Hi Jes,

On Mon, Feb 10, 2020 at 07:00:30PM -0500, Jes Sorensen wrote:
> From: Jes Sorensen <jsorensen@xxxxxx>
> 
> Hi,
> 
> I am looking at what it will take to add support for fsverity
> signatures to rpm, similar to how rpm supports IMA signatures.
> 
> In order to do so, it makes sense to split the fsverity util into a
> shared library and the command line tool, so the core functions can be
> used from other applications. Alternatively I will have to copy over a
> good chunk of the code into rpm, which makes it nasty to support long
> term.
> 
> This is a first stab at doing that, and I'd like to get some feedback
> on the approach.
> 
> I basically split it into four functions:
> 
> fsverity_cmd_gen_digest(): Build the digest, but do not sign it
> fsverity_cmd_sign(): Sign the digest structure
> fsverity_cmd_measure(): Measure a file, basically 'fsverity measure'
> fsverity_cmd_enable(): Enable verity on a file, basically 'fsverity enable'
> 
> If we can agree on the approach, then I am happy to deal with the full
> libtoolification etc.
> 

Before we do all this work, can you take a step back and explain the use
case so that we can be sure it's really worthwhile?

fsverity_cmd_enable() and fsverity_cmd_measure() would just be trivial
wrappers around the FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY
ioctls, so they don't need a library.

[Aside: I'd suggest calling these fsverity_enable() and
fsverity_measure(), and leaving "cmd" for the command-line wrappers.]

That leaves signing as the only real point of the library. But do you
actually need to be able to *sign* the files via the rpm binary, or do
you just need to be able to install already-created signatures? I.e.,
can the signatures instead just be created with 'fsverity sign' when
building the RPMs?

Separately, before you start building something around fs-verity's
builtin signature verification support, have you also considered adding
support for fs-verity to IMA? I.e., using the fs-verity hashing
mechanism with the IMA signature mechanism. The IMA maintainer has
expressed interest in that. If rpm already supports IMA signatures,
maybe that way would be a better fit?

- Eric
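As an added illustration of Eric's point that 'fsverity enable' and 'fsverity measure' are just thin wrappers around two ioctls, here is what such wrappers look like in plain C. This is example code written for this page, not code from the thread or from fsverity-utils. The names fsverity_enable() and fsverity_measure() follow Eric's naming suggestion and are an assumption; the code assumes the Linux UAPI header <linux/fsverity.h> (kernel 5.4 and later) and, if that header is absent, falls back to definitions copied from it. It goes slightly beyond the thread in that fsverity_enable() also accepts the optional PKCS#7 signature blob that 'fsverity sign' produces, which is how a packager would install a pre-created signature without linking a signing library.

```c
/*
 * Added example, not code from the thread or from fsverity-utils.
 * Thin wrappers around FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY.
 * Function names follow Eric's suggestion (an assumption). Assumes
 * <linux/fsverity.h>; the fallback below is copied from that UAPI header.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifdef __has_include
# if __has_include(<linux/fsverity.h>)
#  include <linux/fsverity.h>
#  define HAVE_LINUX_FSVERITY_H 1
# endif
#endif
#ifndef HAVE_LINUX_FSVERITY_H
#define FS_VERITY_HASH_ALG_SHA256 1
#define FS_VERITY_HASH_ALG_SHA512 2
struct fsverity_enable_arg {
	uint32_t version;        /* must be 1 */
	uint32_t hash_algorithm; /* FS_VERITY_HASH_ALG_* */
	uint32_t block_size;     /* Merkle tree block size, e.g. 4096 */
	uint32_t salt_size;
	uint64_t salt_ptr;
	uint32_t sig_size;       /* PKCS#7 signature length, 0 if none */
	uint32_t __reserved1;
	uint64_t sig_ptr;
	uint64_t __reserved2[11];
};
struct fsverity_digest {
	uint16_t digest_algorithm; /* output */
	uint16_t digest_size;      /* in: buffer capacity, out: digest length */
	uint8_t digest[];
};
#define FS_IOC_ENABLE_VERITY  _IOW('f', 133, struct fsverity_enable_arg)
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
#endif

#define FSVERITY_MAX_DIGEST_SIZE 64 /* SHA-512 */

/*
 * Enable fs-verity on a fully written file. The kernel requires fd to be
 * opened O_RDONLY with no writable fds on the file. sig/sig_size is an
 * optional PKCS#7 signature over the file's fsverity_digest (the output
 * of 'fsverity sign'); pass NULL/0 for no builtin signature.
 * Returns 0 on success or a negative errno.
 */
int fsverity_enable(int fd, uint32_t hash_alg, uint32_t block_size,
		    const void *sig, size_t sig_size)
{
	struct fsverity_enable_arg arg;

	if (sig_size > UINT32_MAX)
		return -EINVAL;
	memset(&arg, 0, sizeof(arg));
	arg.version = 1;
	arg.hash_algorithm = hash_alg;
	arg.block_size = block_size;
	arg.sig_size = (uint32_t)sig_size;
	arg.sig_ptr = (uint64_t)(uintptr_t)sig;
	if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0)
		return -errno;
	return 0;
}

/*
 * Read the verity digest of a file that already has verity enabled.
 * digest must hold FSVERITY_MAX_DIGEST_SIZE bytes. Returns the digest
 * length and stores the algorithm in *alg, or a negative errno
 * (-ENODATA: verity not enabled on this file).
 */
int fsverity_measure(int fd, uint16_t *alg, uint8_t *digest)
{
	union {
		struct fsverity_digest d;
		uint8_t raw[sizeof(struct fsverity_digest) + FSVERITY_MAX_DIGEST_SIZE];
	} u;

	memset(&u, 0, sizeof(u));
	u.d.digest_size = FSVERITY_MAX_DIGEST_SIZE;
	if (ioctl(fd, FS_IOC_MEASURE_VERITY, &u.d) != 0)
		return -errno;
	*alg = u.d.digest_algorithm;
	memcpy(digest, u.d.digest, u.d.digest_size);
	return u.d.digest_size;
}

/* Usage: ./a.out FILE  -- prints the digest much like 'fsverity measure' */
int main(int argc, char **argv)
{
	uint8_t digest[FSVERITY_MAX_DIGEST_SIZE];
	uint16_t alg;
	int fd, ret;

	if (argc != 2) {
		fprintf(stderr, "usage: %s FILE\n", argv[0]);
		return 2;
	}
	fd = open(argv[1], O_RDONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}
	ret = fsverity_measure(fd, &alg, digest);
	close(fd);
	if (ret < 0) {
		fprintf(stderr, "FS_IOC_MEASURE_VERITY: %s\n", strerror(-ret));
		return 1;
	}
	printf("%s:", alg == FS_VERITY_HASH_ALG_SHA256 ? "sha256" :
		      alg == FS_VERITY_HASH_ALG_SHA512 ? "sha512" : "unknown");
	for (int i = 0; i < ret; i++)
		printf("%02x", digest[i]);
	printf(" %s\n", argv[1]);
	return 0;
}
```

Both wrappers only marshal arguments and translate errno, which is the whole of what a library would add for these two operations; the one non-obvious detail is that FS_IOC_MEASURE_VERITY uses digest_size as an in/out field, so the caller must preload it with the buffer capacity or the kernel returns EOVERFLOW.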