Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy rules
From: Michael Ellerman
Date: Tue Oct 15 2019 - 07:29:30 EST
Nayna Jain <nayna@xxxxxxxxxxxxx> writes:
> PowerNV systems uses kernel based bootloader, thus its secure boot
> implementation uses kernel IMA security subsystem to verify the kernel
> before kexec. Since the verification policy might differ based on the
> secure boot mode of the system, the policies are defined at runtime.
>
> This patch implements the arch-specific support to define the IMA policy
> rules based on the runtime secure boot mode of the system.
>
> This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
> config is enabled.
...
> diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
> new file mode 100644
> index 000000000000..c22d82965eb4
> --- /dev/null
> +++ b/arch/powerpc/kernel/ima_arch.c
> @@ -0,0 +1,33 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain
> + */
> +
> +#include <linux/ima.h>
> +#include <asm/secure_boot.h>
> +
> +bool arch_ima_get_secureboot(void)
> +{
> + return is_powerpc_os_secureboot_enabled();
> +}
> +
> +/* Defines IMA appraise rules for secureboot */
> +static const char *const arch_rules[] = {
> + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
> +#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
> + "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
> +#endif
This confuses me.
If I spell it out we get:
#if IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
Which is just:
#ifdef CONFIG_MODULE_SIG_FORCE
// nothing
#else
"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
But CONFIG_MODULE_SIG_FORCE enabled says that we *do* require modules to
have a valid signature. Isn't that the inverse of what the rules say?
Presumably I'm misunderstanding something :)
cheers