// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2019 IBM Corporation
 * Author: Nayna Jain
 */

#include <linux/ima.h>
#include <asm/secure_boot.h>

/*
 * Report the secure boot state by forwarding the result of
 * is_ppc_secureboot_enabled().
 */
bool arch_ima_get_secureboot(void)
{
	return is_ppc_secureboot_enabled();
}

/*
 * Rules returned when only secure boot is enabled. They appraise the kexec
 * kernel image and kernel modules, i.e. verify the file signatures against
 * known good values. "appraise_type=imasig|modsig" lets that signature be
 * stored either as an xattr or as an appended signature.
 *
 * The MODULE_CHECK appraise rule is compiled in only when CONFIG_MODULE_SIG
 * is not enabled, so that module signatures are not verified twice where
 * that can be avoided.
 *
 * NOTE(review): in a CONFIG_MODULE_SIG build no rule in this table applies
 * "appraise_flag=check_blacklist" to modules; confirm that the module
 * signature path gives equivalent blacklist coverage.
 *
 * The table is NULL-terminated.
 */
static const char *const secure_rules[] = {
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};

/*
 * Rules returned when only trusted boot is enabled. They add the file hashes
 * of the kexec kernel image and of kernel modules to the IMA measurement
 * list. These rules measure only; they contain no appraise rule.
 *
 * The table is NULL-terminated.
 */
static const char *const trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK",
	"measure func=MODULE_CHECK",
	NULL
};

/*
 * Rules returned when secure boot and trusted boot are both enabled: the
 * measure rules plus the appraise rules. "template=ima-modsig" includes the
 * appended signature, when available, in the IMA measurement list.
 *
 * The appraise entries repeat those of secure_rules, including the
 * CONFIG_MODULE_SIG guard; keep the two tables in sync when either changes.
 *
 * The table is NULL-terminated.
 */
static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};

/*
 * Select the arch-specific IMA policy from the secure boot and trusted boot
 * state of the system.
 *
 * Returns secure_and_trusted_rules when both are enabled, secure_rules when
 * only secure boot is enabled, trusted_rules when only trusted boot is
 * enabled, and NULL when neither is.
 *
 * Side effect: when secure boot is enabled and the kernel is built with
 * CONFIG_MODULE_SIG, set_module_sig_enforced() is called before the table is
 * chosen.
 */
const char *const *arch_get_ima_policy(void)
{
	const bool secure = is_ppc_secureboot_enabled();

	/*
	 * The tables above leave out the MODULE_CHECK appraise rule in a
	 * CONFIG_MODULE_SIG build, so module verification is left to the
	 * module signature check; judging by its name, this call makes that
	 * check mandatory (confirm against its definition).
	 */
	if (secure && IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();

	if (is_ppc_trustedboot_enabled())
		return secure ? secure_and_trusted_rules : trusted_rules;

	return secure ? secure_rules : NULL;
}