On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@xxxxxxxx> wrote: > > Add arm64 IMA arch support. The code and arch policy is mainly inherited > from x86. > > Signed-off-by: Chester Lin <clin@xxxxxxxx> > --- > arch/arm64/Kconfig | 1 + > arch/arm64/kernel/Makefile | 2 ++ > arch/arm64/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++++ > 3 files changed, 46 insertions(+) > create mode 100644 arch/arm64/kernel/ima_arch.c > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index a42e8d13cc88..496a4a26afc6 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -201,6 +201,7 @@ config ARM64 > select SWIOTLB > select SYSCTL_EXCEPTION_TRACE > select THREAD_INFO_IN_TASK > + imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI > help > ARM 64-bit (AArch64) Linux support. > > diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile > index bbaf0bc4ad60..0f6cbb50668c 100644 > --- a/arch/arm64/kernel/Makefile > +++ b/arch/arm64/kernel/Makefile > @@ -69,3 +69,5 @@ extra-y += $(head-y) vmlinux.lds > ifeq ($(CONFIG_DEBUG_EFI),y) > AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\"" > endif > + > +obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_arch.o > diff --git a/arch/arm64/kernel/ima_arch.c b/arch/arm64/kernel/ima_arch.c > new file mode 100644 > index 000000000000..564236d77adc > --- /dev/null > +++ b/arch/arm64/kernel/ima_arch.c > @@ -0,0 +1,43 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * Copyright (C) 2018 IBM Corporation > + */ > +#include <linux/efi.h> > +#include <linux/module.h> > +#include <linux/ima.h> > + > +bool arch_ima_get_secureboot(void) > +{ > + static bool sb_enabled; > + static bool initialized; > + > + if (!initialized & efi_enabled(EFI_BOOT)) { > + sb_enabled = ima_get_efi_secureboot(); > + initialized = true; > + } > + > + return sb_enabled; > +} > + > +/* secure and trusted boot arch rules */ > +static const char * const sb_arch_rules[] = { > +#if !IS_ENABLED(CONFIG_KEXEC_SIG) > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > +#endif /* CONFIG_KEXEC_SIG */ > + "measure func=KEXEC_KERNEL_CHECK", > +#if !IS_ENABLED(CONFIG_MODULE_SIG) > + "appraise func=MODULE_CHECK appraise_type=imasig", > +#endif > + "measure func=MODULE_CHECK", > + NULL > +}; > + > +const char * const *arch_get_ima_policy(void) > +{ > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > + if (IS_ENABLED(CONFIG_MODULE_SIG)) > + set_module_sig_enforced(); > + return sb_arch_rules; > + } > + return NULL; > +} > -- > 2.28.0 > Can we move all this stuff into security/integrity/ima/ima_efi.c instead?