Commit 579b2ba4 authored by Luca Boccassi's avatar Luca Boccassi Committed by Mikulas Patocka

dm verity: fallback to platform keyring also if key in trusted keyring is rejected

If enabled, we fallback to the platform keyring if the trusted keyring doesn't have
the key used to sign the roothash. But if pkcs7_verify() rejects the key for other
reasons, such as usage restrictions, we do not fallback. Do so.

Follow-up for 6fce1f40Suggested-by: default avatarSerge Hallyn <serge@hallyn.com>
Signed-off-by: default avatarLuca Boccassi <bluca@debian.org>
Acked-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
parent e6a3531d
...@@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len, ...@@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
#endif #endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
if (ret == -ENOKEY) if (ret == -ENOKEY || ret == -EKEYREJECTED)
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data, ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
sig_len, sig_len,
VERIFY_USE_PLATFORM_KEYRING, VERIFY_USE_PLATFORM_KEYRING,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment