xref: /aosp_15_r20/external/fsverity-utils/common/fsverity_uapi.h (revision b13c0e4024008a1f948ee8189745cb3371f4ac04)
1*b13c0e40SEric Biggers /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2*b13c0e40SEric Biggers /*
3*b13c0e40SEric Biggers  * fs-verity user API
4*b13c0e40SEric Biggers  *
5*b13c0e40SEric Biggers  * These ioctls can be used on filesystems that support fs-verity.  See the
6*b13c0e40SEric Biggers  * "User API" section of Documentation/filesystems/fsverity.rst.
7*b13c0e40SEric Biggers  *
8*b13c0e40SEric Biggers  * Copyright 2019 Google LLC
9*b13c0e40SEric Biggers  */
10*b13c0e40SEric Biggers #ifndef _UAPI_LINUX_FSVERITY_H
11*b13c0e40SEric Biggers #define _UAPI_LINUX_FSVERITY_H
12*b13c0e40SEric Biggers 
13*b13c0e40SEric Biggers #ifndef _WIN32
14*b13c0e40SEric Biggers #include <linux/ioctl.h>
15*b13c0e40SEric Biggers #include <linux/types.h>
16*b13c0e40SEric Biggers #endif /* !_WIN32 */
17*b13c0e40SEric Biggers 
/*
 * Numeric identifiers for the supported hash algorithms.
 * NOTE(review): presumably these are the values carried in the
 * 'hash_algorithm' and 'digest_algorithm' members of the structs in this
 * header; confirm against Documentation/filesystems/fsverity.rst.  Code that
 * receives an algorithm number from an untrusted source should reject any
 * value it does not recognise before sizing a digest buffer from it.
 */
18*b13c0e40SEric Biggers #define FS_VERITY_HASH_ALG_SHA256	1
19*b13c0e40SEric Biggers #define FS_VERITY_HASH_ALG_SHA512	2
20*b13c0e40SEric Biggers 
/*
 * Argument struct for FS_IOC_ENABLE_VERITY (this header declares that ioctl
 * as _IOW('f', 133, struct fsverity_enable_arg)).
 *
 * The members add up to 128 bytes (4*4 + 8 + 4 + 4 + 8 + 11*8).
 *
 * NOTE(review): this header does not describe the fields; their semantics are
 * in the "User API" section of Documentation/filesystems/fsverity.rst.  The
 * per-field notes below are inferred from the names and need confirming there.
 * Zero-initialise the whole struct before filling it in, so that the reserved
 * members never carry stale stack contents.
 */
21*b13c0e40SEric Biggers struct fsverity_enable_arg {
22*b13c0e40SEric Biggers 	__u32 version;		/* presumably the version of this struct - confirm */
23*b13c0e40SEric Biggers 	__u32 hash_algorithm;	/* presumably one of FS_VERITY_HASH_ALG_* - confirm */
24*b13c0e40SEric Biggers 	__u32 block_size;	/* presumably the Merkle tree block size in bytes - confirm */
25*b13c0e40SEric Biggers 	__u32 salt_size;	/* presumably the byte length of the buffer at salt_ptr - confirm */
26*b13c0e40SEric Biggers 	__u64 salt_ptr;		/* presumably a userspace address, carried as a 64-bit integer */
27*b13c0e40SEric Biggers 	__u32 sig_size;		/* presumably the byte length of the buffer at sig_ptr - confirm */
28*b13c0e40SEric Biggers 	__u32 __reserved1;	/* presumably must be 0 - confirm */
29*b13c0e40SEric Biggers 	__u64 sig_ptr;		/* presumably a userspace address, carried as a 64-bit integer */
30*b13c0e40SEric Biggers 	__u64 __reserved2[11];	/* presumably must be all 0 - confirm */
31*b13c0e40SEric Biggers };
32*b13c0e40SEric Biggers 
/*
 * Argument struct for FS_IOC_MEASURE_VERITY (this header declares that ioctl
 * as _IOWR('f', 134, struct fsverity_digest)).
 *
 * 'digest' is a flexible array member, so sizeof(struct fsverity_digest)
 * covers only the two __u16 members; the caller has to allocate the struct
 * together with the space for the digest bytes.
 *
 * NOTE(review): "input/output" on 'digest_size' presumably means the caller
 * sets it to the capacity of 'digest' and reads back the actual digest
 * length afterwards; confirm in Documentation/filesystems/fsverity.rst.
 * Callers should not read more than the returned 'digest_size' bytes and
 * should check 'digest_algorithm' before comparing digests.
 */
33*b13c0e40SEric Biggers struct fsverity_digest {
34*b13c0e40SEric Biggers 	__u16 digest_algorithm;
35*b13c0e40SEric Biggers 	__u16 digest_size; /* input/output */
36*b13c0e40SEric Biggers 	__u8 digest[];
37*b13c0e40SEric Biggers };
38*b13c0e40SEric Biggers 
39*b13c0e40SEric Biggers /*
40*b13c0e40SEric Biggers  * Struct containing a file's Merkle tree properties.  The fs-verity file digest
41*b13c0e40SEric Biggers  * is the hash of this struct.  A userspace program needs this struct only if it
42*b13c0e40SEric Biggers  * needs to compute fs-verity file digests itself, e.g. in order to sign files.
43*b13c0e40SEric Biggers  * It isn't needed just to enable fs-verity on a file.
44*b13c0e40SEric Biggers  *
45*b13c0e40SEric Biggers  * Note: when computing the file digest, 'sig_size' and 'signature' must be left
46*b13c0e40SEric Biggers  * zero and empty, respectively.  These fields are present only because some
47*b13c0e40SEric Biggers  * filesystems reuse this struct as part of their on-disk format.
48*b13c0e40SEric Biggers  */
/*
 * Layout note: the fixed members add up to 256 bytes
 * (1 + 1 + 1 + 1 + 4 + 8 + 64 + 32 + 144).  The __KERNEL__ and userspace
 * views differ only in the name of the 4-byte member at offset 0x04 and in
 * the trailing flexible 'signature' array, which only the kernel view has.
 * Multi-byte members are declared with little-endian types (__le32, __le64).
 */
49*b13c0e40SEric Biggers struct fsverity_descriptor {
50*b13c0e40SEric Biggers 	__u8 version;		/* must be 1 */
51*b13c0e40SEric Biggers 	__u8 hash_algorithm;	/* Merkle tree hash algorithm */
52*b13c0e40SEric Biggers 	__u8 log_blocksize;	/* log2 of size of data and tree blocks */
53*b13c0e40SEric Biggers 	__u8 salt_size;		/* size of salt in bytes; 0 if none */
54*b13c0e40SEric Biggers #ifdef __KERNEL__
	/* Kernel-only name; the struct comment requires this to be zero when computing the file digest. */
55*b13c0e40SEric Biggers 	__le32 sig_size;
56*b13c0e40SEric Biggers #else
57*b13c0e40SEric Biggers 	__le32 __reserved_0x04;	/* must be 0 */
58*b13c0e40SEric Biggers #endif
59*b13c0e40SEric Biggers 	__le64 data_size;	/* size of file the Merkle tree is built over */
	/*
	 * 64 bytes is the SHA-512 digest length, the longest of the algorithms
	 * defined in this header.  NOTE(review): a shorter hash presumably
	 * leaves the remaining bytes zero - confirm.
	 */
60*b13c0e40SEric Biggers 	__u8 root_hash[64];	/* Merkle tree root hash */
	/*
	 * The array holds at most 32 bytes.  NOTE(review): code that parses a
	 * descriptor from an untrusted source should presumably reject
	 * salt_size > sizeof(salt) before using the salt - confirm.
	 */
61*b13c0e40SEric Biggers 	__u8 salt[32];		/* salt prepended to each hashed block */
62*b13c0e40SEric Biggers 	__u8 __reserved[144];	/* must be 0's */
63*b13c0e40SEric Biggers #ifdef __KERNEL__
	/* Kernel-only member; the struct comment requires it to be empty when computing the file digest. */
64*b13c0e40SEric Biggers 	__u8 signature[];
65*b13c0e40SEric Biggers #endif
66*b13c0e40SEric Biggers };
67*b13c0e40SEric Biggers 
68*b13c0e40SEric Biggers /*
69*b13c0e40SEric Biggers  * Format in which fs-verity file digests are signed in built-in signatures.
70*b13c0e40SEric Biggers  * This is the same as 'struct fsverity_digest', except here some magic bytes
71*b13c0e40SEric Biggers  * are prepended to provide some context about what is being signed in case the
72*b13c0e40SEric Biggers  * same key is used for non-fsverity purposes, and here the fields have fixed
73*b13c0e40SEric Biggers  * endianness.
74*b13c0e40SEric Biggers  *
75*b13c0e40SEric Biggers  * This struct is specific to the built-in signature verification support, which
76*b13c0e40SEric Biggers  * is optional.  fs-verity users may also verify signatures in userspace, in
77*b13c0e40SEric Biggers  * which case userspace is responsible for deciding on what bytes are signed.
78*b13c0e40SEric Biggers  * This struct may still be used, but it doesn't have to be.  For example,
79*b13c0e40SEric Biggers  * userspace could instead use a string like "sha256:$digest_as_hex_string".
80*b13c0e40SEric Biggers  */
/*
 * Layout note: 8 magic bytes, two little-endian 16-bit members, then the
 * digest bytes as a flexible array member, so sizeof() covers only the
 * first 12 bytes.
 */
81*b13c0e40SEric Biggers struct fsverity_formatted_digest {
	/*
	 * "FSVerity" is exactly 8 characters, so the array holds no NUL
	 * terminator; compare it with memcmp() over 8 bytes, not strcmp().
	 */
82*b13c0e40SEric Biggers 	char magic[8];			/* must be "FSVerity" */
83*b13c0e40SEric Biggers 	__le16 digest_algorithm;	/* little-endian type; convert before comparing on big-endian hosts */
84*b13c0e40SEric Biggers 	__le16 digest_size;		/* little-endian type; presumably the byte length of 'digest' - confirm */
85*b13c0e40SEric Biggers 	__u8 digest[];
86*b13c0e40SEric Biggers };
87*b13c0e40SEric Biggers 
/*
 * Identifiers for the kinds of fs-verity metadata.
 * NOTE(review): presumably the values accepted in
 * fsverity_read_metadata_arg.metadata_type; confirm against
 * Documentation/filesystems/fsverity.rst.
 */
88*b13c0e40SEric Biggers #define FS_VERITY_METADATA_TYPE_MERKLE_TREE	1
89*b13c0e40SEric Biggers #define FS_VERITY_METADATA_TYPE_DESCRIPTOR	2
90*b13c0e40SEric Biggers #define FS_VERITY_METADATA_TYPE_SIGNATURE	3
91*b13c0e40SEric Biggers 
/*
 * Argument struct for FS_IOC_READ_VERITY_METADATA (this header declares that
 * ioctl as _IOWR('f', 135, struct fsverity_read_metadata_arg)).
 *
 * Five __u64 members, 40 bytes in total.
 *
 * NOTE(review): this header does not describe the fields; the notes below are
 * inferred from the names and need confirming in
 * Documentation/filesystems/fsverity.rst.  Zero-initialise the struct before
 * filling it in, so that '__reserved' never carries stale stack contents.
 */
92*b13c0e40SEric Biggers struct fsverity_read_metadata_arg {
93*b13c0e40SEric Biggers 	__u64 metadata_type;	/* presumably one of FS_VERITY_METADATA_TYPE_* - confirm */
94*b13c0e40SEric Biggers 	__u64 offset;		/* presumably a byte offset into the selected metadata - confirm */
95*b13c0e40SEric Biggers 	__u64 length;		/* presumably the maximum number of bytes to read - confirm */
96*b13c0e40SEric Biggers 	__u64 buf_ptr;		/* presumably a userspace address, carried as a 64-bit integer */
97*b13c0e40SEric Biggers 	__u64 __reserved;	/* presumably must be 0 - confirm */
98*b13c0e40SEric Biggers };
99*b13c0e40SEric Biggers 
/*
 * ioctl request numbers for fs-verity, numbers 133 to 135 in the 'f' group.
 * By the _IOW/_IOWR convention the number encodes the size of the argument
 * struct and the transfer direction: _IOW marks an argument passed from
 * userspace to the kernel, _IOWR one passed in both directions.
 */
100*b13c0e40SEric Biggers #define FS_IOC_ENABLE_VERITY	_IOW('f', 133, struct fsverity_enable_arg)
101*b13c0e40SEric Biggers #define FS_IOC_MEASURE_VERITY	_IOWR('f', 134, struct fsverity_digest)
102*b13c0e40SEric Biggers #define FS_IOC_READ_VERITY_METADATA \
103*b13c0e40SEric Biggers 	_IOWR('f', 135, struct fsverity_read_metadata_arg)
104*b13c0e40SEric Biggers 
105*b13c0e40SEric Biggers #endif /* _UAPI_LINUX_FSVERITY_H */