stefanberger
commented
3 years ago Putting this work on hold until the dust settles over there: https://github.com/opencontainers/image-spec/pull/775
Closed stefanberger closed 3 years ago
stefanberger
commented
3 years ago Putting this work on hold until the dust settles over there: https://github.com/opencontainers/image-spec/pull/775
This patch adds the computation of previous layers accumulated hashes on the encryption side and writes this computed hash into the private options of a layer. The private options will be encrypted then. On the decryption side it also performs the computations and, if the private options contain the previous layers' hash, which may not be the case for older images but will be the case for newer ones, it compares the expected hash against the computed one and errors if they don't match.
The previous layers' digest needs to be passed from one layer encrytion step to the next. The sequence must begin with the bottom-most layer getting sha256.Sum256(nil) passed so that no other layer can be slid underneath the bottom-most one.
This patch at least helps fulfill the requirement that previous layers cannot be manipulated assuming the attacker can access the registry but of course not manipulate the decryption code.
Signed-off-by: Stefan Berger stefanb@linux.ibm.com