Re: [RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open

[RFC][PATCH 0/5] shmem/fsverity: Prepare for mandatory integrity enforcement · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
[RFC][PATCH 1/5] fsverity: Introduce fsverity_get_file_digest() · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
[RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
Re: [RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open · Eric Biggers <ebiggers@kernel.org> · 2021-11-12
RE: [RFC][PATCH 2/5] fsverity: Revalidate built-in signatures at file open · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-15
[RFC][PATCH 3/5] fsverity: Do initialization earlier · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
[RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
Re: [RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() · Ajay Garg <hidden> · 2021-11-12
RE: [RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
Re: [RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() · Eric Biggers <ebiggers@kernel.org> · 2021-11-12
RE: [RFC][PATCH 4/5] shmem: Avoid segfault in shmem_read_mapping_page_gfp() · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-15
[RFC][PATCH 5/5] shmem: Add fsverity support · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-12
Re: [RFC][PATCH 5/5] shmem: Add fsverity support · Eric Biggers <ebiggers@kernel.org> · 2021-11-12
RE: [RFC][PATCH 5/5] shmem: Add fsverity support · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-15
Re: [RFC][PATCH 5/5] shmem: Add fsverity support · Eric Biggers <ebiggers@kernel.org> · 2021-11-16
RE: [RFC][PATCH 5/5] shmem: Add fsverity support · Roberto Sassu <roberto.sassu@huawei.com> · 2021-11-16

From: Eric Biggers <ebiggers@kernel.org>
Date: 2021-11-12 19:15:05
Also in: linux-doc, linux-fscrypt, linux-fsdevel, linux-mm, lkml

On Fri, Nov 12, 2021 at 01:44:08PM +0100, Roberto Sassu wrote:

Fsverity signatures are validated only upon request by the user by setting
the requirement through procfs or sysctl.

However, signatures are validated only when the fsverity-related
initialization is performed on the file. If the initialization happened
while the signature requirement was disabled, the signature is not
validated again.

I'm not sure this really matters.  If someone has started using a verity file
before the require_signatures sysctl was set, then there is already a race
condition; this patch doesn't fix that.  Don't you need to set the
require_signatures sysctl early enough anyway?

- Eric

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help