security/ipe/policy.h

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 /*
   3  * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
   4  */
   5 #ifndef _IPE_POLICY_H
   6 #define _IPE_POLICY_H
   7
   8 #include <linux/list.h>
   9 #include <linux/types.h>
  10 #include <linux/fs.h>
  11
  12 enum ipe_op_type {
  13         IPE_OP_EXEC = 0,
  14         IPE_OP_FIRMWARE,
  15         IPE_OP_KERNEL_MODULE,
  16         IPE_OP_KEXEC_IMAGE,
  17         IPE_OP_KEXEC_INITRAMFS,
  18         IPE_OP_POLICY,
  19         IPE_OP_X509,
  20         __IPE_OP_MAX,
  21 };
  22
  23 #define IPE_OP_INVALID __IPE_OP_MAX
  24
  25 enum ipe_action_type {
  26         IPE_ACTION_ALLOW = 0,
  27         IPE_ACTION_DENY,
  28         __IPE_ACTION_MAX
  29 };
  30
  31 #define IPE_ACTION_INVALID __IPE_ACTION_MAX
  32
  33 enum ipe_prop_type {
  34         IPE_PROP_BOOT_VERIFIED_FALSE,
  35         IPE_PROP_BOOT_VERIFIED_TRUE,
  36         IPE_PROP_DMV_ROOTHASH,
  37         IPE_PROP_DMV_SIG_FALSE,
  38         IPE_PROP_DMV_SIG_TRUE,
  39         IPE_PROP_FSV_DIGEST,
  40         IPE_PROP_FSV_SIG_FALSE,
  41         IPE_PROP_FSV_SIG_TRUE,
  42         __IPE_PROP_MAX
  43 };
  44
  45 #define IPE_PROP_INVALID __IPE_PROP_MAX
  46
  47 struct ipe_prop {
  48         struct list_head next;
  49         enum ipe_prop_type type;
  50         void *value;
  51 };
  52
  53 struct ipe_rule {
  54         enum ipe_op_type op;
  55         enum ipe_action_type action;
  56         struct list_head props;
  57         struct list_head next;
  58 };
  59
  60 struct ipe_op_table {
  61         struct list_head rules;
  62         enum ipe_action_type default_action;
  63 };
  64
  65 struct ipe_parsed_policy {
  66         const char *name;
  67         struct {
  68                 u16 major;
  69                 u16 minor;
  70                 u16 rev;
  71         } version;
  72
  73         enum ipe_action_type global_default_action;
  74
  75         struct ipe_op_table rules[__IPE_OP_MAX];
  76 };
  77
  78 struct ipe_policy {
  79         const char *pkcs7;
  80         size_t pkcs7len;
  81
  82         const char *text;
  83         size_t textlen;
  84
  85         struct ipe_parsed_policy *parsed;
  86
  87         struct dentry *policyfs;
  88 };
  89
  90 struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
  91                                   const char *pkcs7, size_t pkcs7len);
  92 void ipe_free_policy(struct ipe_policy *pol);
  93 int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
  94                       const char *pkcs7, size_t pkcs7len);
  95 int ipe_set_active_pol(const struct ipe_policy *p);
  96 extern struct mutex ipe_policy_lock;
  97
  98 #endif /* _IPE_POLICY_H */