Commit d72ea491 authored by Mimi Zohar's avatar Mimi Zohar Committed by Michael Ellerman
Browse files

powerpc/ima: Indicate kernel modules appended signatures are enforced 



The arch specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature. As a result, kernel modules appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce. This patch sets
"sig_enforce".

Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
parent dc87f186

arch/powerpc/kernel/ima_arch.c

+6 −2
Original line number Diff line number Diff line
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = { 
 */

const char *const *arch_get_ima_policy(void)

{

	if (is_ppc_secureboot_enabled())

	if (is_ppc_secureboot_enabled()) {

		if (IS_ENABLED(CONFIG_MODULE_SIG))

			set_module_sig_enforced();



		if (is_ppc_trustedboot_enabled())

			return secure_and_trusted_rules;

		else

			return secure_rules;

	else if (is_ppc_trustedboot_enabled())

	} else if (is_ppc_trustedboot_enabled()) {

		return trusted_rules;

	}



	return NULL;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE