Re: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 2, 2021 at 7:27 PM Michel Alexandre Salim
<salimma@xxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> On Thu, Dec 02, 2021 at 07:10:32PM -0500, Josh Boyer wrote:
> > On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel <
> > devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wrote:
> > > > On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> > > > ...snip...
> > > > >
> > > > > In the context of rpm, there are two parts to this:
> > > > > * at build time, we compute the Merkle tree for the files within a
> > > > > package, then sign it and ship it as part of the rpm metadata;
> > > >
> > > > This is some kind of seperate signing that happens at build time?
> > > >
> > > > Or it's added to the rpm metadata and covered by the normal package
> > > > signing if/when the package is signed?
> > >
> > > As part of the signing flow (e.g. via rpmsign), the Merkle tree is
> > > generated and a signature is computed from it, which is then added to
> > > the rpm metadata.
> > >
> >
> > IMA received significant pushback on the impact to RPMs and signing
> > implications in Fedora.  How does fs-verity compare here?
> We wrote up a comparison here: https://fedoraproject.org/wiki/Changes/FsVerityRPM#Relationship_with_IMA

Yes, I saw that and I appreciate it.  That's a comparison between the
two implementations.  I am asking about what benefits and use cases
fs-verity solves in Fedora.  Right now, the change simply says:

"The main benefit is the ability to do block-level verification of
RPM-installed files. In turn, this can be used to implement
usecase-specific validation and verification policies depending on the
environment requirements."

which is also largely true of IMA.  The IMA change went into more
detailed use cases, which perhaps may have been it's downfall.  So can
you describe what most Fedora users would use this for or benefit from
it?  Or if "most users" is not an applicable qualifier, can you at
least give some more detailed use cases that you would expect people
to use it for?

> > Alternatively/additionally, why is fs-verity worth the hit for Fedora where
> > IMA was not.
>
> The hit is much smaller; per https://fedoraproject.org/wiki/Changes/FsVerityRPM#Merkle_tree_cost
> - if the plugin is installed, the Merkle tree is stored but it's 1/127th
>   the original file size
> - the RPM only ships the signature, not the tree itself; per
> https://fedoraproject.org/wiki/Changes/FsVerityRPM#Signature_overhead_cost
>   in practice we see a minimal to no increase in the size of the RPM
>
> So as proposed in this Change, users can opt in by installing the
> plugin, otherwise they will be mostly unimpacted.

OK.  I guess I was looking for some side-by-side data comparisons in
the overhead between IMA metadata and fs-verity.  "1/127th of the
original Merkel tree size" doesn't tell me much.

Are there some test runs with numbers to show before/after data for
both the RPM size and installed FS usage?  Perhaps with an example
install.  The IMA change attempted to document this and seeing a 1.1%
average increase in RPM size was easier to understand.

josh

> As discussed in the write-up - IMA does have a richer policy system, and
> could potentially be integrated (so we use IMA but with a fsverity
> backend) to get the best of both worlds.
>
> Best regards,
>
> --
> Michel Alexandre Salim
> profile: https://keyoxide.org/michel@xxxxxxxxxxxxxxx
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux