-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support specifying deployment in ostree= kernel arg directly #3314
Comments
This is a check that has been there at least 10 years: I don't see any immediate issue with removing that check, but @cgwalters is the writer of that check and OSTree guru... |
If you're interested in UKIs, you are probably interested in verifying the rootfs as well, hence composefs. The design to track there is containers/composefs#332 In that model, each kernel is bound to the rootfs directly with no intermediates...we'd be in a world where there is no "deployment path" at all...and much less ostree stuff involved in general. There's still the stateroot stuff that's nice...but anyways this is all pretty high on our radar now so stay tuned for some updates! |
thank you! Isn't there also some work on IMA/EVM signing that could help verify OSTree commits? Tying that together with In the end, I reiterate my first question: is it okay to make the indirection optional in |
IMA is multiple things rolled into one. It is both a file integrity and policy enforcement mechanism. In contrast, composefs (and fsverity) are merely about file integrity.
It seems like it'd be a small patch for sure but I'd want a clearer design sketched out for how it'd be useful. In the end it's hard to avoid a "big bang" effect here because so many things interlock and tie together; or inversely stated incremental bits are hard. I would like the focus to be bootc (and composefs) for this stuff; not rpm-ostree or ostree. containers/bootc#806 is where I started to sketch some things out here. Around making the |
The idea of specifying a checkout is that from it, we know the commit hash, which means we have a basis for zero-trust checking from within the UKI -- we know the result, and if we then use Then, in much the same way as IMA/EVM itself, if we sign the hash, we've essentially signed the entire Merkle tree. In fact, with Because if I understand correctly, the boot hash is a product of the kernel+initrd, so we don't update the bootloader often. This leaves us with no guarantee as to whether the underlying checkout can be trusted, as this hash exists outside of the OStree object store. |
As for the recursion issue in #2877, one could imagine generating the UKI kinda like Nix would -- making a commit that contains the UKI, and the deployment commit hash (or a hard-reference to the deployment commit), which would allow us to ship UKI within the OStree architecture. Am I to understand that |
Finally, reading thru |
in the end, I'd be happy with #3291 instead, as this issue is more of a "hotfix" mindset whereas fully leaning into the |
In experimenting with system security and UKIs, I noticed that it is currently impossible to generate kargs to boot one specific deployment hash, with a kernel parameter such as
ostree=/ostree/deploy/fedora/deploy/xxxx.0
, asostree-prepare-root
complains about it not being a symbolic link.If I understand correctly, requiring the symbolic links is an arbitrary limitation:
ostree/src/switchroot/ostree-prepare-root.c
Lines 133 to 135 in 9ca8b46
Would it be possible to tolerate specifying a deployment path in
ostree=
, so as to "lock" a UKI to a specific commit as well?The text was updated successfully, but these errors were encountered: