authorDeven Bowers <deven.desai@linux.microsoft.com>2024-08-03 08:08:27 +0200
committerPaul Moore <paul@paul-moore.com>2024-08-20 20:02:45 +0200
commite155858dd99523d4afe0f74e9c26e4f4499eb5af (patch)
tree4e9034938934ccc58d6f10aff42616140392afe2 /security/ipe/policy_parser.c
parentdm-verity: expose root hash digest and signature data to LSMs (diff)
ipe: add support for dm-verity as a trust provider
Allows the author of an IPE policy to indicate trust for a single dm-verity volume, identified by its root hash, through "dmverity_roothash", and for all signed and validated dm-verity volumes through "dmverity_signature". Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> [PM: fixed some line length issues in the comments] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/ipe/policy_parser.c')
-rw-r--r--security/ipe/policy_parser.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c
index 67e3fc48f7a6..c3b7639df532 100644
--- a/security/ipe/policy_parser.c
+++ b/security/ipe/policy_parser.c
@@ -11,6 +11,7 @@
#include "policy.h"
#include "policy_parser.h"
+#include "digest.h"
#define START_COMMENT '#'
#define IPE_POLICY_DELIM " \t"
@@ -221,6 +222,7 @@ static void free_rule(struct ipe_rule *r)
list_for_each_entry_safe(p, t, &r->props, next) {
list_del(&p->next);
+ ipe_digest_free(p->value);
kfree(p);
}
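Review bot: The added `ipe_digest_free(p->value)` runs for every property on the rule, and for the boolean properties (`boot_verified`, `dmverity_signature`) `p->value` is never set, so it is still the zero from `kzalloc()` in parse_property; this is only safe if ipe_digest_free() accepts NULL, which is not visible here. A short comment at the call site would make that contract explicit: `/* value is NULL for boolean properties; ipe_digest_free() must tolerate that */`. free_rule begins outside this hunk.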
@@ -273,6 +275,9 @@ static enum ipe_action_type parse_action(char *t)
static const match_table_t property_tokens = {
{IPE_PROP_BOOT_VERIFIED_FALSE, "boot_verified=FALSE"},
{IPE_PROP_BOOT_VERIFIED_TRUE, "boot_verified=TRUE"},
+ {IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"},
+ {IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"},
+ {IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"},
{IPE_PROP_INVALID, NULL}
};
@@ -295,6 +300,7 @@ static int parse_property(char *t, struct ipe_rule *r)
struct ipe_prop *p = NULL;
int rc = 0;
int token;
+ char *dup = NULL;
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p)
@@ -303,8 +309,22 @@ static int parse_property(char *t, struct ipe_rule *r)
token = match_token(t, property_tokens, args);
switch (token) {
+ case IPE_PROP_DMV_ROOTHASH:
+ dup = match_strdup(&args[0]);
+ if (!dup) {
+ rc = -ENOMEM;
+ goto err;
+ }
+ p->value = ipe_digest_parse(dup);
+ if (IS_ERR(p->value)) {
+ rc = PTR_ERR(p->value);
+ goto err;
+ }
+ fallthrough;
case IPE_PROP_BOOT_VERIFIED_FALSE:
case IPE_PROP_BOOT_VERIFIED_TRUE:
+ case IPE_PROP_DMV_SIG_FALSE:
+ case IPE_PROP_DMV_SIG_TRUE:
p->type = token;
break;
default:
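Review bot: The new IPE_PROP_DMV_ROOTHASH case copies the matched argument with match_strdup() before calling ipe_digest_parse(), and nothing says why the copy is needed; presumably `args[0]` is a non-terminated substring and the parser wants a C string, which deserves a one-line comment: `/* args[0] is not NUL-terminated; ipe_digest_parse() needs a C string */`. Since the token is declared as `dmverity_roothash=%s`, any text after `=` reaches ipe_digest_parse(), so that function is the only validation of the root hash value — its checks are not visible in this patch. On the `IS_ERR(p->value)` path `p->value` holds an ERR_PTR when `goto err` is taken, which is fine as long as `err:` never dereferences it. parse_property begins and ends outside this hunk.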
@@ -315,10 +335,12 @@ static int parse_property(char *t, struct ipe_rule *r)
goto err;
list_add_tail(&p->next, &r->props);
+out:
+ kfree(dup);
return rc;
err:
kfree(p);
- return rc;
+ goto out;
}
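Review bot: The `err:` label still frees only `p`, while the new IPE_PROP_DMV_ROOTHASH case earlier in this function can leave a live digest in `p->value` before the `goto err` at the top of this hunk is reached; whether that `goto` can fire after a successful parse depends on the condition above it, which is outside the hunk, so the leak may be unreachable today. A defensive release keeps the label correct if another post-switch check is added later: `if (!IS_ERR_OR_NULL(p->value)) ipe_digest_free(p->value);` before `kfree(p);`, assuming ipe_digest_free() expects a valid digest pointer (its handling of NULL or ERR_PTR is not visible here). parse_property begins outside this hunk.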
/**