Re: [PATCH v17 17/21] ipe: enable support for fs-verity as a trust provider

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Apr 12, 2024 at 05:56:00PM -0700, Fan Wu wrote:
> +config IPE_PROP_FS_VERITY
> +	bool "Enable property for fs-verity files"
> +	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> +	help
> +	  This option enables the usage of properties "fsverity_signature"
> +	  and "fsverity_digest". These properties evaluate to TRUE when
> +	  a file is fsverity enabled and has a valid builtin signature
> +	  whose signing cert is in the .fs-verity keyring or its
> +	  digest matches the supplied value in the policy.
> +
> +	  if unsure, answer Y.

Does this really need to depend on FS_VERITY_BUILTIN_SIGNATURES?  That's needed
for fsverity_signature to work, but fsverity_digest would work without it.

I'd prefer if people had the option of only turning on
FS_VERITY_BUILTIN_SIGNATURES if they really need it.

- Eric




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux