fs-verity: support builtin file signatures
To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring.

See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation.

Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Showing
- fs/verity/Kconfig: 17 additions, 0 deletions
- fs/verity/Makefile: 2 additions, 0 deletions
- fs/verity/enable.c: 17 additions, 3 deletions
- fs/verity/fsverity_private.h: 45 additions, 3 deletions
- fs/verity/init.c: 6 additions, 0 deletions
- fs/verity/open.c: 19 additions, 8 deletions
- fs/verity/signature.c: 157 additions, 0 deletions
- fs/verity/verify.c: 6 additions, 0 deletions
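
The commit message says the signature covers the file measurement. As an added example (not code from this commit or from the kernel tree), the userspace C below serializes the bytes that actually get signed. It assumes the layout given in the kernel's fs-verity documentation, which this page does not show: the magic "FSVerity", a little-endian algorithm number and digest size, then the digest. The function names and the sample digest are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash algorithm numbers from the fs-verity UAPI header (linux/fsverity.h). */
#define FS_VERITY_HASH_ALG_SHA256 1
#define FS_VERITY_HASH_ALG_SHA512 2

/* Hypothetical helper: digest length for an algorithm number, 0 if unknown. */
static size_t alg_digest_size(uint16_t alg)
{
    switch (alg) {
    case FS_VERITY_HASH_ALG_SHA256: return 32;
    case FS_VERITY_HASH_ALG_SHA512: return 64;
    default: return 0;
    }
}

/*
 * Hypothetical helper: write magic[8] | le16 algorithm | le16 digest size |
 * digest into out. Returns the number of bytes written, or 0 if the algorithm
 * is unknown, the digest length does not match it, or out is too small.
 */
size_t build_signed_digest(uint16_t alg, const uint8_t *digest,
                           size_t digest_len, uint8_t *out, size_t out_cap)
{
    size_t want = alg_digest_size(alg);
    size_t total = 8 + 2 + 2 + digest_len;

    if (want == 0 || digest_len != want || out_cap < total)
        return 0;
    memcpy(out, "FSVerity", 8);
    out[8] = alg & 0xff;         out[9] = alg >> 8;          /* little-endian */
    out[10] = digest_len & 0xff; out[11] = digest_len >> 8;  /* little-endian */
    memcpy(out + 12, digest, digest_len);
    return total;
}

int main(void)
{
    uint8_t digest[32] = { 0xab, 0xcd };  /* constructed sample, not a real measurement */
    uint8_t buf[12 + 64];
    size_t n = build_signed_digest(FS_VERITY_HASH_ALG_SHA256, digest,
                                   sizeof(digest), buf, sizeof(buf));
    for (size_t i = 0; i < n; i++)
        printf("%02x", buf[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

Because the algorithm number and digest size sit inside the signed bytes, a signature made over a SHA-256 measurement cannot be presented as covering a digest of another algorithm.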