[HACK] fs-verity: add support for userspace signature verification

The existing Android application package (APK) format already has a
signature block in the middle of the file.  To allow fs-verity to be
used on such files without making the kernel intimately aware of the APK
file format, we need userspace to do the signature verification.  To
support this, add the following functionality:

- An ioctl FS_IOC_SET_VERITY_MEASUREMENT that allows a privileged
  userspace process to provide the trusted measurement expected for a
  file.  This replaces getting the measurement from a PKCS#7 signature
  in the fs-verity footer.  This ioctl also pins the inode into memory,
  since otherwise the trusted measurement would be lost on eviction.

- Elide extensions.  An elision is a region of data that is not verified
  at all, i.e. is omitted from the Merkle tree.  This is needed to elide
  the signature block.

- Patch extensions.  A patch is a region of data that is not verified,
  but has substitute data of the same length included in the Merkle
  tree.  This is needed to patch out the field that gives the offset to
  the signature block.

Elisions and patches are stored as authenticated extension items, so
they are included in the file measurement and an attacker cannot simply
circumvent fs-verity by adding them.  For simplicity of implementation,
elisions are required to be page-aligned, each page can have at most one
patch, and elisions and patches cannot overlap.

Userspace is responsible for verifying the signature block, generating
the expected list of elisions and patches, computing the
expected/trusted measurement, and calling FS_IOC_SET_VERITY_MEASUREMENT.

This is broken out from the rest of the fs-verity patchset, since we
plan for the need for these workarounds to go away and for them to be
excluded from the proposed upstream patchset.

Signed-off-by: Eric Biggers <ebiggers@google.com>
11 files changed
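As an added illustration of the design described above (this is not code from the commit or from fs-verity itself), the following Python model shows why elisions and patches can be left unverified without letting an attacker use them to bypass verification. Everything here is an assumption for the sake of the example: a tiny page size, a one-level "Merkle tree" (a hash over page hashes), a made-up canonical encoding for the extension list, a constructed four-page APK-like file, and a simplification that a patch must lie within a single page. The measurement is the hash of the tree root together with the encoded extensions, which is what makes the extensions authenticated.

```python
"""Toy model of a file measurement with elisions and patches (assumed format,
not the real fs-verity on-disk layout)."""
import hashlib

PAGE_SIZE = 16  # constructed, deliberately tiny so the example is readable


def validate_extensions(file_len, elisions, patches):
    """Enforce the stated rules: elisions are page-aligned, each page has at
    most one patch, and elisions and patches never overlap. Returns the set
    of elided page numbers. (Single-page patches are an assumption here.)"""
    elided = set()
    for start, length in elisions:
        if length == 0 or start % PAGE_SIZE or length % PAGE_SIZE:
            raise ValueError("elision must be non-empty and page-aligned")
        if start + length > file_len:
            raise ValueError("elision extends past end of file")
        for page in range(start // PAGE_SIZE, (start + length) // PAGE_SIZE):
            if page in elided:
                raise ValueError("elisions overlap")
            elided.add(page)
    patched = set()
    for offset, substitute in patches:
        if not substitute or offset + len(substitute) > file_len:
            raise ValueError("patch out of range")
        page = offset // PAGE_SIZE
        if (offset + len(substitute) - 1) // PAGE_SIZE != page:
            raise ValueError("patch must stay within one page (assumed)")
        if page in elided:
            raise ValueError("patch overlaps an elision")
        if page in patched:
            raise ValueError("at most one patch per page")
        patched.add(page)
    return elided


def merkle_root(data, elisions, patches):
    """Hash each non-elided page after substituting patch data, then hash
    the leaf hashes together (a one-level tree stands in for the real one)."""
    elided = validate_extensions(len(data), elisions, patches)
    substituted = bytearray(data)
    for offset, substitute in patches:
        substituted[offset:offset + len(substitute)] = substitute
    leaves = []
    for start in range(0, len(data), PAGE_SIZE):
        if start // PAGE_SIZE in elided:
            continue  # elided page is omitted from the tree entirely
        leaves.append(hashlib.sha256(bytes(substituted[start:start + PAGE_SIZE])).digest())
    return hashlib.sha256(b"".join(leaves)).digest()


def encode_extensions(elisions, patches):
    """Canonical encoding of the extension list (assumed format) so that the
    list itself is covered by the measurement."""
    out = bytearray()
    for start, length in sorted(elisions):
        out += b"E" + start.to_bytes(8, "big") + length.to_bytes(8, "big")
    for offset, substitute in sorted(patches):
        out += b"P" + offset.to_bytes(8, "big") + len(substitute).to_bytes(4, "big") + substitute
    return bytes(out)


def measurement(data, elisions, patches):
    """Trusted measurement = H(root || authenticated extensions)."""
    root = merkle_root(data, elisions, patches)
    return hashlib.sha256(root + encode_extensions(elisions, patches)).hexdigest()


def build_sample():
    """Constructed APK-like file: header page (with a 4-byte offset field at
    bytes 8..12 pointing at the signature block), code page, signature page,
    resource page."""
    sig_offset = 2 * PAGE_SIZE
    header = b"HDR" + b"\x00" * 5 + sig_offset.to_bytes(4, "big") + b"\x00" * 4
    code = b"classes.dex".ljust(PAGE_SIZE, b".")
    signature = b"SIGNATURE-BLOCK!"
    resources = b"resources.arsc".ljust(PAGE_SIZE, b".")
    return header + code + signature + resources


def rejects(data, elisions, patches):
    try:
        measurement(data, elisions, patches)
    except ValueError:
        return True
    return False


def demo():
    data = build_sample()
    elisions = [(2 * PAGE_SIZE, PAGE_SIZE)]   # elide the signature block page
    patches = [(8, b"\x00" * 4)]              # patch out the offset field
    trusted = measurement(data, elisions, patches)
    resigned = data[:32] + b"OTHER-SIGNATURE!" + data[48:]
    moved_offset = data[:8] + (3 * PAGE_SIZE).to_bytes(4, "big") + data[12:]
    tampered_code = data[:16] + b"evil.dex".ljust(PAGE_SIZE, b".") + data[32:]
    return {
        "signature_block_ignored": measurement(resigned, elisions, patches) == trusted,
        "offset_field_ignored": measurement(moved_offset, elisions, patches) == trusted,
        "code_page_detected": measurement(tampered_code, elisions, patches) != trusted,
        "dropped_elision_detected": measurement(data, [], patches) != trusted,
        "added_elision_detected": measurement(tampered_code, [(16, 16)] + elisions, patches) != trusted,
        "overlap_rejected": rejects(data, [(0, PAGE_SIZE)], patches),
        "unaligned_rejected": rejects(data, [(33, 15)], patches),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two "detected" cases are the point of the paragraph on authenticated extensions: an attacker who modifies a verified page and then adds an elision over it changes the extension list, and therefore the measurement, so the trusted measurement supplied through FS_IOC_SET_VERITY_MEASUREMENT no longer matches.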