asedeno.scripts.mit.edu Git - linux.git/commit

author	Eric Biggers <ebiggers@google.com>
	Mon, 22 Jul 2019 16:26:23 +0000 (09:26 -0700)
committer	Eric Biggers <ebiggers@google.com>
	Tue, 13 Aug 2019 02:33:50 +0000 (19:33 -0700)
commit	432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6
tree	cfcf57b2bb1fbdb1e9b5739f020b0311405363c0	tree \| snapshot
parent	add890c9f9d2d1d79184ded72f23b37b164fc673	commit \| diff

fs-verity: support builtin file signatures

To meet some users' needs, add optional support for having fs-verity
handle a portion of the authentication policy in the kernel. An
".fs-verity" keyring is created to which X.509 certificates can be
added; then a sysctl 'fs.verity.require_signatures' can be set to cause
the kernel to enforce that all fs-verity files contain a signature of
their file measurement by a key in this keyring.

See the "Built-in signature verification" section of
Documentation/filesystems/fsverity.rst for the full documentation.

Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>

fs/verity/Kconfig		diff \| blob \| history
fs/verity/Makefile		diff \| blob \| history
fs/verity/enable.c		diff \| blob \| history
fs/verity/fsverity_private.h		diff \| blob \| history
fs/verity/init.c		diff \| blob \| history
fs/verity/open.c		diff \| blob \| history
fs/verity/signature.c	[new file with mode: 0644]	blob
fs/verity/verify.c		diff \| blob \| history