From patchwork Mon Aug 19 12:35:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 11100833 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E7D9414DE for ; Mon, 19 Aug 2019 12:35:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D89C0212DB for ; Mon, 19 Aug 2019 12:35:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CC071287C2; Mon, 19 Aug 2019 12:35:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 47C40287E3 for ; Mon, 19 Aug 2019 12:35:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726852AbfHSMfb (ORCPT ); Mon, 19 Aug 2019 08:35:31 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:19174 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726755AbfHSMfb (ORCPT ); Mon, 19 Aug 2019 08:35:31 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x7JCXODp006202 for ; Mon, 19 Aug 2019 08:35:29 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ufuepha8y-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 19 Aug 2019 08:35:29 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 19 Aug 2019 13:35:27 +0100 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 19 Aug 2019 13:35:23 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x7JCZMM751773480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Aug 2019 12:35:22 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4C49A11C054; Mon, 19 Aug 2019 12:35:22 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F354311C05B; Mon, 19 Aug 2019 12:35:19 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.80.231.242]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 19 Aug 2019 12:35:19 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Michael Ellerman , Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Elaine Palmer , George Wilson , Eric Ricther , Nayna Jain Subject: [PATCH v5 1/2] powerpc: detect the secure boot mode of the system Date: Mon, 19 Aug 2019 08:35:07 -0400 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19081912-0012-0000-0000-000003405B8D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19081912-0013-0000-0000-0000217A7B9C Message-Id: <1566218108-12705-2-git-send-email-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-08-19_03:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908190142 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Secure boot on POWER defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. The PPC_SECURE_BOOT config represents the base enablement of secureboot on POWER. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 11 +++++ arch/powerpc/include/asm/secboot.h | 27 ++++++++++++ arch/powerpc/kernel/Makefile | 2 + arch/powerpc/kernel/secboot.c | 71 ++++++++++++++++++++++++++++++ 4 files changed, 111 insertions(+) create mode 100644 arch/powerpc/include/asm/secboot.h create mode 100644 arch/powerpc/kernel/secboot.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 77f6ebf97113..c902a39124dc 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -912,6 +912,17 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable PowerPC Secure Boot" + bool + default n + depends on PPC64 + help + Linux on POWER with firmware secure boot enabled needs to define + security policies to extend secure boot to the OS.This config + allows user to enable OS Secure Boot on PowerPC systems that + have firmware secure boot support. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/include/asm/secboot.h b/arch/powerpc/include/asm/secboot.h new file mode 100644 index 000000000000..e726261bb00b --- /dev/null +++ b/arch/powerpc/include/asm/secboot.h @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * PowerPC secure boot definitions + * + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + */ +#ifndef POWERPC_SECBOOT_H +#define POWERPC_SECBOOT_H + +#ifdef CONFIG_PPC_SECURE_BOOT +extern struct device_node *is_powerpc_secvar_supported(void); +extern bool get_powerpc_secureboot(void); +#else +static inline struct device_node *is_powerpc_secvar_supported(void) +{ + return NULL; +} + +static inline bool get_powerpc_secureboot(void) +{ + return false; +} + +#endif +#endif diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index ea0c69236789..d310ebb4e526 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -157,6 +157,8 @@ endif obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o + # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n KCOV_INSTRUMENT_prom_init.o := n diff --git a/arch/powerpc/kernel/secboot.c b/arch/powerpc/kernel/secboot.c new file mode 100644 index 000000000000..5ea0d52d64ef --- /dev/null +++ b/arch/powerpc/kernel/secboot.c @@ -0,0 +1,71 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * secboot.c + * - util function to get powerpc secboot state + */ +#include +#include +#include + +struct device_node *is_powerpc_secvar_supported(void) +{ + struct device_node *np; + int status; + + np = of_find_node_by_name(NULL, "ibm,secureboot"); + if (!np) { + pr_info("secureboot node is not found\n"); + return NULL; + } + + status = of_device_is_compatible(np, "ibm,secureboot-v3"); + if (!status) { + pr_info("Secure variables are not supported by this firmware\n"); + return NULL; + } + + return np; +} + +bool get_powerpc_secureboot(void) +{ + struct device_node *np; + struct device_node *secvar_np; + const u64 *psecboot; + u64 secboot = 0; + + np = is_powerpc_secvar_supported(); + if (!np) + goto disabled; + + /* Fail-safe for any failure related to secvar */ + secvar_np = of_get_child_by_name(np, "secvar"); + if (!secvar_np) { + pr_err("Expected secure variables support, fail-safe\n"); + goto enabled; + } + + if (!of_device_is_available(secvar_np)) { + pr_err("Secure variables support is in error state, fail-safe\n"); + goto enabled; + } + + psecboot = of_get_property(secvar_np, "secure-mode", NULL); + if (!psecboot) + goto enabled; + + secboot = be64_to_cpup((__be64 *)psecboot); + if (!(secboot & (~0x0))) + goto disabled; + +enabled: + pr_info("secureboot mode enabled\n"); + return true; + +disabled: + pr_info("secureboot mode disabled\n"); + return false; +} From patchwork Mon Aug 19 12:35:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 11100835 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4C4F414DE for ; Mon, 19 Aug 2019 12:35:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3A111283BB for ; Mon, 19 Aug 2019 12:35:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2DD5C287CB; Mon, 19 Aug 2019 12:35:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9D250287B5 for ; Mon, 19 Aug 2019 12:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727503AbfHSMfe (ORCPT ); Mon, 19 Aug 2019 08:35:34 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:63456 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726755AbfHSMfe (ORCPT ); Mon, 19 Aug 2019 08:35:34 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x7JCXOau006221 for ; Mon, 19 Aug 2019 08:35:32 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ufuephabr-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 19 Aug 2019 08:35:32 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 19 Aug 2019 13:35:30 +0100 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 19 Aug 2019 13:35:27 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x7JCZQoF61341756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Aug 2019 12:35:26 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1759011C054; Mon, 19 Aug 2019 12:35:26 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C62AE11C04C; Mon, 19 Aug 2019 12:35:23 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.80.231.242]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 19 Aug 2019 12:35:23 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Michael Ellerman , Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Elaine Palmer , George Wilson , Eric Ricther , Nayna Jain Subject: [PATCH v5 2/2] powerpc: Add support to initialize ima policy rules Date: Mon, 19 Aug 2019 08:35:08 -0400 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19081912-0008-0000-0000-0000030AB4FA X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19081912-0009-0000-0000-00004A28D845 Message-Id: <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-08-19_03:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908190142 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP POWER secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy requirements, dynamic definition of the policy rules based on the runtime secure boot mode of the system is required. On systems that support secure boot, but have it disabled, only measurement policy rules of the kernel image and modules are defined. This patch defines the arch-specific implementation to retrieve the secure boot mode of the system and accordingly configures the IMA policy rules. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 2 ++ arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/ima_arch.c | 50 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 +- 4 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index c902a39124dc..42109682b727 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -917,6 +917,8 @@ config PPC_SECURE_BOOT bool default n depends on PPC64 + depends on IMA + depends on IMA_ARCH_POLICY help Linux on POWER with firmware secure boot enabled needs to define security policies to extend secure boot to the OS.This config diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index d310ebb4e526..520b1c814197 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -157,7 +157,7 @@ endif obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o -obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o ima_arch.o # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..ac90fac83338 --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c @@ -0,0 +1,50 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * ima_arch.c + * - initialize ima policies for PowerPC Secure Boot + */ + +#include +#include + +bool arch_ima_get_secureboot(void) +{ + return get_powerpc_secureboot(); +} + +/* + * File signature verification is not needed, include only measurements + */ +static const char *const default_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + NULL +}; + +/* Both file signature verification and measurements are needed */ +static const char *const sb_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#if IS_ENABLED(CONFIG_MODULE_SIG) + "measure func=MODULE_CHECK", +#else + "measure func=MODULE_CHECK template=ima-modsig", + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + +/* + * On PowerPC, file measurements are to be added to the IMA measurement list + * irrespective of the secure boot state of the system. Signature verification + * is conditionally enabled based on the secure boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) + return sb_arch_rules; + return default_arch_rules; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..10af09b5b478 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else