dm verity: fallback to platform keyring also if key in trusted keyring is rejected
author Luca Boccassi <[email protected]>
Sun, 22 Sep 2024 16:17:53 +0000 (18:17 +0200)
committer Mikulas Patocka <[email protected]>
Thu, 26 Sep 2024 15:27:08 +0000 (17:27 +0200)
If enabled, we fall back to the platform keyring if the trusted keyring doesn't have
the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
reasons, such as usage restrictions, we do not fall back. Do so.

Follow-up for 6fce1f40e95182ebbfe1ee3096b8fc0b37903269

Suggested-by: Serge Hallyn <[email protected]>
Signed-off-by: Luca Boccassi <[email protected]>
Acked-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Mikulas Patocka <[email protected]>
drivers/md/dm-verity-verify-sig.c

index d351d7d39c60a652b3da37e7e02f09f4920efe44..a9e2c6c0a33c6db8a3b5791f51e86f401350e614 100644 (file)
@@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
 #endif
                                VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
 #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
-       if (ret == -ENOKEY)
+       if (ret == -ENOKEY || ret == -EKEYREJECTED)
                ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
                                        sig_len,
                                        VERIFY_USE_PLATFORM_KEYRING,
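Review bot: the widened condition `if (ret == -ENOKEY || ret == -EKEYREJECTED)` would benefit from a short inline comment stating why -EKEYREJECTED is treated the same as -ENOKEY here, since the errno name alone does not convey the usage-restriction case the commit message describes, and a future reader of this #ifdef block has no other hint that the trusted-keyring rejection is intentionally retried against the platform keyring; something like `/* key missing or rejected (e.g. usage restrictions): retry with the platform keyring */` above the check would document it.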