Lines Matching full:fs
6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, the base fs-verity feature only provides integrity
44 However, because fs-verity makes retrieving the file hash extremely
51 authenticate the contents of an fs-verity file by using the
55 A standard file hash could be used instead of fs-verity. However,
63 Unlike an ahead-of-time hash, fs-verity also re-verifies data each
67 fs-verity does not replace or obsolete dm-verity. dm-verity should
68 still be used on read-only filesystems. fs-verity is for files that
72 The base fs-verity feature is a hashing mechanism only; actually
79 fs-verity optionally supports a simple signature verification
81 all fs-verity files be signed by a key loaded into a keyring;
86 IMA supports including fs-verity file digests and signatures in the
87 IMA measurement list and verifying fs-verity based file signatures
97 The FS_IOC_ENABLE_VERITY ioctl enables fs-verity on a file. It takes
171 - ``ENOKEY``: the fs-verity keyring doesn't contain the certificate
173 - ``ENOPKG``: fs-verity recognizes the hash algorithm, but it's not
176 - ``ENOTTY``: this type of filesystem does not implement fs-verity
177 - ``EOPNOTSUPP``: the kernel was not configured with fs-verity
179 feature enabled on it; or the filesystem does not support fs-verity
192 The fs-verity file digest is a cryptographic digest that identifies
224 - ``ENOTTY``: this type of filesystem does not implement fs-verity
225 - ``EOPNOTSUPP``: the kernel was not configured with fs-verity
239 fs-verity compatible verification of the file. This only makes sense
243 This is a fairly specialized use case, and most fs-verity users won't
268 - ``FS_VERITY_METADATA_TYPE_DESCRIPTOR`` reads the fs-verity
269 descriptor. See `fs-verity descriptor`_.
287 implement fs-verity compatible verification anyway (though absent a
301 - ``ENOTTY``: this type of filesystem does not implement fs-verity, or
303 - ``EOPNOTSUPP``: the kernel was not configured with fs-verity
310 The existing ioctl FS_IOC_GETFLAGS (which isn't specific to fs-verity)
311 can also be used to check whether a file has fs-verity enabled or not.
321 the file has fs-verity enabled. This can perform better than
335 allowed, since these are not measured by fs-verity. Verity files
347 - If the sysctl "fs.verity.require_signatures" is set to 1 and the
348 file is not signed by a key in the fs-verity keyring, then opening
353 its "verity"-ness. fs-verity is primarily meant for files like
359 This section describes how fs-verity hashes the file contents using a
362 that support fs-verity.
365 compute fs-verity file digests itself, e.g. in order to sign files.
407 fs-verity descriptor
415 To solve this problem, the fs-verity file digest is actually computed
434 With CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, fs-verity supports putting
438 1. At fs-verity module initialization time, a keyring ".fs-verity" is
445 detached signature in DER format of the file's fs-verity digest.
449 in the ".fs-verity" keyring.
451 3. A new sysctl "fs.verity.require_signatures" is made available.
455 fs-verity file digests must be signed in the following format, which
465 fs-verity's built-in signature verification support is meant as a
476 fs-verity is supported by several filesystems, described below. The
477 CONFIG_FS_VERITY kconfig option must be enabled to use fs-verity on
481 ``fs/verity/`` support layer and filesystems. Briefly, filesystems
486 ``fs/verity/`` at certain times, such as when a file is opened or when
492 ext4 supports fs-verity since Linux v5.4 and e2fsprogs v1.45.2.
506 fs-verity. In this case, the plaintext data is verified rather than
507 the ciphertext. This is necessary in order to make the fs-verity file
528 f2fs supports fs-verity since Linux v5.4 and f2fs-tools v1.11.0.
550 btrfs supports fs-verity since Linux v5.15. Verity-enabled inodes are
560 fs-verity ensures that all reads of a verity file's data are verified,
574 Therefore, fs/verity/ provides a function fsverity_verify_page() which
610 filesystems to support fs-verity, fs/verity/ also provides a function
635 fs-verity, these filesystems use fsverity_verify_page() to verify hole
639 direct I/O would bypass fs-verity.
645 fs-verity can be found at:
650 including examples of setting up fs-verity protected files.
655 To test fs-verity, use xfstests. For example, using `kvm-xfstests
663 This section answers frequently asked questions about fs-verity that
666 :Q: Why isn't fs-verity part of IMA?
667 :A: fs-verity and IMA (Integrity Measurement Architecture) have
668 different focuses. fs-verity is a filesystem-level mechanism for
674 IMA supports the fs-verity hashing mechanism as an alternative
677 doesn't make sense to force all uses of fs-verity to be through
678 IMA. fs-verity already meets many users' needs even as a
682 :Q: Isn't fs-verity useless because the attacker can just modify the
684 :A: To verify the authenticity of an fs-verity file you must verify
685 the authenticity of the "fs-verity file digest", which
688 :Q: Isn't fs-verity useless because the attacker can just replace a
691 userspace code that authenticates the files; fs-verity is just a
739 :Q: Why doesn't fs-verity support writes?
742 fs-verity. Write support would require:
764 very different cases; the same applies to fs-verity.
771 properties are unwanted for fs-verity, so reusing the immutable
780 :Q: Does fs-verity support remote filesystems?
781 :A: So far all filesystems that have implemented fs-verity support are
783 per-file verity metadata can support fs-verity, regardless of
788 by ``fs/verity/`` also assume that the filesystem uses the Linux
791 :Q: Why is anything filesystem-specific at all? Shouldn't fs-verity