verity.rst (1707B)
1.. SPDX-License-Identifier: GPL-2.0 2 3Verity files 4------------ 5 6ext4 supports fs-verity, which is a filesystem feature that provides 7Merkle tree based hashing for individual readonly files. Most of 8fs-verity is common to all filesystems that support it; see 9:ref:`Documentation/filesystems/fsverity.rst <fsverity>` for the 10fs-verity documentation. However, the on-disk layout of the verity 11metadata is filesystem-specific. On ext4, the verity metadata is 12stored after the end of the file data itself, in the following format: 13 14- Zero-padding to the next 65536-byte boundary. This padding need not 15 actually be allocated on-disk, i.e. it may be a hole. 16 17- The Merkle tree, as documented in 18 :ref:`Documentation/filesystems/fsverity.rst 19 <fsverity_merkle_tree>`, with the tree levels stored in order from 20 root to leaf, and the tree blocks within each level stored in their 21 natural order. 22 23- Zero-padding to the next filesystem block boundary. 24 25- The verity descriptor, as documented in 26 :ref:`Documentation/filesystems/fsverity.rst <fsverity_descriptor>`, 27 with optionally appended signature blob. 28 29- Zero-padding to the next offset that is 4 bytes before a filesystem 30 block boundary. 31 32- The size of the verity descriptor in bytes, as a 4-byte little 33 endian integer. 34 35Verity inodes have EXT4_VERITY_FL set, and they must use extents, i.e. 36EXT4_EXTENTS_FL must be set and EXT4_INLINE_DATA_FL must be clear. 37They can have EXT4_ENCRYPT_FL set, in which case the verity metadata 38is encrypted as well as the data itself. 39 40Verity files cannot have blocks allocated past the end of the verity 41metadata. 42 43Verity and DAX are not compatible and attempts to set both of these flags 44on a file will fail.