Re: [RFC PATCH v3 1/1] Add dm verity root hash pkcs7 sig validation

From: James Morris
Date: Tue Jun 11 2019 - 01:36:47 EST


On Sat, 8 Jun 2019, Milan Broz wrote:

> > Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
> > specified for all dm verity volumes and verification must succeed prior
> > to creation of device mapper block device.
>
> AFAIK there are tools that use dm-verity internally (some container
> functions in systemd can recognize and check dm-verity partitions) and with
> this option we will just kill the possibility to use it without a signature.
>
> Anyway, this is up to Mike and Mikulas, I guess generic distros will not
> set this option.

Right, I think this option would not be for a general purpose distro, but
for embedded systems and other cases where the user may want a more
tightly locked-down system.

--
James Morris
<jmorris@xxxxxxxxx>