dm verity: Add support for signature verification with 2nd keyring

Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring.  Instead of relying on the builtin trusted keyring
(with hard-coded certificates), the second trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time.  Using the secondary trusted keyring
enables to use dm-verity disks (e.g. loop devices) signed by keys which
did not exist at kernel build time, leveraging the certificate chain of
trust model.  In practice, this makes it possible to update certificates
without kernel update and reboot, aligning with module and kernel
(kexec) signature verification which already use the secondary trusted
keyring.

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
This commit is contained in:
Mickaël Salaün 2020-10-23 19:05:12 +02:00 committed by Mike Snitzer
parent 985eabdcfe
commit 4da8f8c8a1
3 changed files with 25 additions and 4 deletions

View File

@ -134,7 +134,12 @@ root_hash_sig_key_desc <key_description>
the pkcs7 signature of the roothash. The pkcs7 signature is used to validate
the root hash during the creation of the device mapper block device.
Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG
being set in the kernel.
being set in the kernel. The signatures are checked against the builtin
trusted keyring by default, or the secondary trusted keyring if
DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary
trusted keyring includes by default the builtin trusted keyring, and it can
also gain new certificates at run time if they are signed by a certificate
already in the secondary trusted keyring.
Theory of operation
===================

View File

@ -530,11 +530,22 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG
bool "Verity data device root hash signature verification support"
depends on DM_VERITY
select SYSTEM_DATA_VERIFICATION
help
help
Add ability for dm-verity device to be validated if the
pre-generated tree of cryptographic checksums passed has a pkcs#7
signature file that can validate the roothash of the tree.
By default, rely on the builtin trusted keyring.
If unsure, say N.
config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
bool "Verity data device root hash signature verification with secondary keyring"
depends on DM_VERITY_VERIFY_ROOTHASH_SIG
depends on SECONDARY_TRUSTED_KEYRING
help
Rely on the secondary trusted keyring to verify dm-verity signatures.
If unsure, say N.
config DM_VERITY_FEC

View File

@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
}
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
NULL, NULL);
sig_len,
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
VERIFY_USE_SECONDARY_KEYRING,
#else
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
return ret;
}