|
|
Log in / Subscribe / Register

A possible step toward integrity measurement for Fedora

A possible step toward integrity measurement for Fedora

Posted Jan 9, 2021 11:14 UTC (Sat) by smurf (subscriber, #17840)
In reply to: A possible step toward integrity measurement for Fedora by rahulsundaram
Parent article: A possible step toward integrity measurement for Fedora

fs-verity uses a Merkle tree to verify contents on every read.

IMA uses, AFAICT from cursory reading of the docs, a single full-file hash, plus the inode version to check whether to re-verify a file. Not so good IMHO; this seems to imply that if I can gain block-level access to a file system (this is not at all difficult if it's on a DM-managed partition) I can modify a file behind IMA's back. Ugh.

Seems to me that adding a method to sign the file's fs-verity tree might be a better option.

to post comments

A possible step toward integrity measurement for Fedora

Posted Jan 9, 2021 16:05 UTC (Sat) by bluca (subscriber, #118303) [Link] (4 responses)

fsverity already supports signatures, enforced by the kernel via the .fs-verity keyring, out of the box

A possible step toward integrity measurement for Fedora

Posted Jan 9, 2021 16:16 UTC (Sat) by smurf (subscriber, #17840) [Link] (3 responses)

Ah. Thanks, I missed that. Even better.
This of course begs the question why I would want to use IMA in the first place (assuming that my file system supports fsverity).

A possible step toward integrity measurement for Fedora

Posted Jan 11, 2021 14:26 UTC (Mon) by hkario (subscriber, #94864) [Link] (1 responses)

fs-verity is a read-only file system, IMA does not require that

A possible step toward integrity measurement for Fedora

Posted Jan 11, 2021 16:29 UTC (Mon) by walters (subscriber, #7396) [Link]

No; fs-verity makes executables read-only, not a complete filesystem. You're thinking of dm-verity perhaps?

Note that with fs-verity even a "read-only" executable can be `unlink()`ed and a new one written in its place; this is why the docs https://www.kernel.org/doc/html/latest/filesystems/fsveri... talk about ensuring that the verity state of a file is validated by something (userspace, or basic support for automatic kernel verification).

A possible step toward integrity measurement for Fedora

Posted Jan 11, 2021 23:13 UTC (Mon) by ebiggers (subscriber, #130760) [Link]

fs-verity is mainly a way of hashing files, while IMA is mainly a policy for what to do with file hashes.

fs-verity does have optional support for storing signatures with files and having the kernel verify that all fs-verity files are signed by a trusted key. This is much simpler than an IMA policy but also much less flexible; e.g., userspace still needs to check which files have fs-verity enabled. It's really more a proof-of-concept, which happens to be enough for some users who don't want to use IMA.

At some point it's likely that IMA will support fs-verity hashes, so that IMA and fs-verity can be used together. They're not mutually exclusive.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds