linux-dev/fs/verity/Kconfig, branch masterLinux kernel development work - see feature brancheshttps://git.zx2c4.com/linux-dev/atom/fs/verity/Kconfig?h=master2022-07-16T06:42:30Zfs-verity: mention btrfs support2022-07-16T06:42:30ZEric Biggersebiggers@google.com2022-06-10T00:06:16Zurn:sha1:8da572c52a9be6d006bae290339c629fc6501910
btrfs supports fs-verity since Linux v5.15. Document this.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: David Sterba <dsterba@suse.com>
Link: https://lore.kernel.org/r/20220610000616.18225-1-ebiggers@kernel.org
fs-verity: define a function to return the integrity protected file digest2022-05-01T20:39:36ZMimi Zoharzohar@linux.ibm.com2021-11-23T18:37:52Zurn:sha1:246d921646c071b878480997c294db6c83215b06
Define a function named fsverity_get_digest() to return the verity file
digest and the associated hash algorithm (enum hash_algo).
This assumes that before calling fsverity_get_digest() the file must have
been opened, which is even true for the IMA measure/appraise on file
open policy rule use case (func=FILE_CHECK). do_open() calls vfs_open()
immediately prior to ima_file_check().
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
fsverity: relax build time dependency on CRYPTO_SHA2562021-04-22T07:31:32ZArd Biesheuvelardb@kernel.org2021-04-21T07:55:11Zurn:sha1:e3a606f2c544b231f6079c8c5fea451e772e1139
CONFIG_CRYPTO_SHA256 denotes the generic C implementation of the SHA-256
shash algorithm, which is selected as the default crypto shash provider
for fsverity. However, fsverity has no strict link time dependency, and
the same shash could be exposed by an optimized implementation, and arm64
has a number of those (scalar, NEON-based and one based on special crypto
instructions). In such cases, it makes little sense to require that the
generic C implementation is incorporated as well, given that it will never
be called.
To address this, relax the 'select' clause to 'imply' so that the generic
driver can be omitted from the build if desired.
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
fs-verity: support builtin file signatures2019-08-13T02:33:50ZEric Biggersebiggers@google.com2019-07-22T16:26:23Zurn:sha1:432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6
To meet some users' needs, add optional support for having fs-verity
handle a portion of the authentication policy in the kernel. An
".fs-verity" keyring is created to which X.509 certificates can be
added; then a sysctl 'fs.verity.require_signatures' can be set to cause
the kernel to enforce that all fs-verity files contain a signature of
their file measurement by a key in this keyring.
See the "Built-in signature verification" section of
Documentation/filesystems/fsverity.rst for the full documentation.
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
fs-verity: add Kconfig and the helper functions for hashing2019-07-28T23:59:16ZEric Biggersebiggers@google.com2019-07-22T16:26:21Zurn:sha1:671e67b47e9fffd12c8f69eda853a202cb5b3fc5
Add the beginnings of the fs/verity/ support layer, including the
Kconfig option and various helper functions for hashing. To start, only
SHA-256 is supported, but other hash algorithms can easily be added.
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>