From: Nayna Jain <nayna@linux.ibm.com>
To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Elaine Palmer <erpalmer@us.ibm.com>,
Eric Ricther <erichte@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Nayna Jain <nayna@linux.ibm.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Subject: [PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy
Date: Sat, 19 Oct 2019 14:06:13 -0400 [thread overview]
Message-ID: <1571508377-23603-5-git-send-email-nayna@linux.ibm.com> (raw)
In-Reply-To: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com>
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
arch/powerpc/kernel/ima_arch.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index 65d82ee74ea4..710872ea8f35 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -26,6 +26,32 @@ static const char *const secure_rules[] = {
NULL
};
+/*
+ * The "measure_rules" are enabled only on "trustedboot" enabled systems.
+ * These rules add the kexec kernel image and kernel modules file hashes to
+ * the IMA measurement list.
+ */
+static const char *const trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK",
+ "measure func=MODULE_CHECK",
+ NULL
+};
+
+/*
+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
+ * trusted boot. The "template=ima-modsig" option includes the appended
+ * signature, when available, in the IMA measurement list.
+ */
+static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
+#ifndef CONFIG_MODULE_SIG_FORCE
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+#endif
+ NULL
+};
+
/*
* Returns the relevant IMA arch-specific policies based on the system secure
* boot state.
@@ -33,7 +59,13 @@ static const char *const secure_rules[] = {
const char *const *arch_get_ima_policy(void)
{
if (is_ppc_secureboot_enabled())
- return secure_rules;
+ if (is_ppc_trustedboot_enabled())
+ return secure_and_trusted_rules;
+ else
+ return secure_rules;
+ else
+ if (is_ppc_trustedboot_enabled())
+ return trusted_rules;
return NULL;
}
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com>
To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Prakhar Srivastava <prsriva02@gmail.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
Matthew Garret <matthew.garret@nebula.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Elaine Palmer <erpalmer@us.ibm.com>,
Oliver O'Halloran <oohall@gmail.com>,
George Wilson <gcwilson@linux.ibm.com>
Subject: [PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy
Date: Sat, 19 Oct 2019 14:06:13 -0400 [thread overview]
Message-ID: <1571508377-23603-5-git-send-email-nayna@linux.ibm.com> (raw)
In-Reply-To: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com>
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
arch/powerpc/kernel/ima_arch.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index 65d82ee74ea4..710872ea8f35 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -26,6 +26,32 @@ static const char *const secure_rules[] = {
NULL
};
+/*
+ * The "measure_rules" are enabled only on "trustedboot" enabled systems.
+ * These rules add the kexec kernel image and kernel modules file hashes to
+ * the IMA measurement list.
+ */
+static const char *const trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK",
+ "measure func=MODULE_CHECK",
+ NULL
+};
+
+/*
+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
+ * trusted boot. The "template=ima-modsig" option includes the appended
+ * signature, when available, in the IMA measurement list.
+ */
+static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
+#ifndef CONFIG_MODULE_SIG_FORCE
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+#endif
+ NULL
+};
+
/*
* Returns the relevant IMA arch-specific policies based on the system secure
* boot state.
@@ -33,7 +59,13 @@ static const char *const secure_rules[] = {
const char *const *arch_get_ima_policy(void)
{
if (is_ppc_secureboot_enabled())
- return secure_rules;
+ if (is_ppc_trustedboot_enabled())
+ return secure_and_trusted_rules;
+ else
+ return secure_rules;
+ else
+ if (is_ppc_trustedboot_enabled())
+ return trusted_rules;
return NULL;
}
--
2.20.1
next prev parent reply other threads:[~2019-10-19 18:06 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-19 18:06 [PATCH v8 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-19 18:06 ` [PATCH v8 1/8] powerpc: detect the secure boot mode of the system Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-22 23:37 ` Michael Ellerman
2019-10-22 23:37 ` Michael Ellerman
2019-10-19 18:06 ` [PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 0:16 ` Mimi Zohar
2019-10-20 0:16 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 3/8] powerpc: detect the trusted boot state of the system Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 12:48 ` Mimi Zohar
2019-10-20 12:48 ` Mimi Zohar
2019-10-22 23:38 ` Michael Ellerman
2019-10-22 23:38 ` Michael Ellerman
2019-10-19 18:06 ` Nayna Jain [this message]
2019-10-19 18:06 ` [PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy Nayna Jain
2019-10-20 0:16 ` Mimi Zohar
2019-10-20 0:16 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 5/8] ima: make process_buffer_measurement() generic Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 1:21 ` Mimi Zohar
2019-10-20 1:21 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-19 18:06 ` [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain
2019-10-19 18:06 ` Nayna Jain
2019-10-20 0:58 ` Mimi Zohar
2019-10-20 0:58 ` Mimi Zohar
2019-10-20 16:06 ` Mimi Zohar
2019-10-20 16:06 ` Mimi Zohar
2019-10-20 16:09 ` Mimi Zohar
2019-10-20 16:09 ` Mimi Zohar
2019-10-19 18:06 ` [PATCH v8 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain
2019-10-19 18:06 ` Nayna Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1571508377-23603-5-git-send-email-nayna@linux.ibm.com \
--to=nayna@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=cclaudio@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=erpalmer@us.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nramas@linux.microsoft.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=prsriva02@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.