> Care to explain to the uninitiated layman such as myself why would we
> want/need this in rpm, since there already is IMA?
Certainly!
IMA and fs-verity operate very differently, in particular IMA is a lot more
complex and and has substantially higher system overhead when reading signed
files off the file system. It also requires one to use the full IMA system.
fs-verity works by using a Merkle tree to generate a checksum for every data
block in the system, and reads will fail if a single data block read fails it's
checksum. The signature of the the file is validated against a public key
loaded into the kernel keyring.
The fs-verity signature is basically a signature of the root digest of the
Merkle tree.
Happy to elaborate further
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#issuecomment-599285238___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint