Re: [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook
On Wed, 2023-02-01 at 15:26 -0800, Fan Wu wrote:
On Tue, Jan 31, 2023 at 02:22:01PM +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote:
> > From: Deven Bowers <deven.desai(a)linux.microsoft.com>
> >
> > dm-verity provides a strong guarantee of a block device's integrity. As
> > a generic way to check the integrity of a block device, it provides
> > those integrity guarantees to its higher layers, including the filesystem
> > level.
>
> I think you could reuse most of is_trusted_verity_target(), in
> particular dm_verity_get_root_digest().
>
> And probably, the previous patch is not necessary.
>
> Roberto
>
Thanks for the info. This function seems could be used to get the roothash
but for saving the signature we still need the hook function in the previous
patch.
Uhm, look at the LoadPin case. It does not need to temporarily store
the root digest in a security blob. It evaluates it directly.
Well, ok, dm_verity_loadpin_is_bdev_trusted() looks for trusted digests
in the dm_verity_loadpin_trusted_root_digests list. So, something
equivalent needs to be made for IPE (or you just get the digest).
However, I find not introducing new hooks and evaluating the
information directly more efficient.
Roberto