summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Documentation/admin-guide/LSM/ipe.rst5
-rw-r--r--security/ipe/Kconfig19
-rw-r--r--security/ipe/policy.c14
3 files changed, 36 insertions, 2 deletions
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
index fcb3c493104b..f93a467db628 100644
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -223,7 +223,10 @@ are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an "allow all" policy). These
policies must be signed by a certificate that chains to the
-``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by::
+``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
+``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
+``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
+With openssl, the policy can be signed by::
openssl smime -sign \
-in "$MY_POLICY" \
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index 3ab582606ed2..3c75bf267da4 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -31,6 +31,25 @@ config IPE_BOOT_POLICY
If unsure, leave blank.
+config IPE_POLICY_SIG_SECONDARY_KEYRING
+ bool "IPE policy update verification with secondary keyring"
+ default y
+ depends on SECONDARY_TRUSTED_KEYRING
+ help
+ Also allow the secondary trusted keyring to verify IPE policy
+ updates.
+
+ If unsure, answer Y.
+
+config IPE_POLICY_SIG_PLATFORM_KEYRING
+ bool "IPE policy update verification with platform keyring"
+ default y
+ depends on INTEGRITY_PLATFORM_KEYRING
+ help
+ Also allow the platform keyring to verify IPE policy updates.
+
+ If unsure, answer Y.
+
menu "IPE Trust Providers"
config IPE_PROP_DM_VERITY
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 4cea067adf6a..45f7d6a0ed23 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -169,9 +169,21 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
goto err;
}
- rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, NULL,
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+#ifdef CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING
+ VERIFY_USE_SECONDARY_KEYRING,
+#else
+ NULL,
+#endif
VERIFYING_UNSPECIFIED_SIGNATURE,
set_pkcs7_data, new);
+#ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
+ if (rc == -ENOKEY)
+ rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_UNSPECIFIED_SIGNATURE,
+ set_pkcs7_data, new);
+#endif
if (rc)
goto err;
} else {