1*25519d68SChester Lin /* SPDX-License-Identifier: GPL-2.0+ */ 2*25519d68SChester Lin /* 3*25519d68SChester Lin * Copyright (C) 2018 IBM Corporation 4*25519d68SChester Lin */ 5*25519d68SChester Lin #include <linux/efi.h> 6*25519d68SChester Lin #include <linux/module.h> 7*25519d68SChester Lin #include <linux/ima.h> 8*25519d68SChester Lin #include <asm/efi.h> 9*25519d68SChester Lin 10*25519d68SChester Lin #ifndef arch_ima_efi_boot_mode 11*25519d68SChester Lin #define arch_ima_efi_boot_mode efi_secureboot_mode_unset 12*25519d68SChester Lin #endif 13*25519d68SChester Lin 14*25519d68SChester Lin static enum efi_secureboot_mode get_sb_mode(void) 15*25519d68SChester Lin { 16*25519d68SChester Lin enum efi_secureboot_mode mode; 17*25519d68SChester Lin 18*25519d68SChester Lin if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) { 19*25519d68SChester Lin pr_info("ima: secureboot mode unknown, no efi\n"); 20*25519d68SChester Lin return efi_secureboot_mode_unknown; 21*25519d68SChester Lin } 22*25519d68SChester Lin 23*25519d68SChester Lin mode = efi_get_secureboot_mode(efi.get_variable); 24*25519d68SChester Lin if (mode == efi_secureboot_mode_disabled) 25*25519d68SChester Lin pr_info("ima: secureboot mode disabled\n"); 26*25519d68SChester Lin else if (mode == efi_secureboot_mode_unknown) 27*25519d68SChester Lin pr_info("ima: secureboot mode unknown\n"); 28*25519d68SChester Lin else 29*25519d68SChester Lin pr_info("ima: secureboot mode enabled\n"); 30*25519d68SChester Lin return mode; 31*25519d68SChester Lin } 32*25519d68SChester Lin 33*25519d68SChester Lin bool arch_ima_get_secureboot(void) 34*25519d68SChester Lin { 35*25519d68SChester Lin static enum efi_secureboot_mode sb_mode; 36*25519d68SChester Lin static bool initialized; 37*25519d68SChester Lin 38*25519d68SChester Lin if (!initialized && efi_enabled(EFI_BOOT)) { 39*25519d68SChester Lin sb_mode = arch_ima_efi_boot_mode; 40*25519d68SChester Lin 41*25519d68SChester Lin if (sb_mode == efi_secureboot_mode_unset) 42*25519d68SChester Lin sb_mode = get_sb_mode(); 43*25519d68SChester Lin initialized = true; 44*25519d68SChester Lin } 45*25519d68SChester Lin 46*25519d68SChester Lin if (sb_mode == efi_secureboot_mode_enabled) 47*25519d68SChester Lin return true; 48*25519d68SChester Lin else 49*25519d68SChester Lin return false; 50*25519d68SChester Lin } 51*25519d68SChester Lin 52*25519d68SChester Lin /* secureboot arch rules */ 53*25519d68SChester Lin static const char * const sb_arch_rules[] = { 54*25519d68SChester Lin #if !IS_ENABLED(CONFIG_KEXEC_SIG) 55*25519d68SChester Lin "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", 56*25519d68SChester Lin #endif /* CONFIG_KEXEC_SIG */ 57*25519d68SChester Lin "measure func=KEXEC_KERNEL_CHECK", 58*25519d68SChester Lin #if !IS_ENABLED(CONFIG_MODULE_SIG) 59*25519d68SChester Lin "appraise func=MODULE_CHECK appraise_type=imasig", 60*25519d68SChester Lin #endif 61*25519d68SChester Lin "measure func=MODULE_CHECK", 62*25519d68SChester Lin NULL 63*25519d68SChester Lin }; 64*25519d68SChester Lin 65*25519d68SChester Lin const char * const *arch_get_ima_policy(void) 66*25519d68SChester Lin { 67*25519d68SChester Lin if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { 68*25519d68SChester Lin if (IS_ENABLED(CONFIG_MODULE_SIG)) 69*25519d68SChester Lin set_module_sig_enforced(); 70*25519d68SChester Lin return sb_arch_rules; 71*25519d68SChester Lin } 72*25519d68SChester Lin return NULL; 73*25519d68SChester Lin } 74