[PATCH v4 0/3] LoadPin: Enable loading from trusted dm-verity devices
Mike Snitzer
snitzer at kernel.org
Wed May 18 19:43:27 UTC 2022
On Wed, May 18 2022 at 3:23P -0400,
Kees Cook <keescook at chromium.org> wrote:
> On Tue, May 17, 2022 at 04:34:54PM -0700, Matthias Kaehlcke wrote:
> > As of now LoadPin restricts loading of kernel files to a single pinned
> > filesystem, typically the rootfs. This works for many systems, however it
> > can result in a bloated rootfs (and OTA updates) on platforms where
> > multiple boards with different hardware configurations use the same rootfs
> > image. Especially when 'optional' files are large it may be preferable to
> > download/install them only when they are actually needed by a given board.
> > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages'
> > at runtime. As an example a DLC package could contain firmware for a
> > peripheral that is not present on all boards. DLCs use dm-verity [2] to
> > verify the integrity of the DLC content.
>
> For the coming v5 (which will fix the 0-day reports), if I can get some
> Acks from the dm folks, I can carry this with other loadpin changes in
> my tree. Though I'm fine with this going via the dm tree, too:
>
> Acked-by: Kees Cook <keescook at chromium.org>
I'll review it once it's posted.
But I'm going to reply to v4's 1/3 now.
More information about the Linux-security-module-archive
mailing list