From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C1D236212F for ; Sat, 18 Jul 2026 19:15:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784402161; cv=none; b=HQ6+yTXyQ46jXu00cDTG0ymY2c6Aisr+ywNZ3KZtosV6E0mucB6Kwq+EWAMM8NkrcAYwlQh/Lpo1wHmRmUH088OXWmmkfkEprjw3AtOmlBSRqJ3czlfylEd3YspW4cVCjn/0WrtmCM4NfdMujLcZ39ymDEKBBg01QWifPw+gfhQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784402161; c=relaxed/simple; bh=JaIyalHpyLApnPkNPXoy+faaGxYp0kiUgkaXuqNN+a8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kI0TzRyaLF/cfa7AFRaiHR0SWPUygdlNm/vYTorTO69fV4eGo6tQcbmWK1db6ErBIPpR07pNBRZMtfHGFQTIj3MWJaxZSNgU8d6dr26bLgVSjGRgLhh4H6FNfmMuBAvZiROZbvstYN55qNqi53uxU9d6S5/i90zYWP0ns77IW5E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jQS5coay; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jQS5coay" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-495437bb891so17623405e9.1 for ; Sat, 18 Jul 2026 12:15:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1784402158; x=1785006958; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to:content-type; bh=n/RuzzR56AKowWPeBaHkPa2me5UyA+I6b2NoNXGG3tc=; b=jQS5coaylvMHpThtcAzmeg8WaIdOmTmVY+x9jWSw9pcTbiz4O90Yi65DXiU8GNKXQV +JrkUat+l5x7hMF7xdd9I7UB7iPYo2cXi41bRrW6fVM6MjJQdHA95H14fKJ1u3kqz9/k 415Ou+UdgXp9nByzJvn2nawDVLvpOQ/w8shuZD3wJEwBGM0t81pfpgI4IhpnpfgHkFpm hT2jdlxtPi+SFUwpe5o/Ax1ycItQGORx+upKo28n1u5VOTEiIwGAUvnPt2lXwqbwcRIm y03I+YBm//LsWtcuyExi+eCF+vP56e6NfvLEuYolrodRrxmFrEV8mH1P/a3DChoAbi84 MIGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784402158; x=1785006958; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to:content-type; bh=n/RuzzR56AKowWPeBaHkPa2me5UyA+I6b2NoNXGG3tc=; b=Wfp/kC9wzM39kq8qhv9lcJkkW3/UJ8flQr4k+8uFug9HEEcBXZEnHJyWV/4bYBXdUu 6LbRoipWLLMuMd2gs49U//1f9UajCW6ySGc/WuhyczNHTQw2/EtnMaKL7OceCJe4IZKV vLWoNjHsn+4spjW7wEK+nJ9HDkQA0xMDnHslIWgLPSaoNe3E4rxcRaZkxKJG1FwrvkUZ ASUXTGFopqYR9JTqBGwU4sG1lZBBw+ya/hyyyK5z6d79uwxRt6wnD3mroh1hkroo4UYo zt8qoykQnd3gtjmQywdu/2sNO9RiyAXl6nVH5cbwldXdNSY2FUKB+F9sdBoghQVo1yfp 9Sng== X-Forwarded-Encrypted: i=1; AHgh+RrhoQ2wIHy/NxfBX62uxqmlpkCmAHV+OErMqw+mqUqKsUEi3nn9DleWHyUbAcOK7HGtnUJUn0WGKcs=@vger.kernel.org X-Gm-Message-State: AOJu0YyN++v6FlAQTR5i0UJ+9AQUVmREj5LiDM73+5eoNITwn05ljX7v HCcb2lP/NpS8sAJQQnD9EGysUKm88JNrN4XzkdiyEviD1Zni0n20n47+ X-Gm-Gg: AfdE7cllnFuYETkJAdY9MAxvDrABpBq27ar2z9Q2dyJzyCldUfwjS+22t/iEN/WyRYd 0ydk4katCRu+ZUBa2u1Xr7PxkHHEdp7NUuU9Axl3HGBR5CEDXYWCP18w3MqIxXoMot05KB+XaHM ePwbve2v0dz2vtSNIdWNDVoRMy4Iglm6owcnIS6mpl1lWY6OihXHd4O688GlzSBxX2L7sD2i2eM jSKUJyxwULvXcFJiw+bkHu0VFoeGCy/P1kHON6xnTSEGDdv7RfqeSGPJU/QwFQmj7L8/gFggBxn mnn0o3RFwGJI/vijg98Yt0wqjLjhY/E+l8blvdu8sRNdo7B9NM7xIPrDwRxdz4AcqkofvnARvZ4 hd4KOAWqlI65DSvzvK4136uG/+J/7mUHf1H5VSUb8VoepEH+fcMdbnYfEvImWLwx1O3EsqbnQuE iiHBGKnA== X-Received: by 2002:a05:600c:4e8b:b0:495:501a:fcf8 with SMTP id 5b1f17b1804b1-495501afdc8mr41543145e9.9.1784402157300; Sat, 18 Jul 2026 12:15:57 -0700 (PDT) Received: from spark.Home ([2001:8a0:7280:4000:c2b:a5ab:a31c:e0a5]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4954a2e8529sm140037005e9.11.2026.07.18.12.15.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 Jul 2026 12:15:56 -0700 (PDT) From: Eric Curtin To: Alexander Viro , Christian Brauner Cc: Jan Kara , Jonathan Corbet , Shuah Khan , Eric Biggers , "Theodore Y . Ts'o" , Gao Xiang , Chao Yu , fsverity@lists.linux.dev, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Curtin Subject: [RFC PATCH 2/2] init: support pinning the root image's fsverity digest Date: Sat, 18 Jul 2026 20:15:51 +0100 Message-ID: <20260718191551.1703670-3-ericcurtin17@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260718191551.1703670-1-ericcurtin17@gmail.com> References: <20260718191551.1703670-1-ericcurtin17@gmail.com> Precedence: bulk X-Mailing-List: linux-doc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit When the root filesystem is mounted from an image file with rootimage=, the carrier filesystem holding the image is typically writable and therefore untrusted. Systems that seal their root images with fsverity currently need an initramfs for the sole purpose of checking that the image carries the expected fsverity digest before mounting it. Add rootimageverity=:, which requires the rootimage= file to have fsverity enabled with exactly this file digest and fails the boot otherwise, using the same fsverity_get_digest() interface that IMA and overlayfs already use for digest pinning. Combined with a trusted kernel command line (e.g. a signed unified kernel image, or a TPM-measured bootloader configuration), this extends the chain of trust to every byte of the root filesystem without any userspace boot stage: the digest pins the image's Merkle tree, and fsverity keeps verifying all data read from the image against it at runtime, so post-boot tampering with the carrier filesystem is detected as well. It is the file-backed counterpart of setting up a dm-verity target for a partition-backed root via dm-mod.create=. Verification is done on the file the kernel is about to mount: it is opened before mounting (which also loads the fsverity information) and kept open across the mount, and no userspace exists yet that could race a replacement in between. Assisted-by: opencode:claude-fable-5 Signed-off-by: Eric Curtin --- .../admin-guide/kernel-parameters.txt | 13 ++++ init/do_mounts.c | 63 +++++++++++++++++++ 2 files changed, 76 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 5dbd56098..105ebb171 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6728,6 +6728,19 @@ Kernel parameters root=) is moved to, instead of detaching it. Used together with rootimage=. + rootimageverity= [KNL] Require the root image specified by + rootimage= to have fsverity enabled with this file + digest, given as :, + e.g. sha256:dd1b3fa9... The boot is aborted if the + image carries no or a different fsverity digest. + Because fsverity keeps verifying data read from the + image against its Merkle tree at runtime, a trusted + (e.g. signed or TPM-measured) kernel command line + extends the chain of trust to the complete root + filesystem contents without an initramfs. Requires + CONFIG_FS_VERITY and a carrier filesystem with + fsverity support. + rootwait [KNL] Wait (indefinitely) for root device to show up. Useful for devices that are detected asynchronously (e.g. USB and MMC devices). diff --git a/init/do_mounts.c