On Mon, Jan 19, 2026 at 03:22:58PM +0100, Mikulas Patocka wrote: > > > On Fri, 16 Jan 2026, Christian Brauner wrote: > > > Add a dedicated ".dm-verity" keyring for root hash signature > > verification, similar to the ".fs-verity" keyring used by fs-verity. > > > > By default the keyring is unused retaining the exact same old behavior. > > For systems that provision additional keys only intended for dm-verity > > images during boot, the dm_verity.keyring_unsealed=1 kernel parameter > > leaves the keyring open. > > > > We want to use this in systemd as a way add keys during boot that are > > only used for creating dm-verity devices for later mounting and nothing > > else. The discoverable disk image (DDI) spec at [1] heavily relies on > > dm-verity and we would like to expand this even more. This will allow us > > to do that in a fully backward compatible way. > > > > Once provisioning is complete, userspace restricts and activates it for > > dm-verity verification. If userspace fully seals the keyring then it > > gains the guarantee that no new keys can be added. > > > > Link: > > https://uapi-group.org/specifications/specs/discoverable_partitions_specification > > [1] > > Co-developed-by: Aleksa Sarai <[email protected]> > > Signed-off-by: Aleksa Sarai <[email protected]> > > Signed-off-by: Christian Brauner <[email protected]> > > --- > > Documentation/admin-guide/kernel-parameters.txt | 7 ++++ > > drivers/md/dm-verity-target.c | 20 ++++++++++- > > drivers/md/dm-verity-verify-sig.c | 45 > > +++++++++++++++++++++++++ > > drivers/md/dm-verity-verify-sig.h | 12 +++++++ > > 4 files changed, 83 insertions(+), 1 deletion(-) > > > > diff --git a/Documentation/admin-guide/kernel-parameters.txt > > b/Documentation/admin-guide/kernel-parameters.txt > > index a8d0afde7f85..374571c7921a 100644 > > --- a/Documentation/admin-guide/kernel-parameters.txt > > +++ b/Documentation/admin-guide/kernel-parameters.txt 
> > @@ -1370,6 +1370,13 @@ Kernel parameters > > For details see: > > > > Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst > > > > + dm_verity.keyring_unsealed= > > + [KNL] When set to 1, leave the dm-verity keyring > > + unsealed after initialization so userspace can > > + provision keys. Once the keyring is restricted > > + it becomes active and is searched during signature > > + verification. > > + > > driver_async_probe= [KNL] > > List of driver names to be probed asynchronously. * > > matches with all driver names. If * is specified, the > > diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c > > index 5c17472d7896..835358f63d09 100644 > > --- a/drivers/md/dm-verity-target.c > > +++ b/drivers/md/dm-verity-target.c > > @@ -1803,7 +1803,25 @@ static struct target_type verity_target = { > > .preresume = verity_preresume, > > #endif /* CONFIG_SECURITY */ > > }; > > -module_dm(verity); > > + > > +static int __init dm_verity_init(void) > > +{ > > + int r; > > + > > + r = dm_verity_verify_sig_init(); > > + if (r) > > + return r; > > + > > + return dm_register_target(&verity_target); > > +} > > Hi > > There's a bug that if dm_register_target fails, you leak the keyring. I > fixed it and accepted the patch.
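Review bot: the kernel-parameters.txt hunk documents only the `dm_verity.keyring_unsealed=1` case and does not say what happens when the parameter is absent, which the commit message states is that the keyring stays unused and old behaviour is retained. Suggest adding that default to the entry (e.g. "Default: 0, the keyring is not used and signature verification behaves as before") and noting that until userspace restricts the keyring, keys can still be added to it, since that pre-restriction window is exactly what an administrator reading this entry needs to reason about when deciding to enable it.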
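Review bot: in the dm-verity-target.c hunk, `dm_verity_init()` does not undo `dm_verity_verify_sig_init()` on its error path: if `dm_register_target(&verity_target)` fails, the keyring that `dm_verity_verify_sig_init()` set up is leaked. Suggest capturing the return value and tearing the keyring down before returning, along the lines of `r = dm_register_target(&verity_target); if (r) <release the dm-verity keyring>; return r;`, where the teardown call is a placeholder because the helper's name is not visible in this hunk (dm-verity-verify-sig.h is changed but not quoted). Since the removed `module_dm(verity)` also supplied the module exit, the matching exit path that unregisters the target and releases the keyring should be checked as well; it falls outside the quoted lines.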
Thank you very much, Mikulas! Christian
