[v3,3/3] arm64/ima: add ima_arch support

Message ID	20201030060840.1810-4-clin@suse.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=b0TY=EF=vger.kernel.org=linux-security-module-owner@kernel.org> From: Chester Lin <clin@suse.com> To: ardb@kernel.org, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, dmitry.kasatkin@gmail.com, catalin.marinas@arm.com, will@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com CC: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org, jlee@suse.com, clin@suse.com Subject: [PATCH v3 3/3] arm64/ima: add ima_arch support Date: Fri, 30 Oct 2020 14:08:40 +0800 Message-ID: <20201030060840.1810-4-clin@suse.com> In-Reply-To: <20201030060840.1810-1-clin@suse.com> References: <20201030060840.1810-1-clin@suse.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Precedence: bulk
Series	add ima_arch support for ARM64 \| expand [v3,0/3] add ima_arch support for ARM64 [v3,1/3] efi: generalize efi_get_secureboot [v3,2/3] ima: replace arch-specific get_sb_mode() with a common helper ima_get_efi_secureboot() [v3,3/3] arm64/ima: add ima_arch support

Message ID

20201030060840.1810-4-clin@suse.com (mailing list archive)

State

New, archived

Headers

From: Chester Lin <clin@suse.com>
To: ardb@kernel.org, zohar@linux.ibm.com, jmorris@namei.org,
        serge@hallyn.com, dmitry.kasatkin@gmail.com,
        catalin.marinas@arm.com, will@kernel.org, tglx@linutronix.de,
        mingo@redhat.com, bp@alien8.de, hpa@zytor.com
CC: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org, x86@kernel.org,
        jlee@suse.com, clin@suse.com
Subject: [PATCH v3 3/3] arm64/ima: add ima_arch support
Date: Fri, 30 Oct 2020 14:08:40 +0800
Message-ID: <20201030060840.1810-4-clin@suse.com>
In-Reply-To: <20201030060840.1810-1-clin@suse.com>
References: <20201030060840.1810-1-clin@suse.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost.localdomain (36.225.26.227) by
 HK0PR01CA0049.apcprd01.prod.exchangelabs.com (2603:1096:203:a6::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.19 via Frontend
 Transport; Fri, 30 Oct 2020 06:09:21 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 8253d210-0609-42e3-bd2e-08d87c9a5ae4
X-MS-TrafficTypeDiagnostic: AS8PR04MB7943:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
 <AS8PR04MB7943E5B99EB78B1313EDF531AD150@AS8PR04MB7943.eurprd04.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:126;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 oBxNZPHidJ5iVU5YzXPKxXQ+jG+XTFBy+T6bFGg3LJQbSc4InuT0UVN0n+Qf5fYStA/UtSyXF9DjSflG7uGPJEHQfr/OG5ktVcbhxYo6f8SOyrxIO4CC3tn8ZQPwZ0D/tCfY1MK2UhzAWty68QvPxyDBVQUiwx9MmSTLHYrcK2p575BqfT8dCF+r6Q/7G7JCk++tkEZcUYtecG9sYYvcJEvzJtwvMZp+X6ArZW9kwtrcS+YAo+dmFBcnfhDVmcJmOuVRNrVezw1Rb8+crKCLq4adVvgIRkojCHbIpXf/sid8E37OgOl5w3/9J45mRd0HRzq6/qpNqp+EeqETz9K2BtG3QsxRz66bMGCWHlfWQmiYp0cgV6FjRkSdOllPnezEJRL9SYNDO5nnePao6kcXhQ==
X-Forefront-Antispam-Report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR04MB4919.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(136003)(39860400002)(346002)(376002)(366004)(396003)(4326008)(186003)(2906002)(7416002)(36756003)(2616005)(16526019)(1076003)(956004)(5660300002)(52116002)(6486002)(8676002)(6512007)(66556008)(66476007)(66946007)(86362001)(6506007)(26005)(69590400008)(8936002)(316002)(478600001)(107886003)(6666004)(921003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: 
 fWZIAVkb+eePpvRiUG6vjqF0th33lRsw5HAqhUwaDxdKaSqdkp4lw/tbyykUduw1cOjms8Si0QnEsrY/1OSl0px83DHCh1zCDFLvVoJNkdxJHsJ37HbBpnCLpC/LCtjyWMiM6y8L+fLiV2jX83ZY7E865dqazj/VbnqGlptDUWASbO4jle1ezKM40m3rPbYsu9Cj2uP1lzjY2CcKK8IaYE4vdL6R2szYjP+e+z+qVOjF7ZCz+kE/6LUjZcIUb7b4qPzZy922C4bT+4+r0tkstqdobOFbyDHJjCPra8fjBdAXJcm+YF/ebtukI2E0Z7+kVbnnNU75Ol2xUtBV7N67nmCKLWWN7EBpasBFtOeXDWvZDng3wF9u2TUS71k2GgVNvKfYYYPwlgvGQyfLga+R4HBmYEs+wVGy5dGIyiKRkdbMpQZbg2tCLx0UDUMUJvv5WuK94awQsAxRIKNvh+Y+6ZqhPpllG4aVrH6nAIQ41kfRSUHwvdFD3qDUh9DL3C/9uDUPvNDWmFAWUG1lpjTLerV/1UXsHwRk0nDS1KRcj5oP4tFY2etOzoRuKu93vY6h0Y4a7gx5PG+1AWbP3fM4ON0DUm8UbPQ2Quvg8/Bb8KAF2C+URI7wlXjUq9QuINJJNoqexKrgUUektg1M/b7jbA==
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 8253d210-0609-42e3-bd2e-08d87c9a5ae4
X-MS-Exchange-CrossTenant-AuthSource: AM6PR04MB4919.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Oct 2020 06:09:26.7851
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 C/snX50CcrA1A1vy7A7TwHCIOlNxNlLv3bXAAkr7IFX6gU2u/T+TbOLHNpqr87V6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR04MB7943
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

