xref: /openbmc/linux/fs/verity/Kconfig (revision 671e67b4)
# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	# SHA-256 is selected as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	select CRYPTO_SHA256
	help
	  This option enables fs-verity.  fs-verity is the dm-verity
	  mechanism implemented at the file level.  On supported
	  filesystems (currently EXT4 and F2FS), userspace can use an
	  ioctl to enable verity for a file, which causes the filesystem
	  to build a Merkle tree for the file.  The filesystem will then
	  transparently verify any data read from the file against the
	  Merkle tree.  The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed.  Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_DEBUG
	bool "FS Verity debugging"
	depends on FS_VERITY
	help
	  Enable debugging messages related to fs-verity by default.

	  Say N unless you are an fs-verity developer.
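The FS_VERITY help text above explains why a Merkle tree, rather than a single whole-file hash, lets the filesystem verify each block as it is paged in without reading the rest of the file. The following is an added illustration, not code from the kernel's fs/verity implementation: it builds a tree of zero-padded SHA-256 hash blocks over a constructed "file", then verifies one data block against the root using only the hash blocks on its path. The block size and the number of hashes per hash block are constructed, deliberately tiny values (fs-verity uses the filesystem block size, typically 4096 bytes, and packs 4096/32 = 128 SHA-256 hashes per hash block), and the exact on-disk layout, the verity descriptor and the signature handling are not modelled.

```python
import hashlib

# Constructed demo parameters (assumption: not fs-verity's real sizes).
DATA_BLOCK_SIZE = 32      # fs-verity: filesystem block size, typically 4096
HASHES_PER_BLOCK = 4      # fs-verity with SHA-256 and 4096-byte blocks: 128
HASH_LEN = 32             # SHA-256 digest length


def h(data: bytes) -> bytes:
    """SHA-256, the default fs-verity hash algorithm (CRYPTO_SHA256 above)."""
    return hashlib.sha256(data).digest()


def data_blocks(data: bytes):
    """Split file contents into fixed-size blocks, zero-padding the last one."""
    blocks = [data[i:i + DATA_BLOCK_SIZE]
              for i in range(0, len(data), DATA_BLOCK_SIZE)] or [b""]
    blocks[-1] = blocks[-1].ljust(DATA_BLOCK_SIZE, b"\0")
    return blocks


def chunk_hashes(hashes):
    """Group node hashes into hash blocks of HASHES_PER_BLOCK entries.
    The final hash block is zero-padded, as fs-verity pads its hash blocks."""
    chunks = [hashes[i:i + HASHES_PER_BLOCK]
              for i in range(0, len(hashes), HASHES_PER_BLOCK)]
    for c in chunks:
        c.extend([b"\0" * HASH_LEN] * (HASHES_PER_BLOCK - len(c)))
    return chunks


def build_tree(data: bytes):
    """Return (root_hash, levels). levels[0] holds the data-block hashes grouped
    into hash blocks, levels[1] the hashes of those hash blocks, and so on up
    to the single hash block whose hash is the root."""
    level = [h(b) for b in data_blocks(data)]
    levels = []
    while len(level) > 1:
        chunks = chunk_hashes(level)
        levels.append(chunks)
        level = [h(b"".join(c)) for c in chunks]
    return level[0], levels


def proof_for_block(levels, index: int):
    """Collect, for one data block, the hash block at each level that covers it.
    This is the only part of the tree a verifier needs for that block."""
    proof = []
    for chunks in levels:
        proof.append(chunks[index // HASHES_PER_BLOCK])
        index //= HASHES_PER_BLOCK
    return proof


def verify_block(index: int, block: bytes, proof, root: bytes) -> bool:
    """Check one zero-padded data block against the trusted root hash.
    At each level the recomputed hash must appear at the block's slot in the
    covering hash block; the final recomputed hash must equal the root."""
    expected = h(block)
    for hash_block in proof:
        if hash_block[index % HASHES_PER_BLOCK] != expected:
            return False
        expected = h(b"".join(hash_block))
        index //= HASHES_PER_BLOCK
    return expected == root


def demo():
    """Constructed input: a 200-byte 'file'. Verify block 3 honestly, then with
    one flipped byte; return (honest_ok, tampered_ok, n_blocks, n_levels)."""
    data = bytes(range(200))
    root, levels = build_tree(data)
    blocks = data_blocks(data)
    proof = proof_for_block(levels, 3)
    honest = verify_block(3, blocks[3], proof, root)
    tampered = bytearray(blocks[3])
    tampered[0] ^= 0x01
    corrupted = verify_block(3, bytes(tampered), proof, root)
    return honest, corrupted, len(blocks), len(levels)


if __name__ == "__main__":
    print(demo())
```

The root hash is the value the help text refers to: it can be logged or compared against a signed reference once, after which any single block can be checked on demand, and a block that a malicious disk returns modified on a later read fails verification even though it passed earlier.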