# SPDX-License-Identifier: GPL-2.0

config FS_VERITY
	bool "FS Verity (read-only file-based authenticity protection)"
	# Filesystems cache the Merkle tree at a 64K aligned offset in the
	# pagecache. That approach assumes the page size is at most 64K.
	depends on PAGE_SHIFT <= 16
	select CRYPTO_HASH_INFO
	select CRYPTO_LIB_SHA256
	select CRYPTO_LIB_SHA512
	help
	  This option enables fs-verity. fs-verity is the dm-verity
	  mechanism implemented at the file level. On supported
	  filesystems (currently ext4, f2fs, and btrfs), userspace can
	  use an ioctl to enable verity for a file, which causes the
	  filesystem to build a Merkle tree for the file. The filesystem
	  will then transparently verify any data read from the file
	  against the Merkle tree. The file is also made read-only.

	  This serves as an integrity check, but the availability of the
	  Merkle tree root hash also allows efficiently supporting
	  various use cases where normally the whole file would need to
	  be hashed at once, such as: (a) auditing (logging the file's
	  hash), or (b) authenticity verification (comparing the hash
	  against a known good value, e.g. from a digital signature).

	  fs-verity is especially useful on large files where not all
	  the contents may actually be needed. Also, fs-verity verifies
	  data each time it is paged back in, which provides better
	  protection against malicious disks vs. an ahead-of-time hash.

	  If unsure, say N.

config FS_VERITY_BUILTIN_SIGNATURES
	bool "FS Verity builtin signature support"
	depends on FS_VERITY
	select SYSTEM_DATA_VERIFICATION
	help
	  This option adds support for in-kernel verification of
	  fs-verity builtin signatures.

	  Please take great care before using this feature. It is not
	  the only way to do signatures with fs-verity, and the
	  alternatives (such as userspace signature verification, and
	  IMA appraisal) can be much better. For details about the
	  limitations of this feature, see
	  Documentation/filesystems/fsverity.rst.

	  If unsure, say N.
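Added example (not part of the kernel source or fsverity-utils): a Python reimplementation of the fs-verity file digest the help text describes, for use cases (a) logging a file's hash and (b) comparing it against a known-good value from userspace. It assumes SHA-256 and the default 4096-byte block size, no salt unless given, and the 256-byte struct fsverity_descriptor layout from the fs-verity UAPI header; the sample inputs are constructed.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 4096              # fs-verity's default Merkle tree block size
DIGEST_SIZE = 32               # SHA-256
FS_VERITY_HASH_ALG_SHA256 = 1  # hash_algorithm value from the fs-verity UAPI

def hash_block(block: bytes, salt: bytes = b"") -> bytes:
    # Every data/tree block is zero-padded to BLOCK_SIZE, salt prepended.
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()

def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Root hash of the Merkle tree the filesystem builds over the file."""
    if not data:                         # empty file: root hash is all zeros
        return b"\0" * DIGEST_SIZE
    # Level 0 holds the hash of every data block.
    level = [hash_block(data[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(data), BLOCK_SIZE)]
    # Each higher level hashes the concatenated hashes of the level below,
    # packed into blocks, until a single hash (the root) remains.
    while len(level) > 1:
        packed = b"".join(level)
        level = [hash_block(packed[i:i + BLOCK_SIZE], salt)
                 for i in range(0, len(packed), BLOCK_SIZE)]
    return level[0]

def fsverity_descriptor(data_size: int, root: bytes, salt: bytes = b"") -> bytes:
    """Serialize struct fsverity_descriptor (256 bytes, little-endian)."""
    assert len(salt) <= 32               # struct.pack would truncate silently
    return struct.pack("<BBBBIQ64s32s144s",
                       1,                            # version (must be 1)
                       FS_VERITY_HASH_ALG_SHA256,    # hash_algorithm
                       BLOCK_SIZE.bit_length() - 1,  # log_blocksize (12)
                       len(salt),                    # salt_size
                       0,                            # __reserved_0x04
                       data_size,                    # data_size (file size)
                       root,                         # root_hash[64], zero-padded
                       salt,                         # salt[32], zero-padded
                       b"")                          # __reserved[144], zeros

def fsverity_digest(data: bytes, salt: bytes = b"") -> str:
    """File digest = hash of the descriptor (root hash, size, salt, algorithm)."""
    desc = fsverity_descriptor(len(data), merkle_root(data, salt), salt)
    return "sha256:" + hashlib.sha256(desc).hexdigest()

def matches_known_good(data: bytes, known_good: str, salt: bytes = b"") -> bool:
    """Use case (b) from the help text: compare against a trusted digest."""
    return hmac.compare_digest(fsverity_digest(data, salt), known_good)
```

Because data blocks are zero-padded before hashing, the root hash alone cannot distinguish a file from the same file with trailing zeros appended within the last block; the descriptor's data_size field is what closes that gap, which is why the digest hashes the descriptor rather than the root.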