xref: /linux/arch/powerpc/kernel/ima_arch.c (revision 31a6a07eefeb4c84bd6730fbe9e95fd9221712cf) 
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2019 IBM Corporation
4  * Author: Nayna Jain
5  */
6 
7 #include <linux/ima.h>
8 #include <asm/secure_boot.h>
9 
10 /*
11  * The "secure_rules" are enabled only on "secureboot" enabled systems.
12  * These rules verify the file signatures against known good values.
13  * The "appraise_type=imasig|modsig" option allows the known good signature
14  * to be stored as an xattr or as an appended signature.
15  *
16  * To avoid duplicate signature verification as much as possible, the IMA
17  * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
18  * is not enabled.
19  */
20 static const char *const secure_rules[] = {
21 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
22 #ifndef CONFIG_MODULE_SIG
23 	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
24 #endif
25 	NULL
26 };
27 
28 /*
29  * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
30  * These rules add the kexec kernel image and kernel modules file hashes to
31  * the IMA measurement list.
32  */
33 static const char *const trusted_rules[] = {
34 	"measure func=KEXEC_KERNEL_CHECK",
35 	"measure func=MODULE_CHECK",
36 	NULL
37 };
38 
39 /*
40  * The "secure_and_trusted_rules" contains rules for both the secure boot and
41  * trusted boot. The "template=ima-modsig" option includes the appended
42  * signature, when available, in the IMA measurement list.
43  */
44 static const char *const secure_and_trusted_rules[] = {
45 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
46 	"measure func=MODULE_CHECK template=ima-modsig",
47 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
48 #ifndef CONFIG_MODULE_SIG
49 	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
50 #endif
51 	NULL
52 };
53 
54 /*
55  * Returns the relevant IMA arch-specific policies based on the system secure
56  * boot state.
57  */
58 const char *const *arch_get_ima_policy(void)
59 {
60 	if (is_ppc_secureboot_enabled()) {
61 		if (IS_ENABLED(CONFIG_MODULE_SIG))
62 			set_module_sig_enforced();
63 
64 		if (is_ppc_trustedboot_enabled())
65 			return secure_and_trusted_rules;
66 		else
67 			return secure_rules;
68 	} else if (is_ppc_trustedboot_enabled()) {
69 		return trusted_rules;
70 	}
71 
72 	return NULL;
73 }
74