From: Michael Ellerman
To: Nayna Jain, linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Benjamin Herrenschmidt, Paul Mackerras, Ard Biesheuvel, Jeremy Kerr, Matthew Garret, Mimi Zohar, Greg Kroah-Hartman, Claudio Carvalho, George Wilson, Elaine Palmer, Eric Ricther, Oliver O'Halloran, Nayna Jain
Subject: Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy rules
In-Reply-To: <1570497267-13672-3-git-send-email-nayna@linux.ibm.com>
References: <1570497267-13672-1-git-send-email-nayna@linux.ibm.com> <1570497267-13672-3-git-send-email-nayna@linux.ibm.com>
Date: Tue, 15 Oct 2019 22:29:17 +1100
Message-ID: <871rveuu0i.fsf@mpe.ellerman.id.au>
X-Mailing-List: linux-kernel@vger.kernel.org

Nayna Jain writes:
> PowerNV systems use a kernel-based bootloader, thus their secure boot
> implementation uses the kernel IMA security subsystem to verify the kernel
> before kexec. Since the verification policy might differ based on the
> secure boot mode of the system, the policies are defined at runtime.
>
> This patch implements the arch-specific support to define the IMA policy
> rules based on the runtime secure boot mode of the system.
>
> This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
> config is enabled.
...
> diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
> new file mode 100644
> index 000000000000..c22d82965eb4
> --- /dev/null
> +++ b/arch/powerpc/kernel/ima_arch.c
> @@ -0,0 +1,33 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > + > +#include > +#include > + > +bool arch_ima_get_secureboot(void) > +{ > + return is_powerpc_os_secureboot_enabled(); > +} > + > +/* Defines IMA appraise rules for secureboot */ > +static const char *const arch_rules[] = { > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif

This confuses me. If I spell it out we get:

#if IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif

Which is just:

#ifdef CONFIG_MODULE_SIG_FORCE
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif

But CONFIG_MODULE_SIG_FORCE enabled says that we *do* require modules to have a valid signature.

Isn't that the inverse of what the rules say?

Presumably I'm misunderstanding something :)

cheers
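Review bot: the "#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE)" guard around the MODULE_CHECK rule in arch_rules[] carries no comment saying why the rule is dropped when the option is on, and the reply shows a careful reader taking it for an inversion at first sight. Put the intent next to the guard, e.g. "/* With CONFIG_MODULE_SIG_FORCE the module loader already requires a valid signature on every module, so IMA needs no MODULE_CHECK appraise rule here */", and consider widening the one-line "/* Defines IMA appraise rules for secureboot */" comment to say which hooks the table covers, since this table is the only place a reader of the file learns that.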
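An added example, not part of Michael's reply, Nayna's patch or the kernel tree: a small user-space C model of the two things the quoted hunk turns on, what each arch_rules[] string means and which strings survive the CONFIG_MODULE_SIG_FORCE guard. The rule syntax ("appraise func=... appraise_type=imasig|modsig") is the kernel's IMA policy syntax exactly as it appears in the hunk; parse_ima_rule(), rule_summary(), select_arch_rules() and arch_rules_cover() are this example's own helpers, not kernel functions, and the parser knows only the keys and values the table uses. The two rule strings inside select_arch_rules() are copied from the hunk; everything else is constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two IMA hooks named in the quoted arch_rules[] table. */
enum ima_func { FUNC_UNKNOWN = 0, FUNC_KEXEC_KERNEL_CHECK, FUNC_MODULE_CHECK };

struct ima_rule {
    char action[16];     /* "appraise" for every rule in the table */
    enum ima_func func;  /* hook the rule applies to */
    bool allow_imasig;   /* appraise_type lists imasig: IMA xattr signature accepted */
    bool allow_modsig;   /* appraise_type lists modsig: appended (module-style) signature accepted */
};

/* appraise_type is a '|'-separated list; only the two names the table uses are accepted. */
static bool parse_appraise_type(const char *v, struct ima_rule *out)
{
    while (*v) {
        size_t n = strcspn(v, "|");
        if (n == 6 && strncmp(v, "imasig", 6) == 0) out->allow_imasig = true;
        else if (n == 6 && strncmp(v, "modsig", 6) == 0) out->allow_modsig = true;
        else return false;
        v += n;
        if (*v == '|') v++;
    }
    return out->allow_imasig || out->allow_modsig;
}

/* Parse one "action key=value ..." line (example parser, not the kernel's). Unknown
 * keys or values are rejected, not skipped, so a typo cannot silently turn an
 * appraise rule into a no-op. Only func= and appraise_type= are understood. */
bool parse_ima_rule(const char *line, struct ima_rule *out)
{
    char buf[256], *tok;
    memset(out, 0, sizeof(*out));
    if (strlen(line) >= sizeof(buf)) return false;
    strcpy(buf, line);
    tok = strtok(buf, " ");
    if (!tok || strlen(tok) >= sizeof(out->action)) return false;
    strcpy(out->action, tok);
    while ((tok = strtok(NULL, " "))) {
        if (strncmp(tok, "func=", 5) == 0) {
            if (strcmp(tok + 5, "KEXEC_KERNEL_CHECK") == 0) out->func = FUNC_KEXEC_KERNEL_CHECK;
            else if (strcmp(tok + 5, "MODULE_CHECK") == 0) out->func = FUNC_MODULE_CHECK;
            else return false;
        } else if (strncmp(tok, "appraise_type=", 14) == 0) {
            if (!parse_appraise_type(tok + 14, out)) return false;
        } else {
            return false;
        }
    }
    return out->func != FUNC_UNKNOWN;
}

/* Compact parse result for quick checks: -1 if rejected, else func*4 + imasig*2 + modsig. */
int rule_summary(const char *line)
{
    struct ima_rule r;
    if (!parse_ima_rule(line, &r)) return -1;
    return (int)r.func * 4 + (r.allow_imasig ? 2 : 0) + (r.allow_modsig ? 1 : 0);
}

/* Mirror of the #if in the quoted arch_rules[]: the rules compiled in for a given
 * CONFIG_MODULE_SIG_FORCE setting. With MODULE_SIG_FORCE=y the module loader itself
 * refuses any module lacking a valid signature, so the MODULE_CHECK appraise rule is
 * only needed when the option is off; the KEXEC_KERNEL_CHECK rule is unconditional. */
size_t select_arch_rules(bool module_sig_force, const char **out, size_t max)
{
    size_t n = 0;
    if (n < max) out[n++] = "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig";
    if (!module_sig_force && n < max) out[n++] = "appraise func=MODULE_CHECK appraise_type=imasig|modsig";
    return n;
}

/* Does the table for this configuration carry a rule for the given hook? */
bool arch_rules_cover(bool module_sig_force, enum ima_func func)
{
    const char *rules[4];
    struct ima_rule r;
    size_t n = select_arch_rules(module_sig_force, rules, 4);
    for (size_t i = 0; i < n; i++)
        if (parse_ima_rule(rules[i], &r) && r.func == func) return true;
    return false;
}

int main(void)
{
    for (int force = 0; force < 2; force++)
        printf("CONFIG_MODULE_SIG_FORCE=%c: kexec rule %s, module rule %s\n", force ? 'y' : 'n',
               arch_rules_cover(force, FUNC_KEXEC_KERNEL_CHECK) ? "present" : "absent",
               arch_rules_cover(force, FUNC_MODULE_CHECK) ? "present" : "absent");
    return 0;
}
```

Built with "cc -std=c99 -Wall" and run, it reports the kexec rule present under both settings and the module rule present only when MODULE_SIG_FORCE is off, which is the reading the reply asks about: the guard removes IMA's module rule exactly in the configuration where the module loader is already the one enforcing signatures, and keeps it where IMA would otherwise be the only check.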