Commit 45d99129 authored Nov 18, 2025 by Sweet Tea Dorminy Committed by David Sterba Nov 25, 2025

btrfs: disable verity on encrypted inodes

Right now there isn't a way to encrypt things that aren't either
filenames in directories or data on blocks on disk with extent
encryption, so for now, disable verity usage with encryption on btrfs.

fscrypt with fsverity should be possible and it can be implemented
in the future.

Note: The patch was taken from v5 of fscrypt patchset
(https://lore.kernel.org/linux-btrfs/cover.1706116485.git.josef@toxicpanda.com/

)
which was handled over time by various people: Omar Sandoval, Sweet Tea
Dorminy, Josef Bacik.

Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Signed-off-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add note ]
Signed-off-by: David Sterba <dsterba@suse.com>

parent f9683400

fs/btrfs/verity.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -578,6 +578,9 @@ static int btrfs_begin_enable_verity(struct file *filp)

		btrfs_assert_inode_locked(inode);

		if (IS_ENCRYPTED(&inode->vfs_inode))
		return -EOPNOTSUPP;

		if (test_bit(BTRFS_INODE_VERITY_IN_PROGRESS, &inode->runtime_flags))
		return -EBUSY;