On 2/29/2024 11:42 AM, Eric Biggers wrote:
On Thu, Feb 29, 2024 at 10:59:21AM -0800, Fan Wu wrote:
So IPE is interested in whether a file has an fsverity builtin signature, but it
doesn't care what the signature is or whether it has been checked. What is the
point?
- Eric
It does make sure the signature is checked. This hook call can only be
triggered after fsverity_verify_signature() succeeds. Therefore, files that
are marked with the security blob inode_sec->fs_verity_sign set to true must
have successfully passed the fsverity_verify_signature() check.
Regarding the other question, the current version does not support defining
policies to trust files based on the inner content of their signatures
because the current patch set is already too large.
We plan to introduce new policy grammars to enable the policy to define
which certificate of the signature can be trusted after this version is
accepted.
Ah, I see, you're relying on the fact that fsverity_verify_signature() verifies
the signature (if present) even if fs.verity.require_signatures hasn't been set.
That does happen to be its behavior, but this isn't clearly documented since
there previously wasn't really a use case for the builtin signatures without
setting fs.verity.require_signatures. Can you please make sure this behavior is
documented properly in Documentation/filesystems/fsverity.rst and in function
comments? Otherwise I worry that it could get changed and break your code.
- Eric
Thanks for the suggestion. I will add this info in the next version.
-Fan