On Mon, Jan 30, 2023 at 5:58 PM Fan Wu <wufan(a)linux.microsoft.com> wrote:
From: Deven Bowers <deven.desai(a)linux.microsoft.com>
Allows author of IPE policy to indicate trust for a singular dm-verity
volume, identified by roothash, through "dmverity_roothash" and all
signed dm-verity volumes, through "dmverity_signature".
Signed-off-by: Deven Bowers <deven.desai(a)linux.microsoft.com>
Signed-off-by: Fan Wu <wufan(a)linux.microsoft.com>
...
---
security/ipe/Kconfig | 20 +++++
security/ipe/Makefile | 2 +
security/ipe/audit.c | 24 ++++++
security/ipe/digest.c | 144 +++++++++++++++++++++++++++++++++++
security/ipe/digest.h | 26 +++++++
security/ipe/eval.c | 103 +++++++++++++++++++++++++
security/ipe/eval.h | 13 ++++
security/ipe/hooks.c | 51 +++++++++++++
security/ipe/hooks.h | 8 ++
security/ipe/ipe.c | 15 ++++
security/ipe/ipe.h | 4 +
security/ipe/policy.h | 3 +
security/ipe/policy_parser.c | 16 ++++
13 files changed, 429 insertions(+)
create mode 100644 security/ipe/digest.c
create mode 100644 security/ipe/digest.h
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index ac4d558e69d5..16e835ce61b0 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -15,3 +15,23 @@ menuconfig SECURITY_IPE
admins to reconfigure trust requirements on the fly.
If unsure, answer N.
+
+if SECURITY_IPE
+menu "IPE Trust Providers"
+
+config IPE_PROP_DM_VERITY
+ bool "Enable support for dm-verity volumes"
+ depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
+ default Y
+ help
+ This option enables the properties 'dmverity_signature' and
+ 'dmverity_roothash' in IPE policy. These properties evaluates
+ to TRUE when a file is evaluated against a dm-verity volume
+ that was mounted with a signed root-hash or the volume's
+ root hash matches the supplied value in the policy.
+
+ If unsure, answer Y.
If you had both IPE and dm-verity enabled in your kernel build, is
there ever a case where you wouldn't want IPE_PROP_DM_VERITY? I
suspect you can just have IPE and dm-verity select IPE_PROP_DM_VERITY
and not bother the user/admin with the additional Kconfig knob.
+endmenu
+
+endif
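Review bot: `default Y` in the new IPE_PROP_DM_VERITY entry should be lowercase `default y`; the tristate constants y/m/n are written lowercase throughout the kernel's Kconfig files. Two wording points in the help text as well: "These properties evaluates" should read "These properties evaluate", and the sentence folds both properties into a single condition, so it would be clearer to describe them separately, e.g. 'dmverity_signature' is true when the file's backing dm-verity volume was mounted with a signed root hash, and 'dmverity_roothash' is true when that volume's root hash matches the value supplied in the policy.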
--
paul-moore.com