• Luca Boccassi's avatar
    ipe: allow secondary and platform keyrings to install/update policies · 02e2f9aa
    Luca Boccassi authored
    The current policy management makes it impossible to use IPE
    in a general purpose distribution. In such cases the users are not
    building the kernel, the distribution is, and access to the private
    key included in the trusted keyring is, for obvious reason, not
    available.
    This means that users have no way to enable IPE, since there will
    be no built-in generic policy, and no access to the key to sign
    updates validated by the trusted keyring.
    
    Just as we do for dm-verity, kernel modules and more, allow the
    secondary and platform keyrings to also validate policies. This
    allows users enrolling their own keys in UEFI db or MOK to also
    sign policies, and enroll them. This makes it sensible to enable
    IPE in general purpose distributions, as it becomes usable by
    any user wishing to do so. Keys in these keyrings can already
    load kernels and kernel modules, so there is no security
    downgrade.
    
    Add a kconfig each, like dm-verity does, but default to enabled if
    the dependencies are available.
    Signed-off-by: default avatarLuca Boccassi <bluca@debian.org>
    Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
    [FW: fixed some style issues]
    Signed-off-by: default avatarFan Wu <wufan@kernel.org>
    02e2f9aa
policy.c 5.56 KB