[Rpm-maint] [rpm-software-management/rpm] Add support for fsverity signatures (#1121)

jessorensen notifications at github.com
Mon Mar 16 00:08:40 UTC 2020


> Care to explain to the uninitiated layman such as myself why would we want/need this in rpm, since there already is IMA?

Certainly!

IMA and fs-verity operate very differently; in particular, IMA is a lot more complex and has substantially higher system overhead when reading signed files off the file system. It also requires one to use the full IMA system.

fs-verity works by using a Merkle tree to generate a checksum for every data block in the system, and reads will fail if a single data block read fails its checksum. The signature of the file is validated against a public key loaded into the kernel keyring.

The fs-verity signature is basically a signature of the root digest of the Merkle tree.

Happy to elaborate further

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#issuecomment-599285238
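
A simplified model of the mechanism described in the message above, added here as an illustration; it is not code from the rpm pull request or from the kernel. The block size, hash choice and all function names are assumptions, the layout is not fs-verity's actual on-disk format, and `trusted_root` stands in for the root digest that the signature covers.

```python
import hashlib

BLOCK_SIZE = 4096        # assumed block size for this sketch
HASH = hashlib.sha256    # assumed hash algorithm
DIGEST_SIZE = HASH().digest_size


class VerityError(OSError):
    """Hypothetical error type: a block did not verify against the tree."""


def _blocks(data, size):
    # Split into fixed-size blocks, zero-padding the last one.
    return [data[i:i + size].ljust(size, b"\0") for i in range(0, len(data), size)]


def build_tree(data, block_size=BLOCK_SIZE):
    """Return tree levels: per-block hashes first, single root digest last."""
    if not data:
        raise ValueError("empty input is not modelled in this sketch")
    level = [HASH(b).digest() for b in _blocks(data, block_size)]
    levels = [level]
    while len(level) > 1:
        # Pack child digests into blocks and hash each block to form the parent level.
        level = [HASH(b).digest() for b in _blocks(b"".join(level), block_size)]
        levels.append(level)
    return levels


def read_block(data, index, levels, trusted_root, block_size=BLOCK_SIZE):
    """Return data block `index`, or raise VerityError if any hash on its path is wrong.

    `levels` is untrusted stored metadata; only `trusted_root` is trusted.
    """
    fanout = block_size // DIGEST_SIZE
    block = _blocks(data, block_size)[index]
    digest = HASH(block).digest()
    for depth, level in enumerate(levels):
        if level[index] != digest:
            raise VerityError(f"checksum mismatch at tree level {depth}")
        if len(level) == 1:
            break
        index //= fanout
        siblings = b"".join(level[index * fanout:(index + 1) * fanout])
        digest = HASH(siblings.ljust(block_size, b"\0")).digest()
    if digest != trusted_root:
        raise VerityError("root digest does not match the trusted value")
    return block
```

Only the block being read and the hashes on its path to the root are checked, so a modified block fails its own read while untouched blocks still read normally, and rewriting the stored hashes to match does not help without also changing the trusted root.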