On Wed, Dec 15, 2021 at 09:27:42AM +0000, Roberto Sassu via devel wrote:
Hello everyone
I have done some work in the integrity subsystem, called Digest Lists Integrity Module (DIGLIM).
It simplifies the effort necessary to do IMA appraisal, by reusing the digests included in the header of existing RPM packages as reference values. It wouldn't require any change in the building infrastructure.
It also provides an alternative way of attesting systems, by keeping the TPM PCR extended with software measurements, stable and predictable. The main benefit is the ability to seal a TPM key to the desired software configuration, so that a TLS secure communication can be established when only software from installed RPMs is executed. It would be possible to integrate this solution in Keylime.
I have proposed this feature for upstream inclusion:
https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sass...
I also rebuilt the Fedora kernel in copr, with DIGLIM:
https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM/
You can find the instructions about how to use it here:
https://lore.kernel.org/linux-integrity/48cd737c504d45208377daa27d625531@hua...
I would like to join one of your subgroups, for example fedora-contributor, so that I can propose a new feature for Fedora 36/37.
You don't need any particular group membership to propose changes. :) https://docs.fedoraproject.org/en-US/program_management/changes_policy/
Of course being a fedora packager is useful if your change involves updates/changes to packages, but you could submit them as PR's and convince existing maintainers to merge them.
kevin