ima: add support for measuring and appraising firmware

The "security: introduce kernel_fw_from_file hook" patch defined a
new security hook to evaluate any loaded firmware that wasn't built
into the kernel.

This patch defines ima_fw_from_file(), which is called from the new
security hook, to measure and/or appraise the loaded firmware's
integrity.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>

1 files changed, 3 insertions, 1 deletions

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 4c3efe434806..d0d0c578324c 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -26,6 +26,7 @@ Description:
                         option: [[appraise_type=]] [permit_directio]
 
                 base:   func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+                                [FIRMWARE_CHECK]
                         mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
                         fsmagic:= hex value
                         fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
@@ -57,7 +58,8 @@ Description:
                         measure func=BPRM_CHECK
                         measure func=FILE_MMAP mask=MAY_EXEC
                         measure func=FILE_CHECK mask=MAY_READ uid=0
-                        measure func=MODULE_CHECK uid=0
+                        measure func=MODULE_CHECK
+                        measure func=FIRMWARE_CHECK
                         appraise fowner=0
 
                 The default policy measures all executables in bprm_check,