Re: [PATCH 13/29] xfs: add fs-verity support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-03-29 17:39:27, Darrick J. Wong wrote:
> From: Andrey Albershteyn <aalbersh@xxxxxxxxxx>
> 
> Add integration with fs-verity. The XFS store fs-verity metadata in
> the extended file attributes. The metadata consist of verity
> descriptor and Merkle tree blocks.
> 
> The descriptor is stored under "vdesc" extended attribute. The
> Merkle tree blocks are stored under binary indexes which are offsets
> into the Merkle tree.
> 
> When fs-verity is enabled on an inode, the XFS_IVERITY_CONSTRUCTION
> flag is set meaning that the Merkle tree is being build. The
> initialization ends with storing of verity descriptor and setting
> inode on-disk flag (XFS_DIFLAG2_VERITY).
> 
> The verification on read is done in read path of iomap.
> 
> Signed-off-by: Andrey Albershteyn <aalbersh@xxxxxxxxxx>
> Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> [djwong: replace caching implementation with an xarray, other cleanups]
> Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> ---
>  fs/xfs/Makefile               |    2 
>  fs/xfs/libxfs/xfs_attr.c      |   41 +++
>  fs/xfs/libxfs/xfs_attr.h      |    1 
>  fs/xfs/libxfs/xfs_da_format.h |   14 +
>  fs/xfs/libxfs/xfs_ondisk.h    |    3 
>  fs/xfs/libxfs/xfs_verity.c    |   58 ++++
>  fs/xfs/libxfs/xfs_verity.h    |   13 +
>  fs/xfs/xfs_fsverity.c         |  559 +++++++++++++++++++++++++++++++++++++++++
>  fs/xfs/xfs_fsverity.h         |   20 +
>  fs/xfs/xfs_icache.c           |    4 
>  fs/xfs/xfs_inode.h            |    5 
>  fs/xfs/xfs_super.c            |   17 +
>  fs/xfs/xfs_trace.h            |   32 ++
>  13 files changed, 769 insertions(+)
>  create mode 100644 fs/xfs/libxfs/xfs_verity.c
>  create mode 100644 fs/xfs/libxfs/xfs_verity.h
>  create mode 100644 fs/xfs/xfs_fsverity.c
>  create mode 100644 fs/xfs/xfs_fsverity.h
> 
> 
> diff --git a/fs/xfs/Makefile b/fs/xfs/Makefile
> index 702f2ddc918a1..a4b2f54914a87 100644
> --- a/fs/xfs/Makefile
> +++ b/fs/xfs/Makefile
> @@ -57,6 +57,7 @@ xfs-y				+= $(addprefix libxfs/, \
>  				   xfs_trans_resv.o \
>  				   xfs_trans_space.o \
>  				   xfs_types.o \
> +				   xfs_verity.o \
>  				   )
>  # xfs_rtbitmap is shared with libxfs
>  xfs-$(CONFIG_XFS_RT)		+= $(addprefix libxfs/, \
> @@ -142,6 +143,7 @@ xfs-$(CONFIG_XFS_POSIX_ACL)	+= xfs_acl.o
>  xfs-$(CONFIG_SYSCTL)		+= xfs_sysctl.o
>  xfs-$(CONFIG_COMPAT)		+= xfs_ioctl32.o
>  xfs-$(CONFIG_EXPORTFS_BLOCK_OPS)	+= xfs_pnfs.o
> +xfs-$(CONFIG_FS_VERITY)		+= xfs_fsverity.o
>  
>  # notify failure
>  ifeq ($(CONFIG_MEMORY_FAILURE),y)
> diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
> index 931ec563a7460..c3f686411e378 100644
> --- a/fs/xfs/libxfs/xfs_attr.c
> +++ b/fs/xfs/libxfs/xfs_attr.c
> @@ -27,6 +27,7 @@
>  #include "xfs_attr_item.h"
>  #include "xfs_xattr.h"
>  #include "xfs_parent.h"
> +#include "xfs_verity.h"
>  
>  struct kmem_cache		*xfs_attr_intent_cache;
>  
> @@ -1262,6 +1263,43 @@ xfs_attr_removename(
>  	goto out_unlock;
>  }
>  
> +/*
> + * Retrieve the value stored in the xattr structure under @args->name.
> + *
> + * The caller must have initialized @args and must not hold any ILOCKs.
> + *
> + * Returns -ENOATTR if the name did not already exist.
> + */
> +int
> +xfs_attr_getname(
> +	struct xfs_da_args	*args)
> +{
> +	unsigned int		lock_mode;
> +	int			error;
> +
> +	ASSERT(!args->trans);
> +
> +	error = xfs_trans_alloc_empty(args->dp->i_mount, &args->trans);
> +	if (error)
> +		return error;
> +
> +	lock_mode = xfs_ilock_attr_map_shared(args->dp);
> +
> +	/* Make sure the attr fork iext tree is loaded */
> +	if (xfs_inode_hasattr(args->dp)) {
> +		error = xfs_iread_extents(args->trans, args->dp, XFS_ATTR_FORK);
> +		if (error)
> +			goto out_unlock;
> +	}
> +
> +	error = xfs_attr_get_ilocked(args);
> +out_unlock:
> +	xfs_iunlock(args->dp, lock_mode);
> +	xfs_trans_cancel(args->trans);
> +	args->trans = NULL;
> +	return error;
> +}
> +
>  /*========================================================================
>   * External routines when attribute list is inside the inode
>   *========================================================================*/
> @@ -1743,6 +1781,9 @@ xfs_attr_namecheck(
>  	if (!xfs_attr_check_namespace(attr_flags))
>  		return false;
>  
> +	if (attr_flags & XFS_ATTR_VERITY)
> +		return xfs_verity_namecheck(attr_flags, name, length);
> +
>  	/*
>  	 * MAXNAMELEN includes the trailing null, but (name/length) leave it
>  	 * out, so use >= for the length check.
> diff --git a/fs/xfs/libxfs/xfs_attr.h b/fs/xfs/libxfs/xfs_attr.h
> index 958bb9e41ddb3..3e43d715bcdd2 100644
> --- a/fs/xfs/libxfs/xfs_attr.h
> +++ b/fs/xfs/libxfs/xfs_attr.h
> @@ -561,6 +561,7 @@ void xfs_init_attr_trans(struct xfs_da_args *args, struct xfs_trans_res *tres,
>  
>  int xfs_attr_setname(struct xfs_da_args *args, bool rsvd);
>  int xfs_attr_removename(struct xfs_da_args *args, bool rsvd);
> +int xfs_attr_getname(struct xfs_da_args *args);
>  
>  /*
>   * Check to see if the attr should be upgraded from non-existent or shortform to
> diff --git a/fs/xfs/libxfs/xfs_da_format.h b/fs/xfs/libxfs/xfs_da_format.h
> index 8cbda181c2f48..679cf5b4ad4be 100644
> --- a/fs/xfs/libxfs/xfs_da_format.h
> +++ b/fs/xfs/libxfs/xfs_da_format.h
> @@ -922,4 +922,18 @@ struct xfs_parent_rec {
>  	__be32	p_gen;
>  } __packed;
>  
> +/*
> + * fs-verity attribute name format
> + *
> + * Merkle tree blocks are stored under extended attributes of the inode. The
> + * name of the attributes are byte offsets into merkle tree.
> + */
> +struct xfs_merkle_key {
> +	__be64	mk_offset;
> +};
> +
> +/* ondisk xattr name used for the fsverity descriptor */
> +#define XFS_VERITY_DESCRIPTOR_NAME	"vdesc"
> +#define XFS_VERITY_DESCRIPTOR_NAME_LEN	(sizeof(XFS_VERITY_DESCRIPTOR_NAME) - 1)
> +
>  #endif /* __XFS_DA_FORMAT_H__ */
> diff --git a/fs/xfs/libxfs/xfs_ondisk.h b/fs/xfs/libxfs/xfs_ondisk.h
> index d46352d60d645..e927bb778ffdc 100644
> --- a/fs/xfs/libxfs/xfs_ondisk.h
> +++ b/fs/xfs/libxfs/xfs_ondisk.h
> @@ -208,6 +208,9 @@ xfs_check_ondisk_structs(void)
>  	XFS_CHECK_VALUE(XFS_DQ_BIGTIME_EXPIRY_MAX << XFS_DQ_BIGTIME_SHIFT,
>  			16299260424LL);
>  
> +	/* fs-verity xattrs */
> +	XFS_CHECK_STRUCT_SIZE(struct xfs_merkle_key,		8);
> +	XFS_CHECK_VALUE(sizeof(XFS_VERITY_DESCRIPTOR_NAME),	6);
>  }
>  
>  #endif /* __XFS_ONDISK_H */
> diff --git a/fs/xfs/libxfs/xfs_verity.c b/fs/xfs/libxfs/xfs_verity.c
> new file mode 100644
> index 0000000000000..bda38b3c19698
> --- /dev/null
> +++ b/fs/xfs/libxfs/xfs_verity.c
> @@ -0,0 +1,58 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2023 Red Hat, Inc.
> + */
> +#include "xfs.h"
> +#include "xfs_shared.h"
> +#include "xfs_format.h"
> +#include "xfs_da_format.h"
> +#include "xfs_da_btree.h"
> +#include "xfs_trans_resv.h"
> +#include "xfs_mount.h"
> +#include "xfs_inode.h"
> +#include "xfs_log_format.h"
> +#include "xfs_attr.h"
> +#include "xfs_verity.h"
> +
> +/* Set a merkle tree offset in preparation for setting merkle tree attrs. */
> +void
> +xfs_merkle_key_to_disk(
> +	struct xfs_merkle_key	*key,
> +	uint64_t		offset)
> +{
> +	key->mk_offset = cpu_to_be64(offset);
> +}
> +
> +/* Retrieve the merkle tree offset from the attr data. */
> +uint64_t
> +xfs_merkle_key_from_disk(
> +	const void		*attr_name,
> +	int			namelen)
> +{
> +	const struct xfs_merkle_key *key = attr_name;
> +
> +	ASSERT(namelen == sizeof(struct xfs_merkle_key));
> +
> +	return be64_to_cpu(key->mk_offset);
> +}
> +
> +/* Return true if verity attr name is valid. */
> +bool
> +xfs_verity_namecheck(
> +	unsigned int		attr_flags,
> +	const void		*name,
> +	int			namelen)
> +{
> +	if (!(attr_flags & XFS_ATTR_VERITY))
> +		return false;
> +
> +	/*
> +	 * Merkle tree pages are stored under u64 indexes; verity descriptor
> +	 * blocks are held in a named attribute.
> +	 */
> +	if (namelen != sizeof(struct xfs_merkle_key) &&
> +	    namelen != XFS_VERITY_DESCRIPTOR_NAME_LEN)
> +		return false;
> +
> +	return true;
> +}
> diff --git a/fs/xfs/libxfs/xfs_verity.h b/fs/xfs/libxfs/xfs_verity.h
> new file mode 100644
> index 0000000000000..c01cc0678bc04
> --- /dev/null
> +++ b/fs/xfs/libxfs/xfs_verity.h
> @@ -0,0 +1,13 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2022 Red Hat, Inc.
> + */
> +#ifndef __XFS_VERITY_H__
> +#define __XFS_VERITY_H__
> +
> +void xfs_merkle_key_to_disk(struct xfs_merkle_key *key, uint64_t offset);
> +uint64_t xfs_merkle_key_from_disk(const void *attr_name, int namelen);
> +bool xfs_verity_namecheck(unsigned int attr_flags, const void *name,
> +		int namelen);
> +
> +#endif	/* __XFS_VERITY_H__ */
> diff --git a/fs/xfs/xfs_fsverity.c b/fs/xfs/xfs_fsverity.c
> new file mode 100644
> index 0000000000000..a4a52575fb3d5
> --- /dev/null
> +++ b/fs/xfs/xfs_fsverity.c
> @@ -0,0 +1,559 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2023 Red Hat, Inc.
> + */
> +#include "xfs.h"
> +#include "xfs_shared.h"
> +#include "xfs_format.h"
> +#include "xfs_da_format.h"
> +#include "xfs_da_btree.h"
> +#include "xfs_trans_resv.h"
> +#include "xfs_mount.h"
> +#include "xfs_inode.h"
> +#include "xfs_log_format.h"
> +#include "xfs_attr.h"
> +#include "xfs_verity.h"
> +#include "xfs_bmap_util.h"
> +#include "xfs_log_format.h"
> +#include "xfs_trans.h"
> +#include "xfs_attr_leaf.h"
> +#include "xfs_trace.h"
> +#include "xfs_quota.h"
> +#include "xfs_fsverity.h"
> +#include <linux/fsverity.h>
> +
> +/*
> + * Merkle Tree Block Cache
> + * =======================
> + *
> + * fsverity requires that the filesystem implement caching of ondisk merkle
> + * tree blocks.  XFS stores merkle tree blocks in the extended attribute data,
> + * which makes it important to keep copies in memory for as long as possible.
> + * This is performed by allocating the data blob structure defined below,
> + * passing the data portion of the blob to xfs_attr_get, and later adding the
> + * data blob to an xarray embedded in the xfs_inode structure.
> + *
> + * The xarray structure indexes merkle tree blocks by the offset given to us by
> + * fsverity, which drastically reduces lookups.  First, it eliminating the need
> + * to walk the xattr structure to find the remote block containing the merkle
> + * tree block.  Second, access to each block in the xattr structure requires a
> + * lookup in the incore extent btree.
> + */
> +struct xfs_merkle_blob {
> +	/* refcount of this item; the cache holds its own ref */
> +	refcount_t		refcount;
> +
> +	unsigned long		flags;
> +
> +	/* Pointer to the merkle tree block, which is power-of-2 sized */
> +	void			*data;
> +};
> +
> +#define XFS_MERKLE_BLOB_VERIFIED_BIT	(0) /* fsverity validated this */
> +
> +/*
> + * Allocate a merkle tree blob object to prepare for reading a merkle tree
> + * object from disk.
> + */
> +static inline struct xfs_merkle_blob *
> +xfs_merkle_blob_alloc(
> +	unsigned int		blocksize)
> +{
> +	struct xfs_merkle_blob	*mk;
> +
> +	mk = kmalloc(sizeof(struct xfs_merkle_blob), GFP_KERNEL);
> +	if (!mk)
> +		return NULL;
> +
> +	mk->data = kvzalloc(blocksize, GFP_KERNEL);
> +	if (!mk->data) {
> +		kfree(mk);
> +		return NULL;
> +	}
> +
> +	/* Caller owns this refcount. */
> +	refcount_set(&mk->refcount, 1);
> +	mk->flags = 0;
> +	return mk;
> +}
> +
> +/* Free a merkle tree blob. */
> +static inline void
> +xfs_merkle_blob_rele(
> +	struct xfs_merkle_blob	*mk)
> +{
> +	if (refcount_dec_and_test(&mk->refcount)) {
> +		kvfree(mk->data);
> +		kfree(mk);
> +	}
> +}
> +
> +/* Initialize the merkle tree block cache */
> +void
> +xfs_fsverity_cache_init(
> +	struct xfs_inode	*ip)
> +{
> +	xa_init(&ip->i_merkle_blocks);
> +}
> +
> +/*
> + * Drop all the merkle tree blocks out of the cache.  Caller must ensure that
> + * there are no active references to cache items.
> + */
> +void
> +xfs_fsverity_cache_drop(
> +	struct xfs_inode	*ip)
> +{
> +	XA_STATE(xas, &ip->i_merkle_blocks, 0);
> +	struct xfs_merkle_blob	*mk;
> +	unsigned long		flags;
> +
> +	xas_lock_irqsave(&xas, flags);
> +	xas_for_each(&xas, mk, ULONG_MAX) {
> +		ASSERT(refcount_read(&mk->refcount) == 1);
> +
> +		trace_xfs_fsverity_cache_drop(ip, xas.xa_index, _RET_IP_);
> +
> +		xas_store(&xas, NULL);
> +		xfs_merkle_blob_rele(mk);
> +	}
> +	xas_unlock_irqrestore(&xas, flags);
> +}
> +
> +/* Destroy the merkle tree block cache */
> +void
> +xfs_fsverity_cache_destroy(
> +	struct xfs_inode	*ip)
> +{
> +	ASSERT(xa_empty(&ip->i_merkle_blocks));
> +
> +	/*
> +	 * xa_destroy calls xas_lock from rcu freeing softirq context, so
> +	 * we must use xa*_lock_irqsave.
> +	 */
> +	xa_destroy(&ip->i_merkle_blocks);
> +}
> +
> +/* Return a cached merkle tree block, or NULL. */
> +static struct xfs_merkle_blob *
> +xfs_fsverity_cache_load(
> +	struct xfs_inode	*ip,
> +	unsigned long		key)
> +{
> +	XA_STATE(xas, &ip->i_merkle_blocks, key);
> +	struct xfs_merkle_blob	*mk;
> +
> +	/* Look up the cached item and try to get an active ref. */
> +	rcu_read_lock();
> +	do {
> +		mk = xas_load(&xas);
> +		if (xa_is_zero(mk))
> +			mk = NULL;
> +	} while (xas_retry(&xas, mk) ||
> +		 (mk && !refcount_inc_not_zero(&mk->refcount)));
> +	rcu_read_unlock();
> +
> +	if (!mk)
> +		return NULL;
> +
> +	trace_xfs_fsverity_cache_load(ip, key, _RET_IP_);
> +	return mk;
> +}
> +
> +/*
> + * Try to store a merkle tree block in the cache with the given key.
> + *
> + * If the merkle tree block is not already in the cache, the given block @mk
> + * will be added to the cache and returned.  The caller retains its active
> + * reference to @mk.
> + *
> + * If there was already a merkle block in the cache, it will be returned to
> + * the caller with an active reference.  @mk will be untouched.
> + */
> +static struct xfs_merkle_blob *
> +xfs_fsverity_cache_store(
> +	struct xfs_inode	*ip,
> +	unsigned long		key,
> +	struct xfs_merkle_blob	*mk)
> +{
> +	struct xfs_merkle_blob	*old;
> +	unsigned long		flags;
> +
> +	trace_xfs_fsverity_cache_store(ip, key, _RET_IP_);
> +
> +	/*
> +	 * Either replace a NULL entry with mk, or take an active ref to
> +	 * whatever's currently there.
> +	 */
> +	xa_lock_irqsave(&ip->i_merkle_blocks, flags);
> +	do {
> +		old = __xa_cmpxchg(&ip->i_merkle_blocks, key, NULL, mk,
> +				GFP_KERNEL);
> +	} while (old && !refcount_inc_not_zero(&old->refcount));
> +	xa_unlock_irqrestore(&ip->i_merkle_blocks, flags);
> +
> +	if (old == NULL) {
> +		/*
> +		 * There was no previous value.  @mk is now live in the cache.
> +		 * Bump the active refcount to transfer ownership to the cache
> +		 * and return @mk to the caller.
> +		 */
> +		refcount_inc(&mk->refcount);
> +		return mk;
> +	}
> +
> +	/*
> +	 * We obtained an active reference to a previous value in the cache.
> +	 * Return it to the caller.
> +	 */
> +	return old;
> +}
> +
> +/*
> + * Initialize an args structure to load or store the fsverity descriptor.
> + * Caller must ensure @args is zeroed except for value and valuelen.
> + */
> +static inline void
> +xfs_fsverity_init_vdesc_args(
> +	struct xfs_inode	*ip,
> +	struct xfs_da_args	*args)
> +{
> +	args->geo = ip->i_mount->m_attr_geo;
> +	args->whichfork = XFS_ATTR_FORK,
> +	args->attr_filter = XFS_ATTR_VERITY;
> +	args->op_flags = XFS_DA_OP_OKNOENT;
> +	args->dp = ip;
> +	args->owner = ip->i_ino;
> +	args->name = XFS_VERITY_DESCRIPTOR_NAME;
> +	args->namelen = XFS_VERITY_DESCRIPTOR_NAME_LEN;
> +	xfs_attr_sethash(args);
> +}
> +
> +/*
> + * Initialize an args structure to load or store a merkle tree block.
> + * Caller must ensure @args is zeroed except for value and valuelen.
> + */
> +static inline void
> +xfs_fsverity_init_merkle_args(
> +	struct xfs_inode	*ip,
> +	struct xfs_merkle_key	*key,
> +	uint64_t		merkleoff,
> +	struct xfs_da_args	*args)
> +{
> +	xfs_merkle_key_to_disk(key, merkleoff);
> +	args->geo = ip->i_mount->m_attr_geo;
> +	args->whichfork = XFS_ATTR_FORK,
> +	args->attr_filter = XFS_ATTR_VERITY;
> +	args->op_flags = XFS_DA_OP_OKNOENT;
> +	args->dp = ip;
> +	args->owner = ip->i_ino;
> +	args->name = (const uint8_t *)key;
> +	args->namelen = sizeof(struct xfs_merkle_key);
> +	xfs_attr_sethash(args);
> +}
> +
> +/* Delete the verity descriptor. */
> +static int
> +xfs_fsverity_delete_descriptor(
> +	struct xfs_inode	*ip)
> +{
> +	struct xfs_da_args	args = { };
> +
> +	xfs_fsverity_init_vdesc_args(ip, &args);
> +	return xfs_attr_removename(&args, false);
> +}
> +
> +/* Delete a merkle tree block. */
> +static int
> +xfs_fsverity_delete_merkle_block(
> +	struct xfs_inode	*ip,
> +	u64			offset)
> +{
> +	struct xfs_merkle_key	name;
> +	struct xfs_da_args	args = { };
> +
> +	xfs_fsverity_init_merkle_args(ip, &name, offset, &args);
> +	return xfs_attr_removename(&args, false);
> +}
> +
> +/* Retrieve the verity descriptor. */
> +static int
> +xfs_fsverity_get_descriptor(
> +	struct inode		*inode,
> +	void			*buf,
> +	size_t			buf_size)
> +{
> +	struct xfs_inode	*ip = XFS_I(inode);
> +	struct xfs_da_args	args = {
> +		.value		= buf,
> +		.valuelen	= buf_size,
> +	};
> +	int			error = 0;
> +
> +	/*
> +	 * The fact that (returned attribute size) == (provided buf_size) is
> +	 * checked by xfs_attr_copy_value() (returns -ERANGE).  No descriptor
> +	 * is treated as a short read so that common fsverity code will
> +	 * complain.
> +	 */
> +	xfs_fsverity_init_vdesc_args(ip, &args);
> +	error = xfs_attr_getname(&args);
> +	if (error == -ENOATTR)
> +		return 0;
> +	if (error)
> +		return error;
> +
> +	return args.valuelen;
> +}
> +
> +/*
> + * Clear out old fsverity metadata before we start building a new one.  This
> + * could happen if, say, we crashed while building fsverity data.
> + */
> +static int
> +xfs_fsverity_delete_stale_metadata(
> +	struct xfs_inode	*ip,
> +	u64			new_tree_size,
> +	unsigned int		tree_blocksize)
> +{
> +	u64			offset;
> +	int			error = 0;
> +
> +	/*
> +	 * Delete as many merkle tree blocks in increasing blkno order until we
> +	 * don't find any more.  That ought to be good enough for avoiding
> +	 * dead bloat without excessive runtime.
> +	 */
> +	for (offset = new_tree_size; !error; offset += tree_blocksize) {
> +		if (fatal_signal_pending(current))
> +			return -EINTR;
> +		error = xfs_fsverity_delete_merkle_block(ip, offset);
> +		if (error)
> +			break;
> +	}
> +
> +	return error != -ENOATTR ? error : 0;
> +}
> +
> +/* Prepare to enable fsverity by clearing old metadata. */
> +static int
> +xfs_fsverity_begin_enable(
> +	struct file		*filp,
> +	u64			merkle_tree_size,
> +	unsigned int		tree_blocksize)
> +{
> +	struct inode		*inode = file_inode(filp);
> +	struct xfs_inode	*ip = XFS_I(inode);
> +	int			error;
> +
> +	xfs_assert_ilocked(ip, XFS_IOLOCK_EXCL);
> +
> +	if (IS_DAX(inode))
> +		return -EINVAL;
> +
> +	if (xfs_iflags_test_and_set(ip, XFS_VERITY_CONSTRUCTION))
> +		return -EBUSY;
> +
> +	error = xfs_qm_dqattach(ip);
> +	if (error)
> +		return error;
> +
> +	return xfs_fsverity_delete_stale_metadata(ip, merkle_tree_size,
> +			tree_blocksize);
> +}
> +
> +/* Try to remove all the fsverity metadata after a failed enablement. */
> +static int
> +xfs_fsverity_delete_metadata(
> +	struct xfs_inode	*ip,
> +	u64			merkle_tree_size,
> +	unsigned int		tree_blocksize)
> +{
> +	u64			offset;
> +	int			error;
> +
> +	if (!merkle_tree_size)
> +		return 0;
> +
> +	for (offset = 0; offset < merkle_tree_size; offset += tree_blocksize) {
> +		if (fatal_signal_pending(current))
> +			return -EINTR;
> +		error = xfs_fsverity_delete_merkle_block(ip, offset);
> +		if (error == -ENOATTR)
> +			error = 0;
> +		if (error)
> +			return error;
> +	}
> +
> +	error = xfs_fsverity_delete_descriptor(ip);
> +	return error != -ENOATTR ? error : 0;
> +}
> +
> +/* Complete (or fail) the process of enabling fsverity. */
> +static int
> +xfs_fsverity_end_enable(
> +	struct file		*filp,
> +	const void		*desc,
> +	size_t			desc_size,
> +	u64			merkle_tree_size,
> +	unsigned int		tree_blocksize)
> +{
> +	struct xfs_da_args	args = {
> +		.value		= (void *)desc,
> +		.valuelen	= desc_size,
> +	};
> +	struct inode		*inode = file_inode(filp);
> +	struct xfs_inode	*ip = XFS_I(inode);
> +	struct xfs_mount	*mp = ip->i_mount;
> +	struct xfs_trans	*tp;
> +	int			error = 0;
> +
> +	xfs_assert_ilocked(ip, XFS_IOLOCK_EXCL);
> +
> +	/* fs-verity failed, just cleanup */
> +	if (desc == NULL)
> +		goto out;
> +
> +	xfs_fsverity_init_vdesc_args(ip, &args);
> +	error = xfs_attr_setname(&args, false);
> +	if (error)
> +		goto out;
> +
> +	/* Set fsverity inode flag */
> +	error = xfs_trans_alloc_inode(ip, &M_RES(mp)->tr_ichange,
> +			0, 0, false, &tp);
> +	if (error)
> +		goto out;
> +
> +	/*
> +	 * Ensure that we've persisted the verity information before we enable
> +	 * it on the inode and tell the caller we have sealed the inode.
> +	 */
> +	ip->i_diflags2 |= XFS_DIFLAG2_VERITY;
> +
> +	xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
> +	xfs_trans_set_sync(tp);
> +
> +	error = xfs_trans_commit(tp);
> +	xfs_iunlock(ip, XFS_ILOCK_EXCL);
> +
> +	if (!error)
> +		inode->i_flags |= S_VERITY;
> +
> +out:
> +	if (error) {
> +		int	error2;
> +
> +		error2 = xfs_fsverity_delete_metadata(ip,
> +				merkle_tree_size, tree_blocksize);
> +		if (error2)
> +			xfs_alert(ip->i_mount,
> + "ino 0x%llx failed to clean up new fsverity metadata, err %d",
> +					ip->i_ino, error2);
> +	}
> +
> +	xfs_iflags_clear(ip, XFS_VERITY_CONSTRUCTION);
> +	return error;
> +}
> +
> +/* Retrieve a merkle tree block. */
> +static int
> +xfs_fsverity_read_merkle(
> +	const struct fsverity_readmerkle *req,
> +	struct fsverity_blockbuf	*block)
> +{
> +	struct xfs_inode		*ip = XFS_I(req->inode);
> +	struct xfs_merkle_key		name;
> +	struct xfs_da_args		args = {
> +		.valuelen		= block->size,
> +	};
> +	struct xfs_merkle_blob		*mk, *new_mk;
> +	unsigned long			key = block->offset >> req->log_blocksize;
> +	int				error;
> +
> +	ASSERT(block->offset >> req->log_blocksize <= ULONG_MAX);
> +
> +	/* Is the block already cached? */
> +	mk = xfs_fsverity_cache_load(ip, key);
> +	if (mk)
> +		goto out_hit;
> +
> +	new_mk = xfs_merkle_blob_alloc(block->size);
> +	if (!new_mk)
> +		return -ENOMEM;
> +	args.value = new_mk->data;
> +
> +	/* Read the block in from disk and try to store it in the cache. */
> +	xfs_fsverity_init_merkle_args(ip, &name, block->offset, &args);
> +	error = xfs_attr_getname(&args);
> +	if (error)
> +		goto out_new_mk;
> +
> +	if (!args.valuelen) {
> +		error = -ENODATA;
> +		goto out_new_mk;
> +	}
> +
> +	mk = xfs_fsverity_cache_store(ip, key, new_mk);
> +	if (mk != new_mk) {
> +		/*
> +		 * We raced with another thread to populate the cache and lost.
> +		 * Free the new cache blob and continue with the existing one.
