Diffstat (limited to 'fs/verity/Kconfig')
-rw-r--r--fs/verity/Kconfig36
1 files changed, 11 insertions, 25 deletions
diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig
index aad1f1d998b9..76d1c5971b82 100644
--- a/fs/verity/Kconfig
+++ b/fs/verity/Kconfig
@@ -2,15 +2,9 @@
config FS_VERITY
bool "FS Verity (read-only file-based authenticity protection)"
- select CRYPTO
select CRYPTO_HASH_INFO
- # SHA-256 is implied as it's intended to be the default hash algorithm.
- # To avoid bloat, other wanted algorithms must be selected explicitly.
- # Note that CRYPTO_SHA256 denotes the generic C implementation, but
- # some architectures provided optimized implementations of the same
- # algorithm that may be used instead. In this case, CRYPTO_SHA256 may
- # be omitted even if SHA-256 is being used.
- imply CRYPTO_SHA256
+ select CRYPTO_LIB_SHA256
+ select CRYPTO_LIB_SHA512
help
This option enables fs-verity. fs-verity is the dm-verity
mechanism implemented at the file level. On supported
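Review bot: The two new `select` lines replace a six-line comment and leave no record of why both SHA-256 and SHA-512 are now built unconditionally, whereas the removed comment said other algorithms had to be selected explicitly to avoid bloat. A one-line comment above them would keep that intent visible, for example `# fs-verity uses the SHA-256 and SHA-512 library code directly, so both are always built.` (wording to be confirmed against the hashing code, which is not in this hunk). Separately, `select CRYPTO` is dropped while `select CRYPTO_HASH_INFO` stays; because `select` does not enforce the selected symbol's own dependencies, it is worth confirming that CRYPTO_HASH_INFO still builds and links with CRYPTO=n. The FS_VERITY help text continues past the end of the hunk.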
@@ -34,27 +28,19 @@ config FS_VERITY
If unsure, say N.
-config FS_VERITY_DEBUG
- bool "FS Verity debugging"
- depends on FS_VERITY
- help
- Enable debugging messages related to fs-verity by default.
-
- Say N unless you are an fs-verity developer.
-
config FS_VERITY_BUILTIN_SIGNATURES
bool "FS Verity builtin signature support"
depends on FS_VERITY
select SYSTEM_DATA_VERIFICATION
help
- Support verifying signatures of verity files against the X.509
- certificates that have been loaded into the ".fs-verity"
- kernel keyring.
-
- This is meant as a relatively simple mechanism that can be
- used to provide an authenticity guarantee for verity files, as
- an alternative to IMA appraisal. Userspace programs still
- need to check that the verity bit is set in order to get an
- authenticity guarantee.
+ This option adds support for in-kernel verification of
+ fs-verity builtin signatures.
+
+ Please take great care before using this feature. It is not
+ the only way to do signatures with fs-verity, and the
+ alternatives (such as userspace signature verification, and
+ IMA appraisal) can be much better. For details about the
+ limitations of this feature, see
+ Documentation/filesystems/fsverity.rst.
If unsure, say N.
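Review bot: The rewritten help text for FS_VERITY_BUILTIN_SIGNATURES drops two facts that someone deciding on this option needs at the prompt: that signatures are checked against X.509 certificates in the ".fs-verity" kernel keyring, and that userspace must still check that the verity bit is set to get an authenticity guarantee. Pointing to Documentation/filesystems/fsverity.rst for the limitations is reasonable, but I would keep one sentence inline, e.g. `Signatures are verified against the ".fs-verity" keyring; userspace must still check that the verity bit is set on each file.` Without it the entry can be read as if enabling the option alone provides authenticity, and an administrator auditing trust anchors no longer learns from the help text which keyring to inspect.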