[RFC PATCH v15 18/21] ipe: enable support for fs-verity as a trust provider

Fan Wu wufan at linux.microsoft.com
Mon Mar 18 20:40:41 UTC 2024



On 3/17/2024 10:17 PM, Eric Biggers wrote:
> On Fri, Mar 15, 2024 at 08:35:48PM -0700, Fan Wu wrote:
>> +config IPE_PROP_FS_VERITY
>> +	bool "Enable property for fs-verity files"
>> +	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
>> +	help
>> +	  This option enables the usage of properties "fsverity_signature"
>> +	  and "fsverity_digest". These properties evaluate to TRUE when
>> +	  a file is fsverity enabled and with a signed digest
> 
> Again: why would anyone care if there is a signature, if that signature is not
> checked.
> 
> I think you meant to write something like: "when a file is fsverity enabled and
> has a valid builtin signature whose signing cert is in the .fs-verity keyring".
> 
> - Eric

Thanks for the suggestion. I agree this is a more accurate description. 
I'll update the description to include these details.

-Fan



More information about the Linux-security-module-archive mailing list