From: Andrey Albershteyn <aalbersh@xxxxxxxxxx>
fs-verity brings on-disk changes (inode flag). Add parameter to
enable (default disabled) fs-verity flag in superblock. This will
make newly create filesystem read-only for older kernels.
Signed-off-by: Andrey Albershteyn <aalbersh@xxxxxxxxxx>
Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx>
[djwong: make this an -i(node) option, edit manpage]
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
man/man8/mkfs.xfs.8.in | 4 ++++
mkfs/xfs_mkfs.c | 19 +++++++++++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/man/man8/mkfs.xfs.8.in b/man/man8/mkfs.xfs.8.in
index 8060d342..4864b4d4 100644
--- a/man/man8/mkfs.xfs.8.in
+++ b/man/man8/mkfs.xfs.8.in
@@ -670,6 +670,10 @@ If the value is omitted, 1 is assumed.
This feature will be enabled when possible.
This feature is only available for filesystems formatted with -m crc=1.
.TP
+.BI verity[= value]
+This flag activates verity support, which enables sealing of regular file data
+with hashes and cryptographic signatures.
+This feature is only available for filesystems formatted with -m crc=1.
.RE
.PP
.PD 0
diff --git a/mkfs/xfs_mkfs.c b/mkfs/xfs_mkfs.c
index d6fa48ed..dec5edaf 100644
--- a/mkfs/xfs_mkfs.c
+++ b/mkfs/xfs_mkfs.c
@@ -90,6 +90,7 @@ enum {
I_PROJID32BIT,
I_SPINODES,
I_NREXT64,
+ I_VERITY,
I_MAX_OPTS,
};
@@ -469,6 +470,7 @@ static struct opt_params iopts = {
[I_PROJID32BIT] = "projid32bit",
[I_SPINODES] = "sparse",
[I_NREXT64] = "nrext64",
+ [I_VERITY] = "verity",
[I_MAX_OPTS] = NULL,
},
.subopt_params = {
@@ -523,7 +525,13 @@ static struct opt_params iopts = {
.minval = 0,
.maxval = 1,
.defaultval = 1,
- }
+ },
+ { .index = I_VERITY,
+ .conflicts = { { NULL, LAST_CONFLICT } },
+ .minval = 0,
+ .maxval = 1,
+ .defaultval = 1,
+ },
},
};
@@ -889,6 +897,7 @@ struct sb_feat_args {
bool nodalign;
bool nortalign;
bool nrext64;
+ bool verity; /* XFS_SB_FEAT_RO_COMPAT_VERITY */
};
struct cli_params {
@@ -1024,7 +1033,7 @@ usage( void )
sectsize=num,concurrency=num]\n\
/* force overwrite */ [-f]\n\
/* inode size */ [-i perblock=n|size=num,maxpct=n,attr=0|1|2,\n\
- projid32bit=0|1,sparse=0|1,nrext64=0|1]\n\
+ projid32bit=0|1,sparse=0|1,nrext64=0|1,verity=0|1]\n\
/* no discard */ [-K]\n\
/* log subvol */ [-l agnum=n,internal,size=num,logdev=xxx,version=n\n\
sunit=value|su=num,sectsize=num,lazy-count=0|1,\n\
@@ -1722,6 +1731,9 @@ inode_opts_parser(
case I_NREXT64:
cli->sb_feat.nrext64 = getnum(value, opts, subopt);
break;
+ case I_VERITY:
+ cli->sb_feat.verity = getnum(value, opts, subopt);
+ break;
default:
return -EINVAL;
}
@@ -3478,6 +3490,8 @@ sb_set_features(
sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_REFLINK;
if (fp->inobtcnt)
sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_INOBTCNT;
+ if (fp->verity)
+ sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_VERITY;
if (fp->bigtime)
sbp->sb_features_incompat |= XFS_SB_FEAT_INCOMPAT_BIGTIME;
@@ -4339,6 +4353,7 @@ main(
.nortalign = false,
.bigtime = true,
.nrext64 = true,
+ .verity = false,
/*
* When we decide to enable a new feature by default,
* please remember to update the mkfs conf files.
