Re: [PATCH v4 13/16] fs-verity: support builtin file signatures

[PATCH v4 00/16] fs-verity: read-only file-based authenticity protection · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
[PATCH v4 01/16] fs-verity: add a documentation file · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 01/16] fs-verity: add a documentation file · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 01/16] fs-verity: add a documentation file · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
[PATCH v4 09/16] fs-verity: add data verification hooks for ->readpages() · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 09/16] fs-verity: add data verification hooks for ->readpages() · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 07/16] fs-verity: add the hook for file ->open() · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 07/16] fs-verity: add the hook for file ->open() · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 07/16] fs-verity: add the hook for file ->open() · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
[PATCH v4 11/16] fs-verity: implement FS_IOC_MEASURE_VERITY ioctl · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 11/16] fs-verity: implement FS_IOC_MEASURE_VERITY ioctl · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 13/16] fs-verity: support builtin file signatures · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 13/16] fs-verity: support builtin file signatures · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 13/16] fs-verity: support builtin file signatures · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
[PATCH v4 16/16] f2fs: add fs-verity support · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
[PATCH v4 15/16] ext4: add fs-verity read support · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
[PATCH v4 14/16] ext4: add basic fs-verity support · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-18
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-19
Re: [PATCH v4 14/16] ext4: add basic fs-verity support · Eric Biggers <ebiggers@kernel.org> · 2019-06-19
[PATCH v4 10/16] fs-verity: implement FS_IOC_ENABLE_VERITY ioctl · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 10/16] fs-verity: implement FS_IOC_ENABLE_VERITY ioctl · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 10/16] fs-verity: implement FS_IOC_ENABLE_VERITY ioctl · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
[PATCH v4 12/16] fs-verity: add SHA-512 support · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 12/16] fs-verity: add SHA-512 support · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 05/16] fs-verity: add Kconfig and the helper functions for hashing · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 05/16] fs-verity: add Kconfig and the helper functions for hashing · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
Re: [PATCH v4 05/16] fs-verity: add Kconfig and the helper functions for hashing · Eric Biggers <ebiggers@kernel.org> · 2019-06-18
[PATCH v4 08/16] fs-verity: add the hook for file ->setattr() · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 08/16] fs-verity: add the hook for file ->setattr() · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 06/16] fs-verity: add inode and superblock fields · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 06/16] fs-verity: add inode and superblock fields · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 04/16] fs: uapi: define verity bit for FS_IOC_GETFLAGS · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 04/16] fs: uapi: define verity bit for FS_IOC_GETFLAGS · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 02/16] fs-verity: add MAINTAINERS file entry · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 02/16] fs-verity: add MAINTAINERS file entry · "Theodore Ts'o" <tytso@mit.edu> · 2019-06-15
[PATCH v4 03/16] fs-verity: add UAPI header · Eric Biggers <ebiggers@kernel.org> · 2019-06-06
Re: [PATCH v4 00/16] fs-verity: read-only file-based authenticity protection · Linus Torvalds <torvalds@linux-foundation.org> · 2019-06-06
Re: [PATCH v4 00/16] fs-verity: read-only file-based authenticity protection · Eric Biggers <ebiggers@kernel.org> · 2019-06-06

From: Eric Biggers <ebiggers@kernel.org>
Date: 2019-06-18 16:58:54
Also in: linux-api, linux-ext4, linux-f2fs-devel, linux-fscrypt, linux-fsdevel

On Sat, Jun 15, 2019 at 11:21:43AM -0400, Theodore Ts'o wrote:

On Thu, Jun 06, 2019 at 08:52:02AM -0700, Eric Biggers wrote:

quoted

From: Eric Biggers <redacted>

To meet some users' needs, add optional support for having fs-verity
handle a portion of the authentication policy in the kernel.  An
".fs-verity" keyring is created to which X.509 certificates can be
added; then a sysctl 'fs.verity.require_signatures' can be set to cause
the kernel to enforce that all fs-verity files contain a signature of
their file measurement by a key in this keyring.

I think it might be a good idea to allow the require_signatures
setting to be set on a per-file system basis, via a mount option?  We
could plumb it in via a flag in fsverity_info, set by the file system.

Perhaps, but this is something that can be added later, so I think we should
hold off on it until someone needs it.

Other than this feature request, looks good; you can add:

Reviewed-off-by: Theodore Ts'o [off-list ref]

I assume you mean "Reviewed-by" :-)

- Eric

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help