Commit 8203ca38 authored by Linus Torvalds
Pull ipe fixes from Fan Wu:
 "This addresses several issues identified by Luca when attempting to
  enable IPE on Debian and systemd:

   - address issues with IPE policy update errors and policy update
     version check, improving the clarity of error messages for better
     understanding by userspace programs.

   - enable IPE policies to be signed by secondary and platform
     keyrings, facilitating broader use across general Linux
     distributions like Debian.

   - updates the IPE entry in the MAINTAINERS file to reflect the new
     tree URL and my updated email from kernel.org"

* tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  MAINTAINERS: update IPE tree url and Fan Wu's email
  ipe: fallback to platform keyring also if key in trusted keyring is rejected
  ipe: allow secondary and platform keyrings to install/update policies
  ipe: also reject policy updates with the same version
  ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version
parents f9e48255 917a15c3
+5 −2
@@ -223,7 +223,10 @@ are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an "allow all" policy). These
policies must be signed by a certificate that chains to the
``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by::
``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
With openssl, the policy can be signed by::

   openssl smime -sign \
      -in "$MY_POLICY" \
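Review bot: the new sentence presents the secondary and platform keyrings as plain alternatives to SYSTEM_TRUSTED_KEYRING, but the ipe_new_policy change in this same series only consults the platform keyring after verification against the builtin (or secondary) keyring has failed with -ENOKEY or -EKEYREJECTED; state that ordering here, otherwise an administrator whose policy chains to a platform key will not understand why the first failure reported refers to the system keyring. It is also worth a sentence that enabling CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING accepts a key store that is separate from the kernel build's own trusted keys as a policy signer, since that is the trust decision a distribution makes when it turns the option on.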
@@ -266,7 +269,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the
``policy_names`` must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than
or equal to the currently-running version. This is to prevent rollback attacks.
the currently-running version. This is to prevent rollback attacks.

The ``delete`` file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ``1`` to delete the policy.
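Review bot: the rewritten sentence changes the rule from "greater than or equal to" to "greater than" but still does not tell the reader what the write returns when the check fails; since ipe_update_policy now returns -ESTALE for an equal or lower version, document that errno here so userspace, the audience the pull message names, can tell a version problem apart from other update failures. Style: add a comma after "Second" to match "First," in the sentence before it.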
+2 −2
@@ -11283,10 +11283,10 @@ F: security/integrity/
F:	security/integrity/ima/
INTEGRITY POLICY ENFORCEMENT (IPE)
M:	Fan Wu <wufan@linux.microsoft.com>
M:	Fan Wu <wufan@kernel.org>
L:	linux-security-module@vger.kernel.org
S:	Supported
T:	git https://github.com/microsoft/ipe.git
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git
F:	Documentation/admin-guide/LSM/ipe.rst
F:	Documentation/security/ipe.rst
F:	scripts/ipe/
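Review bot: the new T: entry uses the git:// protocol, which provides no transport authentication or integrity; kernel.org serves the same tree over https, so `T: git https://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git` would let contributors fetch the IPE tree over an authenticated channel. The M: change to the kernel.org address is consistent with the author information in this pull.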
+19 −0
@@ -31,6 +31,25 @@ config IPE_BOOT_POLICY

	  If unsure, leave blank.

config IPE_POLICY_SIG_SECONDARY_KEYRING
	bool "IPE policy update verification with secondary keyring"
	default y
	depends on SECONDARY_TRUSTED_KEYRING
	help
	  Also allow the secondary trusted keyring to verify IPE policy
	  updates.

	  If unsure, answer Y.

config IPE_POLICY_SIG_PLATFORM_KEYRING
	bool "IPE policy update verification with platform keyring"
	default y
	depends on INTEGRITY_PLATFORM_KEYRING
	help
	  Also allow the platform keyring to verify IPE policy updates.

	  If unsure, answer Y.

menu "IPE Trust Providers"

config IPE_PROP_DM_VERITY
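Review bot: both new options default to y, so every kernel already built with SECONDARY_TRUSTED_KEYRING or INTEGRITY_PLATFORM_KEYRING silently widens the set of keys that may authorize an IPE policy update as soon as this Kconfig lands; the help text should spell out that consequence, namely that a key trusted only by the secondary or platform keyring and not by the built-in system keyring becomes a valid policy signer, so a distribution keeping the default does so knowingly. Also reconsider whether an explicit opt-in (default n) is the safer default for something that adds a root of trust for policy authorization.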
+15 −3
@@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
		goto err;
	}

	if (ver_to_u64(old) > ver_to_u64(new)) {
		rc = -EINVAL;
	if (ver_to_u64(old) >= ver_to_u64(new)) {
		rc = -ESTALE;
		goto err;
	}

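Review bot: changing the comparison to >= means resubmitting the currently active policy (same version) now fails with -ESTALE, the same errno a genuine rollback gets, so callers cannot distinguish "already at this version" from "downgrade attempted"; if that matters to userspace, return -EEXIST for the equal case and keep -ESTALE for a strictly lower version. Either way, add a comment above the check saying that equal versions are rejected on purpose so that every update must carry a version bump, since a reader of the old "greater than or equal" rule will otherwise take this for a typo.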
@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
			goto err;
		}

		rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
		rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
					    VERIFY_USE_SECONDARY_KEYRING,
#else
					    NULL,
#endif
					    VERIFYING_UNSPECIFIED_SIGNATURE,
					    set_pkcs7_data, new);
#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
		if (rc == -ENOKEY || rc == -EKEYREJECTED)
			rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
						    VERIFY_USE_PLATFORM_KEYRING,
						    VERIFYING_UNSPECIFIED_SIGNATURE,
						    set_pkcs7_data, new);
#endif
		if (rc)
			goto err;
	} else {
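Review bot: when the platform-keyring retry itself fails, rc is overwritten and the first error is lost: a policy whose signing key was found in the trusted keyring but rejected (-EKEYREJECTED, which can mean a revoked or misused key) is reported as whatever the second verify_pkcs7_signature call returns, typically -ENOKEY, which hides the more serious condition from userspace and from anyone auditing the failure. Save the first rc (or at least log it) before retrying and restore it when the fallback returns -ENOKEY. Style: the two calls differ only in the keyring argument, so a small loop or helper over the keyring choices would remove the duplicated argument list and the #ifdef sitting inside a function call.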