xref: /openbmc/linux/arch/powerpc/kernel/ima_arch.c (revision 76426e23)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2019 IBM Corporation
4  * Author: Nayna Jain
5  */
6 
7 #include <linux/ima.h>
8 #include <asm/secure_boot.h>
9 
10 bool arch_ima_get_secureboot(void)
11 {
12 	return is_ppc_secureboot_enabled();
13 }
14 
15 /*
16  * The "secure_rules" are enabled only on "secureboot" enabled systems.
17  * These rules verify the file signatures against known good values.
18  * The "appraise_type=imasig|modsig" option allows the known good signature
19  * to be stored as an xattr or as an appended signature.
20  *
21  * To avoid duplicate signature verification as much as possible, the IMA
22  * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
23  * is not enabled.
24  */
25 static const char *const secure_rules[] = {
26 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
27 #ifndef CONFIG_MODULE_SIG_FORCE
28 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
29 #endif
30 	NULL
31 };
32 
33 /*
34  * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
35  * These rules add the kexec kernel image and kernel modules file hashes to
36  * the IMA measurement list.
37  */
38 static const char *const trusted_rules[] = {
39 	"measure func=KEXEC_KERNEL_CHECK",
40 	"measure func=MODULE_CHECK",
41 	NULL
42 };
43 
44 /*
45  * The "secure_and_trusted_rules" contains rules for both the secure boot and
46  * trusted boot. The "template=ima-modsig" option includes the appended
47  * signature, when available, in the IMA measurement list.
48  */
49 static const char *const secure_and_trusted_rules[] = {
50 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
51 	"measure func=MODULE_CHECK template=ima-modsig",
52 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
53 #ifndef CONFIG_MODULE_SIG_FORCE
54 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
55 #endif
56 	NULL
57 };
58 
59 /*
60  * Returns the relevant IMA arch-specific policies based on the system secure
61  * boot state.
62  */
63 const char *const *arch_get_ima_policy(void)
64 {
65 	if (is_ppc_secureboot_enabled()) {
66 		if (IS_ENABLED(CONFIG_MODULE_SIG))
67 			set_module_sig_enforced();
68 
69 		if (is_ppc_trustedboot_enabled())
70 			return secure_and_trusted_rules;
71 		else
72 			return secure_rules;
73 	} else if (is_ppc_trustedboot_enabled()) {
74 		return trusted_rules;
75 	}
76 
77 	return NULL;
78 }
79