> Care to explain to the uninitiated layman such as myself why would we
> want/need this in rpm, since there already is IMA?
IMA and fs-verity operate very differently, in particular IMA is a lot more
complex and and has substantially higher system overhead when reading signed
files off the file system. It also requires one to use the full IMA system.
fs-verity works by using a Merkle tree to generate a checksum for every data
block in the system, and reads will fail if a single data block read fails it's
checksum. The signature of the the file is validated against a public key
loaded into the kernel keyring.
The fs-verity signature is basically a signature of the root digest of the
Happy to elaborate further
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
Rpm-maint mailing list