summaryrefslogtreecommitdiff
path: root/arch/x86/kernel/ima_arch.c
blob: 6c248616ee57fbff2ae8f703ec42672d2bfe8b06 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * Copyright (C) 2018 IBM Corporation
 */
#include <linux/efi.h>
#include <linux/ima.h>

extern struct boot_params boot_params;

bool arch_ima_get_secureboot(void)
{
	if (efi_enabled(EFI_BOOT) &&
		(boot_params.secure_boot == efi_secureboot_mode_enabled))
		return true;
	else
		return false;
}

/* secureboot arch rules */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG)
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_VERIFY_SIG */
	"measure func=KEXEC_KERNEL_CHECK",
	NULL
};

const char * const *arch_get_ima_policy(void)
{
	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
		return sb_arch_rules;
	return NULL;
}