Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected

Keyrings Archive mirror
 help / color / mirror / Atom feed

From: Milan Broz <gmazyland@gmail.com>
To: Luca Boccassi <luca.boccassi@gmail.com>
Cc: Eric Biggers <ebiggers@kernel.org>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Mikulas Patocka <mpatocka@redhat.com>,
	dm-devel@lists.linux.dev, snitzer@kernel.org, serge@hallyn.com,
	wufan@linux.microsoft.com, David Howells <dhowells@redhat.com>,
	keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected
Date: Fri, 27 Sep 2024 09:12:40 +0200	[thread overview]
Message-ID: <08fe559f-f5b8-497f-b7aa-6e61e5c1aeb3@gmail.com> (raw)
In-Reply-To: <CAMw=ZnT=3n+1n6z0HE7JPNFX07fAJS+5W+SeO4pddrcUcEpjZA@mail.gmail.com>

On 9/25/24 11:28 PM, Luca Boccassi wrote:
>>
>> Do people use veritysetup (libcryptsetup) here, or does it run with its separate userspace tooling?
> 
> This is used with libcryptsetup commonly, and often with veritysetup.
> It is fairly easy to test in a VM or on baremetal, it is not required
> to build your own kernel - that's the reason for supporting
> secondary+platform keyrings (the first one allows you to enroll keys
> in MOK, the second one for UEFI DB).
> We would even have a CI testing this for every PR and merge in systemd
> on Github, _except_ there is currently an issue (unrelated to
> dmverity) that happens when nesting KVM with UEFI secure boot enabled
> on top of HyperV, which means it cannot be used reliably on Github
> Actions. Once that is solved, this will be again part of the systemd
> CI integration tests. But it is used regularly by developers on their
> machines.

Hi Luca,

good to know that libcryptswtup userspace is then used here, thanks for the info!

I have some more questions, but that is not related to this thread,
I will ask in another mail later.

Thanks,
Milan


> 
> It might not be commonly used by kernel developers, I do not know as I
> am not a kernel developer, but it is becoming more and more common in
> userspace and among image builders. For example the mkosi image
> builder, using systemd-repart, can very easily build distro images
> using signed dm verity. I am at All Systems Go and just today there
> were multiple talks by multiple people using dmverity images for their
> distros/platforms/products, especially with systemd-sysext, which is
> all about signed dm-verity.
> 
> In 6.12 we will also have IPE which allows to enable trusted code
> integrity checks that cannot be trivially bypassed by other userspace
> processes running with root or caps. This has been, still is and will
> be for the foreseeable future, in use in the Azure infrastructure.
> 
> Hope this provides some clarity, let me know if you need more info.

     prev parent reply	other threads:[~2024-09-27  7:12 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20240922161753.244476-1-luca.boccassi@gmail.com>
2024-09-23 14:04 ` [PATCH] dm verity: fallback to platform keyring also if key in trusted keyring is rejected Mikulas Patocka
2024-09-24 15:54   ` Jarkko Sakkinen
2024-09-24 18:27     ` Mikulas Patocka
2024-09-24 21:36       ` Jarkko Sakkinen
2024-09-24 21:59         ` Eric Biggers
2024-09-25  7:51           ` Jarkko Sakkinen
2024-09-25  8:03           ` Milan Broz
2024-09-25  9:05             ` Jarkko Sakkinen
2024-09-25 12:57               ` Serge E. Hallyn
2024-09-25 14:50                 ` Jarkko Sakkinen
2024-09-25 16:53               ` Eric Biggers
2024-09-25 17:15                 ` Jarkko Sakkinen
2024-09-25 21:28             ` Luca Boccassi
2024-09-27  7:12               ` Milan Broz [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=08fe559f-f5b8-497f-b7aa-6e61e5c1aeb3@gmail.com \
    --to=gmazyland@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=dm-devel@lists.linux.dev \
    --cc=ebiggers@kernel.org \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=luca.boccassi@gmail.com \
    --cc=mpatocka@redhat.com \
    --cc=serge@hallyn.com \
    --cc=snitzer@kernel.org \
    --cc=wufan@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).