cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

Kconfig (2454B)

      1# SPDX-License-Identifier: GPL-2.0
      2
      3config FS_VERITY
      4	bool "FS Verity (read-only file-based authenticity protection)"
      5	select CRYPTO
      6	select CRYPTO_HASH_INFO
      7	# SHA-256 is implied as it's intended to be the default hash algorithm.
      8	# To avoid bloat, other wanted algorithms must be selected explicitly.
      9	# Note that CRYPTO_SHA256 denotes the generic C implementation, but
     10	# some architectures provided optimized implementations of the same
     11	# algorithm that may be used instead. In this case, CRYPTO_SHA256 may
     12	# be omitted even if SHA-256 is being used.
     13	imply CRYPTO_SHA256
     14	help
     15	  This option enables fs-verity.  fs-verity is the dm-verity
     16	  mechanism implemented at the file level.  On supported
     17	  filesystems (currently EXT4 and F2FS), userspace can use an
     18	  ioctl to enable verity for a file, which causes the filesystem
     19	  to build a Merkle tree for the file.  The filesystem will then
     20	  transparently verify any data read from the file against the
     21	  Merkle tree.  The file is also made read-only.
     22
     23	  This serves as an integrity check, but the availability of the
     24	  Merkle tree root hash also allows efficiently supporting
     25	  various use cases where normally the whole file would need to
     26	  be hashed at once, such as: (a) auditing (logging the file's
     27	  hash), or (b) authenticity verification (comparing the hash
     28	  against a known good value, e.g. from a digital signature).
     29
     30	  fs-verity is especially useful on large files where not all
     31	  the contents may actually be needed.  Also, fs-verity verifies
     32	  data each time it is paged back in, which provides better
     33	  protection against malicious disks vs. an ahead-of-time hash.
     34
     35	  If unsure, say N.
     36
     37config FS_VERITY_DEBUG
     38	bool "FS Verity debugging"
     39	depends on FS_VERITY
     40	help
     41	  Enable debugging messages related to fs-verity by default.
     42
     43	  Say N unless you are an fs-verity developer.
     44
     45config FS_VERITY_BUILTIN_SIGNATURES
     46	bool "FS Verity builtin signature support"
     47	depends on FS_VERITY
     48	select SYSTEM_DATA_VERIFICATION
     49	help
     50	  Support verifying signatures of verity files against the X.509
     51	  certificates that have been loaded into the ".fs-verity"
     52	  kernel keyring.
     53
     54	  This is meant as a relatively simple mechanism that can be
     55	  used to provide an authenticity guarantee for verity files, as
     56	  an alternative to IMA appraisal.  Userspace programs still
     57	  need to check that the verity bit is set in order to get an
     58	  authenticity guarantee.
     59
     60	  If unsure, say N.