Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
1# SPDX-License-Identifier: GPL-2.0
2
3config FS_VERITY
4 bool "FS Verity (read-only file-based authenticity protection)"
5 select CRYPTO_HASH_INFO
6 select CRYPTO_LIB_SHA256
7 select CRYPTO_LIB_SHA512
8 help
9 This option enables fs-verity. fs-verity is the dm-verity
10 mechanism implemented at the file level. On supported
11 filesystems (currently ext4, f2fs, and btrfs), userspace can
12 use an ioctl to enable verity for a file, which causes the
13 filesystem to build a Merkle tree for the file. The filesystem
14 will then transparently verify any data read from the file
15 against the Merkle tree. The file is also made read-only.
16
17 This serves as an integrity check, but the availability of the
18 Merkle tree root hash also allows efficiently supporting
19 various use cases where normally the whole file would need to
20 be hashed at once, such as: (a) auditing (logging the file's
21 hash), or (b) authenticity verification (comparing the hash
22 against a known good value, e.g. from a digital signature).
23
24 fs-verity is especially useful on large files where not all
25 the contents may actually be needed. Also, fs-verity verifies
26 data each time it is paged back in, which provides better
27 protection against malicious disks vs. an ahead-of-time hash.
28
29 If unsure, say N.
30
31config FS_VERITY_BUILTIN_SIGNATURES
32 bool "FS Verity builtin signature support"
33 depends on FS_VERITY
34 select SYSTEM_DATA_VERIFICATION
35 help
36 This option adds support for in-kernel verification of
37 fs-verity builtin signatures.
38
39 Please take great care before using this feature. It is not
40 the only way to do signatures with fs-verity, and the
41 alternatives (such as userspace signature verification, and
42 IMA appraisal) can be much better. For details about the
43 limitations of this feature, see
44 Documentation/filesystems/fsverity.rst.
45
46 If unsure, say N.