diff mbox series

[v3] btrfs: send: add support for fs-verity

Message ID 7ac3a01572a872f8779f357598215e0e07d191bd.1659379913.git.boris@bur.io (mailing list archive)
State New, archived
Headers show
Series [v3] btrfs: send: add support for fs-verity | expand

Commit Message

Boris Burkov Aug. 1, 2022, 6:54 p.m. UTC
Preserve the fs-verity status of a btrfs file across send/recv.

There is no facility for installing the Merkle tree contents directly on
the receiving filesystem, so we package up the parameters used to enable
verity found in the verity descriptor. This gives the receive side
enough information to properly enable verity again. Note that this means
that receive will have to re-compute the whole Merkle tree, similar to
how compression worked before encoded_write.

Since the file becomes read-only after verity is enabled, it is
important that verity is added to the send stream after any file writes.
Therefore, when we process a verity item, merely note that it happened,
then actually create the command in the send stream during
'finish_inode_if_needed'.

This also creates V3 of the send stream format, without any format
changes besides adding the new commands and attributes.

Signed-off-by: Boris Burkov <boris@bur.io>

--
Changes in v3:
- Fixed build failure when CONFIG_FS_VERITY was not set. This required a
  kludge to avoid a build warning as well.
Changes in v2:
- Allocate 16K with kvmalloc and keep it around till the end of send
  instead of re-allocating on each file with fs-verity.
- Use unsigned literal for bitshift.
---
 fs/btrfs/send.c              | 114 +++++++++++++++++++++++++++++++++++
 fs/btrfs/send.h              |  15 ++++-
 fs/verity/fsverity_private.h |   2 -
 include/linux/fsverity.h     |   3 +
 4 files changed, 129 insertions(+), 5 deletions(-)

Comments

Eric Biggers Aug. 2, 2022, 8:38 p.m. UTC | #1
On Mon, Aug 01, 2022 at 11:54:40AM -0700, Boris Burkov wrote:
> +#ifdef CONFIG_FS_VERITY
> +static int send_verity(struct send_ctx *sctx, struct fs_path *path,
> +		       struct fsverity_descriptor *desc)
> +{
> +	int ret;
> +
> +	ret = begin_cmd(sctx, BTRFS_SEND_C_ENABLE_VERITY);
> +	if (ret < 0)
> +		goto out;
> +
> +	TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path);
> +	TLV_PUT_U8(sctx, BTRFS_SEND_A_VERITY_ALGORITHM, desc->hash_algorithm);
> +	TLV_PUT_U32(sctx, BTRFS_SEND_A_VERITY_BLOCK_SIZE, 1U << desc->log_blocksize);
> +	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SALT_DATA, desc->salt, desc->salt_size);
> +	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SIG_DATA, desc->signature, (int)desc->sig_size);

le32_to_cpu(desc->sig_size)

> +
> +	ret = send_cmd(sctx);
> +
> +tlv_put_failure:
> +out:
> +	return ret;
> +}

The 'out' label is unnecessary.

> +
> +static int process_new_verity(struct send_ctx *sctx)

What does "new verity" mean in this context?  The other functions called by
finish_inode_if_needed() have names like send_chown(), send_chmod(), etc., so
this name seems inconsistent (although I'm not familiar with this code).

> +
> +	ret = send_verity(sctx, p, sctx->verity_descriptor);
> +	if (ret < 0)
> +		goto free_path;
> +
> +free_path:
> +	fs_path_free(p);

The goto above is unnecessary.

> +static int process_new_verity(struct send_ctx *sctx)
> +{
> +	int ret = 0;
> +	struct send_ctx tmp;
> +
> +	return -EPERM;
> +	/* avoid unused TLV_PUT_U8 build warning without CONFIG_FS_VERITY */
> +	TLV_PUT_U8(&tmp, 0, 0);
> +tlv_put_failure:
> +	return -EPERM;
> +}
> +#endif

How about adding __maybe_unused to tlv_put_u##bits instead?

> @@ -8036,6 +8148,8 @@ long btrfs_ioctl_send(struct inode *inode, struct btrfs_ioctl_send_args *arg)
>  		kvfree(sctx->clone_roots);
>  		kfree(sctx->send_buf_pages);
>  		kvfree(sctx->send_buf);
> +		if (sctx->verity_descriptor)
> +			kvfree(sctx->verity_descriptor);

There's no need to check for NULL before calling kvfree().

