1
linux/security/ipe/hooks.h
Fan Wu 31f8c8682f ipe: enable support for fs-verity as a trust provider
Enable IPE policy authors to indicate trust for a singular fsverity
file, identified by the digest information, through "fsverity_digest"
and all files using valid fsverity builtin signatures via
"fsverity_signature".

This enables file-level integrity claims to be expressed in IPE,
allowing individual files to be authorized, giving some flexibility
for policy authors. Such file-level claims are important to be expressed
for enforcing the integrity of packages, as well as address some of the
scalability issues in a sole dm-verity based solution (# of loop back
devices, etc).

This solution cannot be done in userspace as the minimum threat that
IPE should mitigate is an attacker downloads malicious payload with
all required dependencies. These dependencies can lack the userspace
check, bypassing the protection entirely. A similar attack succeeds if
the userspace component is replaced with a version that does not
perform the check. As a result, this can only be done in the common
entry point - the kernel.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-08-20 14:03:35 -04:00

53 lines
1.4 KiB
C

/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#ifndef _IPE_HOOKS_H
#define _IPE_HOOKS_H
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/security.h>
#include <linux/blk_types.h>
#include <linux/fsverity.h>
enum ipe_hook_type {
IPE_HOOK_BPRM_CHECK = 0,
IPE_HOOK_MMAP,
IPE_HOOK_MPROTECT,
IPE_HOOK_KERNEL_READ,
IPE_HOOK_KERNEL_LOAD,
__IPE_HOOK_MAX
};
#define IPE_HOOK_INVALID __IPE_HOOK_MAX
int ipe_bprm_check_security(struct linux_binprm *bprm);
int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
unsigned long flags);
int ipe_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot);
int ipe_kernel_read_file(struct file *file, enum kernel_read_file_id id,
bool contents);
int ipe_kernel_load_data(enum kernel_load_data_id id, bool contents);
void ipe_unpack_initramfs(void);
#ifdef CONFIG_IPE_PROP_DM_VERITY
void ipe_bdev_free_security(struct block_device *bdev);
int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
const void *value, size_t len);
#endif /* CONFIG_IPE_PROP_DM_VERITY */
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
int ipe_inode_setintegrity(const struct inode *inode, enum lsm_integrity_type type,
const void *value, size_t size);
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
#endif /* _IPE_HOOKS_H */