/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Copyright (C) 2009-2010 IBM Corporation
*
* Authors:
* Mimi Zohar <[email protected]>
*/
/*
 * Prefix every pr_*() message from this subsystem with the module name.
 * pr_fmt may already be defined by an earlier include, so drop that
 * definition first; redefining a macro with a different body is a
 * diagnostic in C.
 */
#ifdef pr_fmt
#undef pr_fmt
#endif

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/types.h>
#include <linux/integrity.h>
#include <crypto/sha1.h>
#include <crypto/hash.h>
#include <linux/key.h>
#include <linux/audit.h>
#include <linux/lsm_hooks.h>
/*
 * Type byte that leads an IMA/EVM xattr value (the 'type' member of
 * struct evm_ima_xattr_data below). The byte is persisted with the
 * file, so renumbering an existing value would misinterpret existing
 * xattrs; new types belong before IMA_XATTR_LAST. When the type byte is
 * read back from an xattr it is untrusted input and should be checked
 * against IMA_XATTR_LAST before it is used to select a layout.
 */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST = 0x01,	/* 1: legacy digest-only xattr */
	EVM_XATTR_HMAC,			/* 2: EVM HMAC (see struct evm_xattr) */
	EVM_IMA_XATTR_DIGSIG,		/* 3: digital signature */
	IMA_XATTR_DIGEST_NG,		/* 4: digest with explicit hash algo */
	EVM_XATTR_PORTABLE_DIGSIG,	/* 5: portable EVM signature */
	IMA_VERITY_DIGSIG,		/* 6: fs-verity based signature */
	IMA_XATTR_LAST			/* 7: one past the highest defined type */
};
/*
 * Layout of an IMA/EVM xattr value: a one-byte type
 * (enum evm_ima_xattr_type) followed by type-specific payload.
 * __struct_group() additionally emits struct evm_ima_xattr_data_hdr, a
 * standalone struct holding just the header, which struct evm_xattr
 * below embeds.
 */
struct evm_ima_xattr_data {
	/* New members must be added within the __struct_group() macro below. */
	__struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
		u8 type;
	);
	u8 data[];
} __packed;
/* A header member added outside the group would move data[] past hdr. */
static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr),
	      "struct member likely outside of __struct_group()");
/*
 * Only used in the EVM HMAC code.
 *
 * Fixed-size view of an xattr value: the common one-byte header
 * followed by a SHA1-sized digest (SHA1_DIGEST_SIZE from <crypto/sha1.h>).
 */
struct evm_xattr {
	struct evm_ima_xattr_data_hdr data;
	u8 digest[SHA1_DIGEST_SIZE];
} __packed;
/* Largest digest any supported hash algorithm produces (<crypto/hash.h>). */
#define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
/*
 * A digest together with its algorithm and length. 'algo' and 'length'
 * describe the flexible digest[] that follows the header.
 *
 * The two bytes immediately before digest[] are the 'xattr' union. They
 * can be viewed as the legacy sha1 layout (unused, type), the
 * IMA_XATTR_DIGEST_NG layout (type, algo), or as two raw bytes; in both
 * named layouts 'type' is the enum evm_ima_xattr_type byte.
 * NOTE(review): presumably the on-disk xattr value starts at that type
 * byte and runs into digest[] — confirm against the IMA code that
 * writes the xattr.
 *
 * __struct_group() additionally emits struct ima_digest_data_hdr
 * (everything except digest[]), embedded by struct ima_max_digest_data
 * below.
 */
struct ima_digest_data {
	/* New members must be added within the __struct_group() macro below. */
	__struct_group(ima_digest_data_hdr, hdr, __packed,
		u8 algo;
		u8 length;
		union {
			struct {
				u8 unused;
				u8 type;
			} sha1;
			struct {
				u8 type;
				u8 algo;
			} ng;
			u8 data[2];
		} xattr;
	);
	u8 digest[];
} __packed;
/* A header member added outside the group would move digest[] past hdr. */
static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr),
	      "struct member likely outside of __struct_group()");
/*
 * Instead of wrapping the ima_digest_data struct inside a local structure
 * with the maximum hash size, define ima_max_digest_data struct.
 *
 * Same leading layout as struct ima_digest_data (hdr, then digest), but
 * with digest[] fixed at HASH_MAX_DIGESTSIZE so the whole object has a
 * known size and can be declared directly.
 */
struct ima_max_digest_data {
	struct ima_digest_data_hdr hdr;
	u8 digest[HASH_MAX_DIGESTSIZE];
} __packed;
/*
 * signature header format v2 - for using with asymmetric keys
 *
 * The signature_v2_hdr struct includes a signature format version
 * to simplify defining new signature formats.
 *
 * signature format:
 * version 2: regular file data hash based signature
 * version 3: struct ima_file_id data based signature
 *
 * keyid and sig_size are stored big-endian (__be32/__be16) and need
 * be32_to_cpu()/be16_to_cpu() before use. The header comes from an
 * xattr, so a parser must check that the header plus sig_size bytes fit
 * inside the xattr value it was read from before touching sig[].
 */
struct signature_v2_hdr {
	uint8_t type;		/* xattr type */
	uint8_t version;	/* signature format version */
	uint8_t	hash_algo;	/* Digest algorithm [enum hash_algo] */
	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
	__be16 sig_size;	/* signature size */
	uint8_t sig[];		/* signature payload */
} __packed;
/*
 * IMA signature version 3 disambiguates the data that is signed, by
 * indirectly signing the hash of the ima_file_id structure data,
 * containing either the fsverity_descriptor struct digest or, in the
 * future, the regular IMA file hash.
 *
 * (The hash of the ima_file_id structure is only of the portion used.)
 *
 * hash[] is sized for the largest algorithm; only the leading bytes that
 * hash_algorithm actually produces are meaningful, which is why only the
 * used portion of the struct is hashed.
 */
struct ima_file_id {
	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
	__u8 hash[HASH_MAX_DIGESTSIZE];
} __packed;
/*
 * Read 'count' bytes from 'file' at 'offset' into 'addr'. 'addr' carries
 * no __user annotation, so it is a kernel buffer. The return convention
 * is not visible in this header; see the definition.
 */
int integrity_kernel_read(struct file *file, loff_t offset,
			  void *addr, unsigned long count);
/*
 * Integrity keyring ids. Dense from 0 so they can index an array of
 * INTEGRITY_KEYRING_MAX entries; MAX is the count, not a valid id.
 */
#define INTEGRITY_KEYRING_EVM		0
#define INTEGRITY_KEYRING_IMA		1
#define INTEGRITY_KEYRING_PLATFORM	2
#define INTEGRITY_KEYRING_MACHINE	3
#define INTEGRITY_KEYRING_MAX		4
/* Directory dentry shared by the integrity subsystem; defined elsewhere. */
extern struct dentry *integrity_dir;
/* Opaque here: this header only passes pointers to struct modsig around. */
struct modsig;
#ifdef CONFIG_INTEGRITY_SIGNATURE
/*
 * Verify 'sig' (siglen bytes) over 'digest' (digestlen bytes) with the
 * keyring selected by 'id' (an INTEGRITY_KEYRING_* index). Both lengths
 * are plain int; the definition, not visible here, is expected to reject
 * non-positive values before they reach any length arithmetic.
 */
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
			    const char *digest, int digestlen);
/* Verify a module signature ('modsig') against keyring 'id'. */
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);

/* __init: boot-time only. Set up keyring 'id'. */
int __init integrity_init_keyring(const unsigned int id);
/* __init: load the X.509 certificate at 'path' into keyring 'id'. */
int __init integrity_load_x509(const unsigned int id, const char *path);
/*
 * __init: add the in-memory certificate 'data' (len bytes, described by
 * 'source') to keyring 'id' with key permissions 'perm'.
 */
int __init integrity_load_cert(const unsigned int id, const char *source,
			       const void *data, size_t len, key_perm_t perm);
#else
/*
 * Without CONFIG_INTEGRITY_SIGNATURE a signature check is reported as
 * unsupported (-EOPNOTSUPP), not as a pass; callers must treat it as a
 * failure to verify.
 */
static inline int integrity_digsig_verify(const unsigned int id,
					  const char *sig, int siglen,
					  const char *digest, int digestlen)
{
	return -EOPNOTSUPP;
}
/* Module signature checks are unsupported in this configuration. */
static inline int integrity_modsig_verify(unsigned int id,
					  const struct modsig *modsig)
{
	return -EOPNOTSUPP;
}
/*
 * No keyring to set up; report success so boot continues.
 * NOTE(review): the CONFIG_INTEGRITY_SIGNATURE prototype above is marked
 * __init while this stub is not. Harmless for an inline stub, but the
 * sibling integrity_load_cert() stub below does carry __init.
 */
static inline int integrity_init_keyring(const unsigned int id)
{
	return 0;
}
/* Certificate loading is a no-op here; 0 lets the caller proceed. */
static inline int __init integrity_load_cert(const unsigned int id,
					     const char *source,
					     const void *data, size_t len,
					     key_perm_t perm)
{
	return 0;
}
#endif /* CONFIG_INTEGRITY_SIGNATURE */
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
/*
 * Verify 'sig' (siglen bytes) over 'data' (datalen bytes) with a key
 * from 'keyring'. Lengths are plain int, as in integrity_digsig_verify().
 */
int asymmetric_verify(struct key *keyring, const char *sig,
		      int siglen, const char *data, int datalen);
#else
/* Asymmetric-key verification is unsupported without CONFIG_INTEGRITY_ASYMMETRIC_KEYS. */
static inline int asymmetric_verify(struct key *keyring, const char *sig,
				    int siglen, const char *data, int datalen)
{
	return -EOPNOTSUPP;
}
#endif
#ifdef CONFIG_IMA_APPRAISE_MODSIG
/* Verify the appended module signature 'modsig' with a key from 'keyring'. */
int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
#else
/* Appended-signature appraisal is unsupported without CONFIG_IMA_APPRAISE_MODSIG. */
static inline int ima_modsig_verify(struct key *keyring,
				    const struct modsig *modsig)
{
	return -EOPNOTSUPP;
}
#endif
#ifdef CONFIG_IMA_LOAD_X509
/* __init: load the built-in IMA X.509 certificate(s) at boot. */
void __init ima_load_x509(void);
#else
/* Nothing to load without CONFIG_IMA_LOAD_X509. */
static inline void ima_load_x509(void)
{
}
#endif
#ifdef CONFIG_EVM_LOAD_X509
/* __init: load the built-in EVM X.509 certificate(s) at boot. */
void __init evm_load_x509(void);
#else
/* Nothing to load without CONFIG_EVM_LOAD_X509. */
static inline void evm_load_x509(void)
{
}
#endif
#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
/*
 * Emit an integrity audit record of type 'audit_msgno' for operation
 * 'op' on 'inode'/'fname', recording 'cause', 'result' and 'info'.
 * integrity_audit_message() additionally records an 'errno' value.
 * NOTE(review): a parameter named 'errno' would collide with the
 * <errno.h> macro in a userspace build; the kernel has no such macro,
 * so it is safe here.
 */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
			 const unsigned char *fname, const char *op,
			 const char *cause, int result, int info);

void integrity_audit_message(int audit_msgno, struct inode *inode,
			     const unsigned char *fname, const char *op,
			     const char *cause, int result, int info,
			     int errno);
/*
 * Thin pass-through to audit_log_start() when integrity auditing is
 * enabled. Callers must handle a NULL return, which audit_log_start()
 * itself can produce.
 */
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
	return audit_log_start(ctx, gfp_mask, type);
}
#else
/* Auditing disabled: the record is silently dropped. */
static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
				       const unsigned char *fname,
				       const char *op, const char *cause,
				       int result, int info)
{
}
/* Auditing disabled: the record, including 'errno', is silently dropped. */
static inline void integrity_audit_message(int audit_msgno,
					   struct inode *inode,
					   const unsigned char *fname,
					   const char *op, const char *cause,
					   int result, int info, int errno)
{
}
/*
 * Auditing disabled: no buffer is ever handed out. Callers must already
 * tolerate NULL, since the enabled variant can return NULL as well.
 */
static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
{
	return NULL;
}
#endif
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
/* __init: add the certificate 'data' (len bytes, from 'source') to the platform keyring. */
void __init add_to_platform_keyring(const char *source, const void *data,
				    size_t len);
#else
/* No platform keyring in this configuration; the certificate is ignored. */
static inline void __init add_to_platform_keyring(const char *source,
						  const void *data, size_t len)
{
}
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/* __init: add the certificate 'data' (len bytes, from 'source') to the machine keyring. */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
/* __init: whether keys on the machine keyring are treated as trusted. */
bool __init imputed_trust_enabled(void);
#else
/* No machine keyring in this configuration; the certificate is ignored. */
static inline void __init add_to_machine_keyring(const char *source,
						 const void *data, size_t len)
{
}
/* Without a machine keyring there is no imputed trust; always false. */
static inline bool __init imputed_trust_enabled(void)
{
	return false;
}
#endif