mirror of
https://github.com/torvalds/linux
synced 2024-10-16 16:29:20 +00:00
39 lines
1.5 KiB
Plaintext
39 lines
1.5 KiB
Plaintext
|
# SPDX-License-Identifier: GPL-2.0
|
||
|
|
||
|
config FS_VERITY
|
||
|
bool "FS Verity (read-only file-based authenticity protection)"
|
||
|
select CRYPTO
|
||
|
# SHA-256 is selected as it's intended to be the default hash algorithm.
|
||
|
# To avoid bloat, other wanted algorithms must be selected explicitly.
|
||
|
select CRYPTO_SHA256
|
||
|
help
|
||
|
This option enables fs-verity. fs-verity is the dm-verity
|
||
|
mechanism implemented at the file level. On supported
|
||
|
filesystems (currently EXT4 and F2FS), userspace can use an
|
||
|
ioctl to enable verity for a file, which causes the filesystem
|
||
|
to build a Merkle tree for the file. The filesystem will then
|
||
|
transparently verify any data read from the file against the
|
||
|
Merkle tree. The file is also made read-only.
|
||
|
|
||
|
This serves as an integrity check, but the availability of the
|
||
|
Merkle tree root hash also allows efficiently supporting
|
||
|
various use cases where normally the whole file would need to
|
||
|
be hashed at once, such as: (a) auditing (logging the file's
|
||
|
hash), or (b) authenticity verification (comparing the hash
|
||
|
against a known good value, e.g. from a digital signature).
|
||
|
|
||
|
fs-verity is especially useful on large files where not all
|
||
|
the contents may actually be needed. Also, fs-verity verifies
|
||
|
data each time it is paged back in, which provides better
|
||
|
protection against malicious disks vs. an ahead-of-time hash.
|
||
|
|
||
|
If unsure, say N.
|
||
|
|
||
|
config FS_VERITY_DEBUG
|
||
|
bool "FS Verity debugging"
|
||
|
depends on FS_VERITY
|
||
|
help
|
||
|
Enable debugging messages related to fs-verity by default.
|
||
|
|
||
|
Say N unless you are an fs-verity developer.
|