Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

compose: support verified userspace #1883

Open
lucab opened this issue Aug 10, 2019 · 9 comments
Open

compose: support verified userspace #1883

lucab opened this issue Aug 10, 2019 · 9 comments

Comments

@lucab
Copy link
Member

@lucab lucab commented Aug 10, 2019

As an additional step in boot measurement, and in order to extend the chain of measurement to the userland, it would be interesting for rpm-ostree to attach IMA digests (i.e. security.ima xattr) to committed files.

In particular, it would be nice getting to a point where we are covering the individual files in initramfs. That should in theory allow us to bridge between a measuring bootloader and the real rootfs binaries (checked out from ostree).

I am not sure if appending xattrs would break some content integrity reference with RPM pristine content, plus some RPMs may already be coming with security.ima labeled files.
In that case, it could still be worth investigating labeling files that are not coming from RPMs, e.g. content injected via treefile postprocess.

@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Aug 23, 2019

it would be interesting for rpm-ostree to attach IMA digests (i.e. security.ima xattr) to committed files.

Yes! Thanks for filing this. I would love to investigate this (part of this should be libostree work).
I recently was following with great interest this thread and I want to watch the recordings when they become available.

I am not sure if appending xattrs would break some content integrity reference with RPM pristine content

Oh but we're going to intercept that anyways 😉

plus some RPMs may already be coming with security.ima labeled files.

Not in Fedora at least. Although I think IBM (main IMA sponsor?) was working on that, you can find patches on the rpm-maint list. But it's not relevant for us because librpm isn't involved in actually writing files.

@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Sep 13, 2019

@lucab I propose we move this to a fedora-coreos-tracker issue. I think it encompasses more things; it has an impact on the administrator experience beyond just rpm-ostree.

(Also, I think we should support "sealing" after Ignition has run - in true immutable infrastructure style, /etc would be read-only after that, and we'd try to strongly enforce it or so)

@lucab

This comment has been minimized.

Copy link
Member Author

@lucab lucab commented Sep 13, 2019

@cgwalters I'm fine to also have an umbrella issue in fcos-tracker to tie all the components and parts together. But I currently don't have all the required knowledge to see the whole picture, so I didn't open that (yet).

This ticket is just to scope the initial small step of "ensure that everything has a digest in xattr", either here or in libostree.

@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Oct 2, 2019

I recently was following with great interest this thread and I want to watch the recordings when they become available.

https://www.youtube.com/watch?v=EmEymlA5Q5Q
was quite interesting indeed!

@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Oct 15, 2019

@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Nov 11, 2019

I'm also investigating fs-verity, see:
ostreedev/ostree#1959

It has a number of advantages over IMA most notably:

  • Files are actually read-only even to CAP_SYS_ADMIN
  • Verifies file chunks rather than whole thing, meaning reduced startup latency and avoids "read amplification" for files that are only partially read
  • More modern crypto
@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Nov 11, 2019

However before we do anything like this I think we need to implement a basic "trusted boot" for FCOS that gets us into verified userspace so that we can have that userspace e.g. check fs-verity signatures. Most likely, I think what we should do is teach rpm-ostree how to optionally generate a combined kernel+initramfs image that is signed. See:

I think the systemd crew tested this in concert with sd-boot.

@cgwalters cgwalters changed the title compose: consider attaching IMA digest when committing files compose: support verified userspace Nov 17, 2019
@cgwalters

This comment has been minimized.

Copy link
Member

@cgwalters cgwalters commented Nov 25, 2019

Definitely some useful discussion in https://lwn.net/Articles/791863/ too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.