DM-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
@ 2020-10-02  7:18 Mickaël Salaün
  2020-10-09  9:50 ` Mickaël Salaün
  0 siblings, 1 reply; 6+ messages in thread
From: Mickaël Salaün @ 2020-10-02  7:18 UTC (permalink / raw)
  To: Alasdair Kergon, Mike Snitzer
  Cc: Mickaël Salaün, Deven Bowers, Jaskaran Khurana,
	Milan Broz, dm-devel, linux-integrity, linux-kernel,
	Mickaël Salaün

From: Mickaël Salaün <mic@linux.microsoft.com>

Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
to enable dm-verity signatures to be verified against the secondary
trusted keyring.  This allows certificate updates without kernel update
and reboot, aligning with module and kernel (kexec) signature
verifications.

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Cc: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Cc: Milan Broz <gmazyland@gmail.com>
---
 drivers/md/Kconfig                | 13 ++++++++++++-
 drivers/md/dm-verity-verify-sig.c |  9 +++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
index 30ba3573626c..63870fdfe8ce 100644
--- a/drivers/md/Kconfig
+++ b/drivers/md/Kconfig
@@ -530,11 +530,22 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG
 	bool "Verity data device root hash signature verification support"
 	depends on DM_VERITY
 	select SYSTEM_DATA_VERIFICATION
-	  help
+	---help---
 	  Add ability for dm-verity device to be validated if the
 	  pre-generated tree of cryptographic checksums passed has a pkcs#7
 	  signature file that can validate the roothash of the tree.
 
+	  By default, rely on the builtin trusted keyring.
+
+	  If unsure, say N.
+
+config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+	bool "Verity data device root hash signature verification with secondary keyring"
+	depends on DM_VERITY_VERIFY_ROOTHASH_SIG
+	depends on SECONDARY_TRUSTED_KEYRING
+	---help---
+	  Rely on the secondary trusted keyring to verify dm-verity signatures.
+
 	  If unsure, say N.
 
 config DM_VERITY_FEC
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index 614e43db93aa..29385dc470d5 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
 	}
 
 	ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
-				sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
-				NULL, NULL);
+				sig_len,
+#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+				VERIFY_USE_SECONDARY_KEYRING,
+#else
+				NULL,
+#endif
+				VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
 
 	return ret;
 }
-- 
2.28.0

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
  2020-10-02  7:18 [PATCH v1] dm verity: Add support for signature verification with 2nd keyring Mickaël Salaün
@ 2020-10-09  9:50 ` Mickaël Salaün
  2020-10-12 23:55   ` Jarkko Sakkinen
  0 siblings, 1 reply; 6+ messages in thread
From: Mickaël Salaün @ 2020-10-09  9:50 UTC (permalink / raw)
  To: Alasdair Kergon, Mike Snitzer
  Cc: Deven Bowers, Jaskaran Khurana, Milan Broz, dm-devel,
	linux-integrity, linux-kernel, Mickaël Salaün

Hi,

What do you think about this patch?

