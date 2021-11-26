Adding fs-verity support for Fedora 36?
Fs-verity is a kernel feature that is supported by some filesystems; it provides a way to ensure that the contents of a file cannot change on disk. It revolves around a Merkle tree that is created for each file being protected; the tree contains hashes of each data block in the file. When a file is protected by fs-verity, it is marked as read-only and every read operation checks that the block read matches the value stored in the tree; the operation fails if there is no match. In addition, the tree itself can be cryptographically signed to ensure that nothing has been changed underneath the filesystem by, say, accessing the raw block device or image file.
Fedora program manager Ben Cotton posted the Fedora change proposal to add fs-verity support on behalf of the feature owners: Davide Cavalca, Boris Burkov, Filipe Brandenburger, Michel Alexandre Salim, and Matthew Almond. There are several elements to the plan. To start with, the Koji build system needs to be able to create and sign the Merkle tree for each file that gets shipped in the RPM package. The tree itself is not added to the RPM package, just the signed top-level hash for each file.
On the other end, an optional fs-verity RPM plugin would install the Fedora key and enable fs-verity for each file it installs. The filesystem would then recreate the Merkle tree, check it against the signature in the RPM metadata, and store the tree with the file. After that, each access to the file will be checked against the tree, which means that various kinds of operations (e.g. read(), mmap(), execve(), etc.) will only proceed if the data blocks on disk have not changed.
The proposal mainly focuses on the build side of the equation: "Specifically, installing and enabling the fs-verity rpm plugin by default is explicitly considered out of scope here." The overhead of creating the Merkle tree at installation time did not "appear to meaningfully slow down package installs during empirical testing", but there is some (unspecified) cost of creating the tree for every Koji build, of course. The Merkle tree is only stored if the RPM fs-verity plugin is enabled and adds roughly 1/127th (0.8%) to the size of the installed file. All RPMs would get additional metadata, in the form of signatures, if the proposal is adopted, but even that is fairly negligible: "in the vast majority of cases we expect to see minimal to no size increase thanks to RPM header packing".
