• Eric Biggers's avatar
    fs-verity: support builtin file signatures · 432434c9
    Eric Biggers authored
    To meet some users' needs, add optional support for having fs-verity
    handle a portion of the authentication policy in the kernel.  An
    ".fs-verity" keyring is created to which X.509 certificates can be
    added; then a sysctl 'fs.verity.require_signatures' can be set to cause
    the kernel to enforce that all fs-verity files contain a signature of
    their file measurement by a key in this keyring.
    
    See the "Built-in signature verification" section of
    Documentation/filesystems/fsverity.rst for the full documentation.
    Reviewed-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    432434c9
signature.c 3.96 KB