Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc/support integration with IMA policies for mounting a composefs filesystem #251

Open
cgwalters opened this issue Feb 5, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@cgwalters
Copy link
Contributor

(This issue is somewhat half baked, but there's some valid discussion to be had of composefs+IMA)


While we decided to remove composefs' builtin signature verification using the fs-verity mechanism, for systems deploying with IMA, it could make a lot of sense to use IMA to sign and verify the composefs metadata file.

I don't think initially this needs actual code changes here, it's basically documenting:

Build server

evmctl ima_sign /path/to/composefs.img

Client (e.g. in initramfs)

  • evmctl ima_verify /target/composefs.img
  • mount.composefs /target/composefs.img

This is just reusing IMA as a mechanism to sign files in a generic fashion. Verification happens in userspace.

In this scenario we aren't using fsverity on the composefs image itself...which would definitely be better. To do that though, we'd need to use IMA to sign the expected digest instead.

Now I guess things get more interesting here as one could imagine a deeper integration with IMA policies (and IMA measurement in general) a bit like what happens with devicemapper ima.

I think doing that would require driving some of the current mount.composefs logic into the Linux kernel though. Which I guess in the end is bringing us back almost full circle in a way, except instead of using fsverity's signature support we'd be using IMA's signature support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant