On Wed, 2023-02-01 at 15:26 -0800, Fan Wu wrote:
> On Tue, Jan 31, 2023 at 02:22:01PM +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote:
> > > From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> > >
> > > dm-verity provides a strong guarantee of a block device's integrity. As
> > > a generic way to check the integrity of a block device, it provides
> > > those integrity guarantees to its higher layers, including the filesystem
> > > level.
> >
> > I think you could reuse most of is_trusted_verity_target(), in
> > particular dm_verity_get_root_digest().
> >
> > And probably, the previous patch is not necessary.
> >
> > Roberto
> >
> Thanks for the info. It seems this function could be used to get the roothash,
> but for saving the signature we still need the hook function in the previous
> patch.

Uhm, look at the LoadPin case. It does not need to temporarily store
the root digest in a security blob. It evaluates it directly.

Well, ok, dm_verity_loadpin_is_bdev_trusted() looks for trusted digests
in the dm_verity_loadpin_trusted_root_digests list. So, something
equivalent needs to be made for IPE (or you just get the digest).
However, I find not introducing new hooks and evaluating the
information directly more efficient.

Roberto