Commit 02ee2316 authored by Mimi Zohar

fsverity: update the documentation



Update the fsverity documentation related to IMA signature support.

Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 398c42e2
+23 −12
@@ -70,12 +70,23 @@ must live on a read-write filesystem because they are independently
updated and potentially user-installed, so dm-verity cannot be used.

The base fs-verity feature is a hashing mechanism only; actually
authenticating the files is up to userspace.  However, to meet some
users' needs, fs-verity optionally supports a simple signature
verification mechanism where users can configure the kernel to require
that all fs-verity files be signed by a key loaded into a keyring; see
`Built-in signature verification`_.  Support for fs-verity file hashes
in IMA (Integrity Measurement Architecture) policies is also planned.
authenticating the files may be done by:

* Userspace-only

* Builtin signature verification + userspace policy

  fs-verity optionally supports a simple signature verification
  mechanism where users can configure the kernel to require that
  all fs-verity files be signed by a key loaded into a keyring;
  see `Built-in signature verification`_.

* Integrity Measurement Architecture (IMA)

  IMA supports including fs-verity file digests and signatures in the
  IMA measurement list and verifying fs-verity based file signatures
  stored as security.ima xattrs, based on policy.


User API
========
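Review bot: the "Userspace-only" bullet is the only one of the three new options with no explanatory text, so a reader of the rendered document sees a bare heading between two described alternatives; suggest a one-line note under it saying that in this mode the kernel only provides the file digest and userspace decides what to do with it, which is what the retained sentence "actually authenticating the files is up to userspace" already states. Also, the bullet title "Builtin signature verification + userspace policy" spells it "Builtin" while the reference target it links to three lines later is `Built-in signature verification`_; use the hyphenated form in the bullet so the two match.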
@@ -653,12 +664,12 @@ weren't already directly answered in other parts of this document.
    hashed and what to do with those hashes, such as log them,
    authenticate them, or add them to a measurement list.

    IMA is planned to support the fs-verity hashing mechanism as an
    alternative to doing full file hashes, for people who want the
    performance and security benefits of the Merkle tree based hash.
    But it doesn't make sense to force all uses of fs-verity to be
    through IMA.  As a standalone filesystem feature, fs-verity
    already meets many users' needs, and it's testable like other
    IMA supports the fs-verity hashing mechanism as an alternative
    to full file hashes, for those who want the performance and
    security benefits of the Merkle tree based hash.  However, it
    doesn't make sense to force all uses of fs-verity to be through
    IMA.  fs-verity already meets many users' needs even as a
    standalone filesystem feature, and it's testable like other
    filesystem features e.g. with xfstests.

:Q: Isn't fs-verity useless because the attacker can just modify the
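Review bot: the rewritten answer only describes IMA's use of fs-verity as a hashing alternative ("IMA supports the fs-verity hashing mechanism as an alternative to full file hashes"), while the new bullet in the first hunk also says IMA can verify fs-verity based file signatures stored as security.ima xattrs; consider a short mention here so the FAQ answer and the overview agree. Minor style: "Merkle tree based hash" reads better hyphenated as "Merkle-tree-based hash", and "filesystem features e.g. with xfstests" wants a comma before "e.g.".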