Lines Matching +full:on +full:- +full:device

2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
7 This target is read-only.
21 This is the type of the on-disk hash format.
32 This is the device containing data, the integrity of which needs to be
33 checked. It may be specified as a path, like /dev/sdaX, or a device number,
37 This is the device that supplies the hash tree data. It may be
38 specified similarly to the device path and may be the same device. If the
39 same device is used, the hash_start should be outside the configured
40 dm-verity device.
43 The block size on a data device in bytes.
44 Each block corresponds to one digest on the hash device.
50 The number of data blocks on the data device. Additional blocks are
55 This is the offset, in <hash_block_size>-blocks, from the start of hash_dev
59 The cryptographic hash algorithm used for this device. This should
87 Panic the device when a corrupted block is discovered. This option is
97 verification fails. Use encoding data from the specified device. This
98 may be the same device where data and hash blocks reside, in which case
102 on the hash device after the hash blocks.
110 is M-N.
113 The number of encoding data blocks on the FEC device. The block size for
114 the FEC device is <data_block_size>.
118 FEC device to the beginning of the encoding data.
121 Verify data blocks only the first time they are read from the data device,
122 rather than every time. This reduces the overhead of dm-verity so that it
123 can be used on systems that are memory and/or CPU constrained. However, it
125 data device's content will be detected, not online tampering.
127 Hash blocks are still verified each time they are read from the hash device,
135 the root hash during the creation of the device mapper block device.
136 Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG
147 dm-verity is meant to be set up as part of a verified boot path. This
149 booting from a known-good device (like a USB drive or CD).
151 When a dm-verity device is configured, it is expected that the caller
153 After instantiation, all hashes will be verified on-demand during
156 tampering with any data on the device and the hash data.
158 Cryptographic hashes are used to assert the integrity of the device on a
159 per-block basis. This allows for a lightweight hash computation on first read
172 of some data block on disk is calculated. If it is an intermediary node,
176 block. The number is determined based on block_size and the size of the
177 selected cryptographic digest algorithm. The hashes are linearly-ordered in
196 On-disk format
199 The verity kernel code does not read the verity metadata on-disk header.
201 It is expected that a user-space tool will verify the integrity of the
205 be passed via the kernel command-line in a rooted chain of trust where
206 the command-line is verified.
212 The full specification of kernel parameters and on-disk metadata format
224 Set up a device::
226 # dmsetup create vroot --readonly --table \
232 the hash tree or activate the kernel device. This is available from
236 Create hash on the device::
242 Activate the device::