Re: [PATCH v8 7/7] fsverity: update the documentation

From: Stefan Berger
Date: Fri Apr 29 2022 - 13:43:21 EST

Next message: pr-tracker-bot: "Re: [GIT PULL] arm64 fix for -rc5"
Previous message: Guenter Roeck: "Re: [PATCH v2 3/7] watchdog: npcm: Enable clock if provided"
In reply to: Mimi Zohar: "[PATCH v8 7/7] fsverity: update the documentation"
Next in thread: Mimi Zohar: "[PATCH v8 6/7] ima: support fs-verity file digest based version 3 signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/29/22 07:26, Mimi Zohar wrote:

Update the fsverity documentation related to IMA signature support.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
Documentation/filesystems/fsverity.rst | 35 +++++++++++++++++---------
1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
index 8cc536d08f51..b7d42fd65e9d 100644
--- a/Documentation/filesystems/fsverity.rst
+++ b/Documentation/filesystems/fsverity.rst
@@ -70,12 +70,23 @@ must live on a read-write filesystem because they are independently
updated and potentially user-installed, so dm-verity cannot be used.
The base fs-verity feature is a hashing mechanism only; actually
-authenticating the files is up to userspace. However, to meet some
-users' needs, fs-verity optionally supports a simple signature
-verification mechanism where users can configure the kernel to require
-that all fs-verity files be signed by a key loaded into a keyring; see
-`Built-in signature verification`_. Support for fs-verity file hashes
-in IMA (Integrity Measurement Architecture) policies is also planned.
+authenticating the files may be done by:
+
+* Userspace-only
+
+* Builtin signature verification + userspace policy
+
+ fs-verity optionally supports a simple signature verification
+ mechanism where users can configure the kernel to require that
+ all fs-verity files be signed by a key loaded into a keyring;
+ see `Built-in signature verification`_.
+
+* Integrity Measurement Architecture (IMA)
+
+ IMA supports including fs-verity file digests and signatures in the
+ IMA measurement list and verifying fs-verity based file signatures
+ stored as security.ima xattrs, based on policy.
+
User API
========
@@ -653,12 +664,12 @@ weren't already directly answered in other parts of this document.
hashed and what to do with those hashes, such as log them,
authenticate them, or add them to a measurement list.
- IMA is planned to support the fs-verity hashing mechanism as an
- alternative to doing full file hashes, for people who want the
- performance and security benefits of the Merkle tree based hash.
- But it doesn't make sense to force all uses of fs-verity to be
- through IMA. As a standalone filesystem feature, fs-verity
- already meets many users' needs, and it's testable like other
+ IMA supports the fs-verity hashing mechanism as an alternative
+ to full file hashes, for those who want the performance and
+ security benefits of the Merkle tree based hash. However, it
+ doesn't make sense to force all uses of fs-verity to be through
+ IMA. fs-verity already meets many users' needs even as a
+ standalone filesystem feature, and it's testable like other
filesystem features e.g. with xfstests.
:Q: Isn't fs-verity useless because the attacker can just modify the

Acked-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>

Next message: pr-tracker-bot: "Re: [GIT PULL] arm64 fix for -rc5"
Previous message: Guenter Roeck: "Re: [PATCH v2 3/7] watchdog: npcm: Enable clock if provided"
In reply to: Mimi Zohar: "[PATCH v8 7/7] fsverity: update the documentation"
Next in thread: Mimi Zohar: "[PATCH v8 6/7] ima: support fs-verity file digest based version 3 signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]