Linux-FSCrypt Archive on
 help / color / Atom feed
From: Eric Biggers <>
To: Jes Sorensen <>
	Jes Sorensen <>
Subject: Re: [PATCH 0/7] Split fsverity-utils into a shared library
Date: Tue, 11 Feb 2020 11:22:09 -0800
Message-ID: <20200211192209.GA870@sol.localdomain> (raw)
In-Reply-To: <>

Hi Jes,

On Mon, Feb 10, 2020 at 07:00:30PM -0500, Jes Sorensen wrote:
> From: Jes Sorensen <>
> Hi,
> I am looking at what it will take to add support for fsverity
> signatures to rpm, similar to how rpm supports IMA signatures.
> In order to do so, it makes sense to split the fsverity util into a
> shared library and the command line tool, so the core functions can be
> used from other applciations. Alternatively I will have to copy over a
> good chunk of the code into rpm, which makes it nasty to support long
> term.
> This is a first stab at doing that, and I'd like to get some feedback
> on the approach.
> I basically split it into four functions:
> fsverity_cmd_gen_digest(): Build the digest, but do not sign it
> fsverity_cmd_sign():       Sign the digest structure
> fsverity_cmd_measure():    Measure a file, basically 'fsverity measure'
> fsverity_cmd_enable():     Enable verity on a file, basically 'fsverity enable'
> If we can agree on the approach, then I am happy to deal with the full
> libtoolification etc.

Before we do all this work, can you take a step back and explain the use case so
that we can be sure it's really worthwhile?

fsverity_cmd_enable() and fsverity_cmd_measure() would just be trivial wrappers
around the FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY ioctls, so they don't
need a library.  [Aside: I'd suggest calling these fsverity_enable() and
fsverity_measure(), and leaving "cmd" for the command-line wrappers.] 

That leaves signing as the only real point of the library.  But do you actually
need to be able to *sign* the files via the rpm binary, or do you just need to
be able to install already-created signatures?  I.e., can the signatures instead
just be created with 'fsverity sign' when building the RPMs?

Separately, before you start building something around fs-verity's builtin
signature verification support, have you also considered adding support for
fs-verity to IMA?  I.e., using the fs-verity hashing mechanism with the IMA
signature mechanism.  The IMA maintainer has been expressed interested in that.
If rpm already supports IMA signatures, maybe that way would be a better fit?

- Eric

  parent reply index

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-11  0:00 Jes Sorensen
2020-02-11  0:00 ` [PATCH 1/7] Build basic " Jes Sorensen
2020-02-11  0:00 ` [PATCH 2/7] Restructure fsverity_cmd_sign for shared libraries Jes Sorensen
2020-02-11  0:00 ` [PATCH 3/7] Make fsverity_cmd_measure() a library function Jes Sorensen
2020-02-11  0:00 ` [PATCH 4/7] Make fsverity_cmd_enable a library call() Jes Sorensen
2020-02-11  0:00 ` [PATCH 5/7] Rename commands.h to fsverity.h Jes Sorensen
2020-02-11  0:00 ` [PATCH 6/7] Move cmdline helper functions to fsverity.c Jes Sorensen
2020-02-11  0:00 ` [PATCH 7/7] cmd_sign: fsverity_cmd_sign() into two functions Jes Sorensen
2020-02-11 19:22 ` Eric Biggers [this message]
2020-02-11 22:09   ` [PATCH 0/7] Split fsverity-utils into a shared library Jes Sorensen
2020-02-11 23:14     ` Eric Biggers
2020-02-11 23:35       ` Jes Sorensen
2020-02-14 20:35         ` Eric Biggers
2020-02-19 23:49           ` Jes Sorensen
2020-07-30 17:52             ` Eric Biggers
2020-07-31 17:40               ` Jes Sorensen
2020-07-31 17:47                 ` Chris Mason
2020-07-31 19:14                   ` Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200211192209.GA870@sol.localdomain \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-FSCrypt Archive on

Archives are clonable:
	git clone --mirror linux-fscrypt/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fscrypt linux-fscrypt/ \
	public-inbox-index linux-fscrypt

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone