Re: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> In Fedora, we use a new package signing key for each Fedora release.
> What key would be used for the fs-verity signatures: the same key,
> a separate key? Edit: I see that the Change page says a dedicated key is used.

Hi all

I'm doing related work in this area. I'll provide some additional
thoughts.

Probably, it could be possible to use the package signing key
for the fsverity signatures. However, this would require the
kernel to be able to load the PGP keys in the builtin keyring
and support PGP signatures.

David Howells did that some time ago, and I adapted his
patches for the latest kernel. Without going into too much
detail, I've modified the kernel build to take the Fedora
keys. They are available to verify PGP signatures (I use
this feature to verify RPM headers).

If there is interest, I could propose the patch set to the kernel
mailing list.

> IIUC, I need to do some steps at each boot:
> 1. add all the keys to the keyring
> 2. set sysctl fs.verity.require_signatures=1
> 
> So… in 1., do I always load all the keys that Fedora has used for this
> purpose, in case there are still some files on disk? Or is there some
> mechanism to say that e.g. keys older than F(N-2) are now not necessary?
> 
> Who does 2.?
> 
> I think it'd be hard to enable this during a system upgrade: one would need
> to reinstall all rpms (with new rpms carrying the fsverity metadata)
> or some files become unreadable once 2. is done. This brings a question:
> is there some rpm virtual Provides/Requires to specify that the fs-verity
> stuff is present? I assume the user would want to triple-check that they
> don't have any rpms without the metadata before enabling verification.

The kernel does not enforce signature verification unless fsverity
is explicitly enabled on a file. I guess the rpm plugin can be configured
to enable fsverity only if it finds a signature in the RPM header. That
would allow a mixed configuration where some files are protected,
other not.

This does not seem ideal for mandatory protection, where you want
to be sure that integrity is checked, even if only on a subset of files
(e.g. executables and shared libraries), regardless of whether fsverity
was enabled or not on a file.

It could be task of the security subsystem to do this type of enforcement.
At the moment, IMA and IPE (Integrity Protection Enforcement) are
planning to support fsverity and do the enforcement based on a policy.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux