On Thu, Dec 2, 2021 at 7:27 PM Michel Alexandre Salim <salimma@xxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> On Thu, Dec 02, 2021 at 07:10:32PM -0500, Josh Boyer wrote:
> > On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel <
> > devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wrote:
> > > > On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> > > > ...snip...
> > > > >
> > > > > In the context of rpm, there are two parts to this:
> > > > > * at build time, we compute the Merkle tree for the files within a
> > > > > package, then sign it and ship it as part of the rpm metadata;
> > > >
> > > > This is some kind of separate signing that happens at build time?
> > > >
> > > > Or it's added to the rpm metadata and covered by the normal package
> > > > signing if/when the package is signed?
> > >
> > > As part of the signing flow (e.g. via rpmsign), the Merkle tree is
> > > generated and a signature is computed from it, which is then added to
> > > the rpm metadata.
> > >
> >
> > IMA received significant pushback on the impact to RPMs and signing
> > implications in Fedora. How does fs-verity compare here?
>
> We wrote up a comparison here: https://fedoraproject.org/wiki/Changes/FsVerityRPM#Relationship_with_IMA

Yes, I saw that and I appreciate it. That's a comparison between the two implementations. I am asking about what benefits and use cases fs-verity solves in Fedora. Right now, the change simply says:

"The main benefit is the ability to do block-level verification of RPM-installed files. In turn, this can be used to implement usecase-specific validation and verification policies depending on the environment requirements."

which is also largely true of IMA. The IMA change went into more detailed use cases, which perhaps may have been its downfall. So can you describe what most Fedora users would use this for or benefit from it?
Or if "most users" is not an applicable qualifier, can you at least give some more detailed use cases that you would expect people to use it for?

> > Alternatively/additionally, why is fs-verity worth the hit for Fedora where
> > IMA was not.
>
> The hit is much smaller; per https://fedoraproject.org/wiki/Changes/FsVerityRPM#Merkle_tree_cost
> - if the plugin is installed, the Merkle tree is stored but it's 1/127th
> the original file size
> - the RPM only ships the signature, not the tree itself; per
> https://fedoraproject.org/wiki/Changes/FsVerityRPM#Signature_overhead_cost
> in practice we see a minimal to no increase in the size of the RPM
>
> So as proposed in this Change, users can opt in by installing the
> plugin, otherwise they will be mostly unimpacted.

OK. I guess I was looking for some side-by-side data comparisons in the overhead between IMA metadata and fs-verity. "1/127th of the original Merkle tree size" doesn't tell me much. Are there some test runs with numbers to show before/after data for both the RPM size and installed FS usage? Perhaps with an example install. The IMA change attempted to document this and seeing a 1.1% average increase in RPM size was easier to understand.

josh

> As discussed in the write-up - IMA does have a richer policy system, and
> could potentially be integrated (so we use IMA but with a fsverity
> backend) to get the best of both worlds.
>
> Best regards,
>
> --
> Michel Alexandre Salim
> profile: https://keyoxide.org/michel@xxxxxxxxxxxxxxx
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
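The thread above talks about the Merkle tree that rpm would compute and sign, the "1/127th the original file size" storage cost, and the block-level verification it enables, but never shows where those numbers come from. The following is an added example written for this page, not code from rpm, the Fedora Change, or the kernel's fs-verity implementation. It assumes the tree shape fs-verity uses with SHA-256 and 4096-byte blocks (one 32-byte hash per data block, 128 hashes packed per tree block, zero-padding of the final block, no salt) and leaves out the descriptor and signature step, so the root hash here is the bare tree root rather than the signed file digest. The 1 MiB input and the tampered block are constructed inline for the demonstration.

```python
import hashlib
import math

# Simplified fs-verity-style tree: SHA-256 over 4096-byte blocks, no salt (assumed parameters).
BLOCK_SIZE = 4096
DIGEST_SIZE = hashlib.sha256().digest_size          # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE        # 128 hashes fit in one tree block


def _hash_block(block: bytes) -> bytes:
    """Hash one data or hash block; a short final block is zero-padded to BLOCK_SIZE."""
    return hashlib.sha256(block.ljust(BLOCK_SIZE, b"\0")).digest()


def build_merkle_tree(data: bytes):
    """Return (root_hash, levels).

    levels[0] holds one hash per data block; each further level holds one hash per
    block of up to 128 hashes below it; the last level is the single root hash.
    """
    leaves = [_hash_block(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]
    if not leaves:
        return b"\0" * DIGEST_SIZE, []      # empty file: nothing to hash, no tree stored
    levels = [leaves]
    while len(levels[-1]) > 1:
        below = levels[-1]
        levels.append([_hash_block(b"".join(below[i:i + HASHES_PER_BLOCK]))
                       for i in range(0, len(below), HASHES_PER_BLOCK)])
    return levels[-1][0], levels


def stored_tree_size(levels) -> int:
    """Bytes the tree occupies on disk: every level except the root, 128 hashes per block."""
    return sum(math.ceil(len(level) / HASHES_PER_BLOCK) * BLOCK_SIZE for level in levels[:-1])


def merkle_tree_size(file_size: int) -> int:
    """Same figure computed from the file size alone, without hashing anything."""
    count, total = math.ceil(file_size / BLOCK_SIZE), 0
    while count > 1:
        count = math.ceil(count / HASHES_PER_BLOCK)
        total += count * BLOCK_SIZE
    return total


def auth_path(levels, index: int):
    """The hash blocks a verifier reads to check data block `index`, one per stored level."""
    path = []
    for level in levels[:-1]:
        start = (index // HASHES_PER_BLOCK) * HASHES_PER_BLOCK
        path.append(level[start:start + HASHES_PER_BLOCK])
        index //= HASHES_PER_BLOCK
    return path


def verify_block(root: bytes, index: int, block: bytes, path) -> bool:
    """Block-level check: recompute the chain from one data block up to the (signed) root."""
    h = _hash_block(block)
    for hashes in path:
        if hashes[index % HASHES_PER_BLOCK] != h:
            return False
        h = _hash_block(b"".join(hashes))
        index //= HASHES_PER_BLOCK
    return h == root


def example():
    """Constructed 1 MiB sample file (256 blocks); returns the figures worth checking."""
    data = bytes(range(256)) * 4096                     # constructed input, not a real package file
    root, levels = build_merkle_tree(data)
    idx = 200
    block = data[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE]
    path = auth_path(levels, idx)
    tampered = block[:10] + bytes([block[10] ^ 1]) + block[11:]   # flip one bit in one block
    big = 64 * 1024 * 1024
    return {
        "tree_size": stored_tree_size(levels),          # 3 tree blocks = 12288 bytes for 1 MiB
        "block_ok": verify_block(root, idx, block, path),
        "tampered_ok": verify_block(root, idx, tampered, path),
        "ratio_64MiB": big / merkle_tree_size(big),     # about 127: the "1/127th" figure
    }


if __name__ == "__main__":
    print(example())
```

Two things fall out of running it. The overhead is a step function of the block count, not a flat 1/127: a 1 MiB file needs three 4 KiB tree blocks (about 1/85 of the file), anything up to one block needs no tree at all, and the ratio only converges on 127 once the leaf level fills whole tree blocks, as for the 64 MiB case. And verification is genuinely per block: checking block 200 reads two hash blocks, not the other 255 data blocks, which is what lets the kernel reject a single modified page on read instead of re-hashing the file.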