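--- a/drivers/md/Kconfig 2018-08-06 17:23:04.000000000 +0300
+++ b/drivers/md/Kconfig 2022-06-12 05:28:14.000000000 +0300
@@ -459,6 +459,21 @@ config DM_VERITY
 
 If unsure, say N.
 
+config DM_VERITY_HASH_PREFETCH_MIN_SIZE_128
+ bool "Prefetch size 128"
+
+config DM_VERITY_HASH_PREFETCH_MIN_SIZE
+ int "Verity hash prefetch minimum size"
+ depends on DM_VERITY
+ range 1 4096
+ default 128 if DM_VERITY_HASH_PREFETCH_MIN_SIZE_128
+ default 1
+ ---help---
+ This sets minimum number of hash blocks to prefetch for dm-verity.
+ For devices like eMMC, having larger prefetch size like 128 can improve
+ performance with increased memory consumption for keeping more hashes
+ in RAM.
+
 config DM_VERITY_FEC
 bool "Verity forward error correction support"
 depends on DM_VERITY
@@ -501,4 +516,42 @@ config DM_LOG_WRITES
 
 If unsure, say N.
 
+config DM_ANDROID_VERITY
+ bool "Android verity target support"
+ depends on BLK_DEV_DM=y
+ depends on DM_VERITY=y
+ depends on X509_CERTIFICATE_PARSER
+ depends on SYSTEM_TRUSTED_KEYRING
+ depends on CRYPTO_RSA
+ depends on KEYS
+ depends on ASYMMETRIC_KEY_TYPE
+ depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select DM_VERITY_HASH_PREFETCH_MIN_SIZE_128
+ ---help---
+ This device-mapper target is virtually a VERITY target. This
+ target is setup by reading the metadata contents piggybacked
+ to the actual data blocks in the block device. The signature
+ of the metadata contents are verified against the key included
+ in the system keyring. Upon success, the underlying verity
+ target is setup.
+
+config DM_ANDROID_VERITY_AT_MOST_ONCE_DEFAULT_ENABLED
+ bool "Verity will validate blocks at most once"
+ depends on DM_VERITY
+ ---help---
+ Default enables at_most_once option for dm-verity
+
+ Verify data blocks only the first time they are read from the
+ data device, rather than every time. This reduces the overhead
+ of dm-verity so that it can be used on systems that are memory
+ and/or CPU constrained. However, it provides a reduced level
+ of security because only offline tampering of the data device's
+ content will be detected, not online tampering.
+
+ Hash blocks are still verified each time they are read from the
+ hash device, since verification of hash blocks is less performance
+ critical than data blocks, and a hash block will not be verified
+ any more after all the data blocks it covers have been verified anyway.
+
+ If unsure, say N.
 endif # MD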
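Review bot: `DM_ANDROID_VERITY_AT_MOST_ONCE_DEFAULT_ENABLED` in the second hunk is gated only on `DM_VERITY`, although its name ties it to the Android target, so it can be enabled in builds that do not set `DM_ANDROID_VERITY`. If only the Android target consumes it (the C code that reads the symbol is not part of this patch), the dependency should read `depends on DM_ANDROID_VERITY`. Because the option makes first-read-only verification the build-time default, which its own help text describes as a reduced level of security, the first help sentence should state which verity targets it applies to and whether a target's table can still request per-read verification. In the first hunk, `DM_VERITY_HASH_PREFETCH_MIN_SIZE_128` carries a prompt but no `depends on DM_VERITY` and no help text. Since it is set through `select` from `DM_ANDROID_VERITY`, a promptless `bool` (or an added `depends on DM_VERITY`) would keep it out of menus where dm-verity is disabled.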