Guide to the Linux Manual




mount(8)

mount a filesystem

DM-VERITY SUPPORT

The device-mapper verity target provides read-only transparent integrity checking of block devices using the kernel crypto API. The mount command can open the dm-verity device and do the integrity verification before the filesystem on the device is mounted. Requires libcryptsetup within libmount (optionally via dlopen(3)). If libcryptsetup supports extracting the root hash of an already mounted device, existing devices will be automatically reused in case of a match.

Mount options for dm-verity:

verity.hashdevice=path Path to the hash tree device associated with the source volume to pass to dm-verity.

verity.roothash=hex Hex-encoded hash of the root of verity.hashdevice. Mutually exclusive with verity.roothashfile.

verity.roothashfile=path Path to file containing the hex-encoded hash of the root of verity.hashdevice. Mutually exclusive with verity.roothash.

verity.hashoffset=offset If the hash tree device is embedded in the source volume, offset (default: 0) is used by dm-verity to get to the tree.

verity.fecdevice=path Path to the Forward Error Correction (FEC) device associated with the source volume to pass to dm-verity. Optional. Requires kernel built with CONFIG_DM_VERITY_FEC.

verity.fecoffset=offset If the FEC device is embedded in the source volume, offset (default: 0) is used by dm-verity to get to the FEC area. Optional.

verity.fecroots=value Parity bytes for FEC (default: 2). Optional.

verity.roothashsig=path Path to pkcs7(1ssl) signature of root hash hex string. Requires crypt_activate_by_signed_key() from cryptsetup and kernel built with CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG. For device reuse, signatures have to be either used by all mounts of a device or by none. Optional.

verity.oncorruption=ignore|restart|panic Instruct the kernel to ignore, reboot or panic when corruption is detected. By default the I/O operation simply fails. Requires Linux 4.1 or newer, and libcryptsetup 2.3.4 or newer. Optional.

Supported since util-linux v2.35.

Example commands:

       mksquashfs /etc /tmp/etc.squashfs
       dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
       veritysetup format /tmp/etc.squashfs /tmp/etc.hash
       openssl smime -sign -in <hash> -nocerts -inkey private.key \
               -signer private.crt -noattr -binary -outform der -out /tmp/etc.roothash.p7s
       mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=<hash>,\
               verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.squashfs /mnt

These create a squashfs image from the /etc directory and a verity hash device, then mount the verified filesystem image on /mnt. <hash> is the root hash printed by veritysetup format. If roothashsig is used, the kernel will verify that the root hash is signed by a key from the kernel keyring.
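To show where the value passed as verity.roothash= comes from, and what dm-verity does on every read when the hash device and root hash are given, here is an added example in Python. It is not code from mount(8), libmount or cryptsetup: it follows the dm-verity tree definition (salted per-block hashes packed into zero-padded hash blocks, root hash = hash of the single top block) for a constructed in-memory image, assuming the veritysetup defaults (sha256, 4096-byte data and hash blocks, hash_type 1 with the salt prepended). It keeps the tree levels in memory and writes no superblock or hash device, so verity.hashoffset and the FEC options are not modelled.

```python
"""dm-verity hash tree: how verity.roothash is derived and how a block is checked.

Added example; not code from mount(8), libmount or cryptsetup. Tree levels are
kept in memory; the on-disk superblock and hash device layout are not modelled.
"""
import hashlib

DATA_BLOCK = 4096   # data_block_size, veritysetup default
HASH_BLOCK = 4096   # hash_block_size, veritysetup default
ALGO = "sha256"     # hash algorithm, veritysetup default


def _digest_size() -> int:
    return hashlib.new(ALGO).digest_size


def _per_block() -> int:
    # digests per hash block, rounded down to a power of two as the kernel does
    # (hash_per_block_bits = fls(hash_block_size / digest_size))
    return 1 << ((HASH_BLOCK // _digest_size()).bit_length() - 1)


def block_hash(salt: bytes, block: bytes, hash_type: int = 1) -> bytes:
    """hash_type 1 (normal): H(salt || block); hash_type 0 (Chrome OS): H(block || salt)."""
    h = hashlib.new(ALGO)
    for part in ((salt, block) if hash_type == 1 else (block, salt)):
        h.update(part)
    return h.digest()


def _pack(digests: list) -> list:
    """Group digests into hash blocks, zero-padding the last block to HASH_BLOCK."""
    n = _per_block()
    return [b"".join(digests[i:i + n]).ljust(HASH_BLOCK, b"\0")
            for i in range(0, len(digests), n)]


def build_tree(data: bytes, salt: bytes, hash_type: int = 1):
    """Return (root_hash_hex, levels). levels[0] covers the data blocks; levels[-1] is the one top block."""
    if not data or len(data) % DATA_BLOCK:
        raise ValueError("data must be a non-empty multiple of DATA_BLOCK")
    blocks = [data[i:i + DATA_BLOCK] for i in range(0, len(data), DATA_BLOCK)]
    levels = []
    while True:
        hash_blocks = _pack([block_hash(salt, b, hash_type) for b in blocks])
        levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            break
        blocks = hash_blocks
    # the value given to verity.roothash= is the hash of the whole (padded) top block
    return block_hash(salt, hash_blocks[0], hash_type).hex(), levels


def verify_block(data_block: bytes, index: int, root_hex: str, levels, salt: bytes,
                 hash_type: int = 1) -> bool:
    """Check one data block up through every level to the root, as dm-verity does per read."""
    n, ds = _per_block(), _digest_size()
    want = block_hash(salt, data_block, hash_type)
    idx = index
    for level in levels:
        if idx // n >= len(level):
            return False
        blk = level[idx // n]
        off = (idx % n) * ds
        if blk[off:off + ds] != want:
            return False        # mismatch: the point where oncorruption= decides fail/restart/panic
        want = block_hash(salt, blk, hash_type)
        idx //= n
    return want.hex() == root_hex


def demo() -> dict:
    # constructed sample image: 3 data blocks of deterministic content, fixed salt (not real data)
    data = bytes(range(256)) * (3 * DATA_BLOCK // 256)
    salt = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    root, levels = build_tree(data, salt)
    blocks = [data[i:i + DATA_BLOCK] for i in range(0, len(data), DATA_BLOCK)]
    tampered = bytearray(blocks[1])
    tampered[123] ^= 0x01           # a single bit flip in block 1
    return {
        "root": root,
        "levels": len(levels),
        "all_ok": all(verify_block(b, i, root, levels, salt) for i, b in enumerate(blocks)),
        "tampered_ok": verify_block(bytes(tampered), 1, root, levels, salt),
        "untouched_ok": verify_block(blocks[0], 0, root, levels, salt),
        "root_type0": build_tree(data, salt, hash_type=0)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the example makes visible that the option list does not: the root hash alone commits to every data block only through the salt and the padded hash blocks, so the same data with a different salt or hash_type gives a different root, and a single flipped bit in one data block fails verification of that block while every other block still verifies. In the real tool chain the root hash is what veritysetup format prints and what veritysetup verify recomputes over the whole device.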