linux/arch/powerpc/kernel/ima_arch.c
<<
>>
Prefs 
   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * Copyright (C) 2019 IBM Corporation
   4 * Author: Nayna Jain
   5 */
   6
   7#include <linux/ima.h>
   8#include <asm/secure_boot.h>
   9
  10bool arch_ima_get_secureboot(void)
  11{
  12        return is_ppc_secureboot_enabled();
  13}
  14
  15/*
  16 * The "secure_rules" are enabled only on "secureboot" enabled systems.
  17 * These rules verify the file signatures against known good values.
  18 * The "appraise_type=imasig|modsig" option allows the known good signature
  19 * to be stored as an xattr or as an appended signature.
  20 *
  21 * To avoid duplicate signature verification as much as possible, the IMA
  22 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
  23 * is not enabled.
  24 */
  25static const char *const secure_rules[] = {
  26        "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  27#ifndef CONFIG_MODULE_SIG
  28        "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  29#endif
  30        NULL
  31};
  32
  33/*
  34 * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
  35 * These rules add the kexec kernel image and kernel modules file hashes to
  36 * the IMA measurement list.
  37 */
  38static const char *const trusted_rules[] = {
  39        "measure func=KEXEC_KERNEL_CHECK",
  40        "measure func=MODULE_CHECK",
  41        NULL
  42};
  43
  44/*
  45 * The "secure_and_trusted_rules" contains rules for both the secure boot and
  46 * trusted boot. The "template=ima-modsig" option includes the appended
  47 * signature, when available, in the IMA measurement list.
  48 */
  49static const char *const secure_and_trusted_rules[] = {
  50        "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
  51        "measure func=MODULE_CHECK template=ima-modsig",
  52        "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  53#ifndef CONFIG_MODULE_SIG
  54        "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
  55#endif
  56        NULL
  57};
  58
  59/*
  60 * Returns the relevant IMA arch-specific policies based on the system secure
  61 * boot state.
  62 */
  63const char *const *arch_get_ima_policy(void)
  64{
  65        if (is_ppc_secureboot_enabled()) {
  66                if (IS_ENABLED(CONFIG_MODULE_SIG))
  67                        set_module_sig_enforced();
  68
  69                if (is_ppc_trustedboot_enabled())
  70                        return secure_and_trusted_rules;
  71                else
  72                        return secure_rules;
  73        } else if (is_ppc_trustedboot_enabled()) {
  74                return trusted_rules;
  75        }
  76
  77        return NULL;
  78}
  79
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.