Wiki - https://fedoraproject.org/wiki/Changes/Debuginfod_IMA_Verification Discussion thread - https://discussion.fedoraproject.org/t/f43-change-proposal-debuginfod-ima-verification-by-default-self-contained/147312
This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Enable client-side cryptographic verification of [[Debuginfod]] auto-downloaded debugging information and source code by default. == Owner == * Name: [[User:FChE| Frank Ch. Eigler]] * Email: <f...@redhat.com> == Detailed Description == Fedora's [[Debuginfod]] clients and servers can take advantage of [[Changes/Signed_RPM_Contents|signed RPMs]] to provide and verify cryptographic integrity of debuginfo & source code files made available to clients. Upstream [https://sourceware.org/elfutils elfutils] code has contained all the logic since version 0.192. The Fedora debuginfod servers have made this IMA signature information available for apprx. all RPMS in Fedora 39+. It only needs client side configuration to activate verification. Activating this requires changing the `$DEBUGINFOD_URLS` environment variable's value. This variable is constructed from files in `/etc/debuginfod/*.url` files. The concrete proposal is to replace the `/etc/debuginfod/elfutils.urls` file, provided by the `elfutils-debuginfod-client` subrpm, to the following value: <pre>ima:enforcing https://debuginfod.fedoraproject.org ima:ignore</pre> This will force crypto verification of files downloaded from that server, and let the client reject any unverifiable files. The trailing "ima:ignore" part is for the situation where an end-user might naively append additional debuginfod server URLs to the environment variable, but we don't want to assert enforcing mode for them. == Feedback == This feature fills a gap identified back when [[Changes/DebuginfodByDefault]] arrived during F35. == Benefit to Fedora == The warm fuzzy feeling of more end-user-verifiable security over files they download from Fedora. == Scope == * Proposal owners: Adjustment to `elfutils.spec` * Other developers: None * Release engineering: None, except continuing to publish IMA key certificates in a timely & complete manner in `fedora-gpg-keys` into `/etc/keys/ima/`. * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: ? == Upgrade/compatibility impact == None. With `fedora-gpg-keys` containing public key signatures for ''all'' recent Fedoras, debugging older or newer binaries should also work fine. == How To Test == Set the `$DEBUGINFOD_URLS` environment variable by hand, or edit the `/etc/debuginfod/*.url` file(s), to add `ima:enforcing` in the proper place. For more diagnostics, set `$DEBUGINFOD_VERBOSE` to `1`. Use `debuginfod-find -v debuginfo $BINARY`. Observe successful download. == User Experience == Normally, no observable change at all, assuming that all RPMs distributed from koji continue to be built with IMA per-file signatures. Should there be unsigned RPMs, or ones whose signatures become invalid due to storage or transmission errors, this will result in user tools treating the debuginfo as unavailable. There may be diagnostics printed. At that point, a user can in principle disable checking manually, download debuginfo by hand (e.g. via `debuginfo-install`), or grin and bear it. == Dependencies == The `fedora-gpg-keys` rpm contains the public key certificates against which the client verifies download signatures. The location of these certificates is a compiled-in default into the debuginfod client code (`/etc/keys/ima`), but may be changed with an environment variable. Releng/koji need to keep building RPMs for present / future versions of Fedora with IMA signatures attached. Transitions between major-version signing keys should be okay, as long as the `fedora-gpg-keys` RPM (containing the certificates) gets updated in a timely manner. == Contingency Plan == * Contingency mechanism: Unroll the `elfutils.spec` change or hand-edit env. vars. * Contingency deadline: N/A (not a System Wide Change) * Blocks release? N/A (not a System Wide Change) == Documentation == N/A (not a System Wide Change) == Release Notes == "The debuginfod client tools used to auto-download debuginfo & source code into tools like `gdb` now cryptographically verify the integrity of the downloaded files from the Fedora debuginfod server." -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-annou...@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
