Re: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device
On Tue, Jan 31, 2023 at 12:53:59AM -0800, Christoph Hellwig wrote:
On Mon, Jan 30, 2023 at 02:57:24PM -0800, Fan Wu wrote:
> From: Deven Bowers <deven.desai(a)linux.microsoft.com>
>
> block_device structures can have valuable security properties,
> based on how they are created, and what subsystem manages them.
That's a lot of cloudy talk but no real explanation.
Sorry for being too general here. Currently the only use target of this hook is dm-verity.
We use the newly added security hook to save the dm-verity roothash and signature to the
new bdev security blob during the bdev creation time, so LSMs can leverage this
information to protect the system.
I will add this example in the next version.
-Fan