~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/arch/powerpc/kernel/ima_arch.c

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0
  2 /*
  3  * Copyright (C) 2019 IBM Corporation
  4  * Author: Nayna Jain
  5  */
  6 
  7 #include <linux/ima.h>
  8 #include <asm/secure_boot.h>
  9 
 10 bool arch_ima_get_secureboot(void)
 11 {
 12         return is_ppc_secureboot_enabled();
 13 }
 14 
 15 /*
 16  * The "secure_rules" are enabled only on "secureboot" enabled systems.
 17  * These rules verify the file signatures against known good values.
 18  * The "appraise_type=imasig|modsig" option allows the known good signature
 19  * to be stored as an xattr or as an appended signature.
 20  *
 21  * To avoid duplicate signature verification as much as possible, the IMA
 22  * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
 23  * is not enabled.
 24  */
 25 static const char *const secure_rules[] = {
 26         "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
 27 #ifndef CONFIG_MODULE_SIG
 28         "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
 29 #endif
 30         NULL
 31 };
 32 
 33 /*
 34  * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
 35  * These rules add the kexec kernel image and kernel modules file hashes to
 36  * the IMA measurement list.
 37  */
 38 static const char *const trusted_rules[] = {
 39         "measure func=KEXEC_KERNEL_CHECK",
 40         "measure func=MODULE_CHECK",
 41         NULL
 42 };
 43 
 44 /*
 45  * The "secure_and_trusted_rules" contains rules for both the secure boot and
 46  * trusted boot. The "template=ima-modsig" option includes the appended
 47  * signature, when available, in the IMA measurement list.
 48  */
 49 static const char *const secure_and_trusted_rules[] = {
 50         "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
 51         "measure func=MODULE_CHECK template=ima-modsig",
 52         "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
 53 #ifndef CONFIG_MODULE_SIG
 54         "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
 55 #endif
 56         NULL
 57 };
 58 
 59 /*
 60  * Returns the relevant IMA arch-specific policies based on the system secure
 61  * boot state.
 62  */
 63 const char *const *arch_get_ima_policy(void)
 64 {
 65         if (is_ppc_secureboot_enabled()) {
 66                 if (IS_ENABLED(CONFIG_MODULE_SIG))
 67                         set_module_sig_enforced();
 68 
 69                 if (is_ppc_trustedboot_enabled())
 70                         return secure_and_trusted_rules;
 71                 else
 72                         return secure_rules;
 73         } else if (is_ppc_trustedboot_enabled()) {
 74                 return trusted_rules;
 75         }
 76 
 77         return NULL;
 78 }
 79 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php