| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Oct 2020 02:55:02 +0300
From: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Alasdair Kergon <agk@...hat.com>,
Mike Snitzer <snitzer@...hat.com>,
Deven Bowers <deven.desai@...ux.microsoft.com>,
Jaskaran Khurana <jaskarankhurana@...ux.microsoft.com>,
Milan Broz <gmazyland@...il.com>, dm-devel@...hat.com,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
Mickaël Salaün <mic@...ux.microsoft.com>
Subject: Re: [PATCH v1] dm verity: Add support for signature verification
with 2nd keyring
On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
> Hi,
>
> What do you think about this patch?
>
> Regards,
> Mickaël
>
> On 02/10/2020 09:18, Mickaël Salaün wrote:
> > From: Mickaël Salaün <mic@...ux.microsoft.com>
> >
> > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> > to enable dm-verity signatures to be verified against the secondary
> > trusted keyring. This allows certificate updates without kernel update
> > and reboot, aligning with module and kernel (kexec) signature
> > verifications.
I'd prefer a bit more verbose phrasing, not least because I have never
really even peeked at dm-verity, but it is also a good practice.
You have the middle part of the story missing - explaining the semantics
of how the feature leads to the aimed solution.
/Jarkko
Powered by blists - more mailing lists