Eric Biggers authored
For ease of use, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. A ".fs-verity" keyring is created to which trusted X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement, signed by a key in this keyring.

See Documentation/filesystem/fsverity.rst for more information, namely the "Built-in file signatures" section.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
0c9ff58d