On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote: ...snip... > > In the context of rpm, there are two parts to this: > * at build time, we compute the Merkle tree for the files within a > package, then sign it and ship it as part of the rpm metadata; This is some kind of seperate signing that happens at build time? Or it's added to the rpm metadata and covered by the normal package signing if/when the package is signed? > * at run time, if the fsverity rpm plugin is enabled, rpm will install > the fsverity signature key and enable fsverity on files that are > installed. Is this signature key the fedora rpm package signing key? Or some seperate fsverity key? ...snip... > fs-verity works by using a Merkle tree to generate a checksum for > every data block in the system, and reads will fail if a single data every data block? or every packaged in rpms data block? > block read fails it’s checksum. The signature of the the file is > validated against a public key loaded into the kernel keyring. Because > fsverity operates on block reads, its runtime cost is small (as it > only needs to verify the block that is being accessed), and it can > protect from alterations at any point in time. Is this via dm_verity kernel module? Or thats a completely seperate thing? ...snip... > == Scope == > > * Proposal owners > ** btrfs kernel enablement work > ([https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=146054090b0859b28fc39015c7704ccc3c3a347f > landed in 5.15]); see this > [https://developers.facebook.com/blog/post/2021/10/19/fs-verity-support-in-btrfs/ > blog post] for more details What does this mean for all the other filesystems? They would just be slower since btrfs is computing the trees as part of it's normal checksumming? > ** koji integration: koji will need to add the fs-verity metadata to > packages when signing them Well, koji doesn't sign packages. robosignatory listens for messages on the message bus for koji tagging and based on it's config, it asks sigul to sign rpms and import the signatures into koji. There's support in robosignatory to ask to sign files (used for the short lived IMA stuff), but I suspect it would need a new ability for this. Finally who is going to write this? Change owners? Or do you expect robosignatory maintainers to do so? > * Other developers: > ** deploy the koji integration changes to production > * Release engineering: tbd > * Policies and guidelines: N/A > * Trademark approval: N/A > > == Upgrade/compatibility impact == > > None > > == How to test == > > Install the fs-verity RPM plugin to validate package contents: > > <pre>$ sudo dnf install rpm-plugin-fsverity</pre> > Note that this will only be useful if the packages being installed > contain the appropriate fs-verity metadata (which, for Fedora upstream > packages, requires Koji integration that is part of this Change). > However, you should still be able to test this if you locally sign a > package with <code>rpmsign --addverity</code>. > > == User experience == > > This Change is fully transparent and there is no user impact by > default. If the user chooses to enable the fs-verity RPM plugin, they > can then leverage the additional verification features provided by > fs-verity. > > == Dependencies == > > * fs-verity support is available in RPM as of 4.17, which is available > as of Fedora 35 and is already enabled in rpm-4.17.0-0.rc1.0.fc36 > * CONFIG_FS_VERITY in the kernel config; this is already enabled > * fs-verity requires filesystem support; currently support for ext4 > and f2fs is already available; support for btrfs landed in 5.15 No xfs support? Thanks in advance for answers. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
