Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy rules
From: Mimi Zohar
Date: Fri Oct 11 2019 - 09:13:14 EST
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
> PowerNV systems uses kernel based bootloader, thus its secure boot
> implementation uses kernel IMA security subsystem to verify the kernel
> before kexec.
^use a Linux based bootloader, which rely on the IMA subsystem to
enforce different secure boot modes.
> Since the verification policy might differ based on the
> secure boot mode of the system, the policies are defined at runtime.
^the policies need to be defined at runtime.
>
> This patch implements the arch-specific support to define the IMA policy
> rules based on the runtime secure boot mode of the system.
>
> This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
> config is enabled.
>
> Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
> ---
> arch/powerpc/Kconfig | 2 ++
> arch/powerpc/kernel/Makefile | 2 +-
> arch/powerpc/kernel/ima_arch.c | 33 +++++++++++++++++++++++++++++++++
> include/linux/ima.h | 3 ++-
> 4 files changed, 38 insertions(+), 2 deletions(-)
> create mode 100644 arch/powerpc/kernel/ima_arch.c
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index b4a221886fcf..deb19ec6ba3d 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -938,6 +938,8 @@ config PPC_SECURE_BOOT
> prompt "Enable secure boot support"
> bool
> depends on PPC_POWERNV
> + depends on IMA
> + depends on IMA_ARCH_POLICY
As IMA_ARCH_POLICY is dependent on IMA, I don't see a need for
depending on both IMA and IMA_ARCH_POLICY.
Mimi