# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based
	select CRYPTO
	select CRYPTO_HASH_INFO
	# SHA-256 is implied as it's intended
	# To avoid bloat, other wanted algorit
	# Note that CRYPTO_SHA256 denotes the
	# some architectures provided optimize
	# algorithm that may be used instead.
	# be omitted even if SHA-256 is being
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity. fs-v
	  mechanism implemented at the file le
	  filesystems (currently ext4, f2fs, a
	  use an ioctl to enable verity for a
	  filesystem to build a Merkle tree fo
	  will then transparently verify any d
	  against the Merkle tree. The file i

	  This serves as an integrity check, b
	  Merkle tree root hash also allows ef
	  various use cases where normally the
	  be hashed at once, such as: (a) audi
	  hash), or (b) authenticity verificat
	  against a known good value, e.g. fro

	  fs-verity is especially useful on la
	  the contents may actually be needed.
	  data each time it is paged back in,
	  protection against malicious disks v

	  If unsure, say N.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature supp
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  This option adds support for in-kern
	  fs-verity builtin signatures.

	  Please take great care before using
	  the only way to do signatures with f
	  alternatives (such as userspace sign
	  IMA appraisal) can be much better.
	  limitations of this feature, see
	  Documentation/filesystems/fsverity.r

	  If unsure, say N.
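The help text above describes building a Merkle tree over a file and verifying data read from it against that tree. The following is an added userspace model of that check, not kernel code and not part of this file; it assumes SHA-256, 4096-byte blocks and no salt, and the function names are hypothetical.

```python
import hashlib

BLOCK = 4096                      # assumed block size (not stated on the page)
HASHES_PER_BLOCK = BLOCK // 32    # 128 SHA-256 digests fit in one hash block

def hash_block(block: bytes) -> bytes:
    """SHA-256 of a block zero-padded to BLOCK bytes."""
    return hashlib.sha256(block.ljust(BLOCK, b"\0")).digest()

def build_tree(data: bytes):
    """Return (root_hash, levels); levels[0] holds one digest per data block."""
    if not data:
        return bytes(32), []      # empty file: all-zero root, no tree
    level = [hash_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    levels = [level]
    while len(level) > 1:
        # Pack digests into hash blocks, then hash each block for the next level.
        level = [hash_block(b"".join(level[i:i + HASHES_PER_BLOCK]))
                 for i in range(0, len(level), HASHES_PER_BLOCK)]
        levels.append(level)
    return level[0], levels

def verify_block(index: int, block: bytes, levels, root: bytes) -> bool:
    """Check one data block against the trusted root.

    The stored levels are untrusted (same disk as the data); only `root` is
    trusted, so every hash block on the path to the root is re-hashed.
    """
    digest = hash_block(block)
    for depth, level in enumerate(levels):
        if index >= len(level) or level[index] != digest:
            return False
        if depth == len(levels) - 1:
            break
        start = index - index % HASHES_PER_BLOCK
        digest = hash_block(b"".join(level[start:start + HASHES_PER_BLOCK]))
        index //= HASHES_PER_BLOCK
    return digest == root

if __name__ == "__main__":
    # Constructed sample: a 300-block file, so the tree has three levels.
    data = b"".join(bytes([i % 251]) * BLOCK for i in range(300))
    root, levels = build_tree(data)
    good = data[200 * BLOCK:201 * BLOCK]
    bad = b"X" + good[1:]                       # one flipped byte on "disk"
    forged = [list(lv) for lv in levels]
    forged[0][200] = hash_block(bad)            # attacker also rewrites the leaf hash
    print("root:", root.hex())
    print("clean read:", verify_block(200, good, levels, root))
    print("tampered data:", verify_block(200, bad, levels, root))
    print("tampered data + leaf hash:", verify_block(200, bad, forged, root))
```

Checking one block touches only the hash blocks on its path to the root, which is why a read does not require hashing the whole file.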