summaryrefslogtreecommitdiff
path: root/arch/powerpc/kernel
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.ibm.com>2019-10-31 06:31:34 +0300
committerMichael Ellerman <mpe@ellerman.id.au>2019-11-12 04:25:50 +0300
commitd72ea4915c7e6fa5e7b9022a34df66e375bfe46c (patch)
treeede50dc372aaae6c783e2dc43cbfee9c238ddaaf /arch/powerpc/kernel
parentdc87f18615db9dc74a75cfb4a57ed33b07a3903a (diff)
downloadlinux-d72ea4915c7e6fa5e7b9022a34df66e375bfe46c.tar.xz
powerpc/ima: Indicate kernel modules appended signatures are enforced
The arch specific kernel module policy rule requires kernel modules to be signed, either as an IMA signature, stored as an xattr, or as an appended signature. As a result, kernel modules appended signatures could be enforced without "sig_enforce" being set or reflected in /sys/module/module/parameters/sig_enforce. This patch sets "sig_enforce". Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
Diffstat (limited to 'arch/powerpc/kernel')
-rw-r--r--arch/powerpc/kernel/ima_arch.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b9de0fb45bb9..e34116255ced 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
*/
const char *const *arch_get_ima_policy(void)
{
- if (is_ppc_secureboot_enabled())
+ if (is_ppc_secureboot_enabled()) {
+ if (IS_ENABLED(CONFIG_MODULE_SIG))
+ set_module_sig_enforced();
+
if (is_ppc_trustedboot_enabled())
return secure_and_trusted_rules;
else
return secure_rules;
- else if (is_ppc_trustedboot_enabled())
+ } else if (is_ppc_trustedboot_enabled()) {
return trusted_rules;
+ }
return NULL;
}
generated by cgit v1.2.3 (git 2.39.0) at 2025-02-17 00:02:07 +0300