[PATCH v17 17/21] ipe: enable support for fs-verity as a trust provider
Eric Biggers
ebiggers at kernel.org
Thu Apr 25 03:42:33 UTC 2024
On Fri, Apr 12, 2024 at 05:56:00PM -0700, Fan Wu wrote:
> +config IPE_PROP_FS_VERITY
> + bool "Enable property for fs-verity files"
> + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> + help
> + This option enables the usage of properties "fsverity_signature"
> + and "fsverity_digest". These properties evaluate to TRUE when
> + a file is fsverity enabled and has a valid builtin signature
> + whose signing cert is in the .fs-verity keyring or its
> + digest matches the supplied value in the policy.
> +
> + if unsure, answer Y.
Does this really need to depend on FS_VERITY_BUILTIN_SIGNATURES? That's needed
for fsverity_signature to work, but fsverity_digest would work without it.
I'd prefer if people had the option of only turning on
FS_VERITY_BUILTIN_SIGNATURES if they really need it.
- Eric
More information about the Linux-security-module-archive
mailing list