On Mon, Sep 30, 2024 at 11:27 AM Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
>
>
>
> On Mon, 30 Sep 2024, Will Drewry wrote:
>
> > > The dm-verity behavior was reported as a security bug, so by default, it
> > > should behave in the secure way - i.e. restart or panic on I/O error.
> > >
> > > Do you intend to use dm-verity in Android and ChromeOS in the less-secure
> > > way where it returns -EIO? Have you audited the Android and ChromeOS
> > > codebase so that -EIO can't cause security breach? If yes, I can make a
> > > configuration switch for you that will enable the old behavior.
> >
> > tl;dr don't change the default behavior, but adding a reboot-on-eio is nice.
>
> OK, so I can revert it if you want it.
That or an argument so the old behavior can remain for those who are using it
(I can send a patch for that if it's easier too).
> I'd like to ask - there is another change in that patch - I changed
> kernel_restart("dm-verity device corrupted");
> to
> pr_emerg("dm-verity device corrupted\n");
> emergency_restart();
>
> Because kernel_restart calls reboot notifiers and they may in theory wait
> for the bio that caused the restart, resulting in deadlock.
>
> Do you want to have this part of the patch reverted too?
IMHO, that's a good change! If the policy is to restart on corruption, then
it makes sense to avoid the reboot notifiers.
Thanks!
will
