[RFC PATCH v13 17/20] ipe: enable support for fs-verity as a trust provider
Randy Dunlap
rdunlap at infradead.org
Thu Feb 29 04:01:16 UTC 2024
On 2/28/24 16:54, Fan Wu wrote:
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> index 7afb1ce0cb99..9dd5c4769d79 100644
> --- a/security/ipe/Kconfig
> +++ b/security/ipe/Kconfig
> @@ -30,6 +30,19 @@ config IPE_PROP_DM_VERITY
> that was mounted with a signed root-hash or the volume's
> root hash matches the supplied value in the policy.
>
> + If unsure, answer Y.
> +
> +config IPE_PROP_FS_VERITY
> + bool "Enable property for fs-verity files"
> + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> + help
> + This option enables the usage of properties "fsverity_signature"
> + and "fsverity_digest". These properties evaluates to TRUE when
> + a file is fsverity enabled and with a signed digest or its
> + diegst matches the supplied value in the policy.
digest
> +
> + if unsure, answer Y.
--
#Randy
More information about the Linux-security-module-archive
mailing list