Commit 8203ca38 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe fixes from Fan Wu:
 "This addresses several issues identified by Luca when attempting to
  enable IPE on Debian and systemd:

   - address issues with IPE policy update errors and policy update
     version check, improving the clarity of error messages for better
     understanding by userspace programs.

   - enable IPE policies to be signed by secondary and platform
     keyrings, facilitating broader use across general Linux
     distributions like Debian.

   - updates the IPE entry in the MAINTAINERS file to reflect the new
     tree URL and my updated email from kernel.org"

* tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  MAINTAINERS: update IPE tree url and Fan Wu's email
  ipe: fallback to platform keyring also if key in trusted keyring is rejected
  ipe: allow secondary and platform keyrings to install/update policies
  ipe: also reject policy updates with the same version
  ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version
parents f9e48255 917a15c3
......@@ -223,7 +223,10 @@ are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an "allow all" policy). These
policies must be signed by a certificate that chains to the
``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by::
``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
With openssl, the policy can be signed by::
openssl smime -sign \
-in "$MY_POLICY" \
......@@ -266,7 +269,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the
``policy_names`` must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than
or equal to the currently-running version. This is to prevent rollback attacks.
the currently-running version. This is to prevent rollback attacks.
The ``delete`` file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ``1`` to delete the policy.
......
......@@ -11283,10 +11283,10 @@ F: security/integrity/
F: security/integrity/ima/
INTEGRITY POLICY ENFORCEMENT (IPE)
M: Fan Wu <wufan@linux.microsoft.com>
M: Fan Wu <wufan@kernel.org>
L: linux-security-module@vger.kernel.org
S: Supported
T: git https://github.com/microsoft/ipe.git
T: git git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git
F: Documentation/admin-guide/LSM/ipe.rst
F: Documentation/security/ipe.rst
F: scripts/ipe/
......
......@@ -31,6 +31,25 @@ config IPE_BOOT_POLICY
If unsure, leave blank.
config IPE_POLICY_SIG_SECONDARY_KEYRING
bool "IPE policy update verification with secondary keyring"
default y
depends on SECONDARY_TRUSTED_KEYRING
help
Also allow the secondary trusted keyring to verify IPE policy
updates.
If unsure, answer Y.
config IPE_POLICY_SIG_PLATFORM_KEYRING
bool "IPE policy update verification with platform keyring"
default y
depends on INTEGRITY_PLATFORM_KEYRING
help
Also allow the platform keyring to verify IPE policy updates.
If unsure, answer Y.
menu "IPE Trust Providers"
config IPE_PROP_DM_VERITY
......
......@@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
goto err;
}
if (ver_to_u64(old) > ver_to_u64(new)) {
rc = -EINVAL;
if (ver_to_u64(old) >= ver_to_u64(new)) {
rc = -ESTALE;
goto err;
}
......@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
goto err;
}
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
VERIFY_USE_SECONDARY_KEYRING,
#else
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
if (rc == -ENOKEY || rc == -EKEYREJECTED)
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
VERIFY_USE_PLATFORM_KEYRING,
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
#endif
if (rc)
goto err;
} else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment