[GIT PULL] IPE fixes for 6.12-rc4

Fan Wu wufan at kernel.org
Fri Oct 18 21:26:01 UTC 2024


Hi Linus,

This PR addresses several issues identified by Luca when attempting to 
enable IPE on Debian [1] and systemd [2]. It includes four commits 
focused on enhancing functionality and resolving issues:

The first and second commits address issues with IPE policy update 
errors and policy update version check, improving the clarity of error 
messages for better understanding by userspace programs.
The third and fourth commits enable IPE policies to be signed by 
secondary and platform keyrings, facilitating broader use across general 
Linux distributions like Debian.
The final commit updates the IPE entry in the MAINTAINERS file to 
reflect the new tree URL and my updated email from kernel.org.

As this is my first PR submission to you, I apologize in advance for any 
mistakes. Could you please consider merging these changes into v6.12-rc4?

Thanks,
Fan

Link: https://salsa.debian.org/kernel-team/linux/-/merge_requests/1233 [1]
Link: 
https://github.com/systemd/systemd/commit/394c61416c19bcc3231d3f717b72ef9d90b89ee7 
[2]
--
The following changes since commit 8e929cb546ee42c9a61d24fae60605e9e3192354:

   Linux 6.12-rc3 (2024-10-13 14:33:32 -0700)

are available in the Git repository at:

   https://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe.git 
tags/ipe-pr-20241018

for you to fetch changes up to 917a15c37d371bc40b5ad13df366e29bd49c04a1:

   MAINTAINERS: update IPE tree url and Fan Wu's email (2024-10-18 
12:15:37 -0700)

----------------------------------------------------------------
ipe/stable-6.12 PR 20241018

----------------------------------------------------------------
Fan Wu (1):
       MAINTAINERS: update IPE tree url and Fan Wu's email

Luca Boccassi (4):
       ipe: return -ESTALE instead of -EINVAL on update when new policy 
has a lower version
       ipe: also reject policy updates with the same version
       ipe: allow secondary and platform keyrings to install/update policies
       ipe: fallback to platform keyring also if key in trusted keyring 
is rejected

  Documentation/admin-guide/LSM/ipe.rst |  7 +++++--
  MAINTAINERS                           |  4 ++--
  security/ipe/Kconfig                  | 19 +++++++++++++++++++
  security/ipe/policy.c                 | 18 +++++++++++++++---
  4 files changed, 41 insertions(+), 7 deletions(-)




More information about the Linux-security-module-archive mailing list