korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-16 16:54:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

powerpc/ima: Indicate kernel modules appended signatures are enforced

Browse Source 
The arch specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature. As a result, kernel modules appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce. This patch sets
"sig_enforce".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
This commit is contained in:
Mimi Zohar 2019-10-30 23:31:34 -04:00 committed by Michael Ellerman
parent dc87f18615
commit d72ea4915c
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
arch/powerpc/kernel/ima_arch.c
View File

@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
*/
const char *const *arch_get_ima_policy(void)
{
if (is_ppc_secureboot_enabled())
if (is_ppc_secureboot_enabled()) {
if (IS_ENABLED(CONFIG_MODULE_SIG))
set_module_sig_enforced();
if (is_ppc_trustedboot_enabled())
return secure_and_trusted_rules;
else
return secure_rules;
else if (is_ppc_trustedboot_enabled())
} else if (is_ppc_trustedboot_enabled()) {
return trusted_rules;
}
return NULL;
}