Re: [PATCH v7 5/5] fsverity: update the documentation

From: Eric Biggers
Date: Tue Apr 05 2022 - 22:32:42 EST


On Fri, Mar 25, 2022 at 06:38:24PM -0400, Mimi Zohar wrote:
> Update the fsverity documentation related to IMA signature support.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> Documentation/filesystems/fsverity.rst | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
> index 1d831e3cbcb3..c1d355f17a54 100644
> --- a/Documentation/filesystems/fsverity.rst
> +++ b/Documentation/filesystems/fsverity.rst
> @@ -74,8 +74,12 @@ authenticating the files is up to userspace. However, to meet some
> users' needs, fs-verity optionally supports a simple signature
> verification mechanism where users can configure the kernel to require
> that all fs-verity files be signed by a key loaded into a keyring; see
> -`Built-in signature verification`_. Support for fs-verity file hashes
> -in IMA (Integrity Measurement Architecture) policies is also planned.
> +`Built-in signature verification`_.
> +
> +The Integrity Measurement Architecture (IMA) supports including
> +fs-verity file digests and signatures in the IMA measurement list
> +and verifying fs-verity based file signatures stored as security.ima
> +xattrs, based on policy.

This looks okay, but this would be easier to understand as a list of alternative
ways to do signature verification with fs-verity:

* Userspace-only
* Built-in signature verification + userspace policy
* IMA

- Eric