mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
synced 2026-04-18 03:23:53 -04:00
31f8c8682f
Enable IPE policy authors to indicate trust for a singular fsverity file, identified by the digest information, through "fsverity_digest" and all files using valid fsverity builtin signatures via "fsverity_signature". This enables file-level integrity claims to be expressed in IPE, allowing individual files to be authorized, giving some flexibility for policy authors. Such file-level claims are important to be expressed for enforcing the integrity of packages, as well as address some of the scalability issues in a sole dm-verity based solution (# of loop back devices, etc). This solution cannot be done in userspace as the minimum threat that IPE should mitigate is an attacker downloads malicious payload with all required dependencies. These dependencies can lack the userspace check, bypassing the protection entirely. A similar attack succeeds if the userspace component is replaced with a version that does not perform the check. As a result, this can only be done in the common entry point - the kernel. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
71 lines
2.4 KiB
Plaintext
71 lines
2.4 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# Integrity Policy Enforcement (IPE) configuration
|
|
#
|
|
|
|
menuconfig SECURITY_IPE
|
|
bool "Integrity Policy Enforcement (IPE)"
|
|
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
|
|
select PKCS7_MESSAGE_PARSER
|
|
select SYSTEM_DATA_VERIFICATION
|
|
select IPE_PROP_DM_VERITY if DM_VERITY
|
|
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
|
|
select IPE_PROP_FS_VERITY if FS_VERITY
|
|
select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
|
|
help
|
|
This option enables the Integrity Policy Enforcement LSM
|
|
allowing users to define a policy to enforce a trust-based access
|
|
control. A key feature of IPE is a customizable policy to allow
|
|
admins to reconfigure trust requirements on the fly.
|
|
|
|
If unsure, answer N.
|
|
|
|
if SECURITY_IPE
|
|
menu "IPE Trust Providers"
|
|
|
|
config IPE_PROP_DM_VERITY
|
|
bool "Enable support for dm-verity based on root hash"
|
|
depends on DM_VERITY
|
|
help
|
|
This option enables the 'dmverity_roothash' property within IPE
|
|
policies. The property evaluates to TRUE when a file from a dm-verity
|
|
volume is evaluated, and the volume's root hash matches the value
|
|
supplied in the policy.
|
|
|
|
config IPE_PROP_DM_VERITY_SIGNATURE
|
|
bool "Enable support for dm-verity based on root hash signature"
|
|
depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
|
|
help
|
|
This option enables the 'dmverity_signature' property within IPE
|
|
policies. The property evaluates to TRUE when a file from a dm-verity
|
|
volume, which has been mounted with a valid signed root hash,
|
|
is evaluated.
|
|
|
|
If unsure, answer Y.
|
|
|
|
config IPE_PROP_FS_VERITY
|
|
bool "Enable support for fs-verity based on file digest"
|
|
depends on FS_VERITY
|
|
help
|
|
This option enables the 'fsverity_digest' property within IPE
|
|
policies. The property evaluates to TRUE when a file is fsverity
|
|
enabled and its digest matches the supplied digest value in the
|
|
policy.
|
|
|
|
if unsure, answer Y.
|
|
|
|
config IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
bool "Enable support for fs-verity based on builtin signature"
|
|
depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
|
|
help
|
|
This option enables the 'fsverity_signature' property within IPE
|
|
policies. The property evaluates to TRUE when a file is fsverity
|
|
enabled and it has a valid builtin signature whose signing cert
|
|
is in the .fs-verity keyring.
|
|
|
|
if unsure, answer Y.
|
|
|
|
endmenu
|
|
|
|
endif
|