On Thu, 2021-12-02 at 20:05 -0500, Josh Boyer wrote:
> Yes, I saw that and I appreciate it. That's a comparison between the
> two implementations. I am asking about what benefits and use cases
> fs-verity solves in Fedora. Right now, the change simply says:
>
> "The main benefit is the ability to do block-level verification of
> RPM-installed files. In turn, this can be used to implement
> usecase-specific validation and verification policies depending on the
> environment requirements."
>
> which is also largely true of IMA. The IMA change went into more
> detailed use cases, which perhaps may have been its downfall. So can
> you describe what most Fedora users would use this for or benefit from
> it? Or if "most users" is not an applicable qualifier, can you at
> least give some more detailed use cases that you would expect people
> to use it for?

Broadly speaking, fs-verity makes it possible to ensure that files that
were installed via an RPM have not been modified. It is useful in
environments where an attacker might be able to modify system files
(say, replace /bin/ls with a compromised version) and you want to
protect against that. For example, consider an appliance-like system
placed in an untrusted location where you may not be able to control who
has physical access (this could be a server, but it could also be a
kiosk in an internet point or a school). In this scenario, fs-verity can
be one of the building blocks to ensure and maintain system trust.

This Change is mostly about putting in place the necessary plumbing for
this to be at all possible. We'll try to expand the Change proposal and
flesh out potential use cases a bit more.

> OK. I guess I was looking for some side-by-side data comparisons in
> the overhead between IMA metadata and fs-verity. "1/127th of the
> original Merkle tree size" doesn't tell me much.
>
> Are there some test runs with numbers to show before/after data for
> both the RPM size and installed FS usage? Perhaps with an example
> install. The IMA change attempted to document this and seeing a 1.1%
> average increase in RPM size was easier to understand.

We've done some empirical testing on this (showing negligible
increases), but still need to gather more formal data. We'll try to
prioritize that and add it to the Change once it's available.

Cheers
Davide