[PATCH v7 4/8] powerpc/ima: add measurement rules to ima arch specific policy

Mon, 07 Oct 2019 18:22:12 -0700 

This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.

Signed-off-by: Nayna Jain <na...@linux.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.ibm.com>
---
 arch/powerpc/kernel/ima_arch.c | 45 +++++++++++++++++++++++++++++++---
 1 file changed, 42 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index c22d82965eb4..88bfe4a1a9a5 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -12,8 +12,19 @@ bool arch_ima_get_secureboot(void)
        return is_powerpc_os_secureboot_enabled();
 }
 
-/* Defines IMA appraise rules for secureboot */
+/*
+ * The "arch_rules" contains both the securebot and trustedboot rules for 
adding
+ * the kexec kernel image and kernel modules file hashes to the IMA measurement
+ * list and verifying the file signatures against known good values.
+ *
+ * The "appraise_type=imasig|modsig" option allows the good signature to be
+ * stored as an xattr or as an appended signature. The "template=ima-modsig"
+ * option includes the appended signature, when available, in the IMA
+ * measurement list.
+ */
 static const char *const arch_rules[] = {
+       "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+       "measure func=MODULE_CHECK template=ima-modsig",
        "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
 #if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
        "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
@@ -22,12 +33,40 @@ static const char *const arch_rules[] = {
 };
 
 /*
- * Returns the relevant IMA arch policies based on the system secureboot state.
+ * The "measure_rules" are enabled only on "trustedboot" enabled systems.
+ * These rules add the kexec kernel image and kernel modules file hashes to
+ * the IMA measurement list.
+ */
+static const char *const measure_rules[] = {
+       "measure func=KEXEC_KERNEL_CHECK",
+       "measure func=MODULE_CHECK",
+       NULL
+};
+
+/*
+ * Returns the relevant IMA arch policies based on the system secureboot
+ * and trustedboot state.
  */
 const char *const *arch_get_ima_policy(void)
 {
-       if (is_powerpc_os_secureboot_enabled())
+       const char *const *rules;
+       int offset = 0;
+
+       for (rules = arch_rules; *rules != NULL; rules++) {
+               if (strncmp(*rules, "appraise", 8) == 0)
+                       break;
+               offset++;
+       }
+
+       if (is_powerpc_os_secureboot_enabled()
+           && is_powerpc_trustedboot_enabled())
                return arch_rules;
 
+       if (is_powerpc_os_secureboot_enabled())
+               return arch_rules + offset;
+
+       if (is_powerpc_trustedboot_enabled())
+               return measure_rules;
+
        return NULL;
 }
-- 
2.20.1

Reply via email to