Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected

On Sun, 22 Sep 2024, luca.boccassi@xxxxxxxxx wrote:

> From: Luca Boccassi <bluca@xxxxxxxxxx>
> 
> If enabled, we fall back to the platform keyring if the trusted keyring doesn't have
> the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
> reasons, such as usage restrictions, we do not fall back. Do so.
> 
> Follow-up for 6fce1f40e95182ebbfe1ee3096b8fc0b37903269
> 
> Suggested-by: Serge Hallyn <serge@xxxxxxxxxx>
> Signed-off-by: Luca Boccassi <bluca@xxxxxxxxxx>
> ---
>  drivers/md/dm-verity-verify-sig.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> index d351d7d39c60..a9e2c6c0a33c 100644
> --- a/drivers/md/dm-verity-verify-sig.c
> +++ b/drivers/md/dm-verity-verify-sig.c
> @@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
>  #endif
>  				VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
>  #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> -	if (ret == -ENOKEY)
> +	if (ret == -ENOKEY || ret == -EKEYREJECTED)
>  		ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
>  					sig_len,
>  					VERIFY_USE_PLATFORM_KEYRING,
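Review bot: Widening the condition to `if (ret == -ENOKEY || ret == -EKEYREJECTED)` makes the fallback swallow the trusted-keyring rejection: the retry assigns `ret = verify_pkcs7_signature(..., VERIFY_USE_PLATFORM_KEYRING, ...)`, so when the platform keyring has no matching key the caller sees -ENOKEY and the original -EKEYREJECTED (and its reason) is lost. Consider recording the first error before the retry, and spelling out in the commit message which -EKEYREJECTED cases are meant to fall through, since -EKEYREJECTED is not limited to the usage-restriction case the message describes and the other callers of this pattern in the tree fall back on -ENOKEY only.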
> -- 
> 2.39.5

Hi

Please describe what problem this patch solves, i.e. why would anyone 
put a key into the trusted keyring that could sign the roothash and 
restrict its usage so that it can't be used to sign the roothash?

In other places in the kernel, only -ENOKEY is tested:
kexec_kernel_verify_pe_sig:
if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
s390_verify_sig:
if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
Do they need to be converted to -EKEYREJECTED too?

Mikulas
