openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch - premsjha/op-build - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Mimi Zohar <zohar@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:34 -0400
 Subject: [PATCH 13/17] powerpc/ima: Indicate kernel modules appended
  signatures are enforced

 The arch specific kernel module policy rule requires kernel modules to
 be signed, either as an IMA signature, stored as an xattr, or as an
 appended signature. As a result, kernel modules appended signatures
 could be enforced without "sig_enforce" being set or reflected in
 /sys/module/module/parameters/sig_enforce. This patch sets
 "sig_enforce".

 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
 (cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  arch/powerpc/kernel/ima_arch.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

 diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
 index b9de0fb45bb9..e34116255ced 100644
 --- a/arch/powerpc/kernel/ima_arch.c
 +++ b/arch/powerpc/kernel/ima_arch.c
 @@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
   */
  const char *const *arch_get_ima_policy(void)
  {
 -	if (is_ppc_secureboot_enabled())
 +	if (is_ppc_secureboot_enabled()) {
 +		if (IS_ENABLED(CONFIG_MODULE_SIG))
 +			set_module_sig_enforced();
 +
  		if (is_ppc_trustedboot_enabled())
  			return secure_and_trusted_rules;
  		else
  			return secure_rules;
 -	else if (is_ppc_trustedboot_enabled())
 +	} else if (is_ppc_trustedboot_enabled()) {
  		return trusted_rules;
 +	}

  	return NULL;
  }
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: Mimi Zohar <zohar@linux.ibm.com>
	Date: Wed, 30 Oct 2019 23:31:34 -0400
	Subject: [PATCH 13/17] powerpc/ima: Indicate kernel modules appended
	signatures are enforced

	The arch specific kernel module policy rule requires kernel modules to
	be signed, either as an IMA signature, stored as an xattr, or as an
	appended signature. As a result, kernel modules appended signatures
	could be enforced without "sig_enforce" being set or reflected in
	/sys/module/module/parameters/sig_enforce. This patch sets
	"sig_enforce".

	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
	(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
	Signed-off-by: Joel Stanley <joel@jms.id.au>
	---
	arch/powerpc/kernel/ima_arch.c \| 8 ++++++--
	1 file changed, 6 insertions(+), 2 deletions(-)

	diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
	index b9de0fb45bb9..e34116255ced 100644
	--- a/arch/powerpc/kernel/ima_arch.c
	+++ b/arch/powerpc/kernel/ima_arch.c
	@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
	*/
	const char const arch_get_ima_policy(void)
	{
	- if (is_ppc_secureboot_enabled())
	+ if (is_ppc_secureboot_enabled()) {
	+ if (IS_ENABLED(CONFIG_MODULE_SIG))
	+ set_module_sig_enforced();
	+
	if (is_ppc_trustedboot_enabled())
	return secure_and_trusted_rules;
	else
	return secure_rules;
	- else if (is_ppc_trustedboot_enabled())
	+ } else if (is_ppc_trustedboot_enabled()) {
	return trusted_rules;
	+ }

	return NULL;
	}