Commit f40998a8 authored by Luca Boccassi, committed by Fan Wu

ipe: fallback to platform keyring also if key in trusted keyring is rejected

If enabled, we fall back to the platform keyring if the trusted keyring
doesn't have the key used to sign the ipe policy. But if pkcs7_verify()
rejects the key for other reasons, such as usage restrictions, we do not
fall back. Do so, following the same change in dm-verity.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Suggested-by: Serge Hallyn <serge@hallyn.com>
[FW: fixed some line length issues and a typo in the commit message]
Signed-off-by: Fan Wu <wufan@kernel.org>
parent 02e2f9aa
+1 −1
@@ -178,7 +178,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
					    VERIFYING_UNSPECIFIED_SIGNATURE,
					    set_pkcs7_data, new);
#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
		if (rc == -ENOKEY)
		if (rc == -ENOKEY || rc == -EKEYREJECTED)
			rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
						    VERIFY_USE_PLATFORM_KEYRING,
						    VERIFYING_UNSPECIFIED_SIGNATURE,
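Review bot: the widened condition `if (rc == -ENOKEY || rc == -EKEYREJECTED)` deserves a short comment in the code, because -EKEYREJECTED is not specific to the usage-restriction case the commit message describes: it is also what the first verify_pkcs7_signature() call returns when the signing key was found in the trusted keyring but the signature itself did not verify. With this change that case now also triggers a second verification against the platform keyring. That is acceptable only because the fallback call must independently succeed before rc becomes zero, and a comment stating that reasoning (and the parallel with dm-verity) will save the next reader from wondering whether a bad signature is being silently retried. A related point: `rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, VERIFY_USE_PLATFORM_KEYRING, ...)` overwrites the original error, so when both keyrings reject the policy the caller only ever sees the platform keyring's error code (most likely -ENOKEY), and the more informative -EKEYREJECTED from the trusted keyring is lost. Consider keeping the first rc in a local and returning or logging it when the fallback also fails, so that a policy rejected for a key-usage restriction is not reported to userspace as simply "no key".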