torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code

ipe/stable-6.17 PR 20250728

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iIcEABYIAC8WIQQzmBmZPBN6m/hUJmnyomI6a/yO7QUCaIgqhBEcd3VmYW5Aa2Vy
 bmVsLm9yZwAKCRDyomI6a/yO7RS6AQDikpH4iYfC5PNOcPRvYrl85SvZdDVdJoyD
 0r+DyNddqQEA5iWbIo18rz7usj62uqZd5yFXLmUNfgX+/SvpLLDeXQ4=
 =B34A
 -----END PGP SIGNATURE-----

Merge tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe update from Fan Wu:
 "A single commit from Eric Biggers to simplify the IPE (Integrity
  Policy Enforcement) policy audit with the SHA-256 library API"

* tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  ipe: use SHA-256 library API instead of crypto_shash API
This commit is contained in:
Linus Torvalds 2025-07-31 09:42:20 -07:00
commit b4efd62564
2 changed files with 6 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
security/ipe/Kconfig
View File

@ -6,6 +6,7 @@
menuconfig SECURITY_IPE menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)" bool "Integrity Policy Enforcement (IPE)"
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
select CRYPTO_LIB_SHA256
select PKCS7_MESSAGE_PARSER select PKCS7_MESSAGE_PARSER
select SYSTEM_DATA_VERIFICATION select SYSTEM_DATA_VERIFICATION
select IPE_PROP_DM_VERITY if DM_VERITY select IPE_PROP_DM_VERITY if DM_VERITY

33
security/ipe/audit.c
View File

@ -6,7 +6,7 @@
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/types.h> #include <linux/types.h>
#include <crypto/hash.h> #include <crypto/sha2.h>
#include "ipe.h" #include "ipe.h"
#include "eval.h" #include "eval.h"
@ -17,7 +17,7 @@
#define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY") #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
#define IPE_AUDIT_HASH_ALG "sha256" #define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
#define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\ #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
"policy_digest=" IPE_AUDIT_HASH_ALG ":" "policy_digest=" IPE_AUDIT_HASH_ALG ":"
@ -182,37 +182,14 @@ static void audit_policy(struct audit_buffer *ab,
const char *audit_format, const char *audit_format,
const struct ipe_policy *const p) const struct ipe_policy *const p)
{ {
SHASH_DESC_ON_STACK(desc, tfm); u8 digest[SHA256_DIGEST_SIZE];
struct crypto_shash *tfm;
u8 *digest = NULL;
tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0); sha256(p->pkcs7, p->pkcs7len, digest);
if (IS_ERR(tfm))
return;
desc->tfm = tfm;
digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL);
if (!digest)
goto out;
if (crypto_shash_init(desc))
goto out;
if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len))
goto out;
if (crypto_shash_final(desc, digest))
goto out;
audit_log_format(ab, audit_format, p->parsed->name, audit_log_format(ab, audit_format, p->parsed->name,
p->parsed->version.major, p->parsed->version.minor, p->parsed->version.major, p->parsed->version.minor,
p->parsed->version.rev); p->parsed->version.rev);
audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm)); audit_log_n_hex(ab, digest, sizeof(digest));
out:
kfree(digest);
crypto_free_shash(tfm);
} }
/** /**