openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch - premsjha/op-build - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Fri, 1 May 2020 10:16:52 -0400
 Subject: [PATCH 14/17] powerpc/ima: Fix secure boot rules in ima arch policy

 To prevent verifying the kernel module appended signature
 twice (finit_module), once by the module_sig_check() and again by IMA,
 powerpc secure boot rules define an IMA architecture specific policy
 rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
 unfortunately, does not take into account the ability of enabling
 "sig_enforce" on the boot command line (module.sig_enforce=1).

 Including the IMA module appraise rule results in failing the
 finit_module syscall, unless the module signing public key is loaded
 onto the IMA keyring.

 This patch fixes secure boot policy rules to be based on
 CONFIG_MODULE_SIG instead.

 Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
 Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
 (cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  arch/powerpc/kernel/ima_arch.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

 diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
 index e34116255ced..957abd592075 100644
 --- a/arch/powerpc/kernel/ima_arch.c
 +++ b/arch/powerpc/kernel/ima_arch.c
 @@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
   * to be stored as an xattr or as an appended signature.
   *
   * To avoid duplicate signature verification as much as possible, the IMA
 - * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
 + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
   * is not enabled.
   */
  static const char *const secure_rules[] = {
  	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 -#ifndef CONFIG_MODULE_SIG_FORCE
 +#ifndef CONFIG_MODULE_SIG
  	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  #endif
  	NULL
 @@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
  	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
  	"measure func=MODULE_CHECK template=ima-modsig",
  	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 -#ifndef CONFIG_MODULE_SIG_FORCE
 +#ifndef CONFIG_MODULE_SIG
  	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  #endif
  	NULL
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: Nayna Jain <nayna@linux.ibm.com>
	Date: Fri, 1 May 2020 10:16:52 -0400
	Subject: [PATCH 14/17] powerpc/ima: Fix secure boot rules in ima arch policy

	To prevent verifying the kernel module appended signature
	twice (finit_module), once by the module_sig_check() and again by IMA,
	powerpc secure boot rules define an IMA architecture specific policy
	rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
	unfortunately, does not take into account the ability of enabling
	"sig_enforce" on the boot command line (module.sig_enforce=1).

	Including the IMA module appraise rule results in failing the
	finit_module syscall, unless the module signing public key is loaded
	onto the IMA keyring.

	This patch fixes secure boot policy rules to be based on
	CONFIG_MODULE_SIG instead.

	Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
	Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
	(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
	Signed-off-by: Joel Stanley <joel@jms.id.au>
	---
	arch/powerpc/kernel/ima_arch.c \| 6 +++---
	1 file changed, 3 insertions(+), 3 deletions(-)

	diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
	index e34116255ced..957abd592075 100644
	--- a/arch/powerpc/kernel/ima_arch.c
	+++ b/arch/powerpc/kernel/ima_arch.c
	@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
	* to be stored as an xattr or as an appended signature.
	*
	* To avoid duplicate signature verification as much as possible, the IMA
	- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
	+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
	* is not enabled.
	*/
	static const char *const secure_rules[] = {
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	-#ifndef CONFIG_MODULE_SIG_FORCE
	+#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#endif
	NULL
	@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	-#ifndef CONFIG_MODULE_SIG_FORCE
	+#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#endif
	NULL