diff options
| author | Matthias Kaehlcke <mka@chromium.org> | 2022-06-27 17:35:24 +0200 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2022-07-08 19:46:46 +0200 |
| commit | b6c1c5745ccc68ac5d57c7ffb51ea25a86d0e97b (patch) | |
| tree | 2b40bdda727e2db9ce4e773f5c52a647638df5ff /security/loadpin | |
| parent | stack: Declare {randomize_,}kstack_offset to fix Sparse warnings (diff) | |
| download | linux-b6c1c5745ccc68ac5d57c7ffb51ea25a86d0e97b.tar.xz linux-b6c1c5745ccc68ac5d57c7ffb51ea25a86d0e97b.zip | |
dm: Add verity helpers for LoadPin
LoadPin limits loading of kernel modules, firmware and certain
other files to a 'pinned' file system (typically a read-only
rootfs). To provide more flexibility LoadPin is being extended
to also allow loading these files from trusted dm-verity
devices. For that purpose LoadPin can be provided with a list
of verity root digests that it should consider as trusted.
Add a bunch of helpers to allow LoadPin to check whether a DM
device is a trusted verity device. The new functions broadly
fall in two categories: those that need access to verity
internals (like the root digest), and the 'glue' between
LoadPin and verity. The new file dm-verity-loadpin.c contains
the glue functions.
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Acked-by: Mike Snitzer <snitzer@kernel.org>
Link: https://lore.kernel.org/lkml/20220627083512.v7.1.I3e928575a23481121e73286874c4c2bdb403355d@changeid
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'security/loadpin')
0 files changed, 0 insertions, 0 deletions