Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3664567ybi; Mon, 10 Jun 2019 14:24:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqxCHLJQ4jVuc0vwCtb83DfAI/fnB9e/WEUlVVvPgh4TCEGzwBD6vQ5aisOsmgyXIUknnmQA X-Received: by 2002:a63:2109:: with SMTP id h9mr17483147pgh.51.1560201885555; Mon, 10 Jun 2019 14:24:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560201885; cv=none; d=google.com; s=arc-20160816; b=H0QnA9hwH+frj9r/vTjHMZHAJFWw9QUw50pu00o2j/e0p0eLZ5uKhu/2DSVX7zQcTv PcigBBxgTIBz8qgsM33XmHGGIsXmOkB0J9FOO+otzPDzk6jSL68aMT5FR2nhgD+lCC5s jZDrTPDgwdzC2AqbmWzGMZ1wM0GLoVeU8A6KuVe2l72r+xxC/eD28RQcsq2Otv1wfcMh F/bW5Ni7VlaTKrATfIZu+XUnFZhJxcq2OjH+IpniMyE1+WYFqh5+lwoeGfuSJ6UgoU+d B9XoDdo99M9cPHVztdXEDrafRadiecyPCm/vaNgMDAPP84Ebd+AKDBjhiIQMP4qUK6Vp 9GAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=jROxEE+/gBop0aBnOH2jikgWysXuT59PMhB5/KNM6fM=; b=ux+/yUVs3dn0YAdKD/w2fP6achkfNBbOLK93FUqarOuLbKrU4hargXeXIcP5sBatCg tC0VRsPhiFicW7YPPOwonHGBkEuUi9KkiZlttQF6ohRGcitI/rwHIw0o5WOwYdd4qVQe qU3CIlvCNkCmzvxnJBe4l7xgcLsPwTexhf18qeZxkUB/dgi78DrU58dW4lMDPsvGAWdJ j14O687HVK1D5zv75EUwoNr0d2IxCkOBffvVEoVuAEynW2+YStSQv+2e/zycU8+eqEN+ P55p1u23zxUuz0aBhFA2Nih7i4PtZWA1rSJeSd4zzxwhZqH4D1DI1mdPgRnkYYLB+B+G 79rg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g3si10154365pgh.189.2019.06.10.14.24.30; Mon, 10 Jun 2019 14:24:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390040AbfFJVW5 (ORCPT + 99 others); Mon, 10 Jun 2019 17:22:57 -0400 Received: from linux.microsoft.com ([13.77.154.182]:34646 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389571AbfFJVW5 (ORCPT ); Mon, 10 Jun 2019 17:22:57 -0400 Received: by linux.microsoft.com (Postfix, from userid 1029) id 4BCD320B7194; Mon, 10 Jun 2019 14:22:56 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by linux.microsoft.com (Postfix) with ESMTP id 41DCC311B1C8; Mon, 10 Jun 2019 14:22:56 -0700 (PDT) Date: Mon, 10 Jun 2019 14:22:56 -0700 (PDT) From: Jaskaran Singh Khurana X-X-Sender: jaskarankhurana@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net To: Milan Broz cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, jmorris@namei.org, scottsh@microsoft.com, ebiggers@google.com, Mikulas Patocka Subject: Re: [RFC PATCH v3 1/1] Add dm verity root hash pkcs7 sig validation In-Reply-To: <54170d18-31c7-463d-10b5-9af8b666df0f@gmail.com> Message-ID: References: <20190607223140.16979-1-jaskarankhurana@linux.microsoft.com> <20190607223140.16979-2-jaskarankhurana@linux.microsoft.com> <54170d18-31c7-463d-10b5-9af8b666df0f@gmail.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 8 Jun 2019, Milan Broz wrote: > On 08/06/2019 00:31, Jaskaran Khurana wrote: > Why is this different from existing FEC extension? > FEC uses ifdefs in header to blind functions if config is not set. > > ifeq ($(CONFIG_DM_VERITY_FEC),y) > dm-verity-objs += dm-verity-fec.o > endif > > ... > The reasoning for doing it this way is that there might be scripts that create a device mapper device and then mount and use it, with the signature verification enabled in kernel the scripts would be passing the signature like: veritysetup open params... --roothash-sig= If later due to some reason the DM_VERITY_VERIFY_ROOTHASH_SIG is disabled if we do not recognize the parameter then the scripts need to be changed or else they will fail with INVALID argument, in current implementation the parameter for signature is always parsed but enforced based on the config being set, so the scripts need not be changed. Let me know if you still feel I should be changing this and I will be happy to make the change, just wanted to share my reasoning for this. > > Thanks, > Milan > Regards, Jaskaran