linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>,
	Mike Snitzer <snitzer@redhat.com>,
	Sasha Levin <sashal@kernel.org>, Milan Broz <gmazyland@gmail.com>
Subject: [PATCH 4.19 61/72] dm verity: add root hash pkcs#7 signature verification
Date: Mon, 29 Mar 2021 09:58:37 +0200
Message-ID: <20210329075612.300337755@linuxfoundation.org>
In-Reply-To: <20210329075610.300795746@linuxfoundation.org>

From: JeongHyeon Lee <jhs2.lee@samsung.com>

[ Upstream commit 88cd3e6cfac915f50f7aa7b699bdf053afec866e ]

The verification is to support cases where the root hash is not secured
by Trusted Boot, UEFI Secureboot or similar technologies.

One of the use cases for this is dm-verity volumes mounted after boot:
the root hash provided during the creation of the dm-verity volume has
to be secure, and thus the in-kernel validation implemented here will be
used before we trust the root hash and allow the block device to be
created.

The signature being provided for verification must verify the root hash
and must be trusted by the builtin keyring for verification to succeed.

The hash is added as a key of type "user" and the description is passed
to the kernel so it can look it up and use it for verification.

Adds CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG which can be turned on if root
hash verification is needed.

Kernel commandline dm_verity module parameter 'require_signatures' will
indicate whether to force root hash signature verification (for all dm
verity volumes).

Signed-off-by: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
Tested-and-Reviewed-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-verity-target.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 599be2d2b0ae..fa8c201fca77 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -34,7 +34,7 @@
 #define DM_VERITY_OPT_IGN_ZEROES	"ignore_zero_blocks"
 #define DM_VERITY_OPT_AT_MOST_ONCE	"check_at_most_once"
 
-#define DM_VERITY_OPTS_MAX		(2 + DM_VERITY_OPTS_FEC)
+#define DM_VERITY_OPTS_MAX		(3 + DM_VERITY_OPTS_FEC)
 
 static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE;
 
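Review bot: the commit message promises PKCS#7 root hash signature verification, CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG and a require_signatures module parameter, but the only change in this 4.19 backport is the bump of DM_VERITY_OPTS_MAX from `(2 + DM_VERITY_OPTS_FEC)` to `(3 + DM_VERITY_OPTS_FEC)`; the stable patch should state that only the feature-argument count fix is taken from upstream 88cd3e6cfac9, otherwise readers of 4.19.184 will expect signature support the tree does not contain. Also worth a check: the message says the key description is passed to the kernel, so if that arrives as a "name value" pair in the optional-argument group it consumes two words, and raising the bound by one would be one short when every other feature option is present on the same table line.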
-- 
2.30.1
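To make concrete what the one-line hunk bounds, here is a Python model of the dm-verity optional feature-argument group whose word count DM_VERITY_OPTS_MAX limits. This is example code written for this page, not kernel code and not part of the patch. The option names are the ones the upstream dm-verity target accepts (the two on the page, plus the corruption-mode, FEC and root_hash_sig_key_desc options known from upstream); the value 8 for OPTS_FEC, the table tail used as input and the key description "verity-root" are constructed assumptions.

```python
# Added example (not kernel code): a Python model of how dm-verity bounds the
# optional feature-argument group that DM_VERITY_OPTS_MAX sizes.
# Assumptions: OPTS_FEC = 8 mirrors the kernel macro (four FEC options, each a
# "name value" pair); the option names are the ones accepted upstream.

OPTS_FEC = 8                      # four FEC options, each "name value"
OPTS_MAX_BEFORE = 2 + OPTS_FEC    # bound before the patch
OPTS_MAX_AFTER = 3 + OPTS_FEC     # bound after the patch

# Options that are a single word.
FLAG_OPTS = {
    "ignore_corruption", "restart_on_corruption",
    "ignore_zero_blocks", "check_at_most_once",
}
# Options that carry a value and therefore consume two words.
VALUE_OPTS = {
    "use_fec_from_device", "fec_roots", "fec_blocks", "fec_start",
    "root_hash_sig_key_desc",   # keyring description used for the PKCS#7 lookup
}


def parse_feature_args(words, opts_max):
    """Parse the trailing '<num_args> <arg>...' group of a verity table line.

    Returns a dict of option -> value (True for flag options).  Raises
    ValueError for the conditions the kernel rejects at table load: a count
    above opts_max, a count that does not match the words present, an
    unknown option, a value option without its value, or both corruption
    modes at once.  Rejecting means the block device is never created.
    """
    if not words:
        return {}
    try:
        num_args = int(words[0])
    except ValueError:
        raise ValueError("feature arg count is not a number")
    args = words[1:]
    if num_args != len(args):
        raise ValueError("declared feature arg count does not match table")
    if num_args > opts_max:
        raise ValueError(f"Invalid number of feature args: {num_args} > {opts_max}")

    opts = {}
    i = 0
    while i < len(args):
        name = args[i]
        if name in FLAG_OPTS:
            opts[name] = True
            i += 1
        elif name in VALUE_OPTS:
            if i + 1 >= len(args):
                raise ValueError(f"{name} requires a value")
            opts[name] = args[i + 1]
            i += 2
        else:
            raise ValueError(f"Unrecognized verity feature request: {name}")
    if "ignore_corruption" in opts and "restart_on_corruption" in opts:
        raise ValueError("ignore_corruption and restart_on_corruption are exclusive")
    return opts


def accepted(words, opts_max):
    """True if the feature-argument group would be accepted under opts_max."""
    try:
        parse_feature_args(words, opts_max)
        return True
    except ValueError:
        return False


# Constructed table tail: all four FEC options, ignore_zero_blocks and the
# signature key option, 11 words in total.
FULL_TAIL = ("11 use_fec_from_device /dev/fec fec_roots 2 fec_blocks 262144 "
             "fec_start 262144 ignore_zero_blocks "
             "root_hash_sig_key_desc verity-root").split()

if __name__ == "__main__":
    print("before patch:", accepted(FULL_TAIL, OPTS_MAX_BEFORE))  # False
    print("after patch: ", accepted(FULL_TAIL, OPTS_MAX_AFTER))   # True
```

The constructed tail is exactly the case the bump addresses: with FEC fully configured plus one flag, adding a two-word signature option takes the group to 11 words, which the old bound of 10 rejects and the new bound of 11 accepts. Because the count is checked before any option is interpreted, a bound that is too small fails closed (no device), never open.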