in get_powerpc_sb_mode() function.
* Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Claudio Carvalho (1):
powerpc/powernv: Add support for OPAL_SECVAR_GET
Nayna Jain (2
From: Claudio Carvalho
The X.509 certificates trusted by the platform and other information
required to secure boot the OS kernel are wrapped in secure variables,
which are controlled by OPAL.
This patch adds support to read OPAL secure variables through
OPAL_SECVAR_GET call. It returns the data
PowerNV secure boot defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secboot.h | 21 +
arch/powerpc/platforms/powernv
-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 14 +
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/ima_arch.c | 54 ++
include/linux/ima.h| 3 +-
4 files
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v2:
* Fixed the issue identified by Mimi. Thanks Mimi, Ard, Heiko and Michael for
discussing the fix.
arch/powerpc/Kconfig | 1 +
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v3:
* Updated and tested the patch with improvements suggested by Michael.
It now uses "imply" instead of "select".
From: Nayna Jain
Every time a new architecture defines the IMA architecture specific
functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA
include file needs to be updated. To avoid this "noise", this patch
defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_B
powerpc_sb_mode() function.
* Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc/ima: add support to initia
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10 +
arch/powerpc/include/asm/secure_boot.h
state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel/secure_boot.c | 24
2 files changed, 30 insertions(+)
diff
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 34 +-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/ima_arch.c
retrieve the policy
defined pcr and template based on the func.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3 ++
security/integrity/ima/ima_main.c | 51 ---
2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/security/integrity/ima/ima.h b
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
policy option
"appraise_flag=check_blacklist".
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 1 +
security/integrity/ima/ima.h | 8 +++
security/integrity/ima/ima_appraise.c | 31 +++
security/integrity/ima/ima_main.
This patch updates the arch-specific policies for PowerNV system to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc/ima: add support to initialize ima policy rules
powerpc: detect the trusted boot state of the system
powerpc/ima: define
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10
arch/powerpc/include/asm/secure_boot.h
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel
state of a PowerNV system. The state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel/secure_boot.c | 26 ++
2 files
This patch defines an arch-specific trusted boot only policy and a
combined secure and trusted boot policy.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 33 -
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel
an IMA
hook or as an auxiliary measurement record. In both cases the buffer
measurement is based on policy. This patch modifies the function to
conditionally retrieve the policy defined PCR and template for the IMA
hook case.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
b blacklisted-hash
77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4
security/integrity/ima/ima.h | 8 +
This patch updates the arch-specific policies for PowerNV system to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc
s feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: A
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel/Makefile | 2
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
---
Documentation/ABI/testing/sysfs-secvar | 39 +
arch/powerpc/Kconfig | 11 ++
arch/powerpc/kernel/Makefile
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/Kconfig | 1 +
security/integrity/Kconfig| 8 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 86
On 10/24/19 12:38 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+bool is_ppc_trustedboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node = get_ppc_fw_sb_node();
+ enabled = of_property_read_bool(node, "trusted-en
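Review bot: the `= false` initializer on `bool enabled` in is_ppc_trustedboot_enabled() is dead, because the first statement after get_ppc_fw_sb_node() assigns `enabled` unconditionally from of_property_read_bool(). Either drop the initializer or assign the result directly where it is used, so the default does not suggest a fallback path that the visible code does not have.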
On 10/24/19 12:26 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
This patch defines a function to detect the secure boot state of a
PowerNV system.
+bool is_ppc_secureboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node
On 10/24/19 12:35 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
+ * These rules verify the file signatures against known good values.
+ * The "appraise_type=ima
On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:
On 10/23/19 8:47 PM, Nayna Jain wrote:
Hi Nayna,
+void process_buffer_measurement(const void *buf, int size,
+ const char *eventname, enum ima_hooks func,
+ int pcr)
{
int ret = 0;
struct
On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list,
based
+ * on policy.
+ *
+ * Returns -EPERM if the
* removes complete efi-sms from the sysfs implementation and is simplified
* includes Greg's and Oliver's feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
Thes
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 +
arch/powerpc/Kconfig | 11 ++
arch
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig| 9 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 98 +++
3 files changed
secvar_sysfs_init()
* fixes spaces
v2:
* removes complete efi-sms from the sysfs implementation and is simplified
* includes Greg's and Oliver's feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches t
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 ++
arch/powerpc/include/asm/secvar.h| 35 +++
arch/powerpc
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 ++
arch/powerpc/Kconfig | 11 ++
arch
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig | 9 +++
security/integrity/Makefile | 4 +-
security/integrity/platform_certs/load_powerpc.c | 99
account the ability of enabling "sig_enforce" on the boot
command line (module.sig_enforce=1).
This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: N
e based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: Nayna Jain
---
v2:
* Fixes the patch description to specify the problem more clearly as asked
by Michael Ellerman.
arch/powerpc/kernel/ima_arch.c | 6 ++
specific patches[2].
[1]https://patchwork.kernel.org/cover/10882149/
[2]https://lkml.org/lkml/2019/6/11/868
[3]https://patchwork.ozlabs.org/project/skiboot/list/?series=112868
Claudio Carvalho (1):
powerpc/powernv: add OPAL APIs for secure variables
Nayna Jain (1):
powerpc: expose secure
. Variable updates cannot be processed right
away because the variable storage is write locked at runtime.
OPAL_SECVAR_GET_SIZE:
Returns size information about the variable.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 3 +
arch
the existing efi defined hooks and backend in
order to maintain the compatibility with the userspace tools.
Though it reuses a great deal of efi, POWER platforms do not use EFI.
A new config, POWER_SECVAR_SYSFS, is defined to enable this new sysfs
interface.
Signed-off-by: Nayna Jain
kernel panic during boot.
This patch moves the pcr allocation outside the auto startup function
into tpm_chip_register. This ensures that allocated banks are initialized
in any case.
Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with
PCR read")
Signed-off-by:
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v2:
* Includes Jarkko's feedbacks
* fixes the function name to tpm_get_pcr_allocation()
* adds new function tpm1_get_pcr_allocation()
* updates patch summary
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v3:
* Includes Stefan's feedback correctly:
* Fixed handling of rc > 0 error
* Includes Jarkko's feedback related to comment and the function.
v2:
* Incl
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Martin Schwidefsky
Cc: Philipp Rudo
Cc: Michael Ellerman
---
arch/powerpc/Kconfig | 2 +-
arch/s390/Kconfig | 1 +
arch/x86/Kconfig | 1
Secure boot on POWER defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain
---
arch
-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 2 ++
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel/ima_arch.c | 50 ++
include/linux/ima.h| 3 +-
4 files changed
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (2):
powerpc: detect the secure boot mode of the system
powerpc: Add support to initialize ima policy rules
arch/powerpc/Kconfig | 13 ++
arch/powerpc/include/asm/secb
's feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: Ad
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 6 ++
arch/powerpc/include/asm/secvar.h| 55 ++
arch/powerpc/kernel/Makefile
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/sysfs-secvar | 27
arch/powerpc/Kconfig | 9 ++
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel
This patch moves the common code to keyring_handler.c
Signed-off-by: Nayna Jain
---
security/integrity/Makefile | 3 +-
.../platform_certs/keyring_handler.c | 80 +++
.../platform_certs/keyring_handler.h | 35
security/integrity
firmware.
Signed-off-by: Nayna Jain
---
security/integrity/Kconfig| 9 ++
security/integrity/Makefile | 3 +
.../integrity/platform_certs/load_powerpc.c | 94 +++
3 files changed, 106 insertions(+)
create mode 100644 security/integrity
platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: Add OPAL API interface to access secure variable
powerpc: expose secure variables to userspace via sysfs
x86/efi: move common keyring handler func
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +-
arch/powerpc/include/asm/powernv.h | 2 +
arch/powerpc/include/asm/secvar.h| 35
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/sysfs-secvar | 37 +
arch/powerpc/Kconfig | 10 ++
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
---
security/integrity/Kconfig| 8 ++
security/integrity/Makefile | 3 +
.../integrity/platform_certs/load_powerpc.c | 88 +++
3 files changed, 99 insertions(+)
create mode 100644 security
h obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (9):
dt-bindings: ibm,secureboot: secure boot specific properties for
PowerNV
powerpc: detect the secure boot mode of the system
powerpc: add support to initialize ima policy rules
powerpc: detect the trusted boot state o
PowerNV represents both the firmware and Host OS secureboot state of the
system via device tree. This patch adds the documentation to give
the definition of the nodes and the properties.
Signed-off-by: Nayna Jain
---
.../bindings/powerpc/ibm,secureboot.rst | 76
Secure boot on PowerNV defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain
---
arch
implements the arch-specific support to define the IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 2 ++
arch/powerpc/kernel/Makefile
PowerNV systems enable the IMA measurement rules only if the
trusted boot is enabled on the system.
This patch adds the function to detect if the system has trusted
boot enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel
This patch adds the measurement rules to the arch specific policies for the
systems with trusted boot.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 44 +++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel
handle more than just the KEXEC_CMDLINE.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3 +++
security/integrity/ima/ima_main.c | 29 ++---
2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security
ned-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 1 +
security/integrity/ima/ima.h | 12 +
security/integrity/ima/ima_appraise.c | 35 +++
security/integrity/ima/ima_main.c | 8 --
security/integrity/ima/ima_policy.c | 10 ++--
This patch deprecates the existing permit_directio flag, instead adds
it as possible value to appraise_flag parameter.
For example:
appraise_flag=permit_directio
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4 ++--
security/integrity/ima/ima_policy.c | 2 ++
2 files changed
This patch updates the arch specific policies for PowerNV systems
to add check against blacklisted hashes before doing the verification.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel
This patch fixes the size and write parameter for the macro
__BIN_ATTR_WO().
Fixes: 7f905761e15a8 ("sysfs: add BIN_ATTR_WO() macro")
Signed-off-by: Nayna Jain
---
include/linux/sysfs.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/sysfs.h b/inc
umentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: Add OPAL API interface to
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 8 ++
arch/powerpc/include/asm/powernv.h | 2 +
arch/powerpc/include/asm/secvar.h| 35
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
---
Documentation/ABI/testing/sysfs-secvar | 37 +
arch/powerpc/Kconfig | 10 ++
arch/powerpc/kernel/Makefile
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
security/integrity/Kconfig| 8 ++
security/integrity/Makefile | 3 +
.../integrity/platform_certs/load_powerpc.c | 86 +++
3 files changed, 97 insertions(+)
create
h obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
*** BLURB HERE ***
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc: add support to initialize ima policy rules
powerpc: detect the trusted boot state of the system
powerpc/ima: add measurement rules to ima arch spe
implements the arch-specific support to define the IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 2 ++
arch/powerpc/kernel/Makefile
Secure boot on PowerNV defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain
---
arch
PowerNV systems enable the IMA measurement rules only if the
trusted boot is enabled on the system.
This patch adds the function to detect if the system has trusted
boot enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 +
arch/powerpc/kernel/secure_boot.c
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 45 +++---
1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/arch
KEXEC_CMDLINE.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3 +++
security/integrity/ima/ima_main.c | 29 ++---
2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index
The existing is_hash_blacklisted() function returns -EKEYREJECTED
error code for both the blacklisted keys and binaries.
This patch adds a wrapper function is_binary_blacklisted() to check
against binary hashes and returns -EPERM.
Signed-off-by: Nayna Jain
---
certs/blacklist.c | 9
ned-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 1 +
security/integrity/ima/ima.h | 9 +++
security/integrity/ima/ima_appraise.c | 39 +++
security/integrity/ima/ima_main.c | 12 ++---
security/integrity/ima/ima_policy.c | 10 +--
This patch updates the arch specific policies for PowerNV systems
to add check against blacklisted binary hashes before doing the
verification.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc
local and third party
code signing keys on PowerVM.
Nayna Jain (6):
integrity: PowerVM support for loading CA keys on machine keyring
integrity: ignore keys failing CA restrictions on non-UEFI platform
integrity: remove global variable from machine_keyring.c
integrity: check whether impute
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain
---
security/integrity/platform_certs/machine_keyring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
s platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain
---
.../integrity/platform_certs/keyring_handler.c | 8
.../integrity/platform_certs/keyring_handler.h | 5 +
.../integrity/platform_certs/load
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h| 5
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM.
Signed-off-by: Nayna Jain
---
security/integrity/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index ec6e0d789da1
.
Signed-off-by: Nayna Jain
---
Jarkko, this patch is based on Linus master tree branch, which does
not contain the following commits yet:
c9d004712300 integrity: Enforce digitalSignature usage in the ima and
evm keyrings
59b656eb58fe KEYS: DigitalSignature link restriction
certs/system_keyring.c
a95 because of build failure due to
this commit.
Nayna Jain (6):
integrity: PowerVM support for loading CA keys on machine keyring
integrity: ignore keys failing CA restrictions on non-UEFI platform
integrity: remove global variable from machine_keyring.c
integrity: check whether imputed trust is