F43 Change Proposal: Debuginfod IMA Verification By Default (self-contained)

Debuginfod IMA Verification By Default

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.


Summary

Enable client-side cryptographic verification of Debuginfod auto-downloaded debugging information and source code by default.

Owner

Detailed Description

Fedora’s Debuginfod clients and servers can take advantage of signed RPMs to provide and verify cryptographic integrity of debuginfo & source code files made available to clients.

Upstream elfutils has contained all the necessary logic since version 0.192. The Fedora debuginfod servers have made this IMA signature information available for approximately all RPMs in Fedora 39+. Only client-side configuration is needed to activate verification.

Activating this requires changing the value of the $DEBUGINFOD_URLS environment variable. This variable is constructed from the /etc/debuginfod/*.url files. The concrete proposal is to replace the contents of the /etc/debuginfod/elfutils.urls file, provided by the elfutils-debuginfod-client subrpm, with the following value:

ima:enforcing https://debuginfod.fedoraproject.org ima:ignore

This will force cryptographic verification of files downloaded from that server and let the client reject any unverifiable files. The trailing “ima:ignore” is for the situation where an end-user naively appends additional debuginfod server URLs to the environment variable: we don’t want to assert enforcing mode for those.
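To make the ordering semantics concrete, here is an added example (not part of the proposal or of elfutils) that walks a $DEBUGINFOD_URLS value in order and reports which IMA mode covers each server URL. It assumes only the two directives named above, ima:enforcing and ima:ignore; the appended second server URL is a constructed sample.

```shell
#!/bin/sh
# Added example, not elfutils code: report the IMA mode that applies to
# each server URL in a DEBUGINFOD_URLS value, honouring directive order.
# Assumption: a URL seen before any ima: directive is treated as "ignore".

ima_modes() {
    # $1: the space-separated DEBUGINFOD_URLS value
    mode="ignore"
    for tok in $1; do
        case "$tok" in
            ima:enforcing) mode="enforcing" ;;          # later URLs must verify
            ima:ignore)    mode="ignore" ;;             # later URLs are unchecked
            ima:*)         mode="unknown:${tok#ima:}" ;; # directive not covered here
            *)             printf '%s %s\n' "$mode" "$tok" ;;
        esac
    done
}

# How many server URLs in the value are covered by enforcing mode?
count_enforced() {
    ima_modes "$1" | grep -c '^enforcing '
}

# Proposed default, followed by a user-appended extra server
# (debuginfod.example.org is a constructed placeholder).
sample_urls='ima:enforcing https://debuginfod.fedoraproject.org ima:ignore https://debuginfod.example.org'

ima_modes "$sample_urls"
```

Running it shows the Fedora server under enforcing and the appended server under ignore, which is exactly the split the trailing directive is there to produce.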

Feedback

This feature fills a gap identified back when Changes/DebuginfodByDefault arrived during F35.

Benefit to Fedora

The warm fuzzy feeling of more end-user-verifiable security over files they download from Fedora.

Scope

  • Proposal owners: Adjustment to elfutils.spec
  • Other developers: None
  • Release engineering: None, except continuing to publish IMA key certificates in a timely & complete manner in fedora-gpg-keys into /etc/keys/ima/.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: ?

Upgrade/compatibility impact

None. With fedora-gpg-keys containing public key signatures for all recent Fedoras, debugging older or newer binaries should also work fine.

How To Test

Set the $DEBUGINFOD_URLS environment variable by hand, or edit the /etc/debuginfod/*.url file(s), to add ima:enforcing in the proper place.

For more diagnostics, set $DEBUGINFOD_VERBOSE to 1.

Use debuginfod-find -v debuginfo $BINARY. Observe successful download.

User Experience

Normally, no observable change at all, assuming that all RPMs distributed from koji continue to be built with IMA per-file signatures.

Should there be unsigned RPMs, or ones whose signatures become invalid due to storage or transmission errors, this will result in user tools treating the debuginfo as unavailable. There may be diagnostics printed. At that point, a user can in principle disable checking manually, download debuginfo by hand (e.g. via debuginfo-install), or grin and bear it.

Dependencies

The fedora-gpg-keys rpm contains the public key certificates against which the client verifies download signatures. The location of these certificates (/etc/keys/ima) is a default compiled into the debuginfod client code, but it may be changed with an environment variable.

Releng/koji need to keep building RPMs for present / future versions of Fedora with IMA signatures attached. Transitions between major-version signing keys should be okay, as long as the fedora-gpg-keys RPM (containing the certificates) gets updated in a timely manner.

Contingency Plan

  • Contingency mechanism: Unroll the elfutils.spec change or hand-edit env. vars.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

N/A (not a System Wide Change)

Release Notes

“The debuginfod client tools used to auto-download debuginfo & source code into tools like gdb now cryptographically verify the integrity of the downloaded files from the Fedora debuginfod server.”

Last edited by @amoloney 2025-03-19T18:13:24Z

This looks pretty good to me. Is it worth adding a comment (assuming they are allowed) to explain what the ima parts of that mean? Since you specifically mentioned the ima:ignore at the end possibly confusing people. A comment might help.

A comment where? Can elaborate in the Changes wiki page. The .url file doesn’t take comments unfortunately. The man debuginfod-client-config (and others) describe the options in more detail.

Ah, I was hoping the .url file could have comments in it. ;(
Too bad.

I suppose the package could put a /etc/debuginfod/README file in there. But /etc/profile.d/debuginfod.sh, which is the script that loads the .urls file, does xref to the man pages.

This change proposal has now been submitted to FESCo with ticket #3382 for voting.

To find out more, please visit our Changes Policy documentation.

Wouldn’t this break any third party debuginfod endpoints? I don’t know if we do this for COPR yet, but it would suck if that broke.

Neal, not sure break how. IMA enforcement is done by the client, for servers of its choice.

Nevermind, I misunderstood how the configuration works. The IMA verification only applies to files downloaded from the Fedora debuginfod server.

Yeah, that’s why the “ima:ignore” part is at the end of the proposed new default $DEBUGINFOD_URLS. Anything added after that is not ima-enforced (unless changed by another manual ima: directive).