/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/*
* fs-verity user API
*
* These ioctls can be used on filesystems that support fs-verity. See the
* "User API" section of Documentation/filesystems/fsverity.rst.
*
* Copyright 2019 Google LLC
*/
#ifndef _UAPI_LINUX_FSVERITY_H
#define _UAPI_LINUX_FSVERITY_H
#include <linux/ioctl.h>
#include <linux/types.h>
#define FS_VERITY_HASH_ALG_SHA256 1
#define FS_VERITY_HASH_ALG_SHA512 2
struct fsverity_enable_arg {
__u32 version;
__u32 hash_algorithm;
__u32 block_size;
__u32 salt_size;
__u64 salt_ptr;
__u32 sig_size;
__u32 __reserved1;
__u64 sig_ptr;
__u64 __reserved2[11];
};
struct fsverity_digest {
__u16 digest_algorithm;
__u16 digest_size; /* input/output */
__u8 digest[];
};
/*
* Struct containing a file's Merkle tree properties. The fs-verity file digest
* is the hash of this struct. A userspace program needs this struct only if it
* needs to compute fs-verity file digests itself, e.g. in order to sign files.
* It isn't needed just to enable fs-verity on a file.
*
* Note: when computing the file digest, 'sig_size' and 'signature' must be left
* zero and empty, respectively. These fields are present only because some
* filesystems reuse this struct as part of their on-disk format.
*/
struct fsverity_descriptor {
__u8 version; /* must be 1 */
__u8 hash_algorithm; /* Merkle tree hash algorithm */
__u8 log_blocksize; /* log2 of size of data and tree blocks */
__u8 salt_size; /* size of salt in bytes; 0 if none */
#ifdef __KERNEL__
__le32 sig_size;
#else
__le32 __reserved_0x04; /* must be 0 */
#endif
__le64 data_size; /* size of file the Merkle tree is built over */
__u8 root_hash[64]; /* Merkle tree root hash */
__u8 salt[32]; /* salt prepended to each hashed block */
__u8 __reserved[144]; /* must be 0's */
#ifdef __KERNEL__
__u8 signature[];
#endif
};
/*
* Format in which fs-verity file digests are signed in built-in signatures.
* This is the same as 'struct fsverity_digest', except here some magic bytes
* are prepended to provide some context about what is being signed in case the
* same key is used for non-fsverity purposes, and here the fields have fixed
* endianness.
*
* This struct is specific to the built-in signature verification support, which
* is optional. fs-verity users may also verify signatures in userspace, in
* which case userspace is responsible for deciding on what bytes are signed.
* This struct may still be used, but it doesn't have to be. For example,
* userspace could instead use a string like "sha256:$digest_as_hex_string".
*/
struct fsverity_formatted_digest {
char magic[8]; /* must be "FSVerity" */
__le16 digest_algorithm;
__le16 digest_size;
__u8 digest[];
};
#define FS_VERITY_METADATA_TYPE_MERKLE_TREE 1
#define FS_VERITY_METADATA_TYPE_DESCRIPTOR 2
#define FS_VERITY_METADATA_TYPE_SIGNATURE 3
struct fsverity_read_metadata_arg {
__u64 metadata_type;
__u64 offset;
__u64 length;
__u64 buf_ptr;
__u64 __reserved;
};
#define FS_IOC_ENABLE_VERITY _IOW('f', 133, struct fsverity_enable_arg)
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
#define FS_IOC_READ_VERITY_METADATA \
_IOWR('f', 135, struct fsverity_read_metadata_arg)
#endif /* _UAPI_LINUX_FSVERITY_H */