1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * Copyright (C) 2009-2010 IBM Corporation
4 *
5 * Authors:
6 * Mimi Zohar <zohar@us.ibm.com>
7 */
8
9 #ifdef pr_fmt
10 #undef pr_fmt
11 #endif
12
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15 #include <linux/types.h>
16 #include <linux/integrity.h>
17 #include <crypto/sha1.h>
18 #include <crypto/hash.h>
19 #include <linux/key.h>
20 #include <linux/audit.h>
21 #include <linux/lsm_hooks.h>
22
23 enum evm_ima_xattr_type {
24 IMA_XATTR_DIGEST = 0x01,
25 EVM_XATTR_HMAC,
26 EVM_IMA_XATTR_DIGSIG,
27 IMA_XATTR_DIGEST_NG,
28 EVM_XATTR_PORTABLE_DIGSIG,
29 IMA_VERITY_DIGSIG,
30 IMA_XATTR_LAST
31 };
32
33 struct evm_ima_xattr_data {
34 /* New members must be added within the __struct_group() macro below. */
35 __struct_group(evm_ima_xattr_data_hdr, hdr, __packed,
36 u8 type;
37 );
38 u8 data[];
39 } __packed;
40 static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr),
41 "struct member likely outside of __struct_group()");
42
43 /* Only used in the EVM HMAC code. */
44 struct evm_xattr {
45 struct evm_ima_xattr_data_hdr data;
46 u8 digest[SHA1_DIGEST_SIZE];
47 } __packed;
48
49 #define IMA_MAX_DIGEST_SIZE HASH_MAX_DIGESTSIZE
50
51 struct ima_digest_data {
52 /* New members must be added within the __struct_group() macro below. */
53 __struct_group(ima_digest_data_hdr, hdr, __packed,
54 u8 algo;
55 u8 length;
56 union {
57 struct {
58 u8 unused;
59 u8 type;
60 } sha1;
61 struct {
62 u8 type;
63 u8 algo;
64 } ng;
65 u8 data[2];
66 } xattr;
67 );
68 u8 digest[];
69 } __packed;
70 static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr),
71 "struct member likely outside of __struct_group()");
72
73 /*
74 * Instead of wrapping the ima_digest_data struct inside a local structure
75 * with the maximum hash size, define ima_max_digest_data struct.
76 */
77 struct ima_max_digest_data {
78 struct ima_digest_data_hdr hdr;
79 u8 digest[HASH_MAX_DIGESTSIZE];
80 } __packed;
81
82 /*
83 * signature header format v2 - for using with asymmetric keys
84 *
85 * The signature_v2_hdr struct includes a signature format version
86 * to simplify defining new signature formats.
87 *
88 * signature format:
89 * version 2: regular file data hash based signature
90 * version 3: struct ima_file_id data based signature
91 */
92 struct signature_v2_hdr {
93 uint8_t type; /* xattr type */
94 uint8_t version; /* signature format version */
95 uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */
96 __be32 keyid; /* IMA key identifier - not X509/PGP specific */
97 __be16 sig_size; /* signature size */
98 uint8_t sig[]; /* signature payload */
99 } __packed;
100
101 /*
102 * IMA signature version 3 disambiguates the data that is signed, by
103 * indirectly signing the hash of the ima_file_id structure data,
104 * containing either the fsverity_descriptor struct digest or, in the
105 * future, the regular IMA file hash.
106 *
107 * (The hash of the ima_file_id structure is only of the portion used.)
108 */
109 struct ima_file_id {
110 __u8 hash_type; /* xattr type [enum evm_ima_xattr_type] */
111 __u8 hash_algorithm; /* Digest algorithm [enum hash_algo] */
112 __u8 hash[HASH_MAX_DIGESTSIZE];
113 } __packed;
114
115 int integrity_kernel_read(struct file *file, loff_t offset,
116 void *addr, unsigned long count);
117 int __init integrity_fs_init(void);
118 void __init integrity_fs_fini(void);
119
120 #define INTEGRITY_KEYRING_EVM 0
121 #define INTEGRITY_KEYRING_IMA 1
122 #define INTEGRITY_KEYRING_PLATFORM 2
123 #define INTEGRITY_KEYRING_MACHINE 3
124 #define INTEGRITY_KEYRING_MAX 4
125
126 extern struct dentry *integrity_dir;
127
128 struct modsig;
129
130 #ifdef CONFIG_INTEGRITY_SIGNATURE
131
132 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
133 const char *digest, int digestlen);
134 int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
135
136 int __init integrity_init_keyring(const unsigned int id);
137 int __init integrity_load_x509(const unsigned int id, const char *path);
138 int __init integrity_load_cert(const unsigned int id, const char *source,
139 const void *data, size_t len, key_perm_t perm);
140 #else
141
integrity_digsig_verify(const unsigned int id,const char * sig,int siglen,const char * digest,int digestlen)142 static inline int integrity_digsig_verify(const unsigned int id,
143 const char *sig, int siglen,
144 const char *digest, int digestlen)
145 {
146 return -EOPNOTSUPP;
147 }
148
integrity_modsig_verify(unsigned int id,const struct modsig * modsig)149 static inline int integrity_modsig_verify(unsigned int id,
150 const struct modsig *modsig)
151 {
152 return -EOPNOTSUPP;
153 }
154
integrity_init_keyring(const unsigned int id)155 static inline int integrity_init_keyring(const unsigned int id)
156 {
157 return 0;
158 }
159
integrity_load_cert(const unsigned int id,const char * source,const void * data,size_t len,key_perm_t perm)160 static inline int __init integrity_load_cert(const unsigned int id,
161 const char *source,
162 const void *data, size_t len,
163 key_perm_t perm)
164 {
165 return 0;
166 }
167 #endif /* CONFIG_INTEGRITY_SIGNATURE */
168
169 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
170 int asymmetric_verify(struct key *keyring, const char *sig,
171 int siglen, const char *data, int datalen);
172 #else
asymmetric_verify(struct key * keyring,const char * sig,int siglen,const char * data,int datalen)173 static inline int asymmetric_verify(struct key *keyring, const char *sig,
174 int siglen, const char *data, int datalen)
175 {
176 return -EOPNOTSUPP;
177 }
178 #endif
179
180 #ifdef CONFIG_IMA_APPRAISE_MODSIG
181 int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
182 #else
ima_modsig_verify(struct key * keyring,const struct modsig * modsig)183 static inline int ima_modsig_verify(struct key *keyring,
184 const struct modsig *modsig)
185 {
186 return -EOPNOTSUPP;
187 }
188 #endif
189
190 #ifdef CONFIG_IMA_LOAD_X509
191 void __init ima_load_x509(void);
192 #else
ima_load_x509(void)193 static inline void ima_load_x509(void)
194 {
195 }
196 #endif
197
198 #ifdef CONFIG_EVM_LOAD_X509
199 void __init evm_load_x509(void);
200 #else
evm_load_x509(void)201 static inline void evm_load_x509(void)
202 {
203 }
204 #endif
205
206 #ifdef CONFIG_INTEGRITY_AUDIT
207 /* declarations */
208 void integrity_audit_msg(int audit_msgno, struct inode *inode,
209 const unsigned char *fname, const char *op,
210 const char *cause, int result, int info);
211
212 void integrity_audit_message(int audit_msgno, struct inode *inode,
213 const unsigned char *fname, const char *op,
214 const char *cause, int result, int info,
215 int errno);
216
217 static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context * ctx,gfp_t gfp_mask,int type)218 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
219 {
220 return audit_log_start(ctx, gfp_mask, type);
221 }
222
223 #else
integrity_audit_msg(int audit_msgno,struct inode * inode,const unsigned char * fname,const char * op,const char * cause,int result,int info)224 static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
225 const unsigned char *fname,
226 const char *op, const char *cause,
227 int result, int info)
228 {
229 }
230
integrity_audit_message(int audit_msgno,struct inode * inode,const unsigned char * fname,const char * op,const char * cause,int result,int info,int errno)231 static inline void integrity_audit_message(int audit_msgno,
232 struct inode *inode,
233 const unsigned char *fname,
234 const char *op, const char *cause,
235 int result, int info, int errno)
236 {
237 }
238
239 static inline struct audit_buffer *
integrity_audit_log_start(struct audit_context * ctx,gfp_t gfp_mask,int type)240 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
241 {
242 return NULL;
243 }
244
245 #endif
246
247 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
248 void __init add_to_platform_keyring(const char *source, const void *data,
249 size_t len);
250 #else
add_to_platform_keyring(const char * source,const void * data,size_t len)251 static inline void __init add_to_platform_keyring(const char *source,
252 const void *data, size_t len)
253 {
254 }
255 #endif
256
257 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
258 void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
259 bool __init imputed_trust_enabled(void);
260 #else
add_to_machine_keyring(const char * source,const void * data,size_t len)261 static inline void __init add_to_machine_keyring(const char *source,
262 const void *data, size_t len)
263 {
264 }
265
imputed_trust_enabled(void)266 static inline bool __init imputed_trust_enabled(void)
267 {
268 return false;
269 }
270 #endif
271