This patchset adds support for using fs-verity to validate lowerdata
files by specifying an overlay.verity xattr on the metacopy files.

This is primarily motivated by the Composefs usecase, where there will
be a read-only EROFS layer that contains redirects into a base data
layer which has fs-verity enabled on all files. However, it is also
useful in general if you want to ensure that the lowerdata files match
the expected content over time.

I have also added some tests for this feature to xfstests[1].

I'm also CC:ing the fsverity list and maintainers because there is one
(tiny) fsverity change, and there may be interest in this usecase.

Changes since v2:
 * Rebased on top of overlayfs-next
 * We now always do verity verification the first time the file content
   is used, rather than doing it at lookup time for the non-lazy lookup
   case.

Changes since v1:
 * Rebased on v2 lazy lowerdata series
 * Dropped the "validate" mount option variant. We now only support
   "off", "on" and "require", where "off" is the default.
 * We now store the digest algorithm used in the overlay.verity xattr.
 * Dropped ability to configure default verity options, as this could
   cause problems moving layers between machines.
 * We now properly resolve dependent mount options by automatically
   enabling metacopy and redirect_dir if verity is on, or failing if
   the specified options conflict.
 * Streamlined and fixed the handling of creds in
   ovl_ensure_verity_loaded().
 * Renamed new helpers from ovl_entry_path_ to ovl_e_path_

[1] https://github.com/alexlarsson/xfstests/commits/verity-tests

Alexander Larsson (4):
  fsverity: Export fsverity_get_digest
  ovl: Add framework for verity support
  ovl: Validate verity xattr when resolving lowerdata
  ovl: Handle verity during copy-up

 Documentation/filesystems/overlayfs.rst |  27 +++++
 fs/overlayfs/copy_up.c                  |  33 +++++-
 fs/overlayfs/file.c                     |   8 +-
 fs/overlayfs/namei.c                    |  54 +++++++++-
 fs/overlayfs/overlayfs.h                |  12 ++-
 fs/overlayfs/ovl_entry.h                |   3 +
 fs/overlayfs/super.c                    |  79 +++++++++++++-
 fs/overlayfs/util.c                     | 133 ++++++++++++++++++++++++
 fs/verity/measure.c                     |   1 +
 9 files changed, 340 insertions(+), 10 deletions(-)

--
2.40.1