@@ -540,6 +540,16 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
If unsure, say N.
+config DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
+ bool "Verity data device root hash signature verification with platform keyring"
+ default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+ depends on DM_VERITY_VERIFY_ROOTHASH_SIG
+ depends on INTEGRITY_PLATFORM_KEYRING
+ help
+ Rely also on the platform keyring to verify dm-verity signatures.
+
+ If unsure, say N.
+
config DM_VERITY_FEC
bool "Verity forward error correction support"
depends on DM_VERITY
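Review bot: The help text on line 9 does not describe when the platform keyring is actually consulted: per the companion change in verity-verify-sig.c it is only a fallback, tried when the first keyring lookup reports no matching key, and a reader of the option has no way to know that. Suggest extending the help to `Rely also on the platform keyring to verify dm-verity signatures. The platform keyring is consulted only when no matching key is found in the keyring tried first.` Line 5 also makes the option default to the value of DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING, so it may be enabled without the user ever seeing the prompt, which sits oddly with "If unsure, say N." on line 11; either the default or that sentence should be reconsidered so the two agree.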
@@ -126,6 +126,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
+ if (ret == -ENOKEY)
+ ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
+ sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+#endif
return ret;
}
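Review bot: The retry on line 21 is keyed on -ENOKEY alone, which is the right trigger but is not explained, and a later maintainer may widen it to any error and thereby retry a signature that a key in the first keyring already rejected. Suggest a comment above the `if`: `/* Retry against the platform keyring only when no matching key was found; a signature rejected by a key that was found must not be re-tried elsewhere. */` The keyring used by the first call is selected by the #ifdef just above the hunk, so on builds without the secondary keyring the platform keyring presumably follows the builtin trusted keyring only; a second short comment stating that order would help. verity_verify_root_hash begins outside the hunk.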