[RFC PATCH v3 1/1] Add dm verity root hash pkcs7 sig validation

James Morris jmorris at namei.org
Tue Jun 11 05:31:45 UTC 2019


On Sat, 8 Jun 2019, Milan Broz wrote:

> > Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
> > specified for all dm verity volumes and verification must succeed prior
> > to creation of device mapper block device.
> 
> AFAIK there are tools that use dm-verity internally (some container
> functions in systemd can recognize and check dm-verity partitions) and with
> this option we will just kill possibility to use it without signature.
> 
> Anyway, this is up to Mike and Mikulas, I guess generic distros will not
> set this option.

Right, I think this option would not be for a general purpose distro, but 
for embedded systems and other cases where the user may want a more 
tightly locked-down system.

-- 
James Morris
<jmorris at namei.org>



More information about the Linux-security-module-archive mailing list