Do I understand correctly that IMA will verify signatures of binaries before
running them, but fsverity can verify _any_ file when it is being accessed and
block access if the signature is invalid?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directl
Closed #1121.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#event-3839272908
#1203 has been merged, I think we can close this one.
--
Here is a more detailed update on the design of the fsverity support I have
been working on for rpm.
I now have code which I believe works correctly, and I'd love some feedback on
it. I am sure I got some things wrong. The code can be found in my cloned repo
here[1]
fsverity itself provides bl
Sounds like system consistency self test, that must be useful
--
> Care to explain to the uninitiated layman such as myself why would we
> want/need this in rpm, since there already is IMA?
Certainly!
IMA and fs-verity operate very differently, in particular IMA is a lot more
complex and has substantially higher system overhead when reading signed
files
Care to explain to the uninitiated layman such as myself why would we want/need
this in rpm, since there already is IMA?
Adding per-file data to headers is costly, and IMA already bloats headers
significantly. Adding more of the same (as it kinda seems to me on the outset)
needs to have some pr
I am currently working on splitting fsverity-utils into a shared library which
will provide the needed functionality for computing digests and signing.
--
fsverity is a new integrity feature in the kernel, which in combination with
fsverity-utils allows for validating integrity of binaries when data blocks are
read from disk.
This request is to add native rpm support for fsverity signatures, similar to
what is already available in RPM for IMA sig