From: Allison Karlitskaya
Date: Tue, 26 Nov 2024 08:48:33 +0000 (+0100)
Subject: Documentation: add a usecase for FS_IOC_READ_VERITY_METADATA
X-Git-Tag: v6.15-rc1~186^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=212df80e01069da2a179e6ab28c3f52c325575e1;p=thirdparty%2Fkernel%2Flinux.git

Documentation: add a usecase for FS_IOC_READ_VERITY_METADATA

Mention another potential usecase for FS_IOC_READ_VERITY_METADATA: creating filesystem images which contain fs-verity-enabled files, without having to redo all of the work in userspace.

Signed-off-by: Allison Karlitskaya
Link: https://lore.kernel.org/r/20241126084833.70538-1-allison.karlitskaya@redhat.com
Signed-off-by: Eric Biggers
---
diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst index 76e5382178689..dacdbc1149e67 100644 --- a/Documentation/filesystems/fsverity.rst +++ b/Documentation/filesystems/fsverity.rst
@@ -248,11 +248,17 @@ FS_IOC_READ_VERITY_METADATA The FS_IOC_READ_VERITY_METADATA ioctl reads verity metadata from a verity file. This ioctl is available since Linux v5.12. -This ioctl allows writing a server program that takes a verity file -and serves it to a client program, such that the client can do its own -fs-verity compatible verification of the file. This only makes sense -if the client doesn't trust the server and if the server needs to -provide the storage for the client. +This ioctl is useful for cases where the verity verification should be +performed somewhere other than the currently running kernel. + +One example is a server program that takes a verity file and serves it +to a client program, such that the client can do its own fs-verity +compatible verification of the file. This only makes sense if the +client doesn't trust the server and if the server needs to provide the +storage for the client. + +Another example is copying verity metadata when creating filesystem +images in userspace (such as with ``mkfs.ext4 -d``). This is a fairly specialized use case, and most fs-verity users won't need this ioctl.
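Review bot: the unchanged closing sentence of this hunk, "This is a fairly specialized use case, and most fs-verity users won't need this ioctl.", now follows two examples, so its singular "This" reads as referring only to the new ``mkfs.ext4 -d`` paragraph. Consider updating it in the same patch to something like "These are fairly specialized use cases, and most fs-verity users won't need this ioctl." Two smaller points on the added text: the new lead sentence says verification happens "somewhere other than the currently running kernel", but the image-creation paragraph does not say who verifies in that case (presumably the kernel that later mounts the image), and a half-sentence stating that would tie the example back to the lead. The image-creation paragraph also does not say whether the image builder is expected to check the copied metadata against the file's digest before embedding it or may copy it as-is. The server example spells out its trust assumption ("the client doesn't trust the server"), and the new example would benefit from the same.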