Regards,
 Mickaël

On 02/10/2020 09:18, Mickaël Salaün wrote:
> From: Mickaël Salaün <mic@linux.microsoft.com>
> 
> Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> to enable dm-verity signatures to be verified against the secondary
> trusted keyring.  This allows certificate updates without kernel update
> and reboot, aligning with module and kernel (kexec) signature
> verifications.
> 
> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
> Cc: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
> Cc: Mike Snitzer <snitzer@redhat.com>
> Cc: Milan Broz <gmazyland@gmail.com>
> ---
>  drivers/md/Kconfig                | 13 ++++++++++++-
>  drivers/md/dm-verity-verify-sig.c |  9 +++++++--
>  2 files changed, 19 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> index 30ba3573626c..63870fdfe8ce 100644
> --- a/drivers/md/Kconfig
> +++ b/drivers/md/Kconfig
> @@ -530,11 +530,22 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG
>  	bool "Verity data device root hash signature verification support"
>  	depends on DM_VERITY
>  	select SYSTEM_DATA_VERIFICATION
> -	  help
> +	---help---
>  	  Add ability for dm-verity device to be validated if the
>  	  pre-generated tree of cryptographic checksums passed has a pkcs#7
>  	  signature file that can validate the roothash of the tree.
>  
> +	  By default, rely on the builtin trusted keyring.
> +
> +	  If unsure, say N.
> +
> +config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> +	bool "Verity data device root hash signature verification with secondary keyring"
> +	depends on DM_VERITY_VERIFY_ROOTHASH_SIG
> +	depends on SECONDARY_TRUSTED_KEYRING
> +	---help---
> +	  Rely on the secondary trusted keyring to verify dm-verity signatures.
> +
>  	  If unsure, say N.
>  
>  config DM_VERITY_FEC
> diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> index 614e43db93aa..29385dc470d5 100644
> --- a/drivers/md/dm-verity-verify-sig.c
> +++ b/drivers/md/dm-verity-verify-sig.c
> @@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
>  	}
>  
>  	ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
> -				sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
> -				NULL, NULL);
> +				sig_len,
> +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> +				VERIFY_USE_SECONDARY_KEYRING,
> +#else
> +				NULL,
> +#endif
> +				VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
>  
>  	return ret;
>  }
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
  2020-10-09  9:50 ` Mickaël Salaün
@ 2020-10-12 23:55   ` Jarkko Sakkinen
  2020-10-12 23:55     ` [dm-devel] " Jarkko Sakkinen
  2020-10-13  8:51     ` Mickaël Salaün
  0 siblings, 2 replies; 6+ messages in thread
From: Jarkko Sakkinen @ 2020-10-12 23:55 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Alasdair Kergon, Mike Snitzer, Deven Bowers, Jaskaran Khurana,
	Milan Broz, dm-devel, linux-integrity, linux-kernel,
	Mickaël Salaün

On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
> Hi,
> 
> What do you think about this patch?
> 
> Regards,
>  Mickaël
> 
> On 02/10/2020 09:18, Mickaël Salaün wrote:
> > From: Mickaël Salaün <mic@linux.microsoft.com>
> > 
> > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> > to enable dm-verity signatures to be verified against the secondary
> > trusted keyring.  This allows certificate updates without kernel update
> > and reboot, aligning with module and kernel (kexec) signature
> > verifications.

I'd prefer a bit more verbose phrasing, not least because I have never
really even peeked at dm-verity, but it is also a good practice.

You have the middle part of the story missing - explaining the semantics
of how the feature leads to the aimed solution.

/Jarkko

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dm-devel] [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
  2020-10-12 23:55   ` Jarkko Sakkinen
@ 2020-10-12 23:55     ` Jarkko Sakkinen
  2020-10-13  8:51     ` Mickaël Salaün
  1 sibling, 0 replies; 6+ messages in thread
From: Jarkko Sakkinen @ 2020-10-12 23:55 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Mike Snitzer, Deven Bowers, linux-kernel,
	Mickaël Salaün, dm-devel, linux-integrity, Milan Broz,
	Alasdair Kergon, Jaskaran Khurana

On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
> Hi,
> 
> What do you think about this patch?
> 
> Regards,
>  Mickaël
> 
> On 02/10/2020 09:18, Mickaël Salaün wrote:
> > From: Mickaël Salaün <mic@linux.microsoft.com>
> > 
> > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> > to enable dm-verity signatures to be verified against the secondary
> > trusted keyring.  This allows certificate updates without kernel update
> > and reboot, aligning with module and kernel (kexec) signature
> > verifications.

I'd prefer a bit more verbose phrasing, not least because I have never
really even peeked at dm-verity, but it is also a good practice.

You have the middle part of the story missing - explaining the semantics
of how the feature leads to the aimed solution.

/Jarkko

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
  2020-10-12 23:55   ` Jarkko Sakkinen
  2020-10-12 23:55     ` [dm-devel] " Jarkko Sakkinen
@ 2020-10-13  8:51     ` Mickaël Salaün
  2020-10-13  8:51       ` [dm-devel] " Mickaël Salaün
  1 sibling, 1 reply; 6+ messages in thread
From: Mickaël Salaün @ 2020-10-13  8:51 UTC (permalink / raw)
  To: Jarkko Sakkinen
  Cc: Alasdair Kergon, Mike Snitzer, Deven Bowers, Jaskaran Khurana,
	Milan Broz, dm-devel, linux-integrity, linux-kernel,
	Mickaël Salaün


On 13/10/2020 01:55, Jarkko Sakkinen wrote:
> On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
>> Hi,
>>
>> What do you think about this patch?
>>
>> Regards,
>>  Mickaël
>>
>> On 02/10/2020 09:18, Mickaël Salaün wrote:
>>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>>
>>> Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
>>> to enable dm-verity signatures to be verified against the secondary
>>> trusted keyring.  This allows certificate updates without kernel update
>>> and reboot, aligning with module and kernel (kexec) signature
>>> verifications.
> 
> I'd prefer a bit more verbose phrasing, not least because I have never
> really even peeked at dm-verity, but it is also a good practice.
> 
> You have the middle part of the story missing - explaining the semantics
> of how the feature leads to the aimed solution.

OK, what about:

Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring. Instead of relying on the builtin trusted keyring (with
hard-coded certificates), the second trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time. Using the secondary trusted keyring
enables to use dm-verity disks (e.g. loop devices) signed by keys which
did not exist at kernel build time, leveraging the certificate chain of
trust model. In practice, this allows to update certificates without
kernel update and reboot, aligning with module and kernel (kexec)
signature verification which already use the secondary trusted keyring.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dm-devel] [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
  2020-10-13  8:51     ` Mickaël Salaün
@ 2020-10-13  8:51       ` Mickaël Salaün
  0 siblings, 0 replies; 6+ messages in thread
From: Mickaël Salaün @ 2020-10-13  8:51 UTC (permalink / raw)
  To: Jarkko Sakkinen
  Cc: Mike Snitzer, Deven Bowers, linux-kernel,
	Mickaël Salaün, dm-devel, linux-integrity, Milan Broz,
	Alasdair Kergon, Jaskaran Khurana


On 13/10/2020 01:55, Jarkko Sakkinen wrote:
> On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
>> Hi,
>>
>> What do you think about this patch?
>>
>> Regards,
>>  Mickaël
>>
>> On 02/10/2020 09:18, Mickaël Salaün wrote:
>>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>>
>>> Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
>>> to enable dm-verity signatures to be verified against the secondary
>>> trusted keyring.  This allows certificate updates without kernel update
>>> and reboot, aligning with module and kernel (kexec) signature
>>> verifications.
> 
> I'd prefer a bit more verbose phrasing, not least because I have never
> really even peeked at dm-verity, but it is also a good practice.
> 
> You have the middle part of the story missing - explaining the semantics
> of how the feature leads to the aimed solution.

OK, what about:

Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring. Instead of relying on the builtin trusted keyring (with
hard-coded certificates), the second trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time. Using the secondary trusted keyring
enables to use dm-verity disks (e.g. loop devices) signed by keys which
did not exist at kernel build time, leveraging the certificate chain of
trust model. In practice, this allows to update certificates without
kernel update and reboot, aligning with module and kernel (kexec)
signature verification which already use the secondary trusted keyring.


--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-02  7:18 [PATCH v1] dm verity: Add support for signature verification with 2nd keyring Mickaël Salaün
2020-10-09  9:50 ` Mickaël Salaün
2020-10-12 23:55   ` Jarkko Sakkinen
2020-10-12 23:55     ` [dm-devel] " Jarkko Sakkinen
2020-10-13  8:51     ` Mickaël Salaün
2020-10-13  8:51       ` [dm-devel] " Mickaël Salaün

DM-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/dm-devel/0 dm-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dm-devel dm-devel/ https://lore.kernel.org/dm-devel \
		dm-devel@redhat.com
	public-inbox-index dm-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.redhat.dm-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git