diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index 65d6c6344d281daf91397f8b1a7493d6ac39c838..c31bc50d79b95d8b82aa9c3c301c6fa3c2c9769b 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1021,8 +1021,8 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio) static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx) { - return fsverity_active(inode) && (idx < - DIV_ROUND_UP(fsverity_get_verified_data_size(inode), PAGE_SIZE)); + return fsverity_active(inode) && + idx < DIV_ROUND_UP(inode->i_size, PAGE_SIZE); } static struct bio *f2fs_grab_read_bio(struct inode *inode, block_t blkaddr, diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index e3ffe09ce39c62a476e546ba9f78c723fd4c667e..d56fcace182119702dc44044ac1bb3bf7a247bef 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -3358,7 +3358,7 @@ static int f2fs_ioc_resize_fs(struct file *filp, unsigned long arg) return f2fs_resize_fs(sbi, block_count); } -static inline int f2fs_has_feature_verity(struct file *filp) +static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) { struct inode *inode = file_inode(filp); @@ -3370,29 +3370,10 @@ static inline int f2fs_has_feature_verity(struct file *filp) inode->i_ino); return -EOPNOTSUPP; } - return 0; -} - -static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) -{ - int err = f2fs_has_feature_verity(filp); - - if (err) - return err; return fsverity_ioctl_enable(filp, (const void __user *)arg); } -static int f2fs_ioc_enable_code_sign(struct file *filp, unsigned long arg) -{ - int err = f2fs_has_feature_verity(filp); - - if (err) - return err; - - return fsverity_ioctl_enable_code_sign(filp, (const void __user *)arg); -} - static int f2fs_ioc_measure_verity(struct file *filp, unsigned long arg) { if (!f2fs_sb_has_verity(F2FS_I_SB(file_inode(filp)))) @@ -4059,8 +4040,6 @@ static long __f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) return f2fs_ioc_enable_verity(filp, arg); case FS_IOC_MEASURE_VERITY: return f2fs_ioc_measure_verity(filp, arg); - case FS_IOC_ENABLE_CODE_SIGN: - return f2fs_ioc_enable_code_sign(filp, arg); case FS_IOC_GETFSLABEL: return f2fs_ioc_getfslabel(filp, arg); case FS_IOC_SETFSLABEL: @@ -4310,7 +4289,6 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) case F2FS_IOC_RESIZE_FS: case FS_IOC_ENABLE_VERITY: case FS_IOC_MEASURE_VERITY: - case FS_IOC_ENABLE_CODE_SIGN: case FS_IOC_GETFSLABEL: case FS_IOC_SETFSLABEL: case F2FS_IOC_GET_COMPRESS_BLOCKS: diff --git a/fs/verity/enable.c b/fs/verity/enable.c index a74b107dc87ef9c1bc7650ce5afa8b1cea0716a3..734862e608fd3d0a96c7f03ca564c5cfd763ac45 100644 --- a/fs/verity/enable.c +++ b/fs/verity/enable.c @@ -14,33 +14,6 @@ #include #include -static int check_file_and_enable_verity(struct file *filp, - const struct fsverity_enable_arg *arg); - -#ifdef CONFIG_SECURITY_CODE_SIGN - -static int code_sign_init_descriptor(struct inode *inode, - const struct fsverity_enable_arg *_arg, struct fsverity_descriptor *_desc); - -static int code_sign_copy_merkle_tree(struct file *filp, const void *_desc, - const struct merkle_tree_params *params); - -#else /* !CONFIG_SECURITY_CODE_SIGN */ - -static inline int code_sign_init_descriptor(struct inode *inode, - const struct fsverity_enable_arg *_arg, struct fsverity_descriptor *_desc) -{ - return 0; -} - -static int code_sign_copy_merkle_tree(struct file *filp, - const void *_desc, - const struct merkle_tree_params *params) -{ - return 0; -} -#endif /* !CONFIG_SECURITY_CODE_SIGN */ - /* * Read a file data page for Merkle tree construction. Do aggressive readahead, * since we're sequentially reading the entire file. @@ -177,8 +150,7 @@ static int build_merkle_tree_level(struct file *filp, unsigned int level, */ static int build_merkle_tree(struct file *filp, const struct merkle_tree_params *params, - u8 *root_hash, - size_t data_size) + u8 *root_hash) { struct inode *inode = file_inode(filp); u8 *pending_hashes; @@ -187,7 +159,7 @@ static int build_merkle_tree(struct file *filp, unsigned int level; int err = -ENOMEM; - if (data_size == 0) { + if (inode->i_size == 0) { /* Empty file is a special case; root hash is all 0's */ memset(root_hash, 0, params->digest_size); return 0; @@ -205,7 +177,7 @@ static int build_merkle_tree(struct file *filp, * (level 0) and ascending to the root node (level 'num_levels - 1'). * Then at the end (level 'num_levels'), calculate the root hash. */ - blocks = ((u64)data_size + params->block_size - 1) >> + blocks = ((u64)inode->i_size + params->block_size - 1) >> params->log_blocksize; for (level = 0; level <= params->num_levels; level++) { err = build_merkle_tree_level(filp, level, blocks, params, @@ -227,8 +199,11 @@ static int enable_verity(struct file *filp, const struct fsverity_enable_arg *arg) { struct inode *inode = file_inode(filp); + const struct fsverity_operations *vops = inode->i_sb->s_vop; + struct merkle_tree_params params = { }; struct fsverity_descriptor *desc; size_t desc_size = sizeof(*desc) + arg->sig_size; + struct fsverity_info *vi; int err; /* Start initializing the fsverity_descriptor */ @@ -259,34 +234,11 @@ static int enable_verity(struct file *filp, desc->data_size = cpu_to_le64(inode->i_size); - err = code_sign_init_descriptor(inode, arg, desc); - if (err) { - fsverity_err(inode, "Init code sign descriptor err: %u", err); - goto out; - } - - err = fsverity_enable_with_descriptor(filp, (void *)desc, desc_size); -out: - kfree(desc); - return err; -} - -int fsverity_enable_with_descriptor(struct file *filp, - void *_desc, size_t desc_size) -{ - struct inode *inode = file_inode(filp); - const struct fsverity_operations *vops = inode->i_sb->s_vop; - struct merkle_tree_params params = { }; - struct fsverity_descriptor *desc = (struct fsverity_descriptor *)_desc; - struct fsverity_info *vi; - int err; - /* Prepare the Merkle tree parameters */ err = fsverity_init_merkle_tree_params(¶ms, inode, - desc->hash_algorithm, + arg->hash_algorithm, desc->log_blocksize, - desc->salt, desc->salt_size, - desc->data_size); + desc->salt, desc->salt_size); if (err) goto out; @@ -303,13 +255,6 @@ int fsverity_enable_with_descriptor(struct file *filp, if (err) goto out; - err = code_sign_copy_merkle_tree(filp, _desc, ¶ms); - if (err < 0) { - fsverity_err(inode, "Error %d copying Merkle tree", err); - goto rollback; - } else if (err == 1) /* already copy merkle tree */ - goto skip_build; - /* * Build the Merkle tree. Don't hold the inode lock during this, since * on huge files this may take a very long time and we don't want to @@ -321,13 +266,11 @@ int fsverity_enable_with_descriptor(struct file *filp, */ pr_debug("Building Merkle tree...\n"); BUILD_BUG_ON(sizeof(desc->root_hash) < FS_VERITY_MAX_DIGEST_SIZE); - err = build_merkle_tree(filp, ¶ms, desc->root_hash, desc->data_size); + err = build_merkle_tree(filp, ¶ms, desc->root_hash); if (err) { fsverity_err(inode, "Error %d building Merkle tree", err); goto rollback; } - -skip_build: pr_debug("Done building Merkle tree. Root hash is %s:%*phN\n", params.hash_alg->name, params.digest_size, desc->root_hash); @@ -344,9 +287,9 @@ int fsverity_enable_with_descriptor(struct file *filp, goto rollback; } - if (desc->sig_size) + if (arg->sig_size) pr_debug("Storing a %u-byte PKCS#7 signature alongside the file\n", - desc->sig_size); + arg->sig_size); /* * Tell the filesystem to finish enabling verity on the file. @@ -374,6 +317,7 @@ int fsverity_enable_with_descriptor(struct file *filp, } out: kfree(params.hashstate); + kfree(desc); return err; rollback: @@ -382,7 +326,6 @@ int fsverity_enable_with_descriptor(struct file *filp, inode_unlock(inode); goto out; } -EXPORT_SYMBOL_GPL(fsverity_enable_with_descriptor); /** * fsverity_ioctl_enable() - enable verity on a file @@ -398,6 +341,7 @@ int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) { struct inode *inode = file_inode(filp); struct fsverity_enable_arg arg; + int err; if (copy_from_user(&arg, uarg, sizeof(arg))) return -EFAULT; @@ -418,15 +362,6 @@ int fsverity_ioctl_enable(struct file *filp, const void __user *uarg) if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) return -EMSGSIZE; - return check_file_and_enable_verity(filp, &arg); -} -EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); - -static int check_file_and_enable_verity(struct file *filp, - const struct fsverity_enable_arg *arg) -{ - struct inode *inode = file_inode(filp); - int err; /* * Require a regular file with write access. But the actual fd must * still be readonly so that we can lock out all writers. This is @@ -455,7 +390,7 @@ static int check_file_and_enable_verity(struct file *filp, if (err) /* -ETXTBSY */ goto out_drop_write; - err = enable_verity(filp, arg); + err = enable_verity(filp, &arg); if (err) goto out_allow_write_access; @@ -480,152 +415,4 @@ static int check_file_and_enable_verity(struct file *filp, mnt_drop_write_file(filp); return err; } - -#ifdef CONFIG_SECURITY_CODE_SIGN -static int code_sign_copy_merkle_tree(struct file *filp, - const void *_desc, - const struct merkle_tree_params *params) -{ - struct inode *inode = file_inode(filp); - const struct fsverity_operations *vops = inode->i_sb->s_vop; - u8 *tree_data; - u64 blocks, i; - int err = -ENOMEM; - struct file_ra_state ra = { 0 }; - struct page *src_page; - void *addr; - u64 tree_offset, tree_start_index; - - if (!is_inside_tree_compact(_desc)) - return 0; - - tree_offset = get_tree_offset_compact(_desc); - - if (inode->i_size < tree_offset + params->tree_size) { - fsverity_err(inode, "File is too small to contain Merkle tree."); - return -EFAULT; - } - - tree_data = kmalloc(PAGE_SIZE, GFP_KERNEL); - if (!tree_data) - goto out; - - file_ra_state_init(&ra, filp->f_mapping); - - tree_start_index = tree_offset >> PAGE_SHIFT; - blocks = params->tree_size >> PAGE_SHIFT; - for (i = 0; i < blocks; i++) { - pr_debug("Copy Merkle tree page at %d\n", tree_start_index + i); - src_page = read_file_data_page(filp, tree_start_index + i, &ra, - blocks - i); - if (IS_ERR(src_page)) { - err = PTR_ERR(src_page); - fsverity_err(inode, - "Error %d reading Merkle tree page %llu", - err, tree_start_index + i); - goto out; - } - - addr = kmap_atomic(src_page); - memcpy(tree_data, addr, PAGE_SIZE); - kunmap_atomic(addr); - put_page(src_page); - err = vops->write_merkle_tree_block(inode, tree_data, i, - params->log_blocksize); - if (err) { - fsverity_err(inode, - "Error %d writing Merkle tree block %llu", - err, i); - goto out; - } - } - /* already copy merkle tree */ - err = 1; -out: - kfree(tree_data); - return err; -} - -static int code_sign_init_descriptor(struct inode *inode, - const struct fsverity_enable_arg *_arg, - struct fsverity_descriptor *_desc) -{ - struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc); - const