Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 25 Sept 2024 at 17:38, Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
>
>
>
> On Sun, 22 Sep 2024, luca.boccassi@xxxxxxxxx wrote:
>
> > From: Luca Boccassi <bluca@xxxxxxxxxx>
> >
> > If enabled, we fallback to the platform keyring if the trusted keyring doesn't have
> > the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
> > reasons, such as usage restrictions, we do not fallback. Do so.
> >
> > Follow-up for 6fce1f40e95182ebbfe1ee3096b8fc0b37903269
> >
> > Suggested-by: Serge Hallyn <serge@xxxxxxxxxx>
> > Signed-off-by: Luca Boccassi <bluca@xxxxxxxxxx>
> > ---
> >  drivers/md/dm-verity-verify-sig.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> > index d351d7d39c60..a9e2c6c0a33c 100644
> > --- a/drivers/md/dm-verity-verify-sig.c
> > +++ b/drivers/md/dm-verity-verify-sig.c
> > @@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
> >  #endif
> >                               VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> >  #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> > -     if (ret == -ENOKEY)
> > +     if (ret == -ENOKEY || ret == -EKEYREJECTED)
> >               ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
> >                                       sig_len,
> >                                       VERIFY_USE_PLATFORM_KEYRING,
> > --
> > 2.39.5
>
> Hi
>
> Please describe what problem does this patch solve. I.e. why would anyone
> put a key into the trusted keyring that could sign the roothash and
> restrict its usage so that it can't be used to sign the roothash?
>
> In the other places of the kernel, only -ENOKEY is tested:
> kexec_kernel_verify_pe_sig:
> if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
> s390_verify_sig:
> if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
> do they need to be converted to -EKEYREJECTED too?

To be perfectly honest, I do not have a use case for the EKEYREJECTED
fallback - it was suggested by Serge when I was working on the IPE
keyrings usage:

https://lore.kernel.org/all/20240920020217.GA528455@xxxxxxxxxxxxxxx/

I would like to maintain the usage of keyrings in sync between the two
components given they are used together, for consistency, so I
counter-proposed to send the change to dmverity first. I am following
up on that promise with this patch.
If there are reasons not to take this change, or if there are no
convincing reasons to take it, I do not have strong opinions either
way so I don't mind what the outcome is either way, as I am just
following up on that review comment. I'll let Serge explain the
reasoning for the request, if he wants to do it.

If this change is accepted, I will send the same for IPE. If not, I
won't. I do not directly use other subsystems that use these keyrings,
so I will not send changes for those even if this goes in.




[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux