Date: Thu, 27 Jun 2019 16:41:50 -0700
From: Eric Biggers
To: Jaskaran Khurana
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, jmorris@namei.org, scottsh@microsoft.com, mpatocka@redhat.com, gmazyland@gmail.com
Subject: Re: [RFC PATCH v5 1/1] Add dm verity root hash pkcs7 sig validation.
Message-ID: <20190627234149.GA212823@gmail.com>
References: <20190619191048.20365-1-jaskarankhurana@linux.microsoft.com> <20190619191048.20365-2-jaskarankhurana@linux.microsoft.com>
In-Reply-To: <20190619191048.20365-2-jaskarankhurana@linux.microsoft.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Jaskaran, one comment (I haven't reviewed this in detail):

On Wed, Jun 19, 2019 at 12:10:48PM -0700, Jaskaran Khurana wrote:
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index db269a348b20..2d658a3512cb 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -475,6 +475,7 @@ config DM_VERITY > select CRYPTO > select CRYPTO_HASH > select DM_BUFIO > + select SYSTEM_DATA_VERIFICATION > ---help--- > This device-mapper target creates a read-only device that > transparently validates the data on one underlying device against > diff --git a/drivers/md/Makefile b/drivers/md/Makefile > index be7a6eb92abc..3b47b256b15e 100644 > --- a/drivers/md/Makefile > +++ b/drivers/md/Makefile
> @@ -18,7 +18,7 @@ dm-cache-y += dm-cache-target.o dm-cache-metadata.o dm-cache-policy.o \ > dm-cache-background-tracker.o > dm-cache-smq-y += dm-cache-policy-smq.o > dm-era-y += dm-era-target.o > -dm-verity-y += dm-verity-target.o > +dm-verity-y += dm-verity-target.o dm-verity-verify-sig.o > md-mod-y += md.o md-bitmap.o > raid456-y += raid5.o raid5-cache.o raid5-ppl.o > dm-zoned-y += dm-zoned-target.o dm-zoned-metadata.o dm-zoned-reclaim.o

Perhaps this should be made optional and controlled by a kconfig option CONFIG_DM_VERITY_SIGNATURE_VERIFICATION, similar to CONFIG_DM_VERITY_FEC? CONFIG_SYSTEM_DATA_VERIFICATION brings in a lot of stuff, which might be unnecessary for some dm-verity users. Also, you've already separated most of the code out into a separate .c file anyway.

- Eric
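
Review bot: In the drivers/md/Kconfig hunk, `select SYSTEM_DATA_VERIFICATION` is placed directly under `config DM_VERITY`, so every configuration that enables DM_VERITY takes on that dependency whether or not signed root hashes are used, and no help text for the new behaviour appears in this hunk. Consider moving the select under a separate option that depends on DM_VERITY, such as the CONFIG_DM_VERITY_SIGNATURE_VERIFICATION name proposed in this thread, and giving that option its own help text describing the root hash PKCS#7 signature check.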
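
Review bot: In the drivers/md/Makefile hunk, the `+dm-verity-y += dm-verity-target.o dm-verity-verify-sig.o` line links the new object into dm-verity unconditionally. If the signature check gets its own Kconfig option, add dm-verity-verify-sig.o to dm-verity-y only when that option is set, so that builds without it do not compile the new file.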