Linux/arch/powerpc/kernel/ima

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 2019 IBM Corporation 4 * Author: Nayna Jain 5 */ 6 7 #include <linux/ima.h> 8 #include <asm/secure_boot.h> 9 10 bool arch_ima_get_secureboot(void) 11 { 12 return is_ppc_secureboot_enabled(); 13 } 14 15 /* 16 * The "secure_rules" are enabled only on "secureboot" enabled systems. 17 * These rules verify the file signatures against known good values. 18 * The "appraise_type=imasig|modsig" option allows the known good signature 19 * to be stored as an xattr or as an appended signature. 20 * 21 * To avoid duplicate signature verification as much as possible, the IMA 22 * policy rule for module appraisal is added only if CONFIG_MODULE_SIG 23 * is not enabled. 24 */ 25 static const char *const secure_rules[] = { 26 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 27 #ifndef CONFIG_MODULE_SIG 28 "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 29 #endif 30 NULL 31 }; 32 33 /* 34 * The "trusted_rules" are enabled only on "trustedboot" enabled systems. 35 * These rules add the kexec kernel image and kernel modules file hashes to 36 * the IMA measurement list. 37 */ 38 static const char *const trusted_rules[] = { 39 "measure func=KEXEC_KERNEL_CHECK", 40 "measure func=MODULE_CHECK", 41 NULL 42 }; 43 44 /* 45 * The "secure_and_trusted_rules" contains rules for both the secure boot and 46 * trusted boot. The "template=ima-modsig" option includes the appended 47 * signature, when available, in the IMA measurement list. 48 */ 49 static const char *const secure_and_trusted_rules[] = { 50 "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", 51 "measure func=MODULE_CHECK template=ima-modsig", 52 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", 53 #ifndef CONFIG_MODULE_SIG 54 "appraise func=MODULE_CHECK appraise_type=imasig|modsig", 55 #endif 56 NULL 57 }; 58 59 /* 60 * Returns the relevant IMA arch-specific policies based on the system secure 61 * boot state. 62 */ 63 const char *const *arch_get_ima_policy(void) 64 { 65 if (is_ppc_secureboot_enabled()) { 66 if (IS_ENABLED(CONFIG_MODULE_SIG)) 67 set_module_sig_enforced(); 68 69 if (is_ppc_trustedboot_enabled()) 70 return secure_and_trusted_rules; 71 else 72 return secure_rules; 73 } else if (is_ppc_trustedboot_enabled()) { 74 return trusted_rules; 75 } 76 77 return NULL; 78 } 79

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/arch/powerpc/kernel/ima_arch.c

TOMOYO Linux Cross Reference
Linux/arch/powerpc/kernel/ima_arch.c