^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* SPDX-License-Identifier: GPL-2.0+ */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright (C) 2018 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) #include <linux/efi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #include <linux/ima.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
/* The x86 boot parameter block; only its secure_boot field is read in this file. */
extern struct boot_params boot_params;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
/*
 * get_sb_mode() - query the firmware for the platform Secure Boot state.
 *
 * Reads the "SecureBoot" and "SetupMode" variables from the EFI global
 * variable namespace through the GetVariable runtime service. The caller
 * in this file only reaches it when boot_params.secure_boot was left unset,
 * so the firmware is the fallback source of truth.
 *
 * Return:
 *  efi_secureboot_mode_unknown  - GetVariable is not usable at runtime, or
 *                                 reading "SecureBoot" failed with anything
 *                                 other than EFI_NOT_FOUND.
 *  efi_secureboot_mode_disabled - "SecureBoot" is absent or reads as 0, or
 *                                 "SetupMode" reads as 1.
 *  efi_secureboot_mode_enabled  - otherwise.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
	efi_guid_t global_guid = EFI_GLOBAL_VARIABLE_GUID;
	u8 secboot = 0, setupmode = 0;
	unsigned long len = sizeof(secboot);
	efi_status_t status;

	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
		pr_info("ima: secureboot mode unknown, no efi\n");
		return efi_secureboot_mode_unknown;
	}

	status = efi.get_variable(L"SecureBoot", &global_guid, NULL, &len,
				  &secboot);
	switch (status) {
	case EFI_SUCCESS:
		break;
	case EFI_NOT_FOUND:
		/* No "SecureBoot" variable at all is reported as disabled. */
		pr_info("ima: secureboot mode disabled\n");
		return efi_secureboot_mode_disabled;
	default:
		/* Any other status is left undecided rather than guessed. */
		pr_info("ima: secureboot mode unknown\n");
		return efi_secureboot_mode_unknown;
	}

	/*
	 * A failed "SetupMode" read is deliberately not fatal: it is treated
	 * as "not in setup mode" and the "SecureBoot" value alone decides.
	 */
	len = sizeof(setupmode);
	status = efi.get_variable(L"SetupMode", &global_guid, NULL, &len,
				  &setupmode);
	if (status != EFI_SUCCESS)
		setupmode = 0;

	/* A platform in setup mode is reported as disabled even if SecureBoot is set. */
	if (secboot != 0 && setupmode != 1) {
		pr_info("ima: secureboot mode enabled\n");
		return efi_secureboot_mode_enabled;
	}

	pr_info("ima: secureboot mode disabled\n");
	return efi_secureboot_mode_disabled;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53)
/**
 * arch_ima_get_secureboot - report whether the platform booted with
 * Secure Boot enabled.
 *
 * The mode is resolved at most once and cached in function-local statics.
 * On an EFI boot, boot_params.secure_boot is used when it was populated,
 * and get_sb_mode() asks the firmware when it is still unset. On a non-EFI
 * boot nothing is resolved, so sb_mode stays at its zero-initialised value
 * (efi_secureboot_mode_unset). There is no locking here; the first call is
 * expected to happen before any concurrent callers exist - TODO confirm
 * against the call sites.
 *
 * Return: true only for efi_secureboot_mode_enabled. Unset, unknown and
 * disabled all yield false, so a state that cannot be determined does not
 * switch on the Secure Boot-only policy handed out by arch_get_ima_policy().
 */
bool arch_ima_get_secureboot(void)
{
	static enum efi_secureboot_mode sb_mode;
	static bool initialized;

	if (initialized || !efi_enabled(EFI_BOOT))
		return sb_mode == efi_secureboot_mode_enabled;

	/* First call on an EFI system: prefer what the boot path recorded. */
	sb_mode = boot_params.secure_boot;
	if (sb_mode == efi_secureboot_mode_unset)
		sb_mode = get_sb_mode();	/* fall back to the firmware variables */
	initialized = true;

	return sb_mode == efi_secureboot_mode_enabled;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)
/*
 * secureboot arch rules
 *
 * IMA policy handed to the core by arch_get_ima_policy() when the platform
 * booted with Secure Boot enabled. Kexec'd kernel images and kernel modules
 * are always measured; an IMA-signature appraisal rule is added for each
 * only when the corresponding in-kernel signature check (CONFIG_KEXEC_SIG,
 * CONFIG_MODULE_SIG) is not built in.
 */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_SIG)
"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
"measure func=KEXEC_KERNEL_CHECK",
#if !IS_ENABLED(CONFIG_MODULE_SIG)
"appraise func=MODULE_CHECK appraise_type=imasig",
#endif /* CONFIG_MODULE_SIG */
"measure func=MODULE_CHECK",
NULL	/* terminator expected by the consumer of this list */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85)
/**
 * arch_get_ima_policy - hand the x86 Secure Boot IMA rules to the IMA core.
 *
 * Return: sb_arch_rules when CONFIG_IMA_ARCH_POLICY is enabled and the
 * platform booted with Secure Boot on; NULL otherwise, meaning no
 * arch-specific rules are added. Whenever the rules are returned and the
 * kernel verifies module signatures itself (CONFIG_MODULE_SIG), module
 * signature enforcement is switched on as a side effect, covering the
 * MODULE_CHECK appraisal that sb_arch_rules omits in that configuration.
 */
const char * const *arch_get_ima_policy(void)
{
	if (!IS_ENABLED(CONFIG_IMA_ARCH_POLICY) || !arch_ima_get_secureboot())
		return NULL;

	/* With in-kernel module signing, make the signature check mandatory. */
	if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();

	return sb_arch_rules;
}