]>
Commit | Line | Data |
---|---|---|
4238fad3 NJ |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * Copyright (C) 2019 IBM Corporation | |
4 | * Author: Nayna Jain | |
5 | */ | |
6 | ||
7 | #include <linux/ima.h> | |
8 | #include <asm/secure_boot.h> | |
9 | ||
10 | bool arch_ima_get_secureboot(void) | |
11 | { | |
12 | return is_ppc_secureboot_enabled(); | |
13 | } | |
14 | ||
15 | /* | |
16 | * The "secure_rules" are enabled only on "secureboot" enabled systems. | |
17 | * These rules verify the file signatures against known good values. | |
18 | * The "appraise_type=imasig|modsig" option allows the known good signature | |
19 | * to be stored as an xattr or as an appended signature. | |
20 | * | |
21 | * To avoid duplicate signature verification as much as possible, the IMA | |
fa4f3f56 | 22 | * policy rule for module appraisal is added only if CONFIG_MODULE_SIG |
4238fad3 NJ |
23 | * is not enabled. |
24 | */ | |
25 | static const char *const secure_rules[] = { | |
dc87f186 | 26 | "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
fa4f3f56 | 27 | #ifndef CONFIG_MODULE_SIG |
dc87f186 | 28 | "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
4238fad3 NJ |
29 | #endif |
30 | NULL | |
31 | }; | |
32 | ||
1917855f NJ |
33 | /* |
34 | * The "trusted_rules" are enabled only on "trustedboot" enabled systems. | |
35 | * These rules add the kexec kernel image and kernel modules file hashes to | |
36 | * the IMA measurement list. | |
37 | */ | |
38 | static const char *const trusted_rules[] = { | |
39 | "measure func=KEXEC_KERNEL_CHECK", | |
40 | "measure func=MODULE_CHECK", | |
41 | NULL | |
42 | }; | |
43 | ||
44 | /* | |
45 | * The "secure_and_trusted_rules" contains rules for both the secure boot and | |
46 | * trusted boot. The "template=ima-modsig" option includes the appended | |
47 | * signature, when available, in the IMA measurement list. | |
48 | */ | |
49 | static const char *const secure_and_trusted_rules[] = { | |
50 | "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", | |
51 | "measure func=MODULE_CHECK template=ima-modsig", | |
dc87f186 | 52 | "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
fa4f3f56 | 53 | #ifndef CONFIG_MODULE_SIG |
dc87f186 | 54 | "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", |
1917855f NJ |
55 | #endif |
56 | NULL | |
57 | }; | |
58 | ||
4238fad3 NJ |
59 | /* |
60 | * Returns the relevant IMA arch-specific policies based on the system secure | |
61 | * boot state. | |
62 | */ | |
63 | const char *const *arch_get_ima_policy(void) | |
64 | { | |
d72ea491 MZ |
65 | if (is_ppc_secureboot_enabled()) { |
66 | if (IS_ENABLED(CONFIG_MODULE_SIG)) | |
67 | set_module_sig_enforced(); | |
68 | ||
1917855f NJ |
69 | if (is_ppc_trustedboot_enabled()) |
70 | return secure_and_trusted_rules; | |
71 | else | |
72 | return secure_rules; | |
d72ea491 | 73 | } else if (is_ppc_trustedboot_enabled()) { |
1917855f | 74 | return trusted_rules; |
d72ea491 | 75 | } |
4238fad3 NJ |
76 | |
77 | return NULL; | |
78 | } |