RE: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Neal Gompa [mailto:ngompa13@xxxxxxxxx]
> Sent: Friday, December 17, 2021 11:17 AM
> On Fri, Dec 17, 2021 at 5:14 AM Roberto Sassu via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > In Fedora, we use a new package signing key for each Fedora release.
> > > What key would be used for the fs-verity signatures: the same key,
> > > a separate key? Edit: I see that the Change page says a dedicated key is used.
> >
> > Hi all
> >
> > I'm doing related work in this area. I'll provide some additional
> > thoughts.
> >
> > Probably, it could be possible to use the package signing key
> > for the fsverity signatures. However, this would require the
> > kernel to be able to load the PGP keys in the builtin keyring
> > and support PGP signatures.
> >
> > David Howells did that some time ago, and I adapted his
> > patches for the latest kernel. Without going into too much
> > detail, I've modified the kernel build to take the Fedora
> > keys. They are available to verify PGP signatures (I use
> > this feature to verify RPM headers).
> >
> > If there is interest, I could propose the patch set to the kernel
> > mailing list.
> >
> 
> That would be phenomenal. That would allow us to tie things to our
> existing process of key rotation for each Fedora release and leverage
> the existing infrastructure for package signing for fsverity
> signatures too.

Great. I will propose the patch set again. For another Fedora
feature I'm proposing (related to this one):

https://fedoraproject.org/wiki/Changes/DIGLIM

I went as far as to be able to appraise with IMA existing
RPM headers (I added support for PGP appended signatures).

I'm using this information in a different way: loading
the file digests from the RPM header to the kernel and
querying them with IMA during appraisal.

That would work with fsverity digests too. If the concern
is the increased package size, adding fsverity digests to the
RPM header instead of signatures might be more acceptable.

I made a small demo:

https://lore.kernel.org/linux-integrity/a16a628b9e21433198c490500a987121@xxxxxxxxxx/

where loading of kernel modules is granted by IPE if their
fsverity digest is found in the DIGLIM hash table.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> > > IIUC, I need to do some steps at each boot:
> > > 1. add all the keys to the keyring
> > > 2. set sysctl fs.verity.require_signatures=1
> > >
> > > So… in 1., do I always load all the keys that Fedora has used for this
> > > purpose, in case there are still some files on disk? Or is there some
> > > mechanism to say that e.g. keys older than F(N-2) are now not necessary?
> > >
> > > Who does 2.?
> > >
> > > I think it'd be hard to enable this during a system upgrade: one would need
> > > to reinstall all rpms (with new rpms carrying the fsverity metadata)
> > > or some files become unreadable once 2. is done. This brings a question:
> > > is there some rpm virtual Provides/Requires to specify that the fs-verity
> > > stuff is present? I assume the user would want to triple-check that they
> > > don't have any rpms without the metadata before enabling verification.
> >
> > The kernel does not enforce signature verification unless fsverity
> > is explicitly enabled on a file. I guess the rpm plugin can be configured
> > to enable fsverity only if it finds a signature in the RPM header. That
> > would allow a mixed configuration where some files are protected,
> > other not.
> >
> > This does not seem ideal for mandatory protection, where you want
> > to be sure that integrity is checked, even if only on a subset of files
> > (e.g. executables and shared libraries), regardless of whether fsverity
> > was enabled or not on a file.
> >
> > It could be task of the security subsystem to do this type of enforcement.
> > At the moment, IMA and IPE (Integrity Protection Enforcement) are
> > planning to support fsverity and do the enforcement based on a policy.
> >
> 
> So that means there *will* be a policy control mechanism for this
> enforced by the kernel, cool!
> 
> 
> 
> 
> --
> 真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux