On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote: > This patch adds the measurement rules to the arch specific policies on > trusted boot enabled systems. This version does not add rules to the existing arch specific policy, but defines an arch specific trusted boot only policy and a combined secure and trusted boot policy. > > Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx> > --- > arch/powerpc/kernel/ima_arch.c | 34 +++++++++++++++++++++++++++++++++- > 1 file changed, 33 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > index 65d82ee74ea4..710872ea8f35 100644 > --- a/arch/powerpc/kernel/ima_arch.c > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -26,6 +26,32 @@ static const char *const secure_rules[] = { > NULL > }; > > +/* > + * The "measure_rules" are enabled only on "trustedboot" enabled systems. Please update the policy name to reflect the new "trusted_rules" name. > + * These rules add the kexec kernel image and kernel modules file hashes to > + * the IMA measurement list. > + */ > +static const char *const trusted_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK", > + "measure func=MODULE_CHECK", > + NULL > +}; > + > +/* > + * The "secure_and_trusted_rules" contains rules for both the secure boot and > + * trusted boot. The "template=ima-modsig" option includes the appended > + * signature, when available, in the IMA measurement list. > + */ > +static const char *const secure_and_trusted_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > + "measure func=MODULE_CHECK template=ima-modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#ifndef CONFIG_MODULE_SIG_FORCE > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif > + NULL > +}; > + > /* > * Returns the relevant IMA arch-specific policies based on the system secure > * boot state. > @@ -33,7 +59,13 @@ static const char *const secure_rules[] = { > const char *const *arch_get_ima_policy(void) > { > if (is_ppc_secureboot_enabled()) > - return secure_rules; > + if (is_ppc_trustedboot_enabled()) > + return secure_and_trusted_rules; > + else > + return secure_rules; > + else > + if (is_ppc_trustedboot_enabled()) No need for the "if" statement to be on a separate line. Please combine the "else" and "if" statements. Mimi > + return trusted_rules; > > return NULL; > }