1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 2019 IBM Corporation 4 * Author: Nayna Jain 5 */ 6 7 #include <linux/ima.h> 8 #include <asm/secure_boot.h> 9 10 bool arch_ima_get_secureboot(void) 11 { 12 return is_ppc_secureboot_enabled(); 13 } 14 15 /* 16 * The "secure_rules" are enabled only on "secureboot" enabled systems. 17 * These rules verify the file signatures against known good values. 18 * The "appraise_type=imasig|modsig" option allows the known good signature 19 * to be stored as an xattr or as an appended signature. 20 * 21 * To avoid duplicate signature verification as much as possible, the IMA 22 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE 23 * is not enabled. 24 */ 25 static const char *const secure_rules[] = { 26 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 27 #ifndef CONFIG_MODULE_SIG_FORCE 28 "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 29 #endif 30 NULL 31 }; 32 33 /* 34 * Returns the relevant IMA arch-specific policies based on the system secure 35 * boot state. 36 */ 37 const char *const *arch_get_ima_policy(void) 38 { 39 if (is_ppc_secureboot_enabled()) 40 return secure_rules; 41 42 return NULL; 43 } 44