From: Milan Broz <gmazyland@gmail.com>
To: Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
Cc: ebiggers@google.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-fsdevel@vger.kernel.org, agk@redhat.com,
snitzer@redhat.com, dm-devel@redhat.com, jmorris@namei.org,
Scott Shell <SCOTTSH@microsoft.com>,
Nazmus Sakib <mdsakib@microsoft.com>,
mpatocka@redhat.com
Subject: Re: [RFC PATCH v6 0/1] Add dm verity root hash pkcs7 sig validation.
Date: Tue, 16 Jul 2019 14:59:11 +0200 [thread overview]
Message-ID: <395efa90-65d8-d832-3e2b-2b8ee3794688@gmail.com> (raw)
In-Reply-To: <alpine.LRH.2.21.1907121025510.66082@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.inter>
On 12/07/2019 19:33, Jaskaran Singh Khurana wrote:
>
> Hello Milan,
>
>> Changes in v6:
>>
>> Address comments from Milan Broz and Eric Biggers on v5.
>>
>> -Keep the verification code under config DM_VERITY_VERIFY_ROOTHASH_SIG.
>>
>> -Change the command line parameter to requires_signatures(bool) which will
>> force root hash to be signed and trusted if specified.
>>
>> -Fix the signature not being present in verity_status. Merged the
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.kernel.org%2Fpub%2Fscm%2Flinux%2Fkernel%2Fgit%2Fmbroz%2Flinux.git%2Fcommit%2F%3Fh%3Ddm-cryptsetup%26id%3Da26c10806f5257e255b6a436713127e762935ad3&data=02%7C01%7CJaskaran.Khurana%40microsoft.com%7C18f92445e46940aeebb008d6fe50c610%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636976020210890638&sdata=aY0V9%2FBz2RHryIvoftGKUGnyPp9Fsc1JY4FZbHfW4hg%3D&reserved=0
>> made by Milan Broz and tested it.
>>
>>
>
> Could you please provide feedback on this v6 version.
Hi,
I am ok with the v6 patch; I think Mike will return to it in 5.4 reviews.
But the documentation is very brief. I spent quite a long time to configure the system properly.
I think you should add more description (at least to patch header) how to use this feature in combination with system keyring.
Do I understand correctly that these steps need to be done?
- user configures a certificate and adds it in kernel builtin keyring (I used CONFIG_SYSTEM_TRUSTED_KEYS option).
- the dm-verity device root hash is signed directly by a key of this cert
- the signature is uploaded to the user keyring
- reference to signature in keyring is added as an optional dm-verity table parameter root_hash_sig_key_desc
- optionally, require_signatures dm-verity module is set to enforce signatures.
For reference, below is the bash script I used (with unpatched veritysetup to generate working DM table), is the expected workflow here?
#!/bin/bash
NAME=test
DEV=/dev/sdc
DEV_HASH=/dev/sdd
ROOT_HASH=778fccab393842688c9af89cfd0c5cde69377cbe21ed439109ec856f2aa8a423
SIGN=sign.txt
SIGN_NAME=verity:$NAME
# get unsigned device-mapper table using unpatched veritysetup
veritysetup open $DEV $NAME $DEV_HASH $ROOT_HASH
TABLE=$(dmsetup table $NAME)
veritysetup close $NAME
# Generate self-signed CA key, must be in .config as CONFIG_SYSTEM_TRUSTED_KEYS="path/ca.pem"
#openssl req -x509 -newkey rsa:1024 -keyout ca_key.pem -out ca.pem -nodes -days 365 -set_serial 01 -subj /CN=example.com
# sign root hash directly by CA cert
echo -n $ROOT_HASH | openssl smime -sign -nocerts -noattr -binary -inkey ca_key.pem -signer ca.pem -outform der -out $SIGN
# load signature to keyring
keyctl padd user $SIGN_NAME @u <$SIGN
# add device-mapper table, now with sighed root hash optional argument
dmsetup create -r $NAME --table "$TABLE 2 root_hash_sig_key_desc $SIGN_NAME"
dmsetup table $NAME
# cleanup
dmsetup remove $NAME
keyctl clear @u
Milan
next prev parent reply other threads:[~2019-07-16 12:59 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-01 18:19 [RFC PATCH v6 0/1] Add dm verity root hash pkcs7 sig validation Jaskaran Khurana
2019-07-01 18:19 ` [RFC PATCH v6 1/1] " Jaskaran Khurana
[not found] ` <MN2PR21MB12008A962D4DD8662B3614508AF20@MN2PR21MB1200.namprd21.prod.outlook.com>
2019-07-12 17:33 ` [RFC PATCH v6 0/1] " Jaskaran Singh Khurana
2019-07-16 12:59 ` Milan Broz [this message]
2019-07-16 18:08 ` Jaskaran Singh Khurana
2019-07-17 13:08 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=395efa90-65d8-d832-3e2b-2b8ee3794688@gmail.com \
--to=gmazyland@gmail.com \
--cc=SCOTTSH@microsoft.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdsakib@microsoft.com \
--cc=mpatocka@redhat.com \
--cc=snitzer@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).