Re: [PATCH v4 0/3] LoadPin: Enable loading from trusted dm-verity devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, May 18 2022 at  3:23P -0400,
Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> On Tue, May 17, 2022 at 04:34:54PM -0700, Matthias Kaehlcke wrote:
> > As of now LoadPin restricts loading of kernel files to a single pinned
> > filesystem, typically the rootfs. This works for many systems, however it
> > can result in a bloated rootfs (and OTA updates) on platforms where
> > multiple boards with different hardware configurations use the same rootfs
> > image. Especially when 'optional' files are large it may be preferable to
> > download/install them only when they are actually needed by a given board.
> > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages'
> > at runtime. As an example a DLC package could contain firmware for a
> > peripheral that is not present on all boards. DLCs use dm-verity [2] to
> > verify the integrity of the DLC content.
> 
> For the coming v5 (which will fix the 0-day reports), if I can get some
> Acks from the dm folks, I can carry this with other loadpin changes in
> my tree. Though I'm fine with this going via the dm tree, too:
> 
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

I'll review it once it's posted.

But I'm going to reply to v4's 1/3 now.

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel




[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux