tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / fs / verity / Kconfig
at master 49 lines 2.0 kB view raw
1# SPDX-License-Identifier: GPL-2.0 2 3config FS_VERITY 4 bool "FS Verity (read-only file-based authenticity protection)" 5 # Filesystems cache the Merkle tree at a 64K aligned offset in the 6 # pagecache. That approach assumes the page size is at most 64K. 7 depends on PAGE_SHIFT <= 16 8 select CRYPTO_HASH_INFO 9 select CRYPTO_LIB_SHA256 10 select CRYPTO_LIB_SHA512 11 help 12 This option enables fs-verity. fs-verity is the dm-verity 13 mechanism implemented at the file level. On supported 14 filesystems (currently ext4, f2fs, and btrfs), userspace can 15 use an ioctl to enable verity for a file, which causes the 16 filesystem to build a Merkle tree for the file. The filesystem 17 will then transparently verify any data read from the file 18 against the Merkle tree. The file is also made read-only. 19 20 This serves as an integrity check, but the availability of the 21 Merkle tree root hash also allows efficiently supporting 22 various use cases where normally the whole file would need to 23 be hashed at once, such as: (a) auditing (logging the file's 24 hash), or (b) authenticity verification (comparing the hash 25 against a known good value, e.g. from a digital signature). 26 27 fs-verity is especially useful on large files where not all 28 the contents may actually be needed. Also, fs-verity verifies 29 data each time it is paged back in, which provides better 30 protection against malicious disks vs. an ahead-of-time hash. 31 32 If unsure, say N. 33 34config FS_VERITY_BUILTIN_SIGNATURES 35 bool "FS Verity builtin signature support" 36 depends on FS_VERITY 37 select SYSTEM_DATA_VERIFICATION 38 help 39 This option adds support for in-kernel verification of 40 fs-verity builtin signatures. 41 42 Please take great care before using this feature. It is not 43 the only way to do signatures with fs-verity, and the 44 alternatives (such as userspace signature verification, and 45 IMA appraisal) can be much better. For details about the 46 limitations of this feature, see 47 Documentation/filesystems/fsverity.rst. 48 49 If unsure, say N.