Joel Stanleya1fccbf2020-06-23 17:25:56 +09301From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2From: Mimi Zohar <zohar@linux.ibm.com>
3Date: Wed, 30 Oct 2019 23:31:34 -0400
4Subject: [PATCH 15/18] powerpc/ima: Indicate kernel modules appended
5 signatures are enforced
6
7The arch specific kernel module policy rule requires kernel modules to
8be signed, either as an IMA signature, stored as an xattr, or as an
9appended signature. As a result, kernel modules appended signatures
10could be enforced without "sig_enforce" being set or reflected in
11/sys/module/module/parameters/sig_enforce. This patch sets
12"sig_enforce".
13
14Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
15Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
16Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
17(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
18Signed-off-by: Joel Stanley <joel@jms.id.au>
19---
20 arch/powerpc/kernel/ima_arch.c | 8 ++++++--
21 1 file changed, 6 insertions(+), 2 deletions(-)
22
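--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
 */
 const char *const *arch_get_ima_policy(void)
 {
- if (is_ppc_secureboot_enabled())
+ if (is_ppc_secureboot_enabled()) {
+ if (IS_ENABLED(CONFIG_MODULE_SIG))
+ set_module_sig_enforced();
+
 if (is_ppc_trustedboot_enabled())
 return secure_and_trusted_rules;
 else
 return secure_rules;
- else if (is_ppc_trustedboot_enabled())
+ } else if (is_ppc_trustedboot_enabled()) {
 return trusted_rules;
+ }
 
 return NULL;
 }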
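Review bot: The new `set_module_sig_enforced()` call gives `arch_get_ima_policy()` a side effect that its name does not suggest, and nothing in the hunk documents it. The function's header comment starts outside the hunk, so whether it already covers this cannot be checked here. Add a comment above the call such as `/* Secure boot: latch module.sig_enforce so sysfs reflects the signature enforcement the arch policy already implies. */`. The header comment should also say that the function flips module signature enforcement, apparently for the rest of the boot, besides returning a rule table. When `CONFIG_MODULE_SIG` is off the call is skipped, so enforcement presumably rests on the IMA rules alone; those rule arrays are defined outside the hunk, so confirm they still require a signature in that configuration.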