forked from Minki/linux
432434c9f8
To meet some users' needs, add optional support for having fs-verity handle a portion of the authentication policy in the kernel. An ".fs-verity" keyring is created to which X.509 certificates can be added; then a sysctl 'fs.verity.require_signatures' can be set to cause the kernel to enforce that all fs-verity files contain a signature of their file measurement by a key in this keyring. See the "Built-in signature verification" section of Documentation/filesystems/fsverity.rst for the full documentation. Reviewed-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Eric Biggers <ebiggers@google.com>
62 lines
1.2 KiB
C
62 lines
1.2 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* fs/verity/init.c: fs-verity module initialization and logging
|
|
*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#include "fsverity_private.h"
|
|
|
|
#include <linux/ratelimit.h>
|
|
|
|
void fsverity_msg(const struct inode *inode, const char *level,
|
|
const char *fmt, ...)
|
|
{
|
|
static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
|
|
DEFAULT_RATELIMIT_BURST);
|
|
struct va_format vaf;
|
|
va_list args;
|
|
|
|
if (!__ratelimit(&rs))
|
|
return;
|
|
|
|
va_start(args, fmt);
|
|
vaf.fmt = fmt;
|
|
vaf.va = &args;
|
|
if (inode)
|
|
printk("%sfs-verity (%s, inode %lu): %pV\n",
|
|
level, inode->i_sb->s_id, inode->i_ino, &vaf);
|
|
else
|
|
printk("%sfs-verity: %pV\n", level, &vaf);
|
|
va_end(args);
|
|
}
|
|
|
|
static int __init fsverity_init(void)
|
|
{
|
|
int err;
|
|
|
|
fsverity_check_hash_algs();
|
|
|
|
err = fsverity_init_info_cache();
|
|
if (err)
|
|
return err;
|
|
|
|
err = fsverity_init_workqueue();
|
|
if (err)
|
|
goto err_exit_info_cache;
|
|
|
|
err = fsverity_init_signature();
|
|
if (err)
|
|
goto err_exit_workqueue;
|
|
|
|
pr_debug("Initialized fs-verity\n");
|
|
return 0;
|
|
|
|
err_exit_workqueue:
|
|
fsverity_exit_workqueue();
|
|
err_exit_info_cache:
|
|
fsverity_exit_info_cache();
|
|
return err;
|
|
}
|
|
late_initcall(fsverity_init)
|