| /linux-6.15/Documentation/filesystems/ |
| fsverity.rst | 12 fs-verity (``fs/verity/``) is a support layer that filesystems can 18 fs-verity is similar to `dm-verity 61 fs-verity does not replace or obsolete dm-verity. dm-verity should 375 its "verity"-ness. fs-verity is primarily meant for files like 429 fs-verity descriptor 508 fs.verity.require_signatures=1, just checking whether fs-verity is 588 been formatted with ``-O verity`` or had ``tune2fs -O verity`` run on 699 filesystems to support fs-verity, fs/verity/ also provides a function 778 verity file with a non-verity one? 846 Compare it to dm-verity vs. dm-integrity. dm-verity is very
|
| overlayfs.rst | 474 fs-verity support 478 fs-verity enabled and overlay verity support is enabled, then the 483 When a layer containing verity xattrs is used, it means that any such 489 digest check, or from a later read due to fs-verity) and a detailed 490 error is printed to the kernel logs. For more details of how fs-verity 497 layer is fully trusted (by using dm-verity or something similar), then 504 This feature is controlled by the "verity" mount option, which 509 default if verity option is not specified. 513 generating a metacopy file the verity digest will be set in it 518 will only be used if the data file has fs-verity enabled,
|
| /linux-6.15/Documentation/filesystems/ext4/ |
| verity.rst | 6 ext4 supports fs-verity, which is a filesystem feature that provides 8 fs-verity is common to all filesystems that support it; see 10 fs-verity documentation. However, the on-disk layout of the verity 11 metadata is filesystem-specific. On ext4, the verity metadata is 25 - The verity descriptor, as documented in 32 - The size of the verity descriptor in bytes, as a 4-byte little 37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata 40 Verity files cannot have blocks allocated past the end of the verity
|
| overview.rst | 27 .. include:: verity.rst
|
| /linux-6.15/security/loadpin/ |
| Kconfig | 12 dm-verity or a CDROM. 26 bool "Allow reading files from certain other filesystems that use dm-verity" 30 that use dm-verity. LoadPin maintains a list of verity root 31 digests it considers trusted. A verity backed filesystem is 35 The list of trusted verity can be populated through an ioctl 36 on the LoadPin securityfs entry 'dm-verity'. The ioctl 37 expects a file descriptor of a file with verity digests as 43 This is followed by the verity digests, with one digest per
|
| /linux-6.15/fs/verity/ |
| Kconfig | 11 This option enables fs-verity. fs-verity is the dm-verity 14 use an ioctl to enable verity for a file, which causes the 26 fs-verity is especially useful on large files where not all 27 the contents may actually be needed. Also, fs-verity verifies 39 fs-verity builtin signatures. 42 the only way to do signatures with fs-verity, and the
|
| /linux-6.15/drivers/md/ |
| Makefile | 27 dm-verity-y += dm-verity-target.o 72 obj-$(CONFIG_DM_VERITY) += dm-verity.o 83 obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o 102 dm-verity-objs += dm-verity-fec.o 106 dm-verity-objs += dm-verity-verify-sig.o
|
| Kconfig | 531 be called dm-verity. 540 Add ability for dm-verity device to be validated if the 553 Rely on the secondary trusted keyring to verify dm-verity signatures. 563 Rely also on the platform keyring to verify dm-verity signatures. 573 Add forward error correction support to dm-verity. This option
|
| /linux-6.15/security/ipe/ |
| Kconfig | 56 bool "Enable support for dm-verity based on root hash" 60 policies. The property evaluates to TRUE when a file from a dm-verity 65 bool "Enable support for dm-verity based on root hash signature" 69 policies. The property evaluates to TRUE when a file from a dm-verity 76 bool "Enable support for fs-verity based on file digest" 87 bool "Enable support for fs-verity based on builtin signature" 93 is in the .fs-verity keyring.
|
| /linux-6.15/Documentation/admin-guide/device-mapper/ |
| dm-init.rst | 32 <target_type> ::= "verity" | "linear" | ... (see list below) 61 `verity` allowed 85 dm-verity,,3,ro, 86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256 120 "verity":: 122 dm-verity,,4,ro, 123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
|
| verity.rst | 2 dm-verity 5 Device-Mapper's "verity" target provides transparent integrity checking of 40 dm-verity device. 114 verity <dev> is encrypted the <fec_dev> should be too. 131 rather than every time. This reduces the overhead of dm-verity so that it 154 If verity hashes are in cache and the IO size does not exceed the limit, 167 dm-verity is meant to be set up as part of a verified boot path. This 171 When a dm-verity device is configured, it is expected that the caller 219 The verity kernel code does not read the verity metadata on-disk header. 222 verity header.
|
| index.rst | 39 verity
|
| dm-ima.rst | 15 target types like crypt, verity, integrity etc. Each of these target 338 #. verity 673 10. verity 676 section above) has the following data format for 'verity' target. 685 target_name := "target_name=verity" 704 When a 'verity' target is loaded, then IMA ASCII measurement log will have an entry 705 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA 710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1; 711 …target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_fail…
|
| /linux-6.15/Documentation/ABI/testing/ |
| ima_policy | 58 specifying "digest_type=verity" first.) 63 digest_type:= verity 64 Require fs-verity's file digest instead of the 165 Example of a 'measure' rule requiring fs-verity's digests 168 measure func=FILE_CHECK digest_type=verity \ 171 Example of 'measure' and 'appraise' rules requiring fs-verity 178 measure func=BPRM_CHECK digest_type=verity \ 185 appraise func=BPRM_CHECK digest_type=verity \
|
| /linux-6.15/Documentation/admin-guide/LSM/ |
| ipe.rst | 34 a file's origin, such as dm-verity or fs-verity, which provide a layer of 36 that trust files from a dm-verity protected device. dm-verity ensures the 38 of its contents. Similarly, fs-verity offers filesystem-level integrity 40 fs-verity. These two features cannot be turned off once established, so 50 property. The latter includes checking the roothash of a dm-verity 51 protected device, determining whether dm-verity possesses a valid 52 signature, assessing the digest of a fs-verity protected file, or 704 Prohibit execution from a specific dm-verity volume 717 Allow only a specific dm-verity volume 727 Allow any fs-verity file with a valid built-in signature
|
| LoadPin.rst | 8 such as dm-verity or CDROM. This allows systems that have a verified
|
| /linux-6.15/fs/f2fs/ |
| Makefile | 10 f2fs-$(CONFIG_FS_VERITY) += verity.o
|
| /linux-6.15/fs/ext4/ |
| Makefile | 19 ext4-$(CONFIG_FS_VERITY) += verity.o
|
| sysfs.c | 328 EXT4_ATTR_FEATURE(verity); 348 ATTR_LIST(verity),
|
| inode.c | 1300 bool verity = ext4_verity_in_progress(inode); in ext4_write_end() local 1317 if (!verity) in ext4_write_end() 1322 if (old_size < pos && !verity) { in ext4_write_end() 1335 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_write_end() 1346 if (pos + len > inode->i_size && !verity) { in ext4_write_end() 1407 bool verity = ext4_verity_in_progress(inode); in ext4_journalled_write_end() local 1434 if (!verity) in ext4_journalled_write_end() 1440 if (old_size < pos && !verity) { in ext4_journalled_write_end() 1451 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_journalled_write_end() 1461 if (pos + len > inode->i_size && !verity) { in ext4_journalled_write_end()
|
| /linux-6.15/Documentation/translations/zh_CN/security/ |
| IMA-templates.rst | 60 - 'd-ngv2': same as d-ng, but prefixed with the "ima" or "verity" digest type
|
| /linux-6.15/fs/btrfs/ |
| Makefile | 41 btrfs-$(CONFIG_FS_VERITY) += verity.o
|
| Kconfig | 94 - send stream protocol v3 - fs-verity support
|
| /linux-6.15/fs/ |
| Makefile | 33 obj-$(CONFIG_FS_VERITY) += verity/
|
| /linux-6.15/Documentation/security/ |
| ipe.rst | 51 offline mount occurs against the filesystem protected by dm-verity, the 54 * As userspace binaries are paged in Linux, dm-verity also offers the 59 dm-verity will check the data when the page fault occurs (and the disk 64 * dm-verity provides integrity verification on demand as blocks are
|