| Message ID | 1572492694-6520-10-git-send-email-zohar@linux.ibm.com |
|---|---|
| State | New, archived |
| Series | powerpc: Enabling IMA arch specific secure boot policies |
On Thu, 2019-10-31 at 03:31:34 UTC, Mimi Zohar wrote:
> The arch specific kernel module policy rule requires kernel modules to
> be signed, either as an IMA signature, stored as an xattr, or as an
> appended signature. As a result, kernel modules' appended signatures
> could be enforced without "sig_enforce" being set or reflected in
> /sys/module/module/parameters/sig_enforce. This patch sets
> "sig_enforce".
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Cc: Jessica Yu <jeyu@kernel.org>

Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/d72ea4915c7e6fa5e7b9022a34df66e375bfe46c

cheers
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index b9de0fb45bb9..e34116255ced 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c @@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = { */ const char *const *arch_get_ima_policy(void) { - if (is_ppc_secureboot_enabled()) + if (is_ppc_secureboot_enabled()) { + if (IS_ENABLED(CONFIG_MODULE_SIG)) + set_module_sig_enforced(); + if (is_ppc_trustedboot_enabled()) return secure_and_trusted_rules; else return secure_rules; - else if (is_ppc_trustedboot_enabled()) + } else if (is_ppc_trustedboot_enabled()) { return trusted_rules; + } return NULL; }
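Review bot: the new `set_module_sig_enforced()` call gives `arch_get_ima_policy()`, which by name and return type is a policy getter, a global side effect on the module loader, and nothing in the hunk says why; a short comment above the `if (IS_ENABLED(CONFIG_MODULE_SIG))` block stating that secure boot requires signed modules and that `IS_ENABLED` is a compile-time constant guarding the call would save the next reader a trip to module.h. The commit message also says the IMA rule accepts either an xattr IMA signature or an appended signature, while `sig_enforce` is the loader's own knob for the appended-signature check, so it is worth spelling out in the commit message what happens to a module that carries only the xattr signature once this flag is forced on under secure boot. The brace restructuring itself looks correct: the secure-boot branch still returns `secure_and_trusted_rules` or `secure_rules`, the trusted-boot-only `else if` still returns `trusted_rules`, and `NULL` remains the fallthrough.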
The arch specific kernel module policy rule requires kernel modules to be signed, either as an IMA signature, stored as an xattr, or as an appended signature. As a result, kernel modules' appended signatures could be enforced without "sig_enforce" being set or reflected in /sys/module/module/parameters/sig_enforce. This patch sets "sig_enforce".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Jessica Yu <jeyu@kernel.org>
---
 arch/powerpc/kernel/ima_arch.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)