Home
last modified time | relevance | path

Searched refs:verity (Results 1 – 25 of 30) sorted by relevance

12

/linux/Documentation/filesystems/
H A Dfsverity.rst6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
19 <https://www.kernel.org/doc/Documentation/admin-guide/device-mapper/verity.rst>`_
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, fs-verity only provides integrity protection, i.e.
[all …]
H A Doverlayfs.rst481 fs-verity support
485 fs-verity enabled and overlay verity support is enabled, then the
490 When a layer containing verity xattrs is used, it means that any such
496 digest check, or from a later read due to fs-verity) and a detailed
497 error is printed to the kernel logs. For more details of how fs-verity
504 layer is fully trusted (by using dm-verity or something similar), then
511 This feature is controlled by the "verity" mount option, which
516 default if verity option is not specified.
520 generating a metacopy file the verity digest will be set in it
525 will only be used if the data file has fs-verity enabled,
/linux/Documentation/filesystems/ext4/
H A Dverity.rst6 ext4 supports fs-verity, which is a filesystem feature that provides
8 fs-verity is common to all filesystems that support it; see
10 fs-verity documentation. However, the on-disk layout of the verity
11 metadata is filesystem-specific. On ext4, the verity metadata is
25 - The verity descriptor, as documented in
32 - The size of the verity descriptor in bytes, as a 4-byte little
37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
40 Verity files cannot have blocks allocated past the end of the verity
/linux/fs/verity/
H A DKconfig9 This option enables fs-verity. fs-verity is the dm-verity
12 use an ioctl to enable verity for a file, which causes the
24 fs-verity is especially useful on large files where not all
25 the contents may actually be needed. Also, fs-verity verifies
37 fs-verity builtin signatures.
40 the only way to do signatures with fs-verity, and the
/linux/Documentation/admin-guide/device-mapper/
H A Ddm-init.rst32 <target_type> ::= "verity" | "linear" | ... (see list below)
61 `verity` allowed
85 dm-verity,,3,ro,
86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
120 "verity"::
122 dm-verity,,4,ro,
123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
H A Dverity.rst2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
40 dm-verity device.
114 verity <dev> is encrypted the <fec_dev> should be too.
131 rather than every time. This reduces the overhead of dm-verity so that it
154 If verity hashes are in cache and the IO size does not exceed the limit,
167 dm-verity is meant to be set up as part of a verified boot path. This
171 When a dm-verity device is configured, it is expected that the caller
219 The verity kernel code does not read the verity metadata on-disk header.
222 verity header.
[all …]
H A Ddm-ima.rst15 target types like crypt, verity, integrity etc. Each of these target
338 #. verity
673 10. verity
676 section above) has the following data format for 'verity' target.
685 target_name := "target_name=verity"
704 When a 'verity' target is loaded, then IMA ASCII measurement log will have an entry
705 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA
710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
711 …target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_fail…
/linux/Documentation/ABI/testing/
H A Dima_policy59 specifying "digest_type=verity" first.)
64 digest_type:= verity
65 Require fs-verity's file digest instead of the
166 Example of a 'measure' rule requiring fs-verity's digests
169 measure func=FILE_CHECK digest_type=verity \
172 Example of 'measure' and 'appraise' rules requiring fs-verity
179 measure func=BPRM_CHECK digest_type=verity \
186 appraise func=BPRM_CHECK digest_type=verity \
H A Dsysfs-fs-f2fs251 verity, sb_checksum, casefold, readonly, compression, pin_file.
261 verity, sb_checksum, casefold, readonly, compression.
271 inode_crtime, lost_found, verity, sb_checksum,
/linux/Documentation/translations/zh_CN/security/
H A Dipe.rst53 如果对由dm-verity保护的文件系统进行了离线挂载,校验
57 verity同样提供了对抗恶意块设备的额外保护。在这样的
60 错误将报告攻击者的有效载荷。由于dm-verity会在页面错
66 * dm-verity在块被读取时按需提供完整性验证,而不需要将整
/linux/Documentation/admin-guide/LSM/
H A Dipe.rst34 a file's origin, such as dm-verity or fs-verity, which provide a layer of
36 that trust files from a dm-verity protected device. dm-verity ensures the
38 of its contents. Similarly, fs-verity offers filesystem-level integrity
40 fs-verity. These two features cannot be turned off once established, so
50 property. The latter includes checking the roothash of a dm-verity
51 protected device, determining whether dm-verity possesses a valid
52 signature, assessing the digest of a fs-verity protected file, or
53 determining whether fs-verity possesses a valid built-in signature. This
648 specific dm-verity volumes, identified via their root hashes. It has a
673 This property can be utilized for authorization of all dm-verity
[all …]
H A DLoadPin.rst8 such as dm-verity or CDROM. This allows systems that have a verified
/linux/Documentation/translations/zh_CN/filesystems/
H A Dubifs-authentication.rst33 dm-verity 子系统[DM-INTEGRITY, DM-VERITY]在块层实现完整数据认证,这些
350 [DM-VERITY] https://www.kernel.org/doc/Documentation/device-mapper/verity.rst
/linux/fs/f2fs/
H A DMakefile10 f2fs-$(CONFIG_FS_VERITY) += verity.o
H A Dsysfs.c1289 F2FS_FEATURE_RO_ATTR(verity);
1450 BASE_ATTR_LIST(verity),
1494 F2FS_SB_FEATURE_RO_ATTR(verity, VERITY);
/linux/fs/ext4/
H A DMakefile19 ext4-$(CONFIG_FS_VERITY) += verity.o
H A Dinode.c1444 bool verity = ext4_verity_in_progress(inode); in ext4_write_end() local
1461 if (!verity) in ext4_write_end()
1466 if (old_size < pos && !verity) { in ext4_write_end()
1479 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_write_end()
1490 if (pos + len > inode->i_size && !verity) { in ext4_write_end()
1551 bool verity = ext4_verity_in_progress(inode); in ext4_journalled_write_end() local
1578 if (!verity) in ext4_journalled_write_end()
1584 if (old_size < pos && !verity) { in ext4_journalled_write_end()
1595 if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode)) in ext4_journalled_write_end()
1605 if (pos + len > inode->i_size && !verity) { in ext4_journalled_write_end()
/linux/fs/btrfs/
H A DMakefile41 btrfs-$(CONFIG_FS_VERITY) += verity.o
H A DKconfig107 - send stream protocol v3 - fs-verity support
/linux/fs/
H A DMakefile34 obj-$(CONFIG_FS_VERITY) += verity/
/linux/drivers/md/
H A DKconfig562 be called dm-verity.
571 Add ability for dm-verity device to be validated if the
584 Rely on the secondary trusted keyring to verify dm-verity signatures.
594 Rely also on the platform keyring to verify dm-verity signatures.
604 Add forward error correction support to dm-verity. This option
/linux/Documentation/security/
H A Dipe.rst51 offline mount occurs against the filesystem protected by dm-verity, the
54 * As userspace binaries are paged in Linux, dm-verity also offers the
59 dm-verity will check the data when the page fault occurs (and the disk
64 * dm-verity provides integrity verification on demand as blocks are
H A DIMA-templates.rst70 - 'd-ngv2': same as d-ng, but prefixed with the "ima" or "verity" digest type
/linux/arch/arm64/boot/dts/exynos/google/
H A Dgs101-pixel-common.dtsi69 mode-dm-verity-device-corrupted = <0x80000050>;
/linux/Documentation/userspace-api/
H A Dcheck_exec.rst131 dm-verity/IPE) but where access rights might not be ready yet. Indeed,

12