1 /*
2 * Copyright (c) 2022 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23 #ifndef _SYS_CODE_SIGNING_H_
24 #define _SYS_CODE_SIGNING_H_
25
26 #include <sys/cdefs.h>
27 __BEGIN_DECLS
28
29 #pragma GCC diagnostic push
30 #pragma GCC diagnostic ignored "-Wnullability-completeness"
31 #pragma GCC diagnostic ignored "-Wnullability-completeness-on-arrays"
32
33 typedef uint32_t code_signing_monitor_type_t;
34 typedef uint32_t code_signing_config_t;
35
36 /* Monitor Types */
37 #define CS_MONITOR_TYPE_NONE (0)
38 #define CS_MONITOR_TYPE_PPL (1)
39 #define CS_MONITOR_TYPE_TXM (2)
40
41 /* Config - Exemptions */
42 #define CS_CONFIG_UNRESTRICTED_DEBUGGING (1 << 0)
43 #define CS_CONFIG_ALLOW_ANY_SIGNATURE (1 << 1)
44 #define CS_CONFIG_ENFORCEMENT_DISABLED (1 << 2)
45 #define CS_CONFIG_GET_OUT_OF_MY_WAY (1 << 3)
46 #define CS_CONFIG_INTEGRITY_SKIP (1 << 4)
47 #define CS_CONFIG_RELAX_PROFILE_TRUST (1 << 5)
48
49 /* Config - Features */
50 #define CS_CONFIG_REM_SUPPORTED (1 << 25)
51 #define CS_CONFIG_MAP_JIT (1 << 26)
52 #define CS_CONFIG_DEVELOPER_MODE_SUPPORTED (1 << 27)
53 #define CS_CONFIG_COMPILATION_SERVICE (1 << 28)
54 #define CS_CONFIG_LOCAL_SIGNING (1 << 29)
55 #define CS_CONFIG_OOP_JIT (1 << 30)
56 #define CS_CONFIG_CSM_ENABLED (1 << 31)
57
58 #ifdef KERNEL_PRIVATE
59 /* All definitions for XNU and kernel extensions */
60
61 #include <mach/boolean.h>
62 #include <mach/kern_return.h>
63 #include <img4/firmware.h>
64
65 #if !XNU_KERNEL_PRIVATE
66 /*
67 * This header file is shared across the SDK and the KDK. When we're compiling code
68 * for the kernel, but not for XNU, such as a kernel extension, the code signing
69 * traps information is found through <image4/cs/traps.h>. When we're within XNU
70 * proper, this header shouldn't be directory included and instead we should include
71 * <libkern/image4/dlxk.h> instead, which is what we do within XNU_KERNEL_PRIVATE
72 * down below.
73 */
74 #if __has_include(<image4/cs/traps.h>)
75 #include <image4/cs/traps.h>
76 #else
77 typedef uint64_t image4_cs_trap_t;
78 #endif /* __has_include(<image4/cs/traps.h>) */
79 #endif /* !XNU_KERNEL_PRIVATE */
80
81 /* Availability macros for KPI functions */
82 #define XNU_SUPPORTS_CSM_TYPE 1
83 #define XNU_SUPPORTS_CSM_APPLE_IMAGE4 1
84 #define XNU_SUPPORTS_PROFILE_GARBAGE_COLLECTION 1
85 #define XNU_SUPPORTS_COMPILATION_SERVICE 1
86 #define XNU_SUPPORTS_LOCAL_SIGNING 1
87 #define XNU_SUPPORTS_CE_ACCELERATION 1
88 #define XNU_SUPPORTS_DISABLE_CODE_SIGNING_FEATURE 1
89 #define XNU_SUPPORTS_IMAGE4_MONITOR_TRAP 1
90 #define XNU_SUPPORTS_RESTRICTED_EXECUTION_MODE 1
91 #define XNU_SUPPORTS_SECURE_CHANNEL_SHARED_PAGE 1
92 #define XNU_SUPPORTS_CSM_DEVICE_STATE 1
93 #define XNU_SUPPORTS_REGISTER_PROFILE 1
94
95 /* Forward declarations */
96 struct cs_blob;
97
98 /* Local signing public key size */
99 #define XNU_LOCAL_SIGNING_KEY_SIZE 97
100
101 typedef struct _cs_profile_register_t {
102 /*
103 * The kernel performs duduplication of registered provisioning profiles
104 * in order to optimize the profile loading code-path. The profile Uuid
105 * is used as the identifier.
106 */
107 uuid_t uuid;
108
109 /*
110 * Counter-signature of the profile used for verifying that the user has
111 * opted to trust the profile. This is only required for certain kinds of
112 * profiles.
113 */
114 const void *sig_data;
115 size_t sig_size;
116
117 /* The profile data itself -- only DER profiles supported */
118 const void *data;
119 size_t size;
120 } cs_profile_register_t;
121
122 #if XNU_KERNEL_PRIVATE
123
124 #include <sys/code_signing_internal.h>
125 #include <libkern/img4/interface.h>
126 #include <libkern/image4/dlxk.h>
127
128 #if PMAP_CS_INCLUDE_CODE_SIGNING
129 #if XNU_LOCAL_SIGNING_KEY_SIZE != PMAP_CS_LOCAL_SIGNING_KEY_SIZE
130 #error "XNU local signing key size and PMAP_CS local signing key size differ!"
131 #endif
132 #endif /* PMAP_CS_INCLUDE_CODE_SIGNING */
133
134 /* Common developer mode state variable */
135 extern bool *developer_mode_enabled;
136
137 /**
138 * This function is used to allocate code signing data which in some cases needs to
139 * align to a page length. This is a frequent operation, and as a result, a common
140 * helper is very useful.
141 */
142 vm_address_t
143 code_signing_allocate(
144 size_t alloc_size);
145
146 /**
147 * This function is used to deallocate data received from code_signing_allocate.
148 */
149 void
150 code_signing_deallocate(
151 vm_address_t *alloc_addr,
152 size_t alloc_size);
153
154 /**
155 * AppleImage4 does not provide an API to convert an object specification index to an
156 * actual object specification. Since this particular function is used across different
157 * places, it makes sense to keep it in a shared header file.
158 *
159 * This function may be called in contexts where printing is not possible, so do NOT
160 * leave a print statement here under any ciscumstances.
161 */
162 static inline const img4_runtime_object_spec_t*
image4_get_object_spec_from_index(img4_runtime_object_spec_index_t obj_spec_index)163 image4_get_object_spec_from_index(
164 img4_runtime_object_spec_index_t obj_spec_index)
165 {
166 const img4_runtime_object_spec_t *__single obj_spec = NULL;
167
168 switch (obj_spec_index) {
169 case IMG4_RUNTIME_OBJECT_SPEC_INDEX_SUPPLEMENTAL_ROOT:
170 obj_spec = IMG4_RUNTIME_OBJECT_SPEC_SUPPLEMENTAL_ROOT;
171 break;
172
173 case IMG4_RUNTIME_OBJECT_SPEC_INDEX_LOCAL_POLICY:
174 obj_spec = IMG4_RUNTIME_OBJECT_SPEC_LOCAL_POLICY;
175 break;
176
177 default:
178 break;
179 }
180
181 return obj_spec;
182 }
183
184 /**
185 * Perform any initialization required for managing code signing state on the system.
186 * This is called within XNU itself and doesn't need to be exported to anything external.
187 */
188 void
189 code_signing_init(void);
190
191 #endif /* XNU_KERNEL_PRIVATE */
192
193 /**
194 * Query the system to understand the code signing configuration of the system. This
195 * includes information on what monitor environment is available on the system as well
196 * as what the state of the system looks like with the provided boot-args.
197 */
198 void
199 code_signing_configuration(
200 code_signing_monitor_type_t *monitor_type,
201 code_signing_config_t *config);
202
203 /**
204 * This function can be called by a component to disable a particular code signing
205 * feature on the system. For instance, code_signing_configuration is initialized in
206 * early boot, where some kernel extensions which affect code signing aren't online.
207 * When these extensions come online, they may choose to call this function to affect
208 * the state which was previously initialized within code_signing_configuration.
209 */
210 void
211 disable_code_signing_feature(
212 code_signing_config_t feature);
213
214 /**
215 * AppleSEPManager uses this API to obtain the physical page which must be mapped as
216 * the secure channel within the SEP. This API is only supported on systems which have
217 * the Trusted Execution Monitor system monitor.
218 */
219 kern_return_t
220 secure_channel_shared_page(
221 uint64_t *secure_channel_phys,
222 size_t *secure_channel_size);
223
224 /**
225 * Enable developer mode on the system. When the system contains a monitor environment,
226 * developer mode is turned on by trapping into the appropriate monitor environment.
227 */
228 void
229 enable_developer_mode(void);
230
231 /**
232 * Disable developer mode on the system. When the system contains a monitor environment,
233 * developer mode is turned off by trapping into the appropriate monitor environment.
234 */
235 void
236 disable_developer_mode(void);
237
238 /**
239 * Query the current state of developer mode on the system. This call never traps into
240 * the monitor environment because XNU can directly read the monitors memory.
241 */
242 bool
243 developer_mode_state(void);
244
245 /**
246 * Attempt to enable restricted execution mode on the system. Not all systems support
247 * restricted execution mode. If the call is successful, KERN_SUCCESS is returned, or
248 * an error.
249 */
250 kern_return_t
251 restricted_execution_mode_enable(void);
252
253 /**
254 * Query the current state of restricted execution mode on the system. Not all systems
255 * support restricted execution mode. If REM is enabled, KERN_SUCCESS is returned. If
256 * REM is disabled, KERN_DENIED is returned. If REM is not supported on this platform,
257 * then KERN_NOT_SUPPORTED is returned.
258 */
259 kern_return_t
260 restricted_execution_mode_state(void);
261
262 /**
263 * This function is called whem the kernel wants the code-signing monitor to update its
264 * device state which is provided by the SEP using an OOB buffer.
265 */
266 void
267 update_csm_device_state(void);
268
269 /*
270 * This function called when the kernel wants the code-signing monitor to complete the
271 * functionality of a security boot mode.
272 */
273 void
274 complete_security_boot_mode(
275 uint32_t security_boot_mode);
276
277 /*
278 * Register and attempt to associate a provisioning profile with the code signature
279 * attached to the csblob. This call is only relevant for systems which have a code
280 * signing monitor, but it is exported to kernel extensions since AMFI is the primary
281 * consumer.
282 */
283 int
284 csblob_register_profile(
285 struct cs_blob *csblob,
286 cs_profile_register_t *profile);
287
288 /**
289 * Wrapper function which is exposed to kernel extensions. This can be used to trigger
290 * a call to the garbage collector for going through and unregistring all unused profiles
291 * on the system.
292 */
293 void
294 garbage_collect_provisioning_profiles(void);
295
296 /**
297 * Set the CDHash which is currently being used by the compilation service. This CDHash
298 * is compared against when validating the signature of a compilation service library.
299 */
300 void
301 set_compilation_service_cdhash(
302 const uint8_t *cdhash);
303
304 /**
305 * Match a CDHash against the currently stored CDHash for the compilation service.
306 */
307 bool
308 match_compilation_service_cdhash(
309 const uint8_t *cdhash);
310
311 /**
312 * Set the local signing key which is currently being used on the system. This key is used
313 * to validate any signatures which are signed on device.
314 */
315 void
316 set_local_signing_public_key(
317 const uint8_t public_key[XNU_LOCAL_SIGNING_KEY_SIZE]);
318
319 /**
320 * Get the local signing key which is currently being used on the system. This API is
321 * mostly used by kernel extensions which validate code signatures on the platform.
322 */
323 uint8_t*
324 get_local_signing_public_key(void);
325
326 /**
327 * Unrestrict a particular CDHash for local signing, allowing it to be loaded and run on
328 * the system. This is only required to be done for main binaries, since libraries do not
329 * need to be unrestricted.
330 */
331 void
332 unrestrict_local_signing_cdhash(
333 const uint8_t *cdhash);
334
335 /**
336 * The kernel or the monitor environments allocate some data which is used by AppleImage4
337 * for storing critical system information such as nonces. AppleImage4 uses this API to
338 * get access to this data while abstracting the implementation underneath.
339 */
340 void*
341 kernel_image4_storage_data(
342 size_t *allocated_size);
343
344 /**
345 * AppleImage4 uses this API to store the specified nonce into the nonce storage. This API
346 * abstracts away the kernel or monitor implementation used.
347 */
348 void
349 kernel_image4_set_nonce(
350 const img4_nonce_domain_index_t ndi,
351 const img4_nonce_t *nonce);
352
353 /**
354 * AppleImage4 uses this API to roll a specified nonce on the next boot. This API abstracts
355 * away the kernel or monitor implementation used.
356 */
357 void
358 kernel_image4_roll_nonce(
359 const img4_nonce_domain_index_t ndi);
360
361 /**
362 * AppleImage4 uses this API to copy a specified nonce from the nonce storage. This API
363 * abstracts away the kernel or monitor implementation used.
364 *
365 * We need this API since the nonces use a lock to protect against concurrency, and the
366 * lock can only be taken within the monitor environment, if any.
367 */
368 errno_t
369 kernel_image4_copy_nonce(
370 const img4_nonce_domain_index_t ndi,
371 img4_nonce_t *nonce_out);
372
373 /**
374 * AppleImage4 uses this API to perform object execution on a particular object type. This
375 * API abstracts away the kernel or monitor implementation used.
376 */
377 errno_t
378 kernel_image4_execute_object(
379 img4_runtime_object_spec_index_t obj_spec_index,
380 const img4_buff_t *payload,
381 const img4_buff_t *manifest);
382
383 /**
384 * AppleImage4 uses this API to copy the contents of an executed object. This API abstracts
385 * away the kernel or monitor implementation used.
386 */
387 errno_t
388 kernel_image4_copy_object(
389 img4_runtime_object_spec_index_t obj_spec_index,
390 vm_address_t object_out,
391 size_t *object_length);
392
393 /**
394 * AppleImage4 uses this API to get a pointer to the structure which is used for exporting
395 * monitor locked down data to the rest of the system.
396 */
397 const void*
398 kernel_image4_get_monitor_exports(void);
399
400 /**
401 * AppleImage4 uses this API to let the monitor environment know the release type for the
402 * the current boot. Under some circumstances, the monitor isn't able to gauge this on its
403 * own.
404 */
405 errno_t
406 kernel_image4_set_release_type(
407 const char *release_type);
408
409 /**
410 * AppleImage4 uses this API to let the monitor know when a nonce domain is shadowing the
411 * AP boot nonce. Since this information is queried from the NVRAM, the monitor cant know
412 * this on its own.
413 */
414 errno_t
415 kernel_image4_set_bnch_shadow(
416 const img4_nonce_domain_index_t ndi);
417
418 /**
419 * AppleImage4 uses this API to trap into the code signing monitor on the platform for
420 * the image4 dispatch routines. A single entry point is multiplexed into a whole dispatch
421 * table.
422 */
423 errno_t
424 kernel_image4_monitor_trap(
425 image4_cs_trap_t selector,
426 const void *input_data,
427 size_t input_size,
428 void *output_data,
429 size_t *output_size);
430
431 /**
432 * AMFI uses this API to obtain the OSEntitlements object which is associated with the
433 * main binary mapped in for a process.
434 *
435 * This API is considered safer for resolving the OSEntitlements than through the cred
436 * structure on the process because the system maintains a strong binding in the linkage
437 * chain from the process structure through the pmap, which ultimately contains the
438 * code signing monitors address space information for the process.
439 */
440 kern_return_t
441 csm_resolve_os_entitlements_from_proc(
442 const proc_t process,
443 const void **os_entitlements);
444
445 /**
446 * Wrapper function that calls csm_get_trust_level_kdp if there is a CODE_SIGNING_MONITOR
447 * or returns KERN_NOT_SUPPORTED if there isn't one.
448 */
449 kern_return_t
450 get_trust_level_kdp(
451 pmap_t pmap,
452 uint32_t *trust_level);
453
454 /**
455 * Wrapper function that calls csm_get_jit_address_range_kdp if there is a CODE_SIGNING_MONITOR
456 * or returns KERN_NOT_SUPPORTED if there isn't one.
457 */
458 kern_return_t
459 get_jit_address_range_kdp(
460 pmap_t pmap,
461 uintptr_t *jit_region_start,
462 uintptr_t *jit_region_end);
463
464 /**
465 * Check whether a particular proc is marked as debugged or not. For many use cases, this
466 * is a stronger check than simply checking for the enablement of developer mode since
467 * an address space can only be marked as debugged if developer mode is already enabled.
468 *
469 * When the system has a code signing monitor, this function acquires the state of the
470 * address space from the monitor.
471 */
472 kern_return_t
473 address_space_debugged_state(
474 const proc_t process);
475
476 /**
477 * Implements the same policy as address_space_debugged_state(), but returns
478 * with boolean semantics.
479 */
480 bool is_address_space_debugged(
481 const proc_t process);
482
483 #if CODE_SIGNING_MONITOR
484
485 struct vm_map_entry;
486
487 /**
488 * Check to see if the monitor is currently enforcing code signing protections or
489 * not. Even when this is disabled, certains artifacts are still protected by the
490 * monitor environment.
491 */
492 bool
493 csm_enabled(void);
494
495 /**
496 * Check and inform the code signing monitor that the system is entering lockdown mode.
497 * The code signing monitor then enforces policy based on this state. As part of this,
498 * we also update the code signing configuration of the system.
499 */
500 void
501 csm_check_lockdown_mode(void);
502
503 /**
504 * When a task incurs an unresolvable page fault with execute permissions, and is not
505 * being debugged, the task should receive a SIGKILL. This should only happen if the
506 * task isn't actively being debugged. This function abstracts all these details.
507 */
508 void
509 csm_code_signing_violation(
510 proc_t proc,
511 vm_offset_t addr);
512
513 /**
514 * This function is used to initialize the state of the locks for managing provisioning
515 * profiles on the system. It should be called by the kernel bootstrap thread during the
516 * early kernel initialization.
517 */
518 void
519 csm_initialize_provisioning_profiles(void);
520
521 /**
522 * Register a provisioning profile with the monitor environment available on the
523 * system. This function will allocate its own memory for managing the profile and
524 * the caller is allowed to free their own allocation.
525 */
526 kern_return_t
527 csm_register_provisioning_profile(
528 const uuid_t profile_uuid,
529 const void *profile,
530 const size_t profile_size);
531
532 /**
533 * Attempt to trust a provisioning profile with the monitor environment available on
534 * the system. The provided signature will be passed to the monitor as is, and the
535 * caller is responsible for de-allocation of the data, if required.
536 */
537 kern_return_t
538 csm_trust_provisioning_profile(
539 const uuid_t profile_uuid,
540 const void *sig_data,
541 size_t sig_size);
542
543 /**
544 * Associate a registered profile with a code signature object which is managed by
545 * the monitor environment. This incrementes the reference count on the profile object
546 * managed by the monitor, preventing the profile from being unregistered.
547 */
548 kern_return_t
549 csm_associate_provisioning_profile(
550 void *monitor_sig_obj,
551 const uuid_t profile_uuid);
552
553 /**
554 * Disassociate an associated profile with a code signature object which is managed by
555 * the monitor environment. This decrements the refernce count on the profile object
556 * managed by the monitor, potentially allowing it to be unregistered in case no other
557 * signatures hold a reference count to it.
