On Fri, Apr 12, 2024 at 05:56:00PM -0700, Fan Wu wrote: > +config IPE_PROP_FS_VERITY > + bool "Enable property for fs-verity files" > + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES > + help > + This option enables the usage of properties "fsverity_signature" > + and "fsverity_digest". These properties evaluate to TRUE when > + a file is fsverity enabled and has a valid builtin signature > + whose signing cert is in the .fs-verity keyring or its > + digest matches the supplied value in the policy. > + > + if unsure, answer Y. Does this really need to depend on FS_VERITY_BUILTIN_SIGNATURES? That's needed for fsverity_signature to work, but fsverity_digest would work without it. I'd prefer if people had the option of only turning on FS_VERITY_BUILTIN_SIGNATURES if they really need it. - Eric
