On Wed, May 18 2022 at 3:23P -0400, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Tue, May 17, 2022 at 04:34:54PM -0700, Matthias Kaehlcke wrote: > > As of now LoadPin restricts loading of kernel files to a single pinned > > filesystem, typically the rootfs. This works for many systems, however it > > can result in a bloated rootfs (and OTA updates) on platforms where > > multiple boards with different hardware configurations use the same rootfs > > image. Especially when 'optional' files are large it may be preferable to > > download/install them only when they are actually needed by a given board. > > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages' > > at runtime. As an example a DLC package could contain firmware for a > > peripheral that is not present on all boards. DLCs use dm-verity [2] to > > verify the integrity of the DLC content. > > For the coming v5 (which will fix the 0-day reports), if I can get some > Acks from the dm folks, I can carry this with other loadpin changes in > my tree. Though I'm fine with this going via the dm tree, too: > > Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> I'll review it once it's posted. But I'm going to reply to v4's 1/3 now.
