Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe fixes from Fan Wu:
"This addresses several issues identified by Luca when attempting to
enable IPE on Debian and systemd:

- address issues with IPE policy update errors and policy update
version check, improving the clarity of error messages for better
understanding by userspace programs.

- enable IPE policies to be signed by secondary and platform
keyrings, facilitating broader use across general Linux
distributions like Debian.

- updates the IPE entry in the MAINTAINERS file to reflect the new
tree URL and my updated email from kernel.org"

* tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  MAINTAINERS: update IPE tree url and Fan Wu's email
  ipe: fallback to platform keyring also if key in trusted keyring is rejected
  ipe: allow secondary and platform keyrings to install/update policies
  ipe: also reject policy updates with the same version
  ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version

+41 -7
+5 -2
Documentation/admin-guide/LSM/ipe.rst
··· 223 223 authorization of the policies (prohibiting an attacker from gaining 224 224 unconstrained root, and deploying an "allow all" policy). These 225 225 policies must be signed by a certificate that chains to the 226 - ``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by:: 226 + ``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if 227 + ``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or 228 + ``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively. 229 + With openssl, the policy can be signed by:: 227 230 228 231 openssl smime -sign \ 229 232 -in "$MY_POLICY" \ ··· 269 266 policy. Two checks will always be performed on this policy: First, the 270 267 ``policy_names`` must match with the updated version and the existing 271 268 version. Second the updated policy must have a policy version greater than 272 - or equal to the currently-running version. This is to prevent rollback attacks. 269 + the currently-running version. This is to prevent rollback attacks. 273 270 274 271 The ``delete`` file is used to remove a policy that is no longer needed. 275 272 This file is write-only and accepts a value of ``1`` to delete the policy.
+2 -2
MAINTAINERS
··· 11283 11283 F: security/integrity/ima/ 11284 11284 11285 11285 INTEGRITY POLICY ENFORCEMENT (IPE) 11286 - M: Fan Wu <wufan@linux.microsoft.com> 11286 + M: Fan Wu <wufan@kernel.org> 11287 11287 L: linux-security-module@vger.kernel.org 11288 11288 S: Supported 11289 - T: git https://github.com/microsoft/ipe.git 11289 + T: git git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git 11290 11290 F: Documentation/admin-guide/LSM/ipe.rst 11291 11291 F: Documentation/security/ipe.rst 11292 11292 F: scripts/ipe/
+19
security/ipe/Kconfig
··· 31 31 32 32 If unsure, leave blank. 33 33 34 + config IPE_POLICY_SIG_SECONDARY_KEYRING 35 + bool "IPE policy update verification with secondary keyring" 36 + default y 37 + depends on SECONDARY_TRUSTED_KEYRING 38 + help 39 + Also allow the secondary trusted keyring to verify IPE policy 40 + updates. 41 + 42 + If unsure, answer Y. 43 + 44 + config IPE_POLICY_SIG_PLATFORM_KEYRING 45 + bool "IPE policy update verification with platform keyring" 46 + default y 47 + depends on INTEGRITY_PLATFORM_KEYRING 48 + help 49 + Also allow the platform keyring to verify IPE policy updates. 50 + 51 + If unsure, answer Y. 52 + 34 53 menu "IPE Trust Providers" 35 54 36 55 config IPE_PROP_DM_VERITY
+15 -3
security/ipe/policy.c
··· 106 106 goto err; 107 107 } 108 108 109 - if (ver_to_u64(old) > ver_to_u64(new)) { 110 - rc = -EINVAL; 109 + if (ver_to_u64(old) >= ver_to_u64(new)) { 110 + rc = -ESTALE; 111 111 goto err; 112 112 } 113 113 ··· 169 169 goto err; 170 170 } 171 171 172 - rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL, 172 + rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, 173 + #ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING 174 + VERIFY_USE_SECONDARY_KEYRING, 175 + #else 176 + NULL, 177 + #endif 173 178 VERIFYING_UNSPECIFIED_SIGNATURE, 174 179 set_pkcs7_data, new); 180 + #ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING 181 + if (rc == -ENOKEY || rc == -EKEYREJECTED) 182 + rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, 183 + VERIFY_USE_PLATFORM_KEYRING, 184 + VERIFYING_UNSPECIFIED_SIGNATURE, 185 + set_pkcs7_data, new); 186 + #endif 175 187 if (rc) 176 188 goto err; 177 189 } else {
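
Review bot: the help text for IPE_POLICY_SIG_SECONDARY_KEYRING and IPE_POLICY_SIG_PLATFORM_KEYRING in security/ipe/Kconfig does not say what enabling them means for trust. Both are "default y", so wherever SECONDARY_TRUSTED_KEYRING or INTEGRITY_PLATFORM_KEYRING is set, keys on those keyrings can authorize an IPE policy install or update unless the builder opts out. The help text should state that the set of accepted policy signers grows beyond the system trusted keyring, so integrators who want policy signing limited to the built-in keys know to answer N. "If unsure, answer Y" should also be justified in a sentence.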
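
Review bot: the errno change at "rc = -ESTALE;" in the first security/ipe/policy.c hunk is visible to userspace, and the ">=" comparison now also refuses an update carrying the same version, yet the matching hunk in Documentation/admin-guide/LSM/ipe.rst only rewords the rule to "greater than" and does not say which error a writer gets. Document the -ESTALE return next to that sentence so tooling can tell a stale policy apart from other update failures, and add a short comment above the version test noting that re-applying an equal version is refused on purpose.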
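
Review bot: the retry condition "if (rc == -ENOKEY || rc == -EKEYREJECTED)" in the second security/ipe/policy.c hunk needs a comment explaining why -EKEYREJECTED from the first keyring is not treated as final. A reader will expect a rejection to end verification, and the reasoning is only hinted at in the commit subject. Separately, the #ifdef spliced into the argument list of verify_pkcs7_signature() is hard to follow; choosing the keyring into a local variable under the #ifdef before the call would leave one plain call per keyring and make the NULL (no secondary keyring) case explicit.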