
WIP: Add computation and verification of previous layers' hashes #44

Closed

Conversation

stefanberger
Collaborator

This patch adds the computation of previous layers' accumulated hashes
on the encryption side and writes this computed hash into the private
options of a layer. The private options will be encrypted then. On the
decryption side it also performs the computations and, if the private
options contain the previous layers' hash, which may not be the case for
older images but will be the case for newer ones, it compares the expected
hash against the computed one and errors if they don't match.

The previous layers' digest needs to be passed from one layer encryption
step to the next. The sequence must begin with the bottom-most layer
getting sha256.Sum256(nil) passed so that no other layer can be slid
underneath the bottom-most one.

This patch at least helps fulfill the requirement that previous layers
cannot be manipulated assuming the attacker can access the registry but
of course not manipulate the decryption code.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

@stefanberger stefanberger force-pushed the previous_layer_hash branch 2 times, most recently from bc18913 to 77249b3 on March 4, 2021 13:25
@stefanberger
Collaborator Author

stefanberger commented Mar 4, 2021

Putting this work on hold until the dust settles over there: opencontainers/image-spec#775

@stefanberger stefanberger force-pushed the previous_layer_hash branch 3 times, most recently from 52df4c8 to 22cb4e2 on March 9, 2021 18:00
This patch adds the computation of previous layers' accumulated hashes
on the encryption side and writes this computed hash into the private
options of a layer. The private options will be encrypted then. On the
decryption side it also performs the computations and, if the private
options contain the previous layers' hash, which may not be the case for
older images but will be the case for newer ones, it compares the expected
hash against the computed one and errors if they don't match.

The previous layers' digest needs to be passed from one layer encryption
step to the next. The sequence must begin with the bottom-most layer
using the result of GetInitalPreviousLayersDigest() so that no other layer
can be 'slid' underneath the bottom-most one.

This patch at least helps fulfill the requirement that previous layers
cannot be manipulated assuming the attacker can access the registry but
of course not manipulate the decryption code.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
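The chaining described in both versions of the description above (bottom-most layer seeded with sha256.Sum256(nil), the accumulated digest of all previous layers written into each layer's private options on encryption, recomputed and compared on decryption, and tolerated when absent for older images), as an added stand-alone example. This is not the ocicrypt code from this PR: the Layer and PrivateLayerOptions types, the function names, and the fold acc' = SHA-256(acc || contentDigest) are assumptions made for the example; the sample layer contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layer models one image layer as the hash chain sees it: the digest of its
// content and the "private options" that the encryption step fills in and
// that are then encrypted. (Hypothetical types for this example.)
type Layer struct {
	ContentDigest [32]byte
	PrivateOpts   PrivateLayerOptions
}

// PrivateLayerOptions stands in for the encrypted per-layer metadata.
// PreviousLayersDigest is empty for older images that predate the check.
type PrivateLayerOptions struct {
	PreviousLayersDigest string
}

// InitialPreviousLayersDigest returns the chain seed for the bottom-most
// layer: SHA-256 over empty input, as the PR description specifies.
func InitialPreviousLayersDigest() [32]byte {
	return sha256.Sum256(nil)
}

// NextPreviousLayersDigest folds one layer's content digest into the running
// accumulated digest: acc' = SHA-256(acc || contentDigest). (Assumed fold.)
func NextPreviousLayersDigest(acc [32]byte, contentDigest [32]byte) [32]byte {
	buf := make([]byte, 0, 64)
	buf = append(buf, acc[:]...)
	buf = append(buf, contentDigest[:]...)
	return sha256.Sum256(buf)
}

// EncryptLayers plays the encryption side: walk the layers bottom-up and
// record, in each layer's private options, the accumulated digest of all
// layers *below* it. The bottom-most layer therefore records the seed.
func EncryptLayers(layers []Layer) []Layer {
	acc := InitialPreviousLayersDigest()
	out := make([]Layer, len(layers))
	for i, l := range layers {
		l.PrivateOpts.PreviousLayersDigest = hex.EncodeToString(acc[:])
		out[i] = l
		acc = NextPreviousLayersDigest(acc, l.ContentDigest)
	}
	return out
}

var ErrPreviousLayersMismatch = errors.New("previous layers' digest mismatch")

// VerifyLayers plays the decryption side: recompute the chain and compare it
// with what each layer's (decrypted) private options claim. A layer whose
// options carry no digest is tolerated, matching the handling of older
// images. Returns the index of the first failing layer, or -1 on success.
func VerifyLayers(layers []Layer) (int, error) {
	acc := InitialPreviousLayersDigest()
	for i, l := range layers {
		if want := l.PrivateOpts.PreviousLayersDigest; want != "" {
			if got := hex.EncodeToString(acc[:]); got != want {
				return i, fmt.Errorf("layer %d: %w", i, ErrPreviousLayersMismatch)
			}
		}
		acc = NextPreviousLayersDigest(acc, l.ContentDigest)
	}
	return -1, nil
}

// sampleLayers builds three constructed layers whose "content" is a short
// label; a real implementation hashes the layer blob.
func sampleLayers() []Layer {
	var layers []Layer
	for _, content := range []string{"base", "middle", "top"} {
		layers = append(layers, Layer{ContentDigest: sha256.Sum256([]byte(content))})
	}
	return layers
}

func main() {
	encrypted := EncryptLayers(sampleLayers())
	if idx, err := VerifyLayers(encrypted); err != nil {
		fmt.Println("unexpected failure at layer", idx, err)
	} else {
		fmt.Println("chain verifies")
	}

	// A layer placed underneath the bottom-most one is caught at index 1:
	// the original bottom layer recorded the seed, but the recomputed chain
	// now includes the extra layer's digest.
	underneath := append([]Layer{{ContentDigest: sha256.Sum256([]byte("extra"))}}, encrypted...)
	idx, err := VerifyLayers(underneath)
	fmt.Println("extra layer underneath: failing index", idx, "err:", err)
}
```

The check only binds a layer to the layers below it, so a layer that itself carries no digest (an old-format layer) is accepted on its own; it is the next layer that carries a digest which exposes the discrepancy. That is why the bottom-most layer must start from the fixed seed rather than from a caller-supplied value.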
@stefanberger stefanberger deleted the previous_layer_hash branch on March 11, 2024 22:06