[Rpm-maint] [rpm-software-management/rpm] RPM fsverity support (#1203)

jessorensen notifications at github.com
Tue Jun 2 17:41:31 UTC 2020


> I have been thinking a fair bit about this and I see a couple of options:
> 
> 1. We could in principle generate signatures for every supported page size. This would require adding more tags, i.e. one for each page size.
> 2. Do not install signatures if the page size doesn't match the expected page size of the signature.
> 3. Work with the kernel to support 4K Merkle tree block size independent of the page size.
> 
> Right now fsverity is only supported on ext4 and f2fs, both of these currently only work with block size == PAGE_SIZE, which is suboptimal. I raised this issue on the linux-fscrypt list already.
> 
> We are actively working on adding fsverity support to btrfs, and the design here is to support 4K Merkle tree blocks independently of the page size.
> 
> I think 2) and 3) are the most reasonable approaches. The changes to support 4K blocks in btrfs should handle the generic kernel code that assumes block size == page size, so it should be doable to fix the other file systems to support this too.

Having discussed this further with Chris Mason, who is working on the btrfs support, it seems that rather than mandating a 4K Merkle tree, it really is the job of the kernel to support whatever Merkle tree block size it is being presented, not the job of RPM to cater for it.

So the other way of looking at it is to carry the Merkle tree block size in a tag, and expect the kernel to support that. It won't work everywhere right now, but that is where it should go.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1203#issuecomment-637700416
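An added illustration of the block-size problem discussed in this message; it is not code from RPM or from the pull request. It builds an unsalted SHA-256 Merkle tree as the fs-verity documentation describes and shows that the root hash, and so anything signed over it, changes with the Merkle tree block size. `package_entry` and `install_check` are hypothetical helpers, the 64K size and the sample data are constructed, and the descriptor that fs-verity actually signs is not modelled.

```python
import hashlib

def merkle_root(data: bytes, block_size: int) -> bytes:
    """Root hash of an unsalted SHA-256 Merkle tree over data.

    Each block is zero-padded to block_size and hashed; the hashes are packed
    into blocks of the same size and hashed again until one hash remains.
    """
    if not data:
        return bytes(hashlib.sha256().digest_size)  # empty file: all-zero root
    level = data
    while True:
        hashes = [
            hashlib.sha256(level[i:i + block_size].ljust(block_size, b"\0")).digest()
            for i in range(0, len(level), block_size)
        ]
        if len(hashes) == 1:
            return hashes[0]
        level = b"".join(hashes)

def package_entry(data: bytes, block_size: int) -> dict:
    """Hypothetical per-file record: the root hash plus a tag naming the
    block size it was computed with (the approach proposed in the message)."""
    return {"block_size": block_size, "root": merkle_root(data, block_size)}

def install_check(entry: dict, data: bytes, kernel_block_sizes: set) -> str:
    """Option 2 from the quoted list: skip when the running kernel cannot
    build a tree with the tagged block size, otherwise compare root hashes."""
    if entry["block_size"] not in kernel_block_sizes:
        return "skip"
    same = merkle_root(data, entry["block_size"]) == entry["root"]
    return "ok" if same else "mismatch"

# Constructed sample: 256 KiB of patterned bytes standing in for a file.
SAMPLE = bytes(range(256)) * 1024

if __name__ == "__main__":
    entry = package_entry(SAMPLE, 4096)
    print("4K root :", entry["root"].hex())
    print("64K root:", merkle_root(SAMPLE, 65536).hex())
    print("4K-capable kernel  :", install_check(entry, SAMPLE, {4096}))
    print("64K-only kernel    :", install_check(entry, SAMPLE, {65536}))
```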