Message ID | 20220627153526.3750341-1-mka@chromium.org (mailing list archive) |
---|---|
Headers | show |
Series | LoadPin: Enable loading from trusted dm-verity devices | expand |
On Mon, Jun 27 2022 at 11:35P -0400, Matthias Kaehlcke <mka@chromium.org> wrote: > As of now LoadPin restricts loading of kernel files to a single pinned > filesystem, typically the rootfs. This works for many systems, however it > can result in a bloated rootfs (and OTA updates) on platforms where > multiple boards with different hardware configurations use the same rootfs > image. Especially when 'optional' files are large it may be preferable to > download/install them only when they are actually needed by a given board. > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages' > at runtime. As an example a DLC package could contain firmware for a > peripheral that is not present on all boards. DLCs use dm-verity [2] to > verify the integrity of the DLC content. > > This series extends LoadPin to allow loading of kernel files from trusted > dm-verity devices. LoadPin maintains a list of root digests of verity > devices it considers trusted. Userspace can populate this list through an > ioctl on the new LoadPin securityfs entry 'dm-verity'. The ioctl receives > a file descriptor of a file with verity digests as parameter. Verity reads > the digests from this file after confirming that the file is located on the > pinned root. The digest file must contain one digest per line. The list of > trusted digests can only be set up once, which is typically done at boot > time. > > When a kernel file is read LoadPin first checks (as usual) whether the file > is located on the pinned root, if so the file can be loaded. Otherwise, if > the verity extension is enabled, LoadPin determines whether the file is > located on a verity backed device and whether the root digest of that > device is in the list of trusted digests. The file can be loaded if the > verity device has a trusted root digest. > > [1] https://chromium.googlesource.com/chromiumos/platform2/+/HEAD/dlcservice/docs/developer.md > [2] https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html Hi Kees, Please pick this series up, thanks. Mike -- dm-devel mailing list dm-devel@redhat.com https://listman.redhat.com/mailman/listinfo/dm-devel
On Wed, Jul 06, 2022 at 11:11:58AM -0400, Mike Snitzer wrote: > On Mon, Jun 27 2022 at 11:35P -0400, > Matthias Kaehlcke <mka@chromium.org> wrote: > > > As of now LoadPin restricts loading of kernel files to a single pinned > > filesystem, typically the rootfs. This works for many systems, however it > > can result in a bloated rootfs (and OTA updates) on platforms where > > multiple boards with different hardware configurations use the same rootfs > > image. Especially when 'optional' files are large it may be preferable to > > download/install them only when they are actually needed by a given board. > > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages' > > at runtime. As an example a DLC package could contain firmware for a > > peripheral that is not present on all boards. DLCs use dm-verity [2] to > > verify the integrity of the DLC content. > > > > This series extends LoadPin to allow loading of kernel files from trusted > > dm-verity devices. LoadPin maintains a list of root digests of verity > > devices it considers trusted. Userspace can populate this list through an > > ioctl on the new LoadPin securityfs entry 'dm-verity'. The ioctl receives > > a file descriptor of a file with verity digests as parameter. Verity reads > > the digests from this file after confirming that the file is located on the > > pinned root. The digest file must contain one digest per line. The list of > > trusted digests can only be set up once, which is typically done at boot > > time. > > > > When a kernel file is read LoadPin first checks (as usual) whether the file > > is located on the pinned root, if so the file can be loaded. Otherwise, if > > the verity extension is enabled, LoadPin determines whether the file is > > located on a verity backed device and whether the root digest of that > > device is in the list of trusted digests. The file can be loaded if the > > verity device has a trusted root digest. > > > > [1] https://chromium.googlesource.com/chromiumos/platform2/+/HEAD/dlcservice/docs/developer.md > > [2] https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html > > Hi Kees, > > Please pick this series up, thanks. Thanks for the Acks! I'll get this into -next shortly.
On Mon, 27 Jun 2022 08:35:23 -0700, Matthias Kaehlcke wrote: > As of now LoadPin restricts loading of kernel files to a single pinned > filesystem, typically the rootfs. This works for many systems, however it > can result in a bloated rootfs (and OTA updates) on platforms where > multiple boards with different hardware configurations use the same rootfs > image. Especially when 'optional' files are large it may be preferable to > download/install them only when they are actually needed by a given board. > Chrome OS uses Downloadable Content (DLC) [1] to deploy certain 'packages' > at runtime. As an example a DLC package could contain firmware for a > peripheral that is not present on all boards. DLCs use dm-verity [2] to > verify the integrity of the DLC content. > > [...] Applied to for-next/hardening, thanks! [1/3] dm: Add verity helpers for LoadPin https://git.kernel.org/kees/c/b6c1c5745ccc [2/3] LoadPin: Enable loading from trusted dm-verity devices https://git.kernel.org/kees/c/3f805f8cc23b [3/3] dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation https://git.kernel.org/kees/c/231af4709018