lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200623202640.4936-2-bmeneg@redhat.com>
Date:   Tue, 23 Jun 2020 17:26:39 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com,
        Bruno Meneguele <bmeneg@...hat.com>
Subject: [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot

ima_get_secureboot() has been used for checking platform's secure boot
state for enabling different arch specific IMA policies where available.
However, for powerpc there also is the concept of Trusted Boot, which is
also relevant to the check code.

This patch extend the code or'ing the Trusted Boot state in PowerPC arch
while leaving the other arches (x86 and s390) unchanged. The only changes
performed in the other arches is related to the function name change.

Signed-off-by: Bruno Meneguele <bmeneg@...hat.com>
---
 arch/powerpc/kernel/ima_arch.c    | 5 +++--
 arch/s390/kernel/ima_arch.c       | 2 +-
 arch/x86/kernel/ima_arch.c        | 5 +++--
 include/linux/ima.h               | 4 ++--
 security/integrity/ima/ima_main.c | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index 957abd592075..32b26b491c07 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -7,9 +7,10 @@
 #include <linux/ima.h>
 #include <asm/secure_boot.h>
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
-	return is_ppc_secureboot_enabled();
+	return (is_ppc_secureboot_enabled() ||
+		is_ppc_trustedboot_enabled());
 }
 
 /*
diff --git a/arch/s390/kernel/ima_arch.c b/arch/s390/kernel/ima_arch.c
index f3c3e6e1c5d3..9cf823cf2b79 100644
--- a/arch/s390/kernel/ima_arch.c
+++ b/arch/s390/kernel/ima_arch.c
@@ -3,7 +3,7 @@
 #include <linux/ima.h>
 #include <asm/boot_data.h>
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
 	return ipl_secure_flag;
 }
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 7dfb1e808928..168393d399ba 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -51,7 +51,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
 	return efi_secureboot_mode_enabled;
 }
 
-bool arch_ima_get_secureboot(void)
+bool arch_ima_secure_or_trusted_boot(void)
 {
 	static enum efi_secureboot_mode sb_mode;
 	static bool initialized;
@@ -85,7 +85,8 @@ static const char * const sb_arch_rules[] = {
 
 const char * const *arch_get_ima_policy(void)
 {
-	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
+	    arch_ima_secure_or_tusted_boot()) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();
 		return sb_arch_rules;
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 9164e1534ec9..839b5c376ed6 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -32,10 +32,10 @@ extern void ima_add_kexec_buffer(struct kimage *image);
 #endif
 
 #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
-extern bool arch_ima_get_secureboot(void);
+extern bool arch_ima_secure_or_trusted_boot(void);
 extern const char * const *arch_get_ima_policy(void);
 #else
-static inline bool arch_ima_get_secureboot(void)
+static inline bool arch_ima_secure_or_trusted_boot(void)
 {
 	return false;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c1583d98c5e5..a760094e8f8d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -694,7 +694,7 @@ int ima_load_data(enum kernel_load_data_id id)
 	switch (id) {
 	case LOADING_KEXEC_IMAGE:
 		if (IS_ENABLED(CONFIG_KEXEC_SIG)
-		    && arch_ima_get_secureboot()) {
+		    && arch_ima_secure_or_trusted_boot()) {
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 			return -EACCES;
 		}
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