Eric Biggers | 671e67b | 2019-07-22 09:26:21 -0700

# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provide optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity. fs-verity is the dm-verity
	  mechanism implemented at the file level. On supported
	  filesystems (currently EXT4 and F2FS), userspace can use an
	  ioctl to enable verity for a file, which causes the filesystem
	  to build a Merkle tree for the file. The filesystem will then
	  transparently verify any data read from the file against the
	  Merkle tree. The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed. Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_DEBUG
	bool "FS Verity debugging"
	depends on FS_VERITY
	help
	  Enable debugging messages related to fs-verity by default.

	  Say N unless you are an fs-verity developer.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  Support verifying signatures of verity files against the X.509
	  certificates that have been loaded into the ".fs-verity"
	  kernel keyring.

	  This is meant as a relatively simple mechanism that can be
	  used to provide an authenticity guarantee for verity files, as
	  an alternative to IMA appraisal. Userspace programs still
	  need to check that the verity bit is set in order to get an
	  authenticity guarantee.

	  If unsure, say N.
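The FS_VERITY help text describes the filesystem building a Merkle tree over a file and checking every block read against it, so that only the blocks on one path through the tree need to be read to verify a single page. The following Python is an added example, not code from the kernel or this Kconfig: it models that tree with a constructed 64-byte block size (fs-verity defaults to 4096) and a simplified layout (no descriptor, salt, or on-disk format details), builds it over an in-memory file, and verifies one data block against the trusted root, rejecting both a tampered data block and a tampered tree block as a hostile disk might supply.

```python
import hashlib

# Constructed parameters: a tiny block size so a small in-memory "file" spans
# several tree levels. fs-verity itself defaults to 4096-byte blocks with
# SHA-256; this is a simplified model of its hash tree, not the on-disk format.
BLOCK_SIZE = 64
DIGEST_SIZE = hashlib.sha256().digest_size          # 32 bytes
PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE               # hashes held by one tree block

def hash_block(block: bytes) -> bytes:
    """Hash one block, zero-padded to BLOCK_SIZE as a short final block would be."""
    return hashlib.sha256(block.ljust(BLOCK_SIZE, b"\0")).digest()

def build_tree(data: bytes) -> list:
    """tree[0] holds blocks of data-block hashes, tree[k] holds blocks of
    tree[k-1] block hashes, and tree[-1] is the single top-level block."""
    if not data:
        raise ValueError("empty file: nothing to build a tree over")
    hashes = [hash_block(data[o:o + BLOCK_SIZE]) for o in range(0, len(data), BLOCK_SIZE)]
    tree = []
    while True:
        blocks = [b"".join(hashes[j:j + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
                  for j in range(0, len(hashes), PER_BLOCK)]
        tree.append(blocks)
        if len(blocks) == 1:
            return tree
        hashes = [hash_block(b) for b in blocks]

def root_hash(tree: list) -> bytes:
    """The trusted root: the hash of the single top-level tree block."""
    return hash_block(tree[-1][0])

def verify_block(i: int, block: bytes, tree: list, root: bytes) -> bool:
    """Check data block i against the root, reading only the tree blocks on its
    path; each tree block is verified against its parent before it is trusted."""
    expected = root
    for k in range(len(tree) - 1, -1, -1):             # top level down to level 0
        tree_block = tree[k][i // PER_BLOCK ** (k + 1)]
        if hash_block(tree_block) != expected:
            return False                                # tree block was altered
        pos = (i // PER_BLOCK ** k) % PER_BLOCK
        expected = tree_block[pos * DIGEST_SIZE:(pos + 1) * DIGEST_SIZE]
    return hash_block(block) == expected                # data block intact?

if __name__ == "__main__":
    data = bytes(range(256)) * 2                        # constructed 512-byte file
    tree = build_tree(data)
    print(verify_block(5, data[5 * BLOCK_SIZE:6 * BLOCK_SIZE], tree, root_hash(tree)))
```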