Message ID | 20240927082343.553258-1-luca.boccassi@gmail.com (mailing list archive)
---|---
State | Handled Elsewhere
Series | ipe: fallback to platform keyring also if key in trusted keyring is rejected
On 9/27/2024 1:23 AM, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi <bluca@debian.org>
>
> If enabled, we fall back to the platform keyring if the trusted keyring doesn't have
> the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
> reasons, such as usage restrictions, we do not fall back. Do so, following the same
> change in dm-verity.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> Suggested-by: Serge Hallyn <serge@hallyn.com>
> ---
> The equivalent change in dm-verity was accepted, so apply it to IPE as well:
> https://lore.kernel.org/all/63220688-ac55-e1fc-300d-c93a948801e3@redhat.com/
>
> security/ipe/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/ipe/policy.c b/security/ipe/policy.c
> index 45f7d6a0ed23..b628f696e32b 100644
> --- a/security/ipe/policy.c
> +++ b/security/ipe/policy.c
> @@ -178,7 +178,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
> VERIFYING_UNSPECIFIED_SIGNATURE,
> set_pkcs7_data, new);
> #ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
> - if (rc == -ENOKEY)
> + if (rc == -ENOKEY || rc == -EKEYREJECTED)
> rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
> VERIFY_USE_PLATFORM_KEYRING,
> VERIFYING_UNSPECIFIED_SIGNATURE,

Acked-by: Fan Wu <wufan@linux.microsoft.com>
diff --git a/security/ipe/policy.c b/security/ipe/policy.c index 45f7d6a0ed23..b628f696e32b 100644 --- a/security/ipe/policy.c +++ b/security/ipe/policy.c @@ -178,7 +178,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen, VERIFYING_UNSPECIFIED_SIGNATURE, set_pkcs7_data, new); #ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING - if (rc == -ENOKEY) + if (rc == -ENOKEY || rc == -EKEYREJECTED) rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len, VERIFY_USE_PLATFORM_KEYRING, VERIFYING_UNSPECIFIED_SIGNATURE,
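Review bot: in the widened condition `if (rc == -ENOKEY || rc == -EKEYREJECTED)` the retry against the platform keyring overwrites `rc`, so when both keyrings fail the caller of ipe_new_policy() only sees the second verification's error and the original rejection by the trusted keyring (the usage-restriction case the commit message describes) is lost; consider keeping or logging the first `rc` before the fallback call. The hunk also carries no comment explaining why a key that the trusted keyring actively rejected, rather than merely lacked, should be retried against the platform keyring, and the commit message itself says -EKEYREJECTED covers "other reasons, such as usage restrictions" without naming which ones the fallback is meant to tolerate; a one-line comment above the condition, pointing at the dm-verity change this mirrors (linked in the cover text), would make the intended scope of the fallback clear to the next reader.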