> Care to explain to the uninitiated layman such as myself why would we 
> want/need this in rpm, since there already is IMA?

Certainly!

IMA and fs-verity operate very differently; in particular, IMA is a lot more 
complex and has substantially higher system overhead when reading signed 
files off the file system. It also requires one to use the full IMA system.

fs-verity works by using a Merkle tree to generate a checksum for every data 
block in the system, and reads will fail if a single data block read fails its 
checksum. The signature of the file is validated against a public key 
loaded into the kernel keyring.

The fs-verity signature is basically a signature of the root digest of the 
Merkle tree.

Happy to elaborate further

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#issuecomment-599285238
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
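
Added example, not part of the original message and not rpm or kernel code: a simplified model of the per-block Merkle verification described in the reply above. It assumes 4096-byte blocks, SHA-256 and no salt, is not byte-compatible with the fs-verity on-disk format, and all function names are hypothetical.

```python
import hashlib

BLOCK = 4096                      # assumed data and hash block size
HASHES_PER_BLOCK = BLOCK // 32    # SHA-256 digests that fit in one hash block

def hblock(block: bytes) -> bytes:
    # Short blocks are zero-padded to the full block size before hashing.
    return hashlib.sha256(block.ljust(BLOCK, b"\0")).digest()

def build_tree(data: bytes):
    """Return (levels, root). levels[0] holds the hash blocks covering the data."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    hashes, levels = [hblock(b) for b in blocks], []
    while len(hashes) > 1:
        level = [b"".join(hashes[i:i + HASHES_PER_BLOCK])
                 for i in range(0, len(hashes), HASHES_PER_BLOCK)]
        levels.append(level)
        hashes = [hblock(hb) for hb in level]
    return levels, hashes[0]

def read_block(data: bytes, index: int, levels, trusted_root: bytes) -> bytes:
    """Return data block `index`, or raise OSError if verification fails."""
    block = data[index * BLOCK:(index + 1) * BLOCK]
    digest, i = hblock(block), index
    for depth, level in enumerate(levels):
        hash_block = level[i // HASHES_PER_BLOCK]
        slot = (i % HASHES_PER_BLOCK) * 32
        if hash_block[slot:slot + 32] != digest:
            raise OSError(f"block {index}: mismatch at tree level {depth}")
        # The hash block itself is checked against its parent on the next pass.
        digest, i = hblock(hash_block), i // HASHES_PER_BLOCK
    if digest != trusted_root:
        raise OSError(f"block {index}: root digest mismatch")
    return block

if __name__ == "__main__":
    # Constructed sample: 300 distinct blocks, then one flipped bit in block 200.
    data = b"".join(n.to_bytes(4, "big") * 1024 for n in range(300))
    levels, root = build_tree(data)   # root is the value the signature covers
    bad = bytearray(data)
    bad[200 * BLOCK + 5] ^= 1
    print("block 0 ok:", read_block(bytes(bad), 0, levels, root) == data[:BLOCK])
    try:
        read_block(bytes(bad), 200, levels, root)
    except OSError as err:
        print("read failed:", err)
```

Only the modified block fails; untouched blocks still verify against the same root, which is why the check can run lazily at read time rather than over the whole file.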
