Fedora "DIGLIM" Feature Proposal Drawing Mixed Reactions
A proposal for Fedora 36 would add Digest Lists Integrity Module "DIGLIM" functionality as an optional feature, effectively extending remote attestation and/or secure boot-style verification to the application level.
The DIGLIM feature proposal for Fedora is summed up as: "Digest Lists Integrity Module (DIGLIM) takes a different approach. It allows IMA to extend a PCR in a predictable way or to verify the authenticity of files by querying an in-kernel repository of authenticated reference values, built from information already available in existing packages (FILEDIGESTS section of the RPM header, with signature in the RSAHEADER section). Data source authentication does not require additional key management. With support for PGP keys in the kernel, the official Fedora PGP keys can be imported to the builtin keyring of the kernel and used to verify the PGP signature of the RPM headers...A modified kernel with the DIGLIM patches will expose to user space an interface to add/remove file digests from the kernel hash table. A user space parser, executed by the kernel during early boot, parses RPM headers found in /etc/diglim in the initial ram disk (included with a custom dracut script) and uploads them to the kernel. When a file is accessed, IMA calculates the file digest and queries it with DIGLIM. If the digest is found, measurement is skipped and appraisal is successful. If the digest is not found, a measurement of the file is performed and appraisal fails. When packages are installed or removed, the kernel hash table is kept synchronized with a new rpm plugin."
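To make the quoted flow concrete, here is an added Python model of it; this is illustrative code written for this article, not Fedora's or the DIGLIM project's code. It assumes a hypothetical package with made-up file contents, uses SHA-256 both for the file digests and for the simulated PCR, and leaves out the PGP verification of the RPM header and the real in-kernel hash table. What it does show is the "predictable PCR" property: with plain IMA measurement the PCR value depends on the order in which files happen to be accessed, while with a digest list measured once at boot the PCR is the same for any access order and can be predicted by a verifier from the package headers alone; a file whose digest is not in the list still gets measured and fails appraisal.

```python
import hashlib

# Constructed sample package contents (hypothetical paths and bytes, not real Fedora files).
PACKAGE_FILES = {
    "/usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "/usr/lib64/libfoo.so.1": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"fake-shared-object",
    "/etc/foo.conf": b"option = 1\n",
}


def file_digest(data):
    """Digest IMA would compute when a file is accessed (SHA-256, hex)."""
    return hashlib.sha256(data).hexdigest()


def build_digest_list(files):
    """Stand-in for the FILEDIGESTS values a parser would pull from an RPM header."""
    return {file_digest(content) for content in files.values()}


def digest_list_digest(digest_list):
    """Digest of the digest list itself, sorted so the value does not depend on
    insertion order. This is what gets measured instead of each individual file."""
    return hashlib.sha256("".join(sorted(digest_list)).encode()).hexdigest()


class ImaSim:
    """Minimal model of IMA's measurement list plus a single TPM PCR."""

    def __init__(self):
        self.pcr = bytes(32)   # PCR starts at all zeros
        self.log = []          # measurement list, digests in extend order

    def extend(self, digest_hex):
        # TPM extend operation: PCR_new = H(PCR_old || digest)
        self.pcr = hashlib.sha256(self.pcr + bytes.fromhex(digest_hex)).digest()
        self.log.append(digest_hex)


def boot_and_access(order, diglim=None, tamper=None):
    """Simulate one boot. If `diglim` (a set of hex digests) is given it is
    measured once at early boot; then files are accessed in `order`.
    `tamper` names one file whose content is modified before access.
    Returns (pcr_hex, {path: appraisal_passed})."""
    ima = ImaSim()
    if diglim is not None:
        ima.extend(digest_list_digest(diglim))
    results = {}
    for path in order:
        data = PACKAGE_FILES[path]
        if tamper == path:
            data += b"\n# injected\n"
        d = file_digest(data)
        if diglim is not None and d in diglim:
            results[path] = True      # digest known: measurement skipped, appraisal OK
        else:
            ima.extend(d)             # digest unknown (or plain IMA): measure the file
            results[path] = False     # under DIGLIM this also means appraisal fails
    return ima.pcr.hex(), results


def expected_pcr(diglim):
    """What a remote verifier can predict from the package headers alone."""
    ima = ImaSim()
    ima.extend(digest_list_digest(diglim))
    return ima.pcr.hex()


if __name__ == "__main__":
    order_a = list(PACKAGE_FILES)
    order_b = list(reversed(order_a))
    dl = build_digest_list(PACKAGE_FILES)
    print("plain IMA, order A :", boot_and_access(order_a)[0])
    print("plain IMA, order B :", boot_and_access(order_b)[0])
    print("DIGLIM,    order A :", boot_and_access(order_a, dl)[0])
    print("DIGLIM,    order B :", boot_and_access(order_b, dl)[0])
    print("verifier prediction:", expected_pcr(dl))
    print("tampered /usr/bin/hello:", boot_and_access(order_a, dl, tamper="/usr/bin/hello"))
```

The model deliberately keeps the measurement of the digest list itself, because that is what the attestation verifier checks; the price of predictability is that the verifier must trust the source of the list, which is why the real proposal leans on the PGP signature of the RPM header rather than on the list being loaded from the initramfs.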
DIGLIM was previously proposed for Fedora as "IMA Digest Lists" but that version was judged too invasive. DIGLIM can now work as a standalone module with a less involved integration. The hope is that DIGLIM would bring greater integrity to Fedora and make the system attestable, with any tampering of its software more easily detected.
See the feature proposal which was raised by Huawei's Roberto Sassu.
While this feature could be made optional, such as an installer option or a first-run choice, it has raised a mix of questions and some criticism. DIGLIM does allow loading user-provided digest lists and could be disabled, but concerns were raised that it would break, or at least involve extra work for, third-party packages such as those commonly obtained from RPM Fusion, and even locally built packages. Ultimately it sounds like a feature that most personal desktop/workstation users at least would likely end up disabling as a burden. That DIGLIM has yet to be mainlined is another obstacle, given Fedora's kernel policies. See the lengthy discussion happening on the Fedora mailing list.
We'll see where this DIGLIM feature proposal heads and whether it gets picked up for Fedora 36; nevertheless it is an interesting feature and something worth digging into for those interested in trusted computing.