authorLinus Torvalds <torvalds@linux-foundation.org>2025-03-25 18:30:23 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2025-03-25 18:30:23 -0700
commitbdab2977e47a2eac50e3a0ce23eb5eab110fd490 (patch)
treebe0ff8e5ef5c34bf2e3ee4c220d0faab5b1149bc
parent61af143fbea4f1013e064e7580acb7332e531bd6 (diff)
parenta19bcde49998aac0a4ff99e9a84339adecffbfcb (diff)
Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux
Pull fsverity updates from Eric Biggers: "A fix for an issue where CONFIG_FS_VERITY could be enabled without some of its dependencies, and a small documentation update" * tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux: Revert "fsverity: relax build time dependency on CRYPTO_SHA256" Documentation: add a usecase for FS_IOC_READ_VERITY_METADATA
-rw-r--r--Documentation/filesystems/fsverity.rst16
-rw-r--r--fs/verity/Kconfig8
2 files changed, 13 insertions, 11 deletions
diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
index 76e5382178689..dacdbc1149e67 100644
--- a/Documentation/filesystems/fsverity.rst
+++ b/Documentation/filesystems/fsverity.rst
@@ -248,11 +248,17 @@ FS_IOC_READ_VERITY_METADATA
The FS_IOC_READ_VERITY_METADATA ioctl reads verity metadata from a
verity file. This ioctl is available since Linux v5.12.
-This ioctl allows writing a server program that takes a verity file
-and serves it to a client program, such that the client can do its own
-fs-verity compatible verification of the file. This only makes sense
-if the client doesn't trust the server and if the server needs to
-provide the storage for the client.
+This ioctl is useful for cases where the verity verification should be
+performed somewhere other than the currently running kernel.
+
+One example is a server program that takes a verity file and serves it
+to a client program, such that the client can do its own fs-verity
+compatible verification of the file. This only makes sense if the
+client doesn't trust the server and if the server needs to provide the
+storage for the client.
+
+Another example is copying verity metadata when creating filesystem
+images in userspace (such as with ``mkfs.ext4 -d``).
This is a fairly specialized use case, and most fs-verity users won't
need this ioctl.
diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig
index e1036e5353521..40569d3527a71 100644
--- a/fs/verity/Kconfig
+++ b/fs/verity/Kconfig
@@ -4,13 +4,9 @@ config FS_VERITY
bool "FS Verity (read-only file-based authenticity protection)"
select CRYPTO
select CRYPTO_HASH_INFO
- # SHA-256 is implied as it's intended to be the default hash algorithm.
+ # SHA-256 is selected as it's intended to be the default hash algorithm.
# To avoid bloat, other wanted algorithms must be selected explicitly.
- # Note that CRYPTO_SHA256 denotes the generic C implementation, but
- # some architectures provided optimized implementations of the same
- # algorithm that may be used instead. In this case, CRYPTO_SHA256 may
- # be omitted even if SHA-256 is being used.
- imply CRYPTO_SHA256
+ select CRYPTO_SHA256
help
This option enables fs-verity. fs-verity is the dm-verity
mechanism implemented at the file level. On supported
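Review bot: The rewritten comment above `select CRYPTO_SHA256` explains that SHA-256 is the intended default, but not why `select` rather than `imply` is required, which is the reason for this revert; without that, the next cleanup that trims dependencies can reintroduce `imply`. The merge description states the issue was CONFIG_FS_VERITY being enabled without some of its dependencies, so the comment should record the constraint, e.g. `# SHA-256 is selected (not merely implied) because it is the default hash algorithm and must be built whenever fs-verity is enabled; imply does not guarantee that.` The removed note about arch-optimized implementations being usable in place of CRYPTO_SHA256 is dropped without replacement, so if that reasoning is now considered wrong it may be worth one sentence saying so. The `config FS_VERITY` help text continues past the end of the hunk.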