[RFC] CHROMIUM: Two patches for comments: EFI GUID boot for dm-verity

drivers/md/dm-verity.c

 /*
  * Originally based on dm-crypt.c,
  * Copyright (C) 2003 Christophe Saout <christophe@saout.de>
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2006-2008 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010 The Chromium OS Authors <chromium-os-dev@chromium.org>
  *                    All Rights Reserved.
  *
  * This file is released under the GPL.
  *
  * Implements a verifying transparent block device.
  * See Documentation/device-mapper/dm-verity.txt
  */
+#include <linux/async.h>
 #include <linux/backing-dev.h>
 #include <linux/bio.h>
 #include <linux/blkdev.h>
 #include <linux/completion.h>
 #include <linux/crypto.h>
 #include <linux/delay.h>
+#include <linux/device.h>
+#ifdef CONFIG_EFI_PARTITION
+#       include <linux/efi.h>
+#endif
 #include <linux/err.h>
+#include <linux/genhd.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/mempool.h>
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/workqueue.h>
 #include <linux/reboot.h>
 #include <asm/atomic.h>
 #include <linux/scatterlist.h>
 #include <asm/page.h>
@@ skipping 83 matching lines @@
 static int error_behavior = DM_VERITY_EIO;
 module_param(error_behavior, int, 0444);
 MODULE_PARM_DESC(error_behavior, "Behavior on error");
 
 
 /* Control whether the reads are optimized for sequential access by pre-reading
  * entries in the bht.
  */
 static int bht_readahead;
 module_param(bht_readahead, int, 0644);
-MODULE_PARM_DESC(bht_readahead, "number of entries to readahead in the bht");
+MODULE_PARM_DESC(bht_readahead, "Number of entries to readahead in the bht");
+
+/* Controls whether verity_get_device will wait forever for a device. */
+static int dev_wait;
+module_param(dev_wait, bool, 0444);
+MODULE_PARM_DESC(dev_wait, "Wait forever for a backing device")
 
 /* Used for tracking pending bios as well as for exporting information via
  * STATUSTYPE_INFO.
  */
 struct verity_stats {
         unsigned int pending_bio;
         unsigned int io_queue;
         unsigned int verify_queue;
         unsigned int average_requeues;
         unsigned int total_requeues;
@@ skipping 399 matching lines @@
                         /* IO errors have to be propagated. */
                         if (error != -EIO && io)
                                 io->error = 0;
                 }
                 return;
         default:
                 break;
         }
 }
 
