Olivier Deprez | 157378f | 2022-04-04 15:47:50 +0200 | [diff] [blame^] | 1 | // SPDX-License-Identifier: GPL-2.0 |
| 2 | /* |
| 3 | * Copyright (C) 2019 IBM Corporation |
| 4 | * Author: Nayna Jain |
| 5 | */ |
| 6 | |
| 7 | #include <linux/ima.h> |
| 8 | #include <asm/secure_boot.h> |
| 9 | |
/*
 * Report the platform secure boot state to IMA.
 *
 * Return: whatever is_ppc_secureboot_enabled() reports; no other state is
 * consulted here.
 */
bool arch_ima_get_secureboot(void)
{
	const bool secureboot_on = is_ppc_secureboot_enabled();

	return secureboot_on;
}
| 14 | |
/*
 * IMA appraise rules that arch_get_ima_policy() returns when secure boot is
 * enabled and trusted boot is not.
 *
 * Every rule verifies a file signature against known good values.
 * "appraise_type=imasig|modsig" accepts that signature either as an xattr
 * or as an appended signature, and "appraise_flag=check_blacklist" is set
 * on every rule.
 *
 * The MODULE_CHECK rule is compiled out when CONFIG_MODULE_SIG is set, so
 * that module signatures are not verified twice. In that configuration
 * arch_get_ima_policy() calls set_module_sig_enforced() instead.
 * NOTE(review): confirm that path gives modules blacklist coverage
 * equivalent to check_blacklist.
 *
 * The table is NULL-terminated.
 */
static const char *const secure_rules[] = {
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};
| 32 | |
/*
 * IMA measure rules that arch_get_ima_policy() returns when trusted boot is
 * enabled and secure boot is not.
 *
 * They add the file hashes of the kexec kernel image and of kernel modules
 * to the IMA measurement list. The table holds no appraise rule, so on its
 * own it records what was loaded but does not require a signature.
 *
 * The table is NULL-terminated.
 */
static const char *const trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK",
	"measure func=MODULE_CHECK",
	NULL
};
| 43 | |
/*
 * Combined rule set that arch_get_ima_policy() returns when both secure
 * boot and trusted boot are enabled.
 *
 * The measure rules use "template=ima-modsig", which includes the appended
 * signature, when available, in the IMA measurement list. The appraise
 * rules are the same strings as in secure_rules, including the
 * CONFIG_MODULE_SIG exclusion of the MODULE_CHECK appraise rule; keep the
 * two tables in step when either one changes.
 *
 * The table is NULL-terminated.
 */
static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};
| 58 | |
/*
 * Select the arch-specific IMA policy rules from the secure boot and
 * trusted boot state of the system.
 *
 * Side effect: when secure boot is enabled and CONFIG_MODULE_SIG is built
 * in, set_module_sig_enforced() is called before the rules are returned.
 * The rule tables omit the MODULE_CHECK appraise rule in that same
 * configuration, so this call is what stands in for it.
 *
 * Return: a NULL-terminated array of policy rule strings, or NULL when
 * neither secure boot nor trusted boot is enabled.
 */
const char *const *arch_get_ima_policy(void)
{
	/* Without secure boot only the measurement rules can apply. */
	if (!is_ppc_secureboot_enabled())
		return is_ppc_trustedboot_enabled() ? trusted_rules : NULL;

	if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();

	return is_ppc_trustedboot_enabled() ? secure_and_trusted_rules
					    : secure_rules;
}