From: Nayna Jain
To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Michael Ellerman, Paul Mackerras, Benjamin Herrenschmidt, Ard Biesheuvel, Jeremy Kerr, Matthew Garret, Mimi Zohar, Claudio Carvalho, Nayna Jain
Subject: [PATCH v3 3/3] powerpc: Add support to initialize ima policy rules
Date: Mon, 10 Jun 2019 16:33:57 -0400
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1560198837-18857-1-git-send-email-nayna@linux.ibm.com>
References: <1560198837-18857-1-git-send-email-nayna@linux.ibm.com>
Message-Id: <1560198837-18857-4-git-send-email-nayna@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

PowerNV secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy requirements, dynamic definition of the policy rules based on the runtime secure boot mode of the system is required. On systems that support secure boot, but have it disabled, only measurement policy rules of the kernel image and modules are defined.

This patch defines the arch-specific implementation to retrieve the secure boot mode of the system and accordingly configures the IMA policy rules.

This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 14 +++++++++ arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel/ima_arch.c | 54 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 +- 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 8c1c636308c8..9de77bb14f54 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -902,6 +902,20 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable PowerPC Secure Boot" + bool + default n + depends on PPC64 + depends on OPAL_SECVAR + depends on IMA + depends on IMA_ARCH_POLICY + help + Linux on POWER with firmware secure boot enabled needs to define + security policies to extend secure boot to the OS.This config + allows user to enable OS Secure Boot on PowerPC systems that + have firmware secure boot support. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index 0ea6c4aa3a20..75c929b41341 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -131,6 +131,7 @@ ifdef CONFIG_IMA obj-y += ima_kexec.o endif endif +obj-$(CONFIG_PPC_SECURE_BOOT) += ima_arch.o obj-$(CONFIG_AUDIT) += audit.o obj64-$(CONFIG_AUDIT) += compat_audit.o diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..1767bf6e6550 --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c 
@@ -0,0 +1,54 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * ima_arch.c + * - initialize ima policies for PowerPC Secure Boot + */ + +#include +#include + +bool arch_ima_get_secureboot(void) +{ + bool sb_mode; + + sb_mode = get_powerpc_sb_mode(); + if (sb_mode) + return true; + else + return false; +} + +/* + * File signature verification is not needed, include only measurements + */ +static const char *const default_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "measure func=MODULE_CHECK template=ima-modsig", + NULL +}; + +/* Both file signature verification and measurements are needed */ +static const char *const sb_arch_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "measure func=MODULE_CHECK template=ima-modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig template=ima-modsig", +#if !IS_ENABLED(CONFIG_MODULE_SIG) + "appraise func=MODULE_CHECK appraise_type=imasig|modsig template=ima-modsig", +#endif + NULL +}; + +/* + * On PowerPC, file measurements are to be added to the IMA measurement list + * irrespective of the secure boot state of the system. Signature verification + * is conditionally enabled based on the secure boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) + return sb_arch_rules; + return default_arch_rules; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index fd9f7cf4cdf5..a01df076ecae 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h 
@@ -31,7 +31,8 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else -- 2.20.1
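
Review bot: In the arch/powerpc/Kconfig hunk, the PPC_SECURE_BOOT entry splits its prompt across `prompt "Enable PowerPC Secure Boot"` and a bare `bool`, and carries an explicit `default n`. The usual form is `bool "Enable PowerPC Secure Boot"` with no default line, since n is already the default. The help text is also missing a space in "OS.This config", and "allows user to enable" would read better as "allows the user to enable".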
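
Review bot: In arch/powerpc/kernel/ima_arch.c, sb_arch_rules drops the `appraise func=MODULE_CHECK` rule whenever CONFIG_MODULE_SIG is enabled, but nothing in this hunk makes module signature checking enforcing in that case. With CONFIG_MODULE_SIG set and enforcement off, an unsigned module still loads and only taints the kernel, so a secure-boot system built that way would measure modules without rejecting unsigned ones. Either keep the appraise rule unconditionally or turn on module signature enforcement from arch_get_ima_policy() when arch_ima_get_secureboot() returns true. Two smaller points: arch_ima_get_secureboot() can be reduced to `return get_powerpc_sb_mode();`, and the IS_ENABLED(CONFIG_IMA_ARCH_POLICY) test is always true here, because the Makefile builds ima_arch.o only under CONFIG_PPC_SECURE_BOOT, which depends on IMA_ARCH_POLICY.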
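
Review bot: In include/linux/ima.h, the `#if` guarding the arch_ima_get_secureboot() and arch_get_ima_policy() declarations now names three architecture conditions and has to be edited again for every new one. Consider a single Kconfig symbol that each supporting architecture selects, so that this guard tests one symbol and the `#else` branch keeps covering everyone else without further changes to this header.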