xref: /linux/security/integrity/integrity.h (revision 45e2472e67bf66f794d507b52e82af92e0614e49) 
1 /*
2  * Copyright (C) 2009-2010 IBM Corporation
3  *
4  * Authors:
5  * Mimi Zohar <zohar@us.ibm.com>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as
9  * published by the Free Software Foundation, version 2 of the
10  * License.
11  *
12  */
13 
14 #include <linux/types.h>
15 #include <linux/integrity.h>
16 #include <crypto/sha.h>
17 
18 /* iint action cache flags */
19 #define IMA_MEASURE		0x0001
20 #define IMA_MEASURED		0x0002
21 #define IMA_APPRAISE		0x0004
22 #define IMA_APPRAISED		0x0008
23 /*#define IMA_COLLECT		0x0010  do not use this flag */
24 #define IMA_COLLECTED		0x0020
25 
26 /* iint cache flags */
27 #define IMA_DIGSIG		0x0100
28 
29 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE)
30 #define IMA_DONE_MASK		(IMA_MEASURED | IMA_APPRAISED | IMA_COLLECTED)
31 
32 enum evm_ima_xattr_type {
33 	IMA_XATTR_DIGEST = 0x01,
34 	EVM_XATTR_HMAC,
35 	EVM_IMA_XATTR_DIGSIG,
36 };
37 
38 struct evm_ima_xattr_data {
39 	u8 type;
40 	u8 digest[SHA1_DIGEST_SIZE];
41 }  __attribute__((packed));
42 
43 /* integrity data associated with an inode */
44 struct integrity_iint_cache {
45 	struct rb_node rb_node; /* rooted in integrity_iint_tree */
46 	struct inode *inode;	/* back pointer to inode in question */
47 	u64 version;		/* track inode changes */
48 	unsigned char flags;
49 	struct evm_ima_xattr_data ima_xattr;
50 	enum integrity_status ima_status;
51 	enum integrity_status evm_status;
52 };
53 
54 /* rbtree tree calls to lookup, insert, delete
55  * integrity data associated with an inode.
56  */
57 struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
58 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
59 
60 #define INTEGRITY_KEYRING_EVM		0
61 #define INTEGRITY_KEYRING_MODULE	1
62 #define INTEGRITY_KEYRING_IMA		2
63 #define INTEGRITY_KEYRING_MAX		3
64 
65 #ifdef CONFIG_INTEGRITY_SIGNATURE
66 
67 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
68 					const char *digest, int digestlen);
69 
70 #else
71 
72 static inline int integrity_digsig_verify(const unsigned int id,
73 					  const char *sig, int siglen,
74 					  const char *digest, int digestlen)
75 {
76 	return -EOPNOTSUPP;
77 }
78 
79 #endif /* CONFIG_INTEGRITY_SIGNATURE */
80 
81 /* set during initialization */
82 extern int iint_initialized;
83