From: Luca Boccassi
Date: Thu, 8 Dec 2022 20:42:56 +0000
Subject: Re: [PATCH] fsverity: don't check builtin signatures when require_signatures=0
To: Eric Biggers
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
    linux-f2fs-devel@lists.sourceforge.net, linux-btrfs@vger.kernel.org,
    linux-integrity@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20221208033523.122642-1-ebiggers@kernel.org>

On Thu, 8 Dec 2022 at 03:35, Eric Biggers wrote:
>
> From: Eric Biggers
>
> An issue that arises when migrating from builtin signatures to userspace
> signatures is that existing files that have builtin signatures cannot be
> opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or
> the signing certificate is left in the .fs-verity keyring.
>
> Since builtin signatures provide no security benefit when
> fs.verity.require_signatures=0 anyway, let's just skip the signature
> verification in this case.
>
> Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures")
> Cc: # v5.4+
> Signed-off-by: Eric Biggers
> ---
> fs/verity/signature.c | 18 ++++++++++++++++--
> 1 file changed, 16 insertions(+), 2 deletions(-)

Acked-by: Luca Boccassi