управлять томами dm-verity (проверка на уровне блоков) (manage dm-verity (block level verification) volumes)
Имя (Name)
veritysetup - manage dm-verity (block level verification) volumes
Синопсис (Synopsis)
veritysetup <options> <action> <action args>
Описание (Description)
Veritysetup is used to configure dm-verity managed device-mapper
mappings.
Device-mapper verity target provides read-only transparent
integrity checking of block devices using kernel crypto API.
The dm-verity devices are always read-only.
Veritysetup supports these operations:
format <data_device> <hash_device>
Calculates and permanently stores hash verification data
for data_device. Hash area can be located on the same
device after data if specified by --hash-offset option.
Note you need to provide root hash string for device
verification or activation. Root hash must be trusted.
The data or hash device argument can be block device or
file image. If hash device path doesn't exist, it will be
created as file.
<options> can be [--hash, --no-superblock, --format,
--data-block-size, --hash-block-size, --data-blocks,
--hash-offset, --salt, --uuid, --root-hash-file]
If option --root-hash-file is used, the root hash is
stored in hex-encoded text format in <path>.
open <data_device> <name> <hash_device> <root_hash>
open <data_device> <name> <hash_device> --root-hash-file <path>
create <name> <data_device> <hash_device> <root_hash> (OBSOLETE
syntax)
Creates a mapping with <name> backed by device
<data_device> and using <hash_device> for in-kernel
verification.
The <root_hash> is a hexadecimal string.
<options> can be [--hash-offset, --no-superblock,
--ignore-corruption or --restart-on-corruption, --panic-
on-corruption, --ignore-zero-blocks, --check-at-most-once,
--root-hash-signature, --root-hash-file]
If option --root-hash-file is used, the root hash is read
from <path> instead of from the command line parameter.
Expects hex-encoded text, without terminating newline.
If option --no-superblock is used, you have to use as the
same options as in initial format operation.
verify <data_device> <hash_device> <root_hash>
verify <data_device> <hash_device> --root-hash-file <path>
Verifies data on data_device with use of hash blocks
stored on hash_device.
This command performs userspace verification, no kernel
device is created.
The <root_hash> is a hexadecimal string.
If option --root-hash-file is used, the root hash is read
from <path> instead of from the command line parameter.
Expects hex-encoded text, without terminating newline.
<options> can be [--hash-offset, --no-superblock, --root-
hash-file]
If option --no-superblock is used, you have to use as the
same options as in initial format operation.
close <name>
Removes existing mapping <name>.
For backward compatibility there is remove command alias
for close command.
<options> can be [--deferred] or [--cancel-deferred]
status <name>
Reports status for the active verity mapping <name>.
dump <hash_device>
Reports parameters of verity device from on-disk stored
superblock.
<options> can be [--hash-offset]
Параметры (Options)
--verbose, -v
Print more information on command execution.
--debug
Run in debug mode with full diagnostic logs. Debug output
lines are always prefixed by '#'.
--no-superblock
Create or use dm-verity without permanent on-disk
superblock.
--format=number
Specifies the hash version type. Format type 0 is
original Chrome OS version. Format type 1 is current
version.
--data-block-size=bytes
Used block size for the data device. (Note kernel
supports only page-size as maximum here.)
--hash-block-size=bytes
Used block size for the hash device. (Note kernel
supports only page-size as maximum here.)
--data-blocks=blocks
Size of data device used in verification. If not
specified, the whole device is used.
--hash-offset=bytes
Offset of hash area/superblock on hash_device. Value must
be aligned to disk sector offset.
--salt=hex string
Salt used for format or verification. Format is a
hexadecimal string.
--uuid=UUID
Use the provided UUID for format command instead of
generating new one.
The UUID must be provided in standard UUID format, e.g.
12345678-1234-1234-1234-123456789abc.
--ignore-corruption , --restart-on-corruption , --panic-on-
corruption
Defines what to do if data integrity problem is detected
(data corruption).
Without these options kernel fails the IO operation with
I/O error. With --ignore-corruption option the corruption
is only logged. With --restart-on-corruption or --panic-
on-corruption the kernel is restarted (panicked)
immediately. (You have to provide way how to avoid
restart loops.)
WARNING: Use these options only for very specific cases.
These options are available since Linux kernel version
4.1.
--ignore-zero-blocks
Instruct kernel to not verify blocks that are expected to
contain zeroes and always directly return zeroes instead.
WARNING: Use this option only in very specific cases.
This option is available since Linux kernel version 4.5.
--check-at-most-once
Instruct kernel to verify blocks only the first time they
are read from the data device, rather than every time.
WARNING: It provides a reduced level of security because
only offline tampering of the data device's content will
be detected, not online tampering. This option is
available since Linux kernel version 4.17.
--hash=hash
Hash algorithm for dm-verity. For default see --help
option.
--version
Show the program version.
--fec-device=fec_device
Use forward error correction (FEC) to recover from
corruption if hash verification fails. Use encoding data
from the specified device.
The fec device argument can be block device or file image.
For format, if fec device path doesn't exist, it will be
created as file.
Block sizes for data and hash devices must match. Also,
if the verity data_device is encrypted the fec_device
should be too.
FEC calculation covers data, hash area, and optional
foreign metadata stored on the same device with the hash
tree (additional space after hash area). Size of this
optional additional area protected by FEC is calculated
from image sizes, so you must be sure that you use the
same images for activation.
If the hash device is in a separate image, metadata covers
the whole rest of the image after the hash area.
If hash and FEC device is in the image, metadata ends on
the FEC area offset.
--fec-offset=bytes
This is the offset, in bytes, from the start of the FEC
device to the beginning of the encoding data.
--fec-roots=num
Number of generator roots. This equals to the number of
parity bytes in the encoding data. In RS(M, N) encoding,
the number of roots is M-N. M is 255 and M-N is between 2
and 24 (including).
--root-hash-file=FILE
Path to file with stored root hash in hex-encoded text.
--root-hash-signature=FILE
Path to roothash signature file used to verify the root
hash (in kernel). This feature requires Linux kernel
version 5.4 or more recent.
--deferred
Defers device removal in close command until the last user
closes it.
--cancel-deferred
Removes a previously configured deferred device removal in
close command.
Возвращаемое значение (Return value)
Veritysetup returns 0 on success and a non-zero value on
error.
Error codes are:
1 wrong parameters
2 no permission
3 out of memory
4 wrong device specified
5 device already exists or device is busy.
Примеры (Examples)
veritysetup --data-blocks=256 format <data_device> <hash_device>
Calculates and stores verification data on hash_device for the
first 256 blocks (of block-size). If hash_device does not exist,
it is created (as file image).
veritysetup format --root-hash-file <path> <data_device>
<hash_device>
Calculates and stores verification data on hash_device for the
whole data_device, and store the root hash as hex-encoded text in
<path>.
veritysetup --data-blocks=256 --hash-offset=1052672 format
<device> <device>
Verification data (hashes) is stored on the same device as data
(starting at hash-offset). Hash-offset must be greater than
number of blocks in data-area.
veritysetup --data-blocks=256 --hash-offset=1052672 create test-
device <device> <device> <root_hash>
Activates the verity device named test-device. Options --data-
blocks and --hash-offset are the same as in the format command.
The <root_hash> was calculated in format command.
veritysetup --data-blocks=256 --hash-offset=1052672 verify
<data_device> <hash_device> <root_hash>
Verifies device without activation (in userspace).
veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-
file <path> verify <data_device> <hash_device>
Verifies device without activation (in userspace). Root hash
passed via a file rather than inline.
veritysetup --fec-device=<fec_device> --fec-roots=10 format
<data_device> <hash_device>
Calculates and stores verification and encoding data for
data_device.
Сообщение об ошибках (Reporting bugs)
Report bugs, including ones in the documentation, on the
cryptsetup mailing list at <dm-crypt@saout.de> or in the 'Issues'
section on LUKS website. Please attach the output of the failed
command with the --debug option added.
