[Rpm-maint] [rpm-software-management/rpm] RPM fsverity support (#1203)

jessorensen notifications at github.com
Tue Jun 2 15:39:08 UTC 2020


> Ok, good. For now I think we need to concentrate on the fundamental problem of architecture dependency. While most architectures today use 4K pages, being common doesn't make it arch independent, and then there even are architectures where this is configurable (eg aarch64). A noarch package cannot have content that is only valid on some architectures.
> 
> How are we supposed to deal with this?

I have been thinking a fair bit about this and I see a couple of options:
1) We could in principle generate signatures for every supported page size. This would require adding more tags, i.e. one for each page size.
2) Do not install signatures if the page size doesn't match the expected page size of the signature.
3) Work with the kernel to support 4K Merkle tree block size independent of the page size.

Right now fsverity is only supported on ext4 and f2fs, both of which currently only work with block size == PAGE_SIZE, which is suboptimal. I raised this issue on the linux-fscrypt list already.

We are actively working on adding fsverity support to btrfs, and the design here is to support 4K Merkle tree blocks independently of the page size.

I think 2) and 3) are the most reasonable approaches. The changes to support 4K blocks in btrfs should handle the generic kernel code that assumes block size == page size, so it should be doable to fix the other file systems to support this too.

Thoughts?

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1203#issuecomment-637633413
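
Why a signature made for one Merkle tree block size cannot be reused for another, and the check that option 2 implies, as an added example (not code from rpm, the kernel, or this thread). It assumes unsalted SHA-256 and the version 1 fs-verity descriptor layout; `signature_installable` and the sample data are hypothetical.

```python
import hashlib
import os
import struct

def merkle_root(data: bytes, block_size: int) -> bytes:
    """Root hash of an unsalted SHA-256 fs-verity Merkle tree over data."""
    if not data:
        return bytes(32)  # an empty file has an all-zero root hash

    def hash_blocks(buf: bytes) -> list:
        # Hash every block, zero-padding the final partial block.
        return [hashlib.sha256(buf[i:i + block_size].ljust(block_size, b"\0")).digest()
                for i in range(0, len(buf), block_size)]

    level = hash_blocks(data)
    while len(level) > 1:
        # Pack this level's hashes into blocks and hash those blocks.
        level = hash_blocks(b"".join(level))
    return level[0]

def file_digest(data: bytes, block_size: int) -> bytes:
    """SHA-256 of the 256-byte fsverity_descriptor; log_blocksize is part of it."""
    desc = struct.pack(
        "<BBBBIQ64s32s144s",
        1,                            # version
        1,                            # hash_algorithm: SHA-256
        block_size.bit_length() - 1,  # log_blocksize
        0,                            # salt_size (assumption: no salt)
        0,                            # reserved
        len(data),                    # data_size
        merkle_root(data, block_size),
        b"",                          # salt, zero-filled
        b"",                          # reserved, zero-filled
    )
    return hashlib.sha256(desc).digest()

def signature_installable(sig_block_size: int, page_size: int = None) -> bool:
    """Option 2 (hypothetical helper): skip signatures built for another page size."""
    if page_size is None:
        page_size = os.sysconf("SC_PAGE_SIZE")
    return sig_block_size == page_size

# Constructed sample: 16 KiB of data, digested for 4K and 64K blocks.
SAMPLE = bytes(range(256)) * 64

if __name__ == "__main__":
    for bs in (4096, 65536):
        print(bs, file_digest(SAMPLE, bs).hex(), signature_installable(bs))
```
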