1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * Copyright (C) 2009-2010 IBM Corporation
6 * Mimi Zohar <zohar@us.ibm.com>
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/types.h>
16 #include <linux/integrity.h>
17 #include <crypto/sha1.h>
18 #include <crypto/hash.h>
19 #include <linux/key.h>
20 #include <linux/audit.h>
21 #include <linux/lsm_hooks.h>
23 enum evm_ima_xattr_type {
24 IMA_XATTR_DIGEST = 0x01,
28 EVM_XATTR_PORTABLE_DIGSIG,
33 struct evm_ima_xattr_data {
34 /* New members must be added within the __struct_group() macro below. */
35 __struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
41 /* Only used in the EVM HMAC code. */
43 struct evm_ima_xattr_data_hdr data;
44 u8 digest[SHA1_DIGEST_SIZE];
47 #define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
49 struct ima_digest_data {
50 /* New members must be added within the __struct_group() macro below. */
51 __struct_group(ima_digest_data_hdr, hdr, __packed,
70 * Instead of wrapping the ima_digest_data struct inside a local structure
71 * with the maximum hash size, define the ima_max_digest_data struct.
73 struct ima_max_digest_data {
74 struct ima_digest_data_hdr hdr;
75 u8 digest[HASH_MAX_DIGESTSIZE];
79 * signature header format v2 - for use with asymmetric keys
81 * The signature_v2_hdr struct includes a signature format version
82 * to simplify defining new signature formats.
85 * version 2: regular file data hash based signature
86 * version 3: struct ima_file_id data based signature
88 struct signature_v2_hdr {
89 uint8_t type; /* xattr type */
90 uint8_t version; /* signature format version */
91 uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */
92 __be32 keyid; /* IMA key identifier - not X509/PGP specific */
93 __be16 sig_size; /* signature size */
94 uint8_t sig[]; /* signature payload */
98 * IMA signature version 3 disambiguates the data that is signed, by
99 * indirectly signing the hash of the ima_file_id structure data,
100 * containing either the fsverity_descriptor struct digest or, in the
101 * future, the regular IMA file hash.
103 * (The hash of the ima_file_id structure is only of the portion used.)
106 __u8 hash_type; /* xattr type [enum evm_ima_xattr_type] */
107 __u8 hash_algorithm; /* Digest algorithm [enum hash_algo] */
108 __u8 hash[HASH_MAX_DIGESTSIZE];
111 int integrity_kernel_read(struct file *file, loff_t offset,
112 void *addr, unsigned long count);
114 #define INTEGRITY_KEYRING_EVM 0
115 #define INTEGRITY_KEYRING_IMA 1
116 #define INTEGRITY_KEYRING_PLATFORM 2
117 #define INTEGRITY_KEYRING_MACHINE 3
118 #define INTEGRITY_KEYRING_MAX 4
120 extern struct dentry *integrity_dir;
124 #ifdef CONFIG_INTEGRITY_SIGNATURE
126 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
127 const char *digest, int digestlen);
128 int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
130 int __init integrity_init_keyring(const unsigned int id);
131 int __init integrity_load_x509(const unsigned int id, const char *path);
132 int __init integrity_load_cert(const unsigned int id, const char *source,
133 const void *data, size_t len, key_perm_t perm);
136 static inline int integrity_digsig_verify(const unsigned int id,
137 const char *sig, int siglen,
138 const char *digest, int digestlen)
143 static inline int integrity_modsig_verify(unsigned int id,
144 const struct modsig *modsig)
149 static inline int integrity_init_keyring(const unsigned int id)
154 static inline int __init integrity_load_cert(const unsigned int id,
156 const void *data, size_t len,
161 #endif /* CONFIG_INTEGRITY_SIGNATURE */
163 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
164 int asymmetric_verify(struct key *keyring, const char *sig,
165 int siglen, const char *data, int datalen);
167 static inline int asymmetric_verify(struct key *keyring, const char *sig,
168 int siglen, const char *data, int datalen)
174 #ifdef CONFIG_IMA_APPRAISE_MODSIG
175 int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
177 static inline int ima_modsig_verify(struct key *keyring,
178 const struct modsig *modsig)
184 #ifdef CONFIG_IMA_LOAD_X509
185 void __init ima_load_x509(void);
187 static inline void ima_load_x509(void)
192 #ifdef CONFIG_EVM_LOAD_X509
193 void __init evm_load_x509(void);
195 static inline void evm_load_x509(void)
200 #ifdef CONFIG_INTEGRITY_AUDIT
202 void integrity_audit_msg(int audit_msgno, struct inode *inode,
203 const unsigned char *fname, const char *op,
204 const char *cause, int result, int info);
206 void integrity_audit_message(int audit_msgno, struct inode *inode,
207 const unsigned char *fname, const char *op,
208 const char *cause, int result, int info,
211 static inline struct audit_buffer *
212 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
214 return audit_log_start(ctx, gfp_mask, type);
218 static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
219 const unsigned char *fname,
220 const char *op, const char *cause,
221 int result, int info)
225 static inline void integrity_audit_message(int audit_msgno,
227 const unsigned char *fname,
228 const char *op, const char *cause,
229 int result, int info, int errno)
233 static inline struct audit_buffer *
234 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
241 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
242 void __init add_to_platform_keyring(const char *source, const void *data,
245 static inline void __init add_to_platform_keyring(const char *source,
246 const void *data, size_t len)
251 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
252 void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
253 bool __init imputed_trust_enabled(void);
255 static inline void __init add_to_machine_keyring(const char *source,
256 const void *data, size_t len)
260 static inline bool __init imputed_trust_enabled(void)