Re: [PATCH v3 2/3] ima: replace arch-specific get_sb_mode() with a common helper ima_get_efi_secureboot()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@xxxxxxxx> wrote:
>
> remove the get_sb_mode() from x86/kernel/ima_arch.c and create a common
> helper ima_get_efi_secureboot() in IMA so that all EFI-based architectures
> can refer to the same procedure.
>
> Signed-off-by: Chester Lin <clin@xxxxxxxx>
> ---
>  arch/x86/kernel/ima_arch.c       | 69 +++++++-------------------------
>  include/linux/ima.h              | 10 +++++
>  security/integrity/ima/Makefile  |  1 +
>  security/integrity/ima/ima_efi.c | 26 ++++++++++++
>  4 files changed, 51 insertions(+), 55 deletions(-)
>  create mode 100644 security/integrity/ima/ima_efi.c
>
> diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
> index 7dfb1e808928..2c773532ff0a 100644
> --- a/arch/x86/kernel/ima_arch.c
> +++ b/arch/x86/kernel/ima_arch.c
> @@ -8,69 +8,28 @@
>
>  extern struct boot_params boot_params;
>
> -static enum efi_secureboot_mode get_sb_mode(void)
> -{
> -       efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> -       efi_status_t status;
> -       unsigned long size;
> -       u8 secboot, setupmode;
> -
> -       size = sizeof(secboot);
> -
> -       if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> -               pr_info("ima: secureboot mode unknown, no efi\n");
> -               return efi_secureboot_mode_unknown;
> -       }
> -
> -       /* Get variable contents into buffer */
> -       status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> -                                 NULL, &size, &secboot);
> -       if (status == EFI_NOT_FOUND) {
> -               pr_info("ima: secureboot mode disabled\n");
> -               return efi_secureboot_mode_disabled;
> -       }
> -
> -       if (status != EFI_SUCCESS) {
> -               pr_info("ima: secureboot mode unknown\n");
> -               return efi_secureboot_mode_unknown;
> -       }
> -
> -       size = sizeof(setupmode);
> -       status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> -                                 NULL, &size, &setupmode);
> -
> -       if (status != EFI_SUCCESS)      /* ignore unknown SetupMode */
> -               setupmode = 0;
> -
> -       if (secboot == 0 || setupmode == 1) {
> -               pr_info("ima: secureboot mode disabled\n");
> -               return efi_secureboot_mode_disabled;
> -       }
> -
> -       pr_info("ima: secureboot mode enabled\n");
> -       return efi_secureboot_mode_enabled;
> -}
> -
>  bool arch_ima_get_secureboot(void)
>  {
> -       static enum efi_secureboot_mode sb_mode;
> -       static bool initialized;
> -
> -       if (!initialized && efi_enabled(EFI_BOOT)) {
> -               sb_mode = boot_params.secure_boot;
> +       static bool sb_enabled, initialized;
>
> -               if (sb_mode == efi_secureboot_mode_unset)
> -                       sb_mode = get_sb_mode();
> +       if (initialized) {
> +               return sb_enabled;
> +       } else if (efi_enabled(EFI_BOOT)) {
>                 initialized = true;
> +
> +               if (boot_params.secure_boot == efi_secureboot_mode_unset) {
> +                       sb_enabled = ima_get_efi_secureboot();
> +                       return sb_enabled;
> +               }
>         }
>
> -       if (sb_mode == efi_secureboot_mode_enabled)
> -               return true;
> -       else
> -               return false;
> +       if (boot_params.secure_boot == efi_secureboot_mode_enabled)
> +               sb_enabled = true;
> +
> +       return sb_enabled;
>  }
>
> -/* secureboot arch rules */
> +/* secure and trusted boot arch rules */
>  static const char * const sb_arch_rules[] = {
>  #if !IS_ENABLED(CONFIG_KEXEC_SIG)
>         "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 8fa7bcfb2da2..9f9699f017be 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -50,6 +50,16 @@ static inline const char * const *arch_get_ima_policy(void)
>  }
>  #endif
>
> +#if defined(CONFIG_EFI) && defined(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)
> +extern bool ima_get_efi_secureboot(void);
> +#else
> +static inline bool ima_get_efi_secureboot(void)
> +{
> +       return false;
> +}
> +#endif
> +
> +
>  #else
>  static inline int ima_bprm_check(struct linux_binprm *bprm)
>  {
> diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
> index 67dabca670e2..32076b3fd292 100644
> --- a/security/integrity/ima/Makefile
> +++ b/security/integrity/ima/Makefile
> @@ -14,3 +14,4 @@ ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
>  ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
>  ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
>  ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o
> +ima-$(CONFIG_EFI) += ima_efi.o
> diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> new file mode 100644
> index 000000000000..a78f66e19689
> --- /dev/null
> +++ b/security/integrity/ima/ima_efi.c
> @@ -0,0 +1,26 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Copyright (C) 2020 SUSE LLC
> + *
> + * Author:
> + * Chester Lin <clin@xxxxxxxx>
> + */
> +
> +#include <linux/efi.h>
> +#include <linux/ima.h>
> +
> +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
> +bool ima_get_efi_secureboot(void)
> +{
> +       enum efi_secureboot_mode sb_mode;
> +
> +       if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> +               pr_info("ima: secureboot mode unknown, no efi\n");
> +               return false;
> +       }
> +
> +       sb_mode = efi_get_secureboot(efi.get_variable);
> +

As I mentioned in the other patch, these are not equivalent - you are
introducing a MokSbState check which doesn't make sense at runtime (or
at all perhaps)

> +       return (sb_mode == efi_secureboot_mode_enabled) ? true : false;
> +}
> +#endif
> --
> 2.28.0
>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux