Home
last modified time | relevance | path

Searched refs:verity (Results 1 – 25 of 44) sorted by relevance

12

/linux/Documentation/filesystems/
H A Dfsverity.rst6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
19 <https://www.kernel.org/doc/Documentation/admin-guide/device-mapper/verity.rst>`_
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, fs-verity only provides integrity protection, i.e.
[all …]
H A Doverlayfs.rst481 fs-verity support
485 fs-verity enabled and overlay verity support is enabled, then the
490 When a layer containing verity xattrs is used, it means that any such
496 digest check, or from a later read due to fs-verity) and a detailed
497 error is printed to the kernel logs. For more details of how fs-verity
504 layer is fully trusted (by using dm-verity or something similar), then
511 This feature is controlled by the "verity" mount option, which
516 default if verity option is not specified.
520 generating a metacopy file the verity digest will be set in it
525 will only be used if the data file has fs-verity enabled,
/linux/security/loadpin/
H A DKconfig12 dm-verity or a CDROM.
26 bool "Allow reading files from certain other filesystems that use dm-verity"
30 that use dm-verity. LoadPin maintains a list of verity root
31 digests it considers trusted. A verity backed filesystem is
35 The list of trusted verity can be populated through an ioctl
36 on the LoadPin securityfs entry 'dm-verity'. The ioctl
37 expects a file descriptor of a file with verity digests as
43 This is followed by the verity digests, with one digest per
/linux/Documentation/filesystems/ext4/
H A Dverity.rst6 ext4 supports fs-verity, which is a filesystem feature that provides
8 fs-verity is common to all filesystems that support it; see
10 fs-verity documentation. However, the on-disk layout of the verity
11 metadata is filesystem-specific. On ext4, the verity metadata is
25 - The verity descriptor, as documented in
32 - The size of the verity descriptor in bytes, as a 4-byte little
37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
40 Verity files cannot have blocks allocated past the end of the verity
H A Doverview.rst29 verity
/linux/fs/verity/
H A DKconfig12 This option enables fs-verity. fs-verity is the dm-verity
15 use an ioctl to enable verity for a file, which causes the
27 fs-verity is especially useful on large files where not all
28 the contents may actually be needed. Also, fs-verity verifies
40 fs-verity builtin signatures.
43 the only way to do signatures with fs-verity, and the
/linux/drivers/md/
H A DMakefile27 dm-verity-y += dm-verity-target.o
74 obj-$(CONFIG_DM_VERITY) += dm-verity.o
86 obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
105 dm-verity-objs += dm-verity-fec.o
109 dm-verity-objs += dm-verity-verify-sig.o
H A DKconfig564 be called dm-verity.
573 Add ability for dm-verity device to be validated if the
586 Rely on the secondary trusted keyring to verify dm-verity signatures.
596 Rely also on the platform keyring to verify dm-verity signatures.
604 Add forward error correction support to dm-verity. This option
/linux/security/ipe/
H A DKconfig57 bool "Enable support for dm-verity based on root hash"
61 policies. The property evaluates to TRUE when a file from a dm-verity
66 bool "Enable support for dm-verity based on root hash signature"
70 policies. The property evaluates to TRUE when a file from a dm-verity
77 bool "Enable support for fs-verity based on file digest"
88 bool "Enable support for fs-verity based on builtin signature"
94 is in the .fs-verity keyring.
/linux/Documentation/admin-guide/device-mapper/
H A Ddm-init.rst32 <target_type> ::= "verity" | "linear" | ... (see list below)
61 `verity` allowed
85 dm-verity,,3,ro,
86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
120 "verity"::
122 dm-verity,,4,ro,
123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
H A Dverity.rst2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
40 dm-verity device.
114 verity <dev> is encrypted the <fec_dev> should be too.
131 rather than every time. This reduces the overhead of dm-verity so that it
154 If verity hashes are in cache and the IO size does not exceed the limit,
167 dm-verity is meant to be set up as part of a verified boot path. This
171 When a dm-verity device is configured, it is expected that the caller
219 The verity kernel code does not read the verity metadata on-disk header.
222 verity header.
[all …]
H A Dindex.rst40 verity
H A Ddm-ima.rst15 target types like crypt, verity, integrity etc. Each of these target
338 #. verity
673 10. verity
676 section above) has the following data format for 'verity' target.
685 target_name := "target_name=verity"
704 When a 'verity' target is loaded, then IMA ASCII measurement log will have an entry
705 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA
710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
711 …target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_fail…
/linux/Documentation/ABI/testing/
H A Dima_policy59 specifying "digest_type=verity" first.)
64 digest_type:= verity
65 Require fs-verity's file digest instead of the
166 Example of a 'measure' rule requiring fs-verity's digests
169 measure func=FILE_CHECK digest_type=verity \
172 Example of 'measure' and 'appraise' rules requiring fs-verity
179 measure func=BPRM_CHECK digest_type=verity \
186 appraise func=BPRM_CHECK digest_type=verity \
/linux/Documentation/translations/zh_CN/security/
H A Dipe.rst53 如果对由dm-verity保护的文件系统进行了离线挂载,校验
57 verity同样提供了对抗恶意块设备的额外保护。在这样的
60 错误将报告攻击者的有效载荷。由于dm-verity会在页面错
66 * dm-verity在块被读取时按需提供完整性验证,而不需要将整
H A DIMA-templates.rst60 - 'd-ngv2':与d-ng相同,但以"ima"或"verity"摘要类型为前缀
/linux/tools/testing/selftests/dm-verity/
H A Dtest-dm-verity-keyring.sh142 if ! modprobe -n dm-verity &>/dev/null; then
160 modprobe -r dm-verity 2>/dev/null || \
166 …modprobe dm-verity keyring_unsealed="$keyring_unsealed" require_signatures="$require_signatures" |…
203 done < <(dmsetup ls --target verity 2>/dev/null)
206 modprobe -r dm-verity 2>/dev/null || \
229 CN = dm-verity-test-key
427 CN = dm-verity-test-$name
791 WORK_DIR=$(mktemp -d -t dm-verity-test.XXXXXX)
H A DMakefile3 TEST_PROGS := test-dm-verity-keyring.sh
/linux/Documentation/admin-guide/LSM/
H A Dipe.rst34 a file's origin, such as dm-verity or fs-verity, which provide a layer of
36 that trust files from a dm-verity protected device. dm-verity ensures the
38 of its contents. Similarly, fs-verity offers filesystem-level integrity
40 fs-verity. These two features cannot be turned off once established, so
50 property. The latter includes checking the roothash of a dm-verity
51 protected device, determining whether dm-verity possesses a valid
52 signature, assessing the digest of a fs-verity protected file, or
53 determining whether fs-verity possesses a valid built-in signature. This
648 specific dm-verity volumes, identified via their root hashes. It has a
673 This property can be utilized for authorization of all dm-verity
[all …]
H A DLoadPin.rst8 such as dm-verity or CDROM. This allows systems that have a verified
/linux/Documentation/translations/zh_CN/filesystems/
H A Dubifs-authentication.rst33 dm-verity 子系统[DM-INTEGRITY, DM-VERITY]在块层实现完整数据认证,这些
350 [DM-VERITY] https://www.kernel.org/doc/Documentation/device-mapper/verity.rst
/linux/fs/f2fs/
H A DMakefile10 f2fs-$(CONFIG_FS_VERITY) += verity.o
/linux/fs/ext4/
H A DMakefile20 ext4-$(CONFIG_FS_VERITY) += verity.o
/linux/fs/btrfs/
H A DMakefile40 btrfs-$(CONFIG_FS_VERITY) += verity.o
/linux/fs/
H A DMakefile34 obj-$(CONFIG_FS_VERITY) += verity/

12