security/integrity/integrity.h at v6.11-rc1 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / security / integrity / integrity.h
at v6.11-rc1 264 lines 6.7 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0-only */
  2/*
  3 * Copyright (C) 2009-2010 IBM Corporation
  4 *
  5 * Authors:
  6 * Mimi Zohar <zohar@us.ibm.com>
  7 */
  8
  9#ifdef pr_fmt
 10#undef pr_fmt
 11#endif
 12
 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 14
 15#include <linux/types.h>
 16#include <linux/integrity.h>
 17#include <crypto/sha1.h>
 18#include <crypto/hash.h>
 19#include <linux/key.h>
 20#include <linux/audit.h>
 21#include <linux/lsm_hooks.h>
 22
 23enum evm_ima_xattr_type {
 24	IMA_XATTR_DIGEST = 0x01,
 25	EVM_XATTR_HMAC,
 26	EVM_IMA_XATTR_DIGSIG,
 27	IMA_XATTR_DIGEST_NG,
 28	EVM_XATTR_PORTABLE_DIGSIG,
 29	IMA_VERITY_DIGSIG,
 30	IMA_XATTR_LAST
 31};
 32
 33struct evm_ima_xattr_data {
 34	/* New members must be added within the __struct_group() macro below. */
 35	__struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
 36		u8 type;
 37	);
 38	u8 data[];
 39} __packed;
 40
 41/* Only used in the EVM HMAC code. */
 42struct evm_xattr {
 43	struct evm_ima_xattr_data_hdr data;
 44	u8 digest[SHA1_DIGEST_SIZE];
 45} __packed;
 46
 47#define IMA_MAX_DIGEST_SIZE	HASH_MAX_DIGESTSIZE
 48
 49struct ima_digest_data {
 50	/* New members must be added within the __struct_group() macro below. */
 51	__struct_group(ima_digest_data_hdr, hdr, __packed,
 52	u8 algo;
 53	u8 length;
 54	union {
 55		struct {
 56			u8 unused;
 57			u8 type;
 58		} sha1;
 59		struct {
 60			u8 type;
 61			u8 algo;
 62		} ng;
 63		u8 data[2];
 64	} xattr;
 65	);
 66	u8 digest[];
 67} __packed;
 68
 69/*
 70 * Instead of wrapping the ima_digest_data struct inside a local structure
 71 * with the maximum hash size, define ima_max_digest_data struct.
 72 */
 73struct ima_max_digest_data {
 74	struct ima_digest_data_hdr hdr;
 75	u8 digest[HASH_MAX_DIGESTSIZE];
 76} __packed;
 77
 78/*
 79 * signature header format v2 - for using with asymmetric keys
 80 *
 81 * The signature_v2_hdr struct includes a signature format version
 82 * to simplify defining new signature formats.
 83 *
 84 * signature format:
 85 * version 2: regular file data hash based signature
 86 * version 3: struct ima_file_id data based signature
 87 */
 88struct signature_v2_hdr {
 89	uint8_t type;		/* xattr type */
 90	uint8_t version;	/* signature format version */
 91	uint8_t	hash_algo;	/* Digest algorithm [enum hash_algo] */
 92	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
 93	__be16 sig_size;	/* signature size */
 94	uint8_t sig[];		/* signature payload */
 95} __packed;
 96
 97/*
 98 * IMA signature version 3 disambiguates the data that is signed, by
 99 * indirectly signing the hash of the ima_file_id structure data,
100 * containing either the fsverity_descriptor struct digest or, in the
101 * future, the regular IMA file hash.
102 *
103 * (The hash of the ima_file_id structure is only of the portion used.)
104 */
105struct ima_file_id {
106	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
107	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
108	__u8 hash[HASH_MAX_DIGESTSIZE];
109} __packed;
110
111int integrity_kernel_read(struct file *file, loff_t offset,
112			  void *addr, unsigned long count);
113
114#define INTEGRITY_KEYRING_EVM		0
115#define INTEGRITY_KEYRING_IMA		1
116#define INTEGRITY_KEYRING_PLATFORM	2
117#define INTEGRITY_KEYRING_MACHINE	3
118#define INTEGRITY_KEYRING_MAX		4
119
120extern struct dentry *integrity_dir;
121
122struct modsig;
123
124#ifdef CONFIG_INTEGRITY_SIGNATURE
125
126int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
127			    const char *digest, int digestlen);
128int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
129
130int __init integrity_init_keyring(const unsigned int id);
131int __init integrity_load_x509(const unsigned int id, const char *path);
132int __init integrity_load_cert(const unsigned int id, const char *source,
133			       const void *data, size_t len, key_perm_t perm);
134#else
135
136static inline int integrity_digsig_verify(const unsigned int id,
137					  const char *sig, int siglen,
138					  const char *digest, int digestlen)
139{
140	return -EOPNOTSUPP;
141}
142
143static inline int integrity_modsig_verify(unsigned int id,
144					  const struct modsig *modsig)
145{
146	return -EOPNOTSUPP;
147}
148
149static inline int integrity_init_keyring(const unsigned int id)
150{
151	return 0;
152}
153
154static inline int __init integrity_load_cert(const unsigned int id,
155					     const char *source,
156					     const void *data, size_t len,
157					     key_perm_t perm)
158{
159	return 0;
160}
161#endif /* CONFIG_INTEGRITY_SIGNATURE */
162
163#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
164int asymmetric_verify(struct key *keyring, const char *sig,
165		      int siglen, const char *data, int datalen);
166#else
167static inline int asymmetric_verify(struct key *keyring, const char *sig,
168				    int siglen, const char *data, int datalen)
169{
170	return -EOPNOTSUPP;
171}
172#endif
173
174#ifdef CONFIG_IMA_APPRAISE_MODSIG
175int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
176#else
177static inline int ima_modsig_verify(struct key *keyring,
178				    const struct modsig *modsig)
179{
180	return -EOPNOTSUPP;
181}
182#endif
183
184#ifdef CONFIG_IMA_LOAD_X509
185void __init ima_load_x509(void);
186#else
187static inline void ima_load_x509(void)
188{
189}
190#endif
191
192#ifdef CONFIG_EVM_LOAD_X509
193void __init evm_load_x509(void);
194#else
195static inline void evm_load_x509(void)
196{
197}
198#endif
199
200#ifdef CONFIG_INTEGRITY_AUDIT
201/* declarations */
202void integrity_audit_msg(int audit_msgno, struct inode *inode,
203			 const unsigned char *fname, const char *op,
204			 const char *cause, int result, int info);
205
206void integrity_audit_message(int audit_msgno, struct inode *inode,
207			     const unsigned char *fname, const char *op,
208			     const char *cause, int result, int info,
209			     int errno);
210
211static inline struct audit_buffer *
212integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
213{
214	return audit_log_start(ctx, gfp_mask, type);
215}
216
217#else
218static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
219				       const unsigned char *fname,
220				       const char *op, const char *cause,
221				       int result, int info)
222{
223}
224
225static inline void integrity_audit_message(int audit_msgno,
226					   struct inode *inode,
227					   const unsigned char *fname,
228					   const char *op, const char *cause,
229					   int result, int info, int errno)
230{
231}
232
233static inline struct audit_buffer *
234integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
235{
236	return NULL;
237}
238
239#endif
240
241#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
242void __init add_to_platform_keyring(const char *source, const void *data,
243				    size_t len);
244#else
245static inline void __init add_to_platform_keyring(const char *source,
246						  const void *data, size_t len)
247{
248}
249#endif
250
251#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
252void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
253bool __init imputed_trust_enabled(void);
254#else
255static inline void __init add_to_machine_keyring(const char *source,
256						  const void *data, size_t len)
257{
258}
259
260static inline bool __init imputed_trust_enabled(void)
261{
262	return false;
263}
264#endif