struct code_sign_enable_arg *arg = (const struct code_sign_enable_arg *)_arg; - int algo_index; - - if (!arg->cs_version) - return 0; - - /* init extended fields */ - desc->flags = cpu_to_le32(arg->flags); - desc->data_size = cpu_to_le64(arg->data_size); - desc->tree_offset = cpu_to_le64(arg->tree_offset); - desc->cs_version = arg->cs_version; - - /* Get root hash if a Merkle tree carried in file */ - if (!IS_INSIDE_TREE(desc)) - return 0; - - /* Get size of root hash */ - algo_index = desc->hash_algorithm; - if (algo_index >= g_fsverity_hash_algs_num || - !fsverity_hash_algs[algo_index].name) { - fsverity_err(inode, "Unknown hash algorithm: %u", algo_index); - return -EINVAL; - } - - if (copy_from_user(desc->root_hash, u64_to_user_ptr(arg->root_hash_ptr), - fsverity_hash_algs[algo_index].digest_size)) { - return -EFAULT; - } - - return 0; -} - -/** - * fsverity_ioctl_enable_code_sign() - enable code signing on a file - * @filp: file to enable code signing on - * @uarg: user pointer to code_sign_enable_arg - * - * Enable fs-verity on a file with code signing features. - * - * Return: 0 on success, -errno on failure - */ -int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg) -{ - struct inode *inode = file_inode(filp); - struct code_sign_enable_arg arg; - - if (copy_from_user(&arg, uarg, sizeof(arg))) - return -EFAULT; - - if (arg.version != 1) - return -EINVAL; - - if (arg.cs_version != 1) - return -EINVAL; - - if (arg.__reserved1 || - memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) - return -EINVAL; - - if (arg.data_size > inode->i_size) - return -EINVAL; - - if (arg.tree_offset % PAGE_SIZE != 0) - return -EINVAL; - - if (arg.block_size != PAGE_SIZE) - return -EINVAL; - - if (arg.salt_size > sizeof_field(struct code_sign_descriptor, salt)) - return -EMSGSIZE; - - if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) - return -EMSGSIZE; - - return check_file_and_enable_verity(filp, (struct fsverity_enable_arg *)&arg); -} -EXPORT_SYMBOL_GPL(fsverity_ioctl_enable_code_sign); -#endif /* CONFIG_SECURITY_CODE_SIGN */ +EXPORT_SYMBOL_GPL(fsverity_ioctl_enable); diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h index 6c329093327798b8f26af2ad3d72f7a566d7ad3f..e96d99d5145e1da25fe07f9e26650d57df28b2b6 100644 --- a/fs/verity/fsverity_private.h +++ b/fs/verity/fsverity_private.h @@ -17,7 +17,6 @@ #include #include #include -#include struct ahash_request; @@ -76,9 +75,6 @@ struct fsverity_info { u8 root_hash[FS_VERITY_MAX_DIGEST_SIZE]; u8 measurement[FS_VERITY_MAX_DIGEST_SIZE]; const struct inode *inode; -#ifdef CONFIG_SECURITY_CODE_SIGN - u64 verified_data_size; -#endif }; /* @@ -121,8 +117,6 @@ struct fsverity_signed_digest { extern struct fsverity_hash_alg fsverity_hash_algs[]; -extern int g_fsverity_hash_algs_num; - struct fsverity_hash_alg *fsverity_get_hash_alg(const struct inode *inode, unsigned int num); struct ahash_request *fsverity_alloc_hash_request(struct fsverity_hash_alg *alg, @@ -155,8 +149,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params, const struct inode *inode, unsigned int hash_algorithm, unsigned int log_blocksize, - const u8 *salt, size_t salt_size, - u64 data_size); + const u8 *salt, size_t salt_size); struct fsverity_info *fsverity_create_info(const struct inode *inode, void *desc, size_t desc_size); diff --git a/fs/verity/hash_algs.c b/fs/verity/hash_algs.c index 488d392b3cc4e5afdb716d9a597a6d47fe37eba0..c37e186ebeb6c455db68c6580a889d4378161fd7 100644 --- a/fs/verity/hash_algs.c +++ b/fs/verity/hash_algs.c @@ -24,8 +24,6 @@ struct fsverity_hash_alg fsverity_hash_algs[] = { }, }; -int g_fsverity_hash_algs_num = ARRAY_SIZE(fsverity_hash_algs); - static DEFINE_MUTEX(fsverity_hash_alg_init_mutex); /** diff --git a/fs/verity/open.c b/fs/verity/open.c index feae1845c9ddcf7627a5814d720817643b0de9c3..67d71f7b1b48350562f79f6a239b7cb95cdc7906 100644 --- a/fs/verity/open.c +++ b/fs/verity/open.c @@ -19,7 +19,6 @@ static struct kmem_cache *fsverity_info_cachep; * @log_blocksize: log base 2 of block size to use * @salt: pointer to salt (optional) * @salt_size: size of salt, possibly 0 - * @data_size: verified data size * * Validate the hash algorithm and block size, then compute the tree topology * (num levels, num blocks in each level, etc.) and initialize @params. @@ -30,8 +29,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params, const struct inode *inode, unsigned int hash_algorithm, unsigned int log_blocksize, - const u8 *salt, size_t salt_size, - u64 data_size) + const u8 *salt, size_t salt_size) { struct fsverity_hash_alg *hash_alg; int err; @@ -91,8 +89,8 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params, */ /* Compute number of levels and the number of blocks in each level */ - blocks = ((u64)data_size + params->block_size - 1) >> params->log_blocksize; - pr_debug("Data is %lld bytes (%llu blocks)\n", data_size, blocks); + blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize; + pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks); while (blocks > 1) { if (params->num_levels >= FS_VERITY_MAX_LEVELS) { fsverity_err(inode, "Too many levels in Merkle tree"); @@ -134,13 +132,11 @@ static int compute_file_measurement(struct fsverity_hash_alg *hash_alg, u8 *measurement) { __le32 sig_size = desc->sig_size; - int err, cs_version; + int err; - cs_version = code_sign_before_measurement_hook(desc); desc->sig_size = 0; err = fsverity_hash_buffer(hash_alg, desc, sizeof(*desc), measurement); desc->sig_size = sig_size; - code_sign_after_measurement_hook(desc, cs_version); return err; } @@ -162,13 +158,6 @@ struct fsverity_info *fsverity_create_info(const struct inode *inode, return ERR_PTR(-EINVAL); } - err = code_sign_check_descriptor_hook(inode, _desc); - if (err < 0) { - fsverity_err(inode, "Invalid code sign descriptor."); - return ERR_PTR(err); - } else if (err == 1) - goto skip_part_check; - if (desc->version != 1) { fsverity_err(inode, "Unrecognized descriptor version: %u", desc->version); @@ -192,21 +181,15 @@ struct fsverity_info *fsverity_create_info(const struct inode *inode, return ERR_PTR(-EINVAL); } -skip_part_check: vi = kmem_cache_zalloc(fsverity_info_cachep, GFP_KERNEL); if (!vi) return ERR_PTR(-ENOMEM); vi->inode = inode; -#ifdef CONFIG_SECURITY_CODE_SIGN - vi->verified_data_size = le64_to_cpu(desc->data_size); -#endif - err = fsverity_init_merkle_tree_params(&vi->tree_params, inode, desc->hash_algorithm, desc->log_blocksize, - desc->salt, desc->salt_size, - le64_to_cpu(desc->data_size)); + desc->salt, desc->salt_size); if (err) { fsverity_err(inode, "Error %d initializing Merkle tree parameters", diff --git a/fs/verity/verify.c b/fs/verity/verify.c index e77c8b374139a7d2f6f5f565096eab24f800177b..a8b68c6f663d123c18ae1238dd3b1186ae846968 100644 --- a/fs/verity/verify.c +++ b/fs/verity/verify.c @@ -103,13 +103,6 @@ static bool verify_page(struct inode *inode, const struct fsverity_info *vi, pr_debug_ratelimited("Verifying data page %lu...