Accueil Explorer Aide
Connexion
samsung-sm8650
/
android_kernel_samsung_sm8650_ksu
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 822abd0dda
Branches Tags
android_kernel_...
/
arch
/
powerpc
/
kernel
/
ima_arch.c

ima_arch.c 2.3 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. // SPDX-License-Identifier: GPL-2.0
    2. 

  2. /*
    3. 

  3.  * Copyright (C) 2019 IBM Corporation
    4. 

  4.  * Author: Nayna Jain
    5. 

  5.  */
    6. 

  6. 

  7. #include <linux/ima.h>
    8. 

  8. #include <asm/secure_boot.h>
    9. 

  9. 

  10. bool arch_ima_get_secureboot(void)
    11. 

  11. {
    12. 

  12. 	return is_ppc_secureboot_enabled();
    13. 

  13. }
    14. 

  14. 

  15. /*
    16. 

  16.  * The "secure_rules" are enabled only on "secureboot" enabled systems.
    17. 

  17.  * These rules verify the file signatures against known good values.
    18. 

  18.  * The "appraise_type=imasig|modsig" option allows the known good signature
    19. 

  19.  * to be stored as an xattr or as an appended signature.
    20. 

  20.  *
    21. 

  21.  * To avoid duplicate signature verification as much as possible, the IMA
    22. 

  22.  * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
    23. 

  23.  * is not enabled.
    24. 

  24.  */
    25. 

  25. static const char *const secure_rules[] = {
    26. 

  26. 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
    27. 

  27. #ifndef CONFIG_MODULE_SIG
    28. 

  28. 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
    29. 

  29. #endif
    30. 

  30. 	NULL
    31. 

  31. };
    32. 

  32. 

  33. /*
    34. 

  34.  * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
    35. 

  35.  * These rules add the kexec kernel image and kernel modules file hashes to
    36. 

  36.  * the IMA measurement list.
    37. 

  37.  */
    38. 

  38. static const char *const trusted_rules[] = {
    39. 

  39. 	"measure func=KEXEC_KERNEL_CHECK",
    40. 

  40. 	"measure func=MODULE_CHECK",
    41. 

  41. 	NULL
    42. 

  42. };
    43. 

  43. 

  44. /*
    45. 

  45.  * The "secure_and_trusted_rules" contains rules for both the secure boot and
    46. 

  46.  * trusted boot. The "template=ima-modsig" option includes the appended
    47. 

  47.  * signature, when available, in the IMA measurement list.
    48. 

  48.  */
    49. 

  49. static const char *const secure_and_trusted_rules[] = {
    50. 

  50. 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
    51. 

  51. 	"measure func=MODULE_CHECK template=ima-modsig",
    52. 

  52. 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
    53. 

  53. #ifndef CONFIG_MODULE_SIG
    54. 

  54. 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
    55. 

  55. #endif
    56. 

  56. 	NULL
    57. 

  57. };
    58. 

  58. 

  59. /*
    60. 

  60.  * Returns the relevant IMA arch-specific policies based on the system secure
    61. 

  61.  * boot state.
    62. 

  62.  */
    63. 

  63. const char *const *arch_get_ima_policy(void)
    64. 

  64. {
    65. 

  65. 	if (is_ppc_secureboot_enabled()) {
    66. 

  66. 		if (IS_ENABLED(CONFIG_MODULE_SIG))
    67. 

  67. 			set_module_sig_enforced();
    68. 

  68. 

  69. 		if (is_ppc_trustedboot_enabled())
    70. 

  70. 			return secure_and_trusted_rules;
    71. 

  71. 		else
    72. 

  72. 			return secure_rules;
    73. 

  73. 	} else if (is_ppc_trustedboot_enabled()) {
    74. 

  74. 		return trusted_rules;
    75. 

  75. 	}
    76. 

  76. 

  77. 	return NULL;
    78. 

  78. }
    79.