For details see:
Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
+ dm_verity.keyring_unsealed=
+ [KNL] When set to 1, leave the dm-verity keyring
+ unsealed after initialization so userspace can
+ provision keys. Once the keyring is restricted
+ it becomes active and is searched during signature
+ verification.
+
driver_async_probe= [KNL]
List of driver names to be probed asynchronously. *
matches with all driver names. If * is specified, the
.preresume = verity_preresume,
#endif /* CONFIG_SECURITY */
};
-module_dm(verity);
+
+static int __init dm_verity_init(void)
+{
+ int r;
+
+ r = dm_verity_verify_sig_init();
+ if (r)
+ return r;
+
+ r = dm_register_target(&verity_target);
+ if (r) {
+ dm_verity_verify_sig_exit();
+ return r;
+ }
+
+ return 0;
+}
+module_init(dm_verity_init);
+
+static void __exit dm_verity_exit(void)
+{
+ dm_unregister_target(&verity_target);
+ dm_verity_verify_sig_exit();
+}
+module_exit(dm_verity_exit);
/*
* Check whether a DM target is a verity target.
*/
#include <linux/device-mapper.h>
#include <linux/verification.h>
+#include <linux/key.h>
#include <keys/user-type.h>
#include <linux/module.h>
#include "dm-verity.h"
#define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
+static struct key *dm_verity_keyring;
+
+static bool dm_verity_keyring_unsealed __ro_after_init;
+module_param_named(keyring_unsealed, dm_verity_keyring_unsealed, bool, 0444);
+MODULE_PARM_DESC(keyring_unsealed, "Leave the dm-verity keyring unsealed");
+
static bool require_signatures;
module_param(require_signatures, bool, 0444);
MODULE_PARM_DESC(require_signatures,
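Review bot: The MODULE_PARM_DESC for keyring_unsealed states only half of the contract an administrator needs: per the documentation hunk and the `restrict_link` test in the verification hunk, a keyring left unsealed is still not consulted for signature checks until userspace restricts it, and that is the property that makes the parameter safe to enable. Suggest `MODULE_PARM_DESC(keyring_unsealed, "Leave the dm-verity keyring unsealed for userspace provisioning; it is not searched until restricted");`. Marking the backing variable `__ro_after_init` looks right, since nothing in the hunk writes it after parameter parsing.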
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
#endif
+ if (ret != -ENOKEY && ret != -EKEYREJECTED)
+ return ret;
+
+ if (dm_verity_keyring->keys.nr_leaves_on_tree &&
+ dm_verity_keyring->restrict_link)
+ ret = verify_pkcs7_signature(root_hash, root_hash_len,
+ sig_data, sig_len,
+ dm_verity_keyring,
+ VERIFYING_UNSPECIFIED_SIGNATURE,
+ NULL, NULL);
+
return ret;
}
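Review bot: The condition on `dm_verity_keyring->keys.nr_leaves_on_tree` and `dm_verity_keyring->restrict_link` is the trust boundary introduced by this series — an unsealed keyring must never be searched — yet it carries no comment, and the `restrict_link` test reads like an optimisation rather than the security check it is. Suggest `/* An unsealed keyring is still being provisioned: only search it once it has been restricted and holds keys. */` above the `if`. As far as I can tell both fields are peeked without the keyring's semaphore, so a key added concurrently can be missed; since verify_pkcs7_signature() does its own locking this only decides whether the fallback runs and which of the two earlier errors is reported, but the comment should say the check is deliberately best-effort. The enclosing function starts outside the hunk.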
sig_opts->sig = NULL;
sig_opts->sig_size = 0;
}
+
+int __init dm_verity_verify_sig_init(void)
+{
+ dm_verity_keyring = keyring_alloc(".dm-verity",
+ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
+ current_cred(),
+ KEY_POS_SEARCH |
+ KEY_USR_VIEW | KEY_USR_READ |
+ KEY_USR_WRITE | KEY_USR_SEARCH |
+ KEY_USR_SETATTR,
+ KEY_ALLOC_NOT_IN_QUOTA,
+ NULL, NULL);
+ if (IS_ERR(dm_verity_keyring))
+ panic("dm-verity can't allocate keyring\n");
+
+ if (!dm_verity_keyring_unsealed &&
+ keyring_restrict(make_key_ref(dm_verity_keyring, true), NULL, NULL))
+ panic("dm-verity can't seal keyring\n");
+
+ return 0;
+}
+
+void __exit dm_verity_verify_sig_exit(void)
+{
+ key_revoke(dm_verity_keyring);
+ key_put(dm_verity_keyring);
+}
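Review bot: Both failure paths in dm_verity_verify_sig_init() call panic() although the function returns int and its caller in the dm-verity.c hunk already propagates a non-zero return: a failed keyring_alloc() or keyring_restrict() would bring down a system that could simply have refused to load dm-verity, which matters when the code is built as a module. Returning the error also lets the keyring be released when keyring_restrict() fails, a cleanup the panic() path never reaches. The rewrite below leaves the success path, including the allocation and permission mask, unchanged.
```c
int __init dm_verity_verify_sig_init(void)
{
	/* … unchanged: keyring_alloc() of dm_verity_keyring … */
	if (IS_ERR(dm_verity_keyring))
		return PTR_ERR(dm_verity_keyring);

	/* Sealing makes the keyring usable for verification; an unsealed keyring is never searched. */
	if (!dm_verity_keyring_unsealed) {
		int r = keyring_restrict(make_key_ref(dm_verity_keyring, true),
					 NULL, NULL);

		if (r) {
			key_put(dm_verity_keyring);
			return r;
		}
	}

	return 0;
}
```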
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
+int __init dm_verity_verify_sig_init(void);
+void __exit dm_verity_verify_sig_exit(void);
+
#else
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
{
}
+static inline int dm_verity_verify_sig_init(void)
+{
+ return 0;
+}
+
+static inline void dm_verity_verify_sig_exit(void)
+{
+}
+
#endif /* CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG */
#endif /* DM_VERITY_SIG_VERIFICATION_H */