On Wed, May 03, 2023 at 10:51:38AM +0200, Alexander Larsson wrote:
> When resolving lowerdata (lazily or non-lazily) we check the
> overlay.verity xattr on the metadata inode, and if set verify that the
> source lowerdata inode matches it (according to the verity options
> enabled).

Keep in mind that the lifetime of an inode's fsverity digest is from when
it is first opened to when the inode is evicted from the inode cache. If
the inode gets evicted from cache and re-instantiated, it could have been
arbitrarily changed.

Given that, does this verification happen in the right place? I would
have expected it to happen whenever the file is opened, but it seems you
do it when the dentry is looked up instead. Maybe that works too, but I'd
appreciate an explanation.

- Eric
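The point Eric raises above is that a verity digest is only meaningful for an inode that is currently open and cached; a check done at lookup time says nothing about the inode that is later re-instantiated. The following is an added userspace illustration of the alternative he describes, verifying at open time: it opens a file, measures its fs-verity digest with the FS_IOC_MEASURE_VERITY ioctl on that same open file description, and compares it against an expected digest before handing the descriptor to the caller. This is example code written for this page, not code from the overlayfs patch series or from the kernel; the fallback definitions are copied from the shape of the UAPI header and are only used when linux/fsverity.h is not available, and the command-line interface, helper names and the 64-byte digest buffer are assumptions of the example.

```c
/* Added example: bind a verity digest check to the open() of a file. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__has_include)
#  if __has_include(<linux/fsverity.h>)
#    include <linux/fsverity.h>
#    define HAVE_FSVERITY_H 1
#  endif
#endif
#ifndef HAVE_FSVERITY_H
/* Fallback mirroring the UAPI layout (assumption: matches linux/fsverity.h). */
struct fsverity_digest {
    uint16_t digest_algorithm;
    uint16_t digest_size;   /* in: buffer size; out: digest length */
    uint8_t  digest[];
};
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
#endif

#define MAX_DIGEST_SIZE 64  /* large enough for SHA-512 */

/* Ask the kernel for the fs-verity digest of an open fd. Returns the digest
 * length, or -1 with errno set (ENODATA: verity not enabled on the file,
 * ENOTTY: filesystem without fs-verity support). */
ssize_t measure_verity_digest(int fd, uint8_t *out, size_t out_len)
{
    struct fsverity_digest *d = calloc(1, sizeof(*d) + MAX_DIGEST_SIZE);
    if (!d) return -1;
    d->digest_size = MAX_DIGEST_SIZE;
    if (ioctl(fd, FS_IOC_MEASURE_VERITY, d) != 0) {
        int e = errno; free(d); errno = e; return -1;
    }
    size_t n = d->digest_size;
    if (n > out_len) { free(d); errno = EOVERFLOW; return -1; }
    memcpy(out, d->digest, n);
    free(d);
    return (ssize_t)n;
}

/* Constant-time comparison; returns 1 only if lengths and bytes all match. */
int digest_matches(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
    if (a_len != b_len) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < a_len; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a hex digest string; returns byte count or -1 on malformed input. */
ssize_t hex_to_bytes(const char *hex, uint8_t *out, size_t out_len)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0 || len / 2 > out_len) return -1;
    for (size_t i = 0; i < len / 2; i++) {
        int hi = nibble(hex[2 * i]), lo = nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (ssize_t)(len / 2);
}

/* Open and verify in one step: the digest is measured on the very file
 * description returned, so a later re-instantiation of the inode cannot
 * be confused with the object that was checked. Returns fd or -1. */
int open_verified(const char *path, const char *expected_hex)
{
    uint8_t expected[MAX_DIGEST_SIZE], measured[MAX_DIGEST_SIZE];
    ssize_t exp_len = hex_to_bytes(expected_hex, expected, sizeof expected);
    if (exp_len < 0) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t meas_len = measure_verity_digest(fd, measured, sizeof measured);
    if (meas_len < 0 ||
        !digest_matches(expected, (size_t)exp_len, measured, (size_t)meas_len)) {
        int e = meas_len < 0 ? errno : EBADMSG;
        close(fd); errno = e; return -1;
    }
    return fd;
}

/* Self-check of the pure helpers on constructed digests (no verity file needed). */
int self_check(void)
{
    uint8_t a[4], b[4];
    if (hex_to_bytes("0a1bFF", a, sizeof a) != 3) return 0;
    if (a[0] != 0x0a || a[1] != 0x1b || a[2] != 0xff) return 0;
    if (hex_to_bytes("abc", b, sizeof b) != -1) return 0;   /* odd length */
    if (hex_to_bytes("zz", b, sizeof b) != -1) return 0;    /* bad char */
    memcpy(b, a, 3);
    if (!digest_matches(a, 3, b, 3)) return 0;
    b[2] ^= 1;
    if (digest_matches(a, 3, b, 3)) return 0;
    if (digest_matches(a, 3, a, 2)) return 0;               /* length mismatch */
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s FILE EXPECTED_HEX_DIGEST\n", argv[0]);
        return 2;
    }
    int fd = open_verified(argv[1], argv[2]);
    if (fd < 0) { perror("open_verified"); return 1; }
    printf("digest verified; fd %d is safe to read\n", fd);
    close(fd);
    return 0;
}
```

On a file without fs-verity enabled the ioctl fails with ENODATA and open_verified() refuses to return a descriptor, which is the behaviour a consumer wants: an unverified object is never handed out. The pattern mirrors the placement Eric asks about, the check happening on the object actually being opened rather than on an earlier lookup result.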