Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

=========
dm-verity
=========

Device-Mapper's "verity" target provides transparent integrity checking of
block devices using a cryptographic digest provided by the kernel crypto API.
This target is read-only.

Construction Parameters
=======================

::

    <version> <dev> <hash_dev>
    <data_block_size> <hash_block_size>
    <num_data_blocks> <hash_start_block>
    <algorithm> <digest> <salt>
    [<#opt_params> <opt_params>]

<version>
    This is the type of the on-disk hash format.

    0 is the original format used in Chromium OS.
      The salt is appended when hashing, digests are stored contiguously and
      the rest of the block is padded with zeroes.

    1 is the current format that should be used for new devices.
      The salt is prepended when hashing and each digest is
      padded with zeroes to the next power of two.
<dev>
    This is the device containing the data whose integrity needs to be
    checked.  It may be specified as a path, like /dev/sdaX, or as a device
    number, <major>:<minor>.

<hash_dev>
    This is the device that supplies the hash tree data.  It may be
    specified in the same way as the data device and may be the same device.
    If the same device is used, <hash_start_block> should lie outside the
    configured dm-verity device.

<data_block_size>
    The block size on the data device in bytes.
    Each block corresponds to one digest on the hash device.

<hash_block_size>
    The size of a hash block in bytes.

<num_data_blocks>
    The number of data blocks on the data device.  Additional blocks are
    inaccessible.  Hashes can be placed on the same partition as the data; in
    that case they are placed after <num_data_blocks>.

<hash_start_block>
    This is the offset, in <hash_block_size>-blocks, from the start of hash_dev
    to the root block of the hash tree.

<algorithm>
    The cryptographic hash algorithm used for this device.  This should
    be the name of the algorithm, like "sha1".

<digest>
    The hexadecimal encoding of the cryptographic hash of the root hash block
    and the salt.  This hash must come from a trusted source, as there is no
    other authenticity check beyond this point.

<salt>
    The hexadecimal encoding of the salt value.

<#opt_params>
    Number of optional parameters. If there are no optional parameters,
    the optional parameters section can be skipped or #opt_params can be zero.
    Otherwise #opt_params is the number of following arguments.

    Example of optional parameters section:
        1 ignore_corruption

ignore_corruption
    Log corrupted blocks, but allow read operations to proceed normally.

restart_on_corruption
    Restart the system when a corrupted block is discovered. This option is
    not compatible with ignore_corruption and requires user space support to
    avoid restart loops.

panic_on_corruption
    Panic the kernel when a corrupted block is discovered. This option is
    not compatible with ignore_corruption and restart_on_corruption.

ignore_zero_blocks
    Do not verify blocks that are expected to contain zeroes and always return
    zeroes instead. This may be useful if the partition contains unused blocks
    that are not guaranteed to contain zeroes.

use_fec_from_device <fec_dev>
    Use forward error correction (FEC) to recover from corruption if hash
    verification fails. Use encoding data from the specified device. This
    may be the same device where data and hash blocks reside, in which case
    fec_start must be outside the data and hash areas.

    If the encoding data covers additional metadata, it must be accessible
    on the hash device after the hash blocks.

    Note: block sizes for data and hash devices must match. Also, if the
    verity <dev> is encrypted the <fec_dev> should be too.

fec_roots <num>
    Number of generator roots. This equals the number of parity bytes in
    the encoding data. For example, in RS(M, N) encoding, the number of roots
    is M-N.

fec_blocks <num>
    The number of encoding data blocks on the FEC device. The block size for
    the FEC device is <data_block_size>.

fec_start <offset>
    This is the offset, in <data_block_size> blocks, from the start of the
    FEC device to the beginning of the encoding data.

check_at_most_once
    Verify data blocks only the first time they are read from the data device,
    rather than every time.  This reduces the overhead of dm-verity so that it
    can be used on systems that are memory and/or CPU constrained.  However, it
    provides a reduced level of security because only offline tampering with the
    data device's content will be detected, not online tampering.

    Hash blocks are still verified each time they are read from the hash device,
    since verification of hash blocks is less performance critical than that of
    data blocks, and a hash block will not be verified any more once all the data
    blocks it covers have been verified anyway.

root_hash_sig_key_desc <key_description>
    This is the description of the USER_KEY that the kernel will look up to get
    the pkcs7 signature of the root hash. The pkcs7 signature is used to validate
    the root hash during the creation of the device mapper block device.
    Verification of the root hash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG
    being set in the kernel.
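
A table line like the one in the Example section can be checked against the
constraints above before it is handed to dmsetup. The following is an added
example, not code from the kernel or from cryptsetup; it assumes only the
Python 3 standard library and encodes the rules stated on this page plus the
kernel's requirement that block sizes be powers of two.

```python
import hashlib

OPT_FLAGS = {"ignore_corruption", "restart_on_corruption", "panic_on_corruption",
             "ignore_zero_blocks", "check_at_most_once"}
OPT_WITH_ARG = {"use_fec_from_device", "fec_roots", "fec_blocks", "fec_start",
                "root_hash_sig_key_desc"}
HEX = set("0123456789abcdefABCDEF")
SECTOR = 512  # <start> and <length> of a dm table line are 512-byte sectors

def parse_verity_table(table):
    """Split "<start> <length> verity <version> <dev> <hash_dev> ..." into a dict,
    including the optional-parameter section when it is present."""
    f = table.split()
    if len(f) < 13 or f[2] != "verity":
        raise ValueError("not a verity table line")
    p = {"start": int(f[0]), "length": int(f[1]), "version": int(f[3]), "dev": f[4],
         "hash_dev": f[5], "data_block_size": int(f[6]), "hash_block_size": int(f[7]),
         "num_data_blocks": int(f[8]), "hash_start_block": int(f[9]),
         "algorithm": f[10], "digest": f[11], "salt": f[12], "opts": {}}
    args = f[14:]
    if len(f) > 13 and int(f[13]) != len(args):
        raise ValueError("#opt_params does not match the arguments that follow")
    i = 0
    while i < len(args):
        if args[i] in OPT_FLAGS:
            p["opts"][args[i]] = True
            i += 1
        elif args[i] in OPT_WITH_ARG and i + 1 < len(args):
            p["opts"][args[i]] = args[i + 1]
            i += 2
        else:
            raise ValueError("unknown or incomplete optional parameter " + args[i])
    return p

def check_verity_table(table):
    """Return the consistency problems a table line shows before it reaches
    dmsetup; only what the line itself carries can be checked offline."""
    p = parse_verity_table(table)
    o, problems = p["opts"], []
    for k in ("data_block_size", "hash_block_size"):
        if p[k] < SECTOR or p[k] & (p[k] - 1):  # kernel: power of two, >= sector
            problems.append(k + " must be a power of two of at least one sector")
    data_bytes = p["num_data_blocks"] * p["data_block_size"]
    if p["length"] * SECTOR > data_bytes:
        problems.append("<length> covers more than num_data_blocks data blocks")
    alg = p["algorithm"]
    dsize = hashlib.new(alg).digest_size if alg in hashlib.algorithms_available else 0
    if not (set(p["digest"]) <= HEX and len(p["digest"]) == 2 * dsize):
        problems.append("digest is not the hex encoding of a " + alg + " hash")
    if p["salt"] != "-" and not set(p["salt"]) <= HEX:  # "-" means an empty salt
        problems.append("salt is not hex")
    if p["dev"] == p["hash_dev"] and p["hash_start_block"] * p["hash_block_size"] < data_bytes:
        problems.append("hash_start_block lies inside the verity data area")
    if sum(k in o for k in ("ignore_corruption", "restart_on_corruption",
                            "panic_on_corruption")) > 1:
        problems.append("ignore/restart/panic_on_corruption are mutually exclusive")
    if "use_fec_from_device" in o and p["data_block_size"] != p["hash_block_size"]:
        problems.append("FEC requires matching data and hash block sizes")
    return problems
```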
Theory of operation
===================

dm-verity is meant to be set up as part of a verified boot path.  This
may be anything ranging from a boot using tboot or trustedgrub to just
booting from a known-good device (like a USB drive or CD).

When a dm-verity device is configured, it is expected that the caller
has been authenticated in some way (cryptographic signatures, etc).
After instantiation, all hashes will be verified on-demand during
disk access.  If they cannot be verified up to the root node of the
tree, the root hash, then the I/O will fail.  This should detect
tampering with any data on the device, as well as with the hash data itself.

Cryptographic hashes are used to assert the integrity of the device on a
per-block basis. This allows for a lightweight hash computation on first read
into the page cache. Block hashes are stored linearly, aligned to the nearest
block size.

If forward error correction (FEC) support is enabled, any recovery of
corrupted data will be verified using the cryptographic hash of the
corresponding data. This is why combining error correction with
integrity checking is essential.

Hash Tree
---------

Each node in the tree is a cryptographic hash.  If it is a leaf node, the hash
of some data block on disk is calculated. If it is an intermediary node,
the hash of a number of child nodes is calculated.

Each entry in the tree is a collection of neighboring nodes that fit in one
block.  The number is determined based on block_size and the size of the
selected cryptographic digest algorithm.  The hashes are linearly-ordered in
this entry and any unaligned trailing space is ignored but included when
calculating the parent node.

The tree looks something like:

	alg = sha256, num_blocks = 32768, block_size = 4096

::

                                 [   root    ]
                                /    . . .    \
                     [entry_0]                 [entry_1]
                    /  . . .  \                 . . .   \
         [entry_0_0]   . . .  [entry_0_127]    . . . .  [entry_1_127]
           / ... \             /   . . .  \             /           \
     blk_0 ... blk_127  blk_16256   blk_16383      blk_32640 . . . blk_32767
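
The tree above can be built and walked in a few lines. The following is an
added example, not code from the kernel documentation or from veritysetup; it
assumes only the Python 3 standard library and follows the rules given above
for both hash formats (format 1: salt prepended, each digest padded to a power
of two; format 0: salt appended, digests stored contiguously), with hash blocks
laid out a depth at a time starting from the root.

```python
import hashlib

def geometry(alg, block_size, version=1):
    """Digest size, slot size and log2(digests per hash block), derived as
    dm-verity does: version 1 pads each digest to a power of two, and the
    number of digests per hash block is rounded down to a power of two."""
    dsize = hashlib.new(alg).digest_size
    slot = 1 << (dsize - 1).bit_length() if version == 1 else dsize
    return dsize, slot, (block_size // slot).bit_length() - 1

def node_hash(alg, salt, data, version=1):
    """Digest of one block: version 1 prepends the salt, version 0 appends it."""
    return hashlib.new(alg, salt + data if version == 1 else data + salt).digest()

def level_sizes(num_blocks, bits):
    """Hash blocks per level, root level first, which is also the on-disk order."""
    if num_blocks < 1:
        raise ValueError("need at least one data block")
    sizes, n = [], num_blocks
    while n > 1:
        n = (n + (1 << bits) - 1) >> bits
        sizes.append(n)
    return sizes[::-1] or [1]

def build_tree(data_blocks, alg="sha256", salt=b"", block_size=4096, version=1):
    """Return (root_digest, hash_area): hash_area is the byte image that would
    sit at hash_start_block, one depth at a time starting from the root."""
    dsize, slot, bits = geometry(alg, block_size, version)
    per = 1 << bits
    digests = [node_hash(alg, salt, b, version) for b in data_blocks]
    levels = []
    for _ in level_sizes(len(data_blocks), bits):
        blocks = [b"".join(d.ljust(slot, b"\0") for d in digests[i:i + per])
                  .ljust(block_size, b"\0") for i in range(0, len(digests), per)]
        levels.insert(0, blocks)  # upper levels go first on disk
        # the zero padding of each hash block is hashed along with its digests
        digests = [node_hash(alg, salt, b, version) for b in blocks]
    return digests[0], b"".join(b for lvl in levels for b in lvl)

def verify_block(hash_area, root, num_blocks, index, data, alg="sha256", salt=b"",
                 block_size=4096, version=1):
    """Walk from the root block down to `data`, as dm-verity does on every read:
    each hash block must match the digest its parent stores, and the data block
    must match the leaf digest. True only if the whole path verifies."""
    dsize, slot, bits = geometry(alg, block_size, version)
    sizes = level_sizes(num_blocks, bits)
    depth, offset, want = len(sizes), 0, root
    for lvl, size in enumerate(sizes):
        idx = index >> (bits * (depth - lvl))  # hash block covering index
        blk = hash_area[(offset + idx) * block_size:(offset + idx + 1) * block_size]
        if node_hash(alg, salt, blk, version) != want:
            return False  # hash block does not match its parent (or the root)
        pos = (index >> (bits * (depth - lvl - 1))) & ((1 << bits) - 1)
        want = blk[pos * slot:pos * slot + dsize]  # digest for the next level
        offset += size
    return node_hash(alg, salt, data, version) == want
```

With sha256 and 4096-byte blocks, geometry() yields 128 digests per hash block and level_sizes(32768, 7) yields [1, 2, 256], which is the root, entry_0/entry_1 and entry_x_y layers of the diagram.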


On-disk format
==============

The verity kernel code does not read the verity metadata on-disk header.
It only reads the hash blocks which directly follow the header.
It is expected that a user-space tool will verify the integrity of the
verity header.

Alternatively, the header can be omitted and the dmsetup parameters can
be passed via the kernel command-line in a rooted chain of trust where
the command-line is verified.

Directly following the header (and with sector number padded to the next hash
block boundary) are the hash blocks which are stored a depth at a time
(starting from the root), sorted in order of increasing index.

The full specification of kernel parameters and on-disk metadata format
is available at the cryptsetup project's wiki page:

  https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity

Status
======

V (for Valid) is returned if every check performed so far was valid.
If any check failed, C (for Corruption) is returned.

Example
=======

Set up a device::

  # dmsetup create vroot --readonly --table \
    "0 2097152 verity 1 /dev/sda1 /dev/sda2 4096 4096 262144 1 sha256 "\
    "4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076 "\
    "1234000000000000000000000000000000000000000000000000000000000000"

A command line tool, veritysetup, is available to compute or verify
the hash tree or to activate the kernel device. It is available from
the cryptsetup upstream repository https://gitlab.com/cryptsetup/cryptsetup/
(as a libcryptsetup extension).

Create the hash tree on the device::

  # veritysetup format /dev/sda1 /dev/sda2
  ...
  Root hash: 4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076

Activate the device::

  # veritysetup create vroot /dev/sda1 /dev/sda2 \
    4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076