> Care to explain to the uninitiated layman such as myself why would we 
> want/need this in rpm, since there already is IMA?


IMA and fs-verity operate very differently. In particular, IMA is a lot more 
complex and has substantially higher system overhead when reading signed 
files off the file system. It also requires one to use the full IMA system.

fs-verity works by using a Merkle tree to generate a checksum for every data 
block in the system, and reads will fail if a single data block read fails its 
checksum. The signature of the file is validated against a public key 
loaded into the kernel keyring.

The fs-verity signature is basically a signature of the root digest of the 
Merkle tree.

Happy to elaborate further

Rpm-maint mailing list
