Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes


On Thu, Apr 4, 2019 at 3:18 PM James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> The obvious other thought is integration with fs-verity, which is a
> filesystem maintained possibly signed merkle tree hash.  The problem
> here is what does vfs_get_hash() actually mean?  The assumption seems
> to be that it is the flat hash of the entire file which doesn't work
> for merkle trees.  However, if it could be a representative hash of the
> file which is produced however the filesystem decides, it could work
> (well, unless the file is copied on to a different fs, of course ...).

We could always use fs-verity to store additional verifiable metadata
including actual hashes for consistency?
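
The distinction raised in the quoted text, as an added example that is not part of the original thread: a flat digest of a file and a Merkle root over its blocks are different values, yet the root still lets a single block be checked on its own. This is a simplified binary SHA-256 tree, not the fs-verity on-disk format; the 4096-byte block size, the 0x00/0x01 prefixes and all function names are assumptions.

```python
import hashlib

BLOCK = 4096  # assumed block size for this sketch
def flat_hash(data):
    return hashlib.sha256(data).hexdigest()  # digest of the whole file, start to end

# 0x00 / 0x01 prefixes keep leaf hashes and interior-node hashes distinct
def _leaf(block):
    return hashlib.sha256(b"\x00" + block).digest()
def _node(children):
    return hashlib.sha256(b"\x01" + children).digest()

def merkle_levels(data, block=BLOCK):
    """All tree levels, leaf hashes first, single root last."""
    level = [_leaf(data[i:i + block]) for i in range(0, len(data), block)] or [_leaf(b"")]
    levels = [level]
    while len(level) > 1:
        level = [_node(b"".join(level[i:i + 2])) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(data, block=BLOCK):
    return merkle_levels(data, block)[-1][0].hex()

def auth_path(levels, index):
    """Sibling hashes needed to re-derive the root from one block."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(level[sib] if sib < len(level) else None)  # None: no sibling
        index //= 2
    return path

def verify_block(block_data, index, path, root_hex):
    """Check one block against the root without reading the rest of the file."""
    node = _leaf(block_data)
    for sib in path:
        if sib is None:
            node = _node(node)
        elif index % 2 == 0:
            node = _node(node + sib)
        else:
            node = _node(sib + node)
        index //= 2
    return node.hex() == root_hex

if __name__ == "__main__":
    data = bytes(range(256)) * 40  # constructed sample: 10240 bytes, 3 blocks
    root = merkle_root(data)
    print(flat_hash(data) != root, verify_block(data[8192:], 2, auth_path(merkle_levels(data), 2), root))
```

A consumer that compares against a reference list of flat digests cannot match the root value, which is the mismatch the quoted paragraph points at.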


