Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

powerpc/ima: Add support to initialize ima policy rules

PowerNV systems use a Linux-based bootloader, which relies on the IMA
subsystem to enforce different secure boot modes. Since the
verification policy may differ based on the secure boot mode of the
system, the policies must be defined at runtime.

This patch implements arch-specific support to define IMA policy rules
based on the runtime secure boot mode of the system.

This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com

authored by Nayna Jain and committed by Michael Ellerman
4238fad3 1a8916ee

+47 -2
+1
arch/powerpc/Kconfig
··· 938 938 prompt "Enable secure boot support" 939 939 bool 940 940 depends on PPC_POWERNV 941 + depends on IMA_ARCH_POLICY 941 942 help 942 943 Systems with firmware secure boot enabled need to define security 943 944 policies to extend secure boot to the OS. This config allows a user
+1 -1
arch/powerpc/kernel/Makefile
··· 161 161 obj-y += ucall.o 162 162 endif 163 163 164 - obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o 164 + obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o 165 165 166 166 # Disable GCOV, KCOV & sanitizers in odd or sensitive code 167 167 GCOV_PROFILE_prom_init.o := n
+43
arch/powerpc/kernel/ima_arch.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright (C) 2019 IBM Corporation 4 + * Author: Nayna Jain 5 + */ 6 + 7 + #include <linux/ima.h> 8 + #include <asm/secure_boot.h> 9 + 10 + bool arch_ima_get_secureboot(void) 11 + { 12 + return is_ppc_secureboot_enabled(); 13 + } 14 + 15 + /* 16 + * The "secure_rules" are enabled only on "secureboot" enabled systems. 17 + * These rules verify the file signatures against known good values. 18 + * The "appraise_type=imasig|modsig" option allows the known good signature 19 + * to be stored as an xattr or as an appended signature. 20 + * 21 + * To avoid duplicate signature verification as much as possible, the IMA 22 + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE 23 + * is not enabled. 24 + */ 25 + static const char *const secure_rules[] = { 26 + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 27 + #ifndef CONFIG_MODULE_SIG_FORCE 28 + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 29 + #endif 30 + NULL 31 + }; 32 + 33 + /* 34 + * Returns the relevant IMA arch-specific policies based on the system secure 35 + * boot state. 36 + */ 37 + const char *const *arch_get_ima_policy(void) 38 + { 39 + if (is_ppc_secureboot_enabled()) 40 + return secure_rules; 41 + 42 + return NULL; 43 + }
+2 -1
include/linux/ima.h
··· 29 29 extern void ima_add_kexec_buffer(struct kimage *image); 30 30 #endif 31 31 32 - #if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) 32 + #if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ 33 + || defined(CONFIG_PPC_SECURE_BOOT) 33 34 extern bool arch_ima_get_secureboot(void); 34 35 extern const char * const *arch_get_ima_policy(void); 35 36 #else
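Review bot: in the arch/powerpc/kernel/ima_arch.c hunk, the two exported functions arch_ima_get_secureboot() and arch_get_ima_policy() both reduce to is_ppc_secureboot_enabled() but carry no kerneldoc; a short comment on each stating what a `true` return and a non-NULL rule table mean for IMA's built-in policy would make the contract with include/linux/ima.h explicit. Note also that secure_rules contains only `appraise` rules for KEXEC_KERNEL_CHECK and MODULE_CHECK, so this table enforces signatures but adds no `measure` rule; if leaving measurement to the generic policy is intentional, the block comment above secure_rules should say so.

Review bot: in the include/linux/ima.h hunk, the `#if` guarding the arch_ima_get_secureboot()/arch_get_ima_policy() declarations now enumerates three per-arch conditions (X86 with EFI, S390, PPC_SECURE_BOOT), so every further architecture has to edit this generic header; a single Kconfig symbol selected by each architecture that provides these hooks would keep that knowledge out of the header. Style point on the same hunk: the continuation line starts with `|| defined(CONFIG_PPC_SECURE_BOOT)`, whereas checkpatch expects logical operators at the end of the preceding line.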