On 2/29/2024 11:42 AM, Eric Biggers wrote:
> On Thu, Feb 29, 2024 at 10:59:21AM -0800, Fan Wu wrote:
>>> So IPE is interested in whether a file has an fsverity builtin signature, but it doesn't care what the signature is or whether it has been checked. What is the point?
>>>
>>> - Eric
>>
>> It does make sure the signature is checked. This hook call can only be triggered after fsverity_verify_signature() succeeds. Therefore, for files that are marked with the security blob inode_sec->fs_verity_sign as true, they must successfully pass the fsverity_verify_signature() check.
>>
>> Regarding the other question, the current version does not support defining policies to trust files based on the inner content of their signatures because the current patch set is already too large. We plan to introduce new policy grammars to enable the policy to define which certificate of the signature can be trusted after this version is accepted.
>
> Ah, I see, you're relying on the fact that fsverity_verify_signature() verifies the signature (if present) even if fs.verity.require_signatures hasn't been set. That does happen to be its behavior, but this isn't clearly documented since there previously wasn't really a use case for the builtin signatures without setting fs.verity.require_signatures. Can you please make sure this behavior is documented properly in Documentation/filesystems/fsverity.rst and in function comments? Otherwise I worry that it could get changed and break your code.
>
> - Eric

Thanks for the suggestion. I will add this info in the next version.

-Fan