# SPDX-License-Identifier: GPL-2.0

# Main switch for fs-verity: per-file Merkle-tree verification of data read
# from files on supporting filesystems (see the help text for the list).
config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	# "select" forces these two symbols on whenever FS_VERITY is enabled.
	select CRYPTO
	select CRYPTO_HASH_INFO
	# SHA-256 is implied as it's intended to be the default hash algorithm.
	# To avoid bloat, other wanted algorithms must be selected explicitly.
	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
	# some architectures provide optimized implementations of the same
	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
	# be omitted even if SHA-256 is being used.
	#
	# "imply" is weaker than "select": CRYPTO_SHA256 defaults to on with
	# FS_VERITY but can still be set to n.
	# NOTE(review): if it is turned off and no other SHA-256 implementation
	# is built, verity files using SHA-256 presumably cannot be used; confirm
	# against the target configuration.
	imply CRYPTO_SHA256
	# Review note: on its own this option gives an integrity check against
	# the file's Merkle tree.  As the help text says, authenticity
	# additionally requires comparing the file's hash against a known good
	# value (e.g. from a digital signature).
	help
	  This option enables fs-verity.  fs-verity is the dm-verity
	  mechanism implemented at the file level.  On supported
	  filesystems (currently ext4, f2fs, and btrfs), userspace can
	  use an ioctl to enable verity for a file, which causes the
	  filesystem to build a Merkle tree for the file.  The filesystem
	  will then transparently verify any data read from the file
	  against the Merkle tree.  The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed.  Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.
# Optional in-kernel verification of fs-verity builtin signatures.
config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	# Only offered when the core fs-verity option is enabled.
	depends on FS_VERITY
	# Enabling this option also forces SYSTEM_DATA_VERIFICATION on.
	select SYSTEM_DATA_VERIFICATION
	# Review note: the help text warns that this is not the only way to do
	# signatures with fs-verity and that the alternatives (userspace
	# signature verification, IMA appraisal) can be much better.  Read the
	# limitations in Documentation/filesystems/fsverity.rst before relying
	# on this option as the authenticity control in a hardened build.
	help
	  This option adds support for in-kernel verification of
	  fs-verity builtin signatures.

	  Please take great care before using this feature.  It is not
	  the only way to do signatures with fs-verity, and the
	  alternatives (such as userspace signature verification, and
	  IMA appraisal) can be much better.  For details about the
	  limitations of this feature, see
	  Documentation/filesystems/fsverity.rst.

	  If unsure, say N.