1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 2019 IBM Corporation 4 * Author: Nayna Jain 5 */ 6 7 #include <linux/ima.h> 8 #include <asm/secure_boot.h> 9 10 /* 11 * The "secure_rules" are enabled only on "secureboot" enabled systems. 12 * These rules verify the file signatures against known good values. 13 * The "appraise_type=imasig|modsig" option allows the known good signature 14 * to be stored as an xattr or as an appended signature. 15 * 16 * To avoid duplicate signature verification as much as possible, the IMA 17 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG 18 * is not enabled. 19 */ 20 static const char *const secure_rules[] = { 21 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 22 #ifndef CONFIG_MODULE_SIG 23 "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 24 #endif 25 NULL 26 }; 27 28 /* 29 * The "trusted_rules" are enabled only on "trustedboot" enabled systems. 30 * These rules add the kexec kernel image and kernel modules file hashes to 31 * the IMA measurement list. 32 */ 33 static const char *const trusted_rules[] = { 34 "measure func=KEXEC_KERNEL_CHECK", 35 "measure func=MODULE_CHECK", 36 NULL 37 }; 38 39 /* 40 * The "secure_and_trusted_rules" contains rules for both the secure boot and 41 * trusted boot. The "template=ima-modsig" option includes the appended 42 * signature, when available, in the IMA measurement list. 43 */ 44 static const char *const secure_and_trusted_rules[] = { 45 "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", 46 "measure func=MODULE_CHECK template=ima-modsig", 47 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 48 #ifndef CONFIG_MODULE_SIG 49 "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 50 #endif 51 NULL 52 }; 53 54 /* 55 * Returns the relevant IMA arch-specific policies based on the system secure 56 * boot state. 57 */ 58 const char *const *arch_get_ima_policy(void) 59 { 60 if (is_ppc_secureboot_enabled()) { 61 if (IS_ENABLED(CONFIG_MODULE_SIG)) 62 set_module_sig_enforced(); 63 64 if (is_ppc_trustedboot_enabled()) 65 return secure_and_trusted_rules; 66 else 67 return secure_rules; 68 } else if (is_ppc_trustedboot_enabled()) { 69 return trusted_rules; 70 } 71 72 return NULL; 73 } 74