cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

ima_arch.c (2307B)

      1// SPDX-License-Identifier: GPL-2.0
      2/*
      3 * Copyright (C) 2019 IBM Corporation
      4 * Author: Nayna Jain
      5 */
      6
      7#include <linux/ima.h>
      8#include <asm/secure_boot.h>
      9
     10bool arch_ima_get_secureboot(void)
     11{
     12	return is_ppc_secureboot_enabled();
     13}
     14
     15/*
     16 * The "secure_rules" are enabled only on "secureboot" enabled systems.
     17 * These rules verify the file signatures against known good values.
     18 * The "appraise_type=imasig|modsig" option allows the known good signature
     19 * to be stored as an xattr or as an appended signature.
     20 *
     21 * To avoid duplicate signature verification as much as possible, the IMA
     22 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
     23 * is not enabled.
     24 */
     25static const char *const secure_rules[] = {
     26	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
     27#ifndef CONFIG_MODULE_SIG
     28	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
     29#endif
     30	NULL
     31};
     32
     33/*
     34 * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
     35 * These rules add the kexec kernel image and kernel modules file hashes to
     36 * the IMA measurement list.
     37 */
     38static const char *const trusted_rules[] = {
     39	"measure func=KEXEC_KERNEL_CHECK",
     40	"measure func=MODULE_CHECK",
     41	NULL
     42};
     43
     44/*
     45 * The "secure_and_trusted_rules" contains rules for both the secure boot and
     46 * trusted boot. The "template=ima-modsig" option includes the appended
     47 * signature, when available, in the IMA measurement list.
     48 */
     49static const char *const secure_and_trusted_rules[] = {
     50	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
     51	"measure func=MODULE_CHECK template=ima-modsig",
     52	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
     53#ifndef CONFIG_MODULE_SIG
     54	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
     55#endif
     56	NULL
     57};
     58
     59/*
     60 * Returns the relevant IMA arch-specific policies based on the system secure
     61 * boot state.
     62 */
     63const char *const *arch_get_ima_policy(void)
     64{
     65	if (is_ppc_secureboot_enabled()) {
     66		if (IS_ENABLED(CONFIG_MODULE_SIG))
     67			set_module_sig_enforced();
     68
     69		if (is_ppc_trustedboot_enabled())
     70			return secure_and_trusted_rules;
     71		else
     72			return secure_rules;
     73	} else if (is_ppc_trustedboot_enabled()) {
     74		return trusted_rules;
     75	}
     76
     77	return NULL;
     78}