diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-07-27 22:26:38 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-07-27 22:26:38 -0400 |
commit | 95b6886526bb510b8370b625a49bc0ab3b8ff10f (patch) | |
tree | 2862606224820d200be12d2092dcd26df1654b80 /include/linux | |
parent | 22712200e175e0df5c7f9edfe6c6bf5c94c23b83 (diff) | |
parent | 29412f0f6a19e34336368f13eab848091c343952 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)
tpm_nsc: Fix bug when loading multiple TPM drivers
tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block
tpm: Fix compilation warning when CONFIG_PNP is not defined
TOMOYO: Update kernel-doc.
tpm: Fix a typo
tpm_tis: Probing function for Intel iTPM bug
tpm_tis: Fix the probing for interrupts
tpm_tis: Delay ACPI S3 suspend while the TPM is busy
tpm_tis: Re-enable interrupts upon (S3) resume
tpm: Fix display of data in pubek sysfs entry
tpm_tis: Add timeouts sysfs entry
tpm: Adjust interface timeouts if they are too small
tpm: Use interface timeouts returned from the TPM
tpm_tis: Introduce durations sysfs entry
tpm: Adjust the durations if they are too small
tpm: Use durations returned from TPM
TOMOYO: Enable conditional ACL.
TOMOYO: Allow using argv[]/envp[] of execve() as conditions.
TOMOYO: Allow using executable's realpath and symlink's target as conditions.
TOMOYO: Allow using owner/group etc. of file objects as conditions.
...
Fix up trivial conflict in security/tomoyo/realpath.c
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/ecryptfs.h | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/include/linux/ecryptfs.h b/include/linux/ecryptfs.h new file mode 100644 index 000000000000..2224a8c0cb64 --- /dev/null +++ b/include/linux/ecryptfs.h | |||
@@ -0,0 +1,113 @@ | |||
1 | #ifndef _LINUX_ECRYPTFS_H | ||
2 | #define _LINUX_ECRYPTFS_H | ||
3 | |||
4 | /* Version verification for shared data structures w/ userspace */ | ||
5 | #define ECRYPTFS_VERSION_MAJOR 0x00 | ||
6 | #define ECRYPTFS_VERSION_MINOR 0x04 | ||
7 | #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 | ||
8 | /* These flags indicate which features are supported by the kernel | ||
9 | * module; userspace tools such as the mount helper read | ||
10 | * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine | ||
11 | * how to behave. */ | ||
12 | #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 | ||
13 | #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 | ||
14 | #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 | ||
15 | #define ECRYPTFS_VERSIONING_POLICY 0x00000008 | ||
16 | #define ECRYPTFS_VERSIONING_XATTR 0x00000010 | ||
17 | #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 | ||
18 | #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 | ||
19 | #define ECRYPTFS_VERSIONING_HMAC 0x00000080 | ||
20 | #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 | ||
21 | #define ECRYPTFS_VERSIONING_GCM 0x00000200 | ||
22 | #define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \ | ||
23 | | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \ | ||
24 | | ECRYPTFS_VERSIONING_PUBKEY \ | ||
25 | | ECRYPTFS_VERSIONING_XATTR \ | ||
26 | | ECRYPTFS_VERSIONING_MULTKEY \ | ||
27 | | ECRYPTFS_VERSIONING_DEVMISC \ | ||
28 | | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION) | ||
29 | #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 | ||
30 | #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH | ||
31 | #define ECRYPTFS_SALT_SIZE 8 | ||
32 | #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) | ||
33 | /* The original signature size is only for what is stored on disk; all | ||
34 | * in-memory representations are expanded hex, so it better adapted to | ||
35 | * be passed around or referenced on the command line */ | ||
36 | #define ECRYPTFS_SIG_SIZE 8 | ||
37 | #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) | ||
38 | #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX | ||
39 | #define ECRYPTFS_MAX_KEY_BYTES 64 | ||
40 | #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 | ||
41 | #define ECRYPTFS_FILE_VERSION 0x03 | ||
42 | #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 | ||
43 | |||
44 | #define RFC2440_CIPHER_DES3_EDE 0x02 | ||
45 | #define RFC2440_CIPHER_CAST_5 0x03 | ||
46 | #define RFC2440_CIPHER_BLOWFISH 0x04 | ||
47 | #define RFC2440_CIPHER_AES_128 0x07 | ||
48 | #define RFC2440_CIPHER_AES_192 0x08 | ||
49 | #define RFC2440_CIPHER_AES_256 0x09 | ||
50 | #define RFC2440_CIPHER_TWOFISH 0x0a | ||
51 | #define RFC2440_CIPHER_CAST_6 0x0b | ||
52 | |||
53 | #define RFC2440_CIPHER_RSA 0x01 | ||
54 | |||
55 | /** | ||
56 | * For convenience, we may need to pass around the encrypted session | ||
57 | * key between kernel and userspace because the authentication token | ||
58 | * may not be extractable. For example, the TPM may not release the | ||
59 | * private key, instead requiring the encrypted data and returning the | ||
60 | * decrypted data. | ||
61 | */ | ||
62 | struct ecryptfs_session_key { | ||
63 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 | ||
64 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 | ||
65 | #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 | ||
66 | #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 | ||
67 | u32 flags; | ||
68 | u32 encrypted_key_size; | ||
69 | u32 decrypted_key_size; | ||
70 | u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; | ||
71 | u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; | ||
72 | }; | ||
73 | |||
74 | struct ecryptfs_password { | ||
75 | u32 password_bytes; | ||
76 | s32 hash_algo; | ||
77 | u32 hash_iterations; | ||
78 | u32 session_key_encryption_key_bytes; | ||
79 | #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 | ||
80 | #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 | ||
81 | u32 flags; | ||
82 | /* Iterated-hash concatenation of salt and passphrase */ | ||
83 | u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; | ||
84 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; | ||
85 | /* Always in expanded hex */ | ||
86 | u8 salt[ECRYPTFS_SALT_SIZE]; | ||
87 | }; | ||
88 | |||
89 | enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; | ||
90 | |||
91 | struct ecryptfs_private_key { | ||
92 | u32 key_size; | ||
93 | u32 data_len; | ||
94 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; | ||
95 | char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; | ||
96 | u8 data[]; | ||
97 | }; | ||
98 | |||
99 | /* May be a password or a private key */ | ||
100 | struct ecryptfs_auth_tok { | ||
101 | u16 version; /* 8-bit major and 8-bit minor */ | ||
102 | u16 token_type; | ||
103 | #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 | ||
104 | u32 flags; | ||
105 | struct ecryptfs_session_key session_key; | ||
106 | u8 reserved[32]; | ||
107 | union { | ||
108 | struct ecryptfs_password password; | ||
109 | struct ecryptfs_private_key private_key; | ||
110 | } token; | ||
111 | } __attribute__ ((packed)); | ||
112 | |||
113 | #endif /* _LINUX_ECRYPTFS_H */ | ||