ovl: Handle verity during copy-up

	bool origin;

	bool indexed;

	bool metacopy;

	bool metacopy_digest;

};

static int ovl_link_up(struct ovl_copy_up_ctx *c)

	}

	if (c->metacopy) {

		err = ovl_check_setxattr(ofs, temp, OVL_XATTR_METACOPY,

					 NULL, 0, -EOPNOTSUPP);

		struct path lowerdatapath;

		struct ovl_metacopy metacopy_data = OVL_METACOPY_INIT;

		ovl_path_lowerdata(c->dentry, &lowerdatapath);

		if (WARN_ON_ONCE(lowerdatapath.dentry == NULL))

			return -EIO;

		err = ovl_get_verity_digest(ofs, &lowerdatapath, &metacopy_data);

		if (err)

			return err;

		if (metacopy_data.digest_algo)

			c->metacopy_digest = true;

		err = ovl_set_metacopy_xattr(ofs, temp, &metacopy_data);

		if (err)

			return err;

	}

	if (err)

		goto cleanup;

	if (!c->metacopy)

		ovl_set_upperdata(d_inode(c->dentry));

	inode = d_inode(c->dentry);

	if (c->metacopy_digest)

		ovl_set_flag(OVL_HAS_DIGEST, inode);

	else

		ovl_clear_flag(OVL_HAS_DIGEST, inode);

	ovl_clear_flag(OVL_VERIFIED_DIGEST, inode);

	if (!c->metacopy)

		ovl_set_upperdata(inode);

	ovl_inode_update(inode, temp);

	if (S_ISDIR(inode->i_mode))

		ovl_set_flag(OVL_WHITEOUTS, inode);

	if (err)

		goto out_fput;

	if (c->metacopy_digest)

		ovl_set_flag(OVL_HAS_DIGEST, d_inode(c->dentry));

	else

		ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));

	ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));

	if (!c->metacopy)

		ovl_set_upperdata(d_inode(c->dentry));

	ovl_inode_update(d_inode(c->dentry), dget(temp));

	if (flags && ((OPEN_FMODE(flags) & FMODE_WRITE) || (flags & O_TRUNC)))

		return false;

	/* Fall back to full copy if no fsverity on source data and we require verity */

	if (ofs->config.verity_mode == OVL_VERITY_REQUIRE) {

		struct path lowerdata;

		ovl_path_lowerdata(dentry, &lowerdata);

		if (WARN_ON_ONCE(lowerdata.dentry == NULL) ||

		    ovl_ensure_verity_loaded(&lowerdata) ||

		    !fsverity_active(d_inode(lowerdata.dentry))) {

			return false;

		}

	}

	return true;

}

	if (err)

		goto out_free;

	ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));

	ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));

	ovl_set_upperdata(d_inode(c->dentry));

out_free:

	kfree(capability);

			   struct ovl_metacopy *metacopy);

bool ovl_is_metacopy_dentry(struct dentry *dentry);

char *ovl_get_redirect_xattr(struct ovl_fs *ofs, const struct path *path, int padding);

int ovl_ensure_verity_loaded(struct path *path);

int ovl_get_verity_xattr(struct ovl_fs *ofs, const struct path *path,

			 u8 *digest_buf, int *buf_length);

int ovl_validate_verity(struct ovl_fs *ofs,

			struct path *metapath,

			struct path *datapath);

int ovl_get_verity_digest(struct ovl_fs *ofs, struct path *src,

			  struct ovl_metacopy *metacopy);

int ovl_sync_status(struct ovl_fs *ofs);

static inline void ovl_set_flag(unsigned long flag, struct inode *inode)

}

/* Call with mounter creds as it may open the file */

static int ovl_ensure_verity_loaded(struct path *datapath)

int ovl_ensure_verity_loaded(struct path *datapath)

{

	struct inode *inode = d_inode(datapath->dentry);

	struct file *filp;

	return 0;

}

int ovl_get_verity_digest(struct ovl_fs *ofs, struct path *src,

			  struct ovl_metacopy *metacopy)

{

	int err, digest_size;

	if (!ofs->config.verity_mode || !S_ISREG(d_inode(src->dentry)->i_mode))

		return 0;

	err = ovl_ensure_verity_loaded(src);

	if (err < 0) {

		pr_warn_ratelimited("lower file '%pd' failed to load fs-verity info\n",

				    src->dentry);

		return -EIO;

	}

	digest_size = fsverity_get_digest(d_inode(src->dentry),

					  metacopy->digest, &metacopy->digest_algo, NULL);

	if (digest_size == 0 ||

	    WARN_ON_ONCE(digest_size > FS_VERITY_MAX_DIGEST_SIZE)) {

		if (ofs->config.verity_mode == OVL_VERITY_REQUIRE) {

			pr_warn_ratelimited("lower file '%pd' has no fs-verity digest\n",

					    src->dentry);

			return -EIO;

		}

		return 0;

	}

	metacopy->len += digest_size;

	return 0;

}

/*

 * ovl_sync_status() - Check fs sync status for volatile mounts

 *