powerpc/ima: Indicate kernel modules appended signatures are enforced

The arch specific kernel module policy rule requires kernel modules to be signed, either as an IMA signature, stored as an xattr, or as an appended signature. As a result, kernel modules appended signatures could be enforced without "sig_enforce" being set or reflected in /sys/module/module/parameters/sig_enforce. This patch sets "sig_enforce". Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
2019-10-30 23:31:34 -04:00 · 2019-10-30 23:31:34 -04:00 · d72ea4915c
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
 */
 const char *const *arch_get_ima_policy(void)
 {
-	if (is_ppc_secureboot_enabled())
+	if (is_ppc_secureboot_enabled()) {
+		if (IS_ENABLED(CONFIG_MODULE_SIG))
+			set_module_sig_enforced();
+
 		if (is_ppc_trustedboot_enabled())
 			return secure_and_trusted_rules;
 		else
 			return secure_rules;
-	else if (is_ppc_trustedboot_enabled())
+	} else if (is_ppc_trustedboot_enabled()) {
 		return trusted_rules;
+	}

 	return NULL;
 }