| Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nayna Jain <nayna@linux.ibm.com> |
| 3 | Date: Wed, 30 Oct 2019 23:31:33 -0400 |
| 4 | Subject: [PATCH 09/18] powerpc/ima: Update ima arch policy to check for |
| 5 | blacklist |
| 6 | |
| 7 | This patch updates the arch-specific policies for PowerNV system to |
| 8 | make sure that the binary hash is not blacklisted. |
| 9 | |
| 10 | Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| 11 | Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| 12 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| 13 | Link: https://lore.kernel.org/r/1572492694-6520-9-git-send-email-zohar@linux.ibm.com |
| 14 | (cherry picked from commit dc87f18615db9dc74a75cfb4a57ed33b07a3903a) |
| 15 | Signed-off-by: Joel Stanley <joel@jms.id.au> |
| 16 | --- |
| 17 | arch/powerpc/kernel/ima_arch.c | 8 ++++---- |
| 18 | 1 file changed, 4 insertions(+), 4 deletions(-) |
| 19 | |
| 20 | diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c |
| 21 | index 0ef5956c9753..b9de0fb45bb9 100644 |
| 22 | --- a/arch/powerpc/kernel/ima_arch.c |
| 23 | +++ b/arch/powerpc/kernel/ima_arch.c |
| 24 | @@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void) |
| 25 | * is not enabled. |
| 26 | */ |
| 27 | static const char *const secure_rules[] = { |
| 28 | - "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", |
| 29 | + "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 30 | #ifndef CONFIG_MODULE_SIG_FORCE |
| 31 | - "appraise func=MODULE_CHECK appraise_type=imasig|modsig", |
| 32 | + "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 33 | #endif |
| 34 | NULL |
| 35 | }; |
| 36 | @@ -49,9 +49,9 @@ static const char *const trusted_rules[] = { |
| 37 | static const char *const secure_and_trusted_rules[] = { |
| 38 | "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", |
| 39 | "measure func=MODULE_CHECK template=ima-modsig", |
| 40 | - "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", |
| 41 | + "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 42 | #ifndef CONFIG_MODULE_SIG_FORCE |
| 43 | - "appraise func=MODULE_CHECK appraise_type=imasig|modsig", |
| 44 | + "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
| 45 | #endif |
| 46 | NULL |
| 47 | }; |