git.kernel.dk Git - linux-2.6-block.git/commit

author	Alexander Larsson <alexl@redhat.com>
	Wed, 19 Apr 2023 11:44:21 +0000 (13:44 +0200)
committer	Amir Goldstein <amir73il@gmail.com>
	Sat, 12 Aug 2023 16:02:38 +0000 (19:02 +0300)
commit	ae8cba4033bc16e8a07792428a48a50710cc0f3c
tree	18a5cb911e62ee310a112312969fce8d48d45bf6	tree \| snapshot
parent	52a93d39b17dc7eb98b6aa3edb93943248e03b2f	commit \| diff

ovl: Add framework for verity support

This adds the scaffolding (docs, config, mount options) for supporting
the new digest field in the metacopy xattr. This contains a fs-verity
digest that need to match the fs-verity digest of the lowerdata
file. The mount option "verity" specifies how this xattr is handled.

If you enable verity ("verity=on") all existing xattrs are validated
before use, and during metacopy we generate verity xattr in the upper
metacopy file (if the source file has verity enabled). This means
later accesses can guarantee that the same data is used.

Additionally you can use "verity=require". In this mode all metacopy
files must have a valid verity xattr. For this to work metadata
copy-up must be able to create a verity xattr (so that later accesses
are validated). Therefore, in this mode, if the lower data file
doesn't have fs-verity enabled we fall back to a full copy rather than
a metacopy.

Actual implementation follows in a separate commit.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>

Documentation/filesystems/fsverity.rst		diff \| blob \| blame \| history
Documentation/filesystems/overlayfs.rst		diff \| blob \| blame \| history
fs/overlayfs/overlayfs.h		diff \| blob \| blame \| history
fs/overlayfs/ovl_entry.h		diff \| blob \| blame \| history
fs/overlayfs/params.c		diff \| blob \| blame \| history