1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 2019 IBM Corporation 4 * Author: Nayna Jain 5 */ 6 7 #include <linux/ima.h> 8 #include <asm/secure_boot.h> 9 10 bool arch_ima_get_secureboot(void) 11 { 12 return is_ppc_secureboot_enabled(); 13 } 14 15 /* 16 * The "secure_rules" are enabled only on "secureboot" enabled systems. 17 * These rules verify the file signatures against known good values. 18 * The "appraise_type=imasig|modsig" option allows the known good signature 19 * to be stored as an xattr or as an appended signature. 20 * 21 * To avoid duplicate signature verification as much as possible, the IMA 22 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE 23 * is not enabled. 24 */ 25 static const char *const secure_rules[] = { 26 "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", 27 #ifndef CONFIG_MODULE_SIG_FORCE 28 "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", 29 #endif 30 NULL 31 }; 32 33 /* 34 * The "trusted_rules" are enabled only on "trustedboot" enabled systems. 35 * These rules add the kexec kernel image and kernel modules file hashes to 36 * the IMA measurement list. 37 */ 38 static const char *const trusted_rules[] = { 39 "measure func=KEXEC_KERNEL_CHECK", 40 "measure func=MODULE_CHECK", 41 NULL 42 }; 43 44 /* 45 * The "secure_and_trusted_rules" contains rules for both the secure boot and 46 * trusted boot. The "template=ima-modsig" option includes the appended 47 * signature, when available, in the IMA measurement list. 48 */ 49 static const char *const secure_and_trusted_rules[] = { 50 "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", 51 "measure func=MODULE_CHECK template=ima-modsig", 52 "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", 53 #ifndef CONFIG_MODULE_SIG_FORCE 54 "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", 55 #endif 56 NULL 57 }; 58 59 /* 60 * Returns the relevant IMA arch-specific policies based on the system secure 61 * boot state. 62 */ 63 const char *const *arch_get_ima_policy(void) 64 { 65 if (is_ppc_secureboot_enabled()) { 66 if (IS_ENABLED(CONFIG_MODULE_SIG)) 67 set_module_sig_enforced(); 68 69 if (is_ppc_trustedboot_enabled()) 70 return secure_and_trusted_rules; 71 else 72 return secure_rules; 73 } else if (is_ppc_trustedboot_enabled()) { 74 return trusted_rules; 75 } 76 77 return NULL; 78 } 79