powerpc/ima: Indicate kernel modules appended signatures are enforced
author	Mimi Zohar <zohar@linux.ibm.com>
	Thu, 31 Oct 2019 03:31:34 +0000 (23:31 -0400)
committer	Michael Ellerman <mpe@ellerman.id.au>
	Tue, 12 Nov 2019 01:25:50 +0000 (12:25 +1100)
The arch-specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature. As a result, kernel module appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce. This patch sets
"sig_enforce".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
arch/powerpc/kernel/ima_arch.c

index b9de0fb45bb92533048cfd3534677a8d0a28b227..e34116255ced819eeb2c936c7dd6d8e743dca7da 100644 (file)
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
  */
 const char *const *arch_get_ima_policy(void)
 {
-       if (is_ppc_secureboot_enabled())
+       if (is_ppc_secureboot_enabled()) {
+               if (IS_ENABLED(CONFIG_MODULE_SIG))
+                       set_module_sig_enforced();
+
                if (is_ppc_trustedboot_enabled())
                        return secure_and_trusted_rules;
                else
                        return secure_rules;
-       else if (is_ppc_trustedboot_enabled())
+       } else if (is_ppc_trustedboot_enabled()) {
                return trusted_rules;
+       }
 
        return NULL;
 }
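Review bot: arch_get_ima_policy() now has a side effect that neither its name nor the kernel-doc comment ending just above the hunk mentions: on a secure-boot system with CONFIG_MODULE_SIG it flips the global module sig_enforce state before returning the rule set, so please extend that comment to say the function also enables module signature enforcement when secure boot is on. Also worth confirming in the trusted-boot-only branch (`} else if (is_ppc_trustedboot_enabled()) {` returning trusted_rules): set_module_sig_enforced() is not called there, so if trusted_rules carries the same kernel module signature rule the commit message describes, that path still enforces appended signatures without reflecting it in sig_enforce, which is exactly the mismatch this patch sets out to fix; if trusted_rules has no module rule, a one-line comment saying so would stop the next reader from asking. Minor style point: with the secure-boot branch now returning in both arms of the inner if, the `else` before `return secure_rules;` is unnecessary.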