From: Nayna Jain <nayna@linux.ibm.com> To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Michael Ellerman <mpe@ellerman.id.au>, Benjamin Herrenschmidt <benh@kernel.crashing.org>, Paul Mackerras <paulus@samba.org>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Jeremy Kerr <jk@ozlabs.org>, Matthew Garret <matthew.garret@nebula.com>, Mimi Zohar <zohar@linux.ibm.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Claudio Carvalho <cclaudio@linux.ibm.com>, George Wilson <gcwilson@linux.ibm.com>, Elaine Palmer <erpalmer@us.ibm.com>, Eric Ricther <erichte@linux.ibm.com>, "Oliver O'Halloran" <oohall@gmail.com>, Nayna Jain <nayna@linux.ibm.com>, Prakhar Srivastava <prsriva02@gmail.com>, Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Subject: [PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules Date: Sat, 19 Oct 2019 14:06:11 -0400 [thread overview] Message-ID: <1571508377-23603-3-git-send-email-nayna@linux.ibm.com> (raw) In-Reply-To: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com> PowerNV system use a Linux-based bootloader, which relies on the IMA subsystem to enforce different secure boot modes. Since the verification policy may differ based on the secure boot mode of the system, the policies must be defined at runtime. This patch implements arch-specific support to define IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- arch/powerpc/Kconfig | 1 + arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/ima_arch.c | 39 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 ++- 4 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 56ea0019b616..c795039bdc73 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -938,6 +938,7 @@ config PPC_SECURE_BOOT prompt "Enable secure boot support" bool depends on PPC_POWERNV + depends on IMA_ARCH_POLICY help Systems with firmware secure boot enabled need to define security policies to extend secure boot to the OS. This config allows a user diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index e2a54fa240ac..e8eb2955b7d5 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -161,7 +161,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) obj-y += ucall.o endif -obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..65d82ee74ea4 --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c @@ -0,0 +1,39 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ + +#include <linux/ima.h> +#include <asm/secure_boot.h> + +bool arch_ima_get_secureboot(void) +{ + return is_ppc_secureboot_enabled(); +} + +/* + * The "secure_rules" are enabled only on "secureboot" enabled systems. + * These rules verify the file signatures against known good values. + * The "appraise_type=imasig|modsig" option allows the known good signature + * to be stored as an xattr or as an appended signature. + */ +static const char *const secure_rules[] = { + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#ifndef CONFIG_MODULE_SIG_FORCE + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + +/* + * Returns the relevant IMA arch-specific policies based on the system secure + * boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (is_ppc_secureboot_enabled()) + return secure_rules; + + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 1c37f17f7203..6d904754d858 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else -- 2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com> To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: Prakhar Srivastava <prsriva02@gmail.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Eric Ricther <erichte@linux.ibm.com>, Nayna Jain <nayna@linux.ibm.com>, linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, Claudio Carvalho <cclaudio@linux.ibm.com>, Matthew Garret <matthew.garret@nebula.com>, Lakshmi Ramasubramanian <nramas@linux.microsoft.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>, Elaine Palmer <erpalmer@us.ibm.com>, Oliver O'Halloran <oohall@gmail.com>, George Wilson <gcwilson@linux.ibm.com> Subject: [PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules Date: Sat, 19 Oct 2019 14:06:11 -0400 [thread overview] Message-ID: <1571508377-23603-3-git-send-email-nayna@linux.ibm.com> (raw) In-Reply-To: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com> PowerNV system use a Linux-based bootloader, which relies on the IMA subsystem to enforce different secure boot modes. Since the verification policy may differ based on the secure boot mode of the system, the policies must be defined at runtime. This patch implements arch-specific support to define IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- arch/powerpc/Kconfig | 1 + arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/ima_arch.c | 39 ++++++++++++++++++++++++++++++++++ include/linux/ima.h | 3 ++- 4 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 arch/powerpc/kernel/ima_arch.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 56ea0019b616..c795039bdc73 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -938,6 +938,7 @@ config PPC_SECURE_BOOT prompt "Enable secure boot support" bool depends on PPC_POWERNV + depends on IMA_ARCH_POLICY help Systems with firmware secure boot enabled need to define security policies to extend secure boot to the OS. This config allows a user diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index e2a54fa240ac..e8eb2955b7d5 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -161,7 +161,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) obj-y += ucall.o endif -obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index 000000000000..65d82ee74ea4 --- /dev/null +++ b/arch/powerpc/kernel/ima_arch.c @@ -0,0 +1,39 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ + +#include <linux/ima.h> +#include <asm/secure_boot.h> + +bool arch_ima_get_secureboot(void) +{ + return is_ppc_secureboot_enabled(); +} + +/* + * The "secure_rules" are enabled only on "secureboot" enabled systems. + * These rules verify the file signatures against known good values. + * The "appraise_type=imasig|modsig" option allows the known good signature + * to be stored as an xattr or as an appended signature. + */ +static const char *const secure_rules[] = { + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", +#ifndef CONFIG_MODULE_SIG_FORCE + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", +#endif + NULL +}; + +/* + * Returns the relevant IMA arch-specific policies based on the system secure + * boot state. + */ +const char *const *arch_get_ima_policy(void) +{ + if (is_ppc_secureboot_enabled()) + return secure_rules; + + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 1c37f17f7203..6d904754d858 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ + || defined(CONFIG_PPC_SECURE_BOOT) extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else -- 2.20.1
next prev parent reply other threads:[~2019-10-19 18:07 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-10-19 18:06 [PATCH v8 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-19 18:06 ` [PATCH v8 1/8] powerpc: detect the secure boot mode of the system Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-22 23:37 ` Michael Ellerman 2019-10-22 23:37 ` Michael Ellerman 2019-10-19 18:06 ` Nayna Jain [this message] 2019-10-19 18:06 ` [PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules Nayna Jain 2019-10-20 0:16 ` Mimi Zohar 2019-10-20 0:16 ` Mimi Zohar 2019-10-19 18:06 ` [PATCH v8 3/8] powerpc: detect the trusted boot state of the system Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-20 12:48 ` Mimi Zohar 2019-10-20 12:48 ` Mimi Zohar 2019-10-22 23:38 ` Michael Ellerman 2019-10-22 23:38 ` Michael Ellerman 2019-10-19 18:06 ` [PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-20 0:16 ` Mimi Zohar 2019-10-20 0:16 ` Mimi Zohar 2019-10-19 18:06 ` [PATCH v8 5/8] ima: make process_buffer_measurement() generic Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-20 1:21 ` Mimi Zohar 2019-10-20 1:21 ` Mimi Zohar 2019-10-19 18:06 ` [PATCH v8 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-19 18:06 ` [PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain 2019-10-19 18:06 ` Nayna Jain 2019-10-20 0:58 ` Mimi Zohar 2019-10-20 0:58 ` Mimi Zohar 2019-10-20 16:06 ` Mimi Zohar 2019-10-20 16:06 ` Mimi Zohar 2019-10-20 16:09 ` Mimi Zohar 2019-10-20 16:09 ` Mimi Zohar 2019-10-19 18:06 ` [PATCH v8 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain 2019-10-19 18:06 ` Nayna Jain
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1571508377-23603-3-git-send-email-nayna@linux.ibm.com \ --to=nayna@linux.ibm.com \ --cc=ard.biesheuvel@linaro.org \ --cc=benh@kernel.crashing.org \ --cc=cclaudio@linux.ibm.com \ --cc=erichte@linux.ibm.com \ --cc=erpalmer@us.ibm.com \ --cc=gcwilson@linux.ibm.com \ --cc=gregkh@linuxfoundation.org \ --cc=jk@ozlabs.org \ --cc=linux-efi@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linuxppc-dev@ozlabs.org \ --cc=matthew.garret@nebula.com \ --cc=mpe@ellerman.id.au \ --cc=nramas@linux.microsoft.com \ --cc=oohall@gmail.com \ --cc=paulus@samba.org \ --cc=prsriva02@gmail.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.