
Re: [PATCH v2] Support for PAX extended header and Linux extended attributes



Ian Jackson:
> Stefan Berger writes ("[PATCH v2] Support for PAX extended header and Linux extended attributes"):
>> The following patch adds support for the tar pax extended header to the tar
>> parser so that tar files with pax extended headers containing Linux extended
>> attributes can be processed by dpkg. Essentially the pax extended header
>> contains key value pairs that describe file attributes. More information
>> about the format can be found here:
> 
> Thanks for your mail.  NB that I do not speak for the dpkg maintainer
> in Debian, but:
> 
>> We are particularly interested in the security.ima extended attribute,
>> which, if available, contains a signature for the following file in the tar
>> and which we then write as a Linux extended attribute into the filesystem.
> 
> Can you explain some more what the use case for this is ?
> 
> Ian.
> 

Hi Ian,

The short version (that I gathered so far): The security.ima attribute
can be used to store a signed checksum of the binary/file.  The kernel
can validate said checksum before executing the file (using a public key
in its trust store).
  As such it is very useful for preventing malware / deliberate
replacement of files (provided the private key is not stored on the
system), as the attacker cannot sign the file.  This would be the case
if (e.g.) dak generated the signature and attached it to the deb before
putting the debs on the mirror.


See also:
  https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture

Thanks,
~Niels
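
An added example, not part of this thread or of the dpkg patch: a bounds-checked lookup of one key in a pax extended header body, the step a tar parser needs before it can write a signature into the security.ima attribute. The `SCHILY.xattr.` keyword prefix (the one GNU tar uses for extended attributes), the function name `pax_lookup` and the sample bytes are assumptions made for this sketch.

```c
#include <string.h>

/* Find `key` in a pax extended header body made of "LEN KEY=VALUE\n" records,
 * where LEN is the decimal size of the whole record (LEN and '\n' included).
 * Returns 1 and sets *val / *vlen if found, 0 if absent, -1 if malformed.
 * The value may be binary (a signature), so it is returned with a length. */
int pax_lookup(const char *buf, size_t len, const char *key,
               const char **val, size_t *vlen)
{
    size_t pos = 0, klen = strlen(key);
    int found = 0;
    while (pos < len) {
        size_t left = len - pos, rec = 0, i = pos;
        /* Parse LEN; refuse any value larger than what is left in buf. */
        while (i < len && buf[i] >= '0' && buf[i] <= '9') {
            if (rec > left / 10)
                return -1;
            rec = rec * 10 + (size_t)(buf[i++] - '0');
            if (rec > left)
                return -1;
        }
        if (i == pos || i >= len || buf[i++] != ' ')
            return -1;
        /* Need room for at least "=\n", and the record must end in '\n'. */
        if (rec < (i - pos) + 2 || buf[pos + rec - 1] != '\n')
            return -1;
        const char *k = buf + i, *end = buf + pos + rec - 1;
        const char *eq = memchr(k, '=', (size_t)(end - k));
        if (eq == NULL)
            return -1;
        if ((size_t)(eq - k) == klen && memcmp(k, key, klen) == 0) {
            *val = eq + 1;
            *vlen = (size_t)(end - (eq + 1));
            found = 1;      /* assumption: a later duplicate record wins */
        }
        pos += rec;
    }
    return found;
}

int main(void)
{
    /* Constructed sample: the 5 value bytes stand in for a real signature;
     * the SCHILY.xattr. prefix is assumed, the thread does not name the key. */
    static const char hdr[] = "12 path=a/b\n35 SCHILY.xattr.security.ima=\x03\x02SIG\n";
    const char *v; size_t n;
    return pax_lookup(hdr, sizeof hdr - 1, "SCHILY.xattr.security.ima", &v, &n) == 1 ? 0 : 1;
}
```

A caller should treat -1 as a reason to reject the archive member rather than install the file without its attribute.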


