ANDROID: Incremental fs: Add FS_IOC_MEASURE_VERITY
Add ioctl to return the verity file digest, compatible with the identical
ioctl in fs/verity/.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I1bc2dc975b9be122e1c831a25a1d44f27a360f3c
diff --git a/fs/incfs/verity.c b/fs/incfs/verity.c
index 54930c7..3d801ee 100644
--- a/fs/incfs/verity.c
+++ b/fs/incfs/verity.c
@@ -460,3 +460,38 @@ int incfs_fsverity_file_open(struct inode *inode, struct file *filp)
return 0;
}
+
+int incfs_ioctl_measure_verity(struct file *filp, void __user *_uarg)
+{
+ struct inode *inode = file_inode(filp);
+ struct mem_range verity_file_digest = incfs_get_verity_digest(inode);
+ struct fsverity_digest __user *uarg = _uarg;
+ struct fsverity_digest arg;
+
+ if (!verity_file_digest.data || !verity_file_digest.len)
+ return -ENODATA; /* not a verity file */
+
+ /*
+ * The user specifies the digest_size their buffer has space for; we can
+ * return the digest if it fits in the available space. We write back
+ * the actual size, which may be shorter than the user-specified size.
+ */
+
+ if (get_user(arg.digest_size, &uarg->digest_size))
+ return -EFAULT;
+ if (arg.digest_size < verity_file_digest.len)
+ return -EOVERFLOW;
+
+ memset(&arg, 0, sizeof(arg));
+ arg.digest_algorithm = FS_VERITY_HASH_ALG_SHA256;
+ arg.digest_size = verity_file_digest.len;
+
+ if (copy_to_user(uarg, &arg, sizeof(arg)))
+ return -EFAULT;
+
+ if (copy_to_user(uarg->digest, verity_file_digest.data,
+ verity_file_digest.len))
+ return -EFAULT;
+
+ return 0;
+}
diff --git a/fs/incfs/verity.h b/fs/incfs/verity.h
index b569ff42..3ba2306 100644
--- a/fs/incfs/verity.h
+++ b/fs/incfs/verity.h
@@ -12,6 +12,7 @@
#ifdef CONFIG_FS_VERITY
int incfs_ioctl_enable_verity(struct file *filp, const void __user *uarg);
+int incfs_ioctl_measure_verity(struct file *filp, void __user *_uarg);
int incfs_fsverity_file_open(struct inode *inode, struct file *filp);
@@ -23,6 +24,12 @@ static inline int incfs_ioctl_enable_verity(struct file *filp,
return -EOPNOTSUPP;
}
+static inline int incfs_ioctl_measure_verity(struct file *filp,
+ void __user *_uarg)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int incfs_fsverity_file_open(struct inode *inode,
struct file *filp)
{
diff --git a/fs/incfs/vfs.c b/fs/incfs/vfs.c
index 31cdb9d..72754fa 100644
--- a/fs/incfs/vfs.c
+++ b/fs/incfs/vfs.c
@@ -848,6 +848,8 @@ static long dispatch_ioctl(struct file *f, unsigned int req, unsigned long arg)
return incfs_ioctl_enable_verity(f, (const void __user *)arg);
case FS_IOC_GETFLAGS:
return incfs_ioctl_get_flags(f, (void __user *) arg);
+ case FS_IOC_MEASURE_VERITY:
+ return incfs_ioctl_measure_verity(f, (void __user *)arg);
default:
return -EINVAL;
}
@@ -866,6 +868,7 @@ static long incfs_compat_ioctl(struct file *file, unsigned int cmd,
case INCFS_IOC_GET_FILLED_BLOCKS:
case INCFS_IOC_GET_BLOCK_COUNT:
case FS_IOC_ENABLE_VERITY:
+ case FS_IOC_MEASURE_VERITY:
break;
default:
return -ENOIOCTLCMD;
diff --git a/tools/testing/selftests/filesystems/incfs/incfs_test.c b/tools/testing/selftests/filesystems/incfs/incfs_test.c
index a138a0b..0a86d9a 100644
--- a/tools/testing/selftests/filesystems/incfs/incfs_test.c
+++ b/tools/testing/selftests/filesystems/incfs/incfs_test.c
@@ -3859,16 +3859,24 @@ static int validate_verity(const char *mount_dir, struct test_file *file)
char *filename = concat_file_name(mount_dir, file->name);
int fd = -1;
uint64_t flags;
+ struct fsverity_digest *digest;
+ TEST(digest = malloc(sizeof(struct fsverity_digest) +
+ INCFS_MAX_HASH_SIZE), digest != NULL);
TEST(filename = concat_file_name(mount_dir, file->name), filename);
TEST(fd = open(filename, O_RDONLY | O_CLOEXEC), fd != -1);
TESTEQUAL(ioctl(fd, FS_IOC_GETFLAGS, &flags), 0);
TESTEQUAL(flags & FS_VERITY_FL, FS_VERITY_FL);
+ digest->digest_size = INCFS_MAX_HASH_SIZE;
+ TESTEQUAL(ioctl(fd, FS_IOC_MEASURE_VERITY, digest), 0);
+ TESTEQUAL(digest->digest_algorithm, FS_VERITY_HASH_ALG_SHA256);
+ TESTEQUAL(digest->digest_size, 32);
result = TEST_SUCCESS;
out:
close(fd);
free(filename);
+ free(digest);
return result;
}