Re: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
...snip...
> 
> In the context of rpm, there are two parts to this:
> * at build time, we compute the Merkle tree for the files within a
> package, then sign it and ship it as part of the rpm metadata;

This is some kind of seperate signing that happens at build time?

Or it's added to the rpm metadata and covered by the normal package
signing if/when the package is signed?

> * at run time, if the fsverity rpm plugin is enabled, rpm will install
> the fsverity signature key and enable fsverity on files that are
> installed.

Is this signature key the fedora rpm package signing key? 
Or some seperate fsverity key?

...snip...

> fs-verity works by using a Merkle tree to generate a checksum for
> every data block in the system, and reads will fail if a single data

every data block? or every packaged in rpms data block?

> block read fails it’s checksum. The signature of the the file is
> validated against a public key loaded into the kernel keyring. Because
> fsverity operates on block reads, its runtime cost is small (as it
> only needs to verify the block that is being accessed), and it can
> protect from alterations at any point in time.

Is this via dm_verity kernel module? Or thats a completely seperate
thing?

...snip...

> == Scope ==
> 
> * Proposal owners
> ** btrfs kernel enablement work
> ([https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=146054090b0859b28fc39015c7704ccc3c3a347f
> landed in 5.15]); see this
> [https://developers.facebook.com/blog/post/2021/10/19/fs-verity-support-in-btrfs/
> blog post] for more details

What does this mean for all the other filesystems? They would just be
slower since btrfs is computing the trees as part of it's normal
checksumming?

> ** koji integration: koji will need to add the fs-verity metadata to
> packages when signing them

Well, koji doesn't sign packages. robosignatory listens for messages on
the message bus for koji tagging and based on it's config, it asks sigul
to sign rpms and import the signatures into koji. 

There's support in robosignatory to ask to sign files (used for the
short lived IMA stuff), but I suspect it would need a new ability for
this. 

Finally who is going to write this? Change owners?
Or do you expect robosignatory maintainers to do so?

> * Other developers:
> ** deploy the koji integration changes to production
> * Release engineering: tbd
> * Policies and guidelines: N/A
> * Trademark approval: N/A
> 
> == Upgrade/compatibility impact ==
> 
> None
> 
> == How to test ==
> 
> Install the fs-verity RPM plugin to validate package contents:
> 
> <pre>$ sudo dnf install rpm-plugin-fsverity</pre>
> Note that this will only be useful if the packages being installed
> contain the appropriate fs-verity metadata (which, for Fedora upstream
> packages, requires Koji integration that is part of this Change).
> However, you should still be able to test this if you locally sign a
> package with <code>rpmsign --addverity</code>.
> 
> == User experience ==
> 
> This Change is fully transparent and there is no user impact by
> default. If the user chooses to enable the fs-verity RPM plugin, they
> can then leverage the additional verification features provided by
> fs-verity.
> 
> == Dependencies ==
> 
> * fs-verity support is available in RPM as of 4.17, which is available
> as of Fedora 35 and is already enabled in rpm-4.17.0-0.rc1.0.fc36
> * CONFIG_FS_VERITY in the kernel config; this is already enabled
> * fs-verity requires filesystem support; currently support for ext4
> and f2fs is already available; support for btrfs landed in 5.15

No xfs support?

Thanks in advance for answers. 

kevin

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux