Here is a more detailed update on the design of the fsverity support I have
been working on for rpm.
I now have code which I believe works correctly, and I'd love some feedback on
it. I am sure I got some things wrong. The code can be found in my cloned repo
fsverity itself provides block-level checksumming of files in the file system,
which can be signed and authenticated by a public key loaded into the kernel's
public keyring. This allows the kernel to validate individual data blocks as
they are read from the disk instead of having to validate the entire file's
digest before allowing it to be opened.
Instead of a regular digest, fsverity uses a Merkle tree, which is basically a
tree of digests. For now only sha256 and sha512 are supported for calculating
this tree. The fsverity signature authenticates the root of the Merkle tree by
signing an fsverity descriptor which contains the root digest. This API is
defined by the kernel. The code to generate the fsverity descriptor, and the
code to sign it, is provided by libfsverity from the fsverity-utils
There is no way to go from the regular digest to the Merkle tree, so the code
parses the archive of the rpm to generate the signatures. As the file count of
the archive doesn't have to match the metadata file count (ghost files, etc.),
and the file order of the archive and the metadata do not necessarily match,
the signatures are placed in an array based on their file index, and
signatures for the missing items are generated from the metadata fi.
The code introduces four new tags:
* RPMTAG_VERITYSIGNATURELENGTH (uint32_t): The size of the fsverity signatures
* RPMTAG_VERITYSIGNATURES (char *): Array of fsverity signatures
* RPMTAG_VERITYSIGNATUREALGO (uint32_t): Algorithm used to generate signature
* RPMTAG_VERITYSIGNATUREBLKSZ (uint32_t): Block size used to calculate the
In addition the code provides a new plugin "fsverity" which will install the
fsverity signature and enable fsverity on files as they are installed. Similar
to IMA file signatures, it will skip installing signatures for config files
unless explicitly requested, and it only installs signatures for regular files,
as directories and symlinks are not currently supported by fsverity.
To enable fsverity in the build, one must specify --with-fsverity, and have the
fsverity-utils header and library installed.
To generate signatures, one must specify three arguments:
--fskpath= specify signing key (argument is shared with IMA file signing)
--certpath= specify signing certificate
--signverity add fsverity signatures to the package
1: Code adding fsverity support to rpm:
2: Original fsverity git repo:
3: fsverity refactoring providing libfsverity:
Rpm-maint mailing list
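The following is an added worked example illustrating the Merkle-tree and
descriptor layout described in the message above; it is not code from the rpm
branch being discussed and not libfsverity. It builds the fs-verity tree in
pure Python (each node is digest(salt || block) over a zero-padded block,
leaves first, until one block remains), serializes the 256-byte version-1
descriptor whose root_hash is what the signature covers, and verifies a single
data block by rehashing only its path to the root, which is why the kernel can
check blocks as they are read. The sample data, the function names, the
power-of-two block-size check and the "at least two digests per block"
restriction are assumptions of this example; real packages should use
libfsverity, which is the reference implementation of this format.

```python
# Added example (not the rpm branch under review and not libfsverity): a
# from-scratch model of the fs-verity Merkle tree and descriptor as the kernel
# documents them.  Function names and sample data are this example's own.
import hashlib
import struct

# Hash algorithm identifiers from the kernel's fs-verity UAPI.
HASH_ALGOS = {"sha256": 1, "sha512": 2}


def hash_block(algo, salt, block, block_size):
    """Hash one tree block as digest(salt || block), block zero-padded to block_size."""
    h = hashlib.new(algo)
    h.update(salt)
    h.update(block.ljust(block_size, b"\0"))
    return h.digest()


def _hash_level(algo, salt, buf, block_size):
    return [hash_block(algo, salt, buf[i:i + block_size], block_size)
            for i in range(0, len(buf), block_size)]


def build_tree(data, algo="sha256", block_size=4096, salt=b""):
    """Return the tree as a list of levels, leaves first.

    Level 0 has one digest per data block; each higher level has one digest
    per block-size chunk of the level below.  The last level holds the root.
    An empty file has no levels (and an all-zero root).
    """
    # Assumption of this example: power-of-two block holding >= 2 digests.
    if block_size & (block_size - 1) or block_size < 2 * hashlib.new(algo).digest_size:
        raise ValueError("block size must be a power of two holding >= 2 digests")
    if not data:
        return []
    levels = [_hash_level(algo, salt, data, block_size)]
    while len(levels[-1]) > 1:
        levels.append(_hash_level(algo, salt, b"".join(levels[-1]), block_size))
    return levels


def merkle_root(data, algo="sha256", block_size=4096, salt=b""):
    levels = build_tree(data, algo, block_size, salt)
    return levels[-1][0] if levels else bytes(hashlib.new(algo).digest_size)


def build_descriptor(data, algo="sha256", block_size=4096, salt=b""):
    """Serialize struct fsverity_descriptor (version 1, 256 bytes, little-endian).

    Layout: version, hash_algorithm, log_blocksize, salt_size, reserved u32,
    data_size u64, root_hash[64], salt[32], reserved[144].  This is the object
    the signature covers; the data blocks are only bound through root_hash.
    """
    if len(salt) > 32:
        raise ValueError("salt is at most 32 bytes")
    root = merkle_root(data, algo, block_size, salt)
    header = struct.pack("<BBBBIQ", 1, HASH_ALGOS[algo],
                         block_size.bit_length() - 1, len(salt), 0, len(data))
    desc = header + root.ljust(64, b"\0") + salt.ljust(32, b"\0") + bytes(144)
    assert len(desc) == 256
    return desc


def fsverity_digest(data, algo="sha256", block_size=4096, salt=b""):
    """The fs-verity file digest: the hash of the descriptor, not of the file."""
    return hashlib.new(algo, build_descriptor(data, algo, block_size, salt)).digest()


def plain_digest(data, algo="sha256"):
    """The ordinary whole-file digest rpm already stores, for comparison."""
    return hashlib.new(algo, data).digest()


def verify_block(levels, root, index, block, algo="sha256", block_size=4096, salt=b""):
    """Check one data block the way the kernel does on read.

    `levels` is the stored (untrusted) tree and `root` the value taken from the
    signed descriptor.  Only the leaf-to-root path is rehashed, so a single
    block is validated without reading the rest of the file.
    """
    if not levels or index >= len(levels[0]):
        return False
    per_block = block_size // hashlib.new(algo).digest_size
    digest = hash_block(algo, salt, block, block_size)
    pos = index
    for level in levels[:-1]:
        if level[pos] != digest:
            return False
        parent = pos // per_block
        digest = hash_block(algo, salt,
                            b"".join(level[parent * per_block:(parent + 1) * per_block]),
                            block_size)
        pos = parent
    return digest == root
```

Two points the functions make concrete: fsverity_digest(data) and plain_digest(data)
are unrelated values, so the existing RPMTAG_FILEDIGESTS cannot be turned into an
fsverity signature without re-reading the file content from the archive, and
verify_block() succeeds or fails per block, so a tampered block is rejected on
the read that touches it rather than at open time.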