- Eric
kernel test robot Aug. 3, 2022, 8:07 a.m. UTC | #2
Hi Boris,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on kdave/for-next]
[also build test WARNING on next-20220802]
[cannot apply to fscrypt/fsverity linus/master v5.19]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Boris-Burkov/btrfs-send-add-support-for-fs-verity/20220802-025522
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git for-next
config: loongarch-randconfig-s042-20220803 (https://download.01.org/0day-ci/archive/20220803/202208031528.55Suyci3-lkp@intel.com/config)
compiler: loongarch64-linux-gcc (GCC) 12.1.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.4-39-gce1a6720-dirty
        # https://github.com/intel-lab-lkp/linux/commit/7edb074602581840675f2c1d8fafb6a16f4a1f47
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Boris-Burkov/btrfs-send-add-support-for-fs-verity/20220802-025522
        git checkout 7edb074602581840675f2c1d8fafb6a16f4a1f47
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=loongarch SHELL=/bin/bash fs/btrfs/

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>

sparse warnings: (new ones prefixed by >>)
>> fs/btrfs/send.c:4907:9: sparse: sparse: cast from restricted __le32
   fs/btrfs/send.c: note: in included file (through include/linux/uaccess.h, include/linux/sched/task.h, include/linux/sched/signal.h, ...):
   arch/loongarch/include/asm/uaccess.h:232:32: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void const *from @@     got void const [noderef] __user *from @@
   arch/loongarch/include/asm/uaccess.h:232:32: sparse:     expected void const *from
   arch/loongarch/include/asm/uaccess.h:232:32: sparse:     got void const [noderef] __user *from

vim +4907 fs/btrfs/send.c

  4892	
  4893	#ifdef CONFIG_FS_VERITY
  4894	static int send_verity(struct send_ctx *sctx, struct fs_path *path,
  4895			       struct fsverity_descriptor *desc)
  4896	{
  4897		int ret;
  4898	
  4899		ret = begin_cmd(sctx, BTRFS_SEND_C_ENABLE_VERITY);
  4900		if (ret < 0)
  4901			goto out;
  4902	
  4903		TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path);
  4904		TLV_PUT_U8(sctx, BTRFS_SEND_A_VERITY_ALGORITHM, desc->hash_algorithm);
  4905		TLV_PUT_U32(sctx, BTRFS_SEND_A_VERITY_BLOCK_SIZE, 1U << desc->log_blocksize);
  4906		TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SALT_DATA, desc->salt, desc->salt_size);
> 4907		TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SIG_DATA, desc->signature, (int)desc->sig_size);
  4908	
  4909		ret = send_cmd(sctx);
  4910	
  4911	tlv_put_failure:
  4912	out:
  4913		return ret;
  4914	}
  4915
David Sterba Aug. 4, 2022, 2:25 p.m. UTC | #3
On Tue, Aug 02, 2022 at 01:38:37PM -0700, Eric Biggers wrote:
> On Mon, Aug 01, 2022 at 11:54:40AM -0700, Boris Burkov wrote:
> > +#ifdef CONFIG_FS_VERITY
> > +static int send_verity(struct send_ctx *sctx, struct fs_path *path,
> > +		       struct fsverity_descriptor *desc)
> > +{
> > +	int ret;
> > +
> > +	ret = begin_cmd(sctx, BTRFS_SEND_C_ENABLE_VERITY);
> > +	if (ret < 0)
> > +		goto out;
> > +
> > +	TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path);
> > +	TLV_PUT_U8(sctx, BTRFS_SEND_A_VERITY_ALGORITHM, desc->hash_algorithm);
> > +	TLV_PUT_U32(sctx, BTRFS_SEND_A_VERITY_BLOCK_SIZE, 1U << desc->log_blocksize);
> > +	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SALT_DATA, desc->salt, desc->salt_size);
> > +	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SIG_DATA, desc->signature, (int)desc->sig_size);
> 
> le32_to_cpu(desc->sig_size)

Don't all the members of desc need the le/cpu helpers? The whole
structure is read from disk directly to the memory buffer, there's no
conversion to a cpu-native order structure, so this must be done when
the members are accessed.

While the first four are of type __u8 so there's no endianness
conversion needed, I'd rather do it for clarity that the structure needs
special handling.

> > +	ret = send_cmd(sctx);
> > +
> > +tlv_put_failure:
> > +out:
> > +	return ret;
> > +}
> 
> The 'out' label is unnecessary.

It's a common pattern in send callbacks to have out: label next to
tlv_put_failure.

> > +static int process_new_verity(struct send_ctx *sctx)
> 
> What does "new verity" mean in this context?  The other functions called by
> finish_inode_if_needed() have names like send_chown(), send_chmod(), etc., so
> this name seems inconsistent (although I'm not familiar with this code).

Yeah I think process_verity or process_verity_desc will be better.

> > +	ret = send_verity(sctx, p, sctx->verity_descriptor);
> > +	if (ret < 0)
> > +		goto free_path;
> > +
> > +free_path:
> > +	fs_path_free(p);
> 
> The goto above is unnecessary.
> 
> > +static int process_new_verity(struct send_ctx *sctx)
> > +{
> > +	int ret = 0;
> > +	struct send_ctx tmp;
> > +
> > +	return -EPERM;
> > +	/* avoid unused TLV_PUT_U8 build warning without CONFIG_FS_VERITY */
> > +	TLV_PUT_U8(&tmp, 0, 0);
> > +tlv_put_failure:
> > +	return -EPERM;
> > +}
> > +#endif
> 
> How about adding __maybe_unused to tlv_put_u##bits instead?

Or it could use U16 or U32 type, it's not strictly necessary to use the
same type width as the in-memory structures.
David Sterba Aug. 4, 2022, 2:27 p.m. UTC | #4
On Mon, Aug 01, 2022 at 11:54:40AM -0700, Boris Burkov wrote:
> +static int process_new_verity(struct send_ctx *sctx)
> +{
> +	int ret = 0;
> +	struct btrfs_fs_info *fs_info = sctx->send_root->fs_info;
> +	struct inode *inode;
> +	struct fs_path *p;
> +
> +	inode = btrfs_iget(fs_info->sb, sctx->cur_ino, sctx->send_root);
> +	if (IS_ERR(inode))
> +		return PTR_ERR(inode);
> +
> +	ret = fs_info->sb->s_vop->get_verity_descriptor(inode, NULL, 0);

This is a long way to call btrfs_get_verity_descriptor from
fs/btrfs/verity.c , is there a reason we can't call it directly?

> +	if (ret < 0)
> +		goto iput;
> +
> +	if (ret > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
> +		ret = -EMSGSIZE;
> +		goto iput;
> +	}
> +	if (!sctx->verity_descriptor) {
> +		sctx->verity_descriptor = kvmalloc(FS_VERITY_MAX_DESCRIPTOR_SIZE, GFP_KERNEL);
> +		if (!sctx->verity_descriptor) {
> +			ret = -ENOMEM;
> +			goto iput;
> +		}
> +	}
> +
> +	ret = fs_info->sb->s_vop->get_verity_descriptor(inode, sctx->verity_descriptor, ret);
> +	if (ret < 0)
> +		goto iput;
> +
> +	p = fs_path_alloc();
> +	if (!p) {
> +		ret = -ENOMEM;
> +		goto iput;
> +	}
> +	ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, p);
> +	if (ret < 0)
> +		goto free_path;
> +
> +	ret = send_verity(sctx, p, sctx->verity_descriptor);
> +	if (ret < 0)
> +		goto free_path;
> +
> +free_path:
> +	fs_path_free(p);
> +iput:
> +	iput(inode);
> +	return ret;
> +}
diff mbox series

Patch

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index e7671afcee4f..084f19d39218 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -15,6 +15,7 @@ 
 #include <linux/string.h>
 #include <linux/compat.h>
 #include <linux/crc32c.h>
+#include <linux/fsverity.h>
 
 #include "send.h"
 #include "ctree.h"
@@ -127,6 +128,8 @@  struct send_ctx {
 	bool cur_inode_new_gen;
 	bool cur_inode_deleted;
 	bool ignore_cur_inode;
+	bool cur_inode_needs_verity;
+	void *verity_descriptor;
 
 	u64 send_progress;
 
@@ -624,6 +627,7 @@  static int tlv_put(struct send_ctx *sctx, u16 attr, const void *data, int len)
 		return tlv_put(sctx, attr, &__tmp, sizeof(__tmp));	\
 	}
 
+TLV_PUT_DEFINE_INT(8)
 TLV_PUT_DEFINE_INT(32)
 TLV_PUT_DEFINE_INT(64)
 
@@ -4886,6 +4890,94 @@  static int process_all_new_xattrs(struct send_ctx *sctx)
 	return ret;
 }
 
+#ifdef CONFIG_FS_VERITY
+static int send_verity(struct send_ctx *sctx, struct fs_path *path,
+		       struct fsverity_descriptor *desc)
+{
+	int ret;
+
+	ret = begin_cmd(sctx, BTRFS_SEND_C_ENABLE_VERITY);
+	if (ret < 0)
+		goto out;
+
+	TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path);
+	TLV_PUT_U8(sctx, BTRFS_SEND_A_VERITY_ALGORITHM, desc->hash_algorithm);
+	TLV_PUT_U32(sctx, BTRFS_SEND_A_VERITY_BLOCK_SIZE, 1U << desc->log_blocksize);
+	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SALT_DATA, desc->salt, desc->salt_size);
+	TLV_PUT(sctx, BTRFS_SEND_A_VERITY_SIG_DATA, desc->signature, (int)desc->sig_size);
+
+	ret = send_cmd(sctx);
+
+tlv_put_failure:
+out:
+	return ret;
+}
+
+static int process_new_verity(struct send_ctx *sctx)
+{
+	int ret = 0;
+	struct btrfs_fs_info *fs_info = sctx->send_root->fs_info;
+	struct inode *inode;
+	struct fs_path *p;
+
+	inode = btrfs_iget(fs_info->sb, sctx->cur_ino, sctx->send_root);
+	if (IS_ERR(inode))
+		return PTR_ERR(inode);
+
+	ret = fs_info->sb->s_vop->get_verity_descriptor(inode, NULL, 0);
+	if (ret < 0)
+		goto iput;
+
+	if (ret > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
+		ret = -EMSGSIZE;
+		goto iput;
+	}
+	if (!sctx->verity_descriptor) {
+		sctx->verity_descriptor = kvmalloc(FS_VERITY_MAX_DESCRIPTOR_SIZE, GFP_KERNEL);
+		if (!sctx->verity_descriptor) {
+			ret = -ENOMEM;
+			goto iput;
+		}
+	}
+
+	ret = fs_info->sb->s_vop->get_verity_descriptor(inode, sctx->verity_descriptor, ret);
+	if (ret < 0)
+		goto iput;
+
+	p = fs_path_alloc();
+	if (!p) {
+		ret = -ENOMEM;
+		goto iput;
+	}
+	ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, p);
+	if (ret < 0)
+		goto free_path;
+
+	ret = send_verity(sctx, p, sctx->verity_descriptor);
+	if (ret < 0)
+		goto free_path;
+
+free_path:
+	fs_path_free(p);
+iput:
+	iput(inode);
+	return ret;
+}
+#else
+static int process_new_verity(struct send_ctx *sctx)
+{
+	int ret = 0;
+	struct send_ctx tmp;
+
+	return -EPERM;
+	/* avoid unused TLV_PUT_U8 build warning without CONFIG_FS_VERITY */
+	TLV_PUT_U8(&tmp, 0, 0);
+tlv_put_failure:
+	return -EPERM;
+}
+#endif
+
+
 static inline u64 max_send_read_size(const struct send_ctx *sctx)
 {
 	return sctx->send_max_size - SZ_16K;
@@ -6377,6 +6469,11 @@  static int finish_inode_if_needed(struct send_ctx *sctx, int at_end)
 		if (ret < 0)
 			goto out;
 	}
+	if (sctx->cur_inode_needs_verity) {
+		ret = process_new_verity(sctx);
+		if (ret < 0)
+			goto out;
+	}
 
 	ret = send_capabilities(sctx);
 	if (ret < 0)
@@ -6785,6 +6882,18 @@  static int changed_extent(struct send_ctx *sctx,
 	return ret;
 }
 