Series

add ima_arch support for ARM64 | expand

Commit Message

Chester Lin Oct. 30, 2020, 6:08 a.m. UTC

Add arm64 IMA arch support. The code and arch policy is mainly inherited
from x86.

Signed-off-by: Chester Lin <clin@suse.com>
---
 arch/arm64/Kconfig           |  1 +
 arch/arm64/kernel/Makefile   |  2 ++
 arch/arm64/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 arch/arm64/kernel/ima_arch.c

Comments

Ard Biesheuvel Oct. 30, 2020, 11:53 a.m. UTC | #1

On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@suse.com> wrote:
>
> Add arm64 IMA arch support. The code and arch policy is mainly inherited
> from x86.
>
> Signed-off-by: Chester Lin <clin@suse.com>
> ---
>  arch/arm64/Kconfig           |  1 +
>  arch/arm64/kernel/Makefile   |  2 ++
>  arch/arm64/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 46 insertions(+)
>  create mode 100644 arch/arm64/kernel/ima_arch.c
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index a42e8d13cc88..496a4a26afc6 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -201,6 +201,7 @@ config ARM64
>         select SWIOTLB
>         select SYSCTL_EXCEPTION_TRACE
>         select THREAD_INFO_IN_TASK
> +       imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
>         help
>           ARM 64-bit (AArch64) Linux support.
>
> diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> index bbaf0bc4ad60..0f6cbb50668c 100644
> --- a/arch/arm64/kernel/Makefile
> +++ b/arch/arm64/kernel/Makefile
> @@ -69,3 +69,5 @@ extra-y                                       += $(head-y) vmlinux.lds
>  ifeq ($(CONFIG_DEBUG_EFI),y)
>  AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
>  endif
> +
> +obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)   += ima_arch.o
> diff --git a/arch/arm64/kernel/ima_arch.c b/arch/arm64/kernel/ima_arch.c
> new file mode 100644
> index 000000000000..564236d77adc
> --- /dev/null
> +++ b/arch/arm64/kernel/ima_arch.c
> @@ -0,0 +1,43 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (C) 2018 IBM Corporation
> + */
> +#include <linux/efi.h>
> +#include <linux/module.h>
> +#include <linux/ima.h>
> +
> +bool arch_ima_get_secureboot(void)
> +{
> +       static bool sb_enabled;
> +       static bool initialized;
> +
> +       if (!initialized & efi_enabled(EFI_BOOT)) {
> +               sb_enabled = ima_get_efi_secureboot();
> +               initialized = true;
> +       }
> +
> +       return sb_enabled;
> +}
> +
> +/* secure and trusted boot arch rules */
> +static const char * const sb_arch_rules[] = {
> +#if !IS_ENABLED(CONFIG_KEXEC_SIG)
> +       "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> +#endif /* CONFIG_KEXEC_SIG */
> +       "measure func=KEXEC_KERNEL_CHECK",
> +#if !IS_ENABLED(CONFIG_MODULE_SIG)
> +       "appraise func=MODULE_CHECK appraise_type=imasig",
> +#endif
> +       "measure func=MODULE_CHECK",
> +       NULL
> +};
> +
> +const char * const *arch_get_ima_policy(void)
> +{
> +       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> +               if (IS_ENABLED(CONFIG_MODULE_SIG))
> +                       set_module_sig_enforced();
> +               return sb_arch_rules;
> +       }
> +       return NULL;
> +}
> --
> 2.28.0
>

Can we move all this stuff into security/integrity/ima/ima_efi.c instead?

Chester Lin Nov. 2, 2020, 7:20 a.m. UTC | #2

On Fri, Oct 30, 2020 at 12:53:25PM +0100, Ard Biesheuvel wrote:
> On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@suse.com> wrote:
> >
> > Add arm64 IMA arch support. The code and arch policy is mainly inherited
> > from x86.
> >
> > Signed-off-by: Chester Lin <clin@suse.com>
> > ---
> >  arch/arm64/Kconfig           |  1 +
> >  arch/arm64/kernel/Makefile   |  2 ++
> >  arch/arm64/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++++
> >  3 files changed, 46 insertions(+)
> >  create mode 100644 arch/arm64/kernel/ima_arch.c
> >
> > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> > index a42e8d13cc88..496a4a26afc6 100644
> > --- a/arch/arm64/Kconfig
> > +++ b/arch/arm64/Kconfig
> > @@ -201,6 +201,7 @@ config ARM64
> >         select SWIOTLB
> >         select SYSCTL_EXCEPTION_TRACE
> >         select THREAD_INFO_IN_TASK
> > +       imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
> >         help
> >           ARM 64-bit (AArch64) Linux support.
> >
> > diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> > index bbaf0bc4ad60..0f6cbb50668c 100644
> > --- a/arch/arm64/kernel/Makefile
> > +++ b/arch/arm64/kernel/Makefile
> > @@ -69,3 +69,5 @@ extra-y                                       += $(head-y) vmlinux.lds
> >  ifeq ($(CONFIG_DEBUG_EFI),y)
> >  AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
> >  endif
> > +
> > +obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)   += ima_arch.o
> > diff --git a/arch/arm64/kernel/ima_arch.c b/arch/arm64/kernel/ima_arch.c
> > new file mode 100644
> > index 000000000000..564236d77adc
> > --- /dev/null
> > +++ b/arch/arm64/kernel/ima_arch.c
> > @@ -0,0 +1,43 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Copyright (C) 2018 IBM Corporation
> > + */
> > +#include <linux/efi.h>
> > +#include <linux/module.h>
> > +#include <linux/ima.h>
> > +
> > +bool arch_ima_get_secureboot(void)
> > +{
> > +       static bool sb_enabled;
> > +       static bool initialized;
> > +
> > +       if (!initialized & efi_enabled(EFI_BOOT)) {
> > +               sb_enabled = ima_get_efi_secureboot();
> > +               initialized = true;
> > +       }
> > +
> > +       return sb_enabled;
> > +}
> > +
> > +/* secure and trusted boot arch rules */
> > +static const char * const sb_arch_rules[] = {
> > +#if !IS_ENABLED(CONFIG_KEXEC_SIG)
> > +       "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> > +#endif /* CONFIG_KEXEC_SIG */
> > +       "measure func=KEXEC_KERNEL_CHECK",
> > +#if !IS_ENABLED(CONFIG_MODULE_SIG)
> > +       "appraise func=MODULE_CHECK appraise_type=imasig",
> > +#endif
> > +       "measure func=MODULE_CHECK",
> > +       NULL
> > +};
> > +
> > +const char * const *arch_get_ima_policy(void)
> > +{
> > +       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > +               if (IS_ENABLED(CONFIG_MODULE_SIG))
> > +                       set_module_sig_enforced();
> > +               return sb_arch_rules;
> > +       }
> > +       return NULL;
> > +}
> > --
> > 2.28.0
> >
> 
> Can we move all this stuff into security/integrity/ima/ima_efi.c instead?
>
Actually I hesitated to move all this stuff into ima_efi.c when coding v3
because I haven't figured out a clear picture to achieve it. Since each
architecture could still have different details to trigger secure boot detection
and define their arch-specific rules [e.g. Having boot_params in x86_64 creates
more conditions that need to be determined before calling get_sb_mode()], moving
all this stuff seems to decrease the flexibility. Besides, it might also affect
the consistency of ima_arch as well, for example, ppc and s390 still use these
function prototypes defined in ima.h. Since these functions are already referred
by non-EFI architectures, why don't we still reuse these prototypes? For example,
we could remain a smaller arch_ima_get_secureboot() and the arch-specific rules
but move the major part of arch_get_ima_policy() into ima_efi.c. For example,
we could implement an efi_ima_policy() for arch_get_ima_policy() to call so that
the arch_get_ima_policy() doesn't have to know some details such as checking
conditions or calling set_module_sig_enforced().

Please feel free to let me know if any suggestions.

Mimi Zohar Nov. 2, 2020, 12:13 p.m. UTC | #3

On Mon, 2020-11-02 at 15:20 +0800, Chester Lin wrote:
> On Fri, Oct 30, 2020 at 12:53:25PM +0100, Ard Biesheuvel wrote:
> > On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@suse.com> wrote:
> > >
> > > Add arm64 IMA arch support. The code and arch policy is mainly inherited
> > > from x86.
> > >
> > > Signed-off-by: Chester Lin <clin@suse.com>
> > > ---
> > >  arch/arm64/Kconfig           |  1 +
> > >  arch/arm64/kernel/Makefile   |  2 ++
> > >  arch/arm64/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++++
> > >  3 files changed, 46 insertions(+)
> > >  create mode 100644 arch/arm64/kernel/ima_arch.c
> > >
> > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> > > index a42e8d13cc88..496a4a26afc6 100644
> > > --- a/arch/arm64/Kconfig
> > > +++ b/arch/arm64/Kconfig
> > > @@ -201,6 +201,7 @@ config ARM64
> > >         select SWIOTLB
> > >         select SYSCTL_EXCEPTION_TRACE
> > >         select THREAD_INFO_IN_TASK
> > > +       imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
> > >         help
> > >           ARM 64-bit (AArch64) Linux support.
> > >
> > > diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> > > index bbaf0bc4ad60..0f6cbb50668c 100644
> > > --- a/arch/arm64/kernel/Makefile
> > > +++ b/arch/arm64/kernel/Makefile
> > > @@ -69,3 +69,5 @@ extra-y                                       += $(head-y) vmlinux.lds
> > >  ifeq ($(CONFIG_DEBUG_EFI),y)
> > >  AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
> > >  endif
> > > +
> > > +obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)   += ima_arch.o
> > > diff --git a/arch/arm64/kernel/ima_arch.c b/arch/arm64/kernel/ima_arch.c
> > > new file mode 100644
> > > index 000000000000..564236d77adc
> > > --- /dev/null
> > > +++ b/arch/arm64/kernel/ima_arch.c
> > > @@ -0,0 +1,43 @@
> > > +// SPDX-License-Identifier: GPL-2.0+
> > > +/*
> > > + * Copyright (C) 2018 IBM Corporation
> > > + */
> > > +#include <linux/efi.h>
> > > +#include <linux/module.h>
> > > +#include <linux/ima.h>
> > > +
> > > +bool arch_ima_get_secureboot(void)
> > > +{
> > > +       static bool sb_enabled;
> > > +       static bool initialized;
> > > +
> > > +       if (!initialized & efi_enabled(EFI_BOOT)) {
> > > +               sb_enabled = ima_get_efi_secureboot();
> > > +               initialized = true;
> > > +       }
> > > +
> > > +       return sb_enabled;
> > > +}
> > > +
> > > +/* secure and trusted boot arch rules */
> > > +static const char * const sb_arch_rules[] = {
> > > +#if !IS_ENABLED(CONFIG_KEXEC_SIG)
> > > +       "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> > > +#endif /* CONFIG_KEXEC_SIG */
> > > +       "measure func=KEXEC_KERNEL_CHECK",
> > > +#if !IS_ENABLED(CONFIG_MODULE_SIG)
> > > +       "appraise func=MODULE_CHECK appraise_type=imasig",
> > > +#endif
> > > +       "measure func=MODULE_CHECK",
> > > +       NULL
> > > +};
> > > +
> > > +const char * const *arch_get_ima_policy(void)
> > > +{
> > > +       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > +               if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > +                       set_module_sig_enforced();
> > > +               return sb_arch_rules;
> > > +       }
> > > +       return NULL;
> > > +}
> > > --
> > > 2.28.0
> > >
> > 
> > Can we move all this stuff into security/integrity/ima/ima_efi.c instead?
> >
> Actually I hesitated to move all this stuff into ima_efi.c when coding v3
> because I haven't figured out a clear picture to achieve it. Since each
> architecture could still have different details to trigger secure boot detection
> and define their arch-specific rules [e.g. Having boot_params in x86_64 creates
> more conditions that need to be determined before calling get_sb_mode()], moving
> all this stuff seems to decrease the flexibility. Besides, it might also affect
> the consistency of ima_arch as well, for example, ppc and s390 still use these
> function prototypes defined in ima.h. Since these functions are already referred
> by non-EFI architectures, why don't we still reuse these prototypes? For example,
> we could remain a smaller arch_ima_get_secureboot() and the arch-specific rules
> but move the major part of arch_get_ima_policy() into ima_efi.c. For example,
> we could implement an efi_ima_policy() for arch_get_ima_policy() to call so that
> the arch_get_ima_policy() doesn't have to know some details such as checking
> conditions or calling set_module_sig_enforced().
> 
> Please feel free to let me know if any suggestions.

