On Mon, Sep 30, 2024 at 11:27 AM Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
>
>
>
> On Mon, 30 Sep 2024, Will Drewry wrote:
>
> > > The dm-verity behavior was reported as a security bug, so by default, it
> > > should behave in the secure way - i.e. restart or panic on I/O error.
> > >
> > > Do you intend to use dm-verity in Android and ChromeOS in the less-secure
> > > way where it returns -EIO? Have you audited the Android and ChromeOS
> > > codebase so that -EIO can't cause security breach? If yes, I can make a
> > > configuration switch for you that will enable the old behavior.
> >
> > tl;dr don't change the default behavior, but adding a reboot-on-eio is nice.
>
> OK, so I can revert it if you want it.

That or an argument so the old behavior can remain for those who are
using it (I can send a patch for that if it's easier too).

> I'd like to ask - there is another change in that patch - I changed
> kernel_restart("dm-verity device corrupted");
> to
> pr_emerg("dm-verity device corrupted\n");
> emergency_restart();
>
> Because kernel_restart calls reboot notifiers and they may in theory wait
> for the bio that caused the restart, resulting in deadlock.
>
> Do you want to have this part of the patch reverted too?

IMHO, that's a good change! If the policy is to restart on corruption,
then it makes sense to avoid the reboot notifiers.

Thanks!
will
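Added example, not part of this thread or of the dm-verity code: the discussion above is about which on-corruption policy a dm-verity target runs with (the upstream default of returning -EIO, versus restart_on_corruption, panic_on_corruption or ignore_corruption, which are the optional parameters in the documented dm-verity table line). The script below parses `dmsetup table` output and reports that policy per target, so an operator can check which of their devices still rely on the -EIO behaviour. The device names, paths, digests and salts in SAMPLE_TABLE are constructed sample values, not real devices.

```python
"""Audit the on-corruption policy of dm-verity targets from `dmsetup table` output.

Added example (not from the mailing-list thread above and not dm-verity's own
code). Table line format follows Documentation/admin-guide/device-mapper/verity.rst:
  <start> <length> verity <version> <data_dev> <hash_dev> <data_block_size>
  <hash_block_size> <num_data_blocks> <hash_start_block> <algorithm> <digest>
  <salt> [<#opt_params> <opt_params>]
`dmsetup table` with no device argument prefixes each line with "<name>: ".
"""

# Optional parameters that consume a following value token; all others are bare flags.
_VALUED_OPTS = {"use_fec_from_device", "fec_roots", "fec_blocks", "fec_start",
                "root_hash_sig_key_desc"}

# Maps the corruption-handling options to a short policy label.
_POLICY_OPTS = {"ignore_corruption": "ignore",
                "restart_on_corruption": "restart",
                "panic_on_corruption": "panic"}

# Constructed sample output (not real hardware); the `home` line is a non-verity target.
SAMPLE_TABLE = """\
vroot: 0 4194304 verity 1 /dev/sda2 /dev/sda3 4096 4096 524288 1 sha256 0123abcd 00ff 2 restart_on_corruption ignore_zero_blocks
vpanic: 0 8192 verity 1 /dev/sdb1 /dev/sdb2 4096 4096 1024 1 sha256 deadbeef 1234 1 panic_on_corruption
vlegacy: 0 8192 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 1024 1 sha256 cafef00d 5678
home: 0 8192 linear /dev/sdd1 0
"""


def parse_verity_line(line):
    """Return (name, policy, opts) for a verity table line, or None for other targets.

    name is None when the line has no "<name>: " prefix. policy is one of
    "eio" (no corruption option given, the upstream default), "ignore",
    "restart" or "panic". opts is the list of (option, value) pairs found.
    """
    line = line.strip()
    if not line:
        return None
    name = None
    first = line.split(maxsplit=1)[0]
    if first.endswith(":"):
        name = first[:-1]
        line = line[len(first):].strip()
    fields = line.split()
    if len(fields) < 13 or fields[2] != "verity":
        return None
    opts = []
    tail = fields[13:]
    if tail:
        count = int(tail[0])          # number of option *words*, values included
        toks = tail[1:1 + count]
        if len(toks) != count:
            raise ValueError("truncated optional parameters: %r" % line)
        i = 0
        while i < len(toks):
            key = toks[i]
            if key in _VALUED_OPTS:
                opts.append((key, toks[i + 1]))
                i += 2
            else:
                opts.append((key, None))
                i += 1
    # This parser assumes a later corruption option overrides an earlier one.
    policy = "eio"
    for key, _ in opts:
        policy = _POLICY_OPTS.get(key, policy)
    return name, policy, opts


def audit_table(text):
    """Map each verity target name (or its line index when unnamed) to its policy."""
    result = {}
    for idx, line in enumerate(text.splitlines()):
        parsed = parse_verity_line(line)
        if parsed is None:
            continue
        name, policy, _ = parsed
        result[name if name is not None else idx] = policy
    return result


def weak_targets(text):
    """Names of verity targets that neither restart nor panic on a hash mismatch."""
    return [n for n, p in audit_table(text).items() if p in ("eio", "ignore")]


if __name__ == "__main__":
    # In practice: feed `dmsetup table` output via stdin or a file instead of the sample.
    for name, policy in audit_table(SAMPLE_TABLE).items():
        print("%-10s %s" % (name, policy))
    print("targets still returning -EIO or ignoring corruption:", weak_targets(SAMPLE_TABLE))
```

On a live system, replace SAMPLE_TABLE with the real `dmsetup table` output; targets listed by weak_targets are the ones whose behaviour on corruption is the -EIO path the thread discusses, so the consumer of that error has to be audited instead of relying on the kernel to restart.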