APPLIED[J,K,L linux-kvm]: [PATCH 0/8][j/k/l/m linux][j/k/l/m linux-kvm] CONFIG_DM_VERITY=m

Luke Nowakowski-Krijger luke.nowakowskikrijger at canonical.com
Fri Jun 16 01:54:28 UTC 2023


Applied to jammy, kinetic, lunar linux-kvm master-next

Thanks,
- Luke

On Thu, May 11, 2023 at 11:51 AM Tim Gardner <tim.gardner at canonical.com> wrote:

> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> SRU Justification
>
> [Impact]
>
> The kvm flavours currently do not enable dm-verity. This stops us from
> using integrity protected and verified images in VMs using this kernel
> flavour.
>
> All of the master kernels should also have
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING enabled. These
> config changes should bubble down into the cloud derivative kernels.
>
> [Fix]
>
> Please consider enabling the following kconfigs:
>
> CONFIG_DM_VERITY
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
>
> (The latter is needed to ensure that MoK keys can be used to verify
> dm-verity images too, via the machine keyring linked to the secondary
> keyring)
>
> These are already enabled in the 'main' kernel config, and in other
> distros.
>
> As a specific and explicit use case, in the systemd project we want to test
> functionality provided by systemd that needs these kconfigs on Ubuntu
> machines running the kvm flavour kernel.
>
> Note that I explicitly did not enable CONFIG_IMA as requested in the bug
> report since it has performance impacts.
>
> [Regression Potential]
>
> MOK keys may not be correctly read.
>
>
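
A check for the three options requested in the message above, as an added example that is not part of the original thread or of the Ubuntu kernel tooling. The function names and both sample config files are constructed for illustration; on an installed system the same report can be run against `/boot/config-$(uname -r)`.

```shell
#!/bin/sh
# Added example: report the state of the three dm-verity options named in
# the request above for a given kernel config file.

VERITY_OPTS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING"

# kconfig_state FILE OPTION: print y, m, or n. "n" covers both the
# "# OPTION is not set" comment form and an option missing from the file.
# The "=" in the pattern keeps CONFIG_DM_VERITY from matching its longer
# CONFIG_DM_VERITY_VERIFY_* siblings.
kconfig_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${state:-n}"
}

# verity_config_report FILE: print OPTION=state for each option and
# return 0 only when all three are enabled (built in or modular).
verity_config_report() {
    missing=0
    for opt in $VERITY_OPTS; do
        s=$(kconfig_state "$1" "$opt")
        echo "$opt=$s"
        if [ "$s" = n ]; then missing=1; fi
    done
    return "$missing"
}

# Constructed samples (not taken from a real Ubuntu config): a flavour
# without dm-verity, and one with the requested options enabled.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before" <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_VERITY is not set
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
EOF

for f in before after; do
    echo "== $f =="
    verity_config_report "$SAMPLE_DIR/$f" || echo "dm-verity options incomplete"
done
```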