = verity_ahash_init(v, req, &wait, may_sleep) ?:
196 verity_ahash_update(v, req, data, len, &wait) ?:
197 verity_ahash_final(v, req, digest, &wait);
199 struct shash_desc *desc = verity_io_hash_req(v, io);
201 desc->tfm = v->shash_tfm;
202 r = crypto_shash_import(desc, v->initial_hashstate) ?:
203 crypto_shash_finup(desc, data, len, digest);
206 DMERR("Error hashing block: %d", r);
210 static void verity_hash_at_level(struct dm_verity *v, sector_t block, int level,
211 sector_t *hash_block, unsigned int *offset)
213 sector_t position = verity_position_at_level(v, block, level);
216 *hash_block = v->hash_level_block[level] + (position >> v->hash_per_block_bits);
221 idx = position & ((1 << v->hash_per_block_bits) - 1);
223 *offset = idx * v->digest_size;
225 *offset = idx << (v->hash_dev_block_bits - v->hash_per_block_bits);
229 * Handle verification errors.
231 static int verity_handle_err(struct dm_verity *v, enum verity_block_type type,
232 unsigned long long block)
234 char verity_env[DM_VERITY_ENV_LENGTH];
235 char *envp[] = { verity_env, NULL };
236 const char *type_str = "";
237 struct mapped_device *md = dm_table_get_md(v->ti->table);
239 /* Corruption should be visible in device status in all modes */
240 v->hash_failed = true;
242 if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS)
248 case DM_VERITY_BLOCK_TYPE_DATA:
251 case DM_VERITY_BLOCK_TYPE_METADATA:
252 type_str = "metadata";
258 DMERR_LIMIT("%s: %s block %llu is corrupted", v->data_dev->name,
261 if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS) {
262 DMERR("%s: reached maximum errors", v->data_dev->name);
263 dm_audit_log_target(DM_MSG_PREFIX, "max-corrupted-errors", v->ti, 0);
266 snprintf(verity_env, DM_VERITY_ENV_LENGTH, "%s=%d,%llu",
267 DM_VERITY_ENV_VAR_NAME, type, block);
269 kobject_uevent_env(&disk_to_dev(dm_disk(md))->kobj, KOBJ_CHANGE, envp);
272 if (v->mode == DM_VERITY_MODE_LOGGING)
275 if (v->mode == DM_VERITY_MODE_RESTART)
276 kernel_restart("dm-verity device corrupted");
278 if (v->mode == DM_VERITY_MODE_PANIC)
279 panic("dm-verity device corrupted");
285 * Verify hash of a metadata block pertaining to the specified data block
286 * ("block" argument) at a specified level ("level" argument).
288 * On successful return, verity_io_want_digest(v, io) contains the hash value
289 * for a lower tree level or for the data block (if we're at the lowest level).
291 * If "skip_unverified" is true, unverified buffer is skipped and 1 is returned.
292 * If "skip_unverified" is false, unverified buffer is hashed and verified
293 * against current value of verity_io_want_digest(v, io).
295 static int verity_verify_level(struct dm_verity *v, struct dm_verity_io *io,
296 sector_t block, int level, bool skip_unverified,
299 struct dm_buffer *buf;
300 struct buffer_aux *aux;
305 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size);
307 verity_hash_at_level(v, block, level, &hash_block, &offset);
309 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) {
310 data = dm_bufio_get(v->bufio, hash_block, &buf);
313 * In tasklet and the hash was not in the bufio cache.
314 * Return early and resume execution from a work-queue
315 * to read the hash from disk.
320 data = dm_bufio_read_with_ioprio(v->bufio, hash_block,
321 &buf, bio_prio(bio));
325 return PTR_ERR(data);
327 aux = dm_bufio_get_aux_data(buf);
329 if (!aux->hash_verified) {
330 if (skip_unverified) {
335 r = verity_hash(v, io, data, 1 << v->hash_dev_block_bits,
336 verity_io_real_digest(v, io), !io->in_bh);
340 if (likely(memcmp(verity_io_real_digest(v, io), want_digest,
341 v->digest_size) == 0))
342 aux->hash_verified = 1;
343 else if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) {
345 * Error handling code (FEC included) cannot be run in a
346 * tasklet since it may sleep, so fallback to work-queue.
350 } else if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_METADATA,
351 hash_block, data) == 0)
352 aux->hash_verified = 1;
353 else if (verity_handle_err(v,
354 DM_VERITY_BLOCK_TYPE_METADATA,
357 dm_bio_from_per_bio_data(io,
358 v->ti->per_io_data_size);
359 dm_audit_log_bio(DM_MSG_PREFIX, "verify-metadata", bio,
367 memcpy(want_digest, data, v->digest_size);
371 dm_bufio_release(buf);
376 * Find a hash for a given block, write it to digest and verify the integrity
377 * of the hash tree if necessary.
379 int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
380 sector_t block, u8 *digest, bool *is_zero)
384 if (likely(v->levels)) {
386 * First, we try to get the requested hash for
387 * the current block. If the hash block itself is
388 * verified, zero is returned. If it isn't, this
389 * function returns 1 and we fall back to whole
390 * chain verification.
392 r = verity_verify_level(v, io, block, 0, true, digest);
397 memcpy(digest, v->root_digest, v->digest_size);
399 for (i = v->levels - 1; i >= 0; i--) {
400 r = verity_verify_level(v, io, block, i, false, digest);
405 if (!r && v->zero_digest)
406 *is_zero = !memcmp(v->zero_digest, digest, v->digest_size);
413 static noinline int verity_recheck(struct dm_verity *v, struct dm_verity_io *io,
414 sector_t cur_block, u8 *dest)
419 struct dm_io_request io_req;
420 struct dm_io_region io_loc;
422 page = mempool_alloc(&v->recheck_pool, GFP_NOIO);
423 buffer = page_to_virt(page);
425 io_req.bi_opf = REQ_OP_READ;
426 io_req.mem.type = DM_IO_KMEM;
427 io_req.mem.ptr.addr = buffer;
428 io_req.notify.fn = NULL;
429 io_req.client = v->io;
430 io_loc.bdev = v->data_dev->bdev;
431 io_loc.sector = cur_block << (v->data_dev_block_bits - SECTOR_SHIFT);
432 io_loc.count = 1 << (v->data_dev_block_bits - SECTOR_SHIFT);
433 r = dm_io(&io_req, 1, &io_loc, NULL, IOPRIO_DEFAULT);
437 r = verity_hash(v, io, buffer, 1 << v->data_dev_block_bits,
438 verity_io_real_digest(v, io), true);
442 if (memcmp(verity_io_real_digest(v, io),
443 verity_io_want_digest(v, io), v->digest_size)) {
448 memcpy(dest, buffer, 1 << v->data_dev_block_bits);
451 mempool_free(page, &v->recheck_pool);
456 static int verity_handle_data_hash_mismatch(struct dm_verity *v,
457 struct dm_verity_io *io,
458 struct bio *bio, sector_t blkno,
461 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) {
463 * Error handling code (FEC included) cannot be run in the
464 * BH workqueue, so fallback to a standard workqueue.
468 if (verity_recheck(v, io, blkno, data) == 0) {
469 if (v->validated_blocks)
470 set_bit(blkno, v->validated_blocks);
473 #if defined(CONFIG_DM_VERITY_FEC)
474 if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_DATA, blkno,
479 return -EIO; /* Error correction failed; Just return error */
481 if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, blkno)) {
482 dm_audit_log_bio(DM_MSG_PREFIX, "verify-data", bio, blkno, 0);
489 * Verify one "dm_verity_io" structure.
491 static int verity_verify_io(struct dm_verity_io *io)
493 struct dm_verity *v = io->v;
494 const unsigned int block_size = 1 << v->data_dev_block_bits;
495 struct bvec_iter iter_copy;
496 struct bvec_iter *iter;
497 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size);
500 if (static_branch_unlikely(&use_bh_wq_enabled) && io->in_bh) {
502 * Copy the iterator in case we need to restart
503 * verification in a work-queue.
505 iter_copy = io->iter;
510 for (b = 0; b < io->n_blocks;
511 b++, bio_advance_iter(bio, iter, block_size)) {
513 sector_t cur_block = io->block + b;
518 if (v->validated_blocks && bio->bi_status == BLK_STS_OK &&
519 likely(test_bit(cur_block, v->validated_blocks)))
522 r = verity_hash_for_block(v, io, cur_block,
523 verity_io_want_digest(v, io),
528 bv = bio_iter_iovec(bio, *iter);
529 if (unlikely(bv.bv_len < block_size)) {
531 * Data block spans pages. This should not happen,
532 * since dm-verity sets dma_alignment to the data block
533 * size minus 1, and dm-verity also doesn't allow the
534 * data block size to be greater than PAGE_SIZE.
536 DMERR_LIMIT("unaligned io (data block spans pages)");
540 data = bvec_kmap_local(&bv);
544 * If we expect a zero block, don't validate, just
547 memset(data, 0, block_size);
552 r = verity_hash(v, io, data, block_size,
553 verity_io_real_digest(v, io), !io->in_bh);
554 if (unlikely(r < 0)) {
559 if (likely(memcmp(verity_io_real_digest(v, io),
560 verity_io_want_digest(v, io), v->digest_size) == 0)) {
561 if (v->validated_blocks)
562 set_bit(cur_block, v->validated_blocks);
566 r = verity_handle_data_hash_mismatch(v, io, bio, cur_block,
577 * Skip verity work in response to I/O error when system is shutting down.
579 static inline bool verity_is_system_shutting_down(void)
581 return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF
582 || system_state == SYSTEM_RESTART;
586 * End one "io" structure with a given error.
588 static void verity_finish_io(struct dm_verity_io *io, blk_status_t status)
590 struct dm_verity *v = io->v;
591 struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size);
593 bio->bi_end_io = io->orig_bi_end_io;
594 bio->bi_status = status;
596 if (!static_branch_unlikely(&use_bh_wq_enabled) || !io->in_bh)
597 verity_fec_finish_io(io);
602 static void verity_work(struct work_struct *w)
604 struct dm_verity_io *io = container_of(w, struct dm_verity_io, work);
608 verity_finish_io(io, errno_to_blk_status(verity_verify_io(io)));
611 static void verity_bh_work(struct work_struct *w)
613 struct dm_verity_io *io = container_of(w, struct dm_verity_io, bh_work);
617 err = verity_verify_io(io);
618 if (err == -EAGAIN || err == -ENOMEM) {
619 /* fallback to retrying with work-queue */
620 INIT_WORK(&io->work, verity_work);
621 queue_work(io->v->verify_wq, &io->work);
625 verity_finish_io(io, errno_to_blk_status(err));
628 static void verity_end_io(struct bio *bio)
630 struct dm_verity_io *io = bio->bi_private;
632 if (bio->bi_status &&
633 (!verity_fec_is_enabled(io->v) ||
634 verity_is_system_shutting_down() ||
635 (bio->bi_opf & REQ_RAHEAD))) {
636 verity_finish_io(io, bio->bi_status);
640 if (static_branch_unlikely(&use_bh_wq_enabled) && io->v->use_bh_wq) {
641 INIT_WORK(&io->bh_work, verity_bh_work);
642 queue_work(system_bh_wq, &io->bh_work);
644 INIT_WORK(&io->work, verity_work);
645 queue_work(io->v->verify_wq, &io->work);
650 * Prefetch buffers for the specified io.
651 * The root buffer is not prefetched, it is assumed that it will be cached
654 static void verity_prefetch_io(struct work_struct *work)
656 struct dm_verity_prefetch_work *pw =
657 container_of(work, struct dm_verity_prefetch_work, work);
658 struct dm_verity *v = pw->v;
661 for (i = v->levels - 2; i >= 0; i--) {
662 sector_t hash_block_start;
663 sector_t hash_block_end;
665 verity_hash_at_level(v, pw->block, i, &hash_block_start, NULL);
666 verity_hash_at_level(v, pw->block + pw->n_blocks - 1, i, &hash_block_end, NULL);
669 unsigned int cluster = READ_ONCE(dm_verity_prefetch_cluster);
671 cluster >>= v->data_dev_block_bits;
672 if (unlikely(!cluster))
673 goto no_prefetch_cluster;
675 if (unlikely(cluster & (cluster - 1)))
676 cluster = 1 << __fls(cluster);
678 hash_block_start &= ~(sector_t)(cluster - 1);
679 hash_block_end |= cluster - 1;
680 if (unlikely(hash_block_end >= v->hash_blocks))
681 hash_block_end = v->hash_blocks - 1;
684 dm_bufio_prefetch_with_ioprio(v->bufio, hash_block_start,
685 hash_block_end - hash_block_start + 1,
692 static void verity_submit_prefetch(struct dm_verity *v, struct dm_verity_io *io,
693 unsigned short ioprio)
695 sector_t block = io->block;
696 unsigned int n_blocks = io->n_blocks;
697 struct dm_verity_prefetch_work *pw;
699 if (v->validated_blocks) {
700 while (n_blocks && test_bit(block, v->validated_blocks)) {
704 while (n_blocks && test_bit(block + n_blocks - 1,
705 v->validated_blocks))
711 pw = kmalloc(sizeof(struct dm_verity_prefetch_work),
712 GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
717 INIT_WORK(&pw->work, verity_prefetch_io);
720 pw->n_blocks = n_blocks;
722 queue_work(v->verify_wq, &pw->work);
726 * Bio map function. It allocates dm_verity_io structure and bio vector and
727 * fills them. Then it issues prefetches and the I/O.
729 static int verity_map(struct dm_target *ti, struct bio *bio)
731 struct dm_verity *v = ti->private;
732 struct dm_verity_io *io;
734 bio_set_dev(bio, v->data_dev->bdev);
735 bio->bi_iter.bi_sector = verity_map_sector(v, bio->bi_iter.bi_sector);
737 if (((unsigned int)bio->bi_iter.bi_sector | bio_sectors(bio)) &
738 ((1 << (v->data_dev_block_bits - SECTOR_SHIFT)) - 1)) {
739 DMERR_LIMIT("unaligned io");
740 return DM_MAPIO_KILL;
743 if (bio_end_sector(bio) >>
744 (v->data_dev_block_bits - SECTOR_SHIFT) > v->data_blocks) {
745 DMERR_LIMIT("io out of range");
746 return DM_MAPIO_KILL;
749 if (bio_data_dir(bio) == WRITE)
750 return DM_MAPIO_KILL;
752 io = dm_per_bio_data(bio, ti->per_io_data_size);
754 io->orig_bi_end_io = bio->bi_end_io;
755 io->block = bio->bi_iter.bi_sector >> (v->data_dev_block_bits - SECTOR_SHIFT);
756 io->n_blocks = bio->bi_iter.bi_size >> v->data_dev_block_bits;
758 bio->bi_end_io = verity_end_io;
759 bio->bi_private = io;
760 io->iter = bio->bi_iter;
762 verity_fec_init_io(io);
764 verity_submit_prefetch(v, io, bio_prio(bio));
766 submit_bio_noacct(bio);
768 return DM_MAPIO_SUBMITTED;
772 * Status: V (valid) or C (corruption found)
774 static void verity_status(struct dm_target *ti, status_type_t type,
775 unsigned int status_flags, char *result, unsigned int maxlen)
777 struct dm_verity *v = ti->private;
778 unsigned int args = 0;
783 case STATUSTYPE_INFO:
784 DMEMIT("%c", v->hash_failed ? 'C' : 'V');
786 case STATUSTYPE_TABLE:
787 DMEMIT("%u %s %s %u %u %llu %llu %s ",
791 1 << v->data_dev_block_bits,
792 1 << v->hash_dev_block_bits,
793 (unsigned long long)v->data_blocks,
794 (unsigned long long)v->hash_start,
797 for (x = 0; x < v->digest_size; x++)
798 DMEMIT("%02x", v->root_digest[x]);
803 for (x = 0; x < v->salt_size; x++)
804 DMEMIT("%02x", v->salt[x]);
805 if (v->mode != DM_VERITY_MODE_EIO)
807 if (verity_fec_is_enabled(v))
808 args += DM_VERITY_OPTS_FEC;
811 if (v->validated_blocks)
815 if (v->signature_key_desc)
816 args += DM_VERITY_ROOT_HASH_VERIFICATION_OPTS;
820 if (v->mode != DM_VERITY_MODE_EIO) {
823 case DM_VERITY_MODE_LOGGING:
824 DMEMIT(DM_VERITY_OPT_LOGGING);
826 case DM_VERITY_MODE_RESTART:
827 DMEMIT(DM_VERITY_OPT_RESTART);
829 case DM_VERITY_MODE_PANIC:
830 DMEMIT(DM_VERITY_OPT_PANIC);
837 DMEMIT(" " DM_VERITY_OPT_IGN_ZEROES);
838 if (v->validated_blocks)
839 DMEMIT(" " DM_VERITY_OPT_AT_MOST_ONCE);
841 DMEMIT(" " DM_VERITY_OPT_TASKLET_VERIFY);
842 sz = verity_fec_status_table(v, sz, result, maxlen);
843 if (v->signature_key_desc)
844 DMEMIT(" " DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY
845 " %s", v->signature_key_desc);
849 DMEMIT_TARGET_NAME_VERSION(ti->type);
850 DMEMIT(",hash_failed=%c", v->hash_failed ? 'C' : 'V');
851 DMEMIT(",verity_version=%u", v->version);
852 DMEMIT(",data_device_name=%s", v->data_dev->name);
853 DMEMIT(",hash_device_name=%s", v->hash_dev->name);
854 DMEMIT(",verity_algorithm=%s", v->alg_name);
856 DMEMIT(",root_digest=");
857 for (x = 0; x < v->digest_size; x++)
858 DMEMIT("%02x", v->root_digest[x]);
864 for (x = 0; x < v->salt_size; x++)
865 DMEMIT("%02x", v->salt[x]);
867 DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n');
868 DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n');
869 if (v->signature_key_desc)
870 DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc);
872 if (v->mode != DM_VERITY_MODE_EIO) {
873 DMEMIT(",verity_mode=");
875 case DM_VERITY_MODE_LOGGING:
876 DMEMIT(DM_VERITY_OPT_LOGGING);
878 case DM_VERITY_MODE_RESTART:
879 DMEMIT(DM_VERITY_OPT_RESTART);
881 case DM_VERITY_MODE_PANIC:
882 DMEMIT(DM_VERITY_OPT_PANIC);
893 static int verity_prepare_ioctl(struct dm_target *ti, struct block_device **bdev)
895 struct dm_verity *v = ti->private;
897 *bdev = v->data_dev->bdev;
899 if (v->data_start || ti->len != bdev_nr_sectors(v->data_dev->bdev))
904 static int verity_iterate_devices(struct dm_target *ti,
905 iterate_devices_callout_fn fn, void *data)
907 struct dm_verity *v = ti->private;
909 return fn(ti, v->data_dev, v->data_start, ti->len, data);
912 static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits)
914 struct dm_verity *v = ti->private;
916 if (limits->logical_block_size < 1 << v->data_dev_block_bits)
917 limits->logical_block_size = 1 << v->data_dev_block_bits;
919 if (limits->physical_block_size < 1 << v->data_dev_block_bits)
920 limits->physical_block_size = 1 << v->data_dev_block_bits;
922 limits->io_min = limits->logical_block_size;
925 * Similar to what dm-crypt does, opt dm-verity out of support for
926 * direct I/O that is aligned to less than the traditional direct I/O
927 * alignment requirement of logical_block_size. This prevents dm-verity
928 * data blocks from crossing pages, eliminating various edge cases.
930 limits->dma_alignment = limits->logical_block_size - 1;
933 static void verity_dtr(struct dm_target *ti)
935 struct dm_verity *v = ti->private;
938 destroy_workqueue(v->verify_wq);
940 mempool_exit(&v->recheck_pool);
942 dm_io_client_destroy(v->io);
945 dm_bufio_client_destroy(v->bufio);
947 kvfree(v->validated_blocks);
949 kfree(v->initial_hashstate);
950 kfree(v->root_digest);
951 kfree(v->zero_digest);
954 static_branch_dec(&ahash_enabled);
955 crypto_free_ahash(v->ahash_tfm);
957 crypto_free_shash(v->shash_tfm);
963 dm_put_device(ti, v->hash_dev);
966 dm_put_device(ti, v->data_dev);
970 kfree(v->signature_key_desc);
973 static_branch_dec(&use_bh_wq_enabled);
977 dm_audit_log_dtr(DM_MSG_PREFIX, ti, 1);
980 static int verity_alloc_most_once(struct dm_verity *v)
982 struct dm_target *ti = v->ti;
984 /* the bitset can only handle INT_MAX blocks */
985 if (v->data_blocks > INT_MAX) {
986 ti->error = "device too large to use check_at_most_once";
990 v->validated_blocks = kvcalloc(BITS_TO_LONGS(v->data_blocks),
991 sizeof(unsigned long),
993 if (!v->validated_blocks) {
994 ti->error = "failed to allocate bitset for check_at_most_once";
1001 static int verity_alloc_zero_digest(struct dm_verity *v)
1004 struct dm_verity_io *io;
1007 v->zero_digest = kmalloc(v->digest_size, GFP_KERNEL);
1009 if (!v->zero_digest)
1012 io = kmalloc(sizeof(*io) + v->hash_reqsize, GFP_KERNEL);
1015 return r; /* verity_dtr will free zero_digest */
1017 zero_data = kzalloc(1 << v->data_dev_block_bits, GFP_KERNEL);
1022 r = verity_hash(v, io, zero_data, 1 << v->data_dev_block_bits,
1023 v->zero_digest, true);
1032 static inline bool verity_is_verity_mode(const char *arg_name)
1034 return (!strcasecmp(arg_name, DM_VERITY_OPT_LOGGING) ||
1035 !strcasecmp(arg_name, DM_VERITY_OPT_RESTART) ||
1036 !strcasecmp(arg_name, DM_VERITY_OPT_PANIC));
1039 static int verity_parse_verity_mode(struct dm_verity *v, const char *arg_name)
1044 if (!strcasecmp(arg_name, DM_VERITY_OPT_LOGGING))
1045 v->mode = DM_VERITY_MODE_LOGGING;
1046 else if (!strcasecmp(arg_name, DM_VERITY_OPT_RESTART))
1047 v->mode = DM_VERITY_MODE_RESTART;
1048 else if (!strcasecmp(arg_name, DM_VERITY_OPT_PANIC))
1049 v->mode = DM_VERITY_MODE_PANIC;
1054 static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
1055 struct dm_verity_sig_opts *verify_args,
1056 bool only_modifier_opts)
1060 struct dm_target *ti = v->ti;
1061 const char *arg_name;
1063 static const struct dm_arg _args[] = {
1064 {0, DM_VERITY_OPTS_MAX, "Invalid number of feature args"},
1067 r = dm_read_arg_group(_args, as, &argc, &ti->error);
1075 arg_name = dm_shift_arg(as);
1078 if (verity_is_verity_mode(arg_name)) {
1079 if (only_modifier_opts)
1081 r = verity_parse_verity_mode(v, arg_name);
1083 ti->error = "Conflicting error handling parameters";
1088 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_IGN_ZEROES)) {
1089 if (only_modifier_opts)
1091 r = verity_alloc_zero_digest(v);
1093 ti->error = "Cannot allocate zero digest";
1098 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_AT_MOST_ONCE)) {
1099 if (only_modifier_opts)
1101 r = verity_alloc_most_once(v);
1106 } else if (!strcasecmp(arg_name, DM_VERITY_OPT_TASKLET_VERIFY)) {
1107 v->use_bh_wq = true;
1108 static_branch_inc(&use_bh_wq_enabled);
1111 } else if (verity_is_fec_opt_arg(arg_name)) {
1112 if (only_modifier_opts)
1114 r = verity_fec_parse_opt_args(as, v, &argc, arg_name);
1119 } else if (verity_verify_is_sig_opt_arg(arg_name)) {
1120 if (only_modifier_opts)
1122 r = verity_verify_sig_parse_opt_args(as, v,
1129 } else if (only_modifier_opts) {
1131 * Ignore unrecognized opt, could easily be an extra
1132 * argument to an option whose parsing was skipped.
1133 * Normal parsing (@only_modifier_opts=false) will
1134 * properly parse all options (and their extra args).
1139 DMERR("Unrecognized verity feature request: %s", arg_name);
1140 ti->error = "Unrecognized verity feature request";
1142 } while (argc && !r);
1147 static int verity_setup_hash_alg(struct dm_verity *v, const char *alg_name)
1149 struct dm_target *ti = v->ti;
1150 struct crypto_ahash *ahash;
1151 struct crypto_shash *shash = NULL;
1152 const char *driver_name;
1154 v->alg_name = kstrdup(alg_name, GFP_KERNEL);
1156 ti->error = "Cannot allocate algorithm name";
1161 * Allocate the hash transformation object that this dm-verity instance
1162 * will use. The vast majority of dm-verity users use CPU-based
1163 * hashing, so when possible use the shash API to minimize the crypto
1164 * API overhead. If the ahash API resolves to a different driver
1165 * (likely an off-CPU hardware offload), use ahash instead. Also use
1166 * ahash if the obsolete dm-verity format with the appended salt is
1167 * being used, so that quirk only needs to be handled in one place.
1169 ahash = crypto_alloc_ahash(alg_name, 0,
1170 v->use_bh_wq ? CRYPTO_ALG_ASYNC : 0);
1171 if (IS_ERR(ahash)) {
1172 ti->error = "Cannot initialize hash function";
1173 return PTR_ERR(ahash);
1175 driver_name = crypto_ahash_driver_name(ahash);
1176 if (v->version >= 1 /* salt prepended, not appended? */) {
1177 shash = crypto_alloc_shash(alg_name, 0, 0);
1178 if (!IS_ERR(shash) &&
1179 strcmp(crypto_shash_driver_name(shash), driver_name) != 0) {
1181 * ahash gave a different driver than shash, so probably
1182 * this is a case of real hardware offload. Use ahash.
1184 crypto_free_shash(shash);
1188 if (!IS_ERR_OR_NULL(shash)) {
1189 crypto_free_ahash(ahash);
1191 v->shash_tfm = shash;
1192 v->digest_size = crypto_shash_digestsize(shash);
1193 v->hash_reqsize = sizeof(struct shash_desc) +
1194 crypto_shash_descsize(shash);
1195 DMINFO("%s using shash \"%s\"", alg_name, driver_name);
1197 v->ahash_tfm = ahash;
1198 static_branch_inc(&ahash_enabled);
1199 v->digest_size = crypto_ahash_digestsize(ahash);
1200 v->hash_reqsize = sizeof(struct ahash_request) +
1201 crypto_ahash_reqsize(ahash);
1202 DMINFO("%s using ahash \"%s\"", alg_name, driver_name);
1204 if ((1 << v->hash_dev_block_bits) < v->digest_size * 2) {
1205 ti->error = "Digest size too big";
1211 static int verity_setup_salt_and_hashstate(struct dm_verity *v, const char *arg)
1213 struct dm_target *ti = v->ti;
1215 if (strcmp(arg, "-") != 0) {
1216 v->salt_size = strlen(arg) / 2;
1217 v->salt = kmalloc(v->salt_size, GFP_KERNEL);
1219 ti->error = "Cannot allocate salt";
1222 if (strlen(arg) != v->salt_size * 2 ||
1223 hex2bin(v->salt, arg, v->salt_size)) {
1224 ti->error = "Invalid salt";
1229 SHASH_DESC_ON_STACK(desc, v->shash_tfm);
1233 * Compute the pre-salted hash state that can be passed to
1234 * crypto_shash_import() for each block later.
