On Fri, Mar 25, 2022 at 06:38:24PM -0400, Mimi Zohar wrote: > Update the fsverity documentation related to IMA signature support. > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > Documentation/filesystems/fsverity.rst | 20 ++++++++++++-------- > 1 file changed, 12 insertions(+), 8 deletions(-) > > diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst > index 1d831e3cbcb3..c1d355f17a54 100644 > --- a/Documentation/filesystems/fsverity.rst > +++ b/Documentation/filesystems/fsverity.rst > @@ -74,8 +74,12 @@ authenticating the files is up to userspace. However, to meet some > users' needs, fs-verity optionally supports a simple signature > verification mechanism where users can configure the kernel to require > that all fs-verity files be signed by a key loaded into a keyring; see > -`Built-in signature verification`_. Support for fs-verity file hashes > -in IMA (Integrity Measurement Architecture) policies is also planned. > +`Built-in signature verification`_. > + > +The Integrity Measurement Architecture (IMA) supports including > +fs-verity file digests and signatures in the IMA measurement list > +and verifying fs-verity based file signatures stored as security.ima > +xattrs, based on policy. This looks okay, but this would be easier to understand as a list of alternative ways to do signature verification with fs-verity: * Userspace-only * Built-in signature verification + userspace policy * IMA - Eric
|