From: Eric Biggers <ebiggers@google.com>
An issue that arises when migrating from builtin signatures to userspace signatures is that existing files that have builtin signatures cannot be opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or the signing certificate is left in the .fs-verity keyring.
Since builtin signatures provide no security benefit when fs.verity.require_signatures=0 anyway, let's just skip the signature verification in this case.
Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures")
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/verity/signature.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/verity/signature.c b/fs/verity/signature.c index 143a530a80088..dc6935701abda 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -13,8 +13,8 @@ #include <linux/verification.h>
/* - * /proc/sys/fs/verity/require_signatures - * If 1, all verity files must have a valid builtin signature. + * /proc/sys/fs/verity/require_signatures. If 1, then builtin signatures are + * verified and all verity files must have a valid builtin signature. */ static int fsverity_require_signatures;
@@ -54,6 +54,20 @@ int fsverity_verify_signature(const struct fsverity_info *vi, return 0; }
+ /* + * If require_signatures=0, don't verify builtin signatures. + * Originally, builtin signatures were verified opportunistically in + * this case. However, no security property is possible when + * require_signatures=0 anyway. Skipping the builtin signature + * verification makes it easier to migrate existing files from builtin + * signature verification to userspace signature verification. + */ + if (!fsverity_require_signatures) { + fsverity_warn(inode, + "Not checking builtin signature due to require_signatures=0"); + return 0; + } + d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL); if (!d) return -ENOMEM;
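Review bot: the rewritten comment above `static int fsverity_require_signatures;` in the first hunk only describes the value 1, but this patch changes what 0 means (builtin signatures are now skipped entirely instead of verified opportunistically); state the 0 case in the same comment, e.g. ` * If 0, builtin signatures are not verified at all.`, so the sysctl's two modes are both documented at the point where the variable is defined.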
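Review bot: the `fsverity_warn()` in the new `if (!fsverity_require_signatures)` branch of the second hunk is emitted every time fsverity_verify_signature() runs for a file that carries a builtin signature while the sysctl is 0, which on a system in the middle of the migration the commit message describes means one warning per signed file per open; either switch to a ratelimited or lower-severity message or say in the comment why a per-open warning is intended. The diffstat also shows only fs/verity/signature.c changing, while Documentation/filesystems/fsverity.rst describes the fs.verity.require_signatures sysctl; it should be updated in the same patch so the documented semantics match the new "not verified when 0" behaviour.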
base-commit: 479174d402bcf60789106eedc4def3957c060bad