From Fedora Project Wiki
Revision as of 18:36, 2 January 2013

Package Signature Checking During Installation

Summary

One long-standing problem in Fedora is that we don't check package signatures during installation. This has been a persistent issue since the very beginning of Fedora (and even in Red Hat Linux before it). The reason has always been that there is no way to establish a root of trust for the signing keys shipped in the repositories: anyone able to tamper with a package could just as easily replace those keys and re-sign the modified package, so a signature check against them would prove nothing.

Following the implementation of Features/SecureBoot, we can use the Secure Boot keys as a root of trust provided by the hardware: our key files carry a signature that is verified against those keys, which guarantees that the keys come from the same source as the boot media.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 02-Jan-2013
  • Percentage of completion: 5%
Sub-task        Percent Complete  Owner   Notes
peverify        50                pjones  Needs to be finished.
fedora-release  0                 pjones  Two things here: 1) must be moved to the "secure-boot" koji channel; 2) must be modified to provide a signed set of keys.
anaconda        0                 pjones  Needs to detect that we're in a Secure Boot environment and, if so, enforce signature checking on keys and packages.

Benefit to Fedora

Allows verification of packages during installation.

Scope

See the table at https://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringInstall#Current_status

Test Plan

UEFI-capable systems with Secure Boot features are available from most vendors.

The test methodology is simple: enable Secure Boot, create a repository containing an unsigned package, and perform an installation that includes that package. The installation should fail.
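As an added illustration of the trust chain the Summary describes and the check this test plan exercises (example code, not Fedora's, anaconda's or peverify's own), the following Go model uses Ed25519 keys as a stand-in for the UEFI Secure Boot keys and PE signatures peverify would actually verify: a key bundle signed by the hardware root vouches for the package-signing key, and with Secure Boot enabled an unsigned or tampered package makes the install fail, while with it disabled today's behaviour is kept.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// KeyBundle models the signed key set fedora-release would ship: the package-signing key plus
// a root-of-trust signature over it. Ed25519 stands in for the UEFI/PE signatures peverify checks.
type KeyBundle struct {
	PackageKey ed25519.PublicKey
	Signature  []byte // root-key signature over PackageKey
}

type Package struct {
	Payload   string // constructed stand-in for the package contents
	Signature []byte // nil means the package is unsigned
}

var ErrUntrustedKeys = errors.New("key bundle is not signed by the Secure Boot root of trust")
var ErrPackage = errors.New("package is unsigned or its signature does not verify") // nil sig fails Verify too

// VerifyInstall applies the feature's policy: with Secure Boot enabled the key bundle must chain
// to the hardware root and every package must verify; with Secure Boot off, behaviour is as today.
func VerifyInstall(secureBoot bool, root ed25519.PublicKey, bundle KeyBundle, pkgs []Package) error {
	if !secureBoot {
		return nil
	}
	if !ed25519.Verify(root, bundle.PackageKey, bundle.Signature) {
		return ErrUntrustedKeys
	}
	for _, p := range pkgs {
		if !ed25519.Verify(bundle.PackageKey, []byte(p.Payload), p.Signature) {
			return ErrPackage
		}
	}
	return nil
}

// BuildChain creates a throwaway root key, a bundle signed by it, and a package signer using the
// bundled key (a stand-in for signing in the koji "secure-boot" channel; constructed for this example).
func BuildChain() (root ed25519.PublicKey, bundle KeyBundle, sign func(payload string) Package) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil rand means crypto/rand.Reader
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(nil)
	bundle = KeyBundle{PackageKey: pkgPub, Signature: ed25519.Sign(rootPriv, pkgPub)}
	sign = func(payload string) Package {
		return Package{Payload: payload, Signature: ed25519.Sign(pkgPriv, []byte(payload))}
	}
	return rootPub, bundle, sign
}
```

Real rpm signatures are GPG-based and the key-file signature would be checked by peverify against the firmware's Secure Boot database; only the policy decision is modelled here.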

User Experience

Largely the same as today in most cases.

Dependencies

  • peverify being trusted is probably dependent on vgoyal's work for kexec+secureboot.
  • "repo" in kickstart (pykickstart, anaconda) may change to specify an enforcement policy.
  • There may be additional work needed to add enforcement policy on a per-repo basis to repomd.xml.

Contingency Plan

  • Bump this to a later release.

Documentation

Release Notes

Probably should write one, yeah.

Comments and Discussion

  • See [[Talk:Features/PackageSignatureCheckingDuringInstall]]