1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <charconv>
18 #include <filesystem>
19 #include <map>
20 #include <span>
21 #include <string>
22 #include <vector>
23
24 #include <fcntl.h>
25 #include <linux/fs.h>
26 #include <sys/stat.h>
27 #include <sys/types.h>
28
29 #include "android-base/errors.h"
30 #include <android-base/file.h>
31 #include <android-base/logging.h>
32 #include <android-base/result.h>
33 #include <android-base/unique_fd.h>
34 #include <asm/byteorder.h>
35 #include <libfsverity.h>
36 #include <linux/fsverity.h>
37
38 #define FS_VERITY_MAX_DIGEST_SIZE 64
39
40 using android::base::ErrnoError;
41 using android::base::Error;
42 using android::base::Result;
43 using android::base::unique_fd;
44
45 static const char* kFsVerityProcPath = "/proc/sys/fs/verity";
46
SupportsFsVerity()47 bool SupportsFsVerity() {
48 return access(kFsVerityProcPath, F_OK) == 0;
49 }
50
toHex(std::span<const uint8_t> data)51 static std::string toHex(std::span<const uint8_t> data) {
52 std::stringstream ss;
53 for (auto it = data.begin(); it != data.end(); ++it) {
54 ss << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned>(*it);
55 }
56 return ss.str();
57 }
58
read_callback(void * file,void * buf,size_t count)59 static int read_callback(void* file, void* buf, size_t count) {
60 int* fd = (int*)file;
61 if (TEMP_FAILURE_RETRY(read(*fd, buf, count)) < 0) return errno ? -errno : -EIO;
62 return 0;
63 }
64
createDigest(int fd)65 static Result<std::vector<uint8_t>> createDigest(int fd) {
66 struct stat filestat;
67 int ret = fstat(fd, &filestat);
68 if (ret < 0) {
69 return ErrnoError() << "Failed to fstat";
70 }
71 struct libfsverity_merkle_tree_params params = {
72 .version = 1,
73 .hash_algorithm = FS_VERITY_HASH_ALG_SHA256,
74 .file_size = static_cast<uint64_t>(filestat.st_size),
75 .block_size = 4096,
76 };
77
78 struct libfsverity_digest* digest;
79 ret = libfsverity_compute_digest(&fd, &read_callback, ¶ms, &digest);
80 if (ret < 0) {
81 return ErrnoError() << "Failed to compute fs-verity digest";
82 }
83 int expected_digest_size = libfsverity_get_digest_size(FS_VERITY_HASH_ALG_SHA256);
84 if (digest->digest_size != expected_digest_size) {
85 return Error() << "Digest does not have expected size: " << expected_digest_size
86 << " actual: " << digest->digest_size;
87 }
88 std::vector<uint8_t> digestVector(&digest->digest[0], &digest->digest[expected_digest_size]);
89 free(digest);
90 return digestVector;
91 }
92
createDigest(const std::string & path)93 Result<std::vector<uint8_t>> createDigest(const std::string& path) {
94 unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
95 if (!fd.ok()) {
96 return ErrnoError() << "Unable to open";
97 }
98 return createDigest(fd.get());
99 }
100
101 namespace {
102 template <typename T> struct DeleteAsPODArray {
operator ()__anone6e9360d0111::DeleteAsPODArray103 void operator()(T* x) {
104 if (x) {
105 x->~T();
106 delete[](uint8_t*) x;
107 }
108 }
109 };
110
111 template <typename T> using trailing_unique_ptr = std::unique_ptr<T, DeleteAsPODArray<T>>;
112
113 template <typename T>
makeUniqueWithTrailingData(size_t trailing_data_size)114 static trailing_unique_ptr<T> makeUniqueWithTrailingData(size_t trailing_data_size) {
115 uint8_t* memory = new uint8_t[sizeof(T) + trailing_data_size];
116 T* ptr = new (memory) T;
117 return trailing_unique_ptr<T>{ptr};
118 }
119
measureFsVerity(int fd)120 static Result<std::string> measureFsVerity(int fd) {
121 auto d = makeUniqueWithTrailingData<fsverity_digest>(FS_VERITY_MAX_DIGEST_SIZE);
122 d->digest_size = FS_VERITY_MAX_DIGEST_SIZE;
123
124 if (ioctl(fd, FS_IOC_MEASURE_VERITY, d.get()) != 0) {
125 if (errno == ENODATA) {
126 return Error() << "File is not in fs-verity";
127 } else {
128 return ErrnoError() << "Failed to FS_IOC_MEASURE_VERITY";
129 }
130 }
131
132 return toHex({&d->digest[0], &d->digest[d->digest_size]});
133 }
134
measureFsVerity(const std::string & path)135 static Result<std::string> measureFsVerity(const std::string& path) {
136 unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
137 if (!fd.ok()) {
138 return ErrnoError() << "Failed to open " << path;
139 }
140
141 return measureFsVerity(fd.get());
142 }
143
144 } // namespace
145
enableFsVerity(int fd)146 static Result<void> enableFsVerity(int fd) {
147 struct fsverity_enable_arg arg = {.version = 1};
148
149 arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
150 arg.block_size = 4096;
151
152 int ret = ioctl(fd, FS_IOC_ENABLE_VERITY, &arg);
153
154 if (ret != 0) {
155 return ErrnoError() << "Failed to call FS_IOC_ENABLE_VERITY";
156 }
157
158 return {};
159 }
160
enableFsVerity(const std::string & path)161 Result<void> enableFsVerity(const std::string& path) {
162 unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
163 if (!fd.ok()) {
164 return Error() << "Can't open " << path;
165 }
166
167 return enableFsVerity(fd.get());
168 }
169
isFileInVerity(int fd)170 static Result<bool> isFileInVerity(int fd) {
171 unsigned int flags;
172 if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) {
173 return ErrnoError() << "ioctl(FS_IOC_GETFLAGS) failed";
174 }
175 return (flags & FS_VERITY_FL) != 0;
176 }
177
addFilesToVerityRecursive(const std::string & path)178 Result<std::map<std::string, std::string>> addFilesToVerityRecursive(const std::string& path) {
179 std::map<std::string, std::string> digests;
180
181 std::error_code ec;
182 auto it = std::filesystem::recursive_directory_iterator(path, ec);
183 for (auto end = std::filesystem::recursive_directory_iterator(); it != end; it.increment(ec)) {
184 if (it->is_regular_file()) {
185 unique_fd fd(TEMP_FAILURE_RETRY(open(it->path().c_str(), O_RDONLY | O_CLOEXEC)));
186 if (!fd.ok()) {
187 return ErrnoError() << "Failed to open " << path;
188 }
189 auto enabled = OR_RETURN(isFileInVerity(fd));
190 if (!enabled) {
191 LOG(INFO) << "Adding " << it->path() << " to fs-verity...";
192 OR_RETURN(enableFsVerity(fd));
193 } else {
194 LOG(INFO) << it->path() << " was already in fs-verity.";
195 }
196 auto digest = OR_RETURN(measureFsVerity(fd));
197 digests[it->path()] = digest;
198 }
199 }
200 if (ec) {
201 return Error() << "Failed to iterate " << path << ": " << ec.message();
202 }
203
204 return digests;
205 }
206
verifyAllFilesInVerity(const std::string & path)207 Result<std::map<std::string, std::string>> verifyAllFilesInVerity(const std::string& path) {
208 std::map<std::string, std::string> digests;
209 std::error_code ec;
210
211 auto it = std::filesystem::recursive_directory_iterator(path, ec);
212 auto end = std::filesystem::recursive_directory_iterator();
213
214 while (!ec && it != end) {
215 if (it->is_regular_file()) {
216 // Verify the file is in fs-verity
217 auto result = OR_RETURN(measureFsVerity(it->path()));
218 digests[it->path()] = result;
219 } else if (it->is_directory()) {
220 // These are fine to ignore
221 } else if (it->is_symlink()) {
222 return Error() << "Rejecting artifacts, symlink at " << it->path();
223 } else {
224 return Error() << "Rejecting artifacts, unexpected file type for " << it->path();
225 }
226 ++it;
227 }
228 if (ec) {
229 return Error() << "Failed to iterate " << path << ": " << ec;
230 }
231
232 return digests;
233 }
234
verifyAllFilesUsingCompOs(const std::string & directory_path,const std::map<std::string,std::string> & digests)235 Result<void> verifyAllFilesUsingCompOs(const std::string& directory_path,
236 const std::map<std::string, std::string>& digests) {
237 std::error_code ec;
238 size_t verified_count = 0;
239 auto it = std::filesystem::recursive_directory_iterator(directory_path, ec);
240 for (auto end = std::filesystem::recursive_directory_iterator(); it != end; it.increment(ec)) {
241 auto& path = it->path();
242 if (it->is_regular_file()) {
243 auto entry = digests.find(path);
244 if (entry == digests.end()) {
245 return Error() << "Unexpected file found: " << path;
246 }
247 auto& compos_digest = entry->second;
248
249 unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
250 if (!fd.ok()) {
251 return ErrnoError() << "Can't open " << path;
252 }
253
254 bool enabled = OR_RETURN(isFileInVerity(fd));
255 if (!enabled) {
256 LOG(INFO) << "Enabling fs-verity for " << path;
257 OR_RETURN(enableFsVerity(fd));
258 }
259
260 auto actual_digest = OR_RETURN(measureFsVerity(fd));
261 // Make sure the file's fs-verity digest matches the known value.
262 if (actual_digest == compos_digest) {
263 ++verified_count;
264 } else {
265 return Error() << "fs-verity digest does not match CompOS digest: " << path;
266 }
267 } else if (it->is_directory()) {
268 // These are fine to ignore
269 } else if (it->is_symlink()) {
270 return Error() << "Rejecting artifacts, symlink at " << path;
271 } else {
272 return Error() << "Rejecting artifacts, unexpected file type for " << path;
273 }
274 }
275 if (ec) {
276 return Error() << "Failed to iterate " << directory_path << ": " << ec.message();
277 }
278
279 // Make sure all the files we expected have been seen
280 if (verified_count != digests.size()) {
281 return Error() << "Verified " << verified_count << " files, but expected "
282 << digests.size();
283 }
284
285 return {};
286 }
287