Linux-Integrity Archive on lore.kernel.org
From: Bruno Meneguele <bmeneg@redhat.com>
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot
Date: Tue, 23 Jun 2020 17:26:39 -0300
Message-ID: <20200623202640.4936-2-bmeneg@redhat.com>
In-Reply-To: <20200623202640.4936-1-bmeneg@redhat.com>

ima_get_secureboot() has been used for checking platform's secure boot
state for enabling different arch specific IMA policies where available.
However, for powerpc there also is the concept of Trusted Boot, which is
also relevant to the check code.

This patch extends the code or'ing the Trusted Boot state in PowerPC arch
while leaving the other arches (x86 and s390) unchanged. The only changes
performed in the other arches are related to the function name change.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 arch/powerpc/kernel/ima_arch.c    | 5 +++--
 arch/s390/kernel/ima_arch.c       | 2 +-
 arch/x86/kernel/ima_arch.c        | 5 +++--
 include/linux/ima.h               | 4 ++--
 security/integrity/ima/ima_main.c | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index 957abd592075..32b26b491c07 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -7,9 +7,10 @@
 #include <linux/ima.h>
 #include <asm/secure_boot.h>
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
-	return is_ppc_secureboot_enabled();
+	return (is_ppc_secureboot_enabled() ||
+		is_ppc_trustedboot_enabled());
 }
 
 /*
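Review bot: the new return value is true when only is_ppc_trustedboot_enabled() holds, so every caller of this function now treats a trusted-boot-only system exactly like a secure-boot one. The commit message says trusted boot is "also relevant to the check code" without naming the caller that needs it; please state that reason in the changelog, or expose the two states separately and OR them only where a caller needs both.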
diff --git a/arch/s390/kernel/ima_arch.c b/arch/s390/kernel/ima_arch.c
index f3c3e6e1c5d3..9cf823cf2b79 100644
--- a/arch/s390/kernel/ima_arch.c
+++ b/arch/s390/kernel/ima_arch.c
@@ -3,7 +3,7 @@
 #include <linux/ima.h>
 #include <asm/boot_data.h>
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
 	return ipl_secure_flag;
 }
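Review bot: after the rename this function still returns only ipl_secure_flag, so on s390 the name promises a trusted boot check that the body does not make. A one-line comment above the function saying that only the secure IPL flag is consulted here would keep readers from assuming otherwise.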
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 7dfb1e808928..168393d399ba 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -51,7 +51,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
 	return efi_secureboot_mode_enabled;
 }
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
 	static enum efi_secureboot_mode sb_mode;
 	static bool initialized;
@@ -85,7 +85,8 @@ static const char * const sb_arch_rules[] = {
 
 const char * const *arch_get_ima_policy(void)
 {
-	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
+	    arch_ima_secure_or_tusted_boot()) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();
 		return sb_arch_rules;
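Review bot: the new call in arch_get_ima_policy() is spelled arch_ima_secure_or_tusted_boot(), missing the "r" in "trusted", so it does not match the arch_ima_secure_or_trusted_boot() defined in the previous hunk of this file or declared in include/linux/ima.h. With CONFIG_IMA_ARCH_POLICY the x86 build will fail on an undeclared function; fix the spelling and build-test x86 before resending.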
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 9164e1534ec9..839b5c376ed6 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -32,10 +32,10 @@ extern void ima_add_kexec_buffer(struct kimage *image);
 #endif
 
 #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
-extern bool arch_ima_get_secureboot(void);
+extern bool arch_ima_secure_or_trusted_boot(void);
 extern const char * const *arch_get_ima_policy(void);
 #else
-static inline bool arch_ima_get_secureboot(void)
+static inline bool arch_ima_secure_or_trusted_boot(void)
 {
 	return false;
 }
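Review bot: the renamed prototype and its static inline stub are the contract callers read, and neither says what a true return now means. Add a short comment above the declaration stating that it returns true when secure boot or, where the architecture has one, trusted boot is enabled, and that the stub returns false when CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is off.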
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c1583d98c5e5..a760094e8f8d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -694,7 +694,7 @@ int ima_load_data(enum kernel_load_data_id id)
 	switch (id) {
 	case LOADING_KEXEC_IMAGE:
 		if (IS_ENABLED(CONFIG_KEXEC_SIG)
-		    && arch_ima_get_secureboot()) {
+		    && arch_ima_secure_or_trusted_boot()) {
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 			return -EACCES;
 		}
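Review bot: in the LOADING_KEXEC_IMAGE case the condition now also holds on a powerpc system where only trusted boot is enabled, so with CONFIG_KEXEC_SIG such a system starts getting -EACCES on the load path without a file descriptor that the pr_err describes. The commit message does not mention this effect; please confirm the stricter behaviour is intended and say so in the changelog, or keep a secure-boot-only check at this call site.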
-- 
2.26.2


Thread overview: 11+ messages
2020-06-23 20:26 [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele
2020-06-23 20:26 ` Bruno Meneguele [this message]
2020-06-26 20:23   ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-26 20:40   ` Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele
2020-06-26 14:46 ` [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele
