
Merge tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe

Pull ipe update from Fan Wu:
"A single commit from Eric Biggers to simplify the IPE (Integrity
Policy Enforcement) policy audit with the SHA-256 library API"

* tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
ipe: use SHA-256 library API instead of crypto_shash API

+6 -28
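--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -6,6 +6,7 @@
 menuconfig SECURITY_IPE
 bool "Integrity Policy Enforcement (IPE)"
 depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
+select CRYPTO_LIB_SHA256
 select PKCS7_MESSAGE_PARSER
 select SYSTEM_DATA_VERIFICATION
 select IPE_PROP_DM_VERITY if DM_VERITY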
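--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -6,7 +6,7 @@
 #include <linux/slab.h>
 #include <linux/audit.h>
 #include <linux/types.h>
-#include <crypto/hash.h>
+#include <crypto/sha2.h>
 
 #include "ipe.h"
 #include "eval.h"
@@ -17,7 +17,7 @@
 
 #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
 
-#define IPE_AUDIT_HASH_ALG "sha256"
+#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
 
 #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
 "policy_digest=" IPE_AUDIT_HASH_ALG ":"
@@ -182,37 +182,14 @@
 const char *audit_format,
 const struct ipe_policy *const p)
 {
-SHASH_DESC_ON_STACK(desc, tfm);
-struct crypto_shash *tfm;
-u8 *digest = NULL;
+u8 digest[SHA256_DIGEST_SIZE];
 
-tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0);
-if (IS_ERR(tfm))
-return;
-
-desc->tfm = tfm;
-
-digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL);
-if (!digest)
-goto out;
-
-if (crypto_shash_init(desc))
-goto out;
-
-if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len))
-goto out;
-
-if (crypto_shash_final(desc, digest))
-goto out;
+sha256(p->pkcs7, p->pkcs7len, digest);
 
 audit_log_format(ab, audit_format, p->parsed->name,
 p->parsed->version.major, p->parsed->version.minor,
 p->parsed->version.rev);
-audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm));
-
-out:
-kfree(digest);
-crypto_free_shash(tfm);
+audit_log_n_hex(ab, digest, sizeof(digest));
 }
 
 /**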
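Review bot: The tie between the `"sha256"` label in `IPE_AUDIT_HASH_ALG` and the algorithm actually run is documented only at the macro; the `sha256()` call in the last hunk (presumably `audit_policy()`, whose signature starts above the hunk) has no matching reminder. Someone swapping the hash there could leave audit records labelled with the wrong algorithm, so I would add above the call `/* labelled via IPE_AUDIT_HASH_ALG in the format strings; change both together */`. The function's kernel-doc should also state that the digest covers the PKCS#7 blob (`p->pkcs7`, `p->pkcs7len`) rather than the parsed policy text, since log consumers compare against that value. Whether `p->pkcs7` can be NULL with a zero length is not visible here; if it can, the record would carry the digest of empty input, and that case deserves a comment too.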