diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-08-02 14:38:59 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-08-02 14:38:59 -0700 |
| commit | 6991a564f59742a0926be7421dff370135c44a97 (patch) | |
| tree | a3faa053ada66b81be66516e1f0a824a284164af /include/uapi | |
| parent | d7b767b5088d57ff9b5f9a0060c9ad0f9410b1c0 (diff) | |
| parent | 27603a606fda0806d7c08914bc976931aa42020e (diff) | |
| download | linux-stable-6991a564f59742a0926be7421dff370135c44a97.tar.gz linux-stable-6991a564f59742a0926be7421dff370135c44a97.tar.bz2 linux-stable-6991a564f59742a0926be7421dff370135c44a97.zip | |
Merge tag 'hardening-v5.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull hardening updates from Kees Cook:
- Fix Sparse warnings with randomizd kstack (GONG, Ruiqi)
- Replace uintptr_t with unsigned long in usercopy (Jason A. Donenfeld)
- Fix Clang -Wforward warning in LKDTM (Justin Stitt)
- Fix comment to correctly refer to STRICT_DEVMEM (Lukas Bulwahn)
- Introduce dm-verity binding logic to LoadPin LSM (Matthias Kaehlcke)
- Clean up warnings and overflow and KASAN tests (Kees Cook)
* tag 'hardening-v5.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
dm: verity-loadpin: Drop use of dm_table_get_num_targets()
kasan: test: Silence GCC 12 warnings
drivers: lkdtm: fix clang -Wformat warning
x86: mm: refer to the intended config STRICT_DEVMEM in a comment
dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation
LoadPin: Enable loading from trusted dm-verity devices
dm: Add verity helpers for LoadPin
stack: Declare {randomize_,}kstack_offset to fix Sparse warnings
lib: overflow: Do not define 64-bit tests on 32-bit
MAINTAINERS: Add a general "kernel hardening" section
usercopy: use unsigned long instead of uintptr_t
Diffstat (limited to 'include/uapi')
| -rw-r--r-- | include/uapi/linux/loadpin.h | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/include/uapi/linux/loadpin.h b/include/uapi/linux/loadpin.h new file mode 100644 index 000000000000..daa6dbb8bb02 --- /dev/null +++ b/include/uapi/linux/loadpin.h @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Copyright (c) 2022, Google LLC + */ + +#ifndef _UAPI_LINUX_LOOP_LOADPIN_H +#define _UAPI_LINUX_LOOP_LOADPIN_H + +#define LOADPIN_IOC_MAGIC 'L' + +/** + * LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS - Set up the root digests of verity devices + * that loadpin should trust. + * + * Takes a file descriptor from which to read the root digests of trusted verity devices. The file + * is expected to contain a list of digests in ASCII format, with one line per digest. The ioctl + * must be issued on the securityfs attribute 'loadpin/dm-verity' (which can be typically found + * under /sys/kernel/security/loadpin/dm-verity). + */ +#define LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS _IOW(LOADPIN_IOC_MAGIC, 0x00, unsigned int) + +#endif /* _UAPI_LINUX_LOOP_LOADPIN_H */ |