summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuca Boccassi <bluca@debian.org>2024-09-27 10:23:44 +0200
committerFan Wu <wufan@kernel.org>2024-10-18 12:14:53 -0700
commitf40998a8e6bbf0314b8416350183a537f9b59ca9 (patch)
tree809dbfcdc3e1e76f035ad63b5a44b7d1989aa8a7
parent02e2f9aa33e461468de02e35ad977bd7233960ae (diff)
ipe: fallback to platform keyring also if key in trusted keyring is rejected
If enabled, we fallback to the platform keyring if the trusted keyring doesn't have the key used to sign the ipe policy. But if pkcs7_verify() rejects the key for other reasons, such as usage restrictions, we do not fallback. Do so, following the same change in dm-verity. Signed-off-by: Luca Boccassi <bluca@debian.org> Suggested-by: Serge Hallyn <serge@hallyn.com> [FW: fixed some line length issues and a typo in the commit message] Signed-off-by: Fan Wu <wufan@kernel.org>
-rw-r--r--security/ipe/policy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 45f7d6a0ed23..b628f696e32b 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -178,7 +178,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
- if (rc == -ENOKEY)
+ if (rc == -ENOKEY || rc == -EKEYREJECTED)
rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
VERIFY_USE_PLATFORM_KEYRING,
VERIFYING_UNSPECIFIED_SIGNATURE,