From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Mikulas Patocka" <mpatocka@redhat.com>, <luca.boccassi@gmail.com>
Cc: <dm-devel@lists.linux.dev>, <snitzer@kernel.org>,
<serge@hallyn.com>, <wufan@linux.microsoft.com>,
"David Howells" <dhowells@redhat.com>, <keyrings@vger.kernel.org>,
<linux-integrity@vger.kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>
Subject: Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected
Date: Tue, 24 Sep 2024 18:54:21 +0300 [thread overview]
Message-ID: <D4EMWUMBIM94.3PM88QAV6LG6B@kernel.org> (raw)
In-Reply-To: <6b3e0e45-5efe-3032-62b8-75dcd45c879c@redhat.com>
On Mon Sep 23, 2024 at 5:04 PM EEST, Mikulas Patocka wrote:
>
>
> On Sun, 22 Sep 2024, luca.boccassi@gmail.com wrote:
>
> > From: Luca Boccassi <bluca@debian.org>
> >
> > If enabled, we fall back to the platform keyring if the trusted keyring doesn't have
> > the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
> > reasons, such as usage restrictions, we do not fall back. Do so.
> >
> > Follow-up for 6fce1f40e95182ebbfe1ee3096b8fc0b37903269
> >
> > Suggested-by: Serge Hallyn <serge@hallyn.com>
> > Signed-off-by: Luca Boccassi <bluca@debian.org>
>
> Hi
>
> I'm not an expert in keyrings.
>
> I added keyring maintainers to the CC. Please review this patch and
> Ack/Nack it.
>
> Mikulas
>
> > ---
> > drivers/md/dm-verity-verify-sig.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> > index d351d7d39c60..a9e2c6c0a33c 100644
> > --- a/drivers/md/dm-verity-verify-sig.c
> > +++ b/drivers/md/dm-verity-verify-sig.c
> > @@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
> > #endif
> > VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> > #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> > - if (ret == -ENOKEY)
> > + if (ret == -ENOKEY || ret == -EKEYREJECTED)
> > ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
> > sig_len,
> > VERIFY_USE_PLATFORM_KEYRING,
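Review bot: the widened condition on the `+ if (ret == -ENOKEY || ret == -EKEYREJECTED)` line retries against the platform keyring for every -EKEYREJECTED result from the trusted-keyring attempt, while the commit message names only key usage restrictions as the motivating case; a short comment above the `if` stating which rejection outcomes are intended to fall through would make that scope explicit for future readers. Note also that the second verify_pkcs7_signature() call overwrites `ret`, so when both keyrings reject the signature the caller only sees the platform keyring's error, never the trusted keyring's reason.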
> > --
> > 2.39.5
> >
I know nothing about dm-verity. What does it even do?
BR, Jarkko
Thread overview: 19+ messages
2024-09-22 16:17 [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected luca.boccassi
2024-09-23 14:04 ` Mikulas Patocka
2024-09-24 15:54 ` Jarkko Sakkinen [this message]
2024-09-24 18:27 ` Mikulas Patocka
2024-09-24 21:36 ` Jarkko Sakkinen
2024-09-24 21:59 ` Eric Biggers
2024-09-25 7:51 ` Jarkko Sakkinen
2024-09-25 8:03 ` Milan Broz
2024-09-25 9:05 ` Jarkko Sakkinen
2024-09-25 12:57 ` Serge E. Hallyn
2024-09-25 14:50 ` Jarkko Sakkinen
2024-09-25 16:53 ` Eric Biggers
2024-09-25 17:15 ` Jarkko Sakkinen
2024-09-25 21:28 ` Luca Boccassi
2024-09-27 7:12 ` Milan Broz
2024-09-25 15:37 ` Mikulas Patocka
2024-09-25 21:37 ` Luca Boccassi
2024-09-26 15:02 ` Mikulas Patocka
2024-09-26 15:41 ` Luca Boccassi