security/integrity/digsig.c
Source file repositories/reference/linux-study-clean/security/integrity/digsig.c
File Facts
- System
- Linux kernel
- Corpus path
security/integrity/digsig.c- Extension
.c- Size
- 5579 bytes
- Lines
- 229
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/err.hlinux/sched.hlinux/slab.hlinux/cred.hlinux/kernel_read_file.hlinux/key-type.hlinux/digsig.hlinux/vmalloc.hcrypto/public_key.hkeys/system_keyring.hintegrity.h
Detected Declarations
function integrity_digsig_verifyfunction integrity_modsig_verifyfunction __integrity_init_keyringfunction integrity_init_keyringfunction integrity_add_keyfunction integrity_load_x509function integrity_load_cert
Annotated Snippet
if (IS_ERR(keyring[id])) {
int err = PTR_ERR(keyring[id]);
pr_err("no %s keyring: %d\n", keyring_name[id], err);
keyring[id] = NULL;
return ERR_PTR(err);
}
}
return keyring[id];
}
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen, u8 algo)
{
struct key *keyring;
if (siglen < 2)
return -EINVAL;
keyring = integrity_keyring_from_id(id);
if (IS_ERR(keyring))
return PTR_ERR(keyring);
switch (sig[1]) {
case 1:
/* v1 API expect signature without xattr type */
return digsig_verify(keyring, sig + 1, siglen - 1, digest,
digestlen);
case 2: /* regular file data hash based signature */
return asymmetric_verify(keyring, sig, siglen, digest,
digestlen);
case 3: /* struct ima_file_id data based signature */
return asymmetric_verify_v3(keyring, sig, siglen, digest,
digestlen, algo);
}
return -EOPNOTSUPP;
}
int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
{
struct key *keyring;
keyring = integrity_keyring_from_id(id);
if (IS_ERR(keyring))
return PTR_ERR(keyring);
return ima_modsig_verify(keyring, modsig);
}
static int __init __integrity_init_keyring(const unsigned int id,
key_perm_t perm,
struct key_restriction *restriction)
{
const struct cred *cred = current_cred();
int err = 0;
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
KGIDT_INIT(0), cred, perm,
KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
keyring_name[id], err);
keyring[id] = NULL;
} else {
if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled())
set_machine_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_IMA)
load_module_cert(keyring[id]);
}
return err;
}
int __init integrity_init_keyring(const unsigned int id)
{
struct key_restriction *restriction;
key_perm_t perm;
int ret;
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
| KEY_USR_READ | KEY_USR_SEARCH;
if (id == INTEGRITY_KEYRING_PLATFORM ||
(id == INTEGRITY_KEYRING_MACHINE &&
!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
restriction = NULL;
Annotation
- Immediate include surface: `linux/err.h`, `linux/sched.h`, `linux/slab.h`, `linux/cred.h`, `linux/kernel_read_file.h`, `linux/key-type.h`, `linux/digsig.h`, `linux/vmalloc.h`.
- Detected declarations: `function integrity_digsig_verify`, `function integrity_modsig_verify`, `function __integrity_init_keyring`, `function integrity_init_keyring`, `function integrity_add_key`, `function integrity_load_x509`, `function integrity_load_cert`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.