From: Eric Biggers <ebiggers@kernel.org>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: tytso@mit.edu, corbet@lwn.net, viro@zeniv.linux.org.uk,
hughd@google.com, akpm@linux-foundation.org,
linux-fscrypt@vger.kernel.org, linux-doc@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open
Date: Fri, 12 Nov 2021 11:15:01 -0800 [thread overview]
Message-ID: <YY69NaucW+0t474Q@gmail.com> (raw)
In-Reply-To: <20211112124411.1948809-3-roberto.sassu@huawei.com>
On Fri, Nov 12, 2021 at 01:44:08PM +0100, Roberto Sassu wrote:
> Fsverity signatures are validated only upon request by the user by setting
> the requirement through procfs or sysctl.
>
> However, signatures are validated only when the fsverity-related
> initialization is performed on the file. If the initialization happened
> while the signature requirement was disabled, the signature is not
> validated again.
I'm not sure this really matters. If someone has started using a verity file
before the require_signatures sysctl was set, then there is already a race
condition; this patch doesn't fix that. Don't you need to set the
require_signatures sysctl early enough anyway?
- Eric
next prev parent reply other threads:[~2021-11-12 19:15 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-12 12:44 [RFC][PATCH 0/5] shmem/fsverity: Prepare for mandatory integrity enforcement Roberto Sassu
2021-11-12 12:44 ` [RFC][PATCH 1/5] fsverity: Introduce fsverity_get_file_digest() Roberto Sassu
2021-11-16 14:32 ` kernel test robot
2021-11-12 12:44 ` [RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open Roberto Sassu
2021-11-12 19:15 ` Eric Biggers [this message]
2021-11-15 9:42 ` Roberto Sassu
2021-11-12 12:44 ` [RFC][PATCH 3/5] fsverity: Do initialization earlier Roberto Sassu
2021-11-12 12:44 ` [RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() Roberto Sassu
2021-11-12 12:53 ` Ajay Garg
2021-11-12 12:56 ` Roberto Sassu
2021-11-12 18:56 ` Eric Biggers
2021-11-15 8:02 ` Roberto Sassu
2021-11-12 12:44 ` [RFC][PATCH 5/5] shmem: Add fsverity support Roberto Sassu
2021-11-12 19:12 ` Eric Biggers
2021-11-15 8:49 ` Roberto Sassu
2021-11-15 19:05 ` Eric Biggers
2021-11-16 10:43 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YY69NaucW+0t474Q@gmail.com \
--to=ebiggers@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=hughd@google.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=roberto.sassu@huawei.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.