mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.7 KiB
44 lines
1.7 KiB
.. SPDX-License-Identifier: GPL-2.0 |
|
|
|
Verity files |
|
------------ |
|
|
|
ext4 supports fs-verity, which is a filesystem feature that provides |
|
Merkle tree based hashing for individual readonly files. Most of |
|
fs-verity is common to all filesystems that support it; see |
|
:ref:`Documentation/filesystems/fsverity.rst <fsverity>` for the |
|
fs-verity documentation. However, the on-disk layout of the verity |
|
metadata is filesystem-specific. On ext4, the verity metadata is |
|
stored after the end of the file data itself, in the following format: |
|
|
|
- Zero-padding to the next 65536-byte boundary. This padding need not |
|
actually be allocated on-disk, i.e. it may be a hole. |
|
|
|
- The Merkle tree, as documented in |
|
:ref:`Documentation/filesystems/fsverity.rst |
|
<fsverity_merkle_tree>`, with the tree levels stored in order from |
|
root to leaf, and the tree blocks within each level stored in their |
|
natural order. |
|
|
|
- Zero-padding to the next filesystem block boundary. |
|
|
|
- The verity descriptor, as documented in |
|
:ref:`Documentation/filesystems/fsverity.rst <fsverity_descriptor>`, |
|
with optionally appended signature blob. |
|
|
|
- Zero-padding to the next offset that is 4 bytes before a filesystem |
|
block boundary. |
|
|
|
- The size of the verity descriptor in bytes, as a 4-byte little |
|
endian integer. |
|
|
|
Verity inodes have EXT4_VERITY_FL set, and they must use extents, i.e. |
|
EXT4_EXTENTS_FL must be set and EXT4_INLINE_DATA_FL must be clear. |
|
They can have EXT4_ENCRYPT_FL set, in which case the verity metadata |
|
is encrypted as well as the data itself. |
|
|
|
Verity files cannot have blocks allocated past the end of the verity |
|
metadata. |
|
|
|
Verity and DAX are not compatible and attempts to set both of these flags |
|
on a file will fail.
|
|
|