

      1/* SPDX-License-Identifier: GPL-2.0-only */
      2/*
      3 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
      4 *
      5 * Authors:
      6 * Reiner Sailer <sailer@watson.ibm.com>
      7 * Mimi Zohar <zohar@us.ibm.com>
      8 *
      9 * File: ima.h
     10 *	internal Integrity Measurement Architecture (IMA) definitions
     11 */
     12
     13#ifndef __LINUX_IMA_H
     14#define __LINUX_IMA_H
     15
     16#include <linux/types.h>
     17#include <linux/crypto.h>
     18#include <linux/fs.h>
     19#include <linux/security.h>
     20#include <linux/hash.h>
     21#include <linux/tpm.h>
     22#include <linux/audit.h>
     23#include <crypto/hash_info.h>
     24
     25#include "../integrity.h"
     26
/*
 * Output encodings a template field can be rendered in; passed as the
 * @show argument of ima_template_field::field_show.
 */
enum ima_show_type {
	IMA_SHOW_BINARY = 0,
	IMA_SHOW_BINARY_NO_FIELD_LEN = 1,
	IMA_SHOW_BINARY_OLD_STRING_FMT = 2,
	IMA_SHOW_ASCII = 3,
};

/* TPM PCR indices IMA refers to by name. */
enum tpm_pcrs {
	TPM_PCR0 = 0,
	TPM_PCR8 = 8,
	TPM_PCR10 = 10,
};
     30
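/* digest size for IMA, fits SHA1 or MD5 */
#define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
/* longest event name carried by a measurement entry */
#define IMA_EVENT_NAME_LEN_MAX	255

/* measurement hash table: 2^IMA_HASH_BITS buckets, indexed by ima_hash_key() */
#define IMA_HASH_BITS 10
#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)

/* bounds for template descriptors: field id length and fields per template */
#define IMA_TEMPLATE_FIELD_ID_MAX_LEN	16
#define IMA_TEMPLATE_NUM_FIELDS_MAX	15

/* name and field format of the built-in "ima" template */
#define IMA_TEMPLATE_IMA_NAME "ima"
#define IMA_TEMPLATE_IMA_FMT "d|n"

/*
 * Number of PCR banks allocated on @chip, or 0 when there is no chip.
 * Every use of the argument is parenthesized so that a cast or conditional
 * expression passed as @chip binds as a whole; @chip is still evaluated
 * twice, so pass a plain lvalue rather than an expression with side effects.
 */
#define NR_BANKS(chip) (((chip) != NULL) ? (chip)->nr_allocated_banks : 0)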
     45
/* current content of the policy */
extern int ima_policy_flag;

/* bitset of digests algorithms allowed in the setxattr hook */
extern atomic_t ima_setxattr_allowed_hash_algorithms;

/*
 * set during initialization (the __ro_after_init ones are not expected to
 * change once boot has completed)
 */
/* system-wide digest algorithm; also what ima_get_hash_algo() falls back to */
extern int ima_hash_algo __ro_after_init;
/*
 * NOTE(review): the two *_idx values and ima_extra_slots presumably index and
 * size the per-entry digests[] array of struct ima_template_entry — confirm
 * in ima_init_digests().
 */
extern int ima_sha1_idx __ro_after_init;
extern int ima_hash_algo_idx __ro_after_init;
extern int ima_extra_slots __ro_after_init;
/* appraisal mode; presumably a mask of the IMA_APPRAISE_* bits defined below */
extern int ima_appraise;
/* may be NULL when no TPM is present (NR_BANKS() handles that case) */
extern struct tpm_chip *ima_tpm_chip;
/* event name used for the boot aggregate entry (defined elsewhere) */
extern const char boot_aggregate_name[];
     60
/*
 * IMA event related data: everything a template field's field_init callback
 * may draw on when building one measurement entry.  Which members are
 * populated depends on the event; pointers not relevant to the event are
 * presumably NULL — confirm in the callers.
 */
struct ima_event_data {
	struct integrity_iint_cache *iint;	/* per-inode integrity state */
	struct file *file;			/* file being measured, if any */
	const unsigned char *filename;		/* name recorded in the entry */
	struct evm_ima_xattr_data *xattr_value;	/* security xattr, if read */
	int xattr_len;				/* length of xattr_value */
	const struct modsig *modsig;		/* appended signature, if any */
	const char *violation;			/* cause string for violations */
	const void *buf;			/* raw buffer for buffer events */
	int buf_len;				/* length of buf */
};
     73
/*
 * IMA template field data definition: one serialized field of a measurement
 * entry, as a byte buffer with an explicit length (not NUL-terminated).
 */
struct ima_field_data {
	u8 *data;	/* field bytes; ownership per the filling field_init */
	u32 len;	/* number of valid bytes in data */
};
     79
/*
 * IMA template field definition: a named field type with the callbacks that
 * fill it from an event and that print it.
 *
 * NOTE(review): field_id is a fixed IMA_TEMPLATE_FIELD_ID_MAX_LEN-byte array,
 * so a 16-character id would leave no room for a terminating NUL — confirm
 * that ids are kept shorter wherever the id is treated as a C string.
 */
struct ima_template_field {
	const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
	/* fill @field_data from @event_data; int return, presumably 0/-errno */
	int (*field_init)(struct ima_event_data *event_data,
			  struct ima_field_data *field_data);
	/* render @field_data to @m in the encoding selected by @show */
	void (*field_show)(struct seq_file *m, enum ima_show_type show,
			   struct ima_field_data *field_data);
};
     88
/*
 * IMA template descriptor definition: a named template and the ordered list
 * of field types that make up each entry built from it.
 */
struct ima_template_desc {
	struct list_head list;		/* link in the list of known templates */
	char *name;			/* template name, e.g. IMA_TEMPLATE_IMA_NAME */
	char *fmt;			/* "|"-separated field ids, e.g. "d|n" */
	int num_fields;			/* entries in fields[] */
	/* num_fields pointers into the field table; presumably bounded by
	 * IMA_TEMPLATE_NUM_FIELDS_MAX — confirm in template_desc_init_fields() */
	const struct ima_template_field **fields;
};
     97
/*
 * One measurement entry: the PCR it is extended into, its digests and the
 * serialized field values.  Allocated with the flexible template_data[]
 * array trailing the struct, so instances are heap objects sized per template
 * (see ima_alloc_init_template()/ima_free_template_entry()).
 */
struct ima_template_entry {
	int pcr;				/* PCR index this entry extends */
	/* one digest per slot; presumably NR_BANKS(ima_tpm_chip) +
	 * ima_extra_slots entries — confirm in ima_alloc_init_template() */
	struct tpm_digest *digests;
	struct ima_template_desc *template_desc; /* template descriptor */
	u32 template_data_len;			/* total bytes across template_data[] */
	struct ima_field_data template_data[];	/* template related data */
};
    105
/*
 * Wrapper that places one measurement entry on both the hash table
 * (ima_htable, keyed by ima_hash_key()) and the ordered ima_measurements list.
 */
struct ima_queue_entry {
	struct hlist_node hnext;	/* place in hash collision list */
	struct list_head later;		/* place in ima_measurements list */
	struct ima_template_entry *entry;	/* the measurement itself */
};
extern struct list_head ima_measurements;	/* list of all measurements */
    112
/*
 * Some details preceding the binary serialized measurement list.
 *
 * This header is part of the serialized handover format, so its member order
 * and sizes are a wire-format contract: do not reorder or resize them.  The
 * _reserved* members pad the header to fixed 8-byte-aligned offsets.  Byte
 * order of the serialized data presumably follows ima_canonical_fmt —
 * confirm against the code that writes/reads the buffer.
 */
struct ima_kexec_hdr {
	u16 version;		/* format version of what follows */
	u16 _reserved0;
	u32 _reserved1;
	u64 buffer_size;	/* size in bytes of the serialized list */
	u64 count;		/* number of entries in the serialized list */
};
    121
/* lookup table used when restoring a serialized list (defined elsewhere) */
extern const int read_idmap[];

#ifdef CONFIG_HAVE_IMA_KEXEC
/* presumably restores the measurement list handed over across kexec */
void ima_load_kexec_buffer(void);
#else
/* no kexec handover on this configuration: nothing to load */
static inline void ima_load_kexec_buffer(void) {}
#endif /* CONFIG_HAVE_IMA_KEXEC */
    129
/*
 * The default binary_runtime_measurements list format is defined as the
 * platform native format.  The canonical format is defined as little-endian.
 * When this flag is true the canonical (little-endian) format is used
 * regardless of host byte order.
 */
extern bool ima_canonical_fmt;
    135
/* Internal IMA function definitions */
/*
 * Unless stated otherwise, int-returning functions here are assumed to follow
 * the kernel convention of 0 on success and a negative errno on failure —
 * confirm per function in the implementing .c file.
 */

/* subsystem bring-up: core, securityfs interface, crypto transforms */
int ima_init(void);
int ima_fs_init(void);
/* queue @entry; @violation/@op/@inode/@filename describe the event it records */
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
			   const char *op, struct inode *inode,
			   const unsigned char *filename);
/* digest computation into the caller's @hash: whole file, or @len bytes of @buf */
int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
int ima_calc_buffer_hash(const void *buf, loff_t len,
			 struct ima_digest_data *hash);
/* digest of an entry's serialized field array; result presumably stored in @entry */
int ima_calc_field_array_hash(struct ima_field_data *field_data,
			      struct ima_template_entry *entry);
int ima_calc_boot_aggregate(struct ima_digest_data *hash);
/* record a violation entry for @file; @op and @cause are free-form strings */
void ima_add_violation(struct file *file, const unsigned char *filename,
		       struct integrity_iint_cache *iint,
		       const char *op, const char *cause);
int ima_init_crypto(void);
/* seq_file output helpers used by the field_show callbacks */
void ima_putc(struct seq_file *m, void *data, int datalen);
void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
/* parse @template_fmt ("a|b|c") into @fields/@num_fields */
int template_desc_init_fields(const char *template_fmt,
			      const struct ima_template_field ***fields,
			      int *num_fields);
/* template descriptor lookup; returned pointers are not owned by the caller */
struct ima_template_desc *ima_template_desc_current(void);
struct ima_template_desc *ima_template_desc_buf(void);
struct ima_template_desc *lookup_template_desc(const char *name);
bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
/* restore entries from a serialized list (cf. struct ima_kexec_hdr) */
int ima_restore_measurement_entry(struct ima_template_entry *entry);
int ima_restore_measurement_list(loff_t bufsize, void *buf);
/* seq_file show callback for the measurement list */
int ima_measurements_show(struct seq_file *m, void *v);
unsigned long ima_get_binary_runtime_size(void);
int ima_init_template(void);
void ima_init_template_list(void);
int __init ima_init_digests(void);
/* notifier callback invoked on LSM policy changes */
int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
			  void *lsm_data);
    170
/*
 * used to protect h_table and sha_table
 * (sha_table is not declared in this header; confirm where it lives)
 */
extern spinlock_t ima_queue_lock;

/*
 * Hash table of queued measurements.  queue[] has IMA_MEASURE_HTABLE_SIZE
 * buckets and is indexed by ima_hash_key(); collisions chain through
 * ima_queue_entry::hnext.  Accesses are expected to hold ima_queue_lock.
 */
struct ima_h_table {
	atomic_long_t len;	/* number of stored measurements in the list */
	atomic_long_t violations;	/* number of violation entries recorded */
	struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
};
extern struct ima_h_table ima_htable;
    182
/*
 * Select the ima_htable bucket for @digest.
 *
 * Only the first two digest bytes are used: the digest is itself a hash, so
 * re-hashing more of it would not spread entries any better.  The result is
 * always less than IMA_MEASURE_HTABLE_SIZE.
 */
static inline unsigned int ima_hash_key(u8 *digest)
{
	unsigned int key = digest[0];

	key |= (unsigned int)digest[1] << 8;
	return key % IMA_MEASURE_HTABLE_SIZE;
}
    188
/*
 * X-macro list of the IMA hooks.  Expanding __ima_hooks() with
 * __ima_hook_enumify yields the enumerators of enum ima_hooks, and with
 * __ima_hook_measuring_stringify the parallel "measuring_<str>" string
 * table, so the two stay in the same order by construction.  NONE comes
 * first (value 0) and MAX_CHECK last, which is what func_measure_str()
 * relies on for its bounds check; MAX_CHECK deliberately reuses the "none"
 * string.  Add new hooks before MAX_CHECK.
 */
#define __ima_hooks(hook)				\
	hook(NONE, none)				\
	hook(FILE_CHECK, file)				\
	hook(MMAP_CHECK, mmap)				\
	hook(BPRM_CHECK, bprm)				\
	hook(CREDS_CHECK, creds)			\
	hook(POST_SETATTR, post_setattr)		\
	hook(MODULE_CHECK, module)			\
	hook(FIRMWARE_CHECK, firmware)			\
	hook(KEXEC_KERNEL_CHECK, kexec_kernel)		\
	hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs)	\
	hook(POLICY_CHECK, policy)			\
	hook(KEXEC_CMDLINE, kexec_cmdline)		\
	hook(KEY_CHECK, key)				\
	hook(CRITICAL_DATA, critical_data)		\
	hook(SETXATTR_CHECK, setxattr_check)		\
	hook(MAX_CHECK, none)

/* one enumerator per hook */
#define __ima_hook_enumify(ENUM, str)	ENUM,
/* stringify after macro expansion of the argument */
#define __ima_stringify(arg) (#arg)
/* one "measuring_<str>" literal per hook */
#define __ima_hook_measuring_stringify(ENUM, str) \
		(__ima_stringify(measuring_ ##str)),

enum ima_hooks {
	__ima_hooks(__ima_hook_enumify)
};

/* indexed by enum ima_hooks; MAX_CHECK entries */
static const char * const ima_hooks_measure_str[] = {
	__ima_hooks(__ima_hook_measuring_stringify)
};
    219
/*
 * Return the "measuring_<hook>" string for @func.
 *
 * Values of MAX_CHECK and above are mapped to the NONE string instead of
 * indexing past the end of ima_hooks_measure_str.
 */
static inline const char *func_measure_str(enum ima_hooks func)
{
	enum ima_hooks idx = (func < MAX_CHECK) ? func : NONE;

	return ima_hooks_measure_str[idx];
}
    227
/* hook name tokens, parallel to enum ima_hooks (defined elsewhere) */
extern const char *const func_tokens[];

/* opaque appended-signature state; only the modsig code sees the layout */
struct modsig;
    231
#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
/*
 * To track keys that need to be measured.
 * Keys added before the policy is available are queued here and measured
 * later by ima_process_queued_keys().
 */
struct ima_key_entry {
	struct list_head list;		/* link in the pending-key queue */
	void *payload;			/* key payload; presumably a private copy — confirm who frees it */
	size_t payload_len;		/* bytes in payload */
	char *keyring_name;		/* name of the destination keyring */
};
void ima_init_key_queue(void);
/* true while keys should still be queued rather than measured directly */
bool ima_should_queue_key(void);
/* queue a copy of @payload for @keyring; returns whether it was queued */
bool ima_queue_key(struct key *keyring, const void *payload,
		   size_t payload_len);
/* measure and release everything queued so far */
void ima_process_queued_keys(void);
#else
/* queueing compiled out: nothing is ever queued, so ima_queue_key() reports false */
static inline void ima_init_key_queue(void) {}
static inline bool ima_should_queue_key(void) { return false; }
static inline bool ima_queue_key(struct key *keyring,
				 const void *payload,
				 size_t payload_len) { return false; }
static inline void ima_process_queued_keys(void) {}
#endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */
    255
/* LIM API function definitions */
/*
 * Policy decision for one event: @pcr, @template_desc and @allowed_algos are
 * outputs filled from the matching rule; the int result presumably is an
 * action mask — confirm in ima_api.c.
 */
int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
		   const struct cred *cred, u32 secid, int mask,
		   enum ima_hooks func, int *pcr,
		   struct ima_template_desc **template_desc,
		   const char *func_data, unsigned int *allowed_algos);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
/* compute the measurement for @file (or @size bytes of @buf) with @algo */
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, void *buf, loff_t size,
			    enum hash_algo algo, struct modsig *modsig);
/* add the collected measurement to the list, extending @pcr */
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, const struct modsig *modsig, int pcr,
			   struct ima_template_desc *template_desc);
/*
 * Measure an in-memory buffer of @size bytes under @eventname.  With
 * @buf_hash the digest of the buffer is measured instead of the buffer; if
 * @digest is non-NULL, @digest_len bytes of the result are copied out.
 * NOTE(review): @size is a plain int where loff_t/size_t is used elsewhere
 * in this header — confirm callers never pass lengths that do not fit.
 */
int process_buffer_measurement(struct user_namespace *mnt_userns,
			       struct inode *inode, const void *buf, int size,
			       const char *eventname, enum ima_hooks func,
			       int pcr, const char *func_data,
			       bool buf_hash, u8 *digest, size_t digest_len);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
/* allocate @*entry for @template_desc and run the fields' field_init callbacks */
int ima_alloc_init_template(struct ima_event_data *event_data,
			    struct ima_template_entry **entry,
			    struct ima_template_desc *template_desc);
/* hand @entry to the measurement list; pair with ima_free_template_entry() on failure */
int ima_store_template(struct ima_template_entry *entry, int violation,
		       struct inode *inode,
		       const unsigned char *filename, int pcr);
void ima_free_template_entry(struct ima_template_entry *entry);
/* resolve @path to a name; @*pathbuf is an allocated scratch buffer the caller frees */
const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
    286
/* IMA policy related functions */
/* rule lookup; same output parameters as ima_get_action() */
int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
		     const struct cred *cred, u32 secid, enum ima_hooks func,
		     int mask, int flags, int *pcr,
		     struct ima_template_desc **template_desc,
		     const char *func_data, unsigned int *allowed_algos);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flags(void);
/* parse one rule string (modified in place); bytes consumed or negative errno */
ssize_t ima_parse_add_rule(char *);
void ima_delete_rules(void);
int ima_check_policy(void);
/* seq_file iterator and show callbacks for the policy file */
void *ima_policy_start(struct seq_file *m, loff_t *pos);
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
void ima_policy_stop(struct seq_file *m, void *v);
int ima_policy_show(struct seq_file *m, void *v);
    303
/* Appraise integrity measurements */
/*
 * Bit flags (distinct powers of two, so they combine with |); presumably
 * held in ima_appraise.  ENFORCE/FIX/LOG select how an appraisal failure is
 * treated; the remaining bits name content classes that are appraised.
 */
#define IMA_APPRAISE_ENFORCE	0x01
#define IMA_APPRAISE_FIX	0x02
#define IMA_APPRAISE_LOG	0x04
#define IMA_APPRAISE_MODULES	0x08
#define IMA_APPRAISE_FIRMWARE	0x10
#define IMA_APPRAISE_POLICY	0x20
#define IMA_APPRAISE_KEXEC	0x40
    312
#ifdef CONFIG_IMA_APPRAISE
/*
 * Appraisal API (CONFIG_IMA_APPRAISE=y).  The #else branch provides no-op
 * stubs with the same signatures.  Descriptions here are read off the
 * signatures only — confirm against ima_appraise.c.
 */
int ima_check_blacklist(struct integrity_iint_cache *iint,
			const struct modsig *modsig, int pcr);
/*
 * Verify the collected measurement against the xattr and/or @modsig.
 * Result is an integrity status returned as int (the stub yields
 * INTEGRITY_UNKNOWN).
 */
int ima_appraise_measurement(enum ima_hooks func,
			     struct integrity_iint_cache *iint,
			     struct file *file, const unsigned char *filename,
			     struct evm_ima_xattr_data *xattr_value,
			     int xattr_len, const struct modsig *modsig);
int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
		      int mask, enum ima_hooks func);
/* rewrite the file's security xattr from the cached measurement */
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   enum ima_hooks func);
/* digest algorithm recorded in the xattr; takes a const pointer, and the
 * CONFIG_IMA_APPRAISE=n stub must accept the same argument */
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
				 int xattr_len);
/* read the xattr into @*xattr_value; presumably allocated for the caller — confirm */
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value);

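#else
/*
 * CONFIG_IMA_APPRAISE=n: appraisal is compiled out.  These stubs keep the
 * callers building but never verify anything: the int/status functions
 * report 0 or INTEGRITY_UNKNOWN, ima_update_xattr() is a no-op, and
 * ima_get_hash_algo() falls back to the system-wide ima_hash_algo because no
 * xattr is consulted.
 */
static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
				      const struct modsig *modsig, int pcr)
{
	return 0;
}

static inline int ima_appraise_measurement(enum ima_hooks func,
					   struct integrity_iint_cache *iint,
					   struct file *file,
					   const unsigned char *filename,
					   struct evm_ima_xattr_data *xattr_value,
					   int xattr_len,
					   const struct modsig *modsig)
{
	return INTEGRITY_UNKNOWN;
}

static inline int ima_must_appraise(struct user_namespace *mnt_userns,
				    struct inode *inode, int mask,
				    enum ima_hooks func)
{
	return 0;
}

static inline void ima_update_xattr(struct integrity_iint_cache *iint,
				    struct file *file)
{
}

static inline enum integrity_status
ima_get_cache_status(struct integrity_iint_cache *iint, enum ima_hooks func)
{
	return INTEGRITY_UNKNOWN;
}

/*
 * @xattr_value is const here to match the CONFIG_IMA_APPRAISE=y declaration,
 * so a caller holding a const xattr pointer compiles cleanly in both
 * configurations.
 */
static inline enum hash_algo
ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, int xattr_len)
{
	return ima_hash_algo;
}

static inline int ima_read_xattr(struct dentry *dentry,
				 struct evm_ima_xattr_data **xattr_value)
{
	return 0;
}

#endif /* CONFIG_IMA_APPRAISE */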
    381
#ifdef CONFIG_IMA_APPRAISE_MODSIG
/*
 * Appended ("modsig") signature support.  Descriptions are read off the
 * signatures — confirm against ima_modsig.c.
 */
/* locate an appended signature in @buf_len bytes of @buf; allocates @*modsig */
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
		    struct modsig **modsig);
/* feed the signed portion of @buf into the modsig's digest state */
void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
/* borrowed views into @modsig; valid until ima_free_modsig() */
int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
			  const u8 **digest, u32 *digest_size);
int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
		       u32 *data_len);
void ima_free_modsig(struct modsig *modsig);
#else
/*
 * CONFIG_IMA_APPRAISE_MODSIG=n: appended signatures are not supported.  The
 * query functions report -EOPNOTSUPP, ima_read_modsig() leaves @*modsig
 * untouched, and the collect/free hooks do nothing.
 */
static inline int ima_read_modsig(enum ima_hooks func,
				  const void *buf,
				  loff_t buf_len,
				  struct modsig **modsig)
{
	return -EOPNOTSUPP;
}

static inline void ima_collect_modsig(struct modsig *modsig,
				      const void *buf,
				      loff_t size)
{
}

static inline int ima_get_modsig_digest(const struct modsig *modsig,
					enum hash_algo *algo,
					const u8 **digest,
					u32 *digest_size)
{
	return -EOPNOTSUPP;
}

static inline int ima_get_raw_modsig(const struct modsig *modsig,
				     const void **data,
				     u32 *data_len)
{
	return -EOPNOTSUPP;
}

static inline void ima_free_modsig(struct modsig *modsig)
{
}
#endif /* CONFIG_IMA_APPRAISE_MODSIG */
    420
/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES

/*
 * LSM conditions in policy rules are implemented on top of the audit
 * subsystem's rule matching, so the three operations alias the
 * security_audit_rule_* API one-to-one (same parameters and return values).
 */
#define ima_filter_rule_init security_audit_rule_init
#define ima_filter_rule_free security_audit_rule_free
#define ima_filter_rule_match security_audit_rule_match

#else

/*
 * CONFIG_IMA_LSM_RULES=n: no audit-rule backend is available, so creating or
 * matching an LSM rule fails with -EINVAL (presumably causing policy rules
 * that carry an LSM condition to be rejected — confirm in the policy parser)
 * and there is never anything to free.
 */
static inline int ima_filter_rule_init(u32 field,
				       u32 op,
				       char *rulestr,
				       void **lsmrule)
{
	return -EINVAL;
}

static inline void ima_filter_rule_free(void *lsmrule)
{
}

static inline int ima_filter_rule_match(u32 secid,
					u32 field,
					u32 op,
					void *lsmrule)
{
	return -EINVAL;
}
#endif /* CONFIG_IMA_LSM_RULES */
    446
/*
 * Mode bits for the IMA policy file.  It is owner-write-only by default;
 * CONFIG_IMA_READ_POLICY additionally grants owner read so the loaded policy
 * can be inspected.  No group/other bits are ever set.
 */
#ifdef	CONFIG_IMA_READ_POLICY
#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR)
#else
#define	POLICY_FILE_FLAGS	S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */
    452
    453#endif /* __LINUX_IMA_H */