Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nayna Jain <nayna@linux.ibm.com> |
| 3 | Date: Fri, 1 May 2020 10:16:52 -0400 |
Joel Stanley | cb9bf57 | 2020-09-29 16:18:12 +0930 | 4 | Subject: [PATCH 16/19] powerpc/ima: Fix secure boot rules in ima arch policy |
Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | 5 | |
| 6 | To prevent verifying the kernel module appended signature |
| 7 | twice (finit_module), once by the module_sig_check() and again by IMA, |
| 8 | powerpc secure boot rules define an IMA architecture specific policy |
| 9 | rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This, |
| 10 | unfortunately, does not take into account the ability of enabling |
| 11 | "sig_enforce" on the boot command line (module.sig_enforce=1). |
| 12 | |
| 13 | Including the IMA module appraise rule results in failing the |
| 14 | finit_module syscall, unless the module signing public key is loaded |
| 15 | onto the IMA keyring. |
| 16 | |
| 17 | This patch fixes secure boot policy rules to be based on |
| 18 | CONFIG_MODULE_SIG instead. |
| 19 | |
| 20 | Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules") |
| 21 | Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| 22 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| 23 | Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| 24 | Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com |
| 25 | (cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4) |
| 26 | Signed-off-by: Joel Stanley <joel@jms.id.au> |
| 27 | --- |
| 28 | arch/powerpc/kernel/ima_arch.c | 6 +++--- |
| 29 | 1 file changed, 3 insertions(+), 3 deletions(-) |
| 30 | |
| 31 | diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c |
| 32 | index e34116255ced..957abd592075 100644 |
| 33 | --- a/arch/powerpc/kernel/ima_arch.c |
| 34 | +++ b/arch/powerpc/kernel/ima_arch.c |
| 35 | @@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void) |
| 36 | * to be stored as an xattr or as an appended signature. |
| 37 | * |
| 38 | * To avoid duplicate signature verification as much as possible, the IMA |
| 39 | - * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE |
| 40 | + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG |
| 41 | * is not enabled. |
| 42 | */ |
| 43 | static const char *const secure_rules[] = { |
| 44 | "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 45 | -#ifndef CONFIG_MODULE_SIG_FORCE |
| 46 | +#ifndef CONFIG_MODULE_SIG |
| 47 | "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 48 | #endif |
| 49 | NULL |
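Review bot: the "#ifndef CONFIG_MODULE_SIG" guard in secure_rules compiles out the MODULE_CHECK appraise rule for every kernel built with CONFIG_MODULE_SIG, but CONFIG_MODULE_SIG on its own does not make module_sig_check() reject unsigned modules. As the commit message says, enforcement comes from CONFIG_MODULE_SIG_FORCE or module.sig_enforce=1. On a secure-boot system built with CONFIG_MODULE_SIG where neither is set, nothing in the lines shown here leaves an enforcing check on finit_module from either path. Suggest turning enforcement on where the arch policy is selected for secure boot (for example with set_module_sig_enforced()), or pointing to where that already happens. The block comment above secure_rules should also say that the guard is CONFIG_MODULE_SIG because sig_enforce can be set at boot, so the next reader does not narrow it back to CONFIG_MODULE_SIG_FORCE.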
| 50 | @@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = { |
| 51 | "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", |
| 52 | "measure func=MODULE_CHECK template=ima-modsig", |
| 53 | "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 54 | -#ifndef CONFIG_MODULE_SIG_FORCE |
| 55 | +#ifndef CONFIG_MODULE_SIG |
| 56 | "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 57 | #endif |
| 58 | NULL |
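Review bot: the MODULE_CHECK appraise rule guarded here in secure_and_trusted_rules carries appraise_flag=check_blacklist, so compiling it out under CONFIG_MODULE_SIG also removes the IMA blacklist check for modules on a wider set of kernels than before. Please confirm, in the commit message or a comment, that the module_sig_check() path gives equivalent blacklist coverage for appended signatures, or say explicitly that this is an accepted trade-off for avoiding the double verification. It would also help to note next to this array that "measure func=MODULE_CHECK template=ima-modsig" stays unconditional, so module loads are still measured when the appraise rule is absent.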