> +		 */
> +		xfs_merkle_blob_rele(new_mk);
> +	}
> +
> +out_hit:
> +	block->kaddr   = (void *)mk->data;
> +	block->context = mk;
> +	block->verified = test_bit(XFS_MERKLE_BLOB_VERIFIED_BIT, &mk->flags);
> +
> +	return 0;
> +
> +out_new_mk:
> +	xfs_merkle_blob_rele(new_mk);
> +	return error;
> +}
> +
> +/* Write a merkle tree block. */
> +static int
> +xfs_fsverity_write_merkle(
> +	const struct fsverity_writemerkle *req,
> +	const void			*buf,
> +	u64				pos,
> +	unsigned int			size)
> +{
> +	struct inode			*inode = req->inode;
> +	struct xfs_inode		*ip = XFS_I(inode);
> +	struct xfs_merkle_key		name;
> +	struct xfs_da_args		args = {
> +		.value			= (void *)buf,
> +		.valuelen		= size,
> +	};
> +
> +	xfs_fsverity_init_merkle_args(ip, &name, pos, &args);
> +	return xfs_attr_setname(&args, false);
> +}
> +
> +/* Drop a cached merkle tree block.. */
> +static void
> +xfs_fsverity_drop_merkle(
> +	struct fsverity_blockbuf	*block)
> +{
> +	struct xfs_merkle_blob		*mk = block->context;
> +
> +	if (block->verified)
> +		set_bit(XFS_MERKLE_BLOB_VERIFIED_BIT, &mk->flags);
> +	xfs_merkle_blob_rele(mk);
> +	block->kaddr = NULL;
> +	block->context = NULL;
> +}
> +
> +const struct fsverity_operations xfs_fsverity_ops = {
> +	.begin_enable_verity		= xfs_fsverity_begin_enable,
> +	.end_enable_verity		= xfs_fsverity_end_enable,
> +	.get_verity_descriptor		= xfs_fsverity_get_descriptor,
> +	.read_merkle_tree_block		= xfs_fsverity_read_merkle,
> +	.write_merkle_tree_block	= xfs_fsverity_write_merkle,
> +	.drop_merkle_tree_block		= xfs_fsverity_drop_merkle,
> +};
> diff --git a/fs/xfs/xfs_fsverity.h b/fs/xfs/xfs_fsverity.h
> new file mode 100644
> index 0000000000000..277a9f856f518
> --- /dev/null
> +++ b/fs/xfs/xfs_fsverity.h
> @@ -0,0 +1,20 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2022 Red Hat, Inc.
> + */
> +#ifndef __XFS_FSVERITY_H__
> +#define __XFS_FSVERITY_H__
> +
> +#ifdef CONFIG_FS_VERITY
> +void xfs_fsverity_cache_init(struct xfs_inode *ip);
> +void xfs_fsverity_cache_drop(struct xfs_inode *ip);
> +void xfs_fsverity_cache_destroy(struct xfs_inode *ip);
> +
> +extern const struct fsverity_operations xfs_fsverity_ops;
> +#else
> +# define xfs_fsverity_cache_init(ip)		((void)0)
> +# define xfs_fsverity_cache_drop(ip)		((void)0)
> +# define xfs_fsverity_cache_destroy(ip)		((void)0)
> +#endif	/* CONFIG_FS_VERITY */
> +
> +#endif	/* __XFS_FSVERITY_H__ */
> diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
> index 01bbdbec6663f..0757062c318d0 100644
> --- a/fs/xfs/xfs_icache.c
> +++ b/fs/xfs/xfs_icache.c
> @@ -28,6 +28,7 @@
>  #include "xfs_da_format.h"
>  #include "xfs_dir2.h"
>  #include "xfs_imeta.h"
> +#include "xfs_fsverity.h"
>  
>  #include <linux/iversion.h>
>  
> @@ -118,6 +119,7 @@ xfs_inode_alloc(
>  	spin_lock_init(&ip->i_ioend_lock);
>  	ip->i_next_unlinked = NULLAGINO;
>  	ip->i_prev_unlinked = 0;
> +	xfs_fsverity_cache_init(ip);
>  
>  	return ip;
>  }
> @@ -129,6 +131,8 @@ xfs_inode_free_callback(
>  	struct inode		*inode = container_of(head, struct inode, i_rcu);
>  	struct xfs_inode	*ip = XFS_I(inode);
>  
> +	xfs_fsverity_cache_destroy(ip);
> +
>  	switch (VFS_I(ip)->i_mode & S_IFMT) {
>  	case S_IFREG:
>  	case S_IFDIR:
> diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h
> index 5a202706fc4a4..70c5700132b3e 100644
> --- a/fs/xfs/xfs_inode.h
> +++ b/fs/xfs/xfs_inode.h
> @@ -96,6 +96,9 @@ typedef struct xfs_inode {
>  	spinlock_t		i_ioend_lock;
>  	struct work_struct	i_ioend_work;
>  	struct list_head	i_ioend_list;
> +#ifdef CONFIG_FS_VERITY
> +	struct xarray		i_merkle_blocks;
> +#endif

So, is this fine like this or do you plan to change it to per-ag
mapping? I suppose Christoph against adding it to inodes [1]

[1]: https://lore.kernel.org/linux-xfs/ZfecSzBoVDW5328l@xxxxxxxxxxxxx/

>  } xfs_inode_t;
>  
>  static inline bool xfs_inode_on_unlinked_list(const struct xfs_inode *ip)
> @@ -391,6 +394,8 @@ static inline bool xfs_inode_needs_cow_around(struct xfs_inode *ip)
>   */
>  #define XFS_IREMAPPING		(1U << 15)
>  
> +#define XFS_VERITY_CONSTRUCTION	(1U << 16) /* merkle tree construction */
> +
>  /* All inode state flags related to inode reclaim. */
>  #define XFS_ALL_IRECLAIM_FLAGS	(XFS_IRECLAIMABLE | \
>  				 XFS_IRECLAIM | \
> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
> index 42a1e1f23d3b3..4e398884c46ae 100644
> --- a/fs/xfs/xfs_super.c
> +++ b/fs/xfs/xfs_super.c
> @@ -30,6 +30,7 @@
>  #include "xfs_filestream.h"
>  #include "xfs_quota.h"
>  #include "xfs_sysfs.h"
> +#include "xfs_fsverity.h"
>  #include "xfs_ondisk.h"
>  #include "xfs_rmap_item.h"
>  #include "xfs_refcount_item.h"
> @@ -53,6 +54,7 @@
>  #include <linux/fs_context.h>
>  #include <linux/fs_parser.h>
>  #include <linux/fsverity.h>
> +#include <linux/iomap.h>
>  
>  static const struct super_operations xfs_super_operations;
>  
> @@ -672,6 +674,8 @@ xfs_fs_destroy_inode(
>  	ASSERT(!rwsem_is_locked(&inode->i_rwsem));
>  	XFS_STATS_INC(ip->i_mount, vn_rele);
>  	XFS_STATS_INC(ip->i_mount, vn_remove);
> +	if (fsverity_active(inode))
> +		xfs_fsverity_cache_drop(ip);
>  	fsverity_cleanup_inode(inode);
>  	xfs_inode_mark_reclaimable(ip);
>  }
> @@ -1534,6 +1538,9 @@ xfs_fs_fill_super(
>  	sb->s_quota_types = QTYPE_MASK_USR | QTYPE_MASK_GRP | QTYPE_MASK_PRJ;
>  #endif
>  	sb->s_op = &xfs_super_operations;
> +#ifdef CONFIG_FS_VERITY
> +	sb->s_vop = &xfs_fsverity_ops;
> +#endif
>  
>  	/*
>  	 * Delay mount work if the debug hook is set. This is debug
> @@ -1775,10 +1782,20 @@ xfs_fs_fill_super(
>  		xfs_warn(mp,
>  	"EXPERIMENTAL parent pointer feature enabled. Use at your own risk!");
>  
> +	if (xfs_has_verity(mp))
> +		xfs_alert(mp,
> +	"EXPERIMENTAL fsverity feature in use. Use at your own risk!");
> +
>  	error = xfs_mountfs(mp);
>  	if (error)
>  		goto out_filestream_unmount;
>  
> +#ifdef CONFIG_FS_VERITY
> +	error = iomap_init_fsverity(mp->m_super);
> +	if (error)
> +		goto out_unmount;
> +#endif
> +
>  	root = igrab(VFS_I(mp->m_rootip));
>  	if (!root) {
>  		error = -ENOENT;
> diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
> index e2992b0115ad2..86a8702c1e27c 100644
> --- a/fs/xfs/xfs_trace.h
> +++ b/fs/xfs/xfs_trace.h
> @@ -5908,6 +5908,38 @@ TRACE_EVENT(xfs_growfs_check_rtgeom,
>  );
>  #endif /* CONFIG_XFS_RT */
>  
> +#ifdef CONFIG_FS_VERITY
> +DECLARE_EVENT_CLASS(xfs_fsverity_cache_class,
> +	TP_PROTO(struct xfs_inode *ip, unsigned long key, unsigned long caller_ip),
> +	TP_ARGS(ip, key, caller_ip),
> +	TP_STRUCT__entry(
> +		__field(dev_t, dev)
> +		__field(xfs_ino_t, ino)
> +		__field(unsigned long, key)
> +		__field(void *, caller_ip)
> +	),
> +	TP_fast_assign(
> +		__entry->dev = ip->i_mount->m_super->s_dev;
> +		__entry->ino = ip->i_ino;
> +		__entry->key = key;
> +		__entry->caller_ip = (void *)caller_ip;
> +	),
> +	TP_printk("dev %d:%d ino 0x%llx key 0x%lx caller %pS",
> +		  MAJOR(__entry->dev), MINOR(__entry->dev),
> +		  __entry->ino,
> +		  __entry->key,
> +		  __entry->caller_ip)
> +)
> +
> +#define DEFINE_XFS_FSVERITY_CACHE_EVENT(name) \
> +DEFINE_EVENT(xfs_fsverity_cache_class, name, \
> +	TP_PROTO(struct xfs_inode *ip, unsigned long key, unsigned long caller_ip), \
> +	TP_ARGS(ip, key, caller_ip))
> +DEFINE_XFS_FSVERITY_CACHE_EVENT(xfs_fsverity_cache_load);
> +DEFINE_XFS_FSVERITY_CACHE_EVENT(xfs_fsverity_cache_store);
> +DEFINE_XFS_FSVERITY_CACHE_EVENT(xfs_fsverity_cache_drop);
> +#endif /* CONFIG_XFS_VERITY */
> +
>  #endif /* _TRACE_XFS_H */
>  
>  #undef TRACE_INCLUDE_PATH
> 

-- 
- Andrey





[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux