Subject: Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
From: Mickaël Salaün
To: Jarkko Sakkinen
Cc: Alasdair Kergon, Mike Snitzer, Deven Bowers, Jaskaran Khurana, Milan Broz, dm-devel@redhat.com, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mickaël Salaün
Date: Tue, 13 Oct 2020 10:51:34 +0200
Message-ID: <1b344a3c-2671-3b1a-3c6b-f3b28e819bc5@digikod.net>
References: <20201002071802.535023-1-mic@digikod.net> <20201012235502.GA36149@linux.intel.com>
In-Reply-To: <20201012235502.GA36149@linux.intel.com>

On 13/10/2020 01:55, Jarkko Sakkinen wrote:
> On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
>> Hi,
>>
>> What do you think about this patch?
>>
>> Regards,
>> Mickaël
>>
>> On 02/10/2020 09:18, Mickaël Salaün wrote:
>>> From: Mickaël Salaün
>>>
>>> Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
>>> to enable dm-verity signatures to be verified against the secondary
>>> trusted keyring. This allows certificate updates without kernel update
>>> and reboot, aligning with module and kernel (kexec) signature
>>> verifications.
>
> I'd prefer a bit more verbose phrasing, not least because I have never
> really even peeked at dm-verity, but it is also a good practice.
>
> You have the middle part of the story missing - explaining the semantics
> of how the feature leads to the aimed solution.

OK, what about:

Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring. Instead of relying on the builtin trusted keyring (with
hard-coded certificates), the secondary trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time. Using the secondary trusted keyring
makes it possible to use dm-verity disks (e.g. loop devices) signed by
keys which did not exist at kernel build time, leveraging the
certificate chain of trust model. In practice, this allows updating
certificates without kernel update and reboot, aligning with module and
kernel (kexec) signature verification, which already uses the secondary
trusted keyring.
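The chain-of-trust model the reworded description relies on, worked through in user space with openssl. This is an added example, not code from the patch, the thread, or the dm-verity or cryptsetup projects. Assumptions: the certificate names (ca for a certificate built into the kernel, leaf for a child certificate loaded at run time, rogue for an unrelated self-signed key), the root hash values, and the signature format (a detached PKCS#7 signature over the hex root hash without trailing newline, which I take to be what veritysetup --root-hash-signature consumes; check veritysetup(8) for your version). `openssl verify` stands in for the restriction on .secondary_trusted_keys (a key is only accepted if it is signed by a key already in the builtin or secondary keyring), and `openssl smime -verify` for the kernel's PKCS#7 check of the root hash at table load; the kernel itself finds the signer in the keyring by issuer and serial, which the example models by passing the signer certificate with -certfile.

```shell
#!/bin/sh
# Added example (not from the patch, the thread, or the dm-verity/cryptsetup
# projects): model in user space, with openssl, the trust relationships that
# DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING relies on.
#   ca    = certificate compiled into the kernel (builtin trusted keyring)
#   leaf  = child certificate issued by ca, loaded at run time (secondary keyring)
#   rogue = self-signed certificate with no link to ca
# All names, the root hash and the tampered hash below are constructed.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/req.cnf"
cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA certificate: stands in for a certificate built into the kernel.
make_ca() {  # $1 = name
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$CNF" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Child certificate issued by a CA: the kind of key an admin adds at run time
# (keyctl padd asymmetric "" %:.secondary_trusted_keys < leaf.der).
make_leaf() {  # $1 = leaf name, $2 = issuing CA name
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# The secondary keyring only accepts keys signed by a key already in the
# builtin or secondary keyring; a chain check against the builtin CA models
# that restriction.  Exit 0 = keyctl padd would succeed.
chains_to_builtin() {  # $1 = cert name, $2 = builtin CA name
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Detached PKCS#7 signature over the hex root hash, no trailing newline and
# no embedded certificates (assumed to be the form veritysetup
# --root-hash-signature consumes; check veritysetup(8) for your version).
sign_root_hash() {  # $1 = root hash (hex), $2 = signer name
    printf '%s' "$1" > "$WORK/roothash-$2.txt"
    openssl smime -sign -nocerts -noattr -binary -in "$WORK/roothash-$2.txt" \
        -inkey "$WORK/$2.key" -signer "$WORK/$2.crt" -outform der \
        -out "$WORK/roothash-$2.p7s" 2>/dev/null
}

# What the kernel does at table load: check the PKCS#7 signature over the hex
# root hash and require the signer to chain to a trusted key.  The signer
# certificate is supplied separately (-certfile), as the keyring supplies it
# in the kernel.  Exit 0 = table would load, non-zero = refused.
verify_root_hash() {  # $1 = root hash (hex), $2 = signer name, $3 = trusted CA
    printf '%s' "$1" > "$WORK/roothash-check.txt"
    openssl smime -verify -binary -inform der -in "$WORK/roothash-$2.p7s" \
        -content "$WORK/roothash-check.txt" -certfile "$WORK/$2.crt" \
        -CAfile "$WORK/$3.crt" -out /dev/null 2>/dev/null
}

# Combined policy decision for a root hash signed by $2 when $3 is the only
# builtin CA: the key must be loadable into the secondary keyring and the
# signature must verify against it.
table_load_decision() {  # $1 = root hash (hex), $2 = signer name, $3 = builtin CA
    if chains_to_builtin "$2" "$3" && verify_root_hash "$1" "$2" "$3"; then
        echo accepted
    else
        echo refused
    fi
}

# Constructed values: a sha256-sized root hash such as veritysetup format
# prints, and the same hash with its last nibble changed.
ROOT_HASH=2c7e1f0a9b8d6e5f4c3b2a19081726354453627180fedcba9876543210abcdef
TAMPERED_HASH=2c7e1f0a9b8d6e5f4c3b2a19081726354453627180fedcba9876543210abcde0

make_ca ca
make_leaf leaf ca
make_ca rogue
sign_root_hash "$ROOT_HASH" leaf
sign_root_hash "$ROOT_HASH" rogue

echo "leaf, issued by builtin CA:  $(table_load_decision "$ROOT_HASH" leaf ca)"
echo "rogue, self-signed:          $(table_load_decision "$ROOT_HASH" rogue ca)"
echo "leaf, tampered root hash:    $(table_load_decision "$TAMPERED_HASH" leaf ca)"
```

The three lines the script prints correspond to the three outcomes the patch cares about: a run-time key that chains to a builtin CA is accepted, a key with no chain to the builtin keyring is refused even though its signature is internally valid, and a valid key does not help once the root hash it signed no longer matches the table. On a real system the leaf certificate is loaded in DER form with keyctl into .secondary_trusted_keys, and veritysetup open --root-hash-signature hands the signature to the kernel through a user key named in the table's root_hash_sig_key_desc parameter; without the new option, only keys in the builtin keyring can satisfy that check.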