1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * Copyright (C) 2018 IBM Corporation
6 #include <linux/module.h>
9 extern struct boot_params boot_params;
11 static enum efi_secureboot_mode get_sb_mode(void)
13 efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
14 efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
19 size = sizeof(secboot);
21 if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
22 pr_info("ima: secureboot mode unknown, no efi\n");
23 return efi_secureboot_mode_unknown;
26 /* Get variable contents into buffer */
27 status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
28 NULL, &size, &secboot);
29 if (status == EFI_NOT_FOUND) {
30 pr_info("ima: secureboot mode disabled\n");
31 return efi_secureboot_mode_disabled;
34 if (status != EFI_SUCCESS) {
35 pr_info("ima: secureboot mode unknown\n");
36 return efi_secureboot_mode_unknown;
40 pr_info("ima: secureboot mode disabled\n");
41 return efi_secureboot_mode_disabled;
44 pr_info("ima: secureboot mode enabled\n");
45 return efi_secureboot_mode_enabled;
48 bool arch_ima_get_secureboot(void)
50 static enum efi_secureboot_mode sb_mode;
51 static bool initialized;
53 if (!initialized && efi_enabled(EFI_BOOT)) {
54 sb_mode = boot_params.secure_boot;
56 if (sb_mode == efi_secureboot_mode_unset)
57 sb_mode = get_sb_mode();
61 if (sb_mode == efi_secureboot_mode_enabled)
67 /* secureboot arch rules */
68 static const char * const sb_arch_rules[] = {
69 #if !IS_ENABLED(CONFIG_KEXEC_SIG)
70 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
71 #endif /* CONFIG_KEXEC_SIG */
72 "measure func=KEXEC_KERNEL_CHECK",
73 #if !IS_ENABLED(CONFIG_MODULE_SIG)
74 "appraise func=MODULE_CHECK appraise_type=imasig",
76 "measure func=MODULE_CHECK",
80 const char * const *arch_get_ima_policy(void)
82 if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
83 if (IS_ENABLED(CONFIG_MODULE_SIG))
84 set_module_sig_enforced();