On Mon, 17 Jun 2024 at 23:00, <luca.boccassi@xxxxxxxxx> wrote: > > From: Luca Boccassi <bluca@xxxxxxxxxx> > > Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING > that enables verifying dm-verity signatures using the platform keyring, > which is populated using the UEFI DB certificates. This is useful for > self-enrolled systems that do not use MOK, as the secondary keyring which > is already used for verification, if the relevant kconfig is enabled, is > linked to the machine keyring, which gets its certificates loaded from MOK. > On datacenter/virtual/cloud deployments it is more common to deploy one's > own certificate chain directly in DB on first boot in unattended mode, > rather than relying on MOK, as the latter typically requires interactive > authentication to enroll, and is more suited for personal machines. > > Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > if not otherwise specified, as it is likely that if one wants to use > MOK certificates to verify dm-verity volumes, DB certificates are > going to be used too. Keys in DB are allowed to load a full kernel > already anyway, so they are already highly privileged. > > Signed-off-by: Luca Boccassi <bluca@xxxxxxxxxx> > --- > drivers/md/Kconfig | 10 ++++++++++ > drivers/md/dm-verity-verify-sig.c | 7 +++++++ > 2 files changed, 17 insertions(+) > > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 35b1080752cd..1e9db8e4acdf 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig 
> @@ -540,6 +540,16 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > > If unsure, say N. > > +config DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING > + bool "Verity data device root hash signature verification with platform keyring" > + default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING > + depends on DM_VERITY_VERIFY_ROOTHASH_SIG > + depends on INTEGRITY_PLATFORM_KEYRING > + help > + Rely also on the platform keyring to verify dm-verity signatures. > + > + If unsure, say N. > + > config DM_VERITY_FEC > bool "Verity forward error correction support" > depends on DM_VERITY > diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c > index 4836508ea50c..d351d7d39c60 100644 > --- a/drivers/md/dm-verity-verify-sig.c > +++ b/drivers/md/dm-verity-verify-sig.c > @@ -126,6 +126,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len, > NULL, > #endif > VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); > +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING > + if (ret == -ENOKEY) > + ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data, > + sig_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); > +#endif > > return ret; > } Gentle ping. Anything I can do to help move this patch forward? It fixes a gap in our dm-verity story that I'd really like to see sorted for the next release. We will use this in systemd, among other things. Thanks!
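Review bot: in the Kconfig hunk the help text ("Rely also on the platform keyring to verify dm-verity signatures.") is too thin for an option that widens the set of signers able to authorize a root hash, especially with `default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING`, which silently turns the new trust source on for every config that already selected the secondary keyring. Move the commit message's explanation into the help: that the platform keyring is populated from the UEFI db certificates, that the secondary/machine keyring path only covers MOK, and that enabling this lets any db-signed root hash be accepted. Since the diffstat touches only drivers/md/Kconfig and drivers/md/dm-verity-verify-sig.c, the user-facing dm-verity documentation that describes which keyrings root hash signatures are checked against should gain a matching sentence in the same series.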
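Review bot: in the dm-verity-verify-sig.c hunk the fallback is taken only on `ret == -ENOKEY`, which is the right condition (a signature whose signer was found in the first keyring but rejected, -EKEYREJECTED or -EBADMSG, must not get a second chance elsewhere), but nothing says so; add a one-line comment above the `#ifdef` stating that the platform keyring is consulted only when no trusted key matched, so a later change does not loosen it to "any error". It is also worth noting in that comment that the PKCS#7 blob is parsed and its chain walked a second time on the fallback path; that is acceptable here since it happens once per table load, but a reader should not have to work it out from the two `verify_pkcs7_signature()` calls.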
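For readers following the thread, the userspace side of what this patch changes in the kernel is producing the detached PKCS#7 blob that veritysetup passes via --root-hash-signature and that verity_verify_root_hash() checks against a keyring. The script below is an added example, not code from the patch or from systemd: it generates a signer key and certificate (standing in for one that would be enrolled in UEFI db and thus appear in the .platform keyring), signs a constructed sample root hash the way veritysetup expects, and verifies it against that certificate as a trust anchor, including the negative case of a tampered hash. The file names, subject name and sample hash are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the patch or systemd): build and check the detached
# PKCS#7 root hash signature that veritysetup hands to the kernel. The
# self-signed cert stands in for one enrolled in UEFI db; names and the
# sample root hash are constructed for illustration.
set -eu

# Constructed sample: a sha256 dm-verity root hash as veritysetup prints it.
# The kernel verifies the signature over these ASCII hex bytes (no newline),
# not over the decoded digest.
SAMPLE_ROOTHASH=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Key + self-signed cert. verity.der is the form one would enroll into db;
# it is generated here only so the example runs offline.
make_signing_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=example dm-verity signer/' \
        -keyout "$dir/verity.key" -out "$dir/verity.crt" 2>/dev/null
    openssl x509 -in "$dir/verity.crt" -outform DER -out "$dir/verity.der"
}

# Detached PKCS#7 (DER) over the hex root hash. -binary: sign the bytes as
# given; -noattr: no signed attributes; -nocerts: do not embed the signer
# cert, the kernel has to find it in a trusted keyring anyway.
sign_root_hash() {
    roothash=$1 key=$2 cert=$3 out=$4
    printf '%s' "$roothash" > "$out.data"
    openssl smime -sign -nocerts -noattr -binary \
        -in "$out.data" -inkey "$key" -signer "$cert" \
        -outform der -out "$out"
}

# Userspace stand-in for the kernel check: the signature must match the given
# hex root hash AND chain to the supplied trust anchor. Non-zero on a
# tampered hash or an untrusted signer.
verify_root_hash_sig() {
    roothash=$1 sig=$2 anchor=$3
    content=$(mktemp)
    printf '%s' "$roothash" > "$content"
    if openssl smime -verify -binary -inform der -in "$sig" \
            -content "$content" -certfile "$anchor" -CAfile "$anchor" \
            -out /dev/null 2>/dev/null; then
        rm -f "$content"; return 0
    fi
    rm -f "$content"; return 1
}

# End-to-end: sign the sample hash, accept it, reject a one-nibble change.
# Prints "ok" and returns 0 when both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    make_signing_cert "$work"
    sign_root_hash "$SAMPLE_ROOTHASH" "$work/verity.key" "$work/verity.crt" \
        "$work/roothash.p7s"
    verify_root_hash_sig "$SAMPLE_ROOTHASH" "$work/roothash.p7s" "$work/verity.crt" \
        || { echo "good signature rejected" >&2; return 1; }
    tampered="${SAMPLE_ROOTHASH%?}0"
    if verify_root_hash_sig "$tampered" "$work/roothash.p7s" "$work/verity.crt"; then
        echo "tampered root hash accepted" >&2; return 1
    fi
    rm -rf "$work"
    echo ok
}

# On the target, once verity.der is enrolled in db, the cert is expected under
#   keyctl show %:.platform
# and the volume is opened with
#   veritysetup open DATA_DEV NAME HASH_DEV "$ROOTHASH" \
#       --root-hash-signature=roothash.p7s
# which fails in the table constructor unless a keyring the kernel consults
# trusts the signer.
case ${1:-} in run) demo ;; esac
```

Run it as `sh verity-sign.sh run`; it prints `ok` when the good signature validates and the tampered hash is refused. The -certfile/-CAfile pair mirrors what the kernel does with a keyring: the signer certificate is not carried in the blob (-nocerts), so verification succeeds only when the verifier already holds it as trusted, which is exactly the gap the platform keyring option closes for db-enrolled certificates.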