author | Eric Biggers <ebiggers@google.com> | 2019-07-22 18:26:23 +0200 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2019-08-13 04:33:50 +0200 |
commit | 432434c9f8e18cb4cf0fe05bc3eeceada0e10dc6 (patch) | |
tree | cfcf57b2bb1fbdb1e9b5739f020b0311405363c0 /fs/verity/init.c | |
parent | fs-verity: add SHA-512 support (diff) | |
fs-verity: support builtin file signatures

To meet some users' needs, add optional support for having fs-verity
handle a portion of the authentication policy in the kernel. An
".fs-verity" keyring is created to which X.509 certificates can be
added; then a sysctl 'fs.verity.require_signatures' can be set to cause
the kernel to enforce that all fs-verity files contain a signature of
their file measurement by a key in this keyring.

See the "Built-in signature verification" section of
Documentation/filesystems/fsverity.rst for the full documentation.

Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>

Diffstat (limited to 'fs/verity/init.c')
-rw-r--r-- | fs/verity/init.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/verity/init.c b/fs/verity/init.c index b593805aafcc..94c104e00861 100644 --- a/fs/verity/init.c +++ b/fs/verity/init.c @@ -45,9 +45,15 @@ static int __init fsverity_init(void) if (err) goto err_exit_info_cache; + err = fsverity_init_signature(); + if (err) + goto err_exit_workqueue; + pr_debug("Initialized fs-verity\n"); return 0; +err_exit_workqueue: + fsverity_exit_workqueue(); err_exit_info_cache: fsverity_exit_info_cache(); return err; |
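
Review bot: in fsverity_init(), a non-zero return from the new fsverity_init_signature() call now fails the whole of fs-verity initialization, although the commit message describes builtin signatures as optional, and the `goto err_exit_workqueue` path logs nothing. It is worth confirming that fsverity_init_signature() returns 0 when the feature is not configured (that definition is outside this diff, which is limited to fs/verity/init.c), and adding a pr_err() that names the failed step before the goto so a boot-time failure can be diagnosed. The unwind order itself is right: err_exit_workqueue runs fsverity_exit_workqueue() and falls through to err_exit_info_cache. There is no teardown for the signature step, which is fine only while it remains the last step in the function; a short comment saying so would help whoever adds the next one.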