From: Andrey Albershteyn <aalbersh@kernel.org>
To: linux-xfs@vger.kernel.org, fsverity@lists.linux.dev,
linux-fsdevel@vger.kernel.org, ebiggers@kernel.org
Cc: Andrey Albershteyn <aalbersh@kernel.org>,
hch@lst.de, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-btrfs@vger.kernel.org, djwong@kernel.org
Subject: [PATCH v5 12/25] xfs: introduce fsverity on-disk changes
Date: Thu, 19 Mar 2026 18:01:59 +0100 [thread overview]
Message-ID: <20260319170231.1455553-13-aalbersh@kernel.org> (raw)
In-Reply-To: <20260319170231.1455553-1-aalbersh@kernel.org>
Introduce XFS_DIFLAG2_VERITY for inodes with fsverity. This flag
indicates that inode has fs-verity enabled (i.e. descriptor exist,
tree is built and file is read-only).
Introduce XFS_SB_FEAT_RO_COMPAT_VERITY for filesystems having
fsverity inodes. As on-disk changes applies to fsverity inodes only, let
older kernels read-only access. This will be enabled in the further
patch after full fsverity support.
Signed-off-by: Andrey Albershteyn <aalbersh@kernel.org>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
---
fs/xfs/libxfs/xfs_format.h | 30 +++++++++++++++++++++++++++++-
fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++++
fs/xfs/libxfs/xfs_inode_util.c | 2 ++
fs/xfs/libxfs/xfs_sb.c | 2 ++
fs/xfs/xfs_iops.c | 2 ++
fs/xfs/xfs_mount.h | 2 ++
6 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/libxfs/xfs_format.h b/fs/xfs/libxfs/xfs_format.h
index 779dac59b1f3..4dff29659e40 100644
--- a/fs/xfs/libxfs/xfs_format.h
+++ b/fs/xfs/libxfs/xfs_format.h
@@ -374,6 +374,7 @@ xfs_sb_has_compat_feature(
#define XFS_SB_FEAT_RO_COMPAT_RMAPBT (1 << 1) /* reverse map btree */
#define XFS_SB_FEAT_RO_COMPAT_REFLINK (1 << 2) /* reflinked files */
#define XFS_SB_FEAT_RO_COMPAT_INOBTCNT (1 << 3) /* inobt block counts */
+#define XFS_SB_FEAT_RO_COMPAT_VERITY (1 << 4) /* fs-verity */
#define XFS_SB_FEAT_RO_COMPAT_ALL \
(XFS_SB_FEAT_RO_COMPAT_FINOBT | \
XFS_SB_FEAT_RO_COMPAT_RMAPBT | \
@@ -1230,16 +1231,21 @@ static inline void xfs_dinode_put_rdev(struct xfs_dinode *dip, xfs_dev_t rdev)
*/
#define XFS_DIFLAG2_METADATA_BIT 5
+/* inodes sealed with fs-verity */
+#define XFS_DIFLAG2_VERITY_BIT 6
+
#define XFS_DIFLAG2_DAX (1ULL << XFS_DIFLAG2_DAX_BIT)
#define XFS_DIFLAG2_REFLINK (1ULL << XFS_DIFLAG2_REFLINK_BIT)
#define XFS_DIFLAG2_COWEXTSIZE (1ULL << XFS_DIFLAG2_COWEXTSIZE_BIT)
#define XFS_DIFLAG2_BIGTIME (1ULL << XFS_DIFLAG2_BIGTIME_BIT)
#define XFS_DIFLAG2_NREXT64 (1ULL << XFS_DIFLAG2_NREXT64_BIT)
#define XFS_DIFLAG2_METADATA (1ULL << XFS_DIFLAG2_METADATA_BIT)
+#define XFS_DIFLAG2_VERITY (1ULL << XFS_DIFLAG2_VERITY_BIT)
#define XFS_DIFLAG2_ANY \
(XFS_DIFLAG2_DAX | XFS_DIFLAG2_REFLINK | XFS_DIFLAG2_COWEXTSIZE | \
- XFS_DIFLAG2_BIGTIME | XFS_DIFLAG2_NREXT64 | XFS_DIFLAG2_METADATA)
+ XFS_DIFLAG2_BIGTIME | XFS_DIFLAG2_NREXT64 | XFS_DIFLAG2_METADATA | \
+ XFS_DIFLAG2_VERITY)
static inline bool xfs_dinode_has_bigtime(const struct xfs_dinode *dip)
{
@@ -2021,4 +2027,26 @@ struct xfs_acl {
#define SGI_ACL_FILE_SIZE (sizeof(SGI_ACL_FILE)-1)
#define SGI_ACL_DEFAULT_SIZE (sizeof(SGI_ACL_DEFAULT)-1)
+/*
+ * At maximum of 8 levels with 128 hashes per block (32 bytes SHA-256) maximum
+ * tree size is ((128^8 − 1)/(128 − 1)) = 567*10^12 blocks. This should fit in
+ * 53 bits address space.
+ *
+ * At this Merkle tree size we can cover 295EB large file. This is much larger
+ * than the currently supported file size.
+ *
+ * For sha512 the largest file we can cover ends at 1 << 50 offset, this is also
+ * good.
+ */
+#define XFS_FSVERITY_LARGEST_FILE ((loff_t)1ULL << 53)
+
+/*
+ * Alignment of the fsverity metadata placement. This is largest supported PAGE
+ * SIZE for fsverity. This is used to space out data and metadata in page cache.
+ * The spacing is necessary for non-exposure of metadata to userspace and
+ * correct merkle tree synethesis in the iomap.
+ */
+#define XFS_FSVERITY_START_ALIGN (65536)
+
+
#endif /* __XFS_FORMAT_H__ */
diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
index 3794e5412eba..f2181c1bed54 100644
--- a/fs/xfs/libxfs/xfs_inode_buf.c
+++ b/fs/xfs/libxfs/xfs_inode_buf.c
@@ -760,6 +760,14 @@ xfs_dinode_verify(
!xfs_has_rtreflink(mp))
return __this_address;
+ /* only regular files can have fsverity */
+ if (flags2 & XFS_DIFLAG2_VERITY) {
+ if (!xfs_has_verity(mp))
+ return __this_address;
+ if (!S_ISREG(mode))
+ return __this_address;
+ }
+
if (xfs_has_zoned(mp) &&
dip->di_metatype == cpu_to_be16(XFS_METAFILE_RTRMAP)) {
if (be32_to_cpu(dip->di_used_blocks) > mp->m_sb.sb_rgextents)
diff --git a/fs/xfs/libxfs/xfs_inode_util.c b/fs/xfs/libxfs/xfs_inode_util.c
index 551fa51befb6..6b1e20a4bb9b 100644
--- a/fs/xfs/libxfs/xfs_inode_util.c
+++ b/fs/xfs/libxfs/xfs_inode_util.c
@@ -126,6 +126,8 @@ xfs_ip2xflags(
flags |= FS_XFLAG_DAX;
if (ip->i_diflags2 & XFS_DIFLAG2_COWEXTSIZE)
flags |= FS_XFLAG_COWEXTSIZE;
+ if (ip->i_diflags2 & XFS_DIFLAG2_VERITY)
+ flags |= FS_XFLAG_VERITY;
}
if (xfs_inode_has_attr_fork(ip))
diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c
index 47322adb7690..a15510ebd2f1 100644
--- a/fs/xfs/libxfs/xfs_sb.c
+++ b/fs/xfs/libxfs/xfs_sb.c
@@ -165,6 +165,8 @@ xfs_sb_version_to_features(
features |= XFS_FEAT_REFLINK;
if (sbp->sb_features_ro_compat & XFS_SB_FEAT_RO_COMPAT_INOBTCNT)
features |= XFS_FEAT_INOBTCNT;
+ if (sbp->sb_features_ro_compat & XFS_SB_FEAT_RO_COMPAT_VERITY)
+ features |= XFS_FEAT_VERITY;
if (sbp->sb_features_incompat & XFS_SB_FEAT_INCOMPAT_FTYPE)
features |= XFS_FEAT_FTYPE;
if (sbp->sb_features_incompat & XFS_SB_FEAT_INCOMPAT_SPINODES)
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 208543e57eda..ca369eb96561 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -1415,6 +1415,8 @@ xfs_diflags_to_iflags(
flags |= S_NOATIME;
if (init && xfs_inode_should_enable_dax(ip))
flags |= S_DAX;
+ if (xflags & FS_XFLAG_VERITY)
+ flags |= S_VERITY;
/*
* S_DAX can only be set during inode initialization and is never set by
diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
index ddd4028be8d6..07f6aa3c3f26 100644
--- a/fs/xfs/xfs_mount.h
+++ b/fs/xfs/xfs_mount.h
@@ -385,6 +385,7 @@ typedef struct xfs_mount {
#define XFS_FEAT_EXCHANGE_RANGE (1ULL << 27) /* exchange range */
#define XFS_FEAT_METADIR (1ULL << 28) /* metadata directory tree */
#define XFS_FEAT_ZONED (1ULL << 29) /* zoned RT device */
+#define XFS_FEAT_VERITY (1ULL << 30) /* fs-verity */
/* Mount features */
#define XFS_FEAT_NOLIFETIME (1ULL << 47) /* disable lifetime hints */
@@ -442,6 +443,7 @@ __XFS_HAS_FEAT(exchange_range, EXCHANGE_RANGE)
__XFS_HAS_FEAT(metadir, METADIR)
__XFS_HAS_FEAT(zoned, ZONED)
__XFS_HAS_FEAT(nolifetime, NOLIFETIME)
+__XFS_HAS_FEAT(verity, VERITY)
static inline bool xfs_has_rtgroups(const struct xfs_mount *mp)
{
--
2.51.2
next prev parent reply other threads:[~2026-03-19 17:03 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 17:01 [PATCH v5 00/25] fs-verity support for XFS with post EOF merkle tree Andrey Albershteyn
2026-03-19 17:01 ` [PATCH v5 01/25] fsverity: report validation errors through fserror to fsnotify Andrey Albershteyn
2026-03-19 17:15 ` Darrick J. Wong
2026-03-25 7:54 ` Christoph Hellwig
2026-03-25 11:41 ` Andrey Albershteyn
2026-03-25 16:02 ` Darrick J. Wong
2026-03-26 6:20 ` Christoph Hellwig
2026-03-19 17:01 ` [PATCH v5 02/25] fsverity: expose ensure_fsverity_info() Andrey Albershteyn
2026-03-25 7:56 ` Christoph Hellwig
2026-03-19 17:01 ` [PATCH v5 03/25] fsverity: generate and store zero-block hash Andrey Albershteyn
2026-03-25 7:57 ` Christoph Hellwig
2026-03-25 12:03 ` Andrey Albershteyn
2026-03-25 16:07 ` Darrick J. Wong
2026-03-19 17:01 ` [PATCH v5 04/25] fsverity: introduce fsverity_folio_zero_hash() Andrey Albershteyn
2026-03-25 7:57 ` Christoph Hellwig
2026-03-19 17:01 ` [PATCH v5 05/25] fsverity: pass digest size and hash of the empty block to ->write Andrey Albershteyn
2026-03-19 17:01 ` [PATCH v5 06/25] fsverity: hoist pagecache_read from f2fs/ext4 to fsverity Andrey Albershteyn
2026-03-25 7:58 ` Christoph Hellwig
2026-03-19 17:01 ` [PATCH v5 07/25] iomap: introduce IOMAP_F_FSVERITY and teach writeback to handle fsverity Andrey Albershteyn
2026-03-25 8:00 ` Christoph Hellwig
2026-03-25 12:38 ` Andrey Albershteyn
2026-03-25 16:26 ` Darrick J. Wong
2026-03-19 17:01 ` [PATCH v5 08/25] iomap: obtain fsverity info for read path Andrey Albershteyn
2026-03-19 17:01 ` [PATCH v5 09/25] iomap: issue readahead for fsverity merkle tree Andrey Albershteyn
2026-03-25 8:04 ` Christoph Hellwig
2026-03-25 12:08 ` Andrey Albershteyn
2026-03-19 17:01 ` [PATCH v5 10/25] iomap: teach iomap to handle fsverity holes and verify data holes Andrey Albershteyn
2026-03-25 16:29 ` Darrick J. Wong
2026-03-19 17:01 ` [PATCH v5 11/25] iomap: introduce iomap_fsverity_write() for writing fsverity metadata Andrey Albershteyn
2026-03-25 8:05 ` Christoph Hellwig
2026-03-19 17:01 ` Andrey Albershteyn [this message]
2026-03-25 8:05 ` [PATCH v5 12/25] xfs: introduce fsverity on-disk changes Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 13/25] xfs: initialize fs-verity on file open Andrey Albershteyn
2026-03-25 8:06 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 14/25] xfs: don't allow to enable DAX on fs-verity sealed inode Andrey Albershteyn
2026-03-25 8:06 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 15/25] xfs: disable direct read path for fs-verity files Andrey Albershteyn
2026-03-25 8:06 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 16/25] xfs: handle fsverity I/O in write/read path Andrey Albershteyn
2026-03-25 8:07 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 17/25] xfs: use read ioend for fsverity data verification Andrey Albershteyn
2026-03-25 8:07 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 18/25] xfs: add fs-verity support Andrey Albershteyn
2026-03-25 8:08 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 19/25] xfs: remove unwritten extents after preallocations in fsverity metadata Andrey Albershteyn
2026-03-25 8:09 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 20/25] xfs: add fs-verity ioctls Andrey Albershteyn
2026-03-25 8:09 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 21/25] xfs: advertise fs-verity being available on filesystem Andrey Albershteyn
2026-03-25 8:10 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 22/25] xfs: check and repair the verity inode flag state Andrey Albershteyn
2026-03-25 8:10 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 23/25] xfs: introduce health state for corrupted fsverity metadata Andrey Albershteyn
2026-03-25 8:10 ` Christoph Hellwig
2026-03-19 17:02 ` [PATCH v5 24/25] xfs: add fsverity traces Andrey Albershteyn
2026-03-19 17:02 ` [PATCH v5 25/25] xfs: enable ro-compat fs-verity flag Andrey Albershteyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260319170231.1455553-13-aalbersh@kernel.org \
--to=aalbersh@kernel.org \
--cc=djwong@kernel.org \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=hch@lst.de \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox