Here is a more detailed update on the design of the fsverity support I have 
been working on for rpm.

I now have code which I believe works correctly, and I'd love some feedback on 
it. I am sure I got some things wrong. The code can be found in my cloned repo 

fsverity itself provides block-level checksumming of files in the file system, 
which can be signed and authenticated by a public key loaded into the kernel's 
public keyring. This allows the kernel to validate individual data blocks as 
they are read from the disk instead of having to validate the entire file's 
digest before allowing it to be opened.

Instead of a regular digest, fsverity uses a Merkle tree, which is basically a 
tree of digests. For now only sha256 and sha512 are supported for calculating 
this tree. The fsverity signature authenticates the root of the Merkle tree, by 
signing an fsverity descriptor which contains the root digest. This API is 
defined by the kernel. The code to generate the fsverity descriptor, and the 
code to sign it, is provided by libfsverity from the fsverity-utils 

There is no way to go from the regular digest to the Merkle tree, so the code 
parses the archive of the rpm to generate the signatures. As the file count of 
the archive doesn't have to match the metadata file count, ghost files etc, and 
the file order of the archive and the metadata do not necessarily match, the 
signatures are placed in an array based on their file index, and signatures for 
the missing items are generated from the metadata fi.

The code introduces four new tags:
* RPMTAG_VERITYSIGNATURELENGTH (uint32_t): The size of the fs verity signatures
* RPMTAG_VERITYSIGNATURES (char *): Array of fsverity signatures
* RPMTAG_VERITYSIGNATUREALGO (uint32_t): Algorithm used to generate signature
* RPMTAG_VERITYSIGNATUREBLKSZ (uint32_t): Block size used to calculate the 
Merkle tree

In addition the code provides a new plugin "fsverity" which will install the 
fsverity signature and enable fsverity on files as they are installed. Similar 
to IMA file signatures, it will skip installing signatures for config files, 
unless explicitly requested, and it only installs signatures for regular files 
as directories and symlinks are not currently supported by fsverity.

To enable fsverity in the build, one must specify --with-fsverity, and have the 
fsverity-utils header and library installed.

To generate signatures, one must specify three arguments:
 --fskpath= specify siging key (argument is shared with IMA file signing)
 --certpath= specify signing certificate
 --signverity add fsverity signatures to the package


1: Code adding fsverity support to rpm:
2: Original fsverity git repo: 
3: fsverity refactoring providing libfsverity:
 * git://

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
Rpm-maint mailing list

Reply via email to