diff options
| author | Fan Wu <wufan@linux.microsoft.com> | 2024-08-02 23:08:30 -0700 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2024-08-20 14:03:35 -0400 |
| commit | 31f8c8682f30720be25e9b1021caa43c64e8d9ce (patch) | |
| tree | 5c210c974594b30fc81a0857beae388e6b9cf6b8 /security/ipe/policy_parser.c | |
| parent | 7c373e4f1445263728d3eeab7e33e932c8f4a288 (diff) | |
ipe: enable support for fs-verity as a trust provider
Enable IPE policy authors to indicate trust for a singular fsverity
file, identified by the digest information, through "fsverity_digest"
and all files using valid fsverity builtin signatures via
"fsverity_signature".
This enables file-level integrity claims to be expressed in IPE,
allowing individual files to be authorized, giving some flexibility
for policy authors. Such file-level claims are important to be expressed
for enforcing the integrity of packages, as well as address some of the
scalability issues in a sole dm-verity based solution (# of loop back
devices, etc).
This solution cannot be done in userspace as the minimum threat that
IPE should mitigate is an attacker downloads malicious payload with
all required dependencies. These dependencies can lack the userspace
check, bypassing the protection entirely. A similar attack succeeds if
the userspace component is replaced with a version that does not
perform the check. As a result, this can only be done in the common
entry point - the kernel.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/ipe/policy_parser.c')
| -rw-r--r-- | security/ipe/policy_parser.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c index c3b7639df532..7f27e39931d6 100644 --- a/security/ipe/policy_parser.c +++ b/security/ipe/policy_parser.c @@ -278,6 +278,9 @@ static const match_table_t property_tokens = { {IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"}, {IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"}, {IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"}, + {IPE_PROP_FSV_DIGEST, "fsverity_digest=%s"}, + {IPE_PROP_FSV_SIG_FALSE, "fsverity_signature=FALSE"}, + {IPE_PROP_FSV_SIG_TRUE, "fsverity_signature=TRUE"}, {IPE_PROP_INVALID, NULL} }; @@ -310,6 +313,7 @@ static int parse_property(char *t, struct ipe_rule *r) switch (token) { case IPE_PROP_DMV_ROOTHASH: + case IPE_PROP_FSV_DIGEST: dup = match_strdup(&args[0]); if (!dup) { rc = -ENOMEM; @@ -325,6 +329,8 @@ static int parse_property(char *t, struct ipe_rule *r) case IPE_PROP_BOOT_VERIFIED_TRUE: case IPE_PROP_DMV_SIG_FALSE: case IPE_PROP_DMV_SIG_TRUE: + case IPE_PROP_FSV_SIG_FALSE: + case IPE_PROP_FSV_SIG_TRUE: p->type = token; break; default: |