Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
that enables verifying dm-verity signatures using the platform keyring,
which is populated using the UEFI DB certificates. This is useful for
self-enrolled systems that do not use MOK, as the secondary keyring which
is already used for verification, if the relevant kconfig is enabled, is
linked to the machine keyring, which gets its certificates loaded from MOK.
On datacenter/virtual/cloud deployments it is more common to deploy one's
own certificate chain directly in DB on first boot in unattended mode,
rather than relying on MOK, as the latter typically requires interactive
authentication to enroll, and is more suited for personal machines.
Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
if not otherwise specified, as it is likely that if one wants to use
MOK certificates to verify dm-verity volumes, DB certificates are
going to be used too. Keys in DB are allowed to load a full kernel
already anyway, so they are already highly privileged.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
If unsure, say N.
+config DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
+ bool "Verity data device root hash signature verification with platform keyring"
+ default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+ depends on DM_VERITY_VERIFY_ROOTHASH_SIG
+ depends on INTEGRITY_PLATFORM_KEYRING
+ help
+ Rely also on the platform keyring to verify dm-verity signatures.
+
+ If unsure, say N.
+
config DM_VERITY_FEC
bool "Verity forward error correction support"
depends on DM_VERITY
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
+ if (ret == -ENOKEY)
+ ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
+ sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+#endif
return ret;
}
projects / users / jedix / linux-maple.git / commitdiff