On Tue, 2021-01-05 at 13:05 -0500, Ben Cotton wrote:
> == Benefit to Fedora ==
>
> Having all files signed with a verifiable key means that system
> owners can use the kernel Integrity and Measurement Architecture
> (IMA) to enforce only verified files can be executed, or define other
> policies.
>

AFAIK IMA has other capabilities outside file verification and trust.
There is another mechanism that is scoped to this problem space:
fs-verity[1]. The main difference is that IMA lets you sign things, but
can't be expected to verify reads because there's only one digest per
file. By contrast, fs-verity uses a Merkle tree so you can verify one
section of a file (e.g. mmapped) without needing to read the whole thing.

The thing that's not clear to me in this change is how IMA can be used

> ... to enforce runtime policies to ensure execution of only trusted files.

The only way I can think to do this is to make all the signed files
immutable, which is a) really annoying because you can't add hard links
and b) trivial for the root user to undo.

Note: support for fs-verity in RPM exists today[2], but is really new:
enabling it by default is probably premature without more real world
testing. One of the big downsides is that it's dependent on filesystem
support. IMA is xattr based, so broad support is easier.

[1] https://www.kernel.org/doc/html/latest/filesystems/fsverity.html
[2] https://github.com/rpm-software-management/rpm/pull/1203

Matthew
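The contrast Matthew draws (one digest per file vs. a Merkle tree that lets a single block be checked without reading the rest) can be made concrete with a small model. The following is an added example, not code from the thread, from fs-verity or from RPM: it builds a simplified binary Merkle tree over fixed-size blocks (fs-verity's real on-disk layout packs hashes into hash blocks and differs in detail), produces an inclusion proof for one block, and verifies that block against the root alone. The 4096-byte block size, the SHA-256 choice and the sample file contents are all constructed here.

```python
from __future__ import annotations
import hashlib

# Constructed example parameters: 4096 matches fs-verity's default data block
# size, but nothing below depends on fs-verity's actual tree layout.
BLOCK_SIZE = 4096


def _h(data: bytes) -> bytes:
    """SHA-256 of data; the same primitive is used for leaves and inner nodes."""
    return hashlib.sha256(data).digest()


def single_digest(data: bytes) -> bytes:
    """The IMA-style case: one digest over the whole file. Checking any part of
    the file means re-reading and re-hashing all of it."""
    return _h(data)


def leaf_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Hash each fixed-size block (last block may be short) to get the leaves."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]
    return [_h(b) for b in blocks]


def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Return the tree as levels: levels[0] are the leaves, levels[-1] is [root].
    An odd node at any level is paired with a copy of itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([_h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    return build_tree(leaf_hashes(data, block_size))[-1][0]


def proof_for_block(levels: list[list[bytes]], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to (but excluding) the root, each tagged
    with whether the sibling sits to the right of the node being proven."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))
        index //= 2
    return proof


def verify_block(block: bytes, index: int, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Verify one block against the root using only the block and its proof;
    the rest of the file is never read. This is the property fs-verity relies on
    for page-granular verification of mmapped or partially read files."""
    h = _h(block)
    for sibling, sibling_is_right in proof:
        h = _h(h + sibling) if sibling_is_right else _h(sibling + h)
    return h == root


def block_at(data: bytes, index: int, block_size: int = BLOCK_SIZE) -> bytes:
    return data[index * block_size:(index + 1) * block_size]


# Constructed sample file: five full blocks of distinct bytes plus a short tail,
# so the tree has six leaves and exercises the odd-node padding rule.
SAMPLE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5)) + b"tail"


def demo() -> dict:
    """Verify every block with its own proof, then corrupt block 2 and show that
    only block 2 fails while block 0 still verifies against the original root."""
    levels = build_tree(leaf_hashes(SAMPLE))
    root = levels[-1][0]
    all_ok = all(
        verify_block(block_at(SAMPLE, i), i, proof_for_block(levels, i), root)
        for i in range(len(levels[0]))
    )
    tampered = bytearray(SAMPLE)
    tampered[2 * BLOCK_SIZE + 100] ^= 0xFF
    tampered = bytes(tampered)
    return {
        "all_blocks_verify": all_ok,
        "tampered_block_detected": not verify_block(
            block_at(tampered, 2), 2, proof_for_block(levels, 2), root),
        "untouched_block_still_verifies": verify_block(
            block_at(tampered, 0), 0, proof_for_block(levels, 0), root),
        "single_digest_changed": single_digest(tampered) != single_digest(SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `verify_block` is what it does not touch: only the one block plus a logarithmic number of sibling hashes are needed, whereas `single_digest` forces a full re-read before any byte can be trusted. That is the difference that makes per-page verification on read practical for fs-verity and impractical for a single per-file digest, independent of how either mechanism stores its signature.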