Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:34 -0400
Subject: [PATCH 13/17] powerpc/ima: Indicate kernel modules appended
 signatures are enforced

The arch specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature. As a result, kernel modules appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce. This patch sets
"sig_enforce".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
 arch/powerpc/kernel/ima_arch.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b9de0fb45bb9..e34116255ced 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
| 27 | @@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = { |
| 28 | */ |
| 29 | const char *const *arch_get_ima_policy(void) |
| 30 | { |
| 31 | - if (is_ppc_secureboot_enabled()) |
| 32 | + if (is_ppc_secureboot_enabled()) { |
| 33 | + if (IS_ENABLED(CONFIG_MODULE_SIG)) |
| 34 | + set_module_sig_enforced(); |
| 35 | + |
| 36 | if (is_ppc_trustedboot_enabled()) |
| 37 | return secure_and_trusted_rules; |
| 38 | else |
| 39 | return secure_rules; |
| 40 | - else if (is_ppc_trustedboot_enabled()) |
| 41 | + } else if (is_ppc_trustedboot_enabled()) { |
| 42 | return trusted_rules; |
| 43 | + } |
| 44 | |
| 45 | return NULL; |
| 46 | } |
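Review bot: the new `set_module_sig_enforced()` call under `IS_ENABLED(CONFIG_MODULE_SIG)` has no comment explaining why the arch IMA policy forces module signature enforcement; the rationale (the secure-boot module rule already requires signed modules, so `/sys/module/module/parameters/sig_enforce` should report what is actually enforced) lives only in the commit message, and a one-line comment above the `IS_ENABLED` check would keep it with the code. It is also worth confirming in review that the `trusted_rules` branch, which now returns without calling `set_module_sig_enforced()`, carries no module appraisal rule of its own, otherwise the same reporting mismatch this patch fixes would remain for trusted-boot-only systems.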