dm verity: Add support for signature verification with 2nd keyring - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Mickaël Salaün <mic@linux.microsoft.com>	2020-10-23 19:05:12 +0200
committer	Mike Snitzer <snitzer@redhat.com>	2020-12-04 18:04:35 -0500
commit	4da8f8c8a1e07ad18f057f4044ad96f4135dc877 (patch)
tree	99247a48d846727f3288051098cf927be70f55a1 /drivers/md/dm-mpath.h
parent	985eabdcfe3aad1aea6fc195dafff503f303aa3a (diff)
download	linux-4da8f8c8a1e07ad18f057f4044ad96f4135dc877.tar.bz2

dm verity: Add support for signature verification with 2nd keyring

Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING to enable dm-verity signatures to be verified against the secondary trusted keyring. Instead of relying on the builtin trusted keyring (with hard-coded certificates), the second trusted keyring can include certificate authorities from the builtin trusted keyring and child certificates loaded at run time. Using the secondary trusted keyring enables to use dm-verity disks (e.g. loop devices) signed by keys which did not exist at kernel build time, leveraging the certificate chain of trust model. In practice, this makes it possible to update certificates without kernel update and reboot, aligning with module and kernel (kexec) signature verification which already use the secondary trusted keyring. Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com>

Diffstat (limited to 'drivers/md/dm-mpath.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: