security/integrity/integrity.h at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / security / integrity / integrity.h
at master 7.1 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0-only */
  2/*
  3 * Copyright (C) 2009-2010 IBM Corporation
  4 *
  5 * Authors:
  6 * Mimi Zohar <zohar@us.ibm.com>
  7 */
  8
  9#ifdef pr_fmt
 10#undef pr_fmt
 11#endif
 12
 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 14
 15#include <linux/types.h>
 16#include <linux/integrity.h>
 17#include <crypto/sha1.h>
 18#include <crypto/hash.h>
 19#include <linux/key.h>
 20#include <linux/audit.h>
 21#include <linux/lsm_hooks.h>
 22
 23enum evm_ima_xattr_type {
 24	IMA_XATTR_DIGEST = 0x01,
 25	EVM_XATTR_HMAC,
 26	EVM_IMA_XATTR_DIGSIG,
 27	IMA_XATTR_DIGEST_NG,
 28	EVM_XATTR_PORTABLE_DIGSIG,
 29	IMA_VERITY_DIGSIG,
 30	IMA_XATTR_LAST
 31};
 32
 33struct evm_ima_xattr_data {
 34	/* New members must be added within the __struct_group() macro below. */
 35	__struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
 36		u8 type;
 37	);
 38	u8 data[];
 39} __packed;
 40static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr),
 41	      "struct member likely outside of __struct_group()");
 42
 43/* Only used in the EVM HMAC code. */
 44struct evm_xattr {
 45	struct evm_ima_xattr_data_hdr data;
 46	u8 digest[SHA1_DIGEST_SIZE];
 47} __packed;
 48
 49#define IMA_MAX_DIGEST_SIZE	HASH_MAX_DIGESTSIZE
 50
 51struct ima_digest_data {
 52	/* New members must be added within the __struct_group() macro below. */
 53	__struct_group(ima_digest_data_hdr, hdr, __packed,
 54	u8 algo;
 55	u8 length;
 56	union {
 57		struct {
 58			u8 unused;
 59			u8 type;
 60		} sha1;
 61		struct {
 62			u8 type;
 63			u8 algo;
 64		} ng;
 65		u8 data[2];
 66	} xattr;
 67	);
 68	u8 digest[];
 69} __packed;
 70static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr),
 71	      "struct member likely outside of __struct_group()");
 72
 73/*
 74 * Instead of wrapping the ima_digest_data struct inside a local structure
 75 * with the maximum hash size, define ima_max_digest_data struct.
 76 */
 77struct ima_max_digest_data {
 78	struct ima_digest_data_hdr hdr;
 79	u8 digest[HASH_MAX_DIGESTSIZE];
 80} __packed;
 81
 82/*
 83 * signature header format v2 - for using with asymmetric keys
 84 *
 85 * The signature_v2_hdr struct includes a signature format version
 86 * to simplify defining new signature formats.
 87 *
 88 * signature format:
 89 * version 2: regular file data hash based signature
 90 * version 3: struct ima_file_id data based signature
 91 */
 92struct signature_v2_hdr {
 93	uint8_t type;		/* xattr type */
 94	uint8_t version;	/* signature format version */
 95	uint8_t	hash_algo;	/* Digest algorithm [enum hash_algo] */
 96	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
 97	__be16 sig_size;	/* signature size */
 98	uint8_t sig[];		/* signature payload */
 99} __packed;
100
101/*
102 * IMA signature version 3 disambiguates the data that is signed, by
103 * indirectly signing the hash of the ima_file_id structure data,
104 * containing either the fsverity_descriptor struct digest or, in the
105 * future, the regular IMA file hash.
106 *
107 * (The hash of the ima_file_id structure is only of the portion used.)
108 */
109struct ima_file_id {
110	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
111	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
112	__u8 hash[HASH_MAX_DIGESTSIZE];
113} __packed;
114
115int integrity_kernel_read(struct file *file, loff_t offset,
116			  void *addr, unsigned long count);
117int __init integrity_fs_init(void);
118void __init integrity_fs_fini(void);
119
120#define INTEGRITY_KEYRING_EVM		0
121#define INTEGRITY_KEYRING_IMA		1
122#define INTEGRITY_KEYRING_PLATFORM	2
123#define INTEGRITY_KEYRING_MACHINE	3
124#define INTEGRITY_KEYRING_MAX		4
125
126extern struct dentry *integrity_dir;
127
128struct modsig;
129
130#ifdef CONFIG_INTEGRITY_SIGNATURE
131
132int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
133			    const char *digest, int digestlen);
134int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
135
136int __init integrity_init_keyring(const unsigned int id);
137int __init integrity_load_x509(const unsigned int id, const char *path);
138int __init integrity_load_cert(const unsigned int id, const char *source,
139			       const void *data, size_t len, key_perm_t perm);
140#else
141
142static inline int integrity_digsig_verify(const unsigned int id,
143					  const char *sig, int siglen,
144					  const char *digest, int digestlen)
145{
146	return -EOPNOTSUPP;
147}
148
149static inline int integrity_modsig_verify(unsigned int id,
150					  const struct modsig *modsig)
151{
152	return -EOPNOTSUPP;
153}
154
155static inline int integrity_init_keyring(const unsigned int id)
156{
157	return 0;
158}
159
160static inline int __init integrity_load_cert(const unsigned int id,
161					     const char *source,
162					     const void *data, size_t len,
163					     key_perm_t perm)
164{
165	return 0;
166}
167#endif /* CONFIG_INTEGRITY_SIGNATURE */
168
169#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
170int asymmetric_verify(struct key *keyring, const char *sig,
171		      int siglen, const char *data, int datalen);
172#else
173static inline int asymmetric_verify(struct key *keyring, const char *sig,
174				    int siglen, const char *data, int datalen)
175{
176	return -EOPNOTSUPP;
177}
178#endif
179
180#ifdef CONFIG_IMA_APPRAISE_MODSIG
181int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
182#else
183static inline int ima_modsig_verify(struct key *keyring,
184				    const struct modsig *modsig)
185{
186	return -EOPNOTSUPP;
187}
188#endif
189
190#ifdef CONFIG_IMA_LOAD_X509
191void __init ima_load_x509(void);
192#else
193static inline void ima_load_x509(void)
194{
195}
196#endif
197
198#ifdef CONFIG_EVM_LOAD_X509
199void __init evm_load_x509(void);
200#else
201static inline void evm_load_x509(void)
202{
203}
204#endif
205
206#ifdef CONFIG_INTEGRITY_AUDIT
207/* declarations */
208void integrity_audit_msg(int audit_msgno, struct inode *inode,
209			 const unsigned char *fname, const char *op,
210			 const char *cause, int result, int info);
211
212void integrity_audit_message(int audit_msgno, struct inode *inode,
213			     const unsigned char *fname, const char *op,
214			     const char *cause, int result, int info,
215			     int errno);
216
217static inline struct audit_buffer *
218integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
219{
220	return audit_log_start(ctx, gfp_mask, type);
221}
222
223#else
224static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
225				       const unsigned char *fname,
226				       const char *op, const char *cause,
227				       int result, int info)
228{
229}
230
231static inline void integrity_audit_message(int audit_msgno,
232					   struct inode *inode,
233					   const unsigned char *fname,
234					   const char *op, const char *cause,
235					   int result, int info, int errno)
236{
237}
238
239static inline struct audit_buffer *
240integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
241{
242	return NULL;
243}
244
245#endif
246
247#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
248void __init add_to_platform_keyring(const char *source, const void *data,
249				    size_t len);
250#else
251static inline void __init add_to_platform_keyring(const char *source,
252						  const void *data, size_t len)
253{
254}
255#endif
256
257#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
258void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
259bool __init imputed_trust_enabled(void);
260#else
261static inline void __init add_to_machine_keyring(const char *source,
262						  const void *data, size_t len)
263{
264}
265
266static inline bool __init imputed_trust_enabled(void)
267{
268	return false;
269}
270#endif