IMA support in bootc?

[miabbott]

rpm-ostree supported propagating IMA signatures from RPMs into the final ostree commit. And it looks like ostree-ext-rs had support for IMA, too.

Will bootc support the use of IMA signatures or will we just support composefs?

(I'm only about 56% that I am asking the question correctly, so please feel free to rephrase the question more accurately)

[cgwalters]

Will bootc support the use of IMA signatures

I think the summary of the current status quo is:

• If one injects the ima xattrs into the tar stream of the container images, that will be handled fine via bootc (though there are no tests of this upstream)
• Though having security.ima set via e.g. podman build is supported in theory since Record security.ima in container images containers/storage#657 there were a variety of followups and I'm not sure about testing of that (also ref Ignore security.ima xattrs containers/storage#1608 )

or will we just support composefs?

bootc isn't going to explicitly not support IMA to be clear - mechanically it appears as another extended attribute and we don't need to care about it. But composefs has much stronger security properties.