Merge tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe fixes from Fan Wu: "This addresses several issues identified by Luca when attempting to enable IPE on Debian and systemd: - address issues with IPE policy update errors and policy update version check, improving the clarity of error messages for better understanding by userspace programs. - enable IPE policies to be signed by secondary and platform keyrings, facilitating broader use across general Linux distributions like Debian. - updates the IPE entry in the MAINTAINERS file to reflect the new tree URL and my updated email from kernel.org" * tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: MAINTAINERS: update IPE tree url and Fan Wu's email ipe: fallback to platform keyring also if key in trusted keyring is rejected ipe: allow secondary and platform keyrings to install/update policies ipe: also reject policy updates with the same version ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version

Merge tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe
Pull ipe fixes from Fan Wu: "This addresses several issues identified by Luca when attempting to enable IPE on Debian and systemd: - address issues with IPE policy update errors and policy update version check, improving the clarity of error messages for better understanding by userspace programs. - enable IPE policies to be signed by secondary and platform keyrings, facilitating broader use across general Linux distributions like Debian. - updates the IPE entry in the MAINTAINERS file to reflect the new tree URL and my updated email from kernel.org" * tag 'ipe-pr-20241018' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: MAINTAINERS: update IPE tree url and Fan Wu's email ipe: fallback to platform keyring also if key in trusted keyring is rejected ipe: allow secondary and platform keyrings to install/update policies ipe: also reject policy updates with the same version ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version
8203ca38 · Linus Torvalds · f9e48255 · 917a15c3 · 8203ca38 · 8203ca38
Commit 8203ca38 authored Oct 19, 2024 by Linus Torvalds
Showing with 41 additions and 7 deletions

Documentation/admin-guide/LSM/ipe.rst Documentation/admin-guide/LSM/ipe.rst +5 -2

MAINTAINERS MAINTAINERS +2 -2

security/ipe/Kconfig security/ipe/Kconfig +19 -0

security/ipe/policy.c security/ipe/policy.c +15 -3

No files found.
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -223,7 +223,10 @@ are signed through the PKCS#7 message format to enforce some level of
 authorization of the policies (prohibiting an attacker from gaining
 unconstrained root, and deploying an "allow all" policy). These
 policies must be signed by a certificate that chains to the
-``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by::
+``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
+``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
+``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
+With openssl, the policy can be signed by::
   openssl smime -sign \
      -in "$MY_POLICY" \
@@ -266,7 +269,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
 policy. Two checks will always be performed on this policy: First, the
 ``policy_names`` must match with the updated version and the existing
 version. Second the updated policy must have a policy version greater than
-or equal to the currently-running version. This is to prevent rollback attacks.
+the currently-running version. This is to prevent rollback attacks.
 The ``delete`` file is used to remove a policy that is no longer needed.
 This file is write-only and accepts a value of ``1`` to delete the policy.

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11283,10 +11283,10 @@ F:	security/integrity/
 F:	security/integrity/ima/
 INTEGRITY POLICY ENFORCEMENT (IPE)
-M:	Fan Wu <wufan@linux.microsoft.com>
+M:	Fan Wu <wufan@kernel.org>
 L:	linux-security-module@vger.kernel.org
 S:	Supported
-T:	git https://github.com/microsoft/ipe.git
+T:	git git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git
 F:	Documentation/admin-guide/LSM/ipe.rst
 F:	Documentation/security/ipe.rst
 F:	scripts/ipe/

--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -31,6 +31,25 @@ config IPE_BOOT_POLICY
 	  If unsure, leave blank.
+config IPE_POLICY_SIG_SECONDARY_KEYRING
+	bool "IPE policy update verification with secondary keyring"
+	default y
+	depends on SECONDARY_TRUSTED_KEYRING
+	help
+	  Also allow the secondary trusted keyring to verify IPE policy
+	  updates.
+	  If unsure, answer Y.
+config IPE_POLICY_SIG_PLATFORM_KEYRING
+	bool "IPE policy update verification with platform keyring"
+	default y
+	depends on INTEGRITY_PLATFORM_KEYRING
+	help
+	  Also allow the platform keyring to verify IPE policy updates.
+	  If unsure, answer Y.
 menu "IPE Trust Providers"
 config IPE_PROP_DM_VERITY

--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -106,8 +106,8 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
 		goto err;
 	}
-	if (ver_to_u64(old) > ver_to_u64(new)) {
+	if (ver_to_u64(old) >= ver_to_u64(new)) {
-		rc = -EINVAL;
+		rc = -ESTALE;
 		goto err;
 	}
@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
 			goto err;
 		}
-		rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
+		rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
+					    VERIFY_USE_SECONDARY_KEYRING,
+#else
+					    NULL,
+#endif
 					    VERIFYING_UNSPECIFIED_SIGNATURE,
 					    set_pkcs7_data, new);
+#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
+		if (rc == -ENOKEY || rc == -EKEYREJECTED)
+			rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+						    VERIFY_USE_PLATFORM_KEYRING,
+						    VERIFYING_UNSPECIFIED_SIGNATURE,
+						    set_pkcs7_data, new);
+#endif
 		if (rc)
 			goto err;
 	} else {