On Sat, 8 Jun 2019, Milan Broz wrote:

> > Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
> > specified for all dm verity volumes and verification must succeed prior
> > to creation of device mapper block device.
>
> AFAIK there are tools that use dm-verity internally (some container
> functions in systemd can recognize and check dm-verity partitions) and with
> this option we will just kill possibility to use it without signature.
>
> Anyway, this is up to Mike and Mikulas, I guess generic distros will not
> set this option.

Right, I think this option would not be for a general purpose distro, but
for embedded systems and other cases where the user may want a more
tightly locked-down system.

--
James Morris
<jmorris@xxxxxxxxx>