From: Michael Ellerman Date: Tue, 12 Nov 2019 13:32:03 +0000 (+1100) Subject: Merge branch 'topic/ima' into topic/secureboot X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=26b1959f85afad2215c7ba42cf830ed469644382;p=openwrt%2Fstaging%2Fblogic.git Merge branch 'topic/ima' into topic/secureboot From Nayna's cover letter: The IMA subsystem supports custom, built-in, arch-specific policies to define the files to be measured and appraised. These policies are honored based on priority, where arch-specific policy is the highest and custom is the lowest. PowerNV systems use a Linux-based bootloader to kexec the OS. The bootloader kernel relies on IMA for signature verification of the OS kernel before doing the kexec. This patchset adds support for powerpc arch-specific IMA policies that are conditionally defined based on a system's secure boot and trusted boot states. The OS secure boot and trusted boot states are determined via device-tree properties. The verification needs to be performed only for binaries that are not blacklisted. The kernel currently only checks against the blacklist of keys. However, doing so results in blacklisting all the binaries that are signed by the same key. In order to prevent just one particular binary from being loaded, it must be checked against a blacklist of binary hashes. This patchset also adds support to IMA for checking against a hash blacklist for files. signed by appended signature. --- 26b1959f85afad2215c7ba42cf830ed469644382