Allow reading files from certain other filesystems that use dm-verity
modulename: dm-verity-loadpin.ko
configname: CONFIG_SECURITY_LOADPIN_VERITY
Linux Kernel Configuration
└─>Security options
└─>Allow reading files from certain other filesystems that use dm-verity
In Linux kernel since version 6 (release date: 2022-10-02)
If selected, LoadPin can allow reading files from filesystems
that use dm-verity. LoadPin maintains a list of verity root
digests it considers trusted. A verity-backed filesystem is
considered trusted if its root digest is found in the list
of trusted digests.
The list of trusted verity root digests can be populated through an ioctl
on the LoadPin securityfs entry 'dm-verity'. The ioctl
expects a file descriptor of a file with verity digests as
parameter. The file must be located on the pinned root and
start with the line:
# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS
This is followed by the verity digests, with one digest per
line.
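
An added example (not kernel or LoadPin project code): a userspace check, in C, of the digest file layout described above, run before the file is handed to the ioctl. It assumes digests are hex text with two characters per byte and treats blank lines as errors; the function name and error codes are made up for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"

/* Error codes are local to this example (hypothetical names). */
enum { ERR_HEADER = -1, ERR_EMPTY_LINE = -2, ERR_NOT_HEX = -3, ERR_ODD_LEN = -4 };

/* Returns the number of digests in buf[0..len), or a negative ERR_* code.
 * Assumption: each digest is hex text, two characters per byte. */
int check_digest_list(const char *buf, size_t len)
{
    size_t hlen = strlen(HEADER), pos, start;
    int count = 0;

    /* The first line must be exactly the header. */
    if (len < hlen || memcmp(buf, HEADER, hlen) != 0)
        return ERR_HEADER;
    if (len > hlen && buf[hlen] != '\n')
        return ERR_HEADER;
    if (buf[len - 1] == '\n')   /* one trailing newline is fine */
        len--;

    pos = hlen;
    while (pos < len) {
        start = ++pos;          /* step over the '\n' ending the previous line */
        while (pos < len && buf[pos] != '\n') {
            if (!isxdigit((unsigned char)buf[pos]))
                return ERR_NOT_HEX;
            pos++;
        }
        if (pos == start)
            return ERR_EMPTY_LINE;   /* blank line where a digest belongs */
        if ((pos - start) % 2)
            return ERR_ODD_LEN;      /* half a byte cannot be a digest */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: header plus two made-up, shortened digests. */
    const char *sample = HEADER "\n" "00112233aabbccdd\n" "ffeeddcc99887766\n";
    printf("digests accepted: %d\n", check_digest_list(sample, strlen(sample)));
    return 0;
}
```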