~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/fs/verity/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /fs/verity/Kconfig (Version linux-6.12-rc7) and /fs/verity/Kconfig (Version linux-5.19.17)


  1 # SPDX-License-Identifier: GPL-2.0                  1 # SPDX-License-Identifier: GPL-2.0
  2                                                     2 
  3 config FS_VERITY                                    3 config FS_VERITY
  4         bool "FS Verity (read-only file-based       4         bool "FS Verity (read-only file-based authenticity protection)"
  5         select CRYPTO                               5         select CRYPTO
  6         select CRYPTO_HASH_INFO                     6         select CRYPTO_HASH_INFO
  7         # SHA-256 is implied as it's intended       7         # SHA-256 is implied as it's intended to be the default hash algorithm.
  8         # To avoid bloat, other wanted algorit      8         # To avoid bloat, other wanted algorithms must be selected explicitly.
  9         # Note that CRYPTO_SHA256 denotes the       9         # Note that CRYPTO_SHA256 denotes the generic C implementation, but
 10         # some architectures provided optimize     10         # some architectures provided optimized implementations of the same
 11         # algorithm that may be used instead.      11         # algorithm that may be used instead. In this case, CRYPTO_SHA256 may
 12         # be omitted even if SHA-256 is being      12         # be omitted even if SHA-256 is being used.
 13         imply CRYPTO_SHA256                        13         imply CRYPTO_SHA256
 14         help                                       14         help
 15           This option enables fs-verity.  fs-v     15           This option enables fs-verity.  fs-verity is the dm-verity
 16           mechanism implemented at the file le     16           mechanism implemented at the file level.  On supported
 17           filesystems (currently ext4, f2fs, a !!  17           filesystems (currently EXT4 and F2FS), userspace can use an
 18           use an ioctl to enable verity for a  !!  18           ioctl to enable verity for a file, which causes the filesystem
 19           filesystem to build a Merkle tree fo !!  19           to build a Merkle tree for the file.  The filesystem will then
 20           will then transparently verify any d !!  20           transparently verify any data read from the file against the
 21           against the Merkle tree.  The file i !!  21           Merkle tree.  The file is also made read-only.
 22                                                    22 
 23           This serves as an integrity check, b     23           This serves as an integrity check, but the availability of the
 24           Merkle tree root hash also allows ef     24           Merkle tree root hash also allows efficiently supporting
 25           various use cases where normally the     25           various use cases where normally the whole file would need to
 26           be hashed at once, such as: (a) audi     26           be hashed at once, such as: (a) auditing (logging the file's
 27           hash), or (b) authenticity verificat     27           hash), or (b) authenticity verification (comparing the hash
 28           against a known good value, e.g. fro     28           against a known good value, e.g. from a digital signature).
 29                                                    29 
 30           fs-verity is especially useful on la     30           fs-verity is especially useful on large files where not all
 31           the contents may actually be needed.     31           the contents may actually be needed.  Also, fs-verity verifies
 32           data each time it is paged back in,      32           data each time it is paged back in, which provides better
 33           protection against malicious disks v     33           protection against malicious disks vs. an ahead-of-time hash.
 34                                                    34 
 35           If unsure, say N.                        35           If unsure, say N.
 36                                                    36 
                                                   >>  37 config FS_VERITY_DEBUG
                                                   >>  38         bool "FS Verity debugging"
                                                   >>  39         depends on FS_VERITY
                                                   >>  40         help
                                                   >>  41           Enable debugging messages related to fs-verity by default.
                                                   >>  42 
                                                   >>  43           Say N unless you are an fs-verity developer.
                                                   >>  44 
 37 config FS_VERITY_BUILTIN_SIGNATURES                45 config FS_VERITY_BUILTIN_SIGNATURES
 38         bool "FS Verity builtin signature supp     46         bool "FS Verity builtin signature support"
 39         depends on FS_VERITY                       47         depends on FS_VERITY
 40         select SYSTEM_DATA_VERIFICATION            48         select SYSTEM_DATA_VERIFICATION
 41         help                                       49         help
 42           This option adds support for in-kern !!  50           Support verifying signatures of verity files against the X.509
 43           fs-verity builtin signatures.        !!  51           certificates that have been loaded into the ".fs-verity"
                                                   >>  52           kernel keyring.
 44                                                    53 
 45           Please take great care before using  !!  54           This is meant as a relatively simple mechanism that can be
 46           the only way to do signatures with f !!  55           used to provide an authenticity guarantee for verity files, as
 47           alternatives (such as userspace sign !!  56           an alternative to IMA appraisal.  Userspace programs still
 48           IMA appraisal) can be much better.   !!  57           need to check that the verity bit is set in order to get an
 49           limitations of this feature, see     !!  58           authenticity guarantee.
 50           Documentation/filesystems/fsverity.r << 
 51                                                    59 
 52           If unsure, say N.                        60           If unsure, say N.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php