On Fri, 16 Jan 2026, Christian Brauner wrote:
> Add a dedicated ".dm-verity" keyring for root hash signature
> verification, similar to the ".fs-verity" keyring used by fs-verity.
>
> By default the keyring is unused, retaining the exact same old behavior.
> For systems that provision additional keys only intended for dm-verity
> images during boot, the dm_verity.keyring_unsealed=1 kernel parameter
> leaves the keyring open.
>
> We want to use this in systemd as a way to add keys during boot that are
> only used for creating dm-verity devices for later mounting and nothing
> else. The discoverable disk image (DDI) spec at [1] heavily relies on
> dm-verity and we would like to expand this even more. This will allow us
> to do that in a fully backward compatible way.
>
> Once provisioning is complete, userspace restricts and activates it for
> dm-verity verification. If userspace fully seals the keyring then it
> gains the guarantee that no new keys can be added.
>
> Link: https://uapi-group.org/specifications/specs/discoverable_partitions_specification [1]
> Co-developed-by: Aleksa Sarai <[email protected]>
> Signed-off-by: Aleksa Sarai <[email protected]>
> Signed-off-by: Christian Brauner <[email protected]>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 ++++
> drivers/md/dm-verity-target.c | 20 ++++++++++-
> drivers/md/dm-verity-verify-sig.c | 45 +++++++++++++++++++++++++
> drivers/md/dm-verity-verify-sig.h | 12 +++++++
> 4 files changed, 83 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt
> b/Documentation/admin-guide/kernel-parameters.txt
> index a8d0afde7f85..374571c7921a 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1370,6 +1370,13 @@ Kernel parameters
> For details see:
>
> Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
>
> + dm_verity.keyring_unsealed=
> + [KNL] When set to 1, leave the dm-verity keyring
> + unsealed after initialization so userspace can
> + provision keys. Once the keyring is restricted
> + it becomes active and is searched during signature
> + verification.
> +
> driver_async_probe= [KNL]
> List of driver names to be probed asynchronously. *
> matches with all driver names. If * is specified, the
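Review bot: the new dm_verity.keyring_unsealed= entry documents only the =1 case; it should also state the default (per the commit message, the keyring is unused unless this parameter is set, so existing behavior is unchanged) and name the keyring (".dm-verity", as the commit message calls it) so an administrator knows what to look for. The second sentence is also ambiguous about who does the restricting; the commit message says userspace restricts and activates the keyring once provisioning is done, so something like "Once userspace restricts the keyring, it becomes active and is searched during root hash signature verification" would be clearer.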
> diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
> index 5c17472d7896..835358f63d09 100644
> --- a/drivers/md/dm-verity-target.c
> +++ b/drivers/md/dm-verity-target.c
> @@ -1803,7 +1803,25 @@ static struct target_type verity_target = {
> .preresume = verity_preresume,
> #endif /* CONFIG_SECURITY */
> };
> -module_dm(verity);
> +
> +static int __init dm_verity_init(void)
> +{
> + int r;
> +
> + r = dm_verity_verify_sig_init();
> + if (r)
> + return r;
> +
> + return dm_register_target(&verity_target);
> +}
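Review bot: dm_verity_init() has no error unwinding: if dm_register_target(&verity_target) fails, whatever dm_verity_verify_sig_init() set up (the new keyring) is never released. The failure path needs to tear down the signature-verification state before returning r, i.e. do not "return dm_register_target(&verity_target);" directly but check its result and undo the earlier init first. Since this hunk also drops module_dm(verity), the module_exit counterpart it used to generate must now be provided explicitly and should release the keyring in reverse order; that part is not visible in this excerpt, so please confirm it is present. This matches the leak Mikulas points out in his reply.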
Hi

There's a bug: if dm_register_target fails, you leak the keyring. I fixed it and accepted the patch.

Mikulas