Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit 4da8f8c8 authored Oct 23, 2020 by Mickaël Salaün Committed by Mike Snitzer Dec 04, 2020

dm verity: Add support for signature verification with 2nd keyring



Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
to enable dm-verity signatures to be verified against the secondary
trusted keyring.  Instead of relying on the builtin trusted keyring
(with hard-coded certificates), the second trusted keyring can include
certificate authorities from the builtin trusted keyring and child
certificates loaded at run time.  Using the secondary trusted keyring
enables to use dm-verity disks (e.g. loop devices) signed by keys which
did not exist at kernel build time, leveraging the certificate chain of
trust model.  In practice, this makes it possible to update certificates
without kernel update and reboot, aligning with module and kernel
(kexec) signature verification which already use the secondary trusted
keyring.

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

parent 985eabdc

Documentation/admin-guide/device-mapper/verity.rst

+6 −1

Original line number	Diff line number	Diff line
		@@ -134,7 +134,12 @@ root_hash_sig_key_desc <key_description>
		the pkcs7 signature of the roothash. The pkcs7 signature is used to validate
		the root hash during the creation of the device mapper block device.
		Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG
		being set in the kernel.
		being set in the kernel. The signatures are checked against the builtin
		trusted keyring by default, or the secondary trusted keyring if
		DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary
		trusted keyring includes by default the builtin trusted keyring, and it can
		also gain new certificates at run time if they are signed by a certificate
		already in the secondary trusted keyring.

		Theory of operation
		===================

drivers/md/Kconfig

+12 −1

Original line number	Diff line number	Diff line
		@@ -535,6 +535,17 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG
		pre-generated tree of cryptographic checksums passed has a pkcs#7
		signature file that can validate the roothash of the tree.

		By default, rely on the builtin trusted keyring.

		If unsure, say N.

		config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
		bool "Verity data device root hash signature verification with secondary keyring"
		depends on DM_VERITY_VERIFY_ROOTHASH_SIG
		depends on SECONDARY_TRUSTED_KEYRING
		help
		Rely on the secondary trusted keyring to verify dm-verity signatures.

		If unsure, say N.

		config DM_VERITY_FEC

drivers/md/dm-verity-verify-sig.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -119,8 +119,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
		}

		ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
		sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
		NULL, NULL);
		sig_len,
		#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
		VERIFY_USE_SECONDARY_KEYRING,
		#else
		NULL,
		#endif
		VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);

		return ret;
		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE