
michal92299 edited this page Feb 11, 2026 · 1 revision

Security Features

This page covers the security mechanisms in libfasttree, designed to protect against supply chain attacks, ensure data integrity, and maintain system trustworthiness. We'll explain each feature, how it works, and how to enable/use it. These features build on standard practices like signatures and extend to advanced kernel-level protections.

Overview

libfasttree prioritizes security at every stage:

  • Package Verification: Keyless signing to avoid key management issues.
  • Immutable Storage: Filesystem-level protections against tampering.
  • System State Validation: Hardware-based checks for boot integrity.
  • Best Practices: Assume good intent but verify everything.

All features are configurable via the Config struct (see Configuration Guide).

1. Sigstore/Cosign for Keyless Signing

What it is: Instead of traditional GPG keys, libfasttree uses Sigstore for transparent, keyless signatures. This logs signing events publicly and verifies without long-lived keys.

How it works:

  • download_package calls Cosign to verify the package's signature bundle before anything is stored.
  • Falls back to GPG verification if a keyring is configured (gpg_keyring).

Enabling:

  • Set distro_type to a supported manager (e.g., AptManager uses Sigstore).
  • No extra config needed—it's built-in.

Example: In install, packages are auto-verified:

ft.install("secure-pkg", "main").await?; // Verifies with Sigstore

Tip: For custom verification, extend the PackageManager trait.

2. FS-Verity for Immutable Files

What it is: Kernel feature that makes a file read-only and verifiable block by block against a Merkle tree whose root hash is fixed when verity is enabled. Tampering is detected even offline, because any modified block fails verification on read.

How it works:

  • store_in_cas enables FS-Verity on each object via ioctl after writing it.
  • The root hash is read back from the kernel and recorded in the DB; the kernel enforces it on every access.
  • Files in the CAS become immutable.

Enabling:

  • Set use_fsverity: true in Config.
  • Requires Btrfs/Ext4/F2FS with kernel support.

Example: With use_fsverity: true, stored objects get verity hashes:

let config = Config { use_fsverity: true, /* ... */ };
let mut ft = FastTree::new(config).await?;

Tip: Use on production for critical systems; test kernel compatibility first.

3. TPM Integration for System State

What it is: Uses Trusted Platform Module (TPM) to seal keys and sign states based on PCR (Platform Configuration Registers) values.

How it works:

  • In build_tree and commit_tree, checks PCRs (e.g., boot state).
  • Seals encryption keys only if system state matches expected.
  • Signs tree hashes.

Enabling:

  • Set tpm_tcti in Config (e.g., Tcti::Device("/dev/tpm0")).
  • Requires TPM 2.0 hardware/software.

Example:

use tss_esapi::tcti::Tcti;

let config = Config { tpm_tcti: Tcti::Device("/dev/tpm0".to_string()), /* ... */ };

Tip: For development, use Tcti::Tpmtis (simulator). PCR 7 is used by default for system integrity.

4. IMA (Integrity Measurement Architecture)

What it is: Kernel integrity subsystem for runtime integrity checks, using file hashes stored in extended attributes.

How it works:

  • Stores IMA labels in metadata.
  • Sets security.ima xattr in store_in_cas.

Enabling:

  • Set use_ima: true.
  • Requires kernel with IMA enabled.

Tip: Combine with FS-Verity for layered protection.

5. Other Security Practices

  • Deduplication Safety: Chunks are addressed by content hash, so a poisoned chunk cannot be substituted for a legitimate one.
  • Ownership/Permissions: Sets uid/gid/mode from metadata.
  • Delta Verification: Applies only trusted deltas.
  • Health Checks: Post-deploy script to validate integrity.

Tips for Secure Usage

  • Enable All: For high-security, set use_fsverity: true, use_ima: true, and use TPM.
  • Auditing: Query DB for verity hashes/signatures.
  • Threat Model: Protects against supply chain and runtime tampering; not full SELinux/AppArmor.
  • Testing: Simulate attacks by modifying CAS files—verity should detect.
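The two tips above (querying the DB for verity hashes, and tampering with CAS files to confirm detection) can be exercised without kernel support by recomputing the FS-Verity file digest in userspace and comparing it with the recorded value. The script below is an added example, not part of libfasttree; it assumes the default FS-Verity parameters (SHA-256, 4 KiB blocks, no salt) and a constructed in-memory stand-in for the CAS and its DB.

```python
"""Userspace recomputation of FS-Verity file digests for auditing a CAS (added example)."""
import hashlib
import struct

BLOCK_SIZE = 4096                   # log_blocksize 12, the FS-Verity default
HASH_LEN = 32                       # SHA-256 output length
PER_BLOCK = BLOCK_SIZE // HASH_LEN  # 128 child hashes per Merkle tree block


def _pad(block: bytes) -> bytes:
    """Zero-pad a partial data or tree block to the full block size."""
    return block + b"\0" * (BLOCK_SIZE - len(block))


def merkle_root(data: bytes) -> bytes:
    """Merkle root as FS-Verity defines it: SHA-256 over zero-padded data
    blocks, then 128 hashes per tree block up to a single top block.
    An empty file has an all-zero root; a file of at most one block has
    a tree with no levels, so the root is the hash of that one block."""
    if not data:
        return b"\0" * HASH_LEN
    level = [hashlib.sha256(_pad(data[i:i + BLOCK_SIZE])).digest()
             for i in range(0, len(data), BLOCK_SIZE)]
    while len(level) > 1:
        level = [hashlib.sha256(_pad(b"".join(level[i:i + PER_BLOCK]))).digest()
                 for i in range(0, len(level), PER_BLOCK)]
    return level[0]


def fsverity_digest(data: bytes) -> str:
    """The file digest FS-Verity reports: SHA-256 of the 256-byte
    fsverity_descriptor (version 1, hash_algorithm 1 = SHA-256)."""
    # version, hash_algorithm, log_blocksize, salt_size, reserved u32, data_size u64
    desc = struct.pack("<BBBBIQ", 1, 1, 12, 0, 0, len(data))
    desc += merkle_root(data).ljust(64, b"\0")  # root_hash[64]
    desc += b"\0" * 32                           # salt[32] (unused)
    desc += b"\0" * 144                          # reserved, must be zero
    assert len(desc) == 256
    return hashlib.sha256(desc).hexdigest()


def audit_cas(objects: dict, recorded: dict) -> list:
    """Object ids whose recomputed digest differs from the recorded one
    (an object with no record at all is also reported)."""
    return sorted(oid for oid, blob in objects.items()
                  if recorded.get(oid) != fsverity_digest(blob))


if __name__ == "__main__":
    # Constructed sample: two CAS objects and the digests recorded at store time.
    objects = {"obj-a": b"A" * 5000, "obj-b": b"hello libfasttree\n"}
    recorded = {oid: fsverity_digest(blob) for oid, blob in objects.items()}
    objects["obj-b"] = b"hello libfasttrex\n"   # simulate offline tampering of one byte
    print(audit_cas(objects, recorded))        # ['obj-b']
```

On a real system, compare the recomputed value with what the kernel reports for the same file (fsverity measure, or FS_IOC_MEASURE_VERITY) and with the hash stored in the DB.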

For efficiency features that complement security, see Storage Efficiency.
