1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3  * Copyright (C) 2018 IBM Corporation
4  */
5 #include <linux/module.h>
6 #include <linux/ima.h>
7 #include <linux/secure_boot.h>
8 
/*
 * secureboot arch rules
 *
 * IMA policy rule strings handed back by arch_get_ima_policy() when secure
 * boot is active; the table is NULL-terminated.
 *
 * An appraise rule is compiled in only where the kernel has no native
 * signature check for the same object type: when CONFIG_KEXEC_SIG or
 * CONFIG_MODULE_SIG is enabled, arch_get_ima_policy() instead switches on the
 * kexec/module signature enforcement and the matching appraise rule is left
 * out, so each object is signature-checked exactly once.  The measure rules
 * are unconditional.
 *
 * NOTE(review): IMA walks its policy rules in list order, so the order of
 * these entries is part of the policy — do not reorder without checking the
 * policy matching code.
 */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_SIG)
	/* No native kexec signature check: appraise kexec kernel images via IMA */
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
	"measure func=KEXEC_KERNEL_CHECK",
#if !IS_ENABLED(CONFIG_MODULE_SIG)
	/* No native module signature check: appraise kernel modules via IMA */
	"appraise func=MODULE_CHECK appraise_type=imasig",
#endif /* CONFIG_MODULE_SIG */
#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
	/*
	 * Require a signature on any IMA policy loaded at runtime.  Presumably
	 * needed because the machine keyring widens the set of trusted signers,
	 * so an unsigned policy update must not be able to relax these rules —
	 * confirm against the keyring Kconfig help text.
	 */
	"appraise func=POLICY_CHECK appraise_type=imasig",
#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */
	"measure func=MODULE_CHECK",
	NULL
};
24 
/**
 * arch_get_ima_policy - architecture IMA policy to apply under secure boot
 *
 * Only takes effect when CONFIG_IMA_ARCH_POLICY is enabled and
 * arch_get_secureboot() reports secure boot as enabled; with the config
 * option off, arch_get_secureboot() is never consulted.
 *
 * Side effect: on the secure boot path this also turns on kernel-side
 * signature enforcement for modules (CONFIG_MODULE_SIG) and kexec images
 * (CONFIG_KEXEC_SIG).  Those native checks stand in for the IMA appraise
 * rules that sb_arch_rules leaves out under the same config options, so the
 * table and the enforcement flags must stay in sync.
 *
 * Return: the NULL-terminated sb_arch_rules table, or NULL when no arch
 * policy applies.  A NULL return also means no enforcement was enabled here.
 */
const char * const *arch_get_ima_policy(void)
{
	/* Same short-circuit as the original: no secure boot probe if disabled */
	if (!IS_ENABLED(CONFIG_IMA_ARCH_POLICY) || !arch_get_secureboot())
		return NULL;

	/* Native signature checks replace the omitted IMA appraise rules */
	if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();
	if (IS_ENABLED(CONFIG_KEXEC_SIG))
		set_kexec_sig_enforced();

	return sb_arch_rules;
}