lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z5GdlKW09UhO9YYo@redbud>
Date: Wed, 22 Jan 2025 19:38:28 -0600
From: Tyler Hicks <code@...icks.com>
To: Fan Wu <wufan@...nel.org>
Cc: Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Deven Bowers <deven.desai@...ux.microsoft.com>,
	Shyam Saini <shyamsaini@...ux.microsoft.com>,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipe: Search for the boot policy file in the source tree

On 2025-01-22 10:41:07, Fan Wu wrote:
> Thanks for the fix.
> 
> My only concern here is the use of wildcard. I'm not sure but if
> $(CONFIG_IPE_BOOT_POLICY) is a glob pattern it could match multiple
> files?

Ah, that's a great point. To be honest, I followed the example of
CONFIG_MODULE_SIG_KEY in scripts/Makefile.modinst and didn't consider this
possible issue.

I can reproduce your concern. It doesn't actually cause any problems because
only the first matched file is used for the boot policy but it is potentially
confusing and boot policy is not something that we want to be unsure about.

Let me think of something else. It might be a few days before I get a chance to
send out a v2.

> Other than that I think the doc of security/ipe/Kconfig needs to be
> updated as well to reflect the makefile change.

Were you thinking something like this?

          This option specifies a filepath to an IPE policy that is compiled
	  into the kernel. The filepath can be absolute or relative from either
	  the source tree or the object tree. This policy will be enforced
	  until a policy update is deployed via the
          $securityfs/ipe/policies/$policy_name/active interface.

          If unsure, leave blank.

I doubt any users actually want a relative path from the object tree but that
has been supported since IPE was initially merged so I think it is worth
keeping around.

Tyler

> 
> -Fan
> 
> On Tue, Jan 21, 2025 at 10:58 PM Tyler Hicks <code@...icks.com> wrote:
> >
> > Resolve CONFIG_IPE_BOOT_POLICY relative file paths in the source tree if
> > the file was not found within the object tree and is not an absolute path.
> >
> > This fixes an IPE build failure that occurs when using an output directory,
> > such as with the `O=/tmp/build` make option, during a build with the
> > CONFIG_IPE_BOOT_POLICY option set to a path that's relative to the kernel
> > source tree. For example,
> >
> >   $ grep CONFIG_IPE_BOOT_POLICY /tmp/build/.config
> >   CONFIG_IPE_BOOT_POLICY="ipe-boot-policy"
> >   $ touch ipe-boot-policy
> >   $ make O=/tmp/build
> >   make[1]: Entering directory '/tmp/build'
> >     GEN     Makefile
> >     UPD     include/config/kernel.release
> >     UPD     include/generated/utsrelease.h
> >     CALL    scripts/checksyscalls.sh
> >     CC      init/version.o
> >     AR      init/built-in.a
> >     CC      kernel/sys.o
> >     AR      kernel/built-in.a
> >     IPE_POL ipe-boot-policy
> >   An error occurred during policy conversion: : No such file or directory
> >   make[5]: *** [security/ipe/Makefile:14: security/ipe/boot_policy.c] Error 2
> >   make[4]: *** [scripts/Makefile.build:440: security/ipe] Error 2
> >   make[3]: *** [scripts/Makefile.build:440: security] Error 2
> >   make[2]: *** [Makefile:1989: .] Error 2
> >   make[1]: *** [Makefile:251: __sub-make] Error 2
> >   make[1]: Leaving directory '/tmp/build'
> >   make: *** [Makefile:251: __sub-make] Error 2
> >
> > Fixes: ba199dc909a2 ("scripts: add boot policy generation program")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Tyler Hicks <code@...icks.com>
> > ---
> >  security/ipe/Makefile | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> > index 2ffabfa63fe9..b54d7b7c9e6d 100644
> > --- a/security/ipe/Makefile
> > +++ b/security/ipe/Makefile
> > @@ -10,8 +10,10 @@ quiet_cmd_polgen = IPE_POL $(2)
> >
> >  targets += boot_policy.c
> >
> > -$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE
> > -       $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY))
> > +boot-pol := $(if $(wildcard $(CONFIG_IPE_BOOT_POLICY)),,$(srctree)/)$(CONFIG_IPE_BOOT_POLICY)
> > +
> > +$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(boot-pol) FORCE
> > +       $(call if_changed,polgen,$(boot-pol))
> >
> >  obj-$(CONFIG_SECURITY_IPE) += \
> >         boot_policy.o \
> > --
> > 2.34.1
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