
Searched refs:verity (Results 1 – 25 of 31) sorted by relevance


/linux-6.6.21/Documentation/filesystems/
fsverity.rst
6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
19 <https://www.kernel.org/doc/Documentation/device-mapper/verity.txt>`_
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, fs-verity only provides integrity protection, i.e.
overlayfs.rst
420 fs-verity support
424 fs-verity enabled and overlay verity support is enabled, then the
429 When a layer containing verity xattrs is used, it means that any such
435 digest check, or from a later read due to fs-verity) and a detailed
436 error is printed to the kernel logs. For more details of how fs-verity
443 layer is fully trusted (by using dm-verity or something similar), then
450 This feature is controlled by the "verity" mount option, which
455 default if verity option is not specified.
459 generating a metacopy file the verity digest will be set in it
464 will only be used if the data file has fs-verity enabled,
ubifs-authentication.rst
32 layer, the dm-integrity or dm-verity subsystems [DM-INTEGRITY, DM-VERITY]
444 [DM-VERITY] https://www.kernel.org/doc/Documentation/device-mapper/verity.rst
/linux-6.6.21/security/loadpin/
Kconfig
12 dm-verity or a CDROM.
23 bool "Allow reading files from certain other filesystems that use dm-verity"
27 that use dm-verity. LoadPin maintains a list of verity root
28 digests it considers trusted. A verity backed filesystem is
32 The list of trusted verity can be populated through an ioctl
33 on the LoadPin securityfs entry 'dm-verity'. The ioctl
34 expects a file descriptor of a file with verity digests as
40 This is followed by the verity digests, with one digest per
/linux-6.6.21/Documentation/filesystems/ext4/
verity.rst
6 ext4 supports fs-verity, which is a filesystem feature that provides
8 fs-verity is common to all filesystems that support it; see
10 fs-verity documentation. However, the on-disk layout of the verity
11 metadata is filesystem-specific. On ext4, the verity metadata is
25 - The verity descriptor, as documented in
32 - The size of the verity descriptor in bytes, as a 4-byte little
37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
40 Verity files cannot have blocks allocated past the end of the verity
overview.rst
27 .. include:: verity.rst
/linux-6.6.21/fs/verity/
Kconfig
15 This option enables fs-verity. fs-verity is the dm-verity
18 use an ioctl to enable verity for a file, which causes the
30 fs-verity is especially useful on large files where not all
31 the contents may actually be needed. Also, fs-verity verifies
43 fs-verity builtin signatures.
46 the only way to do signatures with fs-verity, and the
/linux-6.6.21/drivers/md/
Makefile
27 dm-verity-y += dm-verity-target.o
76 obj-$(CONFIG_DM_VERITY) += dm-verity.o
86 obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
105 dm-verity-objs += dm-verity-fec.o
109 dm-verity-objs += dm-verity-verify-sig.o
Kconfig
551 be called dm-verity.
561 Add ability for dm-verity device to be validated if the
574 Rely on the secondary trusted keyring to verify dm-verity signatures.
584 Add forward error correction support to dm-verity. This option
/linux-6.6.21/Documentation/admin-guide/device-mapper/
dm-init.rst
32 <target_type> ::= "verity" | "linear" | ... (see list below)
61 `verity` allowed
85 dm-verity,,3,ro,
86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
120 "verity"::
122 dm-verity,,4,ro,
123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
verity.rst
2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
40 dm-verity device.
105 verity <dev> is encrypted the <fec_dev> should be too.
122 rather than every time. This reduces the overhead of dm-verity so that it
145 If verity hashes are in cache, verify data blocks in kernel tasklet instead
151 dm-verity is meant to be set up as part of a verified boot path. This
155 When a dm-verity device is configured, it is expected that the caller
203 The verity kernel code does not read the verity metadata on-disk header.
206 verity header.
index.rst
37 verity
dm-ima.rst
15 target types like crypt, verity, integrity etc. Each of these target
338 #. verity
673 10. verity
676 section above) has the following data format for 'verity' target.
685 target_name := "target_name=verity"
704 When a 'verity' target is loaded, then IMA ASCII measurement log will have an entry
705 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA
710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
711 …target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_fail…
/linux-6.6.21/Documentation/ABI/testing/
ima_policy
58 specifying "digest_type=verity" first.)
63 digest_type:= verity
64 Require fs-verity's file digest instead of the
165 Example of a 'measure' rule requiring fs-verity's digests
168 measure func=FILE_CHECK digest_type=verity \
171 Example of 'measure' and 'appraise' rules requiring fs-verity
178 measure func=BPRM_CHECK digest_type=verity \
185 appraise func=BPRM_CHECK digest_type=verity \
sysfs-fs-f2fs
251 verity, sb_checksum, casefold, readonly, compression, pin_file.
261 verity, sb_checksum, casefold, readonly, compression.
271 inode_crtime, lost_found, verity, sb_checksum,
/linux-6.6.21/fs/f2fs/
Makefile
10 f2fs-$(CONFIG_FS_VERITY) += verity.o
sysfs.c
1046 F2FS_FEATURE_RO_ATTR(verity);
1183 ATTR_LIST(verity),
1216 F2FS_SB_FEATURE_RO_ATTR(verity, VERITY);
/linux-6.6.21/fs/ext4/
Makefile
19 ext4-$(CONFIG_FS_VERITY) += verity.o
sysfs.c
316 EXT4_ATTR_FEATURE(verity);
336 ATTR_LIST(verity),
inode.c
1280 bool verity = ext4_verity_in_progress(inode); in ext4_write_end() local
1297 if (!verity) in ext4_write_end()
1302 if (old_size < pos && !verity) in ext4_write_end()
1313 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_write_end()
1324 if (pos + len > inode->i_size && !verity) { in ext4_write_end()
1386 bool verity = ext4_verity_in_progress(inode); in ext4_journalled_write_end() local
1413 if (!verity) in ext4_journalled_write_end()
1419 if (old_size < pos && !verity) in ext4_journalled_write_end()
1428 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_journalled_write_end()
1438 if (pos + len > inode->i_size && !verity) { in ext4_journalled_write_end()
/linux-6.6.21/Documentation/admin-guide/LSM/
LoadPin.rst
8 such as dm-verity or CDROM. This allows systems that have a verified
/linux-6.6.21/fs/btrfs/
Makefile
42 btrfs-$(CONFIG_FS_VERITY) += verity.o
/linux-6.6.21/fs/
Makefile
33 obj-$(CONFIG_FS_VERITY) += verity/
Kconfig
129 source "fs/verity/Kconfig"
/linux-6.6.21/Documentation/security/
IMA-templates.rst
70 - 'd-ngv2': same as d-ng, but prefixed with the "ima" or "verity" digest type
