You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As of the current Linux kernel merge window, the IPE LSM was merged. Per the docs an example policy is e.g.
op=EXECUTE dmverity_signature=TRUE action=ALLOW
This relies on the idea that the dm-verity signature was verified in-kernel I believe. In contrast, the fsverity bits in IPE match by digest (annoying at scale) or rely on the in-kernel fsverity signatures which the fsverity maintainer doesn't like.
As folks here know with composefs we can combine the advantages of these. I think there is a bit of plumbing work that needs to be done, Eric Biggers (fsverity maintainer) noted this at one point.
I think in the end state what we want is something like:
op=EXECUTE composefs_signature=TRUE action=ALLOW
Now, this gets into a messy topic of whether signatures are verified in kernel or in user space, and if in user space how we set a property that then later is trusted by the kernel.
And since composefs doesn't exist at the kernel level maybe this would need to be e.g. op=EXECUTE overlayfs_fsverity_signature=TRUE action=ALLOW or so (and covering both the loopback-erofs fsverity vs backing file fsverity.
And in general I think we need propagate metadata across our chain of 3 components (overlays, erofs, and the backing filesystem) so the higher level overlayfs inode that the LSM sees can reliably see that e.g. fsverity was required and enabled on the backing file, etc.
The text was updated successfully, but these errors were encountered:
File-backed mount support for EROFS has been merged for Linux v6.12. As that avoids the loopback device, it should make it easier to associate the fsverity signature to the erofs mount.
File-backed mount support for EROFS has been merged for Linux v6.12. As that avoids the loopback device, it should make it easier to associate the fsverity signature to the erofs mount.
As of the current Linux kernel merge window, the IPE LSM was merged. Per the docs an example policy is e.g.
op=EXECUTE dmverity_signature=TRUE action=ALLOW
This relies on the idea that the dm-verity signature was verified in-kernel I believe. In contrast, the fsverity bits in IPE match by digest (annoying at scale) or rely on the in-kernel fsverity signatures which the fsverity maintainer doesn't like.
As folks here know with composefs we can combine the advantages of these. I think there is a bit of plumbing work that needs to be done, Eric Biggers (fsverity maintainer) noted this at one point.
I think in the end state what we want is something like:
op=EXECUTE composefs_signature=TRUE action=ALLOW
Now, this gets into a messy topic of whether signatures are verified in kernel or in user space, and if in user space how we set a property that then later is trusted by the kernel.
And since composefs doesn't exist at the kernel level maybe this would need to be e.g.
op=EXECUTE overlayfs_fsverity_signature=TRUE action=ALLOW
or so (and covering both the loopback-erofs fsverity vs backing file fsverity.And in general I think we need propagate metadata across our chain of 3 components (overlays, erofs, and the backing filesystem) so the higher level overlayfs inode that the LSM sees can reliably see that e.g. fsverity was required and enabled on the backing file, etc.
The text was updated successfully, but these errors were encountered: