Message ID | 20180914080005.6138-7-nayna@linux.vnet.ibm.com (mailing list archive)
---|---
State | New, archived
Series | Add support for architecture specific IMA policies
Hi Eric,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on v4.19-rc3 next-20180913]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url: https://github.com/0day-ci/linux/commits/Nayna-Jain/Add-support-for-architecture-specific-IMA-policies/20180914-202254
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: i386-randconfig-s1-201836 (attached as .config)
compiler: gcc-6 (Debian 6.4.0-9) 6.4.0 20171026
reproduce:

```text
# save the attached .config to linux build tree
make ARCH=i386
```

All errors (new ones prefixed by >>):

```text
>> arch/x86//kernel/ima_arch.c:28:21: error: redefinition of 'arch_get_ima_policy'
    const char * const *arch_get_ima_policy(void)
                        ^~~~~~~~~~~~~~~~~~~
   In file included from arch/x86//kernel/ima_arch.c:6:0:
   include/linux/ima.h:45:35: note: previous definition of 'arch_get_ima_policy' was here
    static inline const char * const *arch_get_ima_policy(void)
                                      ^~~~~~~~~~~~~~~~~~~
```

vim +/arch_get_ima_policy +28 arch/x86//kernel/ima_arch.c

```text
    27
  > 28  const char * const *arch_get_ima_policy(void)
```

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c index bb5a88d2b271..6615321b833c 100644 --- a/arch/x86/kernel/ima_arch.c +++ b/arch/x86/kernel/ima_arch.c @@ -15,3 +15,19 @@ bool arch_ima_get_secureboot(void) else return false; } + +/* arch rules for audit and user mode */ +static const char * const sb_arch_rules[] = { +#ifndef CONFIG_KEXEC_VERIFY_SIG + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", +#endif /* CONFIG_KEXEC_VERIFY_SIG */ + "measure func=KEXEC_KERNEL_CHECK", + NULL +}; + +const char * const *arch_get_ima_policy(void) +{ + if (arch_ima_get_secureboot()) + return sb_arch_rules; + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 350fa957f8a6..dabd3abdf671 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -39,10 +39,14 @@ static inline bool arch_ima_get_secureboot(void) } #endif +#if defined(CONFIG_X86) && defined(CONFIG_IMA_ARCH_POLICY) +extern const char * const *arch_get_ima_policy(void); +#else static inline const char * const *arch_get_ima_policy(void) { return NULL; } +#endif #else static inline int ima_bprm_check(struct linux_binprm *bprm) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 13b446328dda..97609a76aa14 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -157,6 +157,14 @@ config IMA_APPRAISE <http://linux-ima.sourceforge.net> If unsure, say N. +config IMA_ARCH_POLICY + bool "Enable loading an IMA architecture specific policy" + depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS + default n + help + This option enables loading an IMA architecture specific policy + based on run time secure boot flags. + config IMA_APPRAISE_BUILD_POLICY bool "IMA build time configured policy rules" depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
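Review bot: In the arch/x86/kernel/ima_arch.c hunk, the definition of arch_get_ima_policy() is unconditional, while include/linux/ima.h only declares it extern under CONFIG_X86 && CONFIG_IMA_ARCH_POLICY and otherwise supplies a static inline stub returning NULL; whenever ima_arch.c is compiled with IMA_ARCH_POLICY unset, as in the i386 randconfig reported above, both definitions are visible and the build fails with "redefinition of 'arch_get_ima_policy'". Wrap the sb_arch_rules table and the function in "#ifdef CONFIG_IMA_ARCH_POLICY" (or build that part of ima_arch.o only under the option) so the condition in the .c file matches the header. The comment "/* arch rules for audit and user mode */" also does not describe what the table contains; something like "/* secure boot rules: measure the kexec kernel image, and appraise its IMA signature unless KEXEC_VERIFY_SIG already verifies it */" would tell a reader why the appraise rule is conditional.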
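Review bot: In the include/linux/ima.h hunk, gating the extern declaration on CONFIG_X86 as well as CONFIG_IMA_ARCH_POLICY means that on any other architecture where IMA_ARCH_POLICY is enabled (the Kconfig hunk does not restrict the option to x86) callers silently get the NULL stub instead of a link error pointing at the missing arch implementation, so the secure boot rules would never be loaded there. Either gate the extern on CONFIG_IMA_ARCH_POLICY alone and make the option depend on the architectures that implement arch_get_ima_policy(), or at least document in the Kconfig help that only x86 provides a policy today.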
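Review bot: In the security/integrity/ima/Kconfig hunk, the line "depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS" relies on && binding tighter than ||; parenthesise it as "KEXEC_VERIFY_SIG || (IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS)" so the intended grouping is explicit, and drop "default n", which is already the default for a bool. The help text should also say what the policy does in practice: when the platform reports secure boot, the kexec kernel image is measured, and its IMA signature is appraised unless KEXEC_VERIFY_SIG already verifies the image.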