> From: Brandon Nielsen [mailto:niels...@jetfuse.net]
> Sent: Wednesday, January 26, 2022 5:14 PM
> On 1/26/22 3:25 AM, Roberto Sassu via devel wrote:
>
> [Snip]
>
> >
> > - web servers or other kind of servers where you, as client, would
> > like the guarantee that your data is processed only
On 1/26/22 3:25 AM, Roberto Sassu via devel wrote:
[Snip]
- web servers or other kind of servers where you, as client, would
like the guarantee that your data is processed only if the software
running in the server is not compromised
For what it's worth, I, and several people I work w
On 21. 01. 22 at 17:08 Roberto Sassu via devel wrote:
(note for the infrastructure mailing list: please check if the changes
I'm proposing could be tested in the Fedora infrastructure, like Copr)
Copr does not use `rpmsign` at all. Copr uses `obs-sign` [1]. The benefits of obs-sign are that
On Wed, 2022-01-26 at 09:25 +, Roberto Sassu via devel wrote:
> > ...snip
>
> If the users often make changes on their system, with high privileges,
> I agree that DIGLIM would simply cause too much overhead for
> the configuration (every time the users make a change, they have
> to whiteli
> From: Kevin Fenzi [mailto:ke...@scrye.com]
> Sent: Tuesday, January 25, 2022 7:30 PM
> On Fri, Jan 21, 2022 at 04:08:04PM +, Roberto Sassu via devel wrote:
> > Hi everyone
> >
> > (note for the infrastructure mailing list: please check if the changes
> > I'm proposing could be tested in the F
On Fri, Jan 21, 2022 at 04:08:04PM +, Roberto Sassu via devel wrote:
> Hi everyone
>
> (note for the infrastructure mailing list: please check if the changes
> I'm proposing could be tested in the Fedora infrastructure, like Copr)
copr uses a different signing setup... so probably won't work
Hi everyone
(note for the infrastructure mailing list: please check if the changes
I'm proposing could be tested in the Fedora infrastructure, like Copr)
I made the first version of the rpm extension to sign fsverity
digests with a GPG key. The patch set (with some bug fixes)
is available here:
On Fri, Dec 17, 2021 at 4:59 PM Colin Walters wrote:
>
>
>
> On Mon, Dec 13, 2021, at 5:21 PM, Tom Stellard wrote:
> >
> > Did you test the impact this has on package build times? Particularly
> > packages like llvm, clang, webkit2gtk3, etc. that have very large
> > debuginfo files?
>
> I think f
> From: Neal Gompa [mailto:ngomp...@gmail.com]
> Sent: Friday, December 17, 2021 11:17 AM
> On Fri, Dec 17, 2021 at 5:14 AM Roberto Sassu via devel
> wrote:
> >
> > > In Fedora, we use a new package signing key for each Fedora release.
> > > What key would be used for the fs-verity signatures: the
On Fri, Dec 17, 2021 at 5:14 AM Roberto Sassu via devel
wrote:
>
> > In Fedora, we use a new package signing key for each Fedora release.
> > What key would be used for the fs-verity signatures: the same key,
> > a separate key? Edit: I see that the Change page says a dedicated key is
> > used.
>
On 12/12/21 8:26 AM, Florian Weimer wrote:
> * Zbigniew Jędrzejewski-Szmek:
>
>> Some more questions about how the verification happens… IIUC, I need to
>> load some keys to the kernel keyring, and then set
>> fs.verity.require_signatures.
>>
>> Where do the keys come from? How are the keys thems
> On Wed, Dec 15, 2021, at 1:45 PM, Luca Boccassi wrote:
>
> Hmm. Some interesting stuff going on there but I would have started with a
> new SELinux access vector. That'd allow fine-grained constraints, e.g.
> disallowing `init_t` but allowing `unconfined_service_t`. Possibly also landlo
On Mon, Dec 13, 2021, at 5:21 PM, Tom Stellard wrote:
>
> Did you test the impact this has on package build times? Particularly
> packages like llvm, clang, webkit2gtk3, etc. that have very large
> debuginfo files?
I think far too often the culture here is "make $change for all RPMs". But
t
On Wed, Dec 15, 2021, at 1:45 PM, Luca Boccassi wrote:
>> On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:
>>
>> Any file covered by fs-verity is immutable after installation. So you
>> cannot modify the contents, the kernel refuses. But you can just
>> replace the file (like during
> We don't have a proof of concept for the LSM module. I agree with you that in
> practice it would probably need to implement some kind of "list of files we
> care about", but I do not have an intelligent opinion about that.
>
> Based on Roberto's comment in a different sub-thread, there co
> On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:
>
> Any file covered by fs-verity is immutable after installation. So you
> cannot modify the contents, the kernel refuses. But you can just
> replace the file (like during an upgrade), and of course copy and edit
> in a different loca
On Tue, Dec 14, 2021 at 4:20 PM Zbigniew Jędrzejewski-Szmek
wrote:
>
> On Tue, Dec 14, 2021 at 08:08:19PM +0100, Fabio Valentini wrote:
> > I thought fsverity was about determining at runtime that the system
> > has not been tampered with? But if somebody who has (physical) access
> > to the devi
On Tue, Dec 14, 2021 at 09:18:20PM +, Zbigniew Jędrzejewski-Szmek wrote:
> My understanding is the following: fs-verity originated in the Android
> world where you can have an unprivileged process downloading a file,
> e.g. a jar. This unprivileged process manages the download, but the
> file i
On Tue, Dec 14, 2021 at 08:08:19PM +0100, Fabio Valentini wrote:
> On Tue, Dec 14, 2021 at 1:45 AM Davide Cavalca via devel
> wrote:
> >
> > On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote:
> > > Would it be possible to document the editing of protected files in the
> > > change proposal, prob
On Tue, Dec 14, 2021 at 1:45 AM Davide Cavalca via devel
wrote:
>
> On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote:
> > Would it be possible to document the editing of protected files in the
> > change proposal, probably including an example of the best way to do it (is
> > it possible to re
I don't believe we systematically tested this. We will collect that along with
the detailed size increase data.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Con
On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote:
> Would it be possible to document the editing of protected files in the
> change proposal, probably including an example of the best way to do it (is
> it possible to replace the file by symlink?) Or is there a way to
> temporarily enable the edi
On 12/2/21 11:36, Ben Cotton wrote:
https://fedoraproject.org/wiki/Changes/FsVerityRPM
== Summary ==
Enable the use of fsverity for installed RPM files validation.
== Owners ==
* Name: [[User:Dcavalca|Davide Cavalca]], [[User:Borisb|Boris
Burkov]], [[User:Filbranden|Filipe Brandenburger]],
[[
On Mon, Dec 13, 2021 at 07:32:34PM -, Boris Burkov via devel wrote:
> Sorry this wasn't clear.
>
> The rpm carries just 'c' (as well as some small, fixed-size metadata for
> interpreting it, like hash algorithm)
>
> Just to explain that comment which suggested 'a': we have to compute the
>
We don't have a proof of concept for the LSM module. I agree with you that in
practice it would probably need to implement some kind of "list of files we
care about", but I do not have an intelligent opinion about that.
Based on Roberto's comment in a different sub-thread, there could be some
o
Sorry this wasn't clear.
The rpm carries just 'c' (as well as some small, fixed-size metadata for
interpreting it, like hash algorithm)
Just to explain that comment which suggested 'a': we have to compute the Merkle
tree at build time in order to get a root hash to sign. The Merkle tree is then
On 12. 12. 21 at 12:33 Zbigniew Jędrzejewski-Szmek wrote:
On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:
On 10. 12. 21 at 0:08 Davide Cavalca via devel wrote:
On Fri, 2021-12-03 at 22:08 +, Richard W.M. Jones wrote:
I'm unclear about the threat model - this is an att
> In Fedora, we use a new package signing key for each Fedora release.
> What key would be used for the fs-verity signatures: the same key,
> a separate key? Edit: I see that the Change page says a dedicated key is used.
Hi all
I'm doing related work in this area. I'll provide some additional
tho
On Thu, 09.12.21 23:55, Fedora Development ML (devel@lists.fedoraproject.org)
wrote:
> > On Thu, 02.12.21 14:36, Ben Cotton (bcotton(a)redhat.com) wrote:
> >
> > Hmm, so what I am really missing on the feature page: what's the
> > attack scenario here? Usually security features come with an attack
* Zbigniew Jędrzejewski-Szmek:
> Some more questions about how the verification happens… IIUC, I need to
> load some keys to the kernel keyring, and then set
> fs.verity.require_signatures.
>
> Where do the keys come from? How are the keys themselves verified?
> At what time are they loaded and b
On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:
>
> On 10. 12. 21 at 0:08 Davide Cavalca via devel wrote:
> >On Fri, 2021-12-03 at 22:08 +, Richard W.M. Jones wrote:
> >>I'm unclear about the threat model - this is an attacker who is
> >>someone able to overwrite single files
Some more questions about how the verification happens… IIUC, I need to
load some keys to the kernel keyring, and then set fs.verity.require_signatures.
Where do the keys come from? How are the keys themselves verified?
At what time are they loaded and by whom?
(Let's say that I'm an attacker wit
> * at run time, if the fsverity rpm plugin is enabled, rpm will install
> the fsverity signature key and enable fsverity on files that are
> installed.
This requires CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y. Currently our
kernels are built without that. It seems like a simple addition (the
amount of
On Fri, Dec 03, 2021 at 05:31:21PM -, Boris Burkov via devel wrote:
> The top-level hash is calculated for each file, then that hash is signed with
> the inputted rsa key pair and the signed hash is appended to the array of
> signed hashes in the rpm metadata. I am guessing the way we worded
On Thu, 2 Dec 2021 at 14:37, Ben Cotton wrote:
>
> https://fedoraproject.org/wiki/Changes/FsVerityRPM
>
> == Summary ==
>
> Enable the use of fsverity for installed RPM files validation.
>
> == Owners ==
>
> * Name: [[User:Dcavalca|Davide Cavalca]], [[User:Borisb|Boris
> Burkov]], [[User:Filbrande
On 10. 12. 21 at 0:08 Davide Cavalca via devel wrote:
On Fri, 2021-12-03 at 22:08 +, Richard W.M. Jones wrote:
I'm unclear about the threat model - this is an attacker who is
someone able to overwrite single files (eg. /bin/ls) but cannot turn
off the fs-verity system as a whole?
Also
> On Thu, 02.12.21 14:36, Ben Cotton (bcotton(a)redhat.com) wrote:
>
> Hmm, so what I am really missing on the feature page: what's the
> attack scenario here? Usually security features come with an attack
> scenario they are supposed to address. But there's no discussion about
> that.
>
Good poin
On Sat, 2021-12-04 at 23:46 +0100, Kevin Kofler via devel wrote:
> Davide Cavalca via devel wrote:
> > To clarify: RPM does support files validation, but fs-verity is more
> > than just that. With RPM, the validation only happens on install time,
> > and when one runs rpm -V manually. With
> If I enable FS-verity and later find that I need to patch a file to fix
> some problem, how do I as the sysadmin tell Linux that this change is
> authorized? Do I disable FS-verity for that specific file? Disable
> FS-verity globally? Add my own key to the kernel's keyring? Build and
> sign my ow
On Sat, 2021-12-04 at 09:37 -0500, Stephen John Smoogen wrote:
>
> Or just pad /usr/bin/rpm with some null characters at the end to break
> its signature and also stop updates from happening. [Or the fs-verity
> daemon which will report that these problems are occurring. ]
If the attacker has file
On Fri, 2021-12-03 at 22:08 +, Richard W.M. Jones wrote:
> I'm unclear about the threat model - this is an attacker who is
> someone able to overwrite single files (eg. /bin/ls) but cannot turn
> off the fs-verity system as a whole?
>
> Also if RPM can update /bin/ls then surely an attacker wh
You could reinstall the rpm, the fs will reclaim the verity metadata along with
the rest of the old file.
On Thu, 02.12.21 14:36, Ben Cotton (bcot...@redhat.com) wrote:
Hmm, so what I am really missing on the feature page: what's the
attack scenario here? Usually security features come with an attack
scenario they are supposed to address. But there's no discussion about
that.
This protects file conten
On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> Enable the use of fsverity for installed RPM files validation.
Can we use this to validate the install media at runtime rather than as a
separate boot step?
--
Matthew Miller
Fedora Project Leader
Davide Cavalca via devel wrote:
> To clarify: RPM does support files validation, but fs-verity is more
> than just that. With RPM, the validation only happens on install time,
> and when one runs rpm -V manually. With fs-verity, the validation
> happens on-demand whenever a block of a file that ori
Vitaly Zaitsev via devel wrote:
> -1. RPM already supports files validation and this feature will waste
> file system space.
I agree with you.
This is yet another "feature" that increases both the size of RPMs and, if
enabled by default, the size of default installations. We need to stop
tolera
On Fri, 3 Dec 2021 at 17:09, Richard W.M. Jones wrote:
>
> On Fri, Dec 03, 2021 at 06:08:49PM +, Davide Cavalca via devel wrote:
> > Broadly speaking, fs-verity makes it possible to ensure that files that
> > were installed via an RPM have not been modified. It is useful in
> > environments wh
On Friday, 03 December 2021 at 18:49, Davide Cavalca via devel wrote:
[...]
> About filesystem usage: unless you install rpm-plugin-fsverity (which
> is not and will not be installed by default), there is no disk space
> increase for verity-signed RPM packages. If you do install rpm-plugin-
> fsver
> * at build time, we compute the Merkle tree for the files within a
> package, then sign it and ship it as part of the rpm metadata;
[...]
> Note that the Merkle tree
> is ''not'' shipped with the RPM itself (only its signature is)
In that case, "ship it" above should be changed to "ship the si
On Fri, Dec 03, 2021 at 06:08:49PM +, Davide Cavalca via devel wrote:
> Broadly speaking, fs-verity makes it possible to ensure that files that
> were installed via an RPM have not been modified. It is useful in
> environments where an attacker might be able to modify system files
> (say, repla
On Fri, Dec 3, 2021 at 1:15 PM Davide Cavalca wrote:
>
> On Thu, 2021-12-02 at 19:10 -0500, Josh Boyer wrote:
> > On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel
> > wrote:
> >
> > > Correct, XFS doesn't support fs-verity at the moment (though it could
> > > be implemented if one want
Errors at installation time should be fully diagnosable, and even if the output
today doesn't make it totally obvious what happened, it would be easy to fix in
rpm.
The errors post-install are a bit trickier. Imagine you install your rpm, and
kick off some long running daemon from it. A month l
> I think there are two cases of interest:
>
> 1) a file or signature in the rpm is corrupted, the signature doesn't have a
> matching
> cert installed, etc...
> in this case, if the plugin is present, when you attempt to install the rpm
> the verity
> enable ioctl will explicitly fail, and pres
I omitted one more interesting case.
If the verity metadata (signature, root hash) is corrupted after installation
but before the file is opened, then opening/exec-ing the file can fail. Also,
if pages from a binary read in during the exec itself are corrupted, the system
call itself could fail
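The mechanism the last few messages describe (a per-file Merkle tree whose root hash is computed and signed at build time, then re-checked by the kernel block by block whenever the file is read, with a corrupted tree failing the read as well) is modelled below. This is an added example written for this page, not code from rpm, fsverity-utils or the kernel. It follows the Merkle tree and descriptor layout from the kernel's fs-verity documentation with SHA-256, 4096-byte blocks and no salt; the signature over the resulting digest is left out, and the "installed file" contents are synthetic.

```python
"""Model of the fs-verity Merkle tree, file digest and on-demand block
verification.  Constructed example for this thread (not code from rpm,
fsverity-utils or the kernel); layout follows the kernel's fs-verity
documentation for SHA-256 with 4096-byte blocks and no salt.  Signing the
resulting digest, which happens at package build time, is left out."""
import hashlib
import struct

BLOCK_SIZE = 4096
LOG_BLOCK_SIZE = 12
DIGEST_SIZE = 32
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE      # 128, i.e. 7 index bits per level
FS_VERITY_HASH_ALG_SHA256 = 1                      # value from the kernel UAPI


def pad_block(buf: bytes) -> bytes:
    """Zero-pad a partial data or tree block to the full block size."""
    return buf + b"\0" * (-len(buf) % BLOCK_SIZE)


def hash_block(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()          # a salt would be prepended here


def build_merkle_tree(data: bytes):
    """Return (levels, root_hash).  levels[0] holds the hashes of the data
    blocks, levels[i+1] the hashes of the blocks of levels[i]; every level is
    zero-padded to whole blocks.  A file of at most one block has no tree
    levels: its root hash is the hash of the (padded) block itself.  An empty
    file has an all-zero root hash."""
    if not data:
        return [], b"\0" * DIGEST_SIZE
    hashes = [hash_block(pad_block(data[i:i + BLOCK_SIZE]))
              for i in range(0, len(data), BLOCK_SIZE)]
    levels = []
    while len(hashes) > 1:
        level = pad_block(b"".join(hashes))
        levels.append(level)
        hashes = [hash_block(level[i:i + BLOCK_SIZE])
                  for i in range(0, len(level), BLOCK_SIZE)]
    return levels, hashes[0]


def fsverity_descriptor(data_size: int, root_hash: bytes) -> bytes:
    """The 256-byte struct fsverity_descriptor: version 1, SHA-256,
    log2(block size), salt size 0, sig_size 0, data size, root hash padded
    to 64 bytes, 32-byte salt area, 144 reserved bytes."""
    head = struct.pack("<BBBBIQ", 1, FS_VERITY_HASH_ALG_SHA256, LOG_BLOCK_SIZE, 0, 0, data_size)
    return head + root_hash.ljust(64, b"\0") + b"\0" * 32 + b"\0" * 144


def fsverity_digest(data: bytes) -> bytes:
    """The fs-verity file digest is the hash of the descriptor, so it commits
    to the file size and tree parameters as well as the root hash.  This is
    the per-file value a build-time signature covers."""
    _, root = build_merkle_tree(data)
    return hash_block(fsverity_descriptor(len(data), root))


def verify_block(levels, root_hash: bytes, block_index: int, block: bytes) -> bool:
    """What the kernel does when one data block is read: check every tree
    block on the path from the root down to this block's leaf hash, then the
    data block itself.  Corrupted tree metadata fails here as well."""
    expected = root_hash
    for lvl in range(len(levels) - 1, -1, -1):
        tree_block_index = block_index >> (7 * (lvl + 1))
        pos = (block_index >> (7 * lvl)) % HASHES_PER_BLOCK
        start = tree_block_index * BLOCK_SIZE
        tree_block = levels[lvl][start:start + BLOCK_SIZE]
        if hash_block(tree_block) != expected:
            return False
        expected = tree_block[pos * DIGEST_SIZE:(pos + 1) * DIGEST_SIZE]
    return hash_block(pad_block(block)) == expected


def read_blocks(levels, root_hash: bytes, data: bytes):
    """Simulate reading a file block by block against a fixed tree; each
    entry is (block index, verified?)."""
    return [(i // BLOCK_SIZE,
             verify_block(levels, root_hash, i // BLOCK_SIZE, data[i:i + BLOCK_SIZE]))
            for i in range(0, len(data), BLOCK_SIZE)]


if __name__ == "__main__":
    # Constructed stand-in for an installed file: 10240 bytes, three data blocks.
    installed = bytes(range(256)) * 40
    levels, root = build_merkle_tree(installed)
    print("fs-verity digest:", fsverity_digest(installed).hex())
    tampered = bytearray(installed)
    tampered[9000] ^= 0x01                          # one byte in block 2
    print(read_blocks(levels, root, bytes(tampered)))   # [(0, True), (1, True), (2, False)]
```

Blocks 0 and 1 of the tampered file still verify; the failure only surfaces when block 2 is read, which is why a mismatch that arises after installation shows up as a read or exec error at some later point rather than as an rpm error. Flipping a byte in a tree level instead makes every block under it fail, which is the corrupted-metadata case above. With default parameters, the digest this computes corresponds to what `fsverity digest` from fsverity-utils prints for a file.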
On Thu, 2021-12-02 at 19:10 -0500, Josh Boyer wrote:
> On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel
> wrote:
>
> > Correct, XFS doesn't support fs-verity at the moment (though it could
> > be implemented if one wanted to).
>
> That means it would exclude Fedora Server and ELN as the
On Thu, 2021-12-02 at 20:05 -0500, Josh Boyer wrote:
> Yes, I saw that and I appreciate it. That's a comparison between the
> two implementations. I am asking about what benefits and use cases
> fs-verity solves in Fedora. Right now, the change simply says:
>
> "The main benefit is the ability
I think there are two cases of interest:
1) a file or signature in the rpm is corrupted, the signature doesn't have a
matching cert installed, etc...
in this case, if the plugin is present, when you attempt to install the rpm the
verity enable ioctl will explicitly fail, and presumably so will t
On Fri, 2021-12-03 at 12:21 +0100, Vitaly Zaitsev via devel wrote:
> On 02/12/2021 20:36, Ben Cotton wrote:
> > Enable the use of fsverity for installed RPM files validation.
>
> -1. RPM already supports files validation and this feature will waste
> file system space.
To clarify: RPM does suppor
The top-level hash is calculated for each file, then that hash is signed with
the inputted rsa key pair and the signed hash is appended to the array of
signed hashes in the rpm metadata. I am guessing the way we worded the proposal
is a little unclear because we call it "the" signature when it's
Perhaps I glossed over it in the description, but what is the expected user
experience in the event of a RPM fs-verity mismatch/error?
On 02/12/2021 20:36, Ben Cotton wrote:
Enable the use of fsverity for installed RPM files validation.
-1. RPM already supports files validation and this feature will waste
file system space.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
> The signature size is roughly proportional to the number of files in
> the package.
Can you explain how the signature is performed? I assume that the verity
top-level hash is calculated for each file and then … ?
And if you have all the per-file hashes, why not do one more level of
Merkle and cal
On Thu, Dec 2, 2021 at 7:27 PM Michel Alexandre Salim
wrote:
>
> Hello,
>
> On Thu, Dec 02, 2021 at 07:10:32PM -0500, Josh Boyer wrote:
> > On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel <
> > devel@lists.fedoraproject.org> wrote:
> >
> > > On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wro
On 12/2/21 6:46 PM, Michael Cronenworth wrote:
Could this be directly added to rpm instead of an external tool set?
I see you did. It helps to read the Change link... Sorry. :)
On 12/2/21 4:32 PM, Davide Cavalca via devel wrote:
There's support in robosignatory to ask to sign files (used for the
short lived IMA stuff), but I suspect it would need a new ability for
this.
Finally who is going to write this? Change owners?
Or do you expect robosignatory maintainers to do
Hello,
On Thu, Dec 02, 2021 at 07:10:32PM -0500, Josh Boyer wrote:
> On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel <
> devel@lists.fedoraproject.org> wrote:
>
> > On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wrote:
> > > On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> > >
On Thu, Dec 2, 2021, 5:33 PM Davide Cavalca via devel <
devel@lists.fedoraproject.org> wrote:
> On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wrote:
> > On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> > ...snip...
> > >
> > > In the context of rpm, there are two parts to this:
> > >
On Thu, 2021-12-02 at 13:09 -0800, Kevin Fenzi wrote:
> On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
> ...snip...
> >
> > In the context of rpm, there are two parts to this:
> > * at build time, we compute the Merkle tree for the files within a
> > package, then sign it and ship it
On Thu, Dec 02, 2021 at 02:36:51PM -0500, Ben Cotton wrote:
...snip...
>
> In the context of rpm, there are two parts to this:
> * at build time, we compute the Merkle tree for the files within a
> package, then sign it and ship it as part of the rpm metadata;
This is some kind of separate signin
On Thu, 2021-12-02 at 15:08 -0500, Frank Ch. Eigler wrote:
>
> > === Relationship with IMA ===
> >
> > [https://sourceforge.net/p/linux-ima/wiki/Home/ IMA] is another
> > technology meant to provide detection of file alterations. IMA and
> > fsverity operate very differently, and are somewhat com
> === Relationship with IMA ===
>
> [https://sourceforge.net/p/linux-ima/wiki/Home/ IMA] is another
> technology meant to provide detection of file alterations. IMA and
> fsverity operate very differently, and are somewhat complementary.
> [...]
Do these two systems use the same per-file signatur
https://fedoraproject.org/wiki/Changes/FsVerityRPM
== Summary ==
Enable the use of fsverity for installed RPM files validation.
== Owners ==
* Name: [[User:Dcavalca|Davide Cavalca]], [[User:Borisb|Boris
Burkov]], [[User:Filbranden|Filipe Brandenburger]],
[[User:Salimma|Michel Alexandre Salim]],