openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch - premsjha/op-build - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:27 -0400
 Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules

 PowerNV systems use a Linux-based bootloader, which rely on the IMA
 subsystem to enforce different secure boot modes. Since the
 verification policy may differ based on the secure boot mode of the
 system, the policies must be defined at runtime.

 This patch implements arch-specific support to define IMA policy rules
 based on the runtime secure boot mode of the system.

 This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
 config is enabled.

 Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
 (cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  arch/powerpc/Kconfig           |  1 +
  arch/powerpc/kernel/Makefile   |  2 +-
  arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++
  include/linux/ima.h            |  3 ++-
  4 files changed, 47 insertions(+), 2 deletions(-)
  create mode 100644 arch/powerpc/kernel/ima_arch.c

 diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
 index d654bdc9e4dc..32ce6c0b43f1 100644
 --- a/arch/powerpc/Kconfig
 +++ b/arch/powerpc/Kconfig
 @@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
  	prompt "Enable secure boot support"
  	bool
  	depends on PPC_POWERNV
 +	depends on IMA_ARCH_POLICY
  	help
  	  Systems with firmware secure boot enabled need to define security
  	  policies to extend secure boot to the OS. This config allows a user
 diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
 index 40170ee52178..b82f7f5e5121 100644
 --- a/arch/powerpc/kernel/Makefile
 +++ b/arch/powerpc/kernel/Makefile
 @@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
  obj-y				+= ucall.o
  endif

 -obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o
 +obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o

  # Disable GCOV, KCOV & sanitizers in odd or sensitive code
  GCOV_PROFILE_prom_init.o := n
 diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
 new file mode 100644
 index 000000000000..d88913dc0da7
 --- /dev/null
 +++ b/arch/powerpc/kernel/ima_arch.c
 @@ -0,0 +1,43 @@
 +// SPDX-License-Identifier: GPL-2.0
 +/*
 + * Copyright (C) 2019 IBM Corporation
 + * Author: Nayna Jain
 + */
 +
 +#include <linux/ima.h>
 +#include <asm/secure_boot.h>
 +
 +bool arch_ima_get_secureboot(void)
 +{
 +	return is_ppc_secureboot_enabled();
 +}
 +
 +/*
 + * The "secure_rules" are enabled only on "secureboot" enabled systems.
 + * These rules verify the file signatures against known good values.
 + * The "appraise_type=imasig|modsig" option allows the known good signature
 + * to be stored as an xattr or as an appended signature.
 + *
 + * To avoid duplicate signature verification as much as possible, the IMA
 + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
 + * is not enabled.
 + */
 +static const char *const secure_rules[] = {
 +	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
 +#ifndef CONFIG_MODULE_SIG_FORCE
 +	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
 +#endif
 +	NULL
 +};
 +
 +/*
 + * Returns the relevant IMA arch-specific policies based on the system secure
 + * boot state.
 + */
 +const char *const *arch_get_ima_policy(void)
 +{
 +	if (is_ppc_secureboot_enabled())
 +		return secure_rules;
 +
 +	return NULL;
 +}
 diff --git a/include/linux/ima.h b/include/linux/ima.h
 index 1c37f17f7203..6d904754d858 100644
 --- a/include/linux/ima.h
 +++ b/include/linux/ima.h
 @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
  extern void ima_add_kexec_buffer(struct kimage *image);
  #endif

 -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
 +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
 +	|| defined(CONFIG_PPC_SECURE_BOOT)
  extern bool arch_ima_get_secureboot(void);
  extern const char * const *arch_get_ima_policy(void);
  #else
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: Nayna Jain <nayna@linux.ibm.com>
	Date: Wed, 30 Oct 2019 23:31:27 -0400
	Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules

	PowerNV systems use a Linux-based bootloader, which rely on the IMA
	subsystem to enforce different secure boot modes. Since the
	verification policy may differ based on the secure boot mode of the
	system, the policies must be defined at runtime.

	This patch implements arch-specific support to define IMA policy rules
	based on the runtime secure boot mode of the system.

	This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
	config is enabled.

	Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
	(cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
	Signed-off-by: Joel Stanley <joel@jms.id.au>
	---
	arch/powerpc/Kconfig \| 1 +
	arch/powerpc/kernel/Makefile \| 2 +-
	arch/powerpc/kernel/ima_arch.c \| 43 ++++++++++++++++++++++++++++++++++
	include/linux/ima.h \| 3 ++-
	4 files changed, 47 insertions(+), 2 deletions(-)
	create mode 100644 arch/powerpc/kernel/ima_arch.c

	diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
	index d654bdc9e4dc..32ce6c0b43f1 100644
	--- a/arch/powerpc/Kconfig
	+++ b/arch/powerpc/Kconfig
	@@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
	prompt "Enable secure boot support"
	bool
	depends on PPC_POWERNV
	+ depends on IMA_ARCH_POLICY
	help
	Systems with firmware secure boot enabled need to define security
	policies to extend secure boot to the OS. This config allows a user
	diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
	index 40170ee52178..b82f7f5e5121 100644
	--- a/arch/powerpc/kernel/Makefile
	+++ b/arch/powerpc/kernel/Makefile
	@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
	obj-y += ucall.o
	endif

	-obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
	+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o

	# Disable GCOV, KCOV & sanitizers in odd or sensitive code
	GCOV_PROFILE_prom_init.o := n
	diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
	new file mode 100644
	index 000000000000..d88913dc0da7
	--- /dev/null
	+++ b/arch/powerpc/kernel/ima_arch.c
	@@ -0,0 +1,43 @@
	+// SPDX-License-Identifier: GPL-2.0
	+/*
	+ * Copyright (C) 2019 IBM Corporation
	+ * Author: Nayna Jain
	+ */
	+
	+#include <linux/ima.h>
	+#include <asm/secure_boot.h>
	+
	+bool arch_ima_get_secureboot(void)
	+{
	+ return is_ppc_secureboot_enabled();
	+}
	+
	+/*
	+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
	+ * These rules verify the file signatures against known good values.
	+ * The "appraise_type=imasig\|modsig" option allows the known good signature
	+ * to be stored as an xattr or as an appended signature.
	+ *
	+ * To avoid duplicate signature verification as much as possible, the IMA
	+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
	+ * is not enabled.
	+ */
	+static const char *const secure_rules[] = {
	+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\|modsig",
	+#ifndef CONFIG_MODULE_SIG_FORCE
	+ "appraise func=MODULE_CHECK appraise_type=imasig\|modsig",
	+#endif
	+ NULL
	+};
	+
	+/*
	+ * Returns the relevant IMA arch-specific policies based on the system secure
	+ * boot state.
	+ */
	+const char const arch_get_ima_policy(void)
	+{
	+ if (is_ppc_secureboot_enabled())
	+ return secure_rules;
	+
	+ return NULL;
	+}
	diff --git a/include/linux/ima.h b/include/linux/ima.h
	index 1c37f17f7203..6d904754d858 100644
	--- a/include/linux/ima.h
	+++ b/include/linux/ima.h
	@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
	extern void ima_add_kexec_buffer(struct kimage *image);
	#endif

	-#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) \|\| defined(CONFIG_S390)
	+#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) \|\| defined(CONFIG_S390) \
	+ \|\| defined(CONFIG_PPC_SECURE_BOOT)
	extern bool arch_ima_get_secureboot(void);
	extern const char * const *arch_get_ima_policy(void);
	#else