linux-stable/fs/verity/Kconfig

# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	select CRYPTO
	select CRYPTO_HASH_INFO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provided optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	imply CRYPTO_SHA256
	help
	  This option enables fs-verity.  fs-verity is the dm-verity
	  mechanism implemented at the file level.  On supported
	  filesystems (currently ext4, f2fs, and btrfs), userspace can
	  use an ioctl to enable verity for a file, which causes the
	  filesystem to build a Merkle tree for the file.  The filesystem
	  will then transparently verify any data read from the file
	  against the Merkle tree.  The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed.  Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  This option adds support for in-kernel verification of
	  fs-verity builtin signatures.

	  Please take great care before using this feature.  It is not
	  the only way to do signatures with fs-verity, and the
	  alternatives (such as userspace signature verification, and
	  IMA appraisal) can be much better.  For details about the
	  limitations of this feature, see
	  Documentation/filesystems/fsverity.rst.

	  If unsure, say N.
fs-verity: add Kconfig and the helper functions for hashing Add the beginnings of the fs/verity/ support layer, including the Kconfig option and various helper functions for hashing. To start, only SHA-256 is supported, but other hash algorithms can easily be added. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:21 +00:00			`# SPDX-License-Identifier: GPL-2.0`

			`config FS_VERITY`
			`bool "FS Verity (read-only file-based authenticity protection)"`
			`select CRYPTO`
fs-verity: define a function to return the integrity protected file digest Define a function named fsverity_get_digest() to return the verity file digest and the associated hash algorithm (enum hash_algo). This assumes that before calling fsverity_get_digest() the file must have been opened, which is even true for the IMA measure/appraise on file open policy rule use case (func=FILE_CHECK). do_open() calls vfs_open() immediately prior to ima_file_check(). Acked-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-11-23 18:37:52 +00:00			`select CRYPTO_HASH_INFO`
fsverity: relax build time dependency on CRYPTO_SHA256 CONFIG_CRYPTO_SHA256 denotes the generic C implementation of the SHA-256 shash algorithm, which is selected as the default crypto shash provider for fsverity. However, fsverity has no strict link time dependency, and the same shash could be exposed by an optimized implementation, and arm64 has a number of those (scalar, NEON-based and one based on special crypto instructions). In such cases, it makes little sense to require that the generic C implementation is incorporated as well, given that it will never be called. To address this, relax the 'select' clause to 'imply' so that the generic driver can be omitted from the build if desired. Acked-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-04-21 07:55:11 +00:00			`# SHA-256 is implied as it's intended to be the default hash algorithm.`
fs-verity: add Kconfig and the helper functions for hashing Add the beginnings of the fs/verity/ support layer, including the Kconfig option and various helper functions for hashing. To start, only SHA-256 is supported, but other hash algorithms can easily be added. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:21 +00:00			`# To avoid bloat, other wanted algorithms must be selected explicitly.`
fsverity: relax build time dependency on CRYPTO_SHA256 CONFIG_CRYPTO_SHA256 denotes the generic C implementation of the SHA-256 shash algorithm, which is selected as the default crypto shash provider for fsverity. However, fsverity has no strict link time dependency, and the same shash could be exposed by an optimized implementation, and arm64 has a number of those (scalar, NEON-based and one based on special crypto instructions). In such cases, it makes little sense to require that the generic C implementation is incorporated as well, given that it will never be called. To address this, relax the 'select' clause to 'imply' so that the generic driver can be omitted from the build if desired. Acked-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-04-21 07:55:11 +00:00			`# Note that CRYPTO_SHA256 denotes the generic C implementation, but`
			`# some architectures provided optimized implementations of the same`
			`# algorithm that may be used instead. In this case, CRYPTO_SHA256 may`
			`# be omitted even if SHA-256 is being used.`
			`imply CRYPTO_SHA256`
fs-verity: add Kconfig and the helper functions for hashing Add the beginnings of the fs/verity/ support layer, including the Kconfig option and various helper functions for hashing. To start, only SHA-256 is supported, but other hash algorithms can easily be added. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:21 +00:00			`help`
			`This option enables fs-verity. fs-verity is the dm-verity`
			`mechanism implemented at the file level. On supported`
fs-verity: mention btrfs support btrfs supports fs-verity since Linux v5.15. Document this. Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: David Sterba <dsterba@suse.com> Link: https://lore.kernel.org/r/20220610000616.18225-1-ebiggers@kernel.org 2022-06-10 00:06:16 +00:00			`filesystems (currently ext4, f2fs, and btrfs), userspace can`
			`use an ioctl to enable verity for a file, which causes the`
			`filesystem to build a Merkle tree for the file. The filesystem`
			`will then transparently verify any data read from the file`
			`against the Merkle tree. The file is also made read-only.`
fs-verity: add Kconfig and the helper functions for hashing Add the beginnings of the fs/verity/ support layer, including the Kconfig option and various helper functions for hashing. To start, only SHA-256 is supported, but other hash algorithms can easily be added. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:21 +00:00
			`This serves as an integrity check, but the availability of the`
			`Merkle tree root hash also allows efficiently supporting`
			`various use cases where normally the whole file would need to`
			`be hashed at once, such as: (a) auditing (logging the file's`
			`hash), or (b) authenticity verification (comparing the hash`
			`against a known good value, e.g. from a digital signature).`

			`fs-verity is especially useful on large files where not all`
			`the contents may actually be needed. Also, fs-verity verifies`
			`data each time it is paged back in, which provides better`
			`protection against malicious disks vs. an ahead-of-time hash.`

			`If unsure, say N.`

fs-verity: support builtin file signatures To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:23 +00:00			`config FS_VERITY_BUILTIN_SIGNATURES`
			`bool "FS Verity builtin signature support"`
			`depends on FS_VERITY`
			`select SYSTEM_DATA_VERIFICATION`
			`help`
fsverity: improve documentation for builtin signature support fsverity builtin signatures (CONFIG_FS_VERITY_BUILTIN_SIGNATURES) aren't the only way to do signatures with fsverity, and they have some major limitations. Yet, more users have tried to use them, e.g. recently by https://github.com/ostreedev/ostree/pull/2640. In most cases this seems to be because users aren't sufficiently familiar with the limitations of this feature and what the alternatives are. Therefore, make some updates to the documentation to try to clarify the properties of this feature and nudge users in the right direction. Note that the Integrity Policy Enforcement (IPE) LSM, which is not yet upstream, is planned to use the builtin signatures. (This differs from IMA, which uses its own signature mechanism.) For that reason, my earlier patch "fsverity: mark builtin signatures as deprecated" (https://lore.kernel.org/r/20221208033548.122704-1-ebiggers@kernel.org), which marked builtin signatures as "deprecated", was controversial. This patch therefore stops short of marking the feature as deprecated. I've also revised the language to focus on better explaining the feature and what its alternatives are. Link: https://lore.kernel.org/r/20230620041937.5809-1-ebiggers@kernel.org Reviewed-by: Colin Walters <walters@verbum.org> Reviewed-by: Luca Boccassi <bluca@debian.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2023-06-20 04:19:37 +00:00			`This option adds support for in-kernel verification of`
			`fs-verity builtin signatures.`
fs-verity: support builtin file signatures To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:23 +00:00
fsverity: improve documentation for builtin signature support fsverity builtin signatures (CONFIG_FS_VERITY_BUILTIN_SIGNATURES) aren't the only way to do signatures with fsverity, and they have some major limitations. Yet, more users have tried to use them, e.g. recently by https://github.com/ostreedev/ostree/pull/2640. In most cases this seems to be because users aren't sufficiently familiar with the limitations of this feature and what the alternatives are. Therefore, make some updates to the documentation to try to clarify the properties of this feature and nudge users in the right direction. Note that the Integrity Policy Enforcement (IPE) LSM, which is not yet upstream, is planned to use the builtin signatures. (This differs from IMA, which uses its own signature mechanism.) For that reason, my earlier patch "fsverity: mark builtin signatures as deprecated" (https://lore.kernel.org/r/20221208033548.122704-1-ebiggers@kernel.org), which marked builtin signatures as "deprecated", was controversial. This patch therefore stops short of marking the feature as deprecated. I've also revised the language to focus on better explaining the feature and what its alternatives are. Link: https://lore.kernel.org/r/20230620041937.5809-1-ebiggers@kernel.org Reviewed-by: Colin Walters <walters@verbum.org> Reviewed-by: Luca Boccassi <bluca@debian.org> Signed-off-by: Eric Biggers <ebiggers@google.com> 2023-06-20 04:19:37 +00:00			`Please take great care before using this feature. It is not`
			`the only way to do signatures with fs-verity, and the`
			`alternatives (such as userspace signature verification, and`
			`IMA appraisal) can be much better. For details about the`
			`limitations of this feature, see`
			`Documentation/filesystems/fsverity.rst.`
fs-verity: support builtin file signatures To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com> 2019-07-22 16:26:23 +00:00
			`If unsure, say N.`