1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * Copyright (C) 2009-2010 IBM Corporation
6 * Mimi Zohar <zohar@us.ibm.com>
9 #include <linux/types.h>
10 #include <linux/integrity.h>
11 #include <crypto/sha.h>
12 #include <linux/key.h>
13 #include <linux/audit.h>
15 /* iint action cache flags */
16 #define IMA_MEASURE 0x00000001
17 #define IMA_MEASURED 0x00000002
18 #define IMA_APPRAISE 0x00000004
19 #define IMA_APPRAISED 0x00000008
20 /*#define IMA_COLLECT 0x00000010 do not use this flag */
21 #define IMA_COLLECTED 0x00000020
22 #define IMA_AUDIT 0x00000040
23 #define IMA_AUDITED 0x00000080
24 #define IMA_HASH 0x00000100
25 #define IMA_HASHED 0x00000200
27 /* iint cache flags */
28 #define IMA_ACTION_FLAGS 0xff000000
29 #define IMA_DIGSIG_REQUIRED 0x01000000
30 #define IMA_PERMIT_DIRECTIO 0x02000000
31 #define IMA_NEW_FILE 0x04000000
32 #define EVM_IMMUTABLE_DIGSIG 0x08000000
33 #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
35 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
36 IMA_HASH | IMA_APPRAISE_SUBMASK)
37 #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
38 IMA_HASHED | IMA_COLLECTED | \
39 IMA_APPRAISED_SUBMASK)
41 /* iint subaction appraise cache flags */
42 #define IMA_FILE_APPRAISE 0x00001000
43 #define IMA_FILE_APPRAISED 0x00002000
44 #define IMA_MMAP_APPRAISE 0x00004000
45 #define IMA_MMAP_APPRAISED 0x00008000
46 #define IMA_BPRM_APPRAISE 0x00010000
47 #define IMA_BPRM_APPRAISED 0x00020000
48 #define IMA_READ_APPRAISE 0x00040000
49 #define IMA_READ_APPRAISED 0x00080000
50 #define IMA_CREDS_APPRAISE 0x00100000
51 #define IMA_CREDS_APPRAISED 0x00200000
52 #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
53 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
55 #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
56 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \
59 /* iint cache atomic_flags */
60 #define IMA_CHANGE_XATTR 0
61 #define IMA_UPDATE_XATTR 1
62 #define IMA_CHANGE_ATTR 2
64 #define IMA_MUST_MEASURE 4
66 enum evm_ima_xattr_type {
67 IMA_XATTR_DIGEST = 0x01,
71 EVM_XATTR_PORTABLE_DIGSIG,
75 struct evm_ima_xattr_data {
80 /* Only used in the EVM HMAC code. */
82 struct evm_ima_xattr_data data;
83 u8 digest[SHA1_DIGEST_SIZE];
86 #define IMA_MAX_DIGEST_SIZE 64
88 struct ima_digest_data {
106 * signature format v2 - for using with asymmetric keys
108 struct signature_v2_hdr {
109 uint8_t type; /* xattr type */
110 uint8_t version; /* signature format version */
111 uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */
112 __be32 keyid; /* IMA key identifier - not X509/PGP specific */
113 __be16 sig_size; /* signature size */
114 uint8_t sig[0]; /* signature payload */
117 /* integrity data associated with an inode */
118 struct integrity_iint_cache {
119 struct rb_node rb_node; /* rooted in integrity_iint_tree */
120 struct mutex mutex; /* protects: version, flags, digest */
121 struct inode *inode; /* back pointer to inode in question */
122 u64 version; /* track inode changes */
124 unsigned long measured_pcrs;
125 unsigned long atomic_flags;
126 enum integrity_status ima_file_status:4;
127 enum integrity_status ima_mmap_status:4;
128 enum integrity_status ima_bprm_status:4;
129 enum integrity_status ima_read_status:4;
130 enum integrity_status ima_creds_status:4;
131 enum integrity_status evm_status:4;
132 struct ima_digest_data *ima_hash;
135 /* rbtree tree calls to lookup, insert, delete
136 * integrity data associated with an inode.
138 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
140 int integrity_kernel_read(struct file *file, loff_t offset,
141 void *addr, unsigned long count);
143 #define INTEGRITY_KEYRING_EVM 0
144 #define INTEGRITY_KEYRING_IMA 1
145 #define INTEGRITY_KEYRING_PLATFORM 2
146 #define INTEGRITY_KEYRING_MAX 3
148 extern struct dentry *integrity_dir;
150 #ifdef CONFIG_INTEGRITY_SIGNATURE
152 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
153 const char *digest, int digestlen);
155 int __init integrity_init_keyring(const unsigned int id);
156 int __init integrity_load_x509(const unsigned int id, const char *path);
157 int __init integrity_load_cert(const unsigned int id, const char *source,
158 const void *data, size_t len, key_perm_t perm);
161 static inline int integrity_digsig_verify(const unsigned int id,
162 const char *sig, int siglen,
163 const char *digest, int digestlen)
168 static inline int integrity_init_keyring(const unsigned int id)
173 static inline int __init integrity_load_cert(const unsigned int id,
175 const void *data, size_t len,
180 #endif /* CONFIG_INTEGRITY_SIGNATURE */
182 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
183 int asymmetric_verify(struct key *keyring, const char *sig,
184 int siglen, const char *data, int datalen);
186 static inline int asymmetric_verify(struct key *keyring, const char *sig,
187 int siglen, const char *data, int datalen)
193 #ifdef CONFIG_IMA_LOAD_X509
194 void __init ima_load_x509(void);
196 static inline void ima_load_x509(void)
201 #ifdef CONFIG_EVM_LOAD_X509
202 void __init evm_load_x509(void);
204 static inline void evm_load_x509(void)
209 #ifdef CONFIG_INTEGRITY_AUDIT
211 void integrity_audit_msg(int audit_msgno, struct inode *inode,
212 const unsigned char *fname, const char *op,
213 const char *cause, int result, int info);
215 static inline struct audit_buffer *
216 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
218 return audit_log_start(ctx, gfp_mask, type);
222 static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
223 const unsigned char *fname,
224 const char *op, const char *cause,
225 int result, int info)
229 static inline struct audit_buffer *
230 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
237 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
238 void __init add_to_platform_keyring(const char *source, const void *data,
241 static inline void __init add_to_platform_keyring(const char *source,
242 const void *data, size_t len)