mirror of
https://github.com/torvalds/linux.git
synced 2024-11-18 10:01:43 +00:00
432434c9f8
To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com>
56 lines
2.1 KiB
Plaintext
56 lines
2.1 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
|
|
config FS_VERITY
|
|
bool "FS Verity (read-only file-based authenticity protection)"
|
|
select CRYPTO
|
|
# SHA-256 is selected as it's intended to be the default hash algorithm.
|
|
# To avoid bloat, other wanted algorithms must be selected explicitly.
|
|
select CRYPTO_SHA256
|
|
help
|
|
This option enables fs-verity. fs-verity is the dm-verity
|
|
mechanism implemented at the file level. On supported
|
|
filesystems (currently EXT4 and F2FS), userspace can use an
|
|
ioctl to enable verity for a file, which causes the filesystem
|
|
to build a Merkle tree for the file. The filesystem will then
|
|
transparently verify any data read from the file against the
|
|
Merkle tree. The file is also made read-only.
|
|
|
|
This serves as an integrity check, but the availability of the
|
|
Merkle tree root hash also allows efficiently supporting
|
|
various use cases where normally the whole file would need to
|
|
be hashed at once, such as: (a) auditing (logging the file's
|
|
hash), or (b) authenticity verification (comparing the hash
|
|
against a known good value, e.g. from a digital signature).
|
|
|
|
fs-verity is especially useful on large files where not all
|
|
the contents may actually be needed. Also, fs-verity verifies
|
|
data each time it is paged back in, which provides better
|
|
protection against malicious disks vs. an ahead-of-time hash.
|
|
|
|
If unsure, say N.
|
|
|
|
config FS_VERITY_DEBUG
|
|
bool "FS Verity debugging"
|
|
depends on FS_VERITY
|
|
help
|
|
Enable debugging messages related to fs-verity by default.
|
|
|
|
Say N unless you are an fs-verity developer.
|
|
|
|
config FS_VERITY_BUILTIN_SIGNATURES
|
|
bool "FS Verity builtin signature support"
|
|
depends on FS_VERITY
|
|
select SYSTEM_DATA_VERIFICATION
|
|
help
|
|
Support verifying signatures of verity files against the X.509
|
|
certificates that have been loaded into the ".fs-verity"
|
|
kernel keyring.
|
|
|
|
This is meant as a relatively simple mechanism that can be
|
|
used to provide an authenticity guarantee for verity files, as
|
|
an alternative to IMA appraisal. Userspace programs still
|
|
need to check that the verity bit is set in order to get an
|
|
authenticity guarantee.
|
|
|
|
If unsure, say N.
|