From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Alasdair Kergon" <agk@redhat.com>,
"Mike Snitzer" <snitzer@redhat.com>,
"Deven Bowers" <deven.desai@linux.microsoft.com>,
"Jaskaran Khurana" <jaskarankhurana@linux.microsoft.com>,
"Milan Broz" <gmazyland@gmail.com>,
dm-devel@redhat.com, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Mickaël Salaün" <mic@linux.microsoft.com>
Subject: Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
Date: Tue, 13 Oct 2020 02:55:02 +0300
Message-ID: <20201012235502.GA36149@linux.intel.com>
In-Reply-To: <bda2ffd7-3b7c-33a4-667f-a3435e112fc1@digikod.net>

On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
> Hi,
>
> What do you think about this patch?
>
> Regards,
> Mickaël
>
> On 02/10/2020 09:18, Mickaël Salaün wrote:
> > From: Mickaël Salaün <mic@linux.microsoft.com>
> >
> > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> > to enable dm-verity signatures to be verified against the secondary
> > trusted keyring. This allows certificate updates without kernel update
> > and reboot, aligning with module and kernel (kexec) signature
> > verifications.

I'd prefer a bit more verbose phrasing, not least because I have never
really even peeked at dm-verity, but it is also a good practice.

You have the middle part of the story missing - explaining the semantics
of how the feature leads to the aimed solution.

/Jarkko