diff --git a/NEWS.md b/NEWS.md index 87896cf..116ff0f 100644 --- a/NEWS.md +++ b/NEWS.md @@ -8,9 +8,9 @@ ## Version 1.1 -* Split the file measurement computation and signing functionality - of the `fsverity` program into a library `libfsverity`. See - `README.md` and `Makefile` for more details. +* Split the file digest computation and signing functionality of the + `fsverity` program into a library `libfsverity`. See `README.md` + and `Makefile` for more details. * Improved the Makefile. diff --git a/README.md b/README.md index 36a52e9..6045c75 100644 --- a/README.md +++ b/README.md @@ -18,9 +18,9 @@ might add support for fs-verity in the future. fsverity-utils currently contains just one program, `fsverity`. The `fsverity` program allows you to set up fs-verity protected files. -In addition, the file measurement computation and signing -functionality of `fsverity` is optionally exposed through a C library -`libfsverity`. See `libfsverity.h` for the API of this library. +In addition, the file digest computation and signing functionality of +`fsverity` is optionally exposed through a C library `libfsverity`. +See `libfsverity.h` for the API of this library. ## Building and installing @@ -66,13 +66,13 @@ See the `Makefile` for other supported build and installation options. # Enable verity on the file fsverity enable file - # Show the verity file measurement + # Show the verity file digest fsverity measure file # File should still be readable as usual. However, all data read # is now transparently checked against a hidden Merkle tree, whose - # root hash is incorporated into the verity file measurement. - # Reads of any corrupted parts of the data will fail. + # root hash is incorporated into the verity file digest. Reads of + # any corrupted parts of the data will fail. sha256sum file ``` @@ -84,10 +84,10 @@ against a trusted value. ### Using builtin signatures With `CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y`, the filesystem supports -automatically verifying a signed file measurement that has been -included in the verity metadata. The signature is verified against -the set of X.509 certificates that have been loaded into the -".fs-verity" kernel keyring. Here's an example: +automatically verifying a signed file digest that has been included in +the verity metadata. The signature is verified against the set of +X.509 certificates that have been loaded into the ".fs-verity" kernel +keyring. Here's an example: ```bash # Generate a new certificate and private key: diff --git a/include/libfsverity.h b/include/libfsverity.h index 369e1cf..6c4992c 100644 --- a/include/libfsverity.h +++ b/include/libfsverity.h @@ -91,9 +91,9 @@ typedef int (*libfsverity_read_fn_t)(void *fd, void *buf, size_t count); /** * libfsverity_compute_digest() - Compute digest of a file - * An fsverity_digest (also called a "file measurement") is the root of - * a file's Merkle tree. Not to be confused with a traditional file - * digest computed over the entire file. + * A fs-verity file digest is the hash of a file's fsverity_descriptor. + * Not to be confused with a traditional file digest computed over the + * entire file, or with the bare fsverity_descriptor::root_hash. * @fd: context that will be passed to @read_fn * @read_fn: a function that will read the data of the file * @params: Pointer to the Merkle tree parameters @@ -112,12 +112,12 @@ libfsverity_compute_digest(void *fd, libfsverity_read_fn_t read_fn, /** * libfsverity_sign_digest() - Sign previously computed digest of a file - * This signature is used by the file system to validate the - * signed file measurement against a public key loaded into the - * .fs-verity kernel keyring, when CONFIG_FS_VERITY_BUILTIN_SIGNATURES - * is enabled. The signature is formatted as PKCS#7 stored in DER - * format. See Documentation/filesystems/fsverity.rst in the kernel - * source tree for further details. + * This signature is used by the filesystem to validate the signed file + * digest against a public key loaded into the .fs-verity kernel + * keyring, when CONFIG_FS_VERITY_BUILTIN_SIGNATURES is enabled. The + * signature is formatted as PKCS#7 stored in DER format. See + * Documentation/filesystems/fsverity.rst in the kernel source tree for + * further details. * @digest: pointer to previously computed digest * @sig_params: struct libfsverity_signature_params providing filenames of * the keyfile and certificate file. Reserved fields must be zero. diff --git a/programs/cmd_digest.c b/programs/cmd_digest.c index 371f445..1a3c769 100644 --- a/programs/cmd_digest.c +++ b/programs/cmd_digest.c @@ -24,7 +24,7 @@ static const struct option longopts[] = { }; /* - * Compute the fs-verity measurement of the given file(s), for offline signing. + * Compute the fs-verity digest of the given file(s), for offline signing. */ int fsverity_cmd_digest(const struct fsverity_command *cmd, int argc, char *argv[]) diff --git a/programs/cmd_measure.c b/programs/cmd_measure.c index 98382ab..d78969c 100644 --- a/programs/cmd_measure.c +++ b/programs/cmd_measure.c @@ -14,7 +14,7 @@ #include #include -/* Display the measurement of the given verity file(s). */ +/* Display the fs-verity digest of the given verity file(s). */ int fsverity_cmd_measure(const struct fsverity_command *cmd, int argc, char *argv[]) { diff --git a/programs/cmd_sign.c b/programs/cmd_sign.c index 0a08faa..47ba6a2 100644 --- a/programs/cmd_sign.c +++ b/programs/cmd_sign.c @@ -35,7 +35,7 @@ static const struct option longopts[] = { {NULL, 0, NULL, 0} }; -/* Sign a file for fs-verity by computing its measurement, then signing it. */ +/* Sign a file for fs-verity by computing its digest, then signing it. */ int fsverity_cmd_sign(const struct fsverity_command *cmd, int argc, char *argv[]) { diff --git a/programs/fsverity.c b/programs/fsverity.c index 60ae05b..5d5fbe2 100644 --- a/programs/fsverity.c +++ b/programs/fsverity.c @@ -23,7 +23,7 @@ static const struct fsverity_command { .name = "digest", .func = fsverity_cmd_digest, .short_desc = -"Compute the fs-verity measurement of the given file(s), for offline signing", +"Compute the fs-verity digest of the given file(s), for offline signing", .usage_str = " fsverity digest FILE...\n" " [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]\n" @@ -40,7 +40,7 @@ static const struct fsverity_command { .name = "measure", .func = fsverity_cmd_measure, .short_desc = -"Display the measurement of the given verity file(s)", +"Display the fs-verity digest of the given verity file(s)", .usage_str = " fsverity measure FILE...\n" }, {