[Kernel-packages] [Bug 2019040] [NEW] linux-kvm: please enable dm-verity kconfigs

Luca Boccassi Tue, 09 May 2023 14:00:34 -0700

Public bug reported:

The kvm flavours currently do not enable dm-verity. This stops us from
using integrity protected and verified images in VMs using this kernel
flavour.


Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_IMA_ARCH_POLICY

(The latter is needed to ensure that MoK keys can be used to verify dm-
verity images too, via the machine keyring linked to the secondary
keyring)

These are already enabled in the 'main' kernel config, and in other
distros.

As a specific and explicit use case, in the systemd project we want to
test functionality provided by systemd that needs these kconfigs on
Ubuntu machines running the kvm flavour kernel.

** Affects: linux-meta-kvm (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-meta-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title:
  linux-kvm: please enable dm-verity kconfigs

Status in linux-meta-kvm package in Ubuntu:
  New

Bug description:
  The kvm flavours currently do not enable dm-verity. This stops us from
  using integrity protected and verified images in VMs using this kernel
  flavour.

  Please consider enabling the following kconfigs:

  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_IMA_ARCH_POLICY

  (The latter is needed to ensure that MoK keys can be used to verify
  dm-verity images too, via the machine keyring linked to the secondary
  keyring)

  These are already enabled in the 'main' kernel config, and in other
  distros.

  As a specific and explicit use case, in the systemd project we want to
  test functionality provided by systemd that needs these kconfigs on
  Ubuntu machines running the kvm flavour kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 2019040] [NEW] linux-kvm: please enable dm-verity kconfigs

Reply via email to