\n", index); -#ifdef CONFIG_SECURITY_CODE_SIGN - if (index > (vi->verified_data_size >> PAGE_SHIFT)) { - pr_debug_ratelimited("Data out of verity range %lu\n", - vi->verified_data_size >> PAGE_SHIFT); - return true; - } -#endif /* * Starting at the leaf level, ascend the tree saving hash pages along * the way until we find a verified hash page, indicated by PageChecked; @@ -271,23 +264,6 @@ void fsverity_verify_bio(struct bio *bio) EXPORT_SYMBOL_GPL(fsverity_verify_bio); #endif /* CONFIG_BLOCK */ - -/** - * fsverity_get_verified_data_size() - get verified data size of a verity file - * @inode: the file's inode - * - * Return: verified data size - */ -u64 fsverity_get_verified_data_size(const struct inode *inode) -{ -#ifdef CONFIG_SECURITY_CODE_SIGN - return fsverity_get_info(inode)->verified_data_size; -#else - return inode->i_size; -#endif -} - - /** * fsverity_enqueue_verify_work() - enqueue work on the fs-verity workqueue * @work: the work to enqueue diff --git a/include/linux/code_sign.h b/include/linux/code_sign.h deleted file mode 100644 index c2264a1d6c37494cf03478097d2e600d5f7a11da..0000000000000000000000000000000000000000 --- a/include/linux/code_sign.h +++ /dev/null @@ -1,72 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* - * Copyright (c) 2023 Huawei Device Co., Ltd. - */ - -#ifndef LINUX_INCLUDE_CODE_SIGN_H -#define LINUX_INCLUDE_CODE_SIGN_H - -#include - -/* - * Merkle tree properties. The file measurement is the hash of this structure - * excluding the signature and with the sig_size field set to 0, while version - * is replaced by code sign version. - */ -struct code_sign_descriptor { - __u8 version; /* must be 1 */ - __u8 hash_algorithm; /* Merkle tree hash algorithm */ - __u8 log_blocksize; /* log2 of size of data and tree blocks */ - __u8 salt_size; /* size of salt in bytes; 0 if none */ - __le32 sig_size; /* size of signature in bytes; 0 if none */ - __le64 data_size; /* size of file the Merkle tree is built over */ - __u8 root_hash[64]; /* Merkle tree root hash */ - __u8 salt[32]; /* salt prepended to each hashed block */ - __u32 flags; - __u32 __reserved1; /* must be 0 */ - __u64 tree_offset; /* merkle tree offset in file */ - __u8 __reserved2[127]; /* must be 0's */ - __u8 cs_version; /* code sign version */ - __u8 signature[]; /* optional PKCS#7 signature */ -}; - -#define FLAG_INSIDE_TREE (1 << 0) /* Merkle tree in file */ -#define IS_INSIDE_TREE(desc) ((desc)->flags & FLAG_INSIDE_TREE) - -#define CONST_CAST_CODE_SIGN_DESC(desc) ((const struct code_sign_descriptor *)(desc)) -#define CAST_CODE_SIGN_DESC(desc) ((struct code_sign_descriptor *)(desc)) - -static inline u64 get_tree_offset_compact(const void *desc) -{ - return CONST_CAST_CODE_SIGN_DESC(desc)->tree_offset; -} - -static inline bool is_inside_tree_compact(const void *_desc) -{ - const struct code_sign_descriptor *desc = CONST_CAST_CODE_SIGN_DESC(_desc); - - return desc->cs_version && IS_INSIDE_TREE(desc); -} - -static inline int code_sign_check_descriptor_hook(const struct inode *inode, const void *desc) -{ - int ret = 0; - - CALL_HCK_LITE_HOOK(code_sign_check_descriptor_lhck, inode, desc, &ret); - return ret; -} - -static inline int code_sign_before_measurement_hook(void *desc) -{ - int ret = 0; - - CALL_HCK_LITE_HOOK(code_sign_before_measurement_lhck, desc, &ret); - return ret; -} - -static inline void code_sign_after_measurement_hook(void *desc, int version) -{ - CALL_HCK_LITE_HOOK(code_sign_after_measurement_lhck, desc, version); -} - -#endif /* LINUX_INCLUDE_CODE_SIGN_H */ diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h index 713cd5df939497594350675145e66c08f029e8bc..c1144a4503920933cf13908c43d6882e8cf310e9 100644 --- a/include/linux/fsverity.h +++ b/include/linux/fsverity.h @@ -127,8 +127,6 @@ static inline struct fsverity_info *fsverity_get_info(const struct inode *inode) /* enable.c */ int fsverity_ioctl_enable(struct file *filp, const void __user *arg); -int fsverity_enable_with_descriptor(struct file *filp, - void *desc, size_t desc_size); /* measure.c */ @@ -145,7 +143,6 @@ void fsverity_cleanup_inode(struct inode *inode); bool fsverity_verify_page(struct page *page); void fsverity_verify_bio(struct bio *bio); void fsverity_enqueue_verify_work(struct work_struct *work); -u64 fsverity_get_verified_data_size(const struct inode *inode); #else /* !CONFIG_FS_VERITY */ @@ -162,12 +159,6 @@ static inline int fsverity_ioctl_enable(struct file *filp, return -EOPNOTSUPP; } -static inline int fsverity_enable_with_descriptor(struct file *filp, - void *desc, size_t desc_size) -{ - return -EOPNOTSUPP; -} - /* measure.c */ static inline int fsverity_ioctl_measure(struct file *filp, void __user *arg) @@ -210,29 +201,8 @@ static inline void fsverity_enqueue_verify_work(struct work_struct *work) WARN_ON(1); } -static inline u64 fsverity_get_verified_data_size(const struct inode *inode) -{ - WARN_ON(1); - return inode->i_size; -} - #endif /* !CONFIG_FS_VERITY */ -#ifdef CONFIG_SECURITY_CODE_SIGN - -/* enable.c */ - -int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg); - -#else /* !CONFIG_SECURITY_CODE_SIGN */ - -static inline int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg) -{ - return -EOPNOTSUPP; -} - -#endif /* !CONFIG_SECURITY_CODE_SIGN */ - /** * fsverity_active() - do reads from the inode need to go through fs-verity? * @inode: inode to check diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h index 13d139fc5d6b64a446aeae3b0b2c4769938693e4..dc82ab61ad6d9571d3449ed0cce92ea6b46e582e 100644 --- a/include/linux/hck/lite_hck_code_sign.h +++ b/include/linux/hck/lite_hck_code_sign.h @@ -1,6 +1,8 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* - * Copyright (c) 2023 Huawei Device Co., Ltd. +//SPDX-License-Identifier: GPL-2.0-only +/*lite_hck_sample.h + * + *OpenHarmony Common Kernel Vendor Hook Smaple + * */ #ifndef LITE_HCK_CODE_SIGN_H @@ -20,18 +22,6 @@ DECLARE_HCK_LITE_HOOK(code_sign_verify_certchain_lhck, TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret), TP_ARGS(raw_pkcs7, pkcs7_len, ret)); -DECLARE_HCK_LITE_HOOK(code_sign_check_descriptor_lhck, - TP_PROTO(const struct inode *inode, const void *desc, int *ret), - TP_ARGS(inode, desc, ret)); - -DECLARE_HCK_LITE_HOOK(code_sign_before_measurement_lhck, - TP_PROTO(void *desc, int *ret), - TP_ARGS(desc, ret)); - -DECLARE_HCK_LITE_HOOK(code_sign_after_measurement_lhck, - TP_PROTO(void *desc, int version), - TP_ARGS(desc, version)); - #endif /* CONFIG_HCK */ #endif /* LITE_HCK_CODE_SIGN_H */ diff --git a/include/uapi/linux/fsverity.h b/include/uapi/linux/fsverity.h index ae44df1b1d1763a85761f4002b69ed8b9cde3113..da0daf6c193b4bd7f0d0e700ad74f5e639ada116 100644 --- a/include/uapi/linux/fsverity.h +++ b/include/uapi/linux/fsverity.h @@ -37,23 +37,4 @@ struct fsverity_digest { #define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg) #define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest) -struct code_sign_enable_arg { - __u32 version; - __u32 hash_algorithm; - __u32 block_size; - __u32 salt_size; - __u64 salt_ptr; - __u32 sig_size; - __u32 __reserved1; - __u64 sig_ptr; - __u64 __reserved2[7]; - __u64 tree_offset; - __u64 root_hash_ptr; - __u64 data_size; - __u32 flags; - __u32 cs_version; -}; - -#define FS_IOC_ENABLE_CODE_SIGN _IOW('f', 200, struct code_sign_enable_arg) - #endif /* _UAPI_LINUX_FSVERITY_H */