| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: Nayna Jain <nayna@linux.ibm.com> |
| Date: Wed, 30 Oct 2019 23:31:27 -0400 |
| Subject: [PATCH 03/18] powerpc/ima: Add support to initialize ima policy rules |
| |
| PowerNV systems use a Linux-based bootloader, which relies on the IMA |
| subsystem to enforce different secure boot modes. Since the |
| verification policy may differ based on the secure boot mode of the |
| system, the policies must be defined at runtime. |
| |
| This patch implements arch-specific support to define IMA policy rules |
| based on the runtime secure boot mode of the system. |
| |
| This patch provides arch-specific IMA policies if PPC_SECURE_BOOT |
| config is enabled. |
| |
| Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com |
| (cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b) |
| Signed-off-by: Joel Stanley <joel@jms.id.au> |
| --- |
| arch/powerpc/Kconfig | 1 + |
| arch/powerpc/kernel/Makefile | 2 +- |
| arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++ |
| include/linux/ima.h | 3 ++- |
| 4 files changed, 47 insertions(+), 2 deletions(-) |
| create mode 100644 arch/powerpc/kernel/ima_arch.c |
| |
| diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig |
| index bdf584b85199..eea6c358b86c 100644 |
| --- a/arch/powerpc/Kconfig |
| +++ b/arch/powerpc/Kconfig |
| @@ -938,6 +938,7 @@ config PPC_SECURE_BOOT |
| prompt "Enable secure boot support" |
| bool |
| depends on PPC_POWERNV |
| + depends on IMA_ARCH_POLICY |
| help |
| Systems with firmware secure boot enabled need to define security |
| policies to extend secure boot to the OS. This config allows a user |
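Review bot: The added `depends on IMA_ARCH_POLICY` hides the PPC_SECURE_BOOT prompt whenever IMA_ARCH_POLICY is off, so a configuration that lacks it builds without OS secure boot support and gives no hint why. The help text, which continues past this hunk, should name the requirement, for example `This option requires IMA_ARCH_POLICY, because the secure boot policy is enforced through arch-specific IMA rules.`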
| diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile |
| index 40170ee52178..b82f7f5e5121 100644 |
| --- a/arch/powerpc/kernel/Makefile |
| +++ b/arch/powerpc/kernel/Makefile |
| @@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) |
| obj-y += ucall.o |
| endif |
| |
| -obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o |
| +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o |
| |
| # Disable GCOV, KCOV & sanitizers in odd or sensitive code |
| GCOV_PROFILE_prom_init.o := n |
| diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c |
| new file mode 100644 |
| index 000000000000..d88913dc0da7 |
| --- /dev/null |
| +++ b/arch/powerpc/kernel/ima_arch.c |
| @@ -0,0 +1,43 @@ |
| +// SPDX-License-Identifier: GPL-2.0 |
| +/* |
| + * Copyright (C) 2019 IBM Corporation |
| + * Author: Nayna Jain |
| + */ |
| + |
| +#include <linux/ima.h> |
| +#include <asm/secure_boot.h> |
| + |
| +bool arch_ima_get_secureboot(void) |
| +{ |
| + return is_ppc_secureboot_enabled(); |
| +} |
| + |
| +/* |
| + * The "secure_rules" are enabled only on "secureboot" enabled systems. |
| + * These rules verify the file signatures against known good values. |
| + * The "appraise_type=imasig|modsig" option allows the known good signature |
| + * to be stored as an xattr or as an appended signature. |
| + * |
| + * To avoid duplicate signature verification as much as possible, the IMA |
| + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE |
| + * is not enabled. |
| + */ |
| +static const char *const secure_rules[] = { |
| + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", |
| +#ifndef CONFIG_MODULE_SIG_FORCE |
| + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", |
| +#endif |
| + NULL |
| +}; |
| + |
| +/* |
| + * Returns the relevant IMA arch-specific policies based on the system secure |
| + * boot state. |
| + */ |
| +const char *const *arch_get_ima_policy(void) |
| +{ |
| + if (is_ppc_secureboot_enabled()) |
| + return secure_rules; |
| + |
| + return NULL; |
| +} |
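Review bot: `arch_get_ima_policy()` returns NULL, meaning no arch appraisal rules at all, whenever `is_ppc_secureboot_enabled()` is false, so the kexec and module signature rules in `secure_rules` depend entirely on that one helper. Its definition is outside this patch; if it also reports false when the firmware secure boot state cannot be read, a lookup failure would leave the system running without the rules and without any message, which is worth confirming and logging. I would extend the function comment to state the contract, for example `Returns a NULL-terminated rule array when secure boot is enabled, or NULL (no arch rules) otherwise.`, and give `arch_ima_get_secureboot()` a one-line comment as well.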
| diff --git a/include/linux/ima.h b/include/linux/ima.h |
| index 1c37f17f7203..6d904754d858 100644 |
| --- a/include/linux/ima.h |
| +++ b/include/linux/ima.h |
| @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); |
| extern void ima_add_kexec_buffer(struct kimage *image); |
| #endif |
| |
| -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) |
| +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ |
| + || defined(CONFIG_PPC_SECURE_BOOT) |
| extern bool arch_ima_get_secureboot(void); |
| extern const char * const *arch_get_ima_policy(void); |
| #else |
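Review bot: The `#if` guard now lists three architecture conditions by hand, so every further architecture that provides an arch policy has to edit this generic header again. A single Kconfig symbol selected by the architectures that implement `arch_ima_get_secureboot()` and `arch_get_ima_policy()` would keep the header stable and make it harder for the declarations and the fallback to drift apart. The `#else` branch continues outside this hunk, so the fallback it presumably holds is not visible here.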