| Message ID | 1571508377-23603-5-git-send-email-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | powerpc: Enabling IMA arch specific secure boot policies | expand |
| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/apply_patch | success | Successfully applied on branch next (600802af9049be799465b24d14162918545634bf) |
| snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 46 lines checked |
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote: > This patch adds the measurement rules to the arch specific policies on > trusted boot enabled systems. This version does not add rules to the existing arch specific policy, but defines an arch specific trusted boot only policy and a combined secure and trusted boot policy. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > arch/powerpc/kernel/ima_arch.c | 34 +++++++++++++++++++++++++++++++++- > 1 file changed, 33 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > index 65d82ee74ea4..710872ea8f35 100644 > --- a/arch/powerpc/kernel/ima_arch.c > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -26,6 +26,32 @@ static const char *const secure_rules[] = { > NULL > }; > > +/* > + * The "measure_rules" are enabled only on "trustedboot" enabled systems. Please update the policy name to reflect the new "trusted_rules" name. > + * These rules add the kexec kernel image and kernel modules file hashes to > + * the IMA measurement list. > + */ > +static const char *const trusted_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK", > + "measure func=MODULE_CHECK", > + NULL > +}; > + > +/* > + * The "secure_and_trusted_rules" contains rules for both the secure boot and > + * trusted boot. The "template=ima-modsig" option includes the appended > + * signature, when available, in the IMA measurement list. > + */ > +static const char *const secure_and_trusted_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > + "measure func=MODULE_CHECK template=ima-modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#ifndef CONFIG_MODULE_SIG_FORCE > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif > + NULL > +}; > + > /* > * Returns the relevant IMA arch-specific policies based on the system secure > * boot state. > @@ -33,7 +59,13 @@ static const char *const secure_rules[] = { > const char *const *arch_get_ima_policy(void) > { > if (is_ppc_secureboot_enabled()) > - return secure_rules; > + if (is_ppc_trustedboot_enabled()) > + return secure_and_trusted_rules; > + else > + return secure_rules; > + else > + if (is_ppc_trustedboot_enabled()) No need for the "if" statement to be on a separate line. Please combine the "else" and "if" statements. Mimi > + return trusted_rules; > > return NULL; > }
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index 65d82ee74ea4..710872ea8f35 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c @@ -26,6 +26,32 @@ static const char *const secure_rules[] = { NULL }; +/* + * The "measure_rules" are enabled only on "trustedboot" enabled systems. + * These rules add the kexec kernel image and kernel modules file hashes to + * the IMA measurement list. + */ +static const char *const trusted_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + NULL +}; + +/* + * The "secure_and_trusted_rules" contains rules for both the secure boot and + * trusted boot. The "template=ima-modsig" option includes the appended + * signature, when available, in the IMA measurement list. + */ +static const char *const secure_and_trusted_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "measure func=MODULE_CHECK template=ima-modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#ifndef CONFIG_MODULE_SIG_FORCE + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + /* * Returns the relevant IMA arch-specific policies based on the system secure * boot state. @@ -33,7 +59,13 @@ static const char *const secure_rules[] = { const char *const *arch_get_ima_policy(void) { if (is_ppc_secureboot_enabled()) - return secure_rules; + if (is_ppc_trustedboot_enabled()) + return secure_and_trusted_rules; + else + return secure_rules; + else + if (is_ppc_trustedboot_enabled()) + return trusted_rules; return NULL; }
This patch adds the measurement rules to the arch specific policies on trusted boot enabled systems. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- arch/powerpc/kernel/ima_arch.c | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-)