• Eric Biggers's avatar
    fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl · e17fe657
    Eric Biggers authored
    Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
    metadata from a file that has fs-verity enabled, including:
    
    - The Merkle tree
    - The fsverity_descriptor (not including the signature if present)
    - The built-in signature, if present
    
    This ioctl has similar semantics to pread().  It is passed the type of
    metadata to read (one of the above three), and a buffer, offset, and
    size.  It returns the number of bytes read or an error.
    
    Separate patches will add support for each of the above metadata types.
    This patch just adds the ioctl itself.
    
    This ioctl doesn't make any assumption about where the metadata is
    stored on-disk.  It does assume the metadata is in a stable format, but
    that's basically already the case:
    
    - The Merkle tree and fsverity_descriptor are defined by how fs-verity
      file digests are computed; see the "File digest computation" section
      of Documentation/filesystems/fsverity.rst.  Technically, the way in
      which the levels of the tree are ordered relative to each other wasn't
      previously specified, but it's logical to put the root level first.
    
    - The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
    
    This ioctl is useful because it allows writing a server program that
    takes a verity file and serves it to a client program, such that the
    client can do its own fs-verity compatible verification of the file.
    This only makes sense if the client doesn't trust the server and if the
    server needs to provide the storage for the client.
    
    More concretely, there is interest in using this ability in Android to
    export APK files (which are protected by fs-verity) to "protected VMs".
    This would use Protected KVM (https://lwn.net/Articles/836693), which
    provides an isolated execution environment without having to trust the
    traditional "host".  A "guest" VM can boot from a signed image and
    perform specific tasks in a minimum trusted environment using files that
    have fs-verity enabled on the host, without trusting the host or
    requiring that the guest has its own trusted storage.
    
    Technically, it would be possible to duplicate the metadata and store it
    in separate files for serving.  However, that would be less efficient
    and would require extra care in userspace to maintain file consistency.
    
    In addition to the above, the ability to read the built-in signatures is
    useful because it allows a system that is using the in-kernel signature
    verification to migrate to userspace signature verification.
    
    Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.orgReviewed-by: default avatarVictor Hsieh <victorhsieh@google.com>
    Acked-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    e17fe657
file.c 107 KB