Re: [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider

From: Paul Moore
Date: Thu Mar 02 2023 - 14:08:30 EST


On Mon, Jan 30, 2023 at 5:58 PM Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
>
> Allows author of IPE policy to indicate trust for a singular dm-verity
> volume, identified by roothash, through "dmverity_roothash" and all
> signed dm-verity volumes, through "dmverity_signature".
>
> Signed-off-by: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>

...

> ---
> security/ipe/Kconfig | 20 +++++
> security/ipe/Makefile | 2 +
> security/ipe/audit.c | 24 ++++++
> security/ipe/digest.c | 144 +++++++++++++++++++++++++++++++++++
> security/ipe/digest.h | 26 +++++++
> security/ipe/eval.c | 103 +++++++++++++++++++++++++
> security/ipe/eval.h | 13 ++++
> security/ipe/hooks.c | 51 +++++++++++++
> security/ipe/hooks.h | 8 ++
> security/ipe/ipe.c | 15 ++++
> security/ipe/ipe.h | 4 +
> security/ipe/policy.h | 3 +
> security/ipe/policy_parser.c | 16 ++++
> 13 files changed, 429 insertions(+)
> create mode 100644 security/ipe/digest.c
> create mode 100644 security/ipe/digest.h
>
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> index ac4d558e69d5..16e835ce61b0 100644
> --- a/security/ipe/Kconfig
> +++ b/security/ipe/Kconfig
> @@ -15,3 +15,23 @@ menuconfig SECURITY_IPE
> admins to reconfigure trust requirements on the fly.
>
> If unsure, answer N.
> +
> +if SECURITY_IPE
> +menu "IPE Trust Providers"
> +
> +config IPE_PROP_DM_VERITY
> + bool "Enable support for dm-verity volumes"
> + depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
> + default Y
> + help
> + This option enables the properties 'dmverity_signature' and
> + 'dmverity_roothash' in IPE policy. These properties evaluates
> + to TRUE when a file is evaluated against a dm-verity volume
> + that was mounted with a signed root-hash or the volume's
> + root hash matches the supplied value in the policy.
> +
> + If unsure, answer Y.

If you had both IPE and dm-verity enabled in your kernel build, is
there ever a case where you wouldn't want IPE_PROP_DM_VERITY? I
suspect you can just have IPE and dm-verity select IPE_PROP_DM_VERITY
and not bother the user/admin with the additional Kconfig knob.

> +endmenu
> +
> +endif
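
Review bot: In the IPE_PROP_DM_VERITY entry, `default Y` uses an uppercase Y, which Kconfig treats as a reference to a symbol named Y rather than the value y; with no such symbol defined the default evaluates to n, which contradicts the "If unsure, answer Y" help text. Change it to `default y`. In the same entry, the help text should read "These properties evaluate" (not "evaluates"). Because `depends on` requires DM_VERITY_VERIFY_ROOTHASH_SIG, 'dmverity_roothash' is also unavailable on kernels built without signature verification, even though the help text describes it as a plain root-hash match; either say so in the help text or relax the dependency for that property.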

--
paul-moore.com