docs: add dm-verity image layer signing #1335
Conversation
dallasd1
requested review from
NiazFK,
gokarnm,
priteshbandi,
rgnote,
shizhMSFT,
toddysm,
vaninrao10 and
yizha1
as code owners
There was a problem hiding this comment.
Thanks @dallasd1. LGTM. The proposal strengthens the secure supply chain by extending image integrity from image pull to runtime and offline scenario. We will need to create separate issues to track additional work, such as spec releated work including the Notation CLI specs, the new signature evenlope PKCS#7, the thread model.
You will need to fix the DCO and sign the comments. You can follow this guide https://github.com/notaryproject/.github/blob/main/CONTRIBUTING.md#commit
Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
Add perf metrics Comment on OCI format and multi-arch scenarios Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
dallasd1
force-pushed
the
dm-verity-proposal
branch
from
53be9dd to
b4efd40
Compare
FeynmanZhou
left a comment
FeynmanZhou
left a comment
There was a problem hiding this comment.
LGTM to make this proposal as the initial version. Thanks @dallasd1 .
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1335 +/- ##
==========================================
+ Coverage 77.00% 79.22% +2.21%
==========================================
Files 68 68
Lines 3853 3066 -787
==========================================
- Hits 2967 2429 -538
+ Misses 682 433 -249
Partials 204 204 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Hi @NiazFK @vaninrao10 @priteshbandi @rgnote @gokarnm Would you mind take a look at this PR? Thanks. |
|
Really looking forward to runtime integrity verification support! |
|
LGTM! This will be a great add. |
This proposal discusses adding per-layer container image signing using the PKCS#7 format. This will enable signing individual container image layers that are later verified by the kernel at runtime. Runtime verification also depends on milestone 1 of this [RFC for code integrity](containerd/containerd#12081) in containerd. At the time of writing, milestone 1.2 is in PR review and milestone 1.3 remains. --------- Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
6 participants
This proposal discusses adding per-layer container image signing using the PKCS#7 format. This will enable signing individual container image layers that are later verified by the kernel at runtime.
Runtime verification also depends on milestone 1 of this RFC for code integrity in containerd. At the time of writing, milestone 1.2 is in PR review and milestone 1.3 remains.