@@ -8,9 +8,9 @@
## Version 1.1
-* Split the file measurement computation and signing functionality
- of the `fsverity` program into a library `libfsverity`. See
- `README.md` and `Makefile` for more details.
+* Split the file digest computation and signing functionality of the
+ `fsverity` program into a library `libfsverity`. See `README.md`
+ and `Makefile` for more details.
* Improved the Makefile.
@@ -18,9 +18,9 @@ might add support for fs-verity in the future.
fsverity-utils currently contains just one program, `fsverity`. The
`fsverity` program allows you to set up fs-verity protected files.
-In addition, the file measurement computation and signing
-functionality of `fsverity` is optionally exposed through a C library
-`libfsverity`. See `libfsverity.h` for the API of this library.
+In addition, the file digest computation and signing functionality of
+`fsverity` is optionally exposed through a C library `libfsverity`.
+See `libfsverity.h` for the API of this library.
## Building and installing
@@ -66,13 +66,13 @@ See the `Makefile` for other supported build and installation options.
# Enable verity on the file
fsverity enable file
- # Show the verity file measurement
+ # Show the verity file digest
fsverity measure file
# File should still be readable as usual. However, all data read
# is now transparently checked against a hidden Merkle tree, whose
- # root hash is incorporated into the verity file measurement.
- # Reads of any corrupted parts of the data will fail.
+ # root hash is incorporated into the verity file digest. Reads of
+ # any corrupted parts of the data will fail.
sha256sum file
```
@@ -84,10 +84,10 @@ against a trusted value.
### Using builtin signatures
With `CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y`, the filesystem supports
-automatically verifying a signed file measurement that has been
-included in the verity metadata. The signature is verified against
-the set of X.509 certificates that have been loaded into the
-".fs-verity" kernel keyring. Here's an example:
+automatically verifying a signed file digest that has been included in
+the verity metadata. The signature is verified against the set of
+X.509 certificates that have been loaded into the ".fs-verity" kernel
+keyring. Here's an example:
```bash
# Generate a new certificate and private key:
@@ -64,9 +64,9 @@ typedef int (*libfsverity_read_fn_t)(void *fd, void *buf, size_t count);
/**
* libfsverity_compute_digest() - Compute digest of a file
- * An fsverity_digest (also called a "file measurement") is the root of
- * a file's Merkle tree. Not to be confused with a traditional file
- * digest computed over the entire file.
+ * A fs-verity file digest is the hash of a file's fsverity_descriptor.
+ * Not to be confused with a traditional file digest computed over the
+ * entire file, or with the bare fsverity_descriptor::root_hash.
* @fd: context that will be passed to @read_fn
* @read_fn: a function that will read the data of the file
* @params: struct libfsverity_merkle_tree_params specifying the fs-verity
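Review bot: The reworded definition in the `libfsverity_compute_digest()` comment says the digest is the hash of the `fsverity_descriptor` and warns against confusing it with the bare `root_hash`, but it does not say what the descriptor hash binds that the root hash alone does not, which is the point a caller signing digests needs. Presumably the descriptor also carries the Merkle-tree parameters this patch's `digest` usage string exposes (`--hash-alg`, `--block-size`, `--salt`), so a signature over the file digest commits to those as well while a signature over `root_hash` would not — confirm against the struct definition in the kernel UAPI header. I would add after the second sentence: `The descriptor also covers the Merkle tree parameters (hash algorithm, block size, salt), so a signature over the file digest binds them as well.` The doc comment and the `libfsverity_compute_digest()` prototype continue past this hunk.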
@@ -87,12 +87,12 @@ libfsverity_compute_digest(void *fd, libfsverity_read_fn_t read_fn,
/**
* libfsverity_sign_digest() - Sign previously computed digest of a file
- * This signature is used by the file system to validate the
- * signed file measurement against a public key loaded into the
- * .fs-verity kernel keyring, when CONFIG_FS_VERITY_BUILTIN_SIGNATURES
- * is enabled. The signature is formatted as PKCS#7 stored in DER
- * format. See Documentation/filesystems/fsverity.rst in the kernel
- * source tree for further details.
+ * This signature is used by the filesystem to validate the signed file
+ * digest against a public key loaded into the .fs-verity kernel
+ * keyring, when CONFIG_FS_VERITY_BUILTIN_SIGNATURES is enabled. The
+ * signature is formatted as PKCS#7 stored in DER format. See
+ * Documentation/filesystems/fsverity.rst in the kernel source tree for
+ * further details.
* @digest: pointer to previously computed digest
* @sig_params: struct libfsverity_signature_params providing filenames of
* the keyfile and certificate file. Reserved fields must be zero.
@@ -32,7 +32,7 @@ static const struct option longopts[] = {
};
/*
- * Compute the fs-verity measurement of the given file(s), for offline signing.
+ * Compute the fs-verity digest of the given file(s), for offline signing.
*/
int fsverity_cmd_digest(const struct fsverity_command *cmd,
int argc, char *argv[])
@@ -14,7 +14,7 @@
#include <fcntl.h>
#include <sys/ioctl.h>
-/* Display the measurement of the given verity file(s). */
+/* Display the fs-verity digest of the given verity file(s). */
int fsverity_cmd_measure(const struct fsverity_command *cmd,
int argc, char *argv[])
{
@@ -43,7 +43,7 @@ static const struct option longopts[] = {
{NULL, 0, NULL, 0}
};
-/* Sign a file for fs-verity by computing its measurement, then signing it. */
+/* Sign a file for fs-verity by computing its digest, then signing it. */
int fsverity_cmd_sign(const struct fsverity_command *cmd,
int argc, char *argv[])
{
@@ -24,7 +24,7 @@ static const struct fsverity_command {
.name = "digest",
.func = fsverity_cmd_digest,
.short_desc =
-"Compute the fs-verity measurement of the given file(s), for offline signing",
+"Compute the fs-verity digest of the given file(s), for offline signing",
.usage_str =
" fsverity digest FILE...\n"
" [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]\n"
@@ -41,7 +41,7 @@ static const struct fsverity_command {
.name = "measure",
.func = fsverity_cmd_measure,
.short_desc =
-"Display the measurement of the given verity file(s)",
+"Display the fs-verity digest of the given verity file(s)",
.usage_str =
" fsverity measure FILE...\n"
}, {
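Review bot: After this rename the `measure` command's short_desc, `"Display the fs-verity digest of the given verity file(s)"`, is almost indistinguishable from the `digest` command's `"Compute the fs-verity digest of the given file(s), for offline signing"` earlier in this table, and the help text no longer tells a user which of the two values comes from the kernel. The distinction appears to be that `measure` reports the digest the kernel holds for an already-enabled file (its implementation file includes `<sys/ioctl.h>`), whereas `digest` computes it in userspace — confirm against `fsverity_cmd_measure()`. I would make that explicit: `"Display the fs-verity digest the kernel reports for the given verity file(s)"`. The `fsverity_command` table begins and ends outside this hunk.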