Message-Id: <20221208033523.122642-1-ebiggers@kernel.org>
Date: Wed, 7 Dec 2022 19:35:23 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: linux-fscrypt@...r.kernel.org
Cc: linux-ext4@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net, linux-btrfs@...r.kernel.org, linux-integrity@...r.kernel.org, Luca Boccassi <bluca@...ian.org>, Jes Sorensen <jsorensen@...a.com>, Victor Hsieh <victorhsieh@...gle.com>, stable@...r.kernel.org
Subject: [PATCH] fsverity: don't check builtin signatures when require_signatures=0

From: Eric Biggers <ebiggers@...gle.com>

An issue that arises when migrating from builtin signatures to userspace signatures is that existing files that have builtin signatures cannot be opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or the signing certificate is left in the .fs-verity keyring.

Since builtin signatures provide no security benefit when fs.verity.require_signatures=0 anyway, let's just skip the signature verification in this case.

Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures")
Cc: <stable@...r.kernel.org> # v5.4+
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
--- fs/verity/signature.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/fs/verity/signature.c b/fs/verity/signature.c index 143a530a80088..dc6935701abda 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -13,8 +13,8 @@ #include <linux/verification.h> /* - * /proc/sys/fs/verity/require_signatures - * If 1, all verity files must have a valid builtin signature. + * /proc/sys/fs/verity/require_signatures. If 1, then builtin signatures are + * verified and all verity files must have a valid builtin signature. */ static int fsverity_require_signatures; 
@@ -54,6 +54,20 @@ int fsverity_verify_signature(const struct fsverity_info *vi, return 0; } + /* + * If require_signatures=0, don't verify builtin signatures. + * Originally, builtin signatures were verified opportunistically in + * this case. However, no security property is possible when + * require_signatures=0 anyway. Skipping the builtin signature + * verification makes it easier to migrate existing files from builtin + * signature verification to userspace signature verification. + */ + if (!fsverity_require_signatures) { + fsverity_warn(inode, + "Not checking builtin signature due to require_signatures=0"); + return 0; + } + d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL); if (!d) return -ENOMEM; base-commit: 479174d402bcf60789106eedc4def3957c060bad -- 2.38.1
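Review bot: in the first hunk (the comment above fsverity_require_signatures), the rewritten text still documents only the value 1, while the behaviour this patch changes is the 0 case. State that case directly, for example "If 0, builtin signatures are not verified, even when present", so a reader of the sysctl comment does not have to infer it. The diffstat shows only fs/verity/signature.c changing, so any user-facing description of this sysctl that mentions verification when require_signatures=0 would need the same update in this patch.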
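Review bot: in the second hunk, the new "if (!fsverity_require_signatures)" branch reports through fsverity_warn() on a path the commit message treats as a normal migration state, so each time fsverity_verify_signature() reaches this point for a file carrying a builtin signature it logs a warning for expected behaviour. Consider a lower severity or dropping the message and relying on the code comment. Because the early "return 0" comes before the kzalloc() of d and everything after it, a file whose builtin signature is malformed or was made with a key that is not in the keyring now opens successfully when require_signatures=0; the comment should say so explicitly, since that is the visible behaviour change for existing deployments.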