Currently, Fedora kernels do not enable the CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING option. I'd like to ask you to enable it.
If enabled, the logic that is already enabled by CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y is slightly tweaked: instead of checking Verity roothash signature keys only against built-in signing keys, they can be checked against keys uploaded from userspace first.
Note that module signing already checks the second keyring, i.e. this just makes DM verity mounting more like kernel module loading with respect to signature verification.
Doing this would be tremendously helpful because it allows making use of the roothash signature logic from userspace without requiring everything to be signed by Fedora: if enabled, users can bless their own images with a signature that can be validated by a trusted key uploaded into the kernel.
Or to say it the other way round: not setting this option only really makes sense if Fedora actually would sign any Verity images with the keys built into the kernel. Given that it does not at the moment, the fact that CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y is already enabled is kinda pointless; it only starts to make sense once CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set too.
Or to say it even differently: outside of extremely focussed environments where only a single kernel shall boot only a single verity image and everything comes from a single vendor, I doubt disabling CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING ever makes sense.
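The practical consequence of the two options above is a three-way policy: no root hash signature enforcement at all, enforcement against built-in kernel keys only, or enforcement against built-in keys plus keys loaded into the secondary keyring from userspace. The following script is an added example, not part of the bug report and not Fedora tooling, that reads a kernel build config and reports which of the three applies. It assumes the config is available either as /proc/config.gz or as /boot/config-$(uname -r); the function names (config_value, verity_sig_policy, running_kernel_config) are the example's own.

```shell
#!/bin/sh
# Added example: classify a kernel's dm-verity root-hash signature policy
# from its build config (not code from the bug report or from Fedora).

# Print the value of one CONFIG_ symbol from a kernel config file.
# "# CONFIG_X is not set" and a missing line both report "n".
config_value() {
    _file=$1
    _sym=$2
    _val=$(sed -n "s/^${_sym}=//p" "$_file" | head -n 1)
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf 'n\n'
    fi
}

# Decide which keys a verity root-hash signature can be validated against:
#   unverified            - CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is off, signatures are not checked
#   builtin-only          - only keys compiled into the kernel are trusted
#   builtin-and-secondary - keys loaded into .secondary_trusted_keys are trusted too
verity_sig_policy() {
    _file=$1
    _sig=$(config_value "$_file" CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG)
    _sec=$(config_value "$_file" CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING)
    if [ "$_sig" != y ]; then
        echo unverified
    elif [ "$_sec" != y ]; then
        echo builtin-only
    else
        echo builtin-and-secondary
    fi
}

# Locate the running kernel's config: /proc/config.gz when the kernel exposes
# it, otherwise the distro-installed copy under /boot. Returns 1 if neither exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        _tmp="${TMPDIR:-/tmp}/verity-config-$$"
        gzip -dc /proc/config.gz > "$_tmp" && printf '%s\n' "$_tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Report on the running kernel when its config can be found.
if _cfg=$(running_kernel_config); then
    echo "kernel $(uname -r): root-hash signature policy = $(verity_sig_policy "$_cfg")"
else
    echo "kernel config not found; pass a config file to verity_sig_policy instead"
fi
```

Only the builtin-and-secondary result lets a locally generated verity signature be accepted. Even then, the secondary keyring is link-restricted: a certificate can only be added to .secondary_trusted_keys (for instance with keyctl padd) if it is itself signed by a key that is already trusted, so "uploaded from userspace" still means chained to an existing trust root rather than any arbitrary key.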
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version'
to a later Fedora Linux version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora Linux 34 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
This will show up in the 5.18 rebases when they happen
FEDORA-2022-4810298c00 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4810298c00
FEDORA-2022-4810298c00 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-4810298c00`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-4810298c00
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-4810298c00 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.