> In Fedora, we use a new package signing key for each Fedora release.
> What key would be used for the fs-verity signatures: the same key,
> a separate key? Edit: I see that the Change page says a dedicated key is used.
Hi all
I'm doing related work in this area. I'll provide some additional
tho
Hello everyone
I have done some work in the integrity subsystem, called
Digest Lists Integrity Module (DIGLIM).
It simplifies the effort necessary to do IMA appraisal, by
reusing the digests included in the header of existing
RPM packages as reference values. It wouldn't require
any change in the
Hi Kevin
I didn't find a link to create a new page. Could it be
that I don't have edit access? At the bottom of:
https://fedoraproject.org/wiki/Fedora_Project_Wiki
the page says:
Note that you'll need a Fedora account and to be in
at least one Fedora subproject group on that account
to make wik
> From: Roberto Sassu via devel [mailto:devel@lists.fedoraproject.org]
> Sent: Thursday, December 16, 2021 9:25 AM
> Hi Kevin
>
> I didn't find a link to create a new page. Could it be
> that I don't have edit access? At the bottom of:
>
> https://fedorapr
> From: Neal Gompa [mailto:ngomp...@gmail.com]
> Sent: Friday, December 17, 2021 11:17 AM
> On Fri, Dec 17, 2021 at 5:14 AM Roberto Sassu via devel
> wrote:
> >
> > > In Fedora, we use a new package signing key for each Fedora release.
> > > What key would
> From: Dan Čermák [mailto:dan.cer...@cgc-instruments.com]
> Sent: Sunday, December 26, 2021 7:10 AM
> Ben Cotton writes:
>
> *snip*
>
> >
> > It will also make Fedora able to detect tampering of its components at
> > a more privileged level, the kernel, without the interference of user
> > spac
Hi everyone
thanks for the comments. I try to answer in one email.
First, a clarification. Given that this feature is proposed
for an open source distribution, its primary goal is to
aid the users to satisfy their security needs, and let them
decide how this will be done. It is not going to impos
> From: Neal Gompa [mailto:ngomp...@gmail.com]
> Sent: Tuesday, December 28, 2021 3:57 PM
[...]
> In general, Fedora does not include non-upstream functionality in its
> Linux kernel builds. This can be frustrating for development and cases
> where upstream requires downstream validation before u
> From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
> Sent: Wednesday, December 29, 2021 10:29 AM
[...]
> From one of the patches:
>
> It accomplishes this task by storing reference values coming from
> software vendors and by reporting whether or not the
> digest of file content or metadat
27;re not all guys…
>
> On Tue, Dec 28, 2021 at 02:49:43PM +, Roberto Sassu via devel wrote:
> > It could be even possible that a user installs
> > his own GPG key (adequately protected), if he wants to sign
> > customized software.
>
> …*their* own GPG key,
> From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
> Sent: Wednesday, December 29, 2021 2:06 PM
[...]
> > With Windows 11, they're *mandatory*. Corporate policies now
> > effectively *require* TPM-based mechanisms *in addition* to classical
> > password or token-based multi-factor authentication
> From: Vitaly Zaitsev via devel [mailto:devel@lists.fedoraproject.org]
> Sent: Thursday, December 30, 2021 12:16 PM
> On 29/12/2021 21:53, Michel Alexandre Salim wrote:
> > If/when something like this gets shipped, I hope Fedora limits itself to
> > shipping a policy that is the equivalent of SELi
> From: Vitaly Zaitsev via devel [mailto:devel@lists.fedoraproject.org]
> Sent: Thursday, December 30, 2021 12:18 PM
> On 29/12/2021 15:20, Roberto Sassu via devel wrote:
> > The TPM has a fundamental advantage, compared to other
> > mechanisms. It is tamperproof, it ofte
> From: Zbigniew Jędrzejewski-Szmek [mailto:zbys...@in.waw.pl]
> Sent: Thursday, December 30, 2021 1:02 PM
> The gist of the proposal is described thus:
> > The new feature behaves as follows. A modified kernel with the DIGLIM
> > patches will expose to user space an interface to add/remove file
>
> From: Neal Gompa [mailto:ngomp...@gmail.com]
> Sent: Saturday, January 1, 2022 3:47 PM
> On Sat, Jan 1, 2022 at 5:51 AM Vitaly Zaitsev via devel
> wrote:
> >
> > On 31/12/2021 20:03, Nico Kadel-Garcia wrote:
> > > Sounds like, if this is enabled, they'll need a GPG key associated
> > > with thei
> From: Lennart Poettering [mailto:mzerq...@0pointer.de]
> Sent: Monday, January 3, 2022 2:34 PM
> On Mo, 03.01.22 13:07, Roberto Sassu (roberto.sa...@huawei.com) wrote:
>
> > That would work if all digest lists are supported by the kernel.
> > The first version worked that way, I developed a simp
> From: Lennart Poettering [mailto:mzerq...@0pointer.de]
> Sent: Monday, January 3, 2022 1:33 PM
> On Do, 30.12.21 13:04, Fedora Development ML (devel@lists.fedoraproject.org)
> wrote:
>
> > > From: Zbigniew Jędrzejewski-Szmek [mailto:zbys...@in.waw.pl]
> > > Sent: Thursday, December 30, 2021 1:02
Hi everyone
in the FESCo meeting yesterday, Zbigniew asked what is
the relationship between this feature and
https://fedoraproject.org/wiki/Changes/FsVerityRPM.
I try to explain here.
Both features aim at providing reference values, i.e.
values of software fingerprint certified by the software
ve
> From: Panu Matilainen [mailto:pmati...@redhat.com]
> Sent: Tuesday, January 4, 2022 12:27 PM
> On 1/4/22 10:41, Roberto Sassu via devel wrote:
> > Hi everyone
> >
> > in the FESCo meeting yesterday, Zbigniew asked what is
> > the relationship b
> From: Chris Murphy [mailto:li...@colorremedies.com]
> Sent: Thursday, January 6, 2022 9:34 PM
> Could this feature work with 3rd party kernel modules, in a UEFI
> Secure Boot (and thus kernel lockdown) context?
It could be possible to create a digest list of third-party kernel
modules. However,
Hi everyone
I recently sent to the kernel mailing lists a patch set to support
PGP keys and signatures.
Other than allowing the appraisal of RPM headers without
changes to the building infrastructure, it would also simplify
key management for the use cases requiring file or fsverity
signatures (n
> From: Roberto Sassu
> Sent: Tuesday, January 18, 2022 3:36 PM
> Hi everyone
>
> I recently sent to the kernel mailing lists a patch set to support
> PGP keys and signatures.
>
> Other than allowing the appraisal of RPM headers without
> changes to the building infrastructure, it would also simp
Hi everyone
(note for the infrastructure mailing list: please check if the changes
I'm proposing could be tested in the Fedora infrastructure, like Copr)
I made the first version of the rpm extension to sign fsverity
digests with a GPG key. The patch set (with some bug fixes)
is available here:
> From: Kevin Fenzi [mailto:ke...@scrye.com]
> Sent: Tuesday, January 25, 2022 7:30 PM
> On Fri, Jan 21, 2022 at 04:08:04PM +, Roberto Sassu via devel wrote:
> > Hi everyone
> >
> > (note for the infrastructure mailing list: please check if the changes
> > I&#
> From: Brandon Nielsen [mailto:niels...@jetfuse.net]
> Sent: Wednesday, January 26, 2022 5:14 PM
> On 1/26/22 3:25 AM, Roberto Sassu via devel wrote:
>
> [Snip]
>
> >
> > - web servers or other kind of servers where you, as client, would
> >like the g
Hi everyone
I have very exciting news to share.
Given the difficulty to have the DIGLIM kernel patches
accepted, I checked if I could achieve the same goals
with an eBPF program.
I focused only on the functionality side, it is probably
required some support from the kernel to have the
same secur
world\\n");
> return 0;
> }
> """
>
> b = BPF(text=prog)
> clone = b.get_syscall_fnname("clone")
> b.attach_kprobe(event=clone, fn_name="hello")
> b.trace_print()
> > EOF
>
>
>
> # strace -e bpf ./hi.py
&
> From: Roberto Sassu via devel [mailto:devel@lists.fedoraproject.org]
> Sent: Friday, February 18, 2022 4:27 PM
[...]
> Unlike the previous version of DIGLIM, this one does not
> have any dependency (I just had to add rpmplugin.h in
> the rpm-devel package).
>
> It can b
28 matches
Mail list logo
