1085771ecSEric Biggers /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2085771ecSEric Biggers /* 3085771ecSEric Biggers * fs-verity user API 4085771ecSEric Biggers * 5085771ecSEric Biggers * These ioctls can be used on filesystems that support fs-verity. See the 6085771ecSEric Biggers * "User API" section of Documentation/filesystems/fsverity.rst. 7085771ecSEric Biggers * 8085771ecSEric Biggers * Copyright 2019 Google LLC 9085771ecSEric Biggers */ 10085771ecSEric Biggers #ifndef _UAPI_LINUX_FSVERITY_H 11085771ecSEric Biggers #define _UAPI_LINUX_FSVERITY_H 12085771ecSEric Biggers 13085771ecSEric Biggers #include <linux/ioctl.h> 14085771ecSEric Biggers #include <linux/types.h> 15085771ecSEric Biggers 16085771ecSEric Biggers #define FS_VERITY_HASH_ALG_SHA256 1 17add890c9SEric Biggers #define FS_VERITY_HASH_ALG_SHA512 2 18085771ecSEric Biggers 19085771ecSEric Biggers struct fsverity_enable_arg { 20085771ecSEric Biggers __u32 version; 21085771ecSEric Biggers __u32 hash_algorithm; 22085771ecSEric Biggers __u32 block_size; 23085771ecSEric Biggers __u32 salt_size; 24085771ecSEric Biggers __u64 salt_ptr; 25085771ecSEric Biggers __u32 sig_size; 26085771ecSEric Biggers __u32 __reserved1; 27085771ecSEric Biggers __u64 sig_ptr; 28085771ecSEric Biggers __u64 __reserved2[11]; 29085771ecSEric Biggers }; 30085771ecSEric Biggers 31085771ecSEric Biggers struct fsverity_digest { 32085771ecSEric Biggers __u16 digest_algorithm; 33085771ecSEric Biggers __u16 digest_size; /* input/output */ 34085771ecSEric Biggers __u8 digest[]; 35085771ecSEric Biggers }; 36085771ecSEric Biggers 37bde49334SEric Biggers /* 38bde49334SEric Biggers * Struct containing a file's Merkle tree properties. The fs-verity file digest 39bde49334SEric Biggers * is the hash of this struct. A userspace program needs this struct only if it 40bde49334SEric Biggers * needs to compute fs-verity file digests itself, e.g. in order to sign files. 41bde49334SEric Biggers * It isn't needed just to enable fs-verity on a file. 42bde49334SEric Biggers * 43bde49334SEric Biggers * Note: when computing the file digest, 'sig_size' and 'signature' must be left 44bde49334SEric Biggers * zero and empty, respectively. These fields are present only because some 45bde49334SEric Biggers * filesystems reuse this struct as part of their on-disk format. 46bde49334SEric Biggers */ 47bde49334SEric Biggers struct fsverity_descriptor { 48bde49334SEric Biggers __u8 version; /* must be 1 */ 49bde49334SEric Biggers __u8 hash_algorithm; /* Merkle tree hash algorithm */ 50bde49334SEric Biggers __u8 log_blocksize; /* log2 of size of data and tree blocks */ 51bde49334SEric Biggers __u8 salt_size; /* size of salt in bytes; 0 if none */ 52bde49334SEric Biggers #ifdef __KERNEL__ 53bde49334SEric Biggers __le32 sig_size; 54bde49334SEric Biggers #else 55bde49334SEric Biggers __le32 __reserved_0x04; /* must be 0 */ 56bde49334SEric Biggers #endif 57bde49334SEric Biggers __le64 data_size; /* size of file the Merkle tree is built over */ 58bde49334SEric Biggers __u8 root_hash[64]; /* Merkle tree root hash */ 59bde49334SEric Biggers __u8 salt[32]; /* salt prepended to each hashed block */ 60bde49334SEric Biggers __u8 __reserved[144]; /* must be 0's */ 61bde49334SEric Biggers #ifdef __KERNEL__ 62bde49334SEric Biggers __u8 signature[]; 63bde49334SEric Biggers #endif 64bde49334SEric Biggers }; 65bde49334SEric Biggers 66bde49334SEric Biggers /* 67bde49334SEric Biggers * Format in which fs-verity file digests are signed in built-in signatures. 68bde49334SEric Biggers * This is the same as 'struct fsverity_digest', except here some magic bytes 69bde49334SEric Biggers * are prepended to provide some context about what is being signed in case the 70bde49334SEric Biggers * same key is used for non-fsverity purposes, and here the fields have fixed 71bde49334SEric Biggers * endianness. 72bde49334SEric Biggers * 73bde49334SEric Biggers * This struct is specific to the built-in signature verification support, which 74bde49334SEric Biggers * is optional. fs-verity users may also verify signatures in userspace, in 75bde49334SEric Biggers * which case userspace is responsible for deciding on what bytes are signed. 76bde49334SEric Biggers * This struct may still be used, but it doesn't have to be. For example, 77bde49334SEric Biggers * userspace could instead use a string like "sha256:$digest_as_hex_string". 78bde49334SEric Biggers */ 79bde49334SEric Biggers struct fsverity_formatted_digest { 80bde49334SEric Biggers char magic[8]; /* must be "FSVerity" */ 81bde49334SEric Biggers __le16 digest_algorithm; 82bde49334SEric Biggers __le16 digest_size; 83bde49334SEric Biggers __u8 digest[]; 84bde49334SEric Biggers }; 85bde49334SEric Biggers 86622699cfSEric Biggers #define FS_VERITY_METADATA_TYPE_MERKLE_TREE 1 87947191acSEric Biggers #define FS_VERITY_METADATA_TYPE_DESCRIPTOR 2 88*07c99001SEric Biggers #define FS_VERITY_METADATA_TYPE_SIGNATURE 3 89622699cfSEric Biggers 90e17fe657SEric Biggers struct fsverity_read_metadata_arg { 91e17fe657SEric Biggers __u64 metadata_type; 92e17fe657SEric Biggers __u64 offset; 93e17fe657SEric Biggers __u64 length; 94e17fe657SEric Biggers __u64 buf_ptr; 95e17fe657SEric Biggers __u64 __reserved; 96e17fe657SEric Biggers }; 97e17fe657SEric Biggers 98085771ecSEric Biggers #define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg) 99085771ecSEric Biggers #define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest) 100e17fe657SEric Biggers #define FS_IOC_READ_VERITY_METADATA \ 101e17fe657SEric Biggers _IOWR('f', 135, struct fsverity_read_metadata_arg) 102085771ecSEric Biggers 103085771ecSEric Biggers #endif /* _UAPI_LINUX_FSVERITY_H */ 104