xref: /linux/fs/verity/Kconfig (revision 1260ed77798502de9c98020040d2995008de10cc)
1# SPDX-License-Identifier: GPL-2.0
2
3config FS_VERITY
4	bool "FS Verity (read-only file-based authenticity protection)"
5	select CRYPTO
6	select CRYPTO_HASH_INFO
7	# SHA-256 is selected as it's intended to be the default hash algorithm.
8	# To avoid bloat, other wanted algorithms must be selected explicitly.
9	select CRYPTO_SHA256
10	help
11	  This option enables fs-verity.  fs-verity is the dm-verity
12	  mechanism implemented at the file level.  On supported
13	  filesystems (currently ext4, f2fs, and btrfs), userspace can
14	  use an ioctl to enable verity for a file, which causes the
15	  filesystem to build a Merkle tree for the file.  The filesystem
16	  will then transparently verify any data read from the file
17	  against the Merkle tree.  The file is also made read-only.
18
19	  This serves as an integrity check, but the availability of the
20	  Merkle tree root hash also allows efficiently supporting
21	  various use cases where normally the whole file would need to
22	  be hashed at once, such as: (a) auditing (logging the file's
23	  hash), or (b) authenticity verification (comparing the hash
24	  against a known good value, e.g. from a digital signature).
25
26	  fs-verity is especially useful on large files where not all
27	  the contents may actually be needed.  Also, fs-verity verifies
28	  data each time it is paged back in, which provides better
29	  protection against malicious disks vs. an ahead-of-time hash.
30
31	  If unsure, say N.
32
33config FS_VERITY_BUILTIN_SIGNATURES
34	bool "FS Verity builtin signature support"
35	depends on FS_VERITY
36	select SYSTEM_DATA_VERIFICATION
37	help
38	  This option adds support for in-kernel verification of
39	  fs-verity builtin signatures.
40
41	  Please take great care before using this feature.  It is not
42	  the only way to do signatures with fs-verity, and the
43	  alternatives (such as userspace signature verification, and
44	  IMA appraisal) can be much better.  For details about the
45	  limitations of this feature, see
46	  Documentation/filesystems/fsverity.rst.
47
48	  If unsure, say N.
49