If enabled, we fall back to the platform keyring if the trusted keyring
doesn't have the key used to sign the ipe policy. But if pkcs7_verify()
rejects the key for other reasons, such as usage restrictions, we do not
fall back. Do so, following the same change in dm-verity.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Suggested-by: Serge Hallyn <serge@hallyn.com>
[FW: fixed some line length issues and a typo in the commit message]
Signed-off-by: Fan Wu <wufan@kernel.org>
                                            VERIFYING_UNSPECIFIED_SIGNATURE,
                                            set_pkcs7_data, new);
 #ifdef CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING
-               if (rc == -ENOKEY)
+               if (rc == -ENOKEY || rc == -EKEYREJECTED)
                        rc = verify_pkcs7_signature(NULL, 0, new->pkcs7, pkcs7len,
                                                    VERIFY_USE_PLATFORM_KEYRING,
                                                    VERIFYING_UNSPECIFIED_SIGNATURE,
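Review bot: the widened condition `if (rc == -ENOKEY || rc == -EKEYREJECTED)` deserves a short comment in the code itself, since the reason for retrying on -EKEYREJECTED (the trusted keyring holds the key but rejects it for usage restrictions, mirroring dm-verity) lives only in the commit message; a reader of the source would otherwise assume the fallback is only for a missing key. Something like `/* Also retry on -EKEYREJECTED: the key may be present but restricted; same as dm-verity */` above the check would make the intent self-documenting.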