25 Commits

Author SHA1 Message Date
fundavid 786fce4e10 upgrade to v1.6 ee7d74d75a727463046bf380b3de9e602a6e2b40
Signed-off-by: fundavid <fangjiawei8@huawei.com>
2025-03-04 11:03:27 +08:00
Eric Biggers 61493fd18b Clarify the purpose of built-in signatures
Signed-off-by: Eric Biggers <ebiggers@google.com>
2022-01-18 14:38:50 -08:00
Aleksander Adamowski 66b1d8a276 Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine
The PKCS#11 API allows us to use opaque keys confined in hardware security
modules (HSMs) and similar hardware tokens without direct access to the
key material, providing logical separation of the keys from the
cryptographic operations performed using them.

This commit allows using the popular libp11 pkcs11 module for the
OpenSSL library with `fsverity` so that direct access to a private key
file isn't necessary to sign files.

The user needs to supply the path to the engine shared library
(typically the libp11 shared object file) and the PKCS#11 module library
(a shared object file specific to the given hardware token).  The user
may also supply a token-specific key identifier.

Test evidence with a hardware PKCS#11 token:

  $ echo test > dummy
  $ ./fsverity sign dummy dummy.sig \
    --pkcs11-engine=/usr/lib64/engines-1.1/libpkcs11.so \
    --pkcs11-module=/usr/local/lib64/pkcs11_module.so \
    --cert=test-pkcs11-cert.pem && echo OK;
  Signed file 'dummy'
  (sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
  OK

Test evidence for regression check (checking that regular file-based key
signing still works):

  $ ./fsverity sign dummy dummy.sig --key=key.pem --cert=cert.pem && \
    echo  OK;
  Signed file 'dummy'
  (sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
  OK

Signed-off-by: Aleksander Adamowski <olo@fb.com>
[EB: Avoided overloading the --key option and keyfile field, clarified
 the documentation, removed logic from cmd_sign.c that libfsverity
 already handles, and many other improvements.]
Link: https://lore.kernel.org/r/20210909212731.1151190-1-olo@fb.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-09-13 10:36:47 -07:00
Eric Biggers 6f64dde651 programs/fsverity: add --out-merkle-tree and --out-descriptor options
Make 'fsverity digest' and 'fsverity sign' support writing the Merkle
tree and fs-verity descriptor to files, using new options
'--out-merkle-tree=FILE' and '--out-descriptor=FILE'.

Normally these new options aren't useful, but they can be needed in
cases where the fs-verity metadata needs to be consumed by something
other than one of the native Linux kernel implementations of fs-verity.

This is different from 'fsverity dump_metadata' in that
'fsverity dump_metadata' only works on a file with fs-verity enabled,
whereas these new options are for the userspace file digest computation.

Link: https://lore.kernel.org/r/20210603195812.50838-5-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-06-08 15:33:46 -07:00
Eric Biggers 1690cc2c74 programs/utils: add full_pwrite() and preallocate_file()
These helper functions will be used by the implementation of the
--out-merkle-tree option for 'fsverity digest' and 'fsverity sign'.

Link: https://lore.kernel.org/r/20210603195812.50838-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-06-08 15:33:44 -07:00
Eric Biggers 3b7ac7d54a programs/test_compute_digest: test the metadata callbacks
Test that the libfsverity_metadata_callbacks support seems to be working
correctly.

Link: https://lore.kernel.org/r/20210603195812.50838-3-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-06-08 15:33:42 -07:00
Eric Biggers cf8fa5e5a7 programs/fsverity: Add dump_metadata subcommand
Add a 'fsverity dump_metadata' subcommand which calls
FS_IOC_READ_VERITY_METADATA on a file and prints the returned metadata
to stdout.  There are three subsubcommands, one for each type of
metadata that can be read using the ioctl:

	fsverity dump_metadata merkle_tree FILE
	fsverity dump_metadata descriptor FILE
	fsverity dump_metadata signature FILE

By default the whole metadata item is dumped.  --length and --offset can
be specified to dump only a particular range of the item.

This subcommand will be used by xfstests to test the
FS_IOC_READ_VERITY_METADATA ioctl.

Link: https://lore.kernel.org/r/20210115182402.35691-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-02-24 13:32:36 -08:00
Eric Biggers 362db17b5b Fix some #endif comments
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-12-28 10:35:07 -08:00
Luca Boccassi 160bff5fa2 Allow building and running sign/digest on Windows
Add some minimal compat type defs, and omit the enable/measure
sources. Also add a way to handle the fact that mingw adds a
.exe extension automatically in the Makefile install rules.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201222001033.302274-3-bluca@debian.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-12-22 00:10:39 -08:00
Luca Boccassi 3cd5a384ab Remove unneeded include
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201217192516.3683371-1-luca.boccassi@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-12-21 13:30:08 -08:00
Eric Biggers c7e0612deb Rename "file measurement" to "file digest"
As was done in the kernel, rename "file measurement" to "file digest".
"File digest" has ended up being the more intuitive name, and it avoids
using multiple names for the same thing.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201113213314.73616-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-25 17:41:23 -08:00
Eric Biggers 39194220bc Upgrade to latest fsverity_uapi.h
The latest UAPI header includes the declarations of fsverity_descriptor
and fsverity_formatted_digest (previously fsverity_signed_digest).
Therefore they no longer need to be declared in other files.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201113213314.73616-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-25 17:41:23 -08:00
Eric Biggers df3723acda programs/fsverity: share code to parse tree parameters
The "digest", "enable", and "sign" commands all parse the --hash-alg,
--block-size, and --salt options and initialize a struct
libfsverity_merkle_tree_params, so share the code that does this.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201116205628.262173-5-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-17 08:42:50 -08:00
Eric Biggers f76d01b8ce lib: add libfsverity_enable() and libfsverity_enable_with_sig()
Add convenience functions that wrap FS_IOC_ENABLE_VERITY but take a
'struct libfsverity_merkle_tree_params' instead of
'struct fsverity_enable_arg'.  This is useful because it allows
libfsverity users to deal with one common struct, and also get the
default parameter handling that libfsverity_compute_digest() does.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201116205628.262173-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-17 08:42:39 -08:00
Eric Biggers ecac40ae0f lib/compute_digest: add default hash_algorithm and block_size
If hash_algorithm is left 0, default it to FS_VERITY_HASH_ALG_SHA256;
and if block_size is left 0, default it to 4096 bytes.

