1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * Copyright (C) 2018 IBM Corporation
6 #include <linux/module.h>
10 #ifndef arch_ima_efi_boot_mode
11 #define arch_ima_efi_boot_mode efi_secureboot_mode_unset
14 static enum efi_secureboot_mode get_sb_mode(void)
16 enum efi_secureboot_mode mode;
18 if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
19 pr_info("ima: secureboot mode unknown, no efi\n");
20 return efi_secureboot_mode_unknown;
23 mode = efi_get_secureboot_mode(efi.get_variable);
24 if (mode == efi_secureboot_mode_disabled)
25 pr_info("ima: secureboot mode disabled\n");
26 else if (mode == efi_secureboot_mode_unknown)
27 pr_info("ima: secureboot mode unknown\n");
29 pr_info("ima: secureboot mode enabled\n");
33 bool arch_ima_get_secureboot(void)
35 static enum efi_secureboot_mode sb_mode;
36 static bool initialized;
38 if (!initialized && efi_enabled(EFI_BOOT)) {
39 sb_mode = arch_ima_efi_boot_mode;
41 if (sb_mode == efi_secureboot_mode_unset)
42 sb_mode = get_sb_mode();
46 if (sb_mode == efi_secureboot_mode_enabled)
52 /* secureboot arch rules */
53 static const char * const sb_arch_rules[] = {
54 #if !IS_ENABLED(CONFIG_KEXEC_SIG)
55 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
56 #endif /* CONFIG_KEXEC_SIG */
57 "measure func=KEXEC_KERNEL_CHECK",
58 #if !IS_ENABLED(CONFIG_MODULE_SIG)
59 "appraise func=MODULE_CHECK appraise_type=imasig",
61 "measure func=MODULE_CHECK",
65 const char * const *arch_get_ima_policy(void)
67 if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
68 if (IS_ENABLED(CONFIG_MODULE_SIG))
69 set_module_sig_enforced();
projects / linux-2.6-microblaze.git / blob