[RFC PATCH v15 18/21] ipe: enable support for fs-verity as a trust provider
Eric Biggers
ebiggers at kernel.org
Mon Mar 18 05:17:03 UTC 2024
On Fri, Mar 15, 2024 at 08:35:48PM -0700, Fan Wu wrote:
> +config IPE_PROP_FS_VERITY
> + bool "Enable property for fs-verity files"
> + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> + help
> + This option enables the usage of properties "fsverity_signature"
> + and "fsverity_digest". These properties evaluate to TRUE when
> + a file is fsverity enabled and with a signed digest
Again: why would anyone care if there is a signature, if that signature is not
checked.
I think you meant to write something like: "when a file is fsverity enabled and
has a valid builtin signature whose signing cert is in the .fs-verity keyring".
- Eric
More information about the Linux-security-module-archive
mailing list