integrity.h source code [linux/security/integrity/integrity.h]

1	/ SPDX-License-Identifier: GPL-2.0-only /
2	/*
3	* Copyright (C) 2009-2010 IBM Corporation
4	*
5	* Authors:
6	* Mimi Zohar <zohar@us.ibm.com>
7	*/
8
9	#ifdef pr_fmt
10	#undef pr_fmt
11	#endif
12
13	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15	#include <linux/types.h>
16	#include <linux/integrity.h>
17	#include <crypto/sha1.h>
18	#include <crypto/hash.h>
19	#include <linux/key.h>
20	#include <linux/audit.h>
21	#include <linux/lsm_hooks.h>
22
23	enum evm_ima_xattr_type {
24	IMA_XATTR_DIGEST = `0x01`,
25	EVM_XATTR_HMAC,
26	EVM_IMA_XATTR_DIGSIG,
27	IMA_XATTR_DIGEST_NG,
28	EVM_XATTR_PORTABLE_DIGSIG,
29	IMA_VERITY_DIGSIG,
30	IMA_XATTR_LAST
31	};
32
33	struct evm_ima_xattr_data {
34	u8 type;
35	u8 data[];
36	} __packed;
37
38	/ Only used in the EVM HMAC code. /
39	struct evm_xattr {
40	struct evm_ima_xattr_data data;
41	u8 digest[SHA1_DIGEST_SIZE];
42	} __packed;
43
44	#define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
45
46	struct ima_digest_data {
47	u8 algo;
48	u8 length;
49	union {
50	struct {
51	u8 unused;
52	u8 type;
53	} sha1;
54	struct {
55	u8 type;
56	u8 algo;
57	} ng;
58	u8 data[`2`];
59	} xattr;
60	u8 digest[];
61	} __packed;
62
63	/*
64	* Instead of wrapping the ima_digest_data struct inside a local structure
65	* with the maximum hash size, define ima_max_digest_data struct.
66	*/
67	struct ima_max_digest_data {
68	struct ima_digest_data hdr;
69	u8 digest[HASH_MAX_DIGESTSIZE];
70	} __packed;
71
72	/*
73	* signature header format v2 - for using with asymmetric keys
74	*
75	* The signature_v2_hdr struct includes a signature format version
76	* to simplify defining new signature formats.
77	*
78	* signature format:
79	* version 2: regular file data hash based signature
80	* version 3: struct ima_file_id data based signature
81	*/
82	struct signature_v2_hdr {
83	uint8_t type; / xattr type /
84	uint8_t version; / signature format version /
85	uint8_t hash_algo; / Digest algorithm [enum hash_algo] /
86	__be32 keyid; / IMA key identifier - not X509/PGP specific /
87	__be16 sig_size; / signature size /
88	uint8_t sig[]; / signature payload /
89	} __packed;
90
91	/*
92	* IMA signature version 3 disambiguates the data that is signed, by
93	* indirectly signing the hash of the ima_file_id structure data,
94	* containing either the fsverity_descriptor struct digest or, in the
95	* future, the regular IMA file hash.
96	*
97	* (The hash of the ima_file_id structure is only of the portion used.)
98	*/
99	struct ima_file_id {
100	__u8 hash_type; / xattr type [enum evm_ima_xattr_type] /
101	__u8 hash_algorithm; / Digest algorithm [enum hash_algo] /
102	__u8 hash[HASH_MAX_DIGESTSIZE];
103	} __packed;
104
105	int integrity_kernel_read(struct file *file, loff_t offset,
106	void addr, unsigned* long count);
107
108	#define INTEGRITY_KEYRING_EVM 0
109	#define INTEGRITY_KEYRING_IMA 1
110	#define INTEGRITY_KEYRING_PLATFORM 2
111	#define INTEGRITY_KEYRING_MACHINE 3
112	#define INTEGRITY_KEYRING_MAX 4
113
114	extern struct dentry *integrity_dir;
115
116	struct modsig;
117
118	#ifdef CONFIG_INTEGRITY_SIGNATURE
119
120	int integrity_digsig_verify(const unsigned int id, const char sig, int* siglen,
121	const char digest, int* digestlen);
122	int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
123
124	int __init integrity_init_keyring(const unsigned int id);
125	int __init integrity_load_x509(const unsigned int id, const char *path);
126	int __init integrity_load_cert(const unsigned int id, const char *source,
127	const void *data, size_t len, key_perm_t perm);
128	#else
129
130	static inline int integrity_digsig_verify(const unsigned int id,
131	const char sig, int* siglen,
132	const char digest, int* digestlen)
133	{
134	return -EOPNOTSUPP;
135	}
136
137	static inline int integrity_modsig_verify(unsigned int id,
138	const struct modsig *modsig)
139	{
140	return -EOPNOTSUPP;
141	}
142
143	static inline int integrity_init_keyring(const unsigned int id)
144	{
145	return `0`;
146	}
147
148	static inline int __init integrity_load_cert(const unsigned int id,
149	const char *source,
150	const void *data, size_t len,
151	key_perm_t perm)
152	{
153	return `0`;
154	}
155	#endif /* CONFIG_INTEGRITY_SIGNATURE */
156
157	#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
158	int asymmetric_verify(struct key keyring, const* char *sig,
159	int siglen, const char data, int* datalen);
160	#else
161	static inline int asymmetric_verify(struct key keyring, const* char *sig,
162	int siglen, const char data, int* datalen)
163	{
164	return -EOPNOTSUPP;
165	}
166	#endif
167
168	#ifdef CONFIG_IMA_APPRAISE_MODSIG
169	int ima_modsig_verify(struct key keyring, const* struct modsig *modsig);
170	#else
171	static inline int ima_modsig_verify(struct key *keyring,
172	const struct modsig *modsig)
173	{
174	return -EOPNOTSUPP;
175	}
176	#endif
177
178	#ifdef CONFIG_IMA_LOAD_X509
179	void __init ima_load_x509(void);
180	#else
181	static inline void ima_load_x509(void)
182	{
183	}
184	#endif
185
186	#ifdef CONFIG_EVM_LOAD_X509
187	void __init evm_load_x509(void);
188	#else
189	static inline void evm_load_x509(void)
190	{
191	}
192	#endif
193
194	#ifdef CONFIG_INTEGRITY_AUDIT
195	/ declarations /
196	void integrity_audit_msg(int audit_msgno, struct inode *inode,
197	const unsigned char fname, const* char *op,
198	const char cause, int* result, int info);
199
200	void integrity_audit_message(int audit_msgno, struct inode *inode,
201	const unsigned char fname, const* char *op,
202	const char cause, int* result, int info,
203	int errno);
204
205	static inline struct audit_buffer *
206	integrity_audit_log_start(struct audit_context ctx, gfp_t gfp_mask, int* type)
207	{
208	return audit_log_start(ctx, gfp_mask, type);
209	}
210
211	#else
212	static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
213	const unsigned char *fname,
214	const char op, const* char *cause,
215	int result, int info)
216	{
217	}
218
219	static inline void integrity_audit_message(int audit_msgno,
220	struct inode *inode,
221	const unsigned char *fname,
222	const char op, const* char *cause,
223	int result, int info, int errno)
224	{
225	}
226
227	static inline struct audit_buffer *
228	integrity_audit_log_start(struct audit_context ctx, gfp_t gfp_mask, int* type)
229	{
230	return NULL;
231	}
232
233	#endif
234
235	#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
236	void __init add_to_platform_keyring(const char source, const* void *data,
237	size_t len);
238	#else
239	static inline void __init add_to_platform_keyring(const char *source,
240	const void *data, size_t len)
241	{
242	}
243	#endif
244
245	#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
246	void __init add_to_machine_keyring(const char source, const* void *data, size_t len);
247	bool __init imputed_trust_enabled(void);
248	#else
249	static inline void __init add_to_machine_keyring(const char *source,
250	const void *data, size_t len)
251	{
252	}
253
254	static inline bool __init imputed_trust_enabled(void)
255	{
256	return false;
257	}
258	#endif
259

source code of linux/security/integrity/integrity.h