提交 9e2b4be3 编写于 作者: N Nayna Jain 提交者: Mimi Zohar

ima: add a new CONFIG for loading arch-specific policies

Every time a new architecture defines the IMA architecture specific
functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA
include file needs to be updated. To avoid this "noise", this patch
defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_BOOT option, allowing
the different architectures to select it.
Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: NNayna Jain <nayna@linux.ibm.com>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Acked-by: Philipp Rudo <prudo@linux.ibm.com> (s390)
Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
上级 96c82175
...@@ -979,6 +979,7 @@ config PPC_SECURE_BOOT ...@@ -979,6 +979,7 @@ config PPC_SECURE_BOOT
bool bool
depends on PPC_POWERNV depends on PPC_POWERNV
depends on IMA_ARCH_POLICY depends on IMA_ARCH_POLICY
imply IMA_SECURE_AND_OR_TRUSTED_BOOT
help help
Systems with firmware secure boot enabled need to define security Systems with firmware secure boot enabled need to define security
policies to extend secure boot to the OS. This config allows a user policies to extend secure boot to the OS. This config allows a user
......
...@@ -195,6 +195,7 @@ config S390 ...@@ -195,6 +195,7 @@ config S390
select ARCH_HAS_FORCE_DMA_UNENCRYPTED select ARCH_HAS_FORCE_DMA_UNENCRYPTED
select SWIOTLB select SWIOTLB
select GENERIC_ALLOCATOR select GENERIC_ALLOCATOR
imply IMA_SECURE_AND_OR_TRUSTED_BOOT
config SCHED_OMIT_FRAME_POINTER config SCHED_OMIT_FRAME_POINTER
......
...@@ -70,7 +70,7 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o ...@@ -70,7 +70,7 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o
obj-$(CONFIG_KEXEC_FILE) += machine_kexec_file.o kexec_image.o obj-$(CONFIG_KEXEC_FILE) += machine_kexec_file.o kexec_image.o
obj-$(CONFIG_KEXEC_FILE) += kexec_elf.o obj-$(CONFIG_KEXEC_FILE) += kexec_elf.o
obj-$(CONFIG_IMA) += ima_arch.o obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_arch.o
obj-$(CONFIG_PERF_EVENTS) += perf_event.o perf_cpum_cf_common.o obj-$(CONFIG_PERF_EVENTS) += perf_event.o perf_cpum_cf_common.o
obj-$(CONFIG_PERF_EVENTS) += perf_cpum_cf.o perf_cpum_sf.o obj-$(CONFIG_PERF_EVENTS) += perf_cpum_cf.o perf_cpum_sf.o
......
...@@ -230,6 +230,7 @@ config X86 ...@@ -230,6 +230,7 @@ config X86
select VIRT_TO_BUS select VIRT_TO_BUS
select X86_FEATURE_NAMES if PROC_FS select X86_FEATURE_NAMES if PROC_FS
select PROC_PID_ARCH_STATUS if PROC_FS select PROC_PID_ARCH_STATUS if PROC_FS
imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
config INSTRUCTION_DECODER config INSTRUCTION_DECODER
def_bool y def_bool y
......
...@@ -154,6 +154,4 @@ ifeq ($(CONFIG_X86_64),y) ...@@ -154,6 +154,4 @@ ifeq ($(CONFIG_X86_64),y)
obj-y += vsmp_64.o obj-y += vsmp_64.o
endif endif
ifdef CONFIG_EFI obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_arch.o
obj-$(CONFIG_IMA) += ima_arch.o
endif
...@@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int size); ...@@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int size);
extern void ima_add_kexec_buffer(struct kimage *image); extern void ima_add_kexec_buffer(struct kimage *image);
#endif #endif
#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
|| defined(CONFIG_PPC_SECURE_BOOT)
extern bool arch_ima_get_secureboot(void); extern bool arch_ima_get_secureboot(void);
extern const char * const *arch_get_ima_policy(void); extern const char * const *arch_get_ima_policy(void);
#else #else
......
...@@ -327,3 +327,10 @@ config IMA_QUEUE_EARLY_BOOT_KEYS ...@@ -327,3 +327,10 @@ config IMA_QUEUE_EARLY_BOOT_KEYS
depends on IMA_MEASURE_ASYMMETRIC_KEYS depends on IMA_MEASURE_ASYMMETRIC_KEYS
depends on SYSTEM_TRUSTED_KEYRING depends on SYSTEM_TRUSTED_KEYRING
default y default y
config IMA_SECURE_AND_OR_TRUSTED_BOOT
bool
depends on IMA_ARCH_POLICY
help
This option is selected by architectures to enable secure and/or
trusted boot based on IMA runtime policies.
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册