[dm-devel] [PATCH v1] dm verity: Add support for signature verification with 2nd keyring
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Mon Oct 12 23:55:02 UTC 2020
On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote:
> Hi,
>
> What do you think about this patch?
>
> Regards,
> Mickaël
>
> On 02/10/2020 09:18, Mickaël Salaün wrote:
> > From: Mickaël Salaün <mic at linux.microsoft.com>
> >
> > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration
> > to enable dm-verity signatures to be verified against the secondary
> > trusted keyring. This allows certificate updates without kernel update
> > and reboot, aligning with module and kernel (kexec) signature
> > verifications.
I'd prefer a bit more verbose phrasing, not least because I have never
really even peeked at dm-verity, but it is also a good practice.
You have the middle part of the story missing - explaining the semantics
of how the feature leads to the aimed solution.
/Jarkko
More information about the dm-devel
mailing list