Latest revision as of 22:48, 13 March 2025
Debuginfod IMA Verification By Default
Summary
Enable client-side cryptographic verification of Debuginfod auto-downloaded debugging information and source code by default.
Owner
- Name: Frank Ch. Eigler
- Email: <fche@redhat.com>
Current status
- Targeted release: Fedora Linux 43
- Last updated: 2025-03-13
- [<link to devel-announce post will be added by Wrangler> Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Fedora's Debuginfod clients and servers can take advantage of signed RPMs to provide and verify the cryptographic integrity of the debuginfo and source code files made available to clients.
Upstream elfutils has contained all the necessary logic since version 0.192. The Fedora debuginfod servers have made this IMA signature information available for approximately all RPMs in Fedora 39+. Only client-side configuration is needed to activate verification.
Activating this requires changing the value of the $DEBUGINFOD_URLS environment variable. This variable is constructed from the files in /etc/debuginfod/*.url. The concrete proposal is to replace the contents of the /etc/debuginfod/elfutils.urls file, provided by the elfutils-debuginfod-client subrpm, with the following value:
ima:enforcing https://debuginfod.fedoraproject.org ima:ignore
This will force cryptographic verification of files downloaded from that server and let the client reject any unverifiable files. The trailing "ima:ignore" part covers the situation where an end user naively appends additional debuginfod server URLs to the environment variable: we don't want to assert enforcing mode for those.
Feedback
This feature fills a gap identified back when Changes/DebuginfodByDefault arrived during F35.
Benefit to Fedora
The warm fuzzy feeling of more end-user-verifiable security over files they download from Fedora.
Scope
- Proposal owners: Adjustment to elfutils.spec
- Other developers: None
- Release engineering: None, except continuing to publish IMA key certificates in a timely & complete manner in fedora-gpg-keys into /etc/keys/ima/.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: ?
Upgrade/compatibility impact
None. With fedora-gpg-keys containing public key certificates for all recent Fedoras, debugging older or newer binaries should also work fine.
How To Test
Set the $DEBUGINFOD_URLS environment variable by hand, or edit the /etc/debuginfod/*.url file(s), to add ima:enforcing in the proper place.
For more diagnostics, set $DEBUGINFOD_VERBOSE to 1.
Use debuginfod-find -v debuginfo $BINARY. Observe successful download.
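The following script is an added example, not part of this Change proposal or of elfutils itself. It illustrates the two things the Detailed Description and the test step above rely on: how a $DEBUGINFOD_URLS value is assembled from a directory of *.urls files, and how an ima:enforcing or ima:ignore token governs the server URLs that follow it, so that an appended local server does not inherit enforcing mode. The directory, the file contents, the second server URL and the helper function names are constructed for the example; the ordering rule (a token applies to the URLs after it) is the one the proposal's trailing "ima:ignore" depends on.

```shell
#!/bin/sh
# Added example: assemble a DEBUGINFOD_URLS value from *.urls files and show
# which IMA policy is in effect for each server URL.  Not elfutils code.

# Join every *.urls file in the given directory into one space-separated
# value, the way a login profile would build $DEBUGINFOD_URLS from
# /etc/debuginfod/*.urls.  Whitespace and newlines inside a file are
# collapsed to single spaces.
assemble_debuginfod_urls() {
    dir=$1
    out=""
    for f in "$dir"/*.urls; do
        [ -f "$f" ] || continue
        # word-split the file contents (globbing disabled so a '?' in a
        # URL is not expanded) and re-join them with single spaces
        set -f; set -- $(cat "$f"); set +f
        [ $# -gt 0 ] || continue
        out="${out:+$out }$*"
    done
    printf '%s' "$out"
}

# Print "MODE URL" for each server URL in a DEBUGINFOD_URLS value.
# An ima:<mode> token sets the policy for every URL that follows it;
# URLs seen before any token keep the client's default, shown as "default".
# Only the two modes named in the proposal are recognised here; any other
# ima: token is reported as unknown rather than silently accepted.
debuginfod_url_policy() (
    set -f
    mode=default
    for tok in $1; do
        case $tok in
            ima:enforcing|ima:ignore) mode=${tok#ima:} ;;
            ima:*)                    mode="unknown(${tok#ima:})" ;;
            *)                        printf '%s %s\n' "$mode" "$tok" ;;
        esac
    done
)

# Demonstration on a constructed directory: the proposed elfutils.urls
# content plus a locally added server, as an end user might append.
demo_dir=$(mktemp -d)
printf 'ima:enforcing https://debuginfod.fedoraproject.org ima:ignore\n' \
    > "$demo_dir/elfutils.urls"
printf 'https://debuginfod.example.test\n' > "$demo_dir/local.urls"   # constructed
DEBUGINFOD_URLS=$(assemble_debuginfod_urls "$demo_dir")
echo "DEBUGINFOD_URLS=$DEBUGINFOD_URLS"
debuginfod_url_policy "$DEBUGINFOD_URLS"
rm -rf "$demo_dir"
```

Running it shows the Fedora server under enforcing mode and the appended local server under ignore mode, which is exactly the split the trailing token is meant to produce. Dropping the "ima:ignore" from elfutils.urls would make the local server inherit enforcing mode, and a server that publishes no IMA signatures would then have all of its files rejected.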
User Experience
Normally, no observable change at all, assuming that all RPMs distributed from koji continue to be built with IMA per-file signatures.
Should there be unsigned RPMs, or ones whose signatures become invalid due to storage or transmission errors, this will result in user tools treating the debuginfo as unavailable. There may be diagnostics printed. At that point, a user can in principle disable checking manually, download debuginfo by hand (e.g. via debuginfo-install), or grin and bear it.
Dependencies
The fedora-gpg-keys rpm contains the public key certificates against which the client verifies download signatures. The location of these certificates is a compiled-in default in the debuginfod client code (/etc/keys/ima), but may be changed with an environment variable.
Releng/koji need to keep building RPMs for present and future versions of Fedora with IMA signatures attached. Transitions between major-version signing keys should be okay, as long as the fedora-gpg-keys RPM (containing the certificates) gets updated in a timely manner.
Contingency Plan
- Contingency mechanism: Unroll the elfutils.spec change or hand-edit env. vars.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
Documentation
N/A (not a System Wide Change)
Release Notes
"The debuginfod client tools used to auto-download debuginfo & source code into tools like gdb now cryptographically verify the integrity of the downloaded files from the Fedora debuginfod server."