diff options
| author | Andrey Albershteyn <aalbersh@redhat.com> | 2024-03-13 11:56:12 -0700 |
|---|---|---|
| committer | Darrick J. Wong <djwong@kernel.org> | 2024-05-10 17:22:28 -0700 |
| commit | 57d0f76878329117d104f9ac2af1fe0e638401d4 (patch) | |
| tree | 67df6ca575085686d1bb9dd41fb9b965e9903132 | |
| parent | 1a684766a63864845a46b70a097f6714d966dc8c (diff) | |
| download | xfsprogs-dev-fsverity.tar.gz | |
mkfs.xfs: add verity parameterfsverity_2024-05-10fsverity
fs-verity brings on-disk changes (inode flag). Add parameter to
enable (default disabled) fs-verity flag in superblock. This will
make newly create filesystem read-only for older kernels.
Signed-off-by: Andrey Albershteyn <aalbersh@redhat.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
[djwong: make this an -i(node) option, edit manpage]
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
| -rw-r--r-- | man/man8/mkfs.xfs.8.in | 6 | ||||
| -rw-r--r-- | mkfs/lts_4.19.conf | 1 | ||||
| -rw-r--r-- | mkfs/lts_5.10.conf | 1 | ||||
| -rw-r--r-- | mkfs/lts_5.15.conf | 1 | ||||
| -rw-r--r-- | mkfs/lts_5.4.conf | 1 | ||||
| -rw-r--r-- | mkfs/lts_6.1.conf | 1 | ||||
| -rw-r--r-- | mkfs/lts_6.6.conf | 1 | ||||
| -rw-r--r-- | mkfs/xfs_mkfs.c | 25 |
8 files changed, 36 insertions, 1 deletions
diff --git a/man/man8/mkfs.xfs.8.in b/man/man8/mkfs.xfs.8.in index 1db6765a80..431cbcb8c7 100644 --- a/man/man8/mkfs.xfs.8.in +++ b/man/man8/mkfs.xfs.8.in @@ -688,6 +688,12 @@ Online repair uses this functionality to rebuild extended attributes, directories, symbolic links, and realtime metadata files. This feature is disabled by default. This feature is only available for filesystems formatted with -m crc=1. +.TP +.BI verity[= value] +This flag activates verity support, which enables sealing of regular file data +with hashes and cryptographic signatures. +This feature is disabled by default. +This feature is only available for filesystems formatted with -m crc=1. .RE .PP .PD 0 diff --git a/mkfs/lts_4.19.conf b/mkfs/lts_4.19.conf index 700dd2dff9..2cd8999b20 100644 --- a/mkfs/lts_4.19.conf +++ b/mkfs/lts_4.19.conf @@ -14,6 +14,7 @@ rmapbt=0 sparse=1 nrext64=0 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/lts_5.10.conf b/mkfs/lts_5.10.conf index a03cebfc41..765ffde89d 100644 --- a/mkfs/lts_5.10.conf +++ b/mkfs/lts_5.10.conf @@ -14,6 +14,7 @@ rmapbt=0 sparse=1 nrext64=0 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/lts_5.15.conf b/mkfs/lts_5.15.conf index 0c93950f31..76afb3cae6 100644 --- a/mkfs/lts_5.15.conf +++ b/mkfs/lts_5.15.conf @@ -14,6 +14,7 @@ rmapbt=0 sparse=1 nrext64=0 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/lts_5.4.conf b/mkfs/lts_5.4.conf index 059af41262..f0f6526da7 100644 --- a/mkfs/lts_5.4.conf +++ b/mkfs/lts_5.4.conf @@ -14,6 +14,7 @@ rmapbt=0 sparse=1 nrext64=0 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/lts_6.1.conf b/mkfs/lts_6.1.conf index 4d14092086..7591699396 100644 --- a/mkfs/lts_6.1.conf +++ b/mkfs/lts_6.1.conf @@ -14,6 +14,7 @@ rmapbt=0 sparse=1 nrext64=0 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/lts_6.6.conf b/mkfs/lts_6.6.conf index 0420e8e476..e3f99d2aa4 100644 --- a/mkfs/lts_6.6.conf +++ b/mkfs/lts_6.6.conf @@ -14,6 +14,7 @@ rmapbt=1 sparse=1 nrext64=1 exchange=0 +verity=0 [naming] parent=0 diff --git a/mkfs/xfs_mkfs.c b/mkfs/xfs_mkfs.c index 7e30404646..f41d9749b4 100644 --- a/mkfs/xfs_mkfs.c +++ b/mkfs/xfs_mkfs.c @@ -92,6 +92,7 @@ enum { I_SPINODES, I_NREXT64, I_EXCHANGE, + I_VERITY, I_MAX_OPTS, }; @@ -477,6 +478,7 @@ static struct opt_params iopts = { [I_SPINODES] = "sparse", [I_NREXT64] = "nrext64", [I_EXCHANGE] = "exchange", + [I_VERITY] = "verity", [I_MAX_OPTS] = NULL, }, .subopt_params = { @@ -538,6 +540,12 @@ static struct opt_params iopts = { .maxval = 1, .defaultval = 1, }, + { .index = I_VERITY, + .conflicts = { { NULL, LAST_CONFLICT } }, + .minval = 0, + .maxval = 1, + .defaultval = 1, + }, }, }; @@ -946,6 +954,7 @@ struct sb_feat_args { bool nrext64; bool exchrange; /* XFS_SB_FEAT_INCOMPAT_EXCHRANGE */ bool rtgroups; /* XFS_SB_FEAT_INCOMPAT_RTGROUPS */ + bool verity; /* XFS_SB_FEAT_RO_COMPAT_VERITY */ }; struct cli_params { @@ -1087,7 +1096,7 @@ usage( void ) /* force overwrite */ [-f]\n\ /* inode size */ [-i perblock=n|size=num,maxpct=n,attr=0|1|2,\n\ projid32bit=0|1,sparse=0|1,nrext64=0|1,\n\ - exchange=0|1]\n\ + exchange=0|1,verity=0|1]\n\ /* no discard */ [-K]\n\ /* log subvol */ [-l agnum=n,internal,size=num,logdev=xxx,version=n\n\ sunit=value|su=num,sectsize=num,lazy-count=0|1,\n\ @@ -1789,6 +1798,9 @@ inode_opts_parser( case I_EXCHANGE: cli->sb_feat.exchrange = getnum(value, opts, subopt); break; + case I_VERITY: + cli->sb_feat.verity = getnum(value, opts, subopt); + break; default: return -EINVAL; } @@ -2470,6 +2482,14 @@ _("metadata directory not supported without CRC support\n")); usage(); } cli->sb_feat.metadir = false; + + if (cli->sb_feat.verity && + cli_opt_set(&iopts, I_VERITY)) { + fprintf(stderr, +_("verity not supported without CRC support\n")); + usage(); + } + cli->sb_feat.verity = false; } if (!cli->sb_feat.finobt) { @@ -3813,6 +3833,8 @@ sb_set_features( sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_REFLINK; if (fp->inobtcnt) sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_INOBTCNT; + if (fp->verity) + sbp->sb_features_ro_compat |= XFS_SB_FEAT_RO_COMPAT_VERITY; if (fp->bigtime) sbp->sb_features_incompat |= XFS_SB_FEAT_INCOMPAT_BIGTIME; if (fp->parent_pointers) { @@ -4766,6 +4788,7 @@ main( .nortalign = false, .bigtime = true, .nrext64 = true, + .verity = false, /* * When we decide to enable a new feature by default, * please remember to update the mkfs conf files. |