ipe/stable-6.17 PR 20250728

-----BEGIN PGP SIGNATURE----- iIcEABYIAC8WIQQzmBmZPBN6m/hUJmnyomI6a/yO7QUCaIgqhBEcd3VmYW5Aa2Vy bmVsLm9yZwAKCRDyomI6a/yO7RS6AQDikpH4iYfC5PNOcPRvYrl85SvZdDVdJoyD 0r+DyNddqQEA5iWbIo18rz7usj62uqZd5yFXLmUNfgX+/SvpLLDeXQ4= =B34A -----END PGP SIGNATURE----- Merge tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe Pull ipe update from Fan Wu: "A single commit from Eric Biggers to simplify the IPE (Integrity Policy Enforcement) policy audit with the SHA-256 library API" * tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: ipe: use SHA-256 library API instead of crypto_shash API
2025-09-04 20:19:47 +08:00 · 2025-07-31 09:42:20 -07:00 · 2025-07-31 09:42:20 -07:00 · b4efd62564
commit b4efd62564
parent b1cce98493 b90bb6dbf1
2 changed files with 6 additions and 28 deletions
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@ -6,6 +6,7 @@
 menuconfig SECURITY_IPE
 	bool "Integrity Policy Enforcement (IPE)"
 	depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
+	select CRYPTO_LIB_SHA256
 	select PKCS7_MESSAGE_PARSER
 	select SYSTEM_DATA_VERIFICATION
 	select IPE_PROP_DM_VERITY if DM_VERITY
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@ -6,7 +6,7 @@
 #include <linux/slab.h>
 #include <linux/audit.h>
 #include <linux/types.h>
-#include <crypto/hash.h>
+#include <crypto/sha2.h>

 #include "ipe.h"
 #include "eval.h"
@ -17,7 +17,7 @@

 #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")

-#define IPE_AUDIT_HASH_ALG "sha256"
+#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */

 #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
 			      "policy_digest=" IPE_AUDIT_HASH_ALG ":"
@ -182,37 +182,14 @@ static void audit_policy(struct audit_buffer *ab,
 			 const char *audit_format,
 			 const struct ipe_policy *const p)
 {
-	SHASH_DESC_ON_STACK(desc, tfm);
-	struct crypto_shash *tfm;
-	u8 *digest = NULL;
+	u8 digest[SHA256_DIGEST_SIZE];

-	tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0);
-	if (IS_ERR(tfm))
-		return;
-
-	desc->tfm = tfm;
-
-	digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL);
-	if (!digest)
-		goto out;
-
-	if (crypto_shash_init(desc))
-		goto out;
-
-	if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len))
-		goto out;
-
-	if (crypto_shash_final(desc, digest))
-		goto out;
+	sha256(p->pkcs7, p->pkcs7len, digest);

 	audit_log_format(ab, audit_format, p->parsed->name,
 			 p->parsed->version.major, p->parsed->version.minor,
 			 p->parsed->version.rev);
-	audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm));
-
-out:
-	kfree(digest);
-	crypto_free_shash(tfm);
+	audit_log_n_hex(ab, digest, sizeof(digest));
 }

 /**