RE: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everyone

(note for the infrastructure mailing list: please check if the changes
I'm proposing could be tested in the Fedora infrastructure, like Copr)

I made the first version of the rpm extension to sign fsverity
digests with a GPG key. The patch set (with some bug fixes)
is available here:

https://github.com/robertosassu/rpm/commits/fsverity-gpg-v1

I tested it locally with my own GPG key. I took an existing
Fedora 34 package and signed it with rpmsign:

$ usr/bin/rpmsign --define "%_gpg_name testhost <testhost@xxxxxxxxx>" \
                                 --define "%_file_signing_key _GPG_" \
                                 --define "%_file_signing_cert _GPG_" \
                                 --addsign --signverity tmux-3.1c-2.fc34.x86_64.rpm


I then checked that the package has now fsverity signatures:

$ usr/bin/rpm -qp tmux-3.1c-2.fc34.x86_64.rpm \
                          --queryformat '[%{RPMTAG_FILENAMES} %{RPMTAG_VERITYSIGNATURES}\n]'
[...]
/usr/bin/tmux iQHHBAABCgAxFiEEEiFa0dGZVYzTrIN+rxtXRMfK0McFAmHq0+4THHRlc3Rob3N0
QHRlc3QudGVzdAAKCRCvG1dEx8rQx81nC/42NW9xJx3rcTiR6/5oL55GPkan+OIq
t2dW1clJUOrxOGVy/5JQTQf0MQXA7gzH1yPgcrskkahjSfWlp4pt7oOw3rukUyaO
zVZxue4XE6XESYtolczK4VEhpc8lbm4hj0e4NCg/dKri/+L5wIdJvmqWNeCfl7uZ
[...]

In a VM I tried to install the modified package. The root filesystem
is ext4 and has the fsverity feature enabled.

The fsverity rpm plugin is also enabled and hasn't been modified
to work with the new PGP signatures.

The kernel includes the patch set I recently sent to the kernel
mailing lists to add support for PGP keys and signatures:

https://lore.kernel.org/linux-integrity/20220111180318.591029-1-roberto.sassu@xxxxxxxxxx/

and another patch that calls verify_pgp_signature() in
fs/verity/signature.c.

The first installation attempt fails, due to the missing key
in the .fs-verity keyring:

# usr/bin/rpm -Uhvi ../tmux-3.1c-2.fc34.x86_64.rpm --debug
[...]
D: Plugin: calling hook fsm_file_prepare in fsverity plugin
D: applying signature: 
[...]
D: failed to enable verity (errno 126) for /usr/bin/tmux;61ead62d

Then, I added the required GPG key to the .fs-verity keyring:

# cat /mnt/repos/linux/certs/pubring.gpg | keyctl padd asymmetric test %keyring:.fs-verity
76292211

The key is now loaded:

# keyctl show %keyring:.fs-verity
Keyring
  66741466 --a-swrv      0     0  keyring: .fs-verity
  76292211 --als--v      0     0   \_ asymmetric: test

I retried the tmux installation:

# usr/bin/rpm -Uhvi ../tmux-3.1c-2.fc34.x86_64.rpm --debug
[...]
D: Plugin: calling hook fsm_file_prepare in fsverity plugin
D: applying signature: 
[...]
D: fsverity enabled signature for: path /usr/bin/tmux;61ead713 dest /usr/bin/tmux

This time the installation is successful, which means that the PGP
signature has been successfully verified.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux