fsverity: mark builtin signatures as deprecated
fsverity builtin signatures, at least as currently implemented, are a mistake and should not be used. They mix the authentication policy between the kernel and userspace, which is not a clean design and causes confusion.

For builtin signatures to actually provide any security benefit, userspace still has to enforce that specific files have fsverity enabled. Since userspace needs to do this, a better design is to have that same userspace code do the signature check too. That allows better signature formats and algorithms to be used, avoiding in-kernel parsing of the notoriously bad PKCS#7 format. It is also needed anyway when different keys need to be trusted for different files, or when it's desired to use fsverity for integrity-only or auditing on some files and for authenticity on other files. Basically, the builtin signatures don't work for any nontrivial use case.

(IMA appraisal is another alternative. It goes in the opposite direction -- the full policy is moved into the kernel.)

For these reasons, the master branch of AOSP no longer uses builtin signatures. It still uses fsverity for some files, but signatures are verified in userspace when needed.

None of the public uses of builtin signatures outside Android seem to have gotten going, either. Support for builtin signatures was added to RPM. However, https://fedoraproject.org/wiki/Changes/FsVerityRPM was subsequently rejected from Fedora and seems to have been abandoned. There is also ostreedev/ostree#2269, which was never merged. Neither proposal mentioned a plan to set fs.verity.require_signatures=1 and enforce that files have fs-verity enabled -- so, they would have had no security benefit on their own.

I'd be glad to hear about any other users of builtin signatures that may exist, and help with the details of what should be used instead.

Anyway, the feature can't simply be removed, due to the need to maintain backwards compatibility. But let's at least make it clear that it's deprecated.

Update the documentation accordingly, and rename the kconfig option to CONFIG_FS_VERITY_DEPRECATED_BUILTINSIG. Also remove the kconfig option from the s390 defconfigs, as it's unneeded there.

Signed-off-by: Eric Biggers <[email protected]>
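The commit message argues that userspace must (a) enforce that a given file actually has fs-verity enabled and (b) do the signature check itself, against a format of its choosing, rather than relying on the kernel's builtin PKCS#7 path. The following is an added example of that userspace-side policy, not code from this commit or from the kernel tree. The ioctl number and the `struct fsverity_digest` layout are the public kernel UAPI (`include/uapi/linux/fsverity.h`); the JSON manifest format and the caller-supplied `verify_signature` callable are assumptions made for the example, standing in for whatever signature scheme the deployment chooses.

```python
"""Userspace fs-verity enforcement, as the commit message recommends:
fail closed unless the file has fs-verity enabled AND its measured digest
matches an entry in a manifest whose signature userspace has verified."""
import errno
import fcntl
import hmac
import json
import os
import struct
import sys

# Kernel UAPI constants (include/uapi/linux/fsverity.h).
FS_IOC_MEASURE_VERITY = 0xC0046686  # _IOWR('f', 134, struct fsverity_digest)
FS_VERITY_HASH_ALG_SHA256 = 1
FS_VERITY_HASH_ALG_SHA512 = 2
_DIGEST_SIZES = {FS_VERITY_HASH_ALG_SHA256: 32, FS_VERITY_HASH_ALG_SHA512: 64}
_HDR = struct.Struct("=HH")  # __u16 digest_algorithm; __u16 digest_size;
_MAX_DIGEST = 64             # large enough for every algorithm the kernel supports


def parse_fsverity_digest(buf):
    """Decode a struct fsverity_digest as filled in by FS_IOC_MEASURE_VERITY.
    Returns (algorithm, digest bytes); raises ValueError on inconsistent data
    so that a malformed answer can never be mistaken for a valid measurement."""
    alg, size = _HDR.unpack_from(buf)
    if _DIGEST_SIZES.get(alg) != size or len(buf) < _HDR.size + size:
        raise ValueError(f"inconsistent fsverity_digest: alg={alg} size={size}")
    return alg, bytes(buf[_HDR.size:_HDR.size + size])


def measure_verity(path):
    """Ask the kernel for the file's fs-verity digest.
    Returns (algorithm, digest), or None when fs-verity is not enabled on the
    file (ENODATA) or not supported by the filesystem (ENOTTY/EOPNOTSUPP).
    Either None case must be treated as a policy failure by the caller."""
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        # digest_size tells the kernel how much room we have; it overwrites it
        # with the real size on success.
        buf = bytearray(_HDR.pack(0, _MAX_DIGEST)) + bytearray(_MAX_DIGEST)
        try:
            fcntl.ioctl(fd, FS_IOC_MEASURE_VERITY, buf)
        except OSError as e:
            if e.errno in (errno.ENODATA, errno.ENOTTY, errno.EOPNOTSUPP):
                return None
            raise
        return parse_fsverity_digest(buf)
    finally:
        os.close(fd)


def check_against_manifest(measured, entry):
    """The policy the commit message says userspace has to implement anyway:
    fs-verity must be enabled, and the digest must equal the trusted one.
    `entry` is a constructed manifest record: {"alg": int, "digest": hex}."""
    if measured is None:
        return False, "fs-verity not enabled (or unsupported): refusing"
    alg, digest = measured
    if alg != entry["alg"]:
        return False, f"hash algorithm {alg} != manifest {entry['alg']}"
    if not hmac.compare_digest(digest, bytes.fromhex(entry["digest"])):
        return False, "digest mismatch"
    return True, "ok"


def enforce(path, manifest_bytes, signature, verify_signature):
    """End-to-end check. `verify_signature(manifest_bytes, signature) -> bool`
    is a hypothetical callable supplied by the deployment (for example an
    Ed25519 check with a real crypto library); the signature is checked in
    userspace, over a format of userspace's choosing, before anything else."""
    if not verify_signature(manifest_bytes, signature):
        return False, "manifest signature invalid: refusing"
    manifest = json.loads(manifest_bytes)
    entry = manifest.get(path)
    if entry is None:
        return False, "file not listed in manifest: refusing"
    return check_against_manifest(measure_verity(path), entry)


if __name__ == "__main__":
    # Usage: python fsverity_policy.py FILE MANIFEST.json
    # (the manifest here is unsigned, so verify_signature is a stand-in)
    ok, why = enforce(sys.argv[1], open(sys.argv[2], "rb").read(), b"",
                      lambda m, s: True)
    print(why)
    sys.exit(0 if ok else 1)
```

Note that the manifest entry is keyed by path and carries the algorithm as well as the digest: a file with fs-verity enabled under a different algorithm than the manifest expects is rejected, and a file that is simply not listed is rejected too, so the check fails closed in every branch rather than only on a digest mismatch.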
1 parent 479174d, commit cce9348. Showing 7 changed files with 97 additions and 87 deletions.