1236 v->initial_hashstate = kmalloc(
1237 crypto_shash_statesize(v->shash_tfm), GFP_KERNEL);
1238 if (!v->initial_hashstate) {
1239 ti->error = "Cannot allocate initial hash state";
1242 desc->tfm = v->shash_tfm;
1243 r = crypto_shash_init(desc) ?:
1244 crypto_shash_update(desc, v->salt, v->salt_size) ?:
1245 crypto_shash_export(desc, v->initial_hashstate);
1247 ti->error = "Cannot set up initial hash state";
1255 * Target parameters:
1256 * <version> The current format is version 1.
1257 * Vsn 0 is compatible with original Chromium OS releases.
1262 * <the number of data blocks>
1263 * <hash start block>
1266 * <salt> Hex string or "-" if no salt.
1268 static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv)
1270 struct dm_verity *v;
1271 struct dm_verity_sig_opts verify_args = {0};
1272 struct dm_arg_set as;
1274 unsigned long long num_ll;
1277 sector_t hash_position;
1279 char *root_hash_digest_to_validate;
1281 v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL);
1283 ti->error = "Cannot allocate verity structure";
1289 r = verity_fec_ctr_alloc(v);
1293 if ((dm_table_get_mode(ti->table) & ~BLK_OPEN_READ)) {
1294 ti->error = "Device must be readonly";
1300 ti->error = "Not enough arguments";
1305 /* Parse optional parameters that modify primary args */
1307 as.argc = argc - 10;
1308 as.argv = argv + 10;
1309 r = verity_parse_opt_args(&as, v, &verify_args, true);
1314 if (sscanf(argv[0], "%u%c", &num, &dummy) != 1 ||
1316 ti->error = "Invalid version";
1322 r = dm_get_device(ti, argv[1], BLK_OPEN_READ, &v->data_dev);
1324 ti->error = "Data device lookup failed";
1328 r = dm_get_device(ti, argv[2], BLK_OPEN_READ, &v->hash_dev);
1330 ti->error = "Hash device lookup failed";
1334 if (sscanf(argv[3], "%u%c", &num, &dummy) != 1 ||
1335 !num || (num & (num - 1)) ||
1336 num < bdev_logical_block_size(v->data_dev->bdev) ||
1338 ti->error = "Invalid data device block size";
1342 v->data_dev_block_bits = __ffs(num);
1344 if (sscanf(argv[4], "%u%c", &num, &dummy) != 1 ||
1345 !num || (num & (num - 1)) ||
1346 num < bdev_logical_block_size(v->hash_dev->bdev) ||
1348 ti->error = "Invalid hash device block size";
1352 v->hash_dev_block_bits = __ffs(num);
1354 if (sscanf(argv[5], "%llu%c", &num_ll, &dummy) != 1 ||
1355 (sector_t)(num_ll << (v->data_dev_block_bits - SECTOR_SHIFT))
1356 >> (v->data_dev_block_bits - SECTOR_SHIFT) != num_ll) {
1357 ti->error = "Invalid data blocks";
1361 v->data_blocks = num_ll;
1363 if (ti->len > (v->data_blocks << (v->data_dev_block_bits - SECTOR_SHIFT))) {
1364 ti->error = "Data device is too small";
1369 if (sscanf(argv[6], "%llu%c", &num_ll, &dummy) != 1 ||
1370 (sector_t)(num_ll << (v->hash_dev_block_bits - SECTOR_SHIFT))
1371 >> (v->hash_dev_block_bits - SECTOR_SHIFT) != num_ll) {
1372 ti->error = "Invalid hash start";
1376 v->hash_start = num_ll;
1378 r = verity_setup_hash_alg(v, argv[7]);
1382 v->root_digest = kmalloc(v->digest_size, GFP_KERNEL);
1383 if (!v->root_digest) {
1384 ti->error = "Cannot allocate root digest";
1388 if (strlen(argv[8]) != v->digest_size * 2 ||
1389 hex2bin(v->root_digest, argv[8], v->digest_size)) {
1390 ti->error = "Invalid root digest";
1394 root_hash_digest_to_validate = argv[8];
1396 r = verity_setup_salt_and_hashstate(v, argv[9]);
1403 /* Optional parameters */
1407 r = verity_parse_opt_args(&as, v, &verify_args, false);
1412 /* Root hash signature is a optional parameter*/
1413 r = verity_verify_root_hash(root_hash_digest_to_validate,
1414 strlen(root_hash_digest_to_validate),
1416 verify_args.sig_size);
1418 ti->error = "Root hash verification failed";
1421 v->hash_per_block_bits =
1422 __fls((1 << v->hash_dev_block_bits) / v->digest_size);
1426 while (v->hash_per_block_bits * v->levels < 64 &&
1427 (unsigned long long)(v->data_blocks - 1) >>
1428 (v->hash_per_block_bits * v->levels))
1431 if (v->levels > DM_VERITY_MAX_LEVELS) {
1432 ti->error = "Too many tree levels";
1437 hash_position = v->hash_start;
1438 for (i = v->levels - 1; i >= 0; i--) {
1441 v->hash_level_block[i] = hash_position;
1442 s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1)
1443 >> ((i + 1) * v->hash_per_block_bits);
1444 if (hash_position + s < hash_position) {
1445 ti->error = "Hash device offset overflow";
1451 v->hash_blocks = hash_position;
1453 r = mempool_init_page_pool(&v->recheck_pool, 1, 0);
1455 ti->error = "Cannot allocate mempool";
1459 v->io = dm_io_client_create();
1460 if (IS_ERR(v->io)) {
1463 ti->error = "Cannot allocate dm io";
1467 v->bufio = dm_bufio_client_create(v->hash_dev->bdev,
1468 1 << v->hash_dev_block_bits, 1, sizeof(struct buffer_aux),
1469 dm_bufio_alloc_callback, NULL,
1470 v->use_bh_wq ? DM_BUFIO_CLIENT_NO_SLEEP : 0);
1471 if (IS_ERR(v->bufio)) {
1472 ti->error = "Cannot initialize dm-bufio";
1473 r = PTR_ERR(v->bufio);
1478 if (dm_bufio_get_device_size(v->bufio) < v->hash_blocks) {
1479 ti->error = "Hash device is too small";
1485 * Using WQ_HIGHPRI improves throughput and completion latency by
1486 * reducing wait times when reading from a dm-verity device.
1488 * Also as required for the "try_verify_in_tasklet" feature: WQ_HIGHPRI
1489 * allows verify_wq to preempt softirq since verification in BH workqueue
1490 * will fall-back to using it for error handling (or if the bufio cache
1491 * doesn't have required hashes).
1493 v->verify_wq = alloc_workqueue("kverityd", WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
1494 if (!v->verify_wq) {
1495 ti->error = "Cannot allocate workqueue";
1500 ti->per_io_data_size = sizeof(struct dm_verity_io) + v->hash_reqsize;
1502 r = verity_fec_ctr(v);
1506 ti->per_io_data_size = roundup(ti->per_io_data_size,
1507 __alignof__(struct dm_verity_io));
1509 verity_verify_sig_opts_cleanup(&verify_args);
1511 dm_audit_log_ctr(DM_MSG_PREFIX, ti, 1);
1517 verity_verify_sig_opts_cleanup(&verify_args);
1518 dm_audit_log_ctr(DM_MSG_PREFIX, ti, 0);
1525 * Get the verity mode (error behavior) of a verity target.
1527 * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
1530 int dm_verity_get_mode(struct dm_target *ti)
1532 struct dm_verity *v = ti->private;
1534 if (!dm_is_verity_target(ti))
1541 * Get the root digest of a verity target.
1543 * Returns a copy of the root digest, the caller is responsible for
1544 * freeing the memory of the digest.
1546 int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned int *digest_size)
1548 struct dm_verity *v = ti->private;
1550 if (!dm_is_verity_target(ti))
1553 *root_digest = kmemdup(v->root_digest, v->digest_size, GFP_KERNEL);
1554 if (*root_digest == NULL)
1557 *digest_size = v->digest_size;
1562 static struct target_type verity_target = {
1564 .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE,
1565 .version = {1, 10, 0},
1566 .module = THIS_MODULE,
1570 .status = verity_status,
1571 .prepare_ioctl = verity_prepare_ioctl,
1572 .iterate_devices = verity_iterate_devices,
1573 .io_hints = verity_io_hints,
1578 * Check whether a DM target is a verity target.
1580 bool dm_is_verity_target(struct dm_target *ti)
1582 return ti->type == &verity_target;
1588 MODULE_DESCRIPTION(DM_NAME " target for transparent disk integrity checking");
1589 MODULE_LICENSE("GPL");
projects / linux.git / blob