[RFC PATCH v4 1/1] Add dm verity root hash pkcs7 sig validation.

Jaskaran Singh Khurana jaskarankhurana at linux.microsoft.com
Mon Jun 17 20:39:52 UTC 2019



On Mon, 17 Jun 2019, Milan Broz wrote:

> On 13/06/2019 03:06, Jaskaran Khurana wrote:
> ...
>
>> Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
>> specified for all dm verity volumes and verification must succeed prior
>> to creation of device mapper block device.
>
> I had a quick discussion about this and one suggestion was
> to add a dm-verity kernel module parameter instead of a new config option.
>
> The idea is that if you can control the kernel boot command line, you can add it
> there with the same effect (expecting that the root device is on dm-verity as well).
>
> Isn't this a better option, or is it not going to work for you?

Seems like a better option to me. I will make the change and remove both
the configs.

>
> Milan
>
Regards,
Jaskaran


