Skip to content

Commit

Permalink
powerpc/ima: Fix secure boot rules in ima arch policy
Browse files Browse the repository at this point in the history 
To prevent verifying the kernel module appended signature
twice (finit_module), once by the module_sig_check() and again by IMA,
powerpc secure boot rules define an IMA architecture specific policy
rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
unfortunately, does not take into account the ability of enabling
"sig_enforce" on the boot command line (module.sig_enforce=1).

Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.

This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.

Fixes: 4238fad ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: Nayna Jain <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
  • Loading branch information
@naynajain @mpe
naynajain authored and mpe committed May 7, 2020
1 parent c44dc63 commit fa4f3f5
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions arch/powerpc/kernel/ima_arch.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
* to be stored as an xattr or as an appended signature.
*
* To avoid duplicate signature verification as much as possible, the IMA
* policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
* policy rule for module appraisal is added only if CONFIG_MODULE_SIG
* is not enabled.
*/
static const char *const secure_rules[] = {
"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG_FORCE
#ifndef CONFIG_MODULE_SIG
"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
NULL
Expand All @@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
"measure func=MODULE_CHECK template=ima-modsig",
"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG_FORCE
#ifndef CONFIG_MODULE_SIG
"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
NULL
Expand Down

0 comments on commit fa4f3f5

Please sign in to comment.