On Thu, Oct 15 2020 at 11:05am -0400, Mickaël Salaün <m...@digikod.net> wrote:
> From: Mickaël Salaün <m...@linux.microsoft.com> > > Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > to enable dm-verity signatures to be verified against the secondary > trusted keyring. Instead of relying on the builtin trusted keyring > (with hard-coded certificates), the second trusted keyring can include > certificate authorities from the builtin trusted keyring and child > certificates loaded at run time. Using the secondary trusted keyring > enables to use dm-verity disks (e.g. loop devices) signed by keys which > did not exist at kernel build time, leveraging the certificate chain of > trust model. In practice, this makes it possible to update certificates > without kernel update and reboot, aligning with module and kernel > (kexec) signature verification which already use the secondary trusted > keyring. > > Cc: Alasdair Kergon <a...@redhat.com> > Cc: Andrew Morton <a...@linux-foundation.org> > Cc: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com> > Cc: Jaskaran Khurana <jaskarankhur...@linux.microsoft.com> > Cc: Mike Snitzer <snit...@redhat.com> > Cc: Milan Broz <gmazyl...@gmail.com> > Signed-off-by: Mickaël Salaün <m...@linux.microsoft.com> > --- > > Previous version: > https://lore.kernel.org/lkml/20201002071802.535023-1-...@digikod.net/ > > Changes since v1: > * Extend the commit message (asked by Jarkko Sakkinen). > * Rename the Kconfig "help" keyword according to commit 84af7a6194e4 > ("checkpatch: kconfig: prefer 'help' over '---help---'"). Can you please explain why you've decided to make this a Kconfig CONFIG knob? Why not either add: a dm-verity table argument? A dm-verity kernel module parameter? or both (to allow a particular default but then per-device override)? Otherwise, _all_ DM verity devices will be configured to use secondary keyring fallback. Is that really desirable? Regardless, I really don't see why a Kconfig knob is appropriate. Mike > --- > drivers/md/Kconfig | 13 ++++++++++++- > drivers/md/dm-verity-verify-sig.c | 9 +++++++-- > 2 files changed, 19 insertions(+), 3 deletions(-) > > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 30ba3573626c..1d68935e45ef 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -530,11 +530,22 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG > bool "Verity data device root hash signature verification support" > depends on DM_VERITY > select SYSTEM_DATA_VERIFICATION > - help > + help > Add ability for dm-verity device to be validated if the > pre-generated tree of cryptographic checksums passed has a pkcs#7 > signature file that can validate the roothash of the tree. > > + By default, rely on the builtin trusted keyring. > + > + If unsure, say N. > + > +config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > + bool "Verity data device root hash signature verification with > secondary keyring" > + depends on DM_VERITY_VERIFY_ROOTHASH_SIG > + depends on SECONDARY_TRUSTED_KEYRING > + help > + Rely on the secondary trusted keyring to verify dm-verity signatures. > + > If unsure, say N. > > config DM_VERITY_FEC > diff --git a/drivers/md/dm-verity-verify-sig.c > b/drivers/md/dm-verity-verify-sig.c > index 614e43db93aa..29385dc470d5 100644 > --- a/drivers/md/dm-verity-verify-sig.c > +++ b/drivers/md/dm-verity-verify-sig.c > @@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, > size_t root_hash_len, > } > > ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data, > - sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE, > - NULL, NULL); > + sig_len, > +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > + VERIFY_USE_SECONDARY_KEYRING, > +#else > + NULL, > +#endif > + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); > > return ret; > } > > base-commit: bbf5c979011a099af5dc76498918ed7df445635b > -- > 2.28.0 >
