Linux/security/integrity/ima/ima_efi.c


  1 /* SPDX-License-Identifier: GPL-2.0+ */
  2 /*
  3  * Copyright (C) 2018 IBM Corporation
  4  */
  5 #include <linux/efi.h>
  6 #include <linux/module.h>
  7 #include <linux/ima.h>
  8 #include <asm/efi.h>
  9 
/*
 * An architecture may define arch_ima_efi_boot_mode to supply the secure
 * boot mode itself. The default, efi_secureboot_mode_unset, makes
 * arch_ima_get_secureboot() fall back to querying EFI via get_sb_mode().
 */
#ifndef arch_ima_efi_boot_mode
#define arch_ima_efi_boot_mode efi_secureboot_mode_unset
#endif
 13 
/*
 * Query the EFI secure boot mode through the runtime GetVariable service.
 *
 * Returns efi_secureboot_mode_unknown when the GetVariable runtime service
 * is not supported at all; otherwise the value reported by
 * efi_get_secureboot_mode(). The outcome is logged with pr_info() in
 * every case, so the boot log shows which mode IMA acted on.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
        enum efi_secureboot_mode sb;

        /* Without GetVariable the secure boot state cannot be read. */
        if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
                pr_info("ima: secureboot mode unknown, no efi\n");
                return efi_secureboot_mode_unknown;
        }

        sb = efi_get_secureboot_mode(efi.get_variable);
        switch (sb) {
        case efi_secureboot_mode_disabled:
                pr_info("ima: secureboot mode disabled\n");
                break;
        case efi_secureboot_mode_unknown:
                pr_info("ima: secureboot mode unknown\n");
                break;
        default:
                /* Anything else is reported as enabled, matching the caller's check. */
                pr_info("ima: secureboot mode enabled\n");
                break;
        }

        return sb;
}
 32 
/*
 * Report whether the platform booted with EFI secure boot enabled.
 *
 * The mode is resolved once, on the first call for which
 * efi_enabled(EFI_BOOT) is true: the architecture override
 * (arch_ima_efi_boot_mode) is taken first, and only when that is
 * efi_secureboot_mode_unset is EFI queried via get_sb_mode(). The result
 * is cached in function-local statics and reused on every later call.
 *
 * Returns true only for efi_secureboot_mode_enabled. "unknown" and
 * "disabled" report false, as does a system that never satisfied
 * efi_enabled(EFI_BOOT), whose cached mode keeps its zero-initialised
 * value; such systems therefore never receive the secure boot arch rules.
 */
bool arch_ima_get_secureboot(void)
{
        static enum efi_secureboot_mode cached_mode;
        static bool resolved;

        if (!resolved && efi_enabled(EFI_BOOT)) {
                cached_mode = arch_ima_efi_boot_mode;
                if (cached_mode == efi_secureboot_mode_unset)
                        cached_mode = get_sb_mode();
                resolved = true;
        }

        return cached_mode == efi_secureboot_mode_enabled;
}
 51 
/*
 * secureboot arch rules
 *
 * IMA policy handed out by arch_get_ima_policy() when secure boot is on.
 * The "appraise" (signature-required) rules are only compiled in where the
 * kernel cannot enforce the corresponding signature check itself; when
 * CONFIG_KEXEC_SIG / CONFIG_MODULE_SIG are built in, arch_get_ima_policy()
 * turns on that kernel-side enforcement instead and only the "measure"
 * rules remain. The list is NULL-terminated.
 */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_SIG)
        /* No kernel-side kexec signature check: require an IMA signature. */
        "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
        "measure func=KEXEC_KERNEL_CHECK",
#if !IS_ENABLED(CONFIG_MODULE_SIG)
        /* No kernel-side module signature check: require an IMA signature. */
        "appraise func=MODULE_CHECK appraise_type=imasig",
#endif
#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
        /* Loaded IMA policy files must themselves carry a valid signature. */
        "appraise func=POLICY_CHECK appraise_type=imasig",
#endif
        "measure func=MODULE_CHECK",
        NULL   /* terminator */
};
 67 
/*
 * Hand the secure boot IMA policy to the IMA core.
 *
 * Returns sb_arch_rules when CONFIG_IMA_ARCH_POLICY is enabled and
 * arch_ima_get_secureboot() reports secure boot on. Before returning it
 * switches on kernel-side signature enforcement for modules
 * (CONFIG_MODULE_SIG) and kexec (CONFIG_KEXEC_SIG) where those are built
 * in; the IMA "appraise" rules in sb_arch_rules cover only the cases where
 * that built-in enforcement is absent. Returns NULL otherwise, in which
 * case nothing is enforced here.
 */
const char * const *arch_get_ima_policy(void)
{
        /* Keep the config check first so secure boot is not queried needlessly. */
        bool use_arch_rules = IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
                              arch_ima_get_secureboot();

        if (!use_arch_rules)
                return NULL;

        if (IS_ENABLED(CONFIG_MODULE_SIG))
                set_module_sig_enforced();
        if (IS_ENABLED(CONFIG_KEXEC_SIG))
                set_kexec_sig_enforced();

        return sb_arch_rules;
}
 79 
