Commit 26b1959f authored by Michael Ellerman's avatar Michael Ellerman

Merge branch 'topic/ima' into topic/secureboot

From Nayna's cover letter:
  The IMA subsystem supports custom, built-in, arch-specific policies
  to define the files to be measured and appraised. These policies are
  honored based on priority, where arch-specific policy is the highest
  and custom is the lowest.

  PowerNV systems use a Linux-based bootloader to kexec the OS. The
  bootloader kernel relies on IMA for signature verification of the OS
  kernel before doing the kexec. This patchset adds support for
  powerpc arch-specific IMA policies that are conditionally defined
  based on a system's secure boot and trusted boot states. The OS
  secure boot and trusted boot states are determined via device-tree
  properties.

  The verification needs to be performed only for binaries that are
  not blacklisted. The kernel currently only checks against the
  blacklist of keys. However, doing so results in blacklisting all the
  binaries that are signed by the same key. In order to prevent just
  one particular binary from being loaded, it must be checked against
  a blacklist of binary hashes. This patchset also adds support to IMA
  for checking against a hash blacklist for files signed by appended
  signature.
parents da0c9ea1 d72ea491
+4 −0
@@ -25,6 +25,7 @@ Description:
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [template=] [permit_directio]
				[appraise_flag=]
		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
@@ -38,6 +39,9 @@ Description:
			fowner:= decimal value
		lsm:  	are LSM specific
		option:	appraise_type:= [imasig] [imasig|modsig]
			appraise_flag:= [check_blacklist]
			Currently, blacklist check is only for files signed with appended
			signature.
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
+11 −0
@@ -934,6 +934,17 @@ config PPC_MEM_KEYS

	  If unsure, say y.

config PPC_SECURE_BOOT
	prompt "Enable secure boot support"
	bool
	depends on PPC_POWERNV
	depends on IMA_ARCH_POLICY
	help
	  Systems with firmware secure boot enabled need to define security
	  policies to extend secure boot to the OS. This config allows a user
	  to enable OS secure boot on systems that have firmware support for
	  it. If in doubt say N.

endmenu

config ISA_DMA_API
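--- /dev/null
+++ b/arch/powerpc/include/asm/secure_boot.h
@@ -0,0 +1,29 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Secure boot definitions
+ *
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+#ifndef _ASM_POWER_SECURE_BOOT_H
+#define _ASM_POWER_SECURE_BOOT_H
+
+#ifdef CONFIG_PPC_SECURE_BOOT
+
+bool is_ppc_secureboot_enabled(void);
+bool is_ppc_trustedboot_enabled(void);
+
+#else
+
+static inline bool is_ppc_secureboot_enabled(void)
+{
+	return false;
+}
+
+static inline bool is_ppc_trustedboot_enabled(void)
+{
+	return false;
+}
+
+#endif
+#endif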
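Review bot: The header uses `bool` in both the prototypes and the `#else` inline stubs but includes nothing that defines it, so it only compiles when the includer has already pulled in the kernel's boolean type (ima_arch.c presumably gets it indirectly through `<linux/ima.h>`). A self-contained header should add `#include <linux/types.h>` directly after the `#define _ASM_POWER_SECURE_BOOT_H` guard so that any future user of is_ppc_secureboot_enabled()/is_ppc_trustedboot_enabled() can include it first. The stubs returning false when CONFIG_PPC_SECURE_BOOT is off are otherwise the right fail-closed default for callers that gate policy on these functions.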
+2 −0
@@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
obj-y				+= ucall.o
endif

obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o

# Disable GCOV, KCOV & sanitizers in odd or sensitive code
GCOV_PROFILE_prom_init.o := n
KCOV_INSTRUMENT_prom_init.o := n
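--- /dev/null
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+
+#include <linux/ima.h>
+#include <asm/secure_boot.h>
+
+bool arch_ima_get_secureboot(void)
+{
+	return is_ppc_secureboot_enabled();
+}
+
+/*
+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
+ * These rules verify the file signatures against known good values.
+ * The "appraise_type=imasig|modsig" option allows the known good signature
+ * to be stored as an xattr or as an appended signature.
+ *
+ * To avoid duplicate signature verification as much as possible, the IMA
+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
+ * is not enabled.
+ */
+static const char *const secure_rules[] = {
+	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+#ifndef CONFIG_MODULE_SIG_FORCE
+	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+#endif
+	NULL
+};
+
+/*
+ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
+ * These rules add the kexec kernel image and kernel modules file hashes to
+ * the IMA measurement list.
+ */
+static const char *const trusted_rules[] = {
+	"measure func=KEXEC_KERNEL_CHECK",
+	"measure func=MODULE_CHECK",
+	NULL
+};
+
+/*
+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
+ * trusted boot. The "template=ima-modsig" option includes the appended
+ * signature, when available, in the IMA measurement list.
+ */
+static const char *const secure_and_trusted_rules[] = {
+	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+	"measure func=MODULE_CHECK template=ima-modsig",
+	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+#ifndef CONFIG_MODULE_SIG_FORCE
+	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+#endif
+	NULL
+};
+
+/*
+ * Returns the relevant IMA arch-specific policies based on the system secure
+ * boot state.
+ */
+const char *const *arch_get_ima_policy(void)
+{
+	if (is_ppc_secureboot_enabled()) {
+		if (IS_ENABLED(CONFIG_MODULE_SIG))
+			set_module_sig_enforced();
+
+		if (is_ppc_trustedboot_enabled())
+			return secure_and_trusted_rules;
+		else
+			return secure_rules;
+	} else if (is_ppc_trustedboot_enabled()) {
+		return trusted_rules;
+	}
+
+	return NULL;
+}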
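Review bot: arch_get_ima_policy() is documented only as returning the arch policy, yet it also changes module-loading behaviour: the set_module_sig_enforced() call under IS_ENABLED(CONFIG_MODULE_SIG) switches on kernel module signature enforcement whenever is_ppc_secureboot_enabled() is true, which a reader of the header comment would not expect from a getter. That side effect should be stated in the comment above the function, e.g. `* On secure boot enabled systems this also enables kernel module signature` / `* enforcement (set_module_sig_enforced()) when CONFIG_MODULE_SIG is set.` It would also help to say there that a NULL return means no arch rules are applied, since that is what callers see when neither boot state is enabled. As a point of style, the `else` after `return secure_and_trusted_rules;` is redundant and the two returns read better as flat statements.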