Re: [RFC PATCH v3 1/1] Add dm verity root hash pkcs7 sig validation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Sat, 8 Jun 2019, Milan Broz wrote:

On 08/06/2019 00:31, Jaskaran Khurana wrote:
Why is this different from existing FEC extension?
FEC uses ifdefs in header to blind functions if config is not set.

ifeq ($(CONFIG_DM_VERITY_FEC),y)
dm-verity-objs                  += dm-verity-fec.o
endif

...


The reasoning for doing it this way is that there might be scripts that create a device mapper device and then mount and use it, with the signature verification enabled in kernel the scripts would be passing the signature like:

veritysetup open params... --roothash-sig=<sig.p7>

If later due to some reason the DM_VERITY_VERIFY_ROOTHASH_SIG is disabled if we do not recognize the parameter then the scripts need to be changed or else they will fail with INVALID argument,
in current implementation the parameter for signature is always parsed but
enforced based on the config being set, so the scripts need not be changed. Let me know if you still feel I should be changing this and I will be happy to make the change, just wanted to share my reasoning for this.


Thanks,
Milan

Regards,
Jaskaran

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel



[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux