Do I understand correctly that IMA will verify signatures of binaries before
running them , but fsverity can verify _any_ file when it is being accessed and
block access if the signature is invalid?
--
You are receiving this because you are subscribed to this thread.
Reply to this email
Closed #1121.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#event-3839272908___
Rpm-maint mailing list
#1203 has been merged, I think we can close this one.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
Here is a more detailed update on the design of the fsverity support I have
been working on for rpm.
I now have code which I believe works correctly, and I'd love some feedback on
it. I am sure I got some things wrong. The code can be found in my cloned repo
here[1]
fsverity itself provides
Sounds like system consistency self test, that must be useful
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
> Care to explain to the uninitiated layman such as myself why would we
> want/need this in rpm, since there already is IMA?
Certainly!
IMA and fs-verity operate very differently, in particular IMA is a lot more
complex and and has substantially higher system overhead when reading signed
Care to explain to the uninitiated layman such as myself why would we want/need
this in rpm, since there already is IMA?
Adding per-file data to headers is costly, and IMA already bloats headers
significantly. Adding more of the same (as it kinda seems to me on the outset)
needs to have some
I am currently working on splitting fsverity-utils into a shared library which
will provide the needed functionality for computing digests and signing.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
fsverity is a new integrity feature in the kernel, which in combination with
fsverity-utils allows for validating integrity of binaries when data blocks are
read from disk.
This request is to add native rpm support for fsverity signatures, similar to
what is already available in RPM for IMA