MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-05 13:25:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ipe/stable-6.12 PR 20241018

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iIcEABYIAC8WIQQzmBmZPBN6m/hUJmnyomI6a/yO7QUCZxK0IhEcd3VmYW5Aa2Vy
 bmVsLm9yZwAKCRDyomI6a/yO7bYaAP9RInzgnGtws5coddMT8vlsMsCGb+4EZegC
 Uhw/gqWO3gD/Ua/x97apb4SZesyto8fm3rP4Aw0CvtBL5FuyKGnBBAU=
 =CRIh
 -----END PGP SIGNATURE-----

Merge tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe fixes from Fan Wu:
 "This addresses several issues identified by Luca when attempting to
  enable IPE on Debian and systemd:

   - address issues with IPE policy update errors and policy update
     version check, improving the clarity of error messages for better
     understanding by userspace programs.

   - enable IPE policies to be signed by secondary and platform
     keyrings, facilitating broader use across general Linux
     distributions like Debian.

   - updates the IPE entry in the MAINTAINERS file to reflect the new
     tree URL and my updated email from kernel.org"

* tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  MAINTAINERS: update IPE tree url and Fan Wu's email
  ipe: fallback to platform keyring also if key in trusted keyring is rejected
  ipe: allow secondary and platform keyrings to install/update policies
  ipe: also reject policy updates with the same version
  ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version
This commit is contained in:
Linus Torvalds 2024-10-19 11:48:14 -07:00
commit 8203ca3809
4 changed files with 41 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Documentation/admin-guide/LSM/ipe.rst
View File

@ -223,7 +223,10 @@ are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an "allow all" policy). These unconstrained root, and deploying an "allow all" policy). These
policies must be signed by a certificate that chains to the policies must be signed by a certificate that chains to the
``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by:: ``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
With openssl, the policy can be signed by::
openssl smime -sign \ openssl smime -sign \
-in "$MY_POLICY" \ -in "$MY_POLICY" \
@ -266,7 +269,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the policy. Two checks will always be performed on this policy: First, the
``policy_names`` must match with the updated version and the existing ``policy_names`` must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than version. Second the updated policy must have a policy version greater than
or equal to the currently-running version. This is to prevent rollback attacks. the currently-running version. This is to prevent rollback attacks.
The ``delete`` file is used to remove a policy that is no longer needed. The ``delete`` file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ``1`` to delete the policy. This file is write-only and accepts a value of ``1`` to delete the policy.

4
MAINTAINERS
View File

@ -11283,10 +11283,10 @@ F: security/integrity/
F: security/integrity/ima/ F: security/integrity/ima/
INTEGRITY POLICY ENFORCEMENT (IPE) INTEGRITY POLICY ENFORCEMENT (IPE)
M: Fan Wu <wufan@linux.microsoft.com> M: Fan Wu <wufan@kernel.org>
L: linux-security-module@vger.kernel.org L: linux-security-module@vger.kernel.org
S: Supported S: Supported
T: git https://github.com/microsoft/ipe.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git
F: Documentation/admin-guide/LSM/ipe.rst F: Documentation/admin-guide/LSM/ipe.rst
F: Documentation/security/ipe.rst F: Documentation/security/ipe.rst
F: scripts/ipe/ F: scripts/ipe/

19
security/ipe/Kconfig
View File

@ -31,6 +31,25 @@ config IPE_BOOT_POLICY
If unsure, leave blank. If unsure, leave blank.
config IPE_POLICY_SIG_SECONDARY_KEYRING
bool "IPE policy update verification with secondary keyring"
default y
depends on SECONDARY_TRUSTED_KEYRING
help
Also allow the secondary trusted keyring to verify IPE policy
updates.
If unsure, answer Y.
config IPE_POLICY_SIG_PLATFORM_KEYRING
bool "IPE policy update verification with platform keyring"
default y
depends on INTEGRITY_PLATFORM_KEYRING
help
Also allow the platform keyring to verify IPE policy updates.
If unsure, answer Y.
menu "IPE Trust Providers" menu "IPE Trust Providers"
config IPE_PROP_DM_VERITY config IPE_PROP_DM_VERITY

18
security/ipe/policy.c
View File

@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
goto err; goto err;
} }
if (ver_to_u64(old) > ver_to_u64(new)) { if (ver_to_u64(old) >= ver_to_u64(new)) {
rc = -EINVAL; rc = -ESTALE;
goto err; goto err;
} }
@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
goto err; goto err;
} }
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL, rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
VERIFY_USE_SECONDARY_KEYRING,
#else
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new); set_pkcs7_data, new);
#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
if (rc == -ENOKEY || rc == -EKEYREJECTED)
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
VERIFY_USE_PLATFORM_KEYRING,
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
#endif
if (rc) if (rc)
goto err; goto err;
} else { } else {