On Thu, Jan 27, 2022 at 07:46:09PM +0100, Roberto Sassu wrote: > I wanted to propose a different approach for handling fsverity digests and > signatures, compared to: > > https://lore.kernel.org/linux-integrity/20220126000658.138345-1-zohar@xxxxxxxxxxxxx/ > > In the original proposal, a new signature version has been introduced (v3) > to allow the possibility of signing the digest of a more flexible data > structure, ima_file_id, which could also include the fsverity file digest. > > While the new signature type would be sufficient to handle fsverity file > digests, the problem is that its format would not be compatible with the > signature format supported by the built-in verification module in fsverity. > The rpm package manager already has an extension to include fsverity > signatures, with the existing format, in the RPM header. > > Given that the fsverity signature is in the PKCS#7 format, IMA has already > the capability of handling it with the existing code, more specifically the > modsig code. It would be sufficient to provide to modsig the correct data > to avoid introducing a new signature format. I think it would be best to get people moved off of the fs-verity built-in signatures, rather than further extend the use of it. PKCS#7 is a pretty terrible signature format. The IMA one is better, though it's unfortunate that IMA still relies on X.509 for keys. - Eric
|