From patchwork Thu May 11 18:50:32 2023
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1780263
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 0/8][j/k/l/m linux][j/k/l/m linux-kvm] CONFIG_DM_VERITY=m
Date: Thu, 11 May 2023 12:50:32 -0600
Message-Id: <20230511185040.220555-1-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.34.1
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/2019040

SRU Justification

[Impact]

The kvm flavours currently do not enable dm-verity. This stops us from using integrity-protected and verified images in VMs using this kernel flavour.

All of the master kernels should also have CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING enabled. These config changes should bubble down into the cloud derivative kernels.

[Fix]

Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING

(The latter is needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring.)

These are already enabled in the 'main' kernel config, and in other distros.

As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

Note that I explicitly did not enable CONFIG_IMA as requested in the bug report since it has performance impacts.

[Regression Potential]

MOK keys may not be correctly read.

Acked-by: Andrei Gherzan
Acked-by: Tim Gardner
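A check a practitioner would want before relying on signed dm-verity images on a kvm-flavour kernel: confirm that all three kconfigs the cover letter asks for are built in (=y) or modular (=m) in the installed kernel's config. This is an added example, not code from the cover letter or the Ubuntu kernel tree; the function name and the sample config it runs against are constructed here.

```shell
#!/bin/sh
# Added example: report which of the dm-verity kconfig options requested in
# the cover letter are not enabled (=y or =m) in a given kernel config file.

# The three options the cover letter asks to enable.
VERITY_OPTS="CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING"

# Usage: verity_config_missing CONFIG_FILE
# Prints one line per option that is absent or "is not set"; prints nothing
# when all three are =y or =m. Gzip'd configs (e.g. /proc/config.gz) are
# read via zcat. Always returns 0 so it is safe under 'set -e'.
verity_config_missing() {
    cfg="$1"
    case "$cfg" in
        *.gz) text=$(zcat -- "$cfg") ;;
        *)    text=$(cat -- "$cfg") ;;
    esac
    for opt in $VERITY_OPTS; do
        # An enabled option appears exactly as CONFIG_FOO=y or CONFIG_FOO=m;
        # the anchored match keeps CONFIG_DM_VERITY from matching its
        # longer siblings.
        if ! printf '%s\n' "$text" | grep -q "^${opt}=[ym]\$"; then
            echo "$opt"
        fi
    done
    return 0
}

# Constructed sample config: dm-verity modular, root-hash signature
# verification on, but the secondary-keyring option still unset.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
CONFIG_DM_VERITY_FEC=y
EOF

echo "Missing in sample config:"
verity_config_missing "$SAMPLE_CFG"
rm -f "$SAMPLE_CFG"

# To check the running kernel instead:
#   verity_config_missing "/boot/config-$(uname -r)"   # or /proc/config.gz
```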