Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3)  * Copyright (C) 2019 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4)  * Author: Nayna Jain
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) #include <linux/ima.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) #include <asm/secure_boot.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) 
/*
 * Arch hook declared in <linux/ima.h>: report whether the platform booted
 * with secure boot enabled. Thin wrapper around the powerpc query from
 * <asm/secure_boot.h>; no state is cached here, the platform is asked on
 * every call.
 */
bool arch_ima_get_secureboot(void)
{
	bool secureboot = is_ppc_secureboot_enabled();

	return secureboot;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) 
/*
 * The "secure_rules" are enabled only on "secureboot" enabled systems.
 * These rules verify the file signatures against known good values.
 * The "appraise_type=imasig|modsig" option allows the known good signature
 * to be stored as an xattr or as an appended signature.
 * "appraise_flag=check_blacklist" additionally rejects a file whose
 * signature is on the blacklist (see the IMA policy ABI documentation).
 *
 * To avoid duplicate signature verification as much as possible, the IMA
 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
 * is not enabled. With CONFIG_MODULE_SIG, arch_get_ima_policy() below
 * calls set_module_sig_enforced() instead, so the module loader itself
 * enforces module signatures.
 *
 * The trailing NULL terminates the rule list.
 */
static const char *const secure_rules[] = {
	/* kexec'd kernel images must carry a valid, non-blacklisted signature */
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	/* only when the module loader is not already verifying signatures */
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) 
/*
 * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
 * These rules add the kexec kernel image and kernel modules file hashes to
 * the IMA measurement list. They are "measure" rules only: nothing is
 * appraised or rejected here, so on a trusted-boot-only system the
 * measurements provide evidence after the fact rather than enforcement.
 *
 * The trailing NULL terminates the rule list.
 */
static const char *const trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK",
	"measure func=MODULE_CHECK",
	NULL
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) 
/*
 * The "secure_and_trusted_rules" contains rules for both the secure boot and
 * trusted boot. The "template=ima-modsig" option includes the appended
 * signature, when available, in the IMA measurement list.
 *
 * The measure rules are listed before the appraise rules; the appraise
 * rules are the same as in "secure_rules" above, including the
 * CONFIG_MODULE_SIG condition on the module rule (with CONFIG_MODULE_SIG
 * the module loader enforces module signatures, see arch_get_ima_policy()).
 *
 * The trailing NULL terminates the rule list.
 */
static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
	/* only when the module loader is not already verifying signatures */
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) 
/*
 * Returns the relevant IMA arch-specific policies based on the system secure
 * boot state.
 *
 * Selection table (both platform queries are made on every call):
 *   secure boot + trusted boot -> secure_and_trusted_rules
 *   secure boot only           -> secure_rules
 *   trusted boot only          -> trusted_rules
 *   neither                    -> NULL (no arch policy)
 *
 * Side effect: on a secure boot system built with CONFIG_MODULE_SIG, module
 * signature enforcement is switched on via set_module_sig_enforced(), which
 * is why the rule tables then omit the MODULE_CHECK appraise rule.
 *
 * Return: a NULL-terminated array of IMA policy rule strings, or NULL.
 */
const char *const *arch_get_ima_policy(void)
{
	/* Without secure boot, only trusted boot measurement rules may apply. */
	if (!is_ppc_secureboot_enabled())
		return is_ppc_trustedboot_enabled() ? trusted_rules : NULL;

	/* Secure boot: let the module loader enforce signatures if it can. */
	if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();

	return is_ppc_trustedboot_enabled() ? secure_and_trusted_rules
					    : secure_rules;
}