dm verity: fallback to platform keyring also if key in trusted keyring is rejected

If enabled, we fallback to the platform keyring if the trusted keyring doesn't have the key used to sign the roothash. But if pkcs7_verify() rejects the key for other reasons, such as usage restrictions, we do not fallback. Do so. Follow-up for 6fce1f40e9 Suggested-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Luca Boccassi <bluca@debian.org> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
2024-11-12 23:23:03 +00:00 · 2024-09-22 18:17:53 +02:00 · 2024-09-22 18:17:53 +02:00 · 579b2ba40e
commit 579b2ba40e
parent e6a3531dd5
1 changed files with 1 additions and 1 deletions
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@ -127,7 +127,7 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
 #endif
 				VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
 #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
-	if (ret == -ENOKEY)
+	if (ret == -ENOKEY || ret == -EKEYREJECTED)
 		ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
 					sig_len,
 					VERIFY_USE_PLATFORM_KEYRING,