-
Welcome
-
Subscribe to
Distributing files with signatures
Session information has not yet been published for this event.
One Line Summary
Linux can enforce signature checking on all files and make sure only trusted software can be executed, but this requires that the file signatures be packaged, distributed, and installed together with the files. This BoF aims to bring together people working on package management systems to discuss the different methods of including file signatures in software packages.
Abstract
The Integrity Measurement Architecture (IMA), which can be configured to enforce signature checking on all files, can be leveraged to allow access to only unmodified software, installed from trusted sources. To achieve this goal on Linux will require distros and other software providers to sign not only their software packages, but the individual files included in these packages.
The purpose of this BoF is to bring together people working on package management systems of distros, to work out the issues preventing the adoption of file signature enforcement. Some issues we need to discuss are:
- How should the signing keys be distributed?
- What level of signing key granularity (e.g. per repo, per package, per package version) is needed.
— For example, if we can sign each version of each software with a different key, then we can revoke the certificate for a vulnerable version after a security update. This would prevent the execution of the vulnerable version, and the version rollback attack.
- How do we revoke certificates?
- How would the user manage the keys in the IMA keyring?
Tags
file signatures, ima-appraisal, distro package managers
Speakers
-
Stefan Berger
IBM ResearchBiography
Stefan Berger is a senior technical staff member working in the Secure Systems group at IBM Research.
-
Mehmet Kayaalp
IBM ResearchBiography
Mehmet Kayaalp is a postdoctoral researcher at IBM Research in Secure Systems Group. He received his PhD from Binghamton University, in the area of computer architecture and security.