From: Kees Cook <keescook@chromium.org>
To: Matthias Kaehlcke <mka@chromium.org>
Cc: Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org,
Song Liu <song@kernel.org>,
linux-security-module@vger.kernel.org,
Douglas Anderson <dianders@chromium.org>,
dm-devel@redhat.com
Subject: Re: [PATCH 0/3] LoadPin: Enable loading from trusted dm-verity devices
Date: Mon, 18 Apr 2022 15:14:14 -0700
Message-ID: <202204181512.DA0C0C6EBD@keescook>
In-Reply-To: <20220418211559.3832724-1-mka@chromium.org>
[oops, resending to actual CC list]
On Mon, Apr 18, 2022 at 02:15:56PM -0700, Matthias Kaehlcke wrote:
> This series extends LoadPin to allow loading of kernel files
> from trusted dm-verity devices. It adds the concept of
> trusted verity devices to LoadPin. Userspace can use the
> new sysctl file 'loadpin/trusted_verity_root_digests' to
> provide LoadPin with a list of root digests from dm-verity
> devices that LoadPin should consider as trusted. When a
> kernel file is read LoadPin first checks (as usual) whether
> the file is located on the pinned root, if so the file can
> be loaded. Otherwise, if the verity extension is enabled,
> LoadPin determines whether the file is located on a verity
> backed device and whether the root digest of that device
> is in the list of trusted digests. The file can be loaded
> if the verity device has a trusted root digest.
>
> The list of trusted root digests can only be written once
> (typically at boot time), to limit the possibility of
> attackers setting up rogue verity devices and marking them
> as trusted.
Hi,
Thanks for working all this out! Where does the list of trusted
roothashes come from? I assume some chain of trust exists. Is the list
maybe already stored on the rootfs?
It'd be nice if there was some way to pass the trust chain to LoadPin
more directly.
-Kees
--
Kees Cook
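The decision procedure the cover letter describes (pinned root first, then a dm-verity root digest lookup, with a write-once trusted list) modelled as a small userspace program. This is an added example written for this page, not code from the patch series or from the kernel's LoadPin implementation; the function names (`loadpin_pin_root`, `loadpin_set_trusted_digests`, `loadpin_check_load`), the `blockdev`/`kfile` structs and the sample devices and digests are all constructed for illustration. The model seals the list on the first write attempt, whether or not the write parses, which is one reading of "can only be written once".

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the LoadPin rules from the cover letter (constructed example):
 *  1. a file on the pinned root is always loadable;
 *  2. otherwise, with the verity extension enabled, the file's backing
 *     device must be dm-verity and its root digest must be trusted;
 *  3. the trusted digest list can be written once. */

#define DIGEST_HEX_LEN 64   /* SHA-256 root digest, lowercase hex */
#define MAX_TRUSTED    8

struct blockdev {
	const char *name;
	const char *verity_root_digest;  /* "" if not a dm-verity device */
};

struct kfile {
	const char *path;
	const struct blockdev *dev;      /* device backing the file */
};

static const struct blockdev *pinned_root;
static char trusted[MAX_TRUSTED][DIGEST_HEX_LEN + 1];
static int ntrusted;
static bool trusted_sealed;          /* set on first write, never cleared */

/* Pin the root device once; later calls are refused (hypothetical API). */
int loadpin_pin_root(const struct blockdev *dev)
{
	if (pinned_root)
		return -EBUSY;
	pinned_root = dev;
	return 0;
}

static bool valid_hex_digest(const char *s, size_t len)
{
	if (len != DIGEST_HEX_LEN)
		return false;
	for (size_t i = 0; i < len; i++) {
		bool digit = s[i] >= '0' && s[i] <= '9';
		bool hex   = s[i] >= 'a' && s[i] <= 'f';
		if (!digit && !hex)
			return false;
	}
	return true;
}

/* Model of a write to the sysctl: comma-separated hex digests, optional
 * trailing newline. Only the first write is accepted; a bad list is
 * rejected as a whole so no partial state is committed. */
int loadpin_set_trusted_digests(const char *list)
{
	char tmp[MAX_TRUSTED][DIGEST_HEX_LEN + 1];
	int n = 0;

	if (trusted_sealed)
		return -EPERM;
	trusted_sealed = true;

	for (const char *p = list; *p; ) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);
		while (len && (p[len - 1] == '\n' || p[len - 1] == ' '))
			len--;
		if (n == MAX_TRUSTED)
			return -ENOSPC;
		if (!valid_hex_digest(p, len))
			return -EINVAL;
		memcpy(tmp[n], p, len);
		tmp[n++][len] = '\0';
		if (!end)
			break;
		p = end + 1;
	}
	memcpy(trusted, tmp, sizeof(tmp));
	ntrusted = n;
	return 0;
}

/* 0 = may load, -EPERM = refused. */
int loadpin_check_load(const struct kfile *f, bool verity_ext_enabled)
{
	if (f->dev == pinned_root)                 /* usual LoadPin rule */
		return 0;
	if (!verity_ext_enabled)
		return -EPERM;
	if (f->dev->verity_root_digest[0] == '\0') /* not verity backed */
		return -EPERM;
	for (int i = 0; i < ntrusted; i++)
		if (strcmp(trusted[i], f->dev->verity_root_digest) == 0)
			return 0;
	return -EPERM;
}

/* Constructed sample devices, files and digests. */
#define GOOD_DIGEST  "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
#define ROGUE_DIGEST "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
const struct blockdev sample_root  = { "rootfs", "" };
const struct blockdev sample_good  = { "dm-1 (trusted verity)", GOOD_DIGEST };
const struct blockdev sample_rogue = { "dm-2 (untrusted verity)", ROGUE_DIGEST };
const struct blockdev sample_plain = { "sdb1 (no verity)", "" };
const struct kfile file_on_root  = { "/lib/modules/a.ko", &sample_root };
const struct kfile file_on_good  = { "/mnt/dlc/b.ko", &sample_good };
const struct kfile file_on_rogue = { "/mnt/other/c.ko", &sample_rogue };
const struct kfile file_on_plain = { "/mnt/usb/d.ko", &sample_plain };

int main(void)
{
	const struct kfile *files[] = { &file_on_root, &file_on_good,
					&file_on_rogue, &file_on_plain };
	loadpin_pin_root(&sample_root);
	printf("first write: %d\n", loadpin_set_trusted_digests(GOOD_DIGEST "\n"));
	printf("second write: %d (write-once)\n",
	       loadpin_set_trusted_digests(ROGUE_DIGEST));
	for (size_t i = 0; i < 4; i++)
		printf("%-18s on %-24s -> %s\n", files[i]->path, files[i]->dev->name,
		       loadpin_check_load(files[i], true) == 0 ? "allow" : "deny");
	return 0;
}
```

The second write returning -EPERM is the property the cover letter relies on: once an early-boot component has supplied the list, a later rogue verity device cannot be added to it, so the remaining question (where the first list itself comes from) is exactly the chain-of-trust question raised in the reply above.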