Date:   Thu, 08 Dec 2022 10:43:01 +0000
From:   Luca Boccassi <>
To:     Eric Biggers <>,
        Jes Sorensen <>,
        Victor Hsieh <>
Subject: Re: [PATCH] fsverity: mark builtin signatures as deprecated

On Wed, 2022-12-07 at 19:35 -0800, Eric Biggers wrote:
> From: Eric Biggers <>
>
> fsverity builtin signatures, at least as currently implemented, are a
> mistake and should not be used.  They mix the authentication policy
> between the kernel and userspace, which is not a clean design and causes
> confusion.  For builtin signatures to actually provide any security
> benefit, userspace still has to enforce that specific files have
> fsverity enabled.  Since userspace needs to do this, a better design is
> to have that same userspace code do the signature check too.
>
> That allows better signature formats and algorithms to be used, avoiding
> in-kernel parsing of the notoriously bad PKCS#7 format.  It is also
> needed anyway when different keys need to be trusted for different
> files, or when it's desired to use fsverity for integrity-only or
> auditing on some files and for authenticity on other files.  Basically,
> the builtin signatures don't work for any nontrivial use case.
>
> (IMA appraisal is another alternative.  It goes in the opposite
> direction -- the full policy is moved into the kernel.)
>
> For these reasons, the master branch of AOSP no longer uses builtin
> signatures.  It still uses fsverity for some files, but signatures are
> verified in userspace when needed.
>
> None of the public uses of builtin signatures outside Android seem to
> have gotten going, either.  Support for builtin signatures was added to
> RPM.  However, was
> subsequently rejected from Fedora and seems to have been abandoned.
> There is also, which was
> never merged.  Neither proposal mentioned a plan to set
> fs.verity.require_signatures=1 and enforce that files have fs-verity
> enabled -- so, they would have had no security benefit on their own.
>
> I'd be glad to hear about any other users of builtin signatures that may
> exist, and help with the details of what should be used instead.
>
> Anyway, the feature can't simply be removed, due to the need to maintain
> backwards compatibility.  But let's at least make it clear that it's
> deprecated.  Update the documentation accordingly, and rename the
> kconfig option to CONFIG_FS_VERITY_DEPRECATED_BUILTINSIG.  Also remove
> the kconfig option from the s390 defconfigs, as it's unneeded there.


Thanks for starting this discussion, it's an interesting topic.

At MSFT we use fsverity in production, with signatures enforced by the
kernel (and policy enforced by the IPE LSM). It's just too easy to fool
userspace with well-timed swaps and who knows what else. This is not
any different from dm-verity from our POV; it complements it. I very
much want the kernel to be in charge of verification and validation, at
the time of use.

In essence, I very strongly object to marking this as deprecated. It is
entirely ok if at Google you want to move everything out of the kernel,
you know your use case best so if that works better for you that's
absolutely fine (and thus your other patch looks good to me), but I
don't think it should be deprecated for everybody else too.

Kind regards,
Luca Boccassi
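
The two messages above disagree on where the check should live. As an added illustration of the userspace design the patch description argues for (this is example code written for this page, not code from the thread, from AOSP, or from either author), the Go program below does the two things that description says userspace has to do anyway: verify a signature over a manifest with a key it trusts, and refuse any listed file unless fs-verity is actually enabled on it and the kernel-measured digest matches. The manifest line format, the Ed25519 key and the paths are assumptions made up for the example; the ioctl request number and struct layout are those of FS_IOC_MEASURE_VERITY in <linux/fsverity.h>, encoded for the generic ioctl bit layout (x86, arm64). The program measures the open fd and hands that same fd back, which is as far as userspace can go against a pathname swap between check and use; it does not give the kernel-side time-of-use enforcement the reply asks for, and it is the caller's key distribution, not a kernel keyring, that is the trust root here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
	"unsafe"
)

// FS_IOC_MEASURE_VERITY = _IOWR('f', 134, struct fsverity_digest): a 4-byte
// header (__u16 digest_algorithm, __u16 digest_size) precedes the digest, so
// the request encodes as 0xC0046686 (generic ioctl bit layout assumed).
const fsIocMeasureVerity = 0xC0046686

// Entry is one line of the hypothetical manifest: "<alg> <hex digest> <path>".
// alg uses the kernel's FS_VERITY_HASH_ALG_* numbering (1 = SHA-256).
type Entry struct {
	Path   string
	Alg    uint16
	Digest []byte
}

// measureVerity asks the kernel for the fs-verity digest of an already open fd.
// The ioctl fails with ENODATA when fs-verity is not enabled on the inode, so
// "verity must be enabled" is enforced by the same call. Little-endian assumed.
func measureVerity(fd uintptr) (uint16, []byte, error) {
	buf := make([]byte, 4+64)                  // header + room for a 64-byte digest
	binary.LittleEndian.PutUint16(buf[2:], 64) // digest_size: capacity on input
	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, fsIocMeasureVerity,
		uintptr(unsafe.Pointer(&buf[0])))
	if errno != 0 {
		return 0, nil, errno
	}
	n := binary.LittleEndian.Uint16(buf[2:]) // digest_size: actual length on output
	return binary.LittleEndian.Uint16(buf[0:]), buf[4 : 4+n], nil
}

// verifyManifest does the signature check in userspace with a key the caller
// trusts (Ed25519 here; any format would do), then parses the manifest. Which
// key may vouch for which files is therefore a userspace policy decision.
func verifyManifest(pub ed25519.PublicKey, data, sig []byte) (map[string]Entry, error) {
	if !ed25519.Verify(pub, data, sig) {
		return nil, errors.New("manifest signature does not verify")
	}
	m := make(map[string]Entry)
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		f := strings.SplitN(line, " ", 3)
		if len(f) != 3 {
			return nil, fmt.Errorf("bad manifest line %q", line)
		}
		alg, err1 := strconv.ParseUint(f[0], 10, 16)
		d, err2 := hex.DecodeString(f[1])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad manifest line %q", line)
		}
		m[f[2]] = Entry{Path: f[2], Alg: uint16(alg), Digest: d}
	}
	return m, nil
}

// openVerified enforces the userspace policy: the path must be listed, fs-verity
// must be enabled on it, and the kernel-measured digest must match. It returns
// the measured *os.File so reads go through the inode that was checked.
func openVerified(path string, m map[string]Entry) (*os.File, error) {
	want, ok := m[path]
	if !ok {
		return nil, fmt.Errorf("%s: not in signed manifest", path)
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	alg, got, err := measureVerity(f.Fd())
	if err != nil {
		f.Close()
		return nil, fmt.Errorf("%s: fs-verity digest unavailable: %w", path, err)
	}
	if alg != want.Alg || !bytes.Equal(got, want.Digest) {
		f.Close()
		return nil, fmt.Errorf("%s: digest does not match manifest", path)
	}
	return f, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key, not a real trust root
	data := []byte("1 " + strings.Repeat("ab", 32) + " /usr/bin/example\n") // constructed manifest
	if m, err := verifyManifest(pub, data, ed25519.Sign(priv, data)); err == nil {
		_, err = openVerified("/usr/bin/example", m)
		fmt.Println("open:", err) // refused unless that verity-enabled file exists
	}
}
```

Run on a host without the listed file, main prints a refusal, which is the point: with fs.verity.require_signatures left at 0 and no builtin signature, this manifest is the only policy, so a file that is not listed, not verity-enabled, or whose digest differs is never handed to the caller. Switching the hash or signature scheme is a change to this program, not to the kernel.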

