powerpc/ima: Add support to initialize ima policy rules

PowerNV systems use a Linux-based bootloader, which rely on the IMA subsystem to enforce different secure boot modes. Since the verification policy may differ based on the secure boot mode of the system, the policies must be defined at runtime. This patch implements arch-specific support to define IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
author: Nayna Jain <nayna@linux.ibm.com> 2019-10-30 23:31:27 -0400
committer: Michael Ellerman <mpe@ellerman.id.au> 2019-11-12 12:25:49 +1100
commit: 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b (patch)
tree: ddfe3283dacee87a13c8191073b86d2b990c2a01 /include
parent: 1a8916ee3ac29054322cdac687d36e1b5894d272 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 1c37f17f7203..6d904754d858 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
 extern void ima_add_kexec_buffer(struct kimage *image);
 #endif
 
-#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
+#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
+	|| defined(CONFIG_PPC_SECURE_BOOT)
 extern bool arch_ima_get_secureboot(void);
 extern const char * const *arch_get_ima_policy(void);
 #else
author	Nayna Jain <nayna@linux.ibm.com>	2019-10-30 23:31:27 -0400
committer	Michael Ellerman <mpe@ellerman.id.au>	2019-11-12 12:25:49 +1100
commit	4238fad366a660cbc6499ca1ea4be42bd4d1ac5b (patch)
tree	ddfe3283dacee87a13c8191073b86d2b990c2a01 /include
parent	1a8916ee3ac29054322cdac687d36e1b5894d272 (diff)