From: Nayna Jain <nayna@linux.ibm.com> To: linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-efi@vger.kernel.org, linux-s390@vger.kernel.org Cc: Ard Biesheuvel <ardb@kernel.org>, Martin Schwidefsky <schwidefsky@de.ibm.com>, Philipp Rudo <prudo@linux.ibm.com>, Michael Ellerman <mpe@ellerman.id.au>, zohar@linux.ibm.com, linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com> Subject: [PATCH] ima: add a new CONFIG for loading arch-specific policies Date: Wed, 26 Feb 2020 14:10:07 -0500 [thread overview] Message-ID: <1582744207-25969-1-git-send-email-nayna@linux.ibm.com> (raw) Every time a new architecture defines the IMA architecture specific functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA include file needs to be updated. To avoid this "noise", this patch defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_BOOT option, allowing the different architectures to select it. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Philipp Rudo <prudo@linux.ibm.com> Cc: Michael Ellerman <mpe@ellerman.id.au> --- arch/powerpc/Kconfig | 2 +- arch/s390/Kconfig | 1 + arch/x86/Kconfig | 1 + include/linux/ima.h | 3 +-- security/integrity/ima/Kconfig | 9 +++++++++ 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 497b7d0b2d7e..b8ce1b995633 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -246,6 +246,7 @@ config PPC select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select VIRT_TO_BUS if !PPC64 + select IMA_SECURE_AND_OR_TRUSTED_BOOT if PPC_SECURE_BOOT # # Please keep this list sorted alphabetically. # @@ -978,7 +979,6 @@ config PPC_SECURE_BOOT prompt "Enable secure boot support" bool depends on PPC_POWERNV - depends on IMA_ARCH_POLICY help Systems with firmware secure boot enabled need to define security policies to extend secure boot to the OS. This config allows a user diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 8abe77536d9d..90ff3633ade6 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -195,6 +195,7 @@ config S390 select ARCH_HAS_FORCE_DMA_UNENCRYPTED select SWIOTLB select GENERIC_ALLOCATOR + select IMA_SECURE_AND_OR_TRUSTED_BOOT config SCHED_OMIT_FRAME_POINTER diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index beea77046f9b..cafa66313fe2 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -230,6 +230,7 @@ config X86 select VIRT_TO_BUS select X86_FEATURE_NAMES if PROC_FS select PROC_PID_ARCH_STATUS if PROC_FS + select IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI config INSTRUCTION_DECODER def_bool y diff --git a/include/linux/ima.h b/include/linux/ima.h index 1659217e9b60..aefe758f4466 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ - || defined(CONFIG_PPC_SECURE_BOOT) +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 3f3ee4e2eb0d..d17972aa413a 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -327,3 +327,12 @@ config IMA_QUEUE_EARLY_BOOT_KEYS depends on IMA_MEASURE_ASYMMETRIC_KEYS depends on SYSTEM_TRUSTED_KEYRING default y + +config IMA_SECURE_AND_OR_TRUSTED_BOOT + bool + depends on IMA + depends on IMA_ARCH_POLICY + default n + help + This option is selected by architectures to enable secure and/or + trusted boot based on IMA runtime policies. -- 2.18.1
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com> To: linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-efi@vger.kernel.org, linux-s390@vger.kernel.org Cc: Nayna Jain <nayna@linux.ibm.com>, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, Philipp Rudo <prudo@linux.ibm.com>, Martin Schwidefsky <schwidefsky@de.ibm.com>, Ard Biesheuvel <ardb@kernel.org> Subject: [PATCH] ima: add a new CONFIG for loading arch-specific policies Date: Wed, 26 Feb 2020 14:10:07 -0500 [thread overview] Message-ID: <1582744207-25969-1-git-send-email-nayna@linux.ibm.com> (raw) Every time a new architecture defines the IMA architecture specific functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA include file needs to be updated. To avoid this "noise", this patch defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_BOOT option, allowing the different architectures to select it. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Philipp Rudo <prudo@linux.ibm.com> Cc: Michael Ellerman <mpe@ellerman.id.au> --- arch/powerpc/Kconfig | 2 +- arch/s390/Kconfig | 1 + arch/x86/Kconfig | 1 + include/linux/ima.h | 3 +-- security/integrity/ima/Kconfig | 9 +++++++++ 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 497b7d0b2d7e..b8ce1b995633 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -246,6 +246,7 @@ config PPC select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select VIRT_TO_BUS if !PPC64 + select IMA_SECURE_AND_OR_TRUSTED_BOOT if PPC_SECURE_BOOT # # Please keep this list sorted alphabetically. # @@ -978,7 +979,6 @@ config PPC_SECURE_BOOT prompt "Enable secure boot support" bool depends on PPC_POWERNV - depends on IMA_ARCH_POLICY help Systems with firmware secure boot enabled need to define security policies to extend secure boot to the OS. This config allows a user diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 8abe77536d9d..90ff3633ade6 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -195,6 +195,7 @@ config S390 select ARCH_HAS_FORCE_DMA_UNENCRYPTED select SWIOTLB select GENERIC_ALLOCATOR + select IMA_SECURE_AND_OR_TRUSTED_BOOT config SCHED_OMIT_FRAME_POINTER diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index beea77046f9b..cafa66313fe2 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -230,6 +230,7 @@ config X86 select VIRT_TO_BUS select X86_FEATURE_NAMES if PROC_FS select PROC_PID_ARCH_STATUS if PROC_FS + select IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI config INSTRUCTION_DECODER def_bool y diff --git a/include/linux/ima.h b/include/linux/ima.h index 1659217e9b60..aefe758f4466 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int size); extern void ima_add_kexec_buffer(struct kimage *image); #endif -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ - || defined(CONFIG_PPC_SECURE_BOOT) +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); #else diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 3f3ee4e2eb0d..d17972aa413a 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -327,3 +327,12 @@ config IMA_QUEUE_EARLY_BOOT_KEYS depends on IMA_MEASURE_ASYMMETRIC_KEYS depends on SYSTEM_TRUSTED_KEYRING default y + +config IMA_SECURE_AND_OR_TRUSTED_BOOT + bool + depends on IMA + depends on IMA_ARCH_POLICY + default n + help + This option is selected by architectures to enable secure and/or + trusted boot based on IMA runtime policies. -- 2.18.1
next reply other threads:[~2020-02-26 19:10 UTC|newest] Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-02-26 19:10 Nayna Jain [this message] 2020-02-26 19:10 ` [PATCH] ima: add a new CONFIG for loading arch-specific policies Nayna Jain 2020-02-26 19:21 ` Lakshmi Ramasubramanian 2020-02-26 19:21 ` Lakshmi Ramasubramanian 2020-02-26 20:36 ` Mimi Zohar 2020-02-26 20:36 ` Mimi Zohar 2020-02-27 19:38 ` Mimi Zohar 2020-02-27 19:38 ` Mimi Zohar 2020-03-02 14:48 ` Mimi Zohar 2020-03-02 14:48 ` Mimi Zohar 2020-03-02 14:52 ` Ard Biesheuvel 2020-03-02 14:52 ` Ard Biesheuvel 2020-03-02 14:56 ` Mimi Zohar 2020-03-02 14:56 ` Mimi Zohar 2020-03-02 21:21 ` Heiko Carstens 2020-03-02 21:21 ` Heiko Carstens 2020-03-02 21:21 ` Heiko Carstens 2020-03-02 23:23 ` Michael Ellerman 2020-03-02 23:23 ` Michael Ellerman
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1582744207-25969-1-git-send-email-nayna@linux.ibm.com \ --to=nayna@linux.ibm.com \ --cc=ardb@kernel.org \ --cc=linux-efi@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-s390@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=mpe@ellerman.id.au \ --cc=prudo@linux.ibm.com \ --cc=schwidefsky@de.ibm.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.