From: Nayna Jain
To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, Ard Biesheuvel, Jeremy Kerr, Matthew Garret, Mimi Zohar, Greg Kroah-Hartman, Claudio Carvalho, George Wilson, Elaine Palmer, Eric Ricther, "Oliver O'Halloran", Nayna Jain, Prakhar Srivastava, Lakshmi Ramasubramanian
Subject: [PATCH v9 4/8] powerpc/ima: define trusted boot policy
Date: Wed, 23 Oct 2019 22:47:13 -0500
Message-Id: <20191024034717.70552-5-nayna@linux.ibm.com>
In-Reply-To: <20191024034717.70552-1-nayna@linux.ibm.com>

This patch defines an arch-specific trusted boot only policy and a combined secure and trusted boot policy.

Signed-off-by: Nayna Jain
--- arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index d88913dc0da7..0ef5956c9753 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c
@@ -30,6 +30,32 @@ static const char *const secure_rules[] = { NULL }; +/* + * The "trusted_rules" are enabled only on "trustedboot" enabled systems. + * These rules add the kexec kernel image and kernel modules file hashes to + * the IMA measurement list. + */ +static const char *const trusted_rules[] = { + "measure func=KEXEC_KERNEL_CHECK", + "measure func=MODULE_CHECK", + NULL +}; + +/* + * The "secure_and_trusted_rules" contains rules for both the secure boot and + * trusted boot. The "template=ima-modsig" option includes the appended + * signature, when available, in the IMA measurement list. + */ +static const char *const secure_and_trusted_rules[] = { + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", + "measure func=MODULE_CHECK template=ima-modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#ifndef CONFIG_MODULE_SIG_FORCE + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + /* * Returns the relevant IMA arch-specific policies based on the system secure * boot state. @@ -37,7 +63,12 @@ static const char *const secure_rules[] = { const char *const *arch_get_ima_policy(void) { if (is_ppc_secureboot_enabled()) - return secure_rules; + if (is_ppc_trustedboot_enabled()) + return secure_and_trusted_rules; + else + return secure_rules; + else if (is_ppc_trustedboot_enabled()) + return trusted_rules; return NULL; } -- 2.20.1
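Review bot: In the first hunk, the measure rules in trusted_rules omit template=ima-modsig while the same two rules in secure_and_trusted_rules carry it, and neither comment says why a trusted-boot-only system should record less in the measurement list. Please state the reason in the trusted_rules comment, or use the same template in both tables. The #ifndef CONFIG_MODULE_SIG_FORCE around "appraise func=MODULE_CHECK appraise_type=imasig|modsig" is also undocumented; one sentence in the secure_and_trusted_rules comment saying why the appraise rule is dropped when that option is set would save readers from having to infer it.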
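Review bot: In the second hunk, the nested if/else in arch_get_ima_policy() has no braces, so the final "else if (is_ppc_trustedboot_enabled())" pairs with the outer "if (is_ppc_secureboot_enabled())" only through the dangling-else rule, and the flat indentation makes that easy to misread or to break with a later edit. Put braces around the outer branch, or test the combined case first with "if (is_ppc_secureboot_enabled() && is_ppc_trustedboot_enabled())" and keep the remaining checks as a flat chain. The comment above the function still says the policy is chosen "based on the system secure boot state"; it should mention the trusted boot state as well, since the return value now depends on both.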