integrity.h source code [linux/security/integrity/integrity.h]

1	/ SPDX-License-Identifier: GPL-2.0-only /
2	/*
3	* Copyright (C) 2009-2010 IBM Corporation
4	*
5	* Authors:
6	* Mimi Zohar <zohar@us.ibm.com>
7	*/
8
9	#ifdef pr_fmt
10	#undef pr_fmt
11	#endif
12
13	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15	#include <linux/types.h>
16	#include <linux/integrity.h>
17	#include <crypto/sha1.h>
18	#include <crypto/hash.h>
19	#include <linux/key.h>
20	#include <linux/audit.h>
21	#include <linux/lsm_hooks.h>
22
23	enum evm_ima_xattr_type {
24	IMA_XATTR_DIGEST = `0x01`,
25	EVM_XATTR_HMAC,
26	EVM_IMA_XATTR_DIGSIG,
27	IMA_XATTR_DIGEST_NG,
28	EVM_XATTR_PORTABLE_DIGSIG,
29	IMA_VERITY_DIGSIG,
30	IMA_XATTR_LAST
31	};
32
33	struct evm_ima_xattr_data {
34	/ New members must be added within the __struct_group() macro below. /
35	__struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
36	u8 type;
37	);
38	u8 data[];
39	} __packed;
40	static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr),
41	"struct member likely outside of __struct_group()");
42
43	/ Only used in the EVM HMAC code. /
44	struct evm_xattr {
45	struct evm_ima_xattr_data_hdr data;
46	u8 digest[SHA1_DIGEST_SIZE];
47	} __packed;
48
49	#define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
50
51	struct ima_digest_data {
52	/ New members must be added within the __struct_group() macro below. /
53	__struct_group(ima_digest_data_hdr, hdr, __packed,
54	u8 algo;
55	u8 length;
56	union {
57	struct {
58	u8 unused;
59	u8 type;
60	} sha1;
61	struct {
62	u8 type;
63	u8 algo;
64	} ng;
65	u8 data[`2`];
66	} xattr;
67	);
68	u8 digest[];
69	} __packed;
70	static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr),
71	"struct member likely outside of __struct_group()");
72
73	/*
74	* Instead of wrapping the ima_digest_data struct inside a local structure
75	* with the maximum hash size, define ima_max_digest_data struct.
76	*/
77	struct ima_max_digest_data {
78	struct ima_digest_data_hdr hdr;
79	u8 digest[HASH_MAX_DIGESTSIZE];
80	} __packed;
81
82	/*
83	* signature header format v2 - for using with asymmetric keys
84	*
85	* The signature_v2_hdr struct includes a signature format version
86	* to simplify defining new signature formats.
87	*
88	* signature format:
89	* version 2: regular file data hash based signature
90	* version 3: struct ima_file_id data based signature
91	*/
92	struct signature_v2_hdr {
93	uint8_t type; / xattr type /
94	uint8_t version; / signature format version /
95	uint8_t hash_algo; / Digest algorithm [enum hash_algo] /
96	__be32 keyid; / IMA key identifier - not X509/PGP specific /
97	__be16 sig_size; / signature size /
98	uint8_t sig[]; / signature payload /
99	} __packed;
100
101	/*
102	* IMA signature version 3 disambiguates the data that is signed, by
103	* indirectly signing the hash of the ima_file_id structure data,
104	* containing either the fsverity_descriptor struct digest or, in the
105	* future, the regular IMA file hash.
106	*
107	* (The hash of the ima_file_id structure is only of the portion used.)
108	*/
109	struct ima_file_id {
110	__u8 hash_type; / xattr type [enum evm_ima_xattr_type] /
111	__u8 hash_algorithm; / Digest algorithm [enum hash_algo] /
112	__u8 hash[HASH_MAX_DIGESTSIZE];
113	} __packed;
114
115	int integrity_kernel_read(struct file *file, loff_t offset,
116	void addr, unsigned* long count);
117	int __init integrity_fs_init(void);
118	void __init integrity_fs_fini(void);
119
120	#define INTEGRITY_KEYRING_EVM 0
121	#define INTEGRITY_KEYRING_IMA 1
122	#define INTEGRITY_KEYRING_PLATFORM 2
123	#define INTEGRITY_KEYRING_MACHINE 3
124	#define INTEGRITY_KEYRING_MAX 4
125
126	extern struct dentry *integrity_dir;
127
128	struct modsig;
129
130	#ifdef CONFIG_INTEGRITY_SIGNATURE
131
132	int integrity_digsig_verify(const unsigned int id, const char sig, int* siglen,
133	const char digest, int* digestlen);
134	int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
135
136	int __init integrity_init_keyring(const unsigned int id);
137	int __init integrity_load_x509(const unsigned int id, const char *path);
138	int __init integrity_load_cert(const unsigned int id, const char *source,
139	const void *data, size_t len, key_perm_t perm);
140	#else
141
142	static inline int integrity_digsig_verify(const unsigned int id,
143	const char sig, int* siglen,
144	const char digest, int* digestlen)
145	{
146	return -EOPNOTSUPP;
147	}
148
149	static inline int integrity_modsig_verify(unsigned int id,
150	const struct modsig *modsig)
151	{
152	return -EOPNOTSUPP;
153	}
154
155	static inline int integrity_init_keyring(const unsigned int id)
156	{
157	return `0`;
158	}
159
160	static inline int __init integrity_load_cert(const unsigned int id,
161	const char *source,
162	const void *data, size_t len,
163	key_perm_t perm)
164	{
165	return `0`;
166	}
167	#endif /* CONFIG_INTEGRITY_SIGNATURE */
168
169	#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
170	int asymmetric_verify(struct key keyring, const* char *sig,
171	int siglen, const char data, int* datalen);
172	#else
173	static inline int asymmetric_verify(struct key keyring, const* char *sig,
174	int siglen, const char data, int* datalen)
175	{
176	return -EOPNOTSUPP;
177	}
178	#endif
179
180	#ifdef CONFIG_IMA_APPRAISE_MODSIG
181	int ima_modsig_verify(struct key keyring, const* struct modsig *modsig);
182	#else
183	static inline int ima_modsig_verify(struct key *keyring,
184	const struct modsig *modsig)
185	{
186	return -EOPNOTSUPP;
187	}
188	#endif
189
190	#ifdef CONFIG_IMA_LOAD_X509
191	void __init ima_load_x509(void);
192	#else
193	static inline void ima_load_x509(void)
194	{
195	}
196	#endif
197
198	#ifdef CONFIG_EVM_LOAD_X509
199	void __init evm_load_x509(void);
200	#else
201	static inline void evm_load_x509(void)
202	{
203	}
204	#endif
205
206	#ifdef CONFIG_INTEGRITY_AUDIT
207	/ declarations /
208	void integrity_audit_msg(int audit_msgno, struct inode *inode,
209	const unsigned char fname, const* char *op,
210	const char cause, int* result, int info);
211
212	void integrity_audit_message(int audit_msgno, struct inode *inode,
213	const unsigned char fname, const* char *op,
214	const char cause, int* result, int info,
215	int errno);
216
217	static inline struct audit_buffer *
218	integrity_audit_log_start(struct audit_context ctx, gfp_t gfp_mask, int* type)
219	{
220	return audit_log_start(ctx, gfp_mask, type);
221	}
222
223	#else
224	static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
225	const unsigned char *fname,
226	const char op, const* char *cause,
227	int result, int info)
228	{
229	}
230
231	static inline void integrity_audit_message(int audit_msgno,
232	struct inode *inode,
233	const unsigned char *fname,
234	const char op, const* char *cause,
235	int result, int info, int errno)
236	{
237	}
238
239	static inline struct audit_buffer *
240	integrity_audit_log_start(struct audit_context ctx, gfp_t gfp_mask, int* type)
241	{
242	return NULL;
243	}
244
245	#endif
246
247	#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
248	void __init add_to_platform_keyring(const char source, const* void *data,
249	size_t len);
250	#else
251	static inline void __init add_to_platform_keyring(const char *source,
252	const void *data, size_t len)
253	{
254	}
255	#endif
256
257	#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
258	void __init add_to_machine_keyring(const char source, const* void *data, size_t len);
259	bool __init imputed_trust_enabled(void);
260	#else
261	static inline void __init add_to_machine_keyring(const char *source,
262	const void *data, size_t len)
263	{
264	}
265
266	static inline bool __init imputed_trust_enabled(void)
267	{
268	return false;
269	}
270	#endif
271

source code of linux/security/integrity/integrity.h