1
2
3
4
5
6
7
8
9#ifdef pr_fmt
10#undef pr_fmt
11#endif
12
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15#include <linux/types.h>
16#include <linux/integrity.h>
17#include <crypto/sha1.h>
18#include <crypto/hash.h>
19#include <linux/key.h>
20#include <linux/audit.h>
21
22
23#define IMA_MEASURE 0x00000001
24#define IMA_MEASURED 0x00000002
25#define IMA_APPRAISE 0x00000004
26#define IMA_APPRAISED 0x00000008
27
28#define IMA_COLLECTED 0x00000020
29#define IMA_AUDIT 0x00000040
30#define IMA_AUDITED 0x00000080
31#define IMA_HASH 0x00000100
32#define IMA_HASHED 0x00000200
33
34
35#define IMA_NONACTION_FLAGS 0xff000000
36#define IMA_DIGSIG_REQUIRED 0x01000000
37#define IMA_PERMIT_DIRECTIO 0x02000000
38#define IMA_NEW_FILE 0x04000000
39#define EVM_IMMUTABLE_DIGSIG 0x08000000
40#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
41#define IMA_MODSIG_ALLOWED 0x20000000
42#define IMA_CHECK_BLACKLIST 0x40000000
43#define IMA_VERITY_REQUIRED 0x80000000
44
45#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
46 IMA_HASH | IMA_APPRAISE_SUBMASK)
47#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
48 IMA_HASHED | IMA_COLLECTED | \
49 IMA_APPRAISED_SUBMASK)
50
51
52#define IMA_FILE_APPRAISE 0x00001000
53#define IMA_FILE_APPRAISED 0x00002000
54#define IMA_MMAP_APPRAISE 0x00004000
55#define IMA_MMAP_APPRAISED 0x00008000
56#define IMA_BPRM_APPRAISE 0x00010000
57#define IMA_BPRM_APPRAISED 0x00020000
58#define IMA_READ_APPRAISE 0x00040000
59#define IMA_READ_APPRAISED 0x00080000
60#define IMA_CREDS_APPRAISE 0x00100000
61#define IMA_CREDS_APPRAISED 0x00200000
62#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
63 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
64 IMA_CREDS_APPRAISE)
65#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
66 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \
67 IMA_CREDS_APPRAISED)
68
69
70#define IMA_CHANGE_XATTR 0
71#define IMA_UPDATE_XATTR 1
72#define IMA_CHANGE_ATTR 2
73#define IMA_DIGSIG 3
74#define IMA_MUST_MEASURE 4
75
76enum evm_ima_xattr_type {
77 IMA_XATTR_DIGEST = 0x01,
78 EVM_XATTR_HMAC,
79 EVM_IMA_XATTR_DIGSIG,
80 IMA_XATTR_DIGEST_NG,
81 EVM_XATTR_PORTABLE_DIGSIG,
82 IMA_VERITY_DIGSIG,
83 IMA_XATTR_LAST
84};
85
86struct evm_ima_xattr_data {
87 u8 type;
88 u8 data[];
89} __packed;
90
91
92struct evm_xattr {
93 struct evm_ima_xattr_data data;
94 u8 digest[SHA1_DIGEST_SIZE];
95} __packed;
96
97#define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
98
99struct ima_digest_data {
100 u8 algo;
101 u8 length;
102 union {
103 struct {
104 u8 unused;
105 u8 type;
106 } sha1;
107 struct {
108 u8 type;
109 u8 algo;
110 } ng;
111 u8 data[2];
112 } xattr;
113 u8 digest[];
114} __packed;
115
116
117
118
119
120struct ima_max_digest_data {
121 struct ima_digest_data hdr;
122 u8 digest[HASH_MAX_DIGESTSIZE];
123} __packed;
124
125
126
127
128
129
130
131
132
133
134
135struct signature_v2_hdr {
136 uint8_t type;
137 uint8_t version;
138 uint8_t hash_algo;
139 __be32 keyid;
140 __be16 sig_size;
141 uint8_t sig[];
142} __packed;
143
144
145
146
147
148
149
150
151
152struct ima_file_id {
153 __u8 hash_type;
154 __u8 hash_algorithm;
155 __u8 hash[HASH_MAX_DIGESTSIZE];
156} __packed;
157
158
159struct integrity_iint_cache {
160 struct rb_node rb_node;
161 struct mutex mutex;
162 struct inode *inode;
163 u64 version;
164 unsigned long flags;
165 unsigned long measured_pcrs;
166 unsigned long atomic_flags;
167 enum integrity_status ima_file_status:4;
168 enum integrity_status ima_mmap_status:4;
169 enum integrity_status ima_bprm_status:4;
170 enum integrity_status ima_read_status:4;
171 enum integrity_status ima_creds_status:4;
172 enum integrity_status evm_status:4;
173 struct ima_digest_data *ima_hash;
174};
175
176
177
178
179struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
180
181int integrity_kernel_read(struct file *file, loff_t offset,
182 void *addr, unsigned long count);
183
184#define INTEGRITY_KEYRING_EVM 0
185#define INTEGRITY_KEYRING_IMA 1
186#define INTEGRITY_KEYRING_PLATFORM 2
187#define INTEGRITY_KEYRING_MACHINE 3
188#define INTEGRITY_KEYRING_MAX 4
189
190extern struct dentry *integrity_dir;
191
192struct modsig;
193
194#ifdef CONFIG_INTEGRITY_SIGNATURE
195
196int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
197 const char *digest, int digestlen);
198int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
199
200int __init integrity_init_keyring(const unsigned int id);
201int __init integrity_load_x509(const unsigned int id, const char *path);
202int __init integrity_load_cert(const unsigned int id, const char *source,
203 const void *data, size_t len, key_perm_t perm);
204#else
205
206static inline int integrity_digsig_verify(const unsigned int id,
207 const char *sig, int siglen,
208 const char *digest, int digestlen)
209{
210 return -EOPNOTSUPP;
211}
212
213static inline int integrity_modsig_verify(unsigned int id,
214 const struct modsig *modsig)
215{
216 return -EOPNOTSUPP;
217}
218
219static inline int integrity_init_keyring(const unsigned int id)
220{
221 return 0;
222}
223
224static inline int __init integrity_load_cert(const unsigned int id,
225 const char *source,
226 const void *data, size_t len,
227 key_perm_t perm)
228{
229 return 0;
230}
231#endif
232
233#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
234int asymmetric_verify(struct key *keyring, const char *sig,
235 int siglen, const char *data, int datalen);
236#else
237static inline int asymmetric_verify(struct key *keyring, const char *sig,
238 int siglen, const char *data, int datalen)
239{
240 return -EOPNOTSUPP;
241}
242#endif
243
244#ifdef CONFIG_IMA_APPRAISE_MODSIG
245int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
246#else
247static inline int ima_modsig_verify(struct key *keyring,
248 const struct modsig *modsig)
249{
250 return -EOPNOTSUPP;
251}
252#endif
253
254#ifdef CONFIG_IMA_LOAD_X509
255void __init ima_load_x509(void);
256#else
257static inline void ima_load_x509(void)
258{
259}
260#endif
261
262#ifdef CONFIG_EVM_LOAD_X509
263void __init evm_load_x509(void);
264#else
265static inline void evm_load_x509(void)
266{
267}
268#endif
269
270#ifdef CONFIG_INTEGRITY_AUDIT
271
272void integrity_audit_msg(int audit_msgno, struct inode *inode,
273 const unsigned char *fname, const char *op,
274 const char *cause, int result, int info);
275
276void integrity_audit_message(int audit_msgno, struct inode *inode,
277 const unsigned char *fname, const char *op,
278 const char *cause, int result, int info,
279 int errno);
280
281static inline struct audit_buffer *
282integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
283{
284 return audit_log_start(ctx, gfp_mask, type);
285}
286
287#else
288static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
289 const unsigned char *fname,
290 const char *op, const char *cause,
291 int result, int info)
292{
293}
294
295static inline void integrity_audit_message(int audit_msgno,
296 struct inode *inode,
297 const unsigned char *fname,
298 const char *op, const char *cause,
299 int result, int info, int errno)
300{
301}
302
303static inline struct audit_buffer *
304integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
305{
306 return NULL;
307}
308
309#endif
310
311#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
312void __init add_to_platform_keyring(const char *source, const void *data,
313 size_t len);
314#else
315static inline void __init add_to_platform_keyring(const char *source,
316 const void *data, size_t len)
317{
318}
319#endif
320
321#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
322void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
323bool __init trust_moklist(void);
324#else
325static inline void __init add_to_machine_keyring(const char *source,
326 const void *data, size_t len)
327{
328}
329static inline bool __init trust_moklist(void)
330{
331 return false;
332}
333#endif
334