While it's nice to be explicit, having defaults makes things easier for
library users.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201116205628.262173-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-17 08:42:31 -08:00
Eric Biggers 26a583224a programs/fsverity: change default block size from PAGE_SIZE to 4096
Even though the kernel currently only supports PAGE_SIZE == Merkle tree
block size, PAGE_SIZE isn't a good default Merkle tree block size for
fsverity-utils, since it means that if someone doesn't explicitly
specify the block size, then the results of 'fsverity sign' and
'fsverity enable' will differ between different architectures.

So change the default Merkle tree block size to 4096, which is the most
common PAGE_SIZE.  This will break anyone using the fsverity program
without the --block-size option on an architecture with a non-4K page
size.  But I don't think anyone is actually doing that yet anyway.

Acked-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201116205628.262173-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-11-17 08:42:29 -08:00
Luca Boccassi 97bc1aa377 programs/fsverity: Add digest subcommand
Add a 'fsverity digest' subcommand that prints the hex-encoded digest of
the specified file(s), ready to be signed offline.  By default the
output is like 'fsverity measure', but if the --for-builtin-sig option
is given, the output is the hex-encoded "struct fsverity_signed_digest"
that the kernel expects to be signed for builtin signatures.

This subcommand is useful in case the integrated signing mechanism with
local cert/key cannot be used.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201026191839.3329948-1-luca.boccassi@gmail.com
[EB: commit message, comment, and whitespace tweaks]
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-10-26 13:30:11 -07:00
Eric Biggers a00024e8d7 Move libfsverity.h to its own directory
libfsverity.h is the public API, but the other headers in common/ are
private headers for fsverity-utils.  Move libfsverity.h to its own
directory to make this clear.  This is also needed for Android's build
system in order to restrict the exported headers to libfsverity.h.

This doesn't affect users who are using 'make install', since
'make install' still installs libfsverity.h to the same place,
and it doesn't install any private headers.

Link: https://lore.kernel.org/r/20200923202328.16310-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-09-24 10:36:35 -07:00
Eric Biggers ab794fd565 Switch to MIT license
This allows libfsverity to be used by software with other common
licenses, e.g. LGPL, MIT, BSD, and Apache 2.0.  It also avoids the
incompatibility that some people perceive between OpenSSL and the GPL.

See discussion at
https://lkml.kernel.org/linux-fscrypt/20200211000037.189180-1-Jes.Sorensen@gmail.com/T/#u

Link: https://lkml.kernel.org/linux-fscrypt/20200731191156.22602-1-ebiggers@kernel.org
Acked-by: Chris Mason <clm@fb.com> # FB copyrighted material
Acked-by: Jes Sorensen <jsorensen@fb.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-08-01 09:59:46 -07:00
Eric Biggers 7e41d9f20a test_compute_digest: add more test cases
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-06-14 23:18:44 -07:00
Eric Biggers dcdb253f01 programs: make the test programs show libfsverity error messages
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-06-14 23:18:44 -07:00
Eric Biggers f81f77709a Move version number to libfsverity.h
Other library users might need it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-06-05 17:29:10 -07:00
Eric Biggers d38875c097 programs: be compatible with -fsanitize=unsigned-integer-overflow
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-06-05 16:51:47 -07:00
Eric Biggers e5979668e5 Add some basic test programs for libfsverity
Add three test programs: 'test_hash_algs', 'test_compute_digest', and
'test_sign_digest'.  Nothing fancy yet, just some basic tests to test
each library function.

With the new Makefile, these get run by 'make check'.

Reviewed-by: Jes Sorensen <jsorensen@fb.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-05-25 13:45:31 -07:00
Eric Biggers 5cd90ca608 Introduce libfsverity
From the 'fsverity' program, split out a library 'libfsverity'.
Currently it supports computing file measurements ("digests"), and
signing those file measurements for use with the fs-verity builtin
signature verification feature.

Rewritten from patches by Jes Sorensen <jsorensen@fb.com>.
I made a lot of improvements, e.g.:

- Separated library and program source into different directories.
- Drastically improved the Makefile.
- Added 'make check' target and rules to build test programs.
- In the shared lib, only export the functions intended to be public.
- Prefixed global functions with "libfsverity_" so that they don't cause
  conflicts when the library is built as a static library.
- Made library error messages be sent to a user-specified callback
  rather than always being printed to stderr.
- Keep showing OpenSSL error messages.
- Stopped abort()ing in library code, when possible.
- Made libfsverity_digest use native endianness.
- Moved file_size into the merkle_tree_params.
- Made libfsverity_get_hash_name() just return the static strings.
- Made some variables in the API uint32_t instead of uint16_t.
- Shared parse_hash_alg_option() between cmd_enable and cmd_sign.
- Lots of other fixes.

(Folded in a couple of Makefile fixes from Jes.)

Reviewed-by: Jes Sorensen <jsorensen@fb.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-05-25 13:45:31 -07:00