From: Luca Boccassi <bl...@debian.org>

If enabled, we fall back to the platform keyring if the trusted keyring
doesn't have the key used to sign the roothash. But if pkcs7_verify()
rejects the key for other reasons, such as usage restrictions, we do not
fall back. Do so.

Follow-up for 6fce1f40e95182ebbfe1ee3096b8fc0b37903269

Suggested-by: Serge Hallyn <se...@hallyn.com>
Signed-off-by: Luca Boccassi <bl...@debian.org>
---
 drivers/md/dm-verity-verify-sig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index d351d7d39c60..a9e2c6c0a33c 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t 
root_hash_len,
 #endif
                                VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
 #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
-       if (ret == -ENOKEY)
+       if (ret == -ENOKEY || ret == -EKEYREJECTED)
                ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
                                        sig_len,
                                        VERIFY_USE_PLATFORM_KEYRING,
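Review bot: the widened condition `if (ret == -ENOKEY || ret == -EKEYREJECTED)` deserves a one-line comment above it, because -EKEYREJECTED is not specific to the usage-restriction case the commit message describes: it is the same errno the asymmetric-key code reports when a key in the trusted keyring is found but the signature does not verify against it, so after this change a mismatching signature also gets a second attempt against the platform keyring. That is consistent with the existing -ENOKEY fallback (both keyrings are trusted roots when CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is set), but the retry overwrites `ret`, so the original rejection reason from the trusted keyring is lost; stating both cases in the comment and in the commit message would make the intent clear to the next reader, and a pr_debug() of the first `ret` before the retry would keep the reason recoverable when debugging a boot that fails on the platform-keyring path too.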
-- 
2.39.5