Fedora "DIGLIM" Feature Proposal Drawing Mixed Reactions

Written by Michael Larabel in Fedora on 2 January 2022 at 05:47 AM EST.
A proposal for Fedora 36 is to implement Digest Lists Integrity Module "DIGLIM" functionality as an optional feature for effectively providing remote attestation and/or secure boot at the application level.

The DIGLIM feature proposal for Fedora is summed up as: "Digest Lists Integrity Module (DIGLIM) takes a different approach. It allows IMA to extend a PCR in a predictable way or to verify the authenticity of files by querying an in-kernel repository of authenticated reference values, built from information already available in existing packages (FILEDIGESTS section of the RPM header, with signature in the RSAHEADER section). Data source authentication does not require additional key management. With support for PGP keys in the kernel, the official Fedora PGP keys can be imported to the builtin keyring of the kernel and used to verify the PGP signature of the RPM headers...A modified kernel with the DIGLIM patches will expose to user space an interface to add/remove file digests from the kernel hash table. A user space parser, executed by the kernel during early boot, parses RPM headers found in /etc/diglim in the initial ram disk (included with a custom dracut script) and uploads them to the kernel. When a file is accessed, IMA calculates the file digest and queries it with DIGLIM. If the digest is found, measurement is skipped and appraisal is successful. If the digest is not found, a measurement of the file is performed and appraisal fails. When packages are installed or removed, the kernel hash table is kept synchronized with a new rpm plugin."
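A user-space model of the lookup rule quoted above, added here as an illustration; it is not code from the DIGLIM patches or the Fedora proposal. The class and function names, the reference counting, the SHA-256 extend and the sample file contents are assumptions made for the example.

```python
import hashlib
from collections import Counter

def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

class DigestRepo:
    """Toy model of the in-kernel hash table of reference digests."""
    def __init__(self):
        # Counted so a digest shared by two lists survives one removal (model's choice).
        self.refs = Counter()

    def add_list(self, digests):      # e.g. RPM header uploaded at boot or on install
        self.refs.update(digests)

    def remove_list(self, digests):   # e.g. package removed
        self.refs.subtract(digests)
        self.refs = +self.refs        # drop entries whose count fell to zero

    def has(self, digest: str) -> bool:
        return self.refs[digest] > 0

def pcr_extend(pcr: bytes, digest: str) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + bytes.fromhex(digest)).digest()

def access(repo, files, pcr=bytes(32)):
    """Apply the quoted rule to each (path, content) pair in access order."""
    log, appraisal = [], {}
    for path, content in files:
        d = file_digest(content)
        if repo.has(d):
            appraisal[path] = True    # found: measurement skipped, appraisal succeeds
        else:
            pcr = pcr_extend(pcr, d)  # not found: the file is measured ...
            log.append((path, d))
            appraisal[path] = False   # ... and appraisal fails
    return pcr, log, appraisal

# Constructed sample data (not real package contents).
TOOL, LIBX = ("/usr/bin/tool", b"tool v1"), ("/usr/lib64/libx.so", b"libx v1")
TAMPERED = ("/usr/bin/tool", b"tool v1, modified")
LOCAL = ("/opt/app/run", b"locally built")

def demo():
    repo = DigestRepo()
    repo.add_list([file_digest(TOOL[1]), file_digest(LIBX[1])])
    return access(repo, [TOOL, LIBX, LOCAL])
```

In this model the PCR changes only for files that are absent from the loaded lists, so the order in which known files are opened does not affect its value, and a locally built file fails appraisal until a list containing its digest is added.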

DIGLIM was previously proposed for Fedora as the IMA Digest Lists but was too invasive. DIGLIM can now work as a standalone module through a less involved process. The hope is that DIGLIM would bring greater integrity to Fedora and make it attestable, so that any tampering with its software is more easily detected.

See the feature proposal, which was raised by Huawei's Roberto Sassu.

While this feature can be optional, such as an installer option or a first-run choice, it has raised a mix of questions and some criticism. DIGLIM does allow loading user-provided lists and could be disabled, but concerns were raised that it would break, or otherwise involve extra work with, third-party software packages such as those commonly obtained from RPM Fusion, and that even locally built packages could cause problems. Ultimately it sounds like a feature that most personal desktop/workstation users, at least, would likely end up disabling as a burden. Another obstacle, given Fedora's policies, is that DIGLIM has yet to be mainlined. See the lengthy discussion happening on the Fedora mailing list.

We'll see where this DIGLIM feature proposal heads and whether it gets picked up for Fedora 36. Nevertheless, it is an interesting feature and worth digging into for those interested in trusted computing.