diff options
| author | Mickaël Salaün <mic@linux.microsoft.com> | 2020-10-23 19:05:12 +0200 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2020-12-04 18:04:35 -0500 |
| commit | 4da8f8c8a1e07ad18f057f4044ad96f4135dc877 (patch) | |
| tree | 99247a48d846727f3288051098cf927be70f55a1 /Documentation | |
| parent | 985eabdcfe3aad1aea6fc195dafff503f303aa3a (diff) | |
| download | linux-4da8f8c8a1e07ad18f057f4044ad96f4135dc877.tar.gz linux-4da8f8c8a1e07ad18f057f4044ad96f4135dc877.tar.bz2 linux-4da8f8c8a1e07ad18f057f4044ad96f4135dc877.zip | |
dm verity: Add support for signature verification with 2nd keyring
Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring. Instead of relying on the builtin trusted keyring
(with hard-coded certificates), the second trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time. Using the secondary trusted keyring
enables to use dm-verity disks (e.g. loop devices) signed by keys which
did not exist at kernel build time, leveraging the certificate chain of
trust model. In practice, this makes it possible to update certificates
without kernel update and reboot, aligning with module and kernel
(kexec) signature verification which already use the secondary trusted
keyring.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/admin-guide/device-mapper/verity.rst | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Documentation/admin-guide/device-mapper/verity.rst b/Documentation/admin-guide/device-mapper/verity.rst index 66f71f0dab1b..b088a647acb7 100644 --- a/Documentation/admin-guide/device-mapper/verity.rst +++ b/Documentation/admin-guide/device-mapper/verity.rst @@ -134,7 +134,12 @@ root_hash_sig_key_desc <key_description> the pkcs7 signature of the roothash. The pkcs7 signature is used to validate the root hash during the creation of the device mapper block device. Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG - being set in the kernel. + being set in the kernel. The signatures are checked against the builtin + trusted keyring by default, or the secondary trusted keyring if + DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary + trusted keyring includes by default the builtin trusted keyring, and it can + also gain new certificates at run time if they are signed by a certificate + already in the secondary trusted keyring. Theory of operation =================== |