[RFC PATCH v3 1/1] Add dm verity root hash pkcs7 sig validation
James Morris
jmorris at namei.org
Tue Jun 11 05:31:45 UTC 2019
On Sat, 8 Jun 2019, Milan Broz wrote:
> > Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
> > specified for all dm verity volumes and verification must succeed prior
> > to creation of device mapper block device.
>
> AFAIK there are tools that use dm-verity internally (some container
> functions in systemd can recognize and check dm-verity partitions) and with
> this option we will just kill the possibility to use it without a signature.
>
> Anyway, this is up to Mike and Mikulas, I guess generic distros will not
> set this option.
Right, I think this option would not be for a general purpose distro, but
for embedded systems and other cases where the user may want a more
tightly locked-down system.
--
James Morris
<jmorris at namei.org>