| xj | b04a402 | 2021-11-25 15:01:52 +0800 | [diff] [blame] | 1 | .. SPDX-License-Identifier: GPL-2.0 |
| 2 | |
| 3 | Verity files |
| 4 | ------------ |
| 5 | |
| 6 | ext4 supports fs-verity, which is a filesystem feature that provides |
| 7 | Merkle tree based hashing for individual readonly files. Most of |
| 8 | fs-verity is common to all filesystems that support it; see |
| 9 | :ref:`Documentation/filesystems/fsverity.rst <fsverity>` for the |
| 10 | fs-verity documentation. However, the on-disk layout of the verity |
| 11 | metadata is filesystem-specific. On ext4, the verity metadata is |
| 12 | stored after the end of the file data itself, in the following format: |
| 13 | |
| 14 | - Zero-padding to the next 65536-byte boundary. This padding need not |
| 15 | actually be allocated on-disk, i.e. it may be a hole. |
| 16 | |
| 17 | - The Merkle tree, as documented in |
| 18 | :ref:`Documentation/filesystems/fsverity.rst |
| 19 | <fsverity_merkle_tree>`, with the tree levels stored in order from |
| 20 | root to leaf, and the tree blocks within each level stored in their |
| 21 | natural order. |
| 22 | |
| 23 | - Zero-padding to the next filesystem block boundary. |
| 24 | |
| 25 | - The verity descriptor, as documented in |
| 26 | :ref:`Documentation/filesystems/fsverity.rst <fsverity_descriptor>`, |
| 27 | with optionally appended signature blob. |
| 28 | |
| 29 | - Zero-padding to the next offset that is 4 bytes before a filesystem |
| 30 | block boundary. |
| 31 | |
| 32 | - The size of the verity descriptor in bytes, as a 4-byte little |
| 33 | endian integer. |
| 34 | |
| 35 | Verity inodes have EXT4_VERITY_FL set, and they must use extents, i.e. |
| 36 | EXT4_EXTENTS_FL must be set and EXT4_INLINE_DATA_FL must be clear. |
| 37 | They can have EXT4_ENCRYPT_FL set, in which case the verity metadata |
| 38 | is encrypted as well as the data itself. |
| 39 | |
| 40 | Verity files cannot have blocks allocated past the end of the verity |
| 41 | metadata. |