| 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nayna Jain <nayna@linux.ibm.com> |
| 3 | Date: Wed, 30 Oct 2019 23:31:29 -0400 |
| 4 | Subject: [PATCH 05/19] powerpc/ima: Define trusted boot policy |
| 5 | |
| 6 | This patch defines an arch-specific trusted boot only policy and a |
| 7 | combined secure and trusted boot policy. |
| 8 | |
| 9 | Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| 10 | Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> |
| 11 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| 12 | Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com |
| 13 | (cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24) |
| 14 | Signed-off-by: Joel Stanley <joel@jms.id.au> |
| 15 | --- |
| 16 | arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++- |
| 17 | 1 file changed, 32 insertions(+), 1 deletion(-) |
| 18 | |
| 19 | diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c |
| 20 | index d88913dc0da7..0ef5956c9753 100644 |
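--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
 NULL
 };
 
+/*
+ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
+ * These rules add the kexec kernel image and kernel modules file hashes to
+ * the IMA measurement list.
+ */
+static const char *const trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK",
+ "measure func=MODULE_CHECK",
+ NULL
+};
+
+/*
+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
+ * trusted boot. The "template=ima-modsig" option includes the appended
+ * signature, when available, in the IMA measurement list.
+ */
+static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
+#ifndef CONFIG_MODULE_SIG_FORCE
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+#endif
+ NULL
+};
+
 /*
 * Returns the relevant IMA arch-specific policies based on the system secure
 * boot state.
@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
 const char *const *arch_get_ima_policy(void)
 {
 if (is_ppc_secureboot_enabled())
- return secure_rules;
+ if (is_ppc_trustedboot_enabled())
+ return secure_and_trusted_rules;
+ else
+ return secure_rules;
+ else if (is_ppc_trustedboot_enabled())
+ return trusted_rules;
 
 return NULL;
 }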
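Review bot: The nested `if`/`else` chain added to arch_get_ima_policy() in the second hunk has no braces, so the pairing of each `else` rests only on C's nearest-`if` rule, in the one place that decides whether the appraise rules are returned at all. Bracing the outer branches makes the pairing explicit and keeps it intact if a statement is later added under the secure-boot branch: `if (is_ppc_secureboot_enabled()) {`, `} else if (is_ppc_trustedboot_enabled()) {`, and a closing `}` before `return NULL;`. The function's header comment, visible as context at the end of the first hunk, still says the result depends on the secure boot state only; it should be updated to `Returns the relevant IMA arch-specific policies based on the system secure boot and trusted boot state.` It would also help to note in the `secure_and_trusted_rules` comment that the `MODULE_CHECK` appraise rule is compiled out under `CONFIG_MODULE_SIG_FORCE`, presumably because module signature enforcement covers that case.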