# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provided optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity.  fs-verity is the dm-verity
	  mechanism implemented at the file level.  On supported
	  filesystems (currently EXT4 and F2FS), userspace can use an
	  ioctl to enable verity for a file, which causes the filesystem
	  to build a Merkle tree for the file.  The filesystem will then
	  transparently verify any data read from the file against the
	  Merkle tree.  The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed.  Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_DEBUG
	bool "FS Verity debugging"
	depends on FS_VERITY
	help
	  Enable debugging messages related to fs-verity by default.

	  Say N unless you are an fs-verity developer.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  Support verifying signatures of verity files against the X.509
	  certificates that have been loaded into the ".fs-verity"
	  kernel keyring.

	  This is meant as a relatively simple mechanism that can be
	  used to provide an authenticity guarantee for verity files, as
	  an alternative to IMA appraisal.  Userspace programs still
	  need to check that the verity bit is set in order to get an
	  authenticity guarantee.

	  If unsure, say N.
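
The FS_VERITY_BUILTIN_SIGNATURES help text says userspace still has to check that the verity bit is set. The following is an added example, not part of the kernel source, of one way to do that check with statx(2) on an already-open descriptor. The function names, the enum and the fail-closed policy are assumptions of this example; STATX_ATTR_VERITY is the kernel's UAPI flag.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* AT_EMPTY_PATH, syscall() */
#endif
#include <fcntl.h>
#include <linux/stat.h>        /* struct statx, STATX_ATTR_VERITY */
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef STATX_ATTR_VERITY      /* UAPI headers older than Linux 5.5 */
#define STATX_ATTR_VERITY 0x00100000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

enum verity_state { VERITY_ERROR = -1, VERITY_OFF, VERITY_ON, VERITY_UNKNOWN };

/* Interpret the statx attribute words. A clear bit means "not a verity file"
 * only when the filesystem reports the bit in attributes_mask; otherwise the
 * answer is unknown and the caller must not treat the file as protected. */
enum verity_state verity_state_from_attrs(unsigned long long mask,
                                          unsigned long long attrs)
{
    if (!(mask & STATX_ATTR_VERITY))
        return VERITY_UNKNOWN;
    return (attrs & STATX_ATTR_VERITY) ? VERITY_ON : VERITY_OFF;
}

/* Query the open descriptor itself (AT_EMPTY_PATH), so the file that was
 * checked is the same file that is read afterwards, not a re-resolved path. */
enum verity_state verity_state_of_fd(int fd)
{
    struct statx stx;

    if (syscall(SYS_statx, fd, "", AT_EMPTY_PATH, STATX_BASIC_STATS, &stx) != 0)
        return VERITY_ERROR;
    return verity_state_from_attrs(stx.stx_attributes_mask, stx.stx_attributes);
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return 2;
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    enum verity_state st = fd < 0 ? VERITY_ERROR : verity_state_of_fd(fd);
    printf("%s: %s\n", argv[1],
           st == VERITY_ON ? "verity bit set" : "verity bit not confirmed, refusing");
    /* Fail closed: only VERITY_ON lets the caller go on to read from fd. */
    return st == VERITY_ON ? 0 : 1;
}
```
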