summaryrefslogtreecommitdiff
path: root/drivers/md/Kconfig
diff options
context:
space:
mode:
authorJaskaran Khurana <jaskarankhurana@linux.microsoft.com>2019-07-18 03:46:15 +0300
committerMike Snitzer <snitzer@redhat.com>2019-08-23 17:13:14 +0300
commit88cd3e6cfac915f50f7aa7b699bdf053afec866e (patch)
treea7fe35abcd39a0f98375d77a0a8e43d2bec60092 /drivers/md/Kconfig
parent39d13a1ac41dc8254f484fcd21af7ff05e316fad (diff)
downloadlinux-88cd3e6cfac915f50f7aa7b699bdf053afec866e.tar.xz
dm verity: add root hash pkcs#7 signature verification
The verification is to support cases where the root hash is not secured by Trusted Boot, UEFI Secureboot or similar technologies. One of the use cases for this is for dm-verity volumes mounted after boot, the root hash provided during the creation of the dm-verity volume has to be secure and thus in-kernel validation implemented here will be used before we trust the root hash and allow the block device to be created. The signature being provided for verification must verify the root hash and must be trusted by the builtin keyring for verification to succeed. The hash is added as a key of type "user" and the description is passed to the kernel so it can look it up and use it for verification. Adds CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG which can be turned on if root hash verification is needed. Kernel commandline dm_verity module parameter 'require_signatures' will indicate whether to force root hash signature verification (for all dm verity volumes). Signed-off-by: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com> Tested-and-Reviewed-by: Milan Broz <gmazyland@gmail.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md/Kconfig')
-rw-r--r--drivers/md/Kconfig12
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
index 3834332f4963..1856c0fb665d 100644
--- a/drivers/md/Kconfig
+++ b/drivers/md/Kconfig
@@ -490,6 +490,18 @@ config DM_VERITY
If unsure, say N.
+config DM_VERITY_VERIFY_ROOTHASH_SIG
+ def_bool n
+ bool "Verity data device root hash signature verification support"
+ depends on DM_VERITY
+ select SYSTEM_DATA_VERIFICATION
+ help
+ Add ability for dm-verity device to be validated if the
+ pre-generated tree of cryptographic checksums passed has a pkcs#7
+ signature file that can validate the roothash of the tree.
+
+ If unsure, say N.
+
config DM_VERITY_FEC
bool "Verity forward error correction support"
depends on DM_VERITY