b/init/do_mounts.c index 1b96ef30b..4eb792b27 100644 --- a/init/do_mounts.c +++ b/init/do_mounts.c @@ -24,6 +24,9 @@ #include #include #include +#include +#include +#include #include #include "do_mounts.h" @@ -155,10 +158,18 @@ static int __init root_image_srcdir_setup(char *str) return 1; } +static char * __initdata root_image_verity; +static int __init root_image_verity_setup(char *str) +{ + root_image_verity = str; + return 1; +} + __setup("rootimage=", root_image_setup); __setup("rootimagefstype=", root_image_fs_names_setup); __setup("rootimageflags=", root_image_data_setup); __setup("rootimagesrcdir=", root_image_srcdir_setup); +__setup("rootimageverity=", root_image_verity_setup); /* This can return zero length strings. Caller should check */ static int __init split_fs_names(char *page, size_t size, char *names) @@ -442,6 +453,55 @@ void __init mount_root(char *root_device_name) } } +#ifdef CONFIG_FS_VERITY +/* + * Require the root image to carry the fsverity file digest given by + * rootimageverity=:. @file must have been + * opened so that its fsverity information is loaded. Any deviation + * fails the boot: with a trusted command line this pins the complete + * image contents, which fsverity keeps verifying against the image's + * Merkle tree as they are read. + */ +static void __init verify_root_image(struct file *file) +{ + u8 want[FS_VERITY_MAX_DIGEST_SIZE], got[FS_VERITY_MAX_DIGEST_SIZE]; + enum hash_algo want_algo, got_algo; + int want_size, got_size, i; + char *hex; + + hex = strchr(root_image_verity, ':'); + if (!hex) + panic("VFS: rootimageverity= expects :"); + *hex++ = '\0'; + i = match_string(hash_algo_name, HASH_ALGO__LAST, root_image_verity); + if (i < 0) + panic("VFS: rootimageverity=: unknown hash algorithm \"%s\"", + root_image_verity); + want_algo = i; + want_size = hash_digest_size[want_algo]; + if (strlen(hex) != 2 * want_size || hex2bin(want, hex, want_size)) + panic("VFS: rootimageverity=: expected %d-byte hex digest", + want_size); + + got_size = fsverity_get_digest(file_inode(file), got, NULL, &got_algo); + if (!got_size) + panic("VFS: root image does not have fsverity enabled"); + if (got_algo != want_algo || got_size != want_size || + memcmp(want, got, want_size)) + panic("VFS: root image fsverity digest mismatch: expected %s:%*phN, got %s:%*phN", + hash_algo_name[want_algo], want_size, want, + hash_algo_name[got_algo], got_size, got); + + pr_info("VFS: verified root image fsverity digest %s:%*phN\n", + hash_algo_name[want_algo], want_size, want); +} +#else /* !CONFIG_FS_VERITY */ +static void __init verify_root_image(struct file *file) +{ + panic("VFS: rootimageverity= requires CONFIG_FS_VERITY"); +} +#endif /* !CONFIG_FS_VERITY */ + /* * Mount the actual root filesystem from the image file rootimage= on the * filesystem that was just mounted from root= (the "carrier"), so that @@ -481,6 +541,9 @@ static void __init mount_root_image(void) panic("VFS: unable to open root image %s: error %ld", root_image, PTR_ERR(file)); + if (root_image_verity) + verify_root_image(file); + err = init_mkdir("/image", 0700); if (err < 0 && err != -EEXIST) panic("VFS: unable to create /image: error %d", err); -- 2.43.0