Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

Blame: all lines from commit 8f3ce5b39 (kx, 2023-10-28 12:00:06 +0300)

# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provided optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity.  fs-verity is the dm-verity
	  mechanism implemented at the file level.  On supported
	  filesystems (currently EXT4 and F2FS), userspace can use an
	  ioctl to enable verity for a file, which causes the filesystem
	  to build a Merkle tree for the file.  The filesystem will then
	  transparently verify any data read from the file against the
	  Merkle tree.  The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed.  Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_DEBUG
	bool "FS Verity debugging"
	depends on FS_VERITY
	help
	  Enable debugging messages related to fs-verity by default.

	  Say N unless you are an fs-verity developer.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  Support verifying signatures of verity files against the X.509
	  certificates that have been loaded into the ".fs-verity"
	  kernel keyring.

	  This is meant as a relatively simple mechanism that can be
	  used to provide an authenticity guarantee for verity files, as
	  an alternative to IMA appraisal.  Userspace programs still
	  need to check that the verity bit is set in order to get an
	  authenticity guarantee.

	  If unsure, say N.