Looking for help testing patch attestation
Konstantin Ryabitsev
konstantin at linuxfoundation.org
Wed Mar 18 16:36:56 UTC 2020
Hello, all:
I'm reaching out to you because you're a security-oriented mailing list
and would likely be among the folks most interested in end-to-end
cryptographic patch attestation features -- or, at least, you're likely
to be least indifferent about it. :)
In brief:
- the mechanism I propose uses an external mailing list for attestation
data, so list subscribers will see no changes to the mailing list
traffic at all (no proliferation of pgp signatures, extra junky
messages, etc)
- attestation can be submitted after the fact for patches/series that
were already sent to the list, so a maintainer can ask for attestation
to be provided post-fact before they apply the series to their git
tree
- a single attestation document is generated per series (or, in fact,
any collection of patches)
For technical details of the proposed scheme, please see the following
LWN article:
https://lwn.net/Articles/813646/
The proposal is still experimental and requires more real-life testing
before I feel comfortable inviting wider participation. This is why I am
approaching individual lists that are likely to show interest in this
idea.
If you are interested in participating, all you need to do is to install
the "b4" tool and start submitting and checking patch attestation.
Please see the following post for details:
https://people.kernel.org/monsieuricon/introducing-b4-and-patch-attestation
With any feedback, please email the tools at linux.kernel.org list in order
to minimize off-topic conversations on this list.
Thanks in advance,
--
Konstantin Ryabitsev
The Linux Foundation
More information about the Linux-security-module-archive
mailing list