On Fri, 3 Dec 2021 at 17:09, Richard W.M. Jones <rjones(a)redhat.com> wrote:
> On Fri, Dec 03, 2021 at 06:08:49PM +0000, Davide Cavalca via devel wrote:
> > Broadly speaking, fs-verity makes it possible to ensure that files that
> > were installed via an RPM have not been modified. It is useful in
> > environments where an attacker might be able to modify system files
> > (say, replace /bin/ls with a compromised version) and you want to
> > protect against that. For example, consider an appliance-like system
> > placed in an untrusted location where you may not be able to control
> > who has physical access (this could be a server, but it could also be a
> > kiosk in an internet point or a school). In this scenario, fs-verity
> > can be one of the building blocks to ensure and maintain system trust.
> I'm unclear about the threat model - this is an attacker who is
> someone able to overwrite single files (eg. /bin/ls) but cannot turn
> off the fs-verity system as a whole?
> Also if RPM can update /bin/ls then surely an attacker who can widely
> compromise system files must also be able to update /bin/ls in the
> same way?
Or just pad /usr/bin/rpm with some null characters at the end to break
its signature and also stop updates from happening. [Or the fs-verity
daemon which will report that these problems are occurring. ]
--
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard
battle. -- Ian MacClaren
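A small Python reimplementation of the fs-verity file digest (SHA-256 Merkle root over 4 KiB blocks, then SHA-256 of the 256-byte fsverity_descriptor), added here as an illustration and not part of the thread; it follows the descriptor layout in the kernel's fsverity documentation as I recall it, assumes no salt, and should be checked against `fsverity digest` from fsverity-utils before being relied on. It shows why the null-padding case discussed above is caught: the descriptor commits to data_size, so appending bytes changes the digest even when the zero-padded last data block hashes to the same value.

```python
import hashlib
import struct

BLOCK_SIZE = 4096        # fs-verity default data/tree block size
DIGEST_SIZE = 32         # SHA-256 output length
HASH_ALG_SHA256 = 1      # FS_VERITY_HASH_ALG_SHA256
LOG_BLOCKSIZE = 12       # log2(BLOCK_SIZE)


def _hash_block(block: bytes) -> bytes:
    # Every data block and tree block is zero-padded to BLOCK_SIZE before hashing.
    return hashlib.sha256(block.ljust(BLOCK_SIZE, b"\0")).digest()


def _chunks(buf: bytes):
    return [buf[i:i + BLOCK_SIZE] for i in range(0, len(buf), BLOCK_SIZE)]


def merkle_root(data: bytes) -> bytes:
    """Root hash of the unsalted fs-verity Merkle tree over `data`."""
    if not data:
        return b"\0" * DIGEST_SIZE   # empty file: no tree, all-zero root hash
    level = [_hash_block(b) for b in _chunks(data)]        # leaf level
    while len(level) > 1:
        # Each higher level hashes blocks filled with the previous level's digests
        # (128 SHA-256 digests per 4 KiB block, last block zero-padded).
        level = [_hash_block(b) for b in _chunks(b"".join(level))]
    return level[0]


def fsverity_digest(data: bytes) -> bytes:
    """The fs-verity file digest: SHA-256 over the 256-byte fsverity_descriptor."""
    descriptor = struct.pack(
        "<BBBBIQ",
        1,                 # version
        HASH_ALG_SHA256,   # hash_algorithm
        LOG_BLOCKSIZE,     # log_blocksize
        0,                 # salt_size (no salt)
        0,                 # reserved (le32)
        len(data),         # data_size: the file length is part of the commitment
    )
    descriptor += merkle_root(data).ljust(64, b"\0")   # root_hash[64]
    descriptor += b"\0" * 32                           # salt[32], unused
    descriptor += b"\0" * 144                          # reserved, must be zero
    assert len(descriptor) == 256
    return hashlib.sha256(descriptor).digest()


def padding_changes_digest(data: bytes, pad: int = 16) -> bool:
    """True if appending `pad` NUL bytes (a constructed tamper case) alters the digest."""
    return fsverity_digest(data) != fsverity_digest(data + b"\0" * pad)
```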