Google Volleys Latest FS-VERITY Code For Transparent Integrity/Authenticity Of Files

Written by Michael Larabel in Google on 2 November 2018 at 07:17 AM EDT.
One of the new Linux kernel features Google engineers have been working on is fs-verity for read-only file-based authenticity protection. Fs-verity has a similar aim to dm-verity but is designed to work on a per-file basis on read-write file-systems rather than at the block level.

Fs-verity supports transparent integrity and authenticity protection of read-only files. User-space appends a Merkle hash tree to a file, and an ioctl then enables fs-verity on a per-file basis. All reads are then verified against the hash tree and only allowed through if the verification passes.
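To make the read-time check concrete, here is a simplified Merkle-tree model added for illustration; it is not code from the fs-verity patch series and does not reproduce its on-disk format. The 4096-byte block size, SHA-256, zero padding and the function names `build_tree` and `verify_block` are all assumptions of this sketch.

```python
import hashlib
import hmac

BLOCK = 4096               # assumed block size for data and tree blocks
FANOUT = BLOCK // 32       # SHA-256 digests per tree block (128)

def _hash_block(b: bytes) -> bytes:
    # Short final blocks are zero-padded (an assumption of this sketch).
    return hashlib.sha256(b.ljust(BLOCK, b"\0")).digest()

def build_tree(data: bytes):
    """Return (root, levels). levels[0] holds one digest per data block."""
    level = [_hash_block(data[i:i + BLOCK])
             for i in range(0, max(len(data), 1), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [_hash_block(b"".join(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return level[0], levels

def verify_block(block: bytes, index: int, levels, trusted_root: bytes) -> bool:
    """Verify one block read. `levels` is untrusted (it travels with the
    file); only `trusted_root` is assumed to come from a trusted source."""
    digest = _hash_block(block)
    for depth, level in enumerate(levels):
        if not 0 <= index < len(level):
            return False
        if not hmac.compare_digest(level[index], digest):
            return False
        if depth < len(levels) - 1:
            group = index // FANOUT   # tree block that holds this digest
            digest = _hash_block(
                b"".join(level[group * FANOUT:(group + 1) * FANOUT]))
            index = group
    return hmac.compare_digest(digest, trusted_root)

def demo():
    # Constructed sample: 300 distinct 4 KiB blocks (300 leaves, 3 interior, 1 root).
    data = b"".join(i.to_bytes(4, "big") * 1024 for i in range(300))
    root, levels = build_tree(data)
    good = verify_block(data[200 * BLOCK:201 * BLOCK], 200, levels, root)
    evil = b"X" * BLOCK
    # Case 1: block changed on disk, stored tree left alone.
    stale_tree = verify_block(evil, 200, levels, root)
    # Case 2: block changed and the stored tree rebuilt to match it.
    forged = data[:200 * BLOCK] + evil + data[201 * BLOCK:]
    _, forged_levels = build_tree(forged)
    rebuilt_tree = verify_block(evil, 200, forged_levels, root)
    return good, stale_tree, rebuilt_tree
```

The second tamper case shows why the root hash has to be anchored outside the file: a tree rebuilt over the modified data is self-consistent and is rejected only at the comparison with the trusted root.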

Fs-verity consists of common kernel code but also requires some hooks into specific file-systems. For now Google is enabling this support for the EXT4 and F2FS file-systems but extending it to other Linux file-systems shouldn't be much of a challenge.

More details on this read-only file protection/verification can be found via the v2 patch series sent out this week. The code isn't being queued for Linux 4.20~5.0 but is an interesting feature likely coming to a future kernel release with Google planning to use fs-verity for Android devices.