1671e67b4SEric Biggers# SPDX-License-Identifier: GPL-2.0 2671e67b4SEric Biggers 3671e67b4SEric Biggersconfig FS_VERITY 4671e67b4SEric Biggers bool "FS Verity (read-only file-based authenticity protection)" 5671e67b4SEric Biggers select CRYPTO 6*e3a606f2SArd Biesheuvel # SHA-256 is implied as it's intended to be the default hash algorithm. 7671e67b4SEric Biggers # To avoid bloat, other wanted algorithms must be selected explicitly. 8*e3a606f2SArd Biesheuvel # Note that CRYPTO_SHA256 denotes the generic C implementation, but 9*e3a606f2SArd Biesheuvel # some architectures provided optimized implementations of the same 10*e3a606f2SArd Biesheuvel # algorithm that may be used instead. In this case, CRYPTO_SHA256 may 11*e3a606f2SArd Biesheuvel # be omitted even if SHA-256 is being used. 12*e3a606f2SArd Biesheuvel imply CRYPTO_SHA256 13671e67b4SEric Biggers help 14671e67b4SEric Biggers This option enables fs-verity. fs-verity is the dm-verity 15671e67b4SEric Biggers mechanism implemented at the file level. On supported 16671e67b4SEric Biggers filesystems (currently EXT4 and F2FS), userspace can use an 17671e67b4SEric Biggers ioctl to enable verity for a file, which causes the filesystem 18671e67b4SEric Biggers to build a Merkle tree for the file. The filesystem will then 19671e67b4SEric Biggers transparently verify any data read from the file against the 20671e67b4SEric Biggers Merkle tree. The file is also made read-only. 21671e67b4SEric Biggers 22671e67b4SEric Biggers This serves as an integrity check, but the availability of the 23671e67b4SEric Biggers Merkle tree root hash also allows efficiently supporting 24671e67b4SEric Biggers various use cases where normally the whole file would need to 25671e67b4SEric Biggers be hashed at once, such as: (a) auditing (logging the file's 26671e67b4SEric Biggers hash), or (b) authenticity verification (comparing the hash 27671e67b4SEric Biggers against a known good value, e.g. from a digital signature). 28671e67b4SEric Biggers 29671e67b4SEric Biggers fs-verity is especially useful on large files where not all 30671e67b4SEric Biggers the contents may actually be needed. Also, fs-verity verifies 31671e67b4SEric Biggers data each time it is paged back in, which provides better 32671e67b4SEric Biggers protection against malicious disks vs. an ahead-of-time hash. 33671e67b4SEric Biggers 34671e67b4SEric Biggers If unsure, say N. 35671e67b4SEric Biggers 36671e67b4SEric Biggersconfig FS_VERITY_DEBUG 37671e67b4SEric Biggers bool "FS Verity debugging" 38671e67b4SEric Biggers depends on FS_VERITY 39671e67b4SEric Biggers help 40671e67b4SEric Biggers Enable debugging messages related to fs-verity by default. 41671e67b4SEric Biggers 42671e67b4SEric Biggers Say N unless you are an fs-verity developer. 43432434c9SEric Biggers 44432434c9SEric Biggersconfig FS_VERITY_BUILTIN_SIGNATURES 45432434c9SEric Biggers bool "FS Verity builtin signature support" 46432434c9SEric Biggers depends on FS_VERITY 47432434c9SEric Biggers select SYSTEM_DATA_VERIFICATION 48432434c9SEric Biggers help 49432434c9SEric Biggers Support verifying signatures of verity files against the X.509 50432434c9SEric Biggers certificates that have been loaded into the ".fs-verity" 51432434c9SEric Biggers kernel keyring. 52432434c9SEric Biggers 53432434c9SEric Biggers This is meant as a relatively simple mechanism that can be 54432434c9SEric Biggers used to provide an authenticity guarantee for verity files, as 55432434c9SEric Biggers an alternative to IMA appraisal. Userspace programs still 56432434c9SEric Biggers need to check that the verity bit is set in order to get an 57432434c9SEric Biggers authenticity guarantee. 58432434c9SEric Biggers 59432434c9SEric Biggers If unsure, say N. 60