Message ID | 1570497267-13672-9-git-send-email-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | Changes Requested |
Headers | show |
Series | powerpc: Enabling IMA arch specific secure boot policies | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | warning | Failed to apply on branch next (6edfc6487b474fe01857dc3f1a9cd701bb9b21c8) |
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch merge (b05e997bf5d33f38e3fc6a66d52303eb109598ec) |
snowpatch_ozlabs/build-ppc64le | success | Build succeeded |
snowpatch_ozlabs/build-ppc64be | success | Build succeeded |
snowpatch_ozlabs/build-ppc64e | success | Build succeeded |
snowpatch_ozlabs/build-pmac32 | success | Build succeeded |
snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 11 lines checked |
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote: > This patch updates the arch specific policies for PowernV systems > to add check against blacklisted binary hashes before doing the > verification. This sentence explains how you're doing something. A simple tweak in the wording provides the motivation. ^to make sure that the binary hash is not blacklisted. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > arch/powerpc/kernel/ima_arch.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > index 88bfe4a1a9a5..4fa41537b846 100644 > --- a/arch/powerpc/kernel/ima_arch.c > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -25,9 +25,9 @@ bool arch_ima_get_secureboot(void) > static const char *const arch_rules[] = { > "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > "measure func=MODULE_CHECK template=ima-modsig", > - "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", > #if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) > - "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > + "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", > #endif > NULL > };
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index 88bfe4a1a9a5..4fa41537b846 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c @@ -25,9 +25,9 @@ bool arch_ima_get_secureboot(void) static const char *const arch_rules[] = { "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", "measure func=MODULE_CHECK template=ima-modsig", - "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", #if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) - "appraise func=MODULE_CHECK appraise_type=imasig|modsig", + "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", #endif NULL };
This patch updates the arch specific policies for PowernV systems to add check against blacklisted binary hashes before doing the verification. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- arch/powerpc/kernel/ima_arch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)