[PATCH] ipe: allow secondary and platform keyrings to install/update policies

Luca Boccassi luca.boccassi at gmail.com
Sun Sep 15 09:14:20 UTC 2024 

On Sun, 15 Sept 2024 at 06:27, Fan Wu <wufan at linux.microsoft.com> wrote:
>
>
>
> On 9/13/2024 4:48 PM, luca.boccassi at gmail.com wrote:
> > From: Luca Boccassi <bluca at debian.org>
> >
> ...
> >
> > Signed-off-by: Luca Boccassi <bluca at debian.org>
> > ---
> >   security/ipe/policy.c | 8 +++++++-
> >   1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/ipe/policy.c b/security/ipe/policy.c
> > index d8e7db857a2e..cac304dc86c2 100644
> > --- a/security/ipe/policy.c
> > +++ b/security/ipe/policy.c
> > @@ -169,9 +169,15 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
> >                       goto err;
> >               }
> >
> > -             rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
> > +             rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
> > +                                         VERIFY_USE_SECONDARY_KEYRING,
> >                                           VERIFYING_UNSPECIFIED_SIGNATURE,
> >                                           set_pkcs7_data, new);
> > +             if (rc == -ENOKEY)
> > +                     rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
> > +                                                 VERIFY_USE_PLATFORM_KEYRING,
> > +                                                 VERIFYING_UNSPECIFIED_SIGNATURE,
> > +                                                 set_pkcs7_data, new);
> >               if (rc)
> >                       goto err;
> >       } else {
>
> Hi Luca,
>
> This patch looks good to me. My only thought is, like what we currently
> have for dm-verity, should we also add two kconfigs to enable to use
> these two keyrings respectively?

Sure no problem, sent v2 with the added kconfigs.

Unlike dm-verity the default is "yes" for both though: it's been quite
a pain to get all distributions to enable the dm-verity kconfigs for
the keyrings, given they are quite hidden and a niche use case and
general distro maintainers don't go and look for these options, but
likewise it made signed dm-verity unusable on general purpose distros
without them. I'd like to avoid repeating the same plight. This way if
one doesn't want them they can disable them, but the default if IPE is
enabled is to use them.

More information about the Linux-security-module-archive mailing list