Skip to content
Commit 6e42aec7 authored by Matthias Kaehlcke's avatar Matthias Kaehlcke Committed by Kees Cook
Browse files

LoadPin: Require file with verity root digests to have a header



LoadPin expects the file with trusted verity root digests to be
an ASCII file with one digest (hex value) per line. A pinned
root could contain files that meet these format requirements,
even though the hex values don't represent trusted root
digests.

Add a new requirement to the file format which consists in
the first line containing a fixed string. This prevents
attackers from feeding files with an otherwise valid format
to LoadPin.

Suggested-by: default avatarSarthak Kukreti <sarthakkukreti@chromium.org>
Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220906181725.1.I3f51d1bb0014e5a5951be4ad3c5ad7c7ca1dfc32@changeid
parent 916ef623
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment