Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2021-09-09 13:19 UTC by Lennart Poettering
Modified: 2022-06-17 01:14 UTC (History)

Fixed In Version: kernel-5.18.4-201.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-06-17 01:14:37 UTC
Type: Bug


Description Lennart Poettering 2021-09-09 13:19:22 UTC
Currently, Fedora kernels do not enable the CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING option. I'd like to ask you to enable it.

If enabled, the logic that is already enabled by CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y is slightly tweaked: instead of checking Verity roothash signature keys only against built-in signing keys, they can be checked against keys uploaded from userspace first.

Note that module signing already checks the second keyring, i.e. this just makes DM verity mounting more like kernel module loading with respect to signature verification.

Doing this would be tremendously helpful because it allows making use of the roothash signature logic from userspace without requiring everything to be signed by Fedora: if enabled, users can bless their own images with a signature that can be validated by a trusted key uploaded into the kernel.

Or to say it the other way round: not setting this option only really makes sense if Fedora actually would sign any Verity images with the keys built into the kernel. Given that it does not at the moment, the fact that CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y is already enabled is kinda pointless; it only starts to make sense once CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set too.

Or to say it even differently: outside of extremely focussed environments where only a single kernel shall boot only a single verity image and everything comes from a single vendor, I doubt disabling CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING ever makes sense.
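The report above argues that the two dm-verity config options only make sense together. The following is an added example (not part of the bug report or of Fedora's kernel packaging) of a small POSIX shell audit that reads a kernel config in the `/boot/config-*` format and classifies the resulting root-hash signature policy: no verification, verification against built-in keys only, or verification against built-in keys plus the secondary keyring. The two sample configs embedded in the script are constructed for the example and are not real Fedora configs; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a kernel's dm-verity root-hash signature policy
# from its config text. Not the bug report's code; function names are
# this example's own.

# Constructed sample configs (not real Fedora kernel configs).
SAMPLE_BUILTIN_ONLY='CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set'

SAMPLE_SECONDARY='CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y'

# config_value CONFIG_TEXT OPTION
# Prints the option's value (y/m/...) or "n" when it is "not set" or absent.
# Matching is anchored on "OPTION=" so a prefix such as
# CONFIG_DM_VERITY does not match CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG.
config_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        index($0, opt "=") == 1 { print substr($0, length(opt) + 2); found = 1; exit }
        END { if (!found) print "n" }'
}

# verity_sig_policy CONFIG_TEXT
# Prints one of:
#   none      - root-hash signatures are never checked
#   builtin   - checked, but only against keys built into the kernel
#   secondary - checked against built-in keys and the secondary keyring,
#               so a key loaded from userspace can vouch for an image
verity_sig_policy() {
    sig=$(config_value "$1" CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG)
    sec=$(config_value "$1" CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING)
    if [ "$sig" != "y" ]; then
        echo none
    elif [ "$sec" = "y" ]; then
        echo secondary
    else
        echo builtin
    fi
}

# Usage on a running system (assumes the distribution ships its config there):
#   verity_sig_policy "$(cat "/boot/config-$(uname -r)")"
```

A result of `builtin` on a distribution that does not itself sign Verity images is exactly the situation the report describes: signature checking is on, but no image a user builds can ever pass it.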

Comment 1 Ben Cotton 2022-05-12 15:52:50 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version'
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora Linux 34 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 2 Justin M. Forbes 2022-05-23 16:35:07 UTC
This will show up in the 5.18 rebases when they happen

Comment 3 Fedora Update System 2022-06-15 17:09:40 UTC
FEDORA-2022-4810298c00 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4810298c00

Comment 4 Fedora Update System 2022-06-16 02:40:13 UTC
FEDORA-2022-4810298c00 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-4810298c00`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-4810298c00

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-06-17 01:14:37 UTC
FEDORA-2022-4810298c00 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
