14238fad3SNayna Jain // SPDX-License-Identifier: GPL-2.0 24238fad3SNayna Jain /* 34238fad3SNayna Jain * Copyright (C) 2019 IBM Corporation 44238fad3SNayna Jain * Author: Nayna Jain 54238fad3SNayna Jain */ 64238fad3SNayna Jain 74238fad3SNayna Jain #include <linux/ima.h> 84238fad3SNayna Jain #include <asm/secure_boot.h> 94238fad3SNayna Jain 104238fad3SNayna Jain bool arch_ima_get_secureboot(void) 114238fad3SNayna Jain { 124238fad3SNayna Jain return is_ppc_secureboot_enabled(); 134238fad3SNayna Jain } 144238fad3SNayna Jain 154238fad3SNayna Jain /* 164238fad3SNayna Jain * The "secure_rules" are enabled only on "secureboot" enabled systems. 174238fad3SNayna Jain * These rules verify the file signatures against known good values. 184238fad3SNayna Jain * The "appraise_type=imasig|modsig" option allows the known good signature 194238fad3SNayna Jain * to be stored as an xattr or as an appended signature. 204238fad3SNayna Jain * 214238fad3SNayna Jain * To avoid duplicate signature verification as much as possible, the IMA 224238fad3SNayna Jain * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE 234238fad3SNayna Jain * is not enabled. 244238fad3SNayna Jain */ 254238fad3SNayna Jain static const char *const secure_rules[] = { 264238fad3SNayna Jain "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 274238fad3SNayna Jain #ifndef CONFIG_MODULE_SIG_FORCE 284238fad3SNayna Jain "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 294238fad3SNayna Jain #endif 304238fad3SNayna Jain NULL 314238fad3SNayna Jain }; 324238fad3SNayna Jain 334238fad3SNayna Jain /* 341917855fSNayna Jain * The "trusted_rules" are enabled only on "trustedboot" enabled systems. 351917855fSNayna Jain * These rules add the kexec kernel image and kernel modules file hashes to 361917855fSNayna Jain * the IMA measurement list. 371917855fSNayna Jain */ 381917855fSNayna Jain static const char *const trusted_rules[] = { 391917855fSNayna Jain "measure func=KEXEC_KERNEL_CHECK", 401917855fSNayna Jain "measure func=MODULE_CHECK", 411917855fSNayna Jain NULL 421917855fSNayna Jain }; 431917855fSNayna Jain 441917855fSNayna Jain /* 451917855fSNayna Jain * The "secure_and_trusted_rules" contains rules for both the secure boot and 461917855fSNayna Jain * trusted boot. The "template=ima-modsig" option includes the appended 471917855fSNayna Jain * signature, when available, in the IMA measurement list. 481917855fSNayna Jain */ 491917855fSNayna Jain static const char *const secure_and_trusted_rules[] = { 501917855fSNayna Jain "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", 511917855fSNayna Jain "measure func=MODULE_CHECK template=ima-modsig", 521917855fSNayna Jain "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 531917855fSNayna Jain #ifndef CONFIG_MODULE_SIG_FORCE 541917855fSNayna Jain "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 551917855fSNayna Jain #endif 561917855fSNayna Jain NULL 571917855fSNayna Jain }; 581917855fSNayna Jain 591917855fSNayna Jain /* 604238fad3SNayna Jain * Returns the relevant IMA arch-specific policies based on the system secure 614238fad3SNayna Jain * boot state. 624238fad3SNayna Jain */ 634238fad3SNayna Jain const char *const *arch_get_ima_policy(void) 644238fad3SNayna Jain { 654238fad3SNayna Jain if (is_ppc_secureboot_enabled()) 661917855fSNayna Jain if (is_ppc_trustedboot_enabled()) 671917855fSNayna Jain return secure_and_trusted_rules; 681917855fSNayna Jain else 694238fad3SNayna Jain return secure_rules; 701917855fSNayna Jain else if (is_ppc_trustedboot_enabled()) 711917855fSNayna Jain return trusted_rules; 724238fad3SNayna Jain 734238fad3SNayna Jain return NULL; 744238fad3SNayna Jain } 75