Re: [RFC PATCH v6 0/1] Add dm verity root hash pkcs7 sig validation.

From: Jaskaran Singh Khurana
Date: Tue Jul 16 2019 - 14:08:49 EST

Hello Milan,
On Tue, 16 Jul 2019, Milan Broz wrote:

On 12/07/2019 19:33, Jaskaran Singh Khurana wrote:

Hello Milan,

Changes in v6:

Address comments from Milan Broz and Eric Biggers on v5.

-Keep the verification code under config DM_VERITY_VERIFY_ROOTHASH_SIG.

-Change the command line parameter to requires_signatures(bool) which will
force root hash to be signed and trusted if specified.

-Fix the signature not being present in verity_status. Merged the changes
made by Milan Broz and tested it.

Could you please provide feedback on this v6 version.


I am ok with the v6 patch; I think Mike will return to it in 5.4 reviews.

Thanks for the help and also for reviewing this patch. Could you please add Reviewed-by/Tested-by tag to the patch.

But the documentation is very brief. I spent quite a long time configuring the system properly.
I think you should add more description (at least to the patch header) of how to use this feature in combination with the system keyring.

I will add more documentation to the patch header describing the steps required for setup.

Do I understand correctly that these steps need to be done?

- user configures a certificate and adds it in kernel builtin keyring (I used CONFIG_SYSTEM_TRUSTED_KEYS option).
- the dm-verity device root hash is signed directly by a key of this cert
- the signature is uploaded to the user keyring
- reference to signature in keyring is added as an optional dm-verity table parameter root_hash_sig_key_desc
- optionally, the require_signatures dm-verity module parameter is set to enforce signatures.

For reference, below is the bash script I used (with unpatched veritysetup to generate a working DM table); is this the expected workflow here?

The steps and workflow are correct. I will send the cryptsetup changes for review.

#!/bin/bash
# Expects DEV (data device), DEV_HASH (hash device), ROOT_HASH (hex root hash
# printed by "veritysetup format"), NAME (mapping name), SIGN (signature file)
# and SIGN_NAME (keyring description) to be set in the environment.
set -e
: "${DEV:?}" "${DEV_HASH:?}" "${ROOT_HASH:?}" "${NAME:?}" "${SIGN:?}" "${SIGN_NAME:?}"

# get unsigned device-mapper table using unpatched veritysetup
veritysetup open "$DEV" "$NAME" "$DEV_HASH" "$ROOT_HASH"
TABLE=$(dmsetup table "$NAME")
veritysetup close "$NAME"

# Generate self-signed CA key (test key only; 1024-bit RSA is not for real deployments).
# The certificate must be built into the kernel: CONFIG_SYSTEM_TRUSTED_KEYS="path/ca.pem"
#openssl req -x509 -newkey rsa:1024 -keyout ca_key.pem -out ca.pem -nodes -days 365 -set_serial 01 -subj /

# sign root hash directly by CA cert: detached PKCS#7 in DER, no embedded certificate
# (the kernel looks the signer up in its keyring) and no signed attributes
echo -n "$ROOT_HASH" | openssl smime -sign -nocerts -noattr -binary -inkey ca_key.pem -signer ca.pem -outform der -out "$SIGN"

# load signature to the user keyring
keyctl padd user "$SIGN_NAME" @u <"$SIGN"

# add device-mapper table, now with signed root hash optional argument
# (appending "2 ..." assumes the table has no optional-argument section yet)
dmsetup create -r "$NAME" --table "$TABLE 2 root_hash_sig_key_desc $SIGN_NAME"
dmsetup table "$NAME"

# cleanup
dmsetup remove "$NAME"
keyctl clear @u

Thanks for testing the changes and all the guidance here.
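
The script in the thread appends "2 root_hash_sig_key_desc ..." to whatever "dmsetup table" printed, which only works when veritysetup emitted no optional arguments; a table that already ends in, say, "1 ignore_zero_blocks" would get a second optional section and be rejected. The following POSIX shell is an added example, not code from the thread, from cryptsetup or from the kernel patch. It appends the option while keeping and recounting any existing optional arguments, and adds a userspace pre-check of the detached PKCS#7 signature with openssl so a key or certificate mistake fails before the dmsetup call. It assumes the standard dm-verity table layout (13 mandatory fields, then an optional-argument count); the sample table lines, device names, key description and file names are constructed for the example.

```sh
#!/bin/sh
# Added example (not the thread's script or the kernel patch): build the
# dm-verity table with the root_hash_sig_key_desc option without assuming
# "dmsetup table" printed no optional arguments, and check the signature in
# userspace before the kernel sees it.
set -e

# dm-verity table line as printed by "dmsetup table":
#   <start> <length> verity <version> <data_dev> <hash_dev> <data_block_size>
#   <hash_block_size> <num_data_blocks> <hash_start_block> <algorithm>
#   <root_hash> <salt> [<#opt_args> <opt_arg>...]
# 13 mandatory fields; field 14, when present, counts the optional arguments.
add_sig_opt_arg() {
    table="$1"
    key_desc="$2"
    # Split the table line into positional parameters (word splitting is intended).
    set -- $table
    if [ "$#" -lt 13 ] || [ "$3" != "verity" ]; then
        echo "add_sig_opt_arg: not a dm-verity table line: $table" >&2
        return 1
    fi
    mandatory="$1 $2 $3 $4 $5 $6 $7 $8 $9"
    shift 9
    mandatory="$mandatory $1 $2 $3 $4"
    shift 4
    if [ "$#" -gt 0 ]; then
        count="$1"
        shift
        existing="$*"
    else
        count=0
        existing=""
    fi
    case "$count" in
        ''|*[!0-9]*)
            echo "add_sig_opt_arg: bad optional-argument count: $count" >&2
            return 1 ;;
    esac
    # root_hash_sig_key_desc takes one value, so the optional section grows by two words.
    count=$((count + 2))
    if [ -n "$existing" ]; then
        printf '%s %s %s root_hash_sig_key_desc %s\n' "$mandatory" "$count" "$existing" "$key_desc"
    else
        printf '%s %s root_hash_sig_key_desc %s\n' "$mandatory" "$count" "$key_desc"
    fi
}

# Userspace pre-check of the detached PKCS#7 signature produced by
# "openssl smime -sign -nocerts ...": the signer certificate is not embedded
# in the signature, so it is supplied with -certfile and trusted via -CAfile,
# mirroring the kernel verifying against the builtin keyring. Needs real
# files (hypothetical paths passed by the caller), so the constructed sample
# below does not exercise it.
check_root_hash_sig() {
    root_hash="$1"
    sig="$2"
    ca_cert="$3"
    printf '%s' "$root_hash" |
        openssl smime -verify -binary -inform DER -in "$sig" -content /dev/stdin \
            -certfile "$ca_cert" -CAfile "$ca_cert" -out /dev/null
}

# Constructed sample tables (not taken from a real device): one without
# optional arguments, as older veritysetup prints, and one where
# "1 ignore_zero_blocks" is already present.
SAMPLE_TABLE_PLAIN="0 8192 verity 1 /dev/sda1 /dev/sda2 4096 4096 1024 1 sha256 aabb ccdd"
SAMPLE_TABLE_OPTS="$SAMPLE_TABLE_PLAIN 1 ignore_zero_blocks"
add_sig_opt_arg "$SAMPLE_TABLE_PLAIN" verity_sig
add_sig_opt_arg "$SAMPLE_TABLE_OPTS" verity_sig
```

In the real flow the output of add_sig_opt_arg replaces the hand-built "--table" string, and check_root_hash_sig is run on ROOT_HASH, the signature file and ca.pem right after signing, before "keyctl padd".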