# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	select CRYPTO_HASH_INFO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provide optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity. fs-verity is the dm-verity
	  mechanism implemented at the file level. On supported
	  filesystems (currently ext4, f2fs, and btrfs), userspace can
	  use an ioctl to enable verity for a file, which causes the
	  filesystem to build a Merkle tree for the file. The filesystem
	  will then transparently verify any data read from the file
	  against the Merkle tree. The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed. Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_DEBUG
	bool "FS Verity debugging"
	depends on FS_VERITY
	help
	  Enable debugging messages related to fs-verity by default.

	  Say N unless you are an fs-verity developer.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  Support verifying signatures of verity files against the X.509
	  certificates that have been loaded into the ".fs-verity"
	  kernel keyring.

	  This is meant as a relatively simple mechanism that can be
	  used to provide an authenticity guarantee for verity files, as
	  an alternative to IMA appraisal. Userspace programs still
	  need to check that the verity bit is set in order to get an
	  authenticity guarantee.

	  If unsure, say N.
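
Added example, not part of the kernel tree: a simplified Python model of the per-block Merkle tree check that the FS_VERITY help text describes, showing why one block of a large file can be verified against a trusted root hash without hashing the whole file. It assumes 4096-byte blocks, unsalted SHA-256 and an in-memory tree; `hash_block`, `build_tree`, `verify_block` and `sample_file` are hypothetical names, and this is not the kernel's on-disk format.

```python
import hashlib
import hmac

BLOCK = 4096                 # assumed Merkle tree block size
PER_BLOCK = BLOCK // 32      # SHA-256 digests that fit in one tree block

def hash_block(block: bytes) -> bytes:
    # Short blocks are zero-padded to a full block before hashing.
    return hashlib.sha256(block.ljust(BLOCK, b"\0")).digest()

def build_tree(data: bytes) -> list:
    """Return hash levels: levels[0] = data-block hashes, levels[-1] = [root]."""
    level = [hash_block(data[i:i + BLOCK])
             for i in range(0, max(len(data), 1), BLOCK)]
    levels = [level]
    while len(level) > 1:
        # Pack child hashes into tree blocks and hash each tree block.
        level = [hash_block(b"".join(level[i:i + PER_BLOCK]))
                 for i in range(0, len(level), PER_BLOCK)]
        levels.append(level)
    return levels

def verify_block(block: bytes, index: int, levels: list, trusted_root: bytes) -> bool:
    """Verify one data block using only the tree blocks on its path to the root.

    `levels` is untrusted (it is stored alongside the data); only
    `trusted_root` is trusted, e.g. because a signature covered it.
    """
    want = hash_block(block)
    for level in levels[:-1]:
        if level[index] != want:          # stored hash disagrees with the data
            return False
        start = index // PER_BLOCK * PER_BLOCK
        want = hash_block(b"".join(level[start:start + PER_BLOCK]))  # parent
        index //= PER_BLOCK
    return hmac.compare_digest(want, trusted_root)

def sample_file(n_blocks: int = 300) -> bytes:
    # Constructed sample data: 300 blocks, last one short, gives a 3-level tree.
    return b"".join(i.to_bytes(4, "little") * 1024 for i in range(n_blocks))[:-100]

if __name__ == "__main__":
    data = sample_file()
    levels = build_tree(data)
    root = levels[-1][0]
    blk = data[200 * BLOCK:201 * BLOCK]
    print("clean block:", verify_block(blk, 200, levels, root))
    print("tampered block:", verify_block(b"X" + blk[1:], 200, levels, root))
```

Rewriting the stored leaf hash to match a modified block does not help, because the parent tree block then no longer hashes to the value recorded one level up, and ultimately to the trusted root.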