linux-stable/Documentation
Luca Boccassi 02e2f9aa33 ipe: allow secondary and platform keyrings to install/update policies
The current policy management makes it impossible to use IPE
in a general purpose distribution. In such cases the users are not
building the kernel, the distribution is, and access to the private
key included in the trusted keyring is, for obvious reasons, not
available.
This means that users have no way to enable IPE, since there will
be no built-in generic policy, and no access to the key to sign
updates validated by the trusted keyring.

Just as we do for dm-verity, kernel modules and more, allow the
secondary and platform keyrings to also validate policies. This
allows users enrolling their own keys in UEFI db or MOK to also
sign policies, and enroll them. This makes it sensible to enable
IPE in general purpose distributions, as it becomes usable by
any user wishing to do so. Keys in these keyrings can already
load kernels and kernel modules, so there is no security
downgrade.

Add a kconfig each, like dm-verity does, but default to enabled if
the dependencies are available.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
[FW: fixed some style issues]
Signed-off-by: Fan Wu <wufan@kernel.org>
2024-10-17 11:46:10 -07:00
ABI Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
accel drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
accounting
admin-guide ipe: allow secondary and platform keyrings to install/update policies 2024-10-17 11:46:10 -07:00
arch arm64 fixes for 6.12-rc2: 2024-10-04 12:20:09 -07:00
block docs: block: Fix grammar and spelling mistakes in bfq-iosched.rst 2024-09-05 14:38:10 -06:00
bpf docs/bpf: Add missing BPF program types to docs 2024-09-12 10:56:41 -07:00
cdrom
core-api vfs-6.12-rc2.fixes.2 2024-10-03 09:22:50 -07:00
cpu-freq
crypto
dev-tools The core clk framework is left largely untouched this time around except for 2024-09-23 15:01:48 -07:00
devicetree Devicetree fixes for v6.12, part 1: 2024-10-11 16:07:15 -07:00
doc-guide doc-guide: add help documentation checktransupdate.rst 2024-07-30 07:56:22 -06:00
driver-api platform/x86: wmi: Update WMI driver API documentation 2024-10-06 12:48:52 +02:00
fault-injection Fix typo "allocateed" to allocated 2024-08-26 15:37:25 -06:00
fb
features x86: remove PG_uncached 2024-09-03 21:15:46 -07:00
filesystems USB/Thunderbolt update for 6.12-rc1 2024-09-26 09:45:36 -07:00
firmware_class
firmware-guide
fpga
gpu Short summary of fixes pull: 2024-10-01 08:15:55 +10:00
hid Documentation: hid: intel-ish-hid: Add vendor custom firmware loading 2024-08-19 21:12:27 +02:00
hwmon hwmon: Remove devm_hwmon_device_unregister() API function 2024-09-13 07:27:36 -07:00
i2c i2c: testunit: add SMBusAlert trigger 2024-08-26 15:15:48 +02:00
iio doc: iio: ad4695: update for calibration support 2024-09-03 18:49:43 +01:00
images
infiniband
input
isdn
kbuild kbuild: doc: replace "gcc" in external module description 2024-09-24 03:07:21 +09:00
kernel-hacking
leds - Limited LED current based on thermal conditions in the QCOM flash LED driver. 2024-09-23 14:20:11 -07:00
litmus-tests
livepatch Documentation: livepatch: Correct release locks antonym 2024-09-04 13:42:27 +02:00
locking
maintainer
mhi
misc-devices
mm Along with the usual shower of singleton patches, notable patch series in 2024-09-21 07:29:05 -07:00
netlabel
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-12 17:11:24 -07:00
networking Documentation: networking/tcp_ao: typo and grammar fixes 2024-10-03 16:38:48 -07:00
nvdimm
nvme Remove duplicate "and" in 'Linux NVMe docs. 2024-09-10 15:44:20 -06:00
PCI Documentation: PCI: fix typo in pci.rst 2024-09-10 15:30:42 -06:00
pcmcia
peci
power Documentation: PM: Discourage use of deprecated macros 2024-09-04 14:37:57 +02:00
process docs: netdev: document guidance on cleanup patches 2024-10-10 08:35:20 -07:00
RCU Merge branches 'context_tracking.15.08.24a', 'csd.lock.15.08.24a', 'nocb.09.09.24a', 'rcutorture.14.08.24a', 'rcustall.09.09.24a', 'srcu.12.08.24a', 'rcu.tasks.14.08.24a', 'rcu_scaling_tests.15.08.24a', 'fixes.12.08.24a' and 'misc.11.08.24a' into next.09.09.24a 2024-09-09 00:09:47 +05:30
rust Rust changes for v6.12 2024-09-25 10:25:40 -07:00
scheduler sched_ext: Documentation: Update instructions for running example schedulers 2024-10-08 08:49:18 -10:00
scsi
security documentation: add IPE documentation 2024-08-20 14:03:47 -04:00
sound Docs/sound: Add documentation for userspace-driven ALSA timers 2024-08-18 09:55:54 +02:00
sphinx docs: kerneldoc-preamble.sty: Suppress extra spaces in CJK literal blocks 2024-09-05 14:16:41 -06:00
sphinx-static
spi spi: Enable controllers to extend the SPI protocol with MOSI idle configuration 2024-07-29 01:19:51 +01:00
staging xz: remove XZ_EXTERN and extern from functions 2024-09-01 20:43:27 -07:00
target
tee
timers treewide: Fix wrong singular form of jiffies in comments 2024-09-08 20:47:40 +02:00
tools
trace tracing/Documentation: Start a document on how to debug with tracing 2024-08-26 13:54:08 -04:00
translations move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
usb usb: gadget: f_uac1: Change volume name and remove alt names 2024-08-13 18:11:35 +02:00
userspace-api Landlock updates for v6.12-rc1 2024-09-24 10:40:11 -07:00
virt x86: 2024-09-28 09:20:14 -07:00
w1
watchdog [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
wmi platform/x86: dell-ddv: Fix typo in documentation 2024-10-06 12:47:40 +02:00
.gitignore
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py
docutils.conf
dontdiff Kbuild updates for v6.12 2024-09-24 13:02:06 -07:00
index.rst
Kconfig
Makefile
memory-barriers.txt docs/memory-barriers.txt: Remove left-over references to "CACHE COHERENCY" 2024-09-13 23:56:44 -07:00
SubmittingPatches
subsystem-apis.rst