authorEric Biggers <ebiggers@google.com>2019-07-22 09:26:23 -0700
committerEric Biggers <ebiggers@google.com>2019-08-12 19:33:50 -0700
commit432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6 (patch)
treecfcf57b2bb1fbdb1e9b5739f020b0311405363c0 /fs/verity/init.c
parentadd890c9f9d2d1d79184ded72f23b37b164fc673 (diff)
fs-verity: support builtin file signatures
To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com>
Diffstat (limited to 'fs/verity/init.c')
-rw-r--r--fs/verity/init.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/verity/init.c b/fs/verity/init.c
index b593805aafcc..94c104e00861 100644
--- a/fs/verity/init.c
+++ b/fs/verity/init.c
@@ -45,9 +45,15 @@ static int __init fsverity_init(void)
if (err)
goto err_exit_info_cache;
+ err = fsverity_init_signature();
+ if (err)
+ goto err_exit_workqueue;
+
pr_debug("Initialized fs-verity\n");
return 0;
+err_exit_workqueue:
+ fsverity_exit_workqueue();
err_exit_info_cache:
fsverity_exit_info_cache();
return err;
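Review bot: The new `fsverity_init_signature()` call gets no unwind label of its own, so the error path is only complete while this call stays the last step in fsverity_init() that can fail. The hunk does not show whether a teardown counterpart for the signature setup exists; if it does not, a comment above the call would prevent a later init step from leaking the keyring or sysctl on failure, for example `/* Keep last: there is no fsverity_exit_signature() to unwind this step. */`. It would also help to note that a failure here aborts fs-verity initialisation entirely rather than continuing without signature enforcement, since that fail-closed behaviour is what the `fs.verity.require_signatures` policy depends on. fsverity_init() begins before this hunk, so the earlier init steps and their labels are not visible here.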