integration with IPE tracker #360
Comments
|
File-backed mount support for EROFS has been merged for Linux v6.12. As that avoids the loopback device, it should make it easier to associate the fsverity signature to the erofs mount. |
Geert has requested for marking it as |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As of the current Linux kernel merge window, the IPE LSM was merged. Per the docs an example policy is e.g.
op=EXECUTE dmverity_signature=TRUE action=ALLOWThis relies on the idea that the dm-verity signature was verified in-kernel I believe. In contrast, the fsverity bits in IPE match by digest (annoying at scale) or rely on the in-kernel fsverity signatures which the fsverity maintainer doesn't like.
As folks here know with composefs we can combine the advantages of these. I think there is a bit of plumbing work that needs to be done, Eric Biggers (fsverity maintainer) noted this at one point.
I think in the end state what we want is something like:
op=EXECUTE composefs_signature=TRUE action=ALLOWNow, this gets into a messy topic of whether signatures are verified in kernel or in user space, and if in user space how we set a property that then later is trusted by the kernel.
And since composefs doesn't exist at the kernel level maybe this would need to be e.g.
op=EXECUTE overlayfs_fsverity_signature=TRUE action=ALLOWor so (and covering both the loopback-erofs fsverity vs backing file fsverity.And in general I think we need propagate metadata across our chain of 3 components (overlays, erofs, and the backing filesystem) so the higher level overlayfs inode that the LSM sees can reliably see that e.g. fsverity was required and enabled on the backing file, etc.
The text was updated successfully, but these errors were encountered: