Re: [PATCH 03/11] dm: verity: Add transparent integrity checking target

[Sascha Hauer <s.hauer@pengutronix.de>]

On Thu, Sep 18, 2025 at 09:43:13AM +0200, Tobias Waldekranz wrote:
> Add the dm-verity target, which is compatible with the Linux
> implementation. This means that we can now create dm-verity devices on
> top of partitions containing read-only filesystems and transparently
> verify the integrity of all data is associated the verity root hash.
> 
> CRUCIALLY: The root hash still has be validated by some other means,
> which is outside of the scope of this implementation. Future changes
> will add support for validation of the root hash using a PKCS#7
> signature, again compatible with the Linux kernel implementation.
> 
> Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
> ---
>  drivers/block/dm/Kconfig     |   7 +
>  drivers/block/dm/Makefile    |   1 +
>  drivers/block/dm/dm-target.h |  14 ++
>  drivers/block/dm/dm-verity.c | 463 +++++++++++++++++++++++++++++++++++
>  4 files changed, 485 insertions(+)
>  create mode 100644 drivers/block/dm/dm-verity.c
> 
> +static int dm_verity_create(struct dm_target *ti, unsigned int argc, char **argv)
> +{
> +	struct dm_verity *v;
> +	unsigned int ver;
> +	int err;
> +
> +	if (argc != 10) {
> +		dm_target_err(ti, "Expected 10 arguments, got %u\n", argc);
> +		return -EINVAL;
> +	}

For the sake of readablity, can you do a

	const char *verity_version = argv[0];
	const char *verity_device = argv[1];
	...

and use these instead of argv[x] directly?


> +
> +	if (kstrtouint(argv[0], 0, &ver) || ver != 1) {
> +		dm_target_err(ti, "Only version 1 is supported, not \"%s\"\n", argv[0]);
> +		return -EINVAL;
> +	}
> +
> +	v = xzalloc(sizeof(*v));
> +	ti->private = v;
> +
> +	err = dm_verity_cdev_init(ti, &v->ddev, argv[1], argv[3], argv[5], NULL);
> +	if (err)
> +		goto err;
> +
> +	err = dm_verity_cdev_init(ti, &v->hdev, argv[2], argv[4], NULL, argv[6]);
> +	if (err)
> +		goto err;
> +
> +	v->digest_algo = digest_alloc(argv[7]);
> +	if (!v->digest_algo) {
> +		dm_target_err(ti, "Unknown digest \"%s\"\n", argv[7]);
> +		err = -EINVAL;
> +		goto err;
> +	}
> +
> +	v->digest_len = digest_length(v->digest_algo);
> +	if ((1 << v->hdev.blk.bits) < v->digest_len * 2) {
> +		dm_target_err(ti, "Digest size too big\n");
> +		err = -EINVAL;
> +		goto err;
> +	}
> +
> +	v->root_digest = xmalloc(v->digest_len);
> +	if (strlen(argv[8]) != v->digest_len * 2 ||
> +	    hex2bin(v->root_digest, argv[8], v->digest_len)) {
> +		dm_target_err(ti, "Invalid root digest \"%s\"\n", argv[8]);
> +		err = -EINVAL;
> +		goto err;
> +	}
> +
> +	if (strcmp(argv[9], "-")) {
> +		v->salt_size = strlen(argv[9]) / 2;
> +		v->salt = xmalloc(v->salt_size);
> +
> +		if (strlen(argv[9]) != v->salt_size * 2 ||
> +		    hex2bin(v->salt, argv[9], v->salt_size)) {
> +			dm_target_err(ti, "Invalid salt \"%s\"\n", argv[9]);
> +			err = -EINVAL;
> +			goto err;
> +		}
> +	}
> +
> +	err = dm_verity_measure(ti);
> +	if (err)
> +		goto err;
> +
> +	/* Initialize this to a value larger than the largest possible
> +	 * hash block lba to make sure that the first hash block read
> +	 * in dm_verity_verify() always misses the cache.
> +	 */
> +	v->verify.hblock.block = v->hdev.blk.num;
> +	v->verify.hblock.data = xmalloc(1 << v->hdev.blk.bits);
> +
> +	v->verify.digest = xmalloc(v->digest_len);
> +	v->verify.trusted = bitmap_xzalloc(v->hdev.blk.num);
> +	return 0;
> +
> +err:
> +	if (v->salt)
> +		free(v->salt);
> +	if (v->root_digest)
> +		free(v->root_digest);

No need to check. free() handles NULL pointers.

Sascha

> +	if (v->digest_algo)
> +		digest_free(v->digest_algo);
> +	if (v->hdev.cdev)
> +		cdev_close(v->hdev.cdev);
> +	if (v->ddev.cdev)
> +		cdev_close(v->ddev.cdev);
> +
> +	free(v);
> +	return err;
> +}
> +

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |