[PATCH 0/8][j/k/l/m linux][j/k/l/m linux-kvm] CONFIG_DM_VERITY=m

Stefan Bader stefan.bader at canonical.com
Fri Sep 1 10:15:04 UTC 2023


On 11.05.23 20:50, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
> 
> SRU Justification
> 
> [Impact]
> 
> The kvm flavours currently do not enable dm-verity. This stops us from using
> integrity protected and verified images in VMs using this kernel flavour.
> 
> All of the master kernels should also have CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING enabled. These
> config changes should bubble down into the cloud derivative kernels.
> 
> [Fix]
> 
> Please consider enabling the following kconfigs:
> 
> CONFIG_DM_VERITY
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> 
> (The latter is needed to ensure that MoK keys can be used to verify dm-verity images
> too, via the machine keyring linked to the secondary keyring)
> 
> These are already enabled in the 'main' kernel config, and in other distros.
> 
> As a specific and explicit use case, in the systemd project we want to test
> functionality provided by systemd that needs these kconfigs on Ubuntu machines running
> the kvm flavour kernel.
> 
> Note that I explicitly did not enable CONFIG_IMA as requested in the bug report since
> it has performance impacts.
> 
> [Regression Potential]
> 
> MOK keys may not be correctly read.
> 
> 
> 
> 
This does not seem to be applied to Mantic, yet. On mantic:linux-kvm: I 
believe that is getting dropped with Mantic, so we could reject it for that.

-- 
- Stefan
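
A check for the three options listed under [Fix], as an added example that is not part of the original thread or of any Ubuntu kernel tooling. The function names and both sample configs are constructed for illustration; pass a real config path such as /boot/config-$(uname -r) as the first argument.

```sh
#!/bin/sh
# Added example; function names and sample configs are hypothetical/constructed.

# kconfig_state FILE OPTION: print y, m, n ("is not set") or missing.
kconfig_state() {
    awk -v opt="$2" '
        $0 ~ ("^" opt "=")             { sub("^" opt "=", ""); state = $0 }
        $0 == ("# " opt " is not set") { state = "n" }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# check_verity_config FILE: succeed only if dm-verity is built (y or m) and
# both root hash signature options, which are bool, are y.
check_verity_config() {
    cfg=$1 rc=0
    v=$(kconfig_state "$cfg" CONFIG_DM_VERITY)
    case $v in y|m) ;; *) rc=1 ;; esac
    echo "CONFIG_DM_VERITY: $v"
    for opt in CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG \
               CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING; do
        s=$(kconfig_state "$cfg" "$opt")
        [ "$s" = y ] || rc=1
        echo "$opt: $s"
    done
    return $rc
}

# Constructed sample: a flavour config without dm-verity.
sample_before() {
    printf '%s\n' 'CONFIG_BLK_DEV_DM=y' '# CONFIG_DM_VERITY is not set'
}

# Constructed sample: the state requested in the thread.
sample_after() {
    printf '%s\n' 'CONFIG_DM_VERITY=m' \
        'CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y' \
        'CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y'
}

if [ $# -gt 0 ]; then
    check_verity_config "$1"
else
    tmp=$(mktemp) && sample_after > "$tmp" && check_verity_config "$tmp"
    rm -f "$tmp"
fi
```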


