Fedora 36 May Support FS-VERITY Integrity/Authenticity Verification For RPMs

Written by Michael Larabel in Fedora on 3 December 2021 at 12:00 AM EST. 7 Comments
Fedora 36 may support using the Linux kernel's fs-verity code for allowing some interesting integrity and authenticity use-cases around RPM packages.

The Linux kernel's fs-verity feature provides transparent integrity protection for read-only files on supported file-systems (ext4 and f2fs, joined by Btrfs in Linux 5.15). fs-verity builds a Merkle tree over a file's contents, stores the tree alongside the file, and from then on verifies every block against it as the block is read, so a modified or corrupted block fails the read instead of being returned. The tree root is folded into a fixed-size file digest that can be measured cheaply and, when signed, provides authenticity as well as integrity; on its own fs-verity only proves that the data still matches the tree built when it was enabled, so the signing step is where the RPM use-case gets its value. This allows detecting corrupted files, whether accidental or malicious, auditing installed files, and similar security use-cases.
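As an added worked example (this is not code from the article, the kernel, or the Fedora change), here is the fs-verity file digest computed in pure Python following the layout the kernel documents: SHA-256 over 4096-byte blocks, an optional salt prepended to each hashed block, and a 256-byte descriptor whose hash is the digest. The function names and the sample input are this example's own.

```python
"""Added example (not from the article, the kernel, or the Fedora change):
compute an fs-verity file digest in pure Python, following the layout the
kernel documents. Defaults match the kernel's: SHA-256 hashes, 4096-byte
blocks, no salt. All function names here are this example's own."""
import hashlib
import hmac
import struct

BLOCK_SIZE = 4096
LOG_BLOCK_SIZE = 12
HASH_ALG_SHA256 = 1      # FS_VERITY_HASH_ALG_SHA256
DIGEST_SIZE = 32


def _hash_block(block: bytes, salt: bytes) -> bytes:
    """Hash one data or tree block, zero-padded to a full block, with the salt in front."""
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()


def _chunks(buf: bytes):
    return [buf[i:i + BLOCK_SIZE] for i in range(0, len(buf), BLOCK_SIZE)]


def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Bottom-up Merkle tree: leaves are data-block hashes; each level above
    packs the hashes below into blocks (128 per block) and hashes those,
    until one hash is left. A file that fits in one block has no tree levels,
    and the kernel defines an empty file's root hash as all zeros."""
    if not data:
        return bytes(DIGEST_SIZE)
    level = [_hash_block(b, salt) for b in _chunks(data)]
    while len(level) > 1:
        level = [_hash_block(b, salt) for b in _chunks(b"".join(level))]
    return level[0]


def descriptor(data: bytes, salt: bytes = b"") -> bytes:
    """Serialize the 256-byte struct fsverity_descriptor (little-endian)."""
    if len(salt) > 32:
        raise ValueError("fs-verity salt is at most 32 bytes")
    return struct.pack("<BBBBIQ64s32s144s",
                       1, HASH_ALG_SHA256, LOG_BLOCK_SIZE, len(salt),
                       0,                        # reserved, must be 0
                       len(data),
                       merkle_root(data, salt),  # 32 bytes, zero-padded to 64
                       salt, b"")


def file_digest(data: bytes, salt: bytes = b"") -> bytes:
    """The fs-verity file digest: SHA-256 of the descriptor. This is the value
    `fsverity measure` prints and FS_IOC_MEASURE_VERITY returns, so it is what
    a package manager would record or sign per file."""
    return hashlib.sha256(descriptor(data, salt)).digest()


def formatted_digest(data: bytes, salt: bytes = b"") -> bytes:
    """struct fsverity_formatted_digest: the exact bytes a built-in fs-verity
    signature is made over (magic, algorithm id, digest length, digest)."""
    d = file_digest(data, salt)
    return struct.pack("<8sHH", b"FSVerity", HASH_ALG_SHA256, len(d)) + d


def matches(data: bytes, expected_digest: bytes, salt: bytes = b"") -> bool:
    """Constant-time comparison of a recomputed digest against a recorded one."""
    return hmac.compare_digest(file_digest(data, salt), expected_digest)


if __name__ == "__main__":
    # Constructed sample: a little over two blocks, like a small installed binary.
    sample = b"\x7fELF" + bytes(range(256)) * 32 + b"\0" * 100
    recorded = file_digest(sample)
    print("fs-verity digest:", recorded.hex())
    tampered = bytearray(sample)
    tampered[BLOCK_SIZE + 7] ^= 0x01          # flip one bit in the second block
    print("intact matches:  ", matches(sample, recorded))
    print("tampered matches:", matches(bytes(tampered), recorded))
```

The point to take from it: the digest is a function of the whole tree plus the descriptor fields (file size, block size, salt), so a signature over `formatted_digest()` covers every byte of the file without the verifier having to hash the entire file up front; the kernel checks blocks lazily as they are read.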

A set of Facebook engineers are leading the charge to enable using fs-verity for validating installed RPM files. The change would be transparent to users: the additional verification is active only when the fs-verity RPM plug-in is installed.

This change proposal lays out the Facebook/Meta-led hopes for fs-verity RPM support in next spring's Fedora 36 release. The change still needs to be evaluated by the Fedora Engineering Steering Committee (FESCo).

The change is interesting from a security perspective, but it comes with costs: generating a Merkle tree for every installed file, the signature overhead, and so on. We'll see whether FESCo approves it and, if so, what sort of uptake it gets in Fedora 36.

Fedora 36 is expected for release by the end of April.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.