Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

[sfrench/cifs-2.6.git] / arch / x86 / kernel / ima_arch.c

/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * Copyright (C) 2018 IBM Corporation
 */
#include <linux/efi.h>
#include <linux/module.h>
#include <linux/ima.h>

extern struct boot_params boot_params;

static enum efi_secureboot_mode get_sb_mode(void)
{
        efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
        efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
        efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
        efi_status_t status;
        unsigned long size;
        u8 secboot, setupmode;

        size = sizeof(secboot);

        if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
                pr_info("ima: secureboot mode unknown, no efi\n");
                return efi_secureboot_mode_unknown;
        }

        /* Get variable contents into buffer */
        status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
                                  NULL, &size, &secboot);
        if (status == EFI_NOT_FOUND) {
                pr_info("ima: secureboot mode disabled\n");
                return efi_secureboot_mode_disabled;
        }

        if (status != EFI_SUCCESS) {
                pr_info("ima: secureboot mode unknown\n");
                return efi_secureboot_mode_unknown;
        }

        size = sizeof(setupmode);
        status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
                                  NULL, &size, &setupmode);

        if (status != EFI_SUCCESS)      /* ignore unknown SetupMode */
                setupmode = 0;

        if (secboot == 0 || setupmode == 1) {
                pr_info("ima: secureboot mode disabled\n");
                return efi_secureboot_mode_disabled;
        }

        pr_info("ima: secureboot mode enabled\n");
        return efi_secureboot_mode_enabled;
}

bool arch_ima_get_secureboot(void)
{
        static enum efi_secureboot_mode sb_mode;
        static bool initialized;

        if (!initialized && efi_enabled(EFI_BOOT)) {
                sb_mode = boot_params.secure_boot;

                if (sb_mode == efi_secureboot_mode_unset)
                        sb_mode = get_sb_mode();
                initialized = true;
        }

        if (sb_mode == efi_secureboot_mode_enabled)
                return true;
        else
                return false;
}

/* secureboot arch rules */
static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_KEXEC_SIG)
        "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
        "measure func=KEXEC_KERNEL_CHECK",
#if !IS_ENABLED(CONFIG_MODULE_SIG)
        "appraise func=MODULE_CHECK appraise_type=imasig",
#endif
        "measure func=MODULE_CHECK",
        NULL
};

const char * const *arch_get_ima_policy(void)
{
        if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
                if (IS_ENABLED(CONFIG_MODULE_SIG))
                        set_module_sig_enforced();
                return sb_arch_rules;
        }
        return NULL;
}