Re: [RFC PATCH v5 1/1] Add dm verity root hash pkcs7 sig validation.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Hello Mike,
On Tue, 25 Jun 2019, Mike Snitzer wrote:

On Wed, Jun 19 2019 at  3:10pm -0400,
Jaskaran Khurana <jaskarankhurana@xxxxxxxxxxxxxxxxxxx> wrote:

The verification is to support cases where the roothash is not secured by
Trusted Boot, UEFI Secureboot or similar technologies.
One of the use cases for this is for dm-verity volumes mounted after boot,
the root hash provided during the creation of the dm-verity volume has to
be secure and thus in-kernel validation implemented here will be used
before we trust the root hash and allow the block device to be created.

The signature being provided for verification must verify the root hash and
must be trusted by the builtin keyring for verification to succeed.

The hash is added as a key of type "user" and the description is passed to
the kernel so it can look it up and use it for verification.

Kernel commandline parameter will indicate whether to check (only if
specified) or force (for all dm verity volumes) roothash signature
verification.

Kernel commandline: dm_verity.verify_sig=1 or 2 for check/force root hash
signature validation respectively.

Signed-off-by: Jaskaran Khurana <jaskarankhurana@xxxxxxxxxxxxxxxxxxx>

Milan and/or others: could you please provide review and if you're OK
with this patch respond accordingly?


The v7 of this patch was Reviewed and Tested by Milan Broz. Could you tell me when this will be merged/next steps, if required I can post the patches again.

Thanks,
Mike

Regards,
Jaskaran



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux