fs-verity: support builtin file signatures To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com>

commit: 432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6 [log] [tgz]
author: Eric Biggers <ebiggers@google.com> Mon Jul 22 09:26:23 2019 -0700
committer: Eric Biggers <ebiggers@google.com> Mon Aug 12 19:33:50 2019 -0700
tree: cfcf57b2bb1fbdb1e9b5739f020b0311405363c0
parent: add890c9f9d2d1d79184ded72f23b37b164fc673 [diff] [blame]
diff --git a/fs/verity/verify.c b/fs/verity/verify.c
index 62ab8f6..3e8f2de 100644
--- a/fs/verity/verify.c
+++ b/fs/verity/verify.c

@@ -273,3 +273,9 @@ int __init fsverity_init_workqueue(void)
 		return -ENOMEM;
 	return 0;
 }
+
+void __init fsverity_exit_workqueue(void)
+{
+	destroy_workqueue(fsverity_read_workqueue);
+	fsverity_read_workqueue = NULL;
+}
commit	432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6	[log] [tgz]
author	Eric Biggers <ebiggers@google.com>	Mon Jul 22 09:26:23 2019 -0700
committer	Eric Biggers <ebiggers@google.com>	Mon Aug 12 19:33:50 2019 -0700
tree	cfcf57b2bb1fbdb1e9b5739f020b0311405363c0
parent	add890c9f9d2d1d79184ded72f23b37b164fc673 [diff] [blame]