diff options
| author | Matthias Kaehlcke <mka@chromium.org> | 2022-09-07 04:18:12 +0300 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2022-09-08 02:37:27 +0300 |
| commit | 6e42aec7c75947e0d6b38400628f171364eb8231 (patch) | |
| tree | 447a9e122ce9d58599900258a3e31ba1850d932d /security/loadpin/Kconfig | |
| parent | 916ef6232cc4b84db7082b4c3d3cf1753d9462ba (diff) | |
| download | linux-6e42aec7c75947e0d6b38400628f171364eb8231.tar.xz | |
LoadPin: Require file with verity root digests to have a header
LoadPin expects the file with trusted verity root digests to be
an ASCII file with one digest (hex value) per line. A pinned
root could contain files that meet these format requirements,
even though the hex values don't represent trusted root
digests.
Add a new requirement to the file format which consists in
the first line containing a fixed string. This prevents
attackers from feeding files with an otherwise valid format
to LoadPin.
Suggested-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220906181725.1.I3f51d1bb0014e5a5951be4ad3c5ad7c7ca1dfc32@changeid
Diffstat (limited to 'security/loadpin/Kconfig')
| -rw-r--r-- | security/loadpin/Kconfig | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index 994c1d9376e6..6724eaba3d36 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -33,4 +33,9 @@ config SECURITY_LOADPIN_VERITY on the LoadPin securityfs entry 'dm-verity'. The ioctl expects a file descriptor of a file with verity digests as parameter. The file must be located on the pinned root and - contain one digest per line. + start with the line: + + # LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS + + This is followed by the verity digests, with one digest per + line. |