LoadPin: Require file with verity root digests to have a header (6e42aec7) · Commits · jan.koester / Linux

security/loadpin/Kconfig

+6 −1

Original line number	Diff line number	Diff line
		@@ -33,4 +33,9 @@ config SECURITY_LOADPIN_VERITY
		on the LoadPin securityfs entry 'dm-verity'. The ioctl
		expects a file descriptor of a file with verity digests as
		parameter. The file must be located on the pinned root and
		contain one digest per line.
		start with the line:

		# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS

		This is followed by the verity digests, with one digest per
		line.

+15 −1

Original line number	Diff line number	Diff line
		@@ -21,6 +21,8 @@
		#include <linux/dm-verity-loadpin.h>
		#include <uapi/linux/loadpin.h>

		#define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"

		static void report_load(const char origin, struct file file, char *operation)
		{
		char cmdline, pathname;
		@@ -292,9 +294,21 @@ static int read_trusted_verity_root_digests(unsigned int fd)

		p = strim(data);
		while ((d = strsep(&p, "\n")) != NULL) {
		int len = strlen(d);
		int len;
		struct dm_verity_loadpin_trusted_root_digest *trd;

		if (d == data) {
		/* first line, validate header */
		if (strcmp(d, VERITY_DIGEST_FILE_HEADER)) {
		rc = -EPROTO;
		goto err;
		}

		continue;
		}

		len = strlen(d);

		if (len % 2) {
		rc = -EPROTO;
		goto err;