From: Ard Biesheuvel
Date: Wed, 4 Mar 2020 08:14:42 +0100
Subject: Re: [PATCH v2] ima: add a new CONFIG for loading arch-specific policies
To: Nayna Jain
Cc: linux-integrity, linuxppc-dev, linux-efi, linux-s390, Philipp Rudo, Michael Ellerman, Mimi Zohar, Linux Kernel Mailing List
In-Reply-To: <1583289211-5420-1-git-send-email-nayna@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 4 Mar 2020 at 03:34, Nayna Jain wrote:
>
> Every time a new architecture defines the IMA architecture specific
> functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA
> include file needs to be updated. To avoid this "noise", this patch
> defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_BOOT option, allowing
> the different architectures to select it.
>
> Suggested-by: Linus Torvalds
> Signed-off-by: Nayna Jain
> Cc: Ard Biesheuvel
> Cc: Philipp Rudo
> Cc: Michael Ellerman

Acked-by: Ard Biesheuvel

for the x86 bits, but I'm not an x86 maintainer. Also, you may need to split this if you want to permit arch maintainers to pick up their parts individually.

> ---
> v2:
> * Fixed the issue identified by Mimi. Thanks Mimi, Ard, Heiko and Michael for
> discussing the fix.
>
> arch/powerpc/Kconfig | 1 +
> arch/s390/Kconfig | 1 +
> arch/x86/Kconfig | 1 +
> include/linux/ima.h | 3 +--
> security/integrity/ima/Kconfig | 9 +++++++++
> 5 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 497b7d0b2d7e..a5cfde432983 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig 
> @@ -979,6 +979,7 @@ config PPC_SECURE_BOOT > bool > depends on PPC_POWERNV > depends on IMA_ARCH_POLICY > + select IMA_SECURE_AND_OR_TRUSTED_BOOT > help > Systems with firmware secure boot enabled need to define security > policies to extend secure boot to the OS. This config allows a user > diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig > index 8abe77536d9d..4a502fbcb800 100644 > --- a/arch/s390/Kconfig > +++ b/arch/s390/Kconfig > @@ -195,6 +195,7 @@ config S390 > select ARCH_HAS_FORCE_DMA_UNENCRYPTED > select SWIOTLB > select GENERIC_ALLOCATOR > + select IMA_SECURE_AND_OR_TRUSTED_BOOT if IMA_ARCH_POLICY > > > config SCHED_OMIT_FRAME_POINTER > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index beea77046f9b..7f5bfaf0cbd2 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -230,6 +230,7 @@ config X86 > select VIRT_TO_BUS > select X86_FEATURE_NAMES if PROC_FS > select PROC_PID_ARCH_STATUS if PROC_FS > + select IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI && IMA_ARCH_POLICY > > config INSTRUCTION_DECODER > def_bool y > diff --git a/include/linux/ima.h b/include/linux/ima.h > index 1659217e9b60..aefe758f4466 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int size); > extern void ima_add_kexec_buffer(struct kimage *image); > #endif > > -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ > - || defined(CONFIG_PPC_SECURE_BOOT) > +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT > extern bool arch_ima_get_secureboot(void); > extern const char * const *arch_get_ima_policy(void); > #else > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig > index 3f3ee4e2eb0d..d17972aa413a 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig 
> @@ -327,3 +327,12 @@ config IMA_QUEUE_EARLY_BOOT_KEYS > depends on IMA_MEASURE_ASYMMETRIC_KEYS > depends on SYSTEM_TRUSTED_KEYRING > default y > + > +config IMA_SECURE_AND_OR_TRUSTED_BOOT > + bool > + depends on IMA > + depends on IMA_ARCH_POLICY Doesn't the latter already depend on the former? > + default n > + help > + This option is selected by architectures to enable secure and/or > + trusted boot based on IMA runtime policies. > -- > 2.13.6 >
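Review bot: In the include/linux/ima.h hunk, replacing the (X86 && EFI) || S390 || PPC_SECURE_BOOT test with "#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT" narrows the condition on x86 and s390, because the select lines added in arch/x86/Kconfig and arch/s390/Kconfig are qualified with "if ... IMA_ARCH_POLICY" and the old preprocessor test was not. With IMA_ARCH_POLICY disabled, those builds now take the #else branch, so every arch file that defines arch_ima_get_secureboot() or arch_get_ima_policy() has to be compiled under the same condition, or its definition will conflict with whatever the #else branch provides. This change in behaviour should be stated in the commit message and checked against the arch Makefiles. The commit message also names arch_ima_get_policy(), while the declaration in this hunk is arch_get_ima_policy().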
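Review bot: In the new "config IMA_SECURE_AND_OR_TRUSTED_BOOT" entry of security/integrity/ima/Kconfig, "default n" is redundant, since a bool without a default is already n, and the two "depends on" lines do not gate the symbol. It has no prompt and is only ever enabled through select, which forces the value without evaluating the selected symbol's dependencies (Kconfig only warns when they are unmet). The effective gating is the "if IMA_ARCH_POLICY" on the s390 and x86 select lines and the "depends on IMA_ARCH_POLICY" already present on PPC_SECURE_BOOT. Suggest dropping "default n" and, if IMA_ARCH_POLICY does depend on IMA as asked in the reply above, keeping only "depends on IMA_ARCH_POLICY" so that an architecture selecting the symbol unconditionally gets the unmet-dependency warning.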