Message ID | 20220627083512.v7.3.I5aca2dcc3b06de4bf53696cd21329dce8272b8aa@changeid (mailing list archive) |
---|---|
State | Not Applicable, archived |
Series | LoadPin: Enable loading from trusted dm-verity devices | expand |
On Mon, Jun 27 2022 at 11:35P -0400, Matthias Kaehlcke <mka@chromium.org> wrote: > The verity glue for LoadPin is only needed when CONFIG_SECURITY_LOADPIN_VERITY > is set, use this option for conditional compilation instead of the combo of > CONFIG_DM_VERITY and CONFIG_SECURITY_LOADPIN. > > Signed-off-by: Matthias Kaehlcke <mka@chromium.org> > Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Mike Snitzer <snitzer@kernel.org>
diff --git a/drivers/md/Makefile b/drivers/md/Makefile
index 71771901c823..a96441752ec7 100644
--- a/drivers/md/Makefile
+++ b/drivers/md/Makefile
@@ -83,6 +83,7 @@ obj-$(CONFIG_DM_LOG_WRITES) += dm-log-writes.o
 obj-$(CONFIG_DM_INTEGRITY) += dm-integrity.o
 obj-$(CONFIG_DM_ZONED) += dm-zoned.o
 obj-$(CONFIG_DM_WRITECACHE) += dm-writecache.o
+obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
 ifeq ($(CONFIG_DM_INIT),y)
 dm-mod-objs += dm-init.o
@@ -108,12 +109,6 @@ ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y)
 dm-verity-objs += dm-verity-verify-sig.o
 endif
-ifeq ($(CONFIG_DM_VERITY),y)
-ifeq ($(CONFIG_SECURITY_LOADPIN),y)
-dm-verity-objs += dm-verity-loadpin.o
-endif
-endif
-
 ifeq ($(CONFIG_DM_AUDIT),y)
 dm-mod-objs += dm-audit.o
 endif
diff --git a/include/linux/dm-verity-loadpin.h b/include/linux/dm-verity-loadpin.h
index fb695ecaa5d5..552b817ab102 100644
--- a/include/linux/dm-verity-loadpin.h
+++ b/include/linux/dm-verity-loadpin.h
@@ -15,7 +15,7 @@ struct dm_verity_loadpin_trusted_root_digest {
 u8 data[];
 };
-#if IS_ENABLED(CONFIG_SECURITY_LOADPIN) && IS_BUILTIN(CONFIG_DM_VERITY)
+#if IS_ENABLED(CONFIG_SECURITY_LOADPIN_VERITY)
 bool dm_verity_loadpin_is_bdev_trusted(struct block_device *bdev);
 #else
 static inline bool dm_verity_loadpin_is_bdev_trusted(struct block_device *bdev)
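Review bot: The built-in requirement on dm-verity is no longer visible in drivers/md/Makefile: the added `obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o` builds the glue as a standalone object rather than as part of `dm-verity-objs`, so the constraint that the removed `ifeq ($(CONFIG_DM_VERITY),y)` nesting expressed now rests entirely on the Kconfig entry for that symbol, which this patch does not show. If the option could be selected while dm-verity is modular, the glue would presumably end up built in while the dm-verity code it relies on lives in a module. A one-line comment above the new rule would keep that dependency visible where the object is wired in, for example `# LoadPin glue; relies on Kconfig restricting this option to built-in dm-verity`.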
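Review bot: The guard `#if IS_ENABLED(CONFIG_SECURITY_LOADPIN_VERITY)` in include/linux/dm-verity-loadpin.h no longer states what it depends on, and the `#else` stub is what LoadPin gets whenever the option is off, so the header should document that the fallback must never report a device as trusted. A comment above the `#if` would do, for example `/* Real check only with CONFIG_SECURITY_LOADPIN_VERITY; the stub below must fail closed. */`. The stub's body lies outside this hunk, so confirm that it returns false. Note also that `IS_ENABLED()` accepts `=m`, which matches the old `IS_BUILTIN(CONFIG_DM_VERITY)` test only if the new symbol is a bool; the Kconfig definition, not shown here, has to guarantee that.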