From: Eric Biggers <ebiggers@xxxxxxxxxx> An issue that arises when migrating from builtin signatures to userspace signatures is that existing files that have builtin signatures cannot be opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or the signing certificate is left in the .fs-verity keyring. Since builtin signatures provide no security benefit when fs.verity.require_signatures=0 anyway, let's just skip the signature verification in this case. Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") Cc: <stable@xxxxxxxxxxxxxxx> # v5.4+ Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> --- fs/verity/signature.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/fs/verity/signature.c b/fs/verity/signature.c index 143a530a80088..dc6935701abda 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -13,8 +13,8 @@ #include <linux/verification.h> /* - * /proc/sys/fs/verity/require_signatures - * If 1, all verity files must have a valid builtin signature. + * /proc/sys/fs/verity/require_signatures. If 1, then builtin signatures are + * verified and all verity files must have a valid builtin signature. */ static int fsverity_require_signatures; 
@@ -54,6 +54,20 @@ int fsverity_verify_signature(const struct fsverity_info *vi, return 0; } + /* + * If require_signatures=0, don't verify builtin signatures. + * Originally, builtin signatures were verified opportunistically in + * this case. However, no security property is possible when + * require_signatures=0 anyway. Skipping the builtin signature + * verification makes it easier to migrate existing files from builtin + * signature verification to userspace signature verification. + */ + if (!fsverity_require_signatures) { + fsverity_warn(inode, + "Not checking builtin signature due to require_signatures=0"); + return 0; + } + d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL); if (!d) return -ENOMEM; base-commit: 479174d402bcf60789106eedc4def3957c060bad -- 2.38.1
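Review bot: in the first hunk, the rewritten comment above `fsverity_require_signatures` now describes only the `1` case, but this patch is precisely about the `0` case, which changes from opportunistic verification to no verification at all; suggest stating both in one place, for example "If 1, builtin signatures are verified and all verity files must have a valid one. If 0, builtin signatures are ignored entirely." so a reader of the sysctl declaration does not have to find the early return in `fsverity_verify_signature()` to learn the new semantics.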
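Review bot: in the second hunk, the `fsverity_warn()` in the new `if (!fsverity_require_signatures)` block fires every time a signed file is set up while the sysctl is 0, which on a system that routinely uses signed files with `require_signatures=0` turns the default configuration into a steady stream of warnings; consider a rate-limited or once-only message, or demoting it to an informational level, since the condition is the expected state for the migration scenario the commit message describes rather than an error. It would also help future readers if the comment block said explicitly that the signature blob is no longer parsed at all in this case (the early return lands before the `kzalloc()` and everything after it), so that a malformed or mismatched signature is accepted silently with `require_signatures=0`, which is the intended trade-off but is not obvious from "don't verify" alone.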