linux/drivers/md
Luca Boccassi 6fce1f40e9 dm verity: add support for signature verification with platform keyring
Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
that enables verifying dm-verity signatures using the platform keyring,
which is populated using the UEFI DB certificates. This is useful for
self-enrolled systems that do not use MOK, as the secondary keyring which
is already used for verification, if the relevant kconfig is enabled, is
linked to the machine keyring, which gets its certificates loaded from MOK.
On datacenter/virtual/cloud deployments it is more common to deploy one's
own certificate chain directly in DB on first boot in unattended mode,
rather than relying on MOK, as the latter typically requires interactive
authentication to enroll, and is more suited for personal machines.

Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
if not otherwise specified, as it is likely that if one wants to use
MOK certificates to verify dm-verity volumes, DB certificates are
going to be used too. Keys in DB are allowed to load a full kernel
already anyway, so they are already highly privileged.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
2024-07-03 21:41:11 +02:00
bcache block: move the raid_partial_stripes_expensive flag into the features field 2024-06-20 06:53:15 -06:00
dm-vdo bd_inode series 2024-05-21 09:51:42 -07:00
persistent-data dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-audit.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-audit.h
dm-bio-prison-v1.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-bio-prison-v1.h dm bio prison v1: add dm_cell_key_has_valid_range 2023-03-30 15:57:51 -04:00
dm-bio-prison-v2.c dm: use bio_list_merge_init 2024-04-01 11:53:37 -06:00
dm-bio-prison-v2.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-bio-record.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-bufio.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-builtin.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-cache-background-tracker.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-background-tracker.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-block-types.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-cache-metadata.c dm cache metadata: remove unused struct 'thunk' 2024-07-02 20:53:05 +02:00
dm-cache-metadata.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy-internal.h dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-cache-policy-smq.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-cache-policy.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy.h dm: address indent/space issues 2023-02-14 14:23:06 -05:00
dm-cache-target.c block: remove the discard_alignment flag 2024-06-20 06:53:14 -06:00
dm-clone-metadata.c bitmap: introduce generic optimized bitmap_size() 2024-04-01 10:49:28 +01:00
dm-clone-metadata.h
dm-clone-target.c block: remove the discard_alignment flag 2024-06-20 06:53:14 -06:00
dm-core.h dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-crypt.c block: remove the blk_integrity_profile structure 2024-06-14 10:20:06 -06:00
dm-delay.c dm-delay: remove timer_lock 2024-05-09 09:10:58 -04:00
dm-dust.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ebs-target.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-era-target.c dm: use bio_list_merge_init 2024-04-01 11:53:37 -06:00
dm-exception-store.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-exception-store.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-flakey.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ima.c dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-ima.h dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-init.c dm init: Handle minors larger than 255 2024-07-02 20:53:41 +02:00
dm-integrity.c block: move integrity information into queue_limits 2024-06-14 10:20:07 -06:00
dm-io-rewind.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-io-tracker.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-io.c dm io: remove code duplication between sync_io and aysnc_io 2024-07-02 12:00:43 +02:00
dm-ioctl.c dm ioctl: update DM_DRIVER_EMAIL to new dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-kcopyd.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-linear.c dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-log-userspace-base.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-log-userspace-transfer.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-log-writes.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-log.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-mpath.c dm: use bio_list_merge_init 2024-04-01 11:53:37 -06:00
dm-mpath.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-path-selector.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-path-selector.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-historical-service-time.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-ps-io-affinity.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-ps-queue-length.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-round-robin.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ps-service-time.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-raid1.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-raid.c dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume 2024-07-03 21:41:11 +02:00
dm-region-hash.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-rq.c dm: avoid using symbolic permissions 2023-02-14 14:23:07 -05:00
dm-rq.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-snap-persistent.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-snap-transient.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-snap.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-stats.c dm stats: limit the number of entries 2024-01-30 14:06:44 -05:00
dm-stats.h dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stripe.c dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-switch.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-sysfs.c dm sysfs: make kobj_type structure constant 2023-02-14 14:23:08 -05:00
dm-table.c dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-target.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-thin-metadata.c - Update DM crypt to allocate compound pages if possible. 2023-06-30 12:16:00 -07:00
dm-thin-metadata.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-thin.c - Fix DM discard regressions due to DM core switching over to using 2024-05-21 11:43:11 -07:00
dm-uevent.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-uevent.h dm: fix undue/missing spaces 2023-02-14 14:23:06 -05:00
dm-unstripe.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-verity-fec.c dm-verity: make verity_hash() take dm_verity_io instead of ahash_request 2024-07-03 21:41:11 +02:00
dm-verity-fec.h dm-verity: always "map" the data blocks 2024-07-03 21:41:11 +02:00
dm-verity-loadpin.c dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter 2023-06-28 10:43:04 -07:00
dm-verity-target.c dm-verity: hash blocks with shash import+finup when possible 2024-07-03 21:41:11 +02:00
dm-verity-verify-sig.c dm verity: add support for signature verification with platform keyring 2024-07-03 21:41:11 +02:00
dm-verity-verify-sig.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity.h dm-verity: hash blocks with shash import+finup when possible 2024-07-03 21:41:11 +02:00
dm-writecache.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-zero.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-zone.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-19 08:14:49 -06:00
dm-zoned-metadata.c block: remove gfp_flags from blkdev_zone_mgmt 2024-02-12 08:41:16 -07:00
dm-zoned-reclaim.c
dm-zoned-target.c block: move the zoned flag into the features field 2024-06-19 07:58:28 -06:00
dm-zoned.h
dm.c dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm.h dm: Call dm_revalidate_zones() after setting the queue limits 2024-06-15 20:42:20 -06:00
Kconfig dm verity: add support for signature verification with platform keyring 2024-07-03 21:41:11 +02:00
Makefile dm vdo: use a proper Makefile for dm-vdo 2024-02-20 13:43:17 -05:00
md-autodetect.c md: Remove deprecated CONFIG_MD_LINEAR 2023-12-19 10:16:51 -08:00
md-bitmap.c md/md-bitmap: fix writing non bitmap pages 2024-06-11 21:22:21 +00:00
md-bitmap.h md-bitmap: don't use ->index for pages backing the bitmap file 2023-07-27 00:13:29 -07:00
md-cluster.c md-cluster: check for timeout while a new disk adding 2023-10-12 09:16:19 -07:00
md-cluster.h
md.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-19 08:14:49 -06:00
md.h Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-14 10:22:08 -06:00
raid0.c block: move integrity information into queue_limits 2024-06-14 10:20:07 -06:00
raid0.h md/raid0: add discard support for the 'original' layout 2023-06-30 15:43:50 -07:00
raid1-10.c md/raid1-10: factor out a new helper raid1_should_read_first() 2024-02-29 22:49:46 -08:00
raid1.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-14 10:22:08 -06:00
raid1.h md/raid1: record nonrot rdevs while adding/removing rdevs to conf 2024-02-29 22:49:45 -08:00
raid5-cache.c md/raid5: remove rcu protection to access rdev from conf 2023-11-27 15:49:05 -08:00
raid5-log.h
raid5-ppl.c md: remove mddev->queue 2024-03-06 08:59:53 -08:00
raid5.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-20 06:55:20 -06:00
raid5.h md/raid5: remove rcu protection to access rdev from conf 2023-11-27 15:49:05 -08:00
raid10.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-14 10:22:08 -06:00
raid10.h md/raid10: switch to use md_account_bio() for io accounting 2023-07-27 00:13:29 -07:00