Fedora 36 can support FS-VERITY integrity / authenticity checking for RPMs

0


[ad_1]

Fedora 36 can support the use of Linux kernel fs-verity code to enable interesting integrity and authenticity use cases around RPM packages.

The Linux kernel fs-verity module provides authenticity protection for read-only files to transparently verify their integrity and authenticity when those files are on supported file systems. FS-VERITY allows to create a Merkle tree for a given file and persist with the file and later the file can then be verified against that Merkle tree. This can help detect corrupted files, whether accidental or intentional, malicious in nature, file auditing, and other similar security use cases.

A set of engineers from Facebook are leading the charge to enable the use of fs-verity for validation of installed RPM files. The change would be transparent to users and only if installing the fs-verity RPM plug-in would the additional verification features be active.

This change proposal exposes Facebook / Meta’s hopes for fs-verity RPM support in the Fedora 36 release next spring. The change has yet to be assessed by Fedora’s engineering and steering committee.

The change is nice from a security perspective, but there are costs involved with regards to the generation of the Merkle tree, signing overhead, etc.

Fedora 36 is expected to be out by the end of April.

[ad_2]

Share.

Comments are closed.