<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security/ipe, branch v6.18.21</title>
<subtitle>Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git</subtitle>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/'/>
<entry>
<title>Merge tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe</title>
<updated>2025-07-31T16:42:20+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2025-07-31T16:42:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=b4efd62564e96d1edb99eb00dd0ff620dbd1afab'/>
<id>b4efd62564e96d1edb99eb00dd0ff620dbd1afab</id>
<content type='text'>
Pull ipe update from Fan Wu:
 "A single commit from Eric Biggers to simplify the IPE (Integrity
  Policy Enforcement) policy audit with the SHA-256 library API"

* tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  ipe: use SHA-256 library API instead of crypto_shash API
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull ipe update from Fan Wu:
 "A single commit from Eric Biggers to simplify the IPE (Integrity
  Policy Enforcement) policy audit with the SHA-256 library API"

* tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  ipe: use SHA-256 library API instead of crypto_shash API
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: use SHA-256 library API instead of crypto_shash API</title>
<updated>2025-07-29T01:54:18+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2025-05-14T05:05:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=b90bb6dbf1d60d70969f8f8f2f30033f49711594'/>
<id>b90bb6dbf1d60d70969f8f8f2f30033f49711594</id>
<content type='text'>
audit_policy() does not support any other algorithm, so the crypto_shash
abstraction provides no value.  Just use the SHA-256 library API
instead, which is much simpler and easier to use.

Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
audit_policy() does not support any other algorithm, so the crypto_shash
abstraction provides no value.  Just use the SHA-256 library API
instead, which is much simpler and easier to use.

Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: don't bother with removal of files in directory we'll be removing</title>
<updated>2025-06-17T22:10:53+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2025-06-11T23:08:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=5be998a218f7db74bcb26accdfcb9fe2d0c18b75'/>
<id>5be998a218f7db74bcb26accdfcb9fe2d0c18b75</id>
<content type='text'>
... and use securityfs_remove() instead of securityfs_recursive_remove()

Acked-by: Fan Wu &lt;wufan@kernel.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
... and use securityfs_remove() instead of securityfs_recursive_remove()

Acked-by: Fan Wu &lt;wufan@kernel.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: add errno field to IPE policy load auditing</title>
<updated>2025-05-28T01:08:51+00:00</updated>
<author>
<name>Jasjiv Singh</name>
<email>jasjivsingh@linux.microsoft.com</email>
</author>
<published>2025-03-13T21:51:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=1d887d6f810dbf908da9709393c95ae1a649d587'/>
<id>1d887d6f810dbf908da9709393c95ae1a649d587</id>
<content type='text'>
Users of IPE require a way to identify when and why an operation fails,
allowing them to both respond to violations of policy and be notified
of potentially malicious actions on their systems with respect to IPE.

This patch introduces a new error field to the AUDIT_IPE_POLICY_LOAD event
to log policy loading failures. Currently, IPE only logs successful policy
loads, but not failures. Tracking failures is crucial to detect malicious
attempts and ensure a complete audit trail for security events.

The new error field will capture the following error codes:

* -ENOKEY: Key used to sign the IPE policy not found in the keyring
* -ESTALE: Attempting to update an IPE policy with an older version
* -EKEYREJECTED: IPE signature verification failed
* -ENOENT: Policy was deleted while updating
* -EEXIST: Same name policy already deployed
* -ERANGE: Policy version number overflow
* -EINVAL: Policy version parsing error
* -EPERM: Insufficient permission
* -ENOMEM: Out of memory (OOM)
* -EBADMSG: Policy is invalid

Here are some examples of the updated audit record types:

AUDIT_IPE_POLICY_LOAD(1422):
audit:  AUDIT1422 policy_name="Test_Policy" policy_version=0.0.1
policy_digest=sha256:84EFBA8FA71E62AE0A537FAB962F8A2BD1053964C4299DCA
92BFFF4DB82E86D3 auid=1000 ses=3 lsm=ipe res=1 errno=0

The above record shows a new policy has been successfully loaded into
the kernel with the policy name, version, and hash with the errno=0.

AUDIT_IPE_POLICY_LOAD(1422) with error:

audit: AUDIT1422 policy_name=? policy_version=? policy_digest=?
auid=1000 ses=3 lsm=ipe res=0 errno=-74

The above record shows a policy load failure due to an invalid policy
(-EBADMSG).

By adding this error field, we ensure that all policy load attempts,
whether successful or failed, are logged, providing a comprehensive
audit trail for IPE policy management.

Signed-off-by: Jasjiv Singh &lt;jasjivsingh@linux.microsoft.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Users of IPE require a way to identify when and why an operation fails,
allowing them to both respond to violations of policy and be notified
of potentially malicious actions on their systems with respect to IPE.

This patch introduces a new error field to the AUDIT_IPE_POLICY_LOAD event
to log policy loading failures. Currently, IPE only logs successful policy
loads, but not failures. Tracking failures is crucial to detect malicious
attempts and ensure a complete audit trail for security events.

The new error field will capture the following error codes:

* -ENOKEY: Key used to sign the IPE policy not found in the keyring
* -ESTALE: Attempting to update an IPE policy with an older version
* -EKEYREJECTED: IPE signature verification failed
* -ENOENT: Policy was deleted while updating
* -EEXIST: Same name policy already deployed
* -ERANGE: Policy version number overflow
* -EINVAL: Policy version parsing error
* -EPERM: Insufficient permission
* -ENOMEM: Out of memory (OOM)
* -EBADMSG: Policy is invalid

Here are some examples of the updated audit record types:

AUDIT_IPE_POLICY_LOAD(1422):
audit:  AUDIT1422 policy_name="Test_Policy" policy_version=0.0.1
policy_digest=sha256:84EFBA8FA71E62AE0A537FAB962F8A2BD1053964C4299DCA
92BFFF4DB82E86D3 auid=1000 ses=3 lsm=ipe res=1 errno=0

The above record shows a new policy has been successfully loaded into
the kernel with the policy name, version, and hash with the errno=0.

AUDIT_IPE_POLICY_LOAD(1422) with error:

audit: AUDIT1422 policy_name=? policy_version=? policy_digest=?
auid=1000 ses=3 lsm=ipe res=0 errno=-74

The above record shows a policy load failure due to an invalid policy
(-EBADMSG).

By adding this error field, we ensure that all policy load attempts,
whether successful or failed, are logged, providing a comprehensive
audit trail for IPE policy management.

Signed-off-by: Jasjiv Singh &lt;jasjivsingh@linux.microsoft.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: policy_fs: fix kernel-doc warnings</title>
<updated>2025-03-24T20:36:00+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2025-01-11T06:33:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=6df401a2ee4a91f4fd1095507d6f461f1082d814'/>
<id>6df401a2ee4a91f4fd1095507d6f461f1082d814</id>
<content type='text'>
Use the "struct" keyword in kernel-doc when describing struct
ipefs_file. Add kernel-doc for the struct members also.

Don't use kernel-doc notation for 'policy_subdir'. kernel-doc does
not support documentation comments for data definitions.

This eliminates multiple kernel-doc warnings:

security/ipe/policy_fs.c:21: warning: cannot understand function prototype: 'struct ipefs_file '
security/ipe/policy_fs.c:407: warning: cannot understand function prototype: 'const struct ipefs_file policy_subdir[] = '

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: Fan Wu &lt;wufan@kernel.org&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use the "struct" keyword in kernel-doc when describing struct
ipefs_file. Add kernel-doc for the struct members also.

Don't use kernel-doc notation for 'policy_subdir'. kernel-doc does
not support documentation comments for data definitions.

This eliminates multiple kernel-doc warnings:

security/ipe/policy_fs.c:21: warning: cannot understand function prototype: 'struct ipefs_file '
security/ipe/policy_fs.c:407: warning: cannot understand function prototype: 'const struct ipefs_file policy_subdir[] = '

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: Fan Wu &lt;wufan@kernel.org&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: fallback to platform keyring also if key in trusted keyring is rejected</title>
<updated>2024-10-18T19:14:53+00:00</updated>
<author>
<name>Luca Boccassi</name>
<email>bluca@debian.org</email>
</author>
<published>2024-09-27T08:23:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=f40998a8e6bbf0314b8416350183a537f9b59ca9'/>
<id>f40998a8e6bbf0314b8416350183a537f9b59ca9</id>
<content type='text'>
If enabled, we fall back to the platform keyring if the trusted keyring
doesn't have the key used to sign the ipe policy. But if pkcs7_verify()
rejects the key for other reasons, such as usage restrictions, we do not
fall back. Do so, following the same change in dm-verity.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Suggested-by: Serge Hallyn &lt;serge@hallyn.com&gt;
[FW: fixed some line length issues and a typo in the commit message]
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If enabled, we fall back to the platform keyring if the trusted keyring
doesn't have the key used to sign the ipe policy. But if pkcs7_verify()
rejects the key for other reasons, such as usage restrictions, we do not
fall back. Do so, following the same change in dm-verity.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Suggested-by: Serge Hallyn &lt;serge@hallyn.com&gt;
[FW: fixed some line length issues and a typo in the commit message]
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: allow secondary and platform keyrings to install/update policies</title>
<updated>2024-10-17T18:46:10+00:00</updated>
<author>
<name>Luca Boccassi</name>
<email>bluca@debian.org</email>
</author>
<published>2024-09-15T09:11:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=02e2f9aa33e461468de02e35ad977bd7233960ae'/>
<id>02e2f9aa33e461468de02e35ad977bd7233960ae</id>
<content type='text'>
The current policy management makes it impossible to use IPE
in a general purpose distribution. In such cases the users are not
building the kernel, the distribution is, and access to the private
key included in the trusted keyring is, for obvious reasons, not
available.
This means that users have no way to enable IPE, since there will
be no built-in generic policy, and no access to the key to sign
updates validated by the trusted keyring.

Just as we do for dm-verity, kernel modules and more, allow the
secondary and platform keyrings to also validate policies. This
allows users enrolling their own keys in UEFI db or MOK to also
sign policies, and enroll them. This makes it sensible to enable
IPE in general purpose distributions, as it becomes usable by
any user wishing to do so. Keys in these keyrings can already
load kernels and kernel modules, so there is no security
downgrade.

Add a kconfig each, like dm-verity does, but default to enabled if
the dependencies are available.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
[FW: fixed some style issues]
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The current policy management makes it impossible to use IPE
in a general purpose distribution. In such cases the users are not
building the kernel, the distribution is, and access to the private
key included in the trusted keyring is, for obvious reasons, not
available.
This means that users have no way to enable IPE, since there will
be no built-in generic policy, and no access to the key to sign
updates validated by the trusted keyring.

Just as we do for dm-verity, kernel modules and more, allow the
secondary and platform keyrings to also validate policies. This
allows users enrolling their own keys in UEFI db or MOK to also
sign policies, and enroll them. This makes it sensible to enable
IPE in general purpose distributions, as it becomes usable by
any user wishing to do so. Keys in these keyrings can already
load kernels and kernel modules, so there is no security
downgrade.

Add a kconfig each, like dm-verity does, but default to enabled if
the dependencies are available.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
[FW: fixed some style issues]
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: also reject policy updates with the same version</title>
<updated>2024-10-17T18:38:15+00:00</updated>
<author>
<name>Luca Boccassi</name>
<email>bluca@debian.org</email>
</author>
<published>2024-09-25T21:01:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=5ceecb301e50e933c1e621fbeea5ec239fbff858'/>
<id>5ceecb301e50e933c1e621fbeea5ec239fbff858</id>
<content type='text'>
Currently IPE accepts an update that has the same version as the policy
being updated, but it doesn't make it a no-op nor does it check that the
old and new policies are the same. So it is possible to change the
content of a policy, without changing its version. This is very
confusing from userspace when managing policies.
Instead change the update logic to reject updates that have the same
version with ESTALE, as that is much clearer and more intuitive behaviour.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently IPE accepts an update that has the same version as the policy
being updated, but it doesn't make it a no-op nor does it check that the
old and new policies are the same. So it is possible to change the
content of a policy, without changing its version. This is very
confusing from userspace when managing policies.
Instead change the update logic to reject updates that have the same
version with ESTALE, as that is much clearer and more intuitive behaviour.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version</title>
<updated>2024-10-17T18:37:13+00:00</updated>
<author>
<name>Luca Boccassi</name>
<email>bluca@debian.org</email>
</author>
<published>2024-09-25T21:01:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=579941899db4f972507df3bf783518e606bb095a'/>
<id>579941899db4f972507df3bf783518e606bb095a</id>
<content type='text'>
When loading policies in userspace we want a recognizable error when an
update attempts to use an old policy, as that is an error that needs
to be treated differently from an invalid policy. Use -ESTALE as it is
clear enough for an update mechanism.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When loading policies in userspace we want a recognizable error when an
update attempts to use an old policy, as that is an error that needs
to be treated differently from an invalid policy. Use -ESTALE as it is
clear enough for an update mechanism.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: Add missing terminator to list of unit tests</title>
<updated>2024-09-23T19:53:37+00:00</updated>
<author>
<name>Guenter Roeck</name>
<email>linux@roeck-us.net</email>
</author>
<published>2024-09-22T14:52:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/linux.git/commit/?id=f89722faa31466ff41aed21bdeb9cf34c2312858'/>
<id>f89722faa31466ff41aed21bdeb9cf34c2312858</id>
<content type='text'>
Add missing terminator to list of unit tests to avoid random crashes seen
when running the test.

Fixes: 10ca05a76065 ("ipe: kunit test for parser")
Cc: Deven Bowers &lt;deven.desai@linux.microsoft.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Fan Wu &lt;wufan@linux.microsoft.com&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Acked-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add missing terminator to list of unit tests to avoid random crashes seen
when running the test.

Fixes: 10ca05a76065 ("ipe: kunit test for parser")
Cc: Deven Bowers &lt;deven.desai@linux.microsoft.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Fan Wu &lt;wufan@linux.microsoft.com&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Acked-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
