From patchwork Thu Oct 15 15:05:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 11839493 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A6B1616BC for ; Thu, 15 Oct 2020 15:05:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8F96622268 for ; Thu, 15 Oct 2020 15:05:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389487AbgJOPFu (ORCPT ); Thu, 15 Oct 2020 11:05:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34702 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389486AbgJOPFt (ORCPT ); Thu, 15 Oct 2020 11:05:49 -0400 Received: from smtp-bc0e.mail.infomaniak.ch (smtp-bc0e.mail.infomaniak.ch [IPv6:2001:1600:4:17::bc0e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F18AC061755 for ; Thu, 15 Oct 2020 08:05:49 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CBszX6q78zlhTrD; Thu, 15 Oct 2020 17:05:44 +0200 (CEST) Received: from localhost (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CBszX0rtzzlh8Tg; Thu, 15 Oct 2020 17:05:44 +0200 (CEST) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Alasdair Kergon , Mike Snitzer Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Andrew Morton , Deven Bowers , Jaskaran Khurana , Milan Broz , dm-devel@redhat.com, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Jarkko Sakkinen , =?utf-8?q?Micka=C3=ABl_S?= =?utf-8?q?ala=C3=BCn?= Subject: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring Date: Thu, 15 Oct 2020 17:05:04 +0200 Message-Id: <20201015150504.1319098-1-mic@digikod.net> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Mickaël Salaün Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING to enable dm-verity signatures to be verified against the secondary trusted keyring. Instead of relying on the builtin trusted keyring (with hard-coded certificates), the second trusted keyring can include certificate authorities from the builtin trusted keyring and child certificates loaded at run time. Using the secondary trusted keyring enables to use dm-verity disks (e.g. loop devices) signed by keys which did not exist at kernel build time, leveraging the certificate chain of trust model. In practice, this makes it possible to update certificates without kernel update and reboot, aligning with module and kernel (kexec) signature verification which already use the secondary trusted keyring. Cc: Alasdair Kergon Cc: Andrew Morton Cc: Jarkko Sakkinen Cc: Jaskaran Khurana Cc: Mike Snitzer Cc: Milan Broz Signed-off-by: Mickaël Salaün --- Previous version: https://lore.kernel.org/lkml/20201002071802.535023-1-mic@digikod.net/ Changes since v1: * Extend the commit message (asked by Jarkko Sakkinen). * Rename the Kconfig "help" keyword according to commit 84af7a6194e4 ("checkpatch: kconfig: prefer 'help' over '---help---'"). --- drivers/md/Kconfig | 13 ++++++++++++- drivers/md/dm-verity-verify-sig.c | 9 +++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) base-commit: bbf5c979011a099af5dc76498918ed7df445635b diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig index 30ba3573626c..1d68935e45ef 100644 --- a/drivers/md/Kconfig +++ b/drivers/md/Kconfig @@ -530,11 +530,22 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG bool "Verity data device root hash signature verification support" depends on DM_VERITY select SYSTEM_DATA_VERIFICATION - help + help Add ability for dm-verity device to be validated if the pre-generated tree of cryptographic checksums passed has a pkcs#7 signature file that can validate the roothash of the tree. + By default, rely on the builtin trusted keyring. + + If unsure, say N. + +config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING + bool "Verity data device root hash signature verification with secondary keyring" + depends on DM_VERITY_VERIFY_ROOTHASH_SIG + depends on SECONDARY_TRUSTED_KEYRING + help + Rely on the secondary trusted keyring to verify dm-verity signatures. + If unsure, say N. config DM_VERITY_FEC diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c index 614e43db93aa..29385dc470d5 100644 --- a/drivers/md/dm-verity-verify-sig.c +++ b/drivers/md/dm-verity-verify-sig.c @@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len, } ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data, - sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE, - NULL, NULL); + sig_len, +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING + VERIFY_USE_SECONDARY_KEYRING, +#else + NULL, +#endif + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); return ret; }