[Rpm-maint] [RFC PATCH v2] Include and install file signatures
Mimi Zohar
zohar at linux.vnet.ibm.com
Mon Sep 29 21:55:57 UTC 2014
On Fri, 2014-08-29 at 12:33 -0500, fin at linux.vnet.ibm.com wrote:
> From: Fionnuala Gunter <fin at linux.vnet.ibm.com>
>
> IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on
> a known 'good' value stored as an extended attribute 'security.ima'. Labeling the
> filesystem is currently done post install using a local private key. Including
> file signatures in the package provides not only file integrity, but file
> provenance.
>
> This patch extends the existing rpm signing tool to sign package files and
> include them in the package header. It defines a tag RPMTAG_FILESIGNATURES, an
> RPM macro %_file_signing_key, new options --fskpath, --signfiles, and an IMA
> plugin.
>
> rpm --addsign [--signfiles] PACKAGE_FILE ...
>
> The new option to rpmsign signs all the file digests included in the package.
> When a package is signed with the new option, the file digests are signed using
> libimaevm and the key %_file_sign_key. The resulting signatures are included in
> the package header as an RPMTAG_FILESIGNATURES tag. Since the header is
> modified, the SHA1 and MD5 digests of the header are recalculated and inserted
> in the signature header.
>
> After including the file signatures with the new option, the packages are signed
> normally.
>
> When a package with signed files is installed, the file signatures are extracted
> from the package header, and the IMA plugin writes the file signatures as
> security.ima extended attributes. The IMA plugin instantiates the fsm_file_post
> but the parameter list was modified to include the file signature.
>
> Package files can also be signed during install with the new option --signfiles.
>
> rpm -i [--signfiles] PACKAGE_FILE ...
>
> v2: Added --signfiles option to rpminstall. File signing key can be configured
> on the command line with --fskpath. Added missing file (plugins/ima.c). Fixed
> typo in rpmDigestAlgo.
>
> Signed-off-by: Fionnuala Gunter <fin at linux.vnet.ibm.com>

Thanks, Fin! Sorry for the long delay in commenting. Perhaps this patch
could be broken up a bit into smaller, more manageable pieces? Perhaps
something like:

- Include file signatures in RPM header
- IMA fsm_file_post plugin hook changes
- Install file signatures from RPM header
- Support local file signing on package install

thanks,
Mimi
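
Added example (not part of the original message or of the rpm patch): a small C check that reads a file's security.ima extended attribute, which the IMA plugin described above is meant to write at install time, and reports whether it holds a signature rather than a locally computed hash. The header layout (type byte 0x03, version 2, hash algorithm, big-endian key id and signature size) is assumed from the Linux kernel's IMA signature format, not taken from this thread; parse_ima_xattr, ima_sig_info and sample_xattr are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define EVM_IMA_XATTR_DIGSIG 0x03  /* kernel xattr type: signature, not a bare hash */
#define IMA_SIG_HDR_LEN 9          /* type + version + hash_algo + keyid(4) + sig_size(2) */

struct ima_sig_info { uint8_t hash_algo; uint32_t keyid; uint16_t sig_size; };

/* Constructed sample: v2 header, hash_algo 4 (sha256), keyid 0x11223344,
 * followed by 4 fake signature bytes. Layout assumed from the kernel format. */
static const uint8_t sample_xattr[] = { 0x03, 0x02, 0x04, 0x11, 0x22, 0x33, 0x44,
                                        0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };

/* Returns 0 for a well-formed v2 signature, -1 if the value is not a
 * signature (e.g. a locally computed hash), -2 if it is malformed. */
int parse_ima_xattr(const uint8_t *buf, size_t len, struct ima_sig_info *out)
{
    if (len < 1 || buf[0] != EVM_IMA_XATTR_DIGSIG)
        return -1;
    if (len < IMA_SIG_HDR_LEN || buf[1] != 2)
        return -2;
    out->hash_algo = buf[2];
    out->keyid = (uint32_t)buf[3] << 24 | (uint32_t)buf[4] << 16 |
                 (uint32_t)buf[5] << 8 | buf[6];          /* big-endian on disk */
    out->sig_size = (uint16_t)(buf[7] << 8 | buf[8]);
    /* The declared signature length must match the bytes actually present. */
    return (size_t)out->sig_size == len - IMA_SIG_HDR_LEN ? 0 : -2;
}

int main(int argc, char **argv)
{
    uint8_t buf[1024];
    struct ima_sig_info info;

    for (int i = 1; i < argc; i++) {
        ssize_t n = getxattr(argv[i], "security.ima", buf, sizeof buf);
        int rc = n < 0 ? -1 : parse_ima_xattr(buf, (size_t)n, &info);
        if (rc == 0)
            printf("%s: signed, keyid %08x, hash_algo %u, %u-byte signature\n", argv[i],
                   (unsigned)info.keyid, (unsigned)info.hash_algo, (unsigned)info.sig_size);
        else
            printf("%s: %s\n", argv[i], rc == -1 ? "no IMA signature" : "malformed IMA signature");
    }
    return 0;
}
```

Run it over the paths owned by a package after install; a file that reports "no IMA signature" carries no provenance from the package, only whatever local labeling was applied.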