git.ipfire.org Git - thirdparty/kernel/linux.git/commit
dm-verity: add dm-verity keyring
author    Christian Brauner <brauner@kernel.org>
          Fri, 16 Jan 2026 14:30:34 +0000 (15:30 +0100)
committer Mikulas Patocka <mpatocka@redhat.com>
          Mon, 19 Jan 2026 14:21:10 +0000 (15:21 +0100)
commit    033724b1c627885aed049f775e4b10583d895af6
tree      3a2d6ba1b50588b47e6f5264f68867874119207b
parent    fb8a6c18fb9a6561f7a15b58b272442b77a242dd
dm-verity: add dm-verity keyring

Add a dedicated ".dm-verity" keyring for root hash signature
verification, similar to the ".fs-verity" keyring used by fs-verity.

By default the keyring is unused, retaining the exact same old behavior.
For systems that provision additional keys only intended for dm-verity
images during boot, the dm_verity.keyring_unsealed=1 kernel parameter
leaves the keyring open.

We want to use this in systemd as a way to add keys during boot that are
only used for creating dm-verity devices for later mounting and nothing
else. The discoverable disk image (DDI) spec at [1] heavily relies on
dm-verity and we would like to expand this even more. This will allow us
to do that in a fully backward compatible way.

Once provisioning is complete, userspace restricts and activates it for
dm-verity verification. If userspace fully seals the keyring then it
gains the guarantee that no new keys can be added.

Link: https://uapi-group.org/specifications/specs/discoverable_partitions_specification
Co-developed-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Documentation/admin-guide/kernel-parameters.txt
drivers/md/dm-verity-target.c
drivers/md/dm-verity-verify-sig.c
drivers/md/dm-verity-verify-sig.h