558 */
559 kern_return_t
560 csm_disassociate_provisioning_profile(
561 void *monitor_sig_obj);
562
563 /**
564 * Trigger the provisioning profile garbage collector to go through each registered
565 * profile on the system and unregister it in case it isn't being used.
566 */
567 void
568 csm_free_provisioning_profiles(void);
569
570 /**
571 * Acquire the largest size for a code signature which the monitor will allocate on
572 * its own. Anything larger than this size needs to be page-allocated and aligned and
573 * will be locked down by the monitor upon registration.
574 */
575 vm_size_t
576 csm_signature_size_limit(void);
577
578 /**
579 * Register a code signature with the monitor environment. The monitor will either
580 * allocate its own memory for the code signature, or it will lockdown the memory which
581 * is given to it. In either case, the signature will be read-only for the kernel.
582 *
583 * If the monitor doesn't enforce code signing, then this function will return the
584 * KERN_SUCCESS condition.
585 */
586 kern_return_t
587 csm_register_code_signature(
588 const vm_address_t signature_addr,
589 const vm_size_t signature_size,
590 const vm_offset_t code_directory_offset,
591 const char *signature_path,
592 void **monitor_sig_obj,
593 vm_address_t *monitor_signature_addr);
594
595 /**
596 * Unregister a code signature previously registered with the monitor environment.
597 * This will free (or unlock) the signature memory held by the monitor.
598 *
599 * If the monitor doesn't enforce code signing, then this function will return the
600 * error KERN_NOT_SUPPORTED.
601 */
602 kern_return_t
603 csm_unregister_code_signature(
604 void *monitor_sig_obj);
605
606 /**
607 * Verify a code signature previously registered with the monitor. After verification,
608 * the signature can be used for making code signature associations with address spaces.
609 *
610 * If the monitor doesn't enforce code signing, then this function will return the
611 * KERN_SUCCESS condition.
612 */
613 kern_return_t
614 csm_verify_code_signature(
615 void *monitor_sig_obj,
616 uint32_t *trust_level);
617
618 /**
619 * Perform 2nd stage reconstitution through the monitor. This unlocks any unused parts
620 * of the code signature, which can then be freed by the kernel. This isn't strictly
621 * required, but it helps in conserving system memory.
622 *
623 * If the monitor doesn't enforce code signing, then this function will return the
624 * error KERN_NOT_SUPPORTED.
625 */
626 kern_return_t
627 csm_reconstitute_code_signature(
628 void *monitor_sig_obj,
629 vm_address_t *unneeded_addr,
630 vm_size_t *unneeded_size);
631
632 /**
633 * Associate a code signature with an address space for a specified region with the
634 * monitor environment. The code signature can only be associated if it has been
635 * verified before.
636 */
637 kern_return_t
638 csm_associate_code_signature(
639 pmap_t pmap,
640 void *monitor_sig_obj,
641 const vm_address_t region_addr,
642 const vm_size_t region_size,
643 const vm_offset_t region_offset);
644
645 /**
646 * Validate that an address space will allow mapping in a JIT region within the monitor
647 * environment. An address space can only have a single JIT region, and only when it
648 * has the appropriate JIT entitlement.
649 */
650 kern_return_t
651 csm_allow_jit_region(
652 pmap_t pmap);
653
654 /**
655 * Associate a JIT region with an address space in the monitor environment. An address
656 * space can only have a JIT region if it has the appropriate JIT entitlement.
657 */
658 kern_return_t
659 csm_associate_jit_region(
660 pmap_t pmap,
661 const vm_address_t region_addr,
662 const vm_size_t region_size);
663
664 /**
665 * Associate a debug region with an address space in the monitor environment. An address
666 * space can only have a debug region if it is currently being debugged.
667 */
668 kern_return_t
669 csm_associate_debug_region(
670 pmap_t pmap,
671 const vm_address_t region_addr,
672 const vm_size_t region_size);
673
674 /**
675 * Call out to the monitor to inform it that the address space needs to be debugged. The
676 * monitor will only allow the address space to be debugged if it has the appropriate
677 * entitlements.
678 */
679 kern_return_t
680 csm_allow_invalid_code(
681 pmap_t pmap);
682
683 /**
684 * Acquire the trust level which is placed on the address space within the monitor
685 * environment. There is no clear mapping of the 32-bit integer returned to the actual
686 * trust level because different code signing monitors use different trust levels.
687 *
688 * The code signing monitor itself does not depend on this value and instead uses
689 * other, more secure methods of checking for trust. In general, we only expect this
690 * function to be used for debugging purposes.
691 *
692 * This function should be careful that any code paths within it do not mutate the
693 * state of the system, and as a result, no code paths here should attempt to take
694 * locks of any kind.
695 */
696 kern_return_t
697 csm_get_trust_level_kdp(
698 pmap_t pmap,
699 uint32_t *trust_level);
700
701 /**
702 * Acquire the address range for the JIT region for this address space.
703 *
704 * We expect this function to only be used for debugging purposes, and not for
705 * enforcing any security policies.
706 * This function should be careful that any code paths within it do not mutate the
707 * state of the system, and as a result, no code paths here should attempt to take
708 * locks of any kind.
709 * KERN_SUCCESS is returned if the address space has JIT capability and an address range
710 * was returned in the output arguments.
711 * KERN_NOT_FOUND is returned if the address space does not have JIT, or on systems where
712 * the code signing monitor does not track the JIT range.
713 * KERN_NOT_SUPPORTED is returned for environments where this call is not supported.
714 */
715 kern_return_t
716 csm_get_jit_address_range_kdp(
717 pmap_t pmap,
718 uintptr_t *jit_region_start,
719 uintptr_t *jit_region_end);
720
721 /**
722 * Certain address spaces are exempt from code signing enforcement. This function can be
723 * used to check if the specified address space is such or not.
724 */
725 kern_return_t
726 csm_address_space_exempt(
727 const pmap_t pmap);
728
729 /**
730 * Instruct the monitor that an address space is about to be forked. The monitor can then
731 * do whatever it needs to do in order to prepare for the fork.
732 */
733 kern_return_t
734 csm_fork_prepare(
735 pmap_t old_pmap,
736 pmap_t new_pmap);
737
738 /**
739 * Get the signing identifier which is embedded within the code directory using the
740 * code signing monitor's abstract signature object.
741 */
742 kern_return_t
743 csm_acquire_signing_identifier(
744 const void *monitor_sig_obj,
745 const char **signing_id);
746
747 /**
748 * This API to associate an OSEntitlements objects with the code signing monitor's
749 * signature object. This binding is useful as it can be used to resolve the entitlement
750 * object which is used by the kernel for performing queries.
751 */
752 kern_return_t
753 csm_associate_os_entitlements(
754 void *monitor_sig_obj,
755 const void *os_entitlements);
756
757 /**
758 * Accelerate the CoreEntitlements context within the code signing monitor's memory
759 * in order to speed up all queries for entitlements going through CoreEntitlements.
760 */
761 kern_return_t
762 csm_accelerate_entitlements(
763 void *monitor_sig_obj,
764 CEQueryContext_t *ce_ctx);
765
766 kern_return_t
767 vm_map_entry_cs_associate(
768 vm_map_t map,
769 struct vm_map_entry *entry,
770 vm_map_kernel_flags_t vmk_flags);
771
772 kern_return_t
773 cs_associate_blob_with_mapping(
774 void *pmap,
775 vm_map_offset_t start,
776 vm_map_size_t size,
777 vm_object_offset_t offset,
778 void *blobs_p);
779
780 #endif /* CODE_SIGNING_MONITOR */
781
782 #endif /* KERNEL_PRIVATE */
783
784 #pragma GCC diagnostic pop
785
786 __END_DECLS
787 #endif /* _SYS_CODE_SIGNING_H_ */
788