Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3304709yba; Mon, 8 Apr 2019 15:58:52 -0700 (PDT) X-Google-Smtp-Source: APXvYqwVgFKyqjC9xU3UrGVPD8tkuhrNvUmi1D4VNc23hFyfUEAQpGkr2SGaT+dJuC+4qHdFs4j5 X-Received: by 2002:a62:1795:: with SMTP id 143mr33263333pfx.104.1554764332617; Mon, 08 Apr 2019 15:58:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554764332; cv=none; d=google.com; s=arc-20160816; b=hOLWU9nFudixe0ik4JpDwmEf0usirp4b8z6cW+V7WSFjP63XrrBBESCPVagkqlJCuT uPsm7lNkwlL9SEj0m3qdIsWHnPHQIEyMIjafYWy+NSv7TcSMC2aVtQ+Wt5oYwK9ZYUx5 4L9CjT4/+ZCnyu51WIJ0jrEVIfMkEv2YOO/jsgFqT0UydnFPbeXi9sjOBUMLU6uQaadW dX8TEl0lKCp1oeopGyRCivr73Z89C2LJRmBO4YaAdu6JuLVaZUjaD3hFhh3U+/1NEqeD OtzmVijxMaLZx6HkV3DBiIXFmjqqS3/apMzYxxg3b5LMIMa1c+7wTqGr2Dry5WqMNeog qRrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=9ph5wCREyh6v6QnbCLB8h7TAm4RXrUjYggvdm8gyIkg=; b=jNyqQuji1y6nYWvARXYh0/1+dW0wNVRYFrvfJx1eVhQt6Lzob/mrZgP9FyIHt83+Ma JcbHx9JuXj7jlKmPKkWpDThNdNVdcd8csP0tjZ6X5nEGVkQpJUOD8rzQ49uNkRnvUC1f gOXwuZ8SdLb5utECAkd4IZgHcW+m2gOE+fKa8TmFI3md2TwovWO4lL+CrMPsqTWAB/qt oV2Kk0PtSW6OaGJydcLRvOM49e/+WVx1flA1WvGbmgSEJkEjvCi8QI0rrLeBlPfjA2OO 8tWQBiL/hQr1c6EMCZxjWf5ubT2vUtr2SdYDMa8EhTfqAhwl38qb9jA3I0lU+19Vvv5T mS3w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v7si27266724plp.191.2019.04.08.15.58.37; Mon, 08 Apr 2019 15:58:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728716AbfDHWxI (ORCPT + 99 others); Mon, 8 Apr 2019 18:53:08 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:58372 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728690AbfDHWxH (ORCPT ); Mon, 8 Apr 2019 18:53:07 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x38MnBv5041577 for ; Mon, 8 Apr 2019 18:53:06 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2rreyegxwx-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 08 Apr 2019 18:53:06 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Apr 2019 23:53:03 +0100 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 8 Apr 2019 23:52:59 +0100 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x38MqwdX56492210 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 8 Apr 2019 22:52:58 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5A3E54C040; Mon, 8 Apr 2019 22:52:58 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9C90A4C044; Mon, 8 Apr 2019 22:52:56 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.85.157.39]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 8 Apr 2019 22:52:56 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Michael Ellerman , Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Nayna Jain Subject: [PATCH v2 3/3] powerpc: Add support to initialize ima policy rules Date: Mon, 8 Apr 2019 18:52:34 -0400 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1554763954-11795-1-git-send-email-nayna@linux.ibm.com> References: <1554763954-11795-1-git-send-email-nayna@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19040822-4275-0000-0000-00000325B113 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19040822-4276-0000-0000-00003834C80D Message-Id: <1554763954-11795-4-git-send-email-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-04-08_10:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904080164 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org PowerNV secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy requirements, dynamic definition of the policy rules based on the runtime secure boot mode of the system is required. On systems that support secure boot, but have it disabled, only measurement policy rules of the kernel image and modules are defined. This patch defines the arch-specific implementation to retrieve the secure boot mode of the system and accordingly configures the IMA policy rules. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 14 +++++++++ arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel/ima_arch.c | 54 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 +- 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 2d0be82c3061..7407af79ed8a 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -901,6 +901,20 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable PowerPC Secure Boot" + bool + default n + depends on PPC64 + depends on OPAL_SECVAR + depends on IMA + depends on IMA_ARCH_POLICY + help + Linux on POWER with firmware secure boot enabled needs to define + security policies to extend secure boot to the OS. + This config allows user to enable OS Secure Boot on PowerPC systems + that have firmware secure boot support. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index cddadccf551d..fcbc7a94888b 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -119,6 +119,7 @@ ifdef CONFIG_IMA obj-y += ima_kexec.o endif endif +obj-$(CONFIG_PPC_SECURE_BOOT) += ima_arch.o obj-$(CONFIG_AUDIT) += audit.o obj64-$(CONFIG_AUDIT) += compat_audit.o diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..871b321656fb --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c @@ -0,0 +1,54 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * ima_arch.c + * - initialize ima policies for PowerPC Secure Boot + */ + +#include +#include + +bool arch_ima_get_secureboot(void) +{ + bool sb_mode; + + sb_mode = get_powerpc_sb_mode(); + if (sb_mode) + return true; + else + return false; +} + +/* + * File signature verification is not needed, include only measurements + */ +static const char *const default_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + NULL +}; + +/* Both file signature verification and measurements are needed */ +static const char *const sb_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", +#if !IS_ENABLED(CONFIG_MODULE_SIG) + "appraise func=MODULE_CHECK appraise_type=imasig", +#endif + NULL +}; + +/* + * On PowerPC, file measurements are to be added to the IMA measurement list + * irrespective of the secure boot state of the system. Signature verification + * is conditionally enabled based on the secure boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) + return sb_arch_rules; + return default_arch_rules; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index dc12fbcf484c..ab81a204cf4c 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -31,7 +31,8 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if defined(CONFIG_X86) && defined(CONFIG_EFI) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else -- 2.20.1