Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy rules

From: Nayna
Date: Thu Oct 17 2019 - 08:59:25 EST

Next message: Manivannan Sadhasivam: "Re: [PATCH -next 28/30] pinctrl: actions: use devm_platform_ioremap_resource() to simplify code"
Previous message: James Bottomley: "Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/15/2019 07:29 AM, Michael Ellerman wrote:

Nayna Jain <nayna@xxxxxxxxxxxxx> writes:

PowerNV systems uses kernel based bootloader, thus its secure boot
implementation uses kernel IMA security subsystem to verify the kernel
before kexec. Since the verification policy might differ based on the
secure boot mode of the system, the policies are defined at runtime.

This patch implements the arch-specific support to define the IMA policy
rules based on the runtime secure boot mode of the system.

This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.

...

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
new file mode 100644
index 000000000000..c22d82965eb4
--- /dev/null
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+
+#include <linux/ima.h>
+#include <asm/secure_boot.h>
+
+bool arch_ima_get_secureboot(void)
+{
+ return is_powerpc_os_secureboot_enabled();
+}
+
+/* Defines IMA appraise rules for secureboot */
+static const char *const arch_rules[] = {
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
+#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+#endif

This confuses me.

If I spell it out we get:

#if IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif

Which is just:

#ifdef CONFIG_MODULE_SIG_FORCE
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif

But CONFIG_MODULE_SIG_FORCE enabled says that we *do* require modules to
have a valid signature. Isn't that the inverse of what the rules say?

Presumably I'm misunderstanding something :)

To avoid duplicate signature verification as much as possible, the IMA policy rule is added only if CONFIG_MODULE_SIG_FORCE is not enabled. CONFIG_MODULE_SIG_FORCE is part of modules support. IMA signature verification is based on policy.

Thanks & Regards,
ÂÂÂÂ - Nayna

Next message: Manivannan Sadhasivam: "Re: [PATCH -next 28/30] pinctrl: actions: use devm_platform_ioremap_resource() to simplify code"
Previous message: James Bottomley: "Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]