Some more questions about how the verification happens… IIUC, I need to load some keys to the kernel keyring, and then set fs.verity.require_signatures. Where do the keys come from? How are the keys themselves verified? At what time are they loaded and by whom? (Let's say that I'm an attacker with access to the file system. If the keys are loaded from the file system, can I just drop in a rogue key, similarly to what happens when new keys are distributed as part of distro upgrades?) If fs-verity verification prevents me from successfully modifying or replacing /usr/bin/foo or /usr/lib/systemd/system/foo.service, is there anything which hinders just adding /etc/systemd/system/foo.service that does whatever I want? On Thu, Dec 09, 2021 at 11:08:53PM +0000, Davide Cavalca via devel wrote: > - you could use a LSM to enforce that exec() can only happen on files > with valid fs-verity signatures; this would protect any binary > - you could use a launcher booted from secure storage (say, a dm-verity Is there some LSM module like this ready for use? Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
