arch/powerpc/kernel/ima_arch.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0
 /*
  * Copyright (C) 2019 IBM Corporation
  * Author: Nayna Jain
  */

 #include <linux/ima.h>
 #include <asm/secure_boot.h>

 bool arch_ima_get_secureboot(void)
 {
 	return is_ppc_secureboot_enabled();
 }

 /*
  * The "secure_rules" are enabled only on "secureboot" enabled systems.
  * These rules verify the file signatures against known good values.
  * The "appraise_type=imasig|modsig" option allows the known good signature
  * to be stored as an xattr or as an appended signature.
  *
  * To avoid duplicate signature verification as much as possible, the IMA
  * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
  * is not enabled.
  */
 static const char *const secure_rules[] = {
 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 #ifndef CONFIG_MODULE_SIG
 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 #endif
 	NULL
 };

 /*
  * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
  * These rules add the kexec kernel image and kernel modules file hashes to
  * the IMA measurement list.
  */
 static const char *const trusted_rules[] = {
 	"measure func=KEXEC_KERNEL_CHECK",
 	"measure func=MODULE_CHECK",
 	NULL
 };

 /*
  * The "secure_and_trusted_rules" contains rules for both the secure boot and
  * trusted boot. The "template=ima-modsig" option includes the appended
  * signature, when available, in the IMA measurement list.
  */
 static const char *const secure_and_trusted_rules[] = {
 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
 	"measure func=MODULE_CHECK template=ima-modsig",
 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 #ifndef CONFIG_MODULE_SIG
 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 #endif
 	NULL
 };

 /*
  * Returns the relevant IMA arch-specific policies based on the system secure
  * boot state.
  */
 const char *const *arch_get_ima_policy(void)
 {
 	if (is_ppc_secureboot_enabled()) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();

 		if (is_ppc_trustedboot_enabled())
 			return secure_and_trusted_rules;
 		else
 			return secure_rules;
 	} else if (is_ppc_trustedboot_enabled()) {
 		return trusted_rules;
 	}

 	return NULL;
 }
	// SPDX-License-Identifier: GPL-2.0
	/*
	* Copyright (C) 2019 IBM Corporation
	* Author: Nayna Jain
	*/

	#include <linux/ima.h>
	#include <asm/secure_boot.h>

	bool arch_ima_get_secureboot(void)
	{
	return is_ppc_secureboot_enabled();
	}

	/*
	* The "secure_rules" are enabled only on "secureboot" enabled systems.
	* These rules verify the file signatures against known good values.
	* The "appraise_type=imasig\|modsig" option allows the known good signature
	* to be stored as an xattr or as an appended signature.
	*
	* To avoid duplicate signature verification as much as possible, the IMA
	* policy rule for module appraisal is added only if CONFIG_MODULE_SIG
	* is not enabled.
	*/
	static const char *const secure_rules[] = {
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#endif
	NULL
	};

	/*
	* The "trusted_rules" are enabled only on "trustedboot" enabled systems.
	* These rules add the kexec kernel image and kernel modules file hashes to
	* the IMA measurement list.
	*/
	static const char *const trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK",
	"measure func=MODULE_CHECK",
	NULL
	};

	/*
	* The "secure_and_trusted_rules" contains rules for both the secure boot and
	* trusted boot. The "template=ima-modsig" option includes the appended
	* signature, when available, in the IMA measurement list.
	*/
	static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#ifndef CONFIG_MODULE_SIG
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig\|modsig",
	#endif
	NULL
	};

	/*
	* Returns the relevant IMA arch-specific policies based on the system secure
	* boot state.
	*/
	const char const arch_get_ima_policy(void)
	{
	if (is_ppc_secureboot_enabled()) {
	if (IS_ENABLED(CONFIG_MODULE_SIG))
	set_module_sig_enforced();

	if (is_ppc_trustedboot_enabled())
	return secure_and_trusted_rules;
	else
	return secure_rules;
	} else if (is_ppc_trustedboot_enabled()) {
	return trusted_rules;
	}

	return NULL;
	}