Yes, that is the point and the reason for defining ima_efi.c and
conditionally including it only for EFI systems.  The existing ppc and
s390 code should remain unaffected by this change.

thanks,

Mimi

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a42e8d13cc88..496a4a26afc6 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -201,6 +201,7 @@  config ARM64
 	select SWIOTLB
 	select SYSCTL_EXCEPTION_TRACE
 	select THREAD_INFO_IN_TASK
+	imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
 	help
 	  ARM 64-bit (AArch64) Linux support.
 
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index bbaf0bc4ad60..0f6cbb50668c 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -69,3 +69,5 @@  extra-y					+= $(head-y) vmlinux.lds
 ifeq ($(CONFIG_DEBUG_EFI),y)
 AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
 endif
+
+obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)	+= ima_arch.o
diff --git a/arch/arm64/kernel/ima_arch.c b/arch/arm64/kernel/ima_arch.c
new file mode 100644
index 000000000000..564236d77adc
--- /dev/null
+++ b/arch/arm64/kernel/ima_arch.c
@@ -0,0 +1,43 @@ 
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2018 IBM Corporation
+ */
+#include <linux/efi.h>
+#include <linux/module.h>
+#include <linux/ima.h>
+
+bool arch_ima_get_secureboot(void)
+{
+	static bool sb_enabled;
+	static bool initialized;
+
+	if (!initialized & efi_enabled(EFI_BOOT)) {
+		sb_enabled = ima_get_efi_secureboot();
+		initialized = true;
+	}
+
+	return sb_enabled;
+}
+
+/* secure and trusted boot arch rules */
+static const char * const sb_arch_rules[] = {
+#if !IS_ENABLED(CONFIG_KEXEC_SIG)
+	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
+#endif /* CONFIG_KEXEC_SIG */
+	"measure func=KEXEC_KERNEL_CHECK",
+#if !IS_ENABLED(CONFIG_MODULE_SIG)
+	"appraise func=MODULE_CHECK appraise_type=imasig",
+#endif
+	"measure func=MODULE_CHECK",
+	NULL
+};
+
+const char * const *arch_get_ima_policy(void)
+{
+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+		if (IS_ENABLED(CONFIG_MODULE_SIG))
+			set_module_sig_enforced();
+		return sb_arch_rules;
+	}
+	return NULL;
+}

[v3,3/3] arm64/ima: add ima_arch support

Commit Message

Comments

Patch