/src/cryptsetup/lib/verity/verity_hash.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * dm-verity volume handling |
3 | | * |
4 | | * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. |
5 | | * |
6 | | * This file is free software; you can redistribute it and/or |
7 | | * modify it under the terms of the GNU Lesser General Public |
8 | | * License as published by the Free Software Foundation; either |
9 | | * version 2.1 of the License, or (at your option) any later version. |
10 | | * |
11 | | * This file is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | | * Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public |
17 | | * License along with this file; if not, write to the Free Software |
18 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | | */ |
20 | | |
21 | | #include <errno.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | #include <string.h> |
25 | | #include <stdint.h> |
26 | | |
27 | | #include "verity.h" |
28 | | #include "internal.h" |
29 | | |
30 | 0 | #define VERITY_MAX_LEVELS 63 |
31 | | #define VERITY_MAX_DIGEST_SIZE 1024 |
32 | | |
33 | | static unsigned get_bits_up(size_t u) |
34 | 0 | { |
35 | 0 | unsigned i = 0; |
36 | 0 | while ((1U << i) < u) |
37 | 0 | i++; |
38 | 0 | return i; |
39 | 0 | } |
40 | | |
41 | | static unsigned get_bits_down(size_t u) |
42 | 0 | { |
43 | 0 | unsigned i = 0; |
44 | 0 | while ((u >> i) > 1U) |
45 | 0 | i++; |
46 | 0 | return i; |
47 | 0 | } |
48 | | |
49 | | static int verify_zero(struct crypt_device *cd, FILE *wr, size_t bytes) |
50 | 0 | { |
51 | 0 | char *block = NULL; |
52 | 0 | size_t i; |
53 | 0 | int r; |
54 | |
|
55 | 0 | block = malloc(bytes); |
56 | 0 | if (!block) |
57 | 0 | return -ENOMEM; |
58 | | |
59 | 0 | if (fread(block, bytes, 1, wr) != 1) { |
60 | 0 | log_dbg(cd, "EIO while reading spare area."); |
61 | 0 | r = -EIO; |
62 | 0 | goto out; |
63 | 0 | } |
64 | 0 | for (i = 0; i < bytes; i++) |
65 | 0 | if (block[i]) { |
66 | 0 | log_err(cd, _("Spare area is not zeroed at position %" PRIu64 "."), |
67 | 0 | ftello(wr) - bytes); |
68 | 0 | r = -EPERM; |
69 | 0 | goto out; |
70 | 0 | } |
71 | 0 | r = 0; |
72 | 0 | out: |
73 | 0 | free(block); |
74 | 0 | return r; |
75 | 0 | } |
76 | | |
77 | | static int verify_hash_block(const char *hash_name, int version, |
78 | | char *hash, size_t hash_size, |
79 | | const char *data, size_t data_size, |
80 | | const char *salt, size_t salt_size) |
81 | 0 | { |
82 | 0 | struct crypt_hash *ctx = NULL; |
83 | 0 | int r; |
84 | |
|
85 | 0 | if (crypt_hash_init(&ctx, hash_name)) |
86 | 0 | return -EINVAL; |
87 | | |
88 | 0 | if (version == 1 && (r = crypt_hash_write(ctx, salt, salt_size))) |
89 | 0 | goto out; |
90 | | |
91 | 0 | if ((r = crypt_hash_write(ctx, data, data_size))) |
92 | 0 | goto out; |
93 | | |
94 | 0 | if (version == 0 && (r = crypt_hash_write(ctx, salt, salt_size))) |
95 | 0 | goto out; |
96 | | |
97 | 0 | r = crypt_hash_final(ctx, hash, hash_size); |
98 | 0 | out: |
99 | 0 | crypt_hash_destroy(ctx); |
100 | 0 | return r; |
101 | 0 | } |
102 | | |
103 | | static int hash_levels(size_t hash_block_size, size_t digest_size, |
104 | | uint64_t data_file_blocks, uint64_t *hash_position, int *levels, |
105 | | uint64_t *hash_level_block, uint64_t *hash_level_size) |
106 | 0 | { |
107 | 0 | size_t hash_per_block_bits; |
108 | 0 | uint64_t s, s_shift; |
109 | 0 | int i; |
110 | |
|
111 | 0 | if (!digest_size) |
112 | 0 | return -EINVAL; |
113 | | |
114 | 0 | hash_per_block_bits = get_bits_down(hash_block_size / digest_size); |
115 | 0 | if (!hash_per_block_bits) |
116 | 0 | return -EINVAL; |
117 | | |
118 | 0 | *levels = 0; |
119 | 0 | while (hash_per_block_bits * *levels < 64 && |
120 | 0 | (data_file_blocks - 1) >> (hash_per_block_bits * *levels)) |
121 | 0 | (*levels)++; |
122 | |
|
123 | 0 | if (*levels > VERITY_MAX_LEVELS) |
124 | 0 | return -EINVAL; |
125 | | |
126 | 0 | for (i = *levels - 1; i >= 0; i--) { |
127 | 0 | if (hash_level_block) |
128 | 0 | hash_level_block[i] = *hash_position; |
129 | | // verity position of block data_file_blocks at level i |
130 | 0 | s_shift = (i + 1) * hash_per_block_bits; |
131 | 0 | if (s_shift > 63) |
132 | 0 | return -EINVAL; |
133 | 0 | s = (data_file_blocks + ((uint64_t)1 << s_shift) - 1) >> ((i + 1) * hash_per_block_bits); |
134 | 0 | if (hash_level_size) |
135 | 0 | hash_level_size[i] = s; |
136 | 0 | if ((*hash_position + s) < *hash_position) |
137 | 0 | return -EINVAL; |
138 | 0 | *hash_position += s; |
139 | 0 | } |
140 | | |
141 | 0 | return 0; |
142 | 0 | } |
143 | | |
144 | | static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr, |
145 | | uint64_t data_block, size_t data_block_size, |
146 | | uint64_t hash_block, size_t hash_block_size, |
147 | | uint64_t blocks, int version, |
148 | | const char *hash_name, int verify, |
149 | | char *calculated_digest, size_t digest_size, |
150 | | const char *salt, size_t salt_size) |
151 | 0 | { |
152 | 0 | char *left_block, *data_buffer; |
153 | 0 | char read_digest[VERITY_MAX_DIGEST_SIZE]; |
154 | 0 | size_t hash_per_block = 1 << get_bits_down(hash_block_size / digest_size); |
155 | 0 | size_t digest_size_full = 1 << get_bits_up(digest_size); |
156 | 0 | uint64_t blocks_to_write = (blocks + hash_per_block - 1) / hash_per_block; |
157 | 0 | uint64_t seek_rd, seek_wr; |
158 | 0 | size_t left_bytes; |
159 | 0 | unsigned i; |
160 | 0 | int r; |
161 | |
|
162 | 0 | if (digest_size > sizeof(read_digest)) |
163 | 0 | return -EINVAL; |
164 | | |
165 | 0 | if (uint64_mult_overflow(&seek_rd, data_block, data_block_size) || |
166 | 0 | uint64_mult_overflow(&seek_wr, hash_block, hash_block_size)) { |
167 | 0 | log_err(cd, _("Device offset overflow.")); |
168 | 0 | return -EINVAL; |
169 | 0 | } |
170 | | |
171 | 0 | if (fseeko(rd, seek_rd, SEEK_SET)) { |
172 | 0 | log_dbg(cd, "Cannot seek to requested position in data device."); |
173 | 0 | return -EIO; |
174 | 0 | } |
175 | | |
176 | 0 | if (wr && fseeko(wr, seek_wr, SEEK_SET)) { |
177 | 0 | log_dbg(cd, "Cannot seek to requested position in hash device."); |
178 | 0 | return -EIO; |
179 | 0 | } |
180 | | |
181 | 0 | left_block = malloc(hash_block_size); |
182 | 0 | data_buffer = malloc(data_block_size); |
183 | 0 | if (!left_block || !data_buffer) { |
184 | 0 | r = -ENOMEM; |
185 | 0 | goto out; |
186 | 0 | } |
187 | | |
188 | 0 | memset(left_block, 0, hash_block_size); |
189 | 0 | while (blocks_to_write--) { |
190 | 0 | left_bytes = hash_block_size; |
191 | 0 | for (i = 0; i < hash_per_block; i++) { |
192 | 0 | if (!blocks) |
193 | 0 | break; |
194 | 0 | blocks--; |
195 | 0 | if (fread(data_buffer, data_block_size, 1, rd) != 1) { |
196 | 0 | log_dbg(cd, "Cannot read data device block."); |
197 | 0 | r = -EIO; |
198 | 0 | goto out; |
199 | 0 | } |
200 | | |
201 | 0 | if (verify_hash_block(hash_name, version, |
202 | 0 | calculated_digest, digest_size, |
203 | 0 | data_buffer, data_block_size, |
204 | 0 | salt, salt_size)) { |
205 | 0 | r = -EINVAL; |
206 | 0 | goto out; |
207 | 0 | } |
208 | | |
209 | 0 | if (!wr) |
210 | 0 | break; |
211 | 0 | if (verify) { |
212 | 0 | if (fread(read_digest, digest_size, 1, wr) != 1) { |
213 | 0 | log_dbg(cd, "Cannot read digest form hash device."); |
214 | 0 | r = -EIO; |
215 | 0 | goto out; |
216 | 0 | } |
217 | 0 | if (crypt_backend_memeq(read_digest, calculated_digest, digest_size)) { |
218 | 0 | log_err(cd, _("Verification failed at position %" PRIu64 "."), |
219 | 0 | ftello(rd) - data_block_size); |
220 | 0 | r = -EPERM; |
221 | 0 | goto out; |
222 | 0 | } |
223 | 0 | } else { |
224 | 0 | if (fwrite(calculated_digest, digest_size, 1, wr) != 1) { |
225 | 0 | log_dbg(cd, "Cannot write digest to hash device."); |
226 | 0 | r = -EIO; |
227 | 0 | goto out; |
228 | 0 | } |
229 | 0 | } |
230 | 0 | if (version == 0) { |
231 | 0 | left_bytes -= digest_size; |
232 | 0 | } else { |
233 | 0 | if (digest_size_full - digest_size) { |
234 | 0 | if (verify) { |
235 | 0 | r = verify_zero(cd, wr, digest_size_full - digest_size); |
236 | 0 | if (r) |
237 | 0 | goto out; |
238 | 0 | } else if (fwrite(left_block, digest_size_full - digest_size, 1, wr) != 1) { |
239 | 0 | log_dbg(cd, "Cannot write spare area to hash device."); |
240 | 0 | r = -EIO; |
241 | 0 | goto out; |
242 | 0 | } |
243 | 0 | } |
244 | 0 | left_bytes -= digest_size_full; |
245 | 0 | } |
246 | 0 | } |
247 | 0 | if (wr && left_bytes) { |
248 | 0 | if (verify) { |
249 | 0 | r = verify_zero(cd , wr, left_bytes); |
250 | 0 | if (r) |
251 | 0 | goto out; |
252 | 0 | } else if (fwrite(left_block, left_bytes, 1, wr) != 1) { |
253 | 0 | log_dbg(cd, "Cannot write remaining spare area to hash device."); |
254 | 0 | r = -EIO; |
255 | 0 | goto out; |
256 | 0 | } |
257 | 0 | } |
258 | 0 | } |
259 | 0 | r = 0; |
260 | 0 | out: |
261 | 0 | free(left_block); |
262 | 0 | free(data_buffer); |
263 | 0 | return r; |
264 | 0 | } |
265 | | |
266 | | static int VERITY_create_or_verify_hash(struct crypt_device *cd, bool verify, |
267 | | struct crypt_params_verity *params, |
268 | | char *root_hash, size_t digest_size) |
269 | 0 | { |
270 | 0 | char calculated_digest[VERITY_MAX_DIGEST_SIZE]; |
271 | 0 | FILE *data_file = NULL; |
272 | 0 | FILE *hash_file = NULL, *hash_file_2; |
273 | 0 | uint64_t hash_level_block[VERITY_MAX_LEVELS]; |
274 | 0 | uint64_t hash_level_size[VERITY_MAX_LEVELS]; |
275 | 0 | uint64_t data_file_blocks; |
276 | 0 | uint64_t data_device_offset_max = 0, hash_device_offset_max = 0; |
277 | 0 | uint64_t hash_position = VERITY_hash_offset_block(params); |
278 | 0 | uint64_t dev_size; |
279 | 0 | int levels, i, r; |
280 | |
|
281 | 0 | log_dbg(cd, "Hash %s %s, data device %s, data blocks %" PRIu64 |
282 | 0 | ", hash_device %s, offset %" PRIu64 ".", |
283 | 0 | verify ? "verification" : "creation", params->hash_name, |
284 | 0 | device_path(crypt_data_device(cd)), params->data_size, |
285 | 0 | device_path(crypt_metadata_device(cd)), hash_position); |
286 | |
|
287 | 0 | if (digest_size > sizeof(calculated_digest)) |
288 | 0 | return -EINVAL; |
289 | | |
290 | 0 | if (!params->data_size) { |
291 | 0 | r = device_size(crypt_data_device(cd), &dev_size); |
292 | 0 | if (r < 0) |
293 | 0 | return r; |
294 | | |
295 | 0 | data_file_blocks = dev_size / params->data_block_size; |
296 | 0 | } else |
297 | 0 | data_file_blocks = params->data_size; |
298 | | |
299 | 0 | if (uint64_mult_overflow(&data_device_offset_max, params->data_size, params->data_block_size)) { |
300 | 0 | log_err(cd, _("Device offset overflow.")); |
301 | 0 | return -EINVAL; |
302 | 0 | } |
303 | 0 | log_dbg(cd, "Data device size required: %" PRIu64 " bytes.", data_device_offset_max); |
304 | |
|
305 | 0 | if (hash_levels(params->hash_block_size, digest_size, data_file_blocks, &hash_position, |
306 | 0 | &levels, &hash_level_block[0], &hash_level_size[0])) { |
307 | 0 | log_err(cd, _("Hash area overflow.")); |
308 | 0 | return -EINVAL; |
309 | 0 | } |
310 | 0 | if (uint64_mult_overflow(&hash_device_offset_max, hash_position, params->hash_block_size)) { |
311 | 0 | log_err(cd, _("Device offset overflow.")); |
312 | 0 | return -EINVAL; |
313 | 0 | } |
314 | 0 | log_dbg(cd, "Hash device size required: %" PRIu64 " bytes.", |
315 | 0 | hash_device_offset_max - params->hash_area_offset); |
316 | 0 | log_dbg(cd, "Using %d hash levels.", levels); |
317 | |
|
318 | 0 | data_file = fopen(device_path(crypt_data_device(cd)), "r"); |
319 | 0 | if (!data_file) { |
320 | 0 | log_err(cd, _("Cannot open device %s."), |
321 | 0 | device_path(crypt_data_device(cd)) |
322 | 0 | ); |
323 | 0 | r = -EIO; |
324 | 0 | goto out; |
325 | 0 | } |
326 | | |
327 | 0 | hash_file = fopen(device_path(crypt_metadata_device(cd)), verify ? "r" : "r+"); |
328 | 0 | if (!hash_file) { |
329 | 0 | log_err(cd, _("Cannot open device %s."), |
330 | 0 | device_path(crypt_metadata_device(cd))); |
331 | 0 | r = -EIO; |
332 | 0 | goto out; |
333 | 0 | } |
334 | | |
335 | 0 | memset(calculated_digest, 0, digest_size); |
336 | |
|
337 | 0 | for (i = 0; i < levels; i++) { |
338 | 0 | if (!i) { |
339 | 0 | r = create_or_verify(cd, data_file, hash_file, |
340 | 0 | 0, params->data_block_size, |
341 | 0 | hash_level_block[i], params->hash_block_size, |
342 | 0 | data_file_blocks, params->hash_type, params->hash_name, verify, |
343 | 0 | calculated_digest, digest_size, params->salt, params->salt_size); |
344 | 0 | if (r) |
345 | 0 | goto out; |
346 | 0 | } else { |
347 | 0 | hash_file_2 = fopen(device_path(crypt_metadata_device(cd)), "r"); |
348 | 0 | if (!hash_file_2) { |
349 | 0 | log_err(cd, _("Cannot open device %s."), |
350 | 0 | device_path(crypt_metadata_device(cd))); |
351 | 0 | r = -EIO; |
352 | 0 | goto out; |
353 | 0 | } |
354 | 0 | r = create_or_verify(cd, hash_file_2, hash_file, |
355 | 0 | hash_level_block[i - 1], params->hash_block_size, |
356 | 0 | hash_level_block[i], params->hash_block_size, |
357 | 0 | hash_level_size[i - 1], params->hash_type, params->hash_name, verify, |
358 | 0 | calculated_digest, digest_size, params->salt, params->salt_size); |
359 | 0 | fclose(hash_file_2); |
360 | 0 | if (r) |
361 | 0 | goto out; |
362 | 0 | } |
363 | 0 | } |
364 | | |
365 | 0 | if (levels) |
366 | 0 | r = create_or_verify(cd, hash_file, NULL, |
367 | 0 | hash_level_block[levels - 1], params->hash_block_size, |
368 | 0 | 0, params->hash_block_size, |
369 | 0 | 1, params->hash_type, params->hash_name, verify, |
370 | 0 | calculated_digest, digest_size, params->salt, params->salt_size); |
371 | 0 | else |
372 | 0 | r = create_or_verify(cd, data_file, NULL, |
373 | 0 | 0, params->data_block_size, |
374 | 0 | 0, params->hash_block_size, |
375 | 0 | data_file_blocks, params->hash_type, params->hash_name, verify, |
376 | 0 | calculated_digest, digest_size, params->salt, params->salt_size); |
377 | 0 | out: |
378 | 0 | if (verify) { |
379 | 0 | if (r) |
380 | 0 | log_err(cd, _("Verification of data area failed.")); |
381 | 0 | else { |
382 | 0 | log_dbg(cd, "Verification of data area succeeded."); |
383 | 0 | r = crypt_backend_memeq(root_hash, calculated_digest, digest_size) ? -EFAULT : 0; |
384 | 0 | if (r) |
385 | 0 | log_err(cd, _("Verification of root hash failed.")); |
386 | 0 | else |
387 | 0 | log_dbg(cd, "Verification of root hash succeeded."); |
388 | 0 | } |
389 | 0 | } else { |
390 | 0 | if (r == -EIO) |
391 | 0 | log_err(cd, _("Input/output error while creating hash area.")); |
392 | 0 | else if (r) |
393 | 0 | log_err(cd, _("Creation of hash area failed.")); |
394 | 0 | else { |
395 | 0 | fsync(fileno(hash_file)); |
396 | 0 | memcpy(root_hash, calculated_digest, digest_size); |
397 | 0 | } |
398 | 0 | } |
399 | |
|
400 | 0 | if (data_file) |
401 | 0 | fclose(data_file); |
402 | 0 | if (hash_file) |
403 | 0 | fclose(hash_file); |
404 | 0 | return r; |
405 | 0 | } |
406 | | |
407 | | /* Verify verity device using userspace crypto backend */ |
408 | | int VERITY_verify(struct crypt_device *cd, |
409 | | struct crypt_params_verity *verity_hdr, |
410 | | const char *root_hash, |
411 | | size_t root_hash_size) |
412 | 0 | { |
413 | 0 | return VERITY_create_or_verify_hash(cd, 1, verity_hdr, CONST_CAST(char*)root_hash, root_hash_size); |
414 | 0 | } |
415 | | |
416 | | /* Create verity hash */ |
417 | | int VERITY_create(struct crypt_device *cd, |
418 | | struct crypt_params_verity *verity_hdr, |
419 | | const char *root_hash, |
420 | | size_t root_hash_size) |
421 | 0 | { |
422 | 0 | unsigned pgsize = (unsigned)crypt_getpagesize(); |
423 | |
|
424 | 0 | if (verity_hdr->salt_size > 256) |
425 | 0 | return -EINVAL; |
426 | | |
427 | 0 | if (verity_hdr->data_block_size > pgsize) |
428 | 0 | log_err(cd, _("WARNING: Kernel cannot activate device if data " |
429 | 0 | "block size exceeds page size (%u)."), pgsize); |
430 | |
|
431 | 0 | return VERITY_create_or_verify_hash(cd, 0, verity_hdr, CONST_CAST(char*)root_hash, root_hash_size); |
432 | 0 | } |
433 | | |
434 | | uint64_t VERITY_hash_blocks(struct crypt_device *cd, struct crypt_params_verity *params) |
435 | 0 | { |
436 | 0 | uint64_t hash_position = 0; |
437 | 0 | int levels = 0; |
438 | |
|
439 | 0 | if (hash_levels(params->hash_block_size, crypt_get_volume_key_size(cd), |
440 | 0 | params->data_size, &hash_position, &levels, NULL, NULL)) |
441 | 0 | return 0; |
442 | | |
443 | 0 | return (uint64_t)hash_position; |
444 | 0 | } |