Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed Sep 25, 2024 at 3:57 PM EEST, Serge E. Hallyn wrote:
> On Wed, Sep 25, 2024 at 12:05:59PM +0300, Jarkko Sakkinen wrote:
> > On Wed Sep 25, 2024 at 11:03 AM EEST, Milan Broz wrote:
> > > >> Doesn't dm-verity have a maintainer?
> > >
> > > (This reminds me of a nice comment from Neil about "little walled
> > > gardens" between MD & DM.  Apparently it applies to other subsystems
> > > as well. Sorry, I couldn't resist to mention it :-)
> > 
> > Np, it's just that last and only time I've ever read anything about
> > dm-verity was 2011 article :-)
> > 
> > I will rephrase question: does dm-verity have a user? ;-)
>
> It gets used for integrity guarantees in certain containers, where
> the layers of tarballs are replaced by layers of squashfs, with the
> dmverity root hash for each layer listed in the signed manifest, e.g.
>
> github.com/project-stacker/stacker
> github.com/project-machine/atomfs
>
> This is used of course to verify container integrity, and also gets used by
> some projects and products to create an RFS from such images during initrd
>
> github.com/project-machine/mos

OK got it!

I did some studying and query and to put short it is a merkle tree
for rootfs for devices like phones and tablets for instance. I.e.
when you modify only on "system update". 

So... let's check the mainatainers list:

❯ scripts/get_maintainer.pl drivers/md/dm-verity-verify-sig.c
Alasdair Kergon <agk@xxxxxxxxxx> (maintainer:DEVICE-MAPPER  (LVM))
Mike Snitzer <snitzer@xxxxxxxxxx> (maintainer:DEVICE-MAPPER  (LVM))
Mikulas Patocka <mpatocka@xxxxxxxxxx> (maintainer:DEVICE-MAPPER  (LVM))
dm-devel@xxxxxxxxxxxxxxx (open list:DEVICE-MAPPER  (LVM))
linux-kernel@xxxxxxxxxxxxxxx (open list)

Mikulas, I guess you take care of this if I just ack the return value?

If that holds, and given that I actually know what verify_pkcs7_signature()
does, I think the code patch makes sense to me, and thus:

Acked-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

I.e. I think it uses API correctly.

>
> -serge

BR, Jarkko





[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux