WIP: Add computation and verification of previous layers' hashes #44
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stefanberger
force-pushed
the
previous_layer_hash
branch
2 times, most recently
from
bc18913
to
77249b3
Compare
|
Putting this work on hold until the dust settles over there: opencontainers/image-spec#775 |
stefanberger
force-pushed
the
previous_layer_hash
branch
3 times, most recently
from
52df4c8
to
22cb4e2
Compare
This patch adds the computation of previous layers accumulated hashes on the encryption side and writes this computed hash into the private options of a layer. The private options will be encrypted then. On the decryption side it also performs the computations and, if the private options contain the previous layers' hash, which may not be the case for older images but will be the case for newer ones, it compares the expected hash against the computed one and errors if they don't match. The previous layers' digest needs to be passed from one layer encrytion step to the next. The sequence must begin with the bottom-most layer using the result of GetInitalPreviousLayersDigest() so that no other layer can be 'slid' underneath the bottom-most one. This patch at least helps fulfill the requirement that previous layers cannot be manipulated assuming the attacker can access the registry but of course not manipulate the decryption code. Signed-off-by: Stefan Berger <[email protected]>
stefanberger
force-pushed
the
previous_layer_hash
branch
from
22cb4e2
to
3d7c41a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch adds the computation of previous layers accumulated hashes
on the encryption side and writes this computed hash into the private
options of a layer. The private options will be encrypted then. On the
decryption side it also performs the computations and, if the private
options contain the previous layers' hash, which may not be the case for
older images but will be the case for newer ones, it compares the expected
hash against the computed one and errors if they don't match.
The previous layers' digest needs to be passed from one layer encrytion
step to the next. The sequence must begin with the bottom-most layer
getting sha256.Sum256(nil) passed so that no other layer can be slid
underneath the bottom-most one.
This patch at least helps fulfill the requirement that previous layers
cannot be manipulated assuming the attacker can access the registry but
of course not manipulate the decryption code.
Signed-off-by: Stefan Berger [email protected]