+/**
+ * efi_parse_hexbyte - Convert a ASCII hex number to a byte
+ * @src:  Pointer to at least 2 characters to convert.
+ *
+ * Convert a two character ASCII hex string to a number.
+ * From ldm.c.
+ *
+ * Return:  0-255  Success, the byte was parsed correctly
+ *          -1     Error, an invalid character was supplied
+ */
+static int efi_hexbyte (const u8 *src)
+{
+        unsigned int x;         /* For correct wrapping */
+        int h;
+
+        /* high part */
+        if      ((x = src[0] - '0') <= '9'-'0') h = x;
+        else if ((x = src[0] - 'a') <= 'f'-'a') h = x+10;
+        else if ((x = src[0] - 'A') <= 'F'-'A') h = x+10;
+        else return -1;
+        h <<= 4;
+
+        /* low part */
+        if ((x = src[1] - '0') <= '9'-'0') return h | x;
+        if ((x = src[1] - 'a') <= 'f'-'a') return h | (x+10);
+        if ((x = src[1] - 'A') <= 'F'-'A') return h | (x+10);
+        return -1;
+}
+
+/**
+ * efi_parse_guid - Convert GUID from ASCII to binary
+ * @src:   36 char string of the form fa50ff2b-f2e8-45de-83fa-65417f2f49ba
+ * @dest:  Memory block to hold binary GUID (16 bytes)
+ *
+ * N.B. The GUID need not be NULL terminated and no safety checks are performed.
+ *
+ * Return:  'true'   @dest contains binary GUID
+ *          'false'  @dest contents are undefined
+ */
+static bool efi_parse_guid(const u8 *src, u8 *dest)
+{
+        dest[3] = efi_hexbyte(src); src += 2;
+        dest[2] = efi_hexbyte(src); src += 2;
+        dest[1] = efi_hexbyte(src); src += 2;
+        dest[0] = efi_hexbyte(src); src += 2;
+        src += 1;  /* - */
+        dest[5] = efi_hexbyte(src); src += 2;
+        dest[4] = efi_hexbyte(src); src += 2;
+        src += 1;  /* - */
+        dest[7] = efi_hexbyte(src); src += 2;
+        dest[6] = efi_hexbyte(src); src += 2;
+        src += 1;  /* - */
+        dest[8] = efi_hexbyte(src); src += 2;
+        dest[9] = efi_hexbyte(src); src += 2;
+        src += 1;  /* - */
+        dest[10] = efi_hexbyte(src); src += 2;
+        dest[11] = efi_hexbyte(src); src += 2;
+        dest[12] = efi_hexbyte(src); src += 2;
+        dest[13] = efi_hexbyte(src); src += 2;
+        dest[14] = efi_hexbyte(src); src += 2;
+        dest[15] = efi_hexbyte(src); src += 2;
+        return true;
+}
+
+/**
+ * dm_get_efi_device: claim a device using its unique GUID
+ * @ti:                 current dm_target
+ * @guid_string:        36 byte GUID
+ *                      (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+ * @dev_start:          offset in sectors passed to dm_get_device
+ * @dev_len:            length in sectors passed to dm_get_device
+ * @dm_dev:             dm_dev to populate
+ *
+ * Wraps dm_get_device allowing it to use a unique partition GUID to
+ * find a given partition on any drive. This code is based on
+ * printk_all_partitions in that it walks all of the register block devices.
+ *
+ * N.B., guid_string is not checked for safety.
+ */
+static int dm_get_efi_device(struct dm_target *ti,
+                             const char *guid_string,
+                             sector_t dev_start,
+                             sector_t dev_len,
+                             struct dm_dev **dm_dev)
+{
+#ifdef CONFIG_EFI_PARTITION
+        int part = 0;
+        efi_guid_t guid;
+        struct class_dev_iter iter;
+        struct device *dev;
+        dev_t devt = 0;
+        char devt_buf[BDEVT_SIZE];
+
+        DMDEBUG("dm_get_efi_device called");
+        if (!efi_parse_guid(guid_string, guid.b))
+                goto bad_guid;
+        DMDEBUG("GUID parsed");
+
+        /* Walks the block_class. Since we can't access gendisk's
+         * device_type, we just filter out entries with no devnode below.
+         */
+        class_dev_iter_init(&iter, &block_class, NULL, NULL);
+        while ((dev = class_dev_iter_next(&iter))) {
+                struct gendisk *disk = dev_to_disk(dev);
+                struct block_device *bdev = NULL;
+
+                DMDEBUG("Walking %u:%u", MAJOR(dev->devt), MINOR(dev->devt));
+
+                /*
+                 * Don't show empty devices or things that have been
+                 * surpressed
+                 */
+                if (!disk || get_capacity(disk) == 0 ||
+                    (disk->flags & GENHD_FL_SUPPRESS_PARTITION_INFO))
+                        continue;
+
+                if (!disk->part_tbl) {
+                        DMDEBUG("No partition table for %u:%u",
+                                MAJOR(disk_devt(disk)),
+                                MINOR(disk_devt(disk)));
+                        continue;
+                }
+
+                /* We're walking all disk and partitions so just grab disks. */
+                bdev = bdget_disk(disk, 0);
+                if (!bdev) {
+                        DMDEBUG("No bdev for %u:%u. Skipping",
+                                MAJOR(dev->devt), MINOR(dev->devt));
+                        continue;
+                }
+
+                /* Ensure we have a bd_disk. If nothing else has it opened,
+                 * there's no guarantee it'll be populated.
+                 */
+                int err = blkdev_get(bdev, FMODE_READ);
+                if (err < 0) {
+                        DMDEBUG("Failed to blkdev_get: %d", err);
+                        bdput(bdev);
+                        continue;
+                }
+
+                DMDEBUG("find_efi_partition called for disk: %u:%u",
+                                MAJOR(dev->devt), MINOR(dev->devt));
+                part = efi_find_partition(&guid, bdev);
+                /* Nb, it seems that calling bdput after blkdev_put
+                 * isn't common.  If the inode was only in use here,
+                 * then it will end up I_CLEAR'd when bdput gets to it.
+                 */
+                blkdev_put(bdev, FMODE_READ);
+                /* On match, create the dev node if possible.*/
+                if (part > 0) {
+                        devt = MKDEV(MAJOR(dev->devt),
+                                     MINOR(dev->devt) + part);
+                        DMDEBUG("found a part! (%d %u:%u)", part,
+                                MAJOR(devt), MINOR(devt));
+                        break;
+                }
+        }
+        class_dev_iter_exit(&iter);
+
+        if (part <= 0)
+                goto found_nothing;
+
+        /* Construct the dev name to pass to dm_get_device. This is roundabout
+         * EFI partition scanning isn't exactly fast so it doesn't seem like a
+         * bad tradeoff.
+         */
+        snprintf(devt_buf, sizeof(devt_buf), "%u:%u", MAJOR(devt), MINOR(devt));
+
+        /* TODO(wad) to make this generic we could also pass in the mode. */
+        if (dm_get_device(ti, devt_buf, dev_start, dev_len,
+                          dm_table_get_mode(ti->table), dm_dev) == 0)
+                return 0;
+
+        ti->error = "Failed to acquire device";
+        DMDEBUG("Failed to acquire discovered device %s", devt_buf);
+        return -1;
+bad_guid:
+        ti->error = "Bad GUID";
+        DMDEBUG("Supplied value '%s' is an invalid GUID", guid_string);
+        return -1;
+found_nothing:
+        DMDEBUG("No matching partition for GUID: %s", guid_string);
+        ti->error = "No matching GUID";
+#endif
+        return -1;
+}
+
+static int verity_get_device(struct dm_target *ti, const char *devname,
+                             sector_t dev_start, sector_t dev_len,
+                             struct dm_dev **dm_dev)
+{
+        do {
+                /* Try the normal path first since if everything is ready, it
+                 * will be the fastest.
+                 */
+                if (!dm_get_device(ti, devname, dev_start, dev_len,
+                                  dm_table_get_mode(ti->table), dm_dev))
+                        return 0;
+
+                /* Try the device by EFI GUID */
+                if (!dm_get_efi_device(ti, devname, dev_start, dev_len, dm_dev))
+                        return 0;
+
+                /* No need to be too aggressive since this is a slow path. */
+                msleep(500);
+        } while (dev_wait && (driver_probe_done() != 0 || *dm_dev == NULL));
+        async_synchronize_full();
+        return -1;
+}
+
+
 /*-----------------------------------------------------------------
  * Reverse flow of requests into the device.
  *
  * (Start at the bottom with verity_map and work your way upward).
  *-----------------------------------------------------------------*/
 
 static void verity_inc_pending(struct dm_verity_io *io);
 
 /* verity_dec_pending manages the lifetime of all dm_verity_io structs.
  * Non-bug error handling is centralized through this interface and
@@ skipping 695 matching lines @@
         if (dm_bht_set_root_hexdigest(&vc->bht, argv[5])) {
                 DMERR("root hexdigest error");
                 goto bad_root_hexdigest;
         }
         dm_bht_set_read_cb(&vc->bht, kverityd_bht_read_callback);
         dm_bht_set_entry_readahead(&vc->bht, bht_readahead);
 
         /* arg0: device to verify */
         vc->start = 0;  /* TODO: should this support a starting offset? */
         /* We only ever grab the device in read-only mode. */
-        ret = dm_get_device(ti, argv[0], vc->start, ti->len,
-                            dm_table_get_mode(ti->table), &vc->dev);
+        ret = verity_get_device(ti, argv[0], vc->start, ti->len, &vc->dev);
         if (ret) {
                 DMERR("Failed to acquire device '%s': %d", argv[0], ret);
                 ti->error = "Device lookup failed";
                 goto bad_verity_dev;
         }
 
         if (PAGE_ALIGN(vc->start) != vc->start ||
             PAGE_ALIGN(to_bytes(ti->len)) != to_bytes(ti->len)) {
                 ti->error = "Device must be PAGE_SIZE divisble/aligned";
                 goto bad_hash_start;
         }
 
         /* arg2: offset to hash on the hash device */
         if (sscanf(argv[2], "%llu", &tmpull) != 1) {
                 ti->error =
                         "Invalid hash_start supplied";
                 goto bad_hash_start;
         }
         vc->hash_start = (sector_t)(tmpull);
 
         /* arg1: device with hashes.
          * Note, arg1 == arg0 is okay as long as the size of
          *       ti->len passed to device mapper does not include
          *       the hashes.
          */
-        if (dm_get_device(ti, argv[1], vc->hash_start, dm_bht_sectors(&vc->bht),
-                          dm_table_get_mode(ti->table), &vc->hash_dev)) {
+        if (verity_get_device(ti, argv[1], vc->hash_start,
+                              dm_bht_sectors(&vc->bht), &vc->hash_dev)) {
                 ti->error = "Hash device lookup failed";
                 goto bad_hash_dev;
         }
 
         /* We leave the validity on the hash device open until the
          * next arg.  Then we go ahead and try to read in all the bundle
          * hashes which live after the block hashes.  If it fails, then
          * the hash offset was wrong.
          */
 
@@ skipping 251 matching lines @@
         dm_unregister_target(&verity_target);
         kmem_cache_destroy(_verity_io_pool);
 }
 
 module_init(dm_verity_init);
 module_exit(dm_verity_exit);
 
 MODULE_AUTHOR("The Chromium OS Authors <chromium-os-dev@chromium.org>");
 MODULE_DESCRIPTION(DM_NAME " target for transparent disk integrity checking");
 MODULE_LICENSE("GPL");