On Mon, Jun 27 2022 at 11:35P -0400,
Matthias Kaehlcke <mka@xxxxxxxxxxxx> wrote:

> LoadPin limits loading of kernel modules, firmware and certain
> other files to a 'pinned' file system (typically a read-only
> rootfs). To provide more flexibility LoadPin is being extended
> to also allow loading these files from trusted dm-verity
> devices. For that purpose LoadPin can be provided with a list
> of verity root digests that it should consider as trusted.
>
> Add a bunch of helpers to allow LoadPin to check whether a DM
> device is a trusted verity device. The new functions broadly
> fall in two categories: those that need access to verity
> internals (like the root digest), and the 'glue' between
> LoadPin and verity. The new file dm-verity-loadpin.c contains
> the glue functions.
>
> Signed-off-by: Matthias Kaehlcke <mka@xxxxxxxxxxxx>
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

Acked-by: Mike Snitzer <snitzer@xxxxxxxxxx>

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel