linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Luca Boccassi <luca.boccassi@gmail.com>
To: dm-devel@lists.linux.dev, linux-security-module@vger.kernel.org
Cc: snitzer@kernel.org, jmorris@namei.org, paul@paul-moore.com
Subject: Re: [PATCH] dm verity: add support for signature verification with platform keyring
Date: Thu, 4 Jul 2024 10:12:25 +0100	[thread overview]
Message-ID: <CAMw=ZnR9Eqw1Q6CnQhitBKHDGduQStVK7BfSPj-54xJjgSMqcw@mail.gmail.com> (raw)
In-Reply-To: <20240617220037.594792-1-luca.boccassi@gmail.com>

On Mon, 17 Jun 2024 at 23:00, <luca.boccassi@gmail.com> wrote:
>
> From: Luca Boccassi <bluca@debian.org>
>
> Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> that enables verifying dm-verity signatures using the platform keyring,
> which is populated using the UEFI DB certificates. This is useful for
> self-enrolled systems that do not use MOK, as the secondary keyring which
> is already used for verification, if the relevant kconfig is enabled, is
> linked to the machine keyring, which gets its certificates loaded from MOK.
> On datacenter/virtual/cloud deployments it is more common to deploy one's
> own certificate chain directly in DB on first boot in unattended mode,
> rather than relying on MOK, as the latter typically requires interactive
> authentication to enroll, and is more suited for personal machines.
>
> Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> if not otherwise specified, as it is likely that if one wants to use
> MOK certificates to verify dm-verity volumes, DB certificates are
> going to be used too. Keys in DB are allowed to load a full kernel
> already anyway, so they are already highly privileged.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> ---
>  drivers/md/Kconfig                | 10 ++++++++++
>  drivers/md/dm-verity-verify-sig.c |  7 +++++++
>  2 files changed, 17 insertions(+)
>
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> index 35b1080752cd..1e9db8e4acdf 100644
> --- a/drivers/md/Kconfig
> +++ b/drivers/md/Kconfig
> @@ -540,6 +540,16 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
>
>           If unsure, say N.
>
> +config DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> +       bool "Verity data device root hash signature verification with platform keyring"
> +       default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> +       depends on DM_VERITY_VERIFY_ROOTHASH_SIG
> +       depends on INTEGRITY_PLATFORM_KEYRING
> +       help
> +         Rely also on the platform keyring to verify dm-verity signatures.
> +
> +         If unsure, say N.
> +
>  config DM_VERITY_FEC
>         bool "Verity forward error correction support"
>         depends on DM_VERITY
> diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> index 4836508ea50c..d351d7d39c60 100644
> --- a/drivers/md/dm-verity-verify-sig.c
> +++ b/drivers/md/dm-verity-verify-sig.c
> @@ -126,6 +126,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
>                                 NULL,
>  #endif
>                                 VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> +       if (ret == -ENOKEY)
> +               ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
> +                                       sig_len,
> +                                       VERIFY_USE_PLATFORM_KEYRING,
> +                                       VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> +#endif
>
>         return ret;
>  }

Gentle ping. Anything I can do to help move this patch forward? It
fixes a gap in our dm-verity story that I'd really like to see sorted
for the next release. We will use this in systemd, among other things.
Thanks!

       reply	other threads:[~2024-07-04  9:12 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20240617220037.594792-1-luca.boccassi@gmail.com>
2024-07-04  9:12 ` Luca Boccassi [this message]
2024-07-04 15:48 ` [PATCH v2] dm verity: add support for signature verification with platform keyring luca.boccassi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAMw=ZnR9Eqw1Q6CnQhitBKHDGduQStVK7BfSPj-54xJjgSMqcw@mail.gmail.com' \
    --to=luca.boccassi@gmail.com \
    --cc=dm-devel@lists.linux.dev \
    --cc=jmorris@namei.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=snitzer@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).