+static int changed_verity(struct send_ctx *sctx,
+			  enum btrfs_compare_tree_result result)
+{
+	int ret = 0;
+
+	if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) {
+		if (result == BTRFS_COMPARE_TREE_NEW)
+			sctx->cur_inode_needs_verity = true;
+	}
+	return ret;
+}
+
 static int dir_changed(struct send_ctx *sctx, u64 dir)
 {
 	u64 orig_gen, new_gen;
@@ -6939,6 +7048,9 @@  static int changed_cb(struct btrfs_path *left_path,
 			ret = changed_xattr(sctx, result);
 		else if (key->type == BTRFS_EXTENT_DATA_KEY)
 			ret = changed_extent(sctx, result);
+		else if (key->type == BTRFS_VERITY_DESC_ITEM_KEY &&
+			 key->offset == 0)
+			ret = changed_verity(sctx, result);
 	}
 
 out:
@@ -8036,6 +8148,8 @@  long btrfs_ioctl_send(struct inode *inode, struct btrfs_ioctl_send_args *arg)
 		kvfree(sctx->clone_roots);
 		kfree(sctx->send_buf_pages);
 		kvfree(sctx->send_buf);
+		if (sctx->verity_descriptor)
+			kvfree(sctx->verity_descriptor);
 
 		name_cache_free(sctx);
 
diff --git a/fs/btrfs/send.h b/fs/btrfs/send.h
index 4bb4e6a638cb..0a4537775e0c 100644
--- a/fs/btrfs/send.h
+++ b/fs/btrfs/send.h
@@ -92,8 +92,11 @@  enum btrfs_send_cmd {
 	BTRFS_SEND_C_ENCODED_WRITE	= 25,
 	BTRFS_SEND_C_MAX_V2		= 25,
 
+	/* Version 3 */
+	BTRFS_SEND_C_ENABLE_VERITY	= 26,
+	BTRFS_SEND_C_MAX_V3		= 26,
 	/* End */
-	BTRFS_SEND_C_MAX		= 25,
+	BTRFS_SEND_C_MAX		= 26,
 };
 
 /* attributes in send stream */
@@ -160,8 +163,14 @@  enum {
 	BTRFS_SEND_A_ENCRYPTION		= 31,
 	BTRFS_SEND_A_MAX_V2		= 31,
 
-	/* End */
-	BTRFS_SEND_A_MAX		= 31,
+	/* Version 3 */
+	BTRFS_SEND_A_VERITY_ALGORITHM	= 32,
+	BTRFS_SEND_A_VERITY_BLOCK_SIZE	= 33,
+	BTRFS_SEND_A_VERITY_SALT_DATA	= 34,
+	BTRFS_SEND_A_VERITY_SIG_DATA	= 35,
+	BTRFS_SEND_A_MAX_V3		= 35,
+
+	__BTRFS_SEND_A_MAX		= 35,
 };
 
 long btrfs_ioctl_send(struct inode *inode, struct btrfs_ioctl_send_args *arg);
diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h
index 629785c95007..dbe1ce5b450a 100644
--- a/fs/verity/fsverity_private.h
+++ b/fs/verity/fsverity_private.h
@@ -70,8 +70,6 @@  struct fsverity_info {
 	const struct inode *inode;
 };
 
-/* Arbitrary limit to bound the kmalloc() size.  Can be changed. */
-#define FS_VERITY_MAX_DESCRIPTOR_SIZE	16384
 
 #define FS_VERITY_MAX_SIGNATURE_SIZE	(FS_VERITY_MAX_DESCRIPTOR_SIZE - \
 					 sizeof(struct fsverity_descriptor))
diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h
index 7af030fa3c36..40f14e5fed9d 100644
--- a/include/linux/fsverity.h
+++ b/include/linux/fsverity.h
@@ -22,6 +22,9 @@ 
  */
 #define FS_VERITY_MAX_DIGEST_SIZE	SHA512_DIGEST_SIZE
 
+/* Arbitrary limit to bound the kmalloc() size.  Can be changed. */
+#define FS_VERITY_MAX_DESCRIPTOR_SIZE	16384
+
 /* Verity operations for filesystems */
 struct fsverity_operations {