/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * Copyright (C) 2018 IBM Corporation
 *
 * Arch-level IMA policy for EFI-booted systems. When UEFI Secure Boot is
 * enabled, the kernel installs measurement/appraisal rules for kexec
 * kernels and modules and switches the built-in module and kexec signature
 * checks to enforcing mode.
 */
#include <linux/efi.h>
#include <linux/module.h>
#include <linux/ima.h>
#include <asm/efi.h>

/*
 * An architecture may supply the Secure Boot state itself by defining
 * arch_ima_efi_boot_mode. When it does not, the value stays "unset" and the
 * state is queried from the firmware at runtime (see get_sb_mode()).
 */
#ifndef arch_ima_efi_boot_mode
#define arch_ima_efi_boot_mode efi_secureboot_mode_unset
#endif

/*
 * get_sb_mode - query the Secure Boot state through EFI runtime services
 *
 * Returns efi_secureboot_mode_unknown when the GetVariable runtime service
 * is not available; otherwise whatever efi_get_secureboot_mode() reports
 * when given efi.get_variable. One pr_info line records the outcome.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
	enum efi_secureboot_mode mode;

	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
		pr_info("ima: secureboot mode unknown, no efi\n");
		return efi_secureboot_mode_unknown;
	}

	mode = efi_get_secureboot_mode(efi.get_variable);
	switch (mode) {
	case efi_secureboot_mode_disabled:
		pr_info("ima: secureboot mode disabled\n");
		break;
	case efi_secureboot_mode_unknown:
		pr_info("ima: secureboot mode unknown\n");
		break;
	default:
		/* efi_secureboot_mode_enabled (and any other value) */
		pr_info("ima: secureboot mode enabled\n");
		break;
	}
	return mode;
}

/*
 * arch_ima_get_secureboot - report whether UEFI Secure Boot is enabled
 *
 * The mode is resolved on the first call made on an EFI-booted system and
 * cached in function-local statics; later calls return the cached answer.
 * On non-EFI boots the state is never resolved, sb_mode keeps its zero
 * initial value and the function reports false.
 */
bool arch_ima_get_secureboot(void)
{
	static enum efi_secureboot_mode sb_mode;
	static bool initialized;

	if (!initialized && efi_enabled(EFI_BOOT)) {
		/* Prefer the arch-provided value; fall back to the firmware. */
		sb_mode = arch_ima_efi_boot_mode;
		if (sb_mode == efi_secureboot_mode_unset)
			sb_mode = get_sb_mode();
		initialized = true;
	}

	return sb_mode == efi_secureboot_mode_enabled;
}

/*
 * Rules installed when Secure Boot is enabled. kexec kernels and modules are
 * always measured; they are additionally IMA-appraised here only when the
 * corresponding native signature check (CONFIG_KEXEC_SIG / CONFIG_MODULE_SIG)
 * is not built in, so that one of the two mechanisms always verifies them.
 * The POLICY_CHECK rule appraises IMA policy loads for an IMA signature when
 * the machine keyring is used together with the builtin/secondary keyrings.
 * NULL-terminated, as the IMA core expects.
 */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_SIG)
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
	"measure func=KEXEC_KERNEL_CHECK",
#if !IS_ENABLED(CONFIG_MODULE_SIG)
	"appraise func=MODULE_CHECK appraise_type=imasig",
#endif
#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
	"appraise func=POLICY_CHECK appraise_type=imasig",
#endif
	"measure func=MODULE_CHECK",
	NULL
};

/*
 * arch_get_ima_policy - hand the arch rules to the IMA core
 *
 * Returns sb_arch_rules when CONFIG_IMA_ARCH_POLICY is enabled and Secure
 * Boot is on, after making the built-in module and kexec signature checks
 * mandatory (each only where it is compiled in). Returns NULL otherwise,
 * meaning no arch-specific rules are added.
 */
const char * const *arch_get_ima_policy(void)
{
	if (!IS_ENABLED(CONFIG_IMA_ARCH_POLICY) || !arch_ima_get_secureboot())
		return NULL;

	/*
	 * Secure Boot is on: native signature verification, where built in,
	 * must enforce rather than merely verify, so unsigned modules and
	 * kexec images are refused regardless of the IMA rules above.
	 */
	if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();
	if (IS_ENABLED(CONFIG_KEXEC_SIG))
		set_kexec_sig_enforced();

	return sb_arch_rules;
}