/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Copyright (C) 2009-2010 IBM Corporation
*
* Authors:
* Mimi Zohar <[email protected]>
*/
/*
 * Drop any pr_fmt() the including .c file or an earlier header defined,
 * so that the definition below is the one in effect for this subsystem.
 */
#ifdef pr_fmt
#undef pr_fmt
#endif

/* Prefix every pr_*() line emitted by the integrity code with its module name. */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/types.h>
#include <linux/integrity.h>
#include <crypto/sha1.h>
#include <crypto/hash.h>
#include <linux/key.h>
#include <linux/audit.h>
#include <linux/lsm_hooks.h>
/*
 * Type byte that leads an IMA/EVM xattr value (the "type" member of
 * struct evm_ima_xattr_data_hdr below).  These values are persisted in
 * extended attributes, so they are spelled out explicitly and must never
 * be renumbered; new types go before the IMA_XATTR_LAST sentinel.
 */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST		= 0x01,
	EVM_XATTR_HMAC			= 0x02,
	EVM_IMA_XATTR_DIGSIG		= 0x03,
	IMA_XATTR_DIGEST_NG		= 0x04,
	EVM_XATTR_PORTABLE_DIGSIG	= 0x05,
	IMA_VERITY_DIGSIG		= 0x06,
	IMA_XATTR_LAST			= 0x07,	/* sentinel, not a valid stored type */
};

/*
 * Generic IMA/EVM xattr value: a one-byte type (enum evm_ima_xattr_type)
 * followed by a type-specific payload.  The fixed part is grouped as
 * struct evm_ima_xattr_data_hdr so it can be embedded in fixed-size
 * structs (see struct evm_xattr) without the flexible array member.
 */
struct evm_ima_xattr_data {
	/* New members must be added within the __struct_group() macro below. */
	__struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
		u8 type;	/* enum evm_ima_xattr_type */
	);
	u8 data[];	/* type-specific payload; its length is not recorded here */
} __packed;
/* Catch members accidentally added outside the grouped header. */
static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr),
	      "struct member likely outside of __struct_group()");

/*
 * Only used in the EVM HMAC code: the type header followed by a fixed
 * SHA1-sized digest, so the whole value has a compile-time size.
 */
struct evm_xattr {
	struct evm_ima_xattr_data_hdr data;
	u8 digest[SHA1_DIGEST_SIZE];
} __packed;

/* Largest digest any supported hash algorithm can produce (from crypto/hash.h). */
#define IMA_MAX_DIGEST_SIZE	HASH_MAX_DIGESTSIZE

/*
 * A file digest together with the two xattr header bytes that precede it.
 * The fixed part is grouped as struct ima_digest_data_hdr so that
 * ima_max_digest_data below can pair it with a fixed-size digest buffer.
 */
struct ima_digest_data {
	/* New members must be added within the __struct_group() macro below. */
	__struct_group(ima_digest_data_hdr, hdr, __packed,
		u8 algo;	/* hash algorithm, presumably an enum hash_algo value */
		u8 length;	/* bytes used in digest[]; a u8, so at most 255 */
		/*
		 * The two xattr header bytes, viewable in either of the two
		 * layouts or as raw bytes.
		 */
		union {
			struct {
				u8 unused;
				u8 type;	/* enum evm_ima_xattr_type */
			} sha1;		/* legacy layout: type byte comes second */
			struct {
				u8 type;	/* enum evm_ima_xattr_type */
				u8 algo;	/* presumably enum hash_algo */
			} ng;		/* "ng" layout: type byte first, then the algorithm */
			u8 data[2];
		} xattr;
	);
	u8 digest[];	/* bounded by HASH_MAX_DIGESTSIZE, see ima_max_digest_data */
} __packed;
/* Catch members accidentally added outside the grouped header. */
static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr),
	      "struct member likely outside of __struct_group()");

/*
 * Instead of wrapping the ima_digest_data struct inside a local structure
 * with the maximum hash size, define ima_max_digest_data struct.
 *
 * It carries the same header with digest[] pinned to HASH_MAX_DIGESTSIZE,
 * so it can be declared on the stack; the static_assert above keeps the
 * digest offset identical to struct ima_digest_data, which is what makes
 * viewing one through a struct ima_digest_data pointer intended to be safe.
 */
struct ima_max_digest_data {
	struct ima_digest_data_hdr hdr;
	u8 digest[HASH_MAX_DIGESTSIZE];
} __packed;

/*
 * signature header format v2 - for using with asymmetric keys
 *
 * The signature_v2_hdr struct includes a signature format version
 * to simplify defining new signature formats.
 *
 * signature format:
 * version 2: regular file data hash based signature
 * version 3: struct ima_file_id data based signature
 *
 * The header is read straight out of an xattr (its first byte is the
 * xattr type), so none of the fields can be trusted before they are
 * checked: keyid and sig_size are big-endian on the wire, and sig_size
 * is only a claim about sig[] that the parser has to bound against the
 * actual xattr length before touching the payload.
 */
struct signature_v2_hdr {
	uint8_t type;		/* xattr type */
	uint8_t version;	/* signature format version */
	uint8_t hash_algo;	/* Digest algorithm [enum hash_algo] */
	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
	__be16 sig_size;	/* signature size */
	uint8_t sig[];		/* signature payload */
} __packed;

/*
 * IMA signature version 3 disambiguates the data that is signed, by
 * indirectly signing the hash of the ima_file_id structure data,
 * containing either the fsverity_descriptor struct digest or, in the
 * future, the regular IMA file hash.
 *
 * (The hash of the ima_file_id structure is only of the portion used.)
 *
 * Binding hash_type and hash_algorithm into the signed bytes is what
 * lets a v3 signature state unambiguously which kind of digest it covers.
 */
struct ima_file_id {
	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
	__u8 hash[HASH_MAX_DIGESTSIZE];	/* only the algorithm's digest size is used */
} __packed;

/**
 * integrity_kernel_read - read file contents from kernel context
 * @file: open file to read
 * @offset: byte offset to start at
 * @addr: kernel buffer of at least @count bytes
 * @count: number of bytes requested
 *
 * Return convention is not visible in this header; presumably the number
 * of bytes read or a negative errno — confirm against the definition.
 */
int integrity_kernel_read(struct file *file, loff_t offset,
			  void *addr, unsigned long count);
/* Boot-time (__init) setup/teardown of the securityfs entries, see integrity_dir. */
int __init integrity_fs_init(void);
void __init integrity_fs_fini(void);

/*
 * Keyring indexes, passed as @id to the keyring and verification helpers
 * below.  INTEGRITY_KEYRING_MAX is one past the last real keyring and is
 * presumably used to size the keyring table, so keep it last.
 */
#define INTEGRITY_KEYRING_EVM		0
#define INTEGRITY_KEYRING_IMA		1
#define INTEGRITY_KEYRING_PLATFORM	2
#define INTEGRITY_KEYRING_MACHINE	3
#define INTEGRITY_KEYRING_MAX		4

/* securityfs directory for the integrity subsystem (see integrity_fs_init()). */
extern struct dentry *integrity_dir;

/* Parsed appended module signature; opaque here, only pointers are passed around. */
struct modsig;

#ifdef CONFIG_INTEGRITY_SIGNATURE

/**
 * integrity_digsig_verify - verify a detached signature over a digest
 * @id: INTEGRITY_KEYRING_* index of the keyring holding the signer's key
 * @sig: signature blob as stored in the xattr
 * @siglen: length of @sig; an int, so the implementation has to reject
 *          negative values
 * @digest: digest the signature is expected to cover
 * @digestlen: length of @digest in bytes
 *
 * Return: 0 on success, negative errno otherwise (exact codes are set by
 * the definition, not visible here).
 */
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
			    const char *digest, int digestlen);
/* Verify an appended module signature against keyring @id. */
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);

/* Boot-time keyring setup and certificate loading (__init: not callable later). */
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
int __init integrity_load_cert(const unsigned int id, const char *source,
			       const void *data, size_t len, key_perm_t perm);
#else

/*
 * Stubs for kernels built without signature support.  The verifiers fail
 * closed with -EOPNOTSUPP; the keyring/certificate helpers report success
 * so that boot-time callers do not trip over the missing feature.  There is
 * no stub for integrity_load_x509(); its callers are presumably only built
 * when this option is set.
 */
static inline int integrity_digsig_verify(const unsigned int id,
					  const char *sig, int siglen,
					  const char *digest, int digestlen)
{
	return -EOPNOTSUPP;
}

static inline int integrity_modsig_verify(unsigned int id,
					  const struct modsig *modsig)
{
	return -EOPNOTSUPP;
}

/* Declared __init above; the stub omits it, which is harmless for an inline no-op. */
static inline int integrity_init_keyring(const unsigned int id)
{
	return 0;
}

static inline int __init integrity_load_cert(const unsigned int id,
					     const char *source,
					     const void *data, size_t len,
					     key_perm_t perm)
{
	return 0;
}
#endif /* CONFIG_INTEGRITY_SIGNATURE */

#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
/**
 * asymmetric_verify - verify @sig over @data with a key from @keyring
 * @keyring: keyring to search for the signing key
 * @sig: signature blob
 * @siglen: length of @sig in bytes
 * @data: data (presumably a digest) the signature covers
 * @datalen: length of @data in bytes
 *
 * Return: 0 on success, negative errno otherwise — confirm against the definition.
 */
int asymmetric_verify(struct key *keyring, const char *sig,
		      int siglen, const char *data, int datalen);
#else
/* Without asymmetric key support every verification fails closed. */
static inline int asymmetric_verify(struct key *keyring, const char *sig,
				    int siglen, const char *data, int datalen)
{
	return -EOPNOTSUPP;
}
#endif

#ifdef CONFIG_IMA_APPRAISE_MODSIG
/* Verify a parsed appended module signature with a key from @keyring. */
int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
#else
/* Appended-signature appraisal compiled out: fail closed. */
static inline int ima_modsig_verify(struct key *keyring,
				    const struct modsig *modsig)
{
	return -EOPNOTSUPP;
}
#endif

#ifdef CONFIG_IMA_LOAD_X509
/* Boot-time loading of the IMA X.509 certificate (__init only). */
void __init ima_load_x509(void);
#else
/* Nothing to load when the option is off. */
static inline void ima_load_x509(void)
{
}
#endif

#ifdef CONFIG_EVM_LOAD_X509
/* Boot-time loading of the EVM X.509 certificate (__init only). */
void __init evm_load_x509(void);
#else
/* Nothing to load when the option is off. */
static inline void evm_load_x509(void)
{
}
#endif

#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
/**
 * integrity_audit_msg - emit an integrity audit record
 * @audit_msgno: audit record type, presumably one of the AUDIT_INTEGRITY_* values
 * @inode: inode the event concerns (whether NULL is accepted is not visible here)
 * @fname: file name to log
 * @op: operation being reported
 * @cause: reason or detail for the record
 * @result: outcome value to log
 * @info: extra, message-specific detail
 */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
			 const unsigned char *fname, const char *op,
			 const char *cause, int result, int info);

/*
 * Same as integrity_audit_msg() with an additional @errno value to include
 * in the record.  The parameter name is safe here because the kernel has no
 * errno macro.
 */
void integrity_audit_message(int audit_msgno, struct inode *inode,
			     const unsigned char *fname, const char *op,
			     const char *cause, int result, int info,
			     int errno);

/* Thin wrapper around audit_log_start(); may return NULL like the callee. */
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
	return audit_log_start(ctx, gfp_mask, type);
}

#else
/* Auditing compiled out: the message helpers are no-ops. */
static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
				       const unsigned char *fname,
				       const char *op, const char *cause,
				       int result, int info)
{
}

static inline void integrity_audit_message(int audit_msgno,
					   struct inode *inode,
					   const unsigned char *fname,
					   const char *op, const char *cause,
					   int result, int info, int errno)
{
}

/* Always NULL here, so callers must treat a NULL buffer as "no audit record". */
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
	return NULL;
}

#endif

#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
/*
 * Add a certificate blob (@data, @len bytes) to the platform keyring at
 * boot; @source is a description of where it came from, presumably used
 * for logging.  __init: not callable after boot.
 */
void __init add_to_platform_keyring(const char *source, const void *data,
				    size_t len);
#else
/* No platform keyring: the certificate is silently not added. */
static inline void __init add_to_platform_keyring(const char *source,
						  const void *data, size_t len)
{
}
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/* Add a certificate blob (@data, @len bytes) from @source to the machine keyring at boot. */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
/* Whether trust may be imputed to keys on the machine keyring; boot-time query only. */
bool __init imputed_trust_enabled(void);
#else
/* No machine keyring: the certificate is silently not added. */
static inline void __init add_to_machine_keyring(const char *source,
						 const void *data, size_t len)
{
}

/* Without a machine keyring nothing can be imputed trust; false is the safe default. */
static inline bool __init imputed_trust_enabled(void)
{
